Prerequisites for the pfSense VPN setup:

  • Preconfigured and working pfSense 2.4.x
  • A computer in the LAN network to access the pfSense frontend.
  • Any OpenVPN configuration file. The configuration files can be downloaded in the Downloads category on your account.

Step One: Adding the Certificate

To be able to use the pfSense OpenVPN Client, we need to add the ProtonVPN Certificate to the system.

  1. When logged in to the pfSense frontend, go to System –> Cert. Manager and press Add

1

  1. Choose a Descriptive Name such as ProtonVPN AG
  2. Select Import an existing Certificate Authority as Method
  3. Open the previously downloaded OpenVPN configuration file and copy the certificate. The certificate starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–.

2

  1. Paste this certificate in the field Certificate data

It should now look like this:

3

  1. Save it.

Step Two: Configuring the OpenVPN Client

In this step, we create the client that handles the encryption and the tunneling of the data itself.

  1. Go to VPN –> OpenVPN –> Clients and press Add
  2. Fill in the fields as follows:
General Information
  • Disabled: Unchecked
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only depending on your choice
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local Port: leave empty
  • Server host or address: The IP Address of the server you want to connect to. The server consists of the country code and the server number. For example ch-03.protonvpn.com is the Swiss Server 03. To get the IP Address, use a DNS lookup tool like https://mxtoolbox.com/DNSLookup.aspx. In this example, we will use 185.159.158.50 which is the Server IS-03
  • Server port: If Protocol is TCP use 443 if Protocol is UDP use 1194
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Authentication: Leave empty
  • Description: Choose a Display Name for this Configuration. Like ProtonVPN IS-03 UDP

x

User Authentication Settings
  • Username: Your ProtonVPN OpenVPN Username
  • Password: Your ProtonVPN OpenVPN Password (enter twice)
  • Authentication Retry: Leave unchecked

x

Cryptographic Settings
  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste the Key from the OpenVPN configuration file. The Key starts with —–BEGIN OpenVPN Static key V1—–and ends with —–END OpenVPN Static key V1—–

1

  • TLS Key Usage Mode: TLS Authentication
  • Peer Certificate Authority: ProtonVPN AG (or the descriptive name you used in Step One)
  • Client Certificate: None (Username and/or Password required)
  • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
  • Enable NCP: Checked
  • NCP Algorithms: Unchanged (Checked)
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: Depending on your device. If it’s supported it has to be turned on under System –> Advanced –> Miscellaneous as well. If you want to be safe, choose No hardware crypto acceleration.

x

Tunnel Settings
  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: Leave blank, except you prefer otherwise
  • Compression: LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility]
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Check
  • Don’t add/remove routes: Leave unchecked

x

Advanced Configuration
  • Custom Options: Add the following:
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
pull;
  • UDP Fast I/O: Check
  • Send/Receive Buffer: Default
  • Verbosity level: 3 (recommended)

x

  1. Save it.
  2. Go to Status –> OpenVPN

If everything was done correctly for the pfSense VPN setup, you should see the Client there now and the status is up.x

Step Three: Configuring the OpenVPN Interface

The pfSense VPN setup was done successfully and is already up and running at this point, but it won’t route any traffic through it, yet. To route the whole network through the secure ProtonVPN tunnel, we need to set up Interfaces and Firewall rules first.

  1. Navigate to Interfaces –> Assignments
  2. Add the OpenVPN Client as Interface. In our case, this is ProtonVPN IS-03 UDP as ovpnc1.
  3. Press on OPT1 on the left of the interface

x

  1. Fill out the fields as follows:
  • Enable: Check
  • Description: Name of the Interface (alphanumeric only). We will use ProtonVPNIS03UDP.
  • IPv4 Configuration Type: DHCP
  • Block bogon networks : Check
  • Leave the rest unchanged

  1. Save it and Apply the changes.

Step Four: Setting up the Firewall Rules

With Firewall Rules we tell pfSense to route everything through the ProtonVPN interface (and with that, through the secure connection) we set up in Step Three.

  1. Go to Firewall –> NAT –> Outbound
  2. Change the Mode to Manual Outbound NAT rule generation, then save and apply changes.
  3. Now you should see 4 rules under Mappings.
  4. Leave the rules with 127.0.0.0/8 as source unchanged and edit the other two by clicking on the pencil.

x

  1. Change Interface to the ProtonVPN Interface created in Step Three on both rules. In our case ProtonVPNIS03UDP. Then Save and apply changes.

x

  1. It should now look like this:

x

  1. Go to Firewall –> Rules –> LAN
  2. You should see 3 rules. Disable the IPv6 rule by clicking on the Check-mark. Edit the IPv4 Rule by clicking on the pencil.

x

  1. Scroll down and press Display Advanced
  2. Change the Gateway to the previously created one. In our case it’s called ProtonVPNIS03UDP_DHCP

x

  1. Save and apply changes.
  2. Go to Status –> OpenVPN and restart the Client.

x

Step Five: Insert the correct DNS Servers for the pfSense VPN setup

Now the traffic of the whole network behind the pfSense firewall will already be routed through ProtonVPN. But the DNS requests aren’t. To correct this we will change the DNS settings.

  1. Go to System -> General Setup
  2. Scroll down to DNS Server Settings
  3. Fill in the DNS Server. If you chose TCP in Step Two, use 10.7.7.1. If you chose UDP, use 10.8.8.1. If you use a free server or server with a number higher than 100, the DNS server must be 10.8.1.0.
  4. Leave the Gateway on none
  5. Check Disable DNS Forwarder

x

  1. Scroll down and save.
  2. Go to Services –> DNS Resolver
  3. Check DNS Query Forwarding
  4. Save and apply changes

Finished!

If the VPN setup for pfSense was done properly, your whole network should now be secured by the ProtonVPN servers. Any device on the network now should show similar results as the following while doing an Ipleak test, according to the server you’ve connected to:

x

Neither your IP nor your DNS should leak for your whole network.

Optional Enhancements

If you’d like to finish the pfSense VPN setup and exclude certain computers from the VPN (for example a Playstation for gaming), you can do that as well:

  1. Go to Firewall –> Rules –> LAN
  2. Add a new rule on top of the list

x

  1. Fill the fields as follows:
  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description
  • Click on Display Advanced
  • Change Gateway to WAN xx
  1. Save and apply changes.

x

  1. Go to Firewall –> NAT –> Outbound
  2. Switch Mode to Automatic, save and apply changes, then switch back to Manual, save and apply changes again.
  3. This should have created two more rules that now allow the excluded device to access the WAN network.