This guide describes setting up OpenVPN on a router running pfSense 2.3.4. We used a PC Engines APU for this; other routers work as well, but with different hardware specifications their throughput may differ.
Clients behind this router will only be able to access the Internet when the OpenVPN connection to IPredator is established.
A regular Client behind the ISP Router accesses the Internet through the unprotected red path. The ISP can log the traffic from this client. The router establishes the blue IPredator connection. The Client behind the IPredator VPN uses the yellow protected path through IPredator to access the Internet. Because the traffic inside the blue tunnel is encrypted, your ISP cannot look into the traffic that the Client behind IPredator generates. The ISP only sees encrypted packets traveling back and forth to IPredator.
After the first boot, complete the initial configuration wizard. Set the LAN interface network to 192.168.2.0/24 to match the layout described in the topology section. Configure the IPredator public DNS servers 194.132.32.32 and 46.246.46.246 and uncheck the option that allows the DNS server list to be overridden by DHCP on the WAN, so the ISP's resolvers are never used.
In System -> Cert. Manager create a new certificate authority by clicking Add.
Add a name like IPredator.se.CA for the certificate authority. Paste the content of IPredator.se.ca.crt (the PEM block starting with -----BEGIN CERTIFICATE-----) into the Certificate data field. Create the certificate authority by pressing Save.
Navigate to VPN -> OpenVPN in the administration interface.
Select the Clients tab.
Choose Add.
The OpenVPN client configuration page opens. In the first section, General information, set the Server host address to ipv6.openvpn.ipredator.se. Select the Infinitely resolve server option and add a Description for the VPN connection, for example IPredator VPN.
Enter your IPredator username and password.
The Cryptographic Settings are adjusted next: uncheck the Automatically generate a shared TLS authentication key option and paste the content of IPredator.se.ta.key (the OpenVPN Static key V1 block) into the Key field. Make sure the IPredator.se.CA certificate authority that was added at the beginning is selected as the Peer Certificate Authority. Change the encryption algorithm to AES-256-CBC. If your device supports hardware accelerated cryptography, select the engine to be used, for example BSD cryptodev engine.
In the Tunnel Settings section only change the Compression to Enabled with Adaptive-Compression.
The last section accepts additional configuration directives, which are listed below for copy and paste. Set the log verbosity to 3 (Recommended). Click Save.
tun-mtu 1500
mssfix 1200
ns-cert-type server
remote-cert-tls server
remote-cert-ku 0x00e0
passtos
mute-replay-warnings
ifconfig-nowarn
The new OpenVPN client connection is displayed in the list of available connections.
The OpenVPN configuration for IPredator is mostly done, but the pfSense web interface always writes the tls-auth key with a direction parameter, whereas IPredator's configuration uses the key without one. This has to be corrected in the generated configuration file. Open a console on the device, either via SSH or the local console. In the pfSense menu select (8) Shell.
FreeBSD/amd64 (pfSense.localdomain) (ttyu0)

*** Welcome to pfSense 2.3.4-RELEASE-p1 (amd64 full-install) on pfSense ***

 WAN (wan)       -> re1        -> v4/DHCP4: 192.168.1.10/24
 LAN (lan)       -> re2        -> v4: 192.168.2.1/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

[2.3.4-RELEASE][root@pfSense.localdomain]/root:
Navigate to the OpenVPN config directory in /var/etc/openvpn/. List the available files. Open client1.conf with an editor of your choice.
[2.3.4-RELEASE][root@pfSense.localdomain]/root: cd /var/etc/openvpn
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -l
total 20
-rw-------  1 root  wheel  1877 Oct 23 23:42 client1.ca
-rw-------  1 root  wheel   759 Oct 23 23:42 client1.conf
-rw-------  1 root  wheel     3 Oct 23 23:42 client1.interface
-rw-------  1 root  wheel   618 Oct 23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel    22 Oct 23 23:42 client1.up
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: vi client1.conf
If vi is not your preferred text editor, install another one with pkg(8); for example, pkg install nano installs nano.
Inside client1.conf look for the line tls-auth /var/etc/openvpn/client1.tls-auth 1. Remove the trailing 1 (the key direction) and save the file. The new line should read tls-auth /var/etc/openvpn/client1.tls-auth. Without a direction parameter OpenVPN uses the key the same way in both directions, which is what the IPredator side expects.
[..]
remote ipv6.openvpn.ipredator.se 1194
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
[..]
pfSense regenerates this configuration file by default, which would overwrite the change just made. To prevent that, set the system immutable flag (schg) on the file.
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: chflags schg client1.conf
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -lo
total 20
-rw-------  1 root  wheel  -     1877 Oct 23 23:42 client1.ca
-rw-------  1 root  wheel  schg   759 Oct 23 23:42 client1.conf
-rw-------  1 root  wheel  -        3 Oct 23 23:42 client1.interface
-rw-------  1 root  wheel  -      618 Oct 23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel  -       22 Oct 23 23:42 client1.up
Changing client1.conf again requires unsetting the schg flag. This is only possible while kern.securelevel is 0 or lower, so check the securelevel first and then remove the schg flag.
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: sysctl kern.securelevel
kern.securelevel: -1
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: chflags noschg client1.conf
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -lo
total 20
-rw-------  1 root  wheel  1877 Oct 23 23:42 client1.ca
-rw-------  1 root  wheel   759 Oct 23 23:42 client1.conf
-rw-------  1 root  wheel     3 Oct 23 23:42 client1.interface
-rw-------  1 root  wheel   618 Oct 23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel    22 Oct 23 23:42 client1.up
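As an added example (not part of the original guide), a small POSIX shell script that performs the manual edit above: it strips the trailing key-direction parameter from the tls-auth line of a client config and, where chflags exists and kern.securelevel permits, pins the file with schg. It runs against a constructed sample config in a temp file; on the router you would pass /var/etc/openvpn/client1.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original guide. Strips the key-direction
# parameter from the tls-auth line of a pfSense OpenVPN client config and
# pins the file with the schg flag, as done by hand in the guide.

# fix_tls_auth_direction FILE
# Rewrites "tls-auth <path> 0|1" to "tls-auth <path>" in place.
# Returns 1 if FILE has no tls-auth line at all; idempotent otherwise.
fix_tls_auth_direction() {
    f="$1"
    grep -q '^tls-auth[[:space:]]' "$f" || return 1
    tmp="$f.tmp.$$"
    sed -E 's/^(tls-auth[[:space:]]+[^[:space:]]+)[[:space:]]+[01][[:space:]]*$/\1/' "$f" > "$tmp" &&
        cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps the original inode and flags
}

# tls_auth_line FILE: prints the (first) tls-auth directive, for checking.
tls_auth_line() { grep '^tls-auth[[:space:]]' "$1" | head -n 1; }

# pin_config FILE: set the system immutable flag (schg), as in the guide.
# Only meaningful on FreeBSD; refuses when kern.securelevel is above 0,
# because schg cannot be changed at securelevel 1 or higher.
pin_config() {
    command -v chflags >/dev/null 2>&1 || { echo "no chflags on this host, skipping" >&2; return 0; }
    lvl=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
    if [ "$lvl" -gt 0 ]; then
        echo "kern.securelevel=$lvl: schg cannot be changed at this securelevel" >&2
        return 1
    fi
    chflags schg "$1"
}

# Constructed sample modelled on the client1.conf excerpt above (not a real file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
remote ipv6.openvpn.ipredator.se 1194
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
EOF

fix_tls_auth_direction "$SAMPLE"
echo "after edit: $(tls_auth_line "$SAMPLE")"
# On the router, after editing the real file:
#   pin_config /var/etc/openvpn/client1.conf
```

The sample is deliberately not pinned, since an schg-flagged temp file could not be removed again.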
From now on the IPredator tunnel should be established and reachable from the pfSense box itself. If that is not the case, the daemon can be started via the Status -> OpenVPN panel.
The IPredator VPN connection is established and the current VPN IP address is displayed. The controls on the right can be used to restart or stop the service.
Up next is creating an interface for the VPN connection that can be used in firewall rules. Open the Interfaces -> (assign) panel.
For the Available network ports select ovpnc1 and click Add to create the interface.
Click on the OPT1 interface link that is now listed in the Available interfaces.
Check the Enable interface, choose a name for the interface and Save the configuration.
Apply the changes.
The VPN interface is now listed with the chosen name. Next up is adjusting the network address translation (NAT) rules under Firewall -> NAT.
Select the Outbound tab.
Change the Outbound NAT Mode to Manual Outbound NAT rule generation. Click on Save.
After clicking Apply Changes 4 rules for the WAN interface are listed in the table below.
Each of the 4 NAT rules needs to be duplicated and adjusted for the VPN interface. Click the copy icon (two overlapping pages) for the first rule.
Adjust the interface for the rule from WAN to the IPredator VPN interface and the description at the bottom. Save the changes.
Repeat the steps for the other 3 NAT rules.
The only thing left to do is disabling the NAT rules for the LAN on the WAN interface. Select the Autocreated ISAKMP - LAN to WAN rule for editing with the pencil icon.
Check the Disable this rule box and Save this change.
The edited rule is now greyed out. Edit the LAN to WAN rule the same way.
Check the Disable this rule box and Save this change. The second rule is now greyed out as well.
The two rules for network address translation via the WAN interface are disabled. NAT is now only performed when the IPredator VPN interface exists, so packets from the LAN leave with the IP address of the VPN interface. Apply the changes. Note that this relies on the absence of a WAN NAT rule rather than on a firewall block; an explicit LAN firewall rule that only passes traffic via the VPN gateway is a stricter safeguard against leaks while the tunnel is down.
The pfSense admin panel reports that the change was applied and everything is set up. If the VPN is not connected for some reason, restart it in the Status -> OpenVPN panel as shown earlier.
Use a browser on the LAN to access the Internet and check that everything is working. Another option is to run MTR or traceroute from a LAN client and check that the first hops are inside the IPredator network, i.e. that the traffic passes through the tunnel.
root@host # mtr ipredator.se
host.localdomain (0.0.0.0)                                Thu Oct 23 23:42:42 2342
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                  Packets               Pings
 Host                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. anon-49-168.vpn.ipredator.se                 0.0%     7   39.0  38.7  38.0  39.3   0.0
 2. anon-33-1.vpn.ipredator.se                   0.0%     7   37.4  38.5  37.4  39.1   0.4
 3. host-193-234-198-154.resolv.to               0.0%     7   39.2  38.5  37.7  39.6   0.4
 4. host-193-234-198-154.resolv.to               0.0%     7   39.2  38.5  37.7  39.6   0.4
Once you are connected make sure no information is leaked by accident. Analyze your setup using our test page https://check.ipredator.se.
If you experience any problem after using this guide, please check our Problem Guide and the FAQ first. An overview of the OpenVPN settings, covering the technical aspects in more depth together with some tweaks, is available here.
This guide's configuration connects your client to our OpenVPN service via UDP. As outlined in the OpenVPN settings, connecting via TCP and/or to different ports is also supported. TCP is needed if you have to go through an HTTP proxy to reach our servers or if your provider rate-limits UDP connections on port 1194.
If your problem is still not solved please visit the online chat or use the Help Wizard to contact the support.