Router Setup
pfSense® OpenVPN Setup Guide
Basic pfSense Setup
-
Add the CA.crt to the Certificate Manager
In your pfSense device click on"System"
->"Cert manager"
->"CAs"
and then click on"+Add"
Give it a name, i.e. “IVPN CA” Choose"Import an existing Certificate Authority"
and paste the following under “Certificate data”:-----BEGIN CERTIFICATE----- MIIGoDCCBIigAwIBAgIJAJjvUclXmxtnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD VQQGEwJDSDEPMA0GA1UECAwGWnVyaWNoMQ8wDQYDVQQHDAZadXJpY2gxETAPBgNV BAoMCElWUE4ubmV0MQ0wCwYDVQQLDARJVlBOMRgwFgYDVQQDDA9JVlBOIFJvb3Qg Q0EgdjIxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAaXZwbi5uZXQwHhcNMjAwMjI2 MTA1MjI5WhcNNDAwMjIxMTA1MjI5WjCBjDELMAkGA1UEBhMCQ0gxDzANBgNVBAgM Blp1cmljaDEPMA0GA1UEBwwGWnVyaWNoMREwDwYDVQQKDAhJVlBOLm5ldDENMAsG A1UECwwESVZQTjEYMBYGA1UEAwwPSVZQTiBSb290IENBIHYyMR8wHQYJKoZIhvcN AQkBFhBzdXBwb3J0QGl2cG4ubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAxHVeaQN3nYCLnGoEg6cY44AExbQ3W6XGKYwC9vI+HJbb1o0tAv56ryvc 6eS6BdG5q9M8fHaHEE/jw9rtznioiXPwIEmqMqFPA9k1oRIQTGX73m+zHGtRpt9P 4tGYhkvbqnN0OGI0H+j9R6cwKi7KpWIoTVibtyI7uuwgzC2nvDzVkLi63uvnCKRX cGy3VWC06uWFbqI9+QDrHHgdJA1F0wRfg0Iac7TE75yXItBMvNLbdZpge9SmplYW FQ2rVPG+n75KepJ+KW7PYfTP4Mh3R8A7h3/WRm03o3spf2aYw71t44voZ6agvslv wqGyczDytsLUny0U2zR7/mfEAyVbL8jqcWr2Df0m3TA0WxwdWvA51/RflVk9G96L ncUkoxuBT56QSMtdjbMSqRgLfz1iPsglQEaCzUSqHfQExvONhXtNgy+Pr2+wGrEu SlLMee7aUEMTFEX/vHPZanCrUVYf5Vs8vDOirZjQSHJfgZfwj3nL5VLtIq6ekDhS AdrqCTILP3V2HbgdZGWPVQxl4YmQPKo0IJpse5Kb6TF2o0i90KhORcKg7qZA40sE bYLEwqTM7VBs1FahTXsOPAoMa7xZWV1TnigF5pdVS1l51dy5S8L4ErHFEnAp242B DuTClSLVnWDdofW0EZ0OkK7V9zKyVl75dlBgxMIS0y5MsK7IWicCAwEAAaOCAQEw gf4wHQYDVR0OBBYEFHUDcMOMo35yg2A/v0uYfkDE11CXMIHBBgNVHSMEgbkwgbaA FHUDcMOMo35yg2A/v0uYfkDE11CXoYGSpIGPMIGMMQswCQYDVQQGEwJDSDEPMA0G A1UECAwGWnVyaWNoMQ8wDQYDVQQHDAZadXJpY2gxETAPBgNVBAoMCElWUE4ubmV0 MQ0wCwYDVQQLDARJVlBOMRgwFgYDVQQDDA9JVlBOIFJvb3QgQ0EgdjIxHzAdBgkq hkiG9w0BCQEWEHN1cHBvcnRAaXZwbi5uZXSCCQCY71HJV5sbZzAMBgNVHRMEBTAD AQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAABAjRMJy+mXFLezA Z8iUgxOjNtSqkCv1aU78K1XkYUzbwNNrSIVGKfP9cqOEiComXY6nniws7QEV2IWi lcdPKm0x57recrr9TExGGOTVGB/WdmsFfn0g/HgmxNvXypzG3qulBk4qQTymICds l9vIPb1l9FSjKw1KgUVuCPaYq7xiXbZ/kZdZX49xeKtoDBrXKKhXVYoWus/S+k2I S8iCxvcp599y7LQJg5DOGlbaxFhsW4R+kfGOaegyhPvpaznguv02i7NLd99XqJhp v2jTUF5F3T23Z4KkL/wTo4zxz09DKOlELrE4ai++ilCt/mXWECXNOSNXzgszpe6W As0h9R++sH+AzJyhBfIGgPUTxHHHvxBVLj3k6VCgF7mRP2Y+rTWa6d8AGI2+Raey V9DVVH9UeSoU0Hv2JHiZL6dRERnyg8dyzKeTCke8poLIjXF+gyvI+22/xsL8jcNH i9Kji3Vpc3i0Mxzx3gu2N+PL71CwJilgqBgxj0firr3k8sFcWVSGos6RJ3IvFvTh xYx0p255WrWM01fR9TktPYEfjDT9qpIJ8OrGlNOhWhYj+a45qibXDpaDdb/uBEmf 2sSXNifjSeUyqu6cKfZvMqB7pS3l/AhuAOTT80E4sXLEoDxkFD4C78swZ8wyWRKw sWGIGABGAHwXEAoDiZ/jjFrEZT0= -----END CERTIFICATE-----
Click on
"Save"
. -
Add a VPN connection
In this example, we’ll create the VPN connection to Canada server (CA.GW.IVPN.NET). You can find domain names of other locations on our server status page.
