How to Set Up and Use NordVPN on pfSense (Updated 2024)
pfSense is an open-source software distribution that can turn a computer into a dedicated router/firewall. It usually operates on a virtual machine or a dedicated physical computer. It is FreeBSD-based, which means it belongs to the family Unix-like BSD distribution. Using a VPN on pfSense enhances its abilities to protect your devices. This article takes a deep dive into configuring NordVPN on pfSense.
Setting Up NordVPN on pfSense
pfSense has different versions, but the latest one is the 2.5.0 version. This new version has an in-built WireGuard VPN client. Unfortunately, NordVPN’s proprietary WireGuard-based protocol is not available for routers. So this setup involves using the OpenVPN protocol to connect to NordVPN’s servers. Let’s take a look at the step-by-step process you need to follow.
1. Open a browser window and log in to your pfSense account with your credentials. The default is usually “admin” for the username and “pfsense” for the password. Reach out to pfSense support or check your user manual if that doesn’t work.
2. Navigate to the certificate authority section through the following path: System > Certificate Manager > CAs. Once you’re in the CA section, click “+Add.”
3. You’re going to need the name of the server in the next steps. So head over to NordVPN’s OpenVPN configurations page and note the name of the server you intend to use or let NordVPN recommend a server for you.
4. Go back to your pfSense page and input the following in their respective fields:
Descriptive Name: NordVPN_CA (this is for this guide, you can use any name)
Method: Import an existing Certificate Authority
Trust Store: Uncheck this box
Randomize Serial: Uncheck this box
Certificate data: copy and paste the data below.
—–BEGIN CERTIFICATE—–
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
—–END CERTIFICATE—–
Click on “Save” to save the configuration.
5. Now go to VPN > OpenVPN > Clients and click on “+Add.”
6. Enter the following in their respective fields:
Disable this client: Uncheck this box.
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only (you can also use TCP)
Device mode: tun – Layer 3 Tunnel Mode
Interface: WAN
Local port: Leave box unchecked
Server host or address: the hostname of the server you selected in step 3 above
Server port: 1194 (use 443 if you use TCP)
Proxy host or address: Leave box unchecked
Proxy port: Leave box unchecked
Proxy Authentication: none
Description: Input any descriptive name of your choice.
7. In the “User Authentication Settings” section, input the following:
Username: Your NordVPN service username
Password: Your NordVPN service password in both fields
Authentication Retry: leave box unchecked
If you don’t know your NordVPN service credentials, you can find them in your NordAccount dashboard under “Advanced configuration.”
8. In the “Cryptographic Settings” section, input the following:
TLS Configuration: Use a TLS Key – Check this box; Automatically generate a TLS key – Uncheck this box
TLS Key: Copy and paste the data below
—–BEGIN OpenVPN Static key V1—–
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
—–END OpenVPN Static key V1—–
TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Use default direction
Peer certificate authority: NordVPN_CA (the CA in step 4 above)
Peer Certificate Revocation list: Do not define
Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use). It is important to note that the numbers on your machine might not be the same.
Data Encryption Negotiation: Check this box
Data Encryption Algorithms: AES-256-GCM and AES-256-CBC
Fallback Data Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No Hardware Crypto Acceleration
9. In the “Tunnel Settings” section, input the following:
IPv4 tunnel network: Leave blank
IPv6 tunnel network: Leave blank
IPv4 remote network(s): Leave blank
IPv6 remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Allow Compression: Refuse any non-stub compression (Most Secure)
Topology: Subnet – One IP address per client in a common subnet
Type-of-Service: Uncheck this box
Don’t pull routes: Uncheck this box
Don’t add/remove routes: Check this box
10. In the “Advanced Configuration” section, input the following:
Custom Options: Copy and paste the data below
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
UDP FAST I/O: Uncheck this box
Exit Notify: Disabled
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: 3 (recommended)
11. Now go to Interfaces > Interface Assignments. Click on the green “+Add” button to add the NordVPN interface.
12. Select the “OPT1” on the left of your assigned interface input the following in their respective fields:
Enable: Check this box
Description: NordVPN
Mac Address: Leave blank
MTU: Leave blank
MSS: Leave blank
13. Leave everything else and select “Save.”
14. Go to Services -> DNS Resolver -> General Settings and input the following in their respective fields and select “Save”:
Enable: Check this box
Listen port: Ignore this field
Enable SSL/TLS Service: Uncheck this box
SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use). It is important to note that the numbers on your machine might not be the same
SSL/TLS Listen Port: Ignore this field
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: Uncheck this box
Python Module: Uncheck this box
DNS Query Forwarding: Enable forwarding mode – Check this box; Use SSL/TLS for outgoing DNS Queries to Forwarding Servers – Uncheck this box
DHCP Registration: Check this box
Static DHCP: Check this box
OpenVPN Clients: Uncheck this box
15. At the top of “General DNS Resolver Options,” click “Advanced Settings” and input the following in their respective fields and click “Save”:
ADVANCED PRIVACY OPTIONS:
Hide Identity: Check this box
Hide Version: Check this box
Query Name Minimization: Uncheck this box
Strict Query Name Minimization: Uncheck this box
ADVANCED RESOLVER OPTIONS:
Prefetch Support: Check this box
Prefetch DNS Key Support: Check this box
Harden DNSSEC Data: Uncheck this box
16. Go to Firewall > NAT > Outbound, click “Manual Outbound NAT rule generation,” and select “Save.” You will see six rules. Delete every IPv6 rule, add a new one with the following and click “Save”:
Interface: NordVPN
Address Family: IPv4
Source: Input your LAN subnet (something like 192.168.1.0/24)
Note the NAT rule you just created must be on top.
