Note: Due to a bug in the underlying FreeBSD kernel, IPv6 currently does not work reliably with pfSense (as of May 2018). Therefore this documentation covers only IPv4 configuration, not IPv6. See the corresponding forum thread for details.
Go to the download page in the member area of our website and click on the router icon on the top right.
Choose your configuration, we recommend:
- Type: Servers Grouped
- Protocol: UDP
- Encryption: AES-256-CBC
Then click on Download and save the file mobile_udp.zip on your computer.
If you also want to access the Internet without the VPN, you should configure public nameservers, for instance those from Google or any from the OpenNIC project. While the VPN is connected, DNS requests are sent anonymously over the VPN tunnel.
Go to the menu System → General Settings and enter at least two DNS servers of your choice. In this example we are using the Google nameservers 22.214.171.124 and 126.96.36.199.
Deactivate the option DNS Server Override.
Leave the other settings as they are.
Now go to the menu System → Certificate Manager → CAs → [+ Add].
Open one of the *.ovpn files from the mobile_udp.zip archive and copy the content between the <ca></ca> tags into the field Certificate Data, as shown in the lower picture on the left.
Go to the menu System → Certificate Manager → CAs and click on the button [+ add/sign].
Copy the content between the <cert></cert> tags into the field Certificate Data and the content between the <key></key> tags into the field Private Key Data.
Now go to the menu VPN → OpenVPN → Clients → [+ Add].
Configure the OpenVPN client as follows (we are using the Amsterdam server in this documentation):
Server Host or Address: amsterdam.perfect-privacy.com
Server Port: 1149
Username: Your Perfect Privacy username
Password: Your Perfect Privacy password (enter it twice, also in the confirm field)
Deactivate the option Automatically generate a TLS Key and copy the text between the <tls-auth></tls-auth> tags from the *.ovpn file into the field TLS Key.
Peer Certificate Authority: PP_CA
Client Certificate: PP_Amsterdam_Cert
Tip: Depending on the CPU performance of your router you may want to use the weaker encryption AES-128-CBC to get better speed and bandwidth. In this case choose AES-128-CBC for Encryption Algorithm.
Enable NCP: Deactivate
Auth digest algorithm: SHA512
Compression: Adaptive LZO Compression
Topology: net30 – Isolated /30 network per Client
Copy the following text block into the field Custom options:
tun-mtu 1500
fragment 1300
mssfix
#float
hand-window 120
inactive 604800
mute-replay-warnings
ns-cert-type server
persist-remote-ip
redirect-gateway def1
reneg-sec 3600
resolv-retry 60
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
key-direction 1
Gateway creation: Choose IPv4 only
Verbosity level: 4
Now click on Save.
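As an added example that is not part of this guide, the Python script below pulls the four inline blocks that the Certificate Manager and TLS Key steps above have you copy by hand out of an .ovpn file, checks that each one is a complete PEM block (a partial paste is a common cause of a failing TLS handshake), and maps them to the pfSense field names used in the steps. The .ovpn content is a constructed sample with placeholder certificate bodies, and the field-name mapping is this example's own naming, not a pfSense API.

```python
import re
# Constructed sample .ovpn with placeholder PEM bodies; not a real Perfect Privacy file.
SAMPLE_OVPN = """key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA_PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT_PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY_PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA_PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Inline blocks the guide copies by hand, mapped to the pfSense form field each one goes into.
FIELD_FOR_TAG = {"ca": "CA Certificate Data", "cert": "Client Certificate Data",
                 "key": "Client Private Key Data", "tls-auth": "TLS Key"}

def extract_inline_blocks(ovpn_text):
    """Return {tag: block_text} for every inline <tag>...</tag> block present in the file."""
    blocks = {}
    for tag in FIELD_FOR_TAG:
        m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", ovpn_text, re.S)
        if m:
            lines = m.group(1).splitlines()
            # Insist on full PEM framing so a truncated paste is caught before it reaches pfSense.
            if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
                raise ValueError(f"<{tag}> block is not a complete PEM block")
            blocks[tag] = "\n".join(lines)
    return blocks

def missing_blocks(ovpn_text):
    return [t for t in FIELD_FOR_TAG if t not in extract_inline_blocks(ovpn_text)]

def pfsense_fields(ovpn_text):
    """Map blocks onto pfSense field names and read key-direction, which the Custom options repeat."""
    fields = {FIELD_FOR_TAG[t]: v for t, v in extract_inline_blocks(ovpn_text).items()}
    m = re.search(r"^key-direction\s+([01])\s*$", ovpn_text, re.M)
    fields["key-direction"] = int(m.group(1)) if m else None
    return fields
```

Run `pfsense_fields(open("your.ovpn").read())` against a downloaded profile and paste each value into the field it is keyed by; a ValueError or a non-empty `missing_blocks()` result means the file is not the inline format this guide expects.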
Go to the menu Interfaces → Interface Assignments and choose Add next to Available Network Ports → ovpnc1 (PP_Amsterdam_Client).
Click on the newly generated interface and configure it as shown on the lower screenshot on the left.
Navigate to the menu Firewall → Rules → LAN and disable or remove the rule for the IPv6 protocol, then click on Save.
Now open the IPv4 rule with a click on the pen symbol (edit).
Activate Advanced Options and choose VPN_PP_AMSTERDAM_VPN4 for the Gateway.
After saving, the configuration should look like the lower picture on the left.
Open the menu Services → DNS Resolver and choose the VPN Interface (VPN_PP_AMSTERDAM) in Outgoing Network Interfaces.
Note: With the default settings, DNS requests are sent directly to your ISP, which is why it is important to choose a VPN interface for outgoing DNS requests to prevent DNS leaks.
Caution: This step activates the firewall protection (leak protection or "kill switch"). If you proceed with these steps, the Internet connection will only work while a VPN tunnel is established.
Go to the menu Firewall → NAT → Outbound and select the option Manual Outbound NAT rule generation and click on Save.
Now edit the WAN rules as shown in the picture on the left.
Remove the rule with the description Auto created rule for ISAKMP – LAN to WAN.
Edit the WAN rule with the description Auto created rule – LAN to WAN by clicking on the pen icon.
Optional: If you want to deactivate VPN again or temporarily want to use the Internet without VPN, follow these steps:
Go to Firewall → NAT → Outbound, select the mode Automatic outbound NAT rule generation and save. Now switch back to Manual Outbound NAT rule generation and save again – this restores the original WAN rules. With the rules shown in the upper picture on the left you will be able to access the Internet without VPN.
Now go to Firewall → Rules → LAN and open the IPv6 rule.
Activate Advanced Options and select Default as gateway.
If your ISP supports IPv6 then repeat the last step for the IPv6 rule.
With the NAT rules as shown in the left picture you will be able to access the Internet both with and without VPN.