You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close
Home > VPN Setup Guides > pfSense OpenVPN Setup
pfSense OpenVPN Setup
print icon

This guide written is for a fresh install of pfSense version 2.4.5-RELEASE-p1 (amd64) built on June 02 2020 and will work with any version 2.4+


For this guide we have the WAN Gateway (WANGW) set to 192.168.0.60 with the Upstream gateway 192.168.0.1 and the LAN interface set to 10.1.1.1.  You will want to be sure to edit the setup as needed for your specific IP settings. 

NOTE REGARDING IPv6:  If all firewall traffic is going to be passed through our VPN then you will need to set the IPv6 Configuration Type to "None" on your WAN interface as our VPN does not currently support IPv6.


WAN (em0):

 

LAN (em1):

 

  1. To begin you will download the .ovpn configuration files to a device that has webgui access to your pfSense installation: https://privadovpn.com/apps/ovpn_configs.zip
  2. Extract the files to a local directory and open the .ovpn file for the server you would like to connect to in a Text Editor.  For this example we will be using our Los Angeles server, lax-012.vpn.privado.io.
  3. With the Text Editor open you will switch back to pfSense webgui and navigate to System > Cert. Manager and click the  button.
  4. Enter the setting as shown below and click "Save":
    Descriptive Name:  PrivadoVPN_CA
    Method:  Import an existing Certificate Authority
    Certificate Data:  copy/paste the Certificate from the Text Editor window
  5. Navigate to VPN > OpenVPN > Clients and click the  button.
  6. Enter the setting as shown below and click "Save":  (if the setting is not listed then it can be left default)
    General Information

    Server mode:  Peer to Peer (SSL/TLS)
    Protocol:  UDP on IPv4 only
    Device mode:  tun - Layer 3 Tunnel mode
    Interface:  WAN
    Server host or address:  PrivadoVPN server name or IP Address
    Server port:  1194
    Description:  PrivadoVPN

    User Authentication Settings
    Username:  PrivadoVPN username
    Password:  PrivadoVPN password

    Cryptographic Settings

    TLS Configuration:  UNCHECKED
    Peer Certificate Authority:  PrivadoVPN_CA
    Encryption Algorithm:  AES-256-CBC (256 bit key, 128 bit block)
    Enable NCP:  UNCHECKED
    Auth digest algorithm:  SHA256 (256-bit)

    Tunnel Settings

    Compression:  Omit Preference (Use OpenVPN Default)
    Topology:  net30 -- Isolated /30 network per client

    Ping settings - leave default

    Advanced Configuration

    Custom Options:  Copy the 'remote' and 'tls-cipher' lines from the .ovpn file open in the Text Editor.
    Gateway creation:  IPv4 only
  7. Navigate to Interfaces > Assignments, select ovpnc1 (PrivadoVPN) from the 'Available network ports' dropdown menu and then click the  button
  8. Click on the newly created OP1 connection, check the "Enable interface" box, change Description to PrivadoVPN and click Save.
  9. Next set the DNS via System > General Setup.

    DNS Servers: The first DNS Server, 198.18.0.1, is our DNS server and should be assigned to the (PVPN_VPN4 - opt1) interface to pass all DNS requests for that interface through our servers.
    The second DNS Server is set to Google's 8.8.8.8 DNS server but you can use any DNS server for the WAN interface to initiate the VPN connection.
    DNS Server Override:  UNCHECKED
  10. Now navigate to Firewall > NAT and click out Outbound.  Select 'Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)' and click Save. 
    This will generate 2 'Automatic Rules' at the bottom and you will need to create 4 new rules to route the traffic through the VPN as shown below:

    NOTE:  Be sure to edit the IP address for the LAN to PVPN connections to the IP address for your installation.  Also be sure that each rule has the 'Address Family' set to 'IPv4'
  11. Your PVPN_VPNV4 Gateway should now show as connected and Online under Status > Gateways
  12. Next, go to System >Advanced > Miscellaneous and scroll down to Gateway Monitoring. Check the box next to 'Skip rules when gateway is down' and Save. This will help prevent traffic from leaking over the WAN if the VPN disconnects.

 

At this point you can navigate to https://whatismyipaddress.com/ and verify that you are showing the IP location of the VPN server you selected.

 

If you have any questions please feel free to reach out via our support page.

Feedback
12 out of 13 found this helpful

scroll to top icon