Tutorial: Configuring pfSense as VPN client to Private Internet Access



  • I have a I5 6400 cpu should i leave encryption to BF-CBC (128-bit) or could it be increased i have tried aes-256-cbc but i get alot of dropouts

    also would i set cryptographic hardware thanks!



  • Thanks for the awesome guide. I'm having some trouble getting a static IP to get routed through the VPN (all the rest I want to get through the normal WAN). I've made an alias "PIA_VPN_IPs" (IP 192.168.1.230) and made a new LAN firewall rule at the top of the list passing source "PIA_VPN_IPs" to gateway PIAVPN_GW. I can see the traffic getting passed in the log below (I was pinging www.google.com) but I don't get any replies. If I ping 8.8.8.8 it works so I must be getting to the outside world? Could there be some inbound rule that's blocking the pings coming back?

    Is there any other way to see what the issue might be? I can ping from within pfsense selecting "PIAVPN" as source address and www.google.com works fine so I'm guessing my VPN connection is ok.

    Here are some passed firewall entries:
    Jul 5 19:33:56 LAN   192.168.1.230:49388   208.115.201.203:25915 TCP:S
    Jul 5 19:33:54 LAN   192.168.1.230   8.8.8.8 ICMP
    Jul 5 19:33:54 LAN   192.168.1.230:49387   208.115.201.203:25915 TCP:S
    Jul 5 19:33:52 LAN   192.168.1.230:49386   150.101.60.234:443 TCP:S
    Jul 5 19:33:48 LAN   192.168.1.230:49385   150.101.60.208:443 TCP:S
    Jul 5 19:33:48 LAN   192.168.1.230:49384   150.101.60.208:443 TCP:S
    Jul 5 19:33:44 LAN   192.168.1.230:49383   128.121.22.145:443 TCP:S
    Jul 5 19:33:44 LAN   192.168.1.230   150.101.60.230 ICMP
    Jul 5 19:33:44 LAN   192.168.1.230:53406   8.8.8.8:53 UDP
    Jul 5 19:33:41 LAN   192.168.1.230:49382   208.115.201.203:25915 TCP:S
    Jul 5 19:33:35 LAN   192.168.1.230:49381   208.115.201.203:25915 TCP:S



  • Albeit all data are here is adequate yet it you will Create OpenVPN interface then you have to run with this.

    • Click "Interfaces"

    • Click "(allocate)"

    • "Accessible system ports:" select "ovpnc1(PIA OpenVPN)"

    • Click "include chose interface" (symbol is a "+" image on a little lined sheet of paper)

    However for more vpn Configuring you may likewise investigate toptenvpnreviews

    www.toptenvpnreviews.com



  • **Today an announcement was sent and the openvpn.zip was updated. I believe I have all of the necessary steps/changes at the bottom to come up on the new cert Please let me know if this works for you… (Relevant bit highlighted below)

    To Our Beloved Users,

    The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider.

    Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.

    Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.

    To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.

    All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.

    We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies.

    In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure.

    If you have any questions, please contact us at helpdesk@privateinternetaccess.com.

    Thank you for your continued support and helping us fight the good fight.

    Sincerely,
    Private Internet Access Team


    **Steps you will need to take to continue to use this guide in the future with the new certificate or for anyone using it now who wants to use the new cert ("before/if" they revoke it.) **

    1. grab the new openvpn.zip (same location as before)

    1.  repaste new cert (ca.rsa.2048.crt) into field where ca.crt is/would go

    2. on the openvpn client tab change to "aes-128-cbc" from the pull down options for Encryption Algorithm .

    3. change server port from 1194 to 1198

    4. you could restart openvpn, but I prefer a reboot. :)**



  • We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754

    These strong settings are available on UDP port 1197 and on TCP port 501 (at least).

    Very useful article on PIA site: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-



  • @AndrewZ:

    We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754

    These strong settings are available on UDP port 1197 and on TCP port 501 (at least).

