Surfshark Pfsense

/ Comments off

Last Updated: April 6, 2021

pfSense, an open-source software, has the ability to turn a computer system into a dedicated router or firewall. Using a VPN on open-source pfSense can boost its security abilities, and ExpressVPN is more than up to the task. You can configure it through a web-based interface like most routers. This article will guide you through the process of configuring ExpressVPN on pfSense.

Surfshark provides a cheap VPN service that allows unlimited number of devices with ad blocking. In this tutorial we are going to configure pfSense with Surfshark and assign an interface to it so that we can route it to other services.

  • VPN split tunneling – called Whitelister on the Surfshark VPN app – is the software capability to have only some of your internet traffic go over VPN while the rest uses the internet as usual. And you’re the one to decide when it happens.
  • How to set up pfSense 2.4.4 with Surfshark. How to set up Surfshark on Synology NAS. How to set up Surfshark on Synology 6.2 NAS.
  • SurfShark VPN Review 2020 - In this video we take a look into SurfShark VPN with my honest breakdown of the service!Check out SurfShark:
  • Choosing a fast VPN, like Surfshark, will guarantee servers with no less than 1Gbps port connected. For servers with higher bandwidth (the US and the UK), the number increases to 2x10Gbps. The higher the number, the faster the connection. It means that such tasks as streaming videos and downloading files don’t suffer from lagging and buffering.

Setting Up ExpressVPN on pfSense

Setting up ExpressVPN on pfSense is quite technical. You need to accurately follow the instructions in this article, as any mistake can result in the wrong configuration. The configuration process involves using the OpenVPN protocol to set up a connection to an ExpressVPN server. Although there is a new pfSense version (2.5.0), we will focus on the configuration settings for version 2.4.5 as a more significant number of users are still using it. Let’s dive into how to set up ExpressVPN on pfSense 2.4.5.

Surfshark Pfsense

1. The first thing to do is create an ExpressVPN account if you don’t have one. Go to the ExpressVPN website, click on “Get ExpressVPN,” and follow the instructions to get a subscription plan and complete the account creation process. Once you access your account, navigate to manual configuration settings through the following path: Set Up Other Devices > Manual Configuration.

2. Under “Manual Configuration,” select the “OpenVPN” tab, you will see your service credentials (username and password) directly under it. Leave the browser window open or copy the credentials somewhere you can easily reach because you will need them later. Just below the credentials, there is also a list of servers and their locations.

3. Select the server location you intend to use and pick a server. Then download the OpenVPN configuration file (.ovpn) of that server. You can choose UDP (faster) or TCP (more reliable) depending on your preference.

4. The next thing you need to do is to sign in to your pfSense control panel. The default username and password are usually “admin” and “pfsense” if no one has previously changed it. If that does not work, check the user manual or contact pfSense’s customer support team.

5. Once you’re in, on the top navigation bar, select “System,” then “Certificate Manager.” In the CA section, select the “+Add” button and input the following under their respective fields:

Create/Edit CA

Descriptive name: Input any name to represent your VPN connection (e.g., ExpressVPN-USA).

Method: click on “Import an existing Certificate Authority.”

Existing Certificate Authority

Certificate data: Use any text editor to open the .ovpn file you downloaded in step 3 above, copy the text between the <ca> and </ca> tags, and paste it in this field.

Certificate Private Key (optional): Leave empty.

Serial for next certificate: Leave empty.

Click the “Save” button.

6. Next, select “Certificates,” select the “+Add/Sign” button, and input the following:

Add/Sign a New Certificate

Method: Click Import an existing Certificate.

Descriptive name: Input any name to represent your certificate (e.g., ExpressVPN-Cert).

Import Certificate

Certificate data: Copy the text between the <cert> and </cert> tags in the .ovpn file you opened before and paste it here.

Private ket data: Copy the text between the <key> and </key> tags in the .ovpn file you opened before and paste it in this field.

