How to set up OpenVPN on pfSense 2.4.4 (2024)

This tutorial will show you how to configure an OpenVPN tunnel on your pfSense 2.4.4 router.

To proceed, you need a router with pfSense firmware version 2.4.4 or higher and an active Surfshark subscription, which you can purchase on Surfshark's pricing page.

You will learn how to:

Get your credentials
Choose a Surfshark server
Configure the OpenVPN client
Ensure your connection is successful

Get your credentials

NOTE:These are not your regular credentials, such as your email and password.

Enter the Surfshark login pageand log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.
Once there, make sure that you are in the Credentials tab and click on Generate credentials.
NOTE: Keep this tab open as we'll need it later.

Choose a Surfshark server

Open the same page on another browser tab, go to theLocations tab, and locate the server that you wish to connect to.
Click on the download icon to the right of the server name and click on Download UDP.

Configure the OpenVPN client

Access your pfSense admin panel via a browser and navigate to System >Cert. Manager >CAs.

Press on the + Add button. Then, fill the fields out like this:

Descriptive Name: Surfshark_VPN;
Method: Import an existing Certificate Authority;
Certificate data:

Press Save at the bottom of the page.
Afterwards, navigate toVPN >OpenVPN >Clientsand press+Add.
Fill in the fields as so:
General Information
Disable this client: Leave unchecked
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only (you can also use TCP)
Device mode: tun – Layer 3 Tunnel Mode
Interface: WAN
Local port: Leave blank
Server host or address: The server hostname that you wish to connect to (refer toChoose a Surfshark server section in this article)
Server port: 1194 (use 1443 if you use TCP)
Proxy host or address: Leave blank
Proxy port: Leave blank
Proxy Authentication: None
Description: Any name you like

User Authentication Settings

Username and Password:Surfshark service credentials (refer to Get your credentials section in this article)
Authentication Retry: Leave unchecked
See Also
OpenVPN Client Import Package | pfSense Documentation pfSense setup with NordVPN How to Setup your own OpenVPN Server in pfSense VPN firewall definition – Glossary
Cryptographic Settings
TLS Configuration: Check
Automatically generate a TLS Key: Uncheck
TLS Key:
```
-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
c7b282631d6fc19be1df6ebae9e2779e
6d9f097058a31c97f57f0c35526a44ae
09a01d1284b50b954d9246725a1ead1f
f224a102ed9ab3da0152a15525643b2e
ee226c37041dc55539d475183b889a10
e18bb94f079a4a49888da566b9978346
0ece01daaf93548beea6c827d9674897
e7279ff1a19cb092659e8c1860fbad0d
b4ad0ad5732f1af4655dbd66214e552f
04ed8fd0104e1d4bf99c249ac229ce16
9d9ba22068c6c0ab742424760911d463
6aafb4b85f0c952a9ce4275bc821391a
a65fcd0d2394f006e3fba0fd34c4bc4a
b260f4b45dec3285875589c97d3087c9
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----
```
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: Surfshark_VPN
Peer Certificate Revocation list: Do not define
Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (NOTE: The numbers on your machine could be different)
Encryption Algorithm: AES-256-GCM
Enable NCP: Check
NCP Algorithms: AES-256-GCM and AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration

Tunnel Settings:
IPv4 tunnel network: Leave blank
IPv6 tunnel network: Leave blank
IPv4 remote network(s): Leave blank
IPv6 remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Compression: Omit Preference (Use OpenVPN Default)
Topology:Subnet – One IP address per client in a common subnet
Type-of-service: Leave unchecked
Don’t pull routes: Uncheck
Don’t add/remove routes: Leave unchecked

Advanced Configuration:
See Also
How Add New OpenVPN User in Pfsense – Dade2
Custom options:paste the contents below
```
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
```
UDP FAST I/O: Leave unchecked
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
PressSaveat the bottom of the page andApply changes at the top of the page.
Navigate toInterfaces >Interface Assignments and addSurfshark VPN interface.
Press on OPT1 on the left of your assigned interface and fill in the following information:
Enable: Check
Description: Surfshark VPN
MAC Address: Leave blank
MTU: Leave blank
MSS: Leave blank
Do not change anything else. Just scroll down to the bottom and pressSaveandApply Changes.
Navigate toServices >DNS Resolver >General Settings
Enable: Check
Listen port: Leave as it already is
Enable SSL/TLS Service: Uncheck
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (please note that the numbers on your machine could be different);
SSL/TLS Listen Port: Leave as it already is
Network Interfaces: All
Outgoing Network Interfaces: Surfshark VPN
System Domains Local Zone Type: Transparent
DNSSEC: Uncheck
DNS Query Forwarding: Check
DHCP Registration: Check
Static DHCP: Check
ClickSaveandApply Changes.
While in DNS Resolver, selectAdvanced Settingsat the top and then fill in the following:
ADVANCED PRIVACY OPTIONS
Hide Identity: Check
Hide Version: Check

ADVANCED RESOLVER OPTIONS
Prefetch Support: Check
Prefetch DNS Key Support: Check
ClickSaveandApply changes.
Navigate toFirewall >NAT >Outboundand selectManual Outbound NAT rule generation.
PressSaveandApply Changes. Then four rules will appear. Leave all rules untouched and add a new one.
1. Select SurfsharkVPNas anInterface.
2. Source:your LAN subnet.
3. Click Save.
Navigate toFirewall >Rules >LANanddelete the IPv6 rule. Also,edit the IPv4 rule:
1. Press on Display Advanced.
2. Change GatewaytoSurfshark VPN.
3. Click SaveandApply Changes.
Go toSystem >General Setup >DNS Server Settings and fill in the following:
DNS Server 1: 162.252.172.57;Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92;Gateway: SURFSHARKVPN_VPNV4
ClickSave.
Navigate to Status >OpenVPN, and it should state that the service is up.

