
OpenVPN

pfSense 2.4.4 setup

1. To set up pfSense 2.4.4 with OpenVPN, access your pfSense via browser. Then navigate to System -> Cert. Manager -> CAs and select +Add.

You should see this screen:

2. We will configure our pfSense to connect to the NL120 server, but you should connect to a server suggested to you at https://nordvpn.com/servers/tools/.

You can find the server hostname right under the server title.

Press the + Add button. Then fill out the fields like this:

Descriptive Name: NordVPN_NL120_CA
Method: Import an existing Certificate Authority
Certificate data: paste the CA certificate (you can get it by downloading our CA and TLS files from https://downloads.nordcdn.com/configs/archives/certificates/servers.zip):

Press Save

3. Then navigate to VPN -> OpenVPN -> Clients and press +Add.

4. Fill in the fields:

Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN;
Local port: leave blank;
Server host or address: nl120.nordvpn.com;
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
Description: any name you like; we will use NordVPN_NL120.

USER AUTHENTICATION SETTINGS

Username: Your NordVPN username
Password: your NordVPN password (in both fields).
Authentication Retry: leave unchecked

CRYPTOGRAPHIC SETTINGS

TLS Configuration: check;
TLS Key: paste the OpenVPN static key from the TLS file in the servers.zip archive linked in step 2:

TLS Key Usage Mode: TLS Authentication
Peer certificate authority: NordVPN_NL120_CA;
Peer Certificate Revocation list: do not define.
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (the identifier on your machine may differ);
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM and AES-256-CBC.
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.

TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network(s): leave blank;
IPv6 remote network(s): leave blank;
Limit outgoing bandwidth: leave blank;
Compression: No LZO Compression [Legacy style, comp-lzo no];
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked;
Don’t pull routes: leave unchecked;
Don’t add/remove routes: leave unchecked.

ADVANCED CONFIGURATION

Custom Options (pfSense separates custom options with semicolons, so enter them exactly as shown):

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

UDP FAST I/O: leave unchecked.
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended);
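The step 4 settings above correspond to OpenVPN client directives. The following checker is an added example, not NordVPN's or pfSense's code: given a client config (one directive per line, or the semicolon-separated Custom Options string pfSense takes), it reports which of the hardening directives this guide relies on are missing or weakened. The sample configs and the `client1.tls-auth` file name are constructed for illustration.

```python
# Lint an OpenVPN client config against the hardening this guide applies. Added example,
# not NordVPN's or pfSense's code; takes one directive per line or pfSense's ";"-separated Custom Options.
import re

REQUIRED = {  # normalized directive -> why the guide includes it
    "remote-cert-tls server": "peer must present a certificate marked for server use",
    "tls-client": "this side acts as the TLS client",
    "persist-key": "keep key material across restarts",
    "persist-tun": "keep the tun device across restarts",
}
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}

def parse_directives(text):
    """Split on newlines or semicolons; drop blanks, comments and extra spaces."""
    parts = re.split(r"[;\n]", text)
    return [" ".join(p.split()) for p in parts if p.strip() and not p.lstrip().startswith("#")]

def lint(text):
    """Return findings as strings; an empty list means the config matches the guide."""
    directives = parse_directives(text)
    by_key = {d.split()[0]: d.split()[1:] for d in directives}  # first token -> args
    findings = [f"missing '{d}': {why}" for d, why in REQUIRED.items() if d not in directives]
    if not any(k in by_key for k in ("tls-auth", "tls-crypt")):
        findings.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    cipher = (by_key.get("cipher") or ["(none)"])[0]
    if cipher not in STRONG_CIPHERS:
        findings.append(f"cipher {cipher} is not one of {sorted(STRONG_CIPHERS)}")
    for c in (by_key.get("ncp-ciphers") or [""])[0].split(":"):
        if c and c not in STRONG_CIPHERS:
            findings.append(f"ncp-ciphers allows negotiating down to {c}")
    digest = (by_key.get("auth") or ["(none)"])[0]
    if digest not in STRONG_DIGESTS:
        findings.append(f"auth digest {digest} is not one of {sorted(STRONG_DIGESTS)}")
    if "compress" in by_key or by_key.get("comp-lzo", ["no"]) != ["no"]:
        findings.append("compression is enabled; the guide sets 'comp-lzo no'")
    return findings

# Constructed sample mirroring the guide; the last line is the Custom Options string as pfSense takes it.
GUIDE_CONFIG = """\
remote nl120.nordvpn.com 1194
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
tls-auth client1.tls-auth 1
comp-lzo no
tls-client;remote-random;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;persist-key;persist-tun;reneg-sec 0;remote-cert-tls server;
"""
# Constructed weakened variant: server check dropped, legacy cipher, compression on.
WEAK_CONFIG = GUIDE_CONFIG.replace("remote-cert-tls server;", "").replace(
    "cipher AES-256-GCM", "cipher BF-CBC").replace("comp-lzo no", "comp-lzo")
```

`lint(GUIDE_CONFIG)` returns an empty list, while `lint(WEAK_CONFIG)` flags the missing `remote-cert-tls server`, the `BF-CBC` cipher and the enabled compression.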

5. Navigate to Interfaces -> Interface Assignments and Add NordVPN NL120 interface.

6. Click the OPT1 link to the left of your assigned interface and fill in the following information:

Enable: check
Description: NordVPN
Mac Address: leave blank
MTU: leave blank
MSS: leave blank

Do not change anything else. Just scroll down to the bottom and press “Save”.

7. Navigate to Services -> DNS Resolver -> General Settings

Enable: check
Listen port: leave what it already is
Enable SSL/TLS Service: uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (the identifier on your machine may differ);
SSL/TLS Listen Port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check

Click Save

8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

ADVANCED PRIVACY OPTIONS:

Hide Identity: check
Hide Version: check

ADVANCED RESOLVER OPTIONS:

Prefetch Support: check
Prefetch DNS Key Support: check

Click Save

9. Navigate to Firewall -> NAT -> Outbound and select Manual Outbound NAT rule generation. Press Save. Four rules will then appear. Leave them untouched and add a new one.
9.1. Select NordVPN as an Interface.
9.2. Source: your LAN subnet.
9.3. Click Save. At the end it should look like this:

10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule.
10.1. Press on Show Advanced Options;
10.2. Change Gateway to NordVPN;
10.3. Click Save.

At the end it should look like this:

11. Go to System -> General Setup and fill in:

DNS Server 1: 103.86.96.100; Gateway: none
DNS Server 2: 103.86.99.100; Gateway: NordVPN_VPNV4-…

Click Save

12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.

13. You can also check the connection log under Status -> System Logs -> OpenVPN.

That’s it! You should now have the VPN connection set on your pfSense.