How to set up Proton VPN on pfSense 2.5.x

Reading
12 mins
Category
Routers

This guide shows you how to set up Proton VPN on pfSense 2.5.x, which allows any device connected to your router to be protected with a Proton VPN connection. As usual, a Plus or Visionary plan(new window) is required for devices on your network to access streaming services.

Note that we have a separate guide on How to set up Proton VPN on pfSense 2.4.5-*(new window).

Prerequisites for the pfSense VPN setup:

  • Preconfigured and working pfSense 2.5.x-RELEASE
  • A computer in the LAN network to access the pfSense frontend
  • An OpenVPN configuration file. The configuration files can be downloaded in the Downloads section of your account

Step One: Add the Certificate

To use the pfSense OpenVPN client, you first need to add the Proton VPN certificate.

1. Open your browser and type in https://192.168.1.1(new window) to open the pfSense frontend.

2. Log in to pfSense and go to System Cert. ManagerAdd.

PfSense setup 1

3. Choose a Descriptive Name (for example, Proton VPN AG).

4. For Method, select Import an existing Certificate Authority.

5. Open the OpenVPN configuration file you downloaded earlier in a text editor and copy the certificate text. The certificate starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–.

pfSense setup 2

6. Paste this certificate into the Certificate data field.

pfSense setup 3

7. Click Save.

Step Two: Configure the OpenVPN Client

In this step, you will add an OpenVPN client to encrypt your data and tunnel it to the VPN server.

1. Go to VPN OpenVPN Clients and click Add.

2. Fill in the configuration fields as follows:

General Information

  • Disabled: Unchecked
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice)
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local Port: leave empty
  • Server host or address: Enter the IP address of the server you wish to connect to. To do this, go to https://account.protonvpn.com/downloads, find the server you wish to connect to, and in its Actions column, click the icon next to the Download button. Copy the server’s URL and use a DNS lookup tool(new window) to find its corresponding IP address. For example, Iceland Server #03 has the URL node-is-02.protonvpn.net, which corresponds to the IP address 185.159.158.50
  • Server port: If Protocol is TCP, use 443. If Protocol is UDP, use 1194
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Authentication: Leave unchanged (none)
  • Description: Choose a display name for this configuration (for example, Proton VPN IS-03 UDP).

pfSense setup 4

User Authentication Settings

Note: These settings require your Proton VPN OpenVPN credentials, which are different from your regular Proton VPN login credentials. You can find your OpenVPN credentials in your Proton VPN account settings.

  • Username: Your Proton VPN OpenVPN Username
  • Password: Your Proton VPN OpenVPN Password
  • Authentication Retry: Leave unchecked

Note: to enable additional features, add the following suffixes to your OpenVPN username.

  • NetShield Ad-blocker: +f1
  • NetSheild Ad-blocker advanced (available only if you have a paid plan, also blocks malware and trackers): +f2

For example, to enable NetSheild Ad-blocker, enter username+f1.

pfSense setup 5

Cryptographic Settings

  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste the key from the OpenVPN configuration file. The key starts with —–BEGIN OpenVPN Static key V1—–and ends with —–END OpenVPN Static key V1—–

pfSense setup 6

  • TLS Key Usage Mode: TLS Authentication
  • TLS keydir direction: Direction 1
  • Peer Certificate Authority: Proton VPN AG (or the descriptive name you used in Step One)
  • Peer Certificate Revocation List: leave unchanged
  • Client Certificate: None (Username and/or Password required)
  • Data Encryption Negotiation: Checked
  • Data Encryption Algorithms: AES-256-GCM, AES-128-GCM, AES-256-CBC
  • Fallback Data Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.

pfSense setup 7

Tunnel Settings

  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
  • Allow Compression: Refuse any non-stub compression (Most secure)
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Leave unchecked
  • Don’t add/remove routes: Leave unchecked

Tunnel settings

Ping Settings

Leave everything at their default settings.

pfSense setup 8

Advanced Configuration

  • Custom Options: Add the following:
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
reneg-sec 0;
remote-cert-tls server;
pull;
  • UDP Fast I/O: Checked
  • Exit Notify: Disabled
  • Send/Receive Buffer: Default
  • Gateway creation: IPv4 only
  • Verbosity level: 3 (recommended)

pfSense setup 9

3. Click Save.

4. Go to Status → OpenVPN.

At this point, you should see the new VPN client with its Status showing up.

pfSense setup 10

Step Three: Configuring the OpenVPN Interface

The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you need to configure the Interfaces and Firewall rules.

