pfSense Forum

pfSense English Support => OpenVPN => Topic started by: mpboden on April 26, 2014, 06:01:11 pm

Title: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on April 26, 2014, 06:01:11 pm
I recently wrote a tutorial on configuring pfSense as a VPN Client to Private Internet Access: http://www.bodenzord.com/archives/324
I thought I'd reproduce it here as a way to say thanks to the developers as well as give back to the pfSense community. My hope is that it'll help others through the process of setting this up.

If you find errors or I'm incorrect in any way, please let me know.



Configuring pfSense as VPN Client to Private Internet Access

Configuring pfSense as a VPN Client to Private Internet Access (PIA) is relatively easy. However, there are a few things to watch out for, especially after pfSense version 2.1.1. In this tutorial, I'll show you how.

There are other tutorials available around the internet, but I feel that some are severely inaccurate or missing a couple key steps. When I was configuring my setup, I could not find a single tutorial that was complete and accurate. As a result, I had to piecemeal everything together to get it to work.

Additionally, pfSense changed some of the code in version 2.1.1 with regards to Outbound NAT rules to OpenVPN interfaces. Beforehand, things were a bit easier. But starting with version 2.1.1, there are additional configuration settings that need to be set. It's not that big of a deal. Before it was automatic. Now it's manually configured.

Anyway, I am going to break this down into a step-by-step process without any explanation along the way. Then afterwards, I'll do my best to explain a few details and to highlight what change was made in pfSense 2.1.1.

This tutorial assumes the following:

Also note that I will be referencing Private Internet Access as PIA throughout the tutorial.

Getting Started

We need to acquire a few things first. Start by downloading openvpn.zip from Private Internet Access, https://www.privateinternetaccess.com/openvpn/openvpn.zip. This supplies their ca.crt file and .ovpn files, which include the names of their servers. You won't be using any of the .ovpn files directly, but you can view them in a text editor to get the name of a specific server you want to connect to. Additionally, you'll need your username and password, which were provided to you by PIA. We'll be using these later.

Next, log into your pfSense administration panel. Now let's go through the following steps in greater detail:


1. Create CA Certificate
2. Create Password File
3. Create OpenVPN Client
4. Create OpenVPN interface
5. Configure NAT Rules
6. Verify OpenVPN Service

At this point, your system is configured. The only thing you may need to do is restart your OpenVPN Service.

Verify OpenVPN Logs:

A few other observations to make:

Explanation

Now that we have the VPN up and running, allow me to explain a few things.

verb 5;

When I set up the OpenVPN client, you will have noticed that I added an advanced directive: verb 5. This advanced setting is simply used to increase the verbosity of the OpenVPN log files. This is a personal preference and you can adjust accordingly. However, as I continue to explain a few things, I'll reference the log files. Without this advanced directive, your log files will differ and you may not see the same logs that I reference.

remote-cert-tls;


Another advanced directive I configured was: remote-cert-tls. This advanced setting is used to prevent Man-In-The-Middle attacks, and the server needs to be configured properly for this to work, which Private Internet Access servers are.

Quoting from OpenVPN manual:

Quote
--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.
This is a useful security option for clients, to ensure that the host they connect to is a designated server.

Also from OpenVPN manual:

Quote
This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --tls-remote, or --tls-verify.

Thus, 'remote-cert-tls server' means that the certificate has "TLS Web Server Auth" as an extended property.

So when configuring your OpenVPN client with this directive, take a look at your logs. You will see the following lines that validate and verify the certificate. Without this advanced setting, these lines will not be in your logs and this validation is not performed:


openvpn[65701]: Validating certificate key usage
openvpn[65701]: ++ Certificate has key usage 00a0, expects 00a0
openvpn[65701]: VERIFY KU OK
openvpn[65701]: Validating certificate extended key usage
openvpn[65701]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
openvpn[65701]: VERIFY EKU OK
openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com


Routing

In some tutorials I found, I was instructed to configure my Firewall LAN rules with an advanced setting to specifically choose my Gateway. I found that this wasn't necessary by default with a base installation of pfSense. It's only necessary with more advanced firewall configurations. The following image is how the default firewall rules are for the LAN.

(http://www.bodenzord.com/wp-content/uploads/2014/04/PIA_Default_Firewall_LAN.gif)

Take note of the middle rule for IPv4 protocol. This is the default "Allow All" rule that says that any Source IP with any Port is allowed to go to any Destination IP to any Port on any Gateway. With this rule, the decision of which Gateway (interface) to use, WAN or PIAVPN, is made via the system routing table. Now we can override this so that we force LAN traffic to use a specific gateway. As an example, do the following:

Now that this has changed, you'll see that your OpenVPN Gateway has been specified for this rule, and this means that all LAN traffic bypasses the system routing table and always goes out your OpenVPN interface to the Private Internet Access server.

(http://www.bodenzord.com/wp-content/uploads/2014/04/PIA_Gateway_Set.gif)

Now I want to point out that we haven't made the VPN function any differently. All we've done is force LAN traffic out the VPN interface instead of having the system routing table make that same decision for us. Why would we want to do this? Well, by creating specific rules for your firewall, you can then force certain clients out the VPN or out the WAN or whatever you want to do. This is just one more tool to allow you to control the firewall exactly how you want.

Manual Outbound NAT

If you were setting up your own peer-to-peer VPN and you had control of both the VPN Server and VPN Client, then you wouldn't need to NAT the client-side LAN subnet to the VPN tunnel IP as we're doing in this tutorial. Instead, you would use routing and NAT on the server to achieve your goal of reaching the internet through the VPN Server. Obviously, we have no control of PIA's servers. Additionally, PIA doesn't know the specific subnet we're using on our LAN so that they can configure their servers to route and NAT our traffic out their public IP. Instead, they route and NAT the VPN tunnel IP, because that's what they have control over. This is why we have to create an OpenVPN interface, which the VPN tunnel IP attaches to, and NAT our LAN traffic to it. In the end, this is a double-NAT situation, once from LAN-to-VPN-tunnel-IP on the VPN Client, and again from VPN-tunnel-IP-to-public-IP on the VPN Server.

As you'll recall, we configured our Outbound NAT rules manually. These rules are what NATs our LAN subnet to the VPN tunnel IP. But why do we have to manually configure these rules? Why aren't they automatically created?

With versions of pfSense prior to 2.1.1, it wasn't necessary to manually configure the NAT rules as we've done. However, the configuration change from Automatic Outbound NAT to Manual Outbound NAT was still required. It's just that prior to 2.1.1, the necessary rules you needed to get your LAN subnet NAT'ed to your VPN tunnel IP were automatically created for you when you made this change to Manual Outbound NAT - as odd as that may sound.

So you may be wondering, "Why are NAT rules automatically created in Manual mode but not in Automatic mode? Isn't this a break in logic?" I thought the same, so I posted my questions to the pfSense forum in the hopes of discovering why: https://forum.pfsense.org/index.php?topic=73727.0. The funny thing is, I got my answers, but the end result was a change in code starting with version 2.1.1 which requires manual configuration for Outbound NAT to OpenVPN interfaces.

To put it simply, prior to version 2.1.1, Automatic Outbound NAT rules skipped OpenVPN interfaces, yet these interfaces were still considered when automatically creating the first set of manual rules. Starting with version 2.1.1, the code has since been changed so that OpenVPN interfaces are also skipped when automatically creating the first set of manual rules. Here is the bug submission at Redmine if you want further clarification: https://redmine.pfsense.org/issues/3528
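As an added example (not from the tutorial, nor from pfSense or OpenVPN), the log check described in the remote-cert-tls section above turned into a small audit script: it reads an OpenVPN log excerpt and reports whether the key-usage and extended-key-usage checks that `remote-cert-tls server` adds actually ran, and which server certificate was accepted. The first log sample is the excerpt shown above; the second is a constructed counter-example of a client that only verified the chain.

```python
import re

# Constructed sample: the lines the post shows for a client running with
# `remote-cert-tls server` at verb 5.
LOG_WITH_REMOTE_CERT_TLS = """\
openvpn[65701]: Validating certificate key usage
openvpn[65701]: ++ Certificate has key usage 00a0, expects 00a0
openvpn[65701]: VERIFY KU OK
openvpn[65701]: Validating certificate extended key usage
openvpn[65701]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
openvpn[65701]: VERIFY EKU OK
openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
"""

# Constructed counter-example: only the CA chain was checked (no KU/EKU lines),
# which is what a client without the directive would log.
LOG_WITHOUT_REMOTE_CERT_TLS = """\
openvpn[65701]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
openvpn[65701]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
"""

EXPECTED_EKU = "TLS Web Server Authentication"  # what `remote-cert-tls server` demands

_VERIFY_OK_RE = re.compile(r"VERIFY OK: depth=(\d+), (.*)$")
_EKU_RE = re.compile(r"Certificate has EKU \(str\) (.+?), expects (.+)$")


def parse_subject(dn: str) -> dict:
    """Split 'C=US, ST=OH, ..., CN=server' into a dict keyed by attribute name."""
    parts = {}
    for item in dn.split(", "):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    return parts


def audit_verification(log_text: str) -> dict:
    """Summarise which certificate checks the excerpt proves were performed."""
    result = {
        "ku_ok": False,          # 'VERIFY KU OK' seen
        "eku_ok": False,         # 'VERIFY EKU OK' seen
        "eku_seen": None,        # EKU string OpenVPN reported on the leaf cert
        "chain_ok": False,       # 'VERIFY OK: depth=0' seen (leaf accepted)
        "leaf_subject": None,    # subject of the depth=0 (server) certificate
    }
    for line in log_text.splitlines():
        if "VERIFY KU OK" in line:
            result["ku_ok"] = True
        elif "VERIFY EKU OK" in line:
            result["eku_ok"] = True
        m = _EKU_RE.search(line)
        if m:
            result["eku_seen"] = m.group(1)
        m = _VERIFY_OK_RE.search(line)
        if m and m.group(1) == "0":
            result["chain_ok"] = True
            result["leaf_subject"] = parse_subject(m.group(2))
    return result


def verdict(log_text: str) -> str:
    """One-line conclusion: was the peer's server role actually enforced?"""
    r = audit_verification(log_text)
    if not r["chain_ok"]:
        return "no successful server certificate verification in excerpt"
    if r["ku_ok"] and r["eku_ok"] and r["eku_seen"] == EXPECTED_EKU:
        return "server role enforced (KU and EKU verified)"
    return "chain verified only: remote-cert-tls server is not in effect"


if __name__ == "__main__":
    for name, text in (("with directive", LOG_WITH_REMOTE_CERT_TLS),
                       ("without directive", LOG_WITHOUT_REMOTE_CERT_TLS)):
        print(f"{name}: {verdict(text)}")
```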
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Colin_Maclaurin on April 28, 2014, 04:03:35 pm
I appreciate your taking the time to cobble together such a thoroughly written tutorial on setting up PIA on pfSense. I struggled with this and found much like yourself that I had to use bits and pieces of several tutorials before I could get the VPN up and running.

This should probably be a sticky to make it easy to find.

Thank you again.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Altis on May 26, 2014, 07:42:10 am
Much appreciated, thank you for taking the time to do this.
What do you use / recommend using as a DNS server?
Specifically, can I use PIA's DNS servers?  Reason to ask is when I do, after some time (a day or two) the system stops internet communication with DNS failure.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: divsys on May 26, 2014, 08:04:48 am
That's a good in depth tutorial, thanks for all your efforts  :)

One (very) minor nit, I would suggest that you remove the "verb 5" entry once you have verified that the connection is up and running properly.  I use that entry myself when I'm trying to diagnose OpenVPN issues (sometimes I'll even use verb 7 for more info).  In the long run I find the log files just get filled with too much excess using 'verb 5' for a stable connection.

It's useful for seeing the initial configuration of your setup, but is a bit excessive in normal operation.

Just my $0.02, thanks for all your work ;D
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on June 04, 2014, 12:20:09 pm
What do you use / recommend using as a DNS server?
Specifically, can I use PIA's DNS servers?

The easiest way that I've found is to go to System->General Setup, and enter the DNS servers that you want to use. It can be Google's or PIA's or any other. But then uncheck: "Allow DNS server list to be overridden by DHCP/PPP on WAN". After saving, a DNS Leak test at www.dnsleaktest.com or ipleak.net will show the DNS servers you specified.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on June 04, 2014, 12:21:29 pm
One (very) minor nit, I would suggest that you remove the "verb 5" entry once you have verified that the connection is up and running properly.  I use that entry myself when I'm trying to diagnose OpenVPN issues (sometimes I'll even use verb 7 for more info).  In the long run I find the log files just get filled with too much excess using 'verb 5' for a stable connection.

Thanks for the tip. Much appreciated.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: binaryjay on June 10, 2014, 08:02:16 am
Hello.   I appreciate the tutorial in getting things running with PIA, and I've been able to get all outbound on my network through PIA just fine however that is not what I want.

The thing is, it seems that the tunnel takes over all outbound over the WAN as soon as it is started.  That is, when starting the tunnel, if using the automatic NAT rules - I cannot get out to the WAN at all.  Once creating the manual rules, you can get out to the WAN but everything is going out to the WAN.   I really just wanted to keep the tunnel up but have the LAN continue to go directly to the WAN until I specifically change something to selectively go through the tunnel (such as, only for a specific LAN IP).

What am I missing here in terms of setting things up so at the very least I have this situation as a starting point:

1) Have the tunnel interface UP
2) It is not actually used, everything continues to work as it did prior to bringing tunnel up.

Basically, I thought bringing the tunnel up would just be like adding another NIC to the system with no link or further configuration.  Clearly I was wrong - I need to disable the tunnel for now as it is just not workable for us to have everything always going through it.

Thanks!

Edit:  Well, I've figured out I need the route-nopull client option to keep the vpn server from mangling up my default routes.  I just need to figure out the rest now in terms of getting specific IPs traffic all through the tunnel ... do I use route options in openvpn or outbound nat or...?   Fun stuff...

Edit Again:  Okay, had to assign an interface to the tunnel.  The tunnel refused to work with route-nopull... so that had to stay.  Then I created manual firewall lan rule for specific host to use the VPN gateway and modified the existing LAN to WAN rule placed underneath to use the WAN gateway.  Then I needed to create a new rule for the VPN interface just to allow traffic through it.  Finally, I added outbound NAT for the host above the auto created rule for the VPN interface. 

It all seems rather messy to me, I may very well be doing more than I really need to but it seems to be working.  All hosts on the LAN are using the normal WAN except for a specific one that I want always routing through the VPN.

This is much better than the old situation of that host having to open its own tunnel which was prone to going down during network interruptions, and the other host has a much lower power CPU than my pfSense router so distributing the load of OpenVPN to the router in this case frees up a lot of cycles on that host.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ouldsmobile on June 16, 2014, 08:13:53 am
@ binaryjay

I think you may be overcomplicating things here. If you follow the tutorial, when finished the tunnel should be routing all traffic due to the firewall rule that was created in the tutorial, you would just need to disable or edit it to only push the traffic you need. It's pretty easy to set up for one host. Just create a new rule or edit the existing one with the source being the machine IP that you want to go through the tunnel, and under advanced the VPN interface you have created, usually OPT1. You can do the same using specific destination ports or destination IP ranges if you want to get fancy and only push certain traffic through the tunnel, i.e. for geoblocked services etc.

@ Everyone else

Anyone else have the tunnel go down rather frequently using this service? I am connecting to the US-East server and I find my connection reset rather frequently at times? FWIW my WAN connection very rarely goes down so it's not that. All I see in the logs is the following when it disconnects:

Code:
Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)

Just wondering if this is normal for PIA? Seems to be happening multiple times daily. I don't recall having this issue when I had PIA openvpn setup on one of my linux boxes but maybe I just wasn't watching it as closely. :-)

Thanks,

Kevin
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on June 16, 2014, 12:33:35 pm
the tunnel takes over all outbound over the WAN as soon as it is started.

This tutorial is written so that all LAN traffic is routed through the VPN using the system routing table. So this is to be expected.

If you followed this tutorial exactly, then there are two ways that I know of to accomplish what you want.

1) This first option is more involved, because it requires editing every firewall rule. This is not really ideal, but I'm outlining it here as an option so that you're aware.

2) The second option is much easier.

To explain how option 2 works, this is from the OpenVPN manual:


--route-nopull
When used with --client or --pull, accept options pushed by server EXCEPT for routes.

When used on the client, this option effectively bars the server from adding routes to the client's routing table,
however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.


So, this tells the client not to pull the default route from the server, yet it pulls all other necessary TCP/IP settings. And if you look at your system routing table (Diagnostics->Routes) before and after changing this setting, you'll see the pulled route present and then not present respectively. It'll be the first line in the table:


0.0.0.0/8    xxx.xxx.xxx.xxx    UGS    0    0    1500    ovpnc1    =>


Therefore, after adding this Advanced Configuration setting, all traffic continues to use the System Routing Table. And with this pulled route removed from the table, the traffic will be routed out the WAN interface instead of the PIAVPN interface based on the remaining rules in the table.

However, the new firewall rule you created for your specific LAN computer will be routed out the VPN interface, because you chose it as the Gateway under Advanced settings within the rule. This specific rule then bypasses the System Routing Table.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on June 16, 2014, 12:39:58 pm
If you follow the tutorial, when finished the tunnel should only be routing traffic that you specify using the firewall->lan rules.
This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.


Anyone else have the tunnel go down rather frequently using this service?

All I see in the logs is the following when it disconnects:
Code:
Jun 15 20:31:20 pfsense openvpn[41114]: MANAGEMENT: Client disconnected
Jun 15 20:31:37 pfsense openvpn[41114]: event_wait : Interrupted system call (code=4)

Just wondering if this is normal for PIA?

I don't experience this at all. I've used several of PIA's servers, but not specifically the US-East server.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ouldsmobile on June 16, 2014, 12:52:49 pm
This is incorrect. This tutorial configures the firewall to route all traffic out the VPN interface.

Woops, sorry I followed a couple tutorials when I set mine up, just came across yours after setting mine up, must have gotten them confused. I will edit my post.

I don't experience this at all. I've used several of PIA's server, but not specifically the US-East server.

Hmm, strange. Wonder why mine seems to disconnect somewhat frequently. I am using same settings as yourself, just a different server. Out of curiosity what DNS servers are you using? What version of pfSense?

I have setup a box at work with linux, I will see if it has disconnection issues. I thought it seemed strange to disconnect frequently. My internet service is pretty rock solid, very rarely see any outages thankfully. Maybe I will try a different server for a bit and see if it makes any difference.

Kevin
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mpboden on June 16, 2014, 01:32:27 pm
Woops, sorry I followed a couple tutorials when I set mine up
No problem. Just wanted to make sure that there's no confusion

Out of curiosity what DNS servers are you using?
I'm using Google's DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

What version of pfSense?
2.1.3-RELEASE
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ouldsmobile on June 16, 2014, 02:27:36 pm
Woops, sorry I followed a couple tutorials when I set mine up
No problem. Just wanted to make sure that there's no confusion

Out of curiosity what DNS servers are you using?
I'm using Google's DNS servers. Also, under System->General Setup, I do not have the following checked: Allow DNS server list to be overridden by DHCP/PPP on WAN

What version of pfSense?
2.1.3-RELEASE

Yup, same here all around. I will go through all my settings, make sure I didn't miss anything. I may try PIA's DNS servers. Maybe that will be better. Worst case I can put the OpenVPN client back on my linux box which was more reliable it seems, although this was kind of the purpose of building the pfSense box, lol. :-) Go figure.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: skynet99 on July 15, 2014, 08:23:01 pm
Thanks for the tutorial!

I had made a similar setup but I was missing the advanced setting.

I have a problem that occurs every few days; the VPN service will be up but the IP address will be missing from the VPN display on the dashboard page.  The VPN log will have 500+ entries that say...
Code:
Iopenvpn[72509]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known

I can get it working again by restarting the service. I think it's some type of DNS problem, but I don't have a way to debug it.

Any suggestion on what I should try?

If I could restart the VPN service every hour that would partially fix it.

{edit}
OK I found the problem, in my DNS server I had set the gateway to the VPN interface. I guess every few days the IP address changes and when that happens it needs to use DNS to find the new IP address. Anyway I added an extra DNS on the WAN interface, and today it was able to get the new IP address. I checked https://www.dnsleaktest.com/ and http://ipleak.net/ and it is not showing my IP address. On a side note when I use 208.67.222.222 and 208.67.220.220 I get better RTT, in my case ~60ms
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: neonflx on July 16, 2014, 10:00:00 pm
This is by far the best tutorial I've found for pfSense and PIA, others have you do redundant steps that are not needed.

Thanks a lot, great information

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sparks305 on July 17, 2014, 01:04:33 am
This is a great tutorial no doubt, and thank you very much for it!

I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.

So far I have everything setup and working with the tutorial. I have found similar posts by using google but nothing I have found has worked. The closest post I've found related to my problem is https://forum.pfsense.org/index.php?topic=58630.0 and I've tried to follow jimp's suggestion by creating this lan rule:

(http://i492.photobucket.com/albums/rr286/sparks305/1.jpg) (http://s492.photobucket.com/user/sparks305/media/1.jpg.html)

(http://i492.photobucket.com/albums/rr286/sparks305/2.jpg) (http://s492.photobucket.com/user/sparks305/media/2.jpg.html)

But still have no luck getting that single ip to bypass the vpn.

Any suggestions and feedback is greatly appreciated.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Mr. Jingles on July 19, 2014, 03:42:29 am
I also wanted to compliment you on this fine (excellent) tutorial  ;D

It even turned out that I appear to have done something wrong myself months ago (certificate part), and for some strange reason, it did work all these months.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Mr. Jingles on July 19, 2014, 03:43:44 am
This is a great tutorial no doubt, and thank you very much for it!

I only have one issue I'm trying to resolve but have failed, I want to bypass the vpn for one specific ip (my desktop, for gaming reasons) and leave everything else go through the vpn.


But still have no luck getting that single ip to bypass the vpn.

Any suggestions and feedback is greatly appreciated.

I also have the same problem. I think JimP responded to me about this problem in my thread some months ago, but I didn't understand and then it bled to death  :-[
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: xman111 on July 21, 2014, 02:55:36 pm
I as well want to route certain traffic around the VPN but my rules aren't working.. It looks just like the above pictures.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kars85 on July 22, 2014, 04:16:43 pm
I as well want to route certain traffic around the VPN but my rules aren't working.. It looks just like the above pictures.

+1

It is working for me now, but had not been working for nearly 48 hours.  What got it working, I have no idea since I haven't done a thing to pfSense settings since I initially created a thread on the issue.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kars85 on July 22, 2014, 08:56:21 pm
So I had a chance to test a few things, specifically what made it work and what didn't.  Here's some screenshots of my interface rules.  I've kept some of them in there, just disabled, in case for whatever reason things go south again.

The big takeaway was to specify the gateway that each rule should use for what gets tunneled through VPN, as well as what host ip/alias you want to use the non-VPN tunnel gateway from your ISP.

Hope this helps some others...

(http://i.imgur.com/VOeif2b.jpg)


(http://i.imgur.com/h6uBfgK.jpg)


(http://i.imgur.com/S5P29di.jpg)


(http://i.imgur.com/4ZEDDkZ.jpg)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: h311m4n on September 23, 2014, 07:12:50 am
Hello,

Sorry for bumping this old thread up but it was a great tutorial. Followed every step and in 15 minutes, all my devices are going through the VPN.

FYI, I have pfSense set up as a VM on ESXi.

However, I have 2 issues:

1. Even though internet works and a "what is my ip" shows I'm behind my VPN, the gateway shows offline in the dashboard. I have rebooted pfSense, stopped/started the openvpn service but it will always go to offline after being online for 15 seconds. Again: I still have internet access but if I open a shell on pfSense and try to ping the PIAVPN gateway, I get no response hence the offline status...what's the issue here?

[EDIT] I "fixed" it by disabling monitoring on the gateway.

2. I'm having trouble wrapping my head around accessing a service on a device behind the VPN. Put simply, I have a synology that I access with DS audio on my phone to listen to my tunes. Everything works fine when the VPN is not running, however when it is, I can't connect to my synology.

I can see the packet arriving in the logs but it seems no response is ever sent out back even though I'm forcing the Synology to use the WAN gateway and not the VPN for outbound traffic.

Any clues?  ???
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: h311m4n on September 25, 2014, 03:27:17 pm
Ok, allow me to answer my own question. Simply adding route-noexec to the openvpn client configuration (the part where you specify verb 5 etc.) fixed it. Only traffic that I specifically tell to use the vpn goes through the VPN, I am however perfectly able to access my audiostation, didn't even have to change anything in the port forwarding menu.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: lovingHDTV on October 09, 2014, 07:42:29 am
Love the tutorial and am almost there.  I get stuck when I need to create the default firewall rule to route everything through the VPN.

I don't see the PIAVPN_VPN4 gateway. I tried to create it, though I didn't see that in the tutorial, but that didn't work either.  I also notice that on the main page the PIAVPN interface never shows an IP address, but if I look under Status->OpenVPN it says it is connected and I see traffic in/out and ip addresses.

Any ideas what I missed?  I'm running version 2.1.5-RELEASE

thanks,
david

EDIT:
I found my problem.  Item #2 under "Create OpenVPN interface", It says ovpnc1() will be selected, but in my case it selected an unused ethernet over firewire port.  When I finally noticed this and changed it to ovpnc(1) it worked!

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: AndyKoopa on October 10, 2014, 05:05:44 pm
Awesome tutorial! Thank you for taking the time to write it up :)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: tucansam on October 25, 2014, 04:22:35 pm
Firstly, thank you for the amazing step-by-step tutorial.  I literally had it completed in 10 minutes.

A few questions.

First, I have been playing with different servers provided by PIA, from Texas to California to Canada.  Running the test at speedtest.net, my speeds went from 80-90mb/down and 30-40mb/up to 20-40mb/down and 1-4mb/up.  I know the VPN will slow things down a bit, but I was not expecting this level of speed loss.  Is this normal?  My pfsense box is a dual core Atom (with hyperthreading) and thus far CPU use has never peaked above 30%, usually at 13% (which is where it was prior to my configuring the VPN).  Just curious if I should just keep testing servers to find one with better speed?

On the dashboard, my WAN and LAN interface graphs are showing plenty of traffic, but my PIAVPN interface is showing none.  I am presently downloading a file -- WAN is showing 500Kbps-5Mbps, but zero activity whatsoever on the VPN interface.  Is this an indication that the VPN is being bypassed?

Using various ip lookup tools, every site is seeing me on an IP address in Canada (I am currently using the Canadian PIA VPN server).  So why is there no traffic being generated on the PIA VPN interface?  As far as I can tell it is working.

Thanks again for the great tutorial.


ETA VPN just went down, logs show failure to resolve the hostname of the PIAVPN server I had chosen.  Rebooting pfsense worked (I tried everything else I could think of) -- wonder how long it will be up and if this will happen again?  I am using OpenDNS servers.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: duntuk on October 26, 2014, 10:38:43 pm
About a week ago, PIA service went to sh*t for me... It worked great for over a year, and now constant disconnects.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: duntuk on October 27, 2014, 01:40:41 am
It's kind of early to say anything for sure--this is the longest I've gone this week without being disconnected (30 minutes so far; these past 2 weeks, it has usually been every 1-2 minutes)...

But anyway...

Under OpenVPN 'advanced configuration' (in pfsense), I added the following:

keepalive 5 30;

So now my 'advanced configuration' looks like this:

auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;remote-cert-tls server;route-nopull;keepalive 5 30;

Note: I added this today:

route-nopull;

Not sure if it's doing anything (probably not) but left it there, since my connection is stable for the time being.

What I think is going on is PIA is pinging the client, but for whatever reason, the pings are getting blocked.  So in turn 'keepalive 5 30;' does something to mitigate that...
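An added example (not code from this thread or from pfSense) that lints an option string of the kind pasted into the pfSense "Advanced configuration" box. `SAMPLE` is the string duntuk posted above. It relies on two facts: pfSense writes each `;`-separated item as one line of the generated client config, and OpenVPN's `keepalive n m` on a client is shorthand for `ping n` plus `ping-restart m`. The lint reports the effective timers, flags a restart timeout that is not longer than the ping interval, and flags a config with no server-certificate verification directive (the case that produces OpenVPN's "No server certificate verification method has been enabled" warning):

```python
"""Lint a pfSense OpenVPN 'Advanced configuration' string (options separated by ';').

Added example, not from the thread or from pfSense. SAMPLE is the option
string duntuk posted; everything else is constructed for illustration.
"""
from typing import Dict, List, Tuple

SAMPLE = ("auth-user-pass /etc/openvpn-password.txt;persist-tun;verb 5;"
          "remote-cert-tls server;route-nopull;keepalive 5 30;")

# Directives that make the client check it is talking to the real server.
# Without one of them OpenVPN logs the "No server certificate verification
# method has been enabled" warning that appears later in this thread.
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-verify"}


def parse_options(custom: str) -> List[Tuple[str, List[str]]]:
    """Split the ';'-separated custom-options string into (directive, args) pairs."""
    parsed = []
    for item in custom.split(";"):
        words = item.split()
        if words:
            parsed.append((words[0], words[1:]))
    return parsed


def expand_keepalive(options: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Rewrite 'keepalive n m' into the two client-side directives it stands for."""
    expanded = []
    for name, args in options:
        if name == "keepalive" and len(args) == 2:
            expanded.append(("ping", [args[0]]))
            expanded.append(("ping-restart", [args[1]]))
        else:
            expanded.append((name, args))
    return expanded


def lint(custom: str) -> Dict[str, object]:
    """Return the effective ping timers, problems found, and informational notes."""
    opts = expand_keepalive(parse_options(custom))
    by_name: Dict[str, List[str]] = {}
    findings: List[str] = []
    notes: List[str] = []
    for name, args in opts:
        if name in by_name:
            findings.append(f"duplicate directive: {name}")
        by_name[name] = args

    if not SERVER_VERIFY.intersection(by_name):
        findings.append("no server certificate verification directive")

    ping = int(by_name["ping"][0]) if "ping" in by_name else None
    restart = int(by_name["ping-restart"][0]) if "ping-restart" in by_name else None
    if ping is not None and restart is not None and restart <= ping:
        # A restart timeout no longer than the ping interval restarts the link
        # before a reply can arrive.
        findings.append("ping-restart must be longer than the ping interval")
    if "route-nopull" in by_name:
        notes.append("route-nopull: routes pushed by the server are ignored, "
                     "so pfSense policy routing alone decides what uses the tunnel")
    return {"ping": ping, "ping_restart": restart, "findings": findings, "notes": notes}


if __name__ == "__main__":
    for key, value in lint(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against your own custom-options string before saving the client; an empty `findings` list with `ping`/`ping_restart` set to the values you expect is the state to aim for.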
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: tucansam on November 03, 2014, 06:11:17 pm
A lot of pages are loading slowly (to be expected I suppose).  Other pages are denying me access with messages that my IP has been flagged for spam.  Some sites, like Amazon and Home Depot, load slowly, but then most functions don't work (searching, shopping carts, etc).

All since I enabled the PIA vpn.....
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: peehoo on November 18, 2014, 03:00:36 pm
Awesome tutorial... Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on November 18, 2014, 05:30:38 pm
Awesome tutorial... Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy.  It's the opposite of this:

(http://i.imgur.com/h6uBfgK.jpg)

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: phil.davis on November 18, 2014, 08:11:44 pm
Awesome tutorial... Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!
Make an Alias for those LAN IPs, then change the rule on LAN that feeds the traffic into PIA so it has just that Alias as the source.

Whatever traffic is matched by rules going to the PIA gateway is the traffic that goes down the PIA OpenVPN tunnel.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: wreththe on December 01, 2014, 05:25:25 pm
Thanks so much for this tutorial.  Between the initial tutorial and some of the modifications in the comments I have my router set up almost exactly as I wanted.

My question is if there is a way to route traffic on some ports through the VPN interface and the rest through the WAN interface?

I.e. everything on 10.0.1.10 goes through the WAN except ports 45000-45100, which go through the PIAVPN.

Is that possible?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 01, 2014, 06:18:05 pm
Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won't match if the port is outside the set so the firewall will move on to the next rule.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: GaMcL on December 01, 2014, 11:03:52 pm
Good tutorial, Thanks. However I am having a problem at an early stage.

When I go through the steps to create a certificate, the CA gets entered but no certificates are created (see attachment). Then, when I get to Create OpenVPN Client I run into a "No Certificates Defined" and can't create the client. Trying to create a certificate under the certificate manager>certificates doesn't work because I don't have the private key that is needed.

What am I missing?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 01, 2014, 11:52:53 pm
It looks like PIA doesn't verify client certificates at all so any certificate will do.  The walkthrough just uses the default webconfigurator certificate out of pfSense.

You don't have any certs at all listed in System->Cert manager->Certificates  ??
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: GaMcL on December 02, 2014, 07:25:29 am
No. There are no certificates listed at all in system->Cert manager->certificates. Should there be?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 02, 2014, 10:16:47 am
Yes.  When you installed, a cert for the webConfigurator was created.  Looks like you deleted it.

I have no idea how to tell pfSense to recreate that cert.  Anyone?

If it's non-trivial you'll need to create an internal CA then create an internal cert using that.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: phil.davis on December 02, 2014, 11:04:13 am
Not sure that it helps the problem at hand, but the webConfigurator is listed under System: Certificate Manager, Certificates tab. It is somehow a CA and Certificate all in one (exposing my lack of knowledge of this stuff!).
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: GaMcL on December 02, 2014, 11:22:28 am
Thanks for the replies. It's odd that there is no cert showing. If I deleted a certificate it would have to have been by accident. I'm pretty careful with such things due to lack of understanding and not wanting to break things. I haven't had to deal with certificates before and I don't remember ever working with the cert manager before.

Having said that, I did create an internal CA and then an internal cert as suggested by @Derelict. That went well and allowed me to get a step further and create an OpenVPN client. Then I had to leave for work, so won't get back to the VPN installation until later.

One difference between my setup and that covered by the tutorial is that I already have a third (physical) interface to a DMZ. Does anyone know if that is a potential problem or change anything in the process?

Thanks very much for your help. I'll get back when I hit the next snag  :)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 02, 2014, 12:09:29 pm
Shouldn't.  Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.

@phil.davis yeah, I don't see a way in the interface to create a cert like that.  There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: peehoo on December 11, 2014, 04:02:49 am
Awesome tutorial... Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel and all the others stay outside of that VPN...

That would be exactly what I needed!!

That's easy.  It's the opposite of this:

(http://i.imgur.com/thvFbHY.png)

I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

Like this:

Hi!

I think I managed this  ::)

Basically I needed only one internal IP address to go to the PIAVPN, so I created two firewall rules.

One which says that 192.168.1.60 goes to PIAVPN and one which is the reverse of that -> all the other LAN addresses go to the WAN interface. Does this kind of configuration make any sense?

Now my pc is showing me my ISP address and XBMC is showing PIA address.

(http://i.imgur.com/pA43QG9.png)

Ok, I changed that single host to the aliases list because it might be possible every now and then for some other PCs to use PIAVPN also.

One thing came to my mind... When it comes to security and hiding my network traffic - is there any kind of problem with using the same PIA server every day? When using the PC client I've manually changed it to different countries every now and then... Ok, it is manually possible with pfsense too, but is there any benefit to changing it and if yes -> could it be possible to automatically use several PIA servers on different days?

And at the end a couple of stupid questions:

- At this point it seems that PIAVPN is working (THX for a great tutorial)
- Dashboard is showing in interfaces PIAVPN address BUT
- for a reason I do not know, OpenVPN status shows that the PIA client instance status is down??

Should I be worried?

Screencaps below:

(http://i.imgur.com/Sj1Dopv.png)

(http://i.imgur.com/pEN0Scg.png)

Dec 11 13:06:42 openvpn[68212]: Exiting due to fatal error
Dec 11 13:06:42 openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Dec 11 13:06:42 openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
Dec 11 13:06:42 openvpn[68212]: ROUTE_GATEWAY xx.x.x.1

Could this be a reason why I still have a DNS leak? How (and where) do I manually configure PIA DNS servers?

Also one minor thing... How can I configure a traffic limiter, especially an upload limiter, for those PIAVPN hosts? I tried to do this with these instructions, http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/, but did not succeed.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: achaian on December 22, 2014, 04:52:42 pm
I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.

Again, thank you!!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: flowrider on December 26, 2014, 03:44:21 am
Hi,
I've just registered here but have been lurking for quite a while.

Thanks for the guide it was much easier than a lot of other guides out there and it's appreciated greatly.

I have a question about DNS leak protection. With this default configuration when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I got to get this far!!

Anyhow if anyone has a tutorial for this it would be great.

Thanks
Steve
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: wbennett77 on December 27, 2014, 10:06:28 am
Hey Steve,

The ONLY way I have found to prevent leaks is to use PIA's DNS servers. If anyone has found another way I would really like to hear about it as well.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: flowrider on December 28, 2014, 01:55:26 am
Thanks wbennett77, I ended up using PIA's DNS servers as well and no leaks! It was quite easy which is nice for a change! I'm pretty happy to have found this guide as it's the most comprehensive and simple to use one on the net. I'm pairing it with a Netgear R7000 right now and it seems to be working well, especially in the 5 GHz range.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sogseal on December 28, 2014, 02:46:13 pm
Has anyone figured out DNS settings yet? I stumbled across a topic, https://forum.pfsense.org/index.php?topic=29944.0 Step 4; I cannot test this at the moment, I'm waiting for my new mobo. I talked to a PIA rep and he recommended manually configuring DNS and provided me with IPs 208.67.222.222 and 208.67.220.220. I should get my mobo tomorrow and will start playing with my new hardware and installing pfsense.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 28, 2014, 03:49:43 pm
Those are OpenDNS servers.

Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P

Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.

Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sogseal on December 28, 2014, 06:02:27 pm
Those are OpenDNS servers.

Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P

Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.

Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.

I'm lost :) , want to show us step by step?  ::)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on December 28, 2014, 08:26:37 pm
Post the rule that forwards your traffic to PIA.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sogseal on December 29, 2014, 07:36:18 am
Post the rule that forwards your traffic to PIA.

I got my new mobo coming today, I'll set everything up and post it, thank you for the help

***EDIT***

So I got my mobo MSI Z87I AC (waiting on AR9380). Pretty much I followed this guide to the end and added OpenDNS IPs (I'm on 2.2-RC (amd64)  built on Mon Dec 29 07:41:21 CST 2014 FreeBSD 10.1 RELEASE-p3) to System>General Setup DNS servers and I don't have any DNS leaks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ryan29 on January 09, 2015, 06:35:28 am
After testing a bit, I see issues when using DHCP (LAN) and the DNS Forwarder.  Clients on the LAN are given the pfSense LAN IP as a DNS server and the DNS lookups done by the DNS Forwarder don't seem to be very sophisticated.  My firewall rules route a couple machines over the VPN and everything else goes over the WAN:

(http://i.imgur.com/pQUxh4t.png)


However, I still see geo-optimized IPs when I do DNS lookups (ex: google.com).  I changed my DNS a bit to see if I could figure out what was going on.  I set two DNS servers:

(http://i.imgur.com/OSuo2cd.png)

Note that one is set to use the WAN gateway and the other is set to use the TGNEWYORK gateway (I'm using TorGuard, not PIA).  After doing this, the behavior of one of my 'vpnclients' gives a good indication of what's happening.

When I do a DNS leak test I can see that both DNS servers are being used and the route depends on which DNS server is picked by the DNS Forwarder.  I can tell this because it appears that TorGuard forces all DNS requests through OpenDNS, so half the servers found are Google, half are OpenDNS.

There are two things to be careful of in my opinion.  1) Make sure all vpnclients bypass the DNS Forwarder.  2) Make sure normal connections don't use the VPN for DNS lookups.  I use a port forward rule to get the vpnclients to bypass the DNS Forwarder.  Note the rule uses the LAN interface.  Also note the firewall rule I have above to intentionally block all traffic from vpnclients to pfsense.

(http://i.imgur.com/I8pGJQo.png)

Another option would be to make sure the DHCP server passes non-local DNS to clients, but keeping the vpnclients and normal clients separated is a pain.  To ensure normal connections don't use the VPN for DNS, I explicitly specify the WAN gateway for DNS and don't allow the settings to be overridden by DHCP.

(http://i.imgur.com/IDJ57sP.png)

From the testing I did, leaving a gateway of 'none' doesn't work.  I still saw DNS lookups going over the VPN gateway.  To me this is incorrect behavior since my default gateway is the WAN gateway (only tested on 2.1.4).

Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: cybernet on January 17, 2015, 10:31:49 am
Has anyone successfully gotten PIA to work with SHA256? Works flawlessly with SHA1. Also if you receive MTU or HMAC authentication errors, try another server. Some servers are acting really wonky right now.

Cheers!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on January 22, 2015, 02:11:47 pm
Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

Having TWO OpenVPN clients set up via PIA.

So the idea is this, based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA west

Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada

Then the remaining IP 192.168.0.41-192.168.0.254 will be on the WAN.

I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to the PIA USA West, is there anything I could be missing?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: terryd on January 24, 2015, 05:31:04 am
Very good guide but mine seems to restart if put under any stress like a download
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on January 24, 2015, 04:43:44 pm
TerryD, did you upgrade to the latest pfSense 2.2 that was released yesterday?

As for my issue, upgrading to 2.2 totally fixed the issues
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Robs on January 25, 2015, 03:43:06 am
Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?

I did set it up like this, using no special rules:
check in the dns forwarder: Query DNS servers sequentially

209.222.18.218 -> pia gateway
209.222.18.222 -> pia gateway
8.8.8.8 ->  wan gateway
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Robs on January 25, 2015, 03:57:32 am
Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

Having TWO OpenVPN clients set up via PIA.

So the idea is this, based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA west

Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada

Then the remaining IP 192.168.0.41-192.168.0.254 will be on the WAN.

I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to the PIA USA West, is there anything I could be missing?
Once you have one VPN gateway there isn't anything different about setting up another one and selecting the gateway based on LAN IP.
However, there can be a situation where the vpn clients both have the same local interface ip. (the 10.x.x.x ip address)
I don't know what caused it but restarting one vpn client did solve it for me.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 25, 2015, 01:55:08 pm
Save yourself some headaches and set your IPs on subnet boundaries instead.  That'll make your rules a lot easier.

Like instead of assigning hosts IP addresses from 192.168.0.21 through 192.168.0.40, assign them 192.168.0.33 through 192.168.0.62.  You can then cover them in one rule with source IP 192.168.0.32/29 (255.255.255.248)

You could:

pass ip any source 192.168.0.32/29 dest any gateway PIA_USA_WEST # (hosts .33 through .62 - in this case you could actually use .32 and .63 too but I wouldn't)
pass ip any source 192.168.0.64/29 dest any gateway PIA_CANADA # (hosts .65 through .94)
pass ip any source LAN network dest any gateway default # everything else.
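An added example (not pfSense code and not from any post in this thread) that walks through the LAN rule patterns discussed above in one place: source prefixes on subnet boundaries each sent to their own PIA gateway (this post), a port-restricted rule that pf skips when the destination port is outside the set (Derelict's reply to wreththe), a LAN-net catch-all to the default gateway, and the NO_WAN_EGRESS tag with a floating block on WAN out (Derelict's reply to sogseal). `prefix_span` reports every address a prefix's source match covers, which is the check to run before assuming a block spans the hosts you had in mind. The model assumes pf's first-match evaluation of the LAN rules and pfSense's default behaviour of loading a rule without its gateway when that gateway is down, so the traffic takes the default route unless a tag-based floating rule drops it. Gateway names, the second and third prefixes, and the sample flows are constructed:

```python
"""First-match policy-routing walk-through for the LAN rule patterns in this thread.

Added example, not pfSense code. Gateway names, prefixes other than
192.168.0.32, and the sample flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def prefix_span(prefix: str) -> Tuple[str, str, int]:
    """First and last address a prefix matches, and how many addresses that is.
    A rule's source match covers the whole block, so check this before
    assuming a prefix spans the hosts you meant."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


@dataclass
class Rule:
    sources: List[str]                 # prefixes; several entries act like an alias
    gateway: Optional[str]             # None means the default route
    ports: Optional[Set[int]] = None   # destination ports; None matches any port
    tag: Optional[str] = None          # pf tag applied to matching packets


LAN_NET = "192.168.0.0/24"
LAN_RULES = [
    Rule(["192.168.0.32/27"], "PIA_USA_WEST", tag="NO_WAN_EGRESS"),   # .32 - .63
    Rule(["192.168.0.64/27"], "PIA_CANADA", tag="NO_WAN_EGRESS"),     # .64 - .95
    Rule(["192.168.0.10/32"], "PIA_USA_WEST", ports=set(range(45000, 45101))),
    Rule([LAN_NET], None),                                            # everything else
]
# Floating rule: block out on WAN anything carrying this tag.
FLOATING_BLOCK_TAG = "NO_WAN_EGRESS"


def first_match(rules: List[Rule], src_ip: str, dport: int) -> Optional[Rule]:
    """Walk the rules top-down and return the first one that matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not any(ip in ipaddress.ip_network(p) for p in rule.sources):
            continue
        if rule.ports is not None and dport not in rule.ports:
            continue   # port outside the set: pf moves on to the next rule
        return rule
    return None


def egress(rules: List[Rule], src_ip: str, dport: int, gateways_up: Set[str]) -> str:
    """Where the flow leaves: a gateway name, 'WAN' (default route),
    'BLOCKED' (dropped by the floating rule) or 'NO_MATCH'."""
    rule = first_match(rules, src_ip, dport)
    if rule is None:
        return "NO_MATCH"
    if rule.gateway is not None and rule.gateway in gateways_up:
        return rule.gateway
    # No gateway, or the gateway is down: pfSense loads the rule without it,
    # so the packet follows the default route out WAN...
    if rule.tag == FLOATING_BLOCK_TAG:
        return "BLOCKED"   # ...unless the floating rule drops the tagged packet
    return "WAN"


if __name__ == "__main__":
    for p in ("192.168.0.32/29", "192.168.0.32/27"):
        print(p, "covers", prefix_span(p))
    up = {"PIA_USA_WEST", "PIA_CANADA"}
    for ip, port, alive in (("192.168.0.40", 443, up), ("192.168.0.40", 443, set()),
                            ("192.168.0.10", 45050, up), ("192.168.0.10", 443, up),
                            ("192.168.0.200", 80, up)):
        print(ip, port, "->", egress(LAN_RULES, ip, port, alive))
```

The second flow in the demo is the case the tag exists for: with the VPN gateway down, a VPN-only host would otherwise leave on WAN, and the floating rule is what turns that into a drop.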
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: phatty on January 31, 2015, 09:38:16 am
Since the upgrade to 2.2 I have had PIA randomly disconnect and remain disconnected for me until I manually click connect again. Anyone else experience this problem? Seems to be every couple of days; on 2.1.5 the only time I had connectivity issues was when an internet issue caused a bad route to the server I had been connecting to. Other than that previously it has been very solid for me up until the upgrade.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Moatilliata on January 31, 2015, 10:04:22 pm
Thanks for this guide, I got PIA up and running for just my FireTV and the rest of my devices go through the normal WAN.

The problem I'm having now is I'm trying to access content on hulu and watch Disney Junior with my FireTV, but it says I'm outside of the US (I'm not, and I'm using the PIA California server, I know that Hulu has blocked a lot of VPNs). I don't care if the traffic for Hulu and Disney aren't over PIA, I want to make a rule to bypass the VPN for Hulu, Disney, and potentially a couple of other streaming services. I've tried creating an alias for hulu.com and then I made a firewall rule (placed before my VPN hosts rule) that said if the destination was the hulu alias it would use the WAN gateway instead of the PIA gateway, but I still got the same outside of the US or private network error. I've also added an ipcheck to the alias to make sure it was working and it returned the IP address I wanted when the rule was applied, so it worked for that site at least.

Any ideas how to get this to work? I don't really want to have to turn the VPN off each time I want to turn on Disney Junior for the kids.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on February 01, 2015, 11:39:27 pm
hi moatilliata,

Instead of rerouting the traffic you could try to use a dnsmasq server to forward your DNS requests so you can still use the PIA VPN.

One service that could work although I haven't tried it before is using UnoTelly:

https://www2.unotelly.com/home#2-channels
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Moatilliata on February 02, 2015, 03:24:08 pm
hi moatilliata,

Instead of rerouting the traffic you could try to use a dnsmasq server to forward your DNS requests so you can still use the PIA VPN.

One service that could work although I haven't tried it before is using UnoTelly:

https://www2.unotelly.com/home#2-channels

Well the sites work on my other PCs and iPad, and I'm pretty sure the DNS being sent on my normal WAN is still the PIA DNS, the only difference is the IP address. There must be a DNS or IP that's not included in my alias for Disney and Hulu when my location is being checked on the devices behind the VPN.

Hulu isn't my real problem because my TV has an app, but I don't have an app for Disney. I guess I'll just use the iPad and Chromecast, but that's just one more thing I have to teach my wife how to do.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on February 02, 2015, 04:14:45 pm
One thing I was thinking: if you are testing multiple devices, you should test whether the registered external IP is the VPN IP or not.

Also you should do a DNS leak test to ensure that the DNS resolution is coming from the correct DNS server, be it the VPN or local DNS server.

So what I do to troubleshoot the VPN issues is to use the below:

https://www.dnsleaktest.com/
http://whatismyipaddress.com/

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Moatilliata on February 03, 2015, 01:36:49 pm
I've done both of those things already.

The DNS that comes back on DNS leak is always the VPN DNS, but when I'm on my normal WAN the inaccessible content is accessible.

As far as the IP check, behind the VPN I'm getting my VPN IP and on the WAN I'm getting my normal IP from my ISP.

That's why I think my aliases for Hulu and Disney are incomplete.  They must connect to another DNS or IP that I'm not bypassing in my alias.  I've pretty much given up on it for now. I just wanted it for the convenience of accessing those apps from the Fire TV.

Is there a way to make it so certain source IPs use the VPN DNS and my sources going through WAN use the local DNS? I couldn't figure this out without having a DNS leak, which is why I just left it on the VPN DNS.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on February 03, 2015, 01:44:00 pm
if you want to have specific DNS for specific interfaces, you can do it two ways.

One you forward all DNS requests via the firewall to the interface you want to the specific DNS server OR

Go to System -> General Setup. Under DNS servers you can specify specific DNS servers based on the Gateway, or in your case the "VPN Gateway"

Let me know if that helps your cause or not.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: archedraft on February 03, 2015, 05:04:02 pm
Anyone else experiencing slower download speeds through PIA when upgrading from pfsense 2.1.5 to 2.2? My download speeds have been constantly 10-14 Mbps and with 2.1.5 they were 100+ Mbps.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: kintaroju on February 03, 2015, 05:05:58 pm
Nope, I personally haven't had that problem. My speeds to PIA are the same before the upgrade.

Also for the record going from 2.1.5 to 2.2 solved a lot of issues that I was having when opening multiple OpenVPN clients to PIA.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: plainzwalker on February 09, 2015, 02:45:56 am
**edit**  the firewall at my work was blocking all images.


Thank you
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on February 11, 2015, 03:52:08 pm
Great tutorial.  Set up my pfsense on the first go-round, thanks!  Now, the 2 issues.  1 is really just speed, I'm only getting 1.6-2.x mbps but that's not really a pfsense issue, more of a PIA issue.  Using the Texas server seems to be fastest but still slow compared to my 50mbps VDSL.  #2,  Email.  Email pop3 doesn't work over PIA (goDaddy) and they know it.  Can receive, can't send.  Is there a rule or setting to let smtp bypass the VPN and use the WAN?  I tried a few tests, obviously unsuccessfully.  Again, great stuff!
Thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 11, 2015, 04:18:34 pm
Try setting your mail server to use port 587.

Sending email is not POP3.  Sending is SMTP.  Port 587 is the SMTP submit port.  You will have to authenticate.  Hopefully your mail provider supports STARTTLS.  Make it required.

A quick telnet mailserver 587 will either result in an SMTP banner or it won't.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on February 13, 2015, 03:33:13 am
Thanks for the response.  I'm not hosting a mail server.  What I need to do is route my SMTP requests from my pop3 outlook account through to the WAN, bypassing the PIAVPN.  Currently all LAN machines are using pfSense DHCP and pfSense is configured to automatically connect and route to PIA's VPN connection.  Can (How?) do I take an smtp request from a machine that is using the vpn connection and have its outlook pop3 route past (bypass) the pia vpn?  Let me know if this makes sense.  Thx
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 13, 2015, 09:20:25 am
I know.

I'm sure PIA blocks port 25.  Try 587 instead.

That or make a rule above the rule that routes your traffic to PIA that routes connections to your mail ports (TCP 110,143,993,995,25,587 and 465) out your WAN gateway (or the default route).

Note that any application you use that attempts to bypass firewalling by using one of these commonly-passed ports will no longer go through the VPN either.  If you only use one to a few mail servers, you might want to create an alias using their FQDNs and set the destination address to that to limit the scope of the rule even more.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on February 13, 2015, 11:48:03 am
Thx Derelict. Your advice on the ports worked but only without SSL so I'm not connecting securely to send/receive.  Can you outline in a few steps how to add an smtp to a rule for bypass?  smtp.out.secureserver.net is what godaddy uses for sending, if I can put that in a rule to bypass the vpn and use the wan it should work with encryption (SSL) applied. 
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 13, 2015, 01:38:53 pm
Should have nothing to do with negotiating SSL.  I don't know how that server is set up but there are two ways to get SMTP over SSL/TLS:

1) Connect on port 465.  This usually expects SSL right off the bat like an HTTPS connection.  You can test this with openssl s_client -connect smtp.out.secureserver.net:465.  Port 465 is a de facto standard for this thanks to Microsoft. YMMV.

2) Connect to port 25 or 587.  This establishes a normal SMTP or SMTP Submit connection.  The client must then issue a STARTTLS command to negotiate TLS prior to sending authentication credentials. You can test this with openssl s_client -connect smtp.out.secureserver.net:[25|587] -starttls smtp
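An added example (not from this thread) that checks the two ways of getting SMTP under TLS that Derelict describes, and makes TLS a requirement rather than an option: implicit TLS on 465, or a clear-text EHLO on 25/587 followed by STARTTLS, refusing to continue if the server does not advertise it. `MAIL_HOST` is the host User1503 named; `SAMPLE_EHLO` is a constructed reply used for the offline parser check. `ssl.create_default_context()` verifies the server's chain and hostname, which a bare `openssl s_client` run shows you but does not enforce:

```python
"""Probe an SMTP submission host for TLS and refuse to proceed without it.

Added example, not from the thread. MAIL_HOST is the host named in the
thread; SAMPLE_EHLO is a constructed reply used only for the offline check.
"""
import smtplib
import ssl
from typing import Dict

MAIL_HOST = "smtp.out.secureserver.net"
SAMPLE_EHLO = (b"250-mail.example.test Hello\r\n"
               b"250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n"
               b"250 AUTH PLAIN LOGIN\r\n")   # constructed EHLO reply


def tls_mode_for_port(port: int) -> str:
    """465 expects TLS from the first byte; 25 and 587 start in the clear and upgrade."""
    return {465: "implicit", 25: "starttls", 587: "starttls"}.get(port, "unknown")


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """Parse a multi-line EHLO reply and report whether STARTTLS is offered."""
    for line in ehlo_reply.splitlines():
        text = line.decode("ascii", "replace").strip().upper()
        if text in ("250-STARTTLS", "250 STARTTLS"):
            return True
    return False


def probe(host: str = MAIL_HOST, port: int = 587, timeout: float = 10.0) -> Dict[str, object]:
    """Connect and insist on verified TLS; raise rather than fall back to clear text."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    mode = tls_mode_for_port(port)
    if mode == "unknown":
        raise ValueError(f"no TLS policy defined for port {port}")
    if mode == "implicit":
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            code, _ = s.ehlo()
            return {"mode": mode, "tls": True, "ehlo": code}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise smtplib.SMTPException("server does not offer STARTTLS; not sending in the clear")
        s.starttls(context=ctx)   # TLS handshake with certificate and hostname check
        code, _ = s.ehlo()        # RFC 3207: EHLO again after the upgrade
        return {"mode": mode, "tls": True, "ehlo": code}


if __name__ == "__main__":
    print("sample reply advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO))
    for port in (465, 587):
        try:
            print(port, probe(port=port))
        except (OSError, ssl.SSLError, smtplib.SMTPException, ValueError) as exc:
            print(port, "failed:", exc)
```

A mail client set to "STARTTLS required" behaves like `probe` on 587: it stops when the server does not advertise the extension or presents a certificate that fails verification, instead of silently sending credentials in clear text.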
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 13, 2015, 01:41:41 pm
Can you outline in a few steps how to add an smtp to a rule for bypass?

Post your LAN rules (or the rules for whatever interface is being used for forwarding to PIA.)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 13, 2015, 01:44:07 pm
Hmmm.  smtp.out.secureserver.net doesn't resolve.  You need to figure out where you need to send your outgoing mail.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: White Widow on February 14, 2015, 04:10:20 pm
I just started using pfSense again after a long hiatus and can't get OpenVPN to work with PIA.  I had it working in an old version of pfSense but the options are different in v2.2 and I'm tearing my hair out.  Everything looks setup right but the gateway never stays up.

After restarting the OpenVPN service the 'PIAVPN' Interface shows an IP address, but when I go to the Gateway status, the 'PIAVPN_VPNV4' gateway is always 'offline.'  According to the Gateway log:

Feb 14 14:31:57   apinger: SIGHUP received, reloading configuration.
Feb 14 14:31:57   apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.100.4.5) *** down ***
Feb 14 14:32:08   apinger: ALARM: PIAVPN_VPNV4(10.153.1.5) *** down ***
Feb 14 14:32:13   apinger: SIGHUP received, reloading configuration.
Feb 14 14:32:13   apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.153.1.5) *** down ***
Feb 14 14:32:23   apinger: ALARM: PIAVPN_VPNV4(10.183.1.5) *** down ***
Feb 14 14:33:26   apinger: SIGHUP received, reloading configuration.
Feb 14 14:33:26   apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.183.1.5) *** down ***
Feb 14 14:33:36   apinger: ALARM: PIAVPN_VPNV4(10.182.147.5) *** down ***
Feb 14 14:33:40   apinger: SIGHUP received, reloading configuration.
Feb 14 14:33:40   apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.182.147.5) *** down ***
Feb 14 14:33:50   apinger: ALARM: PIAVPN_VPNV4(10.181.1.5) *** down ***

This repeats constantly.  I checked the OpenVPN logs:

Feb 14 14:33:35   openvpn[45195]: client = ENABLED
Feb 14 14:33:35   openvpn[45195]: pull = ENABLED
Feb 14 14:33:35   openvpn[45195]: auth_user_pass_file = '/etc/openvpn-password.txt'
Feb 14 14:33:35   openvpn[45195]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 1 2014
Feb 14 14:33:35   openvpn[45195]: library versions: OpenSSL 1.0.1k-freebsd 8 Jan 2015, LZO 2.08
Feb 14 14:33:35   openvpn[45195]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 14 14:33:35   openvpn[45424]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 14 14:33:35   openvpn[45424]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 14 14:33:35   openvpn[45424]: LZO compression initialized
Feb 14 14:33:35   openvpn[45424]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 14 14:33:35   openvpn[45424]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 14 14:33:35   openvpn[45424]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 14 14:33:35   openvpn[45424]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 14 14:33:35   openvpn[45424]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 14 14:33:35   openvpn[45424]: Local Options hash (VER=V4): '41690919'
Feb 14 14:33:35   openvpn[45424]: Expected Remote Options hash (VER=V4): '530fdded'
Feb 14 14:33:35   openvpn[45424]: UDPv4 link local (bound): [AF_INET]73.34.122.142
Feb 14 14:33:35   openvpn[45424]: UDPv4 link remote: [AF_INET]66.85.147.138:1194
Feb 14 14:33:35   openvpn[45424]: TLS: Initial packet from [AF_INET]66.85.147.138:1194, sid=97ab86e1 7dcc85ab
Feb 14 14:33:35   openvpn[45424]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 14 14:33:36   openvpn[45424]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Feb 14 14:33:36   openvpn[45424]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Feb 14 14:33:36   openvpn[45424]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 14 14:33:36   openvpn[45424]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 14 14:33:36   openvpn[45424]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 14 14:33:36   openvpn[45424]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 14 14:33:36   openvpn[45424]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 14 14:33:36   openvpn[45424]: [Private Internet Access] Peer Connection Initiated with [AF_INET]66.85.147.138:1194
Feb 14 14:33:38   openvpn[45424]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
Feb 14 14:33:39   openvpn[45424]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.181.1.1,topology net30,ifconfig 10.181.1.6 10.181.1.5'
Feb 14 14:33:39   openvpn[45424]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 14 14:33:39   openvpn[45424]: OPTIONS IMPORT: LZO parms modified
Feb 14 14:33:39   openvpn[45424]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 14 14:33:39   openvpn[45424]: OPTIONS IMPORT: route options modified
Feb 14 14:33:39   openvpn[45424]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 14 14:33:39   openvpn[45424]: ROUTE_GATEWAY 73.34.122.1
Feb 14 14:33:39   openvpn[45424]: TUN/TAP device ovpnc1 exists previously, keep at program end
Feb 14 14:33:39   openvpn[45424]: TUN/TAP device /dev/tun1 opened
Feb 14 14:33:39   openvpn[45424]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 14 14:33:39   openvpn[45424]: /sbin/ifconfig ovpnc1 10.181.1.6 10.181.1.5 mtu 1500 netmask 255.255.255.255 up
Feb 14 14:33:39   openvpn[45424]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.181.1.6 10.181.1.5 init
Feb 14 14:33:39   openvpn[45424]: /sbin/route add -net 66.85.147.138 73.34.122.1 255.255.255.255
Feb 14 14:33:39   openvpn[45424]: /sbin/route add -net 0.0.0.0 10.181.1.5 128.0.0.0
Feb 14 14:33:39   openvpn[45424]: /sbin/route add -net 128.0.0.0 10.181.1.5 128.0.0.0
Feb 14 14:33:39   openvpn[45424]: /sbin/route add -net 10.181.1.1 10.181.1.5 255.255.255.255
Feb 14 14:33:39   openvpn[45424]: Initialization Sequence Completed

Nothing really stands out as problematic there... nothing else gets logged until maybe 15 minutes later when I get this:

Feb 14 14:48:59   openvpn[45424]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Feb 14 14:48:59   openvpn[45424]: MANAGEMENT: CMD 'state 1'
Feb 14 14:48:59   openvpn[45424]: MANAGEMENT: CMD 'status 2'
Feb 14 14:48:59   openvpn[45424]: MANAGEMENT: Client disconnected

Any ideas where I should be looking to resolve this?

Thanks for the help!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 14, 2015, 04:14:04 pm
Looks like it's connecting to me.  What's not working?

You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: wiz561 on February 14, 2015, 04:53:02 pm
Thanks for the tutorial and it works....but does anybody know how to force OpenVPN to route traffic from only one vlan?  So, for example, I have the following interfaces:

WAN
LAN (10.0.1.0/24)
Guest (10.0.2.0/24)
OVPN (10.0.3.0/24)

I want the LAN and Guest to get routed through WAN.  How do I make only the clients on the OVPN interface use the OpenVPN tunnel?

I've tried to limit the NAT to only the 10.0.3.0/24 net, but then the LAN (and probably Guest) wasn't routing any traffic out.  I also tried to set up some firewall rules to route the LAN to the WAN and make OVPN route it through the OpenVPN gateway, but nothing.

Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: White Widow on February 14, 2015, 05:04:18 pm
Looks like it's connecting to me.  What's not working?

You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.

Thanks - the problem is that as soon as I adjust the LAN firewall rule to direct LAN traffic to the PIAVPN_VPN4 gateway, I lose all internet access.  I can't ping, traceroute, etc. anything outside my LAN.  I have outbound NAT rules setup for both WAN and PIAVPN gateways and firewall rules for each interface that are basically unrestricted:

sorry for the crappy spacing in the output below

WAN Firewall Rules:
ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4   *       *     *            *     *             none

PIAVPN Firewall Rules:
ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4   *       *     *            *     *             none

OpenVPN Firewall Rules:
ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4   *       *     *            *     *             none

LAN Firewall Rules (working):
ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4   *       *     *            *     WAN_DHCP      none

LAN Firewall Rules (not working):
ID  Proto  Source  Port  Destination  Port  Gateway       Queue  Schedule  Description
    IPv4   *       *     *            *     PIAVPN_VPNV4  none
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 14, 2015, 05:28:19 pm
Umm.  First thing you should do is delete that WAN rule.  Do it now.  Don't delay.

Also delete the OpenVPN and PIAVPN rules.  Do it now.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 14, 2015, 05:32:46 pm
Now that you've done that.  Show us your NAT rules.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: White Widow on February 14, 2015, 06:19:35 pm
Now that you've done that.  Show us your NAT rules.

Ha!!  Yeah, those non-LAN rules were NOT active (disabled) and are now deleted - otherwise that would kind of defeat the purpose of a firewall, right? :) The *only* firewall rules I have right now are:

(http://s12.postimg.org/id0vvxptp/pf_Sense1.jpg)

The Outbound NAT Rules:

(http://s28.postimg.org/h3idcl2vx/pf_Sense3.jpg)

When I activate the "PIAVPN" version of these rules and the corresponding firewall rule, I lose all connectivity outside my LAN.

***UPDATE: It's magically decided to start working now.  I have no idea what the problem was but it's good to go now.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 14, 2015, 07:54:58 pm
You can leave the NAT rules active.  They mean nothing unless that interface is being used for egress.  They just have to be there if you're going from the source IP addresses out that interface.

Maybe PIA was having a problem?  Who knows.  Glad it's working and you don't have a pass any any rule on WAN.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: White Widow on February 15, 2015, 05:25:42 pm
One additional question: I can get the OpenVPN/PIA tunnel up and functioning, but when I come back after a while the Interface is down and the OpenVPN service needs to be restarted.  This is from the log:

Feb 14 23:26:43   openvpn[83612]: TLS: soft reset sec=0 bytes=494118/0 pkts=4201/0
Feb 14 23:26:43   openvpn[83612]: ERROR: could not read Auth username from stdin
Feb 14 23:26:43   openvpn[83612]: Exiting due to fatal error
Feb 14 23:26:43   openvpn[83612]: Closing TUN/TAP interface
Feb 14 23:26:43   openvpn[83612]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.179.1.6 10.179.1.5 init

Is this because I specified "auth-nocache"?  If so, shouldn't this option cause the information to be re-read from the file, not stdin?  I'll try and remove the -nocache option since, really, why should I mind having the login credentials saved in memory when it's OK to have them stored plaintext on disk...

Is it something else entirely?

Thanks,
Aaron
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 15, 2015, 05:39:13 pm
If you added auth-nocache outside of the tutorial, remove it.

https://community.openvpn.net/openvpn/ticket/225
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: plainzwalker on February 16, 2015, 05:31:32 am
Quick questions since I am still doing my research. If I wanted my VPN service (PIA) to use a different set of DNS servers, to prevent DNS leak, would it be possible? If so how would I go about setting this up? Or would pfsense as a whole have to use only one set of dns servers?

Sorry, still learning and haven't been able to get any hands on yet.

Thank you
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: zax123 on February 23, 2015, 07:46:46 am
great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

Having TWO OpenVPN clients set up via PIA.

So the idea is this, based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA west

Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada

Then the remaining IP 192.168.0.41-192.168.0.254 will be on the WAN.

I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to the PIA USA West, is there anything I could be missing?

Hi there,

Not sure if you solved your problem, but if you haven't passed "route-nopull" as an advanced option to the OpenVPN client, that might be your problem.  I wanted to selectively send some of my LAN clients to VPN and others not, and had to pass this option as it stopped OpenVPN from generating a default (0.0.0.0) route in my routing tables.

Good luck!

Rob
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: t3kka on February 23, 2015, 02:10:13 pm
First a huge thanks to the OP for providing this.  Exactly what I was looking for.

Second - and please bear with me as I'm new to pfSense - what is the best way to have ALL communication to the internet shut-off if for whatever reason the VPN becomes disconnected? Or maybe this is already going to occur because of the NAT rules defined?

Thanks for clarification.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 23, 2015, 02:33:16 pm
I have found the best way to do this is to edit the firewall rules that policy route traffic over the VPN.  Configure them to add a mark like VPN_ONLY.

Create an interface group for all your WAN interfaces.

Create a floating rule on the wan interface group direction out.  Make it a Reject rule, Quick, matching any traffic with mark VPN_ONLY.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: boowii on February 23, 2015, 08:10:53 pm
Hi Everyone.
I have the service up and running but for some reason I am not getting an IP address?
what have i missed?

cheers
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ghanem on March 02, 2015, 12:02:13 pm
Hey friends
Can I make a VPN in pfSense firewall between the admin in my LAN to connect 2 dedicated servers with 2 public addresses x.x.x.x / x.x.x.x
It's urgent, thanks for your answer :)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 02, 2015, 12:19:13 pm
Quote
Hey friends
Can I make a VPN in pfSense firewall between the admin in my LAN to connect 2 dedicated servers with 2 public addresses x.x.x.x / x.x.x.x
It's urgent, thanks for your answer :)
Start another thread.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on March 13, 2015, 05:47:38 pm
Hey Derelict thanks for answering my other questions.  My problem is..uh, I'm not the sharpest at learning; I can follow tutorials (and even wrote some for wireless) and what I need is another tutorial for setting up NAT (or LAN?) rules.  I followed this VPN tutorial and everything is running great!  But like others have asked, I need to have 1, 2 or maybe only 3 IPs (computers) use the VPN, and all others bypass the VPN and go straight to the local internet.  So the answers I've read of 'create a LAN rule for xxx' are nice and I'm sure easy for some, but I don't know HOW to do that?  I made some LAN rules, but it blocked everything and so I just removed them.  Therefore, if you, or anyone, knows of another tutorial of 'How to create a rule for 1 IP to bypass the VPN' I sure would appreciate a link.  I can follow directions and be successful (driving, making coffee, buying groceries) but I don't know the 'how-to' of pfSense rules.   Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 13, 2015, 06:17:45 pm
Create an IP alias called vpn_hosts or something Firewall > Aliases

Add the IP addresses that you want to be forwarded through the VPN

Look at the first post in this thread.  Find the section called Routing.

The walkthrough changes the LAN IPv4 Rule so it forwards all of LAN Net to PIAVPN_VPN4.  You want to make a rule just like it but ABOVE it with the source network set to the alias instead of LAN net.  Then change the LAN net rule back to Gateway: default
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on March 15, 2015, 06:07:36 am
Thanks for the steps.  I just can't get it to work.  I either have  No outbound connection; Everything thru VPN; or Everything Open, not vpn'd.  The IP's are set in the 'VPN Out IPs' and the gateway is 'default' under the 2nd LAN rule.  Just not getting it I suppose.  Thanks for the help.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 15, 2015, 06:18:23 am
That should work.  You sure PIA is up when you try?  Did you clear states?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 02:53:29 am
I have very similar set up and same issues.

As I have it set up now, everything goes through the VPN. All I want is 192.168.0.102 to go on the VPN, all other traffic through ISP.

What have I got wrong here?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 10:29:00 am
Probably a default route from the VPN provider.

On 2.2, check Don't pull routes in the OpenVPN client config.  On 2.1.5 add route-nopull; to the advanced section.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 01:06:51 pm
Derelict thanks for the reply,

I seem to have messed something up. :-[ :-[

A few questions:
1. Every time I enable and disable the VPN Client (which I do a lot while trying to set this up) it gives me a new IP which I then have to add to the firewall rules, is there an easier way of doing this?

2. I seem to have lost the ability to have traffic go through the VPN (I could once have all or nothing), I can see a small amount of traffic on the VPN but when I check my IP I get my ISP's. What did I do?

3. What did checking "Don't add/remove routes" do?

I seem to go one step forward and two steps back every time I make a change on this.

Thanks,
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 01:57:07 pm
What rules are you talking about?  You don't need to care what address they give you.  That's the PIAVPN_V4 address and all pfSense does is NAT to it.  That can change all the time.  You are concerned with your client's LAN address that doesn't change unless you change it (presuming it's static or at least a DHCP Static Mapping, which is advisable when you start policy routing based on the source address).

Many VPN providers push a default route to you so all your traffic gets sent through them.  Checking that box adds route-nopull; to your client configuration which tells the client to ignore all the routes pushed to you.  This leaves it up to you to policy route the traffic you want to go to the VPN.
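As an added example (not code from anyone in this thread): a small Python script that parses the PUSH_REPLY line from the OpenVPN client log posted earlier in the thread and works out which routes and DNS servers the client would install, with and without route-nopull, so you can see why a pushed redirect-gateway drags all LAN traffic into the tunnel. The VPN server and WAN gateway addresses are taken from that same log excerpt; the function names are my own.

```python
"""Work out which routes an OpenVPN client (such as pfSense's PIA client) would
install from a PUSH_REPLY, and what changes when route-nopull is set."""
import ipaddress

# Constructed sample: the PUSH_REPLY shown in the OpenVPN client log posted
# earlier in this thread (same addresses as that log excerpt).
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,"
    "dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.181.1.1,"
    "topology net30,ifconfig 10.181.1.6 10.181.1.5"
)


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, [args]) pairs."""
    prefix = "PUSH_REPLY,"
    if not msg.startswith(prefix):
        raise ValueError("not a PUSH_REPLY message")
    opts = []
    for item in msg[len(prefix):].split(","):
        words = item.split()
        if words:
            opts.append((words[0], words[1:]))
    return opts


def pushes_default_route(opts):
    """True if the server is trying to take over the client's default route."""
    return any(name == "redirect-gateway" for name, _ in opts)


def pushed_dns(opts, route_nopull=False):
    """DNS servers the client would accept; route-nopull also drops dhcp-options."""
    if route_nopull:
        return []
    return [args[1] for name, args in opts
            if name == "dhcp-option" and len(args) == 2 and args[0] == "DNS"]


def _cidr(addr, mask="255.255.255.255"):
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def routes_installed(opts, route_nopull=False, remote_server=None, local_gateway=None):
    """Return [(network_cidr, gateway)] in the order the client adds them.

    Mirrors the /sbin/route add lines in the posted log: a host route to the VPN
    server via the real WAN gateway, then the two /1 halves for 'def1', then any
    explicit 'route' options, all via the tunnel peer taken from 'ifconfig'.
    With route-nopull every pushed route is ignored, so nothing is installed and
    the admin must policy-route traffic into the tunnel with firewall rules.
    """
    if route_nopull:
        return []
    peer = None
    for name, args in opts:
        if name == "ifconfig" and len(args) == 2:
            peer = args[1]  # net30 topology: second address is the P2P peer / gateway
    if peer is None:
        raise ValueError("PUSH_REPLY carries no ifconfig, cannot resolve a gateway")
    routes = []
    for name, args in opts:
        if name == "redirect-gateway":
            if remote_server and local_gateway:
                # keep the tunnel endpoint itself reachable over the real WAN
                routes.append((_cidr(remote_server), local_gateway))
            if "def1" in args:
                # 'def1': override the default route with two /1s without deleting it
                routes.append((_cidr("0.0.0.0", "128.0.0.0"), peer))
                routes.append((_cidr("128.0.0.0", "128.0.0.0"), peer))
            else:
                routes.append((_cidr("0.0.0.0", "0.0.0.0"), peer))
    for name, args in opts:
        if name == "route" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            routes.append((_cidr(args[0], mask), peer))
    return routes


if __name__ == "__main__":
    opts = parse_push_reply(SAMPLE_PUSH_REPLY)
    print("server pushes a default route:", pushes_default_route(opts))
    print("pushed DNS:", pushed_dns(opts))
    for net, gw in routes_installed(opts, remote_server="66.85.147.138",
                                    local_gateway="73.34.122.1"):
        print(f"  route add {net} via {gw}")
    print("with route-nopull:", routes_installed(opts, route_nopull=True))
```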
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 02:20:41 pm
I will attach what I think might be useful, let me know if anything else is needed.

I also noticed when I check the gateway that the VPN shows online but then quickly goes offline after enabling. Any thoughts on that?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 02:37:31 pm
Which rule do you think you have to change?  What, exactly, is the problem?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 02:47:37 pm
I have to disable that top rule to reply.

When all the rules are enabled, on the BJENVY pc, it doesn't seem to have internet for some time, then it comes for a few seconds, I can check the ip and it is my WAN IP and then it stops responding.

Should I be concerned about the Gateway showing offline?

scratching my head... ???
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on March 16, 2015, 04:11:11 pm
Thanks to Derelict for keeping me at it.  I got the separate IP's working out thru the VPN and all others thru normal gateway/router. 
bj24 - Follow the steps in Derelict's post for making an alias.  Add the IPs you want going out thru the VPN to it.  Give it a name like 'IPs_Out_VPN' or something you will recognize. 
Then go to Firewall-Rules-Lan
Click the plus to create a new rule based on LAN net
Action=Pass, Interface=LAN, TCP/IP=IPv4, Protocol=any, Source=Type:Single host or alias, Address: IPs_Out_VPN; Destination=any, Description=LAN PIA_VPN Specific IP address Out
Advanced features:  Gateway=PIAVPN_VPN4-some.ip. (this should be in the list if you followed the tutorial)
Save, Apply Changes
In Firewall: Rules - LAN   Click the rule you just made in the checkbox on the left;  Then point at the Arrow to the right of the LAN net rule, and move your IP out rule above it.  It should now be the first rule.
Go to Status-Services, Restart DHCP, Restart OpenVPN.
Give your computers 1-2 minutes to get a refreshed IP and see if your computers are running thru the interface you want.
**** Mine Didn't*** Because I had to go change this:
Firewall-Rules-LAN
Choose your IPv4 LAN net (gateway should be '*')  click Edit
Advanced features - Gateway:  Choose 'WAN_DHCP - 192.168.x.x' 
Save- Apply changes.   
Go to Status-Services, Restart DHCP, Restart OpenVPN.
Give your computers 1-2 minutes to get a refreshed IP and see if your computers are running thru the interface you want.
If all works, save this to your notepad along with the tutorial and you're good to go!   
Let me know if you need the individual steps for making the Alias list, it's pretty straightforward but until you do it you can be poking around. 
Thanks Derelict and others for getting us going!


Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 06:15:58 pm
This is very frustrating.

I have it as you two have said as far as I can tell and it does not work as expected.

Should I be concerned that the Gateway for the VPN shows offline?!

What logs should I be looking at or screens? I have found another laptop to use as a tester so I stop losing internet when I test on myself. I have added its IP to the list with an alias of IPs_Out_VPN.
I have made a Lan rule with the Gateway selected to use the VPN.

I restarted the 2 services.

I test the computer, it still has my ISP's IP address and after less than 2 minutes internet stops completely on it.

Should I start to suspect PIA? Like I've wondered, the Gateway keeps going from online to offline.

puzzled....
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 06:27:40 pm
Disable gateway monitoring on that gateway.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 07:03:13 pm
Thank you, that has solved the gateway offline issue.

However still no routing of IPs_Out_VPN to go out the VPN.

progress!!...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 07:10:18 pm
Why are your NAT entries back here: https://forum.pfsense.org/index.php?topic=76015.msg500950#msg500950 for 192.168.1.0 and your policy route is for 192.168.0.102?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 07:27:30 pm
I hope that's the issue. I corrected that to 192.168.0.0 but still nothing.

Here is my updated NAT list, do I need to keep all 7?

tested it now and still on the ISP IP.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 07:28:18 pm
oops, here's the NAT list
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 07:45:47 pm
What are the contents of alias BJENVY?

What is the IP address of the host you're testing from?

Is the VPN up?

Please post evidence so we can see everything is as it should be.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 09:16:32 pm
I have changed the alias name to IP_out_VPN, it has 2 ips in it 192.168.0.102 and .115

I am testing from both of those 2 IPs, 192.168.0.102 and .115

What is the best evidence that the VPN is up? I believe it is as far as I can see.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 16, 2015, 09:19:00 pm
I guess I don't know.  You've got something wrong somewhere.  Delete it all and start over maybe.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 16, 2015, 09:21:33 pm
 :)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 17, 2015, 02:33:53 pm
Will start fresh and see how it goes... cross your fingers  ;)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 17, 2015, 02:37:59 pm
HOLD UP.  My last post I noticed my IP address in the lower right corner and it wasn't mine, it was the IP of the VPN!! So something is working.

I go to speedtest.net and it shows my current location and ISP IP.
I go to whatismyip.org and it shows my ISP IP and location.

What is going on? Why did my post or this forum recognize the VPN but nothing else seemingly?

steps forward...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 17, 2015, 05:17:14 pm
There is nothing in your config that cares about the destination unless you're not telling us everything.  Is your VPN going up and down?  Lots of sites report IP addresses.  What does www.ipecho.net say?  What does www.wimi.com say?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 17, 2015, 10:10:44 pm
Derelict,

What do you imply that I wouldn't be telling?

Every time I check the status of the VPN it is up and well. When I use the PC application the VPN is very stable. The logs for openVPN don't show anything strange.

Both of those sites showed my ISP IP.

Any other logs I should be looking at?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 17, 2015, 10:14:32 pm
Status > OpenVPN has a connected since column.

I say there's something else afoot because if there wasn't it would be working.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 17, 2015, 10:19:42 pm
I checked the connection time and it was up for almost a day now.

I tried unchecking the "Don't add/remove routes" box. To my amazement when I checked the IP it was my VPN! However when I checked it on a PC that should be on the ISP it was showing the VPN. I changed it back.

I tried checking "Don't pull routes" too but that didn't seem to help.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 18, 2015, 02:27:38 am
If I use the website ipleak.net I get these results...

Showing my ISP IP 50.*** and also my VPN IP 104.***

what gives?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 18, 2015, 07:50:22 am
Are you running squid?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 18, 2015, 10:01:45 am
I do have squid
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 18, 2015, 10:08:24 am
I do have squid

You're on your own then.  Unbelievable.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 18, 2015, 11:50:27 am
I turned off squid and it works as expected now.  :o ::) :-[

I had no idea squid would be interfering especially if I am going to uncached never before visited sites like the ones you suggested to try.

Thank you for the suggestion!

So no squid + VPN setup? Or will more configuring be required if I want both?

Thanks again, I can live without squid I think.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 18, 2015, 11:58:02 am
Quote
Thanks again, I can live without squid I think.
Most people don't need it.  It just breaks things.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 18, 2015, 12:08:16 pm
proven  ;D

thanks again!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: stanthewizard on March 27, 2015, 05:04:42 am
Thanks It works for specific IP (static) in the LAN

Is there a way to route the traffic based on IP or URL? (for Netflix for example)

Thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 28, 2015, 05:32:25 pm
It is very similar to routing static IPs.

Under Firewall rules : LAN you'll want to make a rule for:

Source: being your static IPs being routed, or leave blank if all

Destination: being the IP address of the website you are trying to route

Gateway: being the VPN or default as need requires
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: stanthewizard on March 28, 2015, 05:36:01 pm
Thanks

I already have some IP that are routed to openvpn

I wanted to know if all IPs could be routed based only on URL?

 :D
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bj24 on March 28, 2015, 07:08:16 pm
Source: *

Destination: being the IP address of the website you are trying to route

Gateway: being the VPN
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 28, 2015, 07:17:59 pm
The trouble is a "website" will load assets from many different domains.  Run NoScript for a while.  And that'll just show you all the different places the site is trying to pull javascript from.  Not images, etc.

You can make aliases that periodically look up FQDNs and put all the IP addresses in a table.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: saytar on March 28, 2015, 09:41:13 pm
Thanks for the steps.  I just can't get it to work.  I either have  No outbound connection; Everything thru VPN; or Everything Open, not vpn'd.  The IP's are set in the 'VPN Out IPs' and the gateway is 'default' under the 2nd LAN rule.  Just not getting it I suppose.  Thanks for the help.

A little late to the Party, but..................

With PIA you have 2 WAN's in effect. Pfsense gives the VPN priority......I tried the NO_PULL route, doesn't work at least I never could get it to.

MY SOLUTION....Set fixed IP's or find the static IP's of the TVs/devices you wish to run outside the vpn. Then you make rules on the LAN interface (NAT will bring them back in, most likely will not need little if any tweaking ) and on your gateway set the gateway in the rule to PIA interface name, THEN click the little box above it to NOT use it........anything you want out and NOT thru PIA you'll want to do this way. Set mine this way 6-8 months ago and is working perfectly with Netflix, Ebay, etc as they are also blacklisting PIA IP's.
On your Email with PIA.....click on their help or send an email to them, tell them what email servers (you need the actual numerical IP) you will be using and that you need to get smtp on 25 opened for you on those........their tech will "adjust" the setting for you....they just don't want someone using PIA for spamming. As long as your traffic is average you won't have a problem......You will also need to adjust the email program setting to use the numerical IP's instead of the resolved name. Been working for me for over a year now. I leave my VPN running 24/7 (on the Pfsense box)...you can also run PIA within PIA I have. I have posted a screen shot of  the my firewall rules. The ones with the !No PIA.net are the ones bypassing the VPN..
Notice they are at the bottom..........I let default be PIA and EXCEPTED the oddballs, that way anything else I plug in will automatically go to PIA by default.

I have my Roku Box and my VIZIO TV set to NOT PIA works fine. I flip my PC when needed or wanted............or use their windows app. I prefer the Pfsense tunnel.
Our cell phones are WIFI SIP phones, using wifi when around wifi and cellular when wifi not available.....................Worked from day one, no special config was needed to get them up and running.

Stinking Netflix, Hulu, Ebay and CBS............ >:( >:(

If you WANT to use the VPN, just edit the rule back to * all. Give it a couple of minutes and you'll be on vpn or vice versa.

SEE ATTACHED SCREEN SHOTS

Not sure about the NAT with the 2.2.1 version yet, I had custom NAT rules. It appears that the Default or Hybrid would work.....depends on how intricate or simple your install is.....the more "intricate" the more your NAT or rules will have to be.......
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: saytar on March 28, 2015, 09:51:15 pm
The trouble is a "website" will load assets from many different domains.  Run NoScript for a while.  And that'll just show you all the different places the site is trying to pull javascript from.  Not images, etc.

You can make aliases that periodically look up FQDNs and put all the IP addresses in a table.

Agreed, found it out the hard way trying to uhhhh time shift some, Netflix breaks a movie into at least 40 pieces or more (or clips) and they all get a different IP designation, and they pull in each segment as needed with your device caching each segment or part of. Your IP would literally be a moving target...................that's why its more productive to identify the device that needs clear internet set it to use unencrypted WAN, If the NSA want to watch a movie with me (80% is granddaughter and my little pony or pinky..no state secrets) so be it....anything I don't wish to watch with them I use the PC on encrypted.......set everything else encrypted by default and only adjust as required.

Before this last update Pfsense and PIA were up for 59 days uninterrupted (I have UPS)

But the Update DID break my PIA vpn and screwed up my NTP forward for Layer 3 switch (a play toy, still haven't got IT all figured out yet) and references. It (even with a backup reloaded, forgot to backup config.xml file) lost my login and password file and I had to reconfigure a firewall bypass for NTP....seems they changed something with the NAT, not clear just yet how that was "readjusted" by the Dev's..............minor tweaks, buuuuttt. I had to make an entirely new password file with login and password, then worked fine.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: saytar on March 28, 2015, 10:16:25 pm
I have to disable that top rule to reply.

When all the rules are enabled, on the BJENVY pc, it doesn't seem to have internet for some time, then it comes for a few seconds, I can check the ip and it is my WAN IP and then it stops responding.

Should I be concerned about the Gateway showing offline?

scratching my head... ???

Mine has ALWAYS shown as down on the Dashboard Gateway Panel. But checking on Service status is mean and green.........that's a quirk they have never "fixed".
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: stanthewizard on March 29, 2015, 12:59:29 am


You can make aliases that periodically look up FQDNs and put all the IP addresses in a table.

How do you make such aliases?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 29, 2015, 01:04:29 am
Create the alias.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: stanthewizard on March 29, 2015, 01:20:29 am
Thanks
I tried previously to create that kind of alias in URL
It didn't work  :o

In IP it works
I created an alias for what is my ip address and changed a rule ... Every IP inside my LAN shows an address from the VPN when accessing what is my ip address. With another service like what is my ip, I have the address from my ISP.

So it works !

But not success with netflix
In the Netflix aliases I have this

netflix.com

lnwd.net

nflximg.com

edgesuite.net

nflximg.net


Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 29, 2015, 01:22:42 am
Sorry, but I don't play whack-a-mole.

The URL aliases are for downloading the content of the aliases from a URL, not for creating an alias based on a FQDN.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: stanthewizard on March 29, 2015, 01:24:22 am
Thank you for your help
I think that is a good start

 ;D
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: louicruz88 on April 03, 2015, 10:50:06 am
THIS IS PFSENSE GOLD!!!!
I am having one issue though. SMTP Notifications seem to not work when PIAVPN/OpenVPN is running.
I stopped the OpenVPN service and notifications worked just fine.
Logs state:

Quote
"php-fpm[38529]: /system_advanced_notifications.php: Could not send the message to myemailadress@xxxx.com -- Error: could not resolve host "smtp.xxxxx.com"

Any ideas on a possible fix?

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: YoMan on April 03, 2015, 01:08:01 pm
The tutorial states to turn off hardware encryption and to use BL-128.  Is there anyway to use AES-256 instead and use hardware encryption?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: louicruz88 on April 03, 2015, 03:59:55 pm
Found out that PIA blocks SMTP servers by default due to spam.
Had to open a ticket with PIA for them to test the SMTP server and whitelist it.
SMTP notifications are working fine now!!!!!


THIS IS PFSENSE GOLD!!!!
I am having one issue though. SMTP Notifications seem to not work when PIAVPN/OpenVPN is running.
I stopped the OpenVPN service and notifications worked just fine.
Logs state:

Quote
"php-fpm[38529]: /system_advanced_notifications.php: Could not send the message to myemailadress@xxxx.com -- Error: could not resolve host "smtp.xxxxx.com"

Any ideas on a possible fix?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 03, 2015, 05:08:26 pm
A better solution would probably be to turn on route-nopull, and policy route the port 25 traffic out your WAN.

That way when PIA or the email server operator makes a change it doesn't break again.

Or move to SSL/STARTTLS and use submit port 587 with authentication.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: louicruz88 on April 04, 2015, 09:30:32 pm
Really!!! I looked but wasn't able to find ROUTE_NOPULL.
Where can I find route-nopull option????

A better solution would probably be to turn on route-nopull, and policy route the port 25 traffic out your WAN.

That way when PIA or the email server operator makes a change it doesn't break again.

Or move to SSL/STARTTLS and use submit port 587 with authentication.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 05, 2015, 01:59:01 am
Really!!! I looked but wasn't able to find ROUTE_NOPULL.
Where can I find route-nopull option????

A better solution would probably be to turn on route-nopull, and policy route the port 25 traffic out your WAN.

That way when PIA or the email server operator makes a change it doesn't break again.

Or move to SSL/STARTTLS and use submit port 587 with authentication.

https://forum.pfsense.org/index.php?topic=76015.msg501074;topicseen#msg501074
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: coolspot on April 07, 2015, 08:08:50 am
In the tutorial, manual NAT rules are required ... is this still required for 2.2.1 and why is this?

1. How come the OpenVPN wizard doesn't automatically add the NAT rules?
2. How come pfSense's automatic NAT rules don't do this for you?

Just wondering why manual rules must be added.

Thanks.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: doktornotor on April 07, 2015, 08:27:12 am
1. How come the OpenVPN wizard doesn't automatically add the NAT rules?
2. How come pfSense's automatic NAT rules don't do this for you?

Because people usually do NOT want all their Internet-bound traffic to go through some slow VPN tunnel.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: coolspot on April 07, 2015, 01:41:01 pm
Because people usually do NOT want all their Internet-bound traffic to go through some slow VPN tunnel.

Great thanks, so I got my tunnel up and running... however, my performance is only ~40mbps.

I'm running an Atom D525 CPU, what should be the expected performance?

When I run TOP, my WCPU for OpenVPN hovers around 50% ... however, the other cores/threads are pretty idle.

Here is my TOP output:


last pid: 15026;  load averages:  1.02,  0.61,  0.43                                                                                   up 19+02:05:29  14:33:57
210 processes: 7 running, 177 sleeping, 26 waiting
CPU:     % user,     % nice,     % system,     % interrupt,     % idle
Mem: 28M Active, 179M Inact, 542M Wired, 465M Buf, 7172M Free
Swap: 16G Total, 16G Free

  PID USERNAME      PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          155 ki31     0K    64K CPU2    2 440.2H  79.05% idle{idle: cpu2}
   11 root          155 ki31     0K    64K CPU0    0 432.5H  78.66% idle{idle: cpu0}
   11 root          155 ki31     0K    64K RUN     3 446.5H  76.56% idle{idle: cpu3}
   11 root          155 ki31     0K    64K RUN     1 443.6H  68.16% idle{idle: cpu1}
28854 root           52    0 21728K  5752K select  0   1:06  58.40% openvpn

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: JimPhreak on April 08, 2015, 12:35:32 pm
Has anyone gotten this setup to work with Plex Media Server?  From what I've seen, most can't get Plex to publish to the internet once connected to PIA.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 08, 2015, 12:56:15 pm
Quote
Has anyone gotten this setup to work with Plex Media Server?  From what I've seen, most can't get Plex to publish to the internet once connected to PIA.

Publish over PIA or over the internet bypassing PIA?

For the former, PIA has to forward a port to you.  Do they support that?

For the latter, it should be a simple matter of making sure Plex policy routes out your WAN instead of PIA.

If you want the same IP address to route some things over PIA and some over WAN you have to figure out how to identify the different traffic and policy route accordingly.

IMHO, Plex requiring a port forward open to any is fail and pretty much makes it a non-starter for me.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: JimPhreak on April 08, 2015, 01:46:30 pm
Quote
Has anyone gotten this setup to work with Plex Media Server?  From what I've seen, most can't get Plex to publish to the internet once connected to PIA.

Publish over PIA or over the internet bypassing PIA?

For the former, PIA has to forward a port to you.  Do they support that?

For the latter, it should be a simple matter of making sure Plex policy routes out your WAN instead of PIA.

If you want the same IP address to route some things over PIA and some over WAN you have to figure out how to identify the different traffic and policy route accordingly.

IMHO, Plex requiring a port forward open to any is fail and pretty much makes it a non-starter for me.

PIA does support port forwarding but the port changes every time you get disconnected.

What do you use in place of Plex or do you just not have a media server you can access remotely?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: q54e3w on April 08, 2015, 01:46:50 pm
I use AirVPN but you should be able to port forward a secure OpenVPN session into your LAN and then connect to Plex over the OpenVPN connection with usual subnet routing....that's how I do it anyway. Seems secure and was simple enough to do.
I agree with Derelict though - opening a media player to the outside world directly feels like an unnecessary risk.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: JimPhreak on April 08, 2015, 01:49:08 pm
I use AirVPN but you should be able to port forward a secure OpenVPN session into your LAN and then connect to Plex over the OpenVPN connection with usual subnet routing....that's how I do it anyway. Seems secure and was simple enough to do.
I agree with Derelict though - opening a media player to the outside world directly feels like an unnecessary risk.

I have a bunch of family and friends that connect to it and it's just not possible for me to set them all up as VPN clients unfortunately.  I realize having it open to the public is not ideal.  However given that fact, I'm trying to make it as secure and hidden as I can.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 08, 2015, 02:21:21 pm
As far as I know, you have to have the Plex port open to the world just to sign it into plex.  Doesn't have anything to do with who you allow access to it.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: q54e3w on April 08, 2015, 03:02:18 pm
I use AirVPN but you should be able to port forward a secure OpenVPN session into your LAN and then connect to Plex over the OpenVPN connection with usual subnet routing....that's how I do it anyway. Seems secure and was simple enough to do.
I agree with Derelict though - opening a media player to the outside world directly feels like an unnecessary risk.

I have a bunch of family and friends that connect to it and it's just not possible for me to set them all up as VPN clients unfortunately.  I realize having it open to the public is not ideal.  However given that fact, I'm trying to make it as secure and hidden as I can.

Yes, I can see how that would be an added inconvenience.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psxnight on April 11, 2015, 05:56:03 pm
When trying to start the VPN client connection configured for PIA, I receive the following error:

Cannot load CA certificate file /var/etc/openvpn/client1.ca (no entries were read) (OpenSSL)

I've gone through the certificate authority setup a few times and there doesn't seem to be much to it.  I did try to search through the forums for this error but didn't turn up anything that helped.  Can someone tell me what I might be missing?

Thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: iculookn on April 13, 2015, 11:12:35 pm
Hi All

I used some of this tutorial and others to get OpenVPN via giganews VyprVPN working on a new SG-4860 and everything is fine (apart from slow)

I just would like some help to confirm I have not opened up my network unnecessarily, so does this look all ok?

Not sure about why I had to create rules in the 2 VPN tabs. I have configured it so most traffic will go via WAN, but any devices in the "VPN Systems" alias will go via the VPN.

Thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 13, 2015, 11:25:52 pm
The rules on the VPN tabs have nothing to do with what traffic goes out which interface.  Those regulate what connections you allow into your router from the outside.  I would delete both of those rules.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: pfanatic on April 18, 2015, 03:15:28 pm
I followed this guide for connecting to PIA through OpenVPN and the connection seems to be working great.

However, I am having some questions/issues:

Questions
1. I am not able to complete the instructions as mentioned on step “Configure NAT Rules”. I am unable to create the NAT Rule for 127.0.0.0/8; it gives me an error

   You must supply a valid port for the NAT port entry

Issues
2. I am unable to see any of my other computers/services when connected through VPN to my network. I have created an OpenVPN connection that allows me to connect to my intranet from outside, and it works great when I disable the PIA VPN but not when it is enabled.

The number 1 above does not seem to be an issue unless it is related to number 2.

Number 2 is the most important.

I appreciate any help with the above.

Thank you!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 18, 2015, 07:19:48 pm
You'll have to tell us what all the firewall rules are and what all the local networks, OpenVPN tunnel networks, etc, are.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: pfanatic on April 18, 2015, 11:22:21 pm
These are my settings for VPNing to my network:

I have a Firewall: Rules – WAN
ID =
Proto = Ipv4 TCP
Source = *
Port = *
Destination = WAN address
Port = 1194 OpenVPN
Gateway = *
Queue = none
Schedule = *

and a Firewall: Rules - OpenVPN
ID =
Proto = Ipv4 *
Source = *
Port = *
Destination = *
Port = *
Gateway = *
Queue = none
Schedule =

also the OpenVPN: Server is
Protocol / Port = UDP / 1194
Tunnel Network = 172.16.2.0/24

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 19, 2015, 12:14:48 am
That doesn't give anyone enough information to help you.  There is probably a routing problem between all the networks involved.  You only told us what the tunnel network is.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: pfanatic on April 19, 2015, 12:39:28 am
Could you be more specific as to what information I could provide?
I can provide some screenshots if that helps but I am not sure what you are looking for.

thanks,
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on April 19, 2015, 12:43:13 am
Quote
You'll have to tell us what all the firewall rules are and what all the local networks, OpenVPN tunnel networks, etc, are.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: s3rv3rn3rd on May 21, 2015, 04:16:02 pm
I've been working on an issue for a while now and I made significant progress through a person on reddit but I'm at another hurdle.

I have this setup with PIA and PFsense. I have it set to push 2 IPs through the VPN and everything else goes through my WAN. That all works great.

The issue I'm having is that I have 5 VLANs and the two IPs that are going through the VPN are not able to communicate with the rest of the devices on the network that are not within the same VLAN. I think this is some sort of firewall rule, but nothing I have tried or found here or on the Google has worked.

Each VLAN has a rule at top that allows all traffic from the 2 IPs through the VPN Gateway. Then there is a second rule that is allow all from anywhere through the default gateway. The LAN interface is also including these same rules (although without them it did not have an impact).
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on May 21, 2015, 04:22:09 pm
You need to pass traffic to your local networks above that rule.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: s3rv3rn3rd on May 21, 2015, 04:28:25 pm
When I put the rule permitting all traffic first, it no longer passes the traffic through the VPN as intended. It allows the VLANs to communicate, but it won't keep it on the VPN.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on May 21, 2015, 04:30:40 pm
Read the link again.  That's not what it says to do.  You need to pass only to local destinations.  Or maybe make an alias and pass only to that.  Or maybe make an alias for all private addresses and pass only to those:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: s3rv3rn3rd on May 21, 2015, 04:45:21 pm
Got it.

Set that up on each of the VLANs (I have not added it to the PIA Interface or the OpenVPN interface) and that seems to be working beautifully.

Thank you!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on May 21, 2015, 04:48:14 pm
Quote
Set that up on each of the VLANs
I assume you mean set that up for each of the VLANs.  The rule(s) only need to be on the interface that the hosts being routed to the VPN are on.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: s3rv3rn3rd on May 21, 2015, 04:53:58 pm
Yes - I set it on each of the VLANs. currently I have 2 of the VLANs with VPN traffic and that might expand. It appears to be working great now.

Thanks!!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Thisisvv on May 23, 2015, 02:07:35 pm
Hello All,

I am a newbie here. Just got pfSense working on VMware on my i7 desktop. I am unable to connect to PIA. I have tried multiple times the above mentioned process but nothing happens. You can see from VPN start, every service seems to be working.

Now when I go to Status: System logs: Gateways, there is absolutely nothing....
 

I have attached most of my screenshots, please let me know where I could use help
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: doktornotor on May 23, 2015, 02:10:53 pm
No idea really what's that "free roam" doing on your WAN ??? ??? ??? Regardless, that interface tells nothing regarding the topic here.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Thisisvv on May 23, 2015, 11:22:26 pm
So am I at the wrong place?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: doktornotor on May 24, 2015, 06:28:11 am
For configuring policy routing for LAN clients? Yeah, WAN is surely wrong place for that.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: TDJ211 on June 14, 2015, 11:11:34 am
The tutorial states to turn off hardware encryption and to use BL-128.  Is there anyway to use AES-256 instead and use hardware encryption?

Bump....I would like to know this as well
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 14, 2015, 04:00:20 pm
Not if PIA doesn't support it.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: cableguy on June 24, 2015, 07:47:43 pm
First post so excuse the newbie here....

What are the speeds you guys have been getting vs. ddwrt flashed routers? I recently upgraded to gigabit fiber, and was looking at building a machine this weekend since 40mbps through a Nighthawk leaves me a little disappointed.  I looked at the SH4860 as well, but I'd rather build something myself if I can hope for anything at least 150-200mbps
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 28, 2015, 12:34:53 pm
Hi all, newbie with a query here

I've followed this guide to get a vpn setup and working fine for normal use, my issue is that port forwarding just won't work as advertised, I have literally gone through a dozen guides, they all say basically the same thing and I swear I've done it all, but nowt actually gets through...  My VPN provider has forwarded the relevant ports to me and says it's all good on their end.

Do I need NAT reflection to forward a port through the vpn to a LAN IP?  Are my NAT rules ok? Please help, screenshots are here http://imgur.com/a/iZOwd (http://imgur.com/a/iZOwd) , I'm losing my mind here...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 28, 2015, 02:12:51 pm
You didn't post your port forward config.  Firewall > NAT > Port Forward Tab.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 28, 2015, 04:33:47 pm
Hiya, thanks for replying!  It's in the album now, at the bottom...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 28, 2015, 05:01:00 pm
Destination address on your port forward should not be * it should be the interface address for the appropriate VPN interface.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 28, 2015, 05:32:19 pm
Thanks.  Erm, this might be a stupid question but which address is that? All traffic for that pc goes from the LAN through my Iceland VPN interface so is it the virtual address of that VPN interface or my LAN interface?  And since my VPN interfaces are using "IPv4 Configuration Type: None", won't the virtual address change over time? I don't think I can make them static...

I don't know if this will help, probs not ;) but this is a rough idea of my setup

                r  WAN <<<  Iceland-VPN Gateway <<<< 192.168.1.248
Modem<<< WAN <<<  UK-VPN Gateway        <<<< All other LAN IPs
                L  WAN xxx                                      xxxx   All LAN traffic 
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 28, 2015, 06:34:49 pm
In the Destination address type you select the OpenVPN interface.  If you haven't assigned an interface you need to look up OpenVPN assigned interfaces.  Port forwards won't work without one.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 28, 2015, 07:29:13 pm
I assigned an interface to each of the OpenVPN clients in the screenshot above, the TORGUARDICELAND interface is the one the pc @ 192.168.1.248 is using, that OpenVPN client has the virtual address 10.8.0.6, is this what you mean or does its interface have a different address?  Do I need to set up a new interface somewhere?  Sorry to be a pain but I've googled around this and can't find anything about a separate OpenVPN interface....  Thanks for your help with this, you're a lifesaver
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 28, 2015, 09:06:53 pm
In your port forward entry, the Destination needs to be your OpenVPN interface address, not '*'  I don't know how to make it more clear.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 30, 2015, 12:05:55 pm
Ok, I have set the destination to the VPN interface address, see screenshot, but the port is still not open, is there still something I'm missing?  Thanks again
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 30, 2015, 12:16:44 pm
You need to get proof that the port is properly forwarded to you.  Turn logging on on the pass rule, check the logs.  Attempt a connection, check for states.  Do a packet capture on WAN.  Do you see the inbound packets?  Do a packet capture on LAN. Do you see the outbound packets?  What is returned from 192.168.1.248?

You also need to test from outside.

Do all this.  Don't skip anything:

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 30, 2015, 12:36:10 pm
Nice one, I'm on it...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on June 30, 2015, 05:56:01 pm
Ok, we have some results,

Firewall checks, with logging on the forwarding rule and utorrent running on 62465, I'm also repeatedly trying to connect externally using a 4g connection (timed out every time I tried a connection):

I can find loads of outgoing LAN entries on 62465, see first screenshot, nothing at all on TORGUARDICELAND or WAN for 62465.
I can't see any logged entries with a destination port 62465 on any interface, I also can't see anything with a destination 192.168.1.248.  As far as I can tell nothing is triggering the forwarding rule.  See screenshot 2


States:

There are plenty of entries in the states table for port 62465, see screenshot 3.   I can't find my external connection in the table but since it keeps timing out that doesn't surprise me...


Packet capture:

On WAN I get only a tiny handful of packets coming in to 62465 from outside to my WAN IP, i.e. the IP assigned to my modem. I assume this is just random non-requested traffic.  See screenshot 4.  There is plenty of 443 activity between my VPN IP and my WAN IP, I assume this is the vpn tunnel.

I can see plenty of LAN activity on 62465, both inbound and outbound, see screenshot 5.  The incoming packets and the returns have different lengths, incoming are short, are these errors of some kind?

On TORGUARDICELAND I can see some packets coming from 10.8.0.6 (the VPN interface virtual address) to my VPN IP and the other way, this seems hopeful!  See Sh 6.


I went through the common problems on the list, I think I can tick off all of them, the fact that the forwarding works when using my regular connection instead of the vpn connection dealt with most of them.

Phew, never even seen a states table before this, this is a proper learning experience ;)  Hope I've done the correct testing, interpreting these results is killing me though, anything obvious catch your eye?  Thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on June 30, 2015, 06:52:17 pm
If they are supposed to be forwarding a port to you and you have logging on the pass rule for the NAT entry on TORGUARDICELAND and you never see any log entries when you try to connect to it from the outside, their forward isn't working and there is no reason to look at anything else.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Bobbob on July 02, 2015, 03:00:02 pm
Good advice!  After a spanking Torguard fessed up and got things working, the port is open :)  I swear to god I'm happier seeing this port open than I was when I saw my first girlfriend's legs open, it's been one frustrating week...

Mate you've been truly awesome, thanks for the help and patience
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on July 25, 2015, 08:18:02 am
I'm trying to allow both VPN and local Lan users to access a networked printer.  Is there a way to do this?  I've searched the forums and found pieces but no straight tutorial.  Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on July 25, 2015, 02:15:58 pm
I'd start a new thread.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: lweddin1 on August 08, 2015, 03:00:17 am
slow speeds on 2.2.4?

I am not sure if it's me or something to do with the new update.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on August 08, 2015, 11:14:33 am
I'd start a new thread.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: joejoe123 on September 26, 2015, 02:15:50 am
This is probably a dumb question, but how can I make sure connections don't go out via my WAN gateway if the VPN drops? I've tried a few things, but every time I shut down the VPN service and check my connected devices they have reverted back to using my WAN gateway.

---EDIT---

Based on what I read in another thread I created a floating rule blocking WAN access to my VPN connected devices and that seems to be working okay.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on September 26, 2015, 03:05:05 am
Quote
This is probably a dumb question, but how can I make sure connections don't go out via my WAN gateway if the VPN drops? I've tried a few things, but every time I shut down the VPN service and check my connected devices they have reverted back to using my WAN gateway.

---EDIT---

Based on what I read in another thread I created a floating rule blocking WAN access to my VPN connected devices and that seems to be working okay.

This is how I would do it:

https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 19, 2015, 01:17:53 am
pfSense 2.2.4:   

Thanks to Derelict --- if my VPN goes down I do not have VPN traffic getting out through my WAN interface.   yay.

My openvpn config uses us-midwest... and my DNS entries under General Setup are 208.67.222.222 and 208.67.220.220.    This works great, except I get DNS leakage on my VPN client machines.

In General Setup I changed DNS settings from opendns IP addresses to PIA IP addresses and at that point us-midwest... can't be resolved so openvpn fails to start up.

I thought about replacing the us-midwest... with its IP address --- bad idea, so I didn't do that.     Instead, I put my opendns IP addresses back in General Setup.    Then I hardcoded the PIA DNS addresses into my client computers.    The result is that each client that's using the VPN does NOT leak DNS.     While the end result is desirable, the method sucks.

I'd prefer a better solution, but I'm at a loss to figure it out.
   
It would be great if I could use opendns IP's for my traffic going out the WAN interface and PIA IP's for my traffic going out the VPN interface.    And, also that us-midwest... is resolved properly when openvpn starts up.   

-or- Use PIA IP's for all DNS resolution and, of course, have us-midwest... resolved when openvpn starts up.

Anyway, I'm for a 'best of breed' solution here.    I'll take all the help I can get, and a great big thanks ahead of time!

Please realize I'm not far from being a newbie here and gently guide me in the right direction(s).     :)


EDIT:    I decided to play around a little more and set the DNS entries under General Setup to the PIA IP addresses.   I started the reboot of pfSense and got a phone call and went away for 15 minutes.    Upon my return I was delighted to see that my openvpn actually came up!    It -did- have the us-midwest... resolution problem, like before, but apparently after a time resolved itself and came up ---- yay!     So --- it all works exactly as envisioned now.

What remains?    I'd still like to know if I could use PIA IP's for my openvpn vpn clients and opendns IP's for my WAN clients?

EDIT2:   Well, I just did a dnsleak test and it leaks .... shows the wan IP and not the pia IP ---- dang!   

ok --- I yield and wait.    Help?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 19, 2015, 03:42:06 am
The answer is to set DNS servers using a DHCP static mapping to something external on the VPN-only hosts and to not set them to use pfSense itself as the DNS server.  That way, the DNS queries will be just another internet packet, will be marked by the same rule, and will be blocked out WAN by policy automatically.

Trying to get pfSense DNS forwarder or resolver to behave in a specific way according to the specific source host is folly.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 19, 2015, 04:12:49 am
Thanks for the speedy reply.

I went to my DHCP entry for 192.168.1.205 and set its DNS IP's to the PIA addresses.   (My General Setup IP's are opendns)

From the 192.168.1.205 client i flushed the dns cache and released/renewed its DHCP loan.     ipconfig shows 192.168.1.1 as the DNS server.     My hope was that DHCP would loan the actual PIA addresses and not the 192.168.1.1 that it actually loaned.

Well, the DNS leaks.

Did I take the right approach to defining the PIA DNS IP's in DHCP or am I going in the wrong direction?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 19, 2015, 08:51:49 pm
What PIA address?

Do the rules that forward your traffic (and mark it to block it out WAN) match DNS traffic?

If you are querying 192.168.1.1 for your DNS, then you are still querying pfSense and the DNS traffic is sourced from there not the VPN host.

It doesn't matter what the VPN host uses for its DNS servers as long as they are external and the rule that forwards traffic to the VPN and marks it matches the DNS requests.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 20, 2015, 10:49:33 am
Sorry for the late response ... my ISP is having huge issues and I could not access anything for a while.

ok ... I have protocol set to "any" where I'm marking traffic so the rule should catch everything.

I decided to hard code the PIA DNS servers IP's into each client machine.    All non-VPN client machines are using pfSense 192.168.1.1 from DHCP.     This all works perfectly, no DNS leaks, VPN traffic of any kind does not leak to the WAN -- just works.

I only wish it was possible to have my pfSense deliver the desired PIA DNS IP's to the VPN client machines.      oh, well, dang thing marks marvelous, as long as I have the DNS IP's hardcoded so I'll stick with that I think.

But ----- again .... thanks for information about tagging the traffic so VPN traffic doesn't leak into the WAN ------ BIG kudos.      ;D
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 20, 2015, 02:28:45 pm
DHCP static mappings will set the right DHCP servers for those clients.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 20, 2015, 03:58:06 pm
I have static DHCP mappings for all my clients, non-VPN, and VPN alike.      I've tried setting my General Setup DNS to opendns.    Then set the overall DNS in DHCP to opendns.     Then I manually set non-VPN clients to opendns (for testing).     Then I set the VPN clients to use PIA DNS addresses.

Result:    The non-VPN work predictably, just like before and like they should.     The VPN clients simply will not use the PIA DNS addresses, it seems.       

I tried turning off all DNS server functionality of pfSense, along with a setting in DHCP, to force DHCP to deliver the actual DNS addresses to the client machines ...

I released my client DHCP loans and renewed ...

Something in pfSense seems adamant that I have the PIA DNS addresses hard coded in the client machines because they still leaked the ISP address.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 20, 2015, 04:35:35 pm
Quote
Result:    The non-VPN work predictably, just like before and like they should.     The VPN clients simply will not use the PIA DNS addresses, it seems.

No need for nebulous descriptions like "work predictably" and "will not use"

What DNS Server IP addresses are being assigned to the various clients?

When you attempt name lookups from those clients, what are the specific results?

This stuff is not subjective.  It either works or it doesn't and there are ways to debug exactly what is failing.

ping, dig/drill, firewall logs, traceroute, etc.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 20, 2015, 05:31:34 pm
In my pfSense DHCP server:

For non-VPN users DNS addresses are:

208.67.222.222
208.67.220.220

For VPN users DNS addresses tried were:

209.222.18.222
209.222.18.218


and sorry for my nebulous descriptions of things previously ... I'm at work right now and will be available for testing in about 30 minutes ...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 20, 2015, 05:33:14 pm
It doesn't matter what you entered.  It matters what the clients got assigned or are otherwise trying to use.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: ThePOO on October 20, 2015, 06:14:28 pm
General Setup DNS:  208.67.222.222  &  208.67.220.220

DHCP server DNS servers are left blank.

non-vpn client 192.168.1.208 has DHCP DNS set to:  208.67.222.222  &  208.67.220.220

VPN client 192.168.1.213 has DHCP DNS set to:   209.222.18.222  &  209.222.18.218

DNS Resolver is enabled.
DNS Forwarder is disabled.

I released and renewed both machines DHCP loans.

The non-vpn client gets 192.168.1.1  (I'm guessing because the addresses in DHCP are the same as the General Setup addresses)

The VPN client gets loaned 209.222.18.222 & 209.222.18.218. When I do a dnsleak.com test it shows me my ISP address right away ... yet, when I do the test it shows 209.222.18.222 as the resolver.


********  Success!

Finally I made sure everything was set like it should be ... and it was.
All I did was reboot pfSense and then I tested my non-vpn clients and my vpn clients and they ALL work exactly as they should.

208.67.222.222
208.67.220.220 are set in General Setup and all non-vpn clients are getting 192.168.1.1 in the DHCP loans

209.222.18.222
209.222.18.218 are set in the DNS settings for each vpn client in DHCP .. all vpn clients are getting actual addresses as to the left.

EVERYTHING WORKS!!!     No vpn traffic leaking to the wan ...    no dns leakage from vpn clients ......

Simply perfect.    And Derelict --- thanks a ton, you've been great and patient.    I realize that I needed to do much more homework and report results way better.    Like I said in the beginning of my trek -- I'm a newbie, but again, a whole heap of thanks.

Now, where do I send a contribution?   <smile>



Someone should rebuild this entire thread as a concise tutorial ... the setup at the first of the thread is great ... and follow that with pictures and how-to that Derelict provided to stop leaking vpn traffic to the wan ... and using DHCP DNS entries to keep the vpn clients from dns leakage ... that would be great.



STILL BROKEN:

I have tested with a Windows 10 client and it IS getting the 209 addresses from DHCP -- and rebooted and continues to work fine.
I have tested several Windows 7 SP1 clients and they are NOT getting the 209 addresses from DHCP -- and rebooted and tested --- they get 192.168.1.1 and not the 209 addresses.

So, there seems to be something happening when the Win 7 DHCP getting loan versus Win 10 getting a loan.

I worked all day, played with this for an hour and quadruple checked all my settings in pfSense ... as far as I can tell they're fine.
I checked with multiple client machines, checked their settings, rebooted, tested them .... Win 7 DHCP is somehow different than Win 10 DHCP and what they get from pfSense loans.

I'm really tired and going to bed.     Anyone care to test this -- I'll check in about 10 hours.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 20, 2015, 07:38:57 pm
Hi Guys,

I am running 2.2.4. In the OpenVPN client tab there are user authentication settings and I have entered my PIA username and password there. Do I still need to create that text file that contains my username and password?

I am able to get connection established with PIA and can see outgoing traffic but no incoming traffic is seen and I have no internet once openvpn is running. I followed tutorial exactly except for the text file.

Thanks for the help
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 20, 2015, 10:03:06 pm
I got it working  :) :) :)

Super excited...thanks for the tutorial on the first page of this thread.

Only question I have is how do I create the following rule:

I want everything to go thru regular internet (non-VPN) except the following: port 65389

I am running BitTorrent on my unRAID server (as well as several VMs) so I cannot create a firewall rule based on that IP or my Plex will have issues. I can force the BitTorrent thru that one port. So if the rule can say anything from that port goes thru VPN and everything else can just be routed as normal.

Seems like it should be simple but any rule I make forces all traffic thru vpn.

Thanks again for all the help

 
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 20, 2015, 10:31:16 pm
I don't think you can force outbound bittorrent connections to one specific port because what you connect to depends on what port the receiving system is listening on and that could be just about anything.

If your client lets you specify an unchanging source port you could policy route on that.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 21, 2015, 06:40:10 am
Hi Derelict,

My client does let me choose what port or port range I can use. I have tested it using only one specific port and it works. I just need to come up with the firewall rule that forces that one port thru vpn no matter where the port is coming from. Only that one machine will use that one specific port so If I can do this then it should :) work fine.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 21, 2015, 10:01:13 am
Destination port or source port?  Outbound connections or inbound?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 21, 2015, 05:51:53 pm
Don't really have those answers for you. Here is what I can tell you and perhaps you can decipher it :)

on machine ip 192.168.0.151 I want inbound port 62958 and outbound port 62959 to go thru the PIAVPN gateway.
Everything else from this machine or anything else in my network can go thru the regular internet.

Just not sure where or how to create this rule

I hope this gives you enough info to help. Sorry firewalling is not my expertise...still a noobie

thanks again
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 21, 2015, 06:19:13 pm
This really should be another thread.  Start one and post a screenshot of the torrent software config page where you're setting these ports.

Again, you really can't set an outbound destination port for torrents because you have to connect to whatever port the peer is listening on.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 21, 2015, 07:08:21 pm
Thanks... I'll start a new thread... sorry to have hijacked this one ;D
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: drpete12 on October 23, 2015, 07:38:54 am
When I start OpenVPN then my Unbound DNS Resolver service gets stopped every time. Why? When I restart it then the NTP time service gets stopped. I then no longer have internet access even thru the default gateway or VPN. Have I done something wrong?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 23, 2015, 10:58:08 am
Start another thread.  Nobody is going to see it here.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: lt1360hp on November 29, 2015, 10:38:59 pm
My PIA VPN died for unknown reasons and during the setup process thought I would for shits go to the PIA support site and see if there was anything new.  I was really looking to see if they were finally supporting better encryption.  I ran across this: https://www.youtube.com/watch?v=IymMdq5Ovls (https://www.youtube.com/watch?v=IymMdq5Ovls) which simplifies the auth process using the username and password in the OpenVPN - Client section rather than creating the openvpn-password text file.

 PIA seems to still not support better encryption.  >:(
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on November 29, 2015, 10:52:38 pm
Yeah that was added in 2.2
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: lt1360hp on November 29, 2015, 11:26:37 pm
Just saw that further up the thread chain.  Should have figured I wasn't the first one.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: rmpfyf on January 01, 2016, 04:04:32 am
An awesome tutorial, we have the house under PIA. I added some WAN rules to allow DNS servers, pfsense upgrade and time servers through, a second-last rule to allow traffic through the VPN server, and to block all else (I want strict control of what goes through the VPN).

Thanks to this thread I was also able to exclude our lounge room smart TV from the VPN.

I'm running into issues getting port forwarding running over the lounge room TV - or even getting basic ports to show that probably don't need to be forwarded at all. The TV needs 80, 443 and 48705 open. I can't get even 80 or 443 to show as open on the IP address reserved for the TV. It is routing outside the VPN, which is a start. This happens whether I have port forwarding enabled or not.

If I suspend the LAN rule allowing an IP address to run outside the VPN, 80 and 443 are open (seen externally and internally with reflection on).

Any help appreciated. I feel I've missed something obvious throughout this thread.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 01, 2016, 12:59:22 pm
You should probably start your own thread and post more details about what you have done. Nobody can really offer any help with what has been provided.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: rmpfyf on January 02, 2016, 03:13:46 pm
Thanks for responding.

Can do, along with configuration screenshots... should it go in the OpenVPN or Firewalling sub-boards?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 02, 2016, 03:15:57 pm
Probably NAT if it's a port forwarding issue.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: floyd2 on January 27, 2016, 04:59:35 pm
New here and to pfsense and having some problems getting it setup. Keep on getting error An IPv4 protocol was selected, but the selected interface has no IPv4 address.



Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 27, 2016, 05:41:51 pm
Does WAN have an IPv4 Address?

(And you can use the User Authentication Settings instead of that username/password file in advanced options.)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: floyd2 on January 30, 2016, 10:28:03 am
Thanks for the guide, finally got it set up. I have a 4 port lan card and only set up 1 lan port during setup. Is it possible to configure the other 3 to work with PIA? I've tried configuring but end up losing internet connection on the original lan port.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 30, 2016, 11:17:44 am
What are you doing with the four LAN ports? Are you creating four different networks?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: floyd2 on January 30, 2016, 11:21:49 am
What are you doing with the four LAN ports? Are you creating four different networks?

Port for Roku, TV and computer. Thinking it may be easier to install an access point off the one LAN port, but if the other ports can be used I would prefer that.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 30, 2016, 11:25:10 am
No. pfSense is not a switch. Get a switch. The switch on the LAN side of a router used as an AP would be fine just disable its DHCP server first.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: floyd2 on January 30, 2016, 11:26:14 am
Ok thanks
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: jameshouston135 on February 17, 2016, 03:08:46 am
Although all the information here is good enough, if you are willing to create an OpenVPN interface then you need to go with this.

    - Click "Interfaces"
    - Click "(assign)"
    - "Available network ports:" select "ovpnc1(PIA OpenVPN)"
    - Click "add selected interface" (icon is a "+" symbol on a small lined sheet of paper)
However, for more VPN configuring you may also explore vpnrnaks.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Rango on February 17, 2016, 08:43:43 pm
So PIA VPN was working on pfSense, then I started getting messages that the VPN host, which is PIA midwest, is not a recognized host. So I rebooted and same.
I set up everything from scratch again and now I cannot get onto PIA VPN. I've been trying all day today. I need some help.
I think the issue may be with NAT rules. My NAT rules do not generate in the 2.2.6 client as they did in this tutorial in an earlier version.
But I recreated it the same way and still no luck. I cannot start the VPN service. Any help is very much appreciated. I'm exhausted. lol

I had to clone the MAC of my physical NIC (WAN) in order to get the ISP WAN address. Is that the reason why the host name is not recognized?

Here is the log

Feb 17 14:35:31 openvpn[33355]: client_connect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: learn_address_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_disconnect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_config_dir = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: ccd_exclusive = DISABLED
Feb 17 14:35:31 openvpn[33355]: tmp_dir = '/tmp'
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_local = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_remote_netmask = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_local = ::/0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_remote = ::
Feb 17 14:35:31 openvpn[33355]: enable_c2c = DISABLED
Feb 17 14:35:31 openvpn[33355]: duplicate_cn = DISABLED
Feb 17 14:35:31 openvpn[33355]: cf_max = 0
Feb 17 14:35:31 openvpn[33355]: cf_per = 0
Feb 17 14:35:31 openvpn[33355]: max_clients = 1024
Feb 17 14:35:31 openvpn[33355]: max_routes_per_client = 256
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script_via_file = DISABLED
Feb 17 14:35:31 openvpn[33355]: port_share_host = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: port_share_port = 0
Feb 17 14:35:31 openvpn[33355]: client = ENABLED
Feb 17 14:35:31 openvpn[33355]: pull = ENABLED
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_file = '/etc/openvpn-password.txt'
Feb 17 14:35:31 openvpn[33355]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Feb 17 14:35:31 openvpn[33355]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Feb 17 14:35:31 openvpn[33355]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Feb 17 14:35:31 openvpn[33627]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 17 14:35:31 openvpn[33627]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 17 14:35:31 openvpn[33627]: LZO compression initialized
Feb 17 14:35:31 openvpn[33627]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:3 ]
Feb 17 14:35:31 openvpn[33627]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 17 14:35:47 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:35:47 openvpn[33627]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Feb 17 14:35:47 openvpn[33627]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 17 14:35:47 openvpn[33627]: Local Options hash (VER=V4): '66096c33'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options hash (VER=V4): '691e95c7'
Feb 17 14:36:14 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:36 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:57 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:19 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:56 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:38:48 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:39:40 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:40:31 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:41:22 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:42:13 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:43:05 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
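As an added example (not code from the thread or from pfSense), here is a small triage script for an OpenVPN client log like the one posted above. It counts repeated RESOLVE failures per remote hostname, flags the warning that the credential file is readable by other users, and pulls the negotiated options (cipher, auth, proto) out of the Local Options String. The sample log is constructed from a handful of lines in the shape of the posted log, not the poster's full output; the function names and the hints in report() are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the OpenVPN client log posted above
# (a few representative lines, not the poster's full log).
SAMPLE_LOG = """\
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_file = '/etc/openvpn-password.txt'
Feb 17 14:35:31 openvpn[33355]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Feb 17 14:35:31 openvpn[33627]: LZO compression initialized
Feb 17 14:35:47 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:35:47 openvpn[33627]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 17 14:36:14 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
"""

# syslog-style prefix: "Feb 17 14:35:31 openvpn[33627]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: (?P<host>[^:\s]+)")
PERM_RE = re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")
OPTS_RE = re.compile(r"Local Options String: '(?P<opts>[^']*)'")


def parse_options(opts):
    """Turn 'cipher AES-128-CBC,auth SHA1,...' into {'cipher': 'AES-128-CBC', ...}.
    Bare flags such as 'V4' or 'comp-lzo' carry no value and are skipped."""
    result = {}
    for item in opts.split(","):
        parts = item.split(" ", 1)
        if len(parts) == 2:
            result[parts[0]] = parts[1]
    return result


def triage(log_text):
    """Scan OpenVPN client log text and collect the findings this thread cares about."""
    findings = {
        "unresolved": Counter(),   # remote hostname -> number of RESOLVE failures
        "world_readable": [],      # credential files OpenVPN warned about
        "options": {},             # local options (cipher, auth, proto, ...)
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (r := RESOLVE_RE.search(msg)):
            findings["unresolved"][r.group("host")] += 1
        elif (p := PERM_RE.search(msg)):
            findings["world_readable"].append(p.group("path"))
        elif (o := OPTS_RE.search(msg)):
            findings["options"] = parse_options(o.group("opts"))
    return findings


def report(findings):
    """Render findings as actionable one-liners; returns a list of strings."""
    lines = []
    for host, n in findings["unresolved"].most_common():
        lines.append(f"remote '{host}' never resolved ({n} attempts): the firewall itself "
                     f"cannot resolve the name, so check the DNS servers in System > General Setup "
                     f"and that WAN is up before looking at the tunnel")
    for path in findings["world_readable"]:
        lines.append(f"credential file {path} is readable by group/others: chmod 600 it, or "
                     f"use the OpenVPN client's User Authentication Settings instead of a file")
    opts = findings["options"]
    if opts:
        lines.append(f"data channel: cipher={opts.get('cipher')} auth={opts.get('auth')} "
                     f"proto={opts.get('proto')}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Paste the full log from Status > System Logs > OpenVPN into a file and feed it to triage(); the point is that the repeated RESOLVE line is a DNS problem on the firewall itself (the same thing ThePOO hit when the General Setup DNS servers were changed), and the permission warning is a reason to prefer the User Authentication Settings that Derelict mentions over a password file on disk.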
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Rango on February 18, 2016, 11:40:39 am
Hello guys. So i spend entire day yesterday trying to get this working and PIA must have changed some settings as this is no longer working on 128 AES.
I'm back on router and couldn't get on until i enabled TLS authentication which is disabled in this tutorial. Also obviously username and password and cert needs to be configured.
So just wanted to let everyone know. I'll try this over the weekend again but i spent too much time on getting this up.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: johnodon on February 19, 2016, 08:23:36 am
Quote
The answer is to set DNS servers using a DHCP static mapping to something external on the VPN-only hosts and to not set them to use pfSense itself as the DNS server.  That way, the DNS queries will be just another internet packet, will be marked by the same rule, and will be blocked out WAN by policy automatically.

Trying to get pfSense DNS forwarder or resolver to behave in a specific way according to the specific source host is folly.

Is there a way to accomplish this using an alias and firewall rule?  I am using an alias that I drop IPs in to direct them to the VPN GW (everything else goes through the WAN GW).  Is it possible to do the same to assign DNS servers?

I basically want to assign the PIA DNS servers to the clients that I have added to the PIA alias.  All others would get the google/opendns entries I have in the General Setup.  I know I can assign these via static mappings in the DHCP server...just looking for a more efficient way.

John
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 19, 2016, 09:39:10 am
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule).

But DHCP static mappings is probably the proper way to get this done.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sudomrrogers on February 20, 2016, 09:35:21 am
Derelict,

Quote
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule).

But DHCP static mappings is probably the proper way to get this done.

Could you please explain the NAT process. I understand DHCP would be better but my goal is to have the VPN IP range usable by anyone just by changing their IP client side. It would be nice if I did not have to provide a verbal IP and DNS address for the client to enter.

Thanks for all of your help!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 20, 2016, 10:41:56 am
Something like this would force all DNS queries from VPN_HOST to PIA_DNS_SERVER instead of whatever is configured as a DNS server.

Note that VPN_HOST and PIA_DNS_SERVER are just placeholders for IP addresses since you can't use aliases in NAT definitions.

You'd have to get creative to use two DNS Servers. Perhaps with both in a pool in the NAT IP or two different definitions.

Firewall > NAT, Port Forward tab

Interface: LAN
Protocol: TCP/UDP
Source Address: VPN_HOST
Source Ports: *
Dest Address: *
Dest Ports: 53
NAT IP: PIA_DNS_SERVER
NAT Ports: 53
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: sudomrrogers on February 21, 2016, 03:34:54 pm
Derelict,

Thanks! I think this/that is a much better solution than setting it in DHCP Static Mappings. I was able to use the same alias that I use to push the traffic through the VPN in the first place. The only negative is this does limit the VPN to using 1 DNS server whereas using DHCP Static Mappings would allow the use of up to 4.

Just for conversations sake, because I am very happy with the current solution, is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?

My pfSense setup is almost perfect!
Thanks again.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 21, 2016, 03:42:19 pm
If you know the two DNS servers you can make two port forward rules matching on Destination address.  You could even set the clients to use something arbitrary like 10.11.12.1 and 10.11.12.2 and forward them each to different PIA DNS servers. You could keep the catch-all dest any rule below those to catch any other configured DNS servers and send those requests to one of the PIA DNS Servers.

Quote
is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?
Sorry, I don't understand what you're asking.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: xRascal on February 21, 2016, 05:39:15 pm
I wonder if someone could help me. I got an error:
failed to write

https://gyazo.com/ea1c1fa74b1b47e65e3a29afb9f27ada

I know it's just the user and password; I put that there to stop people getting my info. Thanks! If someone could help me, or add me on Skype (joshhopey) to show me and help me!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: johnodon on February 22, 2016, 11:31:02 am
Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won't match if the port is outside the set so the firewall will move on to the next rule.

I want to do the exact opposite and having trouble figuring it out...

I want all traffic from one IP to go thru the VPN except port 32400 (Plex).  How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?

John
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 22, 2016, 11:40:33 am
Make the rule match the characteristics.  But Plex is weird and requires inbound connections.


Just read this again.

Put a rule above the one that sends traffic to the VPN that matches the Plex traffic and has the default gateway set. Or, if you are pulling a default gateway from the VPN provider, the rule should policy route to WAN_GW.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on February 25, 2016, 11:41:30 am
OpenVPN/PIA link goes down; clients have no internet access.  How do I fail over to the WAN if this happens?  Configuration is DSL router -> pfSense giving DHCP (OpenVPN w/PIA) -> clients.    Sometimes, believe it or not, PIA drops.  What do I do to have pfSense or OpenVPN fail to the general WAN connection if this happens?  Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on February 25, 2016, 12:33:43 pm
That is the default behavior.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 11:38:11 am
I set this all up today and had it working fine.

I'm using route-nopull because I actually only need 1 server to use the VPN.

I then got a message from pfSense to say that dyndns had updated, so must have had a dynamic IP change.

Then I realised that my true public IP was visible.

Restarted the VPN and still the same - although it appeared to be intermittent with some sites reporting my true IP and some reporting the VPN IP address.

I'm not sure what has happened so I've currently removed the route-nopull option and disabled the firewall rule which forces the server to use the PIA interface.

Any ideas?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 11:46:06 am
Yeah your rules must be wrong. How about letting us see them?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:03:36 pm
It's disabled at the moment, but these are my firewall rules.

I would have preferred to keep it on everything but BBC iPlayer stopped working due to I presume the VPN address being blocked by them, and I couldn't figure a way to allow BBC iPlayer to bypass the VPN, since it seems to use multiple IP addresses I suspect.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:05:42 pm
Rule details :-

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 01:13:33 pm
Doesn't show what we need to see. Just post your LAN rules list.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:14:04 pm
I did above it...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 01:14:55 pm
With the rule disabled it's not going to work.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:16:01 pm
Yes, I know. I disabled it because I removed the route-nopull since I needed the VPN to be working.

I'll try again with route-nopull and enable the rule again.


Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:20:23 pm
Ok, so I have the rule enabled. I have the route-nopull option.

privateinternetaccess shows my VPN address and says I am protected.

However, 2 other sites for showing IP addresses are showing my ISP public address, not the VPN one :-(
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 01:33:31 pm
You sure your tunnel is staying up?

There's really nothing that can cause what you think you're seeing.

Unless there's something severely wrong with that beta version you're using.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 01:34:43 pm
I'm not sure. It seems to be staying up.

I realised that I also have a free ipVanish account, so I'll give things a whirl with that and see how I get on :-)
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 02:51:37 pm
Which IP test sites are showing the VPN address and which are showing WAN address?

Is it consistent?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 02:58:20 pm
The ipvanish site shows that I am protected, and it is the correct VPN ip address.

The BBC iPlayer site refuses to work because it knows I am behind a VPN - which is expected behaviour.

However, www.whatsmyip.org shows my proper public IP address, and my ISP details.

Also, http://mxtoolbox.com/WhatIsMyIP/ shows my proper details, and not the VPN ip address.

Very odd.

I also deleted the config and reconfigured from scratch - same result.

If I remove the firewall rule and the route-nopull from the config, then I get consistent results that I behind the VPN.

Strange!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 03:23:49 pm
Don't know what to tell you.

I just ran updates to my betas and tried it and it works just fine.

You'll have to look at states or something to see what's going on.  SOMETHING you have is routing traffic out the default gateway. Have you created any floating rules?

Are you positive about the source IP address?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 03:27:10 pm
Unless of course it is going out using IPV6, but it shouldn't be - I have IPV4 as preferred.

I don't know if it makes any difference that the 192.168.1.15 server that I want protected with the VPN a) it's a VM and b) it has teamed NICs
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 03:33:20 pm
If it was going out IPv6 I think both of those sites would be showing you an IPv6 address.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 03:42:21 pm
I've never messed around with windows NIC teaming. If it utilizes multiple IP addresses there's your problem. Put them all in an alias and use that as your source address list. A packet capture on LAN will show you what's happening.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 03:55:27 pm
They are just teamed into one IP address.

It's very odd..

I've just gone back to having everything protected as that works fine.

Any idea how I can add a rule to get BBC iPlayer to bypass the VPN?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 03:59:48 pm
It does also make me wonder if I have missed something, although I have redone the tutorial from scratch 3 times now.

Just to test, I created a rule for my client PC which is just normal PC single NIC and I get exactly the same results.

PIA website says I am protected and shows the VPN IP address. The others still display my ISP and unprotected public IP :-(

I am just baffled...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 04:18:58 pm
I just had a thought.. wouldn't be anything to do with Squid or Squidguard would it?

Aha..

Disabled Squid and it now all works as expected..

So do I have to change Squid to work on the VPN interface instead of LAN maybe?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 04, 2016, 04:54:46 pm
Of course it's ^$%&  squid.
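As an added example (not from any post in this thread), a small shell audit that follows Derelict's advice above to look at the state table: it reads `pfctl -ss` output and flags, for one policy-routed host, DNS queries that were not redirected to a PIA resolver by the port forward Derelict described earlier, port-80 connections that a transparent Squid grabbed on the LAN side before the policy route could apply (the cause psykix found), and states that left via an interface other than the OpenVPN client interface. The host address, interface names, resolver addresses, Squid port and the sample state lines are all assumptions constructed for the example; on the firewall, feed it real data with `pfctl -ss | audit_states`.

```shell
#!/bin/sh
# Leak audit over `pfctl -ss` output (added example, not from the thread).
# Assumptions (hypothetical values, adjust to your box):
VPN_HOST="192.168.1.50"                   # LAN host whose traffic must use PIA
VPN_IF="ovpnc1"                           # the PIA OpenVPN client interface
PIA_DNS="209.222.18.222 209.222.18.218"   # resolvers the port forward should send DNS to
PROXY_PORT="3128"                         # Squid's transparent-proxy port

# Constructed sample of pfSense 2.x `pfctl -ss` lines (not captured from a real firewall).
# Format: IFACE PROTO DST[ (ORIG_DST)] <- SRC  for states created on the inbound (LAN) side,
#         IFACE PROTO SRC[ (ORIG_SRC)] -> DST  for states created on the outbound side.
# IPv4 only; the parser targets this classic layout.
SAMPLE_STATES='em1 udp 209.222.18.222:53 (8.8.8.8:53) <- 192.168.1.50:53406       MULTIPLE:SINGLE
ovpnc1 udp 10.24.5.6:53406 (192.168.1.50:53406) -> 209.222.18.222:53       MULTIPLE:SINGLE
em1 udp 8.8.8.8:53 <- 192.168.1.50:53407       MULTIPLE:SINGLE
em1 tcp 127.0.0.1:3128 (93.184.216.34:80) <- 192.168.1.50:49152       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.10:49153 (192.168.1.50:49153) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
em1 udp 8.8.8.8:53 <- 192.168.1.20:40000       MULTIPLE:SINGLE'

in_list() {  # in_list NEEDLE "a b c" -> 0 if NEEDLE is one of the words
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

audit_states() {  # reads pfctl -ss lines on stdin, prints one finding per line
    while read -r iface proto ep1 rest; do
        [ -n "$iface" ] || continue
        orig=""
        # pf prints the pre-translation endpoint in parentheses for NAT/rdr states
        case "$rest" in
            \(*) orig="${rest%%)*}"; orig="${orig#(}"; rest="${rest#*) }" ;;
        esac
        set -- $rest            # $1 = arrow, $2 = other endpoint, remainder = state flags
        arrow="$1"; ep2="$2"
        case "$arrow" in
        '<-')   # inbound on LAN: ep1 is where the packet is really going, ep2 is the client
            client="${ep2%:*}"
            [ "$client" = "$VPN_HOST" ] || continue
            dst_ip="${ep1%:*}"; dst_port="${ep1##*:}"
            odst="${orig:-$ep1}"; odst_port="${odst##*:}"
            # DNS that was not rewritten to a PIA resolver bypasses the port forward
            if [ "$odst_port" = 53 ] && ! in_list "$dst_ip" "$PIA_DNS"; then
                echo "DNS-LEAK        $client -> $ep1 (not redirected to a PIA resolver)"
            fi
            # rdr to the local proxy port: Squid, not the policy route, decides the egress
            if [ "$dst_port" = "$PROXY_PORT" ] && [ -n "$orig" ]; then
                echo "PROXY-INTERCEPT $client -> $orig grabbed by local proxy on $ep1; policy route bypassed"
            fi
            ;;
        '->')   # outbound: the original source tells us which LAN host this belongs to
            osrc="${orig:-$ep1}"; osrc_ip="${osrc%:*}"
            if [ "$osrc_ip" = "$VPN_HOST" ] && [ "$iface" != "$VPN_IF" ]; then
                echo "WAN-EGRESS      $osrc -> $ep2 left via $iface instead of $VPN_IF"
            fi
            ;;
        esac
    done
    return 0
}

count_findings() { printf '%s\n' "$SAMPLE_STATES" | audit_states | wc -l | tr -d ' '; }

# On the firewall: pfctl -ss | audit_states
printf '%s\n' "$SAMPLE_STATES" | audit_states
```

Against the constructed sample this reports three findings: the unredirected query to 8.8.8.8, the port-80 connection pulled into 127.0.0.1:3128, and the HTTPS state that left via em0. A clean run prints nothing, which is what psykix's setup should have shown once Squid was disabled.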
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 04, 2016, 07:05:21 pm
Since enabling the VPN on my server which runs Plex, I cannot access the Plex server from my LAN via the Plex website.

To get it working previously I had to enable Pure NAT but I don't really understand the reasoning behind this.

Not sure what I need to change to be able to access the server again (I'm basically going out of the firewall, and then back in via my port forward rule to get to it)

Access from the internet to my Plex server is working fine.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 05, 2016, 04:30:53 am
Seems Plex suddenly started to work again today. Think may be issues with Plex, so ignore.

Thanks for all the help!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 05, 2016, 07:29:30 am
Yes.  Just add the ports to the rule sending traffic to the VPN gateway.  The rule won't match if the port is outside the set so the firewall will move on to the next rule.

I want to do the exact opposite and having trouble figuring it out...

I want all traffic from one IP to go thru the VPN except port 32400 (Plex).  How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?

John

Did you figure this out? My Plex server stopped working and when I check it has my VPN address as the public IP.

I've tried creating a LAN FW rule above the VPN one to tell it that all TCP 32400 traffic should go via WAN_PPOE and not PIAVPN but it doesn't make any difference.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: psykix on March 05, 2016, 08:20:26 am
Never mind - it started working again. I'm wondering if because the VPN changes IP address so often, maybe Plex is taking too long to update it?

Oh I dunno.. clutching at straws - it all works great for a while and then will stop working, and then will work again. Hate those types of issues!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 05, 2016, 12:13:00 pm
I think the TCP 32400 traffic is INBOUND from Plex. I refuse to use it since they don't post any source addresses so you have to allow the world in.

I believe Plex requires a port forward in on the IP address it is logging in from. So if you are trying to go OUT PIA, I think they need to forward a port to you.

I don't know. Go to a Plex forum and ask exactly what you need in a FIREWALL INDEPENDENT way (just IP/TCP/UDP/NAT/etc) and bring that info back here and it will be easier to help you with that. And you should start another thread for it.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Scorch95 on March 26, 2016, 05:41:00 pm
I attempted to set openvpn up with PIA however I am unsuccessful at getting it to connect. Under status it says reconnecting; tls-error. When I check system logs it has this:

Mar 26 17:37:48   openvpn[8951]: Re-using SSL/TLS context
Mar 26 17:37:48   openvpn[8951]: LZO compression initialized
Mar 26 17:37:48   openvpn[8951]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Mar 26 17:37:48   openvpn[8951]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Mar 26 17:37:48   openvpn[8951]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Mar 26 17:37:48   openvpn[8951]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mar 26 17:37:48   openvpn[8951]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mar 26 17:37:48   openvpn[8951]: Local Options hash (VER=V4): '41690919'
Mar 26 17:37:48   openvpn[8951]: Expected Remote Options hash (VER=V4): '530fdded'
Mar 26 17:37:48   openvpn[8951]: UDPv4 link local (bound): [AF_INET]192.168.2.122
Mar 26 17:37:48   openvpn[8951]: UDPv4 link remote: [AF_INET]198.8.80.221:1194
Mar 26 17:37:48   openvpn[8951]: TLS: Initial packet from [AF_INET]198.8.80.221:1194, sid=246e6338 47b9e842
Mar 26 17:37:48   openvpn[8951]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mar 26 17:37:48   openvpn[8951]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 26 17:37:48   openvpn[8951]: TLS Error: TLS object -> incoming plaintext read error
Mar 26 17:37:48   openvpn[8951]: TLS Error: TLS handshake failed
Mar 26 17:37:48   openvpn[8951]: TCP/UDP: Closing socket
Mar 26 17:37:48   openvpn[8951]: SIGUSR1[soft,tls-error] received, process restarting
Mar 26 17:37:48   openvpn[8951]: Restart pause, 2 second(s)


Edit: well I realized the directions here are different than what is offered on PIAs website. I tried these and it seems to be working. Not sure why this does and theirs don't. Any ideas?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on March 27, 2016, 03:56:03 am
It looks like whatever you did there didn't get the correct certificate imported and trusted for that OpenVPN client connection.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: robertfranz on April 25, 2016, 06:33:49 am
As much as I appreciate the effort and thoroughness, the advice to simply duplicate all existing outbound nat rules is both overkill, and potentially will degrade a network.

There are often autogenerated rules that are not required.

The isakmp rule specifically cited, for example, is entirely useless on a non ipsec connection.

Nor does the loopback need to be natted in most cases.

And if one blindly duplicates existing nat rules for other vpn connections, you end up double natting those - repeating on the other end gives you quad natting....and things start to not work so much.

I went on a pruning spree the other day and eliminated most of the nat rules.

All you need is one nat rule per subnet/address you are going to route through the vpn.

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: q54e3w on April 26, 2016, 07:40:17 am
Nor does the loopback need to be natted in most cases.

Could you share some thoughts or examples of when the loopback interface would need natting please?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: techy82 on June 28, 2016, 03:08:58 pm
I have an i5 6400 CPU. Should I leave encryption at BF-CBC (128-bit), or could it be increased? I have tried aes-256-cbc but I get a lot of dropouts.

Also, would I set cryptographic hardware? Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: reubenb87 on July 05, 2016, 05:25:49 am
Thanks for the awesome guide. I'm having some trouble getting a static IP to get routed through the VPN (all the rest I want to get through the normal WAN). I've made an alias "PIA_VPN_IPs" (IP 192.168.1.230) and made a new LAN firewall rule at the top of the list passing source "PIA_VPN_IPs" to gateway PIAVPN_GW. I can see the traffic getting passed in the log below (I was pinging www.google.com) but I don't get any replies. If I ping 8.8.8.8 it works so I must be getting to the outside world? Could there be some inbound rule that's blocking the pings coming back?

Is there any other way to see what the issue might be? I can ping from within pfsense selecting "PIAVPN" as source address and www.google.com works fine so I'm guessing my VPN connection is ok.

Here are some passed firewall entries:
Jul 5 19:33:56   LAN     192.168.1.230:49388     208.115.201.203:25915   TCP:S
Jul 5 19:33:54   LAN     192.168.1.230     8.8.8.8   ICMP
Jul 5 19:33:54   LAN     192.168.1.230:49387     208.115.201.203:25915   TCP:S
Jul 5 19:33:52   LAN     192.168.1.230:49386     150.101.60.234:443   TCP:S
Jul 5 19:33:48   LAN     192.168.1.230:49385     150.101.60.208:443   TCP:S
Jul 5 19:33:48   LAN     192.168.1.230:49384     150.101.60.208:443   TCP:S
Jul 5 19:33:44   LAN     192.168.1.230:49383     128.121.22.145:443   TCP:S
Jul 5 19:33:44   LAN     192.168.1.230     150.101.60.230   ICMP
Jul 5 19:33:44   LAN     192.168.1.230:53406     8.8.8.8:53   UDP
Jul 5 19:33:41   LAN     192.168.1.230:49382     208.115.201.203:25915   TCP:S
Jul 5 19:33:35   LAN     192.168.1.230:49381     208.115.201.203:25915   TCP:S
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: dambulti on July 12, 2016, 03:28:51 am
Although all the data here is adequate, if you will create the OpenVPN interface then you have to go with this.

- Click "Interfaces"

- Click "(allocate)"

- "Accessible system ports:" select "ovpnc1(PIA OpenVPN)"

- Click "include chosen interface" (symbol is a "+" image on a little lined sheet of paper)

However for more vpn Configuring you may likewise investigate toptenvpnreviews

www.toptenvpnreviews.com
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: humungus on July 12, 2016, 09:11:27 pm
Today an announcement was sent and the openvpn.zip was updated. I believe I have all of the necessary steps/changes at the bottom to come up on the new cert. Please let me know if this works for you... (Relevant bit highlighted below)


To Our Beloved Users,
 
The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider.

Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.

Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.

To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.

All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.

We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies.

In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure.
 
If you have any questions, please contact us at helpdesk@privateinternetaccess.com.

Thank you for your continued support and helping us fight the good fight.
 
 
 
Sincerely,
Private Internet Access Team


*******************************************************************************************************



Steps you will need to take to continue to use this guide in the future with the new certificate or for anyone using it now who wants to use the new cert ("before/if" they revoke it.) 

1. grab the new openvpn.zip (same location as before)

2. repaste new cert (ca.rsa.2048.crt) into field where ca.crt is/would go

3. on the openvpn client tab change to "aes-128-cbc" from the pull down options for Encryption Algorithm .

4. change server port from 1194 to 1198

5. you could restart openvpn, but I prefer a reboot. :)

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: AndrewZ on July 13, 2016, 03:58:48 am
We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754

These strong settings are available on UDP port 1197 and on TCP port 501 (at least).

Very useful article on PIA site: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: humungus on July 13, 2016, 06:24:59 am
We're not limited to AES-128 and 2048 bit cert, higher values - 256 and 4096 - are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754

These strong settings are available on UDP port 1197 and on TCP port 501 (at least).

Cool, I'm using it now with aes-256 and port 1197, as stated as the default in the openvpn file. This appears to be a new CA as well, although made quite a while ago. Can you verify, as I wasn't using it before? Valid From: Thu, 17 Apr 2014 10:40:33 -0700 Valid Until: Wed, 12 Apr 2034 10:40:33 -0700

https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mhertzfeld on July 14, 2016, 05:31:35 pm
The cert contained within the compressed file you linked to has been out for a while.  I've been using it for 4 months or more.
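The `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain` line in Scorch95's log and humungus's question about which CA he is actually using come down to the same check: does the CA pasted into pfSense match the CA the gateway chains to? As an added example (not PIA's files and not from any post here), the script below builds two throwaway CAs with openssl, shows that verifying the server certificate against the wrong one reproduces that exact error at depth 1, and prints the subject, validity dates and SHA-256 fingerprint of a CA file, which is what to compare between `ca.crt`/`ca.rsa.2048.crt` from openvpn.zip and the CA shown in System > Cert Manager. All names and paths are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the OpenVPN "VERIFY ERROR: depth=1 ... self signed certificate in
# certificate chain" failure with openssl, and print the identity of a CA file so it can be
# compared with the one pasted into pfSense.  Uses throwaway test CAs generated here, not
# PIA's real CA or keys; all names and paths are assumptions.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

gen_ca() {   # gen_ca NAME CN -> $WORK/NAME.crt + $WORK/NAME.key (self-signed, 30 days)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

gen_server_cert() {   # gen_server_cert CA_NAME CN -> $WORK/srv.crt signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/srv.crt" 2>/dev/null
}

# verify_chain TRUSTED_CA PRESENTED_CA SERVER_CERT
# Mimics the OpenVPN client: the gateway presents SERVER_CERT plus its issuing CA (the
# "chain", passed as -untrusted), and the client trusts only what is in its CA field.
# Returns 0 when openssl reports OK, 1 otherwise; prints openssl's verdict either way.
verify_chain() {
    out="$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1)" || true
    printf '%s\n' "$out"
    case "$out" in *": OK"*) return 0 ;; esac
    return 1
}

# ca_identity CERT -> subject, validity window and SHA-256 fingerprint.
# Run it on the CA file from openvpn.zip and on the CA exported from System > Cert Manager;
# a fingerprint mismatch means the pasted CA is not the one the gateway chains to.
ca_identity() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

gen_ca pia_test "Test VPN CA"       # stands in for the CA shipped in openvpn.zip
gen_ca stale    "Stale VPN CA"      # stands in for an old/wrong CA left in pfSense
gen_server_cert pia_test "test-gateway"

echo "--- correct CA trusted:"
verify_chain "$WORK/pia_test.crt" "$WORK/pia_test.crt" "$WORK/srv.crt" || true
echo "--- wrong CA trusted (what the log shows at depth=1):"
verify_chain "$WORK/stale.crt" "$WORK/pia_test.crt" "$WORK/srv.crt" || true
echo "--- identity of the CA to compare against the zip:"
ca_identity "$WORK/pia_test.crt"
```

The second verification prints `error 19 at 1 depth lookup` with the self-signed-certificate-in-chain message, which is the openssl view of the line in Scorch95's log: the gateway's chain is fine, the client simply does not trust its root. The fix is what Derelict said, import the right CA and select it on the client, and `ca_identity` is the quick way to confirm the right one is in place.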
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: killerb81 on July 18, 2016, 11:01:29 am
I'm wondering if someone can help clear up some confusion I'm having... that being said, my PIA is setup and working fine in pfSense.
My question is regarding some confusion with CA / certificate setup.

In this post on the PIA forums:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

They say to:

Quote
Certificate Setup
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "CAs"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Descriptive name" type in "PIA-internal-CA"
    - "Method" select "Create an internal Certificate Authority"
    - "Key length" use "2048" bits
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" = internal-ca
Now click "Save"


System: Certificate Manager
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "Certificates"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Method:" select "Create an internal Certificate"
    - "Descriptive name" type in "PIA-Certificate"
    - "Key length" use "2048" bits   
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" type in "PIA-Certificate"
Now click "Save"

In this post in pfSense forums, it makes no mention to these two steps... no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
So, what are these two extra steps for that are listed in the PIA forums?

Also, when adding a client, both posts agree that:
"Client Certificate" = "webConfigurator default *In use"

If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
If you're not choosing that, then why even make it (like in the guide posted in this thread)?

Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
I figure I can use these guides as a template if I understood the difference here.

Anyone?

Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: mhertzfeld on August 13, 2016, 10:26:04 am
I'm wondering if someone can help clear up some confusion I'm having... that being said, my PIA is setup and working fine in pfSense.
My question is regarding some confusion with CA / certificate setup.

In this post on the PIA forums:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

They say to:

Quote
Certificate Setup
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "CAs"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Descriptive name" type in "PIA-internal-CA"
    - "Method" select "Create an internal Certificate Authority"
    - "Key length" use "2048" bits
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" = internal-ca
Now click "Save"


System: Certificate Manager
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "Certificates"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Method:" select "Create an internal Certificate"
    - "Descriptive name" type in "PIA-Certificate"
    - "Key length" use "2048" bits   
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" type in "PIA-Certificate"
Now click "Save"

In this post in pfSense forums, it makes no mention to these two steps... no need to make an internal-CA (not clear on what that is)... and apparently no need to add a certificate.
So, what are these two extra steps for that are listed in the PIA forums?

Also, when adding a client, both posts agree that:
"Client Certificate" = "webConfigurator default *In use"

If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
If you're not choosing that, then why even make it (like in the guide posted in this thread)?

Any insight would be lovely... as I want to also setup another VPN (from another provider) in pfSense but this provider doesn't have any guides for pfSense.
I figure I can use these guides as a template if I understood the difference here.

Anyone?

Thanks!

I am wondering the same thing.

This is what I can figure out with the little research I did. 

With OpenVPN the Client Certificate is used to authenticate the client.  Since PIA is using a Username and Password for authentication, the Client Certificate is ignored.

Here's a quote from the OpenVPN how to documentation.

Quote
Using username/password authentication as the only form of client authentication

By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.

While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:

    client-cert-not-required

Such configurations should usually also set:

    username-as-common-name

which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.


For the Client Cert to work, PIA would need to either:
     1. generate a client certificate for each user account
     2. have each user generate a CSR and submit it to PIA who would return a client certificate to the user

Source: https://openvpn.net/index.php/open-source/documentation/howto.html
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: squiggie on August 23, 2016, 04:27:26 pm
I'm wondering if someone could offer some advice. I just followed this to setup PIA and openvpn on my pfsense. My setup is like this;

at&t router --> pfsense box --> wireless AP/switch

I got everything working with the exception of getting the openvpn client to connect via dns name. When I enter in the dns name us-midwest.privateinternetaccess.com, I get the following error in the openvpn connection logs.

Aug 23 09:28:49   openvpn[78359]: ifconfig_pool_persist_refresh_freq = 600
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_base = ::
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_netbits = 0
Aug 23 09:28:49   openvpn[78359]: n_bcast_buf = 256
Aug 23 09:28:49   openvpn[78359]: tcp_queue_limit = 64
Aug 23 09:28:49   openvpn[78359]: real_hash_size = 256
Aug 23 09:28:49   openvpn[78359]: virtual_hash_size = 256
Aug 23 09:28:49   openvpn[78359]: client_connect_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: learn_address_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: client_disconnect_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: client_config_dir = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: ccd_exclusive = DISABLED
Aug 23 09:28:49   openvpn[78359]: tmp_dir = '/tmp'
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_local = 0.0.0.0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_remote_netmask = 0.0.0.0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_local = ::/0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_remote = ::
Aug 23 09:28:49   openvpn[78359]: enable_c2c = DISABLED
Aug 23 09:28:49   openvpn[78359]: duplicate_cn = DISABLED
Aug 23 09:28:49   openvpn[78359]: cf_max = 0
Aug 23 09:28:49   openvpn[78359]: cf_per = 0
Aug 23 09:28:49   openvpn[78359]: max_clients = 1024
Aug 23 09:28:49   openvpn[78359]: max_routes_per_client = 256
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_verify_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_verify_script_via_file = DISABLED
Aug 23 09:28:49   openvpn[78359]: port_share_host = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: port_share_port = 0
Aug 23 09:28:49   openvpn[78359]: client = ENABLED
Aug 23 09:28:49   openvpn[78359]: pull = ENABLED
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_file = '/etc/openvpn-passwd.txt'
Aug 23 09:28:49   openvpn[78359]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Aug 23 09:28:49   openvpn[78359]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Aug 23 09:28:49   openvpn[78359]: WARNING: file '/etc/openvpn-passwd.txt' is group or others accessible
Aug 23 09:28:49   openvpn[78634]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Aug 23 09:28:49   openvpn[78634]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 23 09:28:49   openvpn[78634]: LZO compression initialized
Aug 23 09:28:49   openvpn[78634]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Aug 23 09:28:49   openvpn[78634]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Aug 23 09:28:49   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:49   openvpn[78634]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Aug 23 09:28:49   openvpn[78634]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 23 09:28:49   openvpn[78634]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 23 09:28:49   openvpn[78634]: Local Options hash (VER=V4): '41690919'
Aug 23 09:28:49   openvpn[78634]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 23 09:28:49   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:54   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:59   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known


If I enter the IP address, it will connect and everything will work. However this isn't acceptable, as every couple of days the IP address changes.

I've tried setting up my DNS servers to be the at&t router as well as the PIA DNS servers and neither seems to work.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on August 23, 2016, 08:30:39 pm
Looks like your firewall can't resolve names. Or at least that name.

What is your DNS configuration in System > General?

Can you resolve names in Diagnostics > DNS Lookup?

When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: squiggie on August 25, 2016, 10:45:33 am
Quote
Looks like your firewall can't resolve names. Or at least that name. [...]

DNS is pointing to 209.222.18.218 and 209.222.18.222 and both are using the WAN interface as gateway.

I can resolve names when I connect to the VPN via IP address, but when it's trying to connect via DNS name, it will not resolve. I get...
127.0.0.1   0 msec
209.222.18.218   No response
209.222.18.222   No response

I'm not able to see the updates nor see packages when this happens.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on August 25, 2016, 11:01:52 am
209.222.18.218   No response
209.222.18.222   No response

Have to figure that out...
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: johnpoz on August 25, 2016, 11:11:48 am
;; QUESTION SECTION:
;218.18.222.209.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
218.18.222.209.in-addr.arpa. 300 IN     PTR     resolver2.privateinternetaccess.com.

So you're saying pfSense can not use them.. Well, pfSense doesn't go out the VPN for its own traffic..

I can use them from non-privateinternetaccess. Does your normal ISP block/redirect DNS traffic and only allow you to use their DNS?

That FQDN you're trying to connect to resolves just fine:

;; QUESTION SECTION:
;us-midwest.privateinternetaccess.com. IN A

;; ANSWER SECTION:
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.87
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.62
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.54
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.80
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.27
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.79
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.20
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.140
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.7
us-midwest.privateinternetaccess.com. 300 IN A  108.61.101.131
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.116
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.69
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.9

;; AUTHORITY SECTION:
privateinternetaccess.com. 86400 IN     NS      ns2.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns4.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns3.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns1.p28.dynect.net.

How do you have your pfSense set up for DNS.. Looks like you point to loopback, which would be a normal setup if using the resolver, but then why do you have the PIA DNS listed there as well?? How do you have pfSense set up for DNS: forwarder, resolver, resolver in forward mode?

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: squiggie on August 25, 2016, 11:37:54 am
Ok, I think I know what's going on here now. My pfSense WAN interface is receiving a bridged connection from the router. I'm not sure how this was resolved, but I figured that my ISP might not allow alternate DNS servers and thus the PIA servers I put in weren't being allowed. So what I did was remove those PIA DNS servers under System --> General Setup and then check the box for "Allow DNS server list to be overridden by DHCP/PPP on WAN". After doing that, I rebooted and then reran the test and it was successful and connected to the VPN via the DNS name instead of the IP address.

However, that allowed a DNS Leak and I don't want that. So I simply redid my settings, adding the PIA DNS entries back again under system --> general setup and unchecked the box. I'm not really sure if something is operating off a cached IP address or value but things are working now. I guess we'll see if things blow up again in a few days.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: johnpoz on August 25, 2016, 02:05:01 pm
So you're using the forwarder, not the resolver?

You can force the resolver to use the VPN connection, I do believe. In the resolver settings pick your VPN interface for the outgoing connection, put it in forwarder mode, put your PIA nameservers in General Setup and make sure you uncheck "allow DHCP to override your DNS", etc. DNSSEC prob doesn't work with their nameservers, would have to check.

So I put in that IP you listed, changed my resolver to forwarder and picked the VPN interface that I have set up to one of my VPSes as the outgoing interface. Did a simple test of what the IP is of whatever is doing DNS for me, and:

> dig whoami.akamai.net

; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36815
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       209.222.18.218

;; Query time: 150 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Aug 25 13:58:05 Central Daylight Time 2016
;; MSG SIZE  rcvd: 62

I put it back to resolver

> dig whoami.akamai.net

; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11143
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       24.13.snipped

;; Query time: 12 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Aug 25 14:02:01 Central Daylight Time 2016
;; MSG SIZE  rcvd: 62

And as expected comes back with my public IP since I am doing the resolving directly, etc.
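The whoami.akamai.net check johnpoz runs above is the quickest way to see whether DNS is leaving through the tunnel or through WAN. The following is an added example, not part of johnpoz's post and not pfSense or PIA code: it parses dig output in the format shown above and reports whether the upstream resolver that reached Akamai is one of the PIA resolver addresses named in this thread (209.222.18.218 / 209.222.18.222) or something else. The two sample outputs are constructed to match the posts; the `run_dig` helper is my own and needs network access, so the offline checks do not call it.

```python
"""Which resolver answered whoami.akamai.net?  Added example, not from the thread.

Akamai answers whoami.akamai.net with the address of the recursive resolver
that asked it.  If pfSense forwards through the tunnel, that address is one
of the VPN provider's resolvers; if unbound resolves directly out of WAN, it
is the ISP-facing public address (johnpoz's second run above).
"""
import re
import subprocess
from typing import Optional

# PIA resolver addresses as posted in this thread.
PIA_RESOLVERS = frozenset({"209.222.18.218", "209.222.18.222"})

# ANSWER SECTION line: "whoami.akamai.net.  180  IN  A  <ip>"
ANSWER_RE = re.compile(
    r"^whoami\.akamai\.net\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})", re.M)
# ";; SERVER: 192.168.9.253#53(192.168.9.253)" - the server dig itself asked.
SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#\d+", re.M)


def answering_resolver(dig_output: str) -> Optional[str]:
    """Public IP of the resolver that reached Akamai, or None if no answer."""
    m = ANSWER_RE.search(dig_output)
    return m.group(1) if m else None


def queried_server(dig_output: str) -> Optional[str]:
    """The server dig talked to (normally pfSense itself), or None."""
    m = SERVER_RE.search(dig_output)
    return m.group(1) if m else None


def classify(dig_output: str, vpn_resolvers=PIA_RESOLVERS) -> str:
    """'vpn' when the upstream resolver belongs to the VPN provider,
    'outside-vpn' for anything else, 'no-answer' when dig got nothing.
    'outside-vpn' is only a leak if you intended DNS to use the tunnel."""
    ip = answering_resolver(dig_output)
    if ip is None:
        return "no-answer"
    return "vpn" if ip in vpn_resolvers else "outside-vpn"


def run_dig(server: Optional[str] = None) -> str:
    """Run the real dig binary (needs network); not used by the offline checks."""
    cmd = ["dig", "whoami.akamai.net"]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample outputs shaped like the two dig runs in the post above.
FORWARDING_SAMPLE = """\
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       209.222.18.218

;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

RESOLVING_SAMPLE = """\
;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       203.0.113.7

;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

if __name__ == "__main__":
    for name, sample in (("forwarder via VPN", FORWARDING_SAMPLE),
                         ("resolver direct", RESOLVING_SAMPLE)):
        print(f"{name}: upstream={answering_resolver(sample)} "
              f"asked={queried_server(sample)} -> {classify(sample)}")
```

Run it against live output with `classify(run_dig())` from a LAN client; running it from the pfSense shell itself tells you where pfSense's own queries go, which, as johnpoz notes, is not necessarily the tunnel.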
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: nitdawg1 on October 09, 2016, 02:20:55 pm
Hello,

I've been trying to configure a setup where my Plex server's torrent traffic is routed through OpenVPN/PIA. I would also still like to access my Plex server remotely. I run the Plex server on a different VLAN than the rest of my network (ex. VLAN30). So, I guess in essence what I'm trying to do is set up split tunneling so all my torrent traffic is secured using OpenVPN/PIA and all other traffic is sent over the network as usual.

I tried to use the tutorial in this post however, after following the instruction I lost all my Vlan interfaces and only had access to the LAN interface. I used a backup config.xml to restore my old settings but I really need some help.

I'm not sure what logs or screenshots I could offer to assist with troubleshooting. Let me know and I will provide them ASAP.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: User1503 on October 10, 2016, 05:26:32 am
Great this is still alive and thanks again to everyone contributing. My [nflx-movies] were using an alias for IP's going through PIA and working fine.  Then all of a sudden quit; along with my [amzn-jungle] box which gives geo-restriction.  What changed?  Jungle always worked, didn't complain like movies which was blocked for everyone a while back.  Is there a simple setup so I can check my DNS to be correct?  Currently I have DNS Srvr 1 as PIA with the PIAopt1 interface assigned.  DNS 2 is google with the WAN_DHCP interface assigned.  My setup is ISP provider router to PFsense box which controls local Lan.  Some clients [jungle/movies] are under a firewall alias that routes everything through PIA.  Other clients just bypass PIA and go out ISP router.  All this is tested and works.  I find it hard to believe that jungle all of the sudden is geo-blocking due to PIA?  If others are seeing this please post.  Otherwise, what did I change that I need to correct?  Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on October 18, 2016, 01:09:01 am
I'm able to connect just fine to PIA, but I'm seeing this in the logs every 10-15 seconds or so.  Can someone help me interpret this?

Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: Client disconnected
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: Client disconnected
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: Client disconnected

Advanced options as follows:

persist-key
persist-tun
remote-cert-tls server
auth-nocache
script-security 2
tls-version-min 1.2


I see the same "Management" things anyways with or without some of the above advanced options.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on October 18, 2016, 03:16:59 am
I believe those are simply logging of the Status > OpenVPN page or the OpenVPN status dashboard widget.

Turning down logging should clear those if they bother.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: thethrow on April 05, 2017, 01:36:28 am
Leaving this note for myself for 6 months when I forget.  8). Unsure if it was discussed prior, but may be worth adding to the tutorial. 

I was struggling with the routing part, as I expected the traffic to stop when my gateway went down, once I assigned a VPN gateway to the "Default allow LAN to any rule"

In order to make this work how I expected, I had to make the following change:

(System | Advanced | Miscellaneous)
Do not create rules when gateway is down
By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

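The setting thethrow points to above is the difference between a "VPN-only" rule that fails closed and one that silently sends the same hosts out through WAN when the tunnel drops. The script below is an added example, not from thethrow's post and not pfSense's own code: it reads a pfSense config.xml and flags the three things this thread keeps tripping over. The element names are my assumptions about the config.xml layout (`<system><skip_rules_gw_down/>` for "Do not create rules when gateway is down", `<system><dnsallowoverride/>` for "Allow DNS server list to be overridden by DHCP/PPP on WAN", `<gateways><gateway_item><name>` / `<gateway_group><name>` for gateway names, `<filter><rule><gateway>` for a rule's Advanced > Gateway field); the config fragment is constructed to resemble the setups described in this thread.

```python
"""Audit a pfSense config.xml for the policy-routing / DNS settings discussed here.

Added example; not from the thread or the pfSense project.  Element names
are assumptions about pfSense's config.xml layout (see the lead-in).
"""
import xml.etree.ElementTree as ET
from typing import List


def audit(config_xml: str) -> List[str]:
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("not a pfSense config: no <system> element")
    findings: List[str] = []

    # Gateway names a rule may legitimately reference (assumed element names).
    known_gateways = {g.findtext("name") for g in root.findall("./gateways/gateway_item")}
    known_gateways |= {g.findtext("name") for g in root.findall("./gateways/gateway_group")}

    # Rules carrying a gateway are policy-routed; everything else uses the default route.
    routed = [(r.findtext("descr") or "(no description)", r.findtext("gateway"))
              for r in root.findall("./filter/rule") if r.findtext("gateway")]

    # Without skip_rules_gw_down, a rule whose gateway is down is loaded WITHOUT
    # its gateway (pfSense's own help text above), so "VPN-only" hosts quietly
    # exit via the default gateway when the tunnel drops.
    if routed and system.find("skip_rules_gw_down") is None:
        findings.append(f"skip_rules_gw_down not set: {len(routed)} policy-routed rule(s) "
                        "fall back to the default gateway when their gateway is down")

    # With dnsallowoverride, the ISP's DHCP-supplied resolvers replace the
    # configured ones, which is the DNS leak squiggie ran into earlier.
    if system.find("dnsallowoverride") is not None:
        findings.append("dnsallowoverride set: WAN DHCP/PPP can replace the configured DNS servers")

    # A rule pointing at a gateway that does not exist routes nothing the way you expect.
    for descr, gw in routed:
        if gw not in known_gateways:
            findings.append(f"rule '{descr}' references unknown gateway '{gw}'")
    return findings


# Constructed config fragment modelled on the setups described in this thread.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>209.222.18.218</dnsserver>
    <dnsserver>209.222.18.222</dnsserver>
    <dnsallowoverride/>
  </system>
  <gateways>
    <gateway_item><name>WAN_DHCP</name><interface>wan</interface></gateway_item>
    <gateway_item><name>PIAVPN_VPNV4</name><interface>opt1</interface></gateway_item>
  </gateways>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <descr>Default allow LAN to any rule</descr><gateway>PIAVPN_VPNV4</gateway></rule>
    <rule><type>pass</type><interface>lan</interface>
      <descr>Roku bypass</descr><gateway>DSLGW</gateway></rule>
  </filter>
</pfsense>
"""

# The same config after the fixes discussed in the thread: fail closed when
# the VPN gateway is down, keep the configured DNS servers, and point the
# bypass rule at a gateway that actually exists.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("<dnsallowoverride/>", "<skip_rules_gw_down/>")
                   .replace("DSLGW", "WAN_DHCP"))

if __name__ == "__main__":
    for label, cfg in (("as found", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

On a real box, run it against a backup from Diagnostics > Backup & Restore (`audit(open("config-backup.xml").read())`); if your pfSense version stores these options under different element names the checks simply report nothing, so confirm the names against your own config.xml first.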
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: CTrax on April 05, 2017, 04:02:01 pm
While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not.

Problem:
I've successfully configured PIA VPN and ipecho.net confirms a PIA IP address but something is preventing any Firewall exception Rule I create (to 'bypass' VPN) from having those IP routed around VPN -- such rules appear to be just ignored. I've read, searched and tried every config modification I can find; no luck. All IPs for devices are static IPs on the same 192.168.1.X network but they all just use the tunnel.

Any idea of what to observe or what config to check or change would be appreciated. Thanks!

Intent:
Run the entire local 192.168.1.X net through the PIA VPN -- except a few specific static IP devices.

Network:
ISP - (108.x.x.x) - ISP ADSLmodem - (108.x.x.x) - SG-2440 - (172.28.x.x) - Router/SW - 192.168.1.X local net
SG-2440 is at 2.3.2.p1, no added packages

Gateways:
DSLGW(default) / WAN / 108.x.x.x / 108.x.x.x / ADSL Gateway
PIAVPN_VPNV4 / WAN / 10.64.10.5 / 10.64.10.5 / Interface PIAVPN_VPNV4 (the 10.x.x.x appears dynamic)
PIAVPN_VPNV6 / WAN / <blank> / <blank> / Interface PIAVPN_VPNV4

Interfaces:
Existing defaults: WAN, LAN
Deleted: OPT2 (unused)
Renamed OPT1:  Enable[X] / Name: PIAVPN / Network port: ovpnc1(PIA openVPN)

Firewall:
NAT:
Existing: (6) WAN Mappings
Copied: (6) and rename Interface: PIAVPN

Aliases:
Roku / 192.168.1.209
VPNPath / 192.168.1.200-208 range

Rules: WAN: (only existing block private and bogon)
Rules: PIAVPN: (no rules)
Rules: OpenVPN: (no rules)

Rules: LAN:
Added: Roku / any port,dest / DSLGW gateway
Added: VPNPath / any port,dest / PIAVPN gateway
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: thethrow on April 06, 2017, 07:59:19 pm
Quote
While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not. [...]

3 things to check:
-See my post above, make the change.
-RE: LAN rules Roku is set at your "source"
-put your alias under Firewall | Aliases | IP

Also may want to try just plugging in the address to the source (e.g. 192.168.1.209 for roku), and not using an alias, just for testing.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bartgrefte on August 30, 2017, 08:06:29 am
Just now I went through this howto to set up a virtualized pfSense as VPN client. Since I do not want all traffic to go through VPN, just one or two specific programs, I figured I'd set up a virtual PC with pfSense and Squid and set the programs in question to connect to Squid so that the traffic goes through pfSense and its VPN client.

I got a bit confused at the compression setting, there is nothing to check, instead there's a drop down menu with 5 options, I set it to "enabled with adaptive compression". Not sure if it's the right choice though...

Plus option "Auth digest algorithm" is not listed in the howto, I left the default setting as it was, SHA1 (160-bit)

After finishing following the howto, I ended up with "reconnecting; tls-error" as status and this in the log:
Quote
Aug 30 14:25:40    openvpn    26470    TLS: Initial packet from [AF_INET]46.166.137.250:1194, sid=95cdf14a 8a04e2c6
Aug 30 14:25:40    openvpn    26470    VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Aug 30 14:25:40    openvpn    26470    OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 30 14:25:40    openvpn    26470    TLS_ERROR: BIO read tls_read_plaintext error
Aug 30 14:25:40    openvpn    26470    TLS Error: TLS object -> incoming plaintext read error
Aug 30 14:25:40    openvpn    26470    TLS Error: TLS handshake failed
Aug 30 14:25:40    openvpn    26470    TCP/UDP: Closing socket
Aug 30 14:25:40    openvpn    26470    SIGUSR1[soft,tls-error] received, process restarting
Aug 30 14:25:40    openvpn    26470    Restart pause, 2 second(s)
I solved that by changing the port from 1194 to 1198 and the encryption algorithm from BF-CBC (128-bit) to AES-128-CBC (for standard certificates), see https://www.privateinternetaccess.com/forum/discussion/comment/42294/#Comment_42294 for more info.

After that, the VPN showed as "up", so I accessed pfSense's console and ran both
curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
and
curl ipinfo.io/ip
Both show an IP address that's not my public IPv4 address issued by my ISP, nor the private address issued by my router to pfSense's WAN interface, so I guess it's working :)

I have some questions though.
- Should I disable IPv6 on pfSense? Since PIA doesn't seem to support it.
- As for the NAT-rules part of the howto, I doubled all the rules while setting the VPN as interface as instructed. Since there are now rules for two outbound interfaces, how will I know if the traffic always goes through the VPN?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: DaveB on August 31, 2017, 06:14:24 am
Quote
While I appreciate the detail of the original PIA VPN tutorial and all of the subsequent contributions, I've not been able to combine all of that into a working VPN + Bypass configuration. PIA VPN works; it's the 'bypass' exception that does not. [...]


Hi

Just been struggling with a similar problem and concluded that it was my settings under Firewall/NAT/Outbound - Manual Outbound that were wrong. I had overwritten the existing rules with my VPN rules rather than duplicating and then modifying.

Copy of Rules that sorted it for me is shown below.
Hope you can get it sorted.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on August 31, 2017, 07:15:33 am
I don't think the ISAKMP/500 rules need to be created for the VPN.  Just the two (localhost to VPN and LAN to VPN).  They can be safely removed.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: fnkngrv on October 23, 2017, 01:19:20 am
I followed the PIA guide on their support page completely however it didn't work.  For grins I went in and saw that there was a system update.  I was on 2.3.4 and 2.4 released on Oct 10th.  I have no clue if the update resolved some type of internal software issue however after going back in and having to redo the configs it is now working.  Just figured that I would share for anyone that might be running into issues recently.  Thanks for the tutorial.  I will need to come back to it again for setting up a machine or two to skip using it.

On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on October 23, 2017, 07:02:51 am
On a sidenote I had followed Mark Furneaux's PFSense guide videos and had hardcoded a dozen or so DNS servers.  Would it be advisable that I have my PIA VPN up and running to remove those?
Are you using Unbound as a DNS Resolver or the old school dnsmasq for DNS Forwarding?  You can have your cake and eat it too.  Meaning, you can have all your clients' DNS queries get routed over the VPN, but the pfSense box itself still needs to be able to do DNS in case the VPN tunnel goes down.

So your list would be something like:

127.0.0.1 (this is there by default, no need to manually add)
DNS 1
DNS 2
DNS 3
etc.

This way for PIA you don't have to hardcode the IP address in the OpenVPN client configuration page.  You can actually do the FQDN us-florida.privateinternetaccess.com (or whatever).
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: gtj on November 10, 2017, 06:42:48 am
This is an excellent tutorial and in great detail.
I have set up the PIA client successfully; however, I have also set up an OpenVPN server for remote access and these two don't seem to work together. I have to disable the server to have the PIA client encrypting traffic, while if I want to connect to my LAN from a remote location, I have to disable the PIA client.

Can anyone please advise what rules should anyone use in order to have both OpenVPN instances running at the same time?

Any help would be much appreciated.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on November 10, 2017, 02:41:32 pm
They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: gtj on November 10, 2017, 02:48:15 pm
They are completely separate. Just use a separate tunnel network for the Remote Access OpenVPN.

Does this mean I have to choose under Firewall - Rules - OpenVPN Server a different gateway for the server? (''clean'' WAN instead of the PIA gateway)

Thanks!
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on November 11, 2017, 09:43:56 am
You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: gtj on November 11, 2017, 12:13:15 pm
You need to select the interface you expect the connections from the client to arrive on. That is probably WAN and not PIA.

Still can't set it right. When a client is connected to the OpenVPN server, my PIA connection is either slow or down. I have to disable the server to get my connection back.

Do I have to create a rule for both OpenVPN and PIA interfaces or just for OpenVPN? Currently under Firewall ---> Rules ---> PIA there aren't any rules set at all.

I have created a rule for the OpenVPN interface to look like the one below:

Interface: LAN (''Bridge'' in my case as I have bridged 2 NICs to act as one)
Address Family: IPv4
Protocol: TCP/UDP
Source:Any
Destination: Any
Destination Port Range: 1194

Advanced Options -->  "Gateway"---> WAN

I apply the above but still don't see any difference.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: gtj on November 12, 2017, 08:04:02 am
Anyone that can actually help with the problem above? It will be much appreciated.

I did the following:

-I have created separate interfaces for both my PIAVPN and OpenVPN Server.

-Under NAT, I generated the default WAN ''Outbound'' values for both PIAVPN (client) & OpenVPN Server

-Created a WAN rule which allows TCP/UDP traffic to port 1194 and have selected under ''Advanced Settings'' ----> ''Gateway'' the WAN_DHCP instead of the ''Default'' I then duplicated that rule to be present under ''LAN'' as well as under ''Bridge'' tab as I have bridged the 2 NICs of my APU2C4 to act as one LAN.

-There are no rules at all under the tabs ''OpenVPN'', ''LAN2'', ''OPENVPN'', ''BR0''.
At the moment, rules are set only for ''WAN'', ''LAN'' and ''Bridge''.

On the pfSense dashboard the available interfaces are all being shown as active:

WAN         ---- up        (ip assigned)
LAN          ---- n/a
LAN2        ---- n/a
PIAVPN     ---- up        (ip assigned)
OpenVPN  ---- up        (ip assigned)
BR0          ---- up        (ip assigned)

What am I missing?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Haze028 on December 02, 2017, 12:01:34 pm
I've followed a few different guides, and googled for quite a while and can't seem to get my connection to work properly. 
My mappings are set:


(https://image.ibb.co/jrvbkG/mappings.jpg)

pfSense shows openVPN as connected, and my VPN interface has an IP assigned to it.  Everything looks like it should be good

(https://image.ibb.co/bA6Ssw/openvpnstatus.jpg)
(https://image.ibb.co/dZZaeb/vpninterfacestatus.jpg)

I have two LAN firewall rules to specify which computers use the vpn and which don't:

(https://image.ibb.co/gfJwkG/lanrules.jpg)

I am unable to access the internet when OpenVPN is connected from a VPN_Users aliased computer.
I am able to ping fine from this computer, ex. www.google.ca, but when I try to load a page Firefox just sits saying "Performing TLS Handshake with.." and never loads. As soon as I shut down the OpenVPN service, internet works as normal.


I've tried looking at the log, but see no mention of an error.

(https://image.ibb.co/mgeK5G/openvpnlog.jpg)


 I'm assuming this is related to my firewall not being configured properly and blocking the access.  I just don't know what I'm missing.

Any Suggestions?

 
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on December 04, 2017, 02:50:23 am
@Haze028, I noticed your LAN network is 150.160.170.0/24, which is a public IP range.  If you haven't purchased or otherwise own this block of IPs, you should stick with private IP ranges.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bcruze on December 19, 2017, 04:31:05 pm
these are the updated instructions just provided to me:

https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115005760606-Setting-up-a-Router-running-pfSense-Firmware

Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bcruze on December 20, 2017, 11:01:37 am
I've followed the instructions above and now I am getting several events in the logs:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

Seems like several red flags. What is everyone's opinion on this?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on December 21, 2017, 06:15:28 pm
Quote from: bcruze
I've followed the instructions above and now I am getting several events in the logs:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

Seems like several red flags. What is everyone's opinion on this?

I get the 'link-mtu' warnings as well.  The Blowfish/SWEET32 warning is because PIA can't competently maintain their systems (and I'm a customer!) and still defaults to BF-CBC instead of at least AES-128-CBC.  They really should be using the latest OpenVPN 2.4.4 with NCP support.  As much as I like PIA, they can be a real frustrating PI[T]A....

As long as you (the client endpoint) have your config set to use AES-128-CBC or AES-256-CBC, it'll override the server settings, so don't worry about that warning.
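The four warnings above come from OpenVPN's option-string comparison at connect time; on their own they do not say which cipher the data channel actually ended up with. The "Data Channel: Cipher '...' initialized" line that OpenVPN logs once the keys are set up does. The Python below is an added example (not something posted in this thread, not pfSense or OpenVPN code) that pulls both out of a client log and decides whether the SWEET32 warning is about the tunnel you are using or only about the server's advertised default. The log lines are constructed for the example; the four WARNING lines are copied verbatim from the post above. The 16-byte link-mtu gap in those lines is consistent with the extra IV and block size of AES-CBC (16 bytes each) over Blowfish (8 bytes each), which is why that warning is listed as overhead rather than as a crypto problem.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 64-bit block ciphers OpenVPN still accepts; any of them is exposed to SWEET32.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}

CIPHER_MISMATCH = re.compile(
    r"'cipher' is used inconsistently, local='cipher (?P<local>[\w-]+)', "
    r"remote='cipher (?P<remote>[\w-]+)'")
MTU_MISMATCH = re.compile(
    r"'link-mtu' is used inconsistently, local='link-mtu (?P<local>\d+)', "
    r"remote='link-mtu (?P<remote>\d+)'")
# OpenVPN 2.4 logs "Outgoing/Incoming Data Channel: Cipher '...' initialized";
# 2.3 logs "Data Channel Encrypt/Decrypt: Cipher '...' initialized".
DATA_CHANNEL = re.compile(
    r"(?P<label>(?:Outgoing|Incoming) Data Channel|Data Channel (?:Encrypt|Decrypt)): "
    r"Cipher '(?P<cipher>[\w-]+)' initialized")

# Constructed sample log. The WARNING lines are the ones quoted in the thread;
# the Data Channel lines are added so the triage has something to decide on.
LOG_PREFIX = "Dec 20 10:58:01 openvpn[12345]: "
WARNINGS = [
    "WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'",
    "WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'",
    "WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks "
    "like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).",
    "WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.",
]

def sample_log(data_cipher: str) -> str:
    """Build a constructed client log whose data channel came up with data_cipher."""
    lines = WARNINGS + [
        f"Outgoing Data Channel: Cipher '{data_cipher}' initialized with 128 bit key",
        f"Incoming Data Channel: Cipher '{data_cipher}' initialized with 128 bit key",
        "Initialization Sequence Completed",
    ]
    return "\n".join(LOG_PREFIX + line for line in lines)

@dataclass
class Report:
    local_cipher: Optional[str] = None
    remote_cipher: Optional[str] = None
    link_mtu: Optional[Tuple[int, int]] = None
    data_channel: Dict[str, str] = field(default_factory=dict)
    sweet32_warned: bool = False
    severity: str = "info"
    findings: List[str] = field(default_factory=list)

def triage(log_text: str) -> Report:
    """Extract the option-string warnings and the data-channel cipher from an OpenVPN client log."""
    r = Report()
    for line in log_text.splitlines():
        if m := CIPHER_MISMATCH.search(line):
            r.local_cipher, r.remote_cipher = m["local"], m["remote"]
        elif m := MTU_MISMATCH.search(line):
            r.link_mtu = (int(m["local"]), int(m["remote"]))
        elif m := DATA_CHANNEL.search(line):
            r.data_channel[m["label"]] = m["cipher"]
        elif "SWEET32" in line:
            r.sweet32_warned = True

    in_use = set(r.data_channel.values())
    weak_in_use = sorted(in_use & SMALL_BLOCK_CIPHERS)
    if weak_in_use:
        r.severity = "critical"
        r.findings.append(f"data channel initialised with 64-bit block cipher {weak_in_use}: "
                          "the SWEET32 warning describes the tunnel actually in use")
    elif not in_use:
        r.severity = "unknown"
        r.findings.append("no 'Data Channel ... initialized' line found; cannot tell which cipher is in use")
    else:
        r.findings.append(f"data channel uses {sorted(in_use)}; no 64-bit block cipher in use")

    if r.remote_cipher in SMALL_BLOCK_CIPHERS:
        if r.severity == "info":
            r.severity = "warning"
        r.findings.append(f"server advertises {r.remote_cipher} as its default cipher; "
                          "only the provider can change that side")
    if r.link_mtu and r.link_mtu[0] != r.link_mtu[1]:
        r.findings.append(f"link-mtu differs (local {r.link_mtu[0]}, remote {r.link_mtu[1]}): "
                          "per-packet overhead of differing cipher/auth options, not a crypto failure")
    return r
```

Run it against the OpenVPN log from Status > System Logs > OpenVPN. If the data-channel line names a 64-bit block cipher, the SWEET32 warning is about your tunnel and the client-side cipher setting needs fixing first; if it names AES, the remaining warning is about the server's default and there is nothing more to do on the pfSense side.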
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 03, 2018, 09:49:02 am
Thanks for the guide. I was able to get this configured in about an hour or so. There are a couple of things to note:

1) OpenVPN server port numbers are different for PIA depending if you use a sha256 or sha128 cert: https://www.privateinternetaccess.com/forum/discussion/21213/sha256-with-openvpn

2) I didn't want my Steam gaming traffic going over the VPN (ports 27000-27015,...) so I used a NAT Alias to create a list of ports to apply to the outbound NAT rule.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 03, 2018, 11:45:37 am
That's great but outbound NAT rules have nothing to do with what traffic goes out which interface. They only dictate what NAT occurs when traffic is already routed out that interface by policy routing or the routing table.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 03, 2018, 12:23:18 pm
Hrm, makes sense I guess. Got a link to something explaining how to route 80/443/53 over the VPN interface while leaving all other traffic egressing the WAN ?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 03, 2018, 12:26:33 pm
Just check don't pull routes in the OpenVPN Client configuration then policy route those destination ports to the VPN Gateway followed by pass any without setting a gateway.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 03, 2018, 01:13:38 pm
Ah, I think that works but only if I specify the VPN gateway in the LAN pass rule (under Advanced).  You mention "pass any without setting a gateway." but where else would I specify the VPN gateway for those ports?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 03, 2018, 02:06:47 pm
You policy route using firewall rules as you already stated. So you make a rule specifying those destination ports and the desired gateway/gateway group.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 03, 2018, 03:26:07 pm
Thanks. Netflix won't work going over the vpn interface so I've created a hosts Alias containing the IP ranges for AS2906 (netflix) and created a second rule on the LAN to route the Netflix alias destinations over the WAN interface instead of the VPN interface. It doesn't seem to pick up the change though. I've reset under 'diagnostics > states > reset states' but the rule doesn't seem to be working. Tcpdump on the vpn interface shows the Aliased IP addresses still going over that interface. 

The docs say "first match wins" so if I have the Netflix rule at the top, and the VPN rule after that this should be working, correct? I'm assuming I'm missing some IP addresses Netflix is using but want to make sure I understand the rule ordering.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 03, 2018, 03:44:18 pm
Post your rules then. I guarantee if the alias contains the required destinations and the rules are done correctly, it works.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 03, 2018, 04:54:33 pm
The rules are working, I think I'm just missing IP ranges. I'm using tcpdump on the PFsense box to see what's egressing the vpn interface. Even after adding a new range, I'll reload Netflix in my web browser and tcpdump shows it still hitting that IP on the vpn. If I wait a minute or so, then it seems to pick it up. Are rule changes only applied to new connections?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bcruze on January 03, 2018, 05:07:53 pm
this works for me

180 is the static ip address of my tv
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 03, 2018, 07:38:24 pm
Yes, it is often easier to just exclude everything from the device from egressing the VPN than try to match every destination address and port for something like netflix.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 04, 2018, 05:18:34 am
Quote from: bcruze
180 is the static ip address of my tv

I'm not sure I understand. Are you just filtering by source IP rather than by a zillion Netflix destinations?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Derelict on January 04, 2018, 05:25:29 am
Yes. He's telling it to put everything FROM that device out WAN regardless of destination. Far easier than trying to single out "Netflix."
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 04, 2018, 05:56:54 am
Good idea. Unfortunately, I have a mix of devices on the LAN which also access Netflix.  For now, I've added around 30+ subnets to my Netflix Alias. It's not great but it keeps the tablets/phones on the VPN for everything but Netflix.
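To see how the ordering Derelict describes plays out, here is a small first-match-wins evaluator in Python. It is an added example, not code from this thread or from pfSense, and it models only what the discussion needs: a LAN rule either carries a gateway (policy routing) or it does not (the routing table decides, which with "Don't pull routes" checked means WAN). The aliases, the gateway names WAN_DHCP and PIAVPN_VPNV4, and the "Netflix" ranges are placeholders; the real prefix list for AS2906 has to come from the current BGP announcement, not from here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed aliases. The "Netflix" entries are documentation networks standing in
# for the AS2906 prefix list; 192.168.1.180 is the TV from bcruze's rule.
ALIASES: Dict[str, List[str]] = {
    "LAN_net": ["192.168.1.0/24"],
    "TV":      ["192.168.1.180"],
    "Netflix": ["203.0.113.0/24", "198.51.100.0/25"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                                  # alias name or CIDR
    dst: str                                  # alias name, CIDR or "any"
    dports: Optional[FrozenSet[int]] = None   # None = any destination port
    gateway: Optional[str] = None             # None = no gateway set: use the routing table

def _networks(spec: str) -> List[ipaddress.IPv4Network]:
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec])]

def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in _networks(rule.src))
            and any(d in n for n in _networks(rule.dst))
            and (rule.dports is None or dport in rule.dports))

def route(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins, as on the pfSense LAN tab. Returns the gateway the
    traffic is policy-routed to, 'routing table' when the matching rule sets none,
    or 'blocked' when no pass rule matches (pf's default deny)."""
    for rule in rules:
        if _matches(rule, src, dst, dport):
            return rule.gateway or "routing table"
    return "blocked"

# Rule set that splits traffic the way the thread describes. Gateway names follow
# the pfSense pattern (WAN_DHCP, <interface>_VPNV4) and are assumed here.
LAN_RULES = [
    Rule("Netflix out WAN",  "LAN_net", "Netflix", None,                     "WAN_DHCP"),
    Rule("TV out WAN",       "TV",      "any",     None,                     "WAN_DHCP"),
    Rule("web+DNS via PIA",  "LAN_net", "any",     frozenset({53, 80, 443}), "PIAVPN_VPNV4"),
    Rule("pass any",         "LAN_net", "any",     None,                     None),
]
```

Swap the first and third rules and the tablet's Netflix traffic lands on the VPN, because the port-443 rule now matches first; that is all "first match wins" means. One more thing the evaluator cannot show: rule changes only apply to new states. A connection that was already matched keeps its gateway until the state expires or you reset states under Diagnostics > States, which is the minute of delay Dave R saw in tcpdump.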
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 04, 2018, 06:01:37 am
If I'm running 'Services > DNS Resolver' on pfSense, it looks like (most?) of my DNS queries are still going out the WAN. Is this because the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least that's what it looks like from tcpdump)?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on January 05, 2018, 06:15:25 pm
Quote from: Dave R
If I'm running 'Services > DNS Resolver' on pfSense, it looks like (most?) of my DNS queries are still going out the WAN. Is this because the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least that's what it looks like from tcpdump)?
To fix this, go to Services / DNS Resolver and under "Outgoing Network Interfaces," select only your PIA VPN interface(s) and make sure "All" and "WAN" aren't selected.

This fixes the DNS leak over your regular WAN but introduces the problem that if your VPN ever goes down, pfSense will not be able to resolve DNS to reconnect the VPN.  To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing (Google, OpenDNS, Level 3, Verisign, etc.).  This setting only affects outbound DNS queries by localhost, not by anything on your LAN, which should go out the PIA VPN only via unbound.
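A way to confirm the change took: capture on the WAN interface with tcpdump -ni em0 udp port 53 and sort what you see. After the change, the only DNS leaving the WAN should be pfSense's own lookups to the servers set under System / General Setup; any iterative query from unbound out the WAN is the leak. The Python below is an added example, not part of the post; the capture lines are constructed, the addresses are documentation ranges, and 198.51.100.1 stands in for whatever third-party server you configured. The useful tell is the recursion-desired flag, which tcpdump prints as a + after the query id: the stub resolver on pfSense sets it, unbound's queries to authoritative servers do not.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# One tcpdump -n line per DNS query:
#   "<time> IP <src>.<sport> > <dst>.53: <id>[+] <type>? <name>. (<len>)"
# The "+" after the id means the recursion-desired bit is set.
TCPDUMP_DNS = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)", re.MULTILINE)

# Constructed capture from the WAN side (em0 in the thread). 203.0.113.5 plays the WAN
# address, 198.51.100.1 the resolver configured under System / General Setup, and the
# 192.0.2.x hosts are authoritative name servers unbound would walk to on its own.
SAMPLE_CAPTURE = """\
10:15:01.100001 IP 203.0.113.5.41234 > 198.51.100.1.53: 4321+ A? privateinternetaccess.com. (43)
10:15:01.200002 IP 203.0.113.5.41235 > 198.51.100.1.53: 4322+ AAAA? privateinternetaccess.com. (43)
10:15:02.300003 IP 203.0.113.5.52011 > 192.0.2.20.53: 17 A? www.example.org. (33)
10:15:02.400004 IP 203.0.113.5.52012 > 192.0.2.21.53: 18 NS? example.org. (29)
10:15:03.500005 IP 203.0.113.5.43000 > 198.51.100.1.53: 4323+ A? ntp.example.net. (33)
10:15:04.600006 IP 203.0.113.5.43001 > 192.0.2.9.53: 4324+ A? www.example.com. (33)
"""

def classify(capture: str, wan_ip: str, general_setup_dns: Iterable[str]) -> Dict[str, List[str]]:
    """Sort DNS queries seen on the WAN into the three buckets that matter here.

    expected:      pfSense's own stub lookups (source = WAN address, RD set) to the
                   servers configured under System / General Setup.
    leak_resolver: iterative queries (RD clear): unbound resolving for the LAN over
                   the WAN instead of the VPN, i.e. the leak the post is about.
    leak_other:    recursive queries to anything else, which deserve a look as well.
    """
    allowed = {ipaddress.ip_address(a) for a in general_setup_dns}
    buckets: Dict[str, List[str]] = {"expected": [], "leak_resolver": [], "leak_other": []}
    for m in TCPDUMP_DNS.finditer(capture):
        dst = ipaddress.ip_address(m["dst"])
        entry = f"{m['qtype']} {m['qname']} -> {dst}"
        if not m["rd"]:
            buckets["leak_resolver"].append(entry)
        elif m["src"] == wan_ip and dst in allowed:
            buckets["expected"].append(entry)
        else:
            buckets["leak_other"].append(entry)
    return buckets

def leaks(capture: str, wan_ip: str, general_setup_dns: Iterable[str]) -> bool:
    """True when anything other than pfSense's own stub lookups left via the WAN."""
    b = classify(capture, wan_ip, general_setup_dns)
    return bool(b["leak_resolver"] or b["leak_other"])
```

Feed it a real capture (tcpdump -ni em0 -l udp port 53 > wan-dns.txt, then read the file) with your WAN address and your General Setup servers. An empty leak_resolver bucket after the Outgoing Network Interfaces change is the result you want; if it is not empty, unbound is still bound to WAN or "All".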
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 06, 2018, 05:14:37 am
Thanks! Precisely what I was wanting. em0 egress is looking better now.

Quote from: Finger79
To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing

I'm assuming the screenshot is correct?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bcruze on January 06, 2018, 07:13:25 am
Quote from: Dave R
Thanks! Precisely what I was wanting. em0 egress is looking better now.

To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing

I'm assuming the screenshot is correct?

See, now this is when my head starts hurting. The instructions never say to create a new interface. So when I got home I disabled the PIA interface to test my connection to see if it still worked, and it did. So I deleted the OpenVPN/PIA interface. So I can't change this setting.

So are you saying that with the standard PIA instructions your data is not routed correctly on the outgoing interface?

When I go to PIA.com I have a protected IP, and I am getting my normal speeds, which I have not for some time. I really don't want to alter this unless I have to.



Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 06, 2018, 11:43:58 am

Quote from: bcruze
So are you saying that with the standard PIA instructions your data is not routed correctly on the outgoing interface?


My setup is a little different than "VPN all the things!" which is the direction given by all the tutorials I've found anyway. Straight off, yes all my traffic was egressing the VPN tunnel as it should but I don't want Steam going over it, and Netflix absolutely refuses to run as well. Fiddling around with splitting the traffic over multiple interfaces is inherently problematic because now I need to use IP addresses, protocol and port to determine what goes where. And that's not always a straightforward thing (especially for Netflix. I'm a little surprised my setup is working at all with all the Aliases I had to configure.)

That said, I'm continually impressed by pfSense. It's enterprise grade software in features, quality and functionality. I'm very grateful for the tutorial in this thread and all the support from the forum folks. Thanks all.

PS: Um..not sure I follow what you mean about creating a new interface. Isn't it right there in the first post under "Create OpenVPN interface" ?
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: bcruze on January 06, 2018, 12:57:24 pm
I am following the newest guide:

https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1


I also posted an updated link near the top of page 22, from a PIA staff member.
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Finger79 on January 06, 2018, 10:37:16 pm
Quote from: bcruze
I am following the newest guide:

https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1

I also posted an updated link near the top of page 22, from a PIA staff member.
Their guides are never perfect.

Quote from: Guide
14.) Ensure NCP is checked.
       Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
       Add AES-128-CBC and AES-256-CBC  by selecting them in the left box.
This is stupid and defeats the purpose of NCP in OpenVPN 2.4 which automatically negotiates the NCP ciphers if both client and server support NCP.  NCP should remain set to AES-256-GCM and/or AES-128-GCM.  And the traditional cipher should be set to AES-256-CBC or AES-128-CBC.

Quote from: Guide
17.) Custom Options: Add these parameters:

          persist-key
          persist-tun
          remote-cert-tls server
          reneg-sec 0

"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here.  They should be left out because all this does is list the directives twice in the config file.

Mine are currently set to:

Quote
# Advanced Configuration Settings from GUI
remote-cert-tls server
auth-nocache
tls-version-min 1.2
reneg-sec 0
pull-filter ignore "auth-token"

I learned a lot from reading the OpenVPN 2.4 Manual (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage).  Took several hours over several days before I had a basic understanding of how to harden the config settings.  The pull-filter ignore "auth-token" is my latest addition since I was having issues with the session token expiring and the VPN would never automatically reconnect by itself.  Adding that directive keeps pfSense connected to PIA 24/7 and automatically reconnects.
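A linter for the resulting client config, written as an added example (not pfSense code and not the PIA guide's): it flags the persist directives pasted in on top of the ones pfSense already writes, the CBC-only NCP list the quoted guide asks for, a 64-bit block cipher, a missing remote-cert-tls server, and a TLS floor below 1.2. Run it against the client config pfSense generates (under /var/etc/openvpn/ as I recall it; check the path on your box). The two configs below are constructed; the hostname is a placeholder, and the assumption that pfSense already emits persist-key and persist-tun is taken from the post above.

```python
import shlex
from collections import Counter
from typing import Dict, List, Optional, Tuple

SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
# Directives pfSense already writes into the generated client config (per the post above).
PFSENSE_EMITS = {"persist-key", "persist-tun"}
# Directives that may legitimately appear more than once.
REPEATABLE = {"remote", "pull-filter", "route", "push"}

def parse(config: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args) pairs, dropping comments."""
    out = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out

def lint(config: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; levels are critical, warning, info."""
    directives = parse(config)
    present: Dict[str, List[str]] = {name: args for name, args in directives}

    def first(name: str, default: Optional[str] = None) -> Optional[str]:
        return (present.get(name) or [default])[0]

    findings: List[Tuple[str, str]] = []
    for name, count in Counter(name for name, _ in directives).items():
        if count > 1 and name not in REPEATABLE:
            hint = "; pfSense already writes it, remove it from Custom options" if name in PFSENSE_EMITS else ""
            findings.append(("warning", f"'{name}' appears {count} times{hint}"))

    cipher = first("cipher")
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(("critical", f"cipher {cipher} has a 64-bit block (SWEET32); use AES-128-CBC or AES-256-CBC"))
    ncp = first("ncp-ciphers")
    if ncp:
        suites = ncp.split(":")
        if any(s in SMALL_BLOCK_CIPHERS for s in suites):
            findings.append(("critical", "ncp-ciphers offers a 64-bit block cipher"))
        if not any(s.endswith("-GCM") for s in suites):
            findings.append(("warning", "ncp-ciphers lists no AEAD suite; keep AES-256-GCM:AES-128-GCM so a 2.4 server can negotiate it"))
    if present.get("remote-cert-tls") != ["server"]:
        findings.append(("warning", "missing 'remote-cert-tls server': a client certificate from the same CA could pose as the server"))
    if float(first("tls-version-min", "1.0")) < 1.2:
        findings.append(("warning", f"tls-version-min is {first('tls-version-min', 'unset (1.0)')}; require 1.2"))
    if "auth-nocache" not in present:
        findings.append(("info", "no 'auth-nocache': credentials stay in openvpn's memory for renegotiations"))
    if first("reneg-sec") == "0":
        findings.append(("info", "reneg-sec 0 disables periodic TLS renegotiation on this side"))
    return findings

# Constructed configs. WEAK stacks what the thread complains about: the server's old
# default cipher, the CBC-only NCP list, and persist directives pasted in twice.
WEAK = """\
client
dev tun
remote vpn.example.invalid 1194 udp
persist-key
persist-tun
cipher BF-CBC
ncp-ciphers AES-256-CBC:AES-128-CBC
# Custom options pasted from the guide
persist-key
persist-tun
reneg-sec 0
"""

# HARDENED mirrors the Custom options listed in the post above plus its cipher/NCP advice.
HARDENED = """\
client
dev tun
remote vpn.example.invalid 1194 udp
persist-key
persist-tun
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
# Advanced Configuration Settings from GUI
remote-cert-tls server
auth-nocache
tls-version-min 1.2
reneg-sec 0
pull-filter ignore "auth-token"
"""
```

reneg-sec 0 is reported at info level on purpose: it is what the post uses to stop the token-expiry reconnects, but it also means this side never asks for new session keys, so the other side's reneg-sec is the only thing rotating them.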
Title: Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
Post by: Dave R on January 07, 2018, 06:43:18 am
Quote from: Finger79
"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here.  They should be left out because all this does is list the directives twice in the config file.

It's worth noting (and this may have been stated already in the previous 20 pages of thread) that the tutorial in this thread also configures /etc/openvpn-password.txt for the VPN user and password. I've omitted this portion since there is a configuration field in the UI for both of these (I presume earlier versions of pfSense did not have this feature). Either method *does* seem to work but I prefer keeping config items in one place when possible. Not to mention the added potential problems with cleartext files and permissions.