Tutorial: Configuring pfSense as VPN client to Private Internet Access

tucansam · Oct 25, 2014, 9:53 PM

Firstly, thank you for the amazing step-by-step tutorial. I literally had it completed in 10 minutes.

A few questions.

First, I have been playing with different servers provided by PIA, from Texas to California to Canada. Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up. I know the VPN will slow things down a bit, but I was not expecting this level of speed loss. Is this normal? My pfsense box is a dual core Atom (with hyperthreading) and this far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to be configuring the VPN). Just curious if I should just keep testing servers to find one with better speed?

On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none. I am presently downloading a file – WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface. Is this an indication that the VPN is being bypassed?

Using various ip lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server). So why is there no traffic bring generated on the PIA VPN interface? As far as I can tell it is working.

Thanks again for the great tutorial.

ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen. Rebooting pfsense worked (I tried everything else I could think of) -- wonder how long it will be up and if this will happen again? I am using OpenDNS servers.

duntuk · Oct 27, 2014, 3:38 AM

About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.

duntuk · Oct 27, 2014, 6:40 AM

It's kind of early to say anything for sure–this is the longest I've went this week without being disconnected (30minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...

But anyway...

Under OpenVPN 'advanced configuration' (in pfsense), I added the following:

keepalive 5 30;

So now my 'advanced configuration' looks like this:

auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

Note: I added this today:

route-nopull;

Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.

What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked. So in turn 'keepalive 5 30;' does something to mitigate that...

tucansam · Nov 4, 2014, 12:11 AM

A lot of pages are loading slowly (to be expected I suppose). Other pages are denying me access with messages that my IP has been flagged for spam. Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).

All since I enabled the PIA vpn…..

peehoo · Nov 18, 2014, 9:00 PM

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Derelict · Nov 18, 2014, 11:38 PM

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy. It's the opposite of this:

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

phil.davis · Nov 19, 2014, 2:11 AM

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.

wreththe · Dec 1, 2014, 11:25 PM

Thanks so much for this tutorial. Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which goes through the PIAVPN.

Is that possible?

Derelict · Dec 2, 2014, 12:18 AM

Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.

GaMcL · Dec 2, 2014, 5:03 AM

Good tutorial, Thanks. However I am having a problem at an early stage.

When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a "No Certificates Defined" and can't create the client. Trying to create a certificate under the certificate manager>certificates doesn't work because I don't have the private key that is needed.

What am I missing.

![certificate authority manager.JPG](/public/imported_attachments/1/certificate authority manager.JPG)
![certificate authority manager.JPG_thumb](/public/imported_attachments/1/certificate authority manager.JPG_thumb)
![No Certificates Defined.JPG](/public/imported_attachments/1/No Certificates Defined.JPG)
![No Certificates Defined.JPG_thumb](/public/imported_attachments/1/No Certificates Defined.JPG_thumb)

Derelict · Dec 2, 2014, 5:52 AM

It looks like PIA doesn't verify client certificates at all so any certificate will do. The walkthrough just uses the default webconfigurator certificate out of pfSense.

You don't have any certs at all listed in System->Cert manager->Certificates ??

GaMcL · Dec 2, 2014, 1:25 PM

No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?

Derelict · Dec 2, 2014, 4:16 PM

Yes. When you installed a cert for the webConfigurator was created. Looks like you deleted it.

I have no idea how to tell pfSense to recreate that cert. Anyone?

If it's non-trivial you'll need to create an internal CA then create an internal cert using that.

phil.davis · Dec 2, 2014, 5:04 PM

Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow and CA and Certificate all in one (exposing my lack of knowledge of this stuff!).

GaMcL · Dec 2, 2014, 5:22 PM

Thanks for the replies. It's odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I'm pretty careful with such things due to lack of understanding and not wanting to break things. I haven't had to deal with certificates before and I don't remember ever working with the cert manager before.

Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won't get back to the VPN installation until later.

One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or change anything in the process?

Thanks very much for your help. I'll get back when I hit the next snag :)

Derelict · Dec 2, 2014, 6:09 PM

Shouldn't. Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.

@phil.davis yeah, I don't see a way in the interface to create a cert like that. There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.

peehoo · Dec 11, 2014, 12:52 PM

@Derelict:

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy. It's the opposite of this:

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

Hi!

I think I managed this ::)

Basicly I needed only one internal IP-address go to the PIAVPN so I created two firewall rules.

One which is telling that 192.168.1.60 goes to PIAVPN and one which is reverse for that -> all the other LAN addressess are going to WAN-interface. Is this kind of configuration any sense?

Now my pc is showing me my ISP address and XBMC is showing PIA address.

Ok, I changed that single host to the aliases list because it might be possible every now and then and some other pc:s to use PIAVPN also.

One thing came to my mind… What comes to the security and hidden my network traffic - is there any kind of problem to use same PIA server every day? Manually when using pc-client I've changed it different countries every now and then... Ok, it is manually also possible with pfsense but is it any benefit to change it and if yes -> could it be possible to automaticly use several PIA servers different days?

And at the end couple of stupid questions:

At this point it seems that PIAVPN is working (THX for a great tutorial)
Dashboard is showing in interfaces PIAVPN address BUT
for reason I do not know OpenVPN status shos that PIA client instance status is down??

Should I be worried?

Screencaps below:

Dec 11 13:06:42	openvpn[68212]: Exiting due to fatal error
Dec 11 13:06:42	openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Dec 11 13:06:42	openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 11 13:06:42	openvpn[68212]: ROUTE_GATEWAY xx.x.x.1

Could this be a reason why I still have DNS Leak? How I manually (and to where) I configure PIA DNS-servers?

Also one minor thing… How I can configure to those piavpn hosts traffic limiter especially upload limiter. I tried to do this with http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/ this instructions but did not succeed.

achaian · Dec 22, 2014, 10:52 PM

I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.

Again, thank you!!

flowrider · Dec 26, 2014, 9:44 AM

Hi,
I've just registered here but have been lurking for quite a while.

Thanks for the guide it was much easier than a lot of other guides out there and it's appreciated greatly.

I have a question about DNSleak protection. With this default configuration when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I got to get this far!!

Anyhow if anyone has a tutorial for this it would be great.

Thanks
Steve

wbennett77 · Dec 27, 2014, 4:06 PM

Hey Steve,

The ONLY way I have found to prevent leaks is to use PIA's DNS servers. If anyone has found another way I would really like to hear about it as well.