Tutorial: Configuring pfSense as VPN client to Private Internet Access

thethrow

Leaving this note for myself for 6 months when I forget.  8). Unsure if it was discussed prior, but may be worth adding to the tutorial.

I was struggling with the routing part, as I expected the traffic to stop when my gateway went down, once I assigned a VPN gateway to the "Default allow LAN to any rule"

In order to make this work how I expected, I had to make the following change:

(System | Advanced | Miscellaneous)
Do not create rules when gateway is down
By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

CTrax

While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

Problem:
I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

Any idea of what to observe or what config to check or change would be appreciated. Thanks!

Intent:
Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

Network:
ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
SG-2440 is at 2.3.2.p1, no added packages

Gateways:
DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

Interfaces:
Existing defaults: WAN, LAN
Deleted: OPT2 (unused)

/ Name: PIAVPN / Network port: ovpnc1(PIA openVPN)

Firewall:
NAT:
Existing: (6) WAN Mappings
Copied: (6) and rename Interface: PIAVPN

Aliases:
Roku / 192.168.1.209
VPNPath / 192.168.1.200-208 range

Rules: WAN: (only existing block private and bogon)
Rules: PIAVPN: (no rules)
Rules: OpenVPN: (no rules)

Rules: LAN:
Added: Roku / any port,dest / DSLGW gateway
Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>

thethrow

@CTrax:

While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

Problem:
I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

Any idea of what to observe or what config to check or change would be appreciated. Thanks!

Intent:
Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

Network:
ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
SG-2440 is at 2.3.2.p1, no added packages

Gateways:
DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

Interfaces:
Existing defaults: WAN, LAN
Deleted: OPT2 (unused)

/ Name: PIAVPN / Network port: ovpnc1(PIA openVPN)

Firewall:
NAT:
Existing: (6) WAN Mappings
Copied: (6) and rename Interface: PIAVPN

Aliases:
Roku / 192.168.1.209
VPNPath / 192.168.1.200-208 range

Rules: LAN:
Added: Roku / any port,dest / DSLGW gateway
Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>

3 things to check:
-See my post above, make the change.
-RE: LAN rules Roku is set at your "source"
-put your alias under Firewall | Aliases | IP

Also may want to try just plugging in the address to the source (e.g. 192.168.1.209 for roku), and not using an alias, just for testing.

bartgrefte

Just now I went through this howto to set up a virtualized pfSense as VPN client. Since I do not want all traffic to go through VPN, just one or two specific programs, I figured I'd set up a virtual pc with pfSense and Squid and set the programs in question to connect to Squid so that the traffic goes through pfSense and it's VPN client.

I got a bit confused at the compression setting, there is nothing to check, instead there's a drop down menu with 5 options, I set it to "enabled with adaptive compression". Not sure if it's the right choice though…

Plus option "Auth digest algorithm" is not listed in the howto, I left the default setting as it was, SHA1 (160-bit)

After finishing following the howto, I ended up with "reconnecting; tls-error" as status and this in the log:

Aug 30 14:25:40 openvpn 26470 TLS: Initial packet from [AF_INET]46.166.137.250:1194, sid=95cdf14a 8a04e2c6
Aug 30 14:25:40 openvpn 26470 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Aug 30 14:25:40 openvpn 26470 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 30 14:25:40 openvpn 26470 TLS_ERROR: BIO read tls_read_plaintext error
Aug 30 14:25:40 openvpn 26470 TLS Error: TLS object -> incoming plaintext read error
Aug 30 14:25:40 openvpn 26470 TLS Error: TLS handshake failed
Aug 30 14:25:40 openvpn 26470 TCP/UDP: Closing socket
Aug 30 14:25:40 openvpn 26470 SIGUSR1[soft,tls-error] received, process restarting
Aug 30 14:25:40 openvpn 26470 Restart pause, 2 second(s)

I solved that by changing the port from 1194 to 1198 and the encryption algorithm from BF-CBC (128-bit) to AES-128-CBC (for standard certificates), see https://www.privateinternetaccess.com/forum/discussion/comment/42294/#Comment_42294 for more info.

