Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Tutorial: Configuring pfSense as VPN client to Private Internet Access

    OpenVPN
    99
    348
    383.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      plainzwalker
      last edited by

      edit  the firewall at my work was blocking all images.

      Thank you

      1 Reply Last reply Reply Quote 0
      • U
        User1503
        last edited by

        Great tutorial.  Setup my pfsense on the first go-round, thanks!  Now, the 2 issues.  1 is really just speed, I'm only getting 1.6-2.x mbps but that's not really a pfsense issue, more of a PIA issue.  Using Texas server seems to be fastest but still slow compared to my 50mbps VDsL.  #2,  Email.  Email pop3 doesn't work over PIA (goDaddy) and they know it.  Can receive, can't send.  Is there a rule? or setting to let smtp bypass the VPN and use the Wan?  I tried a few tests, obviously unsuccessfully.  Again, great stuff!
        Thanks

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Try setting your mail server to use port 587.

          Sending email is not POP3.  Sending is SMTP.  Port 587 is the SMTP submit port.  You will have to authenticate.  Hopefully your mail provider supports STARTTLS.  Make it required.

          A quick telnet mailserver 587 will either result in an SMTP banner or it won't.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • U
            User1503
            last edited by

            Thanks for the response.  I'm not hosting a mail server.  What I need to do is route my SMTP requests from my pop3 outlook account thru to the wan, bypassing the PIAVPN.  Currently all LAN machines are using pfSense DHCP and pfSense is configured to automatically connect and route to PIA's VPN connection.  Can (How?) do I take an smtp request from a machine that is using the vpn connection and have it's outlook pop3 route past (bypass) the pia vpn?  Let me know if this makes sense.  Thx

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              I know.

              I'm sure PIA blocks port 25.  Try 587 instead.

              That or make a rule above the rule that routes your traffic to PIA that routes connections to your mail ports (TCP 110,143,993,995,25,587 and 465) out your WAN gateway (or the default route).

              Note that any application you use that attempts to bypass firewalling by using one of these commonly-passed ports will no longer go through the VPN either.  If you only use one to a few mail servers, you might want to create an alias using their FQDNs and set the destination address to that to limit the scope of the rule even more.

              ![Screen Shot 2015-02-13 at 7.10.59 AM.png](/public/imported_attachments/1/Screen Shot 2015-02-13 at 7.10.59 AM.png)
              ![Screen Shot 2015-02-13 at 7.10.59 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-02-13 at 7.10.59 AM.png_thumb)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • U
                User1503
                last edited by

                Thx Derelict. Your advice on the ports worked but only without SSL so I'm not connecting securely to send/receive.  Can you outline in a few steps how to add an smtp to a rule for bypass?  smtp.out.secureserver.net is what godaddy uses for sending, if I can put that in a rule to bypass the vpn and use the wan it should work with encryption (SSL) applied.

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Should have nothing to do with negotiating SSL.  I don't know how that server is set up but there are two ways to get SMTP over SSL/TLS:

                  1. Connect on port 465.  This usually expects SSL right off the bat like an HTTPS connection.  You can test this with openssl s_client -connect smtp.out.secureserver.net:465.  Port 465 is a de facto standard for this thanks to Microsoft. YMMV.

                  2. Connect to port 25 or 587.  This establishes a normal SMTP or SMTP Submit connection.  The client must then issue a STARTTLS command to negotiate TLS prior to sending authentication credentials. You can test this with openssl s_client -connect smtp.out.secureserver.net:[25|587] -starttls smtp

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    @User1503:

                    Can you outline in a few steps how to add an smtp to a rule for bypass?

                    Post your LAN rules (or the rules for whatever interface is being used for forwarding to PIA.)

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      Hmmm.  smtp.out.secureserver.net doesn't resolve.  You need to figure out where you need to send your outgoing mail.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • W
                        White Widow
                        last edited by

                        I just started using pfSense again after a long hiatus and can't get OpenVPN to work with PIA.  I had it working in an old version of pfSense but the options are different in v2.2 and I'm tearing my hair out.  Everything looks setup right but the gateway never stays up.

                        After restarting the OpenVPN service the 'PIAVPN' Interface shows an IP address, but when I go to the Gateway status, the 'PIAVPN_VPNV4' gateway is always 'offline.'  According to the Gateway log:

                        Feb 14 14:31:57 apinger: SIGHUP received, reloading configuration.
                        Feb 14 14:31:57 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.100.4.5) *** down ***
                        Feb 14 14:32:08 apinger: ALARM: PIAVPN_VPNV4(10.153.1.5) *** down ***
                        Feb 14 14:32:13 apinger: SIGHUP received, reloading configuration.
                        Feb 14 14:32:13 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.153.1.5) *** down ***
                        Feb 14 14:32:23 apinger: ALARM: PIAVPN_VPNV4(10.183.1.5) *** down ***
                        Feb 14 14:33:26 apinger: SIGHUP received, reloading configuration.
                        Feb 14 14:33:26 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.183.1.5) *** down ***
                        Feb 14 14:33:36 apinger: ALARM: PIAVPN_VPNV4(10.182.147.5) *** down ***
                        Feb 14 14:33:40 apinger: SIGHUP received, reloading configuration.
                        Feb 14 14:33:40 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.182.147.5) *** down ***
                        Feb 14 14:33:50 apinger: ALARM: PIAVPN_VPNV4(10.181.1.5) *** down ***

