This guide is written for pfSense version 2.5.2.

Navigate to System → General Setup.
Change the DNS servers in the list to:
Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN".
Under DNS Resolution Behavior, select "Use remote DNS servers, ignore local DNS".
Save the changes.
Navigate to System → Cert Manager.
Click on +Add. Afterwards, alter these settings:

| Setting | Value |
|---|---|
| Descriptive name | OVPN |
| Method | Import an existing Certificate Authority |
| Trust Store | Unchecked |
| Randomize Serial | Unchecked |
| Certificate data | (available only when logged in to your OVPN account) |
| Certificate Private Key (optional) | (leave blank) |
| Next Certificate Serial | (leave blank) |

Save the changes.
Navigate to VPN → OpenVPN. Afterwards click on the Clients tab.
Click on +Add. Afterwards, alter these settings:

| Setting | Value |
|---|---|
| Disabled | Should not be selected |
| Server Mode | Peer To Peer (SSL/TLS) |
| Protocol | |
| Device Mode | tun – Layer 3 Tunnel Mode |
| Interface | WAN |
| Local port | (leave blank) |
| Server host or address | |
| Server port | |
| Proxy host or address | (leave blank) |
| Proxy port | (leave blank) |
| Proxy authentication extra options | none |
| Description | OVPN client |
| Username | (enter your username for OVPN) |
| Password | (enter your password for OVPN) |
| Authentication Retry | Should not be selected |
| TLS Configuration | Should be selected |
| Automatically generate a TLS Key | Should not be selected |
| Paste your shared key here | (the OpenVPN static key shown below this table) |
| TLS Key Usage Mode | TLS Authentication |
| TLS Key Direction | Direction 1 |
| Peer Certificate Authority | OVPN |
| Peer Certificate Revocation List | Leave as is |
| Client Certificate | None (Username and/or Password required) |
| Data Encryption Negotiation | Should be selected |
| Encryption algorithms | CHACHA20-POLY1305 |
| Fallback Data Encryption Algorithm | AES-256-GCM |
| Auth Digest Algorithm | SHA1 (160-bit) |
| Hardware Crypto | No Hardware Crypto Acceleration |
| IPv4 Tunnel Network | (leave blank) |
| IPv6 Tunnel Network | (leave blank) |
| IPv4 Remote Network(s) | (leave blank) |
| IPv6 Remote Network(s) | (leave blank) |
| Limit outgoing bandwidth | (leave blank) |
| Allow Compression | Compress packets |
| Compression | Adaptive LZO Compression [Legacy style, comp-lzo adaptive] |
| Topology | Subnet – One IP address per client in a common subnet |
| Type-of-Service | Should not be selected |
| Don't pull routes | Should not be selected |
| Don't add/remove routes | Should not be selected |
| Pull DNS | Should be selected |
| Inactive | 0 |
| Ping method | ping -- Define ping/ping-exit/ping-restart manually |
| Ping | 10 |
| Ping restart or exit | ping-restart -- Restart OpenVPN after timeout |
| Ping restart or exit seconds | 60 |
| Custom options | (available only when logged in to your OVPN account) |
| UDP Fast I/O | Should be selected |
| Exit Notify | Retry 1x |
| Send/Receive buffer | Default |
| Gateway Creation | Both |
| Verbosity level | 3 (Recommended) |

The shared key to paste into the "Paste your shared key here" field:

```text
-----BEGIN OpenVPN Static key V1-----
81782767e4d59c4464cc5d1896f1cf60
15017d53ac62e2e3b94b889e00b2c69d
dc01944fe1c6d895b4d80540502eb719
10b8d785c9efa9e3182343532adffe1c
fbb7bb6eae39c502da2748edf0fb89b8
a20b0a1085cc1f06135037881bc0c4ad
8f2c0f4f72d2ab466fb54af3d8264c5f
ddeb0f21aa0ca41863678f5fc4c44de4
ca0926b36dfddc42c6f2fabd1694bdc8
215b2d223b9c21dc6734c2c778093187
afb8c33403b228b9af68b540c284f6d1
83bcc88bd41d47bd717996e499ce1cbb
fa768a9723c19c58314c4d19cfed82e5
43ee92e73d38ad26d4fbec231c0f9f3b
30773a5c87792e9bc7c34e8d7611002e
bedd044e48a0f1f96527bfdcc940aa09
-----END OpenVPN Static key V1-----
```

Save the changes.
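A pasted static key that lost a row or picked up a stray character while being copied makes the TLS handshake fail with little explanation in the log. The following POSIX shell function is an added example, not part of the OVPN guide or of pfSense: it checks that key text has the canonical "OpenVPN Static key V1" layout (BEGIN line, exactly 16 rows of 32 hex digits, END line) before you save it in the client form. The sample input is the tls-auth key from the table above; the function name `check_static_key` is my own.

```sh
#!/bin/sh
# Added example (not part of the OVPN guide): sanity-check a pasted OpenVPN static key
# before saving it in the pfSense client form.
#
# Sample input: the tls-auth key from the guide above, laid out one row per line.
OVPN_TLS_KEY='-----BEGIN OpenVPN Static key V1-----
81782767e4d59c4464cc5d1896f1cf60
15017d53ac62e2e3b94b889e00b2c69d
dc01944fe1c6d895b4d80540502eb719
10b8d785c9efa9e3182343532adffe1c
fbb7bb6eae39c502da2748edf0fb89b8
a20b0a1085cc1f06135037881bc0c4ad
8f2c0f4f72d2ab466fb54af3d8264c5f
ddeb0f21aa0ca41863678f5fc4c44de4
ca0926b36dfddc42c6f2fabd1694bdc8
215b2d223b9c21dc6734c2c778093187
afb8c33403b228b9af68b540c284f6d1
83bcc88bd41d47bd717996e499ce1cbb
fa768a9723c19c58314c4d19cfed82e5
43ee92e73d38ad26d4fbec231c0f9f3b
30773a5c87792e9bc7c34e8d7611002e
bedd044e48a0f1f96527bfdcc940aa09
-----END OpenVPN Static key V1-----'

# check_static_key KEYTEXT
# Exit 0 when KEYTEXT has the canonical "OpenVPN Static key V1" layout: the BEGIN line,
# exactly 16 lines of 32 hex digits (256 bytes of key material), the END line, and
# nothing else. Blank lines, CR characters and surrounding spaces are tolerated because
# copy/paste commonly adds them; anything else (missing row, truncated row, non-hex
# character) makes the check fail with exit 1.
check_static_key() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^$/ { next }
        $0 == "-----BEGIN OpenVPN Static key V1-----" { hdr++; next }
        $0 == "-----END OpenVPN Static key V1-----"   { ftr++; next }
        {
            if (hdr == 1 && ftr == 0 && length($0) == 32 && $0 ~ /^[0-9a-fA-F]+$/)
                rows++
            else
                bad++
        }
        END { if (hdr == 1 && ftr == 1 && rows == 16 && bad == 0) exit 0; exit 1 }
    '
}

# Stand-alone usage: report on the sample key.
if check_static_key "$OVPN_TLS_KEY"; then
    echo "static key: well-formed (16 x 32 hex digits)"
else
    echo "static key: malformed, re-copy it before saving"
fi
```

The check is deliberately stricter than OpenVPN's own parser, which only requires 256 bytes of hex overall; insisting on the 16 x 32 layout catches the common case of a dropped or partially copied row.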
Navigate to Interfaces → Assignments.
Click on the plus (+) icon to add the interface ovpnc1 (OVPN client). Afterwards, click on the newly created OPT1 interface.
Check "Enable interface".
Save your changes and click on Apply changes.
Navigate to Firewall → NAT. Afterwards click on the Outbound tab.
Select "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)". Save your changes and click on Apply changes.
The next step is to duplicate every existing rule, changing the interface of each copy to OpenVPN, so that traffic leaving through the tunnel is translated the same way as traffic leaving through the WAN. To duplicate a rule, click on the duplicate icon (the middle icon) next to the rule.
Change Interface to OpenVPN. You should also alter the Description to make clear that the rule is for OpenVPN. Save your changes.
When all the rules have been duplicated, commit your changes by clicking on Apply changes.
Navigate to Status → OpenVPN.
Click on the icon that looks like a Play button to start OpenVPN. If OpenVPN is already running, we suggest restarting it.
You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.
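The dashboard only shows that the OpenVPN process has a session; it does not show whether the box actually forwards default traffic through it. Because the guide leaves "Don't pull routes" unchecked, a server that pushes redirect-gateway def1 installs two half-default routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel interface, and their presence in the routing table is the direct evidence that traffic egresses through ovpnc1. The shell function below is an added example, not part of the OVPN guide or of pfSense; it parses `netstat -rn -f inet` output and checks for both routes. The routing tables are constructed samples with placeholder addresses, and the function name `vpn_egress_routes_ok` is my own.

```sh
#!/bin/sh
# Added example (not part of the OVPN guide): confirm from the routing table that default
# traffic is forwarded through the tunnel rather than trusting the dashboard indicator.
# With pulled routes and a pushed redirect-gateway def1, OpenVPN installs 0.0.0.0/1 and
# 128.0.0.0/1 via the tunnel interface; if either is missing or points elsewhere,
# traffic is still leaving through the WAN.
#
# Constructed sample of `netstat -rn -f inet` on pfSense with the tunnel up.
# Addresses are placeholders; ovpnc1 is the interface name created in the guide.
ROUTES_VPN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
10.8.0.5           link#7             UHS         lo0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#1             U           em1
203.0.113.0/24     link#2             U           em0'

# Constructed sample with the tunnel down: only the WAN default route remains.
ROUTES_WAN_ONLY='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em1
203.0.113.0/24     link#2             U           em0'

# vpn_egress_routes_ok ROUTETEXT IFNAME
# Exit 0 only when both 0.0.0.0/1 and 128.0.0.0/1 are present and their Netif column
# (4th field) is IFNAME; exit 1 otherwise. Works on captured text as well as live output.
vpn_egress_routes_ok() {
    printf '%s\n' "$1" | awk -v ifname="$2" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $4 == ifname { halves++ }
        END { if (halves == 2) exit 0; exit 1 }
    '
}

# Stand-alone usage against the samples. On the firewall itself run:
#   vpn_egress_routes_ok "$(netstat -rn -f inet)" ovpnc1
if vpn_egress_routes_ok "$ROUTES_VPN" ovpnc1; then
    echo "ROUTES_VPN: default traffic routed via ovpnc1"
else
    echo "ROUTES_VPN: WARNING - default traffic is NOT going through ovpnc1"
fi
if vpn_egress_routes_ok "$ROUTES_WAN_ONLY" ovpnc1; then
    echo "ROUTES_WAN_ONLY: default traffic routed via ovpnc1"
else
    echo "ROUTES_WAN_ONLY: WARNING - default traffic is NOT going through ovpnc1"
fi
```

Run the live form from Diagnostics → Command Prompt or an SSH shell on the firewall after starting the client; a non-zero exit means LAN clients are still reaching the internet via the WAN even though the dashboard shows the session as up.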