    Cool I'm using it now with aes-256 and port 1197 as stated default in openvpn file. This appears to be a new CA as well although made quite awhile ago. Can you verify as I wasn't using it before? Valid From: Thu, 17 Apr 2014 10:40:33 -0700 Valid Until: Wed, 12 Apr 2034 10:40:33 -0700

    https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip



  • The cert contained within the compressed file you linked to has been out for a while.  I've been using it for 4 months or more.



  • I'm wondering if someone can help clear up some confusion I'm having… that being said, my PIA is setup and working fine in pfSense.
    My question is regarding some confusion with CA / certificate setup.

    In this post on the PIA forums:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

    They say to:

    Certificate Setup

    - Click "System"
        - Click "Cert Manager"
        - Click "CAs"
        - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
        - "Descriptive name" type in "PIA-internal-CA"
        - "Method" select "Create an internal Certificate Authority"
        - "Key length" use "2048" bits
        - "Digest Algorithm" use "SHA256"
        - "Lifetime" type in "3650" days (10 years)
        - "Country Code :" (your choice)
        - "State or Province :" (your choice, can be invalid data)
        - "City :" (your choice, can be invalid data)
        - "Organization :" (your choice, can be invalid data)
        - "Email Address :" (your choice, can be invalid data)
        - "Common Name :" = internal-ca
    Now click "Save"

    System: Certificate Manager

    - Click "System"
        - Click "Cert Manager"
        - Click "Certificates"
        - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
        - "Method:" select "Create an internal Certificate"
        - "Descriptive name" type in "PIA-Certificate"
        - "Key length" use "2048" bits   
        - "Digest Algorithm" use "SHA256"
        - "Lifetime" type in "3650" days (10 years)
        - "Country Code :" (your choice)
        - "State or Province :" (your choice, can be invalid data)
        - "City :" (your choice, can be invalid data)
        - "Organization :" (your choice, can be invalid data)
        - "Email Address :" (your choice, can be invalid data)
        - "Common Name :" type in "PIA-Certificate"
    Now click "Save"

    In this post in pfSense forums, it makes no mention to these two steps… no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
    So, what are these two extra steps for that are listed in the PIA forums?

    Also, when adding a client, both posts agree that:
    "Client Certificate" = "webConfigurator default *In use"

    If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
    If you're not choosing that, then why even make it (like in the guide posted in this thread)?

    Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
    I figure I can use these guides as a template if I understood the difference here.

    Anyone?

    Thanks!



  • @killerb81:

    I'm wondering if someone can help clear up some confusion I'm having… that being said, my PIA is setup and working fine in pfSense.
    My question is regarding some confusion with CA / certificate setup.

    In this post on the PIA forums:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

    They say to:

    Certificate Setup

    - Click "System"
        - Click "Cert Manager"
        - Click "CAs"
        - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
        - "Descriptive name" type in "PIA-internal-CA"
        - "Method" select "Create an internal Certificate Authority"
        - "Key length" use "2048" bits
        - "Digest Algorithm" use "SHA256"
        - "Lifetime" type in "3650" days (10 years)
        - "Country Code :" (your choice)
        - "State or Province :" (your choice, can be invalid data)
        - "City :" (your choice, can be invalid data)
        - "Organization :" (your choice, can be invalid data)
        - "Email Address :" (your choice, can be invalid data)
        - "Common Name :" = internal-ca
    Now click "Save"

    System: Certificate Manager

    - Click "System"
        - Click "Cert Manager"
        - Click "Certificates"
        - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
        - "Method:" select "Create an internal Certificate"
        - "Descriptive name" type in "PIA-Certificate"
        - "Key length" use "2048" bits   
        - "Digest Algorithm" use "SHA256"
        - "Lifetime" type in "3650" days (10 years)
        - "Country Code :" (your choice)
        - "State or Province :" (your choice, can be invalid data)
        - "City :" (your choice, can be invalid data)
        - "Organization :" (your choice, can be invalid data)
        - "Email Address :" (your choice, can be invalid data)
        - "Common Name :" type in "PIA-Certificate"
    Now click "Save"

    In this post in pfSense forums, it makes no mention to these two steps… no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
    So, what are these two extra steps for that are listed in the PIA forums?

