How can we help you?

Topics

pfSense 2.5 Setup with NordVPN

Disclaimer: With the 2.5.0 update, pfSense routers now have built-in WireGuard VPN client. Currently, it is impossible to setup the NordLynx protocol on pfSense routers using the WireGuard client, as the NordLynx protocol is only available with the NordVPN application on desktop and mobile devices at this time. More information regarding the availability of NordLynx can be found here.

 

1. To set up OpenVPN on pfSense 2.5.0, access your pfSense from your browser, then navigate to System > Certificate Manager > CAs. Select +Add.

You should see this screen:

Screenshot_2021-02-19_pfSense_localdomain_-_System_Certificate_Manager_CAs_Edit.png

2. For this tutorial, we will configure our pfSense to connect to a server in the Netherlands, but you should connect to a suggested server.

Follow the steps below to find the best server for your connection:

  1. Log into your Nord Account, and click NordVPN.


     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.


     
  3. Select the Server recommendation tab. According to your location, the best server will be recommended.


     
  4. By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.




     

 

Fill in the fields as follows:

Descriptive Name: NordVPN_CA (we are using this name for the sake of this manual — you can use any name you like)
Method: Import an existing Certificate Authority
Trust Store: Uncheck
Randomize Serial: Uncheck
Certificate data:

-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----

Do not edit anything else. Press Save.

3. Navigate to VPN > OpenVPN > Clients and press +Add.

4. Fill in the fields as follows:

Disable this client: Uncheck
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only (you can also use TCP)
Device mode: tun – Layer 3 Tunnel Mode
Interface: WAN
Local port: Leave blank
Server host or address: the hostname of the server recommended to you (in our case, it’s de855.nordvpn.com);
Server port: 1194 (use 443 if you use TCP)
Proxy host or address: Leave blank
Proxy port: Leave blank
Proxy Authentication: none
Description: Any name you like. We will use NordVPN.

image__3_.png

USER AUTHENTICATION SETTINGS

Username: Your NordVPN service username.
Password: Your NordVPN service password.

You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard.

Follow the steps below to find the service credentials for manual connection setup:

  1. Log into your Nord Account, and click NordVPN.


     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.


     
  3. Select the Service credentials tab, where you'll find the Username and Password needed to connect manually.

 

Authentication Retry: leave unchecked.

image__1_.png

CRYPTOGRAPHIC SETTINGS

TLS Configuration: Use a TLS Key - Check; Automatically generate a TLS key - Uncheck
TLS Key:

-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----


TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Use default direction
Peer certificate authority: NordVPN_CA
Peer Certificate Revocation list: Do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different)
Data Encryption Negotiation: Check
Data Encryption Algorithms: AES-256-GCM and AES-256-CBC
Fallback Data Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration

Screenshot_2021-02-19_pfSense_localdomain_-_VPN_OpenVPN_Clients_Edit_3_.png

TUNNEL SETTINGS

IPv4 tunnel network: Leave blank
IPv6 tunnel network: Leave blank
IPv4 remote network(s): Leave blank
IPv6 remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Allow Compression: Refuse any non-stub compression (Most Secure)
Topology: Subnet – One IP address per client in a common subnet
Type-of-Service: Uncheck
Don’t pull routes: Uncheck
Don’t add/remove routes: Check

Screenshot_2021-02-19_pfSense_localdomain_-_VPN_OpenVPN_Clients_Edit.png

ADVANCED CONFIGURATION

Custom Options

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;


UDP FAST I/O: Uncheck
Exit Notify: Disabled
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)

image__5_.png


5. Navigate to Interfaces > Interface Assignments and Add the NordVPN interface.

Screenshot_2021-02-09_pfSense_localdomain_-_Interfaces_Interface_Assignments.png

6. Press on the OPT1 to the left of your assigned interface and fill in the following information:

Enable: Check
Description: NordVPN
Mac Address: Leave blank
MTU: Leave blank
MSS: Leave blank

Do not change anything else. Just scroll down to the bottom and press Save.

image__7_.png
 

7. Navigate to Services -> DNS Resolver -> General Settings

Enable: Check
Listen port: Leave as is
Enable SSL/TLS Service: Uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (note that the numbers on your machine could be different);
SSL/TLS Listen Port: Leave as is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: Uncheck
Python Module: Uncheck
DNS Query Forwarding: Enable forwarding mode - Check; Use SSL/TLS for outgoing DNS Queries to Forwarding Servers - Uncheck
DHCP Registration: Check
Static DHCP: Check
OpenVPN Clients: Uncheck

Click Save.

image__8_.png

8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:

ADVANCED PRIVACY OPTIONS:

Hide Identity: Check
Hide Version: Check
Query Name Minimization: Uncheck
Strict Query Name Minimization: Uncheck

ADVANCED RESOLVER OPTIONS:

Prefetch Support: Check
Prefetch DNS Key Support: Check
Harden DNSSEC Data: Uncheck

Do not change anything else. Just scroll down to the bottom and press Save

image__9_.png

9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation. Press Save. Six rules will appear. Delete all IPv6 rules and add a new one.

9.1. Interface: NordVPN.
9.2. Address Family: IPv4
9.3. Source: your LAN subnet, for example 192.168.2.0/24.
9.4. Click Save. At the end, it should look like this:

image__11_.png
image__10_.png

Please note that the newly created NAT rule must be on top.

10. Navigate to Firewall Rules LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Display Advanced
10.2. Change Gateway to NordVPN
10.3. Click Save.

Now it should look like this:

image__12_.png
 

11. Go to System General Setup and fill in the fields as follows:

DNS Server 1: 103.86.96.100; none
DNS Server 2: 103.86.99.100; NordVPN_VPNV4 - opt1 - ...

Leave everything else as it is. Click Save.

image__12_.png
 

12. Now navigate to Status > OpenVPN. The status and it should state that the service is “up”.

image__11_.png
 

13. You can also check the connection log file under Status > System Logs > OpenVPN:

image__13_.png

That’s it! pfsense VPN setup is complete, and you should now have a VPN connection.

If the IP does not change after setting up the VPN, try restarting the pfSense router and check the IP then.

Was this article helpful?
Thanks!