How to set up pfSense 2.4.4 with Surfshark

This tutorial will show you how to configure a Surfshark VPN tunnel on your pfSense 2.4.4 router.

You will learn how to:

• Find your login details 
• Choose a Surfshark server
• Configure the OpenVPN client

To proceed, you need to have a router with pfSense firmware version 2.4.4 or higher and an active Surfshark subscription, which you can purchase on our pricing page.

Find your login details

Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password. You’ll need Surfshark service credentials to connect to the VPN using the manual OpenVPN configuration method explained below.

Here is how you can get your Surfshark service credentials:

1. Go to this page, where you will find all of the details required for a manual connection.
   
   You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.
   
   
2. Click on the Credentials tab at the top. You will find the Surfshark service credentials here.
   
   
   
   It's a good idea to keep this page open for now. You will need these credentials a bit later.

Choose a Surfshark server

Every server (location) has a configuration file that you will need to connect to the VPN. You can download all of the configuration files from our website.

1. Go to this page. It’s the same page where the Surfshark service credentials are stored.
   
   
2. Select the Locations tab, where you will see all of the Surfshark servers. 
   
   
   
   
3. You will need an OpenVPN configuration file for the location of your choice. For example, if you wish to connect to Germany, download Germany - Berlin or Germany - Nuernberg server by clicking on the location and then on UDP to download the configuration file. 
   
   
   
   You will need the hostname of the VPN server. You can find the hostname below the flag icon of each location.

Configure the OpenVPN client

1. To set up pfSense 2.4.4 with OpenVPN, access your pfSense admin panel via a browser.
   
   Then navigate to System > Cert. Manager > CAs.
   
   

2. Press on the + Add button. Then fill the fields out like this:

   Descriptive Name: Surfshark_VPN;
   Method: Import an existing Certificate Authority;
   Certificate data:

   -----BEGIN CERTIFICATE-----
   MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
   BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS
   b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE
   BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv
   b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEGMNj0aisM63o
   SkmVJyZPaYX7aPsZtzsxo6m6p5Wta3MGASoryRsBuRaH6VVa0fwbI1nw5ubyxkua
   Na4v3zHVwuSq6F1p8S811+1YP1av+jqDcMyojH0ujZSHIcb/i5LtaHNXBQ3qN48C
   c7sqBnTIIFpmb5HthQ/4pW+a82b1guM5dZHsh7q+LKQDIGmvtMtO1+NEnmj81BAp
   FayiaD1ggvwDI4x7o/Y3ksfWSCHnqXGyqzSFLh8QuQrTmWUm84YHGFxoI1/8AKdI
   yVoB6BjcaMKtKs/pbctk6vkzmYf0XmGovDKPQF6MwUekchLjB5gSBNnptSQ9kNgn
   TLqi0OpSwI6ixX52Ksva6UM8P01ZIhWZ6ua/T/tArgODy5JZMW+pQ1A6L0b7egIe
   ghpwKnPRG+5CzgO0J5UE6gv000mqbmC3CbiS8xi2xuNgruAyY2hUOoV9/BuBev8t
   tE5ZCsJH3YlG6NtbZ9hPc61GiBSx8NJnX5QHyCnfic/X87eST/amZsZCAOJ5v4EP
   SaKrItt+HrEFWZQIq4fJmHJNNbYvWzCE08AL+5/6Z+lxb/Bm3dapx2zdit3x2e+m
   iGHekuiE8lQWD0rXD4+T+nDRi3X+kyt8Ex/8qRiUfrisrSHFzVMRungIMGdO9O/z
   CINFrb7wahm4PqU2f12Z9TRCOTXciQIDAQABo1AwTjAdBgNVHQ4EFgQUYRpbQwyD
   ahLMN3F2ony3+UqOYOgwHwYDVR0jBBgwFoAUYRpbQwyDahLMN3F2ony3+UqOYOgw
   DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAn9zV7F/XVnFNZhHFrt0Z
   S1Yqz+qM9CojLmiyblMFh0p7t+Hh+VKVgMwrz0LwDH4UsOosXA28eJPmech6/bjf
   ymkoXISy/NUSTFpUChGO9RabGGxJsT4dugOw9MPaIVZffny4qYOc/rXDXDSfF2b+
   303lLPI43y9qoe0oyZ1vtk/UKG75FkWfFUogGNbpOkuz+et5Y0aIEiyg0yh6/l5Q
   5h8+yom0HZnREHhqieGbkaGKLkyu7zQ4D4tRK/mBhd8nv+09GtPEG+D5LPbabFVx
   KjBMP4Vp24WuSUOqcGSsURHevawPVBfgmsxf1UCjelaIwngdh6WfNCRXa5QQPQTK
   ubQvkvXONCDdhmdXQccnRX1nJWhPYi0onffvjsWUfztRypsKzX4dvM9k7xnIcGSG
   EnCC4RCgt1UiZIj7frcCMssbA6vJ9naM0s7JF7N3VKeHJtqe1OCRHMYnWUZt9vrq
   X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087
   FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC
   LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI
   623cSEC3Q3UZutsEm/UplsM=
   -----END CERTIFICATE-----

   
   Press Save at the bottom of the page.
   
   
   
   

3. Afterwards, navigate to VPN > OpenVPN > Clients and press +Add.
   
   
   
   
4. Fill in the fields as so:
   
   General Information:
   
   Disable this client: leave unchecked;
   Server mode: Peer to Peer (SSL/TLS);
   Protocol: UDP on IPv4 only (you can also use TCP);
   Device mode: tun – Layer 3 Tunnel Mode;
   Interface: WAN;
   Local port: leave blank;
   Server host or address: The server hostname that you wish to connect to (from the Choose a Surfshark server step); 
   Server port: 1194 (use 1443 if you use TCP);
   Proxy host or address: leave blank;
   Proxy port: leave blank;
   Proxy Authentication: None;
   Description: Any name you like.
   
