This guide shows you how to set up Proton VPN on pfSense 2.5.x, which allows any device connected to your router to be protected with a Proton VPN connection. As usual, a Plus or Visionary plan is required for devices on your network to access streaming services.
Note that we have a separate guide on How to set up Proton VPN on pfSense 2.4.5-*.
Prerequisites for the pfSense VPN setup:
- Preconfigured and working pfSense 2.5.x-RELEASE
- A computer in the LAN network to access the pfSense frontend
- An OpenVPN configuration file. The configuration files can be downloaded in the Downloads section of your account
Step One: Add the Certificate
To use the pfSense OpenVPN client, you first need to add the Proton VPN certificate.
1. Open your browser and type in https://192.168.1.1 to open the pfSense frontend.
2. Log in to pfSense and go to System → Cert. Manager → Add.
3. Choose a Descriptive Name (for example, Proton VPN AG).
4. For Method, select Import an existing Certificate Authority.
5. Open the OpenVPN configuration file you downloaded earlier in a text editor and copy the certificate text. The certificate starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–.
6. Paste this certificate into the Certificate data field.
7. Click Save.
Step Two: Configure the OpenVPN Client
In this step, you will add an OpenVPN client to encrypt your data and tunnel it to the VPN server.
1. Go to VPN → OpenVPN → Clients and click Add.
2. Fill in the configuration fields as follows:
- Disabled: Unchecked
- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice)
- Device mode: tun – Layer 3 Tunnel Mode
- Interface: WAN
- Local Port: leave empty
- Server host or address: Enter the IP address of the server you wish to connect to. To do this, go to https://account.protonvpn.com/downloads, find the server you wish to connect to, and in its Actions column, click the ⋁ icon next to the Download button. Copy the server’s URL and use a DNS lookup tool to find its corresponding IP address. For example, Iceland Server #03 has the URL node-is-02.protonvpn.net, which corresponds to the IP address 126.96.36.199
- Server port: If Protocol is TCP, use 443. If Protocol is UDP, use 1194
- Proxy host or address: Leave empty
- Proxy port: Leave empty
- Proxy Authentication: Leave unchanged (none)
- Description: Choose a display name for this configuration (for example, Proton VPN IS-03 UDP).
User Authentication Settings
Note: These settings require your Proton VPN OpenVPN credentials, which are different from your regular Proton VPN login credentials. You can find your OpenVPN credentials in your Proton VPN account settings.
- Username: Your Proton VPN OpenVPN Username
- Password: Your Proton VPN OpenVPN Password
- Authentication Retry: Leave unchecked
Note: to enable additional features, add the following suffixes to your OpenVPN username.
- NetShield Ad-blocker: +f1
- NetSheild Ad-blocker advanced (available only if you have a paid plan, also blocks malware and trackers): +f2
For example, to enable NetSheild Ad-blocker, enter username+f1.
- Use a TLS Key: Checked
- Automatically generate a TLS Key: Unchecked
- TLS Key: Paste the key from the OpenVPN configuration file. The key starts with —–BEGIN OpenVPN Static key V1—–and ends with —–END OpenVPN Static key V1—–
- TLS Key Usage Mode: TLS Authentication
- TLS keydir direction: Direction 1
- Peer Certificate Authority: Proton VPN AG (or the descriptive name you used in Step One)
- Peer Certificate Revocation List: leave unchanged
- Client Certificate: None (Username and/or Password required)
- Data Encryption Negotiation: Checked
- Data Encryption Algorithms: AES-256-GCM, AES-128-GCM, AES-256-CBC
- Fallback Data Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
- Auth digest algorithm: SHA512 (512-bit)
- Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
- IPv4 Tunnel Network: Leave blank
- IPv6 Tunnel Network: Leave blank
- IPv4 Remote network(s): Leave blank
- IPv6 Remote network(s): Leave blank
- Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
- Allow Compression: Refuse any non-stub compression (Most secure)
- Topology: Subnet — One IP address per client in a common subnet
- Type of service: Leave unchecked
- Don’t pull routes: Leave unchecked
- Don’t add/remove routes: Leave unchecked
Leave everything at their default settings.
