Tutorial: Configuring pfSense as VPN client to Private Internet Access



  • I recently wrote a tutorial on configuring pfSense as a VPN Client to Private Internet Access: http://www.bodenzord.com/archives/324
    I thought I’d reproduce it here as a way to say thanks to the developers as well as give back to the pfSense community. My hope is that it’ll help others through the process of setting this up.

    If you find errors or I’m incorrect in any way, please let me know.


    Configuring pfSense as VPN Client to Private Internet Access

    Configuring pfSense as a VPN Client to Private Internet Access (PIA) is relatively easy. However, there are a few things to watch out for, especially after pfSense version 2.1.1. In this tutorial, I’ll show you how.

    There are other tutorials available around the internet, but I feel that some are severely inaccurate or missing a couple key steps. When I was configuring my setup, I could not find a single tutorial that was complete and accurate. As a result, I had to piecemeal everything together to get it to work.

    Additionally, pfSense changed some of the code in version 2.1.1 with regards to Outbound NAT rules to OpenVPN interfaces. Beforehand, things were a bit easier. But starting with version 2.1.1, there are additional configuration settings that need to be set. It’s not that big of a deal. Before it was automatic. Now it’s manually configured.

    Anyway, I am going to break this down into a step-by-step process without any explanation along the way. Then afterwards, I’ll do my best to explain a few details and to highlight what change was made in pfSense 2.1.1.

    This tutorial assumes the following:

    • You have a current subscription to Private Internet Access with a valid username and password.

    • You are using pfSense version 2.1.1 or newer

    • You have pfSense setup and configured as a base installation with a single WAN interface connected to a modem and a single LAN interface with one or more clients.

    • Firewall LAN rules have a default “Allow All”. (I know that this is not best practice, but after following this tutorial, you can then revise your firewall LAN rules accordingly.)

    Also note that I will be referencing Private Internet Access as PIA throughout the tutorial.

    Getting Started

    We need to acquire a few things first. Start by downloading openvpn.zip from Private Internet Access, https://www.privateinternetaccess.com/openvpn/openvpn.zip. This supplies their ca.crt file and .ovpn files, which include the names of their servers. You won’t be using any of the .ovpn files directly, but you can view them in a text editor to get the name of a specific server you want to connect to. Additionally, you’ll need your username and password, which were provided to you by PIA. We’ll be using these later.

    Next, log into your pfSense administration panel. Now let’s go through the following steps in greater detail:

    • Create CA Certificate

    • Create password file to store your PIA username and password

    • Create/configure an OpenVPN Client

    • Create/configure an OpenVPN interface

    • Configure Outbound NAT rules

    • Verify OpenVPN Service

    Create CA Certificate

    • Select menu item: System->Cert Manager

    • Select CAs tab

    • Click Plus symbol to add CA Certificate

    • Configure as follows:

      • Descriptive name = PIAVPN

      • Method = Import an existing Certificate Authority

      • Certificate data = (copy/paste your ca.crt certificate provided by PIA)
        -----BEGIN CERTIFICATE-----
        .
        .
        .
        -----END CERTIFICATE-----

      • Certificate Private Key = (leave blank)

      • Serial for next certificate = (leave blank)

    • Click the Save button

    Create Password File

    • Select menu: Diagnostics->Edit File

    • Enter the following in the Save/Load from path: /etc/openvpn-password.txt

    • Add the following two lines in the text box, substituting your username and password provided to you by PIA:
      username
      password

    • Click the Save button

    Create OpenVPN Client

    • Select menu: VPN->OpenVPN

    • Select Client tab

    • Click Plus symbol to add client

    • Configure as follows:

      • Disabled = unchecked

      • Server Mode = Peer To Peer (SSL/TLS)

      • Protocol = UDP

      • Device Mode = tun

      • Interface = WAN

      • Local Port = (leave blank)

      • Server host or address = us-texas.privateinternetaccess.com (or any server you choose that PIA offers)

      • Server Port = 1194

      • Proxy host or address = (leave blank)

      • Proxy port = (leave blank)

      • Proxy authentication extra options = none

      • Server host name resolution = checked, Infinitely resolve server

      • Description = PIA OpenVPN (or whatever you desire)

      • TLS Authentication = unchecked, Enable authentication of TLS packets

      • Peer Certificate Authority = PIAVPN

      • Client Certificate = *webConfigurator default In use

      • Encryption algorithm = BF-CBC (128-bit)

      • Hardware Crypto = No Hardware Crypto Acceleration

      • IPv4 Tunnel Network = (leave blank)

      • IPv6 Tunnel Network = (leave blank)

      • IPv4 Remote Network/s = (leave blank)

      • IPv6 Remote Network/s = (leave blank)

      • Limit outgoing bandwidth = (leave blank)

      • Compression = checked, Compress tunnel packets using the LZO algorithm

      • Type-of-Service = unchecked

      • Advanced = (enter the following into the text field, one item per line with a semi-colon separating each)
        auth-user-pass /etc/openvpn-password.txt;
        verb 5;
        remote-cert-tls server

    • Click the Save button

    Create OpenVPN interface

    • Select menu: Interfaces->(assign)

    • Click the Plus button to add new interface. The new interface will be named OPT1 with a network port of ovpnc1().

    • Click on OPT1 to edit the interface

    • Configure as follows:

      • Enabled = checked

      • Description = PIAVPN

      • IPv4 Configuration Type = none

      • IPv6 Configuration Type = none

      • MAC address = (leave blank)

      • MTU = (leave blank)

      • MSS = (leave blank)

      • Block private networks = unchecked

      • Block bogon networks = unchecked

    • Click the Save button

    • On new page, click Apply Changes

    Configure NAT Rules

    • Select menu: Firewall->NAT

    • Select Outbound tab

    • Check the radio button: Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)

    • Click the Save button

    • At this point, automatic rules that were in use in Automatic outbound NAT will be generated. It will look like the following, with the exception that the Source IP subnet will match your LAN IP subnet.

    • The next step is to duplicate each of these rules, but change the NAT Address from WAN to PIAVPN. Start with the first rule by clicking the Plus sign immediately to the right of the line “to add a new NAT based on this one.” A new page will open. Configure as follows:

      • Do not NAT = unchecked

      • Interface = PIAVPN

      • Protocol = (do not change)

      • Source = (do not change)

      • Destination = (do not change)

      • Translation = (do not change)

      • No XMLRPC Sync = (do not change)

      • Description = Auto created rule for ISAKMP - LAN to PIAVPN

    • Click the Save button

    • Repeat this process for the other two rules. When completed, it should resemble the following:

    • Finally, click the Apply Changes button

    Verify OpenVPN Service

    At this point, your system is configured. The only thing you may need to do is restart your OpenVPN Service.

    • Select menu: Status->OpenVPN

    • Status should be UP (but it may be DOWN)

    • My recommendation is to click on the Restart OpenVPN Service button no matter what the status is. It’s the middle button to the right of the service.

    Verify OpenVPN Logs:

    • Select menu: Status->System Logs

    • Click on OpenVPN tab

    • Look for confirmation in your logs:

      openvpn[65701]: Initialization Sequence Completed
      

    A few other observations to make:

    • Select menu: Status->Dashboard

      • Your PIAVPN interface should be listed under Interfaces and have an IP address. I have found that after initial configuration, you may need to restart the OpenVPN service.
    • With a client on the LAN, use a browser and go to ifconfig.me

      • The IP address stated should be the public IP of PIA’s server, not your WAN IP

    Explanation

    Now that we have the VPN up and running, allow me to explain a few things.

    verb 5;

    When I setup the OpenVPN client, you will have noticed that I added an advanced directive: verb 5. This advanced setting is simply used to increase the verbosity of the OpenVPN log files. This is a personal preference and you can adjust accordingly. However, as I continue to explain a few things, I’ll reference the log files. Without this advanced directive, your log files will differ and you may not see the same logs that I reference.

    remote-cert-tls;

    Another advanced directive I configured was: remote-cert-tls. This advanced setting is used to prevent Man-In-The-Middle attacks, and the server needs to be configured properly for this to work, which Private Internet Access servers are.

    Quoting from OpenVPN manual:

    --remote-cert-tls client|server
    Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
    This is a useful security option for clients, to ensure that the host they connect to is a designated server.

    Also from OpenVPN manual:

    This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --tls-remote, or --tls-verify.

    Thus, ‘remote-cert-tls server’ means that the certificate has “TLS Web Server Auth” as an extended property.

    So when configuring your OpenVPN client with this directive, take a look at your logs. You will see the following lines that validate and verify the certificate. Without this advanced setting, these lines will not be in your logs and this validation is not performed:

    
    openvpn[65701]: Validating certificate key usage
    openvpn[65701]: ++ Certificate has key usage 00a0, expects 00a0
    openvpn[65701]: VERIFY KU OK
    openvpn[65701]: Validating certificate extended key usage
    openvpn[65701]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    openvpn[65701]: VERIFY EKU OK
    openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
    
    

    Routing

    In some tutorials I found, I was instructed to configure my Firewall LAN rules with an advanced setting to specifically choose my Gateway. I found that this wasn’t necessary by default with a base installation of pfSense. It’s only necessary with more advanced firewall configurations. The following image is how the default firewall rules are for the LAN.

    Take note of the middle rule for IPv4 protocol. This is the default “Allow All” rule that says that any Source IP with any Port is allowed to go to any Destination IP to any Port on any Gateway. With this rule, the decision of which Gateway (interface) to use, WAN or PIAVPN, is made via the system routing table. Now we can override this so that we force LAN traffic to use a specific gateway. As an example, do the following:

    • Click on the Edit button for this default “Allow All” rule. (The button with lower-case ‘e’ to the right of the rule.)

    • Scroll all the way to the bottom to the Advanced Features section.

    • Click the Advanced button next to Gateway.

    • Change the dropdown box to PIAVPN_VPN4

    • Click the Save button

    • You’ll return to Firewall->Rules->LAN tab. Click the Apply Changes button.

    Now that this has changed, you’ll see that your OpenVPN Gateway has been specified for this rule, and this means that all LAN traffic bypasses the system routing table and always goes out your OpenVPN interface to the Private Internet Access server.

    Now I want to point out that we haven’t made the VPN function any differently. All we’ve done is force LAN traffic out the VPN interface instead of having the system routing table make that same decision for us. Why would we want to do this? Well, by creating specific rules for your firewall, you can then force certain clients out the VPN or out the WAN or whatever you want to do. This is just one more tool to allow you to control the firewall exactly how you want.

    Manual Outbound NAT

    If you were setting up your own peer-to-peer VPN and you had control of both the VPN Server and VPN Client, then you wouldn’t need to NAT the client-side LAN subnet to the VPN tunnel IP as we’re doing in this tutorial. Instead, you would use routing and NAT on the server to achieve your goal of reaching the internet through the VPN Server. Obviously, we have no control of PIA’s servers. Additionally, PIA doesn’t know the specific subnet we’re using on our LAN so that they can configure their servers to route and NAT our traffic out their public IP. Instead, they route and NAT the VPN tunnel IP, because that’s what they have control over. This is why we have to create an OpenVPN interface, which the VPN tunnel IP attaches to, and NAT our LAN traffic to it. In the end, this is a double-NAT situation, once from LAN-to-VPN-tunnel-IP on the VPN Client, and again from VPN-tunnel-IP-to-public-IP on the VPN Server.

    As you’ll recall, we configured our Outbound NAT rules manually. These rules are what NATs our LAN subnet to the VPN tunnel IP. But why do we have to manually configure these rules? Why aren’t they automatically created?

    With versions of pfSense prior to 2.1.1, it wasn’t necessary to manually configure the NAT rules as we’ve done. However, the configuration change from Automatic Outbound NAT to Manual Outbound NAT was still required. It’s just that prior to 2.1.1, the necessary rules you needed to get your LAN subnet NAT’ed to your VPN tunnel IP were automatically created for you when you made this change to Manual Outbound NAT - as odd as that may sound.

    So you may be wondering, “Why are NAT rules automatically created in Manual mode but not in Automatic mode? Isn’t this a break in logic?” I thought the same, so I posted my questions to the pfSense forum in the hopes of discovering why: https://forum.pfsense.org/index.php?topic=73727.0. The funny thing is, I got my answers, but the end result was a change in code starting with version 2.1.1 which requires manual configuration for Outbound NAT to OpenVPN interfaces.

    To put it simply, prior to version 2.1.1, Automatic Outbound NAT rules skipped OpenVPN interfaces, yet these interfaces were still considered when automatically creating the first set of manual rules. Starting with version 2.1.1, the code has since been changed so that OpenVPN interfaces are also skipped when automatically creating the first set of manual rules. Here is the bug submission at Redmine if you want further clarification: https://redmine.pfsense.org/issues/3528
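
    An added example, mine rather than part of the tutorial above, that turns the "Verify OpenVPN Logs" step and the remote-cert-tls explanation into a check you can run over a saved client log: it scans for the key-usage and EKU validation lines, decodes the 00a0 mask into its RFC 5280 bit names (using the KU_* bit values OpenSSL defines, which is what OpenVPN prints), confirms the EKU was "TLS Web Server Authentication", and reports whether the tunnel reached "Initialization Sequence Completed". The two log samples are constructed from the excerpts quoted in the post (pid and subject copied from there); the second one deliberately omits the validation lines to show what a client running without remote-cert-tls looks like, and includes the RESOLVE failure a later reply in this thread reports.

```python
"""Audit an OpenVPN client log for the remote-cert-tls validation lines
and for tunnel start-up.  Constructed example; the sample logs below are
built from the excerpts quoted in the tutorial, not captured live."""
import re

# Key-usage bit values as OpenSSL defines them (KU_* in x509v3.h).  OpenVPN
# logs the raw mask, so "00a0" is digitalSignature | keyEncipherment.
KU_BITS = {
    0x0080: "digitalSignature",
    0x0040: "nonRepudiation",
    0x0020: "keyEncipherment",
    0x0010: "dataEncipherment",
    0x0008: "keyAgreement",
    0x0004: "keyCertSign",
    0x0002: "cRLSign",
    0x0001: "encipherOnly",
    0x8000: "decipherOnly",
}

# The EKU that remote-cert-tls server insists on; anything else is not a server.
SERVER_EKU = "TLS Web Server Authentication"

_KU_RE = re.compile(r"Certificate has key usage\s+([0-9a-fA-F]{4}), expects\s+([0-9a-fA-F]{4})")
_EKU_RE = re.compile(r"Certificate has EKU \(str\) (.+?), expects (.+)$")
_SUBJECT_RE = re.compile(r"VERIFY OK: depth=0, (.+)$")
_ERROR_RE = re.compile(r"RESOLVE: Cannot resolve host address|TLS Error|VERIFY ERROR")


def decode_key_usage(mask_hex):
    """Expand OpenVPN's hex key-usage mask into RFC 5280 bit names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(KU_BITS.items(), reverse=True) if mask & bit]


def audit_openvpn_log(log_text):
    """Report which certificate checks ran and whether the tunnel came up."""
    report = {
        "ku_ok": False, "key_usage": [],
        "eku_ok": False, "server_eku": None,
        "server_subject": None, "init_completed": False, "errors": [],
    }
    for line in log_text.splitlines():
        if m := _KU_RE.search(line):
            report["key_usage"] = decode_key_usage(m.group(1))
        elif "VERIFY KU OK" in line:
            report["ku_ok"] = True
        elif m := _EKU_RE.search(line):
            report["server_eku"] = m.group(1).strip()
        elif "VERIFY EKU OK" in line:
            report["eku_ok"] = True
        elif m := _SUBJECT_RE.search(line):
            report["server_subject"] = m.group(1).strip()
        elif "Initialization Sequence Completed" in line:
            report["init_completed"] = True
        elif _ERROR_RE.search(line):
            report["errors"].append(line.strip())
    # remote-cert-tls server is only proven when both the KU and the EKU
    # checks passed and the EKU was the server-auth one.  A log that reaches
    # "Initialization Sequence Completed" without them means the client
    # accepted any certificate the CA had signed, client or server.
    report["remote_cert_tls_active"] = (
        report["ku_ok"] and report["eku_ok"] and report["server_eku"] == SERVER_EKU
    )
    return report


# Constructed from the lines quoted in the tutorial (remote-cert-tls server set).
VERIFIED_LOG = """\
openvpn[65701]: Validating certificate key usage
openvpn[65701]: ++ Certificate has key usage 00a0, expects 00a0
openvpn[65701]: VERIFY KU OK
openvpn[65701]: Validating certificate extended key usage
openvpn[65701]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
openvpn[65701]: VERIFY EKU OK
openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
openvpn[65701]: Initialization Sequence Completed
"""

# Constructed: the same session with no remote-cert-tls directive, followed
# by the resolver failure a later reply in the thread quotes.
UNCHECKED_LOG = """\
openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
openvpn[65701]: Initialization Sequence Completed
openvpn[65701]: RESOLVE: Cannot resolve host address: us-texas.privateinternetaccess.com: hostname nor servname provided, or not known
"""

if __name__ == "__main__":
    for name, log in (("verified", VERIFIED_LOG), ("unchecked", UNCHECKED_LOG)):
        print(name, audit_openvpn_log(log))
```

    On a pfSense box the input would be the OpenVPN tab of Status->System Logs (or /var/log/openvpn.log) rather than the embedded strings; the point of the report is that "Initialization Sequence Completed" alone proves the tunnel is up, not that the peer was checked to be a server.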



  • I appreciate your taking the time to cobble together such a thoroughly written tutorial on setting up PIA on pfSense.  I struggled with this and found much like yourself that I had to use bits and pieces of several tutorials before I could get the VPN up and running.

    This should probably be a sticky to make it easy to find.

    Thank you again.



  • Much appreciated, thank you for taking the time to do this.
    What do you use / recommend using as a DNS server?
    Specifically, can I use PIA’s DNS servers?  Reason to ask is when I do, after some time (a day or two) the system stops internet communication with DNS failure.



  • That’s a good in depth tutorial, thanks for all your efforts  🙂

    One (very) minor nit, I would suggest that you remove the “verb 5” entry once you have verified that the connection is up and running properly.  I use that entry myself when I’m trying to diagnose OpenVPN issues (sometimes I’ll even use verb 7 for more info).  In the long run I find the log files just get filled with too much excess using ‘verb 5’ for a stable connection.

    It’s useful for seeing the initial configuration of your setup, but is a bit excessive in normal operation.

    Just my $0.02, thanks for all your work ;D



  • @Altis:

    What do you use / recommend using as a DNS server?
    Specifically, can I use PIA’s DNS servers?

    The easiest way that I’ve found is to go to System->General Setup, and enter the DNS servers that you want to use. It can be Google’s or PIA’s or any other. But then uncheck: “Allow DNS server list to be overridden by DHCP/PPP on WAN”. After saving, a DNS Leak test at www.dnsleaktest.com or ipleak.net, will show the DNS servers you specified.



  • @divsys:

    One (very) minor nit, I would suggest that you remove the “verb 5” entry once you have verified that the connection is up and running properly.  I use that entry myself when I’m trying to diagnose OpenVPN issues (sometimes I’ll even use verb 7 for more info).  In the long run I find the log files just get filled with too much excess using ‘verb 5’ for a stable connection.

    Thanks for the tip. Much appreciated.



  • Hello.  I appreciate the tutorial in getting things running with PIA, and I’ve been able to get all outbound on my network through PIA just fine however that is not what I want.

    The thing is, it seems that the tunnel takes over all outbound over the WAN as soon as it is started.  That is, when starting the tunnel, if using the automatic NAT rules - I cannot get out to the WAN at all.  Once creating the manual rules, you can get out to the WAN but everything is going out to the WAN.  I really just wanted to keep the tunnel up but have the LAN continue to go directly to the WAN until I specifically change something to selectively go through the tunnel (such as, only for a specific LAN IP).

    What am I missing here in terms of setting things up so at the very least I have this situation as a starting point:

    1. Have the tunnel interface UP
    2. It is not actually used, everything continues to work as it did prior to bringing tunnel up.

    Basically, I thought bringing the tunnel up would just be like adding another NIC to the system with no link or further configuration.  Clearly I was wrong - I need to disable the tunnel for now as it is just not workable for us to have everything always going through it.

    Thanks!

    Edit:  Well, I’ve figured out I need the route-nopull client option to keep the vpn server from mangling up my default routes.  I just need to figure out the rest now in terms of getting specific IPs traffic all through the tunnel … do I use route options in openvpn or outbound nat or…?  Fun stuff…

    Edit Again:  Okay, had to assign an interface to the tunnel.  The tunnel refused to work with route-nopull… so that had to stay.  Then I created manual firewall lan rule for specific host to use the VPN gateway and modified the existing LAN to WAN rule placed underneath to use the WAN gateway.  Then I needed to create a new rule for the VPN interface just to allow traffic through it.  Finally, I added outbound NAT for the host above the auto created rule for the VPN interface.

    It all seems rather messy to me, I may very well be doing more than I really need to but it seems to be working.  All hosts on the LAN are using the normal WAN except for a specific one that I want always routing through the VPN.

    This is much better than the old situation of that host having to open its own tunnel which was prone to going down during network interruptions, and the other host has a much lower power CPU than my pfSense router so distributing the load of OpenVPN to the router in this case frees up a lot of cycles on that host.



  • @ binaryjay

    I think you may be overcomplicating things here. If you follow the tutorial, when finished the tunnel should be routing all traffic due to the firewall rule that was created in the tutorial, you would just need to disable or edit it to only push the traffic you need. It’s pretty easy to set up for one host. Just create a new/edit the existing rule with the source being the machine ip that you want to go through the tunnel, and under advanced the VPN interface you have created, usually OPT1. You can do the same using specific destination ports or destination ip ranges if you want to get fancy and only push certain traffic through the tunnel. i.e. for geoblocked services etc.

    @ Everyone else

    Anyone else have the tunnel go down rather frequently using this service? I am connecting to the US-East server and I find my connection reset rather frequently at times. FWIW my WAN connection very rarely goes down so it’s not that. All I see in the logs is the following when it disconnects:

    Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
    Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)
    

    Just wondering if this is normal for PIA? Seems to be happening multiple times daily. I don’t recall having this issue when I had PIA openvpn setup on one of my linux boxes but maybe I just wasn’t watching it as closely. 🙂

    Thanks,

    Kevin



  • @binaryjay:

    the tunnel takes over all outbound over the WAN as soon as it is started.

    This tutorial is written so that all LAN traffic is routed through the VPN using the system routing table. So this is to be expected.

    If you followed this tutorial exactly, then there are two ways that I know of to accomplish what you want.

    1. This first option is more involved, because it requires editing every firewall rule. This is not really ideal, but I’m outlining it here as an option so that you’re aware.
    • Go to Advanced settings under every firewall rule and assign the WAN interface as your Gateway.

    • Then create a specific rule for your single computer on the LAN, with the PIAVPN gateway selected.

    • Move this new rule to the top of the list.

    • With this setup, all traffic bypasses the system routing table, and the traffic is routed via each rule through a specific gateway.

    2. The second option is much easier.
    • Add route-nopull to the Advanced Configuration settings of the VPN

    • Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the PIAVPN Gateway.

    • Move this new rule to the top of the list.

    To explain how option 2 works, this is from the OpenVPN manual:

    
    --route-nopull
    When used with --client or --pull, accept options pushed by server EXCEPT for routes.
    
    When used on the client, this option effectively bars the server from adding routes to the client's routing table,
    however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. 
    

    So, this tells the client not to pull the default route from the server, yet it pulls all other necessary TCP/IP settings. And if you look at your system routing table (Diagnostics->Routes) before and after changing this setting, you’ll see the pulled route present and then not present respectively. It’ll be the first line in the table:

    
    0.0.0.0/8 	xxx.xxx.xxx.xxx 	UGS 	0 	0 	1500 	ovpnc1 	=>
    

    Therefore, after adding this Advanced Configuration setting, all traffic continues to use the System Routing Table. And with this pulled route removed from the table, the traffic will be routed out the WAN interface instead of the PIAVPN interface based on the remaining rules in the table.

    However, the new firewall rule you created for your specific LAN computer will be routed out the VPN interface, because you chose it as the Gateway under Advanced settings within the rule. This specific rule then bypasses the System Routing Table.
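
    As an added example that is not part of the thread, here is the decision described in the reply above (and in the tutorial's "Routing" and "Manual Outbound NAT" sections) modelled in Python: a firewall rule with an explicit Gateway wins, otherwise the longest-prefix match in the system routing table decides, and the outbound NAT rule for the chosen interface decides whether the LAN source is translated at all. Assumptions, none of them from the page: the routes the server pushes are modelled as OpenVPN's redirect-gateway def1 pair (0.0.0.0/1 and 128.0.0.0/1, which out-rank the /0 default without removing it), the tunnel and WAN addresses are made up, gateways are named by interface, and the rule and table shapes are simplifications of what pfSense really evaluates.

```python
"""Model of pfSense's egress and outbound-NAT decision for a LAN packet
once the PIA tunnel is up.  Constructed example; addresses are made up
and the tables are simplifications of what pfSense really evaluates."""
import ipaddress

net = ipaddress.ip_network

WAN, TUN, LAN_IF = "wan", "ovpnc1", "lan"   # ovpnc1 is the assigned PIAVPN port
WAN_IP = "203.0.113.7"       # assumed ISP-facing address (documentation range)
TUNNEL_IP = "10.99.0.2"      # assumed address PIA hands the client on ovpnc1
LAN = "192.168.1.0/24"

# Before the client connects: the directly connected LAN and the WAN default.
BASE_TABLE = [(net(LAN), LAN_IF), (net("0.0.0.0/0"), WAN)]
# What a server pushes with redirect-gateway def1 (assumed here for PIA):
# two /1 routes that beat the /0 default on prefix length without deleting it.
PUSHED_ROUTES = [(net("0.0.0.0/1"), TUN), (net("128.0.0.0/1"), TUN)]

# Outbound NAT: automatic mode only covers WAN; the manual rule from the
# tutorial adds LAN -> tunnel IP on the PIAVPN interface.
AUTO_NAT = [(WAN, LAN, WAN_IP)]
MANUAL_NAT = AUTO_NAT + [(TUN, LAN, TUNNEL_IP)]


def routing_table(route_nopull=False):
    """System table after connecting; route-nopull keeps pushed routes out."""
    return BASE_TABLE if route_nopull else BASE_TABLE + PUSHED_ROUTES


def lookup(table, dst):
    """Longest-prefix match, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    candidates = [(n.prefixlen, ifc) for n, ifc in table if dst in n]
    return max(candidates, key=lambda c: c[0])[1]


def egress(src, dst, table, policy_rules=()):
    """Top-down firewall rules: the first one matching the source decides.
    A rule with an explicit Gateway forces that interface and bypasses the
    table; a rule left at the default gateway (None) falls through to it."""
    src = ipaddress.ip_address(src)
    for source_net, gateway in policy_rules:
        if src in net(source_net):
            return gateway or lookup(table, dst)
    return lookup(table, dst)


def outbound_nat(ifc, src, nat_rules):
    """Translated source for the chosen interface, or None when no rule
    covers it: the packet then leaves with its private LAN source and
    nothing on the far side can answer it."""
    src = ipaddress.ip_address(src)
    for rule_ifc, source_net, translated in nat_rules:
        if rule_ifc == ifc and src in net(source_net):
            return translated
    return None


def simulate(src, dst, route_nopull=False, policy_rules=(), nat_rules=MANUAL_NAT):
    """(egress interface, source address on the wire) for one LAN packet."""
    ifc = egress(src, dst, routing_table(route_nopull), policy_rules)
    return ifc, outbound_nat(ifc, src, nat_rules)


if __name__ == "__main__":
    pin_one = [("192.168.1.50/32", TUN)]      # option 2: route-nopull + one rule
    bypass_one = [("192.168.1.50/32", WAN)]   # inverse: one host pinned to WAN
    print("tutorial as written     ", simulate("192.168.1.10", "8.8.8.8"))
    print("automatic NAT only      ", simulate("192.168.1.10", "8.8.8.8", nat_rules=AUTO_NAT))
    print("route-nopull, no rule   ", simulate("192.168.1.10", "8.8.8.8", route_nopull=True))
    print("route-nopull, pinned .50", simulate("192.168.1.50", "8.8.8.8", True, pin_one))
    print("tunnel, .50 bypasses    ", simulate("192.168.1.50", "8.8.8.8", policy_rules=bypass_one))
```

    Running it reproduces the cases argued over in this thread: the tutorial as written sends everything out ovpnc1 with the LAN source rewritten to the tunnel IP; with only the automatic NAT rules the same packet leaves the tunnel untranslated, which is why nothing worked before the manual rule; with route-nopull everything stays on WAN except the host whose rule names the PIAVPN gateway; and the inverse (one host kept on WAN while the rest use the tunnel) is a single rule with the WAN gateway placed above the allow-all rule.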



  • @ouldsmobile:

    If you follow the tutorial, when finished the tunnel should only be routing traffic that you specify using the firewall->lan rules.

    This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.

    @ouldsmobile:

    Anyone else have the tunnel go down rather frequently using this service?

    All I see in the logs is the following when it disconnects:

    Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
    Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)
    

    Just wondering if this is normal for PIA?

    I don’t experience this at all. I’ve used several of PIA’s servers, but not specifically the US-East server.



  • @mpboden:

    This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.

    Woops, sorry I followed a couple tutorials when I set mine up, just came across yours after setting mine up, must have gotten them confused. I will edit my post.

    @mpboden:

    I don’t experience this at all. I’ve used several of PIA’s servers, but not specifically the US-East server.

    Hmm, strange. Wonder why mine seems to disconnect somewhat frequently. I am using same settings as yourself, just a different server. Out of curiosity what DNS servers are you using? What version of pfSense?

    I have setup a box at work with linux, I will see if it has disconnection issues. I thought it seemed strange to disconnect frequently. My internet service is pretty rock solid, very rarely see any outages thankfully. Maybe I will try a different server for a bit and see if it makes any difference.

    Kevin



  • @ouldsmobile:

    Woops, sorry I followed a couple tutorials when I set mine up

    No problem. Just wanted to make sure that there’s no confusion

    @ouldsmobile:

    Out of curiosity what DNS servers are you using?

    I’m using Google’s DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

    @ouldsmobile:

    What version of pfSense?

    2.1.3-RELEASE



  • @mpboden:

    @ouldsmobile:

    Woops, sorry I followed a couple tutorials when I set mine up

    No problem. Just wanted to make sure that there’s no confusion

    @ouldsmobile:

    Out of curiosity what DNS servers are you using?

    I’m using Google’s DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

    @ouldsmobile:

    What version of pfSense?

    2.1.3-RELEASE

    Yup, same here all around. I will go through all my settings, make sure I didn’t miss anything. I may try PIA’s DNS servers. Maybe that will be better. Worst case I can put the OpenVPN client back on my linux box which was more reliable it seems, although this was kind of the purpose of building the pfSense box, lol. 🙂 Go figure.



  • Thanks for the tutorial!

    I had made a similar setup but I was missing the advanced setting.

    I have a problem that occurs every few days; the VPN service will be up but the IP address will be missing from the VPN display on the dashboard page.  The VPN log will have 500+ entries that say…

    
    openvpn[72509]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    
    

    I can get it working again by restarting the service.  I think it’s some type of DNS problem, but I don’t have way to debug it.

    Any suggestion on what I should try?

    If I could restart the VPN service every hour that would partial fix it.

    {edit}
    OK I found the problem, in my DNS server I had set the gateway to the VPN interface.  I guess every few days the IP address changes and when that happens it needs to use DNS to find the new IP address.  Anyway I added an extra DNS on the WAN interface, and today it was able to get the new IP address.  I checked https://www.dnsleaktest.com/ and http://ipleak.net/ and it is not showing my IP address.  On a side note when I use 208.67.222.222 and 208.67.220.220 I get better RTT, in my case ~60ms



  • this is by far the best tutorial I’ve found for pfSense and PIA, others have you do redundant steps that are not needed.

    Thanks a lot, great information



  • This is a great tutorial no doubt, and thank you very much for it!

    I only have one issue I’m trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

    So far I have everything setup and working with the tutorial. I have found similar posts by using google but nothing I have found has worked. The closest post I’ve found related to my problem is https://forum.pfsense.org/index.php?topic=58630.0 and I’ve tried to follow jimp’s suggestion by creating this lan rule:

    But still have no luck getting that single ip to bypass the vpn.

    Any suggestions and feedback is greatly appreciated.



  • I also wanted to compliment you on this fine (excellent) tutorial  ;D

    It even turned out that I appear to have done something wrong myself months ago (certificate part), and for some strange reason, it did work all these months.



  • @sparks305:

    This is a great tutorial no doubt, and thank you very much for it!

    I only have one issue I’m trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

    But still have no luck getting that single ip to bypass the vpn.

    Any suggestions and feedback is greatly appreciated.

    I also have the same problem. I think JimP responded to me about this problem in my thread some months ago, but I didn’t understand and then it bled to death  :-[



  • I as well want to route certain traffic around the VPN but my rules aren’t working… It looks just like the above pictures.



  • @xman111:

    I as well want to route certain traffic around the VPN but my rules aren’t working… It looks just like the above pictures.

    +1

    It is working for me now, but had not been working for nearly 48 hours.  What got it working, I have no idea since I haven’t done a thing to pfSense settings since I initially created a thread on the issue.



  • So I had a chance to test a few things, specifically what made it work and what didn’t.  Here’s some screenshots of my interface rules.  I’ve kept some of them in there, just disabled, in case for whatever reason things go south again.

    The big takeaway was to specify the gateway that each rule should use for what gets tunneled through VPN, as well as what host ip/alias you want to use the non-VPN tunnel gateway from your ISP.

    Hope this helps some others…



  • Hello,

    Sorry for bumping this old thread up but it was a great tutorial. Followed every steps and in 15 minutes, all my devices are going through the VPN.

    FYI, I have pfSense set up as a VM on ESXi.

    However, I have 2 issues:

    1. Even though internet works and a “what is my ip” shows I’m behind my VPN, the gateway shows offline in the dashboard. I have rebooted pfSense, stopped/started the openvpn service but it will always go to offline after being online for 15 seconds. Again: i still have internet access but if I open a shell on pfSense and try to ping the PIAVPN gateway, I get no response hence the offline status…what’s the issue here?

    [EDIT] I “fixed” it by disabling monitoring on the gateway.

    2. I’m having trouble wrapping my head around accessing a service on a device behind the VPN. Put simply, I have a synology that I access with DS audio on my phone to listen to my tunes. Everything works fine when the VPN is not running, however when it is, I can’t connect to my synology.

    I can see the packet arriving in the logs but it seems no response is ever sent out back even though I’m forcing the Synology to use the WAN gateway and not the VPN for outbound traffic.

    Any clues?  ???



  • Ok, allow me to answer my own question. Simply adding route-noexec to the openvpn client configuration (the part where you specify verb 5 etc.) fixed it. Only traffic that I specifically tell to use the vpn goes through the VPN, I am however perfectly able to access my audiostation, didn’t even have to change anything in the port forwarding menu.



  • Love the tutorial and am almost there.  I get stuck when I need to create the default firewall rule to route everything through the VPN.

    I don’t see the PIAVPN_VPN4 gateway. I tried to create it, though I didn’t see that in the tutorial, but that didn’t work either.  I also notice that on the main page the PIAVPN interface never shows an IP address, but if I look under Status->OpenVPN it says it is connected and I see traffic in/out and ip addresses.

    Any ideas what I missed?  I’m running version 2.1.5-RELEASE

    thanks,
    david

    EDIT:
    I found my problem.  Item #2 under “Create OpenVPN interface”, it says ovpnc1() will be selected, but in my case it selected an unused ethernet over firewire port.  When I finally noticed this and changed it to ovpnc(1) it worked!



  • Awesome tutorial! Thank you for taking the time to write it up 🙂



  • Firstly, thank you for the amazing step-by-step tutorial.  I literally had it completed in 10 minutes.

    A few questions.

    First, I have been playing with different servers provided by PIA, from Texas to California to Canada.  Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up.  I know the VPN will slow things down a bit, but I was not expecting this level of speed loss.  Is this normal?  My pfsense box is a dual core Atom (with hyperthreading) and thus far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to my configuring the VPN).  Just curious if I should just keep testing servers to find one with better speed?

    On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none.  I am presently downloading a file – WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface.  Is this an indication that the VPN is being bypassed?

    Using various ip lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server).  So why is there no traffic being generated on the PIA VPN interface?  As far as I can tell it is working.

    Thanks again for the great tutorial.

    ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen.  Rebooting pfsense worked (I tried everything else I could think of) – wonder how long it will be up and if this will happen again?  I am using OpenDNS servers.



  • About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.



    It’s kind of early to say anything for sure–this is the longest I’ve gone this week without being disconnected (30 minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)…

    But anyway…

    Under OpenVPN ‘advanced configuration’ (in pfsense), I added the following:

    keepalive 5 30;

    So now my ‘advanced configuration’ looks like this:

    auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

    Note: I added this today:

    route-nopull;

    Not sure if it’s doing anything (probably not) but left it there, since my connection is stable for the time being.

    What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked.  So in turn ‘keepalive 5 30;’ does something to mitigate that…



  • A lot of pages are loading slowly (to be expected I suppose).  Other pages are denying me access with messages that my IP has been flagged for spam.  Some sites, like Amazon and Home Depot, load slowly, but then most functions don’t work (searching, shopping carts, etc).

    All since I enabled the PIA vpn……



  • Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants to force only one - two - or a certain amount of LAN IPs to the VPN tunnel and all the others stay outside of that VPN…

    That would be exactly what I needed!!


  • Netgate

    @peehoo:

    Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants to force only one - two - or a certain amount of LAN IPs to the VPN tunnel and all the others stay outside of that VPN…

    That would be exactly what I needed!!

    That’s easy.  It’s the opposite of this:

    I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

    Like this:




  • @peehoo:

    Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants to force only one - two - or a certain amount of LAN IPs to the VPN tunnel and all the others stay outside of that VPN…

    That would be exactly what I needed!!

    Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

    Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.



  • Thanks so much for this tutorial.  Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

    My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

    I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which goes through the PIAVPN.

    Is that possible?


  • Netgate

    Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won’t match if the port is outside the set so the firewall will move on to the next rule.
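    The two answers above (alias-as-source rule ahead of a catch-all LAN rule, and a port-restricted rule in front of the bypass rule) both come down to pf evaluating the LAN rules top to bottom and taking the first match. The script below is an added example, not part of this thread or of pfSense: it parses rule lines in the shape `pfctl -sr` prints on a pfSense box and reports which rule, and therefore which gateway, a given source IP and destination port would hit. The interface names, gateway addresses, alias contents and sample rule text are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sr` output for LAN policy-routing
# rules. igb0/igb1/ovpnc1, the gateway addresses and the alias contents are
# assumptions, not values captured from a real firewall.
SAMPLE_RULES = """\
pass in quick on igb1 route-to (ovpnc1 10.36.10.5) inet proto tcp from 10.0.1.10 to any port 45000:45100 flags S/SA keep state label "USER_RULE: ports to PIA"
pass in quick on igb1 route-to (igb0 203.0.113.1) inet from <bypass_hosts> to any flags S/SA keep state label "USER_RULE: bypass VPN"
pass in quick on igb1 route-to (ovpnc1 10.36.10.5) inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to PIA"
"""
# Constructed alias table; on a real box compare `pfctl -t bypass_hosts -T show`.
ALIASES = {"bypass_hosts": ["10.0.1.10"]}

RULE_RE = re.compile(
    r"^pass in quick on (?P<iface>\S+)"
    r"(?: route-to \((?P<gw>[^)]+)\))?"
    r" inet(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?P<port>(?:= )?\S+))?"
    r'.*label "(?P<label>[^"]*)"'
)

def _src_matches(src_field, ip):
    """Source field may be a host, a CIDR, or a <table> alias."""
    if src_field.startswith("<"):
        nets = ALIASES.get(src_field.strip("<>"), [])
    else:
        nets = [src_field]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def _port_matches(port_field, dport):
    """pf renders a single port as '= N' and a range as 'LO:HI'."""
    if port_field is None:
        return True
    if port_field.startswith("= "):
        return dport == int(port_field[2:])
    lo, hi = (int(p) for p in port_field.split(":"))
    return lo <= dport <= hi

def first_match(rules_text, src_ip, dport, proto="tcp"):
    """Return (label, gateway) of the first matching 'quick' rule, top to bottom.
    gateway is None when the rule carries no route-to (default routing applies)."""
    ip = ipaddress.ip_address(src_ip)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or (m["proto"] and m["proto"] != proto):
            continue
        if _src_matches(m["src"], ip) and _port_matches(m["port"], dport):
            return m["label"], m["gw"]
    return None, None
```

    Swapping the first two sample rules shows why order matters: the bypass rule then catches 10.0.1.10 on every port and the port range never reaches the VPN.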



  • Good tutorial, Thanks. However I am having a problem at an early stage.

    When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a “No Certificates Defined” and can’t create the client. Trying to create a certificate under the certificate manager>certificates doesn’t work because I don’t have the private key that is needed.

    What am I missing?

    ![certificate authority manager.JPG](/public/imported_attachments/1/certificate authority manager.JPG)
    ![No Certificates Defined.JPG](/public/imported_attachments/1/No Certificates Defined.JPG)


  • Netgate

    It looks like PIA doesn’t verify client certificates at all so any certificate will do.  The walkthrough just uses the default webconfigurator certificate out of pfSense.

    You don’t have any certs at all listed in System->Cert manager->Certificates  ??



  • No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?


  • Netgate

    Yes.  When you installed, a cert for the webConfigurator was created.  Looks like you deleted it.

    I have no idea how to tell pfSense to recreate that cert.  Anyone?

    If it’s non-trivial you’ll need to create an internal CA then create an internal cert using that.



  • Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow a CA and Certificate all in one (exposing my lack of knowledge of this stuff!).



  • Thanks for the replies. It’s odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I’m pretty careful with such things due to lack of understanding and not wanting to break things. I haven’t had to deal with certificates before and I don’t remember ever working with the cert manager before.

    Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won’t get back to the VPN installation until later.

    One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or changes anything in the process?

    Thanks very much for your help. I’ll get back when I hit the next snag  🙂


© Copyright 2002 - 2018 Rubicon Communications, LLC