Router Setup

pfSense® OpenVPN Setup Guide

Basic pfSense Setup

1. Add the CA.crt to the Certificate Manager
   In your pfSense device click on "System" -> "Cert manager" -> "CAs" and then click on "+Add"
   Give it a name, i.e. “IVPN CA” Choose "Import an existing Certificate Authority" and paste the following under “Certificate data”:

   -----BEGIN CERTIFICATE-----
   MIIGoDCCBIigAwIBAgIJAJjvUclXmxtnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
   VQQGEwJDSDEPMA0GA1UECAwGWnVyaWNoMQ8wDQYDVQQHDAZadXJpY2gxETAPBgNV
   BAoMCElWUE4ubmV0MQ0wCwYDVQQLDARJVlBOMRgwFgYDVQQDDA9JVlBOIFJvb3Qg
   Q0EgdjIxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAaXZwbi5uZXQwHhcNMjAwMjI2
   MTA1MjI5WhcNNDAwMjIxMTA1MjI5WjCBjDELMAkGA1UEBhMCQ0gxDzANBgNVBAgM
   Blp1cmljaDEPMA0GA1UEBwwGWnVyaWNoMREwDwYDVQQKDAhJVlBOLm5ldDENMAsG
   A1UECwwESVZQTjEYMBYGA1UEAwwPSVZQTiBSb290IENBIHYyMR8wHQYJKoZIhvcN
   AQkBFhBzdXBwb3J0QGl2cG4ubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
   CgKCAgEAxHVeaQN3nYCLnGoEg6cY44AExbQ3W6XGKYwC9vI+HJbb1o0tAv56ryvc
   6eS6BdG5q9M8fHaHEE/jw9rtznioiXPwIEmqMqFPA9k1oRIQTGX73m+zHGtRpt9P
   4tGYhkvbqnN0OGI0H+j9R6cwKi7KpWIoTVibtyI7uuwgzC2nvDzVkLi63uvnCKRX
   cGy3VWC06uWFbqI9+QDrHHgdJA1F0wRfg0Iac7TE75yXItBMvNLbdZpge9SmplYW
   FQ2rVPG+n75KepJ+KW7PYfTP4Mh3R8A7h3/WRm03o3spf2aYw71t44voZ6agvslv
   wqGyczDytsLUny0U2zR7/mfEAyVbL8jqcWr2Df0m3TA0WxwdWvA51/RflVk9G96L
   ncUkoxuBT56QSMtdjbMSqRgLfz1iPsglQEaCzUSqHfQExvONhXtNgy+Pr2+wGrEu
   SlLMee7aUEMTFEX/vHPZanCrUVYf5Vs8vDOirZjQSHJfgZfwj3nL5VLtIq6ekDhS
   AdrqCTILP3V2HbgdZGWPVQxl4YmQPKo0IJpse5Kb6TF2o0i90KhORcKg7qZA40sE
   bYLEwqTM7VBs1FahTXsOPAoMa7xZWV1TnigF5pdVS1l51dy5S8L4ErHFEnAp242B
   DuTClSLVnWDdofW0EZ0OkK7V9zKyVl75dlBgxMIS0y5MsK7IWicCAwEAAaOCAQEw
   gf4wHQYDVR0OBBYEFHUDcMOMo35yg2A/v0uYfkDE11CXMIHBBgNVHSMEgbkwgbaA
   FHUDcMOMo35yg2A/v0uYfkDE11CXoYGSpIGPMIGMMQswCQYDVQQGEwJDSDEPMA0G
   A1UECAwGWnVyaWNoMQ8wDQYDVQQHDAZadXJpY2gxETAPBgNVBAoMCElWUE4ubmV0
   MQ0wCwYDVQQLDARJVlBOMRgwFgYDVQQDDA9JVlBOIFJvb3QgQ0EgdjIxHzAdBgkq
   hkiG9w0BCQEWEHN1cHBvcnRAaXZwbi5uZXSCCQCY71HJV5sbZzAMBgNVHRMEBTAD
   AQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAABAjRMJy+mXFLezA
   Z8iUgxOjNtSqkCv1aU78K1XkYUzbwNNrSIVGKfP9cqOEiComXY6nniws7QEV2IWi
   lcdPKm0x57recrr9TExGGOTVGB/WdmsFfn0g/HgmxNvXypzG3qulBk4qQTymICds
   l9vIPb1l9FSjKw1KgUVuCPaYq7xiXbZ/kZdZX49xeKtoDBrXKKhXVYoWus/S+k2I
   S8iCxvcp599y7LQJg5DOGlbaxFhsW4R+kfGOaegyhPvpaznguv02i7NLd99XqJhp
   v2jTUF5F3T23Z4KkL/wTo4zxz09DKOlELrE4ai++ilCt/mXWECXNOSNXzgszpe6W
   As0h9R++sH+AzJyhBfIGgPUTxHHHvxBVLj3k6VCgF7mRP2Y+rTWa6d8AGI2+Raey
   V9DVVH9UeSoU0Hv2JHiZL6dRERnyg8dyzKeTCke8poLIjXF+gyvI+22/xsL8jcNH
   i9Kji3Vpc3i0Mxzx3gu2N+PL71CwJilgqBgxj0firr3k8sFcWVSGos6RJ3IvFvTh
   xYx0p255WrWM01fR9TktPYEfjDT9qpIJ8OrGlNOhWhYj+a45qibXDpaDdb/uBEmf
   2sSXNifjSeUyqu6cKfZvMqB7pS3l/AhuAOTT80E4sXLEoDxkFD4C78swZ8wyWRKw
   sWGIGABGAHwXEAoDiZ/jjFrEZT0=
   -----END CERTIFICATE-----
   

   Click on "Save".

