Install OpenVPN on pfSense

Configuring pfSense takes time and is only recommended for advanced users to prevent leaks from occuring.

We recommend Vilfo OS instead as it's easy interface allows simultaneous VPN connections and has DNS leak protection, VPN killswitch and more built-in.

1. Change DNS servers

Navigate to System → General Setup.

Change the DNS servers in the list to:

46.227.67.134
192.165.9.158

Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked

Under DNS Resolution Behavior, select Use remote DNS servers, ignore local DNS.

Save the changes.

2. Create CA certificate

Navigate to System → Certificate. Navigate to Authorities tab.

Click on +Add. Afterwards, alter these settings:

Create/Edit CA

Descriptive name

OVPN

Method

Import an existing Certificate Authority

Trust Store

Unchecked

Randomize Serial

Unchecked

Existing Certificate Authority

Certificate data

You must be logged in to see this.

Certificate Private Key (optional)

(leave blank)

Next Certificate Serial

(leave blank)

Save the changes.

Use OVPN if security is of importance

Your privacy and security is the core focus of OVPN. That's why we've implemented a multi-layered security model.

Learn more

3. Choose how you want to connect to OVPN

4. Configure OpenVPN

Navigate to VPN → OpenVPN. Afterwards click on tab Clients.

Click on +Add. Afterwards, alter these settings

General Information

Description

Optional description for the VPN

Disabled

Should not be selected

Mode configuration

Server mode

Peer to Peer (SSL/TLS)

Device mode

tun – Layer 3 Tunnel Mode

Endpoint Configuration

Protocol

UDP IPv4 and IPv6 on all interfaces (multihome)

Local port

(leave blank)

Server host or address

Server port

Proxy host or address

(leave blank)

Proxy port

(leave blank)

Proxy authentication extra options

none

User Authentication Settings

Username

(enter your username for OVPN)

Password

(enter your password for OVPN)

Authentication Retry

Should not be selected

Cryptographic Settings

TLS Configuration

Should be selected

Automatically generate a TLS Key

Should not be selected

TLS key

You must be logged in to see this.

TLS Key Usage Mode

TLS Authentication

TLS Key Direction

Direction 1

Peer Certificate Authority

OVPN

Peer Certificate Revocation List

None should be defined

Client Certificate

None (Username and/or Password required)

Data Encryption Negotiation

Should be selected

Encryption algorithms

CHACHA20-POLY1305

Fallback Data Encryption Algorithm

AES-256-GCM

Auth Digest Algorithm

SHA1 (160-bit)

Hardware Crypto

No Hardware Crypto Acceleration

Server Certificate Key Usage Validation

Should be selected

Tunnel Settings

IPv4 Tunnel Network

(leave blank)

IPv6 Tunnel Network

(leave blank)

IPv4 Remote Network(s)

(leave blank)

IPv6 Remote Network(s)

(leave blank)

Limit outgoing bandwidth

(leave blank)

Allow Compression

Decompress incoming, do not compress outgoing (Asymmetric)

Compression

Adaptive LZO Compression

Topology

Subnet – One IP-address per client in a common subnet

Type-of-Service

Should not be selected

Don't pull routes

Should not be selected

Don't add/remove routes

Should not be selected

Pull DNS

Should not be selected

Ping Settings

Inactive

0

Ping method

keepalive - Use keepalive helper to define ping configuration

Interval

10

Timeout

60

Advanced configuration

Custom options

You must be logged in to see this.

UDP fast I/O

Should be selected

Exit Notify

Retry 1x

Send/Receive buffer

Default

Gateway Creation

Both

Verbosity level

3 (Recommended)

Save the changes.

5. Create OpenVPN interface

Navigate to Interfaces → Assignments.

Click on the plus (+) icon to create interface ovpnc1 (OVPN client). Afterwards, click on OPT1.

Select, so that Enable interface is checked.

Save your changes and click on Apply changes.

6. Configure NAT

Navigate to Firewall → NAT. Afterwards click on tab Outbound

Select, so that Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) is checked. Save your changes and click on Apply changes.

The next step is to duplicate all existing rules, but changing the interface to OpenVPN. To duplicate a rule, click on the duplicate icon (the middle icon) next to the rule

Change Interface to OpenVPN. You should also alter the Description in order to clarify that the rule is for OpenVPN. Save your changes.

When all the rules have been duplicated, commit your changes by clicking on Apply changes.

7. (Optional) Route through the VPN

As an optional setting, you can set the VPN connection as the default gateway. By doing that, if the VPN connection goes down, it won't switch back to the WAN connection, acting as a sort of killswitch.

Navigate to System → Routing. Navigate to Gateways tab.

Under Default gateway, make the following changes:

Default gateway IPv4

46.227.67.134

Default gateway IPv6

2a07:a880:4601:10f0:cd45::1

8. Start OpenVPN

Navigate to Status → OpenVPN

Click on the icon that looks like a Play button in order to start OpenVPN. If OpenVPN is already running, we suggest restarting it.

9. Finished

You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.

Account

Switch language

Install OVPN on pfSense

1. Change DNS servers

2. Create CA certificate

Create/Edit CA

Existing Certificate Authority

Use OVPN if security is of importance

3. Choose how you want to connect to OVPN

4. Configure OpenVPN

General Information

Mode configuration

Endpoint Configuration

User Authentication Settings

Cryptographic Settings

Tunnel Settings

Ping Settings

Advanced configuration

5. Create OpenVPN interface

6. Configure NAT

7. (Optional) Route through the VPN

8. Start OpenVPN

9. Finished