Tutorial: Configuring pfSense as VPN client to Private Internet Access

Finger79

I don't think the ISAKMP/500 rules need to be created for the VPN.  Just the two (localhost to VPN and LAN to VPN).  They can be safely removed.

fnkngrv

I followed the PIA guide on their support page completely however it didn't work.  For grins I went in and saw that there was a system update.  I was on 2.3.4 and 2.4 released on Oct 10th.  I have no clue if the update resolved some type of internal software issue however after going back in and having to redo the configs it is now working.  Just figured that I would share for anyone that might be running into issues recently.  Thanks for the tutorial.  I will need to come back to it again for setting up a machine or two to skip using it.

On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?

Finger79

@fnkngrv:

On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?

Are you using Unbound as a DNS Resolver or the old school dnsmasq for DNS Forwarding?  You can have your cake and eat it too.  Meaning, you can have all your clients' DNS queries get routed over the VPN, but the pfSense box itself still needs to be able to do DNS in case the VPN tunnel goes down.

So your list would be something like:

127.0.0.1 (this is there by default, no need to manually add)
DNS 1
DNS 2
DNS 3
etc.

This way for PIA you don't have to hardcode the IP address in the OpenVPN client configuration page.  You can actually do the FQDN us-florida.privateinternetaccess.com (or whatever).

gtj

This is an excellent tutorial and in great detail.
I have set the PIA client successfully however I have also set an OpenVPN sewrver for remote access and these 2 don't seem to work together. I have to disable the server to have the PIA Client encrypting traffic while if I want to connect to my LAN from a remote location, I have to disable the PIA client.

Can anyone please advise what rules should anyone use in order to have both OpenVPN instances running at the same time?

Any help woul;d be much appreciated.

Derelict

They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

gtj

@Derelict:

They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

Does this mean I have to choose under Firewall - Rules - OpenVPN Server a different gateway for the server? (''clean'' WAN instead of the PIA gateway)

Thanks!

Derelict

You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

gtj

@Derelict:

You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

Still can't set it right. When a client is connected to the OpenVPN server, my PIA connection is either slow or down. I have to disable the server to get my connection back.

Do I have to create a rule for both OpenVPN and PIA interfaces or just for OpenVPN? Currently under Firewall –-> Rules ---> PIA there aren't any rules set at all.

I have created a rule for the OpenVPN interface to look like the one below:

Interface: LAN (''Bridge'' in my case as I have bridged 2 NICs to act as one)
Address Family: IPv4
Protocol: TCP/UDP
Source:Any
Destination: Any
Destination Port Range: 1194

Advanced Options -->  "Gateway"---> WAN

I apply the above but still don't see any difference.

gtj

Anyone that can actually help with the problem above? It will be much appreciated.

I did the following:

-I have created separate interfaces for both my PIAVPN and OpenVPN Server.

-Under NAT, I generated the default WAN ''Outbound'' values for both PIAVPN (client) & OpenVPN Server

-Created a WAN rule which allows TCP/UDP traffic to port 1194 and have selected under ''Advanced Settings'' –--> ''Gateway'' the WAN_DHCP instead of the ''Default'' I then duplicated that rule to be present under ''LAN'' as well as under ''Bridge'' tab as I have bridged the 2 NICs of my APU2C4 to act as one LAN.

-There are no rules at all under the tabs ''OpenVPN'', ''LAN2'', ''OPENVPN'', ''BR0''.
At the moment, rules are set only for ''WAN'', ''LAN'' and ''Bridge''.

On the pfSense dashboard the available interfaces are all being shown as active:

WAN        ---- up        (ip assigned)
LAN          ---- n/a
LAN2        ---- n/a
PIAVPN    ---- up        (ip assigned)
OpenVPN  ---- up        (ip assigned)
BR0          ---- up        (ip assigned)

What am I missing?

Haze028

I've followed a few different guides, and googled for quite a while and can't seem to get my connection to work properly. 
My mappings are set:

pfSense shows openVPN as connected, and my VPN interface has an IP assigned to it.  Everything looks like it should be good

I have two LAN firewall rules to specify which computers use the vpn and which don't:

I am unable to access the internet when OpenVPN is connected from a VPN_Users aliased computer.
I am able to ping fine from this computer ex. www.google.ca, but when I try to load a page Firefox just sits saying "Preforming TLS Handshake with.." and never loads. As soon as I shut down OpenVPN service, internet works as normal

I've tried looking at the log, but see no mention of an error.

I'm assuming this is related to my firewall not being configured properly and blocking the access.  I just don't know what I'm missing.

Any Suggestions?

Finger79

@Haze028, I noticed your LAN network is 150.160.170.0/24, which is a public IP range.  If you haven't purchased or otherwise own this block of IPs, you should stick with private IP ranges.

bcruze

these are the updated instructions just provided to me:

https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115005760606-Setting-up-a-Router-running-pfSense-Firmware

bcruze

i've followed the instructions above and now i am getting several events in the logs

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

seems like several red flags.  what is everyone's opinion on this?

Finger79

@bcruze:

i've followed the instructions above and now i am getting several events in the logs

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

seems like several red flags.  what is everyone's opinion on this?

I get the 'link-mtu' warnings as well.  The Blowfish/SWEET32 warning is because PIA can't competently maintain their systems (and I'm a customer!) and still defaults to BF-CBC instead of at least AES-128-CBC.  They really should be using the latest OpenVPN 2.4.4 with NCP support.  As much as I like PIA, they can be a real frustrating PI[T]A….

As long as you (the client endpoint) have your config set to use AES-128-CBC or AES-256-CBC, it'll override the server settings, so don't worry about that warning.

Dave R

Thanks for the guide. I was able to get this configured in about an hour or so. There are a couple of things to note:

1. OpenVPN server port numbers are different for PIA depending if you use a sha256 or sha128 cert: https://www.privateinternetaccess.com/forum/discussion/21213/sha256-with-openvpn

2. I didn't want my Steam gaming traffic going over the VPN (ports 27000-27015,…) so I used a NAT Alias to create a list of ports to apply to the outbound NAT rule.

Derelict

That's great but outbound NAT rules have nothing to do with what traffic goes out which interface. They only dictate what NAT occurs when traffic is already routed out that interface by policy routing or the routing table.

Dave R

Hrm, makes sense I guess. Got a link to something explaining how to route 80/443/53 over the VPN interface while leaving all other traffic egressing the WAN ?

Derelict

Just check don't pull routes in the OpenVPN Client configuration then policy route those destination ports to the VPN Gateway followed by pass any without setting a gateway.

Dave R

Ah, I think that works but only if I specify the VPN gateway in the LAN pass rule (under Advanced).  You mention "pass any without setting a gateway." but where else would I specify the VPN gateway for those ports?

Derelict

You policy route using firewall rules as you already stated. So you make a rule specifying those destination ports and the desired gateway/gateway group.