Use PIA along with pfSense OpenVPN server?
-
I have an OpenVPN server setup on my pfSense firewall. I use it for my mobile devices when I am out using public WiFi. I am also interested in using a VPN service like PIA (Private Internet Access) for my local network and having my pfSense firewall point to it for incoming/outgoing traffic. I am wondering if anyone else has tried this and if it works with PIA and an OpenVPN server running? My concern is that if I tie my pfSense firewall to PIA, will it allow then all my mobile devices to connect back to my pfSense server using OpenVPN? I would think it would block incoming connections since it is tied to the PIA, but not sure. Anyone had any advice on this? Thanks
-
I use both OpenVPN server for my personal clients and 3 PIA tunnels simultaneously. No problems.
-
@whosmatt can you write a quick how-to if you get time?
-
@whosmatt can you write a quick how-to if you get time?
I'm not sure there's anything special to write. There's no inherent conflict between running OpenVPN servers and clients on the same pfSense firewall.
Perhaps I'm misunderstanding the specific question.
-
This is something I would to do as well. The setup is like this
Mobile device - >Pfsense VPN server - >Pfsense PIA Vpn client - >PIA vpn serverI have setup a rule on the Pfsense VPN interface to forward the packets to the PIA Vpn client gateway. Unfortunately, I am not able to ping the internet from the mobile device. I suspect that PIA server has no way to route back to the mobile device.
Any idea how to fix this? -
Ensure that you have an outbound NAT rule in place on PIA interface for the access servers tunnel subnet.
-
Ensure that you have an outbound NAT rule in place on PIA interface for the access servers tunnel subnet.
Thanks, I created an outbound NAT for the PfSense VPN server interface with PIA as a gateway and now mobile device is routed over PIA.
-
Ok, I have looked at and tried to change the rules, gateways…everything I can think of and I'm still having issues. This is my configuration.
I have an OpenVPN Server setup for my mobile devices to use. I also have a PIA OpenVPN client setup for all network traffic to use. If I leave the PIA OpenVPN Client off and the OpenVPN Server on, everything works fine as far as routing traffic to PIA through the OpenVPN client. If I have only the OpenVPN Server on and disable the PIA OPenVPN client, I can connect with my mobile devices perfectly and everything on my mobile and local network works perfectly.
However, if I turn both on, everything changes. On my network workstations, I can access SOME websites and such, but many can't be reached. My mobile devices can't even connect to the OpenVPN Server usually and if they do, they can't access the internet. Turn one OR the other off, and whatever service is on goes back to working perfectly. I'm baffled and I clearly don't understand enough about the system. I am posting some screenshots of my settings in the hope someone will see what is wrong and suggest a change. Thank you for your help.
 -
You've to assign an interface to the PIA client. Interfaces > assign.
Select the PIA client (ovpncx) at "available network ports" and click Add. Open the interface settings, enable it an set a description.After that change the interface in the two OpenVPN outbound NAT rules to the PIA interface.
BTW: You have senseless firewall rules:
On WAN the OpenVPN rule is twice.
On OpenVPN the first rule with dest. WAN address makes no sense. -
I have use PIA on Pfsense for years. I have no problem with using PIA vpn app on phone while the router is routing all traffic through PIA.
You need to make sure you have set the NAT rules, the interface, the firewall and the openvpn settings correctly. Missing any one of these will make it not work.
-
Interface needs to just be created.
2) NAT rules need to specify the vpn and not the wan interface -
OpenVPN needs to be set up correctly. Either AES-128-CBC , sha 1, and I think RSA1024. The other possibility is AES-256-CBC, sha256, RSA2048. I would not use Blowfish any more from security hole found in it.
-
Use fire wall rules to make sure your router doesn't accidently pick the WAN interface.
-
-
ok, Thank you to you both. I am trying to figure this out and I think I am making some progress. The rules referred to as not making as sense were put there via my following several online tutorials. Im still working to understand how rules and interfaces work. But I am still having an issue.
I was able to finally get the VPN server working with remote clients along with the PIA VPN out as long as I configured the tunneling network to be the same as my local network. I had thought based on several tutorials that it was a separate network range and there was a gateway that allowed the OpenVPN clients to communicate to the other local network. But I never could get that to work. Thus, I changed the tunneling network from its own network to the already established local one.
I also setup the interface, but am having an odd problem with it. Everything works, but the OpenVPN gateway appears to not be working and is offline. I have no idea why or where to correct this problem. Here are some more screen shots. Can anyone give me some direction as to where the issue is?
Thanks.
 -
I was able to finally get the VPN server working with remote clients along with the PIA VPN out as long as I configured the tunneling network to be the same as my local network.
Have you modified your outbound NAT rules as I've suggested above?
The point is that you need an outbound NAT rule for PIA interface with source network = vpn access server tunnel network
Since you had already a (senseless) rule for source = 10.0.0.0/24, which is your tunnel, it should work if you just change the interface to PIA.I also setup the interface, but am having an odd problem with it. Everything works, but the OpenVPN gateway appears to not be working and is offline. I have no idea why or where to correct this problem. Here are some more screen shots. Can anyone give me some direction as to where the issue is?
The gateway status is determined by pings (dpinger daemon). So if the vpn server doesn't response to ping the gateway is shown as offline. So if the tunnel is up and traffic flows over it, it's fine.
To get the right status you may set an alternativ monitoring IP (which is only reachable over the vpn) in the gateway settings. -
I followed the notes on the PIA website for pfsense setup with screen shots which includes setting the outbound NAT rules AND options. You have to look carefully at all options like TLG which pfsense checks by default but must be unchecked for PIA!