    Also, when adding a client, both posts agree that:
    "Client Certificate" = "webConfigurator default *In use"

    If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
    If you're not choosing that, then why even make it (like in the guide posted in this thread)?

    Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
    I figure I can use these guides as a template if I understood the difference here.

    Anyone?

    Thanks!

    I am wondering the same thing.

    This is what I can figure out with the little research I did.

    With OpenVPN the Client Certificate is used to authenticate the client.  Since PIA is using a Username and Password for authentication the Client Certificate ignored.

    Here's a quote from the OpenVPN how to documentation.

    Using username/password authentication as the only form of client authentication

    By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.

    While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:

    client-cert-not-required

    Such configurations should usually also set:

    username-as-common-name

    which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.

    Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

    For the Client Cert to work, PIA would need to either.
        1. generate a client certificate for each user account
        2. have each user generate a CSR and submit it to PIA who would return a client certificate to the user

    Source: https://openvpn.net/index.php/open-source/documentation/howto.html



  • I'm wondering if someone could offer some advice. I just followed this to setup PIA and openvpn on my pfsense. My setup is like this;

    at&t router –> pfsense box --> wireless AP/switch

    I got everything working with the exception of getting the openvpn client to connect via dns name. When I enter in the dns name us-midwest.privateinternetaccess.com, I get the following error in the openvpn connection logs.

    Aug 23 09:28:49 openvpn[78359]: ifconfig_pool_persist_refresh_freq = 600
    Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_defined = DISABLED
    Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_base = ::
    Aug 23 09:28:49 openvpn[78359]: ifconfig_ipv6_pool_netbits = 0
    Aug 23 09:28:49 openvpn[78359]: n_bcast_buf = 256
    Aug 23 09:28:49 openvpn[78359]: tcp_queue_limit = 64
    Aug 23 09:28:49 openvpn[78359]: real_hash_size = 256
    Aug 23 09:28:49 openvpn[78359]: virtual_hash_size = 256
    Aug 23 09:28:49 openvpn[78359]: client_connect_script = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: learn_address_script = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: client_disconnect_script = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: client_config_dir = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: ccd_exclusive = DISABLED
    Aug 23 09:28:49 openvpn[78359]: tmp_dir = '/tmp'
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_defined = DISABLED
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_local = 0.0.0.0
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_remote_netmask = 0.0.0.0
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_defined = DISABLED
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_local = ::/0
    Aug 23 09:28:49 openvpn[78359]: push_ifconfig_ipv6_remote = ::
    Aug 23 09:28:49 openvpn[78359]: enable_c2c = DISABLED
    Aug 23 09:28:49 openvpn[78359]: duplicate_cn = DISABLED
    Aug 23 09:28:49 openvpn[78359]: cf_max = 0
    Aug 23 09:28:49 openvpn[78359]: cf_per = 0
    Aug 23 09:28:49 openvpn[78359]: max_clients = 1024
    Aug 23 09:28:49 openvpn[78359]: max_routes_per_client = 256
    Aug 23 09:28:49 openvpn[78359]: auth_user_pass_verify_script = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: auth_user_pass_verify_script_via_file = DISABLED
    Aug 23 09:28:49 openvpn[78359]: port_share_host = '[UNDEF]'
    Aug 23 09:28:49 openvpn[78359]: port_share_port = 0
    Aug 23 09:28:49 openvpn[78359]: client = ENABLED
    Aug 23 09:28:49 openvpn[78359]: pull = ENABLED
    Aug 23 09:28:49 openvpn[78359]: auth_user_pass_file = '/etc/openvpn-passwd.txt'
    Aug 23 09:28:49 openvpn[78359]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Aug 23 09:28:49 openvpn[78359]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Aug 23 09:28:49 openvpn[78359]: WARNING: file '/etc/openvpn-passwd.txt' is group or others accessible
    Aug 23 09:28:49 openvpn[78634]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Aug 23 09:28:49 openvpn[78634]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Aug 23 09:28:49 openvpn[78634]: LZO compression initialized
    Aug 23 09:28:49 openvpn[78634]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
    Aug 23 09:28:49 openvpn[78634]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Aug 23 09:28:49 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known Aug 23 09:28:49 openvpn[78634]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
    Aug 23 09:28:49 openvpn[78634]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Aug 23 09:28:49 openvpn[78634]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Aug 23 09:28:49 openvpn[78634]: Local Options hash (VER=V4): '41690919'
    Aug 23 09:28:49 openvpn[78634]: Expected Remote Options hash (VER=V4): '530fdded'
    Aug 23 09:28:49 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Aug 23 09:28:54 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
    Aug 23 09:28:59 openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known

    If I enter in the IP address, it will connect and everything will work. However this isn't acceptable as every couple days the IP address changes.

