Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4

bcruze · Feb 1, 2018, 11:46 AM

Hi!
4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)

that is correct. i've followed the above tutorial and it works perfectly

with the right hardware 256 bit encryption you won't even know you are using a VPN> and of course a fast reliable service

fastc · Feb 1, 2018, 11:54 AM

@bcruze:

with the right hardware 256 bit encryption you won't even know you are using a VPN> and of course a fast reliable service

thanks!
yes true with 128bit aes currently i have 400mb speed on my 400mb connection :-)

msurg · Apr 1, 2018, 4:59 PM

Does this work on 2.3.5 too?

katinatez · Apr 9, 2018, 2:18 AM

Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.

bcruze · Apr 9, 2018, 11:26 AM

@katinatez:

Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.

which one did you follow? least secure or most ?

i am doing most secure on a 1.7Ghz atom processor and get full speeds from a 100Mb download 10Mb upload connection.

katinatez · Apr 9, 2018, 2:07 PM

After I posted, I realized I did not mention this. I am running the
Secure: https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt <—— Use Port: 1198

I have downgraded down to pfsense 2.4.2, and still get the same speeds. I know the last time I was running decent speeds with vpn was pfsense 2.4.0.
So if I cant fix speeds I will downgrade and stay on 2.40 for a while.

Thanks for your reply

sunnyg · Mar 8, 2019, 8:13 PM

Hi,

Do these steps still work? I tried them, and get a client that connects successfully and obtains a PIA IP address, but when I perform check to see my public IP address, it still shows as my ISP ip address, is there additional steps needed to get all my outbound traffice to route through PIA?

Thanks
Sunny

lohphat · Jan 17, 2020, 12:56 AM

Since PIA doesn't support IPv6 yet, but my ISP does, is there a setting in the VPN client config or firewall NAT rule set which could blackhole any IPv6 traffic while the tunnel was up?

lohphat · Jan 20, 2020, 6:45 PM

I was able to get PIA running on my SG-3100, however it took a bit of prodding.

What's not clear in any of the on-line tutorials is that the AES modes and SHA1/SHA256 are dependent on the goal you're striving for.

I defined 2 OpenVPN client configs for testing; one using the ca.rsa.2048.crt and other using the ca.rsa.4096.crt CA configs.

What's NOT clear in the docs is that the SHA option is restricted to each CA type.

The ca.rsa.2048.crt supports AES-[128|196|256]-CBC with SHA1. The ca.rsa.4096.crt supports AES-[128|196|256]-CBC and SHA256 or SHA1.

If you try to use SHA256 with the ca.rsa.2048.crt the tunnel won't stay up. Since we all know SHA1 is insecure, using the ca.rsa.4096.crt is really the only option with PIA.

AES-NI is NOT supported by the ARM Cortex-A9 CPU. So you have to use the BSD cryptodev driver mode only. See: https://en.wikipedia.org/wiki/AES_instruction_set#Hardware_acceleration_in_other_architectures

These restrictions should be clarified in the docs.

Tleary · Dec 5, 2020, 6:21 PM

The config in this article fixed my slow pfsense sg-3100 pia openvpn. The official documentation isn't accurate and I also had to piece together the setup, which matched this thread. I only got 30MiB out of 400MiB. I switched to AES 256 Strong Auth and the speed immediately jumped to 300. Thanks.