Tutorial: Configuring pfSense as VPN client to Private Internet Access



  • @Altis:

    What do you use / recommend using as a DNS server?
    Specifically, can I use PIA's DNS servers?

    The easiest way that I've found is to go to System->General Setup, and enter the DNS servers that you want to use. It can be Google's or PIA's or any other. But then uncheck: "Allow DNS server list to be overridden by DHCP/PPP on WAN". After saving, a DNS Leak test at www.dnsleaktest.com or ipleak.net, will show the DNS servers you specified.



  • @divsys:

    One (very) minor nit, I would suggest that you remove the "verb 5" entry once you have verified that the connection is up and running properly.  I use that entry myself when I'm trying to diagnose OpenVPN issues (sometimes I'll even use verb 7 for more info).  In the long run I find the log files just get filled with too much excess using 'verb 5' for a stable connection.

    Thanks for the tip. Much appreciated.



  • Hello.  I appreciate the tutorial in getting things running with PIA, and I've been able to get all outbound on my network through PIA just fine however that is not what I want.

    The thing is, it seems that the tunnel takes over all outbound over the WAN as soon as it is started.  That is, when starting the tunnel, if using the automatic NAT rules - I cannot get out to the WAN at all.  Once creating the manual rules, you can get out to the WAN but everything is going out to the WAN.  I really just wanted to keep the tunnel up but have the LAN continue to go directly to the WAN until I specifically change something to selectively go through the tunnel (such as, only for a specific LAN IP).

    What am I missing here in terms of setting things up so at the very least I have this situation as a starting point:

    1. Have the tunnel interface UP
    2. It is not actually used, everything continues to work as it did prior to bringing tunnel up.

    Basically, I thought bringing the tunnel up would just be like adding another NIC to the system with no link or further configuration.  Clearly I was wrong - I need to disable the tunnel for now as it is just not workable for us to have everything always going through it.

    Thanks!

    Edit:  Well, I've figured out I need the route-nopull client option to keep the vpn server from mangling up my default routes.  I just need to figure out the rest now in terms of getting specific IPs traffic all through the tunnel … do I use route options in openvpn or outbound nat or...?  Fun stuff...

    Edit Again:  Okay, had to assign an interface to the tunnel.  The tunnel refused to work with route-nopull... so that had to stay.  Then I created manual firewall lan rule for specific host to use the VPN gateway and modified the existing LAN to WAN rule placed underneath to use the WAN gateway.  Then I needed to create a new rule for the VPN interface just to allow traffic through it.  Finally, I added outbound NAT for the host above the auto created rule for the VPN interface.

    It all seems rather messy to me, I may very well be doing more than I really need to but it seems to be working.  All hosts on the LAN are using the normal WAN except for a specific one that I want always routing through the VPN.

    This is much better than the old situation of that host having to open its own tunnel, which was prone to going down during network interruptions, and the other host has a much lower power CPU than my pfSense router, so distributing the load of OpenVPN to the router in this case frees up a lot of cycles on that host.



  • @binaryjay:

    I think you may be overcomplicating things here. If you follow the tutorial, when finished the tunnel should be routing all traffic due to the firewall rule that was created in the tutorial; you would just need to disable or edit it to only push the traffic you need. It's pretty easy to set up for one host. Just create a new rule (or edit the existing one) with the source being the IP of the machine that you want to go through the tunnel, and under Advanced select the VPN interface you have created, usually OPT1. You can do the same using specific destination ports or destination IP ranges if you want to get fancy and only push certain traffic through the tunnel, i.e. for geoblocked services etc.

    @Everyone else:

    Anyone else have the tunnel go down rather frequently using this service? I am connecting to the US-East server and I find my connection reset rather frequently at times? FWIW my WAN connection very rarely goes down so it's not that. All I see in the logs is the following when it disconnects:

    Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
    Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)
    

    Just wondering if this is normal for PIA? Seems to be happening multiple times daily. I don't recall having this issue when I had PIA openvpn setup on one of my linux boxes but maybe I just wasn't watching it as closely. :-)

    Thanks,

    Kevin



  • @binaryjay:

    the tunnel takes over all outbound over the WAN as soon as it is started.

    This tutorial is written so that all LAN traffic is routed through the VPN using the system routing table. So this is to be expected.

    If you followed this tutorial exactly, then there are two ways that I know of to accomplish what you want.

    1. This first option is more involved, because it requires editing every firewall rule. This is not really ideal, but I'm outlining it here as an option so that you're aware.
    • Go to Advanced settings under every firewall rule and assign the WAN interface as your Gateway.

    • Then create a specific rule for your single computer on the LAN, with the PIAVPN gateway selected.

    • Move this new rule to the top of the list.

    • With this setup, all traffic bypasses the system routing table, and the traffic is routed via each rule through a specific gateway.

    2. The second option is much easier.
    • Add route-nopull to the Advanced Configuration settings of the VPN

    • Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the PIAVPN Gateway.

    • Move this new rule to the top of the list.

    To explain how option 2 works, this is from the OpenVPN manual:

    
    --route-nopull
    When used with --client or --pull, accept options pushed by server EXCEPT for routes.
    
    When used on the client, this option effectively bars the server from adding routes to the client's routing table,
    however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. 
    

    So, this tells the client not to pull the default route from the server, yet it pulls all other necessary TCP/IP settings. And if you look at your system routing table (Diagnostics->Routes) before and after changing this setting, you'll see the pulled route present and then not present respectively. It'll be the first line in the table:

    
    0.0.0.0/8 	xxx.xxx.xxx.xxx 	UGS 	0 	0 	1500 	ovpnc1 	=>
    

    Therefore, after adding this Advanced Configuration setting, all traffic continues to use the System Routing Table. And with this pulled route removed from the table, the traffic will be routed out the WAN interface instead of the PIAVPN interface based on the remaining rules in the table.

    However, the new firewall rule you created for your specific LAN computer will be routed out the VPN interface, because you chose it as the Gateway under Advanced settings within the rule. This specific rule then bypasses the System Routing Table.
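    A quick way to verify that route-nopull took effect is to check Diagnostics->Routes (or netstat -rn) for a wide route leaving via the ovpnc interface. The script below is an added example, not part of this thread or of pfSense; the two routing tables are constructed samples, with the first mirroring the line quoted above (gateway made up).

```python
"""Flag routes pulled from the OpenVPN server in a FreeBSD/pfSense routing
table dump (Destination Gateway Flags Refs Use Mtu Netif [Expire]).
Added example with constructed sample data; not from the thread."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed "before route-nopull" table: the first line mirrors the
# thread's quoted 0.0.0.0/8 route via ovpnc1, gateway invented.
SAMPLE_BEFORE = """\
0.0.0.0/8      10.8.0.1        UGS  0  0  1500  ovpnc1  =>
default        203.0.113.1     UGS  0  0  1500  em0
10.8.0.0/24    10.8.0.2        UGS  0  0  1500  ovpnc1
127.0.0.1      link#5          UH   0  0 16384  lo0
192.168.1.0/24 link#2          U    0  0  1500  em1
"""

# Constructed "after route-nopull" table: only the tunnel's own subnet
# remains on ovpnc1, so the system default route goes out the WAN (em0).
SAMPLE_AFTER = """\
default        203.0.113.1     UGS  0  0  1500  em0
10.8.0.0/24    10.8.0.2        UGS  0  0  1500  ovpnc1
127.0.0.1      link#5          UH   0  0 16384  lo0
192.168.1.0/24 link#2          U    0  0  1500  em1
"""


@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str


def parse_routes(table: str) -> list:
    """Parse netstat -rn style rows; header and short rows are skipped."""
    routes = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "Destination":
            continue
        routes.append(Route(cols[0], cols[1], cols[2], cols[6]))
    return routes


def prefix_len(dest: str):
    """Prefix length of a destination column; 'default' counts as /0,
    a bare host address as /32, anything unparsable as None."""
    if dest == "default":
        return 0
    try:
        return ipaddress.ip_network(dest, strict=False).prefixlen
    except ValueError:
        return None


def pulled_catchall_routes(table: str, max_prefix: int = 8) -> list:
    """Routes that exit via an ovpnc* tun interface and cover a block at
    least as wide as /max_prefix. The /8 threshold matches the route the
    thread quotes; redirect-gateway style /1 routes are caught as well."""
    found = []
    for r in parse_routes(table):
        if not re.fullmatch(r"ovpnc\d+", r.netif):
            continue
        plen = prefix_len(r.dest)
        if plen is not None and plen <= max_prefix:
            found.append(r)
    return found


def vpn_is_default_path(table: str) -> bool:
    """True when the VPN currently captures general (non-tunnel) traffic."""
    return bool(pulled_catchall_routes(table))


if __name__ == "__main__":
    for name, tbl in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = [r.dest for r in pulled_catchall_routes(tbl)]
        print(f"{name}: VPN is default path = {vpn_is_default_path(tbl)} {hits}")
```

On a live box, feed it the output of netstat -rn -f inet instead of the constructed tables.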



  • @ouldsmobile:

    If you follow the tutorial, when finished the tunnel should only be routing traffic that you specify using the Firewall->LAN rules.

    This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.

    @ouldsmobile:

    Anyone else have the tunnel go down rather frequently using this service?

    All I see in the logs is the following when it disconnects:

    Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
    Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)
    

    Just wondering if this is normal for PIA?

    I don't experience this at all. I've used several of PIA's server, but not specifically the US-East server.



  • @mpboden:

    This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.

    Woops, sorry I followed a couple tutorials when I set mine up, just came across yours after setting mine up, must have gotten them confused. I will edit my post.

    @mpboden:

    I don't experience this at all. I've used several of PIA's server, but not specifically the US-East server.

    Hmm, strange. Wonder why mine seems to disconnect somewhat frequently. I am using same settings as yourself, just a different server. Out of curiosity what DNS servers are you using? What version of pfSense?

    I have setup a box at work with linux, I will see if it has disconnection issues. I thought it seemed strange to disconnect frequently. My internet service is pretty rock solid, very rarely see any outages thankfully. Maybe I will try a different server for a bit and see if it makes any difference.

    Kevin



  • @ouldsmobile:

    Woops, sorry I followed a couple tutorials when I set mine up

    No problem. Just wanted to make sure that there's no confusion

    @ouldsmobile:

    Out of curiosity what DNS servers are you using?

    I'm using Google's DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

    @ouldsmobile:

    What version of pfSense?

    2.1.3-RELEASE



  • @mpboden:

    @ouldsmobile:

    Woops, sorry I followed a couple tutorials when I set mine up

    No problem. Just wanted to make sure that there's no confusion

    @ouldsmobile:

    Out of curiosity what DNS servers are you using?

    I'm using Google's DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

    @ouldsmobile:

    What version of pfSense?

    2.1.3-RELEASE

    Yup, same here all around. I will go through all my settings, make sure I didn't miss anything. I may try PIA's DNS servers. Maybe that will be better. Worst case I can put the OpenVPN client back on my linux box which was more reliable it seems, although this was kind of the purpose of building the pfSense box, lol. :-) Go figure.



  • Thanks for the tutorial!

    I had made a similar setup but I was missing the advanced setting.

    I have a problem that occurs every few days; the VPN service will be up but the IP address will be missing from the VPN display on the dashboard page.  The VPN log will have 500+ entries that say…

    
    Iopenvpn[72509]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    
    

    I can get it working again by restarting the service.  I think it's some type of DNS problem, but I don't have way to debug it.

    Any suggestion on what I should try?

    If I could restart the VPN service every hour that would partial fix it.

    {edit}
    OK, I found the problem: in my DNS server I had set the gateway to the VPN interface.  I guess every few days the IP address changes, and when that happens it needs to use DNS to find the new IP address.  Anyway, I added an extra DNS on the WAN interface, and today it was able to get the new IP address.  I checked https://www.dnsleaktest.com/ and http://ipleak.net/ and it's not showing my IP address.  On a side note, when I use 208.67.222.222 and 208.67.220.220 I get better RTT, in my case ~60ms.



  • This is by far the best tutorial I've found for pfSense and PIA; others have you do redundant steps that are not needed.

    Thanks a lot, great information



  • This is a great tutorial no doubt, and thank you very much for it!

    I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

    So far I have everything set up and working with the tutorial. I have found similar posts by using Google but nothing I have found has worked. The closest post I've found related to my problem is https://forum.pfsense.org/index.php?topic=58630.0 and I've tried to follow jimp's suggestion by creating this LAN rule:

    But still have no luck getting that single ip to bypass the vpn.

    Any suggestions and feedback is greatly appreciated.



  • I also wanted to compliment you on this fine (excellent) tutorial  ;D

    It even turned out that I appear to have done something wrong myself months ago (certificate part), and for some strange reason, it did work all these months.



  • @sparks305:

    This is a great tutorial no doubt, and thank you very much for it!

    I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

    But still have no luck getting that single ip to bypass the vpn.

    Any suggestions and feedback is greatly appreciated.

    I also have the same problem. I think JimP responded to me about this problem in my thread some months ago, but I didn't understand and then it bled to death  :-[



  • I as well want to route certain traffic around the VPN but my rules aren't working. It looks just like the above pictures.



  • @xman111:

    I as well want to route certain traffic around the VPN but my rules aren't working.. It looks just like the above pictures.

    +1

    It is working for me now, but had not been working for nearly 48 hours.  What got it working, I have no idea since I haven't done a thing to pfSense settings since I initially created a thread on the issue.



  • So I had a chance to test a few things, specifically what made it work and what didn't.  Here's some screenshots of my interface rules.  I've kept some of them in there, just disabled, in case for whatever reason things go south again.

    The big takeaway was to specify the gateway that each rule should use for what gets tunneled through VPN, as well as what host ip/alias you want to use the non-VPN tunnel gateway from your ISP.

    Hope this helps some others…



  • Hello,

    Sorry for bumping this old thread up but it was a great tutorial. Followed every steps and in 15 minutes, all my devices are going through the VPN.

    FYI, I have pFsense set up as a VM on ESXi.

    However, I have 2 issues:

    1. Even though internet works and a "what is my IP" shows I'm behind my VPN, the gateway shows offline in the dashboard. I have rebooted pfSense and stopped/started the OpenVPN service, but it will always go to offline after being online for 15 seconds. Again: I still have internet access, but if I open a shell on pfSense and try to ping the PIAVPN gateway, I get no response, hence the offline status…what's the issue here?

    [EDIT] I "fixed" it by disabling monitoring on the gateway.

    2. I'm having trouble wrapping my head around accessing a service on a device behind the VPN. Put simply, I have a Synology that I access with DS audio on my phone to listen to my tunes. Everything works fine when the VPN is not running; however, when it is, I can't connect to my Synology.

    I can see the packet arriving in the logs but it seems no response is ever sent out back even though I'm forcing the Synology to use the WAN gateway and not the VPN for outbound traffic.

    Any clues?  ???



  • Ok, allow me to answer my own question. Simply adding route-noexec to the openvpn client configuration (the part where you specify verb 5 etc.) fixed it. Only traffic that I specifically tell to use the vpn goes through the VPN, I am however perfectly able to access my audiostation, didn't even have to change anything in the port forwarding menu.



  • Love the tutorial and am almost there.  I get stuck when I need to create the default firewall rule to route everything through the VPN.

    I don't see the PIAVPN_VPN4 gateway. I tried to create it, though I didn't see that in the tutorial, but that didn't work either.  I also notice that on the main page the PIAVPN interface never shows an IP address, but if I look under Status->OpenVPN it says it is connected and I see traffic in/out and ip addresses.

    Any ideas what I missed?  I'm running version 2.1.5-RELEASE

    thanks,
    david

    EDIT:
    I found my problem.  Item #2 under "Create OpenVPN interface", It says ovpnc1() will be selected, but in my case it selected an unused ethernet over firewire port.  When I finally noticed this and changed it to ovpnc(1) it worked!



  • Awesome tutorial! Thank you for taking the time to write it up :)



  • Firstly, thank you for the amazing step-by-step tutorial.  I literally had it completed in 10 minutes.

    A few questions.

    First, I have been playing with different servers provided by PIA, from Texas to California to Canada.  Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up.  I know the VPN will slow things down a bit, but I was not expecting this level of speed loss.  Is this normal?  My pfSense box is a dual core Atom (with hyperthreading) and thus far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to my configuring the VPN).  Just curious if I should just keep testing servers to find one with better speed?

    On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none.  I am presently downloading a file – WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface.  Is this an indication that the VPN is being bypassed?

    Using various IP lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server).  So why is there no traffic being generated on the PIA VPN interface?  As far as I can tell it is working.

    Thanks again for the great tutorial.

    ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen.  Rebooting pfsense worked (I tried everything else I could think of) -- wonder how long it will be up and if this will happen again?  I am using OpenDNS servers.



  • About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.



  • It's kind of early to say anything for sure; this is the longest I've gone this week without being disconnected (30 minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...

    But anyway...

    Under OpenVPN 'advanced configuration' (in pfsense), I added the following:

    keepalive 5 30;

    So now my 'advanced configuration' looks like this:

    auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

    Note: I added this today:

    route-nopull;

    Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.

    What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked.  So in turn 'keepalive 5 30;' does something to mitigate that...



  • A lot of pages are loading slowly (to be expected I suppose).  Other pages are denying me access with messages that my IP has been flagged for spam.  Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).

    All since I enabled the PIA vpn…..



  • Awesome tutorial… Is it in any way possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel while all the others stay outside of that VPN...

    That would be exactly what I needed!!


  • Netgate

    @peehoo:

    Awesome tutorial… Is it in any way possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel while all the others stay outside of that VPN...

    That would be exactly what I needed!!

    That's easy.  It's the opposite of this:

    I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

    Like this:




  • @peehoo:

    Awesome tutorial… Is it in any way possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel while all the others stay outside of that VPN...

    That would be exactly what I needed!!

    Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

    Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.



  • Thanks so much for this tutorial.  Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

    My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

    I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which goes through the PIAVPN.

    Is that possible?


  • Netgate

    Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won't match if the port is outside the set so the firewall will move on to the next rule.



  • Good tutorial, Thanks. However I am having a problem at an early stage.

    When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a "No Certificates Defined" and can't create the client. Trying to create a certificate under the certificate manager>certificates doesn't work because I don't have the private key that is needed.

    What am I missing.

    ![certificate authority manager.JPG](/public/imported_attachments/1/certificate authority manager.JPG)
    ![No Certificates Defined.JPG](/public/imported_attachments/1/No Certificates Defined.JPG)


  • Netgate

    It looks like PIA doesn't verify client certificates at all so any certificate will do.  The walkthrough just uses the default webconfigurator certificate out of pfSense.

    You don't have any certs at all listed in System->Cert manager->Certificates  ??



  • No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?


  • Netgate

    Yes.  When you installed, a cert for the webConfigurator was created.  Looks like you deleted it.

    I have no idea how to tell pfSense to recreate that cert.  Anyone?

    If it's non-trivial you'll need to create an internal CA then create an internal cert using that.



  • Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow a CA and Certificate all in one (exposing my lack of knowledge of this stuff!).



  • Thanks for the replies. It's odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I'm pretty careful with such things due to lack of understanding and not wanting to break things. I haven't had to deal with certificates before and I don't remember ever working with the cert manager before.

    Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won't get back to the VPN installation until later.

    One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or change anything in the process?

    Thanks very much for your help. I'll get back when I hit the next snag  :)


  • Netgate

    Shouldn't.  Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.

    @phil.davis yeah, I don't see a way in the interface to create a cert like that.  There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.



  • @Derelict:

    @peehoo:

    Awesome tutorial… Is it in any way possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel while all the others stay outside of that VPN...

    That would be exactly what I needed!!

    That's easy.  It's the opposite of this:

    I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

    Like this:

    Hi!

    I think I managed this  ::)

    Basically I needed only one internal IP address to go to the PIAVPN, so I created two firewall rules.

    One which says that 192.168.1.60 goes to PIAVPN, and one which is the reverse of that -> all the other LAN addresses go to the WAN interface. Does this kind of configuration make any sense?

    Now my pc is showing me my ISP address and XBMC is showing PIA address.

    Ok, I changed that single host to the aliases list because it might be possible every now and then and some other pc:s to use PIAVPN also.

    One thing came to my mind… When it comes to security and hiding my network traffic, is there any kind of problem with using the same PIA server every day? When using the PC client manually, I've changed it to different countries every now and then... OK, it is manually possible with pfSense too, but is there any benefit to changing it, and if yes -> could it be possible to automatically use several PIA servers on different days?

    And at the end couple of stupid questions:

    • At this point it seems that PIAVPN is working (THX for a great tutorial)
    • Dashboard is showing in interfaces PIAVPN address BUT
    • for a reason I do not know, OpenVPN status shows that the PIA client instance status is down??

    Should I be worried?

    Screencaps below:

    Dec 11 13:06:42	openvpn[68212]: Exiting due to fatal error
    Dec 11 13:06:42	openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
    Dec 11 13:06:42	openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Dec 11 13:06:42	openvpn[68212]: ROUTE_GATEWAY xx.x.x.1
    

    Could this be a reason why I still have a DNS leak? How (and where) do I manually configure PIA DNS servers?

    Also one minor thing… How can I configure a traffic limiter, especially an upload limiter, for those PIAVPN hosts? I tried to do this with these instructions, http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/, but did not succeed.
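    The log excerpts quoted in this thread (ouldsmobile's "MANAGEMENT: Client disconnected" / "event_wait" pair, the "RESOLVE: Cannot resolve host address" storm that turned out to be DNS forced through the tunnel, and the "Device busy" / "fatal error" lines just above) are worth separating before blaming the PIA server. The triage script below is an added example, not part of the thread or of pfSense; the sample log is constructed from the quoted lines with invented ordering.

```python
"""Classify pfSense OpenVPN client log lines by the failure signatures
quoted in this thread and summarise them per category.
Added example; the sample log is constructed, not a real capture."""
import re
from collections import Counter, defaultdict

# Both layouts that appear in the thread:
#   "Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected"
#   "Dec 11 13:06:42<TAB>openvpn[68212]: Exiting due to fatal error"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?:\S+\s+)?"
    r"openvpn\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# Substring -> category, checked in order. Only signatures seen in the thread.
SIGNATURES = [
    ("RESOLVE: Cannot resolve host address", "dns_failure"),
    ("Cannot open TUN/TAP dev", "tun_busy"),
    ("Exiting due to fatal error", "fatal_exit"),
    ("event_wait : Interrupted system call", "restart_signal"),
    ("MANAGEMENT: Client disconnected", "mgmt_poll"),
]

# Defender-side reading of each category, as stated in the thread or from
# the message text itself; "mgmt_poll" is the GUI status poll, not a drop.
HINTS = {
    "dns_failure": "PIA hostname could not be resolved; make sure DNS is "
                   "reachable via WAN while the tunnel is down",
    "tun_busy": "tun device already held by another openvpn instance; a "
                "stale instance is still running",
    "fatal_exit": "process exited; expect a restart to follow",
    "restart_signal": "main loop interrupted by a signal (restart/stop)",
    "mgmt_poll": "status page detached from the management socket; benign",
}

# Constructed sample: the thread's quoted lines with made-up ordering.
SAMPLE_LOG = """\
Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)
Jun 15 20:31:38 pfsense openvpn[41114]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Jun 15 20:31:43 pfsense openvpn[41114]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Dec 11 13:06:42\topenvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 11 13:06:42\topenvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Dec 11 13:06:42\topenvpn[68212]: Exiting due to fatal error
"""


def parse_line(line: str):
    """Return (timestamp, pid, message) or None for non-openvpn lines."""
    m = LINE_RE.match(line.rstrip())
    return (m["ts"], int(m["pid"]), m["msg"]) if m else None


def classify(msg: str) -> str:
    for needle, category in SIGNATURES:
        if needle in msg:
            return category
    return "other"


def triage(log_text: str) -> dict:
    """Count lines per category and record which pids raised each one."""
    counts, pids = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, pid, msg = parsed
        cat = classify(msg)
        counts[cat] += 1
        pids[cat].add(pid)
    findings = {c: HINTS[c] for c in counts if c in HINTS and c != "mgmt_poll"}
    return {"counts": dict(counts),
            "pids": {c: sorted(p) for c, p in pids.items()},
            "findings": findings}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
```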



  • I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.

    Again, thank you!!



  • Hi,
    I've just registered here but have been lurking for quite a while.

    Thanks for the guide it was much easier than a lot of other guides out there and it's appreciated greatly.

    I have a question about DNSleak protection. With this default configuration when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I got to get this far!!

    Anyhow if anyone has a tutorial for this it would be great.

    Thanks
    Steve

