Firewall Rules

Whether you decide to use PPTP, L2TP/IPsec or OpenVPN, new firewall rules are required to let the VPN's control and tunnel traffic through to the router.

PPTP

When using PPTP the firewall needs to be configured as follows.

Allow TCP on port 1723 (the PPTP control connection) as well as GRE packets (the tunnelled data).

set firewall name eth1-local rule 100 action accept
set firewall name eth1-local rule 100 destination port 1723
set firewall name eth1-local rule 100 protocol tcp
set firewall name eth1-local rule 110 action accept
set firewall name eth1-local rule 110 protocol gre

L2TP/IPsec

When using L2TP/IPsec the firewall needs to be configured as follows.

ESP traffic (the encrypted IPsec payload) needs to be allowed.

set firewall name eth1-local rule 200 action accept
set firewall name eth1-local rule 200 protocol esp

Allow UDP port 500 for IKE traffic (the IPsec key exchange).

set firewall name eth1-local rule 210 action accept
set firewall name eth1-local rule 210 destination port 500
set firewall name eth1-local rule 210 protocol udp

Allow UDP port 4500 for IPsec NAT traversal (NAT-T), used when a client sits behind NAT.

set firewall name eth1-local rule 220 action accept
set firewall name eth1-local rule 220 destination port 4500
set firewall name eth1-local rule 220 protocol udp

Allow UDP port 1701 for L2TP, but only for packets that arrived inside the IPsec tunnel: the ipsec match-ipsec condition on the rule ensures that unencrypted L2TP from the outside is still blocked.

set firewall name eth1-local rule 230 action accept
set firewall name eth1-local rule 230 destination port 1701
set firewall name eth1-local rule 230 ipsec match-ipsec
set firewall name eth1-local rule 230 protocol udp
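The L2TP/IPsec rule set above is easy to get subtly wrong (a missing port, or rule 230 saved without ipsec match-ipsec). As an added example, not part of the original page, here is a small Python lint that parses such set lines and checks both conditions; the rule-set name eth1-local and the embedded rules are taken from this page, everything else is constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: the L2TP/IPsec rules from this page.
L2TP_RULES = """\
set firewall name eth1-local rule 200 action accept
set firewall name eth1-local rule 200 protocol esp
set firewall name eth1-local rule 210 action accept
set firewall name eth1-local rule 210 destination port 500
set firewall name eth1-local rule 210 protocol udp
set firewall name eth1-local rule 220 action accept
set firewall name eth1-local rule 220 destination port 4500
set firewall name eth1-local rule 220 protocol udp
set firewall name eth1-local rule 230 action accept
set firewall name eth1-local rule 230 destination port 1701
set firewall name eth1-local rule 230 ipsec match-ipsec
set firewall name eth1-local rule 230 protocol udp
"""

SET_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")

def parse_rules(text):
    """Group 'set firewall name X rule N key value' lines into {(X, N): {key: value}}."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # blank lines and unrelated commands are ignored
        name, num, rest = m.groups()
        key, value = rest.rsplit(" ", 1)  # 'destination port 500' -> ('destination port', '500')
        rules[(name, int(num))][key] = value
    return dict(rules)

# (protocol, destination port, must only be accepted inside IPsec) for an L2TP/IPsec responder.
L2TP_REQUIRED = [("esp", None, False), ("udp", "500", False), ("udp", "4500", False), ("udp", "1701", True)]

def check_l2tp_ipsec(rules):
    """Return findings: required rules that are missing, and udp/1701 accepted outside the tunnel."""
    findings = []
    for proto, port, needs_ipsec in L2TP_REQUIRED:
        matches = [(k, r) for k, r in rules.items()
                   if r.get("action") == "accept" and r.get("protocol") == proto
                   and r.get("destination port") == port]
        if not matches:
            findings.append("missing accept rule for " + proto + ("/" + port if port else ""))
        for (name, num), r in matches:
            if needs_ipsec and r.get("ipsec") != "match-ipsec":
                findings.append(f"{name} rule {num} accepts udp/{port} without 'ipsec match-ipsec' "
                                "(cleartext L2TP would be reachable)")
    return findings
```

Run `check_l2tp_ipsec(parse_rules(L2TP_RULES))` on the page's rules and it returns an empty list; drop the match-ipsec line from rule 230 and it reports the cleartext exposure.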

OpenVPN

When using OpenVPN the firewall needs to be configured as follows.

OpenVPN uses UDP on port 1194 by default; if your server listens on a different port or on TCP, adjust the rule to match.

set firewall name eth1-local rule 300 action accept
set firewall name eth1-local rule 300 description 'Allow OpenVPN'
set firewall name eth1-local rule 300 destination port 1194
set firewall name eth1-local rule 300 protocol udp