17. Go to Firewall > Rules > LAN and remove the IPv6 rule. Edit the IPv4 rule by clicking on “Display Advanced” and changing “Gateway” to “NordVPN.” Click “Save” after.
18. Head over to “System > General Setup.” Under “DNS Server Settings,” enter the following in their respective fields and click “Save”:
DNS Server 1: 103.86.96.100; none (under “Gateway”)
DNS Server 2: 103.86.99.100; NordVPN_VPNV4 – opt1 – … (under “Gateway”)
19. Now go to Status > OpenVPN and check to see if the connection is up and running. You can also look at your connection log file by navigating to Status > System Logs > OpenVPN.
You can confirm that your VPN connection is active by checking your connection’s IP address to see if it has changed.
Get NordVPN for pfSense
Why Should You Use NordVPN For pfSense?
1. Security and Privacy
NordVPN’s security structure consists of basic and advanced features. It uses the OpenVPN protocol, which is one of the most secure and reliable VPN protocols. Using 256-bit encryption is an effective way to discourage malicious entities from trying to access your data, and NordVPN uses it to protect your network connection. There is also a perfect forward secrecy feature that makes it even more difficult to penetrate your network.
Other important security features include an automatic Kill Switch, Split Tunneling, DNS/IP leak protection, Onion over VPN, DoubleVPN, and CyberSec (an adblocker). Privacy is also its strong point as it keeps no logs, has a cryptocurrency payment method, and has its headquarters in privacy-friendly Panama. Overall, NordVPN provides adequate protection when it comes to privacy and security.
2. Bypass Geo-Restrictions
NordVPN’s impressive server network is the reason why its users can confidently access several streaming platforms without facing any barriers online. It can unblock almost every mainstream streaming service, including Netflix, BBC iPlayer, ESPN, Amazon Prime Video, and Hulu.
3. Reliable Customer Support
Nobody wants to be stuck on a problem and have no one around to help. This is why NordVPN invests in delivering the best support to its users. If you have any issues setting it up on pfSense, you can access a 24/7 live chat system, a ticketing system, FAQs, and a support center with instructional guides.
Frequently Asked Questions on Setting up and Using NordVPN on Pfsense
Will using NordVPN on Pfsense make me completely anonymous online?
No, there is nothing that can make you completely anonymous online, except you isolate your computer and not connect to the internet. While you cannot achieve a hundred percent anonymity, NordVPN has privacy features that can give you a high level of anonymity, such as Double VPN, Tor over VPN, and a watertight zero-log policy. In addition, its headquarters is in Panama, a privacy-friendly territory. So, using NordVPN on Pfsense will not make you completely anonymous, but it will do a good job of reducing your digital footprint online and making it harder for bad actors to track you.
Can I use a free VPN instead of NordVPN on Pfsense?
Yes, you can use a free VPN instead of NordVPN on Pfsense, but we recommend you stick with NordVPN. With free VPNs, you run the risk of malware infection as some of them have been discovered on Google PlayStore to spread malware. In addition, you will discover there are not many VPNs that can work on Pfsense because of its complex configuration process. Furthermore, almost all free VPN services have limitations on speed, bandwidth, server network, etc. Using NordVPN on Pfsense is way better than using the best free VPN service.
Will using NordVPN on Pfsense protect me against malware?
It depends on the sophistication of malware. NordVPN can never be an alternative to an anti-malware application. The best NordVPN can do is protect you from basic network threats that look to infiltrate your network or ads that contain malware. Its CyberSec feature blocks unwanted ads and known malicious sites. It cannot prevent advanced malware with sophisticated techniques. It is better to get a standalone anti-malware software than depend on NordVPN for protection.
Is it illegal to use NordVPN on Pfsense?
It is certainly not illegal to use NordVPN on Pfsense or any other device. NordVPN is an application meant to keep your internet connection secure, and many countries have no issues with it. However, there are a few countries that work relentlessly against VPNs. You might have to be careful in such countries.
Conclusion
Setting up NordVPN on pfSense is not an easy process, but if you follow the instructions in this guide accurately, you should have no issues with it. In terms of security, privacy, unblocking streaming platforms, and reliable support, you stand to gain a lot using NordVPN on pfSense.