Pfsense firewall rule to allow VPN connections to see a single machine on the LAN

I know this has gotta be pretty simple, but my firewall-fu is poor.

I’m just trying to give my phone access to a single server on my LAN when away. I have OpenVPN set up and can connect to my home network while away, but I’ve set it up on a different subnet. I want to allow access to one machine on the LAN.

Specifically, 10.0.0.36 should be visible to VPN connections (10.0.2.0).

Any help would be GREATLY appreciated!

You choose what subnets are available under the “IPv4 Local network(s)” option in the VPN settings.

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

Oh! Can I specify a single machine there too?

I.e., 10.0.0.36, allowing access to that one machine but not the rest of the 10.0.0.0 subnet?

No, it is done by subnet, but you can create firewall rules to limit things. Or you can go a bit more in depth such as I did here in this tutorial:

Specifying a single machine should be possible by using a /32 prefix, e.g. 10.0.0.36/32.

I might be wrong on this, but I believe the “IPv4 Local network(s)” input is simply a GUI wrapper for the push route option. So it makes the client add a route, but you still need a firewall rule on the OpenVPN interface to allow the traffic.

For the VPN interface rules (source), first have a pass rule to a specific IP address (destination). Be sure to specify the needed traffic type (TCP, UDP, etc.). Then, below the pass rule, block access to all of your local networks.
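The two-rule ordering described in that last reply, written out in pf syntax as it would appear for the pfSense "OpenVPN" interface group; this is an added illustration, not something posted in the thread, and the /24 masks, the TCP port 22 and the rule labels are assumptions, since the thread gives only the addresses.

```pf
# Rules on the pfSense "OpenVPN" tab attach to the "openvpn" interface group and are
# evaluated top-down, first match wins (pfSense adds "quick" to every GUI rule).
# Assumed values: VPN tunnel network 10.0.2.0/24, LAN 10.0.0.0/24, service on TCP/22.

# 1. Pass rule first: VPN clients may reach only the one server, only on the needed port.
pass in quick on openvpn inet proto tcp from 10.0.2.0/24 to 10.0.0.36 port 22 \
    flags S/SA keep state label "USER_RULE: VPN to single LAN host"

# 2. Block rule directly below it: the rest of the LAN stays unreachable from the tunnel.
#    "log" makes denied attempts visible under Status > System Logs > Firewall.
block in quick log on openvpn inet from 10.0.2.0/24 to 10.0.0.0/24 \
    label "USER_RULE: deny VPN to rest of LAN"

# Any broad "allow any" rule on the OpenVPN tab (the wizard creates one) must sit
# below rule 2, or it will match LAN traffic before the block does.
```

Rule order is the whole point: swapping the two makes the block match first and the server becomes unreachable as well.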