Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.
I want to do the exact opposite and having trouble figuring it out…
I want all traffic from one IP to go thru the VPN except port 32400 (Plex). How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?
John
Did you figure this out? My Plex server stopped working and when I check it has my VPN address as the public IP.
I've tried creating a LAN FW rule above the VPN one to tell it that all TCP 32400 traffic should go via WAN_PPOE and not PIAVPN but it doesn't make any difference.
-
Never mind - it started working again. I'm wondering if because the VPN changes IP address so often, maybe Plex is taking too long to update it?
Oh I dunno.. clutching at straws - it all works great for a while and then will stop working, and then will work again. Hate those types of issues!
-
I think the TCP 32400 traffic is INBOUND from Plex. I refuse to use it since they don't post any source addresses so you have to allow the world in.
I believe Plex requires a port forward in on the IP address it is logging in from. So if you are trying to go OUT PIA, I think they need to forward a port to you.
I don't know. Go to a Plex forum and ask exactly what you need in a FIREWALL INDEPENDENT way (just IP/TCP/UDP/NAT/etc) and bring that info back here and it will be easier to help you with that. And you should start another thread for it.
-
I attempted to set openvpn up with PIA however I am unsuccessful at getting it to connect. Under status it says reconnecting; tls-error. When I check system logs it has this:
Mar 26 17:37:48 openvpn[8951]: Re-using SSL/TLS context
Mar 26 17:37:48 openvpn[8951]: LZO compression initialized
Mar 26 17:37:48 openvpn[8951]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Mar 26 17:37:48 openvpn[8951]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Mar 26 17:37:48 openvpn[8951]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Mar 26 17:37:48 openvpn[8951]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mar 26 17:37:48 openvpn[8951]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mar 26 17:37:48 openvpn[8951]: Local Options hash (VER=V4): '41690919'
Mar 26 17:37:48 openvpn[8951]: Expected Remote Options hash (VER=V4): '530fdded'
Mar 26 17:37:48 openvpn[8951]: UDPv4 link local (bound): [AF_INET]192.168.2.122
Mar 26 17:37:48 openvpn[8951]: UDPv4 link remote: [AF_INET]198.8.80.221:1194
Mar 26 17:37:48 openvpn[8951]: TLS: Initial packet from [AF_INET]198.8.80.221:1194, sid=246e6338 47b9e842
Mar 26 17:37:48 openvpn[8951]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mar 26 17:37:48 openvpn[8951]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 26 17:37:48 openvpn[8951]: TLS Error: TLS object -> incoming plaintext read error
Mar 26 17:37:48 openvpn[8951]: TLS Error: TLS handshake failed
Mar 26 17:37:48 openvpn[8951]: TCP/UDP: Closing socket
Mar 26 17:37:48 openvpn[8951]: SIGUSR1[soft,tls-error] received, process restarting
Mar 26 17:37:48 openvpn[8951]: Restart pause, 2 second(s)Edit: well I realized the directions here are different than what is offered on PIAs website. I tried these and it seems to be working. Not sure why this does and theirs don't. Any ideas?
-
It looks like whatever you did there didn't get the correct certificate imported and trusted for that OpenVPN client connection.
-
As much as I appreciate the effort and thoroughness, the advice to simply duplicate all existing outbound nat rules is both overkill, and potentially will degrade a network.
There are often autogenerated rules that are not required.
The isakmp rule specifically cited, for example, is entirely useless on a non ipsec connection.
Nor does the loopback need to be natted in most cases.
And if one blindly duplicates existing nat rules for other vpn connections, you end up double natting those - repeating on the other end gives you quad natting….and things start to not work so much.
I went on a pruning spree the other day and eliminated most of the nat rules.
All you need is one nat rule per subnet/address you are going to route through the vpn.
-
Nor does the loopback need to be natted in most cases.
Could you share some thoughts or examples of when the loopback interface would need natting please?
-
I have a I5 6400 cpu should i leave encryption to BF-CBC (128-bit) or could it be increased i have tried aes-256-cbc but i get alot of dropouts
also would i set cryptographic hardware thanks!
