if you are using pfSense 2.4.5 you will need to follow this tutorial instead.
Likewise, in case you have pfSense 2.5 use this tutorial instead.
1. To set up OpenVPN on pfSense 2.4.4, access your pfSense from your browser, then navigate to System > Certificate Manager > CAs. Select +Add.
You should see this screen:
2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/.
Fill in the fields as follows:
Descriptive Name: NordVPN_NL120_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
3. Navigate to VPN > OpenVPN > Clients and press +Add.
4. Fill in the fields as follows:
Disable this client: leave unchecked;
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP in the case that you experience issues with UDP);
Device mode: tun – Layer 3 Tunnel Mode;
Local port: leave blank;
Server host or address: the hostname of the server recommended to you (in our case, it’s nl120.nordvpn.com);
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: none;
Description: Any name you like. We will use NordVPN.
USER AUTHENTICATION SETTINGS
Username: Your NordVPN service username
Password: Your NordVPN service password in both fields.
You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
Authentication Retry: leave unchecked.
TLS Configuration: Check
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: NordVPN_NL120_CA
Peer Certificate Revocation list: do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Encryption Algorithm: AES-256-GCM
Enable NCP: Check the box
NCP Algorithms: AES-256-GCM and AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
IPv4 tunnel network: leave blank
IPv6 tunnel network: leave blank
IPv4 remote network(s): leave blank
IPv6 remote network(s): leave blank
Limit outgoing bandwidth: leave blank
Compression: No LZO Compression [Legacy style,comp-lzo no]
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked
Don’t pull routes: leave unchecked
Don’t add/remove routes: check the box
UDP FAST I/O: leave unchecked
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
5. Navigate to Interfaces > Interface Assignments and Add the NordVPN NL120 interface.
6. Press on the OPT1 to the left of your assigned interface and fill in the following information:
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press Save.
7. Navigate to Services -> DNS Resolver -> General Settings
Enable: check the box
Listen port: leave as is
Enable SSL/TLS Service: uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different);
SSL/TLS Listen Port: leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:
ADVANCED PRIVACY OPTIONS:
Hide Identity: check
Hide Version: check
ADVANCED RESOLVER OPTIONS:
Prefetch Support: check
Prefetch DNS Key Support: check
9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Four rules will appear. Leave all the rules untouched and add a new one.
9.1. Interface: NordVPN.
9.2. Source: your LAN subnet.
9.3. Click Save. At the end, it should look like this:
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Show Advanced Options
10.2. Change Gateway to NordVPN
10.3. Click Save.
Now it should look like this:
11. Go to System > General Setup and fill in the fields as follows:
DNS Server 1: 220.127.116.11; none
DNS Server 2: 18.104.22.168; NordVPN_VPNV4-…
12. Now navigate to Status > OpenVPN. The status and it should state that the service is “up”.
13. You can also check the connection log file under Status > System Logs > OpenVPN:
That’s it! pfsense VPN setup is complete, and you should now have a VPN connection.