Configuring pfSense takes time, and to prevent leaks from occurring it is only recommended for advanced users.
We recommend Vilfo OS instead, as its easy interface allows simultaneous VPN connections and has DNS leak protection, a VPN killswitch and more built in.
1. Change DNS servers
Navigate to System → General Setup.
Change the DNS servers in the list to:
- 46.227.67.134
- 192.165.9.158
Deselect Allow DNS server list to be overridden by DHCP/PPP on WAN, so that it is not checked.
Under DNS Resolution Behavior, select Use remote DNS servers, ignore local DNS.
Save the changes.
2. Create CA certificate
Navigate to System → Cert manager.
Click on +Add. Afterwards, alter these settings:
Create/Edit CA
- Method: Import an existing Certificate Authority
- Randomize Serial: Unchecked
Existing Certificate Authority
- Certificate data: You must be logged in to see this.
- Certificate Private Key (optional): (leave blank)
- Next Certificate Serial: (leave blank)
Save the changes.
3. Choose how you want to connect to OVPN
4. Configure OpenVPN
Navigate to VPN → OpenVPN. Afterwards, click on the Clients tab.
Click on +Add. Afterwards, alter these settings:
General Information
- Disabled: Should not be selected
- Server Mode: Peer To Peer (SSL/TLS)
- Device Mode: Tun – Layer 3 Tunnel Mode
- Proxy host or address: (leave blank)
- Proxy authentication extra options: none
User Authentication Settings
- Username: (enter your username for OVPN)
- Password: (enter your password for OVPN)
- Authentication Retry: Should not be selected
Cryptographic Settings
- TLS Configuration: Should be selected
- Automatically generate a TLS Key: Should not be selected
- Paste your shared key here: You must be logged in to see this.
- TLS Key Usage Mode: TLS Authentication
- TLS Key Direction: Direction 1
- Peer Certificate Authority: OVPN
- Peer Certificate Revocation List: Leave as is
- Client Certificate: None (Username and/or Password required)
- Data Encryption Negotiation: Should be selected
- Encryption algorithms: CHACHA20-POLY1305
- Fallback Data Encryption Algorithm: AES-256-GCM
- Auth Digest Algorithm: SHA1 (160-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
Tunnel Settings
- IPv4 Tunnel Network: (leave blank)
- IPv6 Tunnel Network: (leave blank)
- IPv4 Remote Network(s): (leave blank)
- IPv6 Remote Network(s): (leave blank)
- Limit outgoing bandwidth: (leave blank)
- Allow Compression: Compress packets
- Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
- Topology: Subnet – One IP-address per client in a common subnet
- Type-of-Service: Should not be selected
- Don't pull routes: Should not be selected
- Don't add/remove routes: Should not be selected
- Pull DNS: Should be selected
Ping Settings
- Ping method: ping -- Define ping/ping-exit/ping-restart manually
- Ping restart or exit: ping-restart -- Restart OpenVPN after timeout
- Ping restart or exit seconds: 60
Advanced configuration
- Custom options: You must be logged in to see this.
- UDP fast I/O: Should be selected
- Send/Receive buffer: Default
- Verbosity level: 3 (Recommended)
Save the changes.
5. Create OpenVPN interface
Navigate to Interfaces → Assignments.
Click on the plus (+) icon to create interface ovpnc1 (OVPN client). Afterwards, click on OPT1.
Select Enable interface, so that it is checked.
Save your changes and click on Apply changes.
6. Configure NAT
Navigate to Firewall → NAT. Afterwards, click on the Outbound tab.
Select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT), so that it is checked. Save your changes and click on Apply changes.
The next step is to duplicate all existing rules, changing the interface to OpenVPN in each copy. To duplicate a rule, click on the duplicate icon (the middle icon) next to the rule.
Change Interface to OpenVPN. You should also alter the Description in order to clarify that the rule is for OpenVPN. Save your changes.
When all the rules have been duplicated, commit your changes by clicking on Apply changes.
7. Start OpenVPN
Navigate to Status → OpenVPN.
Click on the icon that looks like a Play button in order to start OpenVPN. If OpenVPN is already running, we suggest restarting it.
8. Finished
You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.
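To check steps 1 and 6 against a configuration backup, the following added example (not part of OVPN's guide) parses a pfSense config.xml and reports DNS and outbound NAT settings that differ from the ones above. The element names (dnsserver, dnsallowoverride, nat/outbound/rule, dstport, disabled) are assumed from pfSense's config.xml layout, opt1 is assumed to be the interface created in step 5, and the embedded sample is constructed.

```python
import xml.etree.ElementTree as ET

EXPECTED_DNS = {"46.227.67.134", "192.165.9.158"}  # servers from step 1

# Constructed sample, trimmed to the elements checked. Element names are assumed
# from pfSense's config.xml layout; "opt1" is assumed to be the step 5 interface.
SAMPLE = """<pfsense>
  <system>
    <dnsserver>46.227.67.134</dnsserver>
    <dnsserver>192.165.9.158</dnsserver>
    <dnsallowoverride></dnsallowoverride>
  </system>
  <nat><outbound>
    <mode>advanced</mode>
    <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source></rule>
    <rule><interface>wan</interface><source><network>10.0.50.0/24</network></source></rule>
    <rule><interface>opt1</interface><source><network>192.168.1.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""


def audit(config_xml, vpn_if="opt1", wan_if="wan"):
    """Return findings for steps 1 and 6; an empty list means both look right."""
    root = ET.fromstring(config_xml)
    findings = []
    dns = {e.text.strip() for e in root.findall("system/dnsserver") if e.text}
    if dns != EXPECTED_DNS:
        findings.append(f"DNS servers are {sorted(dns)}")
    # The element is present only while the DHCP/PPP override box is checked.
    if root.find("system/dnsallowoverride") is not None:
        findings.append("DHCP/PPP may override the DNS server list")
    if root.findtext("nat/outbound/mode") != "advanced":
        findings.append("outbound NAT is not in manual (AON) mode")
    rules = {}  # interface -> set of (source network, destination port)
    for rule in root.findall("nat/outbound/rule"):
        if rule.find("disabled") is not None:
            continue  # a disabled duplicate does not translate any traffic
        key = (rule.findtext("source/network", ""), rule.findtext("dstport", "any"))
        rules.setdefault(rule.findtext("interface", ""), set()).add(key)
    # Every WAN rule needs a twin on the VPN interface, or that source is not NATed there.
    for net, port in sorted(rules.get(wan_if, set()) - rules.get(vpn_if, set())):
        findings.append(f"no {vpn_if} NAT rule for source {net}, port {port}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

To audit a real backup, pass the contents of the exported config.xml to audit() and set vpn_if to the interface name shown under Interfaces → Assignments.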