
OpenVPN Remote Access on pfSense

Full guide to configuring secure remote access VPN on pfSense using the OpenVPN wizard, user certificates, and the client export package for easy OVPN profile download.

Intermediate ~60 minutes pfSense 2.6+ or OPNsense
pfSense OpenVPN VPN Remote Access Certificate Authority Split Tunnel
Overview

OpenVPN on pfSense lets you securely access your home network from anywhere, whether you're on your phone, laptop, or a client PC. With the openvpn-client-export package, you can generate a ready-to-import .ovpn profile for any device without manual cert management.

This guide sets up Remote Access (User Auth) mode: users authenticate with a username and password. This is suitable for homelab and small-team use cases where per-user access control matters.

This guide applies to both pfSense CE and pfSense Plus. The wizard UI is essentially identical. OPNsense users can follow a similar flow via VPN → OpenVPN → Servers.
Install the Client Export Package

The client export package adds a UI for downloading pre-configured OVPN files. Install it first.

  1. Navigate to Package Manager

    In pfSense: System → Package Manager → Available Packages

  2. Search and Install

    Search for openvpn-client-export and click Install. Wait for completion.

Run the OpenVPN Wizard
  1. Launch the Wizard

    Go to VPN → OpenVPN → Wizards. Select Local User Access as the server type.

  2. Choose Type of Server

    For home use, select Local User Access. This uses the pfSense local user database, so no LDAP or RADIUS is required.

Certificate Authority Setup

The wizard creates a new Certificate Authority (CA) that signs all client and server certs for this VPN.

  1. Create a New CA

    Fill in the CA details: Country, State, City, Organization, Email, and Common Name (e.g. HomeLab-CA). Set Key Length to 2048 or 4096.

  2. Click "Create New Certificate"

    The CA is saved internally. The wizard will use it to sign the server certificate automatically.

Tunnel Network Configuration

This is the most important part: configure your VPN subnet and which networks VPN clients can reach.

  1. Set a Description

    Give the VPN server a meaningful name (e.g. HomeLab-VPN). This appears in logs and the UI.

  2. Configure Tunnel Network

    Enter the VPN subnet. It should be different from your LAN. Example: if your LAN is 10.10.10.0/24, use 10.10.11.0/24 for the VPN tunnel.

  3. Full Tunnel vs Split Tunnel

    To route all client traffic through the VPN (full tunnel), check Redirect Gateway. For split tunnel (only route homelab subnets), leave this unchecked and specify local networks in the next field.

  4. Set Local Networks

    Enter all subnets you want VPN clients to reach, separated by commas. Example for multiple VLANs:

    10.10.10.0/24, 10.10.20.0/24, 10.10.50.0/24

    Leave blank if using full tunnel mode.

  5. Firewall Rules

    On the next page, check both boxes to add firewall rules automatically. This creates rules on the WAN to allow OpenVPN traffic and rules on the VPN interface to allow access.
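The subnet choices in steps 2 to 4 can be sanity-checked before they are typed into the wizard. The following is an added example, not part of the original guide or of pfSense: it checks that the tunnel network does not overlap the LAN or any routed subnet and prints the standard OpenVPN `push` directives that express the same routing choice. The function names are hypothetical; the addresses are the guide's own examples.

```python
import ipaddress

def parse_networks(field):
    """Split a comma-separated 'Local Networks' value into network objects."""
    return [ipaddress.ip_network(p.strip()) for p in field.split(",") if p.strip()]

def plan_tunnel(tunnel, lan, local_networks="", redirect_gateway=False):
    """Check the wizard values and return (problems, push_directives)."""
    try:
        tun = ipaddress.ip_network(tunnel.strip())
        lan_net = ipaddress.ip_network(lan.strip())
        routed = parse_networks(local_networks)
    except ValueError as err:  # bad CIDR or host bits set, e.g. 10.10.10.1/24
        return [f"invalid network: {err}"], []
    problems = []
    for label, net in [("LAN", lan_net)] + [("local network", n) for n in routed]:
        if tun.overlaps(net):
            problems.append(f"tunnel {tun} overlaps {label} {net}")
    if redirect_gateway and routed:
        problems.append("full tunnel: leave Local Networks blank")
    if not redirect_gateway and not routed:
        problems.append("split tunnel: Local Networks is empty")
    if redirect_gateway:
        # Full tunnel: the client's default route goes through the VPN.
        push = ['push "redirect-gateway def1"']
    else:
        # Split tunnel: one route per subnet the clients should reach.
        push = [f'push "route {n.network_address} {n.netmask}"' for n in routed]
    return problems, push

if __name__ == "__main__":
    # Values taken from the guide's examples.
    problems, push = plan_tunnel(
        "10.10.11.0/24", "10.10.10.0/24",
        "10.10.10.0/24, 10.10.20.0/24, 10.10.50.0/24")
    print("problems:", problems or "none")
    print("\n".join(push))
```
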

After the wizard finishes, go to VPN → OpenVPN → Servers and click the edit (pencil) icon. Change Server Mode from "Remote Access (SSL/TLS)" to "Remote Access (User Auth)". Scroll down and save. This enables username/password authentication.
User Management
  1. Open User Manager

    Go to System → User Manager → Users → Add.

  2. Create VPN Users

    Create a username and password for each person who needs VPN access. This account does not need admin privileges; a standard user account is sufficient.

  3. Generate a User Certificate (Optional)

    For certificate + password auth (more secure), scroll down in the user edit page and click Add Certificate. The certificate will be embedded in the exported OVPN profile.

Export Client Config
  1. Navigate to Client Export

    Go to VPN → OpenVPN → Client Export. Scroll to the bottom of the page.

  2. Download the Config

    You'll see export options per user. Download the appropriate format for your device:

    • Windows: Viscosity bundle or standard OVPN
    • iOS/Android: Standard OVPN inline
    • Linux: Standard OVPN
    • macOS: Tunnelblick bundle
Connect from a Client Device
  1. Install OpenVPN Client

    Download OpenVPN Connect on your device (Windows, macOS, iOS, Android all supported).

  2. Import the .ovpn File

    Open OpenVPN Connect, click Import Profile, and select your downloaded .ovpn file. It contains the server address, port, certificates, and encryption settings embedded inline.

  3. Connect and Verify

    Enter your username and password when prompted, then connect. Verify access by browsing to an internal service (e.g. your Portainer UI) from the connected device while on a cellular connection.

Once set up, the OVPN profile can be shared with family/teammates via email or Bitwarden Send. They just import the file and enter their credentials; no manual cert management is required.
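Because the exported profile carries its certificates inline, it helps to see exactly what a given file contains before it is imported or sent to someone. The following is an added example, not code from the original guide or from the export package: it parses an .ovpn file and reports its remote, whether it prompts for a password, whether a client certificate and private key are embedded, and whether the client verifies the server certificate. The sample profile, host name and function name are constructed placeholders.

```python
import re

# Constructed sample profile; host name and key material are placeholders.
SAMPLE_PROFILE = """\
dev tun
client
remote vpn.example.net 1194 udp4
auth-user-pass
remote-cert-tls server
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""

# An inline block is <name> ... </name>, each tag on its own line.
BLOCK = re.compile(r"^<([a-z0-9-]+)>\s*$.*?^</\1>\s*$", re.MULTILINE | re.DOTALL)

def audit_profile(text):
    """Summarise what an .ovpn profile embeds and how it authenticates."""
    inline = {m.group(1) for m in BLOCK.finditer(text)}
    # Remove inline blocks so PEM lines are not parsed as directives.
    body = BLOCK.sub("", text)
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.strip())
    return {
        "remotes": directives.get("remote", []),
        "prompts_for_password": "auth-user-pass" in directives,
        "embeds_client_cert": "cert" in inline,
        "embeds_private_key": "key" in inline,
        "checks_server_cert": any(
            d in directives for d in ("remote-cert-tls", "verify-x509-name")),
    }

if __name__ == "__main__":
    for item, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{item}: {value}")
```

A profile that reports `embeds_private_key: True` holds that user's key in plain text, so the file itself is a credential alongside the password.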
Split Tunnel vs Full Tunnel
Mode         | What Gets Routed               | Use Case
Split Tunnel | Only local subnets (10.x.x.x)  | Homelab access; internet stays direct
Full Tunnel  | All traffic including internet | Privacy on public WiFi; content filtering

For homelab access without impacting internet speeds, split tunnel is recommended. Full tunnel is useful when you want your pfSense's firewall/content filters to apply to remote clients (parental controls, blocking, etc.).
