TSF – Comprehensive IT Solutions for SMBs | HCM

P12 - Powerful VPN Client to Site pfSense Setup Guide

VPN Client-to-Site pfSense: Remote Access Configuration Guide

Remote access VPN is one of the most important features in modern network infrastructure. It allows users to securely connect to internal resources from outside the office while maintaining strong encryption and authentication.

In this tutorial, we will walk through the VPN Client-to-Site pfSense configuration using OpenVPN. This setup allows remote users to connect to the internal network and access services such as servers, web applications, or virtual machines securely.

This guide demonstrates how to:

  • Configure the OpenVPN server on pfSense

  • Create certificates and VPN users

  • Export the VPN client configuration

  • Allow traffic through the firewall

  • Connect from Windows or mobile devices



1️⃣ Configuring the VPN Server

The first step is to configure the VPN server on pfSense. This includes creating a certificate authority, generating certificates, configuring the OpenVPN server, and allowing VPN traffic through the firewall.


Step 1 – Create a CA and Certificate on pfSense

Go to the pfSense WebGUI:

 
System → Certificate
 

1. Authorities → Add

 
Descriptive Name: VPNClienToSite
Method: Create an internal Certificate Authority
 

2. Certificates → Add

 
Method: Create an internal certificate
Descriptive Name: OpenVPN-Server-Cert
Certificate Authority: VPNClienToSite
Certificate Type: Server
 

This step creates the certificate authority (CA) and a server certificate, which are required for secure OpenVPN communication.


Step 2 – Configure the OpenVPN Server

Navigate to:

 
VPN → OpenVPN → Servers → Add
 

Configure the following settings:

 
Server Mode: Remote Access (SSL/TLS + User Auth)
 

Tunnel Settings

 
Tunnel Network: 10.8.0.0/24
Local Network: 192.168.16.0/24
 

Explanation:

  • Tunnel Network defines the IP address range assigned to VPN clients.

  • Local Network is the internal LAN network that VPN clients will access.

For example, the LAN network contains servers or VMs such as:

  • 192.168.16.173

  • 192.168.16.174

  • 192.168.16.208

Compression setting:

 
Compression: Disabled
 

Then click:

 
Save → Apply
 

At this stage, the OpenVPN server is ready to accept client connections.


Step 3 – Create a VPN User

Next, create a user account that will be used for VPN authentication.

Go to:

 
System → User Manager → Add
 

Configure the following:

 
Username: bao
Password: ********
 

In the Certificates section, create a certificate for the user:

 
Add user certificate
CA = VPNClienToSite
Type = User Certificate
 

Each VPN user typically has their own certificate, which enhances security and allows administrators to revoke access if necessary.


Step 4 – Install OpenVPN Client Export

To simplify client configuration, pfSense provides a package that exports ready-to-use VPN configuration files.

Navigate to:

 
System → Package Manager → Available Packages
 

Install the following package:

 
openvpn-client-export
 

After installation, go to:

 
VPN → OpenVPN → Client Export
 

Select the user:

 
User: bao
 

Export the configuration file:

 
.ovpn
 

This file contains the client configuration, certificates, and connection settings required to connect to the VPN.
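Because the exported file bundles connection settings together with key material, it is worth checking it against the server settings from Steps 2 and 5 before handing it to a user. The following is an added example, not part of the original tutorial or of pfSense: a small parser and audit for an .ovpn profile. The sample profile, its host name and the function names are constructed for illustration.

```python
import re

# Constructed sample profile (not a real export); the key body is a placeholder.
SAMPLE_OVPN = """\
dev tun
remote vpn.example.test 1194 udp4
auth-user-pass
comp-lzo adaptive
<key>
(placeholder private key)
</key>
"""

def parse_ovpn(text):
    """Split a client profile into directives and inline <tag> blocks."""
    directives, blocks, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if current:                                  # inside an inline block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif re.fullmatch(r"<[\w-]+>", line):        # opening tag such as <key>
            current = line[1:-1]
            blocks[current] = []
        elif line and line[0] not in "#;":           # skip blanks and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def audit(text, port="1194"):
    """Return findings where the profile differs from the setup in this guide."""
    d, b = parse_ovpn(text)
    findings = []
    if not any(len(a) > 1 and a[1] == port for a in d.get("remote", [])):
        findings.append(f"port: no 'remote' entry uses port {port} (WAN rule)")
    if "auth-user-pass" not in d:
        findings.append("auth: no auth-user-pass, client will not send username/password")
    if not ({"remote-cert-tls", "verify-x509-name"} & d.keys()):
        findings.append("server-verify: no remote-cert-tls or verify-x509-name")
    for name in ("comp-lzo", "compress"):
        if name in d:
            findings.append(f"compression: '{name}' present, server has Compression: Disabled")
    if "key" in b:
        findings.append("secret: private key embedded, handle the file as a credential")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OVPN)))
```
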


Step 5 – Configure Firewall Rules

To allow VPN traffic, firewall rules must be configured.


#1 WAN Rule

Navigate to:

 
Firewall → Rules → WAN
 

Add a rule:

 
Action: Pass
Interface: WAN
Protocol: UDP
Source: any
Destination: WAN Address
Port: 1194
 

Then click:

 
Save → Apply
 

This rule allows OpenVPN traffic from the internet to reach the pfSense firewall.


#2 OpenVPN Rule

This rule, added on the OpenVPN tab of the firewall rules, controls what VPN clients are allowed to access inside the network.

If you only want to allow access to specific services, you can restrict traffic in the Destination field.


2️⃣ Install the VPN Client

Once the server is configured, the next step is to install the OpenVPN client on user devices.


Windows VPN Client

#1 OpenVPN Community Client (OpenVPN GUI – free)

Homepage:

 
https://openvpn.net/community-downloads/
 

This is one of the most commonly used VPN clients for Windows because it is lightweight and easy to use.

You can download it directly from the link above.


#2 OpenVPN Connect (Official Client)

Homepage:

 
https://openvpn.net/vpn-client/
 

This official client is available for:

  • Windows

  • macOS

  • iOS

  • Android

It provides a more modern interface and simplified connection management.


3️⃣ Mobile Applications

You can also connect to the VPN using smartphones or tablets.

Android

Download from Google Play:

 
OpenVPN Connect
 

iOS

Download from the App Store:

 
OpenVPN Connect
 

4️⃣ Import and Connect to the VPN

After installing the client application:

  1. Run the OpenVPN application

  2. Right-click and choose Import

 
Import the exported .ovpn file
 

Then connect:

 
Connect → enter username/password
 

Once the connection is successful, the client device will receive an IP address from:

 
10.8.0.0/24
 

You can test connectivity by accessing internal resources:

 
ping 192.168.16.173
 

or

 
curl http://192.168.16.173
 

If the configuration is correct, the remote device will be able to access internal services through the VPN tunnel.
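When the OpenVPN rule from Step 5 restricts the Destination field, the connectivity test should also confirm that everything else is blocked. The following is an added example, not part of the original tutorial: it checks the assigned address against the tunnel network and probes both allowed and disallowed targets from the connected client. The policy in the main block (only HTTP on 192.168.16.173 allowed) and the function names are assumptions for illustration.

```python
import ipaddress
import socket

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # Tunnel Network from Step 2

def in_tunnel(addr):
    """True if the address handed to the client lies in the tunnel network."""
    return ipaddress.ip_address(addr) in TUNNEL_NET

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify(expect_open, expect_blocked, probe=tcp_open):
    """Compare actual reachability with what the OpenVPN rule should allow."""
    problems = []
    for host, port in expect_open:
        if not probe(host, port):
            problems.append(f"{host}:{port} should be reachable but is not")
    for host, port in expect_blocked:
        if probe(host, port):
            problems.append(f"{host}:{port} is reachable but should be blocked")
    return problems

if __name__ == "__main__":
    import sys
    # Optional argument: the VPN address shown by the client after connecting.
    if len(sys.argv) > 1 and not in_tunnel(sys.argv[1]):
        print(f"{sys.argv[1]} is not inside {TUNNEL_NET}")
    # Assumed policy for illustration: only the web server on .173 is allowed.
    allowed = [("192.168.16.173", 80)]
    blocked = [("192.168.16.174", 80), ("192.168.16.208", 80)]
    for problem in verify(allowed, blocked):
        print(problem)
```
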


Important Note

This setup assumes that the pfSense firewall has a static public IP address.

If you are using a dynamic public IP, you will need an additional setup:

  • A domain name with DNS API support

  • A DNS record pointing to the public IP

  • A VM or script that periodically checks the public IP

  • Automatic updates when the IP address changes

This ensures that VPN clients can always connect even when the public IP changes. A detailed implementation of this model can be demonstrated in future tutorials.


Conclusion

Setting up VPN Client-to-Site pfSense using OpenVPN provides a secure and reliable way for remote users to access internal network resources.

With this configuration, administrators can:

✔ Provide secure remote access to internal systems
✔ Encrypt all traffic between clients and the network
✔ Control access using firewall rules and certificates

This approach is widely used in enterprise networks, remote work environments, and lab infrastructures, making pfSense a powerful and flexible VPN solution.
