How to set up OpenVPN on pfSense 2.4.4

This tutorial will show you how to configure an OpenVPN tunnel on your pfSense 2.4.4 router.

To proceed, you need a router with pfSense firmware version 2.4.4 or higher and an active Surfshark subscription, which you can purchase on Surfshark's pricing page.

 

You will learn how to:

  1. Get your credentials
  2. Choose a Surfshark server
  3. Configure the OpenVPN client
  4. Ensure your connection is successful

 

Get your credentials


NOTE: These are not your regular credentials, such as your email and password.

  1. Enter the Surfshark login page and log in. Then, click on VPN > Manual Setup > Router > OpenVPN to generate your credentials.


  2. Once there, make sure that you are in the Credentials tab and click on Generate credentials.

    NOTE: Keep this tab open as we'll need it later.

 

Choose a Surfshark server

 

  1. Open the same page on another browser tab, go to the Locations tab, and locate the server that you wish to connect to.


  2. Click on the download icon to the right of the server name and click on Download UDP
     

 

Configure the OpenVPN client

 

  1. Access your pfSense admin panel via a browser and navigate to SystemCert. ManagerCAs.

  2. Press on the + Add button. Then, fill the fields out like this:

    Descriptive Name: Surfshark_VPN;
    Method: Import an existing Certificate Authority;
    Certificate data:
    -----BEGIN CERTIFICATE-----
    MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
    BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS
    b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE
    BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv
    b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEGMNj0aisM63o
    SkmVJyZPaYX7aPsZtzsxo6m6p5Wta3MGASoryRsBuRaH6VVa0fwbI1nw5ubyxkua
    Na4v3zHVwuSq6F1p8S811+1YP1av+jqDcMyojH0ujZSHIcb/i5LtaHNXBQ3qN48C
    c7sqBnTIIFpmb5HthQ/4pW+a82b1guM5dZHsh7q+LKQDIGmvtMtO1+NEnmj81BAp
    FayiaD1ggvwDI4x7o/Y3ksfWSCHnqXGyqzSFLh8QuQrTmWUm84YHGFxoI1/8AKdI
    yVoB6BjcaMKtKs/pbctk6vkzmYf0XmGovDKPQF6MwUekchLjB5gSBNnptSQ9kNgn
    TLqi0OpSwI6ixX52Ksva6UM8P01ZIhWZ6ua/T/tArgODy5JZMW+pQ1A6L0b7egIe
    ghpwKnPRG+5CzgO0J5UE6gv000mqbmC3CbiS8xi2xuNgruAyY2hUOoV9/BuBev8t
    tE5ZCsJH3YlG6NtbZ9hPc61GiBSx8NJnX5QHyCnfic/X87eST/amZsZCAOJ5v4EP
    SaKrItt+HrEFWZQIq4fJmHJNNbYvWzCE08AL+5/6Z+lxb/Bm3dapx2zdit3x2e+m
    iGHekuiE8lQWD0rXD4+T+nDRi3X+kyt8Ex/8qRiUfrisrSHFzVMRungIMGdO9O/z
    CINFrb7wahm4PqU2f12Z9TRCOTXciQIDAQABo1AwTjAdBgNVHQ4EFgQUYRpbQwyD
    ahLMN3F2ony3+UqOYOgwHwYDVR0jBBgwFoAUYRpbQwyDahLMN3F2ony3+UqOYOgw
    DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAn9zV7F/XVnFNZhHFrt0Z
    S1Yqz+qM9CojLmiyblMFh0p7t+Hh+VKVgMwrz0LwDH4UsOosXA28eJPmech6/bjf
    ymkoXISy/NUSTFpUChGO9RabGGxJsT4dugOw9MPaIVZffny4qYOc/rXDXDSfF2b+
    303lLPI43y9qoe0oyZ1vtk/UKG75FkWfFUogGNbpOkuz+et5Y0aIEiyg0yh6/l5Q
    5h8+yom0HZnREHhqieGbkaGKLkyu7zQ4D4tRK/mBhd8nv+09GtPEG+D5LPbabFVx
    KjBMP4Vp24WuSUOqcGSsURHevawPVBfgmsxf1UCjelaIwngdh6WfNCRXa5QQPQTK
    ubQvkvXONCDdhmdXQccnRX1nJWhPYi0onffvjsWUfztRypsKzX4dvM9k7xnIcGSG
    EnCC4RCgt1UiZIj7frcCMssbA6vJ9naM0s7JF7N3VKeHJtqe1OCRHMYnWUZt9vrq
    X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087
    FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC
    LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI
    623cSEC3Q3UZutsEm/UplsM=
    -----END CERTIFICATE-----

     

  3. Press Save at the bottom of the page.
    pfsense3.png

  4. Afterwards, navigate to VPN > OpenVPN > Clients and press +Add.
    pfsense4.png

  5. Fill in the fields as so:

    General Information

    Disable this client: Leave unchecked
    Server mode: Peer to Peer (SSL/TLS)
    Protocol: UDP on IPv4 only (you can also use TCP)
    Device mode: tun – Layer 3 Tunnel Mode
    Interface: WAN
    Local port: Leave blank
    Server host or address: The server hostname that you wish to connect to (refer to Choose a Surfshark server section in this article)
    Server port: 1194 (use 1443 if you use TCP)
    Proxy host or address: Leave blank
    Proxy port: Leave blank
    Proxy Authentication: None
    Description: Any name you like


