Basic pfSense Setup

  1. Add the CA.crt to the Certificate Manager.
    In your pfSense device, click on "System" -> "Cert manager" -> "CAs" and then click on "+Add".
    Give it a name, e.g. "IVPN CA".
    Choose "Import an existing Certificate Authority" & paste the following under "Certificate data":
    -----BEGIN CERTIFICATE-----
    MIIETjCCAzagAwIBAgIJANeN9f9F53lmMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
    BAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwGA1UEBxMFTWFsdGExETAPBgNVBAoT
    CElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5ldCBDQTEfMB0GCSqGSIb3DQEJARYQ
    c3VwcG9ydEBpdnBuLm5ldDAeFw0xMDA3MjQxNzQxMjBaFw0yMDA3MjExNzQxMjBa
    MHcxCzAJBgNVBAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwGA1UEBxMFTWFsdGEx
    ETAPBgNVBAoTCElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5ldCBDQTEfMB0GCSqG
    SIb3DQEJARYQc3VwcG9ydEBpdnBuLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEP
    ADCCAQoCggEBANb0cvGYrnHwXm9vZiHGIlvKDo342dE8XyyA4iIyjeSDTnC2XTdu
    E/NPxQ2hc5Pi8DKFqzrmJ8qxmLRv3n+NGQsHiP+rKE2Wi6wQYzg12fgxmeLYenbH
    J8UzzVCg2YFe97LGs8cBZeirYKHyErP+Od7rYot6VyUKkb5FB+Tjql6GiyiWmxIv
    T9PKoFkXSI3riCiLIP1LwzLVcn0nhZvnXFk2EvVmhmjzdJWLNjqe3Zj78mQLzMdc
    XFBO28kaEaydvh2k/Beu17YUqGQDt2w4sbL+DPyjD+k/NusVzV4HggISfJAKfHZz
    G1cBFA3Hiu+jSkKOMJ4gC3f+WG4Hpj1XS7cCAwEAAaOB3DCB2TAdBgNVHQ4EFgQU
    vCA6yNJ+VUdFGuKo/EnEQZUz874wgakGA1UdIwSBoTCBnoAUvCA6yNJ+VUdFGuKo
    /EnEQZUz876he6R5MHcxCzAJBgNVBAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwG
    A1UEBxMFTWFsdGExETAPBgNVBAoTCElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5l
    dCBDQTEfMB0GCSqGSIb3DQEJARYQc3VwcG9ydEBpdnBuLm5ldIIJANeN9f9F53lm
    MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFhU6MPf42dp5U0yPE0c
    ZS3g/pqd4GV4eBe7wYydv88FCScV8o2XGi3VruHKLbyGNxiD3OWwV81NNpLA8rFi
    vFgaKU+meWjCRQmptKWmoFpzPtCxB59D9zqYB0TaAuGOh084ioM+qC+MMXJzYY7c
    aXvOZ02b1lu44Z1GDIDxy1ONhajoRS59QmNpeoD3jtrVfGPmMwcR26TBj2nMudZK
    YMjYmbORgXu/0a/4jZ43B0mvRXCX64xOmwFZHioONhrxdtGA0pNwCXYWKyJ2pnLA
    6VBoEr0Hku56c0ZIDVdi3EUmO/K/XmOmmp6htKELdvjR3goiS/fC/2XTSkIJe3Va
    15U=
    -----END CERTIFICATE-----

    Click on "Save".
  2. Add a VPN connection.
    In this example, we'll create the VPN connection to the Canada server (CA.GW.IVPN.NET). You can find the domain names of other locations on our server status page.
    Click on "VPN" -> "OpenVPN" -> "Clients" -> click on "+Add" & enter the following configuration:
    "Server Mode" - "Peer to Peer (SSL/TLS)"
    "Protocol" - "UDP"
    "Device mode" - "tun Layer 3 Tunnel Mode"
    "Interface" - "WAN"
    "Server host" - "ca.gw.ivpn.net" (pick any other location from the server status page)
    "Server port" - "2049"
    "Description" - "IVPN Canada"
    Enter your IVPN username (ivpnXXXXXXXX) & Password under "User Authentication Settings"
    Check "Use a TLS Key" in "TLS Configuration" & paste the following under "TLS Key":
    -----BEGIN OpenVPN Static key V1-----
    ac470c93ff9f5602a8aab37dee84a528
    14d10f20490ad23c47d5d82120c1bf85
    9e93d0696b455d4a1b8d55d40c2685c4
    1ca1d0aef29a3efd27274c4ef09020a3
    978fe45784b335da6df2d12db97bbb83
    8416515f2a96f04715fd28949c6fe296
    a925cfada3f8b8928ed7fc963c156327
    2f5cf46e5e1d9c845d7703ca881497b7
    e6564a9d1dea9358adffd435295479f4
    7d5298fabf5359613ff5992cb57ff081
    a04dfb81a26513a6b44a9b5490ad265f
    8a02384832a59cc3e075ad545461060b
    7bcab49bac815163cb80983dd51d5b1f
    d76170ffd904d8291071e96efc3fb777
    856c717b148d08a510f5687b8a8285dc
    ffe737b98916dd15ef6235dee4266d3b
    -----END OpenVPN Static key V1-----

    "TLS Key Usage Mode" - "TLS Authentication"
    "Peer Certificate Authority" - "IVPN CA"
    "Client Certificate" - "None (Username or Password required)"
    "Encryption Algorithm" - "AES-256-GCM (256 bit key, 128 bit block)"
    "Enable NCP" - checked
    "NCP Algorithms" - "AES-128-GCM" & "AES-256-GCM"
    "Auth digest algorithm" - "SHA1 (160-bit)"
    "Compression" - "No LZO Compression [Legacy style, comp-lzo no]"
    "UDP Fast I/O" - checked.
    "Gateway creation" - "IPv4 only"
    "Save".
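    Before a CA certificate or a tls-auth key copied from a web page goes into the firewall's trust store, it is worth confirming what was actually pasted. The following is an added example, not IVPN's or pfSense's code, using only the Python standard library: it walks just enough of the certificate's DER structure to report the serial number, validity window and SHA-256 fingerprint, and checks that the tls-auth block has the 16-lines-of-32-hex-characters (2048-bit) layout that "openvpn --genkey" writes. The two constants are the certificate from step 1 and the key from step 2, copied verbatim; the parser also accepts GeneralizedTime dates, which the article's certificate does not use, so it works on any PEM certificate. Nothing else is assumed.

```python
import base64
import hashlib
from datetime import datetime, timezone

# CA certificate (step 1) and tls-auth key (step 2), copied verbatim from the article.
IVPN_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgIJANeN9f9F53lmMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
BAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwGA1UEBxMFTWFsdGExETAPBgNVBAoT
CElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5ldCBDQTEfMB0GCSqGSIb3DQEJARYQ
c3VwcG9ydEBpdnBuLm5ldDAeFw0xMDA3MjQxNzQxMjBaFw0yMDA3MjExNzQxMjBa
MHcxCzAJBgNVBAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwGA1UEBxMFTWFsdGEx
ETAPBgNVBAoTCElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5ldCBDQTEfMB0GCSqG
SIb3DQEJARYQc3VwcG9ydEBpdnBuLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANb0cvGYrnHwXm9vZiHGIlvKDo342dE8XyyA4iIyjeSDTnC2XTdu
E/NPxQ2hc5Pi8DKFqzrmJ8qxmLRv3n+NGQsHiP+rKE2Wi6wQYzg12fgxmeLYenbH
J8UzzVCg2YFe97LGs8cBZeirYKHyErP+Od7rYot6VyUKkb5FB+Tjql6GiyiWmxIv
T9PKoFkXSI3riCiLIP1LwzLVcn0nhZvnXFk2EvVmhmjzdJWLNjqe3Zj78mQLzMdc
XFBO28kaEaydvh2k/Beu17YUqGQDt2w4sbL+DPyjD+k/NusVzV4HggISfJAKfHZz
G1cBFA3Hiu+jSkKOMJ4gC3f+WG4Hpj1XS7cCAwEAAaOB3DCB2TAdBgNVHQ4EFgQU
vCA6yNJ+VUdFGuKo/EnEQZUz874wgakGA1UdIwSBoTCBnoAUvCA6yNJ+VUdFGuKo
/EnEQZUz876he6R5MHcxCzAJBgNVBAYTAk1UMQ4wDAYDVQQIEwVNYWx0YTEOMAwG
A1UEBxMFTWFsdGExETAPBgNVBAoTCElWUE4ubmV0MRQwEgYDVQQDEwtJVlBOLm5l
dCBDQTEfMB0GCSqGSIb3DQEJARYQc3VwcG9ydEBpdnBuLm5ldIIJANeN9f9F53lm
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFhU6MPf42dp5U0yPE0c
ZS3g/pqd4GV4eBe7wYydv88FCScV8o2XGi3VruHKLbyGNxiD3OWwV81NNpLA8rFi
vFgaKU+meWjCRQmptKWmoFpzPtCxB59D9zqYB0TaAuGOh084ioM+qC+MMXJzYY7c
aXvOZ02b1lu44Z1GDIDxy1ONhajoRS59QmNpeoD3jtrVfGPmMwcR26TBj2nMudZK
YMjYmbORgXu/0a/4jZ43B0mvRXCX64xOmwFZHioONhrxdtGA0pNwCXYWKyJ2pnLA
6VBoEr0Hku56c0ZIDVdi3EUmO/K/XmOmmp6htKELdvjR3goiS/fC/2XTSkIJe3Va
15U=
-----END CERTIFICATE-----"""

IVPN_TLS_KEY = """-----BEGIN OpenVPN Static key V1-----
ac470c93ff9f5602a8aab37dee84a528
14d10f20490ad23c47d5d82120c1bf85
9e93d0696b455d4a1b8d55d40c2685c4
1ca1d0aef29a3efd27274c4ef09020a3
978fe45784b335da6df2d12db97bbb83
8416515f2a96f04715fd28949c6fe296
a925cfada3f8b8928ed7fc963c156327
2f5cf46e5e1d9c845d7703ca881497b7
e6564a9d1dea9358adffd435295479f4
7d5298fabf5359613ff5992cb57ff081
a04dfb81a26513a6b44a9b5490ad265f
8a02384832a59cc3e075ad545461060b
7bcab49bac815163cb80983dd51d5b1f
d76170ffd904d8291071e96efc3fb777
856c717b148d08a510f5687b8a8285dc
ffe737b98916dd15ef6235dee4266d3b
-----END OpenVPN Static key V1-----"""

def armor_body(text, label):
    """Lines between '-----BEGIN label-----' and '-----END label-----', whitespace stripped."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN %s-----" % label or lines[-1] != "-----END %s-----" % label:
        raise ValueError("missing or mismatched armor lines for " + label)
    return lines[1:-1]

def read_tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    """UTCTime (tag 0x17, two-digit year, >= 50 means 19YY) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (yy + (1900 if yy >= 50 else 2000), s[2:])
    return datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def inspect_certificate(pem):
    """Serial number, validity window and SHA-256 fingerprint of a PEM certificate."""
    der = base64.b64decode("".join(armor_body(pem, "CERTIFICATE")))
    tag, pos, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    tag, pos, _ = read_tlv(der, pos)               # tbsCertificate ::= SEQUENCE
    tag, vs, ve = read_tlv(der, pos)
    if tag == 0xA0:                                # optional EXPLICIT [0] version, skip it
        tag, vs, ve = read_tlv(der, ve)
    if tag != 0x02:                                # serialNumber INTEGER must come next
        raise ValueError("serialNumber not found where X.509 places it")
    serial = "%x" % int.from_bytes(der[vs:ve], "big", signed=True)
    _, _, pos = read_tlv(der, ve)                  # signature AlgorithmIdentifier, skip
    _, _, pos = read_tlv(der, pos)                 # issuer Name, skip
    tag, vs, ve = read_tlv(der, pos)               # validity ::= SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = read_tlv(der, vs)
    t2, s2, e2 = read_tlv(der, e1)
    return {"serial": serial, "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
            "not_before": parse_time(t1, der[s1:e1]), "not_after": parse_time(t2, der[s2:e2])}

def is_valid_at(info, when):
    """True if the aware datetime 'when' lies inside the certificate's validity window."""
    return info["not_before"] <= when <= info["not_after"]

def parse_static_key(text):
    """Raw bytes of an OpenVPN 'Static key V1' block; must be the 2048 bits --genkey writes."""
    key = bytes.fromhex("".join(armor_body(text, "OpenVPN Static key V1")))
    if len(key) != 256:
        raise ValueError("expected a 2048-bit static key, got %d bits" % (len(key) * 8))
    return key

if __name__ == "__main__":
    ca = inspect_certificate(IVPN_CA_PEM)
    print(ca, "| valid now:", is_valid_at(ca, datetime.now(timezone.utc)))
    print("tls-auth key bits:", len(parse_static_key(IVPN_TLS_KEY)) * 8)
```

    Compare the printed fingerprint with the one IVPN publishes before importing the CA, and look at the dates: the certificate in this article carries a notAfter of 2020-07-21 17:41:20 UTC, and OpenVPN's chain verification rejects an expired trust anchor, so a firewall whose clock is past that date needs a current CA from IVPN rather than this copy. A tls-auth key that fails the length or hex check was mangled in copy-and-paste and will make the handshake fail silently, which is much easier to spot here than in the OpenVPN log.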
  3. Add an interface.
    Click on "Interfaces" -> "Assignments".
    Use the "Available network ports" drop-down menu to select "ovpnc* (IVPN Canada)", then click on "+Add".
    Click on the new interface name; it is usually named "OPT1" or "OPT2".
    Make sure "Enable Interface" is checked, then click on "Save".
  4. Adjust NAT rules.
    Click on "Firewall" -> "NAT" -> "Outbound", set "Mode" to "Manual Outbound NAT rule generation (AON)" & click on "Save".
    Look for the entry that contains your local IP address (the one that contains neither port 500 nor 127.0.0.0; this will probably be 192.168.1.0/24), click on the pen icon (Edit mapping), set the interface to the one created in step 3 and write a description.
    Make sure that both "Disabled" and "Do not NAT" are unchecked & click on "Save".
    Delete the other rules that contain your local IP address and go out via WAN (keep the 127.0.0.0 ones). This ensures that traffic doesn't leak if the VPN tunnel unexpectedly goes down.
    Click on "Save".
  5. Set the DNS.
    Navigate to "VPN" -> "OpenVPN" -> "Clients" & click on the "Related status" button at the top right. Look for the "Virtual Address"; in this example it is "10.25.16.11". You may receive a different one depending on the location server you are connecting to. That IP address tells us that the IVPN DNS is "10.25.16.1" (see "What is the IP address of your DNS servers?").
    Click on "Services" -> "DHCP server", scroll down & set "DNS server" to the one identified in the previous step, "10.25.16.1". Click on "Save".

    Finally, click on "VPN" -> "OpenVPN" -> "Related status" icon and then click on "Restart openvpn Service" under "Service". Open dnsleaktest.com to verify that you are connected to IVPN.