Click the “Save” button.

7. Navigate to the top navigation bar and select “VPN” then “OpenVPN.” Select “Clients,” click the “+Add” button and input the following:

General Information

Disabled: Leave this box unchecked.

Server mode: Peer to Peer (SSL/TLS).

Protocol: UDP on IPv4 only.

Device mode: tun – Layer 3 Tunnel Mode.

Interface: WAN.

Local port: Leave empty.

Server host or address: Copy the server address listed between the word “remote” and the 4-digit port number in the .ovpn file you opened before and paste it in this field.

Server port: Input the 4-digit port number (next to the server address) you saw above.

Proxy port: Leave empty.

Proxy Authentication: Choose none.

Description: Input any name to represent your VPN connection (e.g., ExpressVPN-NY).

User Authentication Settings

Username: Input the ExpressVPN service username in step 2 above.

Password: Input the ExpressVPN service password in step 2 above twice.

Cryptographic Settings

TLS Configuration: Check this box.

Automatically generate a TLS key: Leave this box unchecked

TLS Key: Copy the text between the <tls-auth> and </tls-auth> tags in the .ovpn file you opened before and paste it in this field (don’t copy any line that begins with “#”).

TLS Key Usage Mode: Choose TLS Authentication.

Peer Certificate Authority: Choose the CA you created earlier (e.g., ExpressVPN-USA)

Client Certificate: Choose the certificate you created earlier (e.g., ExpressVPN-Cert)

Encryption Algorithm: Check the .ovpn file you opened before for the word “cipher” and choose the algorithm displayed after it in the dropdown menu here (e.g., AES-256-CBC).

Enable NCP: Leave this box unchecked.

NCP Algorithms: Leave empty

Auth digest algorithm: Check the .ovpn file you opened before for the word “auth” andchoose the algorithm displayed after it in the dropdown menu here (e.g., SHA512).

Hardware Crypto: Select No Hardware Crypto Acceleration.You should select otherwise only if you are sure your device supports hardware cryptography.

Tunnel Settings

IPv4 Tunnel Network: Leave empty.

IPv6 Tunnel Network: Leave empty.

IPv4 Remote Network(s): Leave empty.

IPv6 Remote Network(s): Leave empty.

Limit outgoing bandwidth: Leave blank.

Compression: Choose Adaptive LZO Compression [Legacy, comp-lzo adaptive].

Topology: Leave as it is.

Type-of-Service: Leave this box unchecked

Don’t pull routers: Leave this box unchecked

Don’t add/remove routes: Leave this box unchecked

Advanced Configuration

Custom options: Copy and paste the following:

fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

UDP Fast I/O: Check this box.

Send/Receive Buffer: Choose 512 KiB.

Gateway Creation: Choose IPv4 only.

Verbosity Level: Choose 3 (recommended).

Click the “Save” button.

8. Go to “Interfaces” in the top navigation bar and select “Assignments.” Click the “+Add” button to add the ExpressVPN interface.

9. Select the “OPT1” under “Interface,” select “ovpnc1,” and click the “Save” button.

10. Back to the top navigation bar, click “Interfaces,” select “OPT1,” and input the following:

General Configuration

Surfshark Openvpn Certificate

Enable: Check this box.

If preferred, Tor Browser may be made portable by extracting it from its archive directly onto removable media such as a USB stick or SD card. It is recommended to use writable media so that Tor Browser can be updated as required. Tor Browser will block browser plugins such as Flash, RealPlayer, QuickTime, and others: they can be manipulated into revealing your IP address. We do not recommend installing additional add-ons or plugins into Tor Browser. Tor browser usb Tor Browser aims to make all users look the same, making it difficult for you to be fingerprinted based on your browser and device information. MULTI-LAYERED ENCRYPTION. Your traffic is relayed and encrypted three times as it passes over the Tor network. The network is comprised of thousands of volunteer-run servers known as Tor relays. Tails uses the Tor network to protect your privacy online and help you avoid censorship. Enjoy the Internet like it should be. Your secure computer anywhere. Shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. Tails leaves no trace on the computer when shut down.

