How can we help you?

pfSense 2.4.4 setup with NordVPN

1. In order to setup pfSense 2.4.4 with OpenVPN please access your pfSense via browser. Then navigate to System -> Cert. Manager -> CAs. And select +Add.

You should see this screen:



2. We will configure our pfSense to connect to NL120 server but you should connect to a server suggested to you at  https://nordvpn.com/servers/tools/ .

You can find the server hostname right under the server title.



Press on + Add button. Then fill the fields out like this:

Descriptive Name: NordVPN_NL120_CA
Method: Import an existing Certificate Authority
Certificate data:
 

-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----

Press Save

3. Then navigate to VPN -> OpenVPN -> Clients and press +Add

4. Fill in the fields:

Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN;
Local port: leave blank;
Server host or address: nl120.nordvpn.com;
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
Description: Any name you like. We will use NordVPN_NL120.



USER AUTHENTICATION SETTINGS

Username: Your NordVPN username
Password: Your NordVPN password in both fields.
Authentication Retry: leave unchecked



CRYPTOGRAPHIC SETTINGS

TLS Configuration: Check
TLS Key:

-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----


TLS Key Usage Mode: TLS Authentication
Peer certificate authority: NordVPN_NL120_CA;
Peer Certificate Revocation list: do not define.
Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM and AES-256-CBC.
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.



TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network(s): leave blank;
IPv6 remote network(s): leave blank;
Limit outgoing bandwidth: leave blank;
Compression: No LZO Compression [Legacy style,comp-lzo no];
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked;
Don’t pull routes: uncheck;
Don’t add/remove routes: check.



ADVANCED CONFIGURATION

Custom Options

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;


UDP FAST I/O: leave unchecked.
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended);



5. Navigate to Interfaces -> Interface Assignments and Add NordVPN NL120 interface.



6. Press on the OPT1 to the left of your assigned interface and fill in the following information:

Enable: check
Description: NordVPN
Mac Address: leave blank
MTU: leave blank
MSS: leave blank

Do not change anything else. Just scroll down to the bottom and press “Save


 

7. Navigate to Services -> DNS Resolver -> General Settings

Enable: check
Listen port: leave what it already is
Enable SSL/TLS Service: uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
SSL/TLS Listen Port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check

Click Save


 

8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

ADVANCED PRIVACY OPTIONS:

Hide Identity: check
Hide Version: check

ADVANCED RESOLVER OPTIONS:

Prefetch Support: check
Prefetch DNS Key Support: check

Click Save


 

9. Navigate to Firewall -> NAT -> Outbound and select Manual Outbound NAT rule generation. Press Save. Then four rules will appear. Leave all rules untouched and add a new one.
9.1. Select NordVPN as an Interface.
9.2. Source: your LAN subnet.
9.3. Click Save. At the end it should look like this:

10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Show Advanced Options;
10.2. Change Gateway to NordVPN;
10.3. Click Save.

At the end it should look like this:

11. Go to System -> General Setup and fill in:

DNS Server 1:  103.86.96.100 ; none
DNS Server 2: 103.86.99.100 ; NordVPN_VPNV4-…

Click Save

12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up

13. You can also check the connection log file under Status -> System Logs -> OpenVPN:

That’s it! You should now have the VPN connection set on your pfSense.

Related Articles

© Copyright 2019 all rights reservedSelf-service byNanorep