-
Thanks for the awesome guide. I'm having some trouble getting a static IP to get routed through the VPN (all the rest I want to get through the normal WAN). I've made an alias "PIA_VPN_IPs" (IP 192.168.1.230) and made a new LAN firewall rule at the top of the list passing source "PIA_VPN_IPs" to gateway PIAVPN_GW. I can see the traffic getting passed in the log below (I was pinging www.google.com) but I don't get any replies. If I ping 8.8.8.8 it works so I must be getting to the outside world? Could there be some inbound rule that's blocking the pings coming back?
Is there any other way to see what the issue might be? I can ping from within pfsense selecting "PIAVPN" as source address and www.google.com works fine so I'm guessing my VPN connection is ok.
Here are some passed firewall entries:
Jul 5 19:33:56 LAN 192.168.1.230:49388 208.115.201.203:25915 TCP:S
Jul 5 19:33:54 LAN 192.168.1.230 8.8.8.8 ICMP
Jul 5 19:33:54 LAN 192.168.1.230:49387 208.115.201.203:25915 TCP:S
Jul 5 19:33:52 LAN 192.168.1.230:49386 150.101.60.234:443 TCP:S
Jul 5 19:33:48 LAN 192.168.1.230:49385 150.101.60.208:443 TCP:S
Jul 5 19:33:48 LAN 192.168.1.230:49384 150.101.60.208:443 TCP:S
Jul 5 19:33:44 LAN 192.168.1.230:49383 128.121.22.145:443 TCP:S
Jul 5 19:33:44 LAN 192.168.1.230 150.101.60.230 ICMP
Jul 5 19:33:44 LAN 192.168.1.230:53406 8.8.8.8:53 UDP
Jul 5 19:33:41 LAN 192.168.1.230:49382 208.115.201.203:25915 TCP:S
Jul 5 19:33:35 LAN 192.168.1.230:49381 208.115.201.203:25915 TCP:S -
Albeit all data are here is adequate yet it you will Create OpenVPN interface then you have to run with this.
-
Click "Interfaces"
-
Click "(allocate)"
-
"Accessible system ports:" select "ovpnc1(PIA OpenVPN)"
-
Click "include chose interface" (symbol is a "+" image on a little lined sheet of paper)
However for more vpn Configuring you may likewise investigate toptenvpnreviews
www.toptenvpnreviews.com
-
-
**Today an announcement was sent and the openvpn.zip was updated. I believe I have all of the necessary steps/changes at the bottom to come up on the new cert Please let me know if this works for you… (Relevant bit highlighted below)
To Our Beloved Users,
The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider.
Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.
Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.
To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.
All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.
We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies.
In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure.
If you have any questions, please contact us at helpdesk@privateinternetaccess.com.
Thank you for your continued support and helping us fight the good fight.
Sincerely,
Private Internet Access Team
**Steps you will need to take to continue to use this guide in the future with the new certificate or for anyone using it now who wants to use the new cert ("before/if" they revoke it.) **
1. grab the new openvpn.zip (same location as before)
1. repaste new cert (ca.rsa.2048.crt) into field where ca.crt is/would go
2. on the openvpn client tab change to "aes-128-cbc" from the pull down options for Encryption Algorithm .
3. change server port from 1194 to 1198
4. you could restart openvpn, but I prefer a reboot. :)**
-
We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754
These strong settings are available on UDP port 1197 and on TCP port 501 (at least).
Very useful article on PIA site: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-
-
We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754
These strong settings are available on UDP port 1197 and on TCP port 501 (at least).
Cool I'm using it now with aes-256 and port 1197 as stated default in openvpn file. This appears to be a new CA as well although made quite awhile ago. Can you verify as I wasn't using it before? Valid From: Thu, 17 Apr 2014 10:40:33 -0700 Valid Until: Wed, 12 Apr 2034 10:40:33 -0700
https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
-
The cert contained within the compressed file you linked to has been out for a while. I've been using it for 4 months or more.
-
I'm wondering if someone can help clear up some confusion I'm having… that being said, my PIA is setup and working fine in pfSense.
