How to Set up Remote VPN Access Using pfSense and OpenVPN

Updated on July 11, 2018

Sam has over 10 years of experience working with pfSense firewalls and has written over 30 articles on the subject.

Secure Remote Network Access Using OpenVPN

In this article you will learn how to set up remote access to your network using OpenVPN on pfSense.

Using a VPN, or virtual private network, is the most secure way to remotely access your home or business network. VPNs provide strong security by encrypting all of the traffic sent between the network and the remote client.

Since pfSense is open source and available for free, this project won't cost you anything to complete.

This guide assumes you already have a functional pfSense firewall running. If you don't have one yet, you can easily build one using an old computer, or even run a virtual one using VirtualBox.

Connect to your network securely using a VPN tunnel.

OpenVPN Configuration Wizard

The simplest way to configure OpenVPN on pfSense is to use the built-in VPN configuration wizard. The wizard will guide you through the process of creating a certificate authority, issuing a server certificate, and configuring the OpenVPN server settings.

To start the configuration, open the VPN menu in the web interface and select OpenVPN, then click on the Wizards tab.

For the first step of the configuration wizard you will need to choose the authentication backend type. OpenVPN provides three different authentication methods.

Local user access is the simplest method since it does not require an external authentication server.

OpenVPN Authentication Backends

Authentication Backend
Local User Access: Manage VPN users using the pfSense local user manager.
Manage user access using Windows Active Directory services.
Manage users on an external RADIUS authentication server.
PfSense OpenVPN setup wizard.

Creating a Certificate Authority

The next configuration step is to create a certificate authority (CA) for issuing certificates. If there is already an existing CA configured in pfSense, you can choose to use it for OpenVPN instead of creating a new one.

If you are creating a new CA, you will need to fill out all of the fields in the wizard in order to continue.

The default key length of 2048 bits is sufficient, but you can use a longer key if more security is required. Larger key sizes are more secure, but they require more CPU resources.

Create a new certificate authority to generate certificates for the OpenVPN server.

Creating a Server Certificate

After creating the certificate authority, a server certificate must be issued for OpenVPN. Again, you will need to select a key size that meets your security needs and CPU resources.

The default certificate lifetime is 3650 days (10 years). For higher security environments, you should consider reducing the certificate lifetime. For home users, the default lifetime is fine.

Issue a server certificate from the CA for OpenVPN.

OpenVPN General Settings

In the general settings you will need to select the interface OpenVPN will listen for connections on. In most cases this will be the external-facing interface (WAN), which is connected to the internet.

The recommended protocol for most users is UDP on IPv4. UDP is faster than TCP but can be less reliable since packet delivery is not guaranteed. TCP will provide higher reliability but can be slower since there is more protocol overhead.

Use the default listening port of 1194 unless you have a specific need to use a different port.

Configure the basic OpenVPN settings.

Cryptographic Settings

The cryptographic settings can all be left on their defaults. Advanced users may want to adjust them for their specific security needs.

If you are using a hardware cryptographic accelerator be sure to select it in this section.

The cryptographic settings can be left on their defaults or adjusted if needed.

OpenVPN Tunnel Settings

The two most important settings in the tunnel settings section are the tunnel network and the local network.

Tunnel Network

The tunnel network should be a new network that does not currently exist on the network or the pfSense firewall routing table. When clients connect to the VPN they will receive an address in this network. For example you could enter as long as this does not already exist on your network.

Local Network

Enter the address of the network that clients will connect to in the local network box. By default pfSense uses as the local network so most users will enter that as the network address unless they specified a different network.

The rest of the settings in the tunnel section can be left on their default settings.
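The overlap requirement for the tunnel network can be checked before the value is typed into the wizard. The following is an added example, not part of the original article; the function name, the sample networks and the three reserved addresses (network, broadcast and the server's own tunnel address) are assumptions made for illustration.

```python
import ipaddress

def check_tunnel_network(tunnel_cidr, existing_cidrs, expected_clients=10):
    """Return a list of problems with a proposed OpenVPN tunnel network."""
    problems = []
    iface = ipaddress.ip_interface(tunnel_cidr)
    tunnel = iface.network
    # A value such as 10.0.8.1/24 is a host address, not a network address.
    if iface.ip != tunnel.network_address:
        problems.append(f"{tunnel_cidr} has host bits set; use {tunnel}")
    if not tunnel.is_private:
        problems.append(f"{tunnel} is not private address space")
    # The tunnel network must not collide with the LAN or any routed network.
    for cidr in existing_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == tunnel.version and tunnel.overlaps(net):
            problems.append(f"{tunnel} overlaps existing network {net}")
    # Assumption: network, broadcast and the server's own tunnel address
    # are not handed out to clients.
    usable = max(tunnel.num_addresses - 3, 0)
    if usable < expected_clients:
        problems.append(
            f"{tunnel} has room for {usable} clients, {expected_clients} expected")
    return problems

# Constructed sample values, not taken from the article: the networks
# already present on the firewall (LAN, a second VLAN, a routed site).
EXISTING = ["192.168.1.0/24", "192.168.50.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    for candidate in ["10.0.8.0/24", "10.10.20.0/24", "10.0.8.1/24", "10.0.8.0/30"]:
        issues = check_tunnel_network(candidate, EXISTING)
        print(candidate, "->", issues or "ok")
```

Include in the list of existing networks every subnet in the pfSense routing table, not only the LAN.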

Configure the settings for the tunnel network.

OpenVPN Client Settings

The settings in the client settings section will be assigned to OpenVPN clients when they connect to the network.

Most users will only need to worry about entering a DNS server in the client settings section. If you are also using pfSense as your local DNS server you would enter the local address of the pfSense firewall (usually If you are using separate DNS servers you can enter them here as well.

Optionally a default DNS domain and NTP servers can be provided to clients as well.

OpenVPN client configuration options.

Firewall Rules

One nice feature of the OpenVPN wizard is its ability to automatically generate the necessary firewall rules in pfSense to permit connections to the VPN server. In most basic setups you should enable both of these options. If you do not use the automatic rules, you must manually create rules to allow clients to connect to the VPN.

Traffic from Clients to Server

Enabling this option will automatically generate firewall rules to permit incoming connections to the OpenVPN server from clients anywhere on the internet.

Traffic from Clients Through VPN

This option will create an automatic firewall rule which allows traffic from clients connected to the VPN to anywhere on the local network.

OpenVPN firewall rule configuration.

Wizard Completion

After entering all of the required settings, the setup wizard is complete. Click finish to apply all of the settings to pfSense.

OpenVPN wizard completion.

Creating VPN Users With Certificates

After the OpenVPN configuration has been completed, you are ready to start adding VPN users. If you selected the local user access option during the configuration wizard, users can be added using the pfSense user manager (System Menu \ User Manager).

Enter a username, password, and click the certificate checkbox to generate a user certificate. Be sure to set a name in the descriptive name field, then click the save button to complete the process of adding the user.

Creating OpenVPN user accounts using the pfSense user manager.

Installing the OpenVPN Client Export Package

I recommend installing the OpenVPN client export package available in pfSense to make the process of setting up clients much easier.

Install the package using the pfSense package manager found under the system menu. Enter openvpn-client-export in the search term box of the package manager and click on install.

After the package has been installed there will be a new tab called client export in the OpenVPN menu.

Installing the OpenVPN client export package.

Client Connection Behavior

In the client export settings you can adjust several settings that will affect client connection behavior. The main setting you may want to modify here is the host name resolution field. By default this field is set to the IP address of the interface running OpenVPN. You can select the option 'other' if you want to enter a DNS name such as a dynamic DNS hostname.

After making any changes, click the save as default button to store the settings.

Downloading OpenVPN Client Packages

After the client export settings have been configured, you can export client configuration files and bundled clients using the utility.

The client export tool supports several different operating systems and clients including Windows, Mac, Android, and iOS.

Testing VPN Connectivity

After you've exported a client package you are ready to begin testing connectivity. To test connectivity from Windows, simply install the client package and run through the installation wizard.

The best part of using the OpenVPN client export utility is that the client will automatically be configured to connect to your VPN. You will only need to enter your username and password in order to connect.

The Windows OpenVPN client.

OpenVPN Connect Mobile Client

Android or iOS users can easily connect by installing the OpenVPN Connect package through the app store. After installing the app, generate a client export settings file and transfer it to your mobile device. Opening the settings file will automatically open the OpenVPN app and import the profile.
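Before an exported settings file is handed to a user or copied to a phone, it is worth reading what the file actually contains. The following is an added example, not part of the original article or of the client export package: it parses an .ovpn profile and reports missing protections. The directive names are OpenVPN's own; the sample profile is constructed, and which directives a particular export contains is an assumption to verify against your own file.

```python
import re

# Constructed sample profile; host name and key material are placeholders.
SAMPLE_PROFILE = """\
dev tun
client
remote vpn.example.com 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""

def parse_profile(text):
    """Split an .ovpn profile into directives and inline <tag> blocks."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                       # inside an inline block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            current = tag.group(1)
            blocks[current] = []
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks

def audit_profile(text):
    """Return findings a reviewer would raise before handing out the file."""
    directives, blocks = parse_profile(text)
    findings = []
    if "remote" not in directives:
        findings.append("no remote: profile does not say which server to use")
    if "auth-user-pass" not in directives:
        findings.append("no auth-user-pass: no username/password prompt")
    if not {"remote-cert-tls", "verify-x509-name"} & directives.keys():
        findings.append("no remote-cert-tls/verify-x509-name: any certificate "
                        "from the CA could pose as the server")
    if "ca" not in blocks and "ca" not in directives:
        findings.append("no ca: server certificate cannot be validated")
    if "key" in blocks or "pkcs12" in blocks:
        findings.append("embedded private key: handle the file as a credential")
    return findings
```

A profile that embeds the user's private key should be transferred over a channel you trust and deleted from the download folder once it has been imported.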

Two Factor Authentication

For additional security I strongly recommend implementing two-factor authentication. Two-factor authentication (2FA) requires logging in using a password and a second code, which usually expires after a short period of time or is a one-time-use password.

Setting up 2FA is a complicated topic that is outside the scope of this article but I will offer a couple of suggestions below.


This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2018 Sam Kear


    •

      devendra Kr Pl 

      7 weeks ago

      Hi, I have a problem: OpenVPN is working properly but the VPN user is not able to connect to the local network. Please help me if you have a solution.

    •


      7 months ago

      Excellent guide - thanks!

    •


      12 months ago

      I have a question:

      Do I need to install an OpenVPN server before installing and configuring pfSense?

      Or does pfSense have an integrated OpenVPN server that we just need to configure?


    •


      14 months ago

      Great guide.

      Provided resources are a cherry bonus.

      Duo is really interesting, thinking to implement it for the charity I am volunteering for!

      Thanks for the inspiration!



    •


      15 months ago

      Solved my DNS problem: my pfSense DNS server was not accepting DNS requests from TLS. Ticked the check box in the DNS Resolver section and it worked. Thank you so much Sam for the great guides.

    •


      15 months ago

      Thanks so much, great guide. However, I cannot access the internet while I’m connected to OpenVPN. I can ping the OpenVPN client from the LAN and I can access pfSense from the OpenVPN client. Please help.

    •


      15 months ago

      Thanks. Worked like a charm !!

    •


      15 months ago

      This article is spot on.

    •


      17 months ago


      Can I set a period of time in OpenVPN on pfSense?

      For example, the connection times out after 1 hour and requires reconnecting.

    •


      19 months ago

      Thanks very good

    •


      19 months ago

      @ Bos

      I have the exact same problem.

      I can connect to GW address of my LAN but that's it.

    •


      20 months ago

      It works but I cannot access anything on the LAN; clients are not getting a gateway.

    •


      21 months ago

      Great write up. I’d like to use this to create a personal VPN, when my family is on public WiFi. But, I have the same question/issue as @Lgrier. How do I allow clients to get out to the internet from pfSense VPN?

    •


      22 months ago

      Hi Sam - great guide! Works very well. I'm able to connect without issue. Only problem is I'm unable to access websites while connected to the VPN server. I'm not seeing anything obvious in the fw logs... Any idea where to start to diagnose the problem?

    •


      23 months ago

      It works on PC but not on mobile on version 2.4.3.

      OpenVPN Connect Mobile Client gets stuck on "Connecting" and finishes with "connection timeout".

      Everything works fine with my previous version (2.3.2) on an old server (x86 only).

      Any idea?

    •


      23 months ago

      This works perfectly!! Thank you.

      We are experiencing a follow up issue.

      The first user to authenticate and connect to the vpn works great, can ping local network.

      When multiple users connect to this VPN, they are authenticated however they are unable to ping.

      Any ideas please?

    • AUTHOR

      Sam Kear 

      24 months ago from Kansas City


      You would then install the VPN client on your laptop or mobile device. Once the VPN client is connected you can access the web GUI as you normally would from within your network.

    •


      24 months ago

      So, after doing all these steps, how can I access my web GUI if I am in any other country, for instance?

    •


      2 years ago

      Thank you very much, this is very useful. I can’t connect from outside my LAN; I can only connect when I am home, not outside the house. Any help?

    • AUTHOR

      Sam Kear 

      2 years ago from Kansas City


      Thanks for pointing that out! I have added a note to the article regarding entering a descriptive name for the certificate.

    •


      2 years ago

      Amazing guide. One minor improvement is that when clicking the "certificate checkbox to generate a user certificate" it is required to enter a "Descriptive name"; otherwise the certificate does not get created, without giving any error.

    •

      Sith Trader 

      2 years ago

      Awesome write up! I’ll setup a test environment.

