How to use pfSense with FoxyProxy OpenVPN
This guide makes the following assumptions:
- Your pfSense is set up properly and you can get proper Internet and LAN connectivity on it.
- Your version of pfSense is newer than 2.1.1
- You want to route ALL of your Internet traffic over the VPN.
Replace all instances of “SERVERNAME” with your actual FoxyProxy server name – for example, if your VPN server is someserver.getfoxyproxy.org then you would replace SERVERNAME with “someserver” (without quotes).
Get the OpenVPN CA Certificate
You need the OpenVPN CA certificate for your FoxyProxy server(s). We can email these to you, or you can get them yourself:
- Log in at https://getfoxyproxy.org/panel
- Find the server you wish to use and click the Actions button
- Click Download CA Cert File, and either save it to disk or open it directly in a plain-text editor (such as Notepad or Notepad++ on Windows, TextEdit on macOS, or Gedit/Kate on Linux)
- Copy this CA cert text to the clipboard for the steps below
Put the OpenVPN CA Cert into pfSense
- Log into pfSense
- Go to System, Cert. Manager
- Ensure you are on the CAs tab
- Click the + Add button to add a new CA certificate
- Populate the fields as below:
- Descriptive Name: FoxyProxy (SERVERNAME)
- Method: Import an existing Certificate Authority
- Certificate data: (copy and paste the contents of the downloaded ca.crt file)
- Leave the rest of the fields empty. Click the Save button.
Configure the pfSense OpenVPN client
- Go to VPN, OpenVPN
- Go to the Clients tab
- Click the + Add button
- Configure with the following:
- Protocol: TCP IPv4 and IPv6 on all interfaces (multihome)
- Server host or address: SERVERNAME.getfoxyproxy.org
- Server Port: 443
- Description: FoxyProxy VPN (SERVERNAME)
User Authentication Settings:
- Username: (your FoxyProxy username)
- Password: (your FoxyProxy password)
- Confirm: (re-enter the same password)
- TLS Configuration: leave Use a TLS Key UNCHECKED
- Peer Certificate Authority: FoxyProxy (SERVERNAME)
- Encryption algorithm: BF-CBC (128 bit key by default, 64 bit block)
- Enable NCP: (unchecked)
- Auth digest algorithm: SHA1 (160-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Compression: LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility]
- Topology: net30 — Isolated /30 network per client
- Verbosity level: 4
- Leave all other fields blank/default and click the Save button
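For readers who want to see what those GUI fields mean in OpenVPN terms, here is the equivalent stand-alone OpenVPN client configuration. This is an added example, not the file pfSense generates (pfSense writes its own file with extra management and script directives) and not FoxyProxy's own configuration; the file names ca.crt (the CA certificate from the section above) and auth.txt (username on line 1, password on line 2) are assumptions.

```conf
# Added example: OpenVPN client directives mirroring the pfSense client fields above.
# ca.crt and auth.txt are assumed file names, not names from the guide.
client
dev tun
# Protocol: TCP; Server host or address / Server Port
proto tcp-client
remote SERVERNAME.getfoxyproxy.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
# Peer Certificate Authority: the FoxyProxy CA imported in Cert. Manager
ca ca.crt
# User Authentication Settings: username/password, no client certificate
auth-user-pass auth.txt
# TLS Configuration: "Use a TLS Key" unchecked, so no tls-auth/tls-crypt line
# Encryption algorithm / Enable NCP (unchecked) / Auth digest algorithm
cipher BF-CBC
ncp-disable
auth SHA1
# Compression: compress lzo (equivalent to comp-lzo yes)
compress lzo
# Topology / Verbosity level
topology net30
verb 4
```

The "No Hardware Crypto Acceleration" field has no directive here because it only controls which OpenSSL engine is loaded. Note the trade-off the guide accepts for server compatibility: BF-CBC uses a 64-bit block, which is the weakness behind the SWEET32 attack, and OpenVPN 2.5 and later no longer enable it by default, so keep these cipher and digest settings only for as long as the FoxyProxy server requires them.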
- Go to Firewall, NAT
- Click on the Outbound tab
- Toggle/enable Manual Outbound NAT rule generation. (AON – Advanced Outbound NAT)
- Click the Save button (but not Apply Changes yet)
- Now you should see the list of rules that were previously auto-generated (and hidden). Clone each of these rules by clicking the Add a new mapping based on this one button (it looks like two overlaid squares) and change the Interface field from WAN to OpenVPN.
- Click the Save button for the rule. Repeat this for every rule that pre-existed. A fresh install of pfSense usually has 6 rules, so when you are finished you should have about 12 rules in total.
- (OPTIONAL) You may want to edit the description of each rule you create so it is easier to remember why you created it.
- Finally, click the Apply Changes button. Your VPN is now set up.
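Forgetting one of the cloned rules is the easiest mistake in the NAT step, and the symptom (some LAN traffic leaving untranslated over the tunnel) is not obvious from the GUI. The following script, added here as an example and not part of the guide or of pfSense, compares the outbound NAT rules on the WAN interface with those on the OpenVPN interface and prints any WAN rule that has no twin on the VPN side. On pfSense the live rules come from `pfctl -sn`; the sample lines below are constructed to resemble that output, and the interface names em0 (WAN) and ovpnc1 (OpenVPN client) as well as the translation addresses are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the guide): check that every outbound NAT rule on the
# WAN interface has a counterpart on the OpenVPN interface. Real rules would come
# from "pfctl -sn" on pfSense; the lines below are CONSTRUCTED sample output and
# em0 / ovpnc1 / 203.0.113.5 / 10.8.0.6 are assumptions, not values from the guide.

# Constructed sample: four WAN rules, but the plain 192.168.1.0/24 rule was
# forgotten when cloning to the VPN interface.
SAMPLE_INCOMPLETE='nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on ovpnc1 inet from 127.0.0.0/8 to any port = isakmp -> 10.8.0.6 static-port
nat on ovpnc1 inet from 127.0.0.0/8 to any -> 10.8.0.6 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any port = isakmp -> 10.8.0.6 static-port'

# The same sample with the missing rule added.
SAMPLE_COMPLETE="$SAMPLE_INCOMPLETE
nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.0.6 port 1024:65535"

# selectors RULES IFACE: print the match part ("inet from ... to ...") of each
# "nat on IFACE" rule, dropping the interface name and the "-> target" part so
# that WAN and VPN rules can be compared as plain strings.
selectors() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "nat" && $2 == "on" && $3 == ifc {
            sub(/ -> .*$/, "")
            sub(/^nat on [^ ]+ /, "")
            print
        }'
}

# missing_vpn_nat RULES WAN_IFACE VPN_IFACE: print every WAN selector that has
# no identical rule on the VPN interface.
missing_vpn_nat() {
    vpn_sel=$(selectors "$1" "$3")
    selectors "$1" "$2" | while IFS= read -r sel; do
        printf '%s\n' "$vpn_sel" | grep -Fqx -- "$sel" || printf '%s\n' "$sel"
    done
}

# count_missing_vpn_nat RULES WAN_IFACE VPN_IFACE: number of missing rules,
# "0" when the VPN side is complete.
count_missing_vpn_nat() {
    missing_vpn_nat "$@" | grep -c .
}

# Demonstration on the constructed samples. On pfSense you would pass the
# real rule list instead:  missing_vpn_nat "$(pfctl -sn)" em0 ovpnc1
echo "WAN rules with no ovpnc1 counterpart (incomplete sample):"
missing_vpn_nat "$SAMPLE_INCOMPLETE" em0 ovpnc1
echo "Missing count: $(count_missing_vpn_nat "$SAMPLE_INCOMPLETE" em0 ovpnc1)"
echo "Missing count after adding the rule: $(count_missing_vpn_nat "$SAMPLE_COMPLETE" em0 ovpnc1)"
```

Everything after "->" is discarded before comparing, so the check does not care that the WAN rules translate to the WAN address and the VPN rules to the tunnel address; it only verifies that the same source/destination/port selectors exist on both interfaces, which is exactly what the cloning step is meant to produce.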
Test that pfSense is connected to the VPN server by going to https://getfoxyproxy.org/geoip. If you are connected through VPN, the page reports the IP address and location of the VPN server. If it does not display that, try rebooting pfSense, wait for it to come back up fully, and visit https://getfoxyproxy.org/geoip again.