Introduction

This guide describes setting up OpenVPN on a router running PfSense 2.3.4. We used a PCEngine APU for this, other routers work as well. Other routers have different hardware specifications and speeds may be different.

Clients behind this router will only be able to access the Internet when the OpenVPN connection to IPredator is established.

Needed files

To download a file right-click on it and select Save as….

Topology

A regular Client behind the ISP Router accesses the Internet through the unprotected red path. The ISP can log the traffic from this client. The router establishes the blue IPredator connection. The Client behind the IPredator VPN uses the yellow protected path through IPredator to access the Internet. Because the traffic inside the blue tunnel is encrypted, your ISP cannot look into the traffic that the Client behind IPredator generates. The ISP only sees encrypted packets traveling back and forth to IPredator.

Preparation

After the first boot complete the initial configuration wizard. Set the LAN interface network to be 192.168.2.0/24 to match the layout described in the topology section. Configure the IPredator public DNS servers 194.132.32.32 and 46.246.46.246 and uncheck the box to Allow DNS over write by DHCP.

Add the IPredator DNS servers in the setup wizard.

Configuration

In the System -> Cert. Manager create a new certificate authority by clicking Add

Add the IPredator CA in the Certificate Manager.

Add a name like IPredator.se.CA for the certificate authority. Paste the content of IPredator.se.ca.crt (also shown below) into the Certificate data field. Create the Certificate authority by pressing Save.

Insert a name and the CA details from below.

Navigate to VPN -> OpenVPN in the administration interface.

Select the Clients tab.

Choose Add.

Click on Add to create a new OpenVPN connection.

The OpenVPN client configuration wizard is opened. In the first section General information set the Server host address to ipv6.openvpn.ipredator.se. Select the Infinitly resolve server option and add a Description for the VPN connection like IPredator VPN.

Enter the basic information like server address and description for the connection.

Enter your IPredator username and password.

The Cryptographic Settings are adjusted next: Uncheck the Automatically generate a shared TLS authentication key option and paste the IPredator.se.ta.key in the Key field. Make sure the IPredator.se.ca which was added to the system at the beginning is selected. Change the encryption algorithm to AES-256-CBC. If your device supports hardware accelarated cryptography select the engine to be used, for example: BSD cryptodev engine.


-----BEGIN OpenVPN Static key V1-----
03f7b2056b9dc67aa79c59852cb6b35a
a3a15c0ca685ca76890bbb169e298837
2bdc904116f5b66d8f7b3ea6a5ff05cb
fc4f4889d702d394710e48164b28094f
a0e1c7888d471da39918d747ca4bbc2f
285f676763b5b8bee9bc08e4b5a69315
d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
56c4c44dbca35041b67e2374788f8977
7ad4ab8e06cd59e7164200dfbadb942a
351a4171ab212c23bee1920120f81205
efabaa5e34619f13adbe58b6c83536d3
0d34e6466feabdd0e63b39ad9bb1116b
37fafb95759ab9a15572842f70e7cba9
69700972a01b21229eba487745c091dd
5cd6d77bdc7a54a756ffe440789fd39e
97aa9abe2749732b7262f82e4097bee3
-----END OpenVPN Static key V1-----

In the Tunnel Settings section only change the Compression to Enabled with Adaptive-Compression.

The last section allows setting additional configuration details, which are available for copy and pasting below. Set the log verbosity to 3 (Recommended). Click Save.

Paste the additional configuration details, set the log verbosity and save.

tun-mtu 1500
mssfix 1200
ns-cert-type server
remote-cert-tls server
remote-cert-ku 0x00e0
mssfix 1200
passtos
mute-replay-warnings
ifconfig-nowarn

The new OpenVPN client connection is displayed in the list of available connections.

OpenVPN daemon can be restarted in the Status OpenVPN panel.

The OpenVPN configuration for IPredator is mostly done. But PfSense does not support setting the proper TA.key direction which IPredator uses via the web interface. Open a console on the device, either use SSH or the local console access. In the PfSense menu select (8) Shell.

FreeBSD/amd64 (pfSense.localdomain) (ttyu0)

*** Welcome to pfSense 2.3.4-RELEASE-p1 (amd64 full-install) on pfSense ***

 WAN (wan)       -> re1        -> v4/DHCP4: 192.168.1.10/24
 LAN (lan)       -> re2        -> v4: 192.168.2.1/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell


Enter an option: 8
[2.3.4-RELEASE][root@pfSense.localdomain]/root:

Navigate to the OpenVPN config directory in /var/etc/openvpn/. List the available files. Open client1.conf with an editor of your choice.

[2.3.4-RELEASE][root@pfSense.localdomain]/root: cd /var/etc/openvpn
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -l
total 20
-rw-------  1 root  wheel  1877 Oct  23 23:42 client1.ca
-rw-------  1 root  wheel   759 Oct  23 23:42 client1.conf
-rw-------  1 root  wheel     3 Oct  23 23:42 client1.interface
-rw-------  1 root  wheel   618 Oct  23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel    22 Oct  23 23:42 client1.up
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: vi client1.conf

If VI is not the preferred text editor, install another one with pkg (8), for example pkg install nano installs nano.

Inside the client1.conf look for the line tls-auth /var/etc/openvpn/client1.tls-auth 1. Remove the 1 at the end and save the file. The new line should be tls-auth /var/etc/openvpn/client1.tls-auth.