    I've tried setting up my DNS servers to be the at&t router as well as the PIA DNS servers and neither seems to work.


  • LAYER 8 Netgate

    Looks like your firewall can't resolve names. Or at least that name.

    What is your DNS configuration in System > General?

    Can you resolve names in Diagnostics > DNS Lookup?

    When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?



  • @Derelict:

    Looks like your firewall can't resolve names. Or at least that name.

    What is your DNS configuration in System > General?

    Can you resolve names in Diagnostics > DNS Lookup?

    When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?

    DNS is pointing to 209.222.18.218 and 209.222.18.222 and both are using the WAN interface as gateway.

    I can resolve names when I connect to the VPN via IP address but when it's trying to connect vie DNS name, it will not resolve. I get…
    127.0.0.1 0 msec
    209.222.18.218 No response
    209.222.18.222 No response

    I"m not able to see the update nor see packages when this happens.


  • LAYER 8 Netgate

    209.222.18.218  No response
    209.222.18.222  No response

    Have to figure that out…


  • LAYER 8 Global Moderator

    ;; QUESTION SECTION:
    ;218.18.222.209.in-addr.arpa.  IN      PTR

    ;; ANSWER SECTION:
    218.18.222.209.in-addr.arpa. 300 IN    PTR    resolver2.privateinternetaccess.com.

    So your saying pfsense can not use them..  Well pfsense doesn't go out the vpn for its own traffic..

    I can use them from non privateinternaccess.  Does your normal isp block/redirect dns traffic and only allow you to use their dns?

    that fqdn your trying to connect resolves just fine

    ;; QUESTION SECTION:
    ;us-midwest.privateinternetaccess.com. IN A

    ;; ANSWER SECTION:
    us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.87
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.62
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.54
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.80
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.27
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.79
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.20
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.140
    us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.7
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.101.131
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.116
    us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.69
    us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.9

    ;; AUTHORITY SECTION:
    privateinternetaccess.com. 86400 IN    NS      ns2.p28.dynect.net.
    privateinternetaccess.com. 86400 IN    NS      ns4.p28.dynect.net.
    privateinternetaccess.com. 86400 IN    NS      ns3.p28.dynect.net.
    privateinternetaccess.com. 86400 IN    NS      ns1.p28.dynect.net.

    How do you have your pfsense setup for dns.. Looks like you point to loopback which would be a normal setup if using the resolver, but then why do you have the PIA dns listed there as well??  How do you have pfsense setup for dns, forwarder, resolver, resolver in forward mode?



  • Ok, I think I know what's going on here now. My pfSense WAN interface is receiving a bridged connection from the router. I'm not for sure how this was resolved but I figured that my ISP might not allow alternate DNS servers and thus the PIA servers I put in weren't being allowed. So what I did was remove those PIA DNS servers under system –> general setup and then check the box for Allow DNS server list to be overridden by DHCP/PPP on WAN. After doing that, I rebooted and then reran the test and it was successful and connected to the VPN via the DNS name instead of the IP address.

    However, that allowed a DNS Leak and I don't want that. So I simply redid my settings, adding the PIA DNS entries back again under system –> general setup and unchecked the box. I'm not really sure if something is operating off a cached IP address or value but things are working now. I guess we'll see if things blow up again in a few days.


  • LAYER 8 Global Moderator

    So your using the forwarder not the resolver?

    You can force the resolver to use the vpn connection I do believe.  In the resolver settings pick your vpn interface for the outgoing connection, put it in forwarder mode and put your pia nameservers in general setup and make sure you uncheck allow dhcp override your dns, etc.  dnssec prob doesn't work with their nameservers, would have to check.

