Please note, if you are using pfSense 2.4.4 you will need to follow this tutorial instead.
1. To set up OpenVPN on pfSense 2.4.5, access your pfSense from your browser, then navigate to System > Certificate Manager > CAs. Select +Add.
You should see this screen:
2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/.
Fill in the fields as follows:
Descriptive Name: NordVPN_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
3. Navigate to VPN > OpenVPN > Clients and press +Add.
4. Fill in the fields as follows:
Disable this client: Uncheck
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only (you can also use TCP)
Device mode: tun – Layer 3 Tunnel Mode
Local port: Leave blank
Server host or address: the hostname of the server recommended to you (in our case, it’s de855.nordvpn.com)
Server port: 1194 (use 443 if you use TCP)
Proxy host or address: Leave blank
Proxy port: Leave blank
Proxy Authentication: none
Description: Any name you like. We will use NordVPN.
USER AUTHENTICATION SETTINGS
Username: Your NordVPN service username
Password: Your NordVPN service password in both fields.
You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
Authentication Retry: leave unchecked.
TLS Configuration: Use a TLS Key - Check; Automatically generate a TLS key - Uncheck
TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Use default direction
Peer certificate authority: NordVPN_CA
Peer Certificate Revocation list: Do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Encryption Algorithm: AES-256-GCM
Enable NCP: Check
NCP Algorithms: AES-256-GCM and AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
IPv4 tunnel network: Leave blank
IPv6 tunnel network: Leave blank
IPv4 remote network(s): Leave blank
IPv6 remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Compression: No LZO Compression [Legacy style, comp-lzo no]
Topology: Subnet – One IP address per client in a common subnet
Don’t pull routes: Uncheck
Don’t add/remove routes: Check
UDP FAST I/O: Uncheck
Exit Notify: Disabled
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
5. Navigate to Interfaces > Interface Assignments and Add the NordVPN interface.
6. Click OPT1 to the left of your assigned interface and fill in the following information:
MAC Address: Leave blank
MTU: Leave blank
MSS: Leave blank
Do not change anything else. Just scroll down to the bottom and press Save.
7. Navigate to Services > DNS Resolver > General Settings and fill in the following:
Listen port: Leave as is
Enable SSL/TLS Service: Uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
SSL/TLS Listen Port: Leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
Python Module: Uncheck
DNS Query Forwarding: Enable forwarding mode - Check; Use SSL/TLS for outgoing DNS Queries to Forwarding Servers - Uncheck
DHCP Registration: Check
Static DHCP: Check
OpenVPN Clients: Uncheck
8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:
ADVANCED PRIVACY OPTIONS:
Hide Identity: Check
Hide Version: Check
Query Name Minimization: Uncheck
Strict Query Name Minimization: Uncheck
ADVANCED RESOLVER OPTIONS:
Prefetch Support: Check
Prefetch DNS Key Support: Check
Harden DNSSEC Data: Uncheck
Do not change anything else. Just scroll down to the bottom and press Save.
9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Six rules will appear. Delete all IPv6 rules and add a new one.
9.1. Interface: NordVPN.
9.2. Source: your LAN subnet, for example 192.168.2.0/24.
9.3. Click Save. At the end, it should look like this:
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Click Show Advanced Options.
10.2. Change Gateway to NordVPN.
10.3. Click Save.
Now it should look like this:
11. Go to System > General Setup and fill in the fields as follows:
DNS Server 1: 188.8.131.52; none
DNS Server 2: 184.108.40.206; NordVPN_VPNV4 - opt1 - ...
Leave everything else as it is. Click Save.
12. Now navigate to Status > OpenVPN. The status should state that the service is “up”.
13. You can also check the connection log file under Status > System Logs > OpenVPN:
That’s it! The pfSense VPN setup is complete, and you should now have a VPN connection.
If the IP does not change after setting up the VPN, try restarting the pfSense router and check the IP then.
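For the log check in step 13, the following added example (not part of the original tutorial or of NordVPN's tooling) scans OpenVPN client log text for the messages that indicate a completed tunnel, a rejected login or a failed TLS handshake, and flags a fallback from the AES-256-GCM cipher selected in step 4. The sample log lines are constructed, and the function name and status labels are assumptions of this example.

```python
import re

# Constructed sample lines in the style of an OpenVPN 2.4 client log
# (not captured from a real session; addresses and names are placeholders).
SAMPLE_OK = """\
Jan 10 12:00:01 openvpn[4321]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.0.2.10:1194
Jan 10 12:00:02 openvpn[4321]: VERIFY OK: depth=0, CN=example-server
Jan 10 12:00:03 openvpn[4321]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 10 12:00:03 openvpn[4321]: Initialization Sequence Completed
"""
SAMPLE_FALLBACK = SAMPLE_OK.replace("AES-256-GCM", "AES-256-CBC")
SAMPLE_AUTH_FAIL = """\
Jan 10 12:05:01 openvpn[4321]: AUTH: Received control message: AUTH_FAILED
Jan 10 12:05:01 openvpn[4321]: SIGTERM[soft,auth-failure] received, process exiting
"""

PREFERRED_CIPHER = "AES-256-GCM"  # "Encryption Algorithm" from step 4
CIPHER_RE = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")


def check_openvpn_log(text):
    """Return (status, findings) for the latest connection attempt in the log."""
    up, cipher, findings = False, None, []
    for line in text.splitlines():
        match = CIPHER_RE.search(line)
        if match:
            cipher = match.group(1)
        elif "Initialization Sequence Completed" in line:
            up, findings = True, []  # tunnel is up; earlier failures are stale
        elif "AUTH_FAILED" in line:
            up = False
            findings.append("authentication rejected: check the service credentials")
        elif "TLS key negotiation failed" in line:
            up = False
            findings.append("TLS handshake failed: check TLS key, CA and server port")
        elif "process exiting" in line or "process restarting" in line:
            up, cipher = False, None  # session ended; wait for a new one
    if up and cipher not in (None, PREFERRED_CIPHER):
        findings.append(f"negotiated {cipher} instead of {PREFERRED_CIPHER} (NCP fallback)")
    if not up:
        return "down", findings
    return ("degraded" if findings else "up"), findings


if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_FALLBACK", "SAMPLE_AUTH_FAIL"):
        print(name, check_openvpn_log(globals()[name]))
```

A "degraded" result means the tunnel is up but the server negotiated the AES-256-CBC entry from the NCP list rather than the preferred cipher.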