Support Center / How to set up Proton VPN on pfSense 2.6.x

How to set up Proton VPN on pfSense 2.6.x

This guide shows you how to set up Proton VPN on pfSense 2.6.x, allowing any device connected to your router to be protected with a Proton VPN connection. As usual, a Plus or Visionary plan is required for devices on your network to access streaming services.

Note that we have separate guides on:

Prerequisites for the pfSense VPN setup:

  • Fresh pfSense 2.6.x-RELEASE installation
  • A computer in the LAN network to access the pfSense frontend
  • An OpenVPN configuration file. The configuration files can be downloaded in the Downloads section of your account

Learn how to download Proton VPN OpenVPN configuration files

Step One: Add the Certificate

To use the pfSense OpenVPN client, you first need to add the Proton VPN certificate.

1. Open your browser and type in to open the pfSense frontend

2. Log in to pfSense and go to System Cert. ManagerAdd

PfSense setup 1

3. Choose a Descriptive Name (for example, Proton AG)

4. For Method, select Import an existing Certificate Authority

5. Open the OpenVPN configuration file you downloaded earlier in a text editor and copy the certificate text. The certificate starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–.

pfSense setup 2

6. Paste this certificate into the Certificate data field

pfSense setup 3

7. Click Save

Step Two: Configure the OpenVPN Client

In this step, you will add an OpenVPN client to encrypt your data and tunnel it to the VPN server. 

1. Go to VPN OpenVPN Clients and click Add

2. Fill in the configuration fields as follows:

General Information

  • Description: Choose a display name for this configuration (for example, Proton VPN IS-03 UDP).
  • Disabled: Unchecked

Mode configuration

  • Server Mode: Peer to Peer (SSL/TLS)
  • Device mode: tun – Layer 3 Tunnel Mode

Endpoint configuration

  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice but need to match the configuration file you downloaded)
  • Interface: WAN
  • Local Port: leave empty
  • Server host or address: This is the IP address of the server you want to connect to. You can find the IP address to enter in this field in the first of the entries starting with remote in the configuration file.
    (e.g. if the first remote line of the configuration file is
    remote 5060
    You should enter in this field.
  • Server port: This is the server port to connect to that can be retrieved as the IP address above in the configuration file. Following the same example as for the IP above, you should enter 5060 in this field.
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Authentication: Leave unchanged (none)

User Authentication Settings

Note: These settings require your Proton VPN OpenVPN credentials, which are different from your regular Proton VPN login details. You can find your OpenVPN details in your Proton VPN account settings.

  • Username: Your Proton VPN OpenVPN Username
  • Password: Your Proton VPN OpenVPN Password
  • Authentication Retry: Leave unchecked

Note: to enable additional features, add the following suffixes to your OpenVPN username.

  • NetShield Ad-blocker: +f1
  • NetSheild Ad-blocker advanced (available only if you have a paid plan, also blocks malware and trackers): +f2

For example, to enable NetSheild Ad-blocker, enter username+f1.

pfSense setup 5

Cryptographic Settings

  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste the key from the OpenVPN configuration file. The key starts with —–BEGIN OpenVPN Static key V1—–and ends with —–END OpenVPN Static key V1—–
pfSense setup 6

  • TLS Key Usage Mode: TLS Encryption and Authentication
  • TLS keydir direction: Direction 1
  • Peer Certificate Authority: Proton AG (or the descriptive name you used in Step One)
  • Peer Certificate Revocation List: leave unchanged
  • Client Certificate: None (Username and/or Password required)
  • Data Encryption Negotiation: Checked
  • Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
  • Fallback Data Encryption Algorithm: AES-256-GCM
  • Auth digest algorithm: SHA1 (160-bit)
  • Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
  • Server Certificate Key Usage Validation: Checked
pfSense crypto settings

Tunnel Settings

  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
  • Allow Compression: Refuse any non-stub compression (Most secure)
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Check
  • Don’t add/remove routes: Leave unchecked
  • Pull DNS: Check
pfSense setup 8

Ping Settings

Leave everything at their default settings.

pfSense setup 9

Advanced Configuration

  • Custom Options: Add the following:

tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
reneg-sec 0;
remote-cert-tls server;

To improve the reliability of the connection, open the OpenVPN config file you downloaded with a text editor and locate the lines beginning with remote. From the second remote line down, copy each line beginning with remote to the Custom Options field in pfSense, followed by a semicolon.

