Configuring OPNsense takes time and is only recommended for advanced users, since a mistake in the setup can cause leaks.
We recommend Vilfo OS instead: its simple interface allows simultaneous VPN connections and has DNS leak protection, a VPN kill switch and more built in.
This guide was created for OPNsense 19.7 “Jazzy Jaguar”. If you think it is too complicated and want a simple way to connect to OVPN and use split tunneling features, we recommend Vilfo.
1. Change DNS servers
Navigate to System → Settings → General.
Change the DNS servers in the list to:
- 46.227.67.134
- 192.165.9.158
Deselect Allow DNS server list to be overridden by DHCP/PPP on WAN, so that it is not checked.
Select Do not use the DNS Forwarder or Resolver as a DNS server for the firewall, so that it is checked.
Click on Save.
2. Create CA certificate
Navigate to System → Trust → Authorities.
Click on the plus (+) icon. Afterwards, alter these settings:
Create/Edit CA
- Method: Import an existing Certificate Authority
Existing Certificate Authority
- Certificate data: (shown on the OVPN website when logged in)
- Certificate Private Key (optional): (leave blank)
- Serial for next certificate: (leave blank)
Click on Save.
3. Choose how you want to connect to OVPN
4. Configure OpenVPN
Navigate to VPN → OpenVPN → Clients.
Click on the plus (+) icon. Afterwards, alter these settings:
General Information
- Disabled: should not be selected
- Server Mode: Peer To Peer (SSL/TLS)
- Device Mode: Tun – Layer 3 Tunnel Mode
- Retry DNS resolution: should be selected
- Proxy host or address: (leave blank)
- Proxy authentication extra options: none
User Authentication Settings
- Username: (enter your username for OVPN)
- Password: (enter your password for OVPN)
- Renegotiate time: should not be selected
Cryptographic Settings
- TLS Configuration → Enable authentication of TLS packets: should be selected
- TLS Configuration → Automatically generate a TLS Key: should not be selected
- Paste your shared key here: (shown on the OVPN website when logged in)
- Peer Certificate Authority: OVPN
- Client Certificate: None (Username and/or Password required)
- Encryption algorithm: AES-256-GCM
- Auth Digest Algorithm: SHA1 (160-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
Tunnel Settings
- IPv4 Tunnel Network: (leave blank)
- IPv6 Tunnel Network: (leave blank)
- IPv4 Remote Network(s): (leave blank)
- IPv6 Remote Network(s): (leave blank)
- Limit outgoing bandwidth: (leave blank)
- Compression: No Preference
- Type-of-Service: should not be selected
- Disable IPv6: should not be selected
- Don't pull routes: should not be selected
- Don't add/remove routes: should not be selected
Advanced configuration
- Custom options: (shown on the OVPN website when logged in)
- Verbosity level: 3 (Recommended)
Click on Save.
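To make the meaning of the fields above concrete, here is the same client configuration written as a plain OpenVPN config file. This is an added illustration, not the file OPNsense generates from the form and not OVPN's own configuration. The server address and port (chosen in step 3), the file names for the CA certificate, the shared TLS key and the credentials file are placeholders, the tls-auth key direction is an assumption, the remote-cert-tls line is an addition that is not a field in the form, and the custom options that the OVPN site shows only after login are left out.

```conf
# Added illustration: the step 4 form expressed as an OpenVPN client config.
# Not OPNsense's generated file. Placeholders are written in CAPITALS.

# Server Mode: Peer To Peer (SSL/TLS); "Don't pull routes" is not selected,
# so the client pulls routes and options from the server
client
# Device Mode: Tun - Layer 3 Tunnel Mode
dev tun
# Placeholders for the server and port chosen in step 3
remote OVPN_SERVER_FROM_STEP_3 OVPN_PORT_FROM_STEP_3
# Retry DNS resolution: selected
resolv-retry infinite
# Username / Password for OVPN, read from a root-only file (placeholder name)
auth-user-pass CREDENTIALS_FILE

# Peer Certificate Authority: the OVPN CA imported in step 2 (placeholder file name)
ca ovpn-ca.crt
# Enable authentication of TLS packets, using the pasted shared key.
# Key direction 1 is the usual client-side value (assumption, not from the page)
tls-auth ovpn-tls.key 1
# Not a field in the form: added so the client only accepts a peer whose
# certificate is marked as a server certificate, not any certificate the CA signed
remote-cert-tls server
# Encryption algorithm
cipher AES-256-GCM
# Auth Digest Algorithm: SHA1 (160-bit). With an AEAD cipher such as AES-256-GCM
# this digest is not used for the data channel, only for the tls-auth HMAC
auth SHA1
# Verbosity level: 3
verb 3
# The custom options from the OVPN website (shown after login) would follow here.
```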
5. Create OpenVPN interface
Navigate to Interfaces → Assignments.
Click on the plus (+) icon to create interface ovpnc1 (OVPN client). Afterwards, click on OPT1.
Select, so that Enable interface is checked.
Save your changes and click on Apply changes.
6. Send DNS requests through the VPN tunnel
Navigate to Services → Unbound DNS → General.
- Enable: should be selected
- Listen port: (leave blank)
- DNSSEC: should not be selected
- DHCP Registration: should be selected
- DHCP Domain Override: (leave blank)
- DHCP Static Mappings: should be selected
- IPv6 Link-local: should not be selected
- TXT Comment Support: should not be selected
- DNS Query Forwarding: should be selected
- Local Zone Type: Transparent
- Custom options: (leave blank)
- Outgoing Network Interfaces: ovpnc1 (OVPN client)
- WPAD Records: should not be selected
7. Configure NAT
Navigate to Firewall → NAT → Outbound.
Select, so that Hybrid outbound NAT rule generation is checked. Save your changes and click on Apply changes.
Click on the plus (+) icon. On Interface, select OPT1. Leave everything else as is.
Save your changes and click on Apply changes.
Navigate to Firewall → Rules → LAN.
On the rule IPv4, click on the copy icon to Copy. Set the Gateway to OPT1_DHCP. Click on Save.
On the rule IPv6, click on the copy icon to Copy. Set the Gateway to OPT1_DHCP6. Click on Save.
Save your changes and click on Apply changes.
8. Start OpenVPN
Navigate to VPN → OpenVPN → Connection Status.
Click on the icon that looks like a Play button in order to start OpenVPN. If OpenVPN is already running, we suggest restarting it.
9. Finished
You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.
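Besides looking at the dashboard, the state the guide aims for can be checked on the OPNsense shell (console or SSH). The script below is an added example, not part of the OVPN guide or of OPNsense. It assumes the interface name ovpnc1 from step 5 and the two resolvers from step 1, that OPNsense writes the firewall's own resolvers to /etc/resolv.conf, and that the generated Unbound configuration lives at /var/unbound/unbound.conf and carries the step 6 interface choice as an outgoing-interface line. The sample outputs inside the script are constructed, so the checks can be read and tried anywhere; run it with the argument live on the firewall itself.

```shell
#!/bin/sh
# Added check script for the OVPN setup above (not part of the guide or of OPNsense).
#   sh check_ovpn.sh         runs the checks against the constructed samples below
#   sh check_ovpn.sh live    runs them against the real system (on the OPNsense shell)

OVPN_DNS="46.227.67.134 192.165.9.158"   # the two resolvers entered in step 1

# Check 1: the OpenVPN client interface (ovpnc1, step 5) is UP and has an IPv4 address.
# $1 is the text output of `ifconfig ovpnc1`.
iface_up_with_inet() {
    printf '%s\n' "$1" | grep -q 'flags=[0-9a-fx]*<[^>]*UP' &&
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet [0-9]'
}

# Check 2: every resolver the firewall itself uses is one of the OVPN servers, so the
# box does not leak its own lookups to the ISP resolver (the reason step 1 unchecks the
# DHCP/PPP override). $1 is the text of /etc/resolv.conf.
resolvers_are_ovpn() {
    ns_list=$(printf '%s\n' "$1" | awk '/^nameserver/ { print $2 }')
    [ -n "$ns_list" ] || return 1          # no resolver at all is also a failure
    for ns in $ns_list; do
        case " $OVPN_DNS " in
            *" $ns "*) ;;                  # allowed
            *) return 1 ;;                 # some other resolver is configured
        esac
    done
    return 0
}

# Check 3: Unbound is told which address to send its queries from (step 6 selected
# ovpnc1 as the outgoing interface). Assumption: OPNsense renders that choice as an
# `outgoing-interface:` line in the generated file. $1 is that file's text.
unbound_has_outgoing_interface() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*outgoing-interface:[[:space:]]*[0-9]'
}

report() {   # report <label> <exit status>
    if [ "$2" -eq 0 ]; then echo "OK   $1"; else echo "FAIL $1"; fi
}

# Constructed sample outputs (not captured from a real firewall) showing the healthy state.
SAMPLE_IFCONFIG='ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
        groups: tun openvpn'
SAMPLE_RESOLV='nameserver 46.227.67.134
nameserver 192.165.9.158'
SAMPLE_UNBOUND='server:
    interface: 0.0.0.0
    outgoing-interface: 10.8.0.6'

if [ "${1:-}" = "live" ]; then
    IFCONFIG_OUT=$(ifconfig ovpnc1 2>/dev/null)
    RESOLV_OUT=$(cat /etc/resolv.conf 2>/dev/null)
    UNBOUND_OUT=$(cat /var/unbound/unbound.conf 2>/dev/null)   # assumed location of the generated file
else
    IFCONFIG_OUT=$SAMPLE_IFCONFIG
    RESOLV_OUT=$SAMPLE_RESOLV
    UNBOUND_OUT=$SAMPLE_UNBOUND
fi

iface_up_with_inet "$IFCONFIG_OUT";            report "ovpnc1 is up with an IPv4 address" $?
resolvers_are_ovpn "$RESOLV_OUT";              report "firewall resolvers are the OVPN servers" $?
unbound_has_outgoing_interface "$UNBOUND_OUT"; report "Unbound sends its queries from a fixed (VPN) address" $?
```

A FAIL on the first line means the tunnel is not up (step 8); on the second, that the firewall itself can still resolve names outside the tunnel (step 1); on the third, that Unbound is not pinned to the VPN interface (step 6).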