If you have a PFsense gateway you can already set the gateway as a VPN client, but what if you don’t want that, and instead you want to set the VPN connection on a machine/machines behind a PFSense gateway, but you don’t want to set split tunnel on that machine and also you want to be able to have some services that are ported forward through the gateway and they must be accessible outside of the LAN even if that machine is connected to VPN.

One simple solution is to rewrite any incoming connection on a specific port as if it comes from the LAN with this approach you can have the benefit of an interrupted connection with some specific services even if you connect or disconnect on VPN, and you can also control that VPN connection from the machine behind the router not from the router directly.

I recently bought some VPN services and for me basically, there are need two services I need one is RDP the other one is HTTPS, and as you know both RPD and HTTPS work with encrypted traffic, moreover my HTTPS is actually proxified but nevertheless, both connection must be opened outside of LAN. They operate on non-default ports, 3399 and 8443, I use non-default ports as the internet is full of bots(especially true for RDP) that test the default ports and you lose resources in vain.

So first you have to forward your ports here is a screenshot:

screenshot Pfsense

After that, you must go to Firewall->Rulles->Wan, and add a new Rule with the following settings.

I’ll put them into a JSON object for readability sake:

{
'Action':                                           'Pass',
'Interface':                                        'Wan',
'Address Family':                                   'IPv4',  // or v6 depending on what you need
'Protocol':                                         'TCP',  // or what you need
'Destination':                                      '10.0.1.133',  // your LAN IP here
'Description':                                      'your identifier string'
}

Also when creating a rule there are also available some advanced settings, which obviously are not necessary but they might be useful in specific cases.

After that apply your new rule and you are good to go, your services will be available even if you connect to a VPN with no additional setting on the machine behind the gateway.