Ensure the connection is successful

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.

FAQs

How to set up OpenVPN on pfSense 2.4.4? ›

The pfSense software GUI includes a certificate management interface that is fully integrated with OpenVPN. Certificate authorities (CAs) and server certificates are managed in the Certificate Manager in the web interface, located at System > Certificates.

Read On ›

How to configure OpenVPN on pfSense step by step? ›

OpenVPN rule

From the menus at the top of the screen, select Firewall > Rules.
Select the OpenVPN sub-menu.
Click the Add button to create a new rule at the top of the list.
Set the Address Family to IPv4 + IPv6 if your system is using both IPv4 and IPv6. ...
Set the Protocol field to Any.
Set the Source to Network.

More items...

Discover More Details ›

Does pfSense support OpenVPN? ›

How do I use pfSense as a VPN server? ›

Create the OpenVPN server

From the pfSense menu, select VPN, and OpenVPN. Click Add.
Select the Server mode, either Remote Access (SSL/TLS), Remote Access (User Auth), or Remote Access (SSL/TLS + User Auth).
Change the Local port if necessary. Otherwise, the default is 1194.
Name your server in the Description section.

Dec 11, 2023

See Details ›

How to set up L2TP VPN on pfSense? ›

II. Set up L2TP VPN client on your pfSense router

Navigate to the Interfaces tab > Assignments > PPPs and click +Add button.
Configure the next parameters as follows: ...
Go to the Interface Assignments tab, select L2TP option for Available network ports and click +Add.
Click the OPT1 label.
Change the following parameters:

More items...

Find Out More ›

How do I install and set up OpenVPN? ›

Windows Installation for OpenVPN Connect with OpenVPN Servers

Download the OpenVPN Connect app from our website.
Wait until the download completes, then open it.
Run the OpenVPN Connect setup wizard.
Agree to the EULA and install.
When prompted, click Yes to approve the privilege escalation request.

More items...

Tell Me More ›

How to activate OpenVPN? ›

Click Configuration > Activation. Paste the activation key into the field, Enter Activation Key here. Click Activate.

Show Me More ›

Which VPN is best for pfSense? ›

NordVPN is our top pick for a pfSense VPN. It dwarfs many other VPNs when it comes to network size, with over 5,400 servers to choose from in 60+ countries, and is one of the fastest VPNs we've reviewed.

Explore More ›

How to setup OpenVPN for remote access? ›

openvpn.com. Navigate to Networks > Networks. Click Add Network. Select the Remote Access network scenario from the three choices: Remote Access, Site-to-site, and Secure Internet Access.

How to get ovpn file from pfSense? ›

OpenVPN Client Export Package

Navigate to System > Packages, Available Packages tab.
Locate the OpenVPN Client Export package in the list.
Click. Install next to that package listing to install.
Click. Confirm to confirm the installation.

Sep 6, 2023

Show Me More ›

What ports to open for L2TP VPN? ›

Required firewall rules and correct order for L2TP/IPSec

IKE - UDP port 500.
L2TP - UDP port 1701.
ESP - protocol 50.
NAT-T - UDP port 4500 (if using NAT-T)

Read The Full Story ›

How to setup L2TP VPN server? ›

Start the L2TP Connection

In the Windows notification area (System Tray), click the Network icon. A list of available networks and VPNs appears.
Click the VPN connection. The Network & Internet VPN settings appear.
Select the VPN connection. Click Connect. ...
Type your user name and password.
Click OK.

See Details ›

How to setup pfSense IPsec VPN? ›

Setup IPsec

Navigate to VPN > IPsec, Mobile Clients tab in the pfSense software GUI.
Configure the settings as follows: Enable IPsec Mobile Client Support: Checked. User Authentication: Local Database (Not used, but the option must have something selected) Provide a virtual IP address to clients: Unchecked. ...
Click Save.

Apr 3, 2024

Get More Info Here ›

How to setup pfSense step by step? ›

How to install and configure pfSense firewall

Download the pfSense installation image from the official website. ...
Burn the image to a CD or USB drive using your preferred method. ...
Boot from the CD or USB drive and follow the on-screen instructions. ...
Once the installation is complete, reboot your computer.

More items...

Jan 22, 2023

How do I start OpenVPN with config? ›

To run OpenVPN, you can: Right click on an OpenVPN configuration file (.ovpn) and select Start OpenVPN on this configuration file. Once running, you can use the F4key to exit.

How do I import an OpenVPN profile into pfSense? ›

Client Import Example

Obtain an OpenVPN configuration file in inline format from the OpenVPN server (e.g. username.ovpn ) ...
Navigate to VPN > OpenVPN, Import tab on the client firewall.
Click Browse in the .ovpn config file field and select the configuration file obtained from the server (e.g. username.ovpn )

More items...

View Details ›

How to manually configure OpenVPN on Linux? ›

How to manually configure OpenVPN CLI

Install OpenVPN. Open a terminal window and: ...
Install openresolv. ...
Download the following DNS update script. ...
Change the directory to where you downloaded your OpenVPN configuration file. ...
Connect to a VPN server using OpenVPN.