WG vs OpenVPN on PIA
-
@rodger_dodger tl;dr PIA + WG + pfSense is relatively complicated, but doable.
There's my tutorial for setting up my app, which will do most of the heavy lifting for you. My app isn't quite ready for the masses yet. If you're willing to play with the bleeding edge then give it a go (it works, I've been running it against my prod pfSense host for a few weeks now), but there are definitely a couple of kinks left to iron out.
The thing with PIA + WG is their solution is completely dynamic. They assign dynamic IPs for your WG interface, they use dynamically generated and constantly refreshing keys for the interfaces, etc. Anytime the wg interface is dropped, you need to go ask their api for a new interface IP and key.
To get the wg config, you have to make a series of api calls to them to get a json blob that contains the details needed to create a wg0.conf file. They have bash scripts they provide that will make all the api calls you need to get a config file. From there, you'd have to load the config details into pfSense's config.xml file and tell pfSense to reload in order for the wg interface to show up. Or manually create the wg interface in the pfSense gui. And you need that so you can create a gateway and set up outbound NAT, etc. And the first time the interface drops (intermittent internet drop, PIA drops the connection for some reason, etc.) then you have to do these steps all over again because the IP and key assigned for the interface is no longer valid; you need to make all of the api calls again to get new connection details.
My app deals with all of this by making the api calls for you, taking the PIA json blob and getting it into your config.xml file and getting pfSense to load those settings, allowing you to create the gateway, NAT rules, etc. It then monitors the interface(s) (yes, you can create multiple interfaces for policy routing, etc.) and recreates them as necessary. You run my app somewhere on your LAN (designed to run as a docker) and it just runs in the background acting as the middle man between PIA and pfSense.
PIA will likely never be any help. At best they'll point you to those bash scripts and say modify them for your platform. Their level of support for wg seems to be use their official client on a supported OS or use/modify their bash scripts or if that's not possible (i.e. on something like pfSense) then use the bash scripts as a guide of what api calls have to happen and then whip up your own solution.
I chose the latter. Before pfSense had wg, I was running a linux vm as a wg gateway, hence why my app is a docker based solution. I've since modified the app to talk to pfSense directly to manage the wg interfaces and have removed the linux vpn gateway from my setup, which is nice.
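The "json blob to wg0.conf" step described above, as an added example that is not the poster's app or PIA's scripts. The JSON field names and key values are constructed placeholders (assumed, not PIA's documented schema); the point is that every key and address handed back is checked before it is written into a config pfSense will load.

```python
import base64
import ipaddress
import json

# Constructed sample of the kind of JSON blob the PIA api hands back.
# Field names are assumptions for illustration, not PIA's documented schema,
# and the key values are placeholder bytes, not real Curve25519 keys.
SAMPLE_BLOB = json.dumps({
    "peer_ip": "10.0.0.2",
    "server_key": base64.b64encode(bytes(range(32))).decode(),
    "server_ip": "203.0.113.10",
    "server_port": 1337,
})
CLIENT_PRIVATE_KEY = base64.b64encode(bytes(32)).decode()  # placeholder only


def check_wg_key(key: str) -> str:
    """A WireGuard key is exactly 32 bytes, base64 encoded; reject anything else."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard key must decode to 32 bytes")
    return key


def render_wg_conf(blob: str, private_key: str) -> str:
    """Turn the dynamically assigned PIA details into a wg0.conf body."""
    d = json.loads(blob)
    addr = ipaddress.ip_address(d["peer_ip"])          # dynamic interface IP
    endpoint_ip = ipaddress.ip_address(d["server_ip"])  # rejects garbage hosts
    port = int(d["server_port"])
    if not 0 < port < 65536:
        raise ValueError("bad server_port")
    return (
        "[Interface]\n"
        f"PrivateKey = {check_wg_key(private_key)}\n"
        f"Address = {addr}/32\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {check_wg_key(d['server_key'])}\n"
        f"Endpoint = {endpoint_ip}:{port}\n"
        "AllowedIPs = 0.0.0.0/0\n"
        "PersistentKeepalive = 25\n"
    )


if __name__ == "__main__":
    print(render_wg_conf(SAMPLE_BLOB, CLIENT_PRIVATE_KEY))
```

Because PIA issues a fresh IP and key every time the tunnel is rebuilt, this rendering has to be rerun (and the pfSense interface updated) after every drop, which is exactly what the poster's app automates.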
-
@slugger So I saw this, got to the docker part, and was like, well crap, this isn't what I want. Where is the pfsense continuation piece of your tutorial?
-
@rodger_dodger You mean you didn't make it to the bottom of the docker wiki page??
I think this is what you were looking for. But this page assumes you got a wg interface created already by setting up the docker beforehand.
-
@slugger I did I promise! But I'm running Pfsense in a vm, and I don't want to use docker. So can I just skip the docker portion? Is that what you're saying?
-
@rodger_dodger If you skip the docker portion then you have to somehow generate the wg config via the PIA api calls. So you have to adapt those bash scripts that PIA provides or somehow make the api calls to get the wg config details you need to then go and manually create the wg interface in pfSense. And then... anytime the interface stops responding, you have to go do the api calls with PIA again.
In other words, if you just want to create a PIA wg interface in pfSense manually, you have to go adapt and call those bash scripts that PIA provides, extract the json blob of config details then use those details to manually create the wg interface in pfSense. Though that's doable, the real pain is anytime the interface stops responding you have to go do this all again because once the interface stops responding for any reason, the assigned IP and keys for that interface are no longer valid making the interface useless.
If it's just you don't want to use docker then I also package my app up as a standalone app that will run on Windows or Linux. It requires Java be on your system. No docs for that setup yet. If it's just you don't want to have to run some kind of service at all for this then you're in for a challenge. You can't avoid the series of api calls to PIA to configure all of this, it's the only way you get a valid and useable wg config from them.
-
@rodger_dodger I took a few minutes to create a "manual" command in my app that will just generate a valid WireGuard config for PIA and dump it to the console. You can then take that output and manually create a PIA wg interface in pfSense. Let me test it when I get an hour or two in the next few days and then I'll upload it to the gitlab page. You will need Java on your system to run it.
Makes adding a PIA wg interface pretty simple, but it's a completely manual process. Anytime the interface goes stale you'd have to run this command line tool and update the wg settings in pfSense manually based on its output.
-
@slugger Dang that's really awesome of you. Have you given any thoughts on making a docker app for Unraid? I'm running my pfsense box from within a vm on my unraid server. Maybe I could leverage docker on that to use your app?
-
@rodger_dodger The docker I've created should run on Unraid as is without issue. Unraid is just Linux under the hood, right?
-
@rodger_dodger Given this announcement, I've paused my project and am reassessing things. Likely switching back to my previous Linux vm wireguard gateway setup I had going on. Definitely recommend not proceeding with using my app to config wg on pfsense.
-
@slugger Yeah I saw that too. I just wish OpenVPN provided better speeds with PIA.
-
@ryanm You are not seeing some sites because Wireguard requires MSS clamping. Set the MSS to 1380 and it should solve your problem. It's covered at the end of this page: https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
Also, depending on the CPU, you can get up to 700Mbit/sec with Wireguard-go