Description: Input any name that represents the interface (e.g., ExpressVPN).

Mac Address: Leave empty.

MTU: Leave empty.

MSS: Leave empty.

Reserved Networks

Block private networks and loopback addresses: Leave this box unchecked

Block bogon networks: Leave this box unchecked

Click the “Save” button and click “Apply Changes.”

11. Back to the top navigation bar, click “Firewall,” then “Aliases.” Select the “+Add” button to add an alias for your home network and input the following:


Name: Enter a name to represent your network (e.g., Local_Subnet)/

Description: A description to describe your network (e.g., Home)

Type: Choose Networks.


Network or FDQN: Input and choose 24.

Click the “Save” button.

12. In the top navigation bar, select Firewall > NAT > Outbound. Choose “Manual Outbound NAT rule generation” for “Mode,” click “Save,” then “Apply Changes.”

13. Under “Mappings,” go to your first WAN interface and click the copy icon under “Actions.” Then choose “EXPRESSVPN” for “Interface” click “Save.” Repeat this step for every WAN entry in this section. Click “Apply Changes” at the top.

14. Next, click “Firewall,” then “Rules.” Select “LAN,” click the “Add” button on the far left and input the following:

Edit Firewall Rule

Action: Choose Pass.

Disabled: Leave unchecked.

Interface: Choose LAN.

Address: Choose IPv4.

Surfshark Pfsense Download

Protocol: Choose Any.


Source: Choose Single host or alias and input the name of the alias you created for your network earlier.

Destination: Choose Any

Log: Leave unchecked.

Description: Input a description of your firewall rule.

Select Display Advanced.

Advanced Options

Gateway: Choose EXPRESSVPN.

Click the “Save” button, then “Apply Changes.”

15. To confirm the OpenVPN connection is active, navigate to the following path: Status > OpenVPN. You should see “up” under the “Status” section.

As you can see, it’s a long and technical process. Be very careful not to miss any step.

Advantages of Using ExpressVPN on pfSense

Here are the perks of using Express on pfSense:

1. Security

ExpressVPN’s security structure includes reliable VPN protocols (OpenVPN), military-grade encryption (AES-256), leak protection, compatibility with the Onion network, malware/ad blocker (CyberSec), Split Tunneling, and a Kill Switch. Your privacy and security are in secure hands.

2. Circumvent Geo-Restrictions

ExpressVPN’s servers are powerful when it comes to unblocking content you cannot view due to geo-restrictions. Netflix, BBC iPlayer, HBO Now, and Amazon Prime Video are a few of the popular services it can unblock. Its extensive server network allows you to access streaming content in any region worldwide.


To use ExpressVPN on pfSense, you have to go through a thorough configuration process. You need to be very meticulous with the setup process because any small detail can affect the connection’s success. We hope that this guide helps you set up ExpressVPN on pfSense.

Last Updated: April 1, 2021

pfSense is an open-source software distribution that can turn a computer into a dedicated router/firewall. It usually operates on a virtual machine or a dedicated physical computer. It is FreeBSD-based, which means it belongs to the family Unix-like BSD distribution. Using a VPN on pfSense enhances its abilities to protect your devices. This article takes a deep dive into configuring NordVPN on pfSense.

Setting Up NordVPN on pfSense

pfSense has different versions, but the latest one is the 2.5.0 version. This new version has an in-built WireGuard VPN client. Unfortunately, NordVPN’s proprietary WireGuard-based protocol is not available for routers. So this setup involves using the OpenVPN protocol to connect to NordVPN’s servers. Let’s take a look at the step-by-step process you need to follow.

1. Open a browser window and log in to your pfSense account with your credentials. The default is usually “admin” for the username and “pfsense” for the password. Reach out to pfSense support or check your user manual if that doesn’t work.

