[How-to] Setup VPN between pfsense and FreePBX


There are tutorials on setting VPN clients in pfsense and VPN server. This is specific for pfsense and FreePBX VPN connections for sites that have phones without VPN capability. For this tutorial I used FreePBX 14 and pfSense 2.4.4.

Step-by-step guide

I assume you have pfsense up and running. For installation of pfsense I recommend reviewing pfSense Documentation https://docs.netgate.com/pfsense/en/latest/#pfsense-documentation or some other tutorials https://youtu.be/9kSZ1oM-4ZM .


In FreePBX:

  • Enable VPN Server in FreePBX.

  • Create VPN Client 

  • Download the client files: sysadmin_ca.crt, sysadmin_client1.conf, sysadmin_client1.crt, sysadmin_client1.key, and sysadmin_client1.ovpn.

In pfsense:

  • Go to System >> Certificate Manager >> CAs >> Add. Change Method to “Import an existing Certificate Authority”. Give it a Descriptive name. Copy and Paste content of sysadmin_ca.crt i to Certificate data and Save.

  • Go to System >> Certificate Manager >> Certificates >> Click Add/Sign >> Change Method to “Import an existing Certificate” >> give it a Descriptive name >> Copy and Past content of sysadmin_client1.crt (everything!) into Certificate data & content of sysadmin_client1.key into Private key data >> Save.

  • Go to VPN >> OpenVPN >> Clients >> Click Add >> Keep all defaults except >> Server host or address (you FreePBX IP address), Server port (FreePBX VPN port default is “1194”) >> give it a Description >> Uncheck Use a TLS Key in TLS Configuration >> Peer Certificate Authority select the CA created above >> Client Certificate select the Certificate created above >> Encryption Algorithm “AES-128-CBC  (128 bit key, 128 bit block)” >> Enable NCP Checked >> NCP Algorithms AES-128-GCM, BF-CBC, AES-256-CBC >> Auth digest algorithm SHA1 (160-bit) >> Optional Hardware Crypto >> Compression LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility] >> Custom options auth-nocache;resolv-retry infinite;persist-key;Persist-tun; remote-cert-tls server; ignore-unknown-option block-outside-dns; >> Gateway creation IPv4 only >> Click Save.

  • Go to Interfaces >> Interface Assignments >> Available network ports >> Click add next to the VPN client created >> Under Interface click to the name to open >> Enable checked >> Description give it a name >> Click save.

  • Go to Firewall >> Aliases >> IP >> Click add >> give it a Name and Description >> Type “Host(s)” >> IP or FQDN add IP addresses of the VoIP phones >> Click save.

  • Go to Firewall >> Rules >> LAN >> Action Pass >>  Address Family IPv4 >> Protocol Any >> Source Single host or alias and type the Alias name of the IP phones >> Destination Any >> Advanced Options >> Gateway select the interface created above >> Click Save.

  • Go to Firewall >> NAT >> Outbound (! may need to change the mode to Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT) and click save) >> Click Add >> Interface select the one created from the VPN Client >> Protocol Any >> Source Network (your network range for example  >> Destination Any >> Address Interface Address >> Click save.


Go to    Status >> OpenVPN >> It should be up.

Go to   FreePBX >> System Admin >> VPN Server >> pfsense client should be connected.

  1. pfSense Documentation

  2. YouTube video: pfsense 2.4 from install to secure

  3. FreePBX wiki: VPN Server

  4. FreePBX wiki: VPN Setup

  5. pfSense Documentation: Configuring NAT for VoIP Phones

  6. Firewall Best Practices for VoIP on pfSense


Return to Documentation Home I Return to Sangoma Support