Mini Guide: Setup free VPN (Froot using OpenVPN) in PfSense

DrJohnZoidberg

I just set up my FrootVPN account through my PfSense box so I could route certain traffic over it. Thought it may be useful, seeing as we have so many PfSense converts here lately :)

PART ONE (THE OPENVPN CONFIG)

Step 1:

Sign up and get your free Froot VPN account (https://www.frootvpn.com/).

Step 2:

Download the Froot VPN OVPN config file (https://www.frootvpn.com/files/frootvpn.ovpn).

Step 3:

Copy the certificate info into pfSense. Open up the frootvpn.ovpn file in a text editor.

1. Go to System -> Cert Manager -> CA tab.
2. Click the "+" button.
3. Make sure method is "Import an existing Certificate".
4. In "Descriptive Name" enter frootvpn-ca.
5. In "Certificate Data" copy and paste the <ca> section from the frootvpn.ovpn file. The text should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
6. You can leave the other fields blank.
7. Hit "Save".

8. Go to System -> Cert Manager -> Certificates tab.
9. Click the "+" button.
10. Make sure method is "Import an existing Certificate".
11. In "Descriptive Name" enter frootvpn.
12. In "Certificate Data" copy and paste the <cert> section from the frootvpn.ovpn file. The text should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
13. In "Private key data" copy and paste the <key> section from the frootvpn.ovpn file. The text should start with "-----BEGIN PRIVATE KEY-----" and end with "-----END PRIVATE KEY-----".
14. Hit "Save".

Step 4:

Create a password file.

1. Go to Diagnostics -> Edit File.
2. In the "Save / Load from path:" box enter: /etc/frootvpn-password.txt.
3. In the edit box below enter your FrootVPN username and then password, each on a new line like this:

Code:
Username
Password

4. Hit the "Save" button.

Step 5:

Set up a new OpenVPN client.

1. Go to VPN -> OpenVPN -> Client tab.
2. Click the "+" button.
3. Change "Interface" to whichever WAN interface you want to connect to the VPN with.
4. Under "Server host address" enter the host address which can be found in the frootvpn.ovpn file. Currently it is se-openvpn.frootvpn.com.
5. Under "Server port" enter any one of the listed ports in the frootvpn.ovpn file. Currently these range from 1194 through to 1209.
6. Check the "Infinitely resolve server" box.
7. Under "Description" enter Froot VPN.
8. Uncheck the box "Enable authentication of TLS packets".
9. Under "Peer Certificate Authority" select "frootvpn-ca".
10. Under "Client Certificate" select "frootvpn".
11. Under "Encryption algorithm" select "BF-CBC (128-bit)".
12. In the "Advanced" field, enter the following:

Code:
auth-user-pass /etc/frootvpn-password.txt;
ns-cert-type server;
route-nopull;
verb 3;

13. Leave all the other fields either blank or on their default setting and hit "Save". Here is a screen grab of my config:

[Screenshot: Screenshot 2014-12-30 16.52.54.png]

[Screenshot: Screenshot 2014-12-30 19.25.08.png]


Your VPN should connect now, although you won't be able to route traffic through it until we have configured our interfaces correctly (this is in part two).

To check that your VPN is working, go to Status -> OpenVPN and you will see a section like this:

[Screenshot: Screenshot 2014-12-30 16.56.15.png]


Continue to part two.
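A small parser for the inline profile sections, added here as an example and not part of the guide or of FrootVPN's own files: it pulls out the <ca>, <cert> and <key> blocks from Step 3 (checking their BEGIN/END markers before you paste them), the remote host and port choices from Step 5, the cipher, and whether the profile carries a tls-auth key (which decides the "Enable authentication of TLS packets" box). The profile it parses is a constructed placeholder, not frootvpn.ovpn.

```python
import re
# Constructed stand-in for frootvpn.ovpn; the PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
remote vpn.example.invalid 1194
remote vpn.example.invalid 1195
cipher BF-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIC...ca-placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIC...cert-placeholder...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...key-placeholder...
-----END PRIVATE KEY-----
</key>
"""

# PEM type the pfSense import form expects for each inline section (Step 3).
PEM_TYPE = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}

def inline_block(text, tag):
    """Return the PEM inside <tag>..</tag>, checking its BEGIN/END lines first."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", text, re.S)
    if not m:
        raise ValueError(f"no <{tag}> section in profile")
    pem, kind = m.group(1).strip(), PEM_TYPE[tag]
    if not (pem.startswith(f"-----BEGIN {kind}-----") and pem.endswith(f"-----END {kind}-----")):
        raise ValueError(f"<{tag}> is not a {kind} PEM block")
    return pem

def parse_profile(text):
    """Collect the values the guide has you copy into pfSense by hand."""
    remotes = re.findall(r"^remote\s+(\S+)\s+(\d+)", text, re.M)
    cipher = re.search(r"^cipher\s+(\S+)", text, re.M)
    return {
        "ca": inline_block(text, "ca"),
        "cert": inline_block(text, "cert"),
        "key": inline_block(text, "key"),
        "hosts": sorted({h for h, _ in remotes}),      # Step 5 "Server host address"
        "ports": sorted(int(p) for _, p in remotes),    # Step 5 "Server port" choices
        "cipher": cipher.group(1) if cipher else None,  # Step 5 "Encryption algorithm"
        # False is why the guide unchecks "Enable authentication of TLS packets"
        "tls_auth": bool(re.search(r"^(tls-auth\s|<tls-auth>)", text, re.M)),
    }
```

Run it against the real frootvpn.ovpn by reading the file into parse_profile; a ValueError means a section is missing or you are about to paste the wrong kind of PEM block into a pfSense form.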
PART TWO (THE INTERFACE CONFIG)

Step 1 (Optional):

I recommend disabling IPv6 for now, unless you specifically need it enabled.

To disable go to System -> Advanced -> Networking tab and uncheck "Allow IPv6".

Step 2:

Create the OpenVPN interface.

1. Go to Interfaces -> Assign -> Interfaces assignment tab and hit the "+" button.
2. A new interface will now be available for you to use; it will be called OPTx (where x is an incremental number based on the number of interfaces used).
3. On your new interface, click the dropdown menu next to it and select the Froot VPN connection.
4. Hit the "Save" button.
5. Now click on the OpenVPN interface name or navigate to it from the "Interfaces" menu.
6. Check the "Enable Interface" checkbox.
7. In the "Description" field, enter a descriptive name for your OpenVPN interface. I have used OVPN_C0 for mine (OVPN = OpenVPN, C = Client, 0 = incrementing number).
8. Hit the "Save" button.

Step 3:

Disable interface monitoring.

1. Go to System -> Routing -> Gateways tab and edit the auto-created OpenVPN gateway by either double clicking on it or clicking the "e" to the right of it.
2. Check the "Disable Gateway Monitoring" checkbox.
3. Hit the "Save" button.

Step 4:

Enable outbound NAT. I'm not exactly sure if my system was being funny, but my outbound NAT rules were not created automatically when I added the new interface. If you can see outbound NAT rules for your OpenVPN interface already then skip the following.

1. Go to Firewall -> NAT -> Outbound tab.
2. Activate the "Manual Outbound NAT rule generation" radio button and hit the "Save" button.
3. You now need to copy the outbound NAT rules from one of your interfaces and just change the interface assignment. To do this you need to click on the "+" button next to each existing rule for an interface. There are generally only 3 rules (per interface) and you only really have to add one of them to get things working, but for the sake of being thorough let's do all of them.
4. Once you have clicked on the "+" and are on the outbound NAT rule edit screen, you ONLY need to change the "Interface" field from the existing value to the value for the OpenVPN interface we created in Step 2. Once you have done that for each of the 3 rules, hit the "Save" button.
5. For reference, here is what my three rules look like:

[Screenshot: Screenshot 2014-12-30 18.10.59.png]


As you can see the 3 rules are exact duplicates of the above 3, only the interface is different.

6. Click the "Apply" button.

Step 5:

Restart the OpenVPN service.

To be thorough let's just restart the OpenVPN service by going to Status -> OpenVPN and clicking on the little Play button cog to the right of your FrootVPN connection.

Once the service is running and your OpenVPN connection is up again you should be able to route traffic through your new interface exactly like you would with any other interface using the firewall rules and changing the appropriate gateway.
Quick Speedtest:

[Image: 4021818961.png (speed test result)]


Peaking at 30 Mbps on well-seeded torrents:

[Screenshot: Screenshot 2014-12-30 17.32.09.png]


Overall, pretty impressive for something that doesn't cost a cent.
EDIT: Resolved.

I hadn't specified "route-nopull" and this was overriding the default gateway. I have fixed the relevant steps.

==========

Having some issues with the default gateway route on my end. Looks like it's disregarding the default gateway; it works fine if I specify it explicitly. If anyone uses this guide, can you check if you're also getting the same behaviour?

Thanks.
i luv u



Already had it set up with my Private Internet Access account, but having this handy thread to fall back on in the future is great.

Seeing you're not using LZO compression, would this impact the CPU usage of the system noticeably on a low-end Atom box? Been using it since I got it up and thought this was one of those must-have things. I'm incredibly new at this, so guidance would be great.

Also, PIA's guide uses verb 5, and yours uses verb 3. What exactly does this verb do, and what's the difference between 3 and 5?
> Seeing you're not using LZO compression, would this impact the CPU usage of the system noticeably on a low-end Atom box? Been using it since I got it up and thought this was one of those must-have things. I'm incredibly new at this, so guidance would be great.
>
> Also, PIA's guide uses verb 5, and yours uses verb 3. What exactly does this verb do, and what's the difference between 3 and 5?

I tried to enable LZO compression initially but it was spitting out tons of errors in my logs, although it was working. I just decided to disable it and has been working fine since. I don't see any noticeable impact on performance.

Verb levels just refer to the debug logging level. Verb = verbosity; the higher the value, the more debugging info will be output.