To assign an interface for an OpenVPN connection or not?



  • My searching skills have failed me and I can't find mention of something that is surely covered somewhere on the forum.

    When do you need to, or want to, assign an opt interface to your configured VPN connection? I think I've gathered that you needed to in pfSense 1 but not in pfSense 2, but I'm not sure.

    I have a config that has been around since the 1.2 days and now I'm wondering if I need to keep the opt interface assigned to the OpenVPN tunnel. I think that everything I'm doing in the assigned opt interface for OpenVPN can just be put in the ever-present OpenVPN Rules tab. But if someone could point me to some info on if or when you need to assign your VPN interface to an opt interface, it would be appreciated.


  • Banned

    Not really needed to assign unless you want things like WAN over OpenVPN.



  • For site-to-site links connecting private subnets at multiple locations, and servers for road-warriors connecting in, then you don't need an interface assigned. You can do it all with ordinary OpenVPN config - putting private subnets in the appropriate "local network" and "remote network" fields of the GUI, adding client-specific overrides for site-to-site with multiple clients from remote sites connecting in to 1 server… The GUI fields result in the necessary routes being created, then you use the general OpenVPN tab to allow traffic - often you only want/need to allow traffic between your various private IP subnets.

    As doktornoktor says, if you are OpenVPNing out to a server somewhere for general internet access, then you probably need to add a gateway on the link, and direct certain (or all) public internet traffic over the link... and that needs the interface assigned.



  • Thanks. That all makes sense. I didn't consider the VPN-to-a-privacy-provider use case, which of course makes sense that it's assigned an interface for gateway etc.



  • @phil.davis:

    For site-to-site links connecting private subnets at multiple locations, and servers for road-warriors connecting in, then you don't need an interface assigned. You can do it all with ordinary OpenVPN config - putting private subnets in the appropriate "local network" and "remote network" fields of the GUI, adding client-specific overrides for site-to-site with multiple clients from remote sites connecting in to 1 server… The GUI fields result in the necessary routes being created, then you use the general OpenVPN tab to allow traffic - often you only want/need to allow traffic between your various private IP subnets.

    As doktornoktor says, if you are OpenVPNing out to a server somewhere for general internet access, then you probably need to add a gateway on the link, and direct certain (or all) public internet traffic over the link... and that needs the interface assigned.

    If you are providing roadwarrior access with OpenVPN, you could use squid and squidguard to speed up your connections, so in this case you also need the interface assigned.