    So I put in that IP you listed, changed my resolver to forwarder and picked the vpn interface that I have setup to one of my vps as the outgoing interface.  Did a simple test of what is the IP of what is doing dns for me and

    
    > dig whoami.akamai.net
    
    ; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36815
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;whoami.akamai.net.             IN      A
    
    ;; ANSWER SECTION:
    whoami.akamai.net.      180     IN      A       209.222.18.218
    
    ;; Query time: 150 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu Aug 25 13:58:05 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 62
    
    

    I put it back to resolver

    
    > dig whoami.akamai.net
    
    ; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11143
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;whoami.akamai.net.             IN      A
    
    ;; ANSWER SECTION:
    whoami.akamai.net.      180     IN      A       24.13.snipped
    
    ;; Query time: 12 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu Aug 25 14:02:01 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 62
    
    

    And as expected comes back with my public IP since I am doing the resolving directly, etc.



  • Hello,

    I've been trying to configure a setup where my Plex servers torrent traffic is routed through openVPN/PIA. I would also like still access my plex server remotely. I run the plex server on a different VLAN than the rest of my network (ex. VLAN30). So, I guess in essence what I'm trying to do is setup split tunneling so all my torrent traffic is secure using openvpn/PIA and all other traffic is sent over the network as usual.

    I tried to use the tutorial in this post however, after following the instruction I lost all my Vlan interfaces and only had access to the LAN interface. I used a backup config.xml to restore my old settings but I really need some help.

    I'm not sure what logs or screenshots I could offer to assist with troubleshooting. Let me know and I will provide then ASAP.



  • Great this is still alive and thanks again to everyone contributing. My [nflx-movies] were using an alias for IP's going through PIA and working fine.  Then all of a sudden quit; along with my [amzn-jungle] box which gives geo-restriction.  What changed?  Jungle always worked, didn't complain like movies which was blocked for everyone a while back.  Is there a simple setup so I can check my DNS to be correct?  Currently I have DNS Srvr 1 as PIA with the PIAopt1 interface assigned.  DNS 2 is google with the WAN_DHCP interface assigned.  My setup is ISP provider router to PFsense box which controls local Lan.  Some clients [jungle/movies] are under a firewall alias that routes everything through PIA.  Other clients just bypass PIA and go out ISP router.  All this is tested and works.  I find it hard to believe that jungle all of the sudden is geo-blocking due to PIA?  If others are seeing this please post.  Otherwise, what did I change that I need to correct?  Thanks!



  • I'm able to connect just fine to PIA, but I'm seeing this in the logs every 10-15 seconds or so.  Can someone help me interpret this?

    Oct 18 01:25:46 openvpn 13031 MANAGEMENT: CMD 'state 1'
    Oct 18 01:25:46 openvpn 13031 MANAGEMENT: CMD 'status 2'
    Oct 18 01:25:46 openvpn 13031 MANAGEMENT: Client disconnected
    Oct 18 01:25:51 openvpn 13031 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 18 01:25:51 openvpn 13031 MANAGEMENT: CMD 'state 1'
    Oct 18 01:25:51 openvpn 13031 MANAGEMENT: CMD 'status 2'
    Oct 18 01:25:51 openvpn 13031 MANAGEMENT: Client disconnected
    Oct 18 01:25:58 openvpn 13031 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 18 01:25:58 openvpn 13031 MANAGEMENT: CMD 'state 1'
    Oct 18 01:25:58 openvpn 13031 MANAGEMENT: CMD 'status 2'
    Oct 18 01:25:58 openvpn 13031 MANAGEMENT: Client disconnected

    Advanced options as follows:

    persist-key
    persist-tun
    remote-cert-tls server
    auth-nocache
    script-security 2
    tls-version-min 1.2

    I see the same "Management" things anyways with or without some of the above advanced options.


  • LAYER 8 Netgate

    I believe those are simply logging of the Status > OpenVPN page or the OpenVPN status dashboard widget.

