How to set up ProtonVPN on pfSense 2.5.x

This guide shows you how to set up ProtonVPN on pfSense 2.5.x, which allows any device connected to your router to be protected with a ProtonVPN connection. As usual, a Plus or Visionary plan is required for devices on your network to access streaming services.

Note that we have a separate guide on How to set up ProtonVPN on pfSense 2.4.5-*.

Prerequisites for the pfSense VPN setup:

  • Preconfigured and working pfSense 2.5.x-RELEASE
  • A computer in the LAN network to access the pfSense frontend
  • An OpenVPN configuration file, which you can download from the Downloads section of your account

Step One: Add the Certificate

To use the pfSense OpenVPN client, you first need to add the ProtonVPN certificate.

1. Open your browser and type in https://192.168.1.1 to open the pfSense frontend.

2. Log in to pfSense and go to System → Cert. Manager → Add.

3. Choose a Descriptive Name (for example, ProtonVPN AG).

4. For Method, select Import an existing Certificate Authority.

5. Open the OpenVPN configuration file you downloaded earlier in a text editor and copy the certificate text. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

6. Paste this certificate into the Certificate data field.

7. Click Save.

Step Two: Configure the OpenVPN Client

In this step, you will add an OpenVPN client to encrypt your data and tunnel it to the VPN server.

1. Go to VPN → OpenVPN → Clients and click Add.

2. Fill in the configuration fields as follows:

General Information

  • Disabled: Unchecked
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice)
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local Port: leave empty
  • Server host or address: The IP address of the server you want to connect to. A server name consists of a country code and a server number; for example, IS-03.protonvpn.com is Iceland server 03. To get the IP address, use a DNS lookup tool such as https://mxtoolbox.com/DNSLookup.aspx. In this example, we use 185.159.158.50, the IP address of server IS-03 (based in Iceland).
  • Server port: If Protocol is TCP, use 443. If Protocol is UDP, use 1194.
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Authentication: Leave unchanged (none)
  • Description: Choose a display name for this configuration (for example, ProtonVPN IS-03 UDP).

User Authentication Settings

Note: These settings require your ProtonVPN OpenVPN credentials, which are different from your regular ProtonVPN login credentials. You can find your OpenVPN credentials in your ProtonVPN account settings.

  • Username: Your ProtonVPN OpenVPN Username
  • Password: Your ProtonVPN OpenVPN Password
  • Authentication Retry: Leave unchecked

Cryptographic Settings

  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste the key from the OpenVPN configuration file. The key starts with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----.
  • TLS Key Usage Mode: TLS Authentication
  • TLS keydir direction: Direction 1
  • Peer Certificate Authority: ProtonVPN AG (or the descriptive name you used in Step One)
  • Peer Certificate Revocation List: leave unchanged
  • Client Certificate: None (Username and/or Password required)
  • Data Encryption Negotiation: Checked
  • Data Encryption Algorithms: AES-256-GCM, AES-128-GCM, AES-256-CBC
  • Fallback Data Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
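
As an added example (not part of the ProtonVPN guide), the following Python script pulls out of an OpenVPN configuration file the two items that Step One and the Cryptographic Settings above ask you to copy by hand, the CA certificate and the TLS static key, together with the key-direction and remote lines, and reports anything that would not match the pfSense fields. The embedded .ovpn text is constructed with placeholder data, not a real ProtonVPN file.

```python
import re

# Constructed sample in the layout of a ProtonVPN-style inline .ovpn file;
# the base64 bodies are placeholders, not real certificate or key material.
SAMPLE_OVPN = """client
dev tun
proto udp
remote is-03.protonvpn.com 1194
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDERcaDATA
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefconstructedPLACEHOLDERkeyDATA
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def inline_block(config: str, tag: str) -> str:
    """Text between <tag> and </tag> (the PEM body), or '' if the block is absent."""
    match = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", config, re.DOTALL)
    return match.group(1).strip() if match else ""

def parse_ovpn(config: str) -> dict:
    """Return the CA cert, TLS static key, key direction and remote list, plus any problems."""
    ca = inline_block(config, "ca")             # goes into Cert. Manager > Certificate data
    tls_key = inline_block(config, "tls-auth")  # goes into the client's TLS Key field
    remotes, key_direction = [], None
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":    # skip blank lines and comments
            continue
        if parts[0] == "remote" and len(parts) >= 3:
            remotes.append((parts[1], int(parts[2])))  # host to resolve, Server port
        elif parts[0] == "key-direction" and len(parts) == 2:
            key_direction = int(parts[1])       # must match "TLS keydir direction"
    problems = []
    if not (ca.startswith("-----BEGIN CERTIFICATE-----") and ca.endswith("-----END CERTIFICATE-----")):
        problems.append("no PEM CA block: nothing to import in Step One")
    if not tls_key.startswith("-----BEGIN OpenVPN Static key V1-----"):
        problems.append("no tls-auth static key: nothing to paste into TLS Key")
    if key_direction != 1:
        problems.append("key-direction is not 1: pfSense 'Direction 1' would not match")
    return {"ca": ca, "tls_key": tls_key, "remotes": remotes,
            "key_direction": key_direction, "problems": problems}
```

Run `parse_ovpn(open("your.ovpn").read())` on the file you downloaded; the `ca` and `tls_key` values are exactly the text to paste into pfSense, and an empty `problems` list means the file carries everything the steps above need.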

Tunnel Settings

  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
  • Allow Compression: Refuse any non-stub compression (Most secure)
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Leave unchecked
  • Don’t add/remove routes: Leave unchecked

Ping Settings

Leave everything at its default settings.

Advanced Configuration

  • Custom Options: Add the following:
      tun-mtu 1500;
      tun-mtu-extra 32;
      mssfix 1450;
      reneg-sec 0;
      remote-cert-tls server;
      pull;
  • UDP Fast I/O: Checked
  • Exit Notify: Disabled
  • Send/Receive Buffer: Default
  • Gateway creation: IPv4 only
  • Verbosity level: 3 (recommended)

3. Click Save.

4. Go to Status → OpenVPN.

At this point, you should see the new VPN client listed, with its Status shown as up.

Step Three: Configuring the OpenVPN Interface

The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure ProtonVPN tunnel, you need to configure the Interfaces and Firewall rules.

1. Go to Interfaces → Assignments.

2. From the OPT1 dropdown menu, select the VPN client you just added. In our example, this is ovpnc1 (ProtonVPN IS-03 UDP). Click Save.

3. In the Interface column, click on OPT1 and fill out the fields as follows:

  • Enable: Check
  • Description: Name of the Interface (alphanumeric only). We will use ProtonVPNIS03UDP.
  • Block bogon networks: Check

Leave the rest of the fields unchanged.

4. Save and Apply the changes.

Step Four: Setting up the Firewall Rules

We use Firewall Rules to route everything through the ProtonVPN interface we set up in Step Three.

1. Go to Firewall → NAT → Outbound.

2. Change Mode to Manual Outbound NAT rule generation, then Save and Apply the change.

3. Go to Mappings, and you will see 6 rules listed. In the Source column, 4 of these rules show the addresses 127.0.0.0/8 and ::1/128. Ignore these and Edit the other 2 rules by clicking on the pencil icon in the Actions column.

4. For both rules, change Interface to the ProtonVPN Interface created in Step Three. In our example, this is ProtonVPNIS03UDP. Save and Apply the changes.

5. Go to Firewall → Rules → LAN. You will see 3 rules. Disable the IPv6 rule and Edit the IPv4 rule by clicking on the pencil icon in the Actions column.

6. Scroll down and select Display Advanced.

7. Change Gateway to the previously created gateway (in our example, ProtonVPNIS03UDP_VNV4). Save and Apply the changes.

8. Go to Status → OpenVPN and Restart the client.

Step Five: Insert the correct DNS Servers for the pfSense VPN setup

All internet traffic passing through the pfSense firewall will now be routed through a ProtonVPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.

1. Go to System → General Setup → DNS Server Settings.

2. Enter DNS Servers: 10.1.0.1.

3. Leave the Gateway as none.

4. Set DNS Resolution Behavior to Use remote DNS Servers, ignore local DNS.

5. Go to Services → DNS Resolver → DNS Query Forwarding and Enable Forwarding Mode.

6. Scroll up to Outgoing Network Interfaces and select the VPN Interface (in our case, ProtonVPNIS03UDP). This setting is very important, as it prevents DNS leaks.

7. Save and Apply the changes.

Setup is complete

All traffic from your network is now securely routed through the ProtonVPN server you chose. You can test this by visiting an IP leak test website from any device on your network.

You should see the IP address and location of the ProtonVPN server you specified in the setup process above. The DNS address should match this location.

Optional tweaks

You can exclude some computers on your network from using the VPN interface (for example, a PlayStation used for gaming). To do this:

1. Go to Firewall → Rules → LAN → Add.

2. Fill in the fields as follows:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description

3. Click on Display Advanced and change Gateway to WAN.

4. Save and Apply changes.

5. Go to Firewall → NAT → Outbound.

6. Switch Mode to Automatic, then Save and Apply the change.

7. Switch back to Manual, then Save and Apply the change again.

This creates 2 additional rules that allow the selected device to access the local WAN network.

The device is now excluded from the VPN interface and will access the internet using the IP address assigned to your network by your ISP. However, it will use ProtonVPN’s DNS server.