1. Go to Interfaces → Assignments.

2. From the OPT1 dropdown menu, select the VPN client you just added. In our example, this is ovpnc1 (Proton VPN IS-03 UDP). Click Save.

pfSense setup 11

3. In the Interface column, click on OPT1 and fill out the fields as follows:

  • Enable: Check
  • Description: Name of the Interface (alphanumeric only). We will use Proton VPNIS03UDP.
  • Block bogon networks: Check

Leave the rest of the fields unchanged.

pfSense setup 12

4. Save and Apply the changes.

Step Four: Setting up the Firewall Rules

We use Firewall Rules to route everything through the Proton VPN interface we set up in Step Three.

1. Go to Firewall → NAT → Outbound.

2. Change Mode to Manual Outbound NAT rule generation, then Save and Apply the change.

3. Go to Mappings, and you will see 6 rules listed. In the Source column, 4 of these rules show the addresses 127.0.0.0/8 and ::1/128. Ignore these and Edit the other 2 rules by clicking on the pencil icon in the Actions column.

pfSense setup 13

4. For both rules, change Interface to the Proton VPN Interface created in Step Three. In our example, this is ProtonVPNIS03UDP. Save and Apply the changes.

pfSense setup 14

Mappings should now look like this:

pfSense setup 15

5. Go to Firewall –> Rules –> LAN. You will see 3 rules. Disable the IPv6 rule and Edit the IPv4 rule by clicking on the pencil icon in the Actions column.

pfSense setup 16

6. Scroll down and select Display Advanced.

7. Change Gateway to the previously created gateway (in our example, ProtonVPNIS03UDP_VNV4). Save and Apply the changes.

pfSense setup 17

8. Go to Status → OpenVPN and Restart the client.

pfSense setup 18

Step Five: Insert the correct DNS Servers for the pfSense VPN setup

All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.

1. Go to System → General Setup → DNS Server Settings.

2. Enter DNS Servers: 10.1.0.1.

3. Leave the Gateway as none.

4. Set DNS Resolution Behavior to Use remote DNS Servers, ignore local DNS.

pfSense setup 18

5. Go to Services → DNS Resolver → DNS Query Forwarding and Enable Forwarding Mode.

6. Scroll up to Outgoing Network Interfaces and select the VPN Interface (in our case, ProtonVPNIS03UDP). Please note that this setting is very important as it prevents DNS leaks).

pfSense setup 19

7. Save and Apply the changes.

Setup is complete

All traffic from your network is now securely routed through the Proton VPN server(new window) you chose. You can test this by visiting an IP leak test(new window) website from any device on your network.

You should see the IP address and location of the Proton VPN server you specified in the setup process above. The DNS address should match this location.

Optional tweaks

You can exclude some computers on your network from using the VPN interface. (For example, a PlayStation used for gaming). To do this:

1. Go to Firewall → Rules → LAN → Add.

pfSense setup 21

2. Fill in the fields as follows:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description

pfSense setup 26

3. Click on Display Advanced and change Gateway to WAN.

pfSense setup 27

4. Save and Apply changes.

pfSense setup 28

5. Go to Firewall → NAT → Outbound.

6. Switch Mode to Automatic, then Save and Apply the change.

7. Switch back to Manual, then Save and Apply the change again.

This creates 2 additional rules that allow the selected device to access the local WAN network.

pfSense setup 29

The device is now excluded from the VPN interface and will access the internet using the IP address assigned to your network by your ISP. However, it will use Proton VPN’s DNS server.

Didn’t find what you were looking for?

Get help
General contactcontact@proton.me
Media contactmedia@proton.me
Legal contactlegal@proton.me
Partnerships contactpartners@proton.me