My question is regarding some confusion with CA / certificate setup.In this post on the PIA forums: https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video
They say to:
Certificate Setup
- Click "System"
- Click "Cert Manager"
- Click "CAs"
- Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
- "Descriptive name" type in "PIA-internal-CA"
- "Method" select "Create an internal Certificate Authority"
- "Key length" use "2048" bits
- "Digest Algorithm" use "SHA256"
- "Lifetime" type in "3650" days (10 years)
- "Country Code :" (your choice)
- "State or Province :" (your choice, can be invalid data)
- "City :" (your choice, can be invalid data)
- "Organization :" (your choice, can be invalid data)
- "Email Address :" (your choice, can be invalid data)
- "Common Name :" = internal-ca
Now click "Save"System: Certificate Manager
- Click "System"
- Click "Cert Manager"
- Click "Certificates"
- Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
- "Method:" select "Create an internal Certificate"
- "Descriptive name" type in "PIA-Certificate"
- "Key length" use "2048" bits
- "Digest Algorithm" use "SHA256"
- "Lifetime" type in "3650" days (10 years)
- "Country Code :" (your choice)
- "State or Province :" (your choice, can be invalid data)
- "City :" (your choice, can be invalid data)
- "Organization :" (your choice, can be invalid data)
- "Email Address :" (your choice, can be invalid data)
- "Common Name :" type in "PIA-Certificate"
Now click "Save"In this post in pfSense forums, it makes no mention to these two steps… no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
So, what are these two extra steps for that are listed in the PIA forums?Also, when adding a client, both posts agree that:
"Client Certificate" = "webConfigurator default *In use"If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
If you're not choosing that, then why even make it (like in the guide posted in this thread)?Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
I figure I can use these guides as a template if I understood the difference here.Anyone?
Thanks!
-
I'm wondering if someone can help clear up some confusion I'm having… that being said, my PIA is setup and working fine in pfSense.
My question is regarding some confusion with CA / certificate setup.In this post on the PIA forums: https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video
They say to:
Certificate Setup
- Click "System"
- Click "Cert Manager"
- Click "CAs"
- Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
- "Descriptive name" type in "PIA-internal-CA"
- "Method" select "Create an internal Certificate Authority"
- "Key length" use "2048" bits
- "Digest Algorithm" use "SHA256"
- "Lifetime" type in "3650" days (10 years)
- "Country Code :" (your choice)
- "State or Province :" (your choice, can be invalid data)
- "City :" (your choice, can be invalid data)
- "Organization :" (your choice, can be invalid data)
- "Email Address :" (your choice, can be invalid data)
- "Common Name :" = internal-ca
Now click "Save"System: Certificate Manager
- Click "System"
- Click "Cert Manager"
- Click "Certificates"
- Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
- "Method:" select "Create an internal Certificate"
- "Descriptive name" type in "PIA-Certificate"
- "Key length" use "2048" bits
- "Digest Algorithm" use "SHA256"
- "Lifetime" type in "3650" days (10 years)
- "Country Code :" (your choice)
- "State or Province :" (your choice, can be invalid data)
- "City :" (your choice, can be invalid data)
- "Organization :" (your choice, can be invalid data)
- "Email Address :" (your choice, can be invalid data)
- "Common Name :" type in "PIA-Certificate"
Now click "Save"In this post in pfSense forums, it makes no mention to these two steps… no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
So, what are these two extra steps for that are listed in the PIA forums?Also, when adding a client, both posts agree that:
"Client Certificate" = "webConfigurator default *In use"If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
If you're not choosing that, then why even make it (like in the guide posted in this thread)?Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
I figure I can use these guides as a template if I understood the difference here.Anyone?
Thanks!
I am wondering the same thing.
This is what I can figure out with the little research I did.
With OpenVPN the Client Certificate is used to authenticate the client. Since PIA is using a Username and Password for authentication the Client Certificate ignored.
Here's a quote from the OpenVPN how to documentation.
Using username/password authentication as the only form of client authentication
By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.
While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:
client-cert-not-required
Such configurations should usually also set:
username-as-common-name
which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.
Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.
For the Client Cert to work, PIA would need to either.
1. generate a client certificate for each user account
2. have each user generate a CSR and submit it to PIA who would return a client certificate to the userSource: https://openvpn.net/index.php/open-source/documentation/howto.html
-
I'm wondering if someone could offer some advice. I just followed this to setup PIA and openvpn on my pfsense. My setup is like this;
at&t router –> pfsense box --> wireless AP/switch
I got everything working with the exception of getting the openvpn client to connect via dns name. When I enter in the dns name us-midwest.privateinternetaccess.com, I get the following error in the openvpn connection logs.