Everything works except browsing to www.bbc.co.uk. Your browser comes back as www.bbc.com or nothing at all with a DNS address of 1.2.3.4. I've now proved its what they are up to when you now access their site from openVPN, but there's no issue using their PC client app. Those cleverer than me will say it's to do with their client app negotiating and receiving fresh (different) tunnel ports for each session. ??
I need to learn how to allow a website URL to bypass openVPN to get BBC iplayer to work in UK for my home network - suggestions welcome!
Here's the PIA link for pfsense setup which also checks that PIA VPN is working:
https://www.privateinternetaccess.com/pages/client-support/pfsense
-
Ok, I have bene working with this for the last week and I think I have made some additional progress. But I am still baffled by some things. Below are some screen shots of my configuration. here is the situation.
I now have an interface setup for PIA OpenVPN. I also have the OpenVPN network setup and rules that seem to connect the gateways. So everything works. My local network systems AND my remote systems that connect to the OpenVPN server ALL seem to be going through the outgoing OpenVPN PIA client. They all show an IP address through ipchicken.com as a PIA IP address. However, the gateway for the interface still says it is offline and I do not understand why. None of the youtube tutorials I have watched about this say "Offline", in fact they all say "online" and I am following their instructions to the letter.
Additionally, I have several devices I do not want to go to the PIA service (AppleTV for Netflix, etc). As of this current configuration, Netflix works fine, which by all accounts I have heard it should not. If I setup a rule to make that AppleTV device (by its static network IP address) to go to the WAN instead of the PIA interface, the AppleTV no longer work on Netflix or anything else online.
I really am trying to understand how pfSense works and what I am doing wrong, but I'm just not fluent enough in it yet. Any help and guidance anyone can guide me is greatly appreciated. Thanks
(please note - the rules that are darkened are NOT active. They are rules the system created when I set various things up, but they were copied and disabled with the copy being the one I modified.)
 -
Thanks, I'm still struggling but learned a few things. All the setup instructions you find for PIA on pfsense configure openVPN and the NAT rules to ensure everything goes through the tunnel. I think the logic is if you are using a VPN you need to know it's always working. That explains why changing LAN firewall rules doesn't make any difference - all traffic is still forced to openVPN. Another thing I've discovered is access to some media streaming sites is blocked using PIA servers in an openVPN configuration, but not blocked when using the openVPN based PIA local PC client app. Wireshark shows more network info in packets sent using openVPN, whereas the PIA client app is very anonymous/transparent.
Even if I get that sorted, it still doesn't seem possible to route traffic selectively to a URL using resolved DNS, although you can assign a fixed IP to a device e.g smart TV and route that traffic past a VPN if you know the destination IP. That doesn't solve my problem wanting all networked devices including wireless to bypass openVPN for specific URL's, without needing a long list of IP addresses.
-
That doesn't solve my problem wanting all networked devices including wireless to bypass openVPN for specific URL's, without needing a long list of IP addresses.
If you want to bypass the traffic to specific URLs you won't get around to add all these URLs to a list. pfSense can't look in the crystal ball to determine what you want.
However, pfSense can load host lists from a webserver. -
Thanks, I'm still struggling but learned a few things. All the setup instructions you find for PIA on pfsense configure openVPN and the NAT rules to ensure everything goes through the tunnel. I think the logic is if you are using a VPN you need to know it's always working. That explains why changing LAN firewall rules doesn't make any difference - all traffic is still forced to openVPN. Another thing I've discovered is access to some media streaming sites is blocked using PIA servers in an openVPN configuration, but not blocked when using the openVPN based PIA local PC client app. Wireshark shows more network info in packets sent using openVPN, whereas the PIA client app is very anonymous/transparent.
Even if I get that sorted, it still doesn't seem possible to route traffic selectively to a URL using resolved DNS, although you can assign a fixed IP to a device e.g smart TV and route that traffic past a VPN if you know the destination IP. That doesn't solve my problem wanting all networked devices including wireless to bypass openVPN for specific URL's, without needing a long list of IP addresses.
You can in the firewall rules for LAN. Notice there is a source and destination area that have a * in it. I can't remember which one needs to be changed but you can make a firewall rule with priority over others that modifies how traffic flows to particular websites so that with those websites, you don't use a VPN.
-
Kb8wfh,
A couple of things that helped me(and continue to help me) are:- making sure to look in your firewall logs to see what is being blocked
- attached are my rules I have on my wifi interface, they are fairly hardened, I sense you are trying to do the same. It might not work for you…FYI - your LAN rules basically allow everything, rule 1 isn't doing anything that rule 2 would do. Try to understand my rules vs just copying them.
- when writing a rule, go into "Advanced settings" and you can pick a "gateway" i.e. Either WAN or PIA. I use this vs changing my default gateway
- get to know "easy rules" that can be turned on in your firewall log, it will add what was being blocked, you can modify these easy rules but it helped me understand the flow of data. Make sure to possibly change the order of the rule in your interface if necessary.
- make an alias for your Apple tv and WAN only devices (notice in my rules I have SEVLAN as a source, these are aliases I set up after setting up fixed dhcp leases), make rules allowing access using the alias as the "source", in advanced setting for those rules use the WAN.
Dig into your log(NAT or Firewall), I suspect you'll see what's going on....
(As mentioned by someone else, your dashboard is showing your PIA as offline, dig into your gateway settings for PIA and look for the field for "monitoring IP", use googles 8.8.8.8 as the monitoring IP...I had that issue as well and was fixed with adding a google monitoring ip)
