Here’s how to configure a pfSense firewall as an OpenVPN client so that all IPv4 traffic from the LAN always traverses the VPN.

Build a VM at a cloud provider and configure it as an OpenVPN server, using a self-signed CA, a client certificate, and TLS auth (a static tls-auth key). Export a client profile (.ovpn) with the CA, certificate, key, and TLS key inline.
For pfSense, take the following steps.
cat your .ovpn file and copy the CA certificate (the block between <ca> and </ca>).  Paste it under System/Cert Manager/CAs as a new entry, choosing “Import an existing Certificate Authority.”

Then click on Certificates, add a new entry with “Import an existing Certificate,” and paste in your client certificate (the <cert> block) plus its private key (the <key> block).

Next go to VPN/OpenVPN/Clients and add a client.  Leave the defaults, enter the server’s IP or hostname and port from the remote line of your .ovpn file, and tick “Infinitely resolve server” (the equivalent of resolv-retry infinite).  Under TLS Configuration, keep “Use a TLS Key” checked, uncheck “Automatically generate a TLS Key,” and paste in the key from the <tls-auth> block; if the profile carries a key-direction line, set the direction to match.  Then select the CA and certificate you just imported.  Make sure the Encryption Algorithm and Auth digest Algorithm match the cipher and auth lines in your .ovpn file, or the tunnel will not come up.  Scroll down to compression.  This setup enabled adaptive LZO compression (comp-lzo) to match the server, but OpenVPN compression is a known weakness (VORACLE-style attacks recover plaintext from compressed tunnels), so the better choice is to disable it on both ends; whichever you pick must match the server.  Check the “Don’t forward IPv6 traffic” box so IPv6 cannot leak around the IPv4-only tunnel.  Save, then view the tunnel status under Status/OpenVPN.  It should be up, but there are a few steps left before LAN clients can use it.

Next assign the tunnel as an interface: click Interfaces/Assign.  The OpenVPN client shows up in the “Available network ports” list as ovpnc1 (or the next free number).  Add it, then click the new OPTx interface under Interfaces, enable it, give it a description such as VPN, and leave the IPv4 and IPv6 configuration types at None (OpenVPN assigns the addresses itself).

Once that interface is enabled, pfSense automatically creates a gateway for it under System/Routing/Gateways, named after the interface (for example VPN_VPNV4).  Confirm it is listed there; that gateway is what the LAN firewall rule below routes through.  Do not set it as the IPv4 Upstream gateway on the LAN interface itself: leave that at None, because pfSense treats any interface with an upstream gateway as a WAN-type interface.

Now you need outbound NAT for the tunnel.  Click Firewall/NAT/Outbound, select Manual Outbound NAT, and save.  pfSense generates rules for each interface subnet on WAN; for your LAN subnet there should be two (one general, one for port 500 with static port).  Edit both and change the interface to the VPN interface you created earlier, so traffic leaving through the tunnel is translated to the tunnel address.  (Hybrid Outbound NAT does the same with less editing: it keeps the automatic WAN rules and lets you add a single mapping with interface VPN and source your LAN subnet.)

Now change the default outbound LAN rule.  Click Firewall/Rules/LAN, edit the “Default allow LAN to any” rule, click Display Advanced, scroll down to Gateway and select the VPN interface’s gateway (VPN_VPNV4, or whatever yours is called).  That policy-routes all LAN IPv4 traffic into the tunnel.  One caveat: by default, if the tunnel gateway is down, pfSense ignores the gateway on that rule and sends the traffic out the WAN unprotected.  To make “always traverses the VPN” true, go to System/Advanced/Miscellaneous and enable “Skip rules when gateway is down,” so the rule is simply not loaded (and the traffic hits the default deny) while the tunnel is down.

Now all you need to do is restart the VPN client.  Go to Status/OpenVPN and click restart.
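The certificate, key, and client steps above amount to reading a handful of values out of the .ovpn profile and typing them into the pfSense client form. The script below is an added example, not part of the original post and not pfSense code: it parses a constructed sample profile (placeholder PEM bodies, not real keys) with inline <ca>, <cert>, <key> and <tls-auth> blocks, returns the values the form asks for (server, port, cipher, digest, TLS key direction, compression), and flags the things worth checking before trusting the tunnel: compression enabled, no tls-auth key, no remote-cert-tls server, cipher or auth left to defaults. The field names (encryption_algorithm, auth_digest, and so on) are the script’s own, chosen to mirror the form labels.

```python
"""Pull the pfSense OpenVPN client form values out of an .ovpn profile.  Added
example, not from the original post or from pfSense; the profile is constructed."""
import re

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
remote vpn.example.net 1194
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):
    """Return (options, blocks): directive -> args, and inline tag -> PEM text."""
    options, remotes, blocks = {}, [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:  # inline <ca>, <cert>, <key>, <tls-auth> ... block
            name, body = tag.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i].rstrip())
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{name}> block")
            i += 1  # step over the closing tag
            blocks[name] = "\n".join(body).strip() + "\n"
            continue
        parts = line.split()
        if parts[0] == "remote":  # a profile may list several servers
            remotes.append(parts[1:])
        else:
            options[parts[0]] = parts[1:]
    options["remote"] = remotes
    return options, blocks

def pfsense_client_settings(text):
    """Map a profile onto the pfSense client form and collect warnings."""
    opts, blocks = parse_ovpn(text)
    if not opts["remote"]:
        raise ValueError("profile has no 'remote' line")
    host, *rest = opts["remote"][0]
    port = int(rest[0]) if rest else int(opts.get("port", ["1194"])[0])
    # key-direction is a separate directive when the tls-auth key is inline
    direction = int(opts["key-direction"][0]) if "key-direction" in opts else None
    if "comp-lzo" in opts:  # bare comp-lzo means adaptive LZO
        compression = "comp-lzo " + (" ".join(opts["comp-lzo"]) or "adaptive")
    else:
        compression = "none"
    warnings = []
    if compression != "none":
        warnings.append("compression enabled: exposes the tunnel to VORACLE-style attacks")
    if "tls-auth" not in blocks:
        warnings.append("no <tls-auth> block: the control channel is unauthenticated")
    if opts.get("remote-cert-tls") != ["server"]:
        warnings.append("remote-cert-tls server missing: a client cert could impersonate the server")
    if "cipher" not in opts or "auth" not in opts:
        warnings.append("cipher/auth not stated: pfSense defaults must match the server")
    return {
        "server_host": host,
        "server_port": port,
        "infinitely_resolve": opts.get("resolv-retry") == ["infinite"],
        "encryption_algorithm": opts.get("cipher", [None])[0],
        "auth_digest": opts.get("auth", [None])[0],
        "tls_key": blocks.get("tls-auth"),
        "tls_key_direction": direction,
        "compression": compression,
        "warnings": warnings,
        **{k: blocks.get(k) for k in ("ca", "cert", "key")},
    }
```

Run pfsense_client_settings on your own profile and copy the ca, cert, key and tls_key values straight into the Cert Manager and client form; the warnings list is the pre-flight check, and on a profile that still carries comp-lzo it will tell you to remove it on both ends before you rely on the tunnel.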

Enjoy private surfing.
