NordVPN Help Center

pfSense router setup


This is a tutorial on how to set up an OpenVPN connection to NordVPN from your pfSense router.

pfSense version 2.2.3
  • 1. Download the latest CA certificates from this link and extract the package.
  • 2. Open the pfSense WebUI and go to System -> Cert Manager.
  • 3. In the CAs tab fill in:

    Descriptive name: name it NordVPN;
    Method: choose Import an existing Certificate Authority;
    Certificate data (this is the CA certificate of the South African server; if you wish to set up another server, you need to use that server’s certificate accordingly):
    Certificate Private Key: leave blank;
    Serial for next certificate: leave blank;
    Click Save.
  • 4. Now go to VPN and select OpenVPN from the drop-down menu.
  • 5. Select the Client tab and enter the configuration as listed below:

    GENERAL INFORMATION
    Disable this client: leave unchecked.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP (you can also use TCP);
    Device mode: TUN;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: za1.nordvpn.com;
    Server port: 1194;
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy authentication extra options: Authentication method: None;
    Server host name resolution: check Infinitely resolve server;
    Description: Any name you like. In our case it was NordVPN.

    USER AUTHENTICATION SETTINGS
    User name/pass: Your NordVPN username / your NordVPN password.

    CRYPTOGRAPHIC SETTINGS
    TLS Authentication (remember, it is for South African Server):


    Peer certificate authority: NordVPN;
    Client certificate: webConfigurator default (557de1a2a90c7) *In use (please note that the numbers on your machine could be different);
    Encryption algorithm: AES-256-CBC (256-bit);
    Auth digest algorithm: SHA1 (160-bit); (On newer servers, this would be SHA-512)
    Hardware crypto: No hardware crypto acceleration.

    TUNNEL SETTINGS
    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network/s: leave blank;
    IPv6 remote network/s: leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: Enabled with adaptive compression;
    Type-of-service: leave unchecked;
    Disable IPv6: check Don’t forward IPv6 traffic;
    Don’t pull routes: check. This option effectively bars the server from adding routes to the client’s routing table; however, note that it still allows the server to set the TCP/IP properties of the client’s TUN/TAP interface;
    Don’t add/remove routes: leave unchecked.

    ADVANCED CONFIGURATIONS

    Custom Options:

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;


    Verbosity level: 3 (recommended);


    Click Save.

  • 6. Go to Interfaces and select (assign) from the drop-down list. Then click the + button. A new interface will be created. Name it Nord_ZA, for instance. Also, change the interface port to ovpncX, where X is the number of the interface you have created. Usually it will be 1. Save the changes.
  • 7. Now go to Firewall -> NAT -> Outbound. For the outbound rule mode, select Hybrid outbound NAT rule generation (Automatic outbound NAT + rules below). You will now need to copy the listed Mappings and change Interface to Nord_ZA (or whatever other name you used in the previous step).


    The last step is to configure Firewall rules. Go to Firewall -> Rules -> LAN. Create a new rule. The settings should be:
    Action: Pass;
    Disabled: leave unchecked;
    Interface: LAN;
    TCP/IP version: IPv4;
    Protocol: any;
    Source: Type: any;
    Destination: any;
    Log: leave unchecked;
    Description: name it whatever you like;
    ADVANCED FEATURES
    In the advanced features you only need to change one setting:
    Gateway: Type: Interface that we have created (in our case it is Nord_ZA).

    Click Save and then Apply the changes to the firewall settings.


    That’s it! You should now have the VPN connection set on your pfSense.


pfSense version 2.3.2
  • 1. To set up pfSense 2.3.2 with OpenVPN, open the pfSense WebUI in your browser and navigate to System -> Certificate Manager -> CAs.

     

  • 2. We will configure our pfSense to connect to the DK3 server. Press the "+ Add" button. Then fill out the fields like this:

    • Descriptive Name: NordVPN_DK3_CERT
    • Method: Import an existing Certificate Authority
    • Certificate data: (you can get this certificate by downloading our CA and TLS files from here: http://downloads.nordcdn.com/configs/archives/certificates/servers.zip)
      
    • Press "Save"

    You should see something like this:

     

  • 3. Then navigate to VPN -> OpenVPN -> Clients and press "+Add"

     

  • 4. Fill in the fields:

    Disable this client: leave unchecked.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP (you can also use TCP);
    Device mode: TUN;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: dk3.nordvpn.com;
    Server port: 1194;
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy authentication extra options: Authentication method: None;
    Server host name resolution: check Infinitely resolve server;
    Description: Any name you like. In our case it was NordVPN DK3

    USER AUTHENTICATION SETTINGS
    User name/pass: Your NordVPN username / your NordVPN password.

    CRYPTOGRAPHIC SETTINGS
    TLS Authentication: Check
    Automatically generate a shared TLS authentication key: Uncheck

    Then enter the TLS key of the DK3 server, which can be found here: https://nordvpn.com/api/static/ca_and_tls_auth_certificates.zip

    

    Peer certificate authority: NordVPN_DK3_CERT;
    Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    Encryption algorithm: AES-256-CBC (256-bit);
    Auth digest algorithm: SHA1 (160-bit); (On newer servers, this would be SHA-512)
    Hardware crypto: No hardware crypto acceleration.

    TUNNEL SETTINGS

    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network/s: leave blank;
    IPv6 remote network/s: leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: Enabled with adaptive compression;
    Type-of-service: leave unchecked;
    Disable IPv6: check Don’t forward IPv6 traffic;
    Don’t pull routes: check;
    Don’t add/remove routes: leave unchecked.

    ADVANCED CONFIGURATIONS

    Custom Options:

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;


    Verbosity level: 3 (recommended);

    Click Save.

     

  • 5. Navigate to Interfaces -> Interface Assignments and Add NordVPN DK3 interface.

     

  • 6. Press on the OPT1 to the left of your assigned interface and fill in the following information:

    Enable: check
    Description: NordVPN
    IPv4 Configuration Type: DHCP
    IPv6 Configuration Type: None
    Mac Address: leave blank
    MTU: leave blank
    MSS: leave blank

    Do not change anything else. Just scroll down to the bottom and press "Save"

     

  • 7. Navigate to Services -> DNS Resolver -> General Settings

    Enable: check
    Listen port: leave what it already is
    Network Interfaces: All
    Outgoing Network Interfaces: NordVPN
    System Domains Local Zone Type: Transparent
    DNSSEC: uncheck
    DNS Query Forwarding: check
    DHCP Registration: check
    Static DHCP: check
    Save

     

  • 8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

    Hide Identity: check
    Hide Version: check
    Prefetch Support: check
    Prefetch DNS Key Support: check
    Save

     

  • 9. Navigate to Firewall -> NAT -> Outbound and select "Manual Outbound NAT rule generation". Press "Save". Then four rules will appear. Leave the 127.0.0.0 rules untouched and edit both rules which have your Network address as a source specified. 

    9.1. Change the Interface to NordVPN;
    9.2. Click Save.

     

    At the end it should look like this:


  • 10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:

    10.1. Press on Show Advanced Options;
    10.2. Change Gateway to NordVPN;
    10.3. Click Save.

    At the end it should look like this:


  • 11. Go to System -> General Setup and fill in:
    DNS Server 1: 162.242.211.137 ; none
    DNS Server 2: 78.46.223.24 ; NordVPN_DHCP-...
    Save

     

  • 12. Now you can navigate to Status -> OpenVPN and it should state that the service is "up"

     

  • 13. You can also check the connection log file under Status -> System Logs -> OpenVPN:

     
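The client settings entered in step 5 of the 2.2.3 procedure and step 4 of the 2.3.2 procedure can be reviewed as plain OpenVPN directives. The following is an added example, not NordVPN's or pfSense's own code: the mapping from GUI fields to directives, the file paths, and the `parse`/`audit` helper names are assumptions made for illustration, and the sample configuration is constructed from the values on this page.

```python
# Added example: audit the OpenVPN client options this tutorial configures.
# SAMPLE is constructed; the GUI-to-directive mapping and paths are assumptions.
SAMPLE = """
remote dk3.nordvpn.com 1194
ca /path/to/ca.crt             # placeholder path
tls-auth /path/to/ta.key       # placeholder path
auth-user-pass /path/to/creds  # placeholder path
cipher AES-256-CBC
auth SHA1
comp-lzo adaptive
route-nopull
tls-client;remote-random;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;
persist-key;persist-tun;reneg-sec 0;remote-cert-tls server;
"""

def parse(text):
    """Map directive -> argument list; accepts newline- or ';'-separated options."""
    opts = {}
    for chunk in text.replace(";", "\n").splitlines():
        words = chunk.split("#", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def audit(opts):
    """Return (severity, directive, note) findings for the settings on this page."""
    out = []
    if opts.get("remote-cert-tls") != ["server"]:
        out.append(("FAIL", "remote-cert-tls", "server certificate usage is not checked"))
    if "ca" not in opts:
        out.append(("FAIL", "ca", "no CA to validate the server certificate against"))
    if not {"tls-auth", "tls-crypt"} & opts.keys():
        out.append(("FAIL", "tls-auth", "control channel has no static-key protection"))
    auth = " ".join(opts.get("auth", ["SHA1"])).upper()  # OpenVPN's default digest is SHA1
    if auth in ("SHA1", "MD5"):
        out.append(("WARN", "auth", auth + " digest; use SHA512 where the server supports it"))
    if not " ".join(opts.get("cipher", [])).upper().startswith("AES-256"):
        out.append(("WARN", "cipher", "data channel cipher is not AES-256"))
    if opts.get("comp-lzo", ["no"]) != ["no"]:
        out.append(("WARN", "comp-lzo", "compressing before encryption can leak plaintext"))
    if opts.get("reneg-sec") == ["0"]:
        out.append(("INFO", "reneg-sec", "time-based key renegotiation is disabled"))
    if "route-nopull" in opts:
        out.append(("INFO", "route-nopull", "only firewall gateway rules steer traffic into the tunnel"))
    return out

if __name__ == "__main__":
    for severity, directive, note in audit(parse(SAMPLE)):
        print(f"{severity:4} {directive:15} {note}")
```

The INFO finding for `route-nopull` is the reason the LAN firewall rule with the VPN gateway matters: without that rule, LAN traffic leaves through WAN even while the tunnel is up.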