How to configure Proton VPN on pfSense using OpenVPN

Reading
8 mins
Category
Routers

In this guide, we show you how to set up Proton VPN on pfSense 23.09 and pfSense 2.7.x using the OpenVPN VPN protocol. This allows your router to protect any device connected to it with a Proton VPN connection.

Learn more about OpenVPN

If you’re using pfSense 2.7.x, we recommend using the WireGuard protocol instead

Before starting, you’ll need:

  • A fresh pfSense 23.09 or pfSense 2.7.x installation
  • A computer connected to your LAN network so that you can access the pfSense frontend
  • Your OpenVPN username and password. These are different from your regular Proton VPN username and password. To find them, sign in to account.protonvpn.com and go to AccountOpenVPN / IKEv2 username.
Your OpenVPN login details

1. Create an OpenVPN configuration file

Sign in to Proton VPN using your Proton Account username and password at account.protonvpn.com, go to DownloadsOpenVPN configuration files, and download an OpenVPN configuration file. Be sure to Select Platform: Router

Learn how to download an OpenVPN configuration file from Proton VPN 

To configure pfSense, you’ll need the TLS certificate(new window) from this config file. To find it, open the downloaded OpenVPN config file in a text editor and look for the text that starts with —–BEGIN CERTIFICATE—- and ends with –—-END CERTIFICATE—–.

The OpenVPN TLS certificate

You’ll also need the IP address and port number of the VPN server. These can be found on the first remote line listed in the certificate. The first number is the IP address, and the second number is the port number. In the example below, the IP address is 185.159.157.6, and the port number is 51820

The first number is the IP address, and the second number is the port number.

And finally, you’ll need the OpenVPN Static key. This starts with —–BEGIN OpenVPN Static key V1—- and ends with —–END OpenVPN Static key V1—–.

The OpenVPN Static key

2. Add the TLS certificate to pfSense

Enter 192.168.1.1 into your browser’s URL bar to open the pfSense web interface. Sign in and go to SystemCert. ManagerAdd → Import certificate

Add the OpenVPN certificate

Configure the following settings:

Create / Edit CA

  • Descriptive name: This can be any name that you find useful to describe Proton’s TLS certificate
  • Method: Import an existing Certificate Authority

Existing Certificate Authority 

Configure the certificate

Click Save when you’re done. 

3: Configure the OpenVPN Client

You’ll now add an OpenVPN client to encrypt your data and tunnel it to the VPN server. 

Go to VPNOpenVPNClients, click Add, and configure the following settings:

General Information:

  • Description: Choose a display name for this configuration
  • Disabled: Unchecked

Mode Configuration

  • Server Mode: Peer to Peer (SSL/TLS)
  • Device mode: tun – Layer 3 Tunnel Mode

Endpoint Configuration

  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only (your choice, but it needs to match the configuration file you downloaded). Learn more about UDP vs TCP
  • Interface: WAN
  • Local Port: –
  • Server host or address: Please refer to Step 1 to find this. 
  • Server port: Please also refer to Step 1 to find this. 
  • Proxy host or address: –
  • Proxy port: –
  • Proxy Authentication: none
Configure the OpenVPN Client 1

User Authentication Settings

  • Username: Your Proton VPN OpenVPN username
  • Password: Your Proton VPN OpenVPN password
  • Authentication Retry: Leave unchecked

Remember: These are different from your regular Proton VPN username and password. To enable additional features, add the following suffixes to your OpenVPN username.

  • NetShield Ad-blocker: +f1
  • NetShield Ad-blocker advanced (available only if you have a paid plan, also blocks malware and trackers): +f2

For example, to enable NetShield Ad-blocker, enter username+f1.

Configure the OpenVPN Client 2

Cryptographic Settings

  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste in the OpenVPN Static key from the OpenVPN configuration file (see Step 1)
  • TLS Key Usage Mode: TLS Encryption and Authentication
  • TLS keydir direction: Use default direction
  • Peer Certificate Authority: Proton AG (or the descriptive name you used in Step 2)
  • Peer Certificate Revocation List: Leave unchanged
  • Client Certificate: None (Username and/or Password required)
  • Data Encryption Negotiation: Checked
  • Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
  • Fallback Data Encryption Algorithm: AES-256-GCM
  • Auth digest algorithm: SHA256 (256-bit)
  • Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to SystemAdvancedMiscellaneous. If in doubt, select No hardware crypto acceleration.
  • Server Certificate Key Usage Validation: Checked
Configure the OpenVPN Client 3

Tunnel Settings

  • IPv4 Tunnel Network: –
  • IPv6 Tunnel Network:-
  • IPv4 Remote network(s): –
  • IPv6 Remote network(s): –
  • Limit outgoing bandwidth: – (unless you prefer otherwise)
  • Allow Compression: Refuse any non-stub compression (Most secure)
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Check
  • Don’t add/remove routes: Leave unchecked
  • Pull DNS: Check
Configure the OpenVPN Client 4

Ping Settings

  • Leave everything at their default values.
Configure the OpenVPN Client 5

Advanced Configuration

  • Custom Options: Add the following:

tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
reneg-sec 0;
remote-cert-tls server;

To improve the reliability of the connection, open the OpenVPN config file you downloaded with a text editor and locate the lines beginning with remote. From the second remote line down, copy each line beginning with remote to the Custom Options field in pfSense, followed by a semicolon.