[..]
remote ipv6.openvpn.ipredator.se 1194
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
[..]

PfSense over writes the change just made to the configuration file by default. To prevent PfSense from making changes we can set a special flag on the file.

[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: chflags schg client1.conf
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -lo
total 20
-rw-------  1 root  wheel  -    1877 Oct  23 23:42 client1.ca
-rw-------  1 root  wheel  schg  759 Oct  23 23:42 client1.conf
-rw-------  1 root  wheel  -       3 Oct  23 23:42 client1.interface
-rw-------  1 root  wheel  -     618 Oct  23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel  -      22 Oct  23 23:42 client1.up

Changing the client1.conf again requires unsetting the schg flag. this requires a securelevel of at least 0 or lower. then remove the the schg flag.

[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: sysctl kern.securelevel
kern.securelevel: -1
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: chflags noschg client1.conf
[2.3.4-RELEASE][root@pfSense.localdomain]/var/etc/openvpn: ls -lo
total 20
-rw-------  1 root  wheel  1877 Oct  23 23:42 client1.ca
-rw-------  1 root  wheel   759 Oct  23 23:42 client1.conf
-rw-------  1 root  wheel     3 Oct  23 23:42 client1.interface
-rw-------  1 root  wheel   618 Oct  23 23:42 client1.tls-auth
-rw-r--r--  1 root  wheel    22 Oct  23 23:42 client1.up

From now on the IPredator tunnel should be established and accessible from the PfSense locally. If that is not the case the daemon can be started via the Status -> OpenVPN panel.

The IPredator VPN connection is established and the current VPN IP addrees is displayed.. The controls at the right can be used to restart or stop the service.

Firewall

Up next is creating an interface for the VPN connection that can be used in firewall rules. Open the Interfaces -> (assign) panel.

For the Available network ports select ovpnc1 and click Add to create the interface.

Click on the OPT1 interface link that is now listed in the Available interfaces.

Check the Enable interface, choose a name for the interface and Save the configuration.

Enable the interface, choose a name and save the configuration.

Apply the changes.

The VPN interface gets listed with the correct name. Next up is adjusting the firewall rules for network address translation (NAT) in the Firewall -> NAT .

Select the Outbound tab.

Change the Outbound NAT Mode to Manual Outbound NAT rule generation. Click on Save.

After clicking Apply Changes 4 rules for the WAN interface are listed in the table below.

After applying the changes 4 NAT rules for the WAN interface are listed.

Each of the 4 NAT rules needs to be duplicated and adjusted for the VPN interface. Click on the 2 page icon for the first rule.

Adjust the interface for the rule from WAN to the IPredator VPN interface and the description at the bottom. Save the changes.

Change the interface from WAN to IPredatorVPN interface and adjust the description.

Repeat the steps for the other 3 NAT rules.

Repeat the steps for the other 3 existing NAT rules.

The only thing left to be done is disabling the NAT rules for the LAN on the WAN interface. Select Autocreated ISAKMP - LAN to WAN rule for editing with the Pen icon.

Check the Disable this rule box and Save this change.

The edited rule is now greyed out. Edit the LAN to WAN rule the same way.

Next the LAN to WAN rule needs be edited.

Check the Disable this rule box and Save this change. The edited rule is now greyed out. Edit the LAN to WAN rule.

The two rules for doing network address translation via the WAN interface are disabled. NAT is only done when the IPredatorVPN interface exists and the packets from the LAN have the IP address of the VPN interface. Apply the changes.

The PfSense admin panel informs about the positive result from the change and everything is setup. If the VPN is not connected for some reason restart it in the Status -> OpenVPN pane as shown earlier.

Changes were applied, everything is setup.

Test run

Use a browser on the LAN to access the internet and check that everything is working. An other option to test is to use MTR or Traceroute and check that the traffic is passing through the tunnel.

root@host # mtr ipredator.se
host.localdomain (0.0.0.0)                          Thu Oct  23 23:42:42 2342
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. anon-49-168.vpn.ipredator.se      0.0%     7   39.0  38.7  38.0  39.3   0.0
 2. anon-33-1.vpn.ipredator.se        0.0%     7   37.4  38.5  37.4  39.1   0.4
 3. host-193-234-198-154.resolv.to    0.0%     7   39.2  38.5  37.7  39.6   0.4
 4. host-193-234-198-154.resolv.to    0.0%     7   39.2  38.5  37.7  39.6   0.4

Online privacy

Once you are connected make sure no information is leaked by accident. Analyze your setup using our test page https://check.ipredator.se.

Please check our Resources page for other – privacy enhancing – services. We also provide the following infrastructure:

Setup instructions for our DNSCrypt server to fix DNS leaks once and for all.
Jabber
Proxies
DNS
Tor

Support

If you experience any problem after using this guide, please check our Problem Guide and the FAQ first. An overview of the OpenVPN settings detailing technical aspects a bit more in depth and some tweaks is available here.

This guides configuration connects your client to our OpenVPN service via UDP. As outlined in the OpenVPN settings, connecting via TCP and/or to different ports is also supported. TCP is needed if you have to go through a HTTP proxy to reach our servers or if your provider rate-limits UDP connections on port 1194.

If your problem is still not solved please visit the online chat or use the Help Wizard to contact the support.

OpenVPN PfSense

Other guides