Prerequisites for the pfSense VPN setup:

  • Preconfigured and working pfSense 2.4.5-*
  • A computer in the LAN network to access the pfSense frontend.
  • Any OpenVPN configuration file. The configuration files can be downloaded in the Downloads category on your account.

Step One: Adding the Certificate

To be able to use the pfSense OpenVPN Client, we need to add the Proton VPN Certificate to the system.

  1. When logged in to the pfSense frontend, go to System –> Cert. Manager and press Add.


  1. Choose a Descriptive Name such as Proton VPN AG.
  2. Select Import an existing Certificate Authority as Method.
  3. Open the previously downloaded OpenVPN configuration file and copy the certificate. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.


  1. Paste this certificate in the field Certificate data.

It should now look like this:


  1. Click Save.

Step Two: Configuring the OpenVPN Client

In this step, we create the client that handles the encryption and the tunneling of the data itself.

  1. Go to VPN –> OpenVPN –> Clients and press Add
  2. Fill in the fields as follows:
General Information
  • Disabled: Unchecked
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: Either UDP on IPv4 only or TCP on IPv4 only depending on your choice
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local Port: leave empty
  • Server host or address: The IP Address of the server you want to connect to. The server consists of the country code and the server number. For example is the Swiss Server 03. To get the IP Address, use a DNS lookup tool like In this example, we will use which is the Server IS-03
  • Server port: If Protocol is TCP use 443 if Protocol is UDP use 1194
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Authentication: Leave empty
  • Description: Choose a Display Name for this Configuration. Like Proton VPN IS-03 UDP


User Authentication Settings
  • Username: Your Proton VPN OpenVPN Username
  • Password: Your Proton VPN OpenVPN Password (enter twice)
  • Authentication Retry: Leave unchecked

Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your Username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).

Cryptographic Settings
  • Use a TLS Key: Checked
  • Automatically generate a TLS Key: Unchecked
  • TLS Key: Paste the Key from the OpenVPN configuration file. The Key starts with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----


  • TLS Key Usage Mode: TLS Authentication
  • Peer Certificate Authority: Proton VPN AG (or the descriptive name you used in Step One)
  • Client Certificate: None (Username and/or Password required)
  • Encryption Algorithm: For reliability, use AES-256-CBC (256 bit key, 128 bit block). For security, use AES-256-GCM
  • Enable NCP: Checked
  • NCP Algorithms: Unchanged (Checked)
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: Depending on your device. If it’s supported it has to be turned on under System –> Advanced –> Miscellaneous as well. If you want to be safe, choose No hardware crypto acceleration.




Tunnel Settings
  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
  • Compression: No compression
  • Topology: Subnet — One IP address per client in a common subnet
  • Type of service: Leave unchecked
  • Don’t pull routes: Leave unchecked
  • Don’t add/remove routes: Leave unchecked

Advanced Configuration
  • Custom Options: Add the following:
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
reneg-sec 0;
remote-cert-tls server;
  • UDP Fast I/O: Leave unchecked
  • Exit Notify: Disabled
  • Send/Receive Buffer: Default
  • Gateway creation: IPv4 only
  • Verbosity level: 3 (recommended)


  1. Save it.
  2. Go to Status –> OpenVPN

If everything was done correctly for the pfSense VPN setup, you should see the Client there now and the status is up.
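
Step One and the TLS Key field in Step Two both rely on copying a block out of the downloaded configuration file by hand. The Python sketch below is an added example, not part of the original guide: it extracts both blocks by the markers described above and rejects a truncated or malformed copy before it is pasted into pfSense. The function names are hypothetical and the sample file contents are constructed placeholders, not a real certificate or key.

```python
import base64
import binascii
import re

# Markers as the guide describes them; {0} is the block label.
BLOCK = r"-----BEGIN {0}-----\r?\n(.*?)\r?\n-----END {0}-----"


def extract_block(ovpn_text, label):
    """Return (block including markers, body with line breaks removed)."""
    found = list(re.finditer(BLOCK.format(re.escape(label)), ovpn_text, re.S))
    if len(found) != 1:
        raise ValueError(f"expected exactly one {label!r} block, found {len(found)}")
    body = "".join(ln.strip() for ln in found[0].group(1).splitlines())
    return found[0].group(0), body


def ca_certificate(ovpn_text):
    """Text for the 'Certificate data' field (Step One)."""
    pem, body = extract_block(ovpn_text, "CERTIFICATE")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data does not look like a certificate")
    return pem


def static_key(ovpn_text):
    """Text for the 'TLS Key' field (Step Two)."""
    pem, body = extract_block(ovpn_text, "OpenVPN Static key V1")
    if not re.fullmatch(r"[0-9a-fA-F]{512}", body):  # 2048-bit key as hex
        raise ValueError("static key must be 256 bytes of hex")
    return pem


# Constructed sample input: placeholder bytes, not a real certificate or key.
_FAKE_CERT = base64.encodebytes(b"\x30" + b"constructed-sample " * 10).decode()
_FAKE_KEY = "\n".join(f"{i:02x}" * 16 for i in range(16))
SAMPLE_OVPN = (
    "client\ndev tun\nproto udp\n"
    f"<ca>\n-----BEGIN CERTIFICATE-----\n{_FAKE_CERT}-----END CERTIFICATE-----\n</ca>\n"
    f"<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n{_FAKE_KEY}\n"
    "-----END OpenVPN Static key V1-----\n</tls-auth>\n"
)

if __name__ == "__main__":
    print(ca_certificate(SAMPLE_OVPN))
    print(static_key(SAMPLE_OVPN))
```

To use it on a real file, read the downloaded configuration with `open(path).read()` and pass the text to the two functions.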

Step Three: Configuring the OpenVPN Interface

The pfSense VPN setup was done successfully and is already up and running at this point, but it won’t route any traffic through it, yet. To route the whole network through the secure Proton VPN tunnel, we need to set up Interfaces and Firewall rules first.

  1. Navigate to Interfaces –> Assignments
  2. Add the OpenVPN Client as Interface. In our case, this is Proton VPN IS-03 UDP as ovpnc1.
  3. Press on OPT1 on the left of the interface


  1. Fill out the fields as follows:
  • Enable: Check
  • Description: Name of the Interface (alphanumeric only). We will use ProtonVPNIS03UDP.
  • IPv4 Configuration Type: DHCP
  • Block bogon networks : Check
  • Leave the rest unchanged


  1. Save it and Apply the changes.

Step Four: Setting up the Firewall Rules

With Firewall Rules we tell pfSense to route everything through the Proton VPN interface (and with that, through the secure connection) we set up in Step Three.

  1. Go to Firewall –> NAT –> Outbound
  2. Change the Mode to Manual Outbound NAT rule generation, then save and apply changes.
  3. Now you should see 6 rules under Mappings.
  4. Leave all existing rules, and create a new rule by clicking on Add (with the arrow pointing down) button at the bottom.

  1.  Fill out the fields as follows:
  •     Disabled: Leave unchecked
  •     Do not NAT: Leave unchecked
  •     Interface: change to PROTONVPNIS03UDP
  •     Address family: change to IPv4
  •     Protocol: any
  •     Source: Network – /24 (or subnet that was configured on the LAN interface)
  •     Destination: Any
  •     Translation section, Address: Interface address
  •     Leave other options unchanged

  1. Save and Apply the changes. It should now look like this:

  1. Go to Status –> OpenVPN and restart the Client


Step Five: Insert the correct DNS Servers for the pfSense VPN setup

Now the traffic of the whole network behind the pfSense firewall will already be routed through Proton VPN. But the DNS requests aren’t. To correct this, we will change the DNS settings.

  1. Go to System -> General Setup
  2. Scroll down to DNS Server Settings
  3. Fill in the DNS Servers: Note: We recommend using this static IP address for our DNS servers in order to prevent the possibility of DNS leaks.
  4. Leave the Gateway on none
  5. Check Disable DNS Forwarder

  1. Scroll down and save.
  2. Go to Services –> DNS Resolver
  3. DNSSEC: disable this option if you activated NetShield using the “+f1” or “+f2” suffix in Step Two.
  4. Check DNS Query Forwarding
  5. In the Outgoing Network field, select the VPN Interface (in our case, ProtonVPNIS03UDP). This step is critical, as it is the one that prevents DNS leaks.
  6. Save and apply changes.


If the VPN setup for pfSense was done properly, your whole network should now be secured by the Proton VPN servers. Any device on the network now should show similar results as the following while doing an Ipleak test, according to the server you’ve connected to:


Neither your IP nor your DNS should leak for your whole network.

Optional Enhancements

If you’d like to finish the pfSense VPN setup and exclude certain computers from the VPN (for example a Playstation for gaming), you can do that as well:

  1. Go to Firewall –> Rules –> LAN
  2. Add a new rule on top of the list


  1. Fill the fields as follows:
  • Action: Pass
  • Disabled: Unchecked
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: Single Host or Alias and add the IP of the device to exclude
  • Destination: Any
  • Log: Unchanged
  • Description: Add a description
  • Click on Display Advanced
  • Change Gateway to WAN
  1. Save and apply changes.


  1. Go to Firewall –> NAT –> Outbound
  2. Switch Mode to Automatic, save and apply changes, then switch back to Manual, save and apply changes again.
  3. This should have created two more rules that now allow the excluded device to access the WAN network.