Prerequisites for the pfSense VPN setup:
- Preconfigured and working pfSense 2.4.5-*
- A computer in the LAN network to access the pfSense frontend.
- Any OpenVPN configuration file. The configuration files can be downloaded in the Downloads category on your account.
Step One: Adding the Certificate
To be able to use the pfSense OpenVPN Client, we need to add the ProtonVPN Certificate to the system.
- When logged in to the pfSense frontend, go to System –> Cert. Manager and press Add.
- Choose a Descriptive Name such as ProtonVPN AG.
- Select Import an existing Certificate Authority as Method.
- Open the previously downloaded OpenVPN configuration file and copy the certificate. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
- Paste this certificate in the field Certificate data.
It should now look like this:
- Click Save.
Step Two: Configuring the OpenVPN Client
In this step, we create the client that handles the encryption and the tunneling of the data itself.
- Go to VPN –> OpenVPN –> Clients and press Add
- Fill in the fields as follows:
General Information
- Disabled: Unchecked
- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: Either UDP on IPv4 only or TCP on IPv4 only depending on your choice
- Device mode: tun – Layer 3 Tunnel Mode
- Interface: WAN
- Local Port: leave empty
- Server host or address: The IP address of the server you want to connect to. The server name consists of the country code and the server number; for example, ch-03.protonvpn.com is the Swiss server 03. To get the IP address, use a DNS lookup tool like https://mxtoolbox.com/DNSLookup.aspx. In this example, we will use 185.159.158.50, which is the server IS-03.
- Server port: If Protocol is TCP use 443; if Protocol is UDP use 1194
- Proxy host or address: Leave empty
- Proxy port: Leave empty
- Proxy Authentication: Leave empty
- Description: Choose a display name for this configuration, like ProtonVPN IS-03 UDP
User Authentication Settings
- Username: Your ProtonVPN OpenVPN Username
- Password: Your ProtonVPN OpenVPN Password (enter twice)
- Authentication Retry: Leave unchecked
Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your Username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).
Cryptographic Settings
- Use a TLS Key: Checked
- Automatically generate a TLS Key: Unchecked
- TLS Key: Paste the Key from the OpenVPN configuration file. The Key starts with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----
- TLS Key Usage Mode: TLS Authentication
- Peer Certificate Authority: ProtonVPN AG (or the descriptive name you used in Step One)
- Client Certificate: None (Username and/or Password required)
- Encryption Algorithm: For reliability, use AES-256-CBC (256 bit key, 128 bit block). For security, use AES-256-GCM
- Enable NCP: Checked
- NCP Algorithms: Unchanged (Checked)
- Auth digest algorithm: SHA512 (512-bit)
- Hardware Crypto: Depending on your device. If it’s supported it has to be turned on under System –> Advanced –> Miscellaneous as well. If you want to be safe, choose No hardware crypto acceleration.
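The two copy-and-paste steps (the CA certificate in Step One and the TLS Key here) are where a stray character or a truncated line silently breaks the tunnel. The following Python script is an added example, not part of the ProtonVPN guide or of pfSense: it pulls both blocks out of an .ovpn profile and sanity-checks their shape before you paste them, and it lists the plain options the pfSense form mirrors (protocol, remote, cipher, auth, and whether remote-cert-tls server is present). The embedded profile is a constructed sample in standard OpenVPN inline format (<ca> and <tls-auth> tags); its certificate body and static key are placeholders with the right shape, not real ProtonVPN material.

```python
"""Extract and sanity-check the CA certificate and tls-auth key of an .ovpn file.

Added example for the pfSense guide; not code from ProtonVPN or pfSense.
The profile below is constructed: filler bytes for the certificate and a
deterministic hex pattern for the static key.
"""
import base64
import re
import textwrap

# --- Constructed sample profile (NOT a real ProtonVPN .ovpn) ----------------
_FAKE_CERT_B64 = base64.b64encode(b"placeholder-" * 10).decode()  # 120 filler bytes
_FAKE_CERT_PEM = "\n".join(textwrap.wrap(_FAKE_CERT_B64, 64))        # PEM wraps at 64
_FAKE_KEY_HEX = "\n".join(f"{i:02x}" * 16 for i in range(16))        # 16 x 32 hex digits

SAMPLE_OVPN = f"""client
dev tun
proto udp
remote 185.159.158.50 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
{_FAKE_CERT_PEM}
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
{_FAKE_KEY_HEX}
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def extract_pem_block(text: str, label: str) -> str:
    """Return the block for `label`, BEGIN and END marker lines included.

    This is exactly the text pfSense expects pasted: the CA into
    Cert. Manager -> Certificate data, the static key into the TLS Key field.
    """
    begin = f"-----BEGIN {label}-----"
    end = f"-----END {label}-----"
    start = text.find(begin)
    if start == -1:
        raise ValueError(f"no '{begin}' marker in profile")
    stop = text.find(end, start)
    if stop == -1:
        raise ValueError(f"'{begin}' has no matching END marker")
    return text[start:stop + len(end)]


def _body_lines(block: str) -> list:
    """Non-empty lines strictly between the BEGIN and END markers."""
    return [ln.strip() for ln in block.splitlines()[1:-1] if ln.strip()]


def validate_certificate_block(block: str) -> int:
    """Check the certificate body is well-formed base64; return its DER length in bytes."""
    der = base64.b64decode("".join(_body_lines(block)), validate=True)
    return len(der)


def validate_static_key_block(block: str) -> int:
    """Check the key has OpenVPN's 16-lines-of-32-hex-digits layout; return its size in bits."""
    lines = _body_lines(block)
    if len(lines) != 16 or any(not re.fullmatch(r"[0-9a-fA-F]{32}", ln) for ln in lines):
        raise ValueError("static key is not 16 lines of 32 hex digits")
    return len("".join(lines)) * 4  # 512 hex digits -> 2048 bits


def check_profile_options(text: str) -> dict:
    """Collect the plain (non-inline) options; flag whether remote-cert-tls server is set."""
    opts = {"remote-cert-tls server": False}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block or not line or line.startswith("#"):
            continue
        if line == "remote-cert-tls server":
            opts["remote-cert-tls server"] = True  # the guide adds this in Custom Options
        else:
            key, _, value = line.partition(" ")
            opts[key] = value
    return opts


if __name__ == "__main__":
    ca = extract_pem_block(SAMPLE_OVPN, "CERTIFICATE")
    key = extract_pem_block(SAMPLE_OVPN, "OpenVPN Static key V1")
    print(f"CA block: {validate_certificate_block(ca)} DER bytes -> Cert. Manager")
    print(f"TLS key: {validate_static_key_block(key)} bits -> TLS Key field")
    print("options:", check_profile_options(SAMPLE_OVPN))
```

Run it against a real profile by replacing SAMPLE_OVPN with the file contents; if either validator raises, fix the copy before pasting into pfSense rather than debugging a tunnel that never comes up.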
Tunnel Settings
- IPv4 Tunnel Network: Leave blank
- IPv6 Tunnel Network: Leave blank
- IPv4 Remote network(s): Leave blank
- IPv6 Remote network(s): Leave blank
- Limit outgoing bandwidth: Leave blank, unless you prefer otherwise
- Compression: No compression
- Topology: Subnet — One IP address per client in a common subnet
- Type of service: Leave unchecked
- Don’t pull routes: Leave unchecked
- Don’t add/remove routes: Leave unchecked
Advanced Configuration
- Custom Options: Add the following:
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
pull;
- UDP Fast I/O: Leave unchecked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity level: 3 (recommended)
- Save it.
- Go to Status –> OpenVPN
If everything was done correctly for the pfSense VPN setup, you should now see the Client there with its status up.
Step Three: Configuring the OpenVPN Interface
The pfSense VPN setup was done successfully and is already up and running at this point, but it won’t route any traffic through it, yet. To route the whole network through the secure ProtonVPN tunnel, we need to set up Interfaces and Firewall rules first.
- Navigate to Interfaces –> Assignments
- Add the OpenVPN Client as Interface. In our case, this is ProtonVPN IS-03 UDP as ovpnc1.
- Press on OPT1 on the left of the interface
- Fill out the fields as follows:
- Enable: Check
- Description: Name of the Interface (alphanumeric only). We will use ProtonVPNIS03UDP.
- IPv4 Configuration Type: DHCP
- Block bogon networks: Check
- Leave the rest unchanged
- Save it and Apply the changes.
Step Four: Setting up the Firewall Rules
With Firewall Rules we tell pfSense to route everything through the ProtonVPN interface (and with that, through the secure connection) we set up in Step Three.
- Go to Firewall –> NAT –> Outbound
- Change the Mode to Manual Outbound NAT rule generation, then save and apply changes.
- Now you should see 6 rules under Mappings.
- Leave all existing rules, and create a new rule by clicking on Add (with the arrow pointing down) button at the bottom.
- Fill out the fields as follows:
- Disabled: Leave unchecked
- Do not NAT: Leave unchecked
- Interface: change to PROTONVPNIS03UDP
- Address family: change to IPv4
- Protocol: any
- Source: Network – 192.168.1.0 /24 (or subnet that was configured on the LAN interface)
- Destination: Any
- Section Translation, Address: Interface address
- Leave other options unchanged
- Save and Apply the changes. It should now look like this:
- Go to Status –> OpenVPN and restart the Client
Step Five: Insert the correct DNS Servers for the pfSense VPN setup
Now the traffic of the whole network behind the pfSense firewall is already routed through ProtonVPN, but the DNS requests aren’t. To correct this, we will change the DNS settings.
- Go to System –> General Setup
- Scroll down to DNS Server Settings
- Fill in the DNS Servers: 10.1.0.1. Note: We recommend using this static IP address for our DNS servers in order to prevent the possibility of DNS leaks.
- Leave the Gateway on none
- Check Disable DNS Forwarder
- Scroll down and save.
- Go to Services –> DNS Resolver
- DNSSEC: disable this option if you activated Netshield using “+f1” or “+f2” flag in Step 2.
- Check DNS Query Forwarding
- In the Outgoing Network field, select the VPN Interface (in our case, ProtonVPNIS03UDP). This step is critical, as it is the one that prevents DNS leaks.
- Save and apply changes.
Finished!
If the VPN setup for pfSense was done properly, your whole network should now be secured by the ProtonVPN servers. Any device on the network should now show results similar to the following when doing an ipleak test, according to the server you’ve connected to:
Neither your IP nor your DNS should leak for your whole network.
Optional Enhancements
If you’d like to finish the pfSense VPN setup and exclude certain computers from the VPN (for example a Playstation for gaming), you can do that as well:
- Go to Firewall –> Rules –> LAN
- Add a new rule on top of the list
- Fill the fields as follows:
- Action: Pass
- Disabled: Unchecked
- Interface: LAN
- Address Family: IPv4
- Protocol: Any
- Source: Single Host or Alias and add the IP of the device to exclude
- Destination: Any
- Log: Unchanged
- Description: Add a description
- Click on Display Advanced
- Change Gateway to WAN
- Save and apply changes.
- Go to Firewall –> NAT –> Outbound
- Switch Mode to Automatic, save and apply changes, then switch back to Manual, save and apply changes again.
- This should have created two more rules that now allow the excluded device to access the WAN network.
Now this device will be excluded and will be visible under your ISP’s IP address. However, it will still use the VPN’s DNS server.
This guide was made by our community member Rafficer.
Excellent KB! Thank you!!!!!!!!!!
0
Glad that it helped you! 🙂
0
Are we able to use non-ProtonVPN DNS servers without experiencing DNS Leaks? For example: I would much prefer to use Quad9 DNS but so far each test has failed DNS leak tests. I have also attempted to use ProtonVPN DNS servers as suggested alongside Quad9 but queries aren’t sent through Quad9 as desired…
Any ideas or suggestions here? Or am I going to have to use only ProtonVPN DNS?
0
Hello Justin, using 3rd party DNS addresses like Quad9 on our application will not be viable since all of our applications force our DNS addresses to be used, so we suggest configuring an OpenVPN GUI connection as that should help in your DNS case.
0
Hi,
Could you please help how to configure KillSwitch in Pfsense? Thank you very much.
0
Hello Gabriel. Please contact our customer support team in order to receive the instructions on how to do it. https://protonvpn.com/support-form
0
I tried one of the plus servers (CH 06) and got about 50mbit/s out of my 1gbit/s connection. Is this about what is to be expected by Speed: Highest?
0
Hello Nicolas, please contact our customer support team and we will do our best to improve your speeds. https://protonvpn.com/support-form
0
I follow all the steps but the TCP DNS is not working, if I use 9.9.9.9 it works. What can I do?
0
Hello, have you tried using the 10.7.7.1 DNS address, and what server is configured on it?
0
No, it works. Yesterday it didn’t. Thanks for the assist.
0
Hi, if you use the Secure Core Server (as a paid client) the DNS look up (my toolbox) doesn’t work. I’m guessing you need to leave out the first 2 letters and – to get the IP address? If so this how to needs updating.
0
Hello Heliks. Could you please contact our customer support team, as we need more details and we are sure we can find the solution together! https://protonvpn.com/support-form
0
In the process of setting up ProtonVPN in pfSense I have tried two different configurations.
One to use the Japan (via Sweden) certificate and corresponding IP address 185.161.200.10,
and the other one I tried was the Netherlands (via Iceland), IP 62.112.9.165.
After the configuration I tried a DNS leak test; it would appear that both IP addresses failed the test, unless of course I set it up wrong. Could you please help – thank you.
0
Hello Brian, what exactly failed? Did the DNS requests leak? What DNS addresses did you use when setting up the pfSense? Please provide this and more if you can, information for our customer support team and we will do our best to help you out!
0
Hello ProtonVPN Team
I have a new install of Pfsense, on a PC with a i5 processor
My connections are as follows;
WAN (built in network connection)
LAN
OPT1
When I first installed your VPN as per your instructions, all went well, but I realized I had not added the OPT1 interface, so I started a fresh install again. This time I added the OPT1 interface and then proceeded with the install of ProtonVPN. However, I have not been able to get anything working.
I still have access to the web configurator, and strangely I have access to Facebook but nothing else. Where am I going wrong? Thank you for your help.
0
Hello Brian, we will need some screenshots of your current configuration for pfSense. Please provide them and all additional information that we should know to our support here – https://protonvpn.com/support-form
0
I think the DNS server section may need to be updated. It appears that some VPN servers use 10.8.0.1 instead of 10.8.8.1. Can someone confirm?
0
Hello Josh, 10.8.0.1 is for free servers only. Do your results tell the same?
0
When I am connected to server 108.59.0.39 I need to have 10.8.0.1 in my list of DNS servers. AFAIK this is a basic and plus server (US-VA-103).
0
Hello Josh, this server is a free tier server; that’s why it has to be with 10.8.0.1.
0
I have added this to my guide under point 5.3, as well as points 5, 6 and 7 at the very end. I forgot to document the NAT rules, which makes it impossible to access the internet from the excluded device… Sorry 😛
Can you update here as well? 🙂
0
Done deal, Rafficer. 🙂
0
“If you use a free server or server with a number higher than 100, the DNS server must be 10.8.1.0.” This doesn’t make much sense for a mere stupid mortal like myself :P. Let me explain: pfSense DNS resolver was fine and ProtonVPN working fine until I rebooted, and after some long hours battling the problem I tried using Google 8.8.8.8 for testing. I realized the issue was as simple as just using 10.8.0.1 instead, alongside 10.8.8.1. Now I have 0 leaks on DNS. Thanks :).
0
I would like to add that when configuring the interfaces it’s a good idea to check the option ‘Block bogon networks’.
0
Thanks! 🙂
I’ve proposed the changes to them and hope they will update it soon. 🙂
0
We’ve updated it. 🙂
0
Awesome!
0
This is a great how to. Well done.
0