    Turning down logging should clear those if they bother.



  • Leaving this note for myself for 6 months when I forget.  8). Unsure if it was discussed prior, but may be worth adding to the tutorial.

    I was struggling with the routing part, as I expected the traffic to stop when my gateway went down, once I assigned a VPN gateway to the "Default allow LAN to any rule"

    In order to make this work how I expected, I had to make the following change:

    (System | Advanced | Miscellaneous)
    Do not create rules when gateway is down
    By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.



  • While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

    Problem:
    I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

    Any idea of what to observe or what config to check or change would be appreciated. Thanks!

    Intent:
    Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

    Network:
    ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
    SG-2440 is at 2.3.2.p1, no added packages

    Gateways:
    DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
    PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
    PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

    Interfaces:
    Existing defaults: WAN, LAN
    Deleted: OPT2 (unused)

    Firewall:
    NAT:
    Existing: (6) WAN Mappings
    Copied: (6) and rename Interface: PIAVPN

    Aliases:
    Roku / 192.168.1.209
    VPNPath / 192.168.1.200-208 range

    Rules: WAN: (only existing block private and bogon)
    Rules: PIAVPN: (no rules)
    Rules: OpenVPN: (no rules)

    Rules: LAN:
    Added: Roku / any port,dest / DSLGW gateway
    Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>



  • @CTrax:

    While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

    Problem:
    I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

    Any idea of what to observe or what config to check or change would be appreciated. Thanks!

    Intent:
    Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

    Network:
    ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
    SG-2440 is at 2.3.2.p1, no added packages

    Gateways:
    DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
    PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
    PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

    Interfaces:
    Existing defaults: WAN, LAN
    Deleted: OPT2 (unused)

    Firewall:
    NAT:
    Existing: (6) WAN Mappings
    Copied: (6) and rename Interface: PIAVPN

    Aliases:
    Roku / 192.168.1.209
    VPNPath / 192.168.1.200-208 range

    Rules: LAN:
    Added: Roku / any port,dest / DSLGW gateway
    Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>

    3 things to check:
    -See my post above, make the change.
    -RE: LAN rules Roku is set at your "source"
    -put your alias under Firewall | Aliases | IP

    Also may want to try just plugging in the address to the source (e.g. 192.168.1.209 for roku), and not using an alias, just for testing.



  • Just now I went through this howto to set up a virtualized pfSense as VPN client. Since I do not want all traffic to go through VPN, just one or two specific programs, I figured I'd set up a virtual pc with pfSense and Squid and set the programs in question to connect to Squid so that the traffic goes through pfSense and it's VPN client.

    I got a bit confused at the compression setting, there is nothing to check, instead there's a drop down menu with 5 options, I set it to "enabled with adaptive compression". Not sure if it's the right choice though…

    Plus option "Auth digest algorithm" is not listed in the howto, I left the default setting as it was, SHA1 (160-bit)

    After finishing following the howto, I ended up with "reconnecting; tls-error" as status and this in the log:

    Aug 30 14:25:40 openvpn 26470 TLS: Initial packet from [AF_INET]46.166.137.250:1194, sid=95cdf14a 8a04e2c6
    Aug 30 14:25:40 openvpn 26470 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Aug 30 14:25:40 openvpn 26470 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Aug 30 14:25:40 openvpn 26470 TLS_ERROR: BIO read tls_read_plaintext error
    Aug 30 14:25:40 openvpn 26470 TLS Error: TLS object -> incoming plaintext read error
    Aug 30 14:25:40 openvpn 26470 TLS Error: TLS handshake failed
    Aug 30 14:25:40 openvpn 26470 TCP/UDP: Closing socket
    Aug 30 14:25:40 openvpn 26470 SIGUSR1[soft,tls-error] received, process restarting
    Aug 30 14:25:40 openvpn 26470 Restart pause, 2 second(s)

    I solved that by changing the port from 1194 to 1198 and the encryption algorithm from BF-CBC (128-bit) to AES-128-CBC (for standard certificates), see https://www.privateinternetaccess.com/forum/discussion/comment/42294/#Comment_42294 for more info.

