Tutorial: Configuring pfSense as VPN client to Private Internet Access



  • @Derelict:

    Looks like it's connecting to me.  What's not working?

    You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.

    Thanks - the problem is that as soon as I adjust the LAN firewall rule to direct LAN traffic to the PIAVPN_VPN4 gateway, I lose all internet access.  I can't ping, traceroute, etc. anything outside my LAN.  I have outbound NAT rules setup for both WAN and PIAVPN gateways and firewall rules for each interface that are basically unrestricted:

    sorry for the crappy spacing in the output below

    WAN Firewall Rules:
    ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
        IPv4   *       *     *            *     *             none

    PIAVPN Firewall Rules:
    ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
        IPv4   *       *     *            *     *             none

    OpenVPN Firewall Rules:
    ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
        IPv4   *       *     *            *     *             none

    LAN Firewall Rules (working):
    ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
        IPv4   *       *     *            *     WAN_DHCP      none

    LAN Firewall Rules (not working):
    ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
        IPv4   *       *     *            *     PIAVPN_VPNV4  none


  • LAYER 8 Netgate

    Umm.  First thing you should do is delete that WAN rule.  Do it now.  Don't delay.

    Also delete the OpenVPN and PIAVPN rules.  Do it now.


  • LAYER 8 Netgate

    Now that you've done that.  Show us your NAT rules.



  • @Derelict:

    Now that you've done that.  Show us your NAT rules.

    Ha!!  Yeah, those non-LAN rules were NOT active (disabled) and are now deleted - otherwise that would kind of defeat the purpose of a firewall, right? :) The only firewall rules I have right now are:

    The Outbound NAT Rules:

    When I activate the "PIAVPN" version of these rules and the corresponding firewall rule, I lose all connectivity outside my LAN.

    ***UPDATE: It's magically decided to start working now.  I have no idea what the problem was but it's good to go now.


  • LAYER 8 Netgate

    You can leave the NAT rules active.  They mean nothing unless that interface is being used for egress.  They just have to be there if you're going from the source IP addresses out that interface.

    Maybe PIA was having a problem?  Who knows.  Glad it's working and you don't have a pass any any rule on WAN.



  • One additional question: I can get the OpenVPN/PIA tunnel up and functioning, but when I come back after a while the Interface is down and the OpenVPN service needs to be restarted.  This is from the log:

    Feb 14 23:26:43 openvpn[83612]: TLS: soft reset sec=0 bytes=494118/0 pkts=4201/0
    Feb 14 23:26:43 openvpn[83612]: ERROR: could not read Auth username from stdin
    Feb 14 23:26:43 openvpn[83612]: Exiting due to fatal error
    Feb 14 23:26:43 openvpn[83612]: Closing TUN/TAP interface
    Feb 14 23:26:43 openvpn[83612]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.179.1.6 10.179.1.5 init

    Is this because I specified "auth-nocache"?  If so, shouldn't this option cause the information to be re-read from the file, not stdin?  I'll try and remove the -nocache option since, really, why should I mind having the login credentials saved in memory when it's OK to have them stored plaintext on disk…

    Is it something else entirely?

    Thanks,
    Aaron


  • LAYER 8 Netgate

    If you added auth-nocache outside of the tutorial, remove it.

    https://community.openvpn.net/openvpn/ticket/225
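    An added illustration (not part of this thread, and not pfSense or OpenVPN code) of how to spot the failure Aaron posted in a client log: a TLS renegotiation ("soft reset") after which the daemon cannot re-read the Auth username and exits, taking the tunnel interface down. The log lines are constructed from the post above; the advice string just records what the replies concluded.

```python
"""Scan an OpenVPN client log for the renegotiation/credential failure shown in
this thread. Added illustration, not pfSense or OpenVPN code; the sample log
lines are constructed from the post."""
import re
from typing import Dict, List, Optional

# Syslog-style line as pfSense shows it: "Feb 14 23:26:43 openvpn[83612]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed from the failing log posted above.
FAILING_LOG = """\
Feb 14 23:26:43 openvpn[83612]: TLS: soft reset sec=0 bytes=494118/0 pkts=4201/0
Feb 14 23:26:43 openvpn[83612]: ERROR: could not read Auth username from stdin
Feb 14 23:26:43 openvpn[83612]: Exiting due to fatal error
Feb 14 23:26:43 openvpn[83612]: Closing TUN/TAP interface
Feb 14 23:26:43 openvpn[83612]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.179.1.6 10.179.1.5 init
"""

# Constructed healthy counterpart: the renegotiation completes and nothing exits.
HEALTHY_LOG = """\
Feb 15 00:26:43 openvpn[83612]: TLS: soft reset sec=0 bytes=512000/0 pkts=4400/0
Feb 15 00:26:44 openvpn[83612]: Initialization Sequence Completed
"""


def parse_line(line: str) -> Optional[dict]:
    """Split a line into ts / pid / msg, or return None if it is not an openvpn line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(log_text: str) -> List[dict]:
    """Return one finding per openvpn process that failed to re-read credentials
    right after a TLS soft reset. A following 'ovpn-linkdown <iface> ...' line
    from the same pid tells us which tunnel interface went down."""
    findings: List[dict] = []
    last_reset: Dict[str, str] = {}   # pid -> timestamp of its latest soft reset
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid, ts, msg = rec["pid"], rec["ts"], rec["msg"]
        if msg.startswith("TLS: soft reset"):
            last_reset[pid] = ts
        elif "could not read Auth username from stdin" in msg and pid in last_reset:
            findings.append({
                "pid": pid,
                "renegotiated_at": last_reset.pop(pid),
                "failed_at": ts,
                "interface": None,
                # What the thread concluded: the credentials were not kept for the
                # renegotiation, so look for auth-nocache in the client's options.
                "advice": "remove auth-nocache from the OpenVPN client advanced options",
            })
        elif (msg.startswith("/usr/local/sbin/ovpn-linkdown ")
              and findings and findings[-1]["pid"] == pid):
            findings[-1]["interface"] = msg.split()[1]
    return findings


if __name__ == "__main__":
    for f in diagnose(FAILING_LOG):
        print(f"openvpn[{f['pid']}] lost {f['interface']} at {f['failed_at']}: {f['advice']}")
    print("healthy log findings:", diagnose(HEALTHY_LOG))
```

    Run it against Status > System Logs > OpenVPN output pasted into a file; an empty result means the tunnel drop had some other cause and the log needs a different look.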



  • Quick questions since I am still doing my research. If I wanted my VPN service (PIA) to use a different set of DNS servers, to prevent DNS leaks, would it be possible? If so, how would I go about setting this up? Or would pfSense as a whole have to use only one set of DNS servers?

    Sorry, still learning and haven't been able to get any hands on yet.

    Thank you



  • @kintaroju:

    great tutorial you guys have. I have a more complicated situation that I have been trying to get setup.

    Having TWO openVPN client setup via PIA.

    So the idea is this: based on IP range 192.168.0.2-192.168.0.20, it'll go to PIA USA West.

    Then, based on IP range 192.168.0.21-192.168.0.40, it'll go to PIA Canada.

    Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.

    I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to PIA USA West. Is there anything I could be missing?

    Hi there,

    Not sure if you solved your problem, but if you haven't passed "route-nopull" as an advanced option to the OpenVPN client, that might be your problem.  I wanted to selectively send some of my LAN clients to VPN and others not, and had to pass this option as it stopped OpenVPN from generating a default (0.0.0.0) route in my routing tables.

    Good luck!

    Rob



  • First a huge thanks to the OP for providing this.  Exactly what I was looking for.

    Second - and please bear with me as I'm new to pfSense - what is the best way to have ALL communication to the internet shut-off if for whatever reason the VPN becomes disconnected? Or maybe this is already going to occur because of the NAT rules defined?

    Thanks for clarification.


  • LAYER 8 Netgate

    I have found the best way to do this is to edit the firewall rules that policy route traffic over the VPN.  Configure them to add a mark like VPN_ONLY.

    Create an interface group for all your WAN interfaces.

    Create a floating rule on the wan interface group direction out.  Make it a Reject rule, Quick, matching any traffic with mark VPN_ONLY.






  • Hi Everyone.
    I have the service up and running, but for some reason I am not getting an IP address?
    What have I missed?

    cheers



  • Hey friends
    Can I make a VPN in the pfSense firewall between the admin in my LAN and 2 dedicated servers with 2 public addresses x.x.x.x / x.x.x.x?
    It's urgent, thanks for your answer :)


  • LAYER 8 Netgate

    Hey friends
    Can I make a VPN in the pfSense firewall between the admin in my LAN and 2 dedicated servers with 2 public addresses x.x.x.x / x.x.x.x?
    It's urgent, thanks for your answer :)

    Start another thread.



  • Hey Derelict, thanks for answering my other questions.  My problem is..uh, I'm not the sharpest at learning; I can follow tutorials (and even wrote some for wireless) and what I need is another tutorial for setting up NAT (or LAN?) rules.  I followed this VPN tutorial and everything is running great!  But like others have asked, I need to have 1, 2 or maybe only 3 IPs (computers) use the VPN, and all others bypass the VPN and go straight to the local internet.  So the answers I've read of 'create a LAN rule for xxx' are nice and I'm sure easy for some, but I don't know HOW to do that.  I made some LAN rules, but they blocked everything and so I just removed them.  Therefore, if you, or anyone, knows of another tutorial on 'How to create a rule for 1 IP to bypass the VPN' I sure would appreciate a link.  I can follow directions and be successful (driving, making coffee, buying groceries) but I don't know the 'how-to' of pfSense rules.  Thanks!


  • LAYER 8 Netgate

    Create an IP alias called vpn_hosts or something under Firewall > Aliases.

    Add the IP addresses that you want to be forwarded through the VPN

    Look at the first post in this thread.  Find the section called Routing.

    The walkthrough changes the LAN IPv4 Rule so it forwards all of LAN Net to PIAVPN_VPN4.  You want to make a rule just like it but ABOVE it with the source network set to the alias instead of LAN net.  Then change the LAN net rule back to Gateway: default



  • Thanks for the steps.  I just can't get it to work.  I either have  No outbound connection; Everything thru VPN; or Everything Open, not vpn'd.  The IP's are set in the 'VPN Out IPs' and the gateway is 'default' under the 2nd LAN rule.  Just not getting it I suppose.  Thanks for the help.



  • LAYER 8 Netgate

    That should work.  You sure PIA is up when you try?  Did you clear states?



  • I have very similar set up and same issues.

    As I have it set up now, everything goes through the VPN. All I want is 192.168.0.102 to go on the VPN, all other traffic through ISP.

    What have I got wrong here?



  • LAYER 8 Netgate

    Probably a default route from the VPN provider.

    On 2.2, check "Don't pull routes" in the OpenVPN client config.  On 2.1.5 add route-nopull; to the advanced section.



  • Derelict thanks for the reply,

    I seem to have messed something up. :-[ :-[

    A few questions:
    1. Every time I enable and disable the VPN Client (which I do a lot while trying to set this up) it gives me a new IP which I then have to add to the firewall rules. Is there an easier way of doing this?

    2. I seem to have lost the ability to have traffic go through the VPN (I could once have all or nothing). I can see a small amount of traffic on the VPN, but when I check my IP I get my ISP's. What did I do?

    3. What did checking "Don't add/remove routes" do?

    I seem to go one step forward and two steps back every time I make a change on this.

    Thanks,


  • LAYER 8 Netgate

    What rules are you talking about?  You don't need to care what address they give you.  That's the PIAVPN_V4 address and all pfSense does is NAT to it.  That can change all the time.  You are concerned with your client's LAN address, which doesn't change unless you change it (presuming it's static or at least a DHCP Static Mapping, which is advisable when you start policy routing based on the source address).

    Many VPN providers push a default route to you so all your traffic gets sent through them.  Checking that box adds route-nopull; to your client configuration which tells the client to ignore all the routes pushed to you.  This leaves it up to you to policy route the traffic you want to go to the VPN.



  • I will attach what I think might be useful, let me know if anything else is needed.

    I also noticed when I check the gateway that the VPN shows online but then quickly goes offline after enabling. Any thoughts on that?



  • LAYER 8 Netgate

    Which rule do you think you have to change?  What, exactly, is the problem?



  • I have to disable that top rule to reply.

    When all the rules are enabled, on the BJENVY pc, it doesn't seem to have internet for some time, then it comes for a few seconds, I can check the ip and it is my WAN IP and then it stops responding.

    Should I be concerned about the Gateway showing offline?

    scratching my head… ???



  • Thanks to Derelict for keeping me at it.  I got the separate IP's working out thru the VPN and all others thru normal gateway/router.
    bj24 - Follow the steps in Derelict's post for making an alias.  Add the IP's you want going out thru the VPN to it.  Give it a name like 'IPs_Out_VPN' or something you will recognize.
    Then go to Firewall-Rules-LAN
    Click the plus to create a new rule based on LAN net
    Action=Pass, Interface=LAN, TCP/IP=IPv4, Protocol=any, Source=Type:Single host or alias, Address: IPs_Out_VPN; Destination=any, Description=LAN PIA_VPN Specific IP address Out
    Advanced features:  Gateway=PIAVPN_VPN4-some.ip. (this should be in the list if you followed the tutorial)
    Save, Apply Changes
    In Firewall: Rules - LAN  Click the rule you just made in the checkbox on the left;  Then point at the Arrow to the right of the LAN net rule, and move your IP out rule above it.  It should now be the first rule.
    Go to Status-Services, Restart DHCP, Restart OpenVPN.
    Give your computers 1-2 minutes to get a refreshed IP and see if your computers are running thru the interface you want.
    **** Mine Didn't*** Because I had to go change this:
    Firewall-Rules-LAN
    Choose your IPv4 LAN net (gateway should be '*')  click Edit
    Advanced features - Gateway:  Choose 'WAN_DHCP - 192.168.x.x'
    Save- Apply changes.
    Go to Status-Services, Restart DHCP, Restart OpenVPN.
    Give your computers 1-2 minutes to get a refreshed IP and see if your computers are running thru the interface you want.
    If all works, save this to your notepad along with the tutorial and you're good to go!
    Let me know if you need the individual steps for making the Alias list, it's pretty straightforward but until you do it you can be poking around.
    Thanks Derelict and others for getting us going!
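    An added illustration (not part of this thread and not pfSense code) that models, in a few lines of Python, the three things the replies above keep coming back to: the alias rule has to sit ABOVE the LAN net rule because rules are first-match; a provider-pushed default route sends everything through the tunnel until "Don't pull routes" / route-nopull is set; and Derelict's kill switch (VPN_ONLY mark plus a floating reject rule on the WAN group) is what stops a VPN-only host from leaking out the WAN when the tunnel is down. Gateway names and client addresses are the ones used in this thread; the two-tunnel case at the end generalises the same evaluation to kintaroju's two PIA exits, and its gateway names PIA_USWEST_VPN4 / PIA_CANADA_VPN4 are made up for the example. The fallback behaviour for a rule whose gateway is down is stated as a model assumption in the code.

```python
"""Toy model of how pfSense evaluates the LAN policy-routing rules discussed in
this thread. Added illustration, not pfSense code: it mimics first-match rule
order, a pushed default route (route-nopull unset), and the VPN_ONLY kill switch."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

# A rule source: "LAN net", an alias of hosts, or an inclusive address range.
Source = Union[IPv4Network, FrozenSet[IPv4Address], Tuple[IPv4Address, IPv4Address]]

@dataclass
class Rule:
    source: Source
    gateway: Optional[str] = None   # None = "Gateway: default" in the GUI
    tag: Optional[str] = None       # the mark set under Advanced Options

def matches(source: Source, ip: IPv4Address) -> bool:
    if isinstance(source, (IPv4Network, frozenset)):
        return ip in source
    lo, hi = source
    return lo <= ip <= hi

def egress(ip: str, rules: List[Rule], gateways_up: Dict[str, bool],
           default_gw: str, kill_switch_tags: FrozenSet[str] = frozenset()) -> str:
    """Gateway a packet from `ip` leaves through, or 'REJECTED' / 'BLOCKED'.
    Model assumptions: first-match evaluation; a rule whose gateway is down is
    still applied but without the gateway (pfSense's default unless "Skip rules
    when gateway is down" is enabled), so the packet follows the system default
    route; the floating reject rule catches tagged packets leaving any WAN."""
    addr = ip_address(ip)
    for rule in rules:
        if not matches(rule.source, addr):
            continue
        gw = rule.gateway
        if gw is None or not gateways_up.get(gw, False):
            gw = default_gw
        if gw == "WAN_DHCP" and rule.tag in kill_switch_tags:
            return "REJECTED"
        return gw
    return "BLOCKED"   # no pass rule matched: pf's implicit default deny

def default_route(pull_routes: bool, vpn_up: bool, vpn_gw: str = "PIAVPN_VPN4") -> str:
    """A pushed default route only exists while routes are pulled and the tunnel is up."""
    return vpn_gw if pull_routes and vpn_up else "WAN_DHCP"

LAN_NET = ip_network("192.168.0.0/24")
VPN_HOSTS = frozenset({ip_address("192.168.0.102"), ip_address("192.168.0.115")})  # alias
ALL_UP = {"WAN_DHCP": True, "PIAVPN_VPN4": True}

def scenario_rule_order(alias_rule_first: bool) -> Dict[str, str]:
    """Derelict's point: the alias rule must sit ABOVE the LAN net rule."""
    alias_rule = Rule(VPN_HOSTS, "PIAVPN_VPN4")
    lan_rule = Rule(LAN_NET)                      # Gateway: default
    rules = [alias_rule, lan_rule] if alias_rule_first else [lan_rule, alias_rule]
    gw = default_route(pull_routes=False, vpn_up=True)
    return {ip: egress(ip, rules, ALL_UP, gw) for ip in ("192.168.0.102", "192.168.0.50")}

def scenario_pushed_default_route(pull_routes: bool) -> Dict[str, str]:
    """Why everything left through PIA until 'Don't pull routes' was checked."""
    rules = [Rule(VPN_HOSTS, "PIAVPN_VPN4"), Rule(LAN_NET)]
    gw = default_route(pull_routes, vpn_up=True)
    return {ip: egress(ip, rules, ALL_UP, gw) for ip in ("192.168.0.102", "192.168.0.50")}

def scenario_kill_switch(vpn_up: bool, kill_switch: bool) -> str:
    """Tunnel down: without the floating reject rule the VPN-only host leaks out WAN."""
    rules = [Rule(VPN_HOSTS, "PIAVPN_VPN4", tag="VPN_ONLY"), Rule(LAN_NET, "WAN_DHCP")]
    up = {"WAN_DHCP": True, "PIAVPN_VPN4": vpn_up}
    tags = frozenset({"VPN_ONLY"}) if kill_switch else frozenset()
    return egress("192.168.0.102", rules, up, default_route(False, vpn_up), tags)

def scenario_two_tunnels() -> Dict[str, str]:
    """Two OpenVPN clients: one range per exit, the rest of LAN net via the ISP.
    Gateway names here are made up for the example."""
    rules = [
        Rule((ip_address("192.168.0.2"), ip_address("192.168.0.20")), "PIA_USWEST_VPN4"),
        Rule((ip_address("192.168.0.21"), ip_address("192.168.0.40")), "PIA_CANADA_VPN4"),
        Rule(LAN_NET),
    ]
    up = {"WAN_DHCP": True, "PIA_USWEST_VPN4": True, "PIA_CANADA_VPN4": True}
    return {ip: egress(ip, rules, up, "WAN_DHCP")
            for ip in ("192.168.0.10", "192.168.0.30", "192.168.0.200")}

if __name__ == "__main__":
    print("alias rule above LAN net:", scenario_rule_order(True))
    print("alias rule below LAN net:", scenario_rule_order(False))
    print("routes pulled from PIA:  ", scenario_pushed_default_route(True))
    print("VPN down, no kill switch:", scenario_kill_switch(False, False))
    print("VPN down, kill switch:   ", scenario_kill_switch(False, True))
    print("two tunnels:             ", scenario_two_tunnels())
```

    The kill-switch scenario is the one worth keeping in mind when the gateway flaps, as it did for bj24 above: with the tunnel down, the alias rule still passes the traffic, just without its gateway, so the packets take the default route out the WAN unless a rule tagged VPN_ONLY is rejected on the way out.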



  • This is very frustrating.

    I have it as you two have said as far as I can tell and it does not work as expected.

    Should I be concerned that the Gateway for the VPN shows offline?!

    What logs should I be looking at, or screens? I have found another laptop to use as a tester so I stop losing internet when I test on myself. I have added its IP to the list with an Alias of IPs_Out_VPN.
    I have made a LAN rule with the Gateway selected to use the VPN.

    I restarted the 2 services.

    I test the computer, it still has my ISP's IP address and after less than 2 minutes internet stops completely on it.

    Should I start to suspect PIA? Like I've wondered, the Gateway keeps going from online to offline.

    puzzled….


  • LAYER 8 Netgate

    Disable gateway monitoring on that gateway.



  • Thank you, that has solved the gateway offline issue.

    However still no routing of IPs_Out_VPN to go out the VPN.

    progress!!…


  • LAYER 8 Netgate

    Why are your NAT entries back here: https://forum.pfsense.org/index.php?topic=76015.msg500950#msg500950 for 192.168.1.0 and your policy route is for 192.168.0.102?



  • I hope that's the issue. I corrected that to 192.168.0.0 but still nothing.

    Here is my updated NAT list, do I need to keep all 7?

    tested it now and still on the ISP IP.



  • Oops, here's the NAT list



  • LAYER 8 Netgate

    What are the contents of alias BJENVY?

    What is the IP address of the host you're testing from?

    Is the VPN up?

    Please post evidence so we can see everything is as it should be.



  • I have changed the alias name to IP_out_VPN; it has 2 IPs in it, 192.168.0.102 and .115.

    I am testing from both of those 2 IPs, 192.168.0.102 and .115.

    What is the best evidence that the VPN is up? I believe it is as far as I can see.



  • LAYER 8 Netgate

    I guess I don't know.  You've got something wrong somewhere.  Delete it all and start over maybe.



  • :)



  • Will start fresh and see how it goes… cross your fingers  ;)



  • HOLD UP.  My last post I noticed my IP address in the lower right corner and it wasn't mine, it was the IP of the VPN!! So something is working.

    I go to speedtest.net and it shows my current location and ISP IP.
    I go to whatismyip.org and it shows my ISP IP and location.

    What is going on? Why did my post or this forum recognize the VPN but nothing else seemingly?

    steps forward…


  • LAYER 8 Netgate

    There is nothing in your config that cares about the destination unless you're not telling us everything.  Is your VPN going up and down?  Lots of sites report IP addresses.  What does www.ipecho.net say?  What does www.wimi.com say?



  • Derelict,

    What do you imply that I wouldn't be telling?

    Every time I check the status of the VPN it is up and well. When I use the PC application the VPN is very stable. The logs for openVPN don't show anything strange.

    Both of those sites showed my ISP IP.

    Any other logs I should be looking at?

