Cloudflare Docs
Magic WAN
Visit Magic WAN on GitHub
Set theme to dark (⇧+D)

pfSense

This tutorial explains how to set up a policy-based or route-based IPsec VPN with a pfSense device.

​​ (Policy-based only) LAN interface configuration

  1. From the pfSense WebGUI, select Interfaces > LAN.
  2. Choose an interface from the Available network ports list.
  3. Select Add. The General Configuration dialog displays.

Refer to the image below for guidance on which values to use.

General configuration dialog for interface setup for a policy based configuration

FieldValue
Enable✔️ Enable interface
DescriptionLAN
IPv4 Configuration TypeStatic IPv4
IPv6 Configuration TypeStatic IPv6
MSS1446

​​ Phase 1

Policy-based configuration

pfSense IPsec phase 1 setting values for a policy based configuration

FieldValue
DescriptionName
Key Exchange VersionIKE v2
Internet ProtocolIPv4
InterfaceWAN
Remote Gateway<Anycast IP provided by Cloudflare>

pfSense IPsec phase 1 expiration and replacement values for a policy based configuration

FieldValue
Life Time28800
Rekey Time14400
Reauth Time0
Route-based configuration

pfSense IPsec phase 1 setting values for a route based configuration

FieldValue
DescriptionName
Key Exchange VersionIKE v2
Internet ProtocolIPv4
InterfaceWAN
Remote Gateway<Anycast IP provided by Cloudflare>

pfSense IPsec phase 1 expiration and replacement values for a route based configuration

FieldValue
Life Time28800
Rekey Time14400
Reauth Time0

​​ Phase 2

Policy-based configuration

pfSense IPsec phase 2 general information values

FieldValue
DescriptionName
ModeTunnel IPv4
Local Network<Local Network to be tunneled>
NAT/BINAT translationNone
Remote NetworkRemote network available via the tunnel

pfSense IPsec phase 2 key exchange values

FieldValue
ProtocolESP
Encryption Algorithm✔️ AES128-GCM, 128 bits
PFS key group14 (2048 bit)

pfSense IPsec phase 2 key exchange values

FieldValue
Life Time3600
Rekey Time3240
Rand Time360
Automatically ping hostSpecify an IP address available via the tunnel. Refer to the Description field for more information.
Route-based configuration

pfSense IPsec phase 2 general information for a route based configuration

pfSense IPsec phase 2 network settings for a route based configuration

FieldValue
DescriptionName
ModeRouted (VTI)
Local Network<Local Tunnel Inside IP>
Remote Network<Remote Tunnel Inside IP>

pfSense IPsec phase 2 key exchange values for a route based configuration

FieldValue
ProtocolESP
Encryption Algorithm✔️ AES128-GCM, 128 bits
PFS key group14 (2048 bit)

pfSense IPsec phase 2 key exchange values

FieldValue
Life Time3600
Rekey Time3240
Rand Time360
Automatically ping hostSpecify an IP address available via the tunnel. Refer to the Description field for more information.

​​ (Route-based only) Interface assignment

  1. From the pfSense WebGUI, select Interfaces > LAN.
  2. Choose an interface from the Available network ports list.
  3. Select Add. The General Configuration dialog displays.

Refer to the image below for guidance on which values to use.

General configuration dialog for interface setup for a policy based configuration

FieldValue
Enable✔️ Enable interface
DescriptionLAN
IPv4 Configuration TypeStatic IPv4
IPv6 Configuration TypeStatic IPv6
MSS1446
  1. From the pfSense WebGUI, select Interfaces > Assignments.

pfSense interface assignment settings for route based configuration

  1. From Available network ports, select + Add.

Adding an interface to a pfSense interface assignment with a route based configuration

  1. Under Interface, select OPT1.

pfSense interface general configuration settings for a route based configuration

  1. Ensure Enable interface is selected.
  2. For Description, add a description to help you identify the interface.
  3. For MSS, enter 1446, which should be the same as the LAN interface.
  4. Select Save to save your changes when you are done.

​​ Routing configuration

  1. From the pfSense WebGUI, select System, Routing, Static Routes.
  2. On the Static Routes page, select Add.
  3. Create static routes for all network that will be routed via the tunnel with Gateway as the IPsec VTI interface.

pfSense interface routing configuration settings for a route based configuration

​​ Firewall configuration

  1. From the pfSense WebGUI, select Firewall Rules.
  2. Select LAN.
  3. Ensure a rule exists that allows traffic from LAN to IPsec.
  4. Select Save when you are done.

If you need to allow traffic from IPsec to LAN, you will need to create rules that allow this.