    User Authentication Settings

    Username and Password: Surfshark service credentials (refer to Get your credentials section in this article)
    Authentication Retry: Leave unchecked


    pfsense5.png

    Cryptographic Settings

    TLS Configuration: Check
    Automatically generate a TLS Key: Uncheck
    TLS Key:

    -----BEGIN OpenVPN Static key V1-----
    b02cb1d7c6fee5d4f89b8de72b51a8d0
    c7b282631d6fc19be1df6ebae9e2779e
    6d9f097058a31c97f57f0c35526a44ae
    09a01d1284b50b954d9246725a1ead1f
    f224a102ed9ab3da0152a15525643b2e
    ee226c37041dc55539d475183b889a10
    e18bb94f079a4a49888da566b9978346
    0ece01daaf93548beea6c827d9674897
    e7279ff1a19cb092659e8c1860fbad0d
    b4ad0ad5732f1af4655dbd66214e552f
    04ed8fd0104e1d4bf99c249ac229ce16
    9d9ba22068c6c0ab742424760911d463
    6aafb4b85f0c952a9ce4275bc821391a
    a65fcd0d2394f006e3fba0fd34c4bc4a
    b260f4b45dec3285875589c97d3087c9
    134d3a3aa2f904512e85aa2dc2202498
    -----END OpenVPN Static key V1-----

    TLS Key Usage Mode: TLS Authentication
    Peer certificate authority: Surfshark_VPN
    Peer Certificate Revocation list: Do not define

    Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (NOTE: The numbers on your machine could be different)
    Encryption Algorithm: AES-256-GCM
    Enable NCP: Check
    NCP Algorithms: AES-256-GCM and AES-256-CBC
    Auth digest algorithm: SHA512 (512-bit)
    Hardware Crypto: No hardware crypto acceleration


    pfsense6.png

    Tunnel Settings:

    IPv4 tunnel network: Leave blank
    IPv6 tunnel network: Leave blank
    IPv4 remote network(s): Leave blank
    IPv6 remote network(s): Leave blank
    Limit outgoing bandwidth: Leave blank
    Compression: Omit Preference (Use OpenVPN Default)
    Topology: Subnet – One IP address per client in a common subnet
    Type-of-service: Leave unchecked
    Don’t pull routes: Uncheck
    Don’t add/remove routes: Leave unchecked


    pfsense7.png

    Advanced Configuration:

    Custom options: paste the contents below

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;

    UDP FAST I/O: Leave unchecked
    Send/Receive Buffer: Default
    Gateway creation: IPv4 only
    Verbosity level: 3 (recommended)

  6. Press Save at the bottom of the page and Apply changes at the top of the page.
    pfsense8.png

  7. Navigate to InterfacesInterface Assignments and add Surfshark VPN interface.
    pfsense9.png

  8. Press on OPT1 on the left of your assigned interface and fill in the following information:

    Enable: Check
    Description: Surfshark VPN
    MAC Address: Leave blank
    MTU: Leave blank
    MSS: Leave blank


    pfsense10.png

  9. Do not change anything else. Just scroll down to the bottom and press Save and Apply Changes.

  10. Navigate to ServicesDNS ResolverGeneral Settings

    Enable: Check
    Listen port: Leave as it already is
    Enable SSL/TLS Service: Uncheck
    SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (please note that the numbers on your machine could be different);
    SSL/TLS Listen Port: Leave as it already is
    Network Interfaces: All
    Outgoing Network Interfaces: Surfshark VPN
    System Domains Local Zone Type: Transparent
    DNSSEC: Uncheck
    DNS Query Forwarding: Check
    DHCP Registration: Check
    Static DHCP: Check

  11. Click Save and Apply Changes.
    pfsense11.png

  12. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

    ADVANCED PRIVACY OPTIONS

    Hide Identity: Check
    Hide Version: Check


    pfsense12.png

    ADVANCED RESOLVER OPTIONS

    Prefetch Support: Check
    Prefetch DNS Key Support: Check


    pfsense13.png

  13. Click Save and Apply changes.

  14. Navigate to FirewallNATOutbound and select Manual Outbound NAT rule generation.

  15. Press Save and Apply Changes. Then four rules will appear. Leave all rules untouched and add a new one.

    1. Select SurfsharkVPN as an Interface.
    2. Source: your LAN subnet.

    3. Click Save.
    pfsense14.png

  16. Navigate to FirewallRulesLAN and delete the IPv6 rule. Also, edit the IPv4 rule:

    1. Press on Display Advanced.
    2. Change Gateway to Surfshark VPN.
    3. Click Save and Apply Changes.
    pfsense15.png

    pfsense16.png

  17. Go to SystemGeneral SetupDNS Server Settings and fill in the following:

    DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
    DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4
    pfsense_new_dns.jpg

  18. Click Save.

  19. Navigate to StatusOpenVPN, and it should state that the service is up.

    pfsense18.png

 

Ensure the connection is successful

 

We always recommend checking if Surfshark VPN is working after setting it up for the first time. You can easily do it by performing Surfshark IP leak test and a DNS leak test. For your convenience, both are available on our website.



 

You may also be interested in:

Was this article helpful?
Thank you for your feedback!