How to Configure & Use NordVPN on pfSense 2.4.5

pfSense 2.4.5 offers unified threat management that keeps you safe online. But, any privacy-conscious user would couple it with the VPN security. NordVPN renders an advanced level of security services, and its OpenVPN client can be easily run on pfSense firmware-based routers. Here we've prepared a step-by-step guide to help you configure and use NordVPN on pfSense 2.4.5. Have a look.

1. First, visit the NordVPN website.

2. Then, hit the Grab the Deal button and pick a subscription on the next page. 

3. You need to enter your payment information to complete the purchase. 

4. Once done, you'll get a confirmation on your subscription. 

5. Next, visit your pfSense router's web page and navigate to System> Certificate Manager> CAs and click the +Add button. 

6. You need to note the server hostname to perform further steps; click here to find the dedicated IP for your preferred server location. 

7. Next, fill in the details mentioned below- 

• Descriptive Name: Any name
• Method: Import an existing Certificate Authority
• Certificate data:

-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----

8. Now, click Save. 

9. Move to VPN> OpenVPN> Clients after that and press +Add.

10. Then, enter the below-mentioned details-

• Disable this client: Uncheck
• Server mode: Peer to Peer (SSL/TLS)
• Protocol: UDP on IPv4 only (Alternatively, you can use TCP)
• Device mode: tun – Layer 3 Tunnel Mode
• Interface: WAN
• Local port: Blank
• Server host or address: The hostname of your preferred server
• Server port: 1194 (Select 443 for TCP)
• Proxy host or address: Blank
• Proxy port: Blank
• Proxy Authentication: None
• Description: Any name

User Authentication Settings

• Username: Your NordVPN service name
• Password: NordVPN service password

• Authentication Retry: Uncheck

Cryptographic Settings

• TLS Configuration: Check Use a TLS Key; Uncheck Automatically generate a TLS key
• TLS Key:

-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----

• TLS Key Usage Mode: TLS Authentication
• TLS keydir direction: Use default direction
• Peer certificate authority: NordVPN_CA
• Peer Certificate Revocation list: No need to define
• Client certificate: Choose webConfigurator default (59f92214095d8) (Server: Yes, In Use)
• Encryption Algorithm: AES-256-GCM
• Enable NCP: Check
• NCP Algorithms: AES-256-GCM and AES-256-CBC
• Auth digest algorithm: SHA512 (512-bit)
• Hardware Crypto: No Hardware Crypto Acceleration

Tunnel Settings

• IPv4 tunnel network: Blank
• IPv6 tunnel network: Blank
• IPv4 remote network(s): Blank
• IPv6 remote network(s): Blank
• Limit outgoing bandwidth: Blank
• Compression: No LZO Compression [Legacy style,comp-lzo no]
• Topology: Subnet – One IP address per client in a common subnet
• Type-of-Service: Uncheck
• Don’t pull routes: Uncheck
• Don’t add/remove routes: Check

Advanced Configuration

• Custom Options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

• UDP FAST I/O: Uncheck
• Exit Notify: Disabled
• Send/Receive Buffer: Default
• Gateway creation: IPv4 only
• Verbosity level: 3 (recommended)

11. Next, move on to Interfaces> Interface Assignments and hit the Add button to include the NordVPN interface.

12. After that, click the OPT1 option and fill the below information in the assigned interface-

• Enable: Check
• Description: NordVPN
• Mac Address: Blank
• MTU: Blank
• MSS: Blank

13. No need to change anything else; just click Save.

14. Now, locate Services> DNS Resolver> General Settings.

15. Enter the below details now-

• Enable: Check
• Listen port: Leave unchanged
• Enable SSL/TLS Service: Uncheck
• SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use)
• SSL/TLS Listen Port: Leave as is
• Network Interfaces: All
• Outgoing Network Interfaces: NORDVPN
• System Domains Local Zone Type: Transparent
• DNSSEC: Uncheck
• Python Module: Uncheck
• DNS Query Forwarding: Check Enable forwarding mode; Uncheck Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
• DHCP Registration: Check
• Static DHCP: Check
• OpenVPN Clients: Uncheck

16. Click Save once done. 

17. Move to DNS Resolver next and select the Advanced Settings tab.

18. Fill this field with the below information-

Advanced Privacy Options

• Hide Identity: Check
• Hide Version: Check
• Query Name Minimization: Uncheck
• Strict Query Name Minimization: Uncheck

Advanced Resolver Options

• Prefetch Support: Check
• Prefetch DNS Key Support: Check
• Harden DNSSEC Data: Uncheck

19. No need to change other options, just press Save.

20. Move to Firewall> NAT> Outbound and choose Manual Outbound NAT rule generation. 

21. Click Save now, and all 6 rules of IPv6 will appear.

22. You need to delete all the rules and add a new one. 

23. For the new rule, the Interface will be NordVPN, and the Source will be your LAN subnet, i.e., 192.168.2.0/24.

24. Click the Save button now and navigate to Firewall> Rules> LAN.

25. You've to delete the IPv6 rule now and edit the IPv4 rule. 

26. To edit that, click Show Advanced Options and change the Gateway to NordVPN.

27. Next, click Save and move to System> General Setup.

28. Now, enter the primary and secondary server as follows-

• DNS Server 1: 103.86.96.100; none
• DNS Server 2: 103.86.99.100; NordVPN_VPNV4 - opt1 - ...

29. Then, hit the Save button.

30. Finally, move to Status> OpenVPN, and the VPN services should be up. 

That’s all! Now you know how to configure and use NordVPN on pfSense 2.4.5. If you have further queries, drop us a comment through the below button. Thanks for reading!