
pfSense 2.4.5 (OpenVPN Setup)


This tutorial will walk you through configuring a router using pfSense firmware version 2.4.5.

Before starting, decide what type of encryption you want to use and what protocol you want to connect with. Stronger encryption makes the traffic more secure, but trades some performance for that additional security. This guide uses strong AES-256-GCM encryption with the UDP protocol. The table below lists the available options and their dependencies. If you want to configure a different level of encryption, alter your input to match these specifics.

Dependencies Table

| Auth | Cipher | Cert | UDP Port | TCP Port |
|---|---|---|---|---|
| SHA1 | BF-CBC | ca.crt | 53, 8080, 9201 | 80, 110, 443 |
| SHA1 | AES-128-CBC/GCM | ca.rsa.2048.crt | 1198 | 502 |
| SHA256 | AES-256-CBC/GCM | ca.rsa.4096.crt | 1197 | 501 |

Step 1. System — General Setup : this interface will allow customized DNS settings, as well as setting the system time for your device. To access these settings, select System from the options on the top menu and select General Setup from that dropdown (highlighted in red in the image below) to access the general router settings where you can specify what DNS to use.

1. Input the DNS Server

2. Click on Add DNS Server.

3. Input the second DNS Server

4. Scroll down to the Timezone setting and specify your real, local timezone.

5. Scroll to the bottom of the page and click Save.

Step 2. System - Certificate Manager : this interface will allow you to add the security certificate required for the VPN connection. Click on the System button on the top bar, then click on Cert. Manager from the dropdown (highlighted in red in the image below).

1. Click the Add+ button to create a new certificate entry.

2. Set the Descriptive name to something that will be easy to identify; we have used PIA.4096.

3. From the Method dropdown, select Import an existing Certificate Authority

4. You will need to download the security certificate specific to the encryption you are using; links for each of the three certificates can be found in the dependencies table at the beginning of the guide. Open the certificate in a text editor and copy the contents into the Certificate data field. (Note: the contents must include the begin and end certificate lines as well, so be sure to copy the whole thing.)

5. Click Save.

Step 3. VPN - OpenVPN - Clients : this interface will allow you to input all configuration details required for the OpenVPN connection. Navigate to VPN in the top navigation bar, click on OpenVPN and, in the interface that appears, select Clients from the options shown (these are all highlighted in red in the image below).

1. Click Add+ to create a new VPN Client configuration.

2. Set the Protocol you want to use for your connection: select either UDP on IPv4 only or TCP on IPv4 only. The decision will be based upon the settings you want to use from the Dependencies Table at the beginning of this guide. (Note: there are many settings available here; only the ones that need to be changed from default values are mentioned. If you are experiencing issues, be sure the unmentioned settings match the screenshot provided in this guide.)

3. Server host or address is where you will input the PIA server that you would like to connect to, this guide has used a full list of server locations is available on the Network page of the website.

4. For the Server port setting you will select the option specific to your preferences from the dependencies table at the top of the guide.

5. The Description allows you to specify an identifying name for this VPN configuration.

6. In the Username field, input your PIA username — that is always in the format of p1234567 and cannot be replaced with any other information.

7. The Password field requires the password for your PIA account, which is assigned to you but which you can customize in the client control panel. The interface requires you to input this password twice to guard against entry errors.

8. The checkbox for Use a TLS key will be checked by default; uncheck this.

9. From the dropdown for Peer Certificate Authority select the Descriptive name for the security certificate you created in Step 2.

10. For Encryption Algorithm select the option appropriate to your configuration based upon the settings you want to use from the Dependencies Table at the beginning of this guide. In general, we suggest using GCM over CBC.

11. For Auth digest algorithm select the option appropriate to your configuration, shown in the Dependencies Table.

12. Set the Compression dropdown to Adaptive LZO Compression.

13. The Custom options section will require multiple specific lines of text; copy and paste the following into this field:

remote-cert-tls server
reneg-sec 0
auth-retry interact

14. For the Gateway Creation setting, select the radio button for IPv4 only.

15. Click Save.
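
The cipher, auth digest, CA certificate and port chosen in this step have to come from the same row of the Dependencies Table, and that can be checked mechanically. The following is an added example, not part of the original guide or any PIA tooling; it assumes the chosen settings are written out as OpenVPN-style directives, and the function names, sample configurations and placeholder hostname are constructed for illustration.

```python
# Rows of the guide's Dependencies Table: auth, ciphers, CA file, UDP ports, TCP ports.
TABLE = [
    ("SHA1",   {"BF-CBC"},                     "ca.crt",          {53, 8080, 9201}, {80, 110, 443}),
    ("SHA1",   {"AES-128-CBC", "AES-128-GCM"}, "ca.rsa.2048.crt", {1198},           {502}),
    ("SHA256", {"AES-256-CBC", "AES-256-GCM"}, "ca.rsa.4096.crt", {1197},           {501}),
]

def parse(text):
    """Return {directive: [args]} for OpenVPN-style config text; last occurrence wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            cfg[key] = args
    return cfg

def check(text):
    """List mismatches between the config and the table row selected by its cipher."""
    cfg = parse(text)
    problems = []
    cipher = (cfg.get("cipher") or [""])[0].upper()
    row = next((r for r in TABLE if cipher in r[1]), None)
    if row is None:
        return [f"cipher {cipher or '<missing>'} is not in the table"]
    auth, _, ca_file, udp_ports, tcp_ports = row
    if (cfg.get("auth") or [""])[0].upper() != auth:
        problems.append(f"auth must be {auth} for {cipher}")
    # Assumption: the CA is referenced by the file name used in the table.
    if (cfg.get("ca") or [""])[0].rsplit("/", 1)[-1] != ca_file:
        problems.append(f"CA must be {ca_file} for {cipher}")
    proto = (cfg.get("proto") or ["udp"])[0].lower()
    allowed = tcp_ports if proto.startswith("tcp") else udp_ports
    remote = cfg.get("remote") or []
    port = int(remote[1]) if len(remote) > 1 and remote[1].isdigit() else None
    if port not in allowed:
        problems.append(f"port {port} not valid for {proto}; expected one of {sorted(allowed)}")
    # The guide's custom options include this line; it makes the client check the peer is a server cert.
    if cfg.get("remote-cert-tls") != ["server"]:
        problems.append("remote-cert-tls server is missing")
    return problems

# Constructed sample: the guide's choice (AES-256-GCM over UDP); the hostname is a placeholder.
GOOD = ("proto udp\nremote vpn.example.invalid 1197\ncipher AES-256-GCM\n"
        "auth SHA256\nca ca.rsa.4096.crt\nremote-cert-tls server\nreneg-sec 0\n")
# Constructed sample: AES-256 cipher paired with the AES-128 row's port and CA.
BAD = GOOD.replace("1197", "1198").replace("4096", "2048")

if __name__ == "__main__":
    print(check(GOOD), check(BAD))
```

An empty list means every setting comes from one table row; each string in a non-empty list names the field to correct in the pfSense client form.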

Step 4. Firewall — NAT — Outbound : this interface will allow you to manually create the outbound NAT rules to utilize the OpenVPN configuration you have created. Click on Firewall from the top navigation bar, select NAT from the options that appear, and on the page that loads, select Outbound from the options at the top; all those items are highlighted in red in the image below.

1. Click the radio button for Manual Outbound Rule Generation.

2. Click Save.

3. Click Apply Changes so the system uses the new rules you are creating.

4. You will need to duplicate each of the interfaces that are present by default. The first step is clicking on the Add a new mapping based on this one button in the Actions column.

5. Change the Interface this new connection is using to OpenVPN.

6. Click Save.

7. Repeat the previous three actions (4.4, 4.5, and 4.6) for each of the six connections. Once all interfaces have been duplicated and set to use OpenVPN, click Save.

You have successfully completed the OpenVPN setup for pfSense. You can confirm the status of your connection in the Status - OpenVPN interface.

Authors list

First published: 22/04/2020

Last updated: Apr 23, 2020 by Joseph Calhoon