   

2. Add a VPN connection
   In this example, we’ll create the VPN connection to Canada server (CA.GW.IVPN.NET). You can find domain names of other locations on our server status page.
   Click on "VPN" -> "OpenVPN" -> "Clients" -> "+Add" & enter the following configuration:

   • Server Mode - Peer to Peer (SSL/TLS)
   • Protocol - UDP on IPv4 only
   • Device mode - tun Layer 3 Tunnel Mode
   • Interface - WAN
   • Server host - ca.gw.ivpn.net (pick any other location from the server status page)
   • Server port - 2049
   • Description - IVPN Canada
   • Enter your account ID that begins with letters ‘ivpnXXXXXXXX’ or ‘i-XXXX-XXXX-XXXX’ and any password under User Authentication Settings
     Only your account ID is used for authentication and is case-sensitive. The password field can be left empty or set to anything if your client software requires a non-blank password.
   • Check Use a TLS Key option under TLS Configuration -> uncheck the Automatically generate a TLS Key option and past the following & past the following under TLS Key

     -----BEGIN OpenVPN Static key V1-----
     ac470c93ff9f5602a8aab37dee84a528
     14d10f20490ad23c47d5d82120c1bf85
     9e93d0696b455d4a1b8d55d40c2685c4
     1ca1d0aef29a3efd27274c4ef09020a3
     978fe45784b335da6df2d12db97bbb83
     8416515f2a96f04715fd28949c6fe296
     a925cfada3f8b8928ed7fc963c156327
     2f5cf46e5e1d9c845d7703ca881497b7
     e6564a9d1dea9358adffd435295479f4
     7d5298fabf5359613ff5992cb57ff081
     a04dfb81a26513a6b44a9b5490ad265f
     8a02384832a59cc3e075ad545461060b
     7bcab49bac815163cb80983dd51d5b1f
     d76170ffd904d8291071e96efc3fb777
     856c717b148d08a510f5687b8a8285dc
     ffe737b98916dd15ef6235dee4266d3b
     -----END OpenVPN Static key V1-----
     

   • TLS Key Usage Mode - TLS Authentication
   • Peer Certificate Authority - IVPN CA
   • Client Certificate - None (Username or Password required)
   • Encryption Algorithm - AES-256-GCM (256 bit key, 128 bit block)
   • Enable NCP - checked
   • NCP Algorithms - AES-128-GCM & AES-256-GCM
   • Auth digest algorithm - SHA1 (160-bit)
   • Compression - No LZO Compression [Legacy style, comp-lzo no]
   • UDP Fast I/O - checked.
   • Gateway creation - IPv4 only
   • Save.

3. Add an interface

   • Click on "Interfaces" -> "Assignments".
   • Use the Drop-down menu for the "Available network ports" and select "ovpnc* (IVPN Canada)" and hit "+Add"
   • Click on the new interface name (it is usually named "OPT1" or "OPT2") & have the Enable Interface option checked.
   • Hit "Save" to apply the changes.

4. Adjust NAT rules

   • Click on "Firewall" -> "NAT" -> "Outbound". Set "Mode" to "Manual Outbound NAT rule Generation (AON)" & click on "Save"
   • Look for the entry that contains your local IP address (the one that does not contain port “500” nor “127.0.0.0” entries, for you this will probably be 192.168.1.0/24) & click on the Pen icon (Edit mapping)
   • Set the interface to the one created in step 3, write a description & have both Disabled and Do not NAT options Unchecked. Click on the "Save" button
   • Delete other rules that contain your local IP that exist via WAN, (keep the 127.0.0.0 ones). This will ensure that traffic doesn’t leak if the VPN tunnel accidentally goes down.
   • Hit "Save".
     

5. Configure DNS

   • Navigate to System - General setup
   • and add the following IVPN DNS servers: 10.0.254.1 & 198.245.51.147. Hit Save to apply the changes.
   • Finally, navigate to Status -> OpenVPN & click on the Restart openvpn Service button.
   • Open the dnsleaktest.com to verify that you are connected to IVPN.
   Sometimes, you might need to additionally reboot pfSense to apply the new configuration.

Please note: If you plan to use a Multi-hop setup please see this guide and replace the port number in Step 2 with the chosen Exit-hop server Multi-hop port.