    After that, the VPN showed as "up", so I accessed pfSense's console and ran both```
    curl -s checkip.dyndns.org | sed -e 's/.Current IP Address: //' -e 's/<.$//'

    curl ipinfo.io/ip

    Both show an IP-address that's not my public IPv4-address issued by my ISP, nor the private address issued by my router to pfSense's WAN-interface, so I guess its working :)
    
    I have some questions though.
    - Should I disable IPv6 on pfSense? Since PIA doesn't seem to support it.
    - As for the NAT-rules part of the howto, I doubled all the rules while setting the VPN as interface as instructed. Since there are now rules for two outbound interfaces, how will I know if the traffic always goes through the VPN?


  • @CTrax:

    While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

    Problem:
    I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN – such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

    Any idea of what to observe or what config to check or change would be appreciated. Thanks!

    Intent:
    Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

    Network:
    ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.1681.X local net
    SG-2440 is at 2.3.2.p1, no added packages

    Gateways:
    DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
    PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
    PIAVPN_VPNV6 / WAN / <blank>/ <blank>/ Interface PIAVPN_VPNV4

    Interfaces:
    Existing defaults: WAN, LAN
    Deleted: OPT2 (unused)

    Firewall:
    NAT:
    Existing: (6) WAN Mappings
    Copied: (6) and rename Interface: PIAVPN

    Aliases:
    Roku / 192.168.1.209
    VPNPath / 192.168.1.200-208 range

    Rules: WAN: (only existing block private and bogon)
    Rules: PIAVPN: (no rules)
    Rules: OpenVPN: (no rules)

    Rules: LAN:
    Added: Roku / any port,dest / DSLGW gateway
    Added: VPNPath / any port,dest / PIAVPN gateway</blank></blank>

    Hi

    Just been struggling with a similar problem and concluded that it was my settings under Firewall/NAT/Outbound - Manual Outbound that were wrong. I had overwritten the existing rules with my VPN rules rather than duplicating and then modifying.

    Copy of Rules that sorted it for me is shown below.
    Hope you can get it sorted.




  • I don't think the ISAKMP/500 rules need to be created for the VPN.  Just the two (localhost to VPN and LAN to VPN).  They can be safely removed.



  • I followed the PIA guide on their support page completely however it didn't work.  For grins I went in and saw that there was a system update.  I was on 2.3.4 and 2.4 released on Oct 10th.  I have no clue if the update resolved some type of internal software issue however after going back in and having to redo the configs it is now working.  Just figured that I would share for anyone that might be running into issues recently.  Thanks for the tutorial.  I will need to come back to it again for setting up a machine or two to skip using it.

    On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?



  • @fnkngrv:

    On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?

    Are you using Unbound as a DNS Resolver or the old school dnsmasq for DNS Forwarding?  You can have your cake and eat it too.  Meaning, you can have all your clients' DNS queries get routed over the VPN, but the pfSense box itself still needs to be able to do DNS in case the VPN tunnel goes down.

    So your list would be something like:

    127.0.0.1 (this is there by default, no need to manually add)
    DNS 1
    DNS 2
    DNS 3
    etc.

    This way for PIA you don't have to hardcode the IP address in the OpenVPN client configuration page.  You can actually do the FQDN us-florida.privateinternetaccess.com (or whatever).



  • This is an excellent tutorial and in great detail.
    I have set the PIA client successfully however I have also set an OpenVPN sewrver for remote access and these 2 don't seem to work together. I have to disable the server to have the PIA Client encrypting traffic while if I want to connect to my LAN from a remote location, I have to disable the PIA client.

    Can anyone please advise what rules should anyone use in order to have both OpenVPN instances running at the same time?

    Any help woul;d be much appreciated.


  • LAYER 8 Netgate

    They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.



  • @Derelict:

    They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

    Does this mean I have to choose under Firewall - Rules - OpenVPN Server a different gateway for the server? (''clean'' WAN instead of the PIA gateway)

    Thanks!


  • LAYER 8 Netgate

    You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.



  • @Derelict:

    You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

    Still can't set it right. When a client is connected to the OpenVPN server, my PIA connection is either slow or down. I have to disable the server to get my connection back.