  • UDP Fast I/O: Checked
  • Exit Notify: Disabled
  • Send/Receive Buffer: Default
  • Gateway creation: IPv4 only
  • Verbosity level: 3 (recommended)
pfSense setup 10

3. Click Save

4. Go to Status → OpenVPN

At this point, you should see the new VPN client with its Status showing up.

pfSense setup 11

Step Three: Configuring the OpenVPN Interface

The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you need to configure the Interfaces and Firewall rules.

1. Go to Interfaces → Assignments

2. From the Available network ports dropdown menu, select the VPN client you just added. In our example, this is ovpnc1 (Proton VPN IS-03 UDP). Click Add then Save.

pfSense setup 12

3. In the Interface column, click on OPT1 and fill out the fields as follows:

  • Enable: Check
  • Description: Name of the Interface (alphanumeric only). We will use Proton VPNIS03UDP.
  • Block bogon networks: Check

Leave the rest of the fields unchanged.

pfSense setup 13

4. Save and Apply the changes

Step Four: Setting up the firewall rules

We use firewall rules to route everything through the Proton VPN interface we set up in Step Three.

1. Go to Firewall → NAT → Outbound

2. Change Mode to Manual Outbound NAT rule generation, then Save and Apply the change

3. Go to Mappings, and you will see 6 rules listed. In the Source column, 4 of these rules show the addresses and ::1/128. Ignore these and Edit the other 2 rules by clicking on the pencil icon in the Actions column.

pfSense setup 14

4. For both rules, change Interface to the Proton VPN Interface created in Step Three. In our example, this is ProtonVPNIS03UDP. Save and Apply the changes.

pfSense setup 15

Mappings should now look like this:

pfSense setup 16

5. Go to Firewall Rules LAN. You will see 3 rules. Disable the IPv6 rule and Edit the IPv4 rule by clicking on the pencil icon in the Actions column.

pfSense setup 17

6. Scroll down and select Display Advanced

7. Change Gateway to the previously created gateway (in our example, ProtonVPNIS03UDP_VNV4). Save and Apply the changes.

pfSense setup 18

8. Go to Status → OpenVPN and Restart the client

pfSense setup 19

Step Five: Setup DNS resolver

All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.

1. Go to Services → DNS Resolver

2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (in our case, ProtonVPNIS03UDP). Please note that this setting is very important as it prevents DNS leaks).

3. If you have enabed our NetShield Adblocker feature by adding the +f1 or +f2 suffixes to your OpenVPN username (see Step 2), you must disable DNSSEC support.

pfSense setup

4. Save and Apply the changes

Setup is complete

All traffic from your network is now securely routed through the Proton VPN server you chose. You can test this by visiting an IP leak test website from any device on your network.

pfSense setup 21

You should see the IP address and location of the Proton VPN server you specified in the setup process above. The DNS address should match this location. 

Optional tweaks

You can exclude some computers on your network from using the VPN interface. (For example, a PlayStation used for gaming). To do this:

1. Go to Firewall → Rules → LAN → Add

pfSense setup 22

2. Fill in the fields as follows:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description
pfSense setup 22

3. Click on Display Advanced and change Gateway to WAN

pfSense setup 23

4. Save and Apply changes

pfSense setup 23

5. Go to Firewall → NAT → Outbound

6. Switch Mode to Automatic, then Save and Apply the change

7. Switch back to Manual, then Save and Apply the change again

This creates 2 additional rules that allow the selected device to access the local WAN network.

pfSense setup 24

The device is now excluded from the VPN interface and will access the internet using the IP address assigned to your network by your ISP. However, it will use Proton VPN’s DNS server.

your internet

Get Proton VPN
Get Proton VPN