Private Internet Access and pfSense

I’ve long been interested in using a VPN to access out-of-country content as well as to secure whatever nefarious activities that I may be up to. Not that I have anything to hide but it’s no one’s business what I do.

I’d toyed with Tor back when I installed Google Voice. It works but is dog slow. My interest in this subject was recently rekindled when I read this article. I found myself drawn to Private Internet Access (PIA) and its promises of low cost and unlimited bandwidth coupled with no throttling. I signed up for a monthly plan with the intention of either canceling it if I didn’t like it or switching to a full-year subscription if I did.

Signing up with PIA was easy enough. You can download client software that runs on your individual machines if you wish, but since I have a pfSense firewall, I knew I should be able to channel all traffic through PIA over VPN so I wouldn’t have to install any additional software. Here are the config steps for pfSense 2.0.1.

To start with though, make note of your current IP address as evidenced by http://ipchicken.com. We want to confirm that your IP actually changes when we’re all done.

pfSense Config Files

SSH to your pfSense server and cd to /etc. Create a file “openvpn-password.txt” with two lines, one for your PIA userid, the other for your password.

You also need to download this file from PIA and extract its ca.crt to /etc.

Set 0600 permissions on both of these files e.g. “chmod 0600 /etc/ca.crt”. You can exit SSH at this point.
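The credentials file holds your PIA login in plaintext, so its permissions matter more than anything else in this step. The script below is an added example, not part of the original post or of pfSense: it writes the two-line openvpn-password.txt the way the guide describes (never letting the file exist world-readable, even for an instant) and then checks that both secret files are mode 0600 and that the credentials file really has two non-empty lines. The target directory is a parameter so you can try it in a scratch directory before pointing it at /etc; the user name and password values are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): create the OpenVPN
# credentials file the guide describes and verify that the secret files
# carry the 0600 permissions it asks for. The file names are the ones
# the post uses; DIR is a parameter so this can be tested before
# touching /etc on the pfSense box.

# write_credentials DIR USER PASS
# Writes DIR/openvpn-password.txt with the user ID on line 1 and the
# password on line 2. The umask inside the subshell means the file is
# created owner-only from the start; chmod restates that explicitly.
write_credentials() {
    dir=$1; user=$2; pass=$3
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$dir/openvpn-password.txt" )
    chmod 0600 "$dir/openvpn-password.txt"
}

# check_secret_file FILE
# Returns 0 when FILE exists and is mode 0600 (owner read/write only).
# For the credentials file it additionally requires exactly two
# non-empty lines, since OpenVPN reads user and password by line.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # The first ten characters of ls -l are the same on FreeBSD (pfSense)
    # and Linux, unlike the flags of stat(1).
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad mode $mode on $f" >&2; return 1; }
    case $f in
        */openvpn-password.txt)
            [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || { echo "expected 2 lines in $f" >&2; return 1; }
            while IFS= read -r line; do
                [ -n "$line" ] || { echo "blank line in $f" >&2; return 1; }
            done < "$f"
            ;;
    esac
    return 0
}

# Usage on the firewall itself, after extracting ca.crt to /etc:
#   write_credentials /etc p1234567 'your-pia-password'
#   check_secret_file /etc/openvpn-password.txt && check_secret_file /etc/ca.crt
```

Run check_secret_file against /etc/ca.crt too; the CA certificate is not secret in the same sense, but the guide asks for 0600 on both files and the check enforces that uniformly.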

Certificates

In pfSense’s webConfigurator, go to System and select Cert Manager. Add a new CA, call it something like “Internal CA” using method “Create an internal Certificate Authority”. Fill in the Distinguished Name pieces below as you see fit.

Now click on Certificates and add a new certificate using “Create an internal certificate”. Call it something like “OpenVPN” and select type “Certificate Authority”.

OpenVPN Service

Go to VPN, select OpenVPN and click the Client tab. Add a new client. Leave all defaults except the following:

  • Server host or address: enter your desired PIA host e.g. us-texas.privateinternetaccess.com
  • Check “Infinitely resolve server”
  • Give it a meaningful name e.g. “Private Internet Access OpenVPN”
  • Clear “TLS Authentication” check box
  • Make sure the CA and Cert you created are selected
  • Select “BF-CBC (128-bit)” for the encryption algorithm
  • Check “Compress tunnel packets using the LZO algorithm”
  • Enter the following for Advanced at the bottom:
      auth-user-pass /etc/openvpn-password.txt
      ca /etc/ca.crt

Click Save to write your config and the OpenVPN service should start. You can click the blue “S” just under the Help menu to confirm that its status is “up”. Also check the log (blue “L”) to make sure there aren’t any errors.
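It helps to see the same client settings as an openvpn(8) configuration file, because each checkbox in the pfSense form corresponds to one directive and a text file is easier to review and diff than a screenful of form fields. The block below is an added example, not the original post's content and not what pfSense or PIA ship: it emits the equivalent client config and checks that the two Advanced lines are present and that no tls-auth line crept in (the guide clears "TLS Authentication"). UDP port 1194 and the default remote name are assumptions; the file paths are the ones from the guide.

```shell
#!/bin/sh
# Added example (not from the original post, pfSense or PIA): the client
# settings from the guide written as an openvpn(8) config, plus a check
# that the generated file matches what the guide asks for.
# Assumptions: UDP on port 1194, and us-texas as the default remote.

# client_config [HOST]  -> prints the config to stdout
client_config() {
    host=${1:-us-texas.privateinternetaccess.com}
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
# "Infinitely resolve server" in the pfSense client form
resolv-retry infinite
nobind
persist-key
persist-tun
# The two Advanced lines from the guide
auth-user-pass /etc/openvpn-password.txt
ca /etc/ca.crt
# "BF-CBC (128-bit)": a 64-bit-block cipher that OpenVPN 2.5 and later
# no longer enable by default; kept because it is what the guide selects
cipher BF-CBC
# "Compress tunnel packets using the LZO algorithm"
comp-lzo
verb 3
EOF
}

# has_directive FILE NAME -> 0 if FILE has a line that starts with NAME
has_directive() {
    grep -qE '^'"$2"'( |$)' "$1"
}

# check_config FILE -> 0 when the file carries the credential and CA
# paths and the cipher, and has no tls-auth line (the guide clears
# "TLS Authentication", so a tls-auth directive would not match it).
check_config() {
    f=$1
    has_directive "$f" auth-user-pass || return 1
    has_directive "$f" ca || return 1
    has_directive "$f" cipher || return 1
    if has_directive "$f" tls-auth; then return 1; fi
    return 0
}

# Usage: client_config > pia-client.conf && check_config pia-client.conf
```

Once pfSense has started the client, the log you check with the blue "L" reports the cipher and compression it negotiated, which is a quick way to confirm the GUI choices landed as these directives.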

Enable Interface

Go to Interfaces and select (assign). Click the add button. A new entry called OPTn should appear with “ovpnc1” as the port. Click Save. Now you can enable your new interface. Go to Interfaces and select OPTn. Simply click Enable and Save. Note that you can rename the interface if you want to something like “VPN” but it’s not necessary.

Restart the OpenVPN service so everything is in sync. Go to Status and select Services, then click the restart button beside the OpenVPN service. Then go to System: Routing and make sure the OPTn gateway has an IP address.

Firewall Config

At this point the OpenVPN service is running but you aren’t using it. You may not even be able to access the Internet in this state. While there’s a lot you can do to tailor your firewall access, here’s a quick way to route all your outgoing traffic through your new VPN connection.

Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

There’s lots more that could be done to pfSense to tighten up your security but this is a starting point.

Defining Exceptions

One client of mine requires me to log in to their Cisco VPN. Unfortunately this does not work through the VPN connection I just set up. It’s easy to force connections to their VPN server over the WAN interface, bypassing our VPN, by defining a new route as follows:

  • Go to System and select Routing. Click Routes and create a new route.
  • Enter the IP address of the remote host, in this case my client’s VPN IP address. Make sure the WAN gateway is selected and enter an appropriate name.
  • Click Save then Apply Changes.

Attempts to connect to this IP address from any device on your network will bypass the VPN and go directly to that IP address. Too easy!

Test

At this point you should have all your traffic going through the PIA VPN. You can confirm this by refreshing your ipchicken screen which should now show a different IP address.

Final Thoughts

The biggest concern I had with using a VPN like this was the performance penalty. I used http://speedtest.net before and after and there’s certainly a considerable penalty to be paid, but it’s not as bad as I had feared. I have 100-megabit service and without the VPN connection realize a max throughput of about 93 Mbps. Running the same test WITH the VPN enabled cut that in half. Fortunately, 40+ Mbps is still plenty fast for most of my needs. I have to wonder if the fact that my pfSense is running as a virtual machine plays much of a role here since there’s a whole lot of encryption going on. Perhaps I’d be better off using dedicated hardware, but that’s an experiment for another day.

I may give a few other services a try to see if they offer improved throughput. So far though I am impressed with Private Internet Access.

NOTE: These instructions are for pfSense 1.2.3. For 2.X versions, please see the additional requirements in this article, specifically relating to a bug in older versions of pfSense. Please see the first quote there for more information.

36 thoughts on “Private Internet Access and pfSense”

  1. Hi,
    I was wondering if you could elaborate a bit more the CA:

    [ Part A ]
    In pfSense’s webConfigurator,
    1. Go to System and select Cert Manager.

    2. Add a new CA, call it something like “Internal CA”

    3. Using method “Create an internal Certificate Authority”
    ?: what is the “Key Length”
    ?: What is the “Lifetime” value

    4. Fill in the Distinguished Name pieces below as you see fit.
    ?: The values in the following field can be relatively anything?

    Note: Shouldn’t the value be copied from the “ca.crt” file into the CA?

    [ Part B ]

    1. click on Certificates
    ?: Tab?

    2. add a new certificate
    ?: ‘click’ the Plus sign?

    3. Use “Create an internal certificate”
    ?: Method – select “Create an Internal Certificate”

    4. Call it something like “OpenVPN”

    5. Select type “Certificate Authority”.

    6. Common Name:
    ?: What did you put here

  2. @MWalsh

    [Part A]

    For the Key Length and Lifetime, I left them at their default values of 2048 bytes and 3650 days (i.e. 10 years). I’m sure you could change this if you had reason to. I considered increasing the Lifetime but I’m reasonably sure I won’t be using pfSense and/or PIA in 10 years so I left it as-is.

    For the Distinguished Name, I set mine to values that represent my geographic location. AFAIK these are to identify the origin of the generated cert. There’s lots of information out there about what these values mean, but since this CA isn’t shared with anyone and is local to the pfSense installation, it doesn’t really matter what you enter as long as you enter *something*.

    You do NOT have to use the value from the ca.crt file. I don’t know if it would break anything if you did but I don’t recommend it. I can however say that using my own custom entries worked for me.

    [Part B]

    Yes, click the Certificates tab followed by the “+” icon. If you hover over those buttons you see their descriptions.

    For the Common Name I used something like “my.cert” but as the example text indicates you can use something of the form “www.example.com”.

    I hope this helps you. Let me know if you have any other questions.

    1. You’re welcome, Doug. I wrote it up in my personal Wiki but it seemed wrong to keep it to myself especially after the struggles I had getting it to work.

  3. First of all, thank you for the tutorial. Everything works up until it’s time to actually access the internet. I can’t seem to get the NAT rules to allow access to the web.

  4. Thought I should mention this. Various network-related issues in my temporary apartment recently combined to force me to trash my relatively old 802.11g WiFi router in favour of a fancy new Asus RT-AC66U. I don’t actually have any wireless AC devices as yet but the new setup with external antennae provides dramatically improved WiFi signals.

    As a side benefit I was hoping to realize improved Internet speeds from this newer hardware, hopefully faster than my pfSense VM. Unfortunately the new router doesn’t seem to offer anything in the way of improved speed. If anything it actually seems to be a tad slower. While this certainly isn’t ideal, it is good enough for my current situation although it comes at the cost of my permanent PIA connection. Now I have to install their software on any machine that wants to use the proxy.

    Once the new house is built I expect to revert to pfSense and use the central PIA connection once more.

  5. You can’t do all of the configuration using the pfsense web GUI can you?

    That would be nice for folks like me who are less technical.

    1. John, the only part that requires you to SSH in is the “pfSense Config Files” part where you create the credentials file and download the certificate. I suppose you could do this using a tool like FileZilla but I’ll leave that to you to explore.

      Regardless of how you do it, those two files have to get onto your pfSense server to make this work. Good luck!

  6. Anyone have a way to do the inverse of exceptions? IE I want to make routing over the OpenVPN interface for only certain local subnets and all other traffic bypass it. I have 2 LANs, one is for VPN usage (geo specific applications) the other is for just regular surfing. When OpenVPN connects it seems to inject a default route that I cannot remove without everything stopping.

  7. Thanks for these instructions, they helped a lot.
    Now that I have the VPN set up, I’m unable to reach other computers on my LAN, like my SABNZBD server and my file shares. What do I need to do to fix this?
    Thanks again.

  8. That’s hard to say. I can’t think of any reason why services on your private network would be affected by a VPN from your router to PIA, doesn’t make sense to me.

  9. Thank you, thank you, thank you. Finally a set of directions that work! Hours and hours of frustration ended with your help. Much appreciated!

  10. Thanks for the guide. I just started looking at PIA and using it from my 2.0.3 pfsense box. I like to use OpenDNS for my family internet connection – web filter for my kids and logging. Is there a way to use both PIA and OpenDNS with my VPN connection? In my head I use PIA to bypass ISP throttling and inspection and then use OpenDNS to provide the filtering and logging.

  11. Just chiming in with my gratitude for this. PIA should update their docs with the steps for activating the interface and setting up the NAT rules. That was a huge missing piece of the puzzle that had me stopped dead until I found your blog post. Thanks for taking the time and effort to document the solution!!

  12. Hi Steve, Great set of instructions. I was stranded without your instructions. Now everything is going fine. I have one question though. If I wanted one of my machines (voip phone) not to go through the VPN, how could I do it? I tried creating a firewall rule on LAN stating that anything from this IP should use the WAN gateway and not the PIA gateway. Did not work though. Any ideas?

  13. Hi Sunil, glad this helped.

    If you look at the section on Defining Exceptions this sounds like what you want to do. I would be surprised if this doesn’t work for you. Good luck!

  14. I think I’ve followed your instructions exactly, but I can’t seem to get anything through the router.

    What should “IPv4 Configuration Type” be set to under the OPTn interface? You only state, “Go to Interfaces and select OPTn. Simply click Enable and Save.” I don’t have to set anything under the OPTn interface?

    Thanks.

    1. If nothing is going through your router, you might not have set your devices’ default gateway to the IP of the router.

      On my network, my router is at 10.0.0.1 and I configured my network’s DHCP scope such that each device automatically gets its default gateway set to this value. Of course, you very well may be using a different subnet (e.g. 192.168.0.X) but regardless, each client needs to know what default gateway to use to get to “the outside”. This is very much a simplification but you get the idea.

      I hope this helps. Good luck!

  15. Hi Steve, I did see the “Defining Exceptions” section. However, what it is talking about is destination IP. I do not know the destination IP. All I have is the source IP. I want any and all communication from an internal IP to bypass VPN. Any suggestions?

  16. Hi Sunil, unfortunately I no longer have my pfSense VM running. A RAID5 failure caused me to lose my inactive VMs otherwise I would have been more than happy to look at the config. If you want I could connect to your pfSense admin remotely and have a quick look, just let me know.

  17. The firewall rule on LAN that was specifically sending all traffic from a LAN IP to the WAN gateway was not working because I had squid/squidguard. When I removed squid, the rules started working. Need to figure out how to have squid and still be able to do this.

    1. Glad to hear you got it working, Sunil! I feel like getting back into the game with a fresh new pfSense installation…

  18. Great guide. I had issues with OpenVPN not restarting after all the configuration was completed. Rebooted the PfSense box and it came back up.

  19. Thanks for this guide! Unfortunately the one on Private Internet Access’s site wasn’t great.

    I have a bit of a problem, however. It appears that I’m unable to download anything other than plain HTML files when connected to the VPN. This means I’m unable to install new packages etcetera. I can fetch websites and view them, however I can’t fetch things like any of the speedtest downloads here: http://www.thinkbroadband.com/download.html. When I disable the VPN, everything works fine. Any idea what I could have done wrong?

    I’m quite new to pfSense, so I’ve maybe missed something!

    Thanks!

    1. Hi Matthew,

      Sorry to hear you’re having problems. I can’t imagine what’s causing this. Unfortunately I am not able to test this myself since I stopped using pfSense quite some time ago. I suggest asking this question on the PIA or pfSense support forums.

      Good luck!

    1. Hi Bob. I am using an Asus RT-AC66U with great success. I had been running pfSense as a VM but I downsized my infrastructure (long story but it involved moving to a temp apartment while building a new house and dealing with the searing heat of a bunch of servers running in my office…) and deprecated my VMware servers. Some day I plan to give pfSense 2 a whirl but for now the Asus is doing very well and giving me what I need.

  20. Your Firewall Config section saved my bacon! I’ve probably spent 30 hours screwing with the NAT and firewall rules and your tip to delete everything in NAT/Outbound and let pfSense set it got me online. I’m running old version 2.0.3-RELEASE (i386) which is stable for me since the newer versions are causing problems recognizing my WAN/LAN interfaces because apinger is problematic in the newer loads.
