
OpenVPN

This tutorial explains how to set up your pfSense device with NordVPN. The instructions were written for a connection to the Denmark #3 (dk3) server with pfSense 2.3.2. For information on how to set up an older pfSense version, 2.2.3, see the tutorial in our Help Center: https://support.nordvpn.com/hc/en-us/articles/207875115

  • 1. To set up pfSense 2.3.2 with OpenVPN, access your pfSense via a browser. Then navigate to System -> Certificate Manager -> CAs. You should see this screen:

  • 2. We will configure pfSense to connect to the DK3 server. Press the “+ Add” button. Then fill in the fields like this:
    • Descriptive Name: NordVPN_DK3_CERT
    • Method: Import an existing Certificate Authority
    • Certificate data: (you can get this certificate by downloading our CA and TLS files from here: http://downloads.nordcdn.com/configs/archives/certificates/servers.zip)
    • Press “Save”.

    You should see something like this:

  • 3. Then navigate to VPN -> OpenVPN -> Clients and press “+ Add”.

  • 4. Fill in the fields:
    Disable this client: leave unchecked;
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP (you can also use TCP);
    Device mode: TUN;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: dk3.nordvpn.com;
    Server port: 1194;
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy authentication extra options: Authentication method: None;
    Server host name resolution: check Infinitely resolve server;
    Description: Any name you like. In our case it was NordVPN DK3
    USER AUTHENTICATION SETTINGS
    User name/pass: Your NordVPN username / your NordVPN password.
    CRYPTOGRAPHIC SETTINGS
    TLS Authentication: Check
    Automatically generate a shared TLS authentication key: Uncheck
    Then enter the TLS key of the DK3 server, which can be found here: http://downloads.nordcdn.com/configs/archives/certificates/servers.zip


    Peer certificate authority: NordVPN_DK3_CERT;
    Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    Encryption algorithm: AES-256-CBC (256-bit);
    Auth digest algorithm: SHA1 (160-bit); (On newer servers, this would be SHA-512)
    Hardware crypto: No hardware crypto acceleration.

    TUNNEL SETTINGS

    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network/s: leave blank;
    IPv6 remote network/s: leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: Enabled with adaptive compression;
    Type-of-service: leave unchecked;
    Disable IPv6: check Don’t forward IPv6 traffic;
    Don’t pull routes: check;
    Don’t add/remove routes: leave unchecked.

    ADVANCED CONFIGURATIONS

    Custom Options:

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
    

    Verbosity level: 3 (recommended);

    Click Save.

  • 5. Navigate to Interfaces -> Interface Assignments and Add NordVPN DK3 interface.

  • 6. Press OPT1 to the left of your assigned interface and fill in the following information:
    Enable: check
    Description: NordVPN
    IPv4 Configuration Type: DHCP
    IPv6 Configuration Type: None
    Mac Address: leave blank
    MTU: leave blank
    MSS: leave blank
    Do not change anything else. Just scroll down to the bottom and press “Save”.

  • 7. Navigate to Services -> DNS Resolver -> General Settings:
    Enable: check
    Listen port: leave what it already is
    Network Interfaces: All
    Outgoing Network Interfaces: NordVPN
    System Domains Local Zone Type: Transparent
    DNSSEC: uncheck
    DNS Query Forwarding: check
    DHCP Registration: check
    Static DHCP: check
    Save

  • 8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:
    Hide Identity: check
    Hide Version: check
    Prefetch Support: check
    Prefetch DNS Key Support: check
    Save

  • 9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”. Press “Save”. Four rules will then appear. Leave the 127.0.0.0 rules untouched and edit both rules that have your network address specified as the source.
    9.1. Change the Interface to NordVPN;
    9.2. Click Save.
    At the end it should look like this:

  • 10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
    10.1. Press on Show Advanced Options;
    10.2. Change Gateway to NordVPN;
    10.3. Click Save.
    At the end it should look like this:

  • 11. Go to System -> General Setup and fill in:
    DNS Server 1: 103.86.96.100; none
    DNS Server 2: 103.86.99.100; NordVPN_DHCP-…
    Save

  • 12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.

  • 13. You can also check the connection log file under Status -> System Logs -> OpenVPN:

That’s it! You should now have the VPN connection set on your pfSense.
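
The following is an added example, not part of the original tutorial and not NordVPN or pfSense code: a small linter for the standard OpenVPN client directives that the step 4 fields correspond to. It fails when server verification is missing and flags the choices a reviewer would revisit (SHA1 digest, adaptive compression, `reneg-sec 0`). The sample config, its `/path/to/...` file names, and the function names `sample_config` and `audit_ovpn` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: standard OpenVPN directives for the step 4 fields.
# The /path/to/... file names are placeholders, not pfSense's real paths.
sample_config() {
cat <<'EOF'
dev tun
proto udp
remote dk3.nordvpn.com 1194
resolv-retry infinite
auth-user-pass /path/to/credentials
ca /path/to/ca.crt
tls-auth /path/to/tls.key 1
cipher AES-256-CBC
auth SHA1
comp-lzo adaptive
route-nopull
tls-client
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
verb 3
EOF
}

# audit_ovpn FILE: print one "LEVEL directive: reason" line per finding.
audit_ovpn() {
  awk '
    { sub(/[#;].*/, "") }          # drop # and ; comments (also a trailing ;)
    NF { val[$1] = $2 }            # remember each directive and its first argument
    END {
      if (!("ca" in val)) print "FAIL ca: missing, the server certificate chain is not verified"
      if (val["remote-cert-tls"] != "server") print "FAIL remote-cert-tls: server key usage is not enforced on the peer certificate"
      if (!(("tls-auth" in val) || ("tls-crypt" in val))) print "WARN tls-auth: control channel has no pre-shared HMAC key"
      if (toupper(val["auth"]) == "SHA1") print "WARN auth: SHA1 digest, the tutorial notes newer servers use SHA-512"
      if (("comp-lzo" in val) && val["comp-lzo"] != "no") print "WARN comp-lzo: compression enabled, exposes length side channels (VORACLE)"
      if (val["reneg-sec"] == "0") print "WARN reneg-sec: 0 turns off time-based renegotiation of the data-channel key"
      if ("route-nopull" in val) print "INFO route-nopull: pushed routes ignored, traffic enters the tunnel only through the step 10 gateway rule"
    }' "$1"
}

# Stand-alone run: audit the constructed sample.
cfg=$(mktemp) && sample_config > "$cfg" && audit_ovpn "$cfg"; rm -f "$cfg"
```

To check a live client, pass the path of the OpenVPN client config generated on the firewall to `audit_ovpn` instead of the sample.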