Virtual Private Networking

A virtual private network secures public network connections and in doing so it extends the private network into the public network such as internet. With a VPN you can create large secure networks that can act as one private network.


(picture from wikipedia)

Companies use this technology for connecting branch offices and remote users (road warriors).

OPNsense supports VPN connections for branch offices as well as remote users.

Creating a single secured private network with multiple branch offices connecting to a single site can easily be setup from within the graphical user interface. For remote users, certificates can be created and revoked and a simple to use export utility makes the client configuration a breeze.

OPNsense offers a wide range of VPN technologies ranging from modern SSL VPNs to well known IPsec as well as WireGuard and Zerotier via the use of plugins.



Since IPsec is used in many different scenario’s and sometimes has the tendency to be a bit complicated, we will describe different usecases and provide some examples in this chapter.

Site 2 Site policy based

Probably one of the oldest and most used scenarios is the policy based one.

Like all IPsec configurations, a standard site to site setup starts with a so called “Phase 1” entry to establish the communication between both peers defined in VPN -> IPsec -> Tunnel Settings. After the phase 1 is configured, the “Phase 2” defines which policies traffic should match on.

Since the kernel traps traffic matching defined policies, no additional routing need to be configured in order to communicate between both ends of a tunnel.


Using Network Address Translation in these types of setups is different, due to the fact that the installed IPsec policy should accept the traffic in order to encapsulate it. The IPSec BINAT document will explain how to apply translations.


When matching overlapping networks in a policy, make sure to exclude your own network segments in the Passthrough networks option in VPN -> IPsec -> Advanced Settings to prevent traffic being blackholed.

Site 2 Site route based (VTI)

Unlike the policy based setup described in the previous chapter, the route based variant depends on custom routes being installed on both ends of the tunnel. When adding a route based tunnel, the system will add an interface for you which you can use in normal routing operations.


In order to keep track of the connected tunnels, you can use the VPN -> IPsec -> Status Overview to browse through the configured tunnels.

The VPN -> IPsec -> Security Policy Database is also practical to gain insights in the registered policies, when NAT is used, the additional SPD entries should be visible here as well.

When troubleshooting problems with your firewall, it is very likely you have to check the logs available on your system. In the UI of OPNsense, the log files are generally grouped with the settings of the component they belong to. The log files can be found in the “Log file” menu item.


When trying to debug various issues, the amount of log information gathered can be configured using the settings in VPN -> IPsec -> Advanced Settings.


One of the main advantages of OpenVPN in comparison to IPsec is the ease of configuration, there are less settings involved and it’s quite simple to export settings for clients.

Site 2 Site

OpenVPN on OPNsense can also be used to create a tunnel between two locations, similar to what IPsec offers, generally the performance of IPsec is higher which usually makes this a less common choice.


When using the site to site example with SSL/TLS instead of a shared key, make sure to configure “client specific overrides” as well to correctly bind the remote networks to the correct client.

Road Warriors / Mobile users

Mobile usage is really where OpenVPN excells, with various (multifactor) authentication options and a high flexibility in available network options.

Client Specific Overrides

The mechanism of client overrides utilises OpenVPN client-config-dir option, which offer the ability to use specific client configurations based on the client’s X509 common name.

It is possible to specify the contents of these configurations in the gui under VPN -> OpenVPN -> Client Specific Overrides. Apart from that, an authentication server (System -> Access -> Servers) can also provide client details in special cases when returning Framed-IP-Address, Framed-IP-Netmask and Framed-Route properties.


Radius can be used to provisioning tunnel and local networks.

A selection of the most relevant settings can be found in the table below.

Client Specific Overrides




Set this option to disable this client-specific override without removing it from the list


Select the OpenVPN servers where this override applies to, leave empty for all

Common name

The client’s X.509 common name, which is where this override matches on

IPv[4|6] Tunnel Network

The tunnel network to use for this client per protocol family, when empty the servers will be used

IPv[4|6] Local Network

The networks that will be accessible from this particular client per protocol family.

IPv[4|6] Remote Network

These are the networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established.

Redirect Gateway

Force the clients default gateway to this tunnel

Plugin VPN options

Via plugins additional VPN technologies are offered, including:

  • OpenConnect - SSL VPN client, initially build to connect to commercial vendor appliances like Cisco ASA or Juniper.

  • Stunnel - Provides an easy to setup universal TLS/SSL tunneling service, often used to secure unencrypted protocols.

  • Tinc - Automatic Full Mesh Routing

  • WireGuard - Simple and fast VPN protocol working with public and private keys.

  • Zerotier - seamlessly connect everything, requires account from, free for up to 100 devices.