Here are the steps to set up OpenVPN on pfSense 2.4.4:
1. Open the pfSense web interface in your browser, then navigate to System > Certificate Manager > CAs and click +Add.
You should see this screen:
2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/.
Fill in the fields as follows:
Descriptive Name: NordVPN_NL120_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
3. Navigate to VPN > OpenVPN > Clients and press +Add.
4. Fill in the fields as follows:
Disable this client: leave unchecked;
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP in the case that you experience issues with UDP);
Device mode: tun – Layer 3 Tunnel Mode;
Local port: leave blank;
Server host or address: the hostname of the server recommended to you (in our case, it’s nl120.nordvpn.com);
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: none;
Description: Any name you like. We will use NordVPN.
USER AUTHENTICATION SETTINGS
Username: Your NordVPN service username
Password: Your NordVPN service password in both fields.
You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:
- Click Set up NordVPN manually.
- You will receive a verification code in your email that you use for NordVPN services. Type the code in:
- Copy the credentials using the “Copy” buttons on the right:
TLS Configuration: Check
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: NordVPN_NL120_CA
Peer Certificate Revocation list: do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Encryption Algorithm: AES-256-GCM
Enable NCP: Check the box
NCP Algorithms: AES-256-GCM and AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
IPv4 tunnel network: leave blank
IPv6 tunnel network: leave blank
IPv4 remote network(s): leave blank
IPv6 remote network(s): leave blank
Limit outgoing bandwidth: leave blank
Compression: No LZO Compression [Legacy style, comp-lzo no]
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked
Don’t pull routes: leave unchecked
Don’t add/remove routes: check the box
UDP FAST I/O: leave unchecked
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
5. Navigate to Interfaces > Interface Assignments and Add the NordVPN NL120 interface.
6. Click OPT1 to the left of your assigned interface and fill in the following information:
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press Save.
7. Navigate to Services > DNS Resolver > General Settings
Enable: check the box
Listen port: leave as is
Enable SSL/TLS Service: uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different);
SSL/TLS Listen Port: leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:
ADVANCED PRIVACY OPTIONS:
Hide Identity: check
Hide Version: check
ADVANCED RESOLVER OPTIONS:
Prefetch Support: check
Prefetch DNS Key Support: check
9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Four rules will appear. Leave all the rules untouched and add a new one.
- Interface: NordVPN.
- Source: your LAN subnet.
- Click Save. At the end, it should look like this:
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
- Click Show Advanced Options
- Change Gateway to NordVPN
- Click Save.
Now it should look like this:
11. Go to System > General Setup and fill in the fields as follows:
DNS Server 1: 126.96.36.199, Gateway: none
DNS Server 2: 188.8.131.52, Gateway: NordVPN_VPNV4-…
12. Now navigate to Status > OpenVPN. The status should state that the service is “up”.
13. You can also check the connection log file under Status > System Logs > OpenVPN:
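As an added check for steps 12 and 13 (example code written for this page, not part of the original tutorial or of pfSense itself): a small Python script that reads OpenVPN client log lines, reports whether the client reached "Initialization Sequence Completed" or stopped at a known failure, and confirms that the negotiated data-channel cipher is one of the NCP algorithms configured in step 4. The embedded log lines are constructed samples with placeholder certificate names and documentation-range addresses, not output captured from a real system.

```python
import re

# Constructed sample of the kind of lines shown under Status > System Logs > OpenVPN
# on pfSense (placeholder names, documentation addresses; not real captured output).
SAMPLE_UP = """\
openvpn[4242]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
openvpn[4242]: UDP link remote: [AF_INET]203.0.113.10:1194
openvpn[4242]: VERIFY OK: depth=1, CN=EXAMPLE-ROOT-CA
openvpn[4242]: VERIFY OK: depth=0, CN=EXAMPLE-SERVER
openvpn[4242]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
openvpn[4242]: Data Channel: using negotiated cipher 'AES-256-GCM'
openvpn[4242]: Initialization Sequence Completed
"""

# Constructed sample of a client rejected because of wrong service credentials (step 4).
SAMPLE_AUTH_FAILED = """\
openvpn[4243]: UDP link remote: [AF_INET]203.0.113.10:1194
openvpn[4243]: VERIFY OK: depth=0, CN=EXAMPLE-SERVER
openvpn[4243]: AUTH: Received control message: AUTH_FAILED
openvpn[4243]: SIGUSR1[soft,auth-failure] received, process restarting
"""

# Known OpenVPN failure messages; the newest matching line decides the reported state.
FAILURE_PATTERNS = [
    ("auth_failed", re.compile(r"AUTH_FAILED")),                       # wrong service username/password
    ("hmac_failed", re.compile(r"packet HMAC authentication failed")),  # tls-auth key or auth digest mismatch
    ("verify_failed", re.compile(r"VERIFY ERROR")),                    # imported CA does not match the server
    ("tls_failed", re.compile(r"TLS Error")),                          # handshake never completed (port, protocol, firewall)
]
EXPECTED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}  # the NCP list configured in step 4


def classify_openvpn_log(text):
    """Return the tunnel state, the log line that proves it, and the negotiated cipher."""
    state, evidence, cipher = "unknown", None, None
    for line in text.splitlines():
        m = re.search(r"negotiated cipher '([^']+)'", line)
        if m:
            cipher = m.group(1)
        if "Initialization Sequence Completed" in line:
            state, evidence = "up", line
            continue
        for name, pattern in FAILURE_PATTERNS:
            if pattern.search(line):
                state, evidence = name, line
                break
    cipher_ok = (cipher in EXPECTED_CIPHERS) if cipher else None
    return {"state": state, "evidence": evidence, "cipher": cipher, "cipher_ok": cipher_ok}
```

Feed it the text copied from Status > System Logs > OpenVPN; a state other than "up", or cipher_ok being False, points back to the step named in the matching comment.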