Disclaimer: With the 2.5.0 update, pfSense routers now have built-in WireGuard VPN client. Currently, it is impossible to setup the NordLynx protocol on pfSense routers using the WireGuard client, as the NordLynx protocol is only available with the NordVPN application on desktop and mobile devices at this time. More information regarding the availability of NordLynx can be found here.
1. To set up OpenVPN on pfSense 2.5.0, access your pfSense from your browser, then navigate to System > Certificate Manager > CAs. Select +Add.
You should see this screen:
2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/. This tool automatically picks a server for you, based on its proximity as well as current workload.
Fill in the fields as follows:
Descriptive Name: NordVPN_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
Trust Store: Uncheck
Randomize Serial: Uncheck
Do not edit anything else. Press Save.
3. Navigate to VPN > OpenVPN > Clients and press +Add.
4. Fill in the fields as follows:
Disable this client: Uncheck
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only (you can also use TCP)
Device mode: tun – Layer 3 Tunnel Mode
Local port: Leave blank
Server host or address: the hostname of the server recommended to you (in our case, it’s de855.nordvpn.com);
Server port: 1194 (use 443 if you use TCP)
Proxy host or address: Leave blank
Proxy port: Leave blank
Proxy Authentication: none
Description: Any name you like. We will use NordVPN.
USER AUTHENTICATION SETTINGS
Username: Your NordVPN service username.
Password: Your NordVPN service password.
You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
Authentication Retry: leave unchecked.
TLS Configuration: Use a TLS Key - Check; Automatically generate a TLS key - Uncheck
TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Use default direction
Peer certificate authority: NordVPN_CA
Peer Certificate Revocation list: Do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Data Encryption Negotiation: Check
Data Encryption Algorithms: AES-256-GCM and AES-256-CBC
Fallback Data Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
IPv4 tunnel network: Leave blank
IPv6 tunnel network: Leave blank
IPv4 remote network(s): Leave blank
IPv6 remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Allow Compression: Refuse any non-stub compression (Most Secure)
Topology: Subnet – One IP address per client in a common subnet
Don’t pull routes: Uncheck
Don’t add/remove routes: Check
UDP FAST I/O: Uncheck
Exit Notify: Disabled
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
5. Navigate to Interfaces > Interface Assignments and Add the NordVPN interface.
6. Press on the OPT1 to the left of your assigned interface and fill in the following information:
Mac Address: Leave blank
MTU: Leave blank
MSS: Leave blank
Do not change anything else. Just scroll down to the bottom and press Save.
7. Navigate to Services -> DNS Resolver -> General Settings
Listen port: Leave as is
Enable SSL/TLS Service: Uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different);
SSL/TLS Listen Port: Leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
Python Module: Uncheck
DNS Query Forwarding: Enable forwarding mode - Check; Use SSL/TLS for outgoing DNS Queries to Forwarding Servers - Uncheck
DHCP Registration: Check
Static DHCP: Check
OpenVPN Clients: Uncheck
8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:
ADVANCED PRIVACY OPTIONS:
Hide Identity: Check
Hide Version: Check
Query Name Minimization: Uncheck
Strict Query Name Minimization: Uncheck
ADVANCED RESOLVER OPTIONS:
Prefetch Support: Check
Prefetch DNS Key Support: Check
Harden DNSSEC Data: Uncheck
Do not change anything else. Just scroll down to the bottom and press Save
9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Six rules will appear. Delete all IPv6 rules and add a new one.
9.1. Interface: NordVPN.
9.2. Address Family: IPv4
9.3. Source: your LAN subnet, for example 192.168.2.0/24.
9.4. Click Save. At the end, it should look like this:
Please note that the newly created NAT rule must be on top.
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Display Advanced
10.2. Change Gateway to NordVPN
10.3. Click Save.
Now it should look like this:
11. Go to System > General Setup and fill in the fields as follows:
DNS Server 1: 22.214.171.124; none
DNS Server 2: 126.96.36.199; NordVPN_VPNV4 - opt1 - ...
Leave everything else as it is. Click Save.
12. Now navigate to Status > OpenVPN. The status and it should state that the service is “up”.
13. You can also check the connection log file under Status > System Logs > OpenVPN:
That’s it! pfsense VPN setup is complete, and you should now have a VPN connection.
If the IP does not change after setting up the VPN, try restarting the pfSense router and check the IP then.