ESXi. The best way to build VPN tunnel with pfSense

5 minute read


ESXi is a type-1 hypervisor, meaning it runs directly on system hardware without the need for an operating system (OS). Type-1 hypervisors are also referred to as bare-metal hypervisors because they run directly on hardware.

Also VMware vSphere Hypervisor is a free product and require a free license for the usage.

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.


In this article I have next hardware and installed software on them:

  1. Supermicro server with two network interfaces (1 - connected to Internet, 2 - to LAN)
  2. VMware ESXi 6.5 U3


So I have an installed ESXi hypervisor on my bare metal server. I get access to ESXi through WebGUI by local IP that ESXI have got from DHCP Server. I just open a browser and insert in address line.

Prepare network

So after first boot I see a next window.


Set up a new vSwitch. It will use for access for created virtual machines.


Set an obvious name and select second network interface. In vmnic1 connected my laptop.


Now open Port groups tab. 004_add_new_portgroup

Add new port group that will used to connect our software firewall (pfSense). Name it External as straight external network.


Retry it for creation Internal port group. VMs connected to this port group has access to Internet only through a firewall.


The created port group by default can be removed.


Allow to delete it. 008_alllow_delete_default_port_group

View a result of these actions. 009_view_result_port_group_tab

Add new VMKernel interface. 010_add_new_vm_interface

It needs to get access to ESXi WebGUI from our local network ( 011_configure_new_vmnic

After that we will have two management interfaces. An old one will be removed at the end. 012_view_results

Upload ISO

Now we can prepare to make pfSense on ESXi. First of all add an installation ISO image. 013_open_datastore_page

Create an ISOs directory. 014_create_iso_directory 015_create_iso_directory

Add a downloaded ISO with pfSense. 016_add_pfsense_image

Wait some time. After that you will see the pfsense image in ESXi. 017_content_of_iso_directory

Create VM with pfSense

Open Virtual machines page in ESXi. Click Create new VM. 018_open_vm_page

Yes, create a new virtual machine. 019_create_new_vm

Set name. Select type of VM. 020_set_name

Select where VM will be installed. 021_vm_place_to_store_files

Add more space of VM disk. Add second network adapter. Join them with Internal and External PG. 022_configuration_vm

Select an installation ISO image uploaded earlier. 023_select_iso_image

Check the result of configuring VM. 024_check_result_config

Install pfSense

After that the VM has to be created. And we can click to button Power on for start installation. 025_run_created_vm

In many of screens I’ve just clicked Next and haven’t change anything. 026_accept_copyright 027_install_pfsense 028_use_default_keymap 029_use_default_partition 030_wait_processing 031_skip_manual 032_reboot_system

Configure pfSense

After reboot system will offer to setup network interfaces 033_setup_interfaces

Open VM setting in ESXi to be right in this choose. And view network interface MACs. 034_view_mac_interfaces

The WAN interface should be the virtual interface connected to External port group. 035_select_wan

Another interface will be LAN. 036_select_lan

Next see the results and continue the configuring in browser by 037_view_results

Open browser and login in pfSense web configurator with default credentials (admin:pfsense) 038_pfsense_first_login

Skip welcome page. And read Netgear support information if you need. 039_view_welcome_page 040_read_netgear_support

Set hostname, NTP, timezone. 041_set_hostname 042_set_ntp

Configure WAN interface. My instance get IP by DHCP. 043_configure_wan

Configure LAN network. Set a new network address Remember WebGUI will have a new IP after reboot. 043_configure_lan

Set new admin password. 045_set_admin_password

Click Reload button. 046_reload_system 047_finish_configuration

Open new browser tab with new WebGUI instance accessed by IP 048_dashboard_pfsense

Setup OpenVPN

VMs and ESXi don’t have any public IP. But we can get full access to them if we will install OpenVPN. I have another pfSense server with public IP. It will be OpenVPN Server. This ESXi host and pfSense instance will connect to server and share their LAN ( We name pfSense that we configurating in this article as OpenVPN Client. So for this purposes we need to do some manipulation with OpenVPN Server.

Open VPN page in WebGUI. Click Add button and create new OpenVPN Server. Select Peer to peer (shared key) server mode. Set listen port 1201 (it can be any other). Edit another options if it needs. 049_create_openvpnserver

After we click Save the shared key of the server will be generated. Open created server.

Copy generated key. It will need to connect client to this server. 051_copy_shared_key

Now open WebGUI of another pfSense that will OpenVPN Client. Open VPN page. Click Add. 052_add_new_client

Setup OpenVPN client by my example. I highlight options that I modified. 053_create_openvpn_client

Click save and apply changes. 054_after_save_client

Open status page of VPN connection 055_check_status_vpn

The status will be up. 056_status_ok

Open Firewall configuration page. Follow to OpenVPN tab. 057_open_firewall_rules

Create new rule with allow traffic through this adapter to LAN net. 058_pass_traffic_by_openvpn

Create another pass rule for LAN interface allows anything. 059_pass_traffic_by_lan

Apply the changes. 060_apply_changes

Now we can connect to pfSense (that configuring as OpenVPN client) by local IP ( ESXi server can be hosted in any place. If it connected to Internet also through NAT. OpenVPN will auto connect to our public VPN server.

But to access to ESXi webGUI we should make some addition.

Setup ESXi on private LAN

We have an additional management virtual interface that connected to vSwitchLAN - vmk1. We made it before. 061_open_vmk1_interface

Open the interface, and make sure that it has a right IP adress - 062_check_adapter_ip

Open TCP/IP stack tab. Select Default TCP/IP stack. 063_open_ip_stack_tab

Click Edit settings button. 064_click_edit_settings

Manually configure it. Set pfSense IP as default gateway. 065_manually_configure

We will lose the access to ESXi WebGUI. It’s OK. Just open it in new IP - 066_open_esxi_webgui_by_lan_ip

Open VMKernel NIC’s tab. 067_open_vmk_tab

Remove the management interface connected to External network to vSwitch0. 068_remove_external_mgmt_interface

Confirm remove. 069_confirm_remove

Now we have access only from OpenVPN tunnel or LAN network. 070_view_results

Also we can delete unused Management network port group. 071_open_port_group_tab 072_remove_unused_mgmt_network

Enable autorun pfSense VM

ESXi doesn’t run any VMs after power on by default. You should enable this manually. It’s a simple. Open Virtual machines page and select fw. 075_select_fw_vm

Enable autostart for selected VM. 076_enable_autostart

Install VM tools

ESXi will show you the notice message until you install VM tools.

VMware Tools is not installed in this virtual machine. VMware Tools allows detailed guest information to be displayed as well as allowing you to perform operations on the guest OS, e.g. graceful shutdown, reboot, etc. You should install VMware Tools.


VM tools is very helpful instrument. And VMWare haven’t it for FreeBSD. But exists Open VM tools package. It can be easily installed on pfSense Package manager page. 078_open_package_manager

Search and install Open VM tools. 079_search_open_vm_tools

View success result of installation the package. 080_view_result_of_installation

Done! Now you can create any virtual machines on ESXi host and get full access to them by secure VPN tunnel :)

Some notes

After I install Open VM Tools ESXi will show a warning message:

The configured guest OS (FreeBSD 12 or later versions (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11 (64-bit)). You should specify the correct guest OS to allow for guest-specific optimizations.


To avoid this just change the Guest OS Version to FreeBSD 11 (64-bit) and will be happy. 082_change_guest_os_to_freebsd11

Additional information