Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
I as well want to route certain traffic around the VPN but my rules aren't working. It looks just like the above pictures.
+1
It is working for me now, but had not been working for nearly 48 hours. What got it working, I have no idea since I haven't done a thing to pfSense settings since I initially created a thread on the issue.
-
So I had a chance to test a few things, specifically what made it work and what didn't. Here are some screenshots of my interface rules. I've kept some of them in there, just disabled, in case for whatever reason things go south again.
The big takeaway was to specify the gateway that each rule should use for what gets tunneled through VPN, as well as what host ip/alias you want to use the non-VPN tunnel gateway from your ISP.
Hope this helps some others…
-
Hello,
Sorry for bumping this old thread up but it was a great tutorial. Followed every step and in 15 minutes all my devices are going through the VPN.
FYI, I have pfSense set up as a VM on ESXi.
However, I have 2 issues:
1. Even though internet works and a "what is my ip" shows I'm behind my VPN, the gateway shows offline in the dashboard. I have rebooted pfSense, stopped/started the OpenVPN service but it will always go to offline after being online for 15 seconds. Again: I still have internet access but if I open a shell on pfSense and try to ping the PIAVPN gateway, I get no response, hence the offline status… what's the issue here?
[EDIT] I "fixed" it by disabling monitoring on the gateway.
2. I'm having trouble wrapping my head around accessing a service on a device behind the VPN. Put simply, I have a Synology that I access with DS audio on my phone to listen to my tunes. Everything works fine when the VPN is not running, however when it is, I can't connect to my Synology.
I can see the packet arriving in the logs but it seems no response is ever sent out back even though I'm forcing the Synology to use the WAN gateway and not the VPN for outbound traffic.
Any clues?
-
Ok, allow me to answer my own question. Simply adding route-noexec to the openvpn client configuration (the part where you specify verb 5 etc.) fixed it. Only traffic that I specifically tell to use the vpn goes through the VPN, I am however perfectly able to access my audiostation, didn't even have to change anything in the port forwarding menu.
-
Love the tutorial and am almost there. I get stuck when I need to create the default firewall rule to route everything through the VPN.
I don't see the PIAVPN_VPN4 gateway. I tried to create it, though I didn't see that in the tutorial, but that didn't work either. I also notice that on the main page the PIAVPN interface never shows an IP address, but if I look under Status->OpenVPN it says it is connected and I see traffic in/out and ip addresses.
Any ideas what I missed? I'm running version 2.1.5-RELEASE
thanks,
david
EDIT:
I found my problem. Item #2 under "Create OpenVPN interface", It says ovpnc1() will be selected, but in my case it selected an unused ethernet over firewire port. When I finally noticed this and changed it to ovpnc(1) it worked!
-
Awesome tutorial! Thank you for taking the time to write it up :)
-
Firstly, thank you for the amazing step-by-step tutorial. I literally had it completed in 10 minutes.
A few questions.
First, I have been playing with different servers provided by PIA, from Texas to California to Canada. Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up. I know the VPN will slow things down a bit, but I was not expecting this level of speed loss. Is this normal? My pfSense box is a dual core Atom (with hyperthreading) and thus far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to my configuring the VPN). Just curious if I should just keep testing servers to find one with better speed?
On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none. I am presently downloading a file – WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface. Is this an indication that the VPN is being bypassed?
Using various IP lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server). So why is there no traffic being generated on the PIA VPN interface? As far as I can tell it is working.
Thanks again for the great tutorial.
ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen. Rebooting pfsense worked (I tried everything else I could think of) -- wonder how long it will be up and if this will happen again? I am using OpenDNS servers.
-
About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.
-
It's kind of early to say anything for sure; this is the longest I've gone this week without being disconnected (30 minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...
But anyway...
Under OpenVPN 'advanced configuration' (in pfsense), I added the following:
keepalive 5 30;
So now my 'advanced configuration' looks like this:
auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;
Note: I added this today:
route-nopull;
Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.
What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked. So in turn 'keepalive 5 30;' does something to mitigate that...
-
A lot of pages are loading slowly (to be expected I suppose). Other pages are denying me access with messages that my IP has been flagged for spam. Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).
All since I enabled the PIA vpn…..
-
Awesome tutorial… Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of the VPN...
That would be exactly what I needed!!
-
> Awesome tutorial… Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of the VPN...
> That would be exactly what I needed!!
That's easy. It's the opposite of this:
I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.
Like this:
-
> Awesome tutorial… Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of the VPN...
> That would be exactly what I needed!!
Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.
Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.
-
Thanks so much for this tutorial. Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.
My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?
I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which go through the PIAVPN.
Is that possible?
-
Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.
-
Good tutorial, thanks. However, I am having a problem at an early stage.
When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a "No Certificates Defined" and can't create the client. Trying to create a certificate under the certificate manager>certificates doesn't work because I don't have the private key that is needed.
What am I missing?
![certificate authority manager.JPG](/public/imported_attachments/1/certificate authority manager.JPG)
![No Certificates Defined.JPG](/public/imported_attachments/1/No Certificates Defined.JPG)
-
It looks like PIA doesn't verify client certificates at all so any certificate will do. The walkthrough just uses the default webconfigurator certificate out of pfSense.
You don't have any certs at all listed in System->Cert manager->Certificates?
-
No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?
-
Yes. When you installed, a cert for the webConfigurator was created. Looks like you deleted it.
I have no idea how to tell pfSense to recreate that cert. Anyone?
If it's non-trivial you'll need to create an internal CA then create an internal cert using that.
-
Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow a CA and Certificate all in one (exposing my lack of knowledge of this stuff!).
-
Thanks for the replies. It's odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I'm pretty careful with such things due to lack of understanding and not wanting to break things. I haven't had to deal with certificates before and I don't remember ever working with the cert manager before.
Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won't get back to the VPN installation until later.
One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or change anything in the process?
Thanks very much for your help. I'll get back when I hit the next snag :)
-
Shouldn't. Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.
@phil.davis yeah, I don't see a way in the interface to create a cert like that. There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.
-
> > Awesome tutorial… Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of the VPN...
> > That would be exactly what I needed!!
> That's easy. It's the opposite of this:
> I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.
> Like this:
Hi!
I think I managed this ::)
Basically I needed only one internal IP address to go to the PIAVPN so I created two firewall rules.
One which says that 192.168.1.60 goes to PIAVPN and one which is the reverse of that -> all the other LAN addresses go to the WAN interface. Does this kind of configuration make any sense?
Now my pc is showing me my ISP address and XBMC is showing PIA address.
Ok, I changed that single host to the aliases list because it might be possible every now and then for some other PCs to use PIAVPN also.
One thing came to my mind… When it comes to security and hiding my network traffic, is there any kind of problem with using the same PIA server every day? When using the PC client I've manually changed it to different countries every now and then... Ok, it is also possible manually with pfSense, but is there any benefit to changing it and if yes -> could it be possible to automatically use several PIA servers on different days?
And at the end couple of stupid questions:
- At this point it seems that PIAVPN is working (THX for a great tutorial)
- Dashboard is showing in interfaces PIAVPN address BUT
- for a reason I do not know, OpenVPN status shows that the PIA client instance status is down?
Should I be worried?
Screencaps below:
Dec 11 13:06:42 openvpn[68212]: Exiting due to fatal error
Dec 11 13:06:42 openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Dec 11 13:06:42 openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 11 13:06:42 openvpn[68212]: ROUTE_GATEWAY xx.x.x.1
Could this be a reason why I still have a DNS leak? How (and where) do I manually configure the PIA DNS servers?
Also one minor thing… How can I configure a traffic limiter, especially an upload limiter, for those PIAVPN hosts? I tried to do this with these instructions, http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/, but did not succeed.
-
I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.
Again, thank you!!
-
Hi,
I've just registered here but have been lurking for quite a while. Thanks for the guide, it was much easier than a lot of other guides out there and it's appreciated greatly.
I have a question about DNSleak protection. With this default configuration when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I got to get this far!!
Anyhow if anyone has a tutorial for this it would be great.
Thanks
Steve
-
Hey Steve,
The ONLY way I have found to prevent leaks is to use PIA's DNS servers. If anyone has found another way I would really like to hear about it as well.
-
Thanks wbennett77 I ended up using PIA's DNS servers as well and no leaks! It was quite easy which is nice for a change! I'm pretty happy to have found this guide as it's the most comprehensive and simple to use one on the net. I'm pairing it with a Netgear R7000 right now and it seems to be working well especially in the 5gHz range.
-
Has anyone figured out DNS settings yet? I stumbled across a topic https://forum.pfsense.org/index.php?topic=29944.0 Step 4, I cannot test this at the moment, I'm waiting for my new mobo. I talked to a PIA rep and he recommended manually configuring DNS and provided me with IPs 208.67.222.222 and 208.67.220.220. I should get my mobo tomorrow and will start playing with my new hardware and installing pfSense.
-
Those are OpenDNS servers.
Copyright enforcement bots are not going to have access to DNS server records. I think all you PIA, etc. users might be overthinking things a bit. Yes, I'm making a generalization that is probably wrong. :P
Just about anything is possible with pfSense. If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.
Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.
-
> Those are OpenDNS servers.
> Copyright enforcement bots are not going to have access to DNS server records. I think all you PIA, etc. users might be overthinking things a bit. Yes, I'm making a generalization that is probably wrong. :P
> Just about anything is possible with pfSense. If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.
> Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.
I'm lost :), want to show us step by step?
-
Post the rule that forwards your traffic to PIA.
-
> Post the rule that forwards your traffic to PIA.
I got my new mobo coming today, I'll set everything up and post it, thank you for the help.
EDIT
So I got my mobo, MSI Z87I AC (waiting on AR9380). Pretty much I followed this guide to the end and added OpenDNS IPs (I'm on 2.2-RC (amd64) built on Mon Dec 29 07:41:21 CST 2014 FreeBSD 10.1 RELEASE-p3) to System > General Setup DNS servers and I don't have any DNS leaks.
-
After testing a bit, I see issues when using DHCP (LAN) and the DNS Forwarder. Clients on the LAN are given the pfSense LAN IP as a DNS server and the DNS lookups done by the DNS Forwarder don't seem to be very sophisticated. My firewall rules route a couple machines over the VPN and everything else goes over the WAN:
However, I still see geo-optimized IPs when I do DNS lookups (ex: google.com). I changed my DNS a bit to see if I could figure out what was going on. I set two DNS servers:
Note that one is set to use the WAN gateway and the other is set to use the TGNEWYORK gateway (I'm using TorGuard, not PIA). After doing this, the behavior of one of my 'vpnclients' gives a good indication of what's happening.
When I do a DNS leak test I can see that both DNS servers are being used and the route depends on which DNS server is picked by the DNS Forwarder. I can tell this because it appears that TorGuard forces all DNS requests through OpenDNS, so half the servers found are Google, half are OpenDNS.
There are two things to be careful of in my opinion. 1) Make sure all vpnclients bypass the DNS Forwarder. 2) Make sure normal connections don't use the VPN for DNS lookups. I use a port forward rule to get the vpnclients to bypass the DNS Forwarder. Note the rule uses the LAN interface. Also note the firewall rule I have above to intentionally block all traffic from vpnclients to pfsense.
Another option would be to make sure the DHCP server passes non-local DNS to clients, but keeping the vpnclients and normal clients separated is a pain. To ensure normal connections don't use the VPN for DNS, I explicitly specify the WAN gateway for DNS and don't allow the settings to be overridden by DHCP.
From the testing I did, leaving a gateway of 'none' doesn't work. I still saw DNS lookups going over the VPN gateway. To me this is incorrect behavior since my default gateway is the WAN gateway (only tested on 2.1.4).
Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?
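The post above describes three interacting pieces: LAN policy rules, a DNS Forwarder whose upstream servers are each bound to a gateway, and a port forward that makes the VPN clients bypass the forwarder. The following is an added example, not the poster's configuration and not pfSense code: it models those pieces and counts, per client type, how many DNS queries leave through the wrong path. All addresses (RFC 5737 documentation ranges), the gateway names and the `vpnclients` subnet are constructed assumptions, and the forwarder's server selection is modelled as "first server always" for sequential mode and a per-query rotation otherwise.

```python
"""Added example (not pfSense code): where a LAN client's DNS query leaves
the firewall, given a DNS Forwarder with gateway-bound upstreams, LAN
policy rules and an optional port forward for VPN clients.
All addresses and gateway names are constructed placeholders."""
import ipaddress

PFSENSE_LAN = "10.0.1.1"
VPN_CLIENTS = ipaddress.ip_network("10.0.1.64/27")   # the 'vpnclients' alias (constructed)
VPN_GW, WAN_GW = "TGNEWYORK", "WAN"
PROVIDER_DNS = "198.51.100.53"                       # VPN provider's resolver (placeholder)
# DNS Forwarder upstream servers, each with the gateway it is bound to.
FORWARDER_SERVERS = [("203.0.113.8", WAN_GW), ("203.0.113.9", VPN_GW)]


def is_vpn_client(src: str) -> bool:
    return ipaddress.ip_address(src) in VPN_CLIENTS


def apply_port_forward(src, dst, dport, redirect_vpn_dns):
    """NAT runs before filtering: with the port forward enabled, DNS from a
    VPN client aimed at pfSense itself is rewritten to the provider's resolver."""
    if redirect_vpn_dns and is_vpn_client(src) and dst == PFSENSE_LAN and dport == 53:
        return PROVIDER_DNS
    return dst


def lan_policy_gateway(src):
    """LAN rules: vpnclients alias -> VPN gateway, everything else -> WAN."""
    return VPN_GW if is_vpn_client(src) else WAN_GW


def forwarder_gateway(qnum, sequential):
    """Modelled forwarder choice: sequential mode always asks the first server
    (failover is not modelled); otherwise servers are rotated per query."""
    idx = 0 if sequential else qnum % len(FORWARDER_SERVERS)
    return FORWARDER_SERVERS[idx][1]


def query_egress(src, qnum, *, redirect_vpn_dns, sequential):
    """Gateway a single DNS query from src leaves through."""
    dst = apply_port_forward(src, PFSENSE_LAN, 53, redirect_vpn_dns)
    if dst == PFSENSE_LAN:
        return forwarder_gateway(qnum, sequential)   # pfSense resolves on the client's behalf
    return lan_policy_gateway(src)                    # client reaches the resolver directly


def leaks(src, queries=10, **cfg):
    """Count queries that leave through the wrong path: VPN clients must use
    the VPN gateway, normal clients must not."""
    expected = VPN_GW if is_vpn_client(src) else WAN_GW
    return sum(1 for q in range(queries) if query_egress(src, q, **cfg) != expected)


if __name__ == "__main__":
    for src in ("10.0.1.70", "10.0.1.20"):
        for cfg in ({"redirect_vpn_dns": False, "sequential": False},
                    {"redirect_vpn_dns": True, "sequential": True}):
            print(src, cfg, "leaking queries:", leaks(src, **cfg))
```

With rotation and no port forward, half of a VPN client's queries go out the WAN-bound server; with the port forward, its queries never touch the forwarder and follow the LAN policy rule into the tunnel. For normal clients the only leak-free configuration in this model is the one the post arrives at: a WAN-bound server queried first, sequentially.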
-
Has anyone successfully gotten PIA to work with SHA256? Works flawlessly with SHA1. Also if you receive MTU or HMAC authentication errors, try another server. Some servers are acting really wonky right now.
Cheers!
-
Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.
Having TWO OpenVPN clients set up via PIA.
So the idea is this: based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.
Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.
Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.
I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to the PIA USA West, is there anything I could be missing?
-
Very good guide, but mine seems to restart if put under any stress like a download.
-
TerryD, did you upgrade to the latest pfSense 2.2 that was released yesterday?
As for my issue, upgrading to 2.2 totally fixed the issues
-
@ryan29:
> Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?
I did set it up like this, using no special rules:
Check in the DNS Forwarder: Query DNS servers sequentially
209.222.18.218 -> pia gateway
209.222.18.222 -> pia gateway
8.8.8.8 -> wan gateway
-
> Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.
> Having TWO OpenVPN clients set up via PIA.
> So the idea is this: based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.
> Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.
> Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.
> I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to the PIA USA West, is there anything I could be missing?
Once you have one VPN gateway there isn't anything different about setting up another one and selecting the gateway based on LAN IP.
However, there can be a situation where the VPN clients both have the same local interface IP (the 10.x.x.x IP address).
I don't know what caused it but restarting one VPN client did solve it for me.
-
Save yourself some headaches and set your IPs on subnet boundaries instead. That'll make your rules a lot easier.
Like instead of assigning hosts IP addresses from 192.168.0.21 through 192.168.0.40, assign them 192.168.0.33 through 192.168.0.62. You can then cover them in one rule with source IP 192.168.0.32/29 (255.255.255.248)
You could:
pass ip any source 192.168.0.32/29 dest any gateway PIA_USA_WEST # (hosts .33 through .62 - in this case you could actually use .32 and .63 too but I wouldn't)
pass ip any source 192.168.0.64/29 dest any gateway PIA_CANADA # (hosts .65 through .94)
pass ip any source LAN network dest any gateway default # everything else.
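Several answers in this thread rely on the same mechanism: LAN rules are evaluated top-down, the first match wins, and the matching rule's gateway decides where the traffic leaves (an alias of hosts to the VPN, a port range to the VPN for one host, subnet-aligned sources to two different PIA gateways, and the NO_WAN_EGRESS tag caught by a floating block on WAN out). The following is an added example, not pfSense code and not any poster's rule set: a small model of that evaluation so a rule set can be checked before it is committed. Alias contents, gateway names and the hosts used are constructed; the modelled fallback is that traffic whose policy gateway is down follows the default route, which is exactly the case the floating NO_WAN_EGRESS block exists to catch. `prefix_range` reports the address span a prefix actually covers (a /29 is 8 addresses, a /27 is 32), which is worth confirming before writing a source like `192.168.0.32/29`.

```python
"""Added example (not pfSense code): first-match policy routing with aliases,
port ranges, subnet-sized sources and a NO_WAN_EGRESS tag, as discussed in
this thread. Alias contents, gateway names and hosts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias table, standing in for Firewall > Aliases (hypothetical hosts).
ALIASES = {
    "vpn_hosts": ["192.168.1.60", "192.168.1.61"],
    "LAN net": ["192.168.1.0/24", "192.168.0.0/24", "10.0.1.0/24"],
}
DEFAULT_GW = "WAN_DHCP"   # the system default route in this model


@dataclass
class Rule:
    source: str                     # alias name, CIDR or single address
    gateway: str                    # gateway the matched traffic is sent to
    ports: Optional[range] = None   # destination port range; None means any
    tag: Optional[str] = None       # packet tag, e.g. "NO_WAN_EGRESS"
    disabled: bool = False


def source_networks(source: str):
    """Expand an alias name (or a literal CIDR/IP) into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in ALIASES.get(source, [source])]


def prefix_range(cidr: str):
    """First address, last address and size of a prefix, for sizing a source."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    if rule.disabled:
        return False
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in source_networks(rule.source)):
        return False
    return rule.ports is None or dst_port in rule.ports


def route(rules, src_ip: str, dst_port: int, gateway_up=None):
    """Evaluate LAN rules top-down, first match wins; returns (egress, tag).

    Modelled behaviour: if the matched rule's gateway is down the traffic
    falls back to the default route; a floating 'block NO_WAN_EGRESS on WAN
    out' rule is represented by the 'DROPPED' result.
    """
    gateway_up = gateway_up or {}
    for rule in rules:
        if not matches(rule, src_ip, dst_port):
            continue
        egress = rule.gateway
        if not gateway_up.get(egress, True):
            egress = DEFAULT_GW
        if rule.tag == "NO_WAN_EGRESS" and egress == DEFAULT_GW:
            return "DROPPED", rule.tag
        return egress, rule.tag
    return DEFAULT_GW, None


# Constructed rule set combining the cases raised in the thread.
RULES = [
    Rule("vpn_hosts", "PIAVPN_VPNV4", tag="NO_WAN_EGRESS"),        # alias -> VPN, with kill switch tag
    Rule("10.0.1.10", "PIAVPN_VPNV4", ports=range(45000, 45101)),  # only these ports via VPN
    Rule("192.168.0.32/29", "PIA_USA_WEST"),                       # subnet-aligned source
    Rule("192.168.0.64/29", "PIA_CANADA"),
    Rule("LAN net", DEFAULT_GW),                                   # everything else
]

if __name__ == "__main__":
    for src, port in [("192.168.1.60", 443), ("10.0.1.10", 45050), ("10.0.1.10", 80),
                      ("192.168.0.35", 80), ("192.168.0.40", 80)]:
        print(src, port, "->", route(RULES, src, port))
    print("VPN down:", route(RULES, "192.168.1.60", 443, {"PIAVPN_VPNV4": False}))
    print("192.168.0.32/29 covers", prefix_range("192.168.0.32/29"))
```

Running it shows why rule order matters: `10.0.1.10` on port 80 falls through the port-restricted rule to the LAN net rule and leaves via WAN, and `192.168.0.40` is outside `192.168.0.32/29` (which ends at .39), so it is not sent to PIA USA West. With the VPN gateway marked down, the tagged `vpn_hosts` traffic is dropped instead of silently leaving via WAN.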