
How to set up pfSense 2.4.4 with Surfshark

  1. To set up pfSense 2.4.4 with Surfshark over OpenVPN, open the pfSense web interface in a browser.

    Then navigate to System -> Cert. Manager -> CAs.

  2. Press the + Add button, then fill in the fields as follows:

    Descriptive Name: Surfshark_VPN
    Method: Import an existing Certificate Authority
    Certificate data: paste the Surfshark CA certificate in PEM format (the block that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----).


    Press Save at the bottom of the page.


  3. Afterwards, navigate to VPN -> OpenVPN -> Clients and press +Add.


  4. Fill in the fields:

    General Information:

    Disable this client: leave unchecked.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP on IPv4 only (you can also use TCP);
    Device mode: tun – Layer 3 Tunnel Mode;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: the hostname of the Surfshark server you want to connect to;
    Server port: 1194 (use 1443 if you use TCP);
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy Authentication: None;
    Description: Any name you like.

    User Authentication Settings:

    Username and Password: your Surfshark service credentials. You can find them here: https://account.surfshark.com/setup/manual.


    Authentication Retry: leave unchecked


    Cryptographic Settings:

    TLS Configuration: Check
    Automatically generate a TLS Key: Uncheck
    TLS Key: paste the Surfshark OpenVPN static key (the block that begins with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----).


    TLS Key Usage Mode: TLS Authentication
    Peer certificate authority: Surfshark_VPN;
    Peer Certificate Revocation list: do not define.

    Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    Encryption Algorithm: AES-256-GCM
    Enable NCP: Check.
    NCP Algorithms: AES-256-GCM and AES-256-CBC.
    Auth digest algorithm: SHA512 (512-bit)
    Hardware Crypto: No hardware crypto acceleration.


    Tunnel Settings:

    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network(s): leave blank;
    IPv6 remote network(s): leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: Omit Preference (Use OpenVPN Default);
    Topology: Subnet – One IP address per client in a common subnet
    Type-of-service: leave unchecked;
    Don’t pull routes: uncheck;
    Don’t add/remove routes: leave unchecked.


    Advanced Configuration:

    Custom options: paste the options below (pfSense separates directives in this field with semicolons):

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;

    UDP Fast I/O: leave unchecked;
    Send/Receive Buffer: Default;
    Gateway creation: IPv4 only;
    Verbosity level: 3 (recommended).

    Press Save at the bottom of the page and Apply changes at the top of the page.

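The GUI fields and Custom options in step 4 correspond to ordinary OpenVPN client directives. As an added example (not code from pfSense or Surfshark), the script below parses such a client profile and reports which of the guide's settings are missing or weakened: server certificate verification (ca plus remote-cert-tls server), the tls-auth key, the AES-256 ciphers, the SHA512 digest, and the 1194/UDP versus 1443/TCP port pairing. The hostname and file names in the sample profiles are placeholders.

```python
# Constructed sample: what the guide's step 4 fields plus "Custom options" amount to
# in OpenVPN syntax (the hostname is a placeholder, not a real Surfshark server).
GUIDE_CONFIG = """\
client
proto udp4
remote vpn-server.example 1194
remote-random
remote-cert-tls server
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
tls-auth ta.key 1
ca surfshark_ca.crt
auth-user-pass
reneg-sec 0
verb 3
"""
# The same profile with the guide's safeguards weakened (also constructed).
WEAK_CONFIG = (GUIDE_CONFIG.replace("remote-cert-tls server\n", "")
               .replace("cipher AES-256-GCM", "cipher BF-CBC")
               .replace("tls-auth ta.key 1\n", "").replace(" 1194", " 1443"))

def parse_ovpn(text):
    # Map each directive name to every argument list it appears with; skip comments.
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    # Return the guide settings the profile fails to meet (empty list means it passes).
    d = parse_ovpn(text)
    ciphers = {a[0] for a in d.get("cipher", []) if a}
    ciphers |= {c for a in d.get("ncp-ciphers", []) if a for c in a[0].split(":")}
    proto = d.get("proto", [["udp"]])[0][0]
    port = "1443" if proto.startswith("tcp") else "1194"  # guide: 1194 for UDP, 1443 for TCP
    checks = [
        (["server"] in d.get("remote-cert-tls", []),
         "remote-cert-tls server missing: any certificate signed by the CA would pass as the server"),
        ("ca" in d, "no ca directive: the server certificate cannot be verified"),
        ("tls-auth" in d or "tls-crypt" in d, "no tls-auth key: control channel is not HMAC-protected"),
        (["SHA512"] in d.get("auth", []), "auth digest is not SHA512"),
        (ciphers <= {"AES-256-GCM", "AES-256-CBC"}, f"cipher outside the guide's set: {sorted(ciphers)}"),
        (all(len(a) < 2 or a[1] == port for a in d.get("remote", [])),
         f"remote port should be {port} for {proto}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running audit(GUIDE_CONFIG) returns an empty list, while audit(WEAK_CONFIG) lists the four weakened settings.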

  5. Navigate to Interfaces -> Interface Assignments and Add Surfshark VPN interface.


  6. Click OPT1 (the interface name to the left of the newly assigned interface) and fill in the following information:

    Enable: check
    Description: Surfshark VPN
    MAC Address: leave blank
    MTU: leave blank
    MSS: leave blank


    Do not change anything else. Just scroll down to the bottom and press Save and Apply Changes.

  7. Navigate to Services -> DNS Resolver -> General Settings

    Enable: check
    Listen port: leave what it already is
    Enable SSL/TLS Service: uncheck
    SSL/TLS Certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    SSL/TLS Listen Port: leave what it already is
    Network Interfaces: All
    Outgoing Network Interfaces: Surfshark VPN
    System Domains Local Zone Type: Transparent
    DNSSEC: uncheck
    DNS Query Forwarding: check
    DHCP Registration: check
    Static DHCP: check

    Click Save and Apply Changes.


  8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

    ADVANCED PRIVACY OPTIONS:

    Hide Identity: check
    Hide Version: check

    ADVANCED RESOLVER OPTIONS:

    Prefetch Support: check
    Prefetch DNS Key Support: check


    Click Save and Apply changes.

  9. Navigate to Firewall -> NAT -> Outbound and select Manual Outbound NAT rule generation.

    Press Save and Apply Changes. Four rules will then appear. Leave all of them untouched and add a new one:

    9.1 Interface: select Surfshark VPN.
    9.2 Source: your LAN subnet.
    9.3 Click Save.


  10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Then edit the IPv4 rule:

    10.1 Press Display Advanced.
    10.2 Change Gateway to Surfshark VPN.
    10.3 Click Save and Apply Changes.


  11. Go to System -> General Setup -> DNS Server Settings and fill in:

    DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
    DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4


    Click Save.

  12. Now navigate to Status -> OpenVPN; it should state that the service is “up”.


That's it! You can now dive into the internet ocean protected by Surfshark!
