pfSense 2.3.2 setup

This is a tutorial on how to set up an OpenVPN connection to NordVPN from your pfSense router.

 

1. To set up pfSense 2.3.2 with OpenVPN, access your pfSense web interface in a browser. Then navigate to System -> Certificate Manager -> CAs. You should see this screen:

 

 

2. We will configure pfSense to connect to the DK3 server. Press the "+ Add" button. Then fill out the fields like this:

 

Descriptive Name: NordVPN_DK3_CERT

Method: Import an existing Certificate Authority

Certificate data: (you can get this certificate by downloading our CA and TLS files from here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip)

 

Press "Save"

 

You should see something like this:

 

 

3. Then navigate to VPN -> OpenVPN -> Clients and press "+Add"

 

 

4. Fill in the fields:

 

Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP (you can also use TCP);
Device mode: TUN;
Interface: WAN;
Local port: leave blank;
Server host or address: dk3.nordvpn.com;
Server port: 1194;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: None;
Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: Any name you like. In our case it was NordVPN DK3

 

USER AUTHENTICATION SETTINGS
User name/pass: Your NordVPN username / your NordVPN password.

 

CRYPTOGRAPHIC SETTINGS
TLS Authentication: Check
Automatically generate a shared TLS authentication key: Uncheck

 

Then enter the TLS key of the DK3 server, which can be found here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip

 

 

Peer certificate authority: NordVPN_DK3_CERT;
Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption algorithm: AES-256-CBC (256-bit);
Auth digest algorithm: SHA512 (160-bit); (On older servers, this would be SHA1)
Hardware crypto: No hardware crypto acceleration.

 

TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: No LZO compression;
Type-of-service: leave unchecked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: uncheck;
Don’t add/remove routes: leave unchecked.

 

ADVANCED CONFIGURATIONS

 

Custom Options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

 

Verbosity level: 3 (recommended);

 

Click Save.

 

 

5. Navigate to Interfaces -> Interface Assignments and Add NordVPN DK3 interface.

 

 

6. Click OPT1 to the left of your assigned interface and fill in the following information:

 

Enable: check
Description: NordVPN
IPv4 Configuration Type: DHCP
IPv6 Configuration Type: None
Mac Address: leave blank
MTU: leave blank
MSS: leave blank

 

Do not change anything else. Just scroll down to the bottom and press "Save"

 

 

7. Navigate to Services -> DNS Resolver -> General Settings

 

Enable: check
Listen port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
Save

 

 

8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

 

Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Save

 

 

9. Navigate to Firewall -> NAT -> Outbound and select "Manual Outbound NAT rule generation". Press "Save". Four rules will then appear. Leave the 127.0.0.0 rules untouched and edit both rules that specify your network address as the source.

9.1. Change the Interface to NordVPN;
9.2. Click Save.

 

At the end it should look like this:

 

 

10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:

10.1. Press on Show Advanced Options;
10.2. Change Gateway to NordVPN;
10.3. Click Save.

 

At the end it should look like this:

 

 

11. Go to System -> General Setup and fill in:


DNS Server 1: 103.86.96.100 ; none
DNS Server 2: 103.86.99.100 ; NordVPN_DHCP-...
Save

 

 

12. Now you can navigate to Status -> OpenVPN, and it should state that the service is "up".

 

 

13. You can also check the connection log file under Status -> System Logs -> OpenVPN:
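The log check from step 13, as an added example that is not part of the original tutorial: a Python script that scans OpenVPN client log text for the certificate, cipher and digest settings chosen in step 4 and maps common failure messages to the step to recheck. The log lines are constructed samples in OpenVPN's message wording; the certificate subjects and process IDs are placeholders, and `audit` is a hypothetical helper name.

```python
import re

EXPECTED_CIPHER = "AES-256-CBC"  # step 4, "Encryption algorithm"
EXPECTED_DIGEST = "SHA512"       # step 4, "Auth digest algorithm"
# OpenVPN failure messages mapped to the tutorial setting to recheck.
FAILURES = {
    "AUTH_FAILED": "username/password rejected (step 4, user authentication)",
    "packet HMAC authentication failed": "TLS key mismatch (step 4, TLS authentication)",
    "VERIFY ERROR": "server certificate not signed by the imported CA (step 2)",
    "TLS key negotiation failed": "no TLS handshake (server host, port or protocol)",
}

# Constructed sample logs; subjects and PIDs are placeholders.
GOOD_LOG = """\
openvpn[4242]: VERIFY OK: depth=1, C=XX, O=Example, CN=Example Root CA
openvpn[4242]: VERIFY EKU OK
openvpn[4242]: VERIFY OK: depth=0, CN=dk3.nordvpn.com
openvpn[4242]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn[4242]: Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
openvpn[4242]: Initialization Sequence Completed
"""
BAD_LOG = """\
openvpn[4300]: Authenticate/Decrypt packet error: packet HMAC authentication failed
openvpn[4300]: TLS Error: TLS key negotiation failed to occur within 60 seconds
"""

def _first(pattern, log):
    m = re.search(pattern, log)
    return m.group(1) if m else "unknown"

def audit(log):
    """Return a list of problems; an empty list means the log matches the settings."""
    problems = [why for marker, why in FAILURES.items() if marker in log]
    if "VERIFY OK: depth=0" not in log:
        problems.append("server certificate was never verified")
    if "VERIFY EKU OK" not in log:
        problems.append("remote-cert-tls server check did not pass")
    cipher = _first(r"Data Channel(?: Encrypt)?: Cipher '([^']+)'", log)
    if cipher != EXPECTED_CIPHER:
        problems.append("data channel cipher is " + cipher)
    digest = _first(r"Data Channel(?: Encrypt)?: Using \d+ bit message hash '([^']+)'", log)
    if digest != EXPECTED_DIGEST:
        problems.append("HMAC digest is " + digest)
    if "Initialization Sequence Completed" not in log:
        problems.append("tunnel never finished initializing")
    return problems

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, audit(log) or "OK")
```

Paste the text from Status -> System Logs -> OpenVPN into a string and pass it to `audit`; an empty result means the session negotiated what step 4 configured.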

 
