Please note: if you are using pfSense 2.4.5 you will need to follow this tutorial instead. Likewise, in case you have pfSense 2.5 use this tutorial instead.
Here are the steps on how to set up OpenVPN on pfSense 2.4.4:
1. To set up VPN on pfSense 2.4.4, access your pfSense from your browser, then navigate to System > Certificate Manager > CAs. Select +Add.
You should see this screen:
2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/.
Fill in the fields as follows:
Descriptive Name: NordVPN_NL120_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
Certificate data:
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----
Press Save.
3. Navigate to VPN > OpenVPN > Clients and press +Add.
4. Fill in the fields as follows:
Disable this client: leave unchecked;
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP in the case that you experience issues with UDP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN;
Local port: leave blank;
Server host or address: the hostname of the server recommended to you (in our case, it’s nl120.nordvpn.com);
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: none;
Description: Any name you like. We will use NordVPN.
USER AUTHENTICATION SETTINGS
Username: Your NordVPN service username
Password: Your NordVPN service password in both fields.
You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:
- Click Set up NordVPN manually.
- You will receive a verification code in your email that you use for NordVPN services. Type the code in:
- Copy the credentials using the “Copy” buttons on the right:
Authentication Retry: leave unchecked.
CRYPTOGRAPHIC SETTINGS
TLS Configuration: Check
TLS Key:
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: NordVPN_NL120_CA
Peer Certificate Revocation list: do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Encryption Algorithm: AES-256-GCM
Enable NCP: Check the box
NCP Algorithms: AES-256-GCM and AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
TUNNEL SETTINGS
IPv4 tunnel network: leave blank
IPv6 tunnel network: leave blank
IPv4 remote network(s): leave blank
IPv6 remote network(s): leave blank
Limit outgoing bandwidth: leave blank
Compression: No LZO Compression [Legacy style,comp-lzo no]
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked
Don’t pull routes: leave unchecked
Don’t add/remove routes: check the box
ADVANCED CONFIGURATION
Custom Options
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
UDP FAST I/O: leave unchecked
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
5. Navigate to Interfaces > Interface Assignments and Add the NordVPN NL120 interface.
6. Press on the OPT1 to the left of your assigned interface and fill in the following information:
Enable: check
Description: NordVPN
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press Save.
7. Navigate to Services -> DNS Resolver -> General Settings
Enable: check the box
Listen port: leave as is
Enable SSL/TLS Service: uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different);
SSL/TLS Listen Port: leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
Click Save.
8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:
ADVANCED PRIVACY OPTIONS:
Hide Identity: check
Hide Version: check
ADVANCED RESOLVER OPTIONS:
Prefetch Support: check
Prefetch DNS Key Support: check
Click Save.
9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Four rules will appear. Leave all the rules untouched and add a new one.
- Interface: NordVPN.
- Source: your LAN subnet.
- Click Save. At the end, it should look like this:
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
- Press on Show Advanced Options
- Change Gateway to NordVPN
- Click Save.
Now it should look like this:
11. Go to System > General Setup and fill in the fields as follows:
DNS Server 1: 103.86.96.100; none
DNS Server 2: 103.86.99.100; NordVPN_VPNV4-…
Click Save.
12. Now navigate to Status > OpenVPN. The status and it should state that the service is “up”.
13. You can also check the connection log file under Status > System Logs > OpenVPN:
That’s it! pfsense VPN setup is complete, and you should now have a VPN connection. In case you woud like to setup selective VPN routing, click here.