How to Set up a VPN with Your Firewall for Secure Remote Access
Why Integrate a VPN with Your Firewall
Remote access without a VPN exposes your internal network to the internet on open ports, inviting scans, brute‑force attacks, and exploitation. A VPN adds an encrypted tunnel so all traffic between the remote user and your network is protected. When the VPN server runs behind or on the firewall itself, you gain a single chokepoint where security policies can be enforced. The firewall can block all inbound traffic except the VPN connection, then allow only authenticated and encrypted sessions to reach internal resources. This combination reduces the attack surface and gives you granular control over what remote users can access.
Choosing the Right VPN Protocol
Not all VPN protocols offer the same level of security, performance, or compatibility. Your choice affects firewall rule configuration and client ease of use.
OpenVPN
OpenVPN is the most widely supported open‑source protocol. It uses TLS for authentication and can run over TCP or UDP port 1194. It works through most firewalls and NAT devices, and offers strong encryption (AES‑256‑GCM). OpenVPN requires client software on each remote device.
WireGuard
WireGuard is a modern, lightweight protocol that uses state‑of‑the‑art cryptography (Curve25519, ChaCha20, Poly1305). It operates over UDP on a single port (default 51820). WireGuard is faster and simpler than OpenVPN, but some enterprise firewalls do not yet support it natively. It is ideal for sites that prioritize performance and minimal configuration overhead.
IPsec (IKEv2)
IPsec with IKEv2 offers native support on many operating systems (Windows, macOS, iOS, Android). It uses UDP ports 500 and 4500 for key exchange and ESP (protocol 50) for data. Firewalls must allow both ports and protocol 50. IPsec can be complex to set up, but provides strong security and built‑in mobility support.
SSL/TLS VPN (Client‑less or Full Tunnel)
Some firewalls offer SSL‑based VPNs that run over HTTPS (port 443). These are convenient because they often require no separate client—users connect via a web browser. However, they may not support all applications or provide the same level of encryption as dedicated protocols.
Prerequisites Before You Start
- A firewall appliance or router with VPN server capabilities (e.g., pfSense, OPNsense, Fortinet, Cisco ASA, or a Linux server with iptables/nftables).
- Administrator credentials for the firewall’s web interface or command line.
- A static public IP address (or a dynamic DNS hostname) so remote clients can reach the firewall.
- VPN client software for each remote device (e.g., OpenVPN Connect, WireGuard client, or native OS VPN clients for IPsec).
- Basic knowledge of TCP/IP, ports, and routing.
General Firewall Configuration Steps
The exact menus and names differ by vendor, but the logical workflow is consistent. The steps below assume you have already chosen a VPN protocol.
1. Enable the VPN Server on the Firewall
Log into the firewall’s administrative interface. Navigate to the VPN section—often labeled “VPN,” “Remote Access,” or “Services.” Enable the VPN server, select your protocol (OpenVPN, WireGuard, IPsec), and set the listening port or interface. For OpenVPN, you can use UDP port 1194 or change to a non‑standard port to reduce automated scans. For WireGuard, port 51820 is standard.
2. Generate Certificates or Pre‑Shared Keys
For OpenVPN, you need a Certificate Authority (CA) and server/client certificates. Most firewalls can generate these internally. For WireGuard, each peer gets a public/private key pair. For IPsec, you can use pre‑shared keys or certificates. Store private keys securely and distribute certificates or keys to users via a secure channel (e.g., encrypted email or a protected download link).
3. Create Firewall Rules to Allow VPN Traffic
This is the critical integration point. You need to add rules on the WAN interface to allow inbound traffic to the VPN server port(s).
- OpenVPN: Allow UDP (or TCP, matching the protocol the server instance is configured for) on port 1194 from any source IP. If you run both a UDP and a TCP instance, add a rule for each.
- WireGuard: Allow UDP on port 51820 from any source IP.
- IPsec: Allow UDP port 500, UDP port 4500, and protocol 50 (ESP) from any source IP.
Once a tunnel is up, the firewall sees it as its own virtual interface (e.g., tun0, wg0), separate from WAN and LAN. Traffic arriving on that interface is not automatically allowed anywhere, so add rules on the VPN interface that permit only the traffic remote users need to reach internal resources (LAN).
4. Configure Authentication and User Access
Most firewalls support local user databases, LDAP/Active Directory, or RADIUS. Create user accounts or groups. Assign each user the correct VPN configuration. For OpenVPN, you can use username/password with a certificate, or just certificates. For WireGuard, each user gets a unique key pair; the server must have a peer stanza for each client. For IPsec, you can use EAP‑MSCHAPv2 with IKEv2 for certificate‑less authentication.
5. Define Split Tunneling or Full Tunnel
Decide whether remote users should send all their traffic through the VPN (full tunnel) or only traffic destined for your internal network (split tunnel).
- Full tunnel: More secure because internet traffic also goes through your firewall and can be filtered. Higher latency and bandwidth use on your internet connection.
- Split tunnel: Reduces load on your firewall and improves performance for remote users, but the client's internet-bound traffic never passes through your firewall, so your security policies do not apply to it. Use with caution.
In the firewall, set the appropriate routing rules. For OpenVPN, you can push routes to clients. For WireGuard, you specify allowed IPs in the peer configuration.
6. Enable Logging and Monitoring
Turn on logging for VPN connections. Record authentication successes and failures, tunnel establishment, and data transferred. Review logs regularly to detect anomalies. Many firewalls integrate with syslog or provide built‑in reports.
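The steps above come together in one ruleset on a Linux host that is both the firewall and the VPN server. The script below is an added example, not code from the article: it generates an nftables ruleset that exposes only the VPN port on the WAN (step 3), rate limits and logs excess handshake attempts (step 6), lets VPN clients reach the LAN and, for full-tunnel clients, the internet (step 5), and keeps the firewall's management ports reachable from the LAN only. Interface names (eth0, eth1), the LAN subnet and the tunnel interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): emit an nftables ruleset for a Linux host that is
# both the firewall and the VPN server. Interface names and subnets below are assumptions.
WAN_IF=eth0                 # internet-facing interface
LAN_IF=eth1                 # internal network interface
LAN_NET=192.168.10.0/24     # assumed LAN subnet
VPN_NET=10.200.0.0/24       # VPN client subnet (the range suggested in the article)
# vpn_ruleset PROTO -> prints the ruleset; PROTO is openvpn (UDP 1194, tun0) or wireguard (UDP 51820, wg0)
vpn_ruleset() {
  case "$1" in
    openvpn)   vpn_if=tun0; vpn_port=1194 ;;
    wireguard) vpn_if=wg0;  vpn_port=51820 ;;
    *) echo "unsupported protocol: $1" >&2; return 1 ;;
  esac
  cat <<EOF
flush ruleset
table inet vpnfw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto icmp accept
    # Only the VPN port is reachable from the internet. New handshakes are rate limited;
    # attempts above the limit are logged, then dropped, so brute forcing shows up in syslog.
    iifname "$WAN_IF" udp dport $vpn_port ct state new limit rate 20/second accept
    iifname "$WAN_IF" udp dport $vpn_port ct state new log prefix "vpn-ratelimit: " drop
    # Management (SSH, HTTPS) only from the LAN: VPN clients are deliberately not listed.
    iifname "$LAN_IF" tcp dport { 22, 443 } accept
    # Everything else from the WAN is dropped by policy; log a sample of it for review.
    iifname "$WAN_IF" limit rate 5/minute log prefix "wan-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # VPN clients may reach the LAN ...
    iifname "$vpn_if" ip saddr $VPN_NET oifname "$LAN_IF" ip daddr $LAN_NET accept
    # ... and, for full-tunnel clients, the internet via the WAN (omit this line for split tunnel).
    iifname "$vpn_if" ip saddr $VPN_NET oifname "$WAN_IF" accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}
vpn_ruleset "${1:-wireguard}"
```

Save the output to /etc/nftables.conf and validate it with `nft -c -f /etc/nftables.conf` before loading it on a live firewall.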
Vendor‑Specific Examples
pfSense / OPNsense
pfSense and OPNsense are popular open‑source firewall distributions with robust VPN support. In pfSense, go to VPN > OpenVPN > Servers to add an OpenVPN instance. Set the interface to WAN, protocol to UDP, port 1194, and choose the TLS authentication settings. Under VPN > OpenVPN > Client Specific Overrides, you can assign static IPs or push routes. Then create firewall rules on the WAN interface (under Firewall > Rules) to allow UDP 1194. Finally, create rules on the OpenVPN interface tab to permit traffic to LAN subnets.
For WireGuard, install the WireGuard package if not included. Go to VPN > WireGuard, add a tunnel, generate keys, and configure peers. Add a firewall rule for the UDP port on WAN.
Example external resource: pfSense OpenVPN Documentation.
Fortinet FortiGate
FortiGate uses IPsec IKEv2 or SSL VPN. Go to VPN > IPsec Wizard and select “Remote Access.” Choose the local interface (WAN) and authentication method (pre‑shared key or certificate). The wizard automatically creates necessary firewall policies. For SSL VPN, configure the portal under VPN > SSL‑VPN Settings and create a firewall policy allowing SSL‑VPN traffic to internal zones.
External resource: Fortinet IPsec VPN Guide.
Cisco ASA / Firepower
On a Cisco ASA, use the command line or ASDM. For IPsec, configure an IKEv2 policy, a crypto map, and an access list permitting UDP 500/4500 and ESP. For AnyConnect SSL VPN, enable the WebVPN feature and assign the “SSL VPN” license. Firewall rules on the outside interface must allow HTTPS (port 443) to the ASA’s interface.
Testing the VPN Connection
After configuration, test from a remote device outside your network. Use the VPN client software to connect using the credentials or keys you generated. Check the following:
- Connection establishment: The client should successfully complete the handshake and receive an IP address from the VPN subnet.
- Access to internal resources: Ping a server on your LAN by private IP address. If split tunneling is off, traffic to the internet should route through the VPN.
- Log verification: On the firewall, confirm that the connection appears in the logs with the correct source IP and user.
- Encryption test: Capture on the firewall's WAN interface with a packet capture tool (e.g., Wireshark or tcpdump) while the client is active and confirm that only the VPN protocol's packets appear (e.g., UDP 1194, UDP 51820, or ESP) and that their payloads are opaque, with no cleartext application traffic visible.
If the connection fails, check firewall rules, ensure the VPN server is listening on the correct interface, and verify that NAT‑T or port forwarding (if behind another NAT) is correctly configured.
Common Pitfalls and Troubleshooting
Port Blocked by ISP or Upstream Firewall
Some ISPs block common VPN ports (e.g., UDP 1194). Try moving the service to a different port (e.g., 443, which is rarely blocked, or a high, non‑standard port such as 11940) and update the firewall rules accordingly.
MTU Issues
Large packets can cause fragmentation and dropped connections. Reduce the MTU on the VPN interface (e.g., 1400 for OpenVPN). Clients can also set a lower MTU in their configuration.
Routing Conflicts
If the VPN subnet overlaps with the remote client’s local network, traffic may not route correctly. Choose a subnet that is not used on clients (e.g., 10.200.0.0/24).
Certificate Expiration
Certificates have a limited lifetime. Set up a reminder to renew them before they expire. For OpenVPN, you can revoke an individual client certificate through the CA's certificate revocation list (CRL) without affecting other users.
Security Best Practices for VPN + Firewall
- Use strong authentication: Combine certificates or keys with multi‑factor authentication (MFA) whenever possible. Many firewalls support RADIUS integration with MFA providers.
- Limit failed login attempts: Enable rate limiting on the VPN service to prevent brute‑force attacks.
- Keep firmware and VPN packages updated: Subscribe to vendor security advisories and apply patches promptly.
- Monitor logs continuously: Set up alerts for repeated failed authentications or connections from unfamiliar IP ranges.
- Disable unused VPN protocols: If you only use WireGuard, turn off OpenVPN and IPsec to reduce attack surface.
- Use a dedicated VLAN for VPN users: Isolate remote users on a separate subnet. Apply stricter firewall rules for that VLAN (e.g., block direct access to management interfaces).
- Implement a kill switch (for clients): Instruct users to configure their VPN client to drop all traffic if the VPN disconnects (prevents data leaks).
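The "monitor logs continuously" practice above, and the logging enabled in step 6, only pay off if something actually reads the log. The script below is an added example, not code from the article: it scans VPN server log lines for failed authentications and TLS handshake failures, counts them per source IP, and reports any source at or above a threshold, which is the kind of check you would feed into an alert. The sample lines are constructed in the style of an OpenVPN server log; your firewall's VPN log format is an assumption, so adjust the field positions and match patterns to it.

```shell
#!/bin/sh
# Added example (not from the article): flag source IPs with repeated failed VPN logins.
# SAMPLE_LOG is constructed in the style of an OpenVPN server log (date, time, ip:port, message);
# the real log format of your firewall is an assumption you must adapt the awk fields to.
SAMPLE_LOG='2024-03-05 10:01:02 203.0.113.5:51234 TLS Auth Error: Auth Username/Password verification failed for peer
2024-03-05 10:01:09 203.0.113.5:51240 TLS Auth Error: Auth Username/Password verification failed for peer
2024-03-05 10:01:15 203.0.113.5:51251 TLS Error: TLS handshake failed
2024-03-05 10:01:20 203.0.113.5:51266 TLS Auth Error: Auth Username/Password verification failed for peer
2024-03-05 10:01:31 203.0.113.5:51270 TLS Auth Error: Auth Username/Password verification failed for peer
2024-03-05 10:02:00 198.51.100.7:40001 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
2024-03-05 10:02:41 198.51.100.9:40012 TLS Auth Error: Auth Username/Password verification failed for peer
2024-03-05 10:02:50 198.51.100.9:40015 [bob] Peer Connection Initiated with [AF_INET]198.51.100.9:40015'

# failed_logins THRESHOLD < log -> prints "ip count" for every source IP with THRESHOLD or more
# failed authentications or TLS handshake failures, highest count first.
failed_logins() {
  awk -v threshold="$1" '
    / verification failed for peer| TLS Error: / {
      ip = $3; sub(/:[0-9]+$/, "", ip)      # third field is ip:port; drop the ephemeral port
      fails[ip]++
    }
    END {
      for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip]
    }' | sort -k2,2nr
}

# alert_count THRESHOLD -> number of offending IPs in the sample; non-zero means "raise an alert"
alert_count() { printf '%s\n' "$SAMPLE_LOG" | failed_logins "$1" | wc -l | tr -d ' '; }

# Report sources with three or more failures in the sample log.
printf '%s\n' "$SAMPLE_LOG" | failed_logins 3
```

In production, replace the sample with `journalctl -u openvpn-server@server --since -10min` or your firewall's exported syslog, and run the check from cron or your SIEM at the same interval.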
Conclusion
Setting up a VPN with your firewall is not a one‑time task—it requires careful planning, proper rule creation, and ongoing maintenance. By choosing the right protocol, correctly configuring firewall rules, and following security best practices, you can provide secure remote access without exposing your internal network to unnecessary risk. Whether you are securing a small business or an enterprise, the principles outlined here form a solid foundation. For further reading, refer to the official documentation of your firewall vendor or the OpenVPN Community How‑To and the WireGuard Quick Start.