   User Authentication Settings:
   
   Username and Password: Surfshark service credentials from the Find your login details step.
   
   Authentication Retry: leave unchecked
   
   
   
   Cryptographic Settings:
   
   

   TLS Configuration: Check;
   Automatically generate a TLS Key: Uncheck;
   TLS Key:

   -----BEGIN OpenVPN Static key V1-----
   b02cb1d7c6fee5d4f89b8de72b51a8d0
   c7b282631d6fc19be1df6ebae9e2779e
   6d9f097058a31c97f57f0c35526a44ae
   09a01d1284b50b954d9246725a1ead1f
   f224a102ed9ab3da0152a15525643b2e
   ee226c37041dc55539d475183b889a10
   e18bb94f079a4a49888da566b9978346
   0ece01daaf93548beea6c827d9674897
   e7279ff1a19cb092659e8c1860fbad0d
   b4ad0ad5732f1af4655dbd66214e552f
   04ed8fd0104e1d4bf99c249ac229ce16
   9d9ba22068c6c0ab742424760911d463
   6aafb4b85f0c952a9ce4275bc821391a
   a65fcd0d2394f006e3fba0fd34c4bc4a
   b260f4b45dec3285875589c97d3087c9
   134d3a3aa2f904512e85aa2dc2202498
   -----END OpenVPN Static key V1-----

   TLS Key Usage Mode: TLS Authentication;
   Peer certificate authority: Surfshark_VPN;
   Peer Certificate Revocation list: do not define;

   Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
   Encryption Algorithm: AES-256-GCM;
   Enable NCP: Check;
   NCP Algorithms: AES-256-GCM and AES-256-CBC;
   Auth digest algorithm: SHA512 (512-bit);
   Hardware Crypto: No hardware crypto acceleration.

   
   
   
   Tunnel Settings:
   
   IPv4 tunnel network: leave blank;
   IPv6 tunnel network: leave blank;
   IPv4 remote network(s): leave blank;
   IPv6 remote network(s): leave blank;
   Limit outgoing bandwidth: leave blank;
   Compression: Omit Preference (Use OpenVPN Default);
   Topology: Subnet – One IP address per client in a common subnet
   Type-of-service: leave unchecked;
   Don’t pull routes: uncheck;
   Don’t add/remove routes: leave unchecked.
   
   
   
   Advanced Configuration:
   
   Custom options: paste the contents below
   

   tls-client;
   remote-random;
   tun-mtu 1500;
   tun-mtu-extra 32;
   mssfix 1450;
   persist-key;
   persist-tun;
   reneg-sec 0;
   remote-cert-tls server;

   UDP FAST I/O: leave unchecked;
   Send/Receive Buffer: Default;
   Gateway creation: IPv4 only;
   Verbosity level: 3 (recommended).
   
   Press Save at the bottom of the page and Apply changes at the top of the page.
   
   
   
   
5. Navigate to Interfaces > Interface Assignments and add Surfshark VPN interface.
   
   
   
   
6. Press on OPT1 on the left of your assigned interface and fill in the following information:
   
   Enable: check;
   Description: Surfshark VPN;
   MAC Address: leave blank;
   MTU: leave blank;
   MSS: leave blank.
   
   
   
   Do not change anything else. Just scroll down to the bottom and press Save and Apply Changes.
   
   
7. Navigate to Services > DNS Resolver > General Settings
   

   Enable: check;
   Listen port: leave as it already is;
   Enable SSL/TLS Service: uncheck;
   SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use) (please note that the numbers on your machine could be different);
   SSL/TLS Listen Port: leave as it already is;
   Network Interfaces: All;
   Outgoing Network Interfaces: Surfshark VPN;
   System Domains Local Zone Type: Transparent;
   DNSSEC: uncheck;
   DNS Query Forwarding: check;
   DHCP Registration: check;
   Static DHCP: check.

   Click Save and Apply Changes.
   
   
   
   

8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

   ADVANCED PRIVACY OPTIONS:

   Hide Identity: check;
   Hide Version: check;

   ADVANCED RESOLVER OPTIONS:

   Prefetch Support: check;
   Prefetch DNS Key Support: check;
   
   
   
   
   
   Click Save and Apply changes.
   
   

9. Navigate to Firewall > NAT > Outbound and select Manual Outbound NAT rule generation.
   
   Press Save and Apply Changes. Then four rules will appear. Leave all rules untouched and add a new one.
   
   1. Select SurfsharkVPN as an Interface.
   2. Source: your LAN subnet.
   3. Click Save.
   
   
   
   
10. Navigate to Firewall > Rules > LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
    
    1. Press on Display Advanced.
    2. Change Gateway to Surfshark VPN.
    3. Click Save and Apply Changes.
    
    
    
    
    
    
11. Go to System > General Setup > DNS Server Settings and fill in:
    
    DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
    DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4
    
    
    
    Click Save.
    
    
12. Now you can navigate to Status > OpenVPN, and it should state that the service is up.
    
    

Congratulations - you have successfully installed and configured Surfshark VPN on your router! As long as you’re connected, your location is private, and your sensitive data is secure.

You may also be interested in:

• How to make sure my connection was successful?
• How to enable 2FA on your Surfshark account?
• How to set up a VPN-protected Wi-Fi hotspot using Windows?