Tutorial: Configuring pfSense as VPN client to Private Internet Access

neonflx

this is by far the best tutorial I've found for PFsense and PIA, others have you do redundant steps that are no needed.

Thanks a lot, great information

sparks305

This is a great tutorial no doubt, and thank you very much for it!

I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

So far I have everything setup and working with the tutorial. I have found similiar posts by using google but nothing I have found has worked. The closest post I've found related to my problem is https://forum.pfsense.org/index.php?topic=58630.0 and I've tried to follow jimp's suggestion by creating this lan rule:

But still have no luck getting that single ip to bypass the vpn.

Any suggestions and feedback is greatly appreciated.

Mr. Jingles

I also wanted to compliment you on this fine (excellent) tutorial  ;D

It even turned out that I appear to have done something wrong myself months ago (certificate part), and for some strange reason, it did work all these months.

Mr. Jingles

@sparks305:

This is a great tutorial no doubt, and thank you very much for it!

I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

But still have no luck getting that single ip to bypass the vpn.

Any suggestions and feedback is greatly appreciated.

I also have the same problem. I think JimP responded to me about this problem in my thread some months ago, but I didn't understand and then it blead do death  :-[

xman111

I as well want to route certain traffic around the VPN but my rules aren't working.. It looks just like the above pictures.

kars85

@xman111:

I as well want to route certain traffic around the VPN but my rules aren't working.. It looks just like the above pictures.

+1

It is working for me now, but had not been working for nearly 48 hours.  What got it working, I have no idea since I haven't done a thing to pfSense settings since I initially created a thread on the issue.

kars85

So I had a chance to test a few things, specifically what made it work and what didn't.  Here's some screenshots of my interface rules.  I've kept some of them in there, just disabled, in case for whatever reason things go south again.

The big takeaway was to specify the gateway that each rule should use for what gets tunneled through VPN, as well as what host ip/alias you want to use the non-VPN tunnel gateway from your ISP.

Hope this helps some others…

h311m4n

Hello,

Sorry for bumping this old thread up but it was a great tutorial. Followed every steps and in 15 minutes, all my devices are going through the VPN.

FYI, I have pFsense set up as a VM on ESXi.

However, I have 2 issues:

1. Even though internet works and a "what is my ip" shows I'm behind my VPN, the gateway shows offline in the dashboard. I have rebooted pfsense, stopped/started the openvpn service but it will always go to offline after being online for 15 seconds. Again: i still have internet access but if I open a shell on pFsense and try to ping the PIAVPN gateway, I get no response hence the offline status…what's the issue here?

[EDIT] I "fixed" it by disabling monitoring on the gateway.

2. I'm having trouble wrapping my head around accessing a service on a devices behind the VPN. Put simply, I have a synology that I access with DS audio on my phone to listen to my tunes. Everything works fine when the VPN is not running, however when it is, I can't connect to my synology.

I can see the packet arriving in the logs but it seems no response is ever sent out back even though I'm forcing the Synology to use the WAN gateway and not the VPN for outbound traffic.

Any clues?  ???

h311m4n

Ok, allow me to answer my own question. Simply adding route-noexec to the openvpn client configuration (the part where you specify verb 5 etc.) fixed it. Only traffic that I specifically tell to use the vpn goes through the VPN, I am however perfectly able to access my audiostation, didn't even have to change anything in the port forwarding menu.

lovingHDTV

Love the tutorial and am almost there.  I get stuck when I need to create the default firewall rule to route everything through the VPN.

I don't see the PIAVPN_VPN4 gateway. I tried to create it, though I didn't see that in the tutorial, but that didn't work either.  I also notice that on the main page the PIAVPN interface never shows an IP address, but if I look under Status->OpenVPN it says it is connected and I see traffic in/out and ip addresses.

Any ideas what I missed?  I"m running version 2.1.5-RELEASE

thanks,
david

EDIT:
I found my problem.  Item #2 under "Create OpenVPN interface", It says ovpnc1() will be selected, but in my case it selected an unused ethernet over firewire port.  When I finally noticed this and changed it to ovpnc(1) it worked!

AndyKoopa

Awesome tutorial! Thank you for taking the time to write it up :)

tucansam

Firstly, thank you for the amazing step-by-step tutorial.  I literally had it completed in 10 minutes.

A few questions.

First, I have been playing with different servers provided by PIA, from Texas to California to Canada.  Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up.  I know the VPN will slow things down a bit, but I was not expecting this level of speed loss.  Is this normal?  My pfsense box is a dual core Atom (with hyperthreading) and this far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to be configuring the VPN).  Just curious if I should just keep testing servers to find one with better speed?

On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none.  I am presently downloading a file – WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface.  Is this an indication that the VPN is being bypassed?

Using various ip lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server).  So why is there no traffic bring generated on the PIA VPN interface?  As far as I can tell it is working.

Thanks again for the great tutorial.

ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen.  Rebooting pfsense worked (I tried everything else I could think of) -- wonder how long it will be up and if this will happen again?  I am using OpenDNS servers.

duntuk

About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.

duntuk

It's kind of early to say anything for sure–this is the longest I've went this week without being disconnected (30minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...

But anyway...

Under OpenVPN 'advanced configuration' (in pfsense), I added the following:

keepalive 5 30;

So now my 'advanced configuration' looks like this:

auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

Note: I added this today:

route-nopull;

Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.

What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked.  So in turn 'keepalive 5 30;' does something to mitigate that...

tucansam

A lot of pages are loading slowly (to be expected I suppose).  Other pages are denying me access with messages that my IP has been flagged for spam.  Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).

All since I enabled the PIA vpn…..

peehoo

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Derelict

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy.  It's the opposite of this:

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

phil.davis

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.

wreththe

Thanks so much for this tutorial.  Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which goes through the PIAVPN.

Is that possible?

Derelict

Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won't match if the port is outside the set so the firewall will move on to the next rule.