PIA using pfSense WireGuard Package

Bjur

@ctuchik Thanks for the answer.
I'm not sure I follow.
When you set you default gateway, it's normally just an IP address like 192.168.1.1. What do you mean setting it via DHCP?

You would make sure that the traffic out to the Internet from the WG box is directly out, if it's got to go via pfSense itself.

So in Esxi I should dedicate a WAN interface to DietPi and still have the WAN interface also on PfSense?

ctuchik

@Bjur So, I think maybe we misunderstand each other?

Are you asking me how you set the default gateway for hosts on your LAN?
Because if you are, that's typically allocated by the DHCP server (Services > DHCP Server > Other DHCP Options > Gateway)

If you mean pfsense' gateway, I'm not sure exactly of your unique setup?
What most people do to route traffic to the right place is make a PASS firewall rule for traffic from a particular place (like the IP of the dietpi box maybe) and under advanced options, specify the gateway you want the traffic to take:

For what it's worth, I just gave up bothering with PIA - I've moved to mullvad because they have an excellent self-written guide on setting up wireguard with pfsense.
It's reasonably fast too, compared to openvpn - I'm getting about 5-10x the speed, which still isn't near my uplink max, but far superior still.

The Party of Hell No

https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

https://www.reddit.com/r/PFSENSE/comments/lmv1cp/how_to_setup_wireguard_on_pfsense_252102_with/

https://www.youtube.com/watch?v=CXFbEbzFEXw

https://www.paolotagliaferri.com/create-wireguard-vpn-tunnel-with-pfsense-2-5-0/

https://coygeek.com/docs/pfsense-wireguard/ - 404

These are the links I found most helpful.

This is what my setup looks using wireguard
https://forum.netgate.com/topic/181299/surfshark-guide-for-pfsense-wireguard/29?_=1730824716743

Bjur

@chuchik: What I mean is how do I get all my clients on the network (laptops, tablets, TVs to use the DietPi VM?
How do I get the traffic routed through PfSense to DietPi to Internet?
In Esxi I have 3 network adapters usable (1 LAN, 1 WAN, 1 vm). On my motherboard I have 2 physical network ports.

In VM for PFSense I have (1 WAN, 1 LAN) so the ISP bridged modem goes directly to PFSense.

In VM for DietPi which Network adapters should I configure? If I select (1 WAN, 1 LAN) wouldn't that create a IP public mismatch?

What should I select in PFSense to pass it through to DietPi?
As of now I have PIA configured as a client in PfSense where it is used for alias IP addresses.
This is what I have for my firewall rules LAN:

Ideally I would like to have WG configured in PFSense, but as you wrote earlier that's not easy to have.

In regards to PIA I've signed up for some years, so I would not be ideal to switch unfortunately. It would be nice if they upped their game and made an guide to follow for PFSense.

@The-Party-of-Hell-No Thanks for the links. I've also seen Wireguard to Pfsense guides, but to get PIA to work without interruptions, that's not easy.

The Party of Hell No

@Bjur
hello, are you still struggling with this?

Not sure what DietPi VM and DietPI are? Are these the clients created to go out to your PIA VPN service?

ctuchik

@Bjur I didn't use the dietpi method so I'm not certain, I can can pick parts of your questions to try and answer but networking isn't my speciality really!

Man there's a lot of ground to cover in just a loose plan like this. Is ESXi behind another router?

Here's how I once did it with fake IPs and hostnames.

Randomserver1 = 172.16.0.10/24, Gateway 172.16.0.1
Randomserver2 = 172.16.0.20/24, Gateway 172.16.0.100
DietPi (VPN Client) = 172.16.0.100/24, Gateway 172.16.0.1
Router = 172.16.0.1/24, Gateway PUBLICIP

In this basic example, Randomserver2 gets VPN and Randomserver1 doesn't.

The trick is to configure DietPi to accept traffic on its LAN interface, I have a loose note saved like this:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The alternative here is that you have pfsense do the routing instead, that seems to be what you're trying to do, and what other are suggesting.
The above suggestion though is a router on a stick...
Maybe this helps, IDK.

ctuchik

The above isn't persistent sorry, I'm working on a phone right now, to make it persistent:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
iptables-save | tee /etc/iptables/rules.v4

Bjur

@The-Party-of-Hell-No Yes, I am. Would be nice if there was an easy to follow guide with PIA WG + PFSense that worked persistantly.

@ctuchik Thanks for taking the time for the write up.
My ESXi has PFSense configured and the WAN port goes through an ISP router, but it's bridged so it just passed through traffic.
So the RandomServers are IP created networks on PFSense?
In ESXi where you configure networks adapters. In DietPi does it only have one network card or two?

ctuchik

So the RandomServers are IP created networks on PFSense?

Yeah, like a DHCP range if you like.

In ESXi where you configure networks adapters. In DietPi does it only have one network card or two?

With router on a stick, you can make dietpi just have one interface, on LAN.
As far as your LAN design goes, it's unchanged. You don't need to give dietpi a WAN interface because pfsense won't be hosting the VPN.

Maybe this diagram will help display the flow of traffic.
Again, I'm not doing it this way now, it's something I once did...and, I don't know if it's 'poor network design'. It's a workaround for PIA being shit:

Bjur

Thanks for the nice drawing. I will try again and see if it will work.