Configuring OPNsense takes time and is only recommended for advanced users to prevent leaks from occuring.
We recommend
Vilfo OS instead as it's easy interface allows simultaneous VPN connections and has DNS leak protection, VPN killswitch and more built-in.
This guide was created for OPNsense 19.7 “Jazzy Jaguar”. If you think it's too complicated, and want a simple way to connect to OVPN and use split tunneling features, we recommend Vilfo.
1. Change DNS servers
Navigate to System → Settings → General.
Change the DNS servers in the list to:
- 46.227.67.134
- 192.165.9.158
Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on
WAN is not checked
Select, so that Do not use the DNS Forwarder or Resolver as a DNS server for the
firewall is checked
Click on Save.
2. Create CA certificate
Navigate to System → Trust → Authorities.
Click on the plus (+) icon. Afterwards, alter these settings:
Create/Edit CA
Method
Import an existing Certificate Authority
Existing Certificate Authority
Certificate data
You must be logged in to see this.
Certificate Private Key (optional)
(leave blank)
Serial for next certificate
(leave blank)
Click on Save.
3. Choose how you want to connect to OVPN
4. Configure OpenVPN
Navigate to VPN → OpenVPN → Clients.
Click on the plus (+) icon. Afterwards, alter these settings
General Information
Disabled
Should not be selected
Server Mode
Peer To Peer (SSL/TLS)
Device Mode
Tun – Layer 3 Tunnel Mode
Retry DNS resolution
Should be selected
Proxy host or address
(leave blank)
Proxy authentication extra options
none
User Authentication Settings
Username
(enter your username for OVPN)
Password
(enter your password for OVPN)
Renegotiate time
Should not be selected
Cryptographic Settings
TLS Configuration → Enable authentication of TLS packets
Should be selected
TLS Configuration → Automatically generate a TLS Key
Should not be selected
Paste your shared key here
You must be logged in to see this.
Peer Certificate Authority
OVPN
Client Certificate
None (Username and/or Password required)
Encryption algorithm
AES-256-GCM
Auth Digest Algorithm
SHA1 (160-bit)
Hardware Crypto
No Hardware Crypto Acceleration
Tunnel Settings
IPv4 Tunnel Network
(leave blank)
IPv6 Tunnel Network
(leave blank)
IPv4 Remote Network(s)
(leave blank)
IPv6 Remote Network(s)
(leave blank)
Limit outgoing bandwidth
(leave blank)
Compression
No Preference
Type-of-Service
Should not be selected
Disable IPv6
Should not be selected
Don't pull routes
Should not be selected
Don't add/remove routes
Should not be selected
Advanced configuration
Custom options
You must be logged in to see this.
Verbosity level
3 (Recommended)
Click on Save.
5. Create OpenVPN interface
Navigate to Interfaces → Assignments.
Click on the plus (+) icon to create interface ovpnc1 (OVPN client). Afterwards, click on OPT1.
Select, so that Enable interface is checked.
Save your changes and click on Apply changes.
6. Send DNS requests through the VPN tunnel
Navigate to Services → Unbound DNS → General.
Enable
Should be selected
Listen port
(leave blank)
DNSSEC
Should not be selected
DHCP Registration
Should be selected
DHCP Domain Override
(leave blank)
DHCP Static Mappings
Should be selected
IPv6 Link-local
Should not be selected
TXT Comment Support
Should not be selected
DNS Query Forwarding
Should be selected
Local Zone Type
Transparent
Custom options
(leave blank)
Outgoing Network Interfaces
ovpnc1 (OVPN client)
WPAD Records
Should not be selected
7. Configure NAT
Navigate to Firewall → NAT → Outbound.
Select, so that Hybrid outbound NAT rule generation is checked. Save your changes and click on Apply changes.
Click on the plus (+) icon. On Interface, select OPT1. Leave everything else as is.
Save your changes and click on Apply changes.
Navigate to Firewall → Rules → LAN.
On the rule IPv4, click on the copy icon to Copy. Set the Gateway to OPT1_DHCP. Click on Save.
On the rule IPv6, click on the copy icon to Copy. Set the Gateway to OPT1_DHCP6. Click on Save.
Save your changes and click on Apply changes.
8. Start OpenVPN
Navigate to VPN → OpenVPN → Connection Status
Click on the icon that looks like a Play button in order to start OpenVPN. If OpenVPN is already running, we suggest restarting it.
9. Finished
You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.
