Using a virtual private network (VPN) is a great way to protect yourself from prying eyes. Whether you want to get around some geo-blocking for video streaming or protect your privacy, a VPN is a must-have in today's digital world. Most of the best VPN services have easy apps to install on devices, which connect to servers worldwide and shield your connections. Not all ISP-provided routers can be configured with a VPN. If you're looking to build your own firewall/router, there's a way to hook up your VPN for all connections made outside your network.

👁 Best VPNs.
Best VPN providers in 2025

VPNs have become extremely common these days, and there are almost too many options for both free and paid VPNs.

Why use a VPN through pfSense?

Using a VPN on each of your devices will protect them when connecting to the outside world, but this can be limiting if your provider restricts how many simultaneous active VPN connections are possible. This is where pfSense comes in. By loading up your VPN on the router itself, all traffic passing through will be protected. This also applies to geo-fencing, allowing all connected hardware on your network to get around region blocks without needing to do anything specifically per device. And that's the best part, being able to configure your VPN once and be done with it.

No apps are required on any of your devices, though it's still a good idea to install them on portable hardware (such as your phone or laptop) should you wish to use the VPN when not at home.

👁 ProtonVPN Windows app on laptop
How I made a home VPN with dynamic DNS for secure remote access

Never fret about IP changes again by combining your own self-hosted VPN with DDNS

How to configure a VPN with pfSense

Before we add the VPN connection to pfSense, you must be signed up with a provider. We have a curated list of the best VPN providers, but for this guide, I'll use the same VPN I've used for years, Private Internet Access (PIA).

  1. Download the OpenVPN files from PIA (select default).
  2. Extract the downloaded archive.
  3. Open the certificate file corresponding to the desired location. (This determines which server OpenVPN will connect to. I chose the closest to my location.)
  4. Log into pfSense.
  5. Go to System > Certificates.
  6. Click Add.
  7. Give the certifical authority a name under Descriptive name.
  8. Change the Method to "Import an existing Certificate Authority".
  9. Return to your opened PIA certificate file and copy everything between (and including) BEGIN CERTIFICATE and END CERTIFICATE.
  10. Paste the code into the Certificate data field.
  11. Click Save.
  12. Go to VPN > OpenVPN.
  13. Select the Clients tab.
  14. Click Add.
  15. Give the client a name under Description.
  16. Copy and paste the host address from the downloaded certificate file. (Should end with .privacy.network.)
  17. Change the port to the one displayed in the file. (For PIA, it should be 1198.)
  18. Enter your PIA username and password.
  19. Uncheck TLS Configuration.
  20. Select the certificate authority added in previous steps as the Peer Certificate Authority.
  21. Choose the correct encryption algorithms. (I use AES-128-GCM and AES-128-CBC. Make sure there are no lines between the algorithms on the right.)
  22. Set the Fallback Data encryption Algorithm to AWS-128-CBC.
  23. Set Auth digest algorithm to the corresponding algorithm displayed in the downloaded certificate file. (For PIA, it's SHA1.)
  24. Set Gateway creation to IPv4 only.
  25. Click Save.
  26. Go to Status > OpenVPN. If everything works, the status should read "up" and a virtual address displayed with a remote host.
  27. Go to Interfaces > Assignments.
  28. Select the drop-down menu next to Available network ports.
  29. Click Add.
  30. Select the newly added interface.
  31. Enable the interface.
  32. Click Save.
  33. Click Apply Changes.
  34. Go to Firewall > NAT.
  35. Select the Outbound tab.
  36. Switch the mode to Hybrid Outbound NAT rule generation.
  37. Click Save.
  38. Click Add.
  39. Change the Interface to the one created in step 29.
  40. Change the Source to 127.0.0.0/8.
  41. Click Save.
  42. Duplicate the newly created rule and edit.
  43. Change the Destination port to 500.
  44. Check Static Port under Translation.
  45. Click Save.
  46. Click Add.
  47. Change the Interface to the one created in step 29.
  48. Change the Source to your LAN network (192.168.1.0/24).
  49. Click Save.
  50. Duplicate the newly created rule and edit.
  51. Change the Destination port to 500.
  52. Check Static Port under Translation.
  53. Click Save.
  54. Click Apply Changes.
  55. Go to Firewall > Rules.
  56. Select the LAN tab.
  57. Click Add.
  58. Change the Protocol to Any.
  59. Change Source to Network.
  60. Give the rule a Description.
  61. Click Display Advanced.
  62. Change Gateway to the VPN.
  63. Click Save.
  64. Click Add.
  65. Change Action to Block.
  66. Change Protocol to Any.
  67. Change Source to Network.
  68. Give the rule a Description.
  69. Click Save.
  70. Make sure the allow firewall rule is above the block rule. (Click and drag it if not.)
  71. Click Apply changes.
  72. Go to System > Routing.
  73. Edit the VPN gateway.
  74. Enter an IP address in Monitor IP. (I use 1.0.0.1)
  75. Click Apply Changes.

You're done! Pirate Internet Access is running and all traffic from the network is passing through the VPN. Try an IP checker to make sure your external IP address matches the one from your VPN provider.

It's not all good news with a VPN

I will do as much as possible through a VPN, but it's not perfect. This is why I configured pfSense to only use the VPN with a specific range of IP addresses. Not all devices will be routed through the VPN. Should I need to quickly work on something without the VPN active, I can swap my IP address to one that isn't included within the pool and enjoy using a standard connection. Some sites may not like VPNs, including Google, which can bombard you with more captcha tasks than you'd see fetch quests in the most irritable role-playing game.