Click on"VPN"
->"OpenVPN"
->"Clients"
->"+Add"
& enter the following configuration:- Server Mode - Peer to Peer (SSL/TLS)
- Protocol - UDP on IPv4 only
- Device mode - tun Layer 3 Tunnel Mode
- Interface - WAN
- Server host - ca.gw.ivpn.net (pick any other location from the server status page)
- Server port - 2049
- Description - IVPN Canada
- Enter your account ID that begins with letters ‘ivpnXXXXXXXX’ or ‘i-XXXX-XXXX-XXXX’ and any password under User Authentication Settings
Only your account ID is used for authentication and is case-sensitive. The password field can be left empty or set to anything if your client software requires a non-blank password.
- Check Use a TLS Key option under TLS Configuration -> uncheck the Automatically generate a TLS Key option and past the following & past the following under TLS Key
-----BEGIN OpenVPN Static key V1----- ac470c93ff9f5602a8aab37dee84a528 14d10f20490ad23c47d5d82120c1bf85 9e93d0696b455d4a1b8d55d40c2685c4 1ca1d0aef29a3efd27274c4ef09020a3 978fe45784b335da6df2d12db97bbb83 8416515f2a96f04715fd28949c6fe296 a925cfada3f8b8928ed7fc963c156327 2f5cf46e5e1d9c845d7703ca881497b7 e6564a9d1dea9358adffd435295479f4 7d5298fabf5359613ff5992cb57ff081 a04dfb81a26513a6b44a9b5490ad265f 8a02384832a59cc3e075ad545461060b 7bcab49bac815163cb80983dd51d5b1f d76170ffd904d8291071e96efc3fb777 856c717b148d08a510f5687b8a8285dc ffe737b98916dd15ef6235dee4266d3b -----END OpenVPN Static key V1-----
- TLS Key Usage Mode - TLS Authentication
- Peer Certificate Authority - IVPN CA
- Client Certificate - None (Username or Password required)
- Encryption Algorithm - AES-256-GCM (256 bit key, 128 bit block)
- Enable NCP - checked
- NCP Algorithms - AES-128-GCM & AES-256-GCM
- Auth digest algorithm - SHA1 (160-bit)
- Compression - No LZO Compression [Legacy style, comp-lzo no]
- UDP Fast I/O - checked.
- Gateway creation - IPv4 only
- Save.
-
Add an interface
- Click on
"Interfaces"
->"Assignments"
. - Use the Drop-down menu for the
"Available network ports"
and select"ovpnc* (IVPN Canada)"
and hit"+Add"
- Click on the new interface name (it is usually named
"OPT1"
or"OPT2"
) & have the Enable Interface option checked. - Hit
"Save"
to apply the changes.
- Click on
-
Adjust NAT rules
- Click on
"Firewall"
->"NAT"
->"Outbound"
. Set"Mode"
to"Manual Outbound NAT rule Generation (AON)"
& click on"Save"
- Look for the entry that contains your local IP address (the one that does not contain port “500” nor “127.0.0.0” entries, for you this will probably be 192.168.1.0/24) & click on the
Pen icon (Edit mapping)
- Set the interface to the one created in step 3, write a description & have both Disabled and Do not NAT options Unchecked. Click on the
"Save"
button - Delete other rules that contain your local IP that exist via WAN, (keep the 127.0.0.0 ones). This will ensure that traffic doesn’t leak if the VPN tunnel accidentally goes down.
- Hit
"Save"
.
- Click on
-
Configure DNS
- Navigate to
System
-General setup
- and add the following IVPN DNS servers:
10.0.254.1
&198.245.51.147
. HitSave
to apply the changes. - Finally, navigate to
Status
->OpenVPN
& click on theRestart openvpn Service
button. - Open the dnsleaktest.com to verify that you are connected to IVPN.
Sometimes, you might need to additionally reboot pfSense to apply the new configuration. - Navigate to
Please note: If you plan to use a Multi-hop setup please see this guide and replace the port number in Step 2 with the chosen Exit-hop server Multi-hop port.