Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4



  • How to configure PIA on pfSense 2.4

    Link to tutorial on PIA forums: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1

    (In the coming days I will format this to make it looks nice and neat)

    1.) Download one of these three certificates (listed below) to your computer.

    Least Secure:    https://www.privateinternetaccess.com/openvpn/ca.crt    <—— Use Port: 1194

    Secure:  https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt  <—— Use Port: 1198

    Most Secure:  https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt    <—— Use Port: 1197

    2.) Open the .crt file with a text editor and copy from –---BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

    3.) Log in to your pfSense router and navigate to System > Cert. Manager > CAs and click +Add

    4.) Name your cert according to the name of the cert your downloaded. (Example: Descriptive name PIA-4096)

    5.) Paste the certificate text into the box at Certificate data and click Save.

    6.) Navigate to VPN > OpenVPN > Clients and click +Add


    Choose a PIA server you want to use: https://www.privateinternetaccess.com/pages/network


    7.) Input the server address you chose from the link above at Server host or address.

    8.) Enter the Port number based on the Certificate you selected:

    ca.crt = 1194

    ca.rsa.2048.crt = 1198

    ca.rsa.4096.crt = 1197

    9.) Description: choose a description that reflects the server region you chose.

    10.) User Authentication Settings: Enter your PIA Username and Password

    11.) TLS Configuration: Uncheck Use TLS Key

    12.) Peer Certificate Authority: Select the PIA Certificate you created if it is not already selected.

    13.) Encryption Algorithm: (Note: Setting this to a more secure setting utilizes more CPU processing power.)

    Secure:  AES-128-CBC
              Very Secure:  AES-256-CBC

    14.) Ensure NCP is checked.
          Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
          Add AES-128-CBC and AES-256-CBC  by clicking on them in the left hand list.

    15.) Auth Digest Algorithm:

    Least Secure: SHA1 (160-bit)
              Most Secure: SHA256 (256-bit)

    Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.

    16.) Compression: Omit Preference (Use OpenVPN default)

    17.) Custom Options: Add these parameters:

    persist-key
              persist-tun
              remote-cert-tls server
              reneg-sec 0

    18.) Click Save.

    19.) Navigate to Firewall -> NAT -> Outbound
    Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click Save.

    Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.

    Set Interface to "OpenVPN"

    Repeat the last two steps for all remaining rules shown under Mappings, until every rule has a duplicate for OpenVPN.

    Click Save and Apply settings.

    20.) Use PIA DNS servers to prevent DNS Leak:

    Navigate to System > General Setup and set DNS Servers to PIA's DNS: 209.222.18.222 and 209.222.18.218

    21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:

    Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)

    22.) Navigate to Status -> OpenVPN

    If Status doesn't show as "up", click the circular arrow icon under Actions to restart the service. If it still does not come up, navigate to Diagnostics -> Reboot to restart the device.

    ***** Congratulations! You are all done! Enjoy using Private Internet Access on your pfSense router! *****

    To a safe & secure 2018!

    ~Snickerdoodoo



  • thank you very much!    i will compare shortly to my home setup



  • @Snickerdoodoo:

    How to configure PIA on pfSense 2.4
    15.) Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.

    21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:

    Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)

    FWIW, I have a HP Thin Client with an AMD GX-420CA and it has AES-NI. In my testing, in step #15 choosing nothing vs BSD cryptodev engine results in better throughput and reduced CPU usage. I use AES-256-CBC and SHA256. I have AES-NI only selected in the pfSense System > Advanced > Miscellaneous settings menu.



  • I thought I would add that I was having some problems with my connection disconnecting and not reconnecting.  The VPN client was on a sub-net connected to a wireless router, so my devices would connect and get an IP, but no internet.  Someone (can't remember who) in the forum gave me some changes to the custom options that came from PIA support.

    I am using the following custom options:

    # Change persist-tun/persist-key (Reconnect Error)
    persist-key;
    remote-cert-tls server;
    reneg-sec 0;
    # Added auth-nocache - Reconnect Error
    auth-nocache;
    

    with a 4096 bit CA and  UDP on port 1197.

    I commented the changes to remind me what I did, just in case there were problems.  Since I made these changes, my connection seems to be working just fine.  If the connection does drop, it comes right back up without any problem.  In use I haven't noticed any problems.

    Sorry, but that's all I can remember - if you want more background, search the forum (circa Oct/Nov 2017 IIRC) for my post about the problem and you'll find more details there.

    UPDATE: So far this configuration seems to be working fine.  When I connect to my WiFi, there has always been internet access.  @Flamez, I can't confirm what configurations these changes work for, but I believe that they should be fine with any of the access methods as long as the rest of your configuration is OK.



  • I have added them and so far it working much better.  Thank you.



  • Hi!
    4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)



  • @fastc:

    Hi!
    4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)

    that is correct.  i've followed the above tutorial and it works perfectly

    with the right hardware 256 bit encryption you won't even know you are using a VPN>  and of course a fast reliable service



  • @bcruze:

    with the right hardware 256 bit encryption you won't even know you are using a VPN>  and of course a fast reliable service

    thanks!
    yes true with 128bit aes currently i have 400mb speed on my 400mb connection :-)



  • Does this work on 2.3.5 too?



  • Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.



  • @katinatez:

    Hello, I followed these instructions to the letter. I have VPN up but I have horrible speeds. I have 400/40 internet service but with VPN I barely get between 20-40 Mb download. Is anyone running this setup with pfsense 2.4.3? My motherboard I'm running is Super Micro C2758 which has aes-ni capability.

    which one did you follow?  least secure or most ?

    i am doing most secure on a 1.7Ghz atom processor and get full speeds from a 100Mb download 10Mb upload connection.



  • After I posted, I realized I did not mention this. I am running the
    Secure:  https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt  <—— Use Port: 1198

    I have downgraded down to pfsense 2.4.2, and still get the same speeds. I know the last time I was running decent speeds with vpn was pfsense 2.4.0.
    So if I cant fix speeds I will downgrade and stay on 2.40 for a while.

    Thanks for your reply



  • Hi,

    Do these steps still work? I tried them, and get a client that connects successfully and obtains a PIA IP address, but when I perform check to see my public IP address, it still shows as my ISP ip address, is there additional steps needed to get all my outbound traffice to route through PIA?

    Thanks
    Sunny



  • Since PIA doesn't support IPv6 yet, but my ISP does, is there a setting in the VPN client config or firewall NAT rule set which could blackhole any IPv6 traffic while the tunnel was up?



  • I was able to get PIA running on my SG-3100, however it took a bit of prodding.

    What's not clear in any of the on-line tutorials is that the AES modes and SHA1/SHA256 are dependent on the goal you're striving for.

    I defined 2 OpenVPN client configs for testing; one using the ca.rsa.2048.crt and other using the ca.rsa.4096.crt CA configs.

    What's NOT clear in the docs is that the SHA option is restricted to each CA type.

    The ca.rsa.2048.crt supports AES-[128|196|256]-CBC with SHA1. The ca.rsa.4096.crt supports AES-[128|196|256]-CBC and SHA256 or SHA1.

    If you try to use SHA256 with the ca.rsa.2048.crt the tunnel won't stay up. Since we all know SHA1 is insecure, using the ca.rsa.4096.crt is really the only option with PIA.

    AES-NI is NOT supported by the ARM Cortex-A9 CPU. So you have to use the BSD cryptodev driver mode only. See: https://en.wikipedia.org/wiki/AES_instruction_set#Hardware_acceleration_in_other_architectures

    These restrictions should be clarified in the docs.


Log in to reply