EarthVPN Setup on pfSense

This article explains how to setup EarthVPN on pfSense so that all traffic on your WiFi network goes over the VPN. pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more. We will configure pfSense to block all traffic if the VPN drops out so that there is no risk that your traffic will leave your network encrypted.

This article assumes you already have a fresh installation of pfSense sitting in the correct place on your network, either virtualised or installed directly onto the hardware. My home lab is configured like this, with pfSense installed as a VM on my HP MicroServer:

Key interfaces:

  • em0 (aka. WAN) – 192.168.1.1/24
  • em1 (aka. LAN) – 192.168.2.1/24

We will be creating a separate subnet (192.168.2.0/24) using pfSense so that any devices connected to its LAN interface via the Netgear router will have it’s traffic sent over the VPN.

We will also configure rules so that in the event the VPN fails, no traffic will pass. This ensures your data is not accidentally disclosed without you realising.

Step 1: Prepare pfSense

  1. Login to pfSense through it’s web interface https://LANIP with admin and pfsense
  2. Go to System -> User Manager and change the admin users password
  3. Return to the homepage. If it shows that updates are available then apply those updates first
  4. One rebooted, log back in and go to Interfaces -> WAN and make sure you configure the following settings to match your own setup
  5. Go to Interfaces -> LAN and do the same thing
  6. Go to System -> Routing -> Gateways and confirm you only have 1 Gateway, marked as default, that points to your equivalent of my BTHomeHub

Step 2: Configure EarthVPN

First, go to the EarthVPN server list and choose which VPN server you’re going to use. Note: Only servers with (P2P) after them support torrents/peer-2-peer traffic. For the purposes of this I am going to use ams3-nl.earthvpn.com. 

So that I can be extra sure that DNS leakage isn’t an issue, I’m going to block all DNS traffic leaving my LAN, meaning we won’t be able to resolve ams3-nl.earthvpn.com. To fix this, first look up the IP address by opening command prompt and typing ping ams3-nl.earthvpn.com. Make a note of this IP as we will need it in a minute.

  1. Go to System -> Cert. Manager -> Add
  2. Download the EarthVPN client certificate and open it in Notepad++ or WordPad
  3. Back in pfSense, copy the contents of the certificate into the Certificate Data box and click Save
  4. Go to VPN -> OpenVPN -> Clients -> Add
  5. Fill in the form using the exact values shown here, replacing the username and password with your EarthVPN credentials, and replacing ams3-nl.earthvpn.com with the IP recorded above, and then click Save
  6. Go to Status -> OpenVPN and confirm that the status says Up. If it doesn’t, use the circular arrow to restart the service and confirm your settings match the ones shown above 
  7. Go to NAT -> Outbound, tick the radio box “Manual Outbound Nat” and click Save
  8. Delete all the rules except the one with the description of “Auto created rule – LAN to WAN”
  9. Duplicate the one remaining by clicking on  next to the one remaining rule
  10. Change the Interface and Description and click Save

That’s it, your LAN traffic should now be routed across your VPN.

To test this, go to What is my IP? and confirm your IP shows you’re in the same country and the VPN end point you chose.

It is also a good idea to run a DNS leak test to confirm that your DNS requests are not being resolved outside of your VPN connection (and therefore unencrypted). You can use this website to confirm that no local DNS servers are being shown.

Step 3: Block traffic if VPN drops out

In its current configuration, if your VPN drops out there is a risk that your traffic could leave your network encrypted without you realising. We’re now going to configure pfSense to block all traffic unless it goes via the VPN.

  1. Go to Firewall -> Rules -> Floating and click Add
  2. Create a rule that matches this, replacing the IP address with the IP recorded above
  3. Create another rule that matches this
  4. The order of the rules is very important so make sure the allow rule is first

That’s it, now when your VPN connection drops out, you won’t be able to access the Internet and none of your unencrypted traffic will leave the network. To test this, go to Status -> OpenVPN and start & stop the VPN service, checking that you can’t access the Internet when the service is stopped.

Leave a Reply

Your email address will not be published. Required fields are marked *