Step 1: Log in to your pfSense router.
Step 2: Decide which gateway you would like to connect to, and obtain its hostname. A list of all of our hostnames is available on our network page; if you use a Static IP, use that instead.
Step 3: Navigate to System>Cert Manager and select Add. Enter a name into the Descriptive name field, such as TorGuard-CA.
Set the Method as "Import an existing Certificate Authority".
Download the OpenVPN CA certificate from our certificate page here and open it in a text editor. Copy the entire contents of the file into the Certificate data field.
Then, press Save.
Step 5: Navigate to VPN>OpenVPN>Clients and select Add.
Enter the following settings under "General Information":
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS)
Protocol: TCP or UDP on IPv4 only - whichever works best for you.
Device mode: tun – Layer 3 Tunnel Mode
Local port: leave blank
Server host or address: The hostname for the region you picked out on our network page or your static IP.
Server port: 1912 - or any port available under our OpenVPN Ports page
Proxy host or address: Leave blank
Proxy port: Leave blank
Authentication method: None
Description: Whatever you would like to title your connection profile
Username: Enter your TG VPN Username
Password: Enter your TG VPN Password
Authentication Retry: Leave Unchecked.
Enter the following settings under "Cryptographic Settings":
TLS Configuration: Checked
TLS-Key: Uncheck the option to automatically generate one, then enter the tls-auth key located here.
TLS Key Usage Mode: TLS Authentication
Peer Certificate Authority: TorGuard-CA
Peer Certificate Revocation list: Leave undefined
Client Certificate: None - Username/Password Required
Data Encryption Negotiation: Checked
Data Encryption Algorithms: The Allowed Data Encryption Algorithms list should be prepopulated; click CHACHA20 to remove it for now.
Fallback Data Encryption Algorithm: Set to AES-128-CBC
Auth digest algorithm: SHA256
Hardware Crypto: No Hardware Crypto Acceleration
IPv4 Tunnel Network: Leave blank
IPv6 Tunnel Network: Leave blank
IPv4 Remote network(s): Leave blank
IPv6 Remote network(s): Leave blank
Limit outgoing bandwidth: Leave blank
Compression: Set to "Refuse any non-stub compression (Most Secure)".
Topology: Subnet -- One IP address per client in a common subnet
Don't pull routes: Unchecked
Don't add/remove routes: Unchecked
Enter the following settings under "Ping Settings":
Ping Method: Keepalive - Use Ping helper to define configuration
Exit Notify: Disabled
UDP Fast I/O: Unchecked
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: Default
Then, click Save.
Navigate to Firewall>NAT>Outbound, and select Manual Outbound NAT rule generation. You should see 4 rules.
Under the Actions heading, you should see an icon that looks like two pages, called Add a new mapping based on this one. Duplicate each of the 4 rules exactly, but change their interface to OpenVPN, clicking Save after each rule is duplicated.
Navigate to System > General Setup and set DNS Servers to:
DNS Servers: 184.108.40.206
Add DNS Server: Click to add a secondary DNS and set to: 10.8.0.1
Verify your connection. Navigate to Status>OpenVPN and check to see whether your OpenVPN client is up.
Finally, visit What's My IP to verify that you are protected.
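To check that the saved client still matches the cryptographic settings listed above, the following added example (not TorGuard's or pfSense's own code) audits the text of an OpenVPN client configuration. The mapping of the GUI fields to the OpenVPN directives `auth`, `data-ciphers`, `data-ciphers-fallback`, `allow-compression`, `tls-auth`, `ca` and `auth-user-pass`, the placeholder host `vpn.example.net` and the file paths are assumptions of this example.

```python
import re
# Constructed sample (placeholder host/paths); directive names are this
# example's assumed mapping of the GUI fields, not a real pfSense export.
GOOD = """\
remote vpn.example.net 1912
auth-user-pass /path/to/up
ca /path/to/ca.crt
tls-auth /path/to/ta.key
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-128-CBC
allow-compression no
"""
# Same config after drift: CHACHA20 re-added, compression policy line replaced.
DRIFTED = (GOOD.replace("AES-128-GCM", "AES-128-GCM:CHACHA20-POLY1305")
               .replace("allow-compression no", "comp-lzo adaptive"))

def parse_ovpn(text):
    """Map directive -> argument list, skipping comments and inline <tag> blocks."""
    directives, block = {}, None
    for line in map(str.strip, text.splitlines()):
        if block:  # inside <ca>...</ca> style inline data
            block = None if line == f"</{block}>" else block
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            block = m.group(1)
            directives[block] = ["[inline]"]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    """Return findings where the config deviates from the settings in this guide."""
    d, findings = parse_ovpn(text), []
    def expect(name, ok, want):
        if name not in d:
            findings.append(f"{name}: missing, expected {want}")
        elif not ok(d[name]):
            findings.append(f"{name}: got {' '.join(d[name])!r}, expected {want}")
    expect("auth", lambda a: a[:1] == ["SHA256"], "SHA256")
    expect("data-ciphers-fallback", lambda a: a[:1] == ["AES-128-CBC"], "AES-128-CBC")
    expect("allow-compression", lambda a: a[:1] == ["no"], "no")
    expect("data-ciphers", lambda a: a and "CHACHA20" not in a[0].upper(), "no CHACHA20")
    for name in ("ca", "tls-auth", "auth-user-pass"):
        expect(name, lambda a: True, "present")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("drifted", DRIFTED)):
        print(label, audit(cfg) or "matches the guide")
```

An empty result means every checked directive agrees with the values chosen in this guide; each finding names the directive that is missing or differs.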