Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
-
How to configure PIA on pfSense 2.4
Link to tutorial on PIA forums: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1
(In the coming days I will format this to make it looks nice and neat)
1.) Download one of these three certificates (listed below) to your computer.
Least Secure: https://www.privateinternetaccess.com/openvpn/ca.crt <—— Use Port: 1194
Secure: https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt <—— Use Port: 1198
Most Secure: https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt <—— Use Port: 1197
2.) Open the .crt file with a text editor and copy from –---BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
3.) Log in to your pfSense router and navigate to System > Cert. Manager > CAs and click +Add
4.) Name your cert according to the name of the cert your downloaded. (Example: Descriptive name PIA-4096)
5.) Paste the certificate text into the box at Certificate data and click Save.
6.) Navigate to VPN > OpenVPN > Clients and click +Add
Choose a PIA server you want to use: https://www.privateinternetaccess.com/pages/network
7.) Input the server address you chose from the link above at Server host or address.
8.) Enter the Port number based on the Certificate you selected:
ca.crt = 1194
ca.rsa.2048.crt = 1198
ca.rsa.4096.crt = 1197
9.) Description: choose a description that reflects the server region you chose.
10.) User Authentication Settings: Enter your PIA Username and Password
11.) TLS Configuration: Uncheck Use TLS Key
12.) Peer Certificate Authority: Select the PIA Certificate you created if it is not already selected.
13.) Encryption Algorithm: (Note: Setting this to a more secure setting utilizes more CPU processing power.)
Secure: AES-128-CBC
Very Secure: AES-256-CBC14.) Ensure NCP is checked.
Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
Add AES-128-CBC and AES-256-CBC by clicking on them in the left hand list.15.) Auth Digest Algorithm:
Least Secure: SHA1 (160-bit)
Most Secure: SHA256 (256-bit)Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.
16.) Compression: Omit Preference (Use OpenVPN default)
17.) Custom Options: Add these parameters:
persist-key
persist-tun
remote-cert-tls server
reneg-sec 018.) Click Save.
19.) Navigate to Firewall -> NAT -> Outbound
Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click Save.Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.
Set Interface to "OpenVPN"
Repeat the last two steps for all remaining rules shown under Mappings, until every rule has a duplicate for OpenVPN.
Click Save and Apply settings.
20.) Use PIA DNS servers to prevent DNS Leak:
Navigate to System > General Setup and set DNS Servers to PIA's DNS: 209.222.18.222 and 209.222.18.218
21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:
Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)
22.) Navigate to Status -> OpenVPN
If Status doesn't show as "up", click the circular arrow icon under Actions to restart the service. If it still does not come up, navigate to Diagnostics -> Reboot to restart the device.
***** Congratulations! You are all done! Enjoy using Private Internet Access on your pfSense router! *****
To a safe & secure 2018!
~Snickerdoodoo
-
thank you very much! i will compare shortly to my home setup
-
How to configure PIA on pfSense 2.4
15.) Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:
Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)
FWIW, I have a HP Thin Client with an AMD GX-420CA and it has AES-NI. In my testing, in step #15 choosing nothing vs BSD cryptodev engine results in better throughput and reduced CPU usage. I use AES-256-CBC and SHA256. I have AES-NI only selected in the pfSense System > Advanced > Miscellaneous settings menu.
-
I thought I would add that I was having some problems with my connection disconnecting and not reconnecting. The VPN client was on a sub-net connected to a wireless router, so my devices would connect and get an IP, but no internet. Someone (can't remember who) in the forum gave me some changes to the custom options that came from PIA support.
I am using the following custom options:
# Change persist-tun/persist-key (Reconnect Error) persist-key; remote-cert-tls server; reneg-sec 0; # Added auth-nocache - Reconnect Error auth-nocache;
with a 4096 bit CA and UDP on port 1197.
I commented the changes to remind me what I did, just in case there were problems. Since I made these changes, my connection seems to be working just fine. If the connection does drop, it comes right back up without any problem. In use I haven't noticed any problems.
Sorry, but that's all I can remember - if you want more background, search the forum (circa Oct/Nov 2017 IIRC) for my post about the problem and you'll find more details there.
UPDATE: So far this configuration seems to be working fine. When I connect to my WiFi, there has always been internet access. @Flamez, I can't confirm what configurations these changes work for, but I believe that they should be fine with any of the access methods as long as the rest of your configuration is OK.
-
I have added them and so far it working much better. Thank you.
-
Hi!
4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :) -
Hi!
4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)that is correct. i've followed the above tutorial and it works perfectly
with the right hardware 256 bit encryption you won't even know you are using a VPN> and of course a fast reliable service
-
with the right hardware 256 bit encryption you won't even know you are using a VPN> and of course a fast reliable service
thanks!
yes true with 128bit aes currently i have 400mb speed on my 400mb connection :-) -
Does this work on 2.3.5 too?
-
Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.
-
Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.
which one did you follow? least secure or most ?
i am doing most secure on a 1.7Ghz atom processor and get full speeds from a 100Mb download 10Mb upload connection.
-
After I posted, I realized I did not mention this. I am running the
Secure: https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt <—— Use Port: 1198I have downgraded down to pfsense 2.4.2, and still get the same speeds. I know the last time I was running decent speeds with vpn was pfsense 2.4.0.
So if I cant fix speeds I will downgrade and stay on 2.40 for a while.Thanks for your reply
-
Hi,
Do these steps still work? I tried them, and get a client that connects successfully and obtains a PIA IP address, but when I perform check to see my public IP address, it still shows as my ISP ip address, is there additional steps needed to get all my outbound traffice to route through PIA?
Thanks
Sunny -
Since PIA doesn't support IPv6 yet, but my ISP does, is there a setting in the VPN client config or firewall NAT rule set which could blackhole any IPv6 traffic while the tunnel was up?
-
I was able to get PIA running on my SG-3100, however it took a bit of prodding.
What's not clear in any of the on-line tutorials is that the AES modes and SHA1/SHA256 are dependent on the goal you're striving for.
I defined 2 OpenVPN client configs for testing; one using the ca.rsa.2048.crt and other using the ca.rsa.4096.crt CA configs.
What's NOT clear in the docs is that the SHA option is restricted to each CA type.
The ca.rsa.2048.crt supports AES-[128|196|256]-CBC with SHA1. The ca.rsa.4096.crt supports AES-[128|196|256]-CBC and SHA256 or SHA1.
If you try to use SHA256 with the ca.rsa.2048.crt the tunnel won't stay up. Since we all know SHA1 is insecure, using the ca.rsa.4096.crt is really the only option with PIA.
AES-NI is NOT supported by the ARM Cortex-A9 CPU. So you have to use the BSD cryptodev driver mode only. See: https://en.wikipedia.org/wiki/AES_instruction_set#Hardware_acceleration_in_other_architectures
These restrictions should be clarified in the docs.
-
The config in this article fixed my slow pfsense sg-3100 pia openvpn. The official documentation isn't accurate and I also had to piece together the setup, which matched this thread. I only got 30MiB out of 400MiB. I switched to AES 256 Strong Auth and the speed immediately jumped to 300. Thanks.