                        This repeats constantly.  I checked the OpenVPN logs:

                        Feb 14 14:33:35 openvpn[45195]: client = ENABLED
                        Feb 14 14:33:35 openvpn[45195]: pull = ENABLED
                        Feb 14 14:33:35 openvpn[45195]: auth_user_pass_file = '/etc/openvpn-password.txt'
                        Feb 14 14:33:35 openvpn[45195]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 1 2014
                        Feb 14 14:33:35 openvpn[45195]: library versions: OpenSSL 1.0.1k-freebsd 8 Jan 2015, LZO 2.08
                        Feb 14 14:33:35 openvpn[45195]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                        Feb 14 14:33:35 openvpn[45424]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                        Feb 14 14:33:35 openvpn[45424]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
                        Feb 14 14:33:35 openvpn[45424]: LZO compression initialized
                        Feb 14 14:33:35 openvpn[45424]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
                        Feb 14 14:33:35 openvpn[45424]: Socket Buffers: R=[42080->65536] S=[57344->65536]
                        Feb 14 14:33:35 openvpn[45424]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
                        Feb 14 14:33:35 openvpn[45424]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
                        Feb 14 14:33:35 openvpn[45424]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
                        Feb 14 14:33:35 openvpn[45424]: Local Options hash (VER=V4): '41690919'
                        Feb 14 14:33:35 openvpn[45424]: Expected Remote Options hash (VER=V4): '530fdded'
                        Feb 14 14:33:35 openvpn[45424]: UDPv4 link local (bound): [AF_INET]73.34.122.142
                        Feb 14 14:33:35 openvpn[45424]: UDPv4 link remote: [AF_INET]66.85.147.138:1194
                        Feb 14 14:33:35 openvpn[45424]: TLS: Initial packet from [AF_INET]66.85.147.138:1194, sid=97ab86e1 7dcc85ab
                        Feb 14 14:33:35 openvpn[45424]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
                        Feb 14 14:33:36 openvpn[45424]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
                        Feb 14 14:33:36 openvpn[45424]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
                        Feb 14 14:33:36 openvpn[45424]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
                        Feb 14 14:33:36 openvpn[45424]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Feb 14 14:33:36 openvpn[45424]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
                        Feb 14 14:33:36 openvpn[45424]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Feb 14 14:33:36 openvpn[45424]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
                        Feb 14 14:33:36 openvpn[45424]: [Private Internet Access] Peer Connection Initiated with [AF_INET]66.85.147.138:1194
                        Feb 14 14:33:38 openvpn[45424]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
                        Feb 14 14:33:39 openvpn[45424]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.181.1.1,topology net30,ifconfig 10.181.1.6 10.181.1.5'
                        Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: timers and/or timeouts modified
                        Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: LZO parms modified
                        Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: –ifconfig/up options modified
                        Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: route options modified
                        Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
                        Feb 14 14:33:39 openvpn[45424]: ROUTE_GATEWAY 73.34.122.1
                        Feb 14 14:33:39 openvpn[45424]: TUN/TAP device ovpnc1 exists previously, keep at program end
                        Feb 14 14:33:39 openvpn[45424]: TUN/TAP device /dev/tun1 opened
                        Feb 14 14:33:39 openvpn[45424]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
                        Feb 14 14:33:39 openvpn[45424]: /sbin/ifconfig ovpnc1 10.181.1.6 10.181.1.5 mtu 1500 netmask 255.255.255.255 up
                        Feb 14 14:33:39 openvpn[45424]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.181.1.6 10.181.1.5 init
                        Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 66.85.147.138 73.34.122.1 255.255.255.255
                        Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 0.0.0.0 10.181.1.5 128.0.0.0
                        Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 128.0.0.0 10.181.1.5 128.0.0.0
                        Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 10.181.1.1 10.181.1.5 255.255.255.255
                        Feb 14 14:33:39 openvpn[45424]: Initialization Sequence Completed

                        Nothing really stands out as problematic there…nothing else gets logged  until maybe 15 minutes later when I get this:

                        Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                        Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: CMD 'state 1'
                        Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: CMD 'status 2'
                        Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: Client disconnected

                        Any ideas where I should be looking to resolve this?

                        Thanks for the help!

                        1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          Looks like it's connecting to me.  What's not working?

                          You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          1 Reply Last reply Reply Quote 0
                          • W
                            wiz561
                            last edited by

                            Thanks for the tutorial and it works….but does anybody know how to force OpenVPN to route traffic from only one vlan?  So, for example, I have the following interfaces:

                            WAN
                            LAN (10.0.1.0/24)
                            Guest (10.0.2.0/24)
                            OVPN (10.0.3.0/24)

                            I want the LAN and Guest get routed through WAN.  How do I make only the clients on the OVPN interface use the OpenVPN tunnel?

