pfSense OpenVPN firewall rules direction?


I have set up an OpenVPN client in pfSense and it works as expected. I added an interface for the OpenVPN connection (as I’ll also have OpenVPN remote access and that will have it’s own interface), I can see that I need a rule on the interface to allow traffic from my devices to pass over the OpenVPN connection. But, and maybe this is a silly question, are there also inbound rules that apply to that OpenVPN connection? Indeed, is it possible to treat that connection like a WAN and add port forwarding and inbound rules?
Then we come to remote access OpenVPN and site-to-site OpenVPN - How do the rules work for those?

I get that WAN rules are inbound and the other interfaces are outbound but what about VPN interfaces, surely they are both inbound and outbound?

Sorry for the rambling question but this is a bit confusing for me


If you use the OpenVPN wizard it will create a default any to any rule on the virtual OpenVPN adapter which works in conjunction with the default any to any rules on the LAN and WAN adapters to give full access to the local network and outbound to the internet. If you don’t use the wizard, you do need to create rules to allow traffic from the OpenVPN to the other networks it should be able to see. Do remember that on pfSense, any blocking rules you want need to be on the first adapter that will see the traffic. As an example, if you want to block port 3389 going to the LAN from the OVPN connection, you need to put that blocking rule on the OVPN adapter. If you want to block port 445 going to the OVPN network from the LAN, you need to put that rule on the LAN adapter.

When the interfaces are created a suite of rules are also created, so you can think of your OpenVPNs as just another LAN / network. (I don’t use the wizard for creating VPNs)

For my Remote Access Servers I treat them the same as I would treat my vlans, so they have varying rules. For my site to site connections I just allow all traffic to flow (as I trust the other site).

Then I have various Outbound rules. The WAN allows inbound traffic on the VPN ports that I use.

If you setup vlans it’s easy to get the idea of what the rules for VPNs should be.