Configuring a Tunnel between an EdgeRouter X and pfSense

pfSense is great because it can be installed as a VM in a datacenter and handle enterprise-grade routing and reporting. EdgeRouters are great because they're readily available and at a very reasonable cost.

Both support OpenVPN, which tends to be a reliable, easy-to-use VPN protocol and does not require the VPN client to have a static IP address. There is no GUI for OpenVPN on the EdgeRouter, but it is pre-installed and can easily be configured from the CLI.

Once you've configured the OpenVPN server in the pfSense interface, the OpenVPN Client Export package provides an export feature that creates an .ovpn file containing the configuration information (and certificates) required for the client side, in this case the EdgeRouter.

I initially had an issue, as the config file included a "pull" command that the EdgeRouter complained was not valid without the TLS-Server or TLS-Client specified. I manually edited the file and removed the "pull" line, and then the tunnel connected without issue.

Copy the edited .ovpn file to /config on the EdgeRouter (that directory persists across firmware upgrades), then from the EdgeRouter CLI enter configuration mode and run:

# configure
# set interfaces openvpn vtun0 config-file /config/nameofyourconnection.ovpn
# commit
# set service nat rule 5020 description 'masquerade for Tunnel'
# set service nat rule 5020 outbound-interface vtun0
# set service nat rule 5020 type masquerade
# set service nat rule 5020 protocol all
# commit
# save

The first commit brings up vtun0 from the profile; the masquerade rule then source-NATs traffic from the LAN behind the EdgeRouter to the tunnel address, so the pfSense side only needs a route back to vtun0's address rather than to the whole LAN.
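As an added example (this is not code from the post, and not part of pfSense or EdgeOS), the following POSIX shell script performs the profile fix-up described above, dropping the "pull" line (and any server-only "push" lines) from an exported profile, and prints the EdgeOS commands that load it. The sample profile is constructed to look like a pfSense export with the certificate blocks left out; the host name, file names and the vtun/NAT rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Sanitizes a pfSense-exported
# OpenVPN client profile for use as an EdgeOS "config-file" and emits the
# configuration-mode commands from the walkthrough.

# Constructed sample of an exported profile (not a real export; the <ca>,
# <cert>, <key> and <tls-auth> blocks are omitted). Host name is assumed.
write_sample_profile() {
    cat > "$1" <<'EOF'
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.net 1194 udp
pull
verify-x509-name "pfsense-server" name
remote-cert-tls server
# <ca> ... </ca> and other inline certificate blocks omitted in this sample
EOF
}

# Returns 0 if the profile contains the directive named in $2, 1 otherwise.
# Matches only whole directive names, so "push" does not match "push-peer-info".
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Write a copy of $1 to $2 with "pull" and "push" lines removed. "client"
# already implies pull on the client side, so nothing is lost by dropping it.
sanitize_ovpn() {
    grep -Ev '^[[:space:]]*(pull|push)([[:space:]]|$)' "$1" > "$2"
}

# Print the EdgeOS configuration-mode commands for a profile that has been
# copied to /config on the router. vtun0 and rule 5020 default to the
# values used in the walkthrough; both are assumptions.
edgeos_commands() {
    profile="$1"; vtun="${2:-vtun0}"; rule="${3:-5020}"
    cat <<EOF
configure
set interfaces openvpn $vtun config-file /config/$profile
commit
set service nat rule $rule description 'masquerade for Tunnel'
set service nat rule $rule outbound-interface $vtun
set service nat rule $rule type masquerade
set service nat rule $rule protocol all
commit
save
exit
EOF
}

# Usage: ./prep-ovpn.sh exported.ovpn site.ovpn
# Then scp site.ovpn to the router's /config and paste the printed commands.
if [ -n "$1" ] && [ -n "$2" ]; then
    sanitize_ovpn "$1" "$2"
    if has_directive "$2" pull; then
        echo "pull still present in $2" >&2
        exit 1
    fi
    edgeos_commands "$(basename "$2")"
fi
```

Run it on the real export instead of the constructed sample; the only edit it makes is the one the post describes, so the certificates and cipher settings from pfSense pass through untouched.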

Other Notes:

  • OpenVPN logs to syslog on EdgeOS, so connection and TLS errors end up in /var/log/messages (for example, grep openvpn /var/log/messages)
  • I manually added a push route command to the client config file
    push "route"
  • EdgeOS 2.x and pfSense 2.4.x both ship the OpenVPN 2.4.x series (not 1.2.4, which is not a real release), so the cipher and TLS options in the exported profile are supported on both ends
  • Tunnel status is written to /var/run/openvpn/status/vtunX (vtun0 here); show interfaces openvpn vtun0 shows the interface state
  • To apply an edited config file, delete the interface and re-create it: delete interfaces openvpn vtun0, commit, then set it again as above


Published by

Dar Zuch
