This guide is written for a fresh install of pfSense version 2.4.5-RELEASE-p1 (amd64), built on June 02 2020, and will work with any 2.4+ release.
For this guide the WAN interface has the address 192.168.0.60 with its gateway (WANGW) at 192.168.0.1, and the LAN interface is set to 10.1.1.1. Be sure to adjust the steps to match the IP settings of your own installation.
NOTE REGARDING IPv6: If all firewall traffic is going to be passed through our VPN then you will need to set the IPv6 Configuration Type to "None" on your WAN interface, as our VPN does not currently support IPv6. Leaving IPv6 enabled on the WAN would let IPv6 traffic bypass the tunnel and leave your network unencrypted.
- To begin, download the .ovpn configuration files to a device that has webgui access to your pfSense installation: https://privadovpn.com/apps/ovpn_configs.zip
- Extract the files to a local directory and open the .ovpn file for the server you would like to connect to in a text editor. For this example we will be using our Los Angeles server, lax-012.vpn.privado.io.
- With the text editor still open, switch back to the pfSense webgui, navigate to System > Cert. Manager (CAs tab) and click the Add button.
- Enter the settings as shown below and click "Save":
Descriptive Name: PrivadoVPN_CA
Method: Import an existing Certificate Authority
Certificate Data: copy/paste the CA certificate from the .ovpn file in the text editor (the text between the <ca> and </ca> tags, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
- Navigate to VPN > OpenVPN > Clients and click the Add button.
- Enter the settings as shown below and click "Save" (any setting not listed can be left at its default):
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only
Device mode: tun - Layer 3 Tunnel mode
Server host or address: the PrivadoVPN server name from the .ovpn file (lax-012.vpn.privado.io in this example) or its IP address
Server port: 1194
User Authentication Settings
Username: PrivadoVPN username
Password: PrivadoVPN password
TLS Configuration (Use a TLS Key): UNCHECKED
Peer Certificate Authority: PrivadoVPN_CA
Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
Enable NCP: UNCHECKED
Auth digest algorithm: SHA256 (256-bit)
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 -- Isolated /30 network per client
Ping settings - leave default
Custom Options: Copy the 'remote' and 'tls-cipher' lines from the .ovpn file open in the text editor, one option per line (or separated by semicolons).
Gateway creation: IPv4 only
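The steps above have you pull three things out of the .ovpn file by hand: the CA certificate, the 'remote' lines and the 'tls-cipher' line, and they assume the profile uses the same cipher (AES-256-CBC), digest (SHA256), protocol and TLS-key settings as the pfSense form. The script below is an added example, not PrivadoVPN's or pfSense's own code: it parses a client profile, prints what to paste into each field, and warns where the profile disagrees with the settings listed above (for instance an inline tls-auth/tls-crypt key, which would require "Use a TLS Key" to be checked instead). The sample profile embedded in it is constructed for the demo; its certificate body is a placeholder, not a real PrivadoVPN CA, and its tls-cipher list is illustrative.

```python
"""Extract pfSense OpenVPN client settings from a .ovpn profile (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values the walkthrough tells you to select in the pfSense client form.
PFSENSE_CIPHER = "AES-256-CBC"
PFSENSE_AUTH = "SHA256"

# Constructed sample profile: server name as on the page, certificate is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote lax-012.vpn.privado.io 1194
remote lax-012.vpn.privado.io 443
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
auth-user-pass
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


@dataclass
class OvpnProfile:
    remotes: List[Tuple[str, str, str]] = field(default_factory=list)  # (host, port, proto)
    directives: Dict[str, List[str]] = field(default_factory=dict)     # other options and their args
    inline: Dict[str, str] = field(default_factory=dict)               # <ca>, <tls-crypt>, ... blocks


def parse_ovpn(text: str) -> OvpnProfile:
    """Parse whitespace-separated directives plus <tag>...</tag> inline file blocks."""
    prof = OvpnProfile()
    block: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside an inline block
            if line == f"</{block}>":
                prof.inline[block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":            # blank or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        name, *args = line.split()
        if name == "remote":
            host = args[0]
            port = args[1] if len(args) > 1 else "1194"   # OpenVPN default port
            proto = args[2] if len(args) > 2 else (prof.directives.get("proto") or ["udp"])[0]
            prof.remotes.append((host, port, proto))
        else:
            prof.directives[name] = args
    if block is not None:
        raise ValueError(f"unterminated <{block}> block")
    return prof


def pfsense_checklist(prof: OvpnProfile) -> Dict[str, object]:
    """Return the text for each pfSense field plus warnings where the profile
    disagrees with the settings prescribed in the walkthrough."""
    if not prof.remotes:
        raise ValueError("profile has no 'remote' line")
    host, port, proto = prof.remotes[0]
    custom = [f"remote {h} {p} {pr}" for h, p, pr in prof.remotes]
    if "tls-cipher" in prof.directives:
        custom.append("tls-cipher " + " ".join(prof.directives["tls-cipher"]))
    warnings: List[str] = []
    cipher = (prof.directives.get("cipher") or [None])[0]
    if cipher and cipher.upper() != PFSENSE_CIPHER:
        warnings.append(f"profile cipher is {cipher}: set Encryption Algorithm to match, not {PFSENSE_CIPHER}")
    auth = (prof.directives.get("auth") or [None])[0]
    if auth and auth.upper() != PFSENSE_AUTH:
        warnings.append(f"profile auth digest is {auth}: set Auth digest algorithm to match, not {PFSENSE_AUTH}")
    for key in ("tls-auth", "tls-crypt"):
        if key in prof.inline:
            warnings.append(f"profile carries an inline <{key}> key: check 'Use a TLS Key' and paste it")
    if proto.lower().startswith("tcp"):
        warnings.append(f"first remote uses {proto}: change Protocol from UDP to TCP")
    if "comp-lzo" in prof.directives or "compress" in prof.directives:
        warnings.append("profile requests compression: match it in the Compression field")
    if "ca" not in prof.inline:
        warnings.append("no inline <ca> block: take the CA from the separate file named by the 'ca' directive")
    return {
        "server_host": host,
        "server_port": port,
        "protocol": proto,
        "ca_pem": prof.inline.get("ca", ""),
        "custom_options": "\n".join(custom),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in pfsense_checklist(parse_ovpn(SAMPLE_OVPN)).items():
        print(f"== {key} ==\n{value}\n")
```

Run it against your real profile by reading the file into `parse_ovpn` instead of `SAMPLE_OVPN`; the `custom_options` output is what goes into the Custom Options box, and any warning means one of the form settings above needs to differ from the walkthrough for that profile.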
- Navigate to Interfaces > Assignments, select ovpnc1 (PrivadoVPN) from the 'Available network ports' dropdown menu and then click the Add button.
- Click on the newly created OPT1 interface, check the "Enable interface" box, change the Description to PrivadoVPN and click Save.
- Next, set the DNS servers via System > General Setup.
DNS Servers: The first DNS server, 198.18.0.1, is our DNS server and should be assigned to the VPN gateway (PVPN_VPNV4 - opt1 in this example; the gateway name is derived from the interface description you entered above) so that all DNS requests for that interface pass through our servers.
The second DNS server is set to Google's public DNS server, 8.8.8.8, and assigned to the WAN gateway; it is only needed to resolve the VPN server hostname before the tunnel is up, so any public DNS server will do here.
DNS Server Override ("Allow DNS server list to be overridden by DHCP/PPP on WAN"): UNCHECKED, so that resolvers handed out by your ISP are never added and used outside the tunnel.
- Now navigate to Firewall > NAT and click the Outbound tab. Select 'Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)' and click Save.
This will generate 2 'Automatic Rules' at the bottom, and you will need to create 4 new rules to route the traffic through the VPN as shown below:
NOTE: Be sure to edit the IP address for the LAN to PVPN connections to the LAN address used by your installation. Also be sure that each rule has the 'Address Family' set to 'IPv4'.
- Your PVPN_VPNV4 gateway should now show as connected and Online under Status > Gateways.
- Next, go to System > Advanced > Miscellaneous and scroll down to Gateway Monitoring. Check the box next to 'Skip rules when gateway is down' and Save. By default pfSense creates a rule whose gateway is down without the gateway, so the traffic would fall back to the WAN; with this option the rule is skipped entirely, which helps prevent traffic from leaking over the WAN if the VPN disconnects.
At this point you can navigate to https://whatismyipaddress.com/ and verify that you are showing the IP location of the VPN server you selected. It is also worth temporarily disabling the OpenVPN client and confirming that the same check then fails rather than showing your WAN address, which proves the leak protection above is doing its job.
If you have any questions please feel free to reach out via our support page.