Setting up a VPN tunnel with pfSense and OpenVPN

You’ll ned to pfSense boxes.

On our example we have both connected to INTERNET each one with one public access on the WAN interface.

For the LAN we’ve set up 2 class C networks. Let’s call pfSenseA the one using (as LAN), and pfSenseB the one using

First, Go to System -> Advance Options and Enable Secure Shell. We’ll connect to one of the boxes in order to create CA certificates.

We’ll start working on pfSeseB which is going to be our SERVER.

Enable Secure Shell

Enable Secure Shell

 And then SSH to the box.

> ssh admin@

You’ll be presented with the Console options:

*** Welcome to pfSense 1.2-RELEASE-embedded on fwofficebackup ***


  OPT1(DMZ)                ->   rl0     ->      NONE

  LAN*                     ->   rl1     ->

  WAN*                     ->   rl2     ->


 pfSense console setup 


 0)  Logout (SSH only)

 1)  Assign Interfaces

 2)  Set LAN IP address

 3)  Reset webConfigurator password

 4)  Reset to factory defaults

 5)  Reboot system

 6)  Halt system

 7)  Ping host

 8)  Shell

 9)  PFtop

10)  Filter Logs

11)  Restart webConfigurator

12)  pfSense PHP shell

13)  Upgrade from console


Enter an option: 

Just option 8 (shell).
If you mounted disk is read-only move to another-one with rw privileges like “/tmp”
Then create a Shared Key
> openvpn –genkey –secret shared.key
copy it to the pfSense as follow:
>cat shared.key
and Copy the output.
Now, let’s go to pfSenseA and Click on VPN -> OpenVPN and ADD (+) an new Server:
Add a Server OpenVPN
Add a Server OpenVPN
Let’s Create a TCP one, and copy the pasted key from the shell to the Share Key Field.
Add a Pool of unused addresses, in our example we’ll use and for Remote Network use the net for pfSenseA, in our case
And we SAVE the changes on the pfSenseA
Server's side Configuration
Now, on pfSenseA, will go to VPN->OpenVPN and we create a Client.
Configure the protocol as TCP and copy the SAME shared key we used on the server-side
As Server Address enter the PUBLIC IP address of pfSenseB.
As Remote IP use pfSenseB network and for Interface IP use the pool of addresses you used on the Server-side (
NOTE. the attached image has the wrong IP Interface address, I’ve troubleshoot it at a later time.
And SAVE it.
Client's Side



Make sure that you allow incoming TCP to the OpenVPN port on both ipSense comming from each other.

Now ping from one network to the other, and DONE.



Multi-WAN Optus and Telstra Cable with pfSense.


This is an example of how you set up pfSense to support multiple ISPs.   

WTF is pfSense? Look here… 

This guide will show you how to setup two connections that require DHCP. 

You can extend this to 3, 4, 5, etc connections, as many as your motherboard can handle. 

In this example, I demonstrate the use of a simple routing policy to assign one PC to use Optus Cable, and the other PC to use Telstra Cable. 

Before I go forward, if you have Telstra Cable, be sure this works first. 
Make sure you can connect to it via pfSense before proceeding. 
pfSense has a bpalogin client for this, so you do NOT need to use the Telstra client program anymore. 

Once you know your ISPs work fine with pfSense, then proceed. 

Test setup for pfSense (router/firewall) box… 
* Celeron 1.2Ghz 
* 512MB RDRAM 
* i820 chipset mobo (ASUS P3C-D) 
* 3x Intel NICs (i82559 chipset) 
* Floppy 
* pfSense 0.95 LiveCD 
* ISP1 : Telstra Broadband Cable (10Mbit/128k) 
* ISP2 : Optus Cable (10Mbit/256k) 

Regarding system requirements : Because pfSense is aimed for the business class, the requirements are hefty compared to other solutions. 

Its recommended that you get at least a PII/PIII, Duron, VIA C3, etc if you want all the features. Its also recommended that you have 128MB or more RAM. I’ve tried pfSense on a Pentium 150Mhz with 48MB RAM, but its quite sluggish. 

In the case of Multi-WAN, it is better to get something with more RAM and grunt, with quality brand of network cards. (Used or 2nd hand Intel NICs are quite cheap, and perfect for this role). 

