Router Setup

pfSense® OpenVPN Setup Guide

Basic pfSense Setup

Add the CA.crt to the Certificate Manager
In your pfSense device click on "System" -> "Cert manager" -> "CAs" and then click on "+Add"
Give it a name, i.e. “IVPN CA” Choose "Import an existing Certificate Authority" and paste the following under “Certificate data”:

Click on "Save".

Add a VPN connection
In this example, we’ll create the VPN connection to Canada server (CA.GW.IVPN.NET). You can find domain names of other locations on our server status page.
Click on "VPN" -> "OpenVPN" -> "Clients" -> "+Add" & enter the following configuration:
- Server Mode - Peer to Peer (SSL/TLS)
- Protocol - UDP on IPv4 only
- Device mode - tun Layer 3 Tunnel Mode
- Interface - WAN
- Server host - ca.gw.ivpn.net (pick any other location from the server status page)
- Server port - 2049
- Description - IVPN Canada
- Enter your account ID that begins with letters ‘ivpnXXXXXXXX’ or ‘i-XXXX-XXXX-XXXX’ and any password under User Authentication Settings
  Only your account ID is used for authentication and is case-sensitive. The password field can be left empty or set to anything if your client software requires a non-blank password.
- Check Use a TLS Key option under TLS Configuration -> uncheck the Automatically generate a TLS Key option and past the following & past the following under TLS Key
```
-----BEGIN OpenVPN Static key V1-----
ac470c93ff9f5602a8aab37dee84a528
14d10f20490ad23c47d5d82120c1bf85
9e93d0696b455d4a1b8d55d40c2685c4
1ca1d0aef29a3efd27274c4ef09020a3
978fe45784b335da6df2d12db97bbb83
8416515f2a96f04715fd28949c6fe296
a925cfada3f8b8928ed7fc963c156327
2f5cf46e5e1d9c845d7703ca881497b7
e6564a9d1dea9358adffd435295479f4
7d5298fabf5359613ff5992cb57ff081
a04dfb81a26513a6b44a9b5490ad265f
8a02384832a59cc3e075ad545461060b
7bcab49bac815163cb80983dd51d5b1f
d76170ffd904d8291071e96efc3fb777
856c717b148d08a510f5687b8a8285dc
ffe737b98916dd15ef6235dee4266d3b
-----END OpenVPN Static key V1-----
```
- TLS Key Usage Mode - TLS Authentication
- Peer Certificate Authority - IVPN CA
- Client Certificate - None (Username or Password required)
- Encryption Algorithm - AES-256-GCM (256 bit key, 128 bit block)
- Enable NCP - checked
- NCP Algorithms - AES-128-GCM & AES-256-GCM
- Auth digest algorithm - SHA1 (160-bit)
- Compression - No LZO Compression [Legacy style, comp-lzo no]
- UDP Fast I/O - checked.
- Gateway creation - IPv4 only
- Save.
Add an interface
- Click on "Interfaces" -> "Assignments".
- Use the Drop-down menu for the "Available network ports" and select "ovpnc* (IVPN Canada)" and hit "+Add"
- Click on the new interface name (it is usually named "OPT1" or "OPT2") & have the Enable Interface option checked.
- Hit "Save" to apply the changes.
Adjust NAT rules
- Click on "Firewall" -> "NAT" -> "Outbound". Set "Mode" to "Manual Outbound NAT rule Generation (AON)" & click on "Save"
- Look for the entry that contains your local IP address (the one that does not contain port “500” nor “127.0.0.0” entries, for you this will probably be 192.168.1.0/24) & click on the Pen icon (Edit mapping)
- Set the interface to the one created in step 3, write a description & have both Disabled and Do not NAT options Unchecked. Click on the "Save" button
- Delete other rules that contain your local IP that exist via WAN, (keep the 127.0.0.0 ones). This will ensure that traffic doesn’t leak if the VPN tunnel accidentally goes down.
- Hit "Save".
Configure DNS
- Navigate to System - General setup and add the following IVPN DNS servers: 10.0.254.1 & 198.245.51.147. Hit Save to apply the changes.
- Finally, navigate to Status -> OpenVPN & click on the Restart openvpn Service button.
- Open the dnsleaktest.com to verify that you are connected to IVPN.
Sometimes, you might need to additionally reboot pfSense to apply the new configuration.

Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.