Posted Tue, Jun 30, 2026 7:52 AM
Edited Tue, Jun 30, 2026 7:52 AM

How to set up OpenVPN on pfSense

This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.

Prerequisites

This setup is demonstrated on pfSense 2.8.1 Community Edition, but the same steps should apply to the Plus version as well.

If your ISP blocks OpenVPN, you can still use this guide as a starting point, but you may need to continue with the future guides that will cover "OpenVPN over Proxy" to bypass ISP-imposed restrictions on OpenVPN.

Scope

This guide does not cover policy routing, split tunneling or kill-switch implementation. If you are interested in those scenarios, keep an eye on the xeovo Hub: we will publish more advanced guides that cover them as extensions to this guide.

Configuration

DNS Resolver Settings

  1. Log in to the pfSense Web GUI by entering your pfSense Firewall (Router) IP address (usually 192.168.1.1)
  2. Navigate to Services / DNS Resolver / General Settings
  3. Enable ☑ Enable Forwarding Mode
  4. Enable ☑ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
  5. Enable OpenVPN Clients ☑
  6. Click "🖫 Save"
  7. Click "✓ Apply Changes"

Downloading Configuration Files

  1. Log in to your xeovo dashboard.
  2. Go to the OpenVPN Generator section.
  3. Choose Android as the platform.
  4. Select your desired country to download a single config file, or "All countries in .zip" to download config files for all the servers in a single .zip file.
  5. Advanced Settings:
    In the Protocol section, choose UDP if your ISP doesn't block it. UDP offers superior performance and stability compared to TCP.
    If your ISP blocks OpenVPN, your only option is to use TCP, since OpenVPN only supports VPN over Proxy in TCP mode.
  6. In the DNS section, choose "Block ads & trackers" if you would like DNS ad-blocker functionality, or choose Custom DNS and enter your preferred DNS server in the box.
  7. Click on the Download button to get your files.

Importing The CA Certificate

  1. Open the .ovpn file with a text editor.
  2. At the bottom of the file, locate the <ca> tag.
  3. Copy everything between <ca> and </ca>, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  4. Log in to the pfSense Web GUI.
  5. Navigate to System / Certificates / Authorities
  6. Click the "+ Add" button to create a new entry.
  7. In the "Descriptive name" field, enter xeovo.
  8. Change "Method" to "Import an existing Certificate Authority".
  9. Paste the certificate that we copied from the file into the "Certificate data" field.
  10. Click "🖫 Save"

Importing Client Configurations

  1. Navigate to VPN / OpenVPN / Clients

  2. Click the "+ Add" button to create a new entry.

  3. In the "Description" field, enter a description that helps you identify this entry later; for example xeovo-nl-tcp for a TCP connection to the Netherlands server.

  4. In the "Endpoint Configuration" section, for the "Protocol", choose TCP on IPv4 only or UDP on IPv4 only based on which protocol you chose in the last section.

  5. In the .ovpn file, locate the line starting with the remote keyword and copy the server host address that follows it, for example nl.gw.xeovo.com

  6. Paste the server host name you copied in the "Server host or address" field.

  7. Copy the port number that follows the host, for example 443, and enter it in the "Server port" field.

  8. Enter your xeovo username and password in the "User Authentication Settings" section.

  9. In the "Cryptographic Settings" section, uncheck the "☐ Use a TLS Key" option.

  10. Make sure the CA that we imported in the last step is selected as the "Peer Certificate Authority". In our case it should be xeovo.

  11. In the "Tunnel Settings" section, enable "☑ Don't pull routes" and "☑ Don't add/remove routes".
    You can also enable the "☑ Pull DNS" option if you would like pfSense to use the DNS servers assigned by xeovo servers.

  12. In the "Custom options" box, enter the configuration commands you find in the last section of the .ovpn file but make sure to end each line with a semicolon ";" like so:

        remote-cert-tls server;
        pull-filter ignore "dhcp-option DNS";
        dhcp-option DNS 10.0.0.21;
        dhcp-option DNS fd64:e20:68a2::21;
        persist-key;
        persist-tun;
    • IMPORTANT: Make sure each line ends with a semicolon ";"

  13. Click "🖫 Save"
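
The hand-copying in the two import sections above, as an added example (not part of the original guide and not xeovo's tooling): a Python sketch that pulls the CA certificate, host, port and protocol out of an .ovpn file and builds the semicolon-terminated "Custom options" lines. The sample file, the GUI_HANDLED set and the function name ovpn_to_pfsense are assumptions.

```python
import re

# Constructed sample .ovpn; the layout and certificate body are placeholders.
SAMPLE_OVPN = """\
client
proto tcp
remote nl.gw.xeovo.com 443
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
remote-cert-tls server
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 10.0.0.21
dhcp-option DNS fd64:e20:68a2::21
persist-key
persist-tun
"""

# Assumption: pfSense GUI fields cover these, so they stay out of Custom options.
GUI_HANDLED = {"client", "dev", "proto", "remote", "auth-user-pass"}

def ovpn_to_pfsense(text):
    """Return the values the guide copies by hand out of an .ovpn file."""
    ca = re.search(r"<ca>\s*(-----BEGIN CERTIFICATE-----.*?"
                   r"-----END CERTIFICATE-----)\s*</ca>", text, re.S)
    if ca is None:
        raise ValueError("no PEM certificate inside <ca>...</ca>")
    fields = {"ca": ca.group(1), "custom": []}
    # Drop inline blocks such as <ca> before reading one-line directives.
    for line in re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S).splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":
            continue  # blank line or OpenVPN comment
        if words[0] == "remote" and "host" not in fields:
            fields["host"] = words[1]
            fields["port"] = int(words[2]) if len(words) > 2 else None
        elif words[0] == "proto":
            fields["proto"] = words[1]
        elif words[0] not in GUI_HANDLED:
            fields["custom"].append(line.strip().rstrip(";") + ";")
    # remote-cert-tls server makes the client reject non-server certificates.
    fields["checks_server_cert"] = "remote-cert-tls server;" in fields["custom"]
    return fields

if __name__ == "__main__":
    print(ovpn_to_pfsense(SAMPLE_OVPN))
```

If checks_server_cert comes back False, the remote-cert-tls server line was lost while copying and should be restored before saving the client.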

Assign an Interface for OpenVPN

  1. Navigate to Interfaces / Interface Assignments
  2. In the "Available network ports:" row, select the newly generated ovpnc interface from the drop-down menu.
    For example, it would be ovpnc1 (xeovo-nl-tcp) in our demo.
  3. Click the "+ Add" button to select it as our OPT interface network port.
  4. Click the OPT1 hyperlink to open the OPT1 interface configuration.
  5. In "General Configuration", check "☑ Enable interface"
  6. In "Description", enter a descriptive name like VPN.
  7. Click "🖫 Save"
  8. Click "✓ Apply Changes"

Set WAN as the Default Gateway

  1. Navigate to System / Routing / Gateways
  2. In the "Default gateway" section, make sure "WAN_DHCP" and "WAN_DHCP6" are selected for the Default gateway IPv4 and Default gateway IPv6.
  3. Click "🖫 Save"
  4. Click "✓ Apply Changes"

Defining Outbound NAT Rules

  1. Navigate to Firewall / NAT / Outbound
  2. Change "Outbound NAT Mode" to "⦿ Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)"
  3. Click "🖫 Save"
  4. In the "Mappings" section, click the "⮭ Add" button to add a new rule to the top of the list.
  5. Select the interface we created in the last section ("VPN") from the drop-down menu for the "Interface" value.
  6. For "Source" type, select LAN subnets from the drop-down menu.
  7. In the "Translation" section, for the "Address" field, select VPN address from the drop-down menu.
  8. Click "🖫 Save"
  9. Click "✓ Apply Changes"

Defining Firewall Rules

  1. Navigate to Firewall / Rules / LAN
  2. Click the "⮭ Add" button to add a new rule to the top of the list.
  3. In the "Firewall Rule" section, change the "Protocol" to Any
  4. For the "Source" field, select LAN subnets
  5. In the "Extra Options" section, click "⚙ Display Advanced"
  6. In the "Advanced Options" section, change the "Gateway" to VPN_VPNV4 - dynamic - Interface ... Gateway
  7. Click "🖫 Save"
  8. Click the 🗗 (Duplicate) icon on the rule we just created to duplicate it.
  9. Change the "Address Family" to IPv6
  10. Change the "Gateway" to VPN_VPNV6 - dynamic - Interface ... Gateway
  11. Click "🖫 Save"
  12. Click "✓ Apply Changes"

Restarting the OpenVPN Service

  1. Navigate to Status / OpenVPN
  2. Click the "↻" icon to restart the OpenVPN service.
  3. Visit DoesMyVPN.work to verify you are connected to your desired VPN server.

Adding More Servers

  1. Navigate to VPN / OpenVPN / Clients
  2. Click the 🗗 (Duplicate) icon to copy the last client we created.
  3. Change "Description" to match your new server, for example xeovo-no-tcp
  4. In the "Endpoint Configuration" section, change "Server host or address" and "Server port" for your desired server, for example no.gw.xeovo.com
  5. Click "🖫 Save"
  6. Navigate to Interfaces / Interface Assignments
  7. Change "Network port" for the "VPN" Interface to your new connection, for example ovpnc2 (xeovo-no-tcp)
  8. Click "🖫 Save"
  9. To disable the previous connection (ovpnc1), navigate back to VPN / OpenVPN / Clients
  10. Click the "🖉" icon on the previous connection that you no longer want connected.
  11. Check "☑ Disable this client" to disable it.
  12. Click "🖫 Save"
  13. Visit DoesMyVPN.work to verify you are connected to your desired VPN server.

Troubleshooting

Connection Status and Logs

If you experience connection failures, it could be useful to check connection status and OpenVPN logs.

  1. Navigate to Status / OpenVPN. On this page you can view the status of the connection and various other useful information about it.
  2. First try restarting the OpenVPN service by clicking the "↻" icon.
  3. If the connection fails again, click the "🗉" ("Related log entries") icon to view the log.