
Install OVPN on pfSense


Supported versions: pfSense 2.7.2

Last updated: February 12, 2024

1. Change DNS servers

Navigate to System > General Setup.

Change the DNS servers in the list to:

  • 46.227.67.134
  • 192.165.9.158

Make sure that Allow DNS server list to be overridden by DHCP/PPP on WAN is unchecked.

Under DNS Resolution Behavior, select Use remote DNS servers, ignore local DNS.

Save the changes.

2. Create CA certificate

Navigate to System > Certificate, then open the Authorities tab.

Click on +Add. Afterwards, alter these settings:

Create/Edit CA

  • Descriptive name: OVPN
  • Method: Import an existing Certificate Authority
  • Trust Store: unchecked
  • Randomize Serial: unchecked

Existing Certificate Authority

  • Certificate data: (shown only when logged in to the OVPN website)
  • Certificate Private Key (optional): leave blank
  • Next Certificate Serial: leave blank

Save the changes.


3. Choose how you want to connect to OVPN

4. Configure OpenVPN

Navigate to VPN > OpenVPN, then open the Clients tab.

Click on +Add. Afterwards, alter these settings:

General Information

  • Description: optional description for the VPN
  • Disabled: not selected

Mode configuration

  • Server mode: Peer to Peer (SSL/TLS)
  • Device mode: tun – Layer 3 Tunnel Mode

Endpoint Configuration

  • Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
  • Local port: leave blank
  • Server host or address: as chosen in step 3
  • Server port: as chosen in step 3
  • Proxy host or address: leave blank
  • Proxy port: leave blank
  • Proxy authentication extra options: none

User Authentication Settings

  • Username: your OVPN username
  • Password: your OVPN password
  • Authentication Retry: not selected

Cryptographic Settings

  • TLS Configuration: selected
  • Automatically generate a TLS Key: not selected
  • TLS key: (shown only when logged in to the OVPN website)
  • TLS Key Usage Mode: TLS Authentication
  • TLS Key Direction: Direction 1
  • Peer Certificate Authority: OVPN
  • Peer Certificate Revocation List: none
  • Client Certificate: None (Username and/or Password required)
  • Data Encryption Negotiation: selected
  • Encryption algorithms: CHACHA20-POLY1305
  • Fallback Data Encryption Algorithm: AES-256-GCM
  • Auth Digest Algorithm: SHA1 (160-bit)
  • Hardware Crypto: No Hardware Crypto Acceleration
  • Server Certificate Key Usage Validation: selected

Tunnel Settings

  • IPv4 Tunnel Network: leave blank
  • IPv6 Tunnel Network: leave blank
  • IPv4 Remote Network(s): leave blank
  • IPv6 Remote Network(s): leave blank
  • Limit outgoing bandwidth: leave blank
  • Allow Compression: Decompress incoming, do not compress outgoing (Asymmetric)
  • Compression: Adaptive LZO Compression
  • Topology: Subnet – One IP address per client in a common subnet
  • Type-of-Service: not selected
  • Don't pull routes: not selected
  • Don't add/remove routes: not selected
  • Pull DNS: not selected

Ping Settings

  • Inactive: 0
  • Ping method: keepalive - Use keepalive helper to define ping configuration
  • Interval: 10
  • Timeout: 60

Advanced configuration

  • Custom options: (shown only when logged in to the OVPN website)
  • UDP fast I/O: selected
  • Exit Notify: Retry 1x
  • Send/Receive buffer: Default
  • Gateway Creation: Both
  • Verbosity level: 3 (Recommended)

Save the changes.
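As an added example (not code from OVPN or pfSense), the Python script below lints an OpenVPN client configuration against the step 4 settings: tls-auth with key direction 1, remote-cert-tls server, the CHACHA20-POLY1305/AES-256-GCM cipher list, the AES-256-GCM fallback, asymmetric compression and the 10/60 keepalive. The embedded sample config is constructed to approximate what pfSense generates from those fields; the remote host and key file name are placeholders.

```python
# Constructed sample of what pfSense emits from the step 4 fields (placeholder host/key name).
SAMPLE_CONFIG = """\
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
tls-auth ta.key 1
remote-cert-tls server
data-ciphers CHACHA20-POLY1305:AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression asym
keepalive 10 60
"""

def parse_config(text):
    """Map each directive to its argument list (last occurrence wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def lint(text):
    """Return findings where the config deviates from the guide; [] means it matches."""
    d = parse_config(text)
    findings = []
    ta = d.get("tls-auth")
    # Key direction is the optional third tls-auth argument or a separate key-direction line.
    direction = ta[1] if ta and len(ta) > 1 else (d.get("key-direction") or [None])[0]
    if not ta:
        findings.append("tls-auth missing (TLS Authentication with the OVPN TLS key)")
    elif direction != "1":
        findings.append("tls-auth key direction should be 1")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing (Server Certificate Key Usage Validation)")
    ciphers = (d.get("data-ciphers") or [""])[0].split(":")
    if "CHACHA20-POLY1305" not in ciphers or "AES-256-GCM" not in ciphers:
        findings.append("data-ciphers should list CHACHA20-POLY1305 and AES-256-GCM")
    if d.get("data-ciphers-fallback") != ["AES-256-GCM"]:
        findings.append("data-ciphers-fallback should be AES-256-GCM")
    # Compressing outgoing plaintext enables compression-oracle attacks; 'asym' only decompresses.
    if (d.get("allow-compression") or ["no"])[0] == "yes":
        findings.append("allow-compression yes compresses outgoing data; use asym")
    if d.get("keepalive") != ["10", "60"]:
        findings.append("keepalive should be 10 60")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing (OVPN username/password)")
    return findings
```

Run `lint()` over an exported client config to confirm it still matches the guide after a pfSense upgrade or a manual edit.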

5. Create OpenVPN interface

Navigate to Interfaces > Assignments.

Click on the plus (+) icon to add the interface ovpnc1 (OVPN client) as OPT1. Afterwards, click on OPT1.

Check Enable interface.

Save your changes and click on Apply changes.

6. Configure NAT

Navigate to Firewall > NAT, then open the Outbound tab.

Select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). Save your changes and click on Apply changes.

Next, duplicate every existing rule and change the interface of each copy to OpenVPN. To duplicate a rule, click on the duplicate icon (the middle icon) next to it.

Change Interface to OpenVPN. You should also alter the Description in order to clarify that the rule is for OpenVPN. Save your changes.

When all the rules have been duplicated, commit your changes by clicking on Apply changes.

7. (Optional) Route through the VPN

As an optional setting, you can make the VPN connection the default gateway. Once the VPN is the default gateway, traffic is not re-routed over the WAN connection if the VPN goes down, so this acts as a basic kill switch.

Navigate to System > Routing, then open the Gateways tab.

Under Default gateway, make the following changes:

Default gateway IPv4:

  • 46.227.67.134
  • 217.64.148.33

Default gateway IPv6:

  • 2a07:a880:4601:10f0:cd45::1
  • 2a07:a880:4601:12a0:adb::1

8. Start OpenVPN

Navigate to Status > OpenVPN.

Click on the Play-button icon to start OpenVPN. If OpenVPN is already running, we suggest restarting it.

9. Finished

You should now be connected to OVPN and be able to browse the internet safely. To make sure everything was set up correctly, please check the dashboard to verify that you are connected.