I set up a dedicated VPN VLAN on my home network this weekend with the latest version of pfSense (ver. 2.4.4 as of July 2019) for IoT and Firestick types of devices. I ran into some hiccups with older guides because a few of the settings and menu options have changed, so I’m putting together my notes here for my own reference and anyone else struggling with more recent pfSense releases and VPN/VLAN configuration.
The following assumes you have pfSense up and running with an operational WAN connection and you have a valid VPN account with PrivateInternetAccess.com (referred to as PIA throughout).
Set Up Your VLAN
Go to Interface > Assignments
Click VLANs, then click +Add
Choose a VLAN tag number and add a description.
In my case, I structure my VLAN tags in multiples of 10 and assign them subnets in multiples of 10. For example, VLAN 20 is on the subnet 10.0.20.0/24.
Next up is getting the VLAN assigned to an interface. In my case, I have a single WAN port and five available OPT ports to assign on my modded WatchGuard XTM appliance, and I send all my VLANs down em1.
Back at Interface > Assignments
At the bottom, where it says “Available network ports”, open the drop-down, select the VLAN 20 that we configured for the VPN, and assign it an interface.
Now that the interface is created, click on it from the list.
Check Enable interface
IPv4 Configuration Type should be set to Static IPv4
Now, in the Static IPv4 Configuration, set the IPv4 Address for the interface to 10.0.20.1 or whatever subnet you want to use.
Now, go to Services > DHCP Server and select VLAN 20 (or your named VPN VLAN). Enable DHCP and set the range you want it to hand out to devices on the VLAN.
There’s no connection yet from VLAN 20 to the Internet because we haven’t set a Firewall rule yet. Instead of setting up a WAN rule though, we’ll set the rule up to pass all traffic through the VPN.
Setting Up the VPN
First thing we need to do is get the Certificate Authority from PIA for the AES-128-GCM encryption cipher we’ll be using.
We’re going to use the corresponding ca.rsa.2048.crt certificate. If that download link doesn’t work, you can always find the latest setup files on PIA’s Client Support page under Advanced Router Setup as well as this Knowledgebase page. We’re using the default UDP connection over port 1198 with AES-128-CBC+SHA1.
Now that we’ve got the certificate, open it with a basic text editor and copy the entire contents of the file using Ctrl+A then Ctrl+C (Cmd+A then Cmd+C on Mac).
Back in pfSense, go to System > Cert. Manager and under CAs, click Add. Make sure the Method field is Import an existing Certificate Authority (it should be the default).
Add a description (like PIA-Cert or PIA-2048) and then paste the contents of the ca.rsa.2048.crt file into Certificate Data field. Then click Save at the bottom.
Next, go to VPNs > OpenVPN and then select the Clients tab since we are setting up our connection as a client of PIA’s VPN server. Click Add.
Here are the settings to enter on the client configuration page:
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only
Device mode: tun – Layer 3 Tunnel Mode
Server host or address: us-atlanta.privateinternetaccess.com
- Choose your own optimal server! Go to PIA’s network page to find the right server host for your connection. On this page, you can run network ping and speed tests to find your optimal server.
Server port: 1198
Description: PIA VPN (or whatever name you want to give it)
Next, in the User Authentication Settings section, you need to put your username and password that you got via email from PIA when you signed up. You should have this in an email as it is inaccessible from your account page. If you forgot your password, you’ll need to reset it so you can complete this section.
Moving on to the Cryptographic Setting section, select the certificate you created earlier (e.g., PIA-2048) in the Peer Certificate Authority dropdown.
Encryption Algorithm: AES-128-GCM
NCP Algorithms: AES-256-GCM; AES-128-GCM
Auth digest algorithm: SHA1
In Tunnel Settings, we want Topology set to Subnet — One IP address per client in a common subnet. Additionally, we want Compression set to Adaptive LZO Compression.
In the Advanced Configuration section, add the following lines to the Custom options field:
Continuing down the Advanced Configuration fields, set the following:
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: Default
Now, we have added our VPN client, so click Save.
Add a VPN Interface to pfSense
Now, let’s add an interface for our newly-created VPN client.
Go to Interfaces > Assignments.
Select the VPN from the Available network ports: dropdown menu and click Add.
Check Enable Interface and give it a descriptive name. Click Save.
Outbound NAT Rules
Navigate to Firewall > NAT > Outbound and set the Outbound NAT Mode to Hybrid. This gives us the flexibility of using defined manual rules for a specific VLAN, while letting automatic NAT rules generate for the rest of our network’s traffic.
Hybrid Outbound NAT: Utilizes manual rules while also using automatic rules for traffic not matched by manually entered rules. This mode is the most flexible and easy to use for administrators who need a little extra control but do not want to manage the entire list manually. – Netgate documentation
Under the Mappings section, click the Add button with the up arrow so the new rule goes to the top of the list of Outbound NAT rules.
Under Interface, select the VPN interface we created above (e.g., PIA_VPN) from the dropdown menu and then add the Source Network (e.g., 10.0.20.0/24). Now, click Save.
PIA VPN DNS Settings
We also want PIA handling all our DNS for VPN traffic, so go to System > General Setup. Under DNS Server Settings, set DNS Servers to:
Be sure to select the configured PIA VPN from the Gateway dropdown options.
VLAN Firewall Rule Setup
Now, it’s time to set up the firewall rule that will route all of our VLAN traffic over the PIA VPN interface.
Navigate to Firewall > Rules and select the tab for your VLAN that you want to put on the VPN. Click the Add button.
Interface: VL20_VPN (or whatever your VLAN interface is)
Source: VL20_VPN net (or whatever your VLAN network is – note, you can limit this to a specific address but we’re doing the entire vlan, which is why our source says ‘net’ instead of ‘address’)
Now, scroll down to Advanced Options and select the PIA VPN we set up from the Gateway dropdown menu and click Save.
This should have your VPN up and running as your sole gateway for your VLAN.
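To check the finished setup against a configuration backup, here is an added example (not part of the original guide, and not pfSense's own tooling) that audits the three things the steps above depend on: the Hybrid NAT mode, the outbound NAT mapping for the VLAN subnet on the VPN interface, and the gateway on every pass rule of the VLAN. The element names are assumed to match a pfSense config.xml backup; the sample XML, the interface names opt1/opt2 and the gateway name PIA_VPN_VPNV4 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the audit reads. Element names
# are assumed to match a pfSense config.xml backup; opt1 = VL20_VPN and
# opt2 = PIA_VPN are hypothetical interface assignments.
SAMPLE = """<pfsense>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>opt2</interface>
      <source><network>10.0.20.0/24</network></source></rule>
  </outbound></nat>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1</network></source>
      <gateway>PIA_VPN_VPNV4</gateway></rule>
    <rule><type>pass</type><interface>opt1</interface>
      <source><address>10.0.20.50</address></source></rule>
  </filter>
</pfsense>"""

def audit(xml_text, vlan_if, vpn_if, vlan_net, vpn_gw):
    """Return a list of findings; an empty list means the VLAN is pinned to the VPN."""
    root = ET.fromstring(xml_text)
    findings = []
    # Manual outbound NAT mappings only apply in hybrid or fully manual mode.
    mode = root.findtext("nat/outbound/mode", default="automatic")
    if mode not in ("hybrid", "advanced"):
        findings.append(f"outbound NAT mode is {mode}; manual rules are ignored")
    # The VLAN subnet needs a mapping on the VPN interface.
    nat_ok = any(
        r.findtext("interface") == vpn_if
        and r.findtext("source/network") == vlan_net
        for r in root.findall("nat/outbound/rule"))
    if not nat_ok:
        findings.append(f"no outbound NAT rule for {vlan_net} on {vpn_if}")
    # Any enabled pass rule on the VLAN without the VPN gateway can leak to WAN.
    for i, r in enumerate(root.findall("filter/rule")):
        if r.findtext("interface") != vlan_if or r.findtext("type") != "pass":
            continue
        if r.find("disabled") is not None:
            continue
        gw = r.findtext("gateway")
        if gw != vpn_gw:
            findings.append(f"filter rule {i} passes {vlan_if} traffic via "
                            f"{gw or 'the default gateway'}, not {vpn_gw}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, "opt1", "opt2", "10.0.20.0/24", "PIA_VPN_VPNV4"):
        print("FINDING:", line)
```

On the constructed sample this reports the second filter rule, which passes one host without a gateway and would therefore follow the default route instead of the VPN. A rule that only allows traffic to the firewall itself (for example DNS) will also be listed and needs a manual look.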
Last Updated: April 28, 2021
Apple TV is a small box you connect to your TV that gives you access to several streaming platforms, including Apple’s original content. It bridges the gap between traditional TVs and Smart TVs. Using Surfshark on Apple TV gives you added security and privacy. It also permits access to country-specific content you otherwise don’t have access to, among other things. This article will dwell on the different ways you can set up and use Surfshark on Apple TV.
Setting Up Surfshark on Apple TV
Surfshark does not have a standalone application for Apple TV. There are three different ways you can set it up on your Apple TV.
1. You can set it up through Smart DNS. This method doesn’t offer complete protection for your Apple TV.
2. You can set it up through a PC. This method is easy and straightforward but requires connecting your Apple TV to your personal computer by setting up a Wi-Fi hotspot on your computer.
3. You can set it up via a router. This method is the most complex and requires configuring a router.
All these methods come with different complexity levels and range from easy to complex, depending on your technical knowledge. You don’t have to worry about any method’s complexity as this article guides you through every step of each method.
Setting Up a Connection Through Smart DNS
Smart DNS or Smart DNS proxy is a Surfshark feature that allows you to change the DNS servers of your local connection to Surfshark’s DNS servers. This allows you to take advantage of the location of those servers so you can access geo-restricted content. While this method will allow you access to platforms you could not previously access, it does not offer any form of security or privacy. Let’s take a look at the step-by-step process involved in using Smart DNS for Apple TV.
1. Get access to your Surfshark account. If you do not already have a Surfshark subscription, head over to its website and purchase a subscription plan.
2. On the “My Account” page, expand the VPN tab on the sidebar, and click “Smart DNS.”
3. At this point, ensure that you’re not connected to the VPN because Surfshark will detect your IP address to use it to activate Smart DNS. To turn on Smart DNS, click the “Activate Smart DNS” button at the end of the page.
4. Once activated, two Smart DNS IP addresses will be on your screen. Select one of them.
5. On your Apple TV, navigate to settings and select “Network.”
6. Select the tab of your internet connection (Wi-Fi or Ethernet), then click on the name of your network.
7. Navigate to “Configure DNS” and click it.
8. Since we need to configure it manually, choose “Manual” and not “Automatic.”
9. Now input any of the DNS addresses in step four above and click “Done” to complete the process.
10. Restart your Apple TV.
You can see that it’s not complex to set up Smart DNS. However, if you need security and are not just looking to bypass geo-restrictions, this method is not adequate.
Setting Up a Connection Through Your PC
You can set up Surfshark on your Apple TV via your personal computer in different ways. Still, the most popular one is by creating a virtual hotspot on your computer so you can share your internet connection with Apple TV. Let’s take a look at the processes involved in making your computer a virtual router on Windows 10.
1. On your system, go to your computer’s settings page and select “Network and Internet” on the menu.
2. Head over to “Mobile Hotspot” and select it to turn it on.
3. Then scroll down and select the “Change adapter options” under “Related settings.”
4. On your VPN connection, right-click it and select “Properties.”
5. A new window will pop up. At the top of that window, click on the “Sharing” tab.
6. Select the “Allow other network users to connect through this computer’s internet connection” box.
7. Click on the dropdown menu below, select the hotspot network you just created and click the “OK” button.
8. Now go to your Apple TV and connect to the Wi-Fi hotspot you just created.
That’s how simple it is to create a virtual hotspot on your Windows 10 computer. Now let’s take a look at how you can do the same on macOS computers.
1. Open System Preferences on your computer and select “Sharing.”
2. Choose the “Internet Sharing” option in the list to the left side of the window.
3. In the “Share your connection from” list, select your Surfshark VPN connection.
4. In the “To the computers using” list, select the “Wi-Fi” option. This is to create a Wi-Fi hotspot. It just means that anyone connecting to your Wi-Fi network will have access to the connection in step 3.
5. Now click the “Wi-Fi Options” button to configure your Wi-Fi hotspot.
6. The default settings are adequate, but you might want to change some settings like “Password” and “Network Name.” Always ensure you set the “Security” option to WPA2 Personal.
7. Click “OK” and select “Start” on the following pop-up window.
8. Now go to your Apple TV and connect to the Wi-Fi hotspot you just created.
The only limitation with this method is that you cannot connect to a Wi-Fi network and host one simultaneously. It is important to note that you need an active Surfshark VPN connection at the start of these processes (whether Windows 10 or macOS).
Setting Up a Connection Through Your Router
Setting up a Surfshark connection on your Apple TV through a router can be somewhat technical, but it offers complete protection. The first thing to consider before starting the configuration process is to ensure Surfshark supports your router. On this page, Surfshark has a list of routers it does not support.
The good news is that you can get pre-configured routers from FlashRouters. Pre-configured routers take away the technical process involved in setting up a router by yourself. However, if you cannot afford one, any router you get must support the OpenVPN Client before configuring Surfshark on it. Let’s take a look at configuring Surfshark on custom DD-WRT router firmware.
1. Get a Surfshark subscription and go to this page to get your service credentials. You will see your service credentials under the “Credentials” tab.
2. Under the “Files” tab, you will see a list of servers. Copy the hostname of the server you choose somewhere.
3. Access your router’s admin panel by inputting the IP address (usually 192.168.1.1) in a browser and entering the username and password (usually admin).
4. Select the “Setup” tab and navigate to “Network Address Server Settings (DHCP),” and input the following:
Static DNS 1: 22.214.171.124
Static DNS 2: 126.96.36.199
Static DNS 3: 0.0.0.0 (default)
Use DNSMasq for DHCP: ✔
Use DNSMasq for DNS: ✔
5. Next, select the “Services” tab. Under the “VPN” tab, enable “OpenVPN Client” and input the following:
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: None
Hash Algorithm: SHA-512
User Pass Authentication: Enable
Username: Your Surfshark service username
Password: Your Surfshark service password
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Disabled
6. In the “Additional Config” field, add the following:
7. Go to your Surfshark account to download the CA certificate and TLS auth key of the server you chose in step 2. Use a text editor to open the CA certificate file and copy the contents to the “CA Cert” field. Do the same for the TLS auth key and copy its contents to the “TLS Auth Key” field.
8. Click the “Save” and “Apply Settings” buttons to confirm the configurations.
9. Once you confirm the connection is active, you can connect your Apple TV to the router. You can confirm by going to the “Status” tab at the top of the screen, then selecting the “OpenVPN” tab.
Why Should You Use Surfshark for Apple TV?
Here are two reasons you should consider using Surfshark on your Apple TV:
1. Security and Privacy
Surfshark’s primary directive is to protect devices from the risks of external cyber threats. It does this by using military-grade encryption, DNS/IPv6, WebRTC leak protection, perfect forward secrecy, an automatic Kill Switch, MultiHop servers, CleanWeb (an ad and malware blocker), and secure protocols such as OpenVPN. Other additional features like Surfshark Alert and Surfshark Search help check if your private information is in leaked databases and maintain anonymity.
2. Access Geo-Restricted Content
While protection is crucial, the main goal of several VPN users is to access geo-restricted content. For example, depending on your region, you might not have access to certain Apple TV shows. Using Surfshark permits you to take a virtual trip to 65 different countries so you can access their Apple TV catalog.
Surfshark is an affordable VPN package with premium features. Whether you’re looking to protect your internet connection or access the Apple TV library of other regions, Surfshark is well equipped to serve you. We hope this article guides you in setting up Surfshark on your Apple TV.