Configuring OpenVPN on pfSense


This Howto has been moved to the guide section and will be maintained there from now on.

This howto describes the setup of pfSense for the IPredator VPN. The following steps assume a fresh installation of pfSense 2.2.


Once configured, the settings of the IPredator VPN connection can no longer be changed from the GUI.


GUI configuration

Create an initial OpenVPN configuration through the pfSense GUI. This creates the needed directory structure and configuration files that get altered on the command line. Click on the following screenshot to see what options you need to customize. Leave everything else unchanged.


Command line configuration

pfSense does not support sftp or scp, so the OpenVPN configuration file needs to be created manually.

First download the configuration file to a system that has openssl installed and then create the pfSense config on your pfSense router:

your host$  openssl enc -base64 -in IPredator-pfSense-Password.conf
[... copy the output ...]

On the pfSense machine run openssl again to decode the data and create the configuration file:

[2.2-RELEASE][root@pfSense]/: cd /var/etc/openvpn
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: openssl enc -base64 -d >> client1.conf << EOF
[... paste the output followed by EOF ...]

Your username and password need to be stored on the router in the next step. OpenVPN reads the auth file with the username on the first line and the password on the second:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: cat >> IPredator.auth << EOF

To make sure that the system cannot change the config files, the immutable bit needs to be set on them. While there, ensure that the permissions are correct:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chmod 600 IPredator.auth client1.conf
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags schg IPredator.auth client1.conf

To undo the immutable restriction, make sure kern.securelevel is 0 or lower (the schg flag cannot be cleared at a higher securelevel) and use chflags again:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: sysctl kern.securelevel
kern.securelevel: -1
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags noschg client1.conf
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags noschg IPredator.auth

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: ls -lo
total 14
-rw-------  1 root  wheel  schg 1337 Jan 23 23:42 IPredator.auth
-rw-------  1 root  wheel  -    1876 Jan 23 23:42
-rw-------  1 root  wheel  -    1501 Jan 23 23:42 client1.cert
-rw-------  1 root  wheel  schg 3524 Jan 23 23:42 client1.conf
-rw-------  1 root  wheel  -       3 Jan 23 23:42 client1.interface
-rw-------  1 root  wheel  -     987 Jan 23 23:42 client1.key
srwxrwxrwx  1 root  wheel  -       0 Jan 23 23:42 client1.sock

Start the VPN connection

Back in the GUI, simply restart the OpenVPN service (Status > OpenVPN). Then check the OpenVPN log either in the GUI or on the command line with tail -F /var/log/openvpn.log.


To verify that the VPN connection came up correctly, first execute ifconfig -a on the command line and check that a tun interface (ovpnc1 below) appears in the network device list.

DS411> ifconfig -a
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet --> netmask 0xffffff00 
        Opened by PID 25694

Issue netstat -nrfinet to see if the routing table got altered correctly. The following entries are essential:

  • A host route to the VPN server (in this example
  • A new split default route (destinations and
[2.2-RELEASE][root@pfSense]/: netstat -rnfinet
Routing tables

Destination        Gateway            Flags      Netif Expire
                                      UGS        ovpnc1
default                               UGS        re0
                                      UGS        ovpnc1
                                      UGS        re0
                   link#8             UH         ovpnc1
                   link#6             UH         lo0
                                      UGS        ovpnc1
                   link#1             U          re0
                   link#1             UHS        lo0
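The following script is an added example, not part of the original howto, that turns the two manual verifications above (files locked with mode 600 and schg, host route to the VPN server plus a split default route via ovpnc1) into a repeatable check over the text of ls -lo and netstat -rnfinet. The sample listings and all addresses are constructed, and the 0.0.0.0/1 and 128.0.0.0/1 destinations are assumed from OpenVPN's usual split-default layout since the page's addresses are missing.

```shell
# Added post-setup check (not from the howto). Takes the text of `ls -lo` and
# `netstat -rnfinet` as arguments; on pfSense you would run
#   check_all "$(ls -lo /var/etc/openvpn)" "$(netstat -rnfinet)" <vpn server ip>

# check_locked LS_OUTPUT FILE: true if FILE is mode 600 and has the schg flag
check_locked() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $NF == f && $1 == "-rw-------" && $5 == "schg" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# check_server_route ROUTES SERVER: true if the host route to the VPN server
# leaves via a real interface, not the tunnel (else the tunnel routes itself)
check_server_route() {
    printf '%s\n' "$1" | awk -v s="$2" '
        ($1 == s || $1 == (s "/32")) && $3 ~ /^UG/ && $4 !~ /^ovpnc/ { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# check_split_default ROUTES: true if both halves of the split default route
# point at ovpnc1 (0.0.0.0/1 + 128.0.0.0/1, assumed: OpenVPN's def1 layout)
check_split_default() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1"   && $3 ~ /^UG/ && $4 == "ovpnc1" { lo = 1 }
        $1 == "128.0.0.0/1" && $3 ~ /^UG/ && $4 == "ovpnc1" { hi = 1 }
        END { exit ((lo && hi) ? 0 : 1) }'
}

# check_all LS_OUTPUT ROUTES SERVER: run every check, report, fail if any failed
check_all() {
    rc=0
    for f in IPredator.auth client1.conf; do
        check_locked "$1" "$f" && echo "ok:   $f is 600 + schg" || { echo "FAIL: $f not locked"; rc=1; }
    done
    check_server_route "$2" "$3" && echo "ok:   host route to $3" || { echo "FAIL: host route to $3"; rc=1; }
    check_split_default "$2" && echo "ok:   split default via ovpnc1" || { echo "FAIL: split default route"; rc=1; }
    return $rc
}

# Constructed sample output; 10.8.0.x, 192.0.2.x and 198.51.100.x are placeholders
SAMPLE_LS='-rw-------  1 root  wheel  schg 1337 Jan 23 23:42 IPredator.auth
-rw-------  1 root  wheel  schg 3524 Jan 23 23:42 client1.conf
-rw-------  1 root  wheel  -     987 Jan 23 23:42 client1.key'
SAMPLE_ROUTES='Destination        Gateway            Flags      Netif Expire
0.0.0.0/1          10.8.0.1           UGS        ovpnc1
default            192.0.2.1          UGS        re0
128.0.0.0/1        10.8.0.1           UGS        ovpnc1
198.51.100.10/32   192.0.2.1          UGS        re0
10.8.0.0/24        link#8             U          ovpnc1'
check_all "$SAMPLE_LS" "$SAMPLE_ROUTES" 198.51.100.10
```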