How To Port Forward In pfSense So VPN To RRAS Works From Outside

I have set up a Windows Server 2019 RRAS VPN server which works internally.

I’m trying to get this to work from the outside using Windows 11 built-in VPN client and I’m not getting much joy - largely due to my lack of understanding of pfSense.

I have looked at various pfSense documents and other online articles but not had much success.

Our WAN interface only has 1 public facing IP address available to us so I thought port forwarding could work.

Am I able to achieve this with my current setup?

I’m aware pfSense has its own VPN options but we are looking to use the same setup we have in another office of ours.

The only difference with that setup is the pfSense in that location has HAProxy set up and we do have more than 1 public facing IP available to us.

What does your NAT rule look like?

Firewall → NAT → Port Forward

Thanks for the reply @xMAXIMUSx

My NAT rule looks like:

NAT IP pointed to my RRAS server’s internal IP address.

I’m using port 443 as I understand this supports SSTP VPN (I may be wrong here).

What doesn’t work exactly?

My guess is this is a routing issue.

BTW, given your setup you want to lock this port down to your remote office. Putting old Microsoft VPN on the open internet is not the best idea.

Thanks for the reply @liquidjoe

Yes, it does sound like a routing issue.

When I set up the Windows client VPN and have the server address as the external IP address of my WAN interface, I’m unable to establish a VPN connection.

Regarding your last comment, if I lock this port down to our remote office, will this not prevent our users from connecting from home? Or have I misunderstood you?

OK, so the connection is not being made. So this is not a routing issue quite yet. Must be a forwarding issue on your gateway. Check the forwarding ports and possibly the FW rules on the windows box. Logs are your friend.

I thought you were just using this to link offices together. Using your windows 2019 server as a VPN gateway is a really bad idea in my opinion. I recommend you put your VPN server in a VM or container. That is the safest approach.

As the connection is not being made, I’m not sure I will find anything in the logs.

As I’m able to connect internally I’m assuming the FW rules on the Windows server are set right. As a test I did disable Windows firewall but still couldn’t connect from outside.

The VPN server is a VM.

What port do you have configured for the management port of pfSense: HTTP or HTTPS?

System → Advanced → Admin Access: if HTTPS, change the TCP port if it is using 443.

On the NAT rule, under ‘Filter rule association’, have you created a filter rule?

Thanks for the reply @Paul

I just checked and it’s HTTPS but there is no port number in the TCP port field.

Do I need to put a port number in this field (something different to 443)?

Regarding the filter rule, it created the rule as part of the port forwarding I created (I can see this under Firewall > Rules > WAN).

Try another port number instead of 443; enter another unused port.

Just remember that to access pfSense you will have to use https://pfsenseipaddress:https port

i.e. https://192.168.0.1:445

There may be a conflict between the pfSense management port and the VPN port, both on 443.

So I made the management port 8443, but my VPN client is still saying no…

Thanks for your input all, I have managed to resolve this myself.

It was related to the lack of an SSL certificate; I thought I could get away with a self-signed one.

My port forward settings on the pfSense were correct.
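The thread ends up distinguishing three situations: nothing answering on the forwarded port (the NAT rule or WAN filter rule), something answering on 443 that is not the RRAS server (the pfSense GUI conflict), and TLS answering with a certificate the client will not trust (the self-signed certificate). The probe below, run from a host outside the WAN, is an added example and not from the thread or from pfSense/RRAS; the WAN address is a placeholder you replace.

```python
import socket
import ssl


def probe_sstp_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port the way an SSTP client starts: TCP, then a verified
    TLS handshake. Returns {'status', 'subject', 'detail'} where status is:
    'refused'        nothing accepted the TCP connection (NAT forward / WAN rule)
    'unreachable'    timeout or no route (also points at the forward or a firewall)
    'cert_untrusted' TLS answered but the chain fails validation (self-signed cert)
    'tls_error'      something answered on the port but it is not speaking TLS
    'ok'             trusted certificate presented; subject shows which server replied
    """
    result = {"status": None, "subject": None, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        result.update(status="refused", detail=str(exc))
        return result
    except OSError as exc:  # TimeoutError, EHOSTUNREACH, ENETUNREACH, ...
        result.update(status="unreachable", detail=str(exc))
        return result
    # The default context validates chain and hostname against the local CA
    # store, the same decision the Windows VPN client makes with its own store.
    ctx = ssl.create_default_context()
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject", ())
                result["subject"] = {k: v for rdn in subject for k, v in rdn}
                result["status"] = "ok"
        except ssl.SSLCertVerificationError as exc:
            # e.g. "self-signed certificate" or a hostname mismatch
            detail = getattr(exc, "verify_message", None) or str(exc)
            result.update(status="cert_untrusted", detail=detail)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            result.update(status="tls_error", detail=str(exc))
    return result


def free_local_port() -> int:
    """Pick an unused loopback port; used to self-test the 'refused' branch."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # WAN_IP_PLACEHOLDER: replace with the pfSense WAN address or its DNS name
    print(probe_sstp_port("WAN_IP_PLACEHOLDER"))
```

A 'cert_untrusted' result with "self-signed certificate" in the detail is the state the original poster ended in; an 'ok' result whose subject names the pfSense box rather than the RRAS server is the 443 conflict described above.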