VPN SETUP FOR pfSense 2.3.3


We are going to  setup pfSense 2.3.3 with openvpn in a simple LAN and WAN environment, where WAN is connected to the internet, and LAN will be the OpenVPN connection.

We are using our German VPN as an example.

Create Certificate

Download our zip file with configs and certificates:  blackvpn_linux.zip (MD5) (SHA1)

The zip file contains various .conf files (which should NOT be used for pfSense) as well as a folder called “ssl”. Within that folder, there are two files we need:

ca.crt (Certification Authority certificate) and ta.key (Transport Layer Security key)

In pfSense, navigate to System > Cert Manager, and under the CAs tab, click the  + Add button to add a new CA.

Descriptive name: blackVPN CA

Certificate data: open ssl/ca.crt in a text editor, select all the text in the file and copy it to your clipboard, paste it into the box for the Certificate Data.

Click Save


Create OpenVPN Client

Go to VPN > OpenVPN, and click the Clients tab. Then click the  “+ Add”  button to add a new client.

Description: Descriptive name of the VPN (blackVPN Germany, for example)

Server host name resolution: check Infinitely resolve server

Server port: 443

Server host or address: Choose your server from the list below.  (vpn.blackvpn.de, for example)

blackVPN server list:

Also remember to fill in your blackVPN username and password.

Uncheck “Automatically generate a shared TLS authentication key”, which will reveal a Key box where you should paste in the content of ta.key

Key: Go back to the files you downloaded from blackVPN, open ssl/ta.key in a text editor, and copy its contents to your clipboard, then paste it in the Key box.

Peer Certificate Authority: set to “blackVPN CA” that we created earlier

Client Certificate:None (Username / Password required)

The Encryption Algorithm: AES-256-CBC

Auth Digest message digest algorithm: SHA512.

Compression: Enabled with adaptive compression.

Disable IPv6: Checked
Don’t pull routes: Checked
In the  custom options we can  add a local verify-x509-name check (this is optional)

Custom options: Choose your server name from the list below.  (‘verify-x509-name de name’, example for Germany)

Australia: au
Brazil: br
Canada: canada
Czech Republic: cz
Estonia: estonia
France: fr
Germany: de
Japan: jp
Lithuania: lt
Luxembourg: lux
Netherlands: nl
Norway: no
Romania: ro
Russia: ru
Spain: es
Switzerland: ch
Ukraine: ua
UK: uk
USA Central/East/West: usa


Click save. This will start the VPN in the background.


To confirm that is happening in pfSense, go to Status > System Logs, and click the OpenVPN tab.

The word you’re looking for are “Initialization Sequence Completed”, and the full log should look something like this:

Create Interface

You should do this after the VPN connection has been successfully established.

Navigate to  Interfaces -> (assign)

Available network ports: select “ovpnc1(blackVPN Germany)”. Click the “+ Add” button to add the interface.

The new interface will be named “OPT1”,  Click on “Interfaces > OPT1” to edit the interface.

Enable: check
IPv4 Configuration Type: DHCP

Click Save and Apply Changes.

Dns Resolver

Navigate to Services -> DNS Resolver -> General Settings

Enable: check
Network Interfaces: All
Outgoing Network Interfaces: BLACK
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: uncheck
DHCP Registration: check
Static DHCP: check

Click Save.

While in DNS Resolver, select Advanced Settings.

Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Harden DNSSEC Data: uncheck

Click Save and Apply Changes.


First we are going to automatically create a set of rules, which we can then edit.

Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”.

Press Save and then Apply Changes in the top of screen.

4 rules is now created like below:

We now need to edit each of the rules and change the Interface to OpenVPN on all the 4 rules.

Press the “edit pen” button on the first entry in the list.

Interface: OpenVPN

Repeat this process for each of the 3 rules.

In  the end all the rules should have OpenVPN Address as NAT Address, and it should look similar like below:

Now click Apply changes  at the top of the page

Go to Firewall -> Rules -> LAN

Add a new rule by clicking on the “Add”(add top of list) button:

Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: any

Click on Display Advanced and only change:
Gateway: BLACK_DHCP-…

Click Save and Apply Settings

The screen should look something like this:

Preventing Traffic Leaks

To prevent traffic leaks, we will make the VPN Gateway the default route.

Go to System -> Routing -> Gateways

Edit the VPN gateway BLACK_DHCP-, by clicking on the Pen button.


Default Gateway: checked

Save, and then click “Apply Changes.”

The Gateway list should look something like this:

DNS Settings

Since BLACK_DHCP-… is the default gateway, me must specify a WAN DNS that is public.
We use (censurfridns.dk) but you can off course use another reliable third-party DNS server. is the DNS server on the VPN.

Go to System -> General Setup.

DNS Server 1: ; WAN_DHCP-…
DNS Server 2: ; BLACK_DHCP-…

DNS Server Override: uncheck

Disable DNS Forwarder: check

Save and Apply Settings

DHCP Settings

If you use a DHCP Server on the LAN interface to share the openvpn connection, you must add DNS to it. (Prevents DNSLeaks)

Go to Services -> DHCP Server -> Lan

DNS servers:

Save and we are done!

Go to Status -> OpenVPN and restart OpenVPN by pressing the restart button.

That should be it. Give it a minute and it should work.


If no site loads, open a terminal and ping a reliable site like If you get no response.

If Status -> OpenVPN shows that the link is up, and you can ping Internet sites, it’s probably DNS resolution that is the problem.

Recheck the DNS server(s) specified in Services->DHCP Server and  System -> General Setup.