Router Setup

OPNsense OpenVPN Setup Guide

This guide was produced using OPNsense 21.7.1

Add a Certificate

  1. In your router’s webUI, navigate to System > Trust > Authorities and click on the + button

  2. Give it any name, i.e. “IVPN CA”, select Import an existing Certificate Authority, then copy and paste the contents of our ca.crt file into the Certificate Data field

  3. Click Save.

Configure an OpenVPN Client

  1. Choose an OpenVPN server from our Server Status page and make note of its hostname (this guide uses Ukranian server as an example -

  2. Navigate to VPN > OpenVPN > Clients, click on the + button and enter the following configuration:

    • Disabled - Unchecked
    • Description - Give it any name, i.e. IVPN Ukraine
    • Server Mode - Peer to Peer (SSL/TLS)
    • Protocol - UDP or TCP
    • Device mode - tun
    • Interface - WAN
    • Remote server - IVPN’s server hostname, i.e.
    • Port - 2049 (or 53, 80, 443, 1194, 2050 for UDP and 80, 443, 1443 for TCP. All ports are equally secure)
    • Username - Your IVPN account ID (i-XXXX-XXXX-XXXX or ivpnXXXXXXXX case-sensitive)
    • Password - any string, i.e. ivpn

    • TLS Authentication - check the Enable authentication of TLS packets option then copy and paste the contents of our ta.key file
    • Peer Certificate Authority - IVPN CA
    • Client Certificate - None (Username and Password required)
    • Encryption algorithm - CHACHA20-POLY1305 (256 bit key) (AES-256-GCM & AES-256-CBC are also supported)
    • Auth Digest Algorithm - SHA1 (160bit)
    • Compression - Legacy - Disabled LZO algorithm (–comp-lzo no)

  3. Click Save.

Create an Interface

  1. Navigate to Interfaces > Assignments

  2. Look for the interface with ovpnc1 name, give it any description, i.e. “IVPNUkraine”, then click on the + button and Save

  3. Click on the newly added interface name, have the Enable Interface option checked and Save the changes.

Configure Firewall

  1. Navigate to Firewall > NAT > Outbound, select Manual outbound NAT rule generation and click Save

  2. Click on the + button to add a new rule and fill in the following configuration:

    • Disabled - Unchecked
    • Interface - select the created earlier interface, i.e. IVPNUkraine
    • Source Address - LAN net
    • Translation / target - Interface address
  3. Click Save and Apply Changes.


  1. Navigate to Services > DHCPv4 > [LAN]

  2. In the DNS servers field, specify one of the following DNS servers:

    • = regular DNS with no blocking
    • = standard AntiTracker to block advertising and malware domains
    • = AntiTracker Hardcore Mode to also block Google and Facebook domains
  3. Click Save.

Final Steps

  1. Restart your router device and check the status of the OpenVPN client in the VPN - OpenVPN - Connection Status area.

  2. Check the conenction status and the assigned public IP address on our website and run a leak test at from one of the devices connected to your OPNsense router.

Please note: If you plan to use a Multi-hop setup please see this guide and replace the port number in Step 2 of Configure an OpenVPN Client section with the chosen Exit-hop server Multi-hop port.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.