Guide: OpenVPN on pfSense

PP Stephan

Staff member
This thread refers to the how-to OpenVPN on routers with pfSense. Please only post in this thread if you have questions, comments or feedback regarding this howto. To keep this thread updated and free from obsolete and redundant information, this thread will be cleaned up occasionally.
 
I have seen the warning, "Due to a bug in the underlying FreeBSD kernel, IPv6 does currently not work reliably with pfSense (as of May 2018)."

Regardless of the warning, could you post the configuration for IPv6?
I have IPv6 working with the VPN from my own efforts, but it doesn't pass tests such as ipv6-test.com. I conclude my implementation is incomplete.

The bug referenced in the warning is found in the IPv6 packet fragment handling. Why haven't I seen an issue with IPv6? Perhaps one or more of the following:
1) From the IPv6 specification, routers do not pass fragmented packets
2) I have not received any fragmented packets
Code:
netstat -s -p IPv6
ip6:
14664696 total packets received
0 with size smaller than minimum
0 with data size < data length
0 with bad options
20527 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 fragments that exceeded limit
0 packets reassembled ok

3) The bug was fixed in FreeBSD 11.2 ; I'm running 11.2-RELEASE-p4 (freebsd-version) [and pfSense 2.4.4_2]
https://redmine.pfsense.org/issues/8165

4) A workaround exists if needed - disabling IPv6 packet fragment reassembly - using this command:
sysctl net.inet6.ip6.maxfrags=0
Given all of the above, I assert it's reasonable to provide the Perfect Privacy configuration for IPv6 on pfSense.

 
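To turn the reasoning in the post above into a repeatable check, here is an added example (my code, not from the post, from Perfect Privacy or from pfSense). It parses the counters that `netstat -s -p ip6` prints (the post uses the protocol name IPv6), compares the release reported by `freebsd-version` with 11.2, the release the post credits with the fix, and reports whether the `net.inet6.ip6.maxfrags=0` workaround still applies. The netstat text embedded below is constructed from the counters quoted in the post, not captured from a live box.

```python
"""Does the FreeBSD IPv6 fragment-reassembly bug still matter on this box?

Added example, not from the forum post. Parses `netstat -s -p ip6` counters,
compares the running release with the one the post says carries the fix,
and tells you whether net.inet6.ip6.maxfrags=0 is still worth setting.
"""
import re

# Constructed from the counters quoted in the post; not a live capture.
SAMPLE_NETSTAT = """\
ip6:
\t14664696 total packets received
\t0 with size smaller than minimum
\t0 with data size < data length
\t0 with bad options
\t20527 with incorrect version number
\t0 fragments received
\t0 fragments dropped (dup or out of space)
\t0 fragments dropped after timeout
\t0 fragments that exceeded limit
\t0 packets reassembled ok
"""

# Release the post credits with the fix (pfSense redmine issue 8165).
FIXED_IN = (11, 2)

FRAGMENT_COUNTERS = (
    "fragments received",
    "fragments dropped (dup or out of space)",
    "fragments dropped after timeout",
    "fragments that exceeded limit",
)


def parse_ip6_stats(text):
    """Return {description: count} for every '<count> <description>' line."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def freebsd_release(version_string):
    """'11.2-RELEASE-p4' -> (11, 2); the patch level is irrelevant here."""
    m = re.match(r"(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised freebsd-version output: %r" % version_string)
    return int(m.group(1)), int(m.group(2))


def fragment_activity(stats):
    """True if the kernel has ever had to reassemble or drop a fragment."""
    return any(stats.get(k, 0) > 0 for k in FRAGMENT_COUNTERS)


def assess(stats, version_string, maxfrags):
    """maxfrags is the current value of sysctl net.inet6.ip6.maxfrags."""
    if freebsd_release(version_string) >= FIXED_IN:
        return "patched kernel: no workaround needed"
    if maxfrags == 0:
        return "unpatched kernel, reassembly disabled: workaround active"
    if fragment_activity(stats):
        return "unpatched kernel and fragments seen: set net.inet6.ip6.maxfrags=0"
    return "unpatched kernel, no fragments seen yet: workaround still recommended"


if __name__ == "__main__":
    # On a real box replace the constants with the output of
    # `netstat -s -p ip6`, `freebsd-version` and `sysctl -n net.inet6.ip6.maxfrags`.
    print(assess(parse_ip6_stats(SAMPLE_NETSTAT), "11.2-RELEASE-p4", 1000))
```

On a live pfSense box feed it the real command output (for example `subprocess.check_output(["netstat", "-s", "-p", "ip6"], text=True)`). If the workaround is needed, note that the one-off `sysctl` in the post does not survive a reboot; the same tunable can be set persistently under System > Advanced > System Tunables.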
So this does not get lost, helpful advice for use with OPNsense:
I am a new user that recently updated my account from a one-month subscription to a 2-year subscription. I use OpenVPN on OpenSUSE 15.1 and on FreeBSD 11.2 (OPNsense router). I use the NeuroRouting feature and find it works well, and the speeds are fast enough to stream 1080p video. I like the fact that you have manuals and config generators for any system.

You have a pfSense router manual, and it works successfully for OPNsense routers too (pfSense and OPNsense are related; both are based on FreeBSD). For OPNsense, there are a couple of tweaks needed to make it work properly: use tls-auth and not tls-crypt, and leave the advanced settings box blank (adding the advanced/custom settings from the config files breaks the service). Both the pfSense and Linux .ovpn configuration files work in OPNsense routers. For the desktop I just use Network Manager and import the files as-is, and all works flawlessly with no adjustments needed (the Linux OS is OpenSUSE 15.1).

I have also used AirVPN's VPN for many years, and think Perfect-Privacy has advantages compared to AirVPN. For those that want to use Perfect-Privacy in a multi-VPN group gateway router setup in pfSense/OPNsense (for failover, fault-tolerant, uninterrupted service) you can visit https://nguvu.org/pfsense/pfsense-multi-vpn-wan/. Just remember, don't add the custom settings for the OPNsense router. If you want to learn more about OPNsense you can visit https://opnsense.org/ .

My hope for Perfect-Privacy is that more users sign up so the traffic is higher; I believe the additional noise will enhance privacy.
 
Well, I got it working. Here are the instructions, presented as what must be changed and added to the Perfect Privacy Setup Instructions for pfSense.

1. Go to menu VPN > OpenVPN > Clients
Edit the line for your OpenVPN Client interface.
The settings are generally per the Perfect Privacy Setup, with these changes:​
General Information
Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)

Advanced Configuration
Custom options: the options given in the Perfect Privacy Setup didn't work well for me -- the interface was constantly cycling from being on to off. If the options given in the setup work for you, keep them. Otherwise, here are the options I find work well for me:
Code:
# logging level; the later "verb 4" line overrides this one
verb 5
# 1500-byte tun MTU, OpenVPN fragments at 1300 bytes, and mssfix with no
# argument clamps the TCP MSS to the fragment size
tun-mtu 1500
fragment 1300
# no-op on OpenVPN 2.4 and later (the tunnel is always IPv6-capable there)
tun-ipv6
mssfix
#float
# allow 120 s for the TLS handshake; give up only after 7 days without traffic
hand-window 120
inactive 604800
mute-replay-warnings
#ns-cert-type server
# require the server certificate to carry the TLS server extended key usage
remote-cert-tls server
persist-remote-ip
# commented out: pfSense steers traffic through the gateway set on the firewall rule
#redirect-gateway def1
# the client never initiates renegotiation; the server still renegotiates on its own schedule
reneg-sec 0
resolv-retry infinite
keepalive 10 60

# tls-auth key direction for the static key pasted into the GUI
key-direction 1

persist-tun
persist-key
# effective verbosity: the last verb line wins
verb 4

Gateway creation: Check "Both" [important -- this causes both IPv4 and IPv6 gateways to be created]​

2. Go to menu Firewall > NAT > Outbound
Add a new rule
Edit Advanced Outbound NAT Entry
Interface: OpenVPN
Address Family: IPv6
Protocol: any
Source: Network address: your IPv6 LAN prefix (see notes below)​
Destination: Any [unchanged]​
Translation
Address: Interface Address
Misc
Description: add a description for your rule
(screenshot: NAT Rule.png)
Note: you can see the interface address on your dashboard, under Gateways
Notes:​
The "Source" address is the IPv6 network prefix for your local LAN.​
  • I have a 64 bit prefix, so the format is xxxx:xxxx:xxxx:xxxx:: / 64 (note: two colons at end)
  • Where you can find this:
    • From a Windows CMD.exe window, run ipconfig /all and look at the IPv6 address for your ethernet adaptor:
(screenshot: ipconfig ipv6 address.png)
My prefix (given I have a /64 subnet) is the first 4 fields of the address​
  • From Linux command line, run ifconfig and look for the inet6 address:
(screenshot: ifconfig linux inet6.png)

3. Go to Firewall > Rules > LAN
Create a firewall rule to direct IPv6 traffic to your VPN IPv6 gateway​
Edit Firewall Rule
Action: Pass
Interface: LAN
Address Family: IPv6
Protocol: Any
Source
Source: LAN net
Extra Options
Description: enter a description for your rule
Advanced Options: click on Display Advanced
Advanced Options​
everything at default, except for Gateway -- make sure Gateway is set to VPN WAN IPv6 gateway​
(screenshot: ipv6 firewall rule.png)
After you save that rule, pfSense should start sending IPv6 traffic over your OpenVPN IPv6 interface.

4. Test that it's working

Go to the Perfect Privacy Tests website.​
Click on Check IP
The IP tests are run. You should see results for both the IPv4 section and the IPv6 section​
(screenshot: perfect privacy ip tests.png)
Congratulations and welcome to the future.
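The note in step 2 about reading the prefix off ipconfig or ifconfig is the step most people get wrong, because a host usually shows several inet6 addresses (a link-local fe80:: one, a temporary privacy address, the SLAAC address) and only the routable ones share the LAN prefix. As an added example (my code, not from the post above, from Perfect Privacy or from pfSense), the script below takes raw `ipconfig /all` or `ifconfig` output, extracts the IPv6 literals, discards link-local addresses and returns the network to paste into the NAT rule's Source field, for a /64 or any other prefix length. The sample output is constructed from the 2001:db8::/32 documentation range, not copied from a real host.

```python
"""Derive the IPv6 LAN prefix for the outbound NAT rule's Source field.

Added example, not from the forum post. The post says to take the first
four fields of an inet6 address for a /64; this does the same with the
ipaddress module, skips link-local addresses (fe80::/10), which are never
the LAN prefix, and refuses to guess if the addresses disagree.
"""
import ipaddress
import re

# Constructed excerpt mixing Windows `ipconfig /all` and Linux `ifconfig` lines.
SAMPLE_OUTPUT = """\
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:a1b2:c3d4:e5f6:0001(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:1c2d:3e4f:5a6b:7c8d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1%12(Preferred)
        inet6 fe80::1a2b:3c4d:5e6f:7a8b  prefixlen 64  scopeid 0x2<link>
        inet6 2001:db8:1234:5678:1a2b:3c4d:5e6f:7a8b  prefixlen 64  autoconf
"""

# Loose match for IPv6 literals; anything that is not a full address is
# rejected by ipaddress below (e.g. a clock like 12:30).
IPV6_RE = re.compile(r"((?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})")


def extract_ipv6(text):
    """Return the IPv6 addresses found in tool output, zone ids (%12) dropped."""
    found = []
    for token in IPV6_RE.findall(text):
        try:
            found.append(ipaddress.IPv6Address(token))
        except ValueError:
            continue
    return found


def lan_prefix(addresses, plen=64):
    """Return the /plen network shared by all non-link-local addresses.

    Raises ValueError when only link-local addresses are present (the host
    has no routable IPv6) or when the addresses fall into different networks.
    """
    routable = [a for a in addresses if not a.is_link_local]
    if not routable:
        raise ValueError("only link-local addresses found; no routable IPv6 prefix")
    nets = {ipaddress.IPv6Network("%s/%d" % (a, plen), strict=False) for a in routable}
    if len(nets) != 1:
        raise ValueError("addresses belong to different /%d networks: %s"
                         % (plen, ", ".join(sorted(str(n) for n in nets))))
    return nets.pop()


if __name__ == "__main__":
    addrs = extract_ipv6(SAMPLE_OUTPUT)
    print("found:", ", ".join(str(a) for a in addrs))
    # prints the compressed form pfSense accepts, e.g. 2001:db8:1234:5678::/64
    print("NAT rule Source:", lan_prefix(addrs))
```

`str()` of the result gives the compressed form (`2001:db8:1234:5678::/64`), which is what the GUI accepts; the post's `xxxx:xxxx:xxxx:xxxx::/64` spelling with leading zeros is the same network. If the script raises because addresses disagree, the host has more than one global prefix and you need one NAT rule per prefix.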
 
Hello blackeneth.

2. Go to menu Firewall > NAT > Outbound
Add a new rule

Edit Advanced Outbound NAT Entry
Interface: OpenVPN
Address Family: IPv6
Protocol: any
Source: Network address: your IPv6 LAN prefix (see notes below)
Destination: Any [unchanged]

You can also use this for IPv4 and IPv6:
2. Go to menu Firewall > NAT > Outbound
Add a new rule

Edit Advanced Outbound NAT Entry
Interface: OpenVPN
Address Family: IPv4 + IPv6
Protocol: any
Source: Any
Destination: Any [unchanged]

This IPv6 configuration only works if your Internet provider offers IPv6. But it must work without IPv6 from your internet provider! A technician of Perfect Privacy said that it is due to a bug.

If anyone does not have IPv6, they can get IPv6 from a tunnel broker like Hurricane Electric. The configuration with Hurricane Electric only makes the configuration more complicated, but it works.

Your instructions cannot be used by everyone.
 
You need to update the instructions for pfSense 2.4.5. The custom options do not work at all, the interface goes from on to off all the time. Also, some websites don't load properly (missing pictures, videos not playing, etc.) And please, include instructions for IPv6 setup as well, not just UDP - IPv4 only.
 
Hi Blackeneth, I got everything working, following your instructions, I passed the tests on Perfect-Privacy.com, but when I go to


I get the following message in the attached file
Have you encountered this, is it normal?
Thank you!
 

(attachment: Screenshot 2020-05-06 at 18.15.52.png, not reproduced)
Very bad guide.

NAT should not be used as a kill switch.
Yes, it will break the ability to do proper address translation, but it will not actually BLOCK the traffic.
Use firewall rules to send all traffic to the VPN gateway(s) and block everything else.

Also, with this NAT setup you cannot do address translation for WAN if you want to route some clients to WAN directly without the VPN, for example a work notebook, phones, IoT devices, a Netflix television, game consoles, etc.
 
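To make the first point above concrete, here is an added toy model (my code, not from the post and not pfSense code) of how a LAN rule with a Gateway set interacts with the outbound NAT rule from the how-to. It assumes pfSense's default behaviour that a rule whose gateway is down is loaded without its gateway, which is what the "Skip rules when gateway is down" option under System > Advanced > Miscellaneous controls, and that the stock "Default allow LAN IPv6 to any" rule is still present below the how-to's rule. Gateway names and all addresses are constructed.

```python
"""Outbound NAT is not a kill switch: a toy model of pfSense policy routing.

Added example, not part of the forum post. It models only what is needed
to show the leak: LAN rules are evaluated first-match, a rule with a
Gateway set policy-routes to that gateway, and a rule whose gateway is
down is (by default) kept with the gateway removed, so matching traffic
follows the default route out of WAN. Outbound NAT rewrites the source
only on packets that actually leave through the interface it is bound to.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("2001:db8:1234:5678::/64")  # constructed LAN prefix
VPN_GW = "VPN_WAN6"                       # gateway pfSense created for the OpenVPN client
OPENVPN_ADDR = "2001:db8:ffff::1"         # constructed "Interface Address" of the VPN
OUTBOUND_NAT = {"openvpn": OPENVPN_ADDR}  # the how-to's only IPv6 outbound NAT rule


def rule(action, src, gateway=None):
    return {"action": action, "src": src, "gateway": gateway}


# Ruleset from the how-to: LAN IPv6 via the VPN gateway, followed by the
# stock "Default allow LAN IPv6 to any" rule pfSense ships with.
NAT_ONLY = [rule("pass", LAN_NET, gateway=VPN_GW),
            rule("pass", LAN_NET)]

# Hardened ruleset: same policy-routing rule, then an explicit block that
# replaces the default allow, so nothing from LAN may take the default route.
KILL_SWITCH = [rule("pass", LAN_NET, gateway=VPN_GW),
               rule("block", LAN_NET)]


def egress(src, ruleset, vpn_up, skip_rules_when_gw_down=False):
    """Return (egress interface, source address as seen on the wire),
    or ("blocked", None) when no rule passes the packet."""
    src = ipaddress.ip_address(src)
    for r in ruleset:
        if src.version != r["src"].version or src not in r["src"]:
            continue
        gw = r["gateway"]
        if gw == VPN_GW and not vpn_up:
            if skip_rules_when_gw_down:
                continue      # whole rule omitted while its gateway is down
            gw = None         # default: rule kept, gateway dropped
        if r["action"] == "block":
            return ("blocked", None)
        iface = "openvpn" if gw == VPN_GW else "wan"
        # NAT applies only on the interface the packet really leaves through
        return (iface, OUTBOUND_NAT.get(iface, str(src)))
    return ("blocked", None)  # implicit default deny


def leaks_real_address(ruleset, skip_rules_when_gw_down=False):
    """True if a LAN host's global address reaches the WAN while the VPN is down."""
    host = "2001:db8:1234:5678::10"
    iface, wire_src = egress(host, ruleset, vpn_up=False,
                             skip_rules_when_gw_down=skip_rules_when_gw_down)
    return iface == "wan" and wire_src == host


if __name__ == "__main__":
    for name, rs in (("NAT only", NAT_ONLY), ("kill switch", KILL_SWITCH)):
        for skip in (False, True):
            print("%-12s skip-rules-when-gw-down=%-5s leaks=%s"
                  % (name, skip, leaks_real_address(rs, skip)))
```

Running it shows two things. The NAT-only ruleset leaks the host's real IPv6 address whenever the VPN is down, exactly as the post says: the NAT rule never fires because the packet leaves via WAN, not via the OpenVPN interface. Less obviously, appending a block rule is not enough on its own, because the pass rule above it still matches once pfSense strips the dead gateway from it; the block only takes effect together with "Skip rules when gateway is down". The same model applies to the IPv4 rules.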