Last Updated on December 13, 2022 by Thiago Crepaldi
Surfshark provides a cheap VPN service that allows an unlimited number of devices and includes ad blocking. In this tutorial we are going to configure pfSense as an OpenVPN client to Surfshark and assign an interface to the tunnel so that we can route other services through it.
Surfshark information
The first step is getting your Surfshark credentials. Go to the login page at https://account.surfshark.com/ and log in. Next, go to Advanced >> Devices >> Manual, scroll down to the bottom of the page and take note of your service credentials. These are separate from your account login; they are the username and password the OpenVPN client will send.
On the same page of your account you will find the list of configuration files and the hostnames of their servers, grouped by country/continent. Take this opportunity and copy the hostname of each location you want to use later on.
pfSense configuration
Once you are logged in on your pfSense, go to System >> Cert. Manager >> CAs and click on Add to create a new Certificate Authority as follows:
- Descriptive Name: Surfshark_VPN
- Method: Import an existing Certificate Authority
- Certificate data:
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
Once you are done, click on Save.
The next step is creating the VPN client connection. Navigate to VPN >> OpenVPN >> Clients and press Add.
- General Information
- Disable this client: leave unchecked
- Server mode: Peer to Peer (SSL/TLS)
- Protocol: UDP on IPv4 only (you can also use TCP)
- Device mode: tun – Layer 3 Tunnel Mode
- Interface: WAN
- Local port: leave blank
- Server host or address: The server address that you want to connect (e.g. us-sea.prod.surfshark.com)
- Server port: 1194 (use 1443 if you use TCP)
- Proxy host or address: leave blank
- Proxy port: leave blank
- Proxy Authentication: None
- Description: Any name you like (e.g. Surfshark US Seattle)
- User Authentication Settings
- Username: Username from Surfshark account
- Password: Password from Surfshark account
- Authentication Retry: unchecked
- Cryptographic Settings
- TLS Configuration: Check
- Automatically generate a TLS Key: Uncheck
- TLS Key:
-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
c7b282631d6fc19be1df6ebae9e2779e
6d9f097058a31c97f57f0c35526a44ae
09a01d1284b50b954d9246725a1ead1f
f224a102ed9ab3da0152a15525643b2e
ee226c37041dc55539d475183b889a10
e18bb94f079a4a49888da566b9978346
0ece01daaf93548beea6c827d9674897
e7279ff1a19cb092659e8c1860fbad0d
b4ad0ad5732f1af4655dbd66214e552f
04ed8fd0104e1d4bf99c249ac229ce16
9d9ba22068c6c0ab742424760911d463
6aafb4b85f0c952a9ce4275bc821391a
a65fcd0d2394f006e3fba0fd34c4bc4a
b260f4b45dec3285875589c97d3087c9
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----
- Cryptographic Settings (continued)
- TLS Key Usage Mode: TLS Authentication
- Peer certificate authority: Surfshark_VPN
- Peer Certificate Revocation list: do not define
- Client certificate: webConfigurator default
- Encryption Algorithm: AES-256-GCM
- Enable NCP: Check
- NCP Algorithms: AES-256-GCM and AES-256-CBC
- Auth digest algorithm: SHA512 (512-bit)
- Hardware Crypto: No hardware crypto acceleration
- Tunnel Settings
- IPv4 tunnel network: leave blank
- IPv6 tunnel network: leave blank
- IPv4 remote network(s): leave blank
- IPv6 remote network(s): leave blank
- Limit outgoing bandwidth: leave blank
- Compression: Omit Preference (Use OpenVPN Default)
- Topology: Subnet – One IP address per client in a common subnet
- Type-of-service: leave unchecked
- Don’t pull routes: checked
- Don’t add/remove routes: checked
- Ping settings
- Inactive: 0
- Ping method: keepalive
- Interval: 10
- Timeout: 60
- Advanced Configuration
- Custom options: paste the contents below (one directive per line; pfSense also treats the semicolon as a separator, so the trailing semicolons are harmless)
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1400;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
- Advanced Configuration
- UDP FAST I/O: leave unchecked
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity level: 3 (recommended)
Press Save at the bottom of the page and Apply changes at the top of the page. Navigate to Status >> OpenVPN to verify your VPN Client is working. Check Client Instance Statistics and verify your new VPN Client connection is listed and that the Status is up.
Using mssfix 1450 as recommended by Surfshark caused constant connection drops. In this post we also checked both Don’t pull routes and Don’t add/remove routes boxes and created manual firewall rules to fit our scenario with multiple LANs, VLANs, etc.
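The client above, written as a stand-alone OpenVPN configuration file. This is an added example, not the post's or Surfshark's own file: each pfSense field maps to one directive, which helps when you compare it with the configuration pfSense generates under /var/etc/openvpn/ (the exact file name depends on the pfSense version) or when you need the same tunnel on a plain OpenVPN host. The file names creds.txt, surfshark_ca.crt and surfshark_ta.key are assumptions; data-ciphers is the OpenVPN 2.5 name of the NCP list, older releases call it ncp-ciphers. Surfshark authenticates the tunnel with the username and password, so no client certificate appears here even though the pfSense form makes you select one.

```text
# Stand-alone OpenVPN client equivalent of the pfSense settings above (added example).
# File names creds.txt, surfshark_ca.crt and surfshark_ta.key are assumptions.
# Server mode: Peer to Peer (SSL/TLS), client side (client = tls-client + pull)
client
# Device mode: tun; Protocol: UDP on IPv4 only
dev tun
proto udp
# Server host and port; remote-random comes from the custom options
remote us-sea.prod.surfshark.com 1194
remote-random
# Local port: blank
nobind
# Service credentials from the Surfshark account page, one per line in the file
auth-user-pass creds.txt
# Peer certificate authority: the CA imported as Surfshark_VPN
ca surfshark_ca.crt
# TLS Key Usage Mode: TLS Authentication, using the static key above, client direction
tls-auth surfshark_ta.key 1
remote-cert-tls server
# Encryption Algorithm, NCP Algorithms and Auth digest algorithm
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
# Topology: subnet
topology subnet
# Don't pull routes / Don't add/remove routes
route-nopull
route-noexec
# Ping settings: keepalive, interval 10, timeout 60
keepalive 10 60
# Remaining custom options from the post (mssfix 1450 caused drops for the author)
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
persist-key
persist-tun
reneg-sec 0
# Verbosity level
verb 3
```

With route-nopull and route-noexec the tunnel comes up but nothing is routed into it, which is exactly the state the post wants before the firewall rules below decide which traffic uses the gateway.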
Assigning interface to the VPN client connection
Navigate to Interfaces >> Interface Assignments, select the new OpenVPN client (listed as ovpncN with the description you gave it) under Available network ports and click Add.
Click the OPT1 link to the left of your assigned interface and fill in the following information:
- Enable: check
- Description: Surfshark VPN
- MAC Address: leave blank
- MTU: leave blank
- MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press Save and Apply Changes.
Configuring DNS
This section assumes your DNS Resolver is already configured as in a previous post. The next steps are just the additional settings needed to include the VPN client in a working DNS Resolver instance.
Navigate to Services >> DNS Resolver >> General Settings and make sure that under Outgoing Network Interfaces you either select All or add your new VPN client interface to the selection. Do not remove any other interface from this list!
- Enable: must already be checked
- Outgoing Network Interfaces: add Surfshark VPN to the interfaces already selected (the field is a multi-select)
- Register connected OpenVPN clients in the DNS Resolver: checked
Note that unbound picks any of the selected interfaces for its outgoing queries, so with this setting some of pfSense's own lookups leave through the tunnel and some through the WAN. If you need every resolver query inside the tunnel, select only the VPN interface, at the cost of losing DNS whenever the tunnel is down.
Click Save and Apply Changes.
Configuring NAT
Navigate to Firewall >> NAT >> Outbound and select Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below). Press Save and Apply Changes. Now we can create our rules for the new VPN client by clicking on Add (down arrow):
- Edit Advanced Outbound NAT Entry
- Interface: SurfsharkVPN or whatever you called it
- Source: your LAN network (e.g. 10.0.0.0/24)
- Misc
- Description: A nice name, such as NAT outbound for Surfshark US Seattle
Press Save and Apply changes.
Now click on Add (down arrow) again to create one more rule for ISAKMP (IPsec) traffic, mirroring the static-port rule pfSense generates automatically for the WAN:
- Edit Advanced Outbound NAT Entry
- Interface: Surfshark VPN or whatever you called it
- Protocol: UDP (ISAKMP runs on UDP port 500)
- Source: same LAN network from previous rule (e.g. 10.0.0.0/24)
- Destination >> Port or Range: 500
- Translation
- Port or Range >> Static Port: checked
- Misc
- Description: A nice name, such as Manually created for ISAKMP – Surfshark US Seattle
Press Save and Apply changes.
Note that if you have multiple LANs, like me, you will need to repeat this process for each one.
Configuring Firewall
Navigate to Firewall >> Rules and click on the tab of the interface you created in the previous steps. Next, click on Add to create a new firewall rule that allows any traffic to go through:
- Action: Pass
- Address Family: IPv4 (I am not using IPv6 on my homelab yet)
- Protocol: Any
- Source: Any
- Destination: Any
Press Save and Apply changes.
Be aware of what this rule governs. Rules on the VPN interface filter packets arriving from the provider side of the tunnel; your LAN traffic leaving through the tunnel is permitted by the LAN rules, and its replies by the state table. So this pass-any rule is not required for the policy routing below, and it admits anything that reaches your tunnel address from Surfshark's network, including connections to services listening on pfSense itself. If you do not need inbound connections over the VPN, leave this tab empty or restrict the rule to the specific destinations and ports you need.
You can repeat the steps above for different Server locations from Surfshark.
Now that everything is done, let’s test it. Navigate to Diagnostics >> ping:
- Hostname: google.com
- IP Protocol: IPv4
- Source Address: Select the VPN Client interface
- Maximum number of pings: 3
Click Ping and check the results. The output should look like this:
PING google.com (216.58.217.46): 56 data bytes
64 bytes from 216.58.217.46: icmp_seq=0 ttl=120 time=1.978ms
64 bytes from 216.58.217.46: icmp_seq=1 ttl=120 time=2.670ms
64 bytes from 216.58.217.46: icmp_seq=2 ttl=120 time=1.940ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.940/2.196/2.670/0.336 ms
Passing traffic through the VPN
At this point your VPN connection is up and running, but pfSense is not yet sending any traffic through it. There are a couple of options for how to start using the VPN. In this post I will cover how to:
- Configure the VPN connection as the default gateway, so all traffic from your home goes through it
- Configure the VPN connection for specific IPs, so that only those go through the new VPN client connection
Option 1: Using VPN connection as your default gateway
Navigate to Firewall >> Rules >> LAN and edit the default IPv4 rule, that is, the rule that allows all traffic on your network. Its description will probably be something like Default allow LAN to any rule.
Scroll down to the bottom and press Display Advanced under Extra Options. Change Gateway to Surfshark VPN and click Save followed by Apply Changes.
One caveat: by default pfSense loads a rule whose gateway is down without the gateway, so if the tunnel drops, LAN traffic silently falls back to the WAN. The kill switch section below closes that gap; alternatively, System >> Advanced >> Miscellaneous has a Skip rules when gateway is down option that omits the rule entirely instead.
Option 2: Configuring specific IPs to use the VPN
Static DHCP Mapping on LAN
In order to use this approach, you need to reserve an IP for the device(s) you want to route through the VPN. Navigate to Services >> DHCP Server >> LAN, scroll down to DHCP Static Mappings for this Interface, click on Add and fill in the following:
- MAC Address: xx:xx:xx:xx:xx:xx
- You can find this at Status >> DHCP Leases page
- Client identifier: The name that will show up in the DHCP lease page
- You can use the hostname
- IP Address: The static IP to use (e.g. 10.0.0.5)
- Hostname: The device host name
- Description: A friendly description to identify the device
Click Save and Apply changes. Next, disconnect and reconnect the network cable of this device (or renew its lease) so that it takes the new IP. Repeat these steps for each device you want to put under the VPN.
Now that your devices have a static IP, navigate to Firewall >> Aliases >> IP and click on Add and do as follows:
- Properties
- Name: VPNCLIENT_USA_DEVICES
- Description: Devices which are required to go through a USA OpenVPN client connection
- Type: Host(s)
- Host(s)
- IP or FQDN: <IP you want to put under the VPN> (e.g. 10.0.0.5)
- The hostname or description to help identifying the device
If you want to add more devices (hosts), click on Add Host and add the IP/FQDN + a description for each device.
When you are done, click on Save and Apply changes.
If you don’t have an alias called RFC1918 or Private_IPv4s created in previous posts, you will need to create it now: Firewall >> Aliases >> IP, Type Network(s), with the three private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Its purpose is to let firewall rules tell apart destinations on your own LANs from destinations on the Internet.
Lastly, we need to update the firewall rules so that clients are sent to the VPN based on the alias we just created. The current rule is probably something like “accept any connection coming from any device going to any destination and use the default gateway (your WAN connection) for it”. What we want is: if the source device belongs to the alias we created and the destination is not one of our own networks, use the VPN as gateway; otherwise, use the default gateway. This takes two rules and they must appear in this order, because pfSense applies the first interface rule that matches.
Go to Firewall >> Rules >> LAN and click on the copy icon of the default IPv4 rule, that is, the rule that allows all traffic on your network to go from * (any) to * (any). Its description will probably be something like Default allow LAN to any rule.
A new window will open with the same settings as the rule used as base, which you need to change the following:
- Source
- Invert match: unchecked
- Any: change it to Single host or alias
- Source address: VPNCLIENT_USA_DEVICES (this is the first alias name)
- Destination
- Invert match: checked
- Any: change it to Single host or alias
- Destination address: RFC1918 (this is the second alias name)
- Extra Options
- Description: Allow VPNCLIENT_USA_DEVICES to Internet rule through VPNClient_USA (assuming this is how you named your VPN interface)
- Click on Display Advanced.
- Advanced Options
- Gateway: Select the interface you assigned to your VPN client connection
Click on Save. You probably have to move (drag and drop) the new rule before the one you copied it from. The rule that redirects traffic to the VPN must come before the default rule. Click on Save and Apply changes.
Optional: Adding a kill switch rule
A kill switch is a mechanism that allows no traffic through your ISP when the encrypted VPN client connection drops. This matters in scenarios where it is preferable to lose connectivity than to risk exposing data outside the tunnel.
In either Option 1 or Option 2 above, edit the LAN rule whose gateway you pointed at the VPN (Firewall >> Rules >> LAN: the default rule in Option 1, the alias rule in Option 2), scroll to Advanced Options and set the Tag field to vpntraffic. Click on Save and Apply changes.
From now on, every flow that matches that rule (all LAN traffic in Option 1, only the alias devices’ Internet traffic in Option 2) carries the vpntraffic tag. The tag marks traffic that must only leave through the VPN, so the next step can block it if it ever tries to leave through the WAN.
Go to Firewall >> Rules >> Floating and click in Add (up arrow) to create a new rule that will be applied before all others related to your WAN connection:
- Edit Firewall Rule
- Action: Block
- Disabled: unchecked
- Quick: checked
- Interface: WAN
- Direction: Any
- Address Family: IPv4
- Protocol: Any
- Source
- Invert match: unchecked
- Any
- Destination
- Invert match: unchecked
- Any
- Extra Options
- Description: Kill switch for OpenVPN client traffic
- Click on Display Advanced.
- Advanced Options
- Tagged: vpntraffic
Click on Save and Apply changes.
Note that we tagged the traffic with the vpntraffic label on the LAN interface and block it with a floating rule before it can reach the WAN. Quick is what makes the block win over the later WAN rules. You can confirm the loaded rules from Diagnostics >> Command Prompt with pfctl -sr | grep vpntraffic, which should show both the tag and the tagged rule.
As a test you can stop the VPN client at Status >> OpenVPN and check the connectivity of a tagged device. It should be offline until you start the VPN again.
Two limits of this kill switch: it only covers IPv4, so if your ISP and LAN have IPv6, traffic from those devices can still leave over IPv6 unless you add the equivalent IPv6 rules or disable IPv6 for them; and it does not cover pfSense’s own traffic, such as resolver queries, which is governed by the DNS settings above rather than by LAN rules.
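To see how the Option 2 rules and the kill switch interact, here is an offline model of the evaluation pfSense performs, written for this page as an added example (it is not the post’s or pfSense’s own code). It reproduces first-match semantics for the LAN rules, the inverted RFC1918 destination, the tag and the floating quick block on WAN, and it shows the two failure modes discussed above: the rules in the wrong order, and the tunnel being down. The alias contents, the host addresses and the gateway name SURFSHARKVPN_VPNV4 are assumptions.

```python
"""Offline model of the Option 2 LAN rules plus the floating kill-switch rule.

Added example, not part of the original post: it mimics pfSense's first-match
evaluation of interface rules so rule order, the inverted RFC1918 destination
and the VPN-down case can be checked without touching the firewall.
Alias contents, addresses and the gateway name are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases as created in the post; the member lists are constructed for the example.
ALIASES = {
    "VPNCLIENT_USA_DEVICES": ["10.0.0.5", "10.0.0.6"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Name pfSense gives the OpenVPN client gateway (assumed for the example).
VPN_GW = "SURFSHARKVPN_VPNV4"


def in_alias(addr: str, alias: str) -> bool:
    """True if addr is covered by any host or network entry of the alias."""
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in ALIASES[alias])


@dataclass
class Rule:
    description: str
    src: Optional[str] = None      # alias name, None = any
    dst: Optional[str] = None      # alias name, None = any
    dst_invert: bool = False       # "Invert match" on the destination
    gateway: Optional[str] = None  # None = system routing table (WAN for Internet)
    tag: Optional[str] = None      # Advanced Options > Tag


def matches(rule: Rule, src: str, dst: str) -> bool:
    if rule.src is not None and not in_alias(src, rule.src):
        return False
    if rule.dst is not None and in_alias(dst, rule.dst) == rule.dst_invert:
        return False  # invert flips the destination test
    return True


# The LAN rule set in the order the post says it must appear.
LAN_RULES = [
    Rule("Allow VPNCLIENT_USA_DEVICES to Internet rule through VPN",
         src="VPNCLIENT_USA_DEVICES", dst="RFC1918", dst_invert=True,
         gateway=VPN_GW, tag="vpntraffic"),
    Rule("Default allow LAN to any rule"),
]


def route(src: str, dst: str, rules=LAN_RULES, vpn_up: bool = True):
    """Return (gateway, tag, blocked) for a new flow from a LAN host.

    The first matching interface rule wins. With pfSense's default setting a
    rule whose gateway is down is loaded without the gateway, so the flow
    follows the system routing table but keeps the rule's tag. The floating
    quick block on WAN then drops anything tagged vpntraffic leaving via WAN.
    """
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        gateway = rule.gateway if (rule.gateway is None or vpn_up) else None
        leaves_via_wan = gateway is None and not in_alias(dst, "RFC1918")
        blocked = leaves_via_wan and rule.tag == "vpntraffic"
        return gateway, rule.tag, blocked
    return None, None, True  # no rule matched: implicit default deny


def leaks(rules=LAN_RULES, vpn_up: bool = True, probe: str = "1.1.1.1"):
    """Devices in the VPN alias whose Internet traffic would leave via WAN unblocked."""
    out = []
    for host in ALIASES["VPNCLIENT_USA_DEVICES"]:
        gateway, _tag, blocked = route(host, probe, rules, vpn_up)
        if gateway is None and not blocked:
            out.append(host)
    return out


if __name__ == "__main__":
    print("correct order, VPN up  :", route("10.0.0.5", "1.1.1.1"))
    print("inter-VLAN stays local :", route("10.0.0.5", "10.0.1.20"))
    print("other device, ISP path :", route("10.0.0.50", "1.1.1.1"))
    print("VPN down, kill switch  :", route("10.0.0.5", "1.1.1.1", vpn_up=False))
    print("rules reversed -> leaks:", leaks(list(reversed(LAN_RULES))))
```

Run it directly to print the scenarios; leaks() is the check worth keeping. It lists every device in the VPN alias whose Internet traffic would leave the WAN unblocked, which is exactly the condition the rule order and the kill switch are meant to make impossible, and it comes back non-empty the moment the alias rule sits below the default rule.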
Optional: Using Surfshark’s DNS servers
As an additional step, you can use Surfshark’s DNS servers for pfSense itself. Go to System >> General Setup >> DNS Server Settings and fill in:
- DNS Server 1: 162.252.172.57
- DNS Hostname: empty
- Gateway: empty
- DNS Server 2: 149.154.159.92
- DNS Hostname: empty
- Gateway: empty
Click Save and you are good to go. Keep in mind that these servers are only used for pfSense’s own lookups and, if Forwarding Mode is enabled on the DNS Resolver, by the resolver on behalf of your clients; with forwarding off, unbound resolves directly from the root servers through the outgoing interfaces configured earlier. Test for leaks by visiting http://dnsleaktest.com and have fun!
PS: If DNSSEC support is enabled in your DNS Resolver configuration, you may get a false DNS leak report. You can disable DNSSEC support, run the test and re-enable it later.
Hi, thanks for the tutorial.
Can you explain how I can set up pfSense and Surfshark so that only one PC in my network uses the Surfshark gateway and all others use my standard gateway?
Noob here.
Many thanks
Hey, sure I can help! I’ve just updated the post to include this scenario as “option 2”. Let me know how it goes.
Soon?
It is there already. Clean your browser history and try reloading the page
How about the DNS section. I want the normal network to use my ISP DNS servers and VPN clients use SurfShark DNS servers.
Many thanks for your patience,
Updated it again!
Sorry for spamming you with questions.
I have followed your option 2, but I keep getting a DNS leak. I can see that the PC gets my VPN IP, but it will not use the DNS servers that I have added:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4
i can send you some screenshots if it helps??
Yup, I can confirm this is happening here. To really hide your DNS requests, you have to apply Surfshark (or even OpenDNS servers) to all your network (selecting None as gateway).
I will try to find out more details from Netgate. There is something wrong with this DNS gateway thing.
Thx Bro,
In the meantime I am going to save my pfSense setup and reinstall it with your guides.
Many thanks
Any news from Netgate?
It turns out the Gateway field on the DNS configuration page is not used for this kind of scenario. Currently, DNS servers are a global configuration, so you have to either put pfSense behind the VPN or not. I am adopting Cloudflare for my setup.
Hey, thanks so much for this. I tried following the Surfshark guide but it seemed so outdated. Glad to have found this. I’m still trying to wrap my head around the DNS configs and use cases for RFC and why exactly it needs to be set up that way, but I’m glad I got it working. Before, I had just been setting the gateway for the rules I wanted passed but couldn’t figure out why it wasn’t working.
Hey Michael, which part of the DNS config did you get confused? I can try to rewrite and clarify!
The RFC1918 alias is created so that we can easily create firewall rules that separate traffic from private LANs (defined in RFC 1918) from traffic coming from the Internet. In this tutorial, we created a rule that allows traffic coming from the specific PCs (alias VPNCLIENT_USA_DEVICES) towards the Internet (which is the inverted match of RFC1918). You could get away with “any” in the destination too, but I always try to be as restrictive as possible with what the firewall allows.
Thank you so much for this great tutorial. I use option 2 with my OPNsense and it works like a charm. I tried to use a second VPN client with another Surfshark host address for a different PC. But two Surfshark VPN client instances at the same time seem not to work. I guess the reason is that both clients use the same WAN IP and come up in the same virtual network area (e.g. 10.8.8.0/24).
Greetings
Simon
Actually I do use several simultaneous OpenVPN client connections on my pfSense and they all work. There is a catch, though. When your Surfshark connections succeed, check their “Virtual Address”. If they happen to be assigned the same address, one of them will not work. A workaround is to restart one of the connections until different virtual addresses are assigned to all of your Surfshark connections.
Hi guys,
I have tried to follow this guide and my VPN is working fine and the kill switch also works. Only I still have a DNS leak when I am connected through my Surfshark VPN. Does someone have a solution for this?
How did you diagnose the DNS leak? Have you checked https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/, specifically the section “Verify everything works”? It describes a possible false positive when DNSSEC is enabled.