*Manual configuration is available to Premium users only.
This guide was written for a fresh install of pfSense version 2.4.5-RELEASE-p1 (amd64), built on June 02 2020, and applies to any version 2.4+.
For this guide we have the WAN Gateway (WANGW) set to 192.168.0.60 with the Upstream gateway 192.168.0.1, and the LAN interface set to 10.1.1.1. Be sure to adjust these values to match the IP settings of your own installation.
NOTE REGARDING IPv6: If all firewall traffic is to be passed through our VPN, set the IPv6 Configuration Type to "None" on your WAN interface. Our VPN does not currently support IPv6, so any IPv6 traffic the WAN still carries would bypass the tunnel.
[Screenshots: WAN (em0) and LAN (em1) interface configuration]
1. To begin, you will need to either generate an OpenVPN configuration file or download the archive with all configs: https://utils.privadovpn.com/share/udp_tcp.zip
2. Extract the files to a local directory and open the .ovpn file for the server you would like to connect to in a Text Editor. For this example, we will be using our Los Angeles server, lax-012.vpn.privado.io.
3. Leaving the Text Editor open, switch back to the pfSense web GUI, navigate to System > Cert. Manager and click the Add button.
Enter the settings as shown below and click "Save":
Descriptive Name: PrivadoVPN_CA
Method: Import an existing Certificate Authority
Certificate Data: copy and paste the CA certificate (the block from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----") from the .ovpn file in the Text Editor window
4. Navigate to VPN > OpenVPN > Clients and click the Add button.
5. Enter the settings as shown below and click "Save" (any setting not listed can be left at its default):
General Information
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only
Device mode: tun - Layer 3 Tunnel mode
Interface: WAN
Server host or address: PrivadoVPN server name or IP Address
Server port: 1194
Description: PrivadoVPN
User Authentication Settings:
Username: PrivadoVPN username
Password: PrivadoVPN password
Cryptographic Settings
TLS Configuration: UNCHECKED
Peer Certificate Authority: PrivadoVPN_CA
Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
Enable NCP: UNCHECKED
Auth digest algorithm: SHA256 (256-bit)
Tunnel Settings
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 -- Isolated /30 network per client
Ping settings - leave default
Advanced Configuration
Custom Options: Copy the 'remote' and 'tls-cipher' lines from the .ovpn file open in the Text Editor.
Gateway creation: IPv4 only
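Added example, not part of the PrivadoVPN guide or of pfSense: a small Python helper that pulls out of an .ovpn file the CA certificate needed for the Cert. Manager import in step 3 and the 'remote' and 'tls-cipher' lines needed for Custom Options in step 5, and flags any GUI choice from step 5 (cipher, digest, port) that disagrees with the file. The sample .ovpn and its certificate body are constructed placeholders, not a real PrivadoVPN config.

```python
import re

# Constructed sample .ovpn (NOT a real PrivadoVPN file); the certificate body is a placeholder.
SAMPLE_OVPN = """client
remote lax-012.vpn.privado.io 1194
cipher AES-256-CBC
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE-BODY==
-----END CERTIFICATE-----
</ca>
"""

# Inline CA block: the PEM armor and everything between it, inside <ca>...</ca>
CA_BLOCK = re.compile(r"<ca>\s*(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)\s*</ca>", re.S)

def extract_pfsense_fields(ovpn_text):
    """Return the CA certificate (step 3), the 'remote'/'tls-cipher' lines for
    Custom Options (step 5), and the cipher/auth/port values to check the GUI against."""
    fields = {"ca_cert": None, "custom_options": [], "remote_host": None, "remote_port": None, "cipher": None, "auth": None}
    m = CA_BLOCK.search(ovpn_text)
    fields["ca_cert"] = m.group(1).strip() if m else None
    for line in ovpn_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # skip blank lines and OpenVPN comments
        key, _, rest = line.partition(" ")
        if key in ("remote", "tls-cipher"):
            fields["custom_options"].append(line)  # copied verbatim into Custom Options
        if key == "remote":
            parts = rest.split()
            fields["remote_host"] = parts[0]
            fields["remote_port"] = int(parts[1]) if len(parts) > 1 else 1194  # OpenVPN default port
        elif key == "cipher":
            fields["cipher"] = rest
        elif key == "auth":
            fields["auth"] = rest
    return fields

def gui_mismatches(fields, gui_cipher="AES-256-CBC", gui_auth="SHA256", gui_port=1194):
    """Compare the step-5 GUI choices with the file. With NCP disabled the client
    offers only the configured cipher, so these values must agree with the server's."""
    problems = []
    if fields["cipher"] and fields["cipher"] != gui_cipher:
        problems.append("Encryption Algorithm: GUI %s vs file %s" % (gui_cipher, fields["cipher"]))
    if fields["auth"] and fields["auth"] != gui_auth:
        problems.append("Auth digest algorithm: GUI %s vs file %s" % (gui_auth, fields["auth"]))
    if fields["remote_port"] is not None and fields["remote_port"] != gui_port:
        problems.append("Server port: GUI %d vs file %d" % (gui_port, fields["remote_port"]))
    return problems
```

Run it against the real .ovpn you opened in step 2 and paste `fields["ca_cert"]` into Certificate Data and each entry of `fields["custom_options"]` into Custom Options; an empty list from `gui_mismatches` means the step-5 choices agree with the file.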
7. Navigate to Interfaces > Assignments, select ovpnc1 (PrivadoVPN) from the 'Available network ports' dropdown menu, and then click the Add button.
8. Click on the newly created OPT1 interface, check the "Enable interface" box, change the Description to PrivadoVPN, and click Save.
9. Next set the DNS via System > General Setup.
DNS Servers: The first DNS server, 198.18.0.1, is our DNS server and should be assigned to the (PVPN_VPNV4 - opt1) gateway so that all DNS requests for that interface pass through our servers.
The second DNS server is set to Google's 8.8.8.8, but you can use any DNS server here; it is assigned to the WAN gateway so that pfSense can resolve the VPN server name and initiate the VPN connection.
DNS Server Override: UNCHECKED
10. Now navigate to Firewall > NAT and click on Outbound. Select 'Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)' and click Save.
This generates 2 'Automatic Rules' at the bottom; you then need to create 4 new rules that send the LAN traffic out through the VPN interface, as shown below:
NOTE: Be sure to edit the LAN IP address in the LAN-to-PVPN rules to match your installation. Also make sure that each rule has 'Address Family' set to 'IPv4'.
11. Your PVPN_VPNV4 Gateway should now show as connected and Online under Status > Gateways.
12. Next, go to System > Advanced > Miscellaneous and scroll down to Gateway Monitoring. Check the box next to 'Skip rules when gateway is down' and Save. Without this, pfSense drops the gateway from a policy-routing rule when that gateway is down, so the matching traffic falls back to the default (WAN) route; with it checked the whole rule is skipped instead, which helps prevent traffic from leaking over the WAN if the VPN disconnects.
If you have any questions or have issues, please contact our support team: https://support.privado.live/new.