Deactivate the option Automatically generate a TLS Key and copy the text between the <tls-auth></tls-auth> tags from the *.conf file into the field TLS Key.
Tip: Depending on the CPU performance on your router you may want to use the weaker encryption AES-128-CBC to get better speed and bandwidth. In this case choose AES-128-CBC for Encryption Algorithm.
Copy the following text block into the field Custom options:
hand-window 120
mute-replay-warnings
persist-remote-ip
reneg-sec 3600
resolv-retry 60
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
tun-mtu 1500
fragment 1300
mssfix
remote-cert-tls server
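The custom options are easy to mangle when they are copied from a web page (a dropped hyphen inside a tls-cipher suite name is enough to stop OpenVPN from negotiating that suite, and a missing remote-cert-tls server lets any certificate signed by the provider's CA pose as the server). The following script is an added example, not part of the tutorial or of pfSense/OpenVPN; it parses a pfSense custom-options block and applies a few sanity checks. The suite-name pattern and the lists of recognised cipher families and MAC suffixes are assumptions chosen for this check, not OpenVPN's own validation.

```python
import re

# Constructed copy of the tutorial's custom-options block, one directive per line
# (pfSense also accepts ';' as a separator). Used here only as sample input.
CUSTOM_OPTIONS = """\
hand-window 120
mute-replay-warnings
persist-remote-ip
reneg-sec 3600
resolv-retry 60
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
tun-mtu 1500
fragment 1300
mssfix
remote-cert-tls server
"""

# Assumed shape of an OpenVPN TLS suite name: TLS-<key exchange>-WITH-<cipher>-<mac>.
SUITE_RE = re.compile(r"^TLS-[A-Z0-9]+(-[A-Z0-9]+)*-WITH-[A-Z0-9]+(-[A-Z0-9]+)*$")
# Assumed allow-lists for this checker (not OpenVPN's full table).
KNOWN_CIPHERS = ("AES-128-", "AES-256-", "CAMELLIA-128-", "CAMELLIA-256-", "CHACHA20-POLY1305")
KNOWN_MACS = {"SHA", "SHA256", "SHA384"}


def parse_options(text):
    """Split a custom-options block into (directive, [args]) pairs."""
    items = []
    for raw in re.split(r"[;\n]", text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        items.append((parts[0], parts[1:]))
    return items


def check_suite(name):
    """Return a description of what is wrong with one tls-cipher entry, or None."""
    if not SUITE_RE.match(name):
        return f"{name}: not of the form TLS-<kx>-WITH-<cipher>-<mac>"
    cipher = name.split("-WITH-", 1)[1]
    if not cipher.startswith(KNOWN_CIPHERS):
        return f"{name}: unrecognised cipher part {cipher!r}"
    if cipher.rsplit("-", 1)[-1] not in KNOWN_MACS:
        return f"{name}: unrecognised MAC suffix"
    return None


def check_options(text):
    """Return a list of findings; an empty list means the block passed every check."""
    opts = dict(parse_options(text))  # in this checker the last occurrence of a directive wins
    findings = []
    # Without this, the client accepts any certificate issued by the CA as the server.
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server is missing: server identity is not pinned to a server certificate")
    if "tls-cipher" in opts:
        for suite in opts["tls-cipher"][0].split(":"):
            problem = check_suite(suite)
            if problem:
                findings.append(problem)
    # A fragment size at or above the tunnel MTU makes no sense and causes oversized packets.
    if "tun-mtu" in opts and "fragment" in opts:
        if int(opts["fragment"][0]) >= int(opts["tun-mtu"][0]):
            findings.append("fragment must be smaller than tun-mtu")
    return findings


if __name__ == "__main__":
    for finding in check_options(CUSTOM_OPTIONS) or ["no findings"]:
        print(finding)
```

Run it against the block before pasting it into pfSense; a dropped hyphen such as TLS-DHE-RSAWITH-AES-256-CBC-SHA256 or CAMELLIA256 shows up as a finding, as does a deleted remote-cert-tls line.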
Now click on the Save button.
This step is only required for an IPv6 connection. Skip it if you don't want to use IPv6.
Navigate to the menu Firewall → Rules → WAN and create an ICMP rule for the IPv6 protocol with the following options:
Click on the Save button.
If you want to access the Internet without VPN as well you should configure public name servers, for instance those from Cloudflare, Google or any from the OpenNIC-Project. If the VPN is connected, DNS requests will be sent anonymously over the VPN tunnel.
Go to the menu System → General Settings and enter at least two DNS servers of your choice. In this example we are using the DNS servers 126.96.36.199 and 188.8.131.52.
To configure DNS servers for IPv6 too, click on the button + Add DNS Server and enter for example 2606:4700:4700::1111 and 2606:4700:4700::1001 as DNS servers.
Deactivate the option DNS Server Override. Leave the other settings as they are.
Use the menu to go to Services → DNS Resolver and at Outgoing Network Interfaces select
Configure the following option:
Note: With the default settings DNS queries are sent directly to the Internet service provider's resolvers, so it is important to select a VPN interface as the outgoing network interface for DNS queries to prevent DNS leaks.
CAUTION: This step will activate the firewall protection (leak protection or "kill switch").
If you proceed with these steps, the Internet connection will only work when a VPN tunnel has been established.
Navigate to Firewall → Rules → LAN and deactivate the rule for IPv6 (if the use of IPv6 is not desired) and click on the Save button.
Then open the IPv4 rule by clicking on the pen symbol (Edit). Activate Advanced options at the bottom. At Tag enter:
(If needed repeat this step for the IPv6 rule. Otherwise deactivate the IPv6 rule.)
With this tag set, the traffic matching the rule is routed via the selected gateways only.
Now a floating rule is required to ensure all traffic is blocked in case the OpenVPN connection is offline.
Change to Firewall → Rules → Floating and create a new block-rule at the bottom with the following settings:
Go to the menu Firewall → NAT → Outbound and select the option Manual Outbound NAT rule generation and click on Save.
pfSense then generates a set of outbound NAT rules, as shown in the image on the left. Remove all of them except for three NAT rules:
Edit the LAN to WAN rule (192.168.1.0/24) by clicking on the pen icon.
You can verify that the VPN connection is working properly by visiting our Check IP website on any device connected to the Internet via the pfSense router.