Tutorial: Configuring pfSense as VPN client to Private Internet Access

duntuk

About a week ago, PIA service went to sh*t for me… It worked great for over a year, and now constant disconnects.

duntuk

It's kind of early to say anything for sure–this is the longest I've went this week without being disconnected (30minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...

But anyway...

Under OpenVPN 'advanced configuration' (in pfsense), I added the following:

keepalive 5 30;

So now my 'advanced configuration' looks like this:

auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

Note: I added this today:

route-nopull;

Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.

What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked. So in turn 'keepalive 5 30;' does something to mitigate that...

tucansam

A lot of pages are loading slowly (to be expected I suppose). Other pages are denying me access with messages that my IP has been flagged for spam. Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).

All since I enabled the PIA vpn…..

peehoo

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Derelict

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy. It's the opposite of this:

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

vpn_hosts.jpg_thumb

phil.davis

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.

wreththe

Thanks so much for this tutorial. Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which goes through the PIAVPN.

Is that possible?

Derelict

Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.

GaMcL

Good tutorial, Thanks. However I am having a problem at an early stage.

When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a "No Certificates Defined" and can't create the client. Trying to create a certificate under the certificate manager>certificates doesn't work because I don't have the private key that is needed.

What am I missing.

![certificate authority manager.JPG](/public/imported_attachments/1/certificate authority manager.JPG)
![certificate authority manager.JPG_thumb](/public/imported_attachments/1/certificate authority manager.JPG_thumb)
![No Certificates Defined.JPG](/public/imported_attachments/1/No Certificates Defined.JPG)
![No Certificates Defined.JPG_thumb](/public/imported_attachments/1/No Certificates Defined.JPG_thumb)

Derelict

It looks like PIA doesn't verify client certificates at all so any certificate will do. The walkthrough just uses the default webconfigurator certificate out of pfSense.

You don't have any certs at all listed in System->Cert manager->Certificates ??

GaMcL

No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?

Derelict

Yes. When you installed a cert for the webConfigurator was created. Looks like you deleted it.

I have no idea how to tell pfSense to recreate that cert. Anyone?

If it's non-trivial you'll need to create an internal CA then create an internal cert using that.

phil.davis

Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow and CA and Certificate all in one (exposing my lack of knowledge of this stuff!).

GaMcL

Thanks for the replies. It's odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I'm pretty careful with such things due to lack of understanding and not wanting to break things. I haven't had to deal with certificates before and I don't remember ever working with the cert manager before.

Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won't get back to the VPN installation until later.

One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or change anything in the process?

Thanks very much for your help. I'll get back when I hit the next snag :)

Derelict

Shouldn't. Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.

@phil.davis yeah, I don't see a way in the interface to create a cert like that. There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.

peehoo

@Derelict:

@peehoo:

Awesome tutorial… Is it anyhow possible to expand it in situations when somebody wants force only one - two - or certain amount of Lan IP:s to the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy. It's the opposite of this:

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN. Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example). Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

Hi!

I think I managed this ::)

Basicly I needed only one internal IP-address go to the PIAVPN so I created two firewall rules.

One which is telling that 192.168.1.60 goes to PIAVPN and one which is reverse for that -> all the other LAN addressess are going to WAN-interface. Is this kind of configuration any sense?

Now my pc is showing me my ISP address and XBMC is showing PIA address.

Ok, I changed that single host to the aliases list because it might be possible every now and then and some other pc:s to use PIAVPN also.

One thing came to my mind… What comes to the security and hidden my network traffic - is there any kind of problem to use same PIA server every day? Manually when using pc-client I've changed it different countries every now and then... Ok, it is manually also possible with pfsense but is it any benefit to change it and if yes -> could it be possible to automaticly use several PIA servers different days?

And at the end couple of stupid questions:

At this point it seems that PIAVPN is working (THX for a great tutorial)
Dashboard is showing in interfaces PIAVPN address BUT
for reason I do not know OpenVPN status shos that PIA client instance status is down??

Should I be worried?

Screencaps below:

Dec 11 13:06:42	openvpn[68212]: Exiting due to fatal error
Dec 11 13:06:42	openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Dec 11 13:06:42	openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 11 13:06:42	openvpn[68212]: ROUTE_GATEWAY xx.x.x.1

Could this be a reason why I still have DNS Leak? How I manually (and to where) I configure PIA DNS-servers?

Also one minor thing… How I can configure to those piavpn hosts traffic limiter especially upload limiter. I tried to do this with http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/ this instructions but did not succeed.

achaian

I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.

Again, thank you!!

flowrider

Hi,
I've just registered here but have been lurking for quite a while.

Thanks for the guide it was much easier than a lot of other guides out there and it's appreciated greatly.

I have a question about DNSleak protection. With this default configuration when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I got to get this far!!

Anyhow if anyone has a tutorial for this it would be great.

Thanks
Steve

wbennett77

Hey Steve,

The ONLY way I have found to prevent leaks is to use PIA's DNS servers. If anyone has found another way I would really like to hear about it as well.

flowrider

Thanks wbennett77 I ended up using PIA's DNS servers as well and no leaks! It was quite easy which is nice for a change! I'm pretty happy to have found this guide as it's the most comprehensive and simple to use one on the net. I'm pairing it with a Netgear R7000 right now and it seems to be working well especially in the 5gHz range.