Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
An awesome tutorial, we have the house under PIA. I added some WAN rules to allow DNS servers, pfsense upgrade and time servers through, a second-last rule to allow traffic through the VPN server, and to block all else (I want strict control of what goes through the VPN).
Thanks to this thread I was also able to exclude our lounge room smart TV from the VPN.
I'm running into issues getting port forwarding running over the lounge room TV - or even getting basic ports to show that probably don't need to be forwarded at all. The TV needs 80, 443 and 48705 open. I can't get even 80 or 443 to show as open on the IP address reserved for the TV. It is routing outside the VPN, which is a start. This happens whether I have port forwarding enabled or not.
If I suspend the LAN rule allowing an IP address to run outside the VPN, 80 and 443 are open (seen externally and internally with reflection on).
Any help appreciated. I feel I've missed something obvious throughout this thread.
-
You should probably start your own thread and post more details about what you have done. Nobody can really offer any help with what has been provided.
-
Thanks for responding.
Can do, along with configuration screenshots… should it go in the OpenVPN or Firewalling sub-boards?
-
Probably NAT if it's a port forwarding issue.
-
New here and to pfsense and having some problems getting it setup. Keep on getting error An IPv4 protocol was selected, but the selected interface has no IPv4 address.
-
Does WAN have an IPv4 Address?
(And you can use the User Authentication Settings instead of that username/password file in advanced options.)
-
Thanks for the guide, finally got it set up. I have a 4 port lan card and only set up 1 lan port during setup. Is it possible to configure the other 3 to work with PIA? I've tried configuring but end up losing internet connection on the original lan port.
-
What are you doing with the four LAN ports? Are you creating four different networks?
-
What are you doing with the four LAN ports? Are you creating four different networks?
Port for Roku, TV and computer. Thinking it may be easier to to install access point off the one LAN port, but if the other ports can be used I would prefer that.
-
No. pfSense is not a switch. Get a switch. The switch on the LAN side of a router used as an AP would be fine just disable its DHCP server first.
-
Ok thanks
-
Although all information are here is good enough but it you are willing to Create OpenVPN interface then you need to go with this.
- Click "Interfaces"
- Click "(assign)"
- "Available network ports:" select "ovpnc1(PIA OpenVPN)"
- Click "add selected interface" (icon is a "+" symbol on a small lined sheet of paper)
However for more vpn Configuring you may also explore vpnrnaks -
So pia vpn was working on pfsense then i started getting messages vpn host which is pia midewest is not recognized host. So i rebooted and same.
I setup everything from scratch again and now i can not get onto pia vpn. I've been trying all day today. I need some help.
I think the issue may be with NAT rules. My nat rules do not generate in 2.2.6 client as they did in this tutorial in earlier version.
But i recrated it the same way and still no luck. I can not start vpn service. Any help is very much appriciated. I'm exhusted. lolI had to clone the mac of my physical nic card (wan) in order to get isp wan address. Is that the reason why host name is not recognized ?