After that, the VPN showed as "up", so I accessed pfSense's console and ran both```
curl -s checkip.dyndns.org | sed -e 's/.Current IP Address: //' -e 's/<.$//'

curl ipinfo.io/ip

Both show an IP-address that's not my public IPv4-address issued by my ISP, nor the private address issued by my router to pfSense's WAN-interface, so I guess its working :)

I have some questions though.
- Should I disable IPv6 on pfSense? Since PIA doesn't seem to support it.
- As for the NAT-rules part of the howto, I doubled all the rules while setting the VPN as interface as instructed. Since there are now rules for two outbound interfaces, how will I know if the traffic always goes through the VPN?

DaveB

@CTrax:

While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

Problem:
I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

Any idea of what to observe or what config to check or change would be appreciated. Thanks!

Intent:
Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

Network:
ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
SG-2440 is at 2.3.2.p1, no added packages

Gateways:
DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

Interfaces:
Existing defaults: WAN, LAN
Deleted: OPT2 (unused)

/ Name: PIAVPN / Network port: ovpnc1(PIA openVPN)

Firewall:
NAT:
Existing: (6) WAN Mappings
Copied: (6) and rename Interface: PIAVPN

Aliases:
Roku / 192.168.1.209
VPNPath / 192.168.1.200-208 range

Rules: WAN: (only existing block private and bogon)
Rules: PIAVPN: (no rules)
Rules: OpenVPN: (no rules)

Rules: LAN:
Added: Roku / any port,dest / DSLGW gateway
Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>

Hi

Just been struggling with a similar problem and concluded that it was my settings under Firewall/NAT/Outbound - Manual Outbound that were wrong. I had overwritten the existing rules with my VPN rules rather than duplicating and then modifying.

Copy of Rules that sorted it for me is shown below.
Hope you can get it sorted.

Finger79

I don't think the ISAKMP/500 rules need to be created for the VPN.  Just the two (localhost to VPN and LAN to VPN).  They can be safely removed.

fnkngrv

I followed the PIA guide on their support page completely however it didn't work.  For grins I went in and saw that there was a system update.  I was on 2.3.4 and 2.4 released on Oct 10th.  I have no clue if the update resolved some type of internal software issue however after going back in and having to redo the configs it is now working.  Just figured that I would share for anyone that might be running into issues recently.  Thanks for the tutorial.  I will need to come back to it again for setting up a machine or two to skip using it.

On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?

Finger79

@fnkngrv:

On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?

Are you using Unbound as a DNS Resolver or the old school dnsmasq for DNS Forwarding?  You can have your cake and eat it too.  Meaning, you can have all your clients' DNS queries get routed over the VPN, but the pfSense box itself still needs to be able to do DNS in case the VPN tunnel goes down.

So your list would be something like:

127.0.0.1 (this is there by default, no need to manually add)
DNS 1
DNS 2
DNS 3
etc.

This way for PIA you don't have to hardcode the IP address in the OpenVPN client configuration page.  You can actually do the FQDN us-florida.privateinternetaccess.com (or whatever).

gtj

This is an excellent tutorial and in great detail.
I have set the PIA client successfully however I have also set an OpenVPN sewrver for remote access and these 2 don't seem to work together. I have to disable the server to have the PIA Client encrypting traffic while if I want to connect to my LAN from a remote location, I have to disable the PIA client.

Can anyone please advise what rules should anyone use in order to have both OpenVPN instances running at the same time?

Any help woul;d be much appreciated.

Derelict

They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

gtj

@Derelict:

They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

Does this mean I have to choose under Firewall - Rules - OpenVPN Server a different gateway for the server? (''clean'' WAN instead of the PIA gateway)

Thanks!

Derelict

You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

gtj

@Derelict:

You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

Still can't set it right. When a client is connected to the OpenVPN server, my PIA connection is either slow or down. I have to disable the server to get my connection back.