                            I've tried to limit the NAT to only the 10.0.3.0/24 net, but then the LAN (and probably Guest) wasn't routing any traffic out.  I also tried to setup some firewall rules to route the LAN to the WAN and make OVPN route it through the OpenVPN gateway, but nothing.

                            Thanks!

                            1 Reply Last reply Reply Quote 0
                            • W
                              White Widow
                              last edited by

                              @Derelict:

                              Looks like it's connecting to me.  What's not working?

                              You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.

                              Thanks - the problem is that as soon as I adjust the LAN firewall rule to direct LAN traffic to the PIAVPN_VPN4 gateway, I lose all internet access.  I can't ping, traceroute, etc. anything outside my LAN.  I have outbound NAT rules setup for both WAN and PIAVPN gateways and firewall rules for each interface that are basically unrestricted:

                              sorry for the crappy spacing in the output below

                              WAN Firewall Rules:
                              ID Proto   Source Port         Destination  Port Gateway   Queue Schedule Description
                              IPv4        *   *                 *       *              *             none

                              PIAVPN Firewall Rules
                              ID Proto   Source Port         Destination  Port Gateway   Queue Schedule Description
                              IPv4        *   *                 *       *              *             none

                              OpenVPN Firewall Rules
                              ID Proto   Source Port         Destination  Port Gateway   Queue Schedule Description
                              IPv4        *   *                 *       *              *             none

                              LAN Firewall Rules (working)
                              ID Proto   Source Port         Destination  Port Gateway   Queue Schedule Description
                              IPv4        *   *                 *       *      WAN_DHCP     none

                              LAN Firewall Rules (not working)
                              ID Proto   Source Port         Destination  Port Gateway   Queue Schedule Description
                              IPv4        *   *                 *       *    PIAVPN_VPNV4  none

                              1 Reply Last reply Reply Quote 0
                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                Umm.  First thing you should do is delete that WAN rule.  Do it now.  Don't delay.

                                Also delete the OpenVPN and PIAVPN rules.  Do it now.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  Now that you've done that.  Show us your NAT rules.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  1 Reply Last reply Reply Quote 0
                                  • W
                                    White Widow
                                    last edited by

                                    @Derelict:

                                    Now that you've done that.  Show us your NAT rules.

                                    Ha!!  Yeah, those non-LAN rules were NOT active (disabled) and are now deleted - otherwise that would kind of defeat the purpose of a firewall, right? :) The only firewall rules I have right now are:

                                    The Outbound NAT Rules:

                                    When I activate the "PIAVPN" version of these rules and the corresponding firewall rule, I lose all connectivity outside my LAN.

                                    ***UPDATE: It's magically decided to start working now.  I have no idea what the problem was but it's good to go now.

                                    1 Reply Last reply Reply Quote 0
                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      You can leave the NAT rules active.  They mean nothing unless that interface is being used for egress.  They just have to be there if you're going from the source IP addresses out that interface.

                                      Maybe PIA was having a problem?  Who knows.  Glad it's working and you don't have a pass any any rule on WAN.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      1 Reply Last reply Reply Quote 0
                                      • W
                                        White Widow
                                        last edited by

                                        One additional question: I can get the OpenVPN/PIA tunnel up and functioning, but when I come back after a while the Interface is down and the OpenVPN service needs to be restarted.  This is from the log:

                                        Feb 14 23:26:43 openvpn[83612]: TLS: soft reset sec=0 bytes=494118/0 pkts=4201/0
                                        Feb 14 23:26:43 openvpn[83612]: ERROR: could not read Auth username from stdin
                                        Feb 14 23:26:43 openvpn[83612]: Exiting due to fatal error
                                        Feb 14 23:26:43 openvpn[83612]: Closing TUN/TAP interface
                                        Feb 14 23:26:43 openvpn[83612]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.179.1.6 10.179.1.5 init

                                        Is this because I specified "auth-nocache"?  If so, shouldn't this option cause the information to be re-read from the file, not stdin?  I'll try and remove the -nocache option since, really, why should I mind having the login credentials saved in memory when it's OK to have them stored plaintext on disk…

                                        Is it something else entirely?

                                        Thanks,
                                        Aaron

                                        1 Reply Last reply Reply Quote 0
                                        • DerelictD
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          If you added auth-nocache outside of the tutorial, remove it.

                                          https://community.openvpn.net/openvpn/ticket/225

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            plainzwalker
                                            last edited by

                                            Quick questions since I am still doing my research. If I wanted my VPN service (PIA) to use a different set of DNS servers, to prevent DNS leak, would it be possible? If so how would I go about setting this up? Or would pfsense as a whole have to use only one set of dns servers?

                                            Sorry, still learning and haven't been able to get any hands on yet.

                                            Thank you

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post