- Custom Options: Add the following:
tun-mtu 1500; tun-mtu-extra 32; mssfix 1450; reneg-sec 0; remote-cert-tls server; pull;
- UDP Fast I/O: Checked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity level: 3 (recommended)
3. Click Save.
4. Go to Status → OpenVPN.
At this point, you should see the new VPN client with its Status showing up.
Step Three: Configuring the OpenVPN Interface
The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you need to configure the Interfaces and Firewall rules.
1. Go to Interfaces → Assignments.
2. From the OPT1 dropdown menu, select the VPN client you just added. In our example, this is ovpnc1 (Proton VPN IS-03 UDP). Click Save.
3. In the Interface column, click on OPT1 and fill out the fields as follows:
- Enable: Check
- Description: Name of the Interface (alphanumeric only). We will use Proton VPNIS03UDP.
- Block bogon networks: Check
Leave the rest of the fields unchanged.
4. Save and Apply the changes.
Step Four: Setting up the Firewall Rules
We use Firewall Rules to route everything through the Proton VPN interface we set up in Step Three.
1. Go to Firewall → NAT → Outbound.
2. Change Mode to Manual Outbound NAT rule generation, then Save and Apply the change.
3. Go to Mappings, and you will see 6 rules listed. In the Source column, 4 of these rules show the addresses 127.0.0.0/8 and ::1/128. Ignore these and Edit the other 2 rules by clicking on the pencil icon in the Actions column.
4. For both rules, change Interface to the Proton VPN Interface created in Step Three. In our example, this is ProtonVPNIS03UDP. Save and Apply the changes.
Mappings should now look like this:
5. Go to Firewall –> Rules –> LAN. You will see 3 rules. Disable the IPv6 rule and Edit the IPv4 rule by clicking on the pencil icon in the Actions column.
6. Scroll down and select Display Advanced.
7. Change Gateway to the previously created gateway (in our example, ProtonVPNIS03UDP_VNV4). Save and Apply the changes.
8. Go to Status → OpenVPN and Restart the client.
Step Five: Insert the correct DNS Servers for the pfSense VPN setup
All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.
1. Go to System → General Setup → DNS Server Settings.
2. Enter DNS Servers: 10.1.0.1.
3. Leave the Gateway as none.
4. Set DNS Resolution Behavior to Use remote DNS Servers, ignore local DNS.
5. Go to Services → DNS Resolver → DNS Query Forwarding and Enable Forwarding Mode.
6. Scroll up to Outgoing Network Interfaces and select the VPN Interface (in our case, ProtonVPNIS03UDP). Please note that this setting is very important as it prevents DNS leaks).
7. Save and Apply the changes.
Setup is complete
You should see the IP address and location of the Proton VPN server you specified in the setup process above. The DNS address should match this location.
You can exclude some computers on your network from using the VPN interface. (For example, a PlayStation used for gaming). To do this:
1. Go to Firewall → Rules → LAN → Add.
2. Fill in the fields as follows:
- Action: Pass
- Disabled: Unchecked
- Interface: LAN
- Address Family: IPv4
- Protocol: Any
- Source: Single Host or Alias and add the IP of the device to exclude
- Destination: Any
- Log: Unchanged
- Description: Add a description
3. Click on Display Advanced and change Gateway to WAN.
4. Save and Apply changes.
5. Go to Firewall → NAT → Outbound.
6. Switch Mode to Automatic, then Save and Apply the change.
7. Switch back to Manual, then Save and Apply the change again.
This creates 2 additional rules that allow the selected device to access the local WAN network.
The device is now excluded from the VPN interface and will access the internet using the IP address assigned to your network by your ISP. However, it will use Proton VPN’s DNS server.