Help me understand OpenVPN Interfaces and Firewall Rules

  • Hello,

    I have several site-to-site VPNs set up where my pfSense is the server. I also have it serving as a client to PIA. I basically just followed the online instructions while not knowing what I was actually doing. Now I want to know.

    For my PIA client I created the client in OpenVPN and then had to assign an interface for it. I just realized I have no rules on that interface, yet I am able to send traffic through it by using it as the gateway for the LAN. Why is this possible? Shouldn't the traffic be blocked since I defined no rules for the interface?


    Under firewall rules, there is an OpenVPN tab. I have been using this tab to control traffic from my remote sites to their respective OpenVPN servers on my pfSense.
    Why didn't I have to create an interface and respective firewall rules for those OpenVPN servers? When I go to "Assign Interfaces" they show up as available ports.


  • It is not necessary to define any interfaces for an OpenVPN instance except maybe for a service such as PIA. I never have myself, though others have. If you have the "traffic graphs" on your dashboard then those interfaces would show up there. So that might be a reason for some. I really don't care to watch the graphs from all my VPNs.

    Rules on an interface are for traffic entering that interface. So if you want people on the other side of your PIA connection to have access then you would have to build rules. If not then treat it like your default WAN.

  • @chpalmer Thanks. So the OpenVPN tab on firewall rules services all VPN instances (client and server)? Including PIA?

    If so, I shouldn't have an Any <-> Any rule on that tab? I don't want random people accessing my network from PIA.

    If I create an interface for an OpenVPN instance (ovpns or ovpnc), will the firewall rules on that interface tab supersede the ones on the OpenVPN tab?

  • @powerextreme

    Filtering with OpenVPN

    When the OpenVPN interface is assigned, a tab is present under Firewall > Rules dedicated to only this single VPN. These rules govern traffic coming in from the remote side of the VPN and they even get the pf reply-to keyword which ensures traffic entering this VPN interface will exit back out the same interface. This can help with some more advanced NAT and configuration scenarios.


    Rules added here are processed after the OpenVPN tab rules, which are checked first. In order to match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” style rules from the OpenVPN tab and craft more specific rules instead.
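
A small model of the evaluation order discussed in this thread, added here as an illustration; it is not pfSense code and was not posted by any participant. Interface names, subnets and rules are constructed assumptions, and floating rules and state tracking are left out.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rule sets (assumptions, not taken from the thread).
OPENVPN_TAB = [  # group tab: applies to traffic arriving on every OpenVPN instance
    {"action": "pass", "src": "10.8.1.0/24", "dst": "192.168.1.0/24"},
]
IFACE_TABS = {
    "LAN": [{"action": "pass", "src": "192.168.1.0/24", "dst": "0.0.0.0/0"}],
    "PIA": [],  # assigned ovpnc interface with no rules defined
    "SITE_A": [{"action": "block", "src": "10.8.1.50/32", "dst": "0.0.0.0/0"}],
}
OPENVPN_IFACES = {"PIA", "SITE_A"}  # interfaces that are OpenVPN instances
ALLOW_ALL = {"action": "pass", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"}


def matches(rule, src, dst):
    """True when both addresses fall inside the rule's source/destination networks."""
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"]))


def evaluate(ingress, src, dst, openvpn_tab=OPENVPN_TAB, iface_tabs=IFACE_TABS):
    """Return (action, tab) for a NEW connection arriving on `ingress`.

    Only the ingress interface's rules are consulted; the interface the
    packet later leaves through (for example a gateway) is never checked.
    """
    chain = []
    if ingress in OPENVPN_IFACES:  # OpenVPN tab rules are checked first
        chain += [(rule, "OpenVPN") for rule in openvpn_tab]
    chain += [(rule, ingress) for rule in iface_tabs.get(ingress, [])]
    for rule, tab in chain:  # first match wins
        if matches(rule, src, dst):
            return rule["action"], tab
    return "block", "default deny"


if __name__ == "__main__":
    # LAN host going out through the PIA gateway: decided on the LAN tab.
    print(evaluate("LAN", "192.168.1.10", "203.0.113.5"))
    # Unsolicited traffic arriving from the PIA side: nothing matches.
    print(evaluate("PIA", "203.0.113.5", "192.168.1.10"))
    # Same traffic with an allow-all on the OpenVPN tab.
    print(evaluate("PIA", "203.0.113.5", "192.168.1.10", openvpn_tab=[ALLOW_ALL]))
    # The SITE_A block rule is shadowed by the broader OpenVPN tab pass rule.
    print(evaluate("SITE_A", "10.8.1.50", "192.168.1.10"))
```

The last case shows why broad rules on the OpenVPN tab have to go before per-instance tabs can take effect: the block rule on the assigned interface is never reached.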