Here is the log
Feb 17 14:35:31 openvpn[33355]: client_connect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: learn_address_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_disconnect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_config_dir = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: ccd_exclusive = DISABLED
Feb 17 14:35:31 openvpn[33355]: tmp_dir = '/tmp'
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_local = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_remote_netmask = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_local = ::/0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_remote = ::
Feb 17 14:35:31 openvpn[33355]: enable_c2c = DISABLED
Feb 17 14:35:31 openvpn[33355]: duplicate_cn = DISABLED
Feb 17 14:35:31 openvpn[33355]: cf_max = 0
Feb 17 14:35:31 openvpn[33355]: cf_per = 0
Feb 17 14:35:31 openvpn[33355]: max_clients = 1024
Feb 17 14:35:31 openvpn[33355]: max_routes_per_client = 256
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script_via_file = DISABLED
Feb 17 14:35:31 openvpn[33355]: port_share_host = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: port_share_port = 0
Feb 17 14:35:31 openvpn[33355]: client = ENABLED
Feb 17 14:35:31 openvpn[33355]: pull = ENABLED
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_file = '/etc/openvpn-password.txt'
Feb 17 14:35:31 openvpn[33355]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Feb 17 14:35:31 openvpn[33355]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Feb 17 14:35:31 openvpn[33355]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Feb 17 14:35:31 openvpn[33627]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 17 14:35:31 openvpn[33627]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Feb 17 14:35:31 openvpn[33627]: LZO compression initialized
Feb 17 14:35:31 openvpn[33627]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:3 ]
Feb 17 14:35:31 openvpn[33627]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 17 14:35:47 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:35:47 openvpn[33627]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Feb 17 14:35:47 openvpn[33627]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 17 14:35:47 openvpn[33627]: Local Options hash (VER=V4): '66096c33'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options hash (VER=V4): '691e95c7'
Feb 17 14:36:14 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:36 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:57 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:19 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:56 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:38:48 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:39:40 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:40:31 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:41:22 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:42:13 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:43:05 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known -
Hello guys. So i spend entire day yesterday trying to get this working and PIA must have changed some settings as this is no longer working on 128 AES.
I'm back on router and couldn't get on until i enabled TLS authentication which is disabled in this tutorial. Also obviously username and password and cert needs to be configured.
So just wanted to let everyone know. I'll try this over the weekend again but i spent too much time on getting this up. -
The answer is to set DNS servers using a DHCP static mapping to something external on the VPN-only hosts and to not set them to use pfSense itself as the DNS server. That way, the DNS queries will be just another internet packet, will be marked by the same rule, and will be blocked out WAN by policy automatically.
Trying to get pfSense DNS forwarder or resolver to behave in a specific way according to the specific source host is folly.
Is there a way to accomplish this using an alias and firewall rule? I am using an alias that I drop IPs in to direct them to the VPN GW (everything else goes through the WAN GW). Is it possible to do the same to assign DNS servers?
I basically want to assign the PIA DNS servers to the clients that I have added to the PIA alias. All others would get the google/opendns entries I have in the General Setup. I know I can assign these via static mappings in the DHCP server…just looking for a more efficient way.
John
-
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.
But DHCP static mappings is probably the proper way to get this done.
-
Derelict,
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.
But DHCP static mappings is probably the proper way to get this done.
Could you please explain the NAT process. I understand DHCP would be better but my goal is to have the VPN IP range usable by anyone just by changing their IP client side. It would be nice if I did not have to provide a verbal IP and DNS address for the client to enter.
Thanks for all of your help!
-
Something like this would force all DNS queries from VPN_HOST to PIA_DNS_SERVER instead of whatever is configured as a DNS server.
Note that VPN_HOST and PIA_DNS_SERVER are just placeholders for IP addresses since you can't use aliases in NAT definitions.
You'd have to get creative to use two DNS Servers. Perhaps with both in a pool in the NAT IP or two different definitions.
Firewall > NAT, Port Forward tab
Interface: LAN
Protocol: TCP/UDP
Source Address: VPN_HOST
Source Ports: *
Dest Address: *
Dest Ports: 53
NAT IP: PIA_DNS_SERVER
NAT Ports: 53 -
Derelict,
Thanks! I think this/that is a much better solution than setting it in DHCP Static Mappings. I was able to use the same alias that I use to push the traffic through the VPN in the first place. The only negative is this does limit the VPN to using 1 DNS server whereas using DHCP Static Mappings would allow the use of up to 4.
Just for conversations sake, because I am very happy with the current solution, is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?
My pfSense setup is almost perfect!
Thanks again. -
If you know the two DNS servers you can make two port forward rules matching on Destination address. You could even set the clients to use something arbitrary like 10.11.12.1 and 10.11.12.2 and forward them each to different PIA DNS servers. You could keep the catch-all dest any rule below those to catch any other configured DNS servers and send those requests to one of the PIA DNS Servers.
is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?
Sorry, I don't understand what you're asking.
