VPN SETUP FOR pfSense
2. That zip file contains various .conf files (which should NOT be used for pfSense – create your own via the GUI instead) as well as a folder called “ssl”. Within that folder, there are two files: ca.crt (Certification Authority certificate), and ta.key (Transport Layer Security key). We’ll need ta.key in a minute, but let’s start with ca.crt. First of all, open it in a text editor. Select all the text in the file and copy it to your clipboard. Then, in pfSense, go to System > Cert Manager, and under the CAs tab, click the plus button to add a new CA. Add a descriptive name for the CA (“blackVPN CA”, for example), and paste the text for the CA into the box for the certificate data as follows and click save:
3. Go to VPN > OpenVPN, and click the Client tab. Then click the plus button to add a new client.
The top half of the dialog should look like this (I’ve chosen the Estonia server, but you can use whichever blackVPN server you like):
blackVPN server list:
Fill in your blackVPN username and password.
To fill in the TLS key under Cryptographic Settings, you’re going to need to go back to the files you downloaded from blackVPN. Open ta.key in a text editor, and copy its contents to your clipboard. In order to enter the TLS key, you need to uncheck “Automatically generate a shared TLS authentication key”, which will reveal a text box for you to paste in the TLS key.
Peer Certificate Authority is set to be “blackVPN CA” (or whatever you named it in step 2 above).
Change the Encryption Algorithm to AES-256-CBC and the Auth Digest Algorithm to SHA512.
In the advanced setting you need to specify the tls-remote of the server.
Choose the tls-remote of your server from the list below.
Having entered all the details above, click save. This will start the VPN in the background.
To confirm what’s happening in pfSense, go to Status > System Logs, and click the OpenVPN tab.
The words you’re looking for are “Initialization Sequence Completed”, and the full log should look something like this:
4. Create the interface. Do this only after the VPN connection has been successfully established.
Click “Interfaces/(assign)”, then under “Available network ports:” select “ovpnc1(blackVPN Estonia)”. Click the “+” symbol to add the interface.
5. NAT settings.
Click “Firewall/NAT/Outbound tab”.
First, change to Manual Outbound NAT rule generation (AON – Advanced Outbound NAT).
Then duplicate each rule, changing the interface from WAN to the blackVPN one.
Start with the first rule by clicking the plus sign immediately to the right of the line to “add a new NAT based on this one”.
Change Interface to the blackVPN one and add a custom Description if you like.
Now click “Save”.
Repeat this process for each of the other rules.
Now click “Apply changes” at the top of the page.
That screen should subsequently look something like above.
7. That should be it. Give it a minute, then confirm that your IP address is reported as being one of BlackVPN’s by going to http://www.whatsmyip.org.
Alternatively, blackVPN’s home page will tell you where it thinks you are: https://www.blackvpn.com.
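The log check from step 3, as an added example that is not part of the original guide: shell functions that classify the latest state in an OpenVPN client log and point back to the setting in this guide most likely to be wrong. The function names and the sample log lines are constructed for illustration; the matched strings are standard OpenVPN client log messages.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads an OpenVPN client log on
# stdin and prints one verdict; the last significant event in the log wins.
classify_openvpn_log() {
    awk '
        /Initialization Sequence Completed/  { v = "connected" }
        /AUTH_FAILED/                        { v = "bad_credentials" }
        /packet HMAC authentication failed/  { v = "hmac_mismatch" }
        /VERIFY X509NAME ERROR/              { v = "tls_remote_mismatch" }
        /VERIFY ERROR/                       { v = "ca_mismatch" }
        /TLS key negotiation failed/         { v = "no_handshake" }
        END { print (v == "" ? "incomplete" : v) }
    '
}

# Map a verdict to the setting from this guide to re-check.
hint_for() {
    case "$1" in
        connected)           echo "tunnel is up; continue with the interface and NAT steps" ;;
        bad_credentials)     echo "re-enter the blackVPN username and password" ;;
        hmac_mismatch)       echo "re-paste ta.key and confirm Auth Digest is SHA512" ;;
        tls_remote_mismatch) echo "tls-remote does not match the server certificate name" ;;
        ca_mismatch)         echo "re-paste ca.crt and check Peer Certificate Authority" ;;
        no_handshake)        echo "no TLS reply: check server address and port, then ta.key" ;;
        *)                   echo "no final state logged yet; wait and re-read the log" ;;
    esac
}

# Constructed sample: a failed attempt (wrong tls-remote) followed by a good one.
SAMPLE_LOG='Jan 10 12:00:01 openvpn[1234]: VERIFY X509NAME ERROR: CN=constructed-a.example, must be constructed-b.example
Jan 10 12:00:01 openvpn[1234]: TLS Error: TLS handshake failed
Jan 10 12:01:07 openvpn[1234]: VERIFY OK: depth=0, CN=constructed-b.example
Jan 10 12:01:09 openvpn[1234]: Initialization Sequence Completed'

verdict=$(printf '%s\n' "$SAMPLE_LOG" | classify_openvpn_log)
echo "$verdict: $(hint_for "$verdict")"
```

Paste the text from the OpenVPN tab under Status > System Logs into a file and pipe it to `classify_openvpn_log` in place of the sample.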