
How to Setup TorGuard VPN on pFSense (Newer build)

Setting up OpenVPN on pfsense [firewall/router]

=============================================

Log into the pfsense webConfigurator

    - https://pfsense-LAN-IP/index.php

    - Ex. https://192.168.1.1/index.php

Prevent DNS leaks by using only the TorGuard (TG) DNS servers

pfsense Setup Wizard 

=====================

    - Click "System"

    - Click "Setup Wizard"

    - Click "Next"

    - Click "Next"

    - For "Primary DNS Server:" type in "104.223.91.194"

    - For "Secondary DNS Server:" type in "104.223.91.210"

    - "Override DNS:" [unchecked]

    - Click "Next"

    - Click "Next"

    - Scroll to the bottom and click "Next"

    - Click "Next"

    - "Admin Password AGAIN:" type in your pfsensePassword for the WebGUI

    - Click "Next"

    - Click "Reload" and wait

    - Click the 2nd "here" where it says...

        - "Click here to continue on to pfSense webConfigurator"

TG-CA Installation

=====================

    - Click "System"

    - Click "Cert Manager"

    - Click "CAs"

    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)

    - "Descriptive name" type in "TG-CA"

    - "Method" select  "Import an existing Certificate Authority"

    - "Certificate data" - (paste in all the content from the ca.crt file here)

    - "Certificate Private Key (optional)" = (leave blank)

    - "Serial for next certificate" = (leave blank)

Now click "Save"

Certificate Setup

=====================

    - Click "System"

    - Click "Cert Manager"

    - Click "CAs"

    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)

    - "Descriptive name" type in "TG-internal-CA"

    - "Method" select "Create an internal Certificate Authority"

    - "Key length" use "2048" bits

    - "Digest Algorithm" use "SHA1"

    - "Lifetime" type in "3650" days (10 years)

    - "Country Code :" (your choice)

    - "State or Province :" (your choice, can be invalid data)

    - "City :" (your choice, can be invalid data)

    - "Organization :" (your choice, can be invalid data)

    - "Email Address :" (your choice, can be invalid data)

    - "Common Name :" = internal-ca

Now click "Save"

System: Certificate Manager

=====================

    - Click "System"

    - Click "Cert Manager"

    - Click "Certificates"

    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)

    - "Method:" select "Create an internal Certificate"

    - "Descriptive name" type in "TG-Certificate"

    - "Key length" use "2048" bits    

    - "Digest Algorithm" use "SHA1"

    - "Lifetime" type in "3650" days (10 years)

    - "Country Code :" (your choice)

    - "State or Province :" (your choice, can be invalid data)

    - "City :" (your choice, can be invalid data)

    - "Organization :" (your choice, can be invalid data)

    - "Email Address :" (your choice, can be invalid data)

    - "Common Name :" type in "TG-Certificate"

Now click "Save"

 

OpenVPN Setup

=====================

    - Click "Diagnostics"

    - Click "Command Prompt"

    - For "Command:" type the following into the box...

         echo "YOUR_TG_USERNAME" > /etc/openvpn-passwd.txt; echo "YOUR_TG_PASSWORD" >> /etc/openvpn-passwd.txt

    - Click "Excute"

Create OpenVPN Client

=====================

    - Click "VPN"

    - Click "OpenVPN"

    - Click the "Client" tab

    - Click "add client" (icon is a "+" symbol on a small lined sheet of paper)

 

Configure as follows...

    - "Disabled" = [unchecked]

    - "Server Mode" = "Peer To Peer (SSL/TLS)"

    - "Protocol" = "UDP"

    - "Device Mode" = "tun"

    - "Interface" = "WAN"

    - "Local Port" = (leave blank)

 

Choose a server for "Server host or address" from the TG list here... My VPN Servers

 

    - "Server host or address" = "east.usa.torguardvpnaccess.com"

    - "Server Port" = "443"

    - "Proxy host or address" = (leave blank)

    - "Proxy port" = (leave blank)

    - "Proxy authentication extra options" = none

    - "Server host name resolution" = [check] "Infinitely resolve server"

    - "Description" = "TG OpenVPN"

    - "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."

    - "Peer Certificate Authority" = "TG-CA"

    - "Client Certificate" = "webConfigurator default *In use"

    - "Encryption algorithm" = "BF-CBC (128-bit)"

    - "Auth Digest Algorithm" = "SHA1 (160-nit)"

    - "Hardware Crypto" = "No Hardware Crypto Acceleration"

    - "IPv4 Tunnel Network" = (leave blank)

    - "IPv6 Tunnel Network" = (leave blank)

    - "IPv4 Remote Network/s" = (leave blank)

    - "IPv6 Remote Network/s" = (leave blank)

    - "Limit outgoing bandwidth" = (leave blank)

    - "Compression" = choose "Enabled with Adaptive Compression"

    - "Type-of-Service" = [unchecked]

    - "Disable IPv6" [check] "Don't forward IPv6 traffic."

    - "Don't pull routes" = [unchecked]

    - "Don't add/remove routes" = [unchecked]

    - For "Advanced" type the following in the box...

        auth-user-pass /etc/openvpn-passwd.txt;

        verb 5;

        remote-cert-tls server

    - "Verbosity level" = default

Now click "Save"

Create OpenVPN interface

=====================

    - Click "Interfaces"

    - Click "(assign)"

    - "Available network ports:" select "ovpnc1(TG OpenVPN)"

    - Click "add selected interface" (icon is a "+" symbol on a small lined sheet of paper)

Note: The new interface will be named "OPT1" with a network port of "ovpnc1(TG OpenVPN)".

    - Click on "OPT1" to edit the interface

Configure as follows...

    - "Enabled" = [check]

    - "Description" = "TG-Interface"

    - "IPv4 Configuration Type" = none

    - "IPv6 Configuration Type" = none

    - "MAC address" = (leave blank)

    - "MTU" = (leave blank)

    - "MSS" = (leave blank)

    - "Block private networks" = [unchecked]

    - "Block bogon networks" = [unchecked]

Now click "Save"

Now click "Apply changes"

 

NAT Settings

=====================

    - Click "Firewall"

    - Click "NAT"

    - Click the "Outbound" tab

    - For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...

        - put a (dot) in the radio button

Now click "Save"

 
The next step is to duplicate each of these rules...

    - but change the NAT Address from WAN to TG-Interface

    - Start with the first rule by clicking the Plus sign immediately to the right of the line to "add a new NAT based on this one"

 
A new page will open. Configure it as follows...

    - "Disabled" = (do not change) [unchecked]

    - "Do not NAT" = (do not change) [unchecked]

    - "Interface" = TG-Interface

    - "Protocol" = (do not change)

    - "Source" = (do not change)

    - "Destination" = (do not change)

    - "Translation" = (do not change)

    - "No XMLRPC Sync" = (no dot change)

    - "Description" = Auto created rule for ISAKMP - LAN to TG-Interface

Now click "Save"

IMPORTANT! Repeat this process for each of the other rules.

Now click "Apply changes" at the top of the page

    The changes have been applied successfully.

    You can also monitor the filter reload progress.
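The rule duplication above is the step most often left half-done, since every WAN rule needs a twin on TG-Interface. As an added example (my own code, not part of the article or of pfSense), the following does the same thing over a configuration backup: it clones each outbound NAT rule bound to the WAN interface onto the VPN interface, rewrites the "... to WAN" wording of the description to "... to TG-Interface" as the article does, and skips rules that already have a twin so it can be re-run safely. The XML fragment is constructed to resemble the <nat><outbound> section of pfSense's config.xml; the element names and the "opt1" name for the OPT1 interface are assumptions about that format, so compare against your own backup before trusting the output.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed fragment laid out like the <nat><outbound> section of pfSense's
# config.xml (element names assumed from that format; addresses are made up).
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <interface>wan</interface>
        <source><network>127.0.0.0/8</network></source>
        <destination><any/></destination>
        <natport>500</natport>
        <staticnatport/>
        <descr>Auto created rule for ISAKMP - localhost to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.1.0/24</network></source>
        <destination><any/></destination>
        <natport>500</natport>
        <staticnatport/>
        <descr>Auto created rule for ISAKMP - LAN to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.1.0/24</network></source>
        <destination><any/></destination>
        <descr>Auto created rule - LAN to WAN</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""


def rule_key(rule):
    """Identity of a rule apart from its interface: source, destination, NAT port."""
    return (
        rule.findtext("source/network") or "any",
        rule.findtext("destination/network") or "any",
        rule.findtext("natport") or "",
    )


def duplicate_outbound_rules(config_xml, src_if="wan", dst_if="opt1",
                             src_label="WAN", dst_label="TG-Interface"):
    """Clone every outbound NAT rule on src_if onto dst_if, as the steps above do by hand.

    Rules that already exist on dst_if are skipped, so re-running is safe.
    Returns (new_config_xml, number_of_rules_added).
    """
    root = ET.fromstring(config_xml)
    outbound = root.find("nat/outbound")
    if outbound is None:
        raise ValueError("no <nat><outbound> section in config")
    rules = outbound.findall("rule")
    present = {rule_key(r) for r in rules if r.findtext("interface") == dst_if}
    added = 0
    for rule in rules:
        if rule.findtext("interface") != src_if or rule_key(rule) in present:
            continue
        clone = copy.deepcopy(rule)
        clone.find("interface").text = dst_if
        descr = clone.find("descr")
        if descr is not None and descr.text:
            # keeps pfSense's "... to WAN" wording, pointed at the VPN interface
            descr.text = descr.text.replace(f"to {src_label}", f"to {dst_label}")
        outbound.append(clone)
        present.add(rule_key(clone))
        added += 1
    return ET.tostring(root, encoding="unicode"), added


def rules_on(config_xml, iface):
    """List the descriptions of outbound NAT rules bound to iface, in document order."""
    root = ET.fromstring(config_xml)
    return [r.findtext("descr") or "" for r in root.findall("nat/outbound/rule")
            if r.findtext("interface") == iface]


if __name__ == "__main__":
    new_xml, n = duplicate_outbound_rules(SAMPLE_CONFIG)
    print(f"added {n} rules:", rules_on(new_xml, "opt1"))
```

Running it on the constructed fragment adds three rules, one per WAN rule, and a second run adds none. After editing a real backup this way, the original WAN rules are still present, which is what the article expects: traffic leaving via the VPN uses the TG-Interface copies and everything else keeps using WAN.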

Verify OpenVPN Service

=====================

At this point, your system is configured. Restart your OpenVPN service to be sure.

    - "Status"

    - "OpenVPN"

    - "Status" should be "UP" (but it may be DOWN)

        - Click the "Restart OpenVPN Service" button no matter what the status is. 

        - It's the middle button to the right of the service.

    - You should see "openvpn has been restarted."

Verify OpenVPN initialized correctly by checking System Logs

=====================

    - "Status"

    - "System Logs"

    - Click the "OpenVPN" tab

    - Scroll to the bottom and look for...

        openvpn[65701]: Initialization Sequence Completed
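Scrolling for that one line works once; for repeated checks, or for spotting why the tunnel is not up, it helps to scan the whole OpenVPN log. The following added example (my own code, not TorGuard's or pfSense's) does that over constructed log lines in the form pfSense shows under Status > System Logs > OpenVPN. It tracks the process id so a restarted service starts a fresh session, reports "up" once "Initialization Sequence Completed" is seen, and otherwise reports "down" with the OpenVPN message that explains it: AUTH_FAILED (wrong username or password in /etc/openvpn-passwd.txt), a TLS key negotiation failure (usually port or protocol mismatch, or the server not reachable), VERIFY ERROR (the peer certificate does not chain to TG-CA), a ping-restart, or a name-resolution failure. The addresses and certificate names in the sample lines are placeholders; the pid 65701 is the one from the article.

```python
import re

# Constructed log lines in the form pfSense shows under Status > System Logs >
# OpenVPN (syslog prefix, then "openvpn[pid]: message"). Addresses and CNs are
# placeholders; the pid matches the article.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfSense openvpn[65701]: UDPv4 link remote: [AF_INET]203.0.113.10:443
Mar  3 10:15:03 pfSense openvpn[65701]: VERIFY OK: depth=1, CN=TG-CA-placeholder
Mar  3 10:15:03 pfSense openvpn[65701]: VERIFY OK: depth=0, CN=server-placeholder
Mar  3 10:15:04 pfSense openvpn[65701]: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"openvpn\[(\d+)\]: (.*)$")

# Messages OpenVPN logs when a session does not come up or drops. Each is
# checked against the message part of a line; the first match wins.
FAILURE_PATTERNS = [
    ("auth_failed", re.compile(r"AUTH_FAILED")),
    ("tls_failed", re.compile(r"TLS Error: TLS key negotiation failed")),
    ("verify_error", re.compile(r"VERIFY ERROR")),
    ("ping_restart", re.compile(r"Inactivity timeout \(--ping-restart\)")),
    ("resolve_failed", re.compile(r"RESOLVE: Cannot resolve host address")),
]


def openvpn_status(log_text):
    """Summarise the most recent OpenVPN session found in log_text.

    Returns a dict with 'state' ("up", "down", "connecting" or "unknown"), the
    'reason' behind a "down" state, the 'pid' of the last process seen, and the
    number of distinct processes ('sessions') in the log.
    """
    status = {"state": "unknown", "reason": None, "pid": None, "sessions": 0}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not an openvpn line
        pid, message = int(match.group(1)), match.group(2)
        if pid != status["pid"]:
            # a new pid means the service was restarted: start a fresh session
            status.update(pid=pid, state="connecting", reason=None)
            status["sessions"] += 1
        if "Initialization Sequence Completed" in message:
            status.update(state="up", reason=None)
            continue
        for reason, pattern in FAILURE_PATTERNS:
            if pattern.search(message):
                status.update(state="down", reason=reason)
                break
    return status


if __name__ == "__main__":
    print(openvpn_status(SAMPLE_LOG))
```

On pfSense the log can be fed in from the Diagnostics > Command Prompt page by reading the OpenVPN log file for your version, or by pasting the lines shown in the GUI; the function only needs the "openvpn[pid]: message" part of each line.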

 

Test by opening your Internet browser and going to...

=====================

    - https://ipleak.net/

Enjoy!
