
OpenVPN

pfSense 2.4.3 setup

1. To set up pfSense 2.4.3 with OpenVPN, open the pfSense web interface in your browser, navigate to System -> Cert. Manager -> CAs and select +Add.

You should see this screen:

2. We will configure pfSense to connect to the NL120 server, but you should connect to a server recommended to you at https://nordvpn.com/servers/#recommended . The server hostname is shown right under the server title.


Press the “+ Add” button, then fill in the fields like this:

Descriptive Name: NordVPN_NL120_CA

Method: Import an existing Certificate Authority

Certificate data: paste the CA certificate for your server (you can get it by downloading our CA and TLS files from https://downloads.nordcdn.com/configs/archives/certificates/servers.zip).


Press “Save”.

3. Then navigate to VPN -> OpenVPN -> Clients and press “+Add”.

Fill in the fields:
Disable this client: leave unchecked.

Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN;
Local port: leave blank;
Server host or address: nl120.nordvpn.com;
Server port: 1194 (use 443 if you use TCP);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: any name you like. We will use NordVPN_NL120.
USER AUTHENTICATION SETTINGS
User name: your NordVPN username

Password: your NordVPN password in both fields.

Authentication Retry: leave unchecked

CRYPTOGRAPHIC SETTINGS
TLS Authentication: Check
Automatically generate a shared TLS authentication key: uncheck, then paste the TLS static key for your server (from the TLS files in the archive linked in step 2) into the key field.


Peer certificate authority: NordVPN_NL120_CA;

Peer Certificate Revocation list: do not define.

Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);

Encryption Algorithm: AES-256-GCM

Enable NCP: Check.

NCP Algorithms: AES-256-GCM and AES-256-CBC.
Auth digest algorithm: SHA512 (512-bit)

Hardware Crypto: No hardware crypto acceleration.
TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: LZO Compression [Legacy style, comp-lzo yes];

Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave unchecked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: uncheck;
Don’t add/remove routes: leave unchecked.

ADVANCED CONFIGURATIONS

Custom Options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
auth-retry nointeract;

UDP FAST I/O: leave unchecked.

Send/Receive Buffer: Default

Verbosity level: 3 (recommended);
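The custom options above are written into the generated client config one directive per semicolon-separated item. The following added example (not pfSense or NordVPN code) parses that box the same way and checks the step 3 settings for the points that matter most: `remote-cert-tls server` (so only a certificate with the server role signed by the CA is accepted as the VPN server), TLS authentication, an AEAD cipher, a strong auth digest, and notes on `reneg-sec 0` and tunnel compression. The GUI values are a constructed dictionary mirroring the choices listed above.

```python
"""Lint the OpenVPN client settings from the pfSense guide above.

Added example, not pfSense or NordVPN code. pfSense splits the 'Custom
options' box on semicolons and emits each piece as one config line, so the
parser here splits the same way.
"""

# Constructed input: the custom options exactly as the guide lists them.
GUIDE_CUSTOM_OPTIONS = (
    "tls-client;remote-random;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;"
    "persist-key;persist-tun;reneg-sec 0;remote-cert-tls server;"
    "auth-retry nointeract;"
)

# Constructed mirror of the GUI choices from step 3 that the checks use.
GUIDE_GUI = {
    "tls_auth": True,               # TLS Authentication: checked, key pasted
    "cipher": "AES-256-GCM",        # Encryption Algorithm
    "auth": "SHA512",               # Auth digest algorithm
    "compression": "comp-lzo yes",  # Compression: LZO (legacy style)
}


def parse_custom_options(text):
    """Split a pfSense custom-options string into {directive: [args]}."""
    directives = {}
    for item in text.split(";"):
        parts = item.strip().split()
        if parts and not parts[0].startswith("#"):
            directives[parts[0]] = parts[1:]
    return directives


def lint_client(custom_options, gui):
    """Return (level, message) findings for an OpenVPN client profile."""
    opts = parse_custom_options(custom_options)
    findings = []
    # Without this, any certificate signed by the same CA (e.g. another
    # client's) would be accepted as the VPN server.
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append(("HIGH", "remote-cert-tls server missing"))
    if not gui["tls_auth"]:
        findings.append(("HIGH", "TLS authentication key not configured"))
    if not gui["cipher"].endswith("-GCM"):
        findings.append(("MEDIUM", "non-AEAD data cipher %s" % gui["cipher"]))
    if gui["auth"] not in ("SHA256", "SHA384", "SHA512"):
        findings.append(("MEDIUM", "weak auth digest %s" % gui["auth"]))
    if gui["compression"] != "none":
        findings.append(("LOW", "tunnel compression enabled (%s)" % gui["compression"]))
    if opts.get("reneg-sec") == ["0"]:
        findings.append(("INFO", "reneg-sec 0: TLS keys are never renegotiated"))
    if "tun-mtu" in opts and "mssfix" in opts:
        mtu, mss = int(opts["tun-mtu"][0]), int(opts["mssfix"][0])
        if mss >= mtu:
            findings.append(("LOW", "mssfix %d not below tun-mtu %d" % (mss, mtu)))
    return findings


def lint_guide():
    """Lint the exact profile described in this guide."""
    return lint_client(GUIDE_CUSTOM_OPTIONS, GUIDE_GUI)
```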

5. Navigate to Interfaces -> Interface Assignments and add the NordVPN NL120 interface.


6. Press on the OPT1 to the left of your assigned interface and fill in the following information:
Enable: check
Description: NordVPN
IPv4 Configuration Type: DHCP
IPv6 Configuration Type: None
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press “Save”.

7. Navigate to Services -> DNS Resolver -> General Settings and fill in:
Enable: check
Listen port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
Save

8. While in DNS Resolver, select Advanced Setting at the top and then fill in the following:
Hide Identity: check

Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Save

9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”. Press “Save”. Four rules will then appear. Leave all of them untouched and add a new one:
9.1. Interface: select NordVPN.
9.2. Source: your LAN subnet.
9.3. Click Save. At the end it should look like this:

10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
10.1. Press on Show Advanced Options;

10.2. Change Gateway to NordVPN;
10.3. Click Save.
At the end it should look like this:


11. Go to System -> General Setup and fill in:
DNS Server 1: 103.86.96.100, Gateway: none
DNS Server 2: 103.86.99.100, Gateway: NordVPN_DHCP-…
Save


12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.


13. You can also check the connection log file under Status -> System Logs -> OpenVPN:

That’s it! You should now have the VPN connection set on your pfSense.