How to Setup and Use NordVPN on pfSense

Since 2004, pfSense has taken the world by storm as an open-source router. It allows you to enjoy a fully-customized secure experience either at work or at home. However, to maximize your internet experience on your pfSense, you need a VPN. 

NordVPN, a Panama-based company with over 12 million subscribers, is among the best choices. But if you’re new to setting up VPNs on routers, you might have a little trouble setting up NordVPN on your pfSense. Don’t stress; this guide will teach you all you need to know about how it’s done. But first, why NordVPN?

Why you should choose NordVPN

  1. NordVPN offers you military-grade security with its 256-bit key encryption. Also, with its Double VPN and CyberSec features, you’re safe from hackers and other internet malware.
  2. It has over 5800 servers in 59 countries that allow you to bypass geo-restrictions.
  3. NordVPN ensures your privacy with its kill switch, leak protection, and strict no-logs policy.
  4. NordVPN has a robust VPN infrastructure that enables you to enjoy lightning speed.
  5. 24/7 customer support in case you have any issues.
  6. It’s cost-effective and offers you a 30-day money-back guarantee if you’re not satisfied. You can purchase a 3-year plan at $3.49/month, a 2-year plan at $4.99/month, a 1-year plan at $6.99/month, or a one-month plan at $11.95.

How to install NordVPN on pfSense

Since your pfSense supports OpenVPN, here’s how to set up NordVPN with OpenVPN on it. 

Step 1: Sign in to your pfSense account on your browser.

Step 2: Select System -> Certificate Manager, then select CAs.

Step 3: Connect to any of the servers suggested by NordVPN by clicking +Add. After this, input the following:

  • Descriptive Name: Enter your preferred server’s name. You should find the server hostname under the server title.
  • Method: Import an existing Certificate Authority
  • Certificate data: Copy and paste the NordVPN CA certificate (the full block from the BEGIN CERTIFICATE line to the END CERTIFICATE line), then click Save

Step 4: Navigate to the VPN -> OpenVPN and select Clients.

Step 5: Select the +Add bar and enter the following.

  • Disable this client: Don’t check “✔️.”
  • Server mode: Peer to Peer (SSL/TLS)
  • Protocol: UDP on IPv4 only (you can also use TCP)
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local port: leave empty
  • Server host or address: Input your server’s address from step 3 above
  • Server port: 1194 (use 443 if you use TCP)
  • Proxy host or address: leave empty
  • Proxy port: leave empty
  • Proxy Authentication: None
  • Description: Any name you like.

Step 6: Enter the following under User Authentication Settings.

  • Username: Your NordVPN username
  • Password: Your NordVPN password in both fields.
  • Authentication Retry: Don’t check “✔️.”

Step 7: Enter the following under Cryptographic Settings.

  • TLS Configuration: Check “✔️.”
  • TLS Key: Copy and paste the NordVPN OpenVPN static key, including its BEGIN and END lines

  • TLS Key Usage Mode: TLS Authentication
  • Peer certificate authority: Enter the descriptive name in Step 3 above
  • Peer Certificate Revocation list: Do not define.
  • Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use). Note that the numbers on your system may be different.
  • Encryption Algorithm: AES-256-GCM
  • Enable NCP: Check “✔️.”
  • NCP Algorithms: AES-256-GCM and AES-256-CBC.
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: No hardware crypto acceleration.

Step 8: Enter the following under Tunnel Settings.

  • IPv4 tunnel network: leave empty
  • IPv6 tunnel network: leave empty
  • IPv4 remote network(s): leave empty
  • IPv6 remote network(s): leave empty
  • Limit outgoing bandwidth: leave empty
  • Compression: No LZO Compression [Legacy style, comp-lzo no]
  • Topology: Subnet – One IP address per client in a common subnet
  • Type-of-service: Don’t check “✔️.”
  • Don’t pull routes: Don’t check “✔️.”
  • Don’t add/remove routes: Check “✔️.”

Step 9: Enter the following under Advanced Configuration.

  • Custom Options: Copy and paste the following

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

  • UDP FAST I/O: Don’t check “✔️.”
  • Send/Receive Buffer: Default
  • Gateway creation: Check IPv4 only
  • Verbosity level: 3 (recommended)

Step 10: Click Interfaces -> Interfaces Assignments. After this, select Add to add the NordVPN interface.

Step 11: Select OPT1 to the left of your assigned interface. After this, enter the details below and click Save.

  • Enable: Check “✔️.”
  • Description: NordVPN
  • MAC Address: leave empty
  • MTU: leave empty

Step 12: Navigate to Services -> DNS Resolver, then click on General Settings. Afterwards, enter the information below and click Save.

  • Enable: Check “✔️.”
  • Listen port: Skip this field
  • Enable SSL/TLS Service: Don’t check “✔️.”
  • SSL/TLS Certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use). Note that the numbers on your system may be different.
  • SSL/TLS Listen Port: Skip this field
  • Network Interfaces: All
  • Outgoing Network Interfaces: NordVPN
  • System Domains Local Zone Type: Transparent
  • DNSSEC: Don’t check “✔️.”
  • DNS Query Forwarding: Check “✔️.”
  • DHCP Registration: Check “✔️.”
  • Static DHCP: Check “✔️.”

Step 13: Select Advanced Settings at the top of the DNS Resolver bar. After this, enter the following and click Save:

Advanced Privacy Options

  • Hide Identity: Check “✔️.”
  • Hide Version: Check “✔️.”

Advanced Resolver Options

  • Prefetch Support: Check “✔️.”
  • Prefetch DNS Key Support: Check “✔️.”

Step 14: Go to Firewall -> NAT -> Outbound, select Manual Outbound NAT rule generation, and then click Save. Four rules should appear; leave those rules as they are and add a new rule:

  • Select NordVPN as an Interface
  • Source: choose your LAN subnet
  • Click Save

Step 15: Go to Firewall -> Rules -> LAN and delete the IPv6 rule. Afterwards, edit the IPv4 rule by selecting Show Advanced Options. Then change the Gateway to NordVPN and click Save.

Step 16: Go to System -> General Setup, fill in the following, and click Save.

  • DNS Server 1: 103.86.96.100; gateway: none
  • DNS Server 2: 103.86.99.100; gateway: NordVPN_VPNV4-…

Step 17: Go to Status -> OpenVPN to confirm that your service is up. You can also check your connection log file by selecting Status -> System Logs -> OpenVPN.
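Beyond checking that the tunnel is up, it is worth confirming that the client configuration actually carries the settings from Steps 5 to 9. The script below is an added example, not part of the original guide or of pfSense or NordVPN: it audits OpenVPN client config text, and the sample config, host name and file paths in it are constructed placeholders.

```python
# Added example: audit an OpenVPN client config against the values in Steps 5-9.
# SAMPLE is constructed for illustration (placeholder host and file paths); it is
# not output captured from pfSense. Directive names are OpenVPN 2.4 style.
SAMPLE = """\
dev-type tun
proto udp4
remote vpn.example.net 1194
auth-user-pass /path/to/client.up
ca /path/to/client.ca
tls-auth /path/to/client.tls-auth 1
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
comp-lzo no
tls-client;
remote-random;
reneg-sec 0;
remote-cert-tls server;
"""
# directive -> accepted first argument (None: presence is enough)
REQUIRED = {"dev-type": {"tun"}, "cipher": {"AES-256-GCM"}, "auth": {"SHA512"},
            "remote-cert-tls": {"server"}, "tls-client": None, "tls-auth": None,
            "ca": None, "auth-user-pass": None, "remote": None}

def parse(conf):
    """Return {directive: [arg lists]}; options may end in newline or ';'."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        for stmt in filter(None, (s.strip() for s in line.split(";"))):
            name, *args = stmt.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(conf):
    """Return a list of deviations from the guide's settings (empty = match)."""
    opts, findings = parse(conf), []
    for name, allowed in REQUIRED.items():
        if name not in opts:
            findings.append(f"missing: {name}")
        elif allowed and not any(a and a[0] in allowed for a in opts[name]):
            findings.append(f"unexpected value: {name} {' '.join(opts[name][0])}")
    for args in opts.get("comp-lzo", []):
        if args != ["no"]:                      # Step 8 sets "comp-lzo no"
            findings.append("compression enabled: comp-lzo " + " ".join(args))
    proto = next((a[0] for a in opts.get("proto", []) if a), "udp")
    want = "443" if proto.startswith("tcp") else "1194"   # ports from Step 5
    for args in opts.get("remote", []):
        if len(args) > 1 and args[1] != want:
            findings.append(f"remote port {args[1]} does not match {proto} (expected {want})")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "config matches the guide")
```

A missing `remote-cert-tls server` is the finding to act on first, since without it the client does not check that the peer's certificate is a server certificate. OpenVPN 2.5 and later name the cipher list `data-ciphers` rather than `ncp-ciphers`, so adjust `REQUIRED` if your config uses the newer directives.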

In conclusion

If you followed our step-by-step approach above, your NordVPN should be all set up on pfSense already. Although the process appears complicated, we have simplified it as much as possible in this guide. Also, it’s a one-time thing, so you don’t need to worry about repeating the process.