
pfSense 2.3.2 router setup

This is a tutorial on how to set up an OpenVPN connection to NordVPN from your pfSense router.

pfSense version 2.3.2
  • 1. To set up pfSense 2.3.2 with OpenVPN, open the pfSense web interface in your browser and navigate to System -> Certificate Manager -> CAs. You should see this screen:

  • 2. We will configure pfSense to connect to the DK3 server. Press the "+ Add" button, then fill in the fields as follows:

    • Descriptive Name: NordVPN_DK3_CERT
    • Method: Import an existing Certificate Authority
    • Certificate data: paste the NordVPN CA certificate, including its BEGIN/END lines (download the CA and TLS key files from https://nordvpn.com/api/static/ca_and_tls_auth_certificates.zip)


    • Press "Save"

    You should see something like this:


  • 3. Then navigate to VPN -> OpenVPN -> Clients and press "+Add"


  • 4. Fill in the fields:

    Disable this client: leave unchecked.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP (you can also use TCP);
    Device mode: TUN;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: dk3.nordvpn.com;
    Server port: 1194;
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy authentication extra options: Authentication method: None;
    Server host name resolution: check Infinitely resolve server;
    Description: any name you like; in this guide it is NordVPN DK3.

    USER AUTHENTICATION SETTINGS
    User name/pass: Your NordVPN username / your NordVPN password.

    CRYPTOGRAPHIC SETTINGS
    TLS Authentication: Check
    Automatically generate a shared TLS authentication key: Uncheck

    Then paste the TLS authentication key of the DK3 server, which is in the same archive: https://nordvpn.com/api/static/ca_and_tls_auth_certificates.zip


    Peer certificate authority: NordVPN_DK3_CERT;
    Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    Encryption algorithm: AES-256-CBC (256-bit);
    Auth digest algorithm: SHA1 (160-bit) (on newer servers this is SHA-512; it must match the digest the server uses, otherwise the tunnel will not authenticate);
    Hardware crypto: No hardware crypto acceleration.

    TUNNEL SETTINGS

    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network/s: leave blank;
    IPv6 remote network/s: leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: Enabled with adaptive compression;
    Type-of-service: leave unchecked;
    Disable IPv6: check Don’t forward IPv6 traffic;
    Don’t pull routes: check;
    Don’t add/remove routes: leave unchecked.

    ADVANCED CONFIGURATIONS

    Custom Options (one option per line, each terminated with a semicolon):

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;

    Verbosity level: 3 (recommended);

    Click Save.


  • 5. Navigate to Interfaces -> Interface Assignments and add the NordVPN DK3 OpenVPN client as a new interface.


  • 6. Click the OPT1 link to the left of the newly assigned interface and fill in the following:

    Enable: check
    Description: NordVPN
    IPv4 Configuration Type: DHCP
    IPv6 Configuration Type: None
    Mac Address: leave blank
    MTU: leave blank
    MSS: leave blank

    Do not change anything else. Scroll down to the bottom and press "Save".


  • 7. Navigate to Services -> DNS Resolver -> General Settings

    Enable: check
    Listen port: leave the existing value
    Network Interfaces: All
    Outgoing Network Interfaces: NordVPN
    System Domains Local Zone Type: Transparent
    DNSSEC: uncheck
    DNS Query Forwarding: check
    DHCP Registration: check
    Static DHCP: check
    Save


  • 8. While in DNS Resolver, select Advanced Settings at the top and fill in the following:

    Hide Identity: check
    Hide Version: check
    Prefetch Support: check
    Prefetch DNS Key Support: check
    Save


  • 9. Navigate to Firewall -> NAT -> Outbound, select "Manual Outbound NAT rule generation" and press "Save". Four rules will appear. Leave the 127.0.0.0 rules untouched and edit both rules that have your LAN network address as the source:

    9.1. Change the Interface to NordVPN;
    9.2. Click Save.


    At the end it should look like this:


  • 10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:

    10.1. Press on Show Advanced Options;
    10.2. Change Gateway to NordVPN;
    10.3. Click Save.

    At the end it should look like this:


  • 11. Go to System -> General Setup and fill in the DNS servers (the second column is the gateway):
    DNS Server 1: 162.242.211.137, Gateway: none
    DNS Server 2: 78.46.223.24, Gateway: NordVPN_DHCP-...
    Save


  • 12. Now navigate to Status -> OpenVPN; it should state that the service is "up".


  • 13. You can also check the connection log file under Status -> System Logs -> OpenVPN:
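As an added check for steps 2 and 4 (example code written for this guide, not NordVPN's or pfSense's own): copying the CA certificate or the tls-auth key from a web page often leaves the BEGIN/END markers glued onto the body on one line, which OpenSSL's PEM reader will not parse. The script below re-wraps such a blob into standard form before you paste it into the Certificate data and TLS key fields, and rejects material that is not base64-encoded DER or a 512-hex-digit OpenVPN V1 static key. The sample blobs are constructed, not the real NordVPN material.

```python
import base64
import binascii
import re

# Matches any "-----BEGIN <label>-----...-----END <label>-----" block, even when
# the markers and the body are all on one line.
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----(.*?)-----END \1-----", re.S)
STATIC_KEY_LABEL = "OpenVPN Static key V1"


def normalize_pem(text: str) -> str:
    """Re-wrap a CA certificate blob into standard PEM: markers on their own
    lines and a base64 body wrapped at 64 columns. Rejects bodies that are not
    base64 or do not decode to a DER SEQUENCE (every X.509 cert starts with 0x30)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no matching -----BEGIN/END <label>----- markers found")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError(f"body is not valid base64: {e}") from None
    if label == "CERTIFICATE" and (not der or der[0] != 0x30):
        raise ValueError("decoded body is not a DER-encoded certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def normalize_static_key(text: str) -> str:
    """Same for the tls-auth key. An OpenVPN V1 static key is 2048 bits:
    exactly 512 hex digits, conventionally written as 16 lines of 32."""
    m = PEM_RE.search(text)
    if not m or m.group(1) != STATIC_KEY_LABEL:
        raise ValueError("no OpenVPN Static key V1 block found")
    body = re.sub(r"\s+", "", m.group(2))
    if not re.fullmatch(r"[0-9a-fA-F]{512}", body):
        raise ValueError(f"static key body must be 512 hex digits, got {len(body)}")
    lines = [body[i:i + 32] for i in range(0, 512, 32)]
    return (f"-----BEGIN {STATIC_KEY_LABEL}-----\n" + "\n".join(lines)
            + f"\n-----END {STATIC_KEY_LABEL}-----\n")


# Constructed samples (not NordVPN's real material) in the glued-on-one-line
# form a copy from a web page tends to produce. The "certificate" body is the
# minimal DER SEQUENCE 30 03 02 01 05, just enough to pass the structural check.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----MAMCAQU=-----END CERTIFICATE-----"
SAMPLE_KEY = ("-----BEGIN OpenVPN Static key V1-----" + "0123456789abcdef" * 32
              + "-----END OpenVPN Static key V1-----")

if __name__ == "__main__":
    print(normalize_pem(SAMPLE_CA))
    print(normalize_static_key(SAMPLE_KEY))
```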
