
pfSense 2.4.3 setup

1. To set up pfSense 2.4.3 with OpenVPN, access your pfSense via a browser. Then navigate to System -> Cert. Manager -> CAs and select +Add.

You should see this screen:



2. We will configure our pfSense to connect to the NL120 server, but you should connect to the server suggested to you at https://nordvpn.com/servers/#recommended .

You can find the server hostname right under the server title.



Press the “+ Add” button. Then fill out the fields like this:

Descriptive Name: NordVPN_NL120_CA
Method: Import an existing Certificate Authority
Certificate data: (you can get this certificate by downloading our CA and TLS files from here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip)

 


Press “Save”.

3. Then navigate to VPN -> OpenVPN -> Clients and press “+Add”.

4. Fill in the fields:

Disable this client: leave unchecked.

Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN;
Local port: leave blank;
Server host or address: nl120.nordvpn.com;
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Authentication method: None;
Description: Any name you like. We will use NordVPN_NL120.

USER AUTHENTICATION SETTINGS

User name: Your NordVPN username

Password: Your NordVPN password in both fields.
Authentication Retry: leave unchecked

CRYPTOGRAPHIC SETTINGS

TLS Authentication: Check
Automatically generate a shared TLS authentication key: Uncheck


Peer certificate authority: NordVPN_NL120_CA;
Peer Certificate Revocation list: do not define.
Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM and AES-256-CBC.
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.


TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: No LZO Compression [Legacy style, comp-lzo yes];

Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: uncheck;
Don’t add/remove routes: leave unchecked.


ADVANCED CONFIGURATIONS

Custom Options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;


UDP FAST I/O: leave unchecked.
Send/Receive Buffer: Default
Verbosity level: 3 (recommended);




5. Navigate to Interfaces -> Interface Assignments and add the NordVPN NL120 interface.



6. Press OPT1 to the left of your assigned interface and fill in the following information:

Enable: check

Description: NordVPN
IPv4 Configuration Type: DHCP
IPv6 Configuration Type: None
Mac Address: leave blank
MTU: leave blank
MSS: leave blank

Do not change anything else. Just scroll down to the bottom and press “Save”.



7. Navigate to Services -> DNS Resolver -> General Settings

Enable: check

Listen port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check

Click Save.




8. While in DNS Resolver, select Advanced Setting at the top and then fill in the following:

Hide Identity: check

Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check

Click Save.




9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”. Press “Save”. Four rules will then appear. Leave all rules untouched and add a new one.
9.1. Select NordVPN as the interface.
9.2. Source: your LAN subnet.
9.3. Click Save. At the end it should look like this:




10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Show Advanced Options;

10.2. Change Gateway to NordVPN;
10.3. Click Save.

At the end it should look like this:




11. Go to System -> General Setup and fill in:

DNS Server 1: 103.86.96.100 ; none
DNS Server 2: 103.86.99.100 ; NordVPN_DHCP-…

Click Save.




12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.



13. You can also check the connection log file under Status -> System Logs -> OpenVPN:
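
One way to automate the log check from step 13, as an added example (not NordVPN's or pfSense's own code): copy the log text into a Python script that confirms the server certificate, the cipher and the tunnel state match what step 4 configured. The sample log lines are constructed, and the script assumes each connection attempt starts with a "link remote:" line.

```python
import re

# Constructed sample (not captured from a real firewall): message texts follow
# OpenVPN 2.4 wording; timestamp, PID and the 192.0.2.10 address are made up.
SAMPLE_LOG = """\
Apr 10 12:00:01 openvpn 4242 UDP link remote: [AF_INET]192.0.2.10:1194
Apr 10 12:00:02 openvpn 4242 VERIFY EKU OK
Apr 10 12:00:02 openvpn 4242 VERIFY OK: depth=0, CN=nl120.nordvpn.com
Apr 10 12:00:03 openvpn 4242 Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 10 12:00:05 openvpn 4242 Initialization Sequence Completed
"""

# Failure messages mapped to the field from step 4 to re-check.
FAILURES = {
    "AUTH_FAILED": "User name / Password",
    "packet HMAC authentication failed": "TLS Authentication key",
    "TLS key negotiation failed": "Server host or address / Server port",
    "VERIFY ERROR": "Peer certificate authority",
}
CIPHER_RE = re.compile(r"Data Channel: (?:using negotiated cipher|Cipher) '([^']+)'")
CN_RE = re.compile(r"VERIFY OK: depth=0,.*?CN=([^,\s]+)")

def check_log(text, host="nl120.nordvpn.com",
              ciphers=("AES-256-GCM", "AES-256-CBC")):
    """Return a list of findings for the most recent connection attempt."""
    findings, seen = [], {}
    for line in text.splitlines():
        if "link remote:" in line:   # assumption: marks the start of an attempt
            findings, seen = [], {}  # forget results of the previous attempt
        for needle, setting in FAILURES.items():
            if needle in line:
                findings.append(f"{needle}: re-check {setting}")
        if "VERIFY EKU OK" in line:  # logged when remote-cert-tls server passes
            seen["eku"] = True
        if "Initialization Sequence Completed" in line:
            seen["up"] = True
        for key, rx in (("cn", CN_RE), ("cipher", CIPHER_RE)):
            m = rx.search(line)
            if m:
                seen[key] = m.group(1)
    if not seen.get("eku"):
        findings.append("no VERIFY EKU OK: remote-cert-tls server check not seen")
    if seen.get("cn") != host:
        findings.append(f"server certificate CN {seen.get('cn')!r} != {host!r}")
    if seen.get("cipher") not in ciphers:
        findings.append(f"cipher {seen.get('cipher')!r} not in {ciphers}")
    if not seen.get("up"):
        findings.append("tunnel never reached Initialization Sequence Completed")
    return findings
```

An empty list from `check_log()` means the last attempt verified the server certificate, used one of the NCP algorithms from step 4 and completed initialization.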



That’s it! You should now have the VPN connection set on your pfSense.
