
pfSense 2.4.5 (OpenVPN Setup)


This tutorial will walk you through configuring a router using pfSense firmware version 2.4.5.

Before starting, be sure you have downloaded the connection location you would like to use for your connection. For this guide specifically, we have used California and the associated certificate from the collection labeled Default. Be sure to decompress the file so you can access the contents.



Static IP


Strong TCP

Also, decide which DNS servers fit your needs. There are four options:

* — this can provide access to all three of the following

* — DNS only

* — forwards streaming domains to the parent proxy for potential access to some streaming services

* — MACE

Step 1. System - Certificate Manager : this interface will allow you to add the security certificate required for the VPN connection. Click on the System button on the top bar, then click on Cert. Manager from the dropdown (highlighted in red in the image below).

1. Click the Add+ button to create a new certificate entry.

2. Set the Descriptive name to something that will be easy to identify; we have used PIA.2048.

3. From the Method dropdown, select Import an existing Certificate Authority

4. You will need to copy the contents of the security certificate specific to the encryption settings you are using, which is provided in the file you downloaded before starting. Open the certificate in a text editor and copy the contents into the Certificate data field. (Note : The contents of this must include the begin and end certificate lines as well, be sure to copy the whole thing.)

5. Click Save.

Step 2. VPN - OpenVPN - Clients : this interface will allow you to input all configuration details required for the OpenVPN connection. Navigate to VPN in the top navigation bar, click on OpenVPN and in the interface that appears, select Clients from the options shown (these are all highlighted red in the image below.)

1. Click Add+ to create a new VPN Client configuration.

2. Set the Protocol you want to use for your connection: select either UDP on IPv4 only or TCP on IPv4 only. The decision depends on the settings you want to use from the file you selected at the beginning of this guide. (Note: there are many settings available here; only the ones that need to be changed from their default values are mentioned. If you are experiencing issues, be sure the unmentioned settings match the screenshot provided in this guide.)

3. Server host or address is where you input the PIA server you would like to connect to. The server locations available for the generation of servers you are connecting to are in the collection you downloaded at the start. The information you are looking for is on the fourth line of the OpenVPN configuration file; in this case "remote 1198". The text "" is the input for the server address, and "1198" is the input for the server port in the next step.

4. For the Server port setting you will input the required port for the chosen configuration — 1198 from the step above.

5. The Description allows you to specify an identifying name for this VPN configuration.

6. In the Username field, input your PIA username — that is always in the format of p1234567 and cannot be replaced with any other information.

7. The Password field requires the password for your PIA account, which is assigned to you but can be customized in the client control panel. The interface requires you to enter this password twice to guard against typing errors.

8. The checkbox for Use a TLS key will be checked by default; uncheck it.

9. From the dropdown for Peer Certificate Authority select the Descriptive name for the security certificate you created in Step 2.

10. For Encryption Algorithm select the option appropriate to your configuration. In general, we suggest using GCM over CBC.

11. For Auth digest algorithm select the option appropriate to your configuration, shown in the Dependencies Table.

12. Set the Compression dropdown to Adaptive LZO Compression.

13. The Custom options section will require multiple specific lines of text; copy and paste the following into this field:



remote-cert-tls server

reneg-sec 0

auth-retry interact

dhcp-option DNS

dhcp-option DNS

14. For the Gateway Creation setting, select the radio button for IPv4 only.

15. Click Save.
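
The following Python script is an added example, not part of the original guide or of PIA's or pfSense's own tooling. It reads the text of a downloaded OpenVPN configuration and reports the values Step 2 asks for, then checks that the certificate text to be pasted in Step 1 still has its begin and end lines. The hostname and certificate body in the sample are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re
# Constructed sample input: placeholder host and certificate body, not real PIA values.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1198
cipher aes-128-cbc
auth sha1
"""
_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_CA = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def pfsense_fields(ovpn_text):
    """Map OpenVPN directives to the pfSense client fields named in Step 2."""
    directives = {}
    for line in ovpn_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            directives.setdefault(parts[0], parts[1:])  # keep the first occurrence
    remote = directives.get("remote", [])
    if len(remote) < 2 or not remote[1].isdigit():
        raise ValueError("expected a 'remote <host> <port>' line")
    proto = (directives.get("proto") or ["udp"])[0].lower()  # OpenVPN defaults to UDP
    return {
        "Protocol": ("TCP" if proto.startswith("tcp") else "UDP") + " on IPv4 only",
        "Server host or address": remote[0],
        "Server port": int(remote[1]),
        "Encryption Algorithm": (directives.get("cipher") or ["(not set)"])[0].upper(),
        "Auth digest algorithm": (directives.get("auth") or ["(not set)"])[0].upper(),
    }

def ca_paste_problems(pasted):
    """Return reasons the text pasted into 'Certificate data' would be incomplete."""
    text, problems = pasted.strip(), []
    if not text.startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("missing BEGIN CERTIFICATE line")
    if not text.endswith("-----END CERTIFICATE-----"):
        problems.append("missing END CERTIFICATE line")
    match = PEM_RE.search(text)
    if match:
        try:  # the body between the marker lines must be intact base64
            base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
    return problems
if __name__ == "__main__":
    print(pfsense_fields(SAMPLE_OVPN), ca_paste_problems(SAMPLE_CA) or "no CA paste problems")
```

To use it on your own download, pass the contents of the configuration file and of the certificate file in place of the two sample strings.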