If you have a WRAP or Soekris embedded board, you can use that, as pfSense has a version for this class of platform. 

ALSO NOTE: I’ve used a CD-ROM/Floppy as the test platform for this guide. 
Be aware that it is recommended that you use a hard disk. 

If you want, you can use a Compact Flash card with CF to IDE adapter OR Use a Disk-On-Module (DOM)…But make sure you disable swap file by deleting the swap partition. (Do this when you install pfSense). 

It is necessary to disable swap for DOMs and CF implementations due to their limited number of writes. (I think its about 10,000 before it dies). 

Bare in mind, some functions rely on a swap partition, so they may not function properly without swap. If you don’t need those functions, don’t worry about it. 

Network card assignments 
1st network card => fxp0 => LAN 
2nd network card => fxp1 => WAN 
3rd network card => fxp2 => OPT1 (re-designated as WAN2) 

I’m using three network cards which are the same, this is why they will be labelled fxp0, 1, and 2. Remember, PCs start with 0, not 1. 
I also needed to note down the MAC addresses of each card as a result. 

WAN = This connects to your 1st ISP. 

OPT1 = Optional 1 is renamed WAN2. This connects to your 2nd ISP. 
(If you have more NICs, they’ll be called OPT2, 3, 4, etc. You can rename later when you login to pfSense via web browser…) 

LAN = This connects to your PC or a switch for your network behind the firewall. 

SO, in this example… 

WAN => Telstra Cable (due to bpalogin being needed) => BigPond (DHCP) 
WAN2 => Optus Cable (DHCP) 
LAN => Static IP (labelled as 

NOTE : Be aware that WAN2, 3, 4 and so on, only supports DHCP or Static IP. If you need PPPoE, etc, you need to stick a modem with ethernet port in front of the pfSense box. 

IP address of PC 1 on the LAN side => 
IP address of PC 2 on the LAN side => 

I point PC 1 to WAN (Telstra) and PC 2 to WAN2 (Optus) 

Network Layout (For this guide) 

WAN (Telstra)       WAN2 (Optus)
        8-Port Switch
        |           |
       PC 1        PC 2

My settings in pfSense…

Firstly, you need to tell pfSense’s NAT that connections from the LAN can go to your WAN connections. (Connections to your Cable/ADSL/modem/etc. Anything that accepts ethernet.)

For Firewall => NAT Settings…
I’ve checked Enable advanced outbound NAT in the Outbound section.

Interface   Source              Destination     Destination Port     NAT Address   NAT Port   Description
WAN      *               *                    *             *          For Telstra
WAN2      *               *                    *             *          For Optus

The * under DestinationDestination PortNAT Address and NAT Port is the “any” option in pfSense.

Now the following is where you define specific firewall rules.
This is where you control which PC/system uses which ISP.

For Firewall => Rules Settings…

Proto   Source            Port   Destination   Port   Gateway   Description
*      *      *             *      *         PC 1 -> Telstra     
*      *      *             *      WAN2      PC 2 -> Optus

As before, the * under ProtoPortDestinationPort, is the “any” option. The * under Gateway is the default WAN connection. Or your 1st WAN connection. 

That’s it. 

NOTE : You may need to manually specify which DNS server should be used as pfSense will sometimes use DNS servers from each WAN for certain periods. 

NOTE 2 : If you’re using Telstra Cable, either manually assign Telstra’s DNS server first OR use pfSense’s default setting…ie : Let DHCP handle everything. (Override with DHCP settings) 

You can also set up a De-Militarised Zone (DMZ) for your servers, and such and then manually specify rules or forward ports for your servers, etc. 
(If you need to forward ports, this is found in the NAT section, NOT in the Rules section). 

Remember, this is NOT loadbalancing. This is useful if you want to consolidate multiple ISP connections into one router. This method is very simple and easy to work with as you don’t need to worry about VPN and such, like you do with loadbalancing. 

Depending on your requirements and situation, you may find this a cheaper approach than buying a commercial router. Its up to you to assess if this is a viable solution for your needs. 


The pfSense FAQ 

Setting up policybased routing with multiple WAN-links (PDF)