Aug 23 09:28:49 openvpn[78359]: ifconfig_pool_persist_refresh_freq = 600
Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_defined = DISABLED
Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_base = ::
Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_netbits = 0
Aug 23 09:28:49 openvpn[78359]: n_bcast_buf = 256
Aug 23 09:28:49 openvpn[78359]: tcp_queue_limit = 64
Aug 23 09:28:49 openvpn[78359]: real_hash_size = 256
Aug 23 09:28:49 openvpn[78359]: virtual_hash_size = 256
Aug 23 09:28:49 openvpn[78359]: client_connect_script = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: learn_address_script = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: client_disconnect_script = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: client_config_dir = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: ccd_exclusive = DISABLED
Aug 23 09:28:49 openvpn[78359]: tmp_dir = '/tmp'
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_defined = DISABLED
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_local = 0.0.0.0
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_remote_netmask = 0.0.0.0
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_defined = DISABLED
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_local = ::/0
Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_remote = ::
Aug 23 09:28:49 openvpn[78359]: enable_c2c = DISABLED
Aug 23 09:28:49 openvpn[78359]: duplicate_cn = DISABLED
Aug 23 09:28:49 openvpn[78359]: cf_max = 0
Aug 23 09:28:49 openvpn[78359]: cf_per = 0
Aug 23 09:28:49 openvpn[78359]: max_clients = 1024
Aug 23 09:28:49 openvpn[78359]: max_routes_per_client = 256
Aug 23 09:28:49 openvpn[78359]: auth_user_pass_verify_script = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: auth_user_pass_verify_script_via_file = DISABLED
Aug 23 09:28:49 openvpn[78359]: port_share_host = '[UNDEF]'
Aug 23 09:28:49 openvpn[78359]: port_share_port = 0
Aug 23 09:28:49 openvpn[78359]: client = ENABLED
Aug 23 09:28:49 openvpn[78359]: pull = ENABLED
Aug 23 09:28:49 openvpn[78359]: auth_user_pass_file = '/etc/openvpn-passwd.txt'
Aug 23 09:28:49 openvpn[78359]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Aug 23 09:28:49 openvpn[78359]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Aug 23 09:28:49 openvpn[78359]: WARNING: file '/etc/openvpn-passwd.txt' is group or others accessible
Aug 23 09:28:49 openvpn[78634]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Aug 23 09:28:49 openvpn[78634]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 23 09:28:49 openvpn[78634]: LZO compression initialized
Aug 23 09:28:49 openvpn[78634]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Aug 23 09:28:49 openvpn[78634]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Aug 23 09:28:49 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known Aug 23 09:28:49 openvpn[78634]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Aug 23 09:28:49 openvpn[78634]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 23 09:28:49 openvpn[78634]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 23 09:28:49 openvpn[78634]: Local Options hash (VER=V4): '41690919'
Aug 23 09:28:49 openvpn[78634]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 23 09:28:49 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:54 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:59 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not knownIf I enter in the IP address, it will connect and everything will work. However this isn't acceptable as every couple days the IP address changes.
I've tried setting up my DNS servers to be the at&t router as well as the PIA DNS servers and neither seems to work.
-
Looks like your firewall can't resolve names. Or at least that name.
What is your DNS configuration in System > General?
Can you resolve names in Diagnostics > DNS Lookup?
When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?
-
Looks like your firewall can't resolve names. Or at least that name.
What is your DNS configuration in System > General?
Can you resolve names in Diagnostics > DNS Lookup?
When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?
DNS is pointing to 209.222.18.218 and 209.222.18.222 and both are using the WAN interface as gateway.
I can resolve names when I connect to the VPN via IP address but when it's trying to connect vie DNS name, it will not resolve. I get…
127.0.0.1 0 msec
209.222.18.218 No response
209.222.18.222 No responseI"m not able to see the update nor see packages when this happens.
-
209.222.18.218 No response
209.222.18.222 No responseHave to figure that out…