Do I have to create a rule for both OpenVPN and PIA interfaces or just for OpenVPN? Currently under Firewall –-> Rules ---> PIA there aren't any rules set at all.

I have created a rule for the OpenVPN interface to look like the one below:

Interface: LAN (''Bridge'' in my case as I have bridged 2 NICs to act as one)
Address Family: IPv4
Protocol: TCP/UDP
Source:Any
Destination: Any
Destination Port Range: 1194

Advanced Options -->  "Gateway"---> WAN

I apply the above but still don't see any difference.

gtj

Anyone that can actually help with the problem above? It will be much appreciated.

I did the following:

-I have created separate interfaces for both my PIAVPN and OpenVPN Server.

-Under NAT, I generated the default WAN ''Outbound'' values for both PIAVPN (client) & OpenVPN Server

-Created a WAN rule which allows TCP/UDP traffic to port 1194 and have selected under ''Advanced Settings'' –--> ''Gateway'' the WAN_DHCP instead of the ''Default'' I then duplicated that rule to be present under ''LAN'' as well as under ''Bridge'' tab as I have bridged the 2 NICs of my APU2C4 to act as one LAN.

-There are no rules at all under the tabs ''OpenVPN'', ''LAN2'', ''OPENVPN'', ''BR0''.
At the moment, rules are set only for ''WAN'', ''LAN'' and ''Bridge''.

On the pfSense dashboard the available interfaces are all being shown as active:

WAN        ---- up        (ip assigned)
LAN          ---- n/a
LAN2        ---- n/a
PIAVPN    ---- up        (ip assigned)
OpenVPN  ---- up        (ip assigned)
BR0          ---- up        (ip assigned)

What am I missing?

Haze028

I've followed a few different guides, and googled for quite a while and can't seem to get my connection to work properly. 
My mappings are set:

pfSense shows openVPN as connected, and my VPN interface has an IP assigned to it.  Everything looks like it should be good

I have two LAN firewall rules to specify which computers use the vpn and which don't:

I am unable to access the internet when OpenVPN is connected from a VPN_Users aliased computer.
I am able to ping fine from this computer ex. www.google.ca, but when I try to load a page Firefox just sits saying "Preforming TLS Handshake with.." and never loads. As soon as I shut down OpenVPN service, internet works as normal

I've tried looking at the log, but see no mention of an error.

I'm assuming this is related to my firewall not being configured properly and blocking the access.  I just don't know what I'm missing.

Any Suggestions?

Finger79

@Haze028, I noticed your LAN network is 150.160.170.0/24, which is a public IP range.  If you haven't purchased or otherwise own this block of IPs, you should stick with private IP ranges.

bcruze

these are the updated instructions just provided to me:

https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115005760606-Setting-up-a-Router-running-pfSense-Firmware

bcruze

i've followed the instructions above and now i am getting several events in the logs

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

seems like several red flags.  what is everyone's opinion on this?

Finger79

@bcruze:

i've followed the instructions above and now i am getting several events in the logs

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

seems like several red flags.  what is everyone's opinion on this?

I get the 'link-mtu' warnings as well.  The Blowfish/SWEET32 warning is because PIA can't competently maintain their systems (and I'm a customer!) and still defaults to BF-CBC instead of at least AES-128-CBC.  They really should be using the latest OpenVPN 2.4.4 with NCP support.  As much as I like PIA, they can be a real frustrating PI[T]A….

As long as you (the client endpoint) have your config set to use AES-128-CBC or AES-256-CBC, it'll override the server settings, so don't worry about that warning.

Dave R

Thanks for the guide. I was able to get this configured in about an hour or so. There are a couple of things to note:

1. OpenVPN server port numbers are different for PIA depending if you use a sha256 or sha128 cert: https://www.privateinternetaccess.com/forum/discussion/21213/sha256-with-openvpn

2. I didn't want my Steam gaming traffic going over the VPN (ports 27000-27015,…) so I used a NAT Alias to create a list of ports to apply to the outbound NAT rule.