How to configure pfSense - OpenVPN?
Written by Steve M
Updated over a week ago

pfSense is an open source firewall/router software distribution based on FreeBSD. This tutorial shows how to set up your pfSense device with LimeVPN.

1. To set up pfSense 2.3.2 with OpenVPN, access your pfSense in a browser. Then navigate to System -> Certificate Manager -> CAs. You should see this screen:

2. We will configure pfSense to connect to the EU1 server. Press the “+ Add” button, then fill out the fields like this:

Descriptive Name: LimeVPN
Method: Import an existing Certificate Authority
Certificate data: the CA certificate (you can get it by downloading our CA and TLS files), including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Press “Save”.

3. Then navigate to VPN -> OpenVPN -> Clients and press “+Add”

4. Fill in the fields:
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP
Device mode: TUN;
Interface: WAN;
Local port: leave blank;
Server host or address: eu1.limevpn.com;
Server port: 1194;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: Any name you like. In our case it is LimeVPN

USER AUTHENTICATION SETTINGS
Username/Password : Your LimeVPN username / your LimeVPN password.

CRYPTOGRAPHIC SETTINGS
TLS Authentication: Check
Automatically generate a shared TLS authentication key: Uncheck
Then paste in the TLS key from the TLS file downloaded together with the CA certificate.

Peer certificate authority: LimeVPN
Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption algorithm: AES-256-CBC (256-bit);
Auth digest algorithm: SHA1 (160-bit); (In case it doesn’t work, use SHA-512)
Hardware crypto: No hardware crypto acceleration.

TUNNEL SETTINGS

IPv4 tunnel network: leave blank;

IPv6 tunnel network: leave blank;

IPv4 remote network/s: leave blank;

IPv6 remote network/s: leave blank;

Limit outgoing bandwidth: leave blank;

Compression: Enabled with adaptive compression;

Type-of-service: leave unchecked;

Disable IPv6: check Don’t forward IPv6 traffic;

Don’t pull routes: check;

Don’t add/remove routes: leave unchecked.

ADVANCED CONFIGURATIONS
Custom Options:
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
Verbosity level: 3 (recommended);

Click Save.
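
The settings from step 4 can be reviewed outside the GUI. The Python sketch below is an added example, not LimeVPN's or pfSense's code: it parses the Custom Options as listed above, together with an assumed mapping of the GUI fields to OpenVPN directives (`ta.key` is a hypothetical file name), and reports the settings a reviewer would look at twice.

```python
import re

# Constructed input: step 4's Custom Options as listed, plus the GUI fields
# written as the OpenVPN directives they are assumed to map to.
CUSTOM_OPTIONS = ("tls-client; remote-random; tun-mtu 1500; tun-mtu-extra 32; "
                  "mssfix 1450; persist-key; persist-tun; reneg-sec 0; "
                  "remote-cert-tls server;")
GUI_FIELDS = ("cipher AES-256-CBC; auth SHA1; comp-lzo adaptive; "
              "route-nopull; tls-auth ta.key")  # ta.key: hypothetical file name


def parse_directives(text):
    """Split on ';' or newlines, the separators the tutorial's list uses."""
    directives = {}
    for item in re.split(r"[;\n]", text):
        parts = item.split()
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit(directives):
    """Return sorted finding ids for settings worth a second look."""
    findings = set()
    # Without this, a certificate the same CA issued to a client could pose as the server.
    if directives.get("remote-cert-tls") != ["server"]:
        findings.add("no-server-cert-check")
    # tls-auth (or tls-crypt) authenticates control packets with the shared static key.
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        findings.add("no-control-channel-hmac")
    # reneg-sec 0 turns off time-based renegotiation of the data-channel key.
    if directives.get("reneg-sec") == ["0"]:
        findings.add("renegotiation-disabled")
    # Compressing before encrypting can leak information about the plaintext.
    if "comp-lzo" in directives and directives["comp-lzo"] != ["no"]:
        findings.add("compression-enabled")
    # The tutorial itself names SHA-512 as the alternative digest.
    if [a.upper() for a in directives.get("auth", [])] == ["SHA1"]:
        findings.add("legacy-auth-digest")
    if [a.upper() for a in directives.get("cipher", [])] != ["AES-256-CBC"]:
        findings.add("unexpected-cipher")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_directives(CUSTOM_OPTIONS + GUI_FIELDS)):
        print(finding)
```

Each finding is a prompt to confirm with the provider whether the setting is required, not a statement that the tunnel is broken.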

5. Navigate to Interfaces -> Interface Assignments and Add LimeVPN interface.

6. Click OPT1 to the left of your assigned interface and fill in the following information:

Description: LimeVPN

IPv4 Configuration Type: DHCP

IPv6 Configuration Type: None

MAC Address: leave blank

MTU: leave blank

MSS: leave blank

Do not change anything else. Just scroll down to the bottom and press “Save”.

7. Navigate to Services -> DNS Resolver -> General Settings
Enable: check
Listen port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: LimeVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
Save

8. While in DNS Resolver, select Advanced Settings at the top and then fill in the following:

Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Save

9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”. Press “Save”.
Four rules will then appear. Leave the 127.0.0.0 rules untouched and edit both rules that specify your network address as the source.

9.1. Change the Interface to LimeVPN;

9.2. Click Save. At the end it should look like this:

10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
10.1. Press on Show Advanced Options;

10.2. Change Gateway to LimeVPN;

10.3. Click Save.

11. Go to System -> General Setup and fill in:

DNS Server 1: 8.8.8.8; gateway: none

DNS Server 2: 8.8.4.4;
Save

12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.

13. You can also check the connection log file under Status -> System Logs -> OpenVPN:

You now have a VPN connection on your pfSense.
