This guide shows you how to set up Proton VPN on pfSense 2.6.x, allowing any device connected to your router to be protected with a Proton VPN connection. As usual, a Plus or Visionary plan is required for devices on your network to access streaming services.
Note that we have separate guides on:
Prerequisites for the pfSense VPN setup:
- Fresh pfSense 2.6.x-RELEASE installation
- A computer in the LAN network to access the pfSense frontend
- An OpenVPN configuration file. The configuration files can be downloaded in the Downloads section of your account
Step One: Add the Certificate
To use the pfSense OpenVPN client, you first need to add the Proton VPN certificate.
1. Open your browser and type in https://192.168.1.1 to open the pfSense frontend
2. Log in to pfSense and go to System → Cert. Manager → Add
3. Choose a Descriptive Name (for example, Proton AG)
4. For Method, select Import an existing Certificate Authority
5. Open the OpenVPN configuration file you downloaded earlier in a text editor and copy the certificate text. The certificate starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–.
6. Paste this certificate into the Certificate data field
7. Click Save
Step Two: Configure the OpenVPN Client
In this step, you will add an OpenVPN client to encrypt your data and tunnel it to the VPN server.
1. Go to VPN → OpenVPN → Clients and click Add
2. Fill in the configuration fields as follows:
- Description: Choose a display name for this configuration (for example, Proton VPN IS-03 UDP).
- Disabled: Unchecked
- Server Mode: Peer to Peer (SSL/TLS)
- Device mode: tun – Layer 3 Tunnel Mode
- Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice but need to match the configuration file you downloaded)
- Interface: WAN
- Local Port: leave empty
- Server host or address: This is the IP address of the server you want to connect to. You can find the IP address to enter in this field in the first of the entries starting with remote in the configuration file.
(e.g. if the first remote line of the configuration file is
remote 126.96.36.199 5060
You should enter 188.8.131.52 in this field.
- Server port: This is the server port to connect to that can be retrieved as the IP address above in the configuration file. Following the same example as for the IP above, you should enter 5060 in this field.
- Proxy host or address: Leave empty
- Proxy port: Leave empty
- Proxy Authentication: Leave unchanged (none)
User Authentication Settings
Note: These settings require your Proton VPN OpenVPN credentials, which are different from your regular Proton VPN login details. You can find your OpenVPN details in your Proton VPN account settings.
- Username: Your Proton VPN OpenVPN Username
- Password: Your Proton VPN OpenVPN Password
- Authentication Retry: Leave unchecked
Note: to enable additional features, add the following suffixes to your OpenVPN username.
- NetShield Ad-blocker: +f1
- NetSheild Ad-blocker advanced (available only if you have a paid plan, also blocks malware and trackers): +f2
For example, to enable NetSheild Ad-blocker, enter username+f1.
- Use a TLS Key: Checked
- Automatically generate a TLS Key: Unchecked
- TLS Key: Paste the key from the OpenVPN configuration file. The key starts with —–BEGIN OpenVPN Static key V1—–and ends with —–END OpenVPN Static key V1—–
- TLS Key Usage Mode: TLS Encryption and Authentication
- TLS keydir direction: Direction 1
- Peer Certificate Authority: Proton AG (or the descriptive name you used in Step One)
- Peer Certificate Revocation List: leave unchanged
- Client Certificate: None (Username and/or Password required)
- Data Encryption Negotiation: Checked
- Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
- Fallback Data Encryption Algorithm: AES-256-GCM
- Auth digest algorithm: SHA1 (160-bit)
- Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
- Server Certificate Key Usage Validation: Checked
- IPv4 Tunnel Network: Leave blank
- IPv6 Tunnel Network: Leave blank
- IPv4 Remote network(s): Leave blank
- IPv6 Remote network(s): Leave blank
- Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
- Allow Compression: Refuse any non-stub compression (Most secure)
- Topology: Subnet — One IP address per client in a common subnet
- Type of service: Leave unchecked
- Don’t pull routes: Check
- Don’t add/remove routes: Leave unchecked
- Pull DNS: Check
Leave everything at their default settings.
- Custom Options: Add the following:
To improve the reliability of the connection, open the OpenVPN config file you downloaded with a text editor and locate the lines beginning with remote. From the second remote line down, copy each line beginning with remote to the Custom Options field in pfSense, followed by a semicolon.
- UDP Fast I/O: Checked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity level: 3 (recommended)
3. Click Save
4. Go to Status → OpenVPN
At this point, you should see the new VPN client with its Status showing up.
Step Three: Configuring the OpenVPN Interface
The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you need to configure the Interfaces and Firewall rules.
1. Go to Interfaces → Assignments
2. From the Available network ports dropdown menu, select the VPN client you just added. In our example, this is ovpnc1 (Proton VPN IS-03 UDP). Click Add then Save.
3. In the Interface column, click on OPT1 and fill out the fields as follows:
- Enable: Check
- Description: Name of the Interface (alphanumeric only). We will use Proton VPNIS03UDP.
- Block bogon networks: Check
Leave the rest of the fields unchanged.
4. Save and Apply the changes
Step Four: Setting up the firewall rules
We use firewall rules to route everything through the Proton VPN interface we set up in Step Three.
1. Go to Firewall → NAT → Outbound
2. Change Mode to Manual Outbound NAT rule generation, then Save and Apply the change
3. Go to Mappings, and you will see 6 rules listed. In the Source column, 4 of these rules show the addresses 127.0.0.0/8 and ::1/128. Ignore these and Edit the other 2 rules by clicking on the pencil icon in the Actions column.
4. For both rules, change Interface to the Proton VPN Interface created in Step Three. In our example, this is ProtonVPNIS03UDP. Save and Apply the changes.
Mappings should now look like this:
5. Go to Firewall → Rules → LAN. You will see 3 rules. Disable the IPv6 rule and Edit the IPv4 rule by clicking on the pencil icon in the Actions column.
6. Scroll down and select Display Advanced
7. Change Gateway to the previously created gateway (in our example, ProtonVPNIS03UDP_VNV4). Save and Apply the changes.
8. Go to Status → OpenVPN and Restart the client
Step Five: Setup DNS resolver
All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.
1. Go to Services → DNS Resolver
2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (in our case, ProtonVPNIS03UDP). Please note that this setting is very important as it prevents DNS leaks).
3. If you have enabed our NetShield Adblocker feature by adding the +f1 or +f2 suffixes to your OpenVPN username (see Step 2), you must disable DNSSEC support.
4. Save and Apply the changes
Setup is complete
You should see the IP address and location of the Proton VPN server you specified in the setup process above. The DNS address should match this location.
You can exclude some computers on your network from using the VPN interface. (For example, a PlayStation used for gaming). To do this:
1. Go to Firewall → Rules → LAN → Add
2. Fill in the fields as follows:
- Action: Pass
- Disabled: Unchecked
- Interface: LAN
- Address Family: IPv4
- Protocol: Any
- Source: Single Host or Alias and add the IP of the device to exclude
- Destination: Any
- Log: Unchanged
- Description: Add a description
3. Click on Display Advanced and change Gateway to WAN
4. Save and Apply changes
5. Go to Firewall → NAT → Outbound
6. Switch Mode to Automatic, then Save and Apply the change
7. Switch back to Manual, then Save and Apply the change again
This creates 2 additional rules that allow the selected device to access the local WAN network.
The device is now excluded from the VPN interface and will access the internet using the IP address assigned to your network by your ISP. However, it will use Proton VPN’s DNS server.