2. Navigate to the certificate authority section through the following path: System > Certificate Manager > CAs. Once you’re in the CA section, click “+Add.”

3. You’re going to need the name of the server in the next steps. So head over to NordVPN’s OpenVPN configurations page and note the name of the server you intend to use or let NordVPN recommend a server for you.

4. Go back to your pfSense page and input the following in their respective fields:

Descriptive Name: NordVPN_CA (this is for this guide, you can use any name)

Method: Import an existing Certificate Authority

Trust Store: Uncheck this box

Randomize Serial: Uncheck this box

Certificate data: copy and paste the data below.


























Surfshark Pfsense Web




Surfshark Compatible Routers


Click on “Save” to save the configuration.

5. Now go to VPN > OpenVPN > Clients and click on “+Add.”

6. Enter the following in their respective fields:

Disable this client: Uncheck this box.

Server mode: Peer to Peer (SSL/TLS)

Protocol: UDP on IPv4 only (you can also use TCP)

Device mode: tun – Layer 3 Tunnel Mode

Interface: WAN

Local port: Leave box unchecked

Server host or address: the hostname of the server you selected in step 3 above

Server port: 1194 (use 443 if you use TCP)

Proxy host or address: Leave box unchecked

Proxy port: Leave box unchecked

Proxy Authentication: none

Description: Input any descriptive name of your choice.

7. In the “User Authentication Settings” section,input the following:

Username: Your NordVPN service username

Password: Your NordVPN service password in both fields

Authentication Retry: leave box unchecked

If you don’t know your NordVPN service credentials, you can find them in your NordAccount dashboard under “Advanced configuration.”

8. In the “Cryptographic Settings” section, input the following:

Surfshark Pfsense

TLS Configuration: Use a TLS Key – Check this box; Automatically generate a TLS key – Uncheck this box

TLS Key: Copy and paste the data below

—–BEGIN OpenVPN Static key V1—–

















—–END OpenVPN Static key V1—–

TLS Key Usage Mode: TLS Authentication

TLS keydir direction: Use default direction

Peer certificate authority: NordVPN_CA (the CA in step 4 above)

Peer Certificate Revocation list: Do not define

Client certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use). It is important to note that the numbers on your machine might not be the same.

Data Encryption Negotiation: Check this box

Data Encryption Algorithms: AES-256-GCM and AES-256-CBC

Fallback Data Encryption Algorithm: AES-256-CBC

Auth digest algorithm: SHA512 (512-bit)

Hardware Crypto: No Hardware Crypto Acceleration

9. In the “Tunnel Settings” section, input the following:

IPv4 tunnel network: Leave blank

IPv6 tunnel network: Leave blank

IPv4 remote network(s): Leave blank

IPv6 remote network(s): Leave blank

Limit outgoing bandwidth: Leave blank

Allow Compression: Refuse any non-stub compression (Most Secure)

Topology: Subnet – One IP address per client in a common subnet

Type-of-Service: Uncheck this box

Don’t pull routes: Uncheck this box

Don’t add/remove routes: Check this box

10. In the “Advanced Configuration” section, input the following:

Custom Options: Copy and paste the data below



tun-mtu 1500;

tun-mtu-extra 32;

mssfix 1450;



reneg-sec 0;

remote-cert-tls server;

UDP FAST I/O: Uncheck this box

Exit Notify: Disabled

Send/Receive Buffer: Default

Gateway creation: IPv4 only

Verbosity level: 3 (recommended)

11. Now go to Interfaces > Interface Assignments. Click on the green “+Add” button to add the NordVPN interface.

12. Select the “OPT1” on the left of your assigned interface input the following in their respective fields:

Enable: Check this box

Description: NordVPN

Mac Address: Leave blank

MTU: Leave blank

MSS: Leave blank

13. Leave everything else and select “Save.”

14. Go to Services -> DNS Resolver -> General Settings and input the following in their respective fields and select “Save”:

Enable: Check this box

Listen port: Ignore this field

Enable SSL/TLS Service: Uncheck this box

SSL/TLS Certificate: webConfigurator default (59f92214095d8) (Server: Yes, In Use). It is important to note that the numbers on your machine might not be the same

SSL/TLS Listen Port: Ignore this field

Network Interfaces: All

Outgoing Network Interfaces: NordVPN

System Domains Local Zone Type: Transparent

DNSSEC: Uncheck this box

Python Module: Uncheck this box

DNS Query Forwarding: Enable forwarding mode – Check this box; Use SSL/TLS for outgoing DNS Queries to Forwarding Servers – Uncheck this box

DHCP Registration: Check this box

Static DHCP: Check this box

OpenVPN Clients: Uncheck this box

15. At the top of “General DNS Resolver Options,” click “Advanced Settings” and input the following in their respective fields and click “Save”:


Hide Identity: Check this box

Hide Version: Check this box

Openvpn Pfsense Guide

Query Name Minimization: Uncheck this box

Strict Query Name Minimization: Uncheck this box


Prefetch Support: Check this box

Prefetch DNS Key Support: Check this box

Harden DNSSEC Data: Uncheck this box

16. Go to Firewall > NAT > Outbound, click “Manual Outbound NAT rule generation,” and select “Save.”You will see six rules. Delete every IPv6 rule, add a new one with the following and click “Save”:

Interface: NordVPN

Address Family: IPv4

Source: Input your LAN subnet (something like

Surfshark Pfsense V

Note the NAT rule you just created must be on top.

17. Go to Firewall > Rules > LAN and remove the IPv6 rule. Edit the IPv4 rule by clicking on “Display Advanced” and changing “Gateway” to “NordVPN.” Click “Save” after.

18. Head over to “System > General Setup.” Under “DNS Server Settings,” enter the following in their respective fields and click “Save”:

DNS Server 1:; none (under “Gateway”)

DNS Server 2:; NordVPN_VPNV4 – opt1 – … (under “Gateway”)

19. Now go to Status > OpenVPN and check to see if the connection is up and running. You can also look at your connection log file by navigating to Status > System Logs > OpenVPN.

You can confirm that your VPN connection is active by checking your connection’s IP address to see if it has changed.

Get NordVPN for pfSense

Why Should You Use NordVPN For pfSense?

1. Security and Privacy

NordVPN’s security structure consists of basic and advanced features. It uses the OpenVPN protocol, which is one of the most secure and reliable VPN protocols. Using 256-bit encryption is an effective way to discourage malicious entities from trying to access your data, and NordVPN uses it to protect your network connection. There is also a perfect forward secrecy feature that makes it even more difficult to penetrate your network.

Other important security features include an automatic Kill Switch, Split Tunneling, DNS/IP leak protection, Onion over VPN, DoubleVPN, and CyberSec (an adblocker). Privacy is also its strong point as it keeps no logs, has a cryptocurrency payment method, and has its headquarters in privacy-friendly Panama. Overall, NordVPN provides adequate protection when it comes to privacy and security.

2. Bypass Geo-Restrictions

NordVPN’s impressive server network is the reason why its users can confidently access several streaming platforms without facing any barriers online. It can unblock almost every mainstream streaming service, including Netflix, BBC iPlayer, ESPN, Amazon Prime Video, and Hulu.

3. Reliable Customer Support

Nobody wants to be stuck on a problem and have no one around to help. This is why NordVPN invests in delivering the best support to its users. If you have any issues setting it up on pfSense, you can access a 24/7 live chat system, a ticketing system, FAQs, and a support center with instructional guides.


Setting up NordVPN on pfSense is not an easy process, but if you follow the instructions in this guide accurately, you should have no issues with it. In terms of security, privacy, unblocking streaming platforms, and reliable support, you stand to gain a lot using NordVPN on pfSense.