
How to set up OysterVPN on pfSense

Last Updated: October 6, 2021

pfSense is an open-source firewall and router that you can download for free. It offers load balancing, unified threat management, multi-WAN, and other features for those who are particularly concerned about their online security and privacy.

Users can extend these capabilities further by setting up OysterVPN on the latest pfSense version. Before you begin, make sure you have the following:

  1. An active internet connection.
  2. An active OysterVPN Premium account. Click here to subscribe to OysterVPN if you haven’t already.
  3. A supported router with pfSense firmware version 2.4.4 or higher.

Follow the steps below to set up OysterVPN on pfSense:

  1. To configure OpenVPN on pfSense, first, download and extract the essential OpenVPN files from
  2. After logging into your pfSense account, go to System > Cert Manager and click + to add a new certificate.
  3. Select “CAs” and then click the “+Add” button.
  4. Fill out the following information:
  • Descriptive name: Enter CA Cert
  • Certificate data: Download the OpenVPN files from here, open CA.crt, copy the text between the <ca> </ca> tags, and paste it into the “Certificate Data” field.
  • Click “Save”.
  1. Now the connection is created but not connected.
  2. Select “VPN”, then click on “OpenVPN”.
  3. Now select “Clients” and then press the “+Add” button.
  4. Now enter the settings as instructed below:
  • Server mode: Peer to Peer (SSL/TLS)
  • Protocol: TCP on IPv4 only (or you can also select UDP)
  • Device mode: TUN – Layer 3 Tunnel Mode
  • Interface: WAN
  • Server host or address: Enter an OysterVPN TCP server address if you selected TCP in the “Protocol” option above. If you selected UDP, enter a UDP server address.
  1. Enter your OysterVPN login credentials in the “User Authentication Settings” section.
  2. Now do the following in the “Cryptographic Settings” section.
  • Put a checkmark on “Use a TLS key.”
  • Uncheck “Automatically generate a shared TLS authentication key.”
  • Enter TLS key: TLS Key is the text between <tls-auth> </tls-auth> tags in the certificate data file that you downloaded in step 3.
  • TLS Key Usage mode: TLS Authentication
  • Peer Certificate Authority: OysterVPN_OVPN_CA
  • Client Certificate: None (username and password required)
  • Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
  1. Uncheck “Enable Negotiable Cryptographic Parameters”.
  2. Select “SHA (256 bit)” in Authentication Digest Algorithm.
  3. Select “No Hardware Crypto Acceleration” in Hardware Crypto.
  • Compression: LZO Compression
  • Topology: Subnet – One IP address per client in a common subnet
  • Don’t Pull routes: Uncheck “Bars the servers from adding a route to the client’s routing table”.
  • Don’t add/ remove routes: Uncheck “Don’t add/ remove routes automatically.”
  1. Now, go to the “Advanced Configuration” section and follow the steps below:
  • Custom options: Type the following text.
    • auth-no-cache
    • tls-client
    • keepalive 10 60
    • ping-timer-rem
  • Send Receive Buffer: 512 KiB
  • Now save it to create a connection.
  1. Now go to “Status” and select “OpenVPN”.
  2. You will be directed to the client instance statistics page, and you will see OysterVPN connection Status as “up.”
  3. Navigate to “Interfaces”.
  4. Select “Assignments” from there and do the following:
  • Enable: Check “Enable interface.”
  • Description: OysterVPN
  • IPv4 Connection Type: DHCP
  • IPv6 Configuration Type: None
  • Click on “Save.”
  1. Now go to “General Settings” and do the following:
  • Enable: Check “Enable DNS Resolver”
  • Listen Port: 53
  • Network Interface: All
  • Outgoing Network Interface: OysterVPN
  • System Domain Local Zone Type: Transparent
  • DNSSEC: Check “Enable DNSSEC support.”
  • DNS Query Forwarding: Check “Enable Forwarding Mode”.
  • DHCP Registration: Check “Register DHCP static mapping in the DNS resolver.”
  • Static DHCP: Check “Register DHCP Static mapping in the DNS resolver.”
  • Click on “Save”.
  1. Now go to “Advanced Settings” and do the following:
  • Hide Identity: Check “id.server and hostname.bind queries are refused.”
  • Hide Version: Check “version.server and version.bind queries are refused.”
  • Prefetch Support: Check “Message cache elements are prefetched”.
  • Prefetch DNS Key Support: Check “DNSKEYs are fetched earlier in the validation process.”
  • Harden DNSSEC Data: Check “DNSSEC data is required for trust-anchored zones.”
  1. Now go to “Firewall” and select “NAT”.
  2. Go to “Outbound” and select Manual Outbound NAT rule generation (AON-Advanced Outbound NAT)
  3. Now click on “Save”.
  4. Once saved, follow these steps in Firewall > NAT > Outbound.
  5. Then click on Edit and do the following:
  • Disabled: Uncheck “Disable this rule.”
  • Do not NAT: Uncheck “Enabling this option will disable NAT for traffic matching this rule.”
  • Interface: OysterVPN
  • Protocol: any
  • Source: Network 192.168.1.0/24
  • Destination: any
  • Address: Interface address
  • Click on “Save” to save the settings.
  1. Now go to “Firewall” again and select “LAN”.
  2. Check the IPv6 rule and click on “Delete.”
  3. Then check the IPv4 rule and click on the pencil sign to edit and do the following:
  • Action: Pass
  • Disabled: Uncheck “Disable this rule.”
  • Interface: LAN
  • Address Family: IPv4
  • Protocol: Any
  • Source: LAN net
  • Destination: any
  • Description: Default allow LAN to any rule – Edit – Gateway changed to OysterVPN
  • Advanced Options: View Advanced settings
  1. Select “Gateway” and select “OysterVPN _DHCP_Interface FastestVPN_DHCP Gateway”.
  2. Click on save to save all settings.
  3. Go to System and select General Setup.
  4. Set DNS server to 10.8.8.8 and pick “OysterVPN DHCP-opt1-
  5. Check “Allow DNS server list to be altered by DHCP/ PPP on WAN” in DNS Server settings.
  6. Lastly, save your preferences to set up OysterVPN on pfSense.
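
The “Certificate data” and “TLS key” fields above are both filled by copying text out of tagged blocks in the downloaded OpenVPN profile, and a truncated paste only shows up later as a tunnel that never comes up. The following added example (not part of the original guide or of OysterVPN's tooling) extracts the <ca> and <tls-auth> blocks and rejects anything that is not a PEM certificate or a complete 2048-bit static key; the sample profile, host name and key in it are constructed placeholders.

```python
import re

HEX_LINE = "0123456789abcdef0123456789abcdef"  # constructed, not a real key
# Constructed stand-in for a provider .ovpn profile; the host, certificate
# body and key are placeholders, not values from OysterVPN.
SAMPLE_OVPN = "\n".join([
    "client", "proto udp", "remote vpn.example.net 1194",
    "<ca>",
    "-----BEGIN CERTIFICATE-----",
    "MIIBplaceholderplaceholderplaceholderplaceholder",
    "-----END CERTIFICATE-----",
    "</ca>",
    "<tls-auth>",
    "# 2048 bit OpenVPN static key",
    "-----BEGIN OpenVPN Static key V1-----",
    *[HEX_LINE] * 16,
    "-----END OpenVPN Static key V1-----",
    "</tls-auth>", ""])


def inline_block(profile, tag):
    """Return the non-empty lines between <tag> and </tag>."""
    m = re.search(rf"^<{tag}>[ \t\r]*\n(.*?)\n</{tag}>[ \t\r]*$", profile, re.S | re.M)
    lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []
    if not lines:
        raise ValueError(f"profile has no usable <{tag}> block")
    return lines


def ca_certificate(profile):
    """Text for the "Certificate data" field; must have PEM certificate framing."""
    lines = inline_block(profile, "ca")
    if (lines[0], lines[-1]) != ("-----BEGIN CERTIFICATE-----",
                                 "-----END CERTIFICATE-----"):
        raise ValueError("<ca> block is not a PEM certificate")
    return "\n".join(lines)


def tls_auth_key(profile):
    """Text for the "TLS key" field; must be a 2048-bit OpenVPN static key."""
    lines = [ln for ln in inline_block(profile, "tls-auth") if not ln.startswith("#")]
    if (lines[0], lines[-1]) != ("-----BEGIN OpenVPN Static key V1-----",
                                 "-----END OpenVPN Static key V1-----"):
        raise ValueError("<tls-auth> block is not an OpenVPN static key")
    if not re.fullmatch(r"[0-9a-fA-F]{512}", "".join(lines[1:-1])):
        raise ValueError("static key body is not 2048 bits of hex")
    return "\n".join(lines)
```

Read the real profile with `open(path).read()` and pass the text to `ca_certificate()` and `tls_auth_key()`; a `ValueError` means the file or the copy is incomplete and should be downloaded again before anything is pasted into pfSense.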