Question about OpenVPN interfaces



  • RE: https://redmine.pfsense.org/issues/10673#change-46844

    When you configure an OpenVPN server in pfSense for mobile users to remotely access the LAN, it automatically adds an "OpenVPN" tab to the Firewall > Rules page. But apparently that tab does not represent an "interface" because it doesn't appear on the Interface Assignments page nor the Services > Avahi page. The response to my ticket says that I need to manually assign and enable an interface for OpenVPN.

    If I assign and enable a true interface using the Interface Assignments page, then the new interface appears on the Avahi page but now I have TWO tabs on the Firewall > Rules page (the automatic one says OpenVPN and the one for the interface has my interface name, VPN1). And it creates a gateway and gateway monitoring for it, which I have to manually disable since those seem irrelevant for a Remote Access VPN.

    I feel like there's something wrong with the design here.

    I think when you set up a Remote Access OpenVPN server:

    • it should automatically assign and enable an "interface"
    • that interface should NOT have any gateway nor gateway monitoring
    • that interface should appear on the Avahi list (it does this already)
    • that interface should appear as a tab on the Firewall > Rules page
    • the Firewall > Rules page should NOT have a duplicate tab

    Or, it shouldn't use an "interface" at all, and "OpenVPN" should just appear on the Avahi list automatically like it does on the Firewall Rules page.

    Am I missing something here or would this be a good improvement for pfSense?



  • The OpenVPN tab which you can see on the firewall rule page is an interface group including all OpenVPN instances (servers and clients) on pfSense. It is present when at least one OpenVPN instance is configured.

    If you need an interface for use with services, you have to assign an interface to the particular OpenVPN instance. Then you can see a further firewall rule tab for this, where you may add rules for incoming traffic.

    Consider that rules on interface groups like OpenVPN are applied to all members, so to all OpenVPN instances you're running.



  • @viragomann said in Question about OpenVPN interfaces:

    The OpenVPN tab which you can see on the firewall rule page is an interface group including all OpenVPN instances

    That explains a lot, thank you very much! But why doesn't this automatic "OpenVPN" Interface Group appear on the Interface Groups list (interfaces_groups.php)? The list is blank on my pfSense.



  • @Jeremy11one
    It's not a group you can modify. So there is no reason to display it there.