From the second remote line down, copy each line beginning with remote

  • UDP Fast I/O: Checked
  • Exit Notify: Disabled
  • Send/Receive Buffer: Default
  • Gateway creation: IPv4 only
  • Verbosity level: 3 (recommended)
Configure the OpenVPN Client 6

Click Save and go to StatusOpenVPN. You should see the new VPN client with its Status showing up.

The OpenVPN client should now be running

4. Configure the OpenVPN Interface

The VPN client is now running, but no traffic is being routed through it. To route all your network traffic through the secure Proton VPN tunnel, you’ll need to configure the interfaces and firewall rules.

Go to InterfacesInterface Assignments → Available network ports and select the VPN client you just added from the dropdown menu → Add.

This will create an interface named OPTx (where x depends on how many physical interfaces your router has). Click on the newly created one to configure it.

Configure the OpenVPN Interface 1

Go to Interfaces column, click on OPTx and enter the following configuration settings·

General Configuration:

  • Enable: checked
  • Description: Choose a descriptive name for the interface

Reserved networks:

  • Block bogon networks: Check

Leave the rest of the fields unchanged.

Click Save and Apply Changes.

Configure the OpenVPN Interface 2

5. Configure firewall rules

We use firewall rules to route all traffic through the Proton VPN interface we just set up. Go to FirewallNATOutbound and select Manual Outbound NAT rule generation. Then click Save and Apply Changes.

Configure firewall rules 1

Under Mappings, you’ll see six rules listed. In the Source column, 4 of these rules show the addresses 127.0.0.0/8 and ::1/128. Ignore these and Edit (click the pencil icon in the Actions column) the other two rules.

Configure firewall rules 2

For both rules, change Interface to the Proton VPN Interface you created in Step 4. Click Save and Apply Changes.

Configure firewall rules 3

Note: this automatically also creates a gateway with the same name as the interface. 

Configure firewall rules 4

Mappings settings should now look like this:

Configure firewall rules 5

Go to FirewallRulesLAN. Click the icon next to Default allow LAN IPv6 to any rule to disable it. 

Configure firewall rules 6

Go to Default allow LAN to any rule Edit (pencil icon).

Configure firewall rules 7

Click Display advancedGateway and select the gateway we created in Step 5. Click Save and Apply Changes.

Configure firewall rules 8

Now go to StatusOpenVPN and click the ServiceRestart icon to restart the OpenVPN client with the new settings. 

Configure firewall rules 9

Configure DNS settings

All internet traffic passing through the pfSense firewall will now be routed through a Proton VPN server. However, DNS requests are not. To fix this, we need to change the DNS settings in pfSense.

In pfSense, go to ServicesDNS Resolver → Outgoing Network Interfaces and select the VPN Interface you created in Step 4. Please note: this setting is very important, as it prevents DNS leaks.

If you’ve enabled our NetShield Ad-Blocker feature by adding the +f1 or +f2 suffixes to your OpenVPN username (see Step 3), you must disable DNSSEC support.

Click Save and Apply changes.

DNS settings

Your setup is now complete. All traffic from your network is now securely routed through the Proton VPN server you chose. You can test this by visiting ip.me(new window) from any device on your network.

Optional tweaks

You can exclude some computers on your network from using the VPN interface. For example, you may prefer your gaming console to access the internet without being connected to a VPN. To do this:

1. Go to FirewallRulesLANAdd.

Exclude a device from the VPN 1

2. Configure the settings as follows:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device you wish to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description
Exclude a device from the VPN 2

3. Click on Display Advanced and change Gateway to WAN.

Exclude a device from the VPN 3

4. Click Save and Apply Changes.

Exclude a device from the VPN 4

5. Go to FirewallNATOutbound and switch Mode to Automatic, then click Save and Apply Change. Then switch Mode back to Manual, then click Save and Apply Change.

Exclude a device from the VPN 5

This creates two new rules that allow the selected device to access the local WAN network.

Exclude a device from the VPN 6

The device is now excluded from the VPN interface and will access the internet using the IP address assigned by your ISP. However, it will use Proton VPN’s DNS server.