    Do I have to create a rule for both OpenVPN and PIA interfaces or just for OpenVPN? Currently under Firewall –-> Rules ---> PIA there aren't any rules set at all.

    I have created a rule for the OpenVPN interface to look like the one below:

    Interface: LAN (''Bridge'' in my case as I have bridged 2 NICs to act as one)
    Address Family: IPv4
    Protocol: TCP/UDP
    Source:Any
    Destination: Any
    Destination Port Range: 1194

    Advanced Options -->  "Gateway"---> WAN

    I apply the above but still don't see any difference.



  • Anyone that can actually help with the problem above? It will be much appreciated.

    I did the following:

    -I have created separate interfaces for both my PIAVPN and OpenVPN Server.

    -Under NAT, I generated the default WAN ''Outbound'' values for both PIAVPN (client) & OpenVPN Server

    -Created a WAN rule which allows TCP/UDP traffic to port 1194 and have selected under ''Advanced Settings'' –--> ''Gateway'' the WAN_DHCP instead of the ''Default'' I then duplicated that rule to be present under ''LAN'' as well as under ''Bridge'' tab as I have bridged the 2 NICs of my APU2C4 to act as one LAN.

    -There are no rules at all under the tabs ''OpenVPN'', ''LAN2'', ''OPENVPN'', ''BR0''.
    At the moment, rules are set only for ''WAN'', ''LAN'' and ''Bridge''.

    On the pfSense dashboard the available interfaces are all being shown as active:

    WAN        ---- up        (ip assigned)
    LAN          ---- n/a
    LAN2        ---- n/a
    PIAVPN    ---- up        (ip assigned)
    OpenVPN  ---- up        (ip assigned)
    BR0          ---- up        (ip assigned)

    What am I missing?



  • I've followed a few different guides, and googled for quite a while and can't seem to get my connection to work properly. 
    My mappings are set:

    pfSense shows openVPN as connected, and my VPN interface has an IP assigned to it.  Everything looks like it should be good

    I have two LAN firewall rules to specify which computers use the vpn and which don't:

    I am unable to access the internet when OpenVPN is connected from a VPN_Users aliased computer.
    I am able to ping fine from this computer ex. www.google.ca, but when I try to load a page Firefox just sits saying "Preforming TLS Handshake with.." and never loads. As soon as I shut down OpenVPN service, internet works as normal

    I've tried looking at the log, but see no mention of an error.

    I'm assuming this is related to my firewall not being configured properly and blocking the access.  I just don't know what I'm missing.

    Any Suggestions?



  • @Haze028, I noticed your LAN network is 150.160.170.0/24, which is a public IP range.  If you haven't purchased or otherwise own this block of IPs, you should stick with private IP ranges.





  • i've followed the instructions above and now i am getting several events in the logs

    WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

    WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
    WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

    seems like several red flags.  what is everyone's opinion on this?



  • @bcruze:

    i've followed the instructions above and now i am getting several events in the logs

    WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

    WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a –cipher with a larger block size (e.g. AES-256-CBC).
    WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

    seems like several red flags.  what is everyone's opinion on this?

    I get the 'link-mtu' warnings as well.  The Blowfish/SWEET32 warning is because PIA can't competently maintain their systems (and I'm a customer!) and still defaults to BF-CBC instead of at least AES-128-CBC.  They really should be using the latest OpenVPN 2.4.4 with NCP support.  As much as I like PIA, they can be a real frustrating PI[T]A….

    As long as you (the client endpoint) have your config set to use AES-128-CBC or AES-256-CBC, it'll override the server settings, so don't worry about that warning.



  • Thanks for the guide. I was able to get this configured in about an hour or so. There are a couple of things to note:

    1. OpenVPN server port numbers are different for PIA depending if you use a sha256 or sha128 cert: https://www.privateinternetaccess.com/forum/discussion/21213/sha256-with-openvpn

    2. I didn't want my Steam gaming traffic going over the VPN (ports 27000-27015,…) so I used a NAT Alias to create a list of ports to apply to the outbound NAT rule.



Log in to reply