
OpenVPN on pfSense

Screenshot: pfSense - DNS Server Settings

Set up DNS

If you also want to access the Internet without the VPN, configure public name servers, for instance Google's or one from the OpenNIC project. While the VPN is connected, DNS requests are sent anonymously over the VPN tunnel.

Go to the menu System > General Settings and enter at least two DNS servers of your choice. In this example we use the Google name servers 8.8.8.8 and 8.8.4.4. Deactivate the option DNS Server Override. Leave the other settings as they are.

Screenshot: System > Certificate Manager > CAs: Add CA

Set up certificates

Now go to the menu System > Certificate Manager > CAs and click [+ Add].

Screenshot: Add CA: Enter data

Open one of the *.conf files from the mobile_udp.zip archive and copy the content between the <ca></ca> tags into the field Certificate Data, as shown in the lower picture on the left.

Screenshot: System > Certificate Manager > CAs: Add/Sign

Go to the menu System > Certificate Manager > CAs and click on the button [+ Add/Sign].

Screenshot: Enter cert and key

Copy the content between the <cert></cert> tags into the field Certificate Data and the content between the <key></key> tags into the field Private Key Data.

Screenshot: VPN > OpenVPN > Clients: Click Add

Set up OpenVPN

Now go to the menu VPN > OpenVPN > Clients and click [+ Add].

Screenshot: Configuring VPN client

Configure the OpenVPN client as follows (we are using the Amsterdam server in this documentation):

  • Server Host or Address: amsterdam.perfect-privacy.com
  • Server Port: 1149
  • Description: PP_Amsterdam_Client
  • Username: Your Perfect Privacy username
  • Password: Your Perfect Privacy password (enter it twice, also in the confirmation field)

Deactivate the option Automatically generate a TLS Key and copy the text between the <tls-auth></tls-auth> tags from the *.conf file into the field TLS Key.

  • Peer Certificate Authority: PP_CA
  • Client Certificate: PP_Amsterdam_Cert

Tip: Depending on the CPU performance of your router you may want to use the weaker AES-128-CBC cipher for better speed and bandwidth. In that case choose AES-128-CBC as the Encryption Algorithm.

  • Enable NCP: Deactivate
  • Auth digest algorithm: SHA512

Screenshot: Configuring VPN client (continued)

  • Compression: Adaptive LZO Compression
  • Topology: net30 – Isolated /30 network per Client

Copy the following text block into the field Custom options:

tun-mtu 1500
fragment 1300
mssfix
#float
hand-window 120
inactive 604800
mute-replay-warnings
ns-cert-type server
persist-remote-ip
redirect-gateway def1
reneg-sec 3600
resolv-retry 60
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
key-direction 1

  • Gateway creation: Choose IPv4 only
  • Verbosity level: 4

Now click on [Save].
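The guide has you copy the <ca>, <cert>, <key> and <tls-auth> blocks out of the provider's *.conf file by hand. The following added example (not part of the original guide or of Perfect Privacy's files) extracts those blocks programmatically and runs a few consistency checks before anything is pasted into pfSense; the sample config and its placeholder bodies are constructed, and the check for key-direction assumes the "key-direction 1" line from the Custom options above.

```python
import re

INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

# Constructed sample config with placeholder bodies (not a real provider file).
SAMPLE_CONF = (
    "client\ndev tun\nremote amsterdam.perfect-privacy.com 1149 udp\nkey-direction 1\n"
    + "".join(
        f"<{t}>\n-----BEGIN {t.upper()}-----\nPLACEHOLDER\n-----END {t.upper()}-----\n</{t}>\n"
        for t in INLINE_TAGS
    )
)


def extract_inline(conf):
    """Return {tag: body} for each <tag>...</tag> inline block found in conf."""
    blocks = {}
    for tag in INLINE_TAGS:
        m = re.search(rf"^<{tag}>\n(.*?)\n</{tag}>$", conf, re.S | re.M)
        if m:
            blocks[tag] = m.group(1).strip()
    return blocks


def option(conf, name):
    """Return the arguments of the first top-level option called name, or None."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def check(conf):
    """List problems to fix before the blocks are pasted into the pfSense fields."""
    blocks = extract_inline(conf)
    problems = [f"missing <{t}> block" for t in INLINE_TAGS if t not in blocks]
    for tag, body in blocks.items():
        if not (body.startswith("-----BEGIN") and body.endswith("-----")):
            problems.append(f"<{tag}> block is not a complete PEM-style block")
    # The tls-auth key only works when both sides agree on the key direction;
    # the guide puts 'key-direction 1' into Custom options, so a conf that
    # sets a different value would contradict that (an absent line is fine).
    kd = option(conf, "key-direction")
    if "tls-auth" in blocks and kd not in (None, ["1"]):
        problems.append(f"conf sets key-direction {kd[0]}, but the Custom options use key-direction 1")
    if len(option(conf, "remote") or []) < 2:
        problems.append("no 'remote <host> <port>' line to compare with Server Host/Port")
    return problems
```

Run check() on the real *.conf before pasting; an empty list means all four blocks are present and consistent with the settings in this guide.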

Screenshot: Interfaces > Interface Assignments > Available Network Ports > ovpnc1

Go to the menu Interfaces > Interface Assignments and click [+ Add] next to Available Network Ports: ovpnc1 (PP_Amsterdam_Client).

Screenshot: Enter interface data

Click on the newly generated interface and configure it as shown on the screenshot.

Screenshot: Firewall > Rules > LAN: Activate Firewall

Navigate to the menu Firewall > Rules > LAN and disable or remove the rule for the IPv6 protocol, then click [Save].

Screenshot: Firewall rules: the rules should look like this

Now open the IPv4 rule by clicking the pen symbol (edit). Activate Advanced Options and choose VPN_PP_AMSTERDAM_VPN4 as the Gateway.

After saving, the configuration should look like the lower picture on the left.

Screenshot: Services > DNS Resolver: Set interface for DNS resolver

Open the menu Services > DNS Resolver and choose the VPN interface (VPN_PP_AMSTERDAM) under Outgoing Network Interfaces.

Note: With the default settings DNS requests are sent directly to your ISP, which is why it is important to choose the VPN interface for outgoing DNS requests to prevent DNS leaks.

Screenshot: Firewall > NAT > Outbound: Enable firewall protection

Set up Kill Switch

CAUTION: This step activates the firewall protection (leak protection or "kill switch").

If you proceed with these steps, the Internet connection will only work when a VPN tunnel has been established.

Go to the menu Firewall > NAT > Outbound, select the option Manual Outbound NAT rule generation and click Save.

Now edit the WAN rules as shown in the picture on the left. Remove the rule with the description Auto created rule for ISAKMP – LAN to WAN.

Edit the WAN rule with the description Auto created rule – LAN to WAN by clicking on the pen icon.

Screenshot: Select OpenVPN interface

In the section Edit Advanced Outbound NAT Entry change the Interface from WAN to OpenVPN.
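To confirm the kill switch actually took effect, the outbound NAT table pfSense loaded into pf can be inspected with `pfctl -sn` on the router's shell. The following added example (not part of the original guide) parses that output and flags a LAN network that is still NATed on the WAN interface, or one that has no NAT on the OpenVPN interface; the interface names em0/ovpnc1, the LAN subnet and the two sample rule sets are constructed assumptions.

```python
# Assumed interface names and LAN subnet; adjust to your pfSense box.
WAN_IF = "em0"
VPN_IF = "ovpnc1"
LAN_NET = "192.168.1.0/24"

# Constructed 'pfctl -sn' sample: outbound NAT after the kill-switch steps ...
PROTECTED = "nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535\n"
# ... and with the automatic WAN rules still present (tunnel down => plain WAN egress).
LEAKY = (
    "nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> (em0) static-port\n"
    "nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535\n"
)


def parse_nat(output):
    """Return (interface, source) pairs from 'nat on IF ... from SRC ...' lines."""
    rules = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) > 5 and parts[:2] == ["nat", "on"] and "from" in parts:
            rules.append((parts[2], parts[parts.index("from") + 1]))
    return rules


def leak_findings(output, wan=WAN_IF, vpn=VPN_IF, lan=LAN_NET):
    """Findings that mean LAN traffic can leave outside the tunnel, or cannot leave at all."""
    rules = parse_nat(output)
    findings = []
    if (wan, lan) in rules:
        findings.append(f"LAN still NATed on {wan}: traffic leaves unencrypted when the tunnel is down")
    if (vpn, lan) not in rules:
        findings.append(f"no outbound NAT for LAN on {vpn}: traffic through the tunnel will fail")
    return findings


if __name__ == "__main__":
    # On the pfSense shell: run the live table through the same check.
    import subprocess
    live = subprocess.run(["pfctl", "-sn"], capture_output=True, text=True, check=True).stdout
    print("\n".join(leak_findings(live)) or "outbound NAT looks leak-safe")
```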

Screenshot: Setup complete

The configuration is now finished. Restart pfSense once.

Screenshot: Perfect Privacy Check-IP

Check VPN connection

You can verify that the VPN connection is working properly by visiting our Check IP website on any device connected to the Internet via the pfSense router.

Screenshot: Deactivating VPN

Disable VPN

Optional: If you want to deactivate the VPN again, or temporarily want to use the Internet without VPN, follow these steps:

Go to Firewall > NAT > Outbound, select the mode Automatic outbound NAT rule generation and click Save.

Now switch back to Manual Outbound NAT rule generation and save again; this restores the original WAN rules. With the rules shown in the upper picture on the left you will be able to access the Internet without VPN.

Screenshot: NAT rules like these allow access to the Internet with and without VPN

Now go to Firewall > Rules > LAN and open the IPv4 rule. Activate Advanced Options and select Default as the gateway.

If your ISP supports IPv6, repeat the last step for the IPv6 rule. With the NAT rules as shown in the picture on the left you will be able to access the Internet with and without VPN.
