April 16, 2017

VPN Routing and pfSense, piecemeal style

While VPNs are nice for hiding your Internet browsing habits from your ISP, they do have some downsides. They add latency to every connection, and when you have a Gigabit Fiber connection, the encryption overhead and the provider's own capacity can severely limit your throughput.

With that said, I did still want to route SOME of my traffic over the VPN. Unfortunately, each of the available guides covered only a piece of the overall solution.

First off, what I am talking about here is "policy-based routing": choosing the gateway for a packet based on where it came from (a host, a network, or a port), rather than only on its destination. Knowing the term made it a bit easier to search Google for solutions.

Another huge "you should know" is that pfSense gets a bit wonky when you add or modify interfaces. Sometimes, after you add or modify an interface, the configuration is correct but it just won't work. The fix is as easy as a quick reboot of pfSense. I spent a mind-boggling amount of time thinking I had set an option wrong somewhere, only to realize that I needed to reboot.

Finally, if you aren't already, you should be using public DNS servers, such as Google's, rather than your ISP's resolvers. This is important for a couple of reasons. One, it takes your lookups off your ISP's resolver (keep in mind that plain DNS on port 53 is still readable by whoever carries it, so lookups are only hidden from your ISP if they themselves travel over the VPN). Two, DNS lookups that leave via the VPN and arrive at your ISP's resolvers from the VPN's exit address will be slow at best, and in many cases won't work at all, because ISP resolvers typically answer only their own customers' address space.

Step one is simple. Set up the VPN per the guidelines of your provider.

In my case, PrivateInternetAccess supplied a guide that got me part of the way there. Some other VPN providers just give you an "ovpn" file, whose directives map fairly easily onto the pfSense options described here.

Import the VPN CA Certificate

The CA certificate should have been given to you by the VPN provider. If not, it is usually included inline in the "OVPN" file they supplied, between <ca> and </ca> tags (or as a separate .crt file referenced by a "ca" directive):

An example of an OVPN file I received. This file contains options that clearly map to pfSense options:
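The file I received is not reproduced here, so as an added example (not the author's file, and not any provider's real configuration) the script below shows how the directives in a typical client .ovpn map onto the pfSense OpenVPN client form, and pulls the inline CA out into a PEM file for import. The sample .ovpn, the hostname vpn.example.net, the port, the cipher and the certificate body are all constructed placeholders; the field labels follow the pfSense 2.3/2.4 client page and should be checked against your version.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a provider's client .ovpn,
# prints the values the pfSense OpenVPN client form asks for, and writes the
# inline <ca> block out as a PEM file for System > Cert. Manager > CAs > Import.
# SAMPLE_OVPN is a constructed sample, not any real provider's file; the host,
# port, cipher and certificate body are placeholders.

SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.net 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDER/constructed+for+this+example/not+a+real+certificate/AAAA=
-----END CERTIFICATE-----
</ca>'

# ovpn_get FILE DIRECTIVE: print the arguments of the first DIRECTIVE line.
ovpn_get() {
    awk -v d="$2" '$1 == d {
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit
    }' "$1"
}

# ovpn_has FILE DIRECTIVE: exit 0 if DIRECTIVE appears (flag-style directives).
ovpn_has() {
    awk -v d="$2" '$1 == d { found = 1; exit } END { exit found ? 0 : 1 }' "$1"
}

# ovpn_inline FILE TAG: print the lines between <TAG> and </TAG>, exclusive.
ovpn_inline() {
    awk -v t="$2" '
        index($0, "</" t ">") { p = 0 }
        p                     { print }
        index($0, "<" t ">")  { p = 1 }' "$1"
}

# ovpn_to_pfsense FILE: one line per setting on the pfSense OpenVPN client page.
ovpn_to_pfsense() {
    f="$1"
    set -- $(ovpn_get "$f" remote)            # remote <host> [port]
    host="$1"; port="${2:-1194}"              # OpenVPN defaults to 1194
    proto=$(ovpn_get "$f" proto | tr a-z A-Z); [ -n "$proto" ] || proto=UDP
    if ovpn_has "$f" tls-client; then echo "Server Mode: Peer to Peer (SSL/TLS)"; else echo "Server Mode: Peer to Peer (Shared Key)"; fi
    echo "Protocol: $proto"
    echo "Server host or address: $host"
    echo "Server port: $port"
    echo "Encryption Algorithm: $(ovpn_get "$f" cipher)"
    echo "Auth digest algorithm: $(ovpn_get "$f" auth)"
    if ovpn_has "$f" comp-lzo; then echo "Compression: adaptive LZO (comp-lzo)"; else echo "Compression: disabled"; fi
    if ovpn_has "$f" auth-user-pass; then echo "User Authentication Settings: provider username and password"; fi
    # Not in the provider file; this is the point of the post: keep WAN as the default gateway.
    echo "Custom options: route-nopull   (or tick \"Don't pull routes\")"
}

# Demo on the constructed sample: print the mapping and save the CA.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_OVPN" > "$tmp"
    ovpn_to_pfsense "$tmp"
    ovpn_inline "$tmp" ca > "$tmp.ca.crt"
    echo "CA written to $tmp.ca.crt ($(wc -l < "$tmp.ca.crt" | tr -d ' ') lines)"
    rm -f "$tmp" "$tmp.ca.crt"
}
demo
```

Before importing a real CA, run openssl x509 -in ca.crt -noout -subject -issuer -enddate on the extracted file and confirm it is the provider's CA (not a server certificate) and has not expired; pfSense will happily import an expired CA and then fail the TLS handshake later.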


Importing the VPN CA:


VPN Setup

Adding route-nopull to the custom options* was the only place I deviated from the instructions provided by PIA. It makes the client ignore the routes the server pushes, which would otherwise make the VPN your default gateway and route all your traffic over it.

*Note that I believe the "Don't pull routes" checkbox would accomplish the same thing. With the troubles I had relating to the reboot problem mentioned above, this is just the config that I landed on, and I haven't gone back and changed it.
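What route-nopull prevents is visible in the routing table. A provider that pushes "redirect-gateway def1" makes the client add 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel; these are more specific than the WAN default route, so they win without replacing it, and everything behind pfSense goes over the VPN. The script below, an added example that is not part of the original post, checks a FreeBSD netstat -rn table for that condition. Both tables are constructed samples using RFC 5737 documentation addresses; em0 (WAN), em1 (LAN) and ovpnc1 (the OpenVPN client interface) are assumed interface names.

```shell
#!/bin/sh
# Added example, not from the original post: detect the failure mode that
# route-nopull (or "Don't pull routes") prevents. On the pfSense shell:
#   netstat -rn -f inet | vpn_owns_default ovpnc1
# Both routing tables below are constructed samples (RFC 5737 addresses).

# What you want: WAN (em0) keeps the default route, ovpnc1 only carries its tunnel route.
ROUTES_GOOD='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.1           link#7             UH       ovpnc1
10.8.0.6           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
203.0.113.0/24     link#1             U           em0
203.0.113.6        link#1             UHS         lo0'

# What you get without route-nopull: the two def1 halves via the tunnel, plus a
# host route to the VPN server via the WAN gateway so the tunnel itself survives.
ROUTES_BAD='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
default            203.0.113.1        UGS         em0
10.8.0.1           link#7             UH       ovpnc1
10.8.0.6           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
198.51.100.10      203.0.113.1        UGHS        em0
203.0.113.0/24     link#1             U           em0
203.0.113.6        link#1             UHS         lo0'

# vpn_owns_default VIF: read a FreeBSD "netstat -rn" table on stdin. Print every
# default-ish route (default, 0.0.0.0/1, 128.0.0.0/1) whose Netif column is VIF;
# exit 0 if there was at least one, 1 otherwise.
vpn_owns_default() {
    awk -v vif="$1" '
        ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $4 == vif { print; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# check_table LABEL TABLE: one-line verdict for a routing table.
check_table() {
    if printf '%s\n' "$2" | vpn_owns_default ovpnc1; then
        echo "$1: ovpnc1 has taken over the default route (add route-nopull or tick Don't pull routes)"
    else
        echo "$1: WAN still owns the default route"
    fi
}

check_table good "$ROUTES_GOOD"
check_table bad  "$ROUTES_BAD"
```

If the bad case shows up after you have added route-nopull, the client is still running with the old options: disable and re-enable the client, or reboot, and re-check.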

pfSense routing

Assuming everything was set up correctly, the OpenVPN status page (Status > OpenVPN) should now show the client connection as "up":

The next step is to assign a new interface to the OpenVPN client. This gives you the ability to reference the VPN connection in NAT and firewall rules, and pfSense creates a gateway for it that you will select later in the policy rule.

Select the VPN connection and click "Add":

And enable the interface. Note that the IPv4 and IPv6 configuration types stay "None"; the tunnel addresses come from OpenVPN, not from the interface configuration:

At this point you should do one thing: reboot pfSense. This applies ANY time you add or remove interfaces in pfSense.


In getting this VPN going, and even when I've added VLAN interfaces for other projects, I've wasted an absolutely STUPID amount of time trying to troubleshoot things that weren't working despite being set up correctly.

I spent two days trying to get this VPN going. Either the VPN would work, but the rest of my network would break. Or the network would work, but the VPN wouldn't do anything. So just do it. Reboot.

Firewall Manipulation

After you reboot pfSense, the OpenVPN status should say the connection is "up", and the rest of your network should be happily accessing the Internet as expected.

The next thing you need is an alias. This lets you add or remove hosts, networks, or even specific ports from the set of traffic sent over the VPN without touching the NAT and firewall rules themselves. In my case, I just wanted two hosts:

But you could easily create an alias for your VLANs (by network), or by specific ports.

Next, you need an outbound NAT rule. The easiest way is to set the mode to "Hybrid Outbound NAT". pfSense keeps managing the automatic rules for everything else, and you add one manual rule: on the VPN interface, translate traffic from your alias to the VPN interface address. Without this rule, packets from your hosts would leave the tunnel with their private LAN source address and the provider would drop them, so the VPN appears to "do nothing":


Finally, you need a policy-based firewall rule. For any interface that contains a host or a network you want to forward over the VPN, add a pass rule with your alias as the source and, under the Advanced options, change the Gateway from "default" to the VPN gateway that was created when you assigned the interface. Put this rule above any general "allow to any" rule on that interface, since pfSense evaluates rules top to bottom and the first match wins:
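Once the alias, the outbound NAT rule and the policy rule are in place, you can confirm all three made it into the running pf ruleset instead of trusting the GUI. The script below is an added example, not part of the original post: it checks pfctl output for a route-to pass rule on the LAN interface that is not shadowed by an earlier pass rule, and for a matching nat rule on the VPN interface. The rule text is a constructed sample in the shape of pfctl -sr and pfctl -sn output, with assumed names em1 (LAN), ovpnc1 (OpenVPN client interface) and VPN_Hosts (the alias).

```shell
#!/bin/sh
# Added example, not from the original post. On pfSense, run:
#   pfctl -sr | policy_rule_order em1 ovpnc1 VPN_Hosts
#   pfctl -sn | vpn_nat_present ovpnc1 VPN_Hosts && echo "NAT ok"
# The three rulesets below are constructed samples in the shape of pfctl
# output; em1 = LAN, em0 = WAN, ovpnc1 = VPN client interface, VPN_Hosts = alias.

# Policy rule first, then the stock "allow LAN to any" rule: what you want.
RULES_SAMPLE='block drop in log inet all label "Default deny rule IPv4"
pass in quick on em1 route-to (ovpnc1 10.8.0.5) inet from <VPN_Hosts> to any flags S/SA keep state label "USER_RULE: VPN hosts out via PIA"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Same rules, wrong order: the allow-any rule matches first and the VPN rule never fires.
RULES_SHADOWED='block drop in log inet all label "Default deny rule IPv4"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 route-to (ovpnc1 10.8.0.5) inet from <VPN_Hosts> to any flags S/SA keep state label "USER_RULE: VPN hosts out via PIA"'

# Hybrid outbound NAT: automatic WAN rules plus the manual rule on ovpnc1.
NAT_SAMPLE='nat on em0 inet from 127.0.0.0/8 to any port = 500 -> 203.0.113.6 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.6 port 1024:65535
nat on ovpnc1 inet from <VPN_Hosts> to any -> (ovpnc1) port 1024:65535'

# policy_rule_order LAN_IF VIF ALIAS: read "pfctl -sr" on stdin and print
#   ok        - the route-to rule for <ALIAS> is the first pass rule on LAN_IF
#   shadowed  - another pass rule on LAN_IF comes before it (first match wins)
#   missing   - no route-to rule for <ALIAS> on LAN_IF at all
policy_rule_order() {
    awk -v lan="$1" -v vif="$2" -v a="<$3>" '
        $1 == "pass" && index($0, " on " lan " ") {
            if (index($0, "route-to (" vif " ") && index($0, "from " a " ")) {
                print (seen ? "shadowed" : "ok"); found = 1; exit
            }
            seen = 1
        }
        END { if (!found) print "missing" }'
}

# vpn_nat_present VIF ALIAS: read "pfctl -sn" on stdin; exit 0 if there is a
# nat rule on VIF whose source is <ALIAS>, 1 otherwise.
vpn_nat_present() {
    awk -v vif="$1" -v a="<$2>" '
        $1 == "nat" && $3 == vif && index($0, "from " a " ") { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

report() {
    echo "rule order (good sample): $(printf '%s\n' "$RULES_SAMPLE"   | policy_rule_order em1 ovpnc1 VPN_Hosts)"
    echo "rule order (bad sample):  $(printf '%s\n' "$RULES_SHADOWED" | policy_rule_order em1 ovpnc1 VPN_Hosts)"
    if printf '%s\n' "$NAT_SAMPLE" | vpn_nat_present ovpnc1 VPN_Hosts; then
        echo "outbound NAT on ovpnc1 for <VPN_Hosts>: present"
    else
        echo "outbound NAT on ovpnc1 for <VPN_Hosts>: missing (hosts will leave the tunnel un-NATed)"
    fi
}
report
```

"shadowed" is a hint rather than proof, since the earlier pass rule might not cover your alias hosts, but with the stock "allow LAN to any" rule it does, and that is the usual reason a correctly configured policy rule shows zero matches.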

That's it!

That should be it. Hopefully your hosts or networks are now routing over the VPN. A quick check from one of the routed hosts is to look up its public IP address and confirm it belongs to the VPN provider rather than your ISP. If it doesn't work, usually the best way to fix it is to turn the VPN off and on again (via the checkbox on the client settings).