Netgate SG-1000 microFirewall

Author Topic: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4  (Read 589 times)

0 Members and 1 Guest are viewing this topic.

Offline Snickerdoodoo

  • Newbie
  • *
  • Posts: 1
  • Karma: +2/-0
    • View Profile
How to configure PIA on pfSense 2.4


Link to tutorial on PIA forums: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1

(In the coming days I will format this to make it looks nice and neat)


1.) Download one of these three certificates (listed below) to your computer.


Least Secure:     https://www.privateinternetaccess.com/openvpn/ca.crt    < Use Port: 1194

Secure:  https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt  < Use Port: 1198

Most Secure:   https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt    < Use Port: 1197



2.) Open the .crt file with a text editor and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----




3.) Log in to your pfSense router and navigate to System > Cert. Manager > CAs and click +Add

4.) Name your cert according to the name of the cert your downloaded. (Example: Descriptive name PIA-4096)

5.) Paste the certificate text into the box at Certificate data and click Save.




6.) Navigate to VPN > OpenVPN > Clients and click +Add

-----

Choose a PIA server you want to use: https://www.privateinternetaccess.com/pages/network

-----

7.) Input the server address you chose from the link above at Server host or address.

8.) Enter the Port number based on the Certificate you selected:

          ca.crt = 1194   

          ca.rsa.2048.crt = 1198     

          ca.rsa.4096.crt = 1197     

9.) Description: choose a description that reflects the server region you chose.

10.) User Authentication Settings: Enter your PIA Username and Password

11.) TLS Configuration: Uncheck Use TLS Key

12.) Peer Certificate Authority: Select the PIA Certificate you created if it is not already selected.

13.) Encryption Algorithm: (Note: Setting this to a more secure setting utilizes more CPU processing power.)

          Secure:   AES-128-CBC
          Very Secure:   AES-256-CBC

14.) Ensure NCP is checked.
       Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
       Add AES-128-CBC and AES-256-CBC  by clicking on them in the left hand list.

15.) Auth Digest Algorithm:

          Least Secure: SHA1 (160-bit)
          Most Secure: SHA256 (256-bit)

Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.




16.) Compression: Omit Preference (Use OpenVPN default)

17.) Custom Options: Add these parameters:

          persist-key
          persist-tun
          remote-cert-tls server
          reneg-sec 0

18.) Click Save.




19.) Navigate to Firewall -> NAT -> Outbound
Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click Save.

Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.

Set Interface to "OpenVPN"

Repeat the last two steps for all remaining rules shown under Mappings, until every rule has a duplicate for OpenVPN.

Click Save and Apply settings.




20.) Use PIA DNS servers to prevent DNS Leak:

Navigate to System > General Setup and set DNS Servers to PIA's DNS: 209.222.18.222 and 209.222.18.218




21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:

Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)



22.) Navigate to Status -> OpenVPN

If Status doesn't show as "up", click the circular arrow icon under Actions to restart the service. If it still does not come up, navigate to Diagnostics -> Reboot to restart the device.





***** Congratulations! You are all done! Enjoy using Private Internet Access on your pfSense router! *****





To a safe & secure 2018!

~Snickerdoodoo

« Last Edit: January 05, 2018, 11:32:19 am by Snickerdoodoo »

Offline bcruze

  • Jr. Member
  • **
  • Posts: 64
  • Karma: +2/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #1 on: January 05, 2018, 11:46:32 am »
thank you very much!     i will compare shortly to my home setup

tibere86

  • Guest
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #2 on: January 05, 2018, 12:35:54 pm »
How to configure PIA on pfSense 2.4

15.) Hardware Crypto: If your CPU features AES-NI it is advised to select the BSD cryptodev engine.

21.) If your CPU features AES-NI and you did enable the BSD cryptodev engine, follow these steps:

Navigate to System > Advanced > Miscellaneous, scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)

FWIW, I have a HP Thin Client with an AMD GX-420CA and it has AES-NI. In my testing, in step #15 choosing nothing vs BSD cryptodev engine results in better throughput and reduced CPU usage. I use AES-256-CBC and SHA256. I have AES-NI only selected in the pfSense System > Advanced > Miscellaneous settings menu.

Offline guardian

  • Full Member
  • ***
  • Posts: 264
  • Karma: +8/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #3 on: January 05, 2018, 06:12:48 pm »
I thought I would add that I was having some problems with my connection disconnecting and not reconnecting.  The VPN client was on a sub-net connected to a wireless router, so my devices would connect and get an IP, but no internet.  Someone (can't remember who) in the forum gave me some changes to the custom options that came from PIA support.

I am using the following custom options:

Code: [Select]
# Change persist-tun/persist-key (Reconnect Error)
persist-key;
remote-cert-tls server;
reneg-sec 0;
# Added auth-nocache - Reconnect Error
auth-nocache;

with a 4096 bit CA and  UDP on port 1197. 

I commented the changes to remind me what I did, just in case there were problems.  Since I made these changes, my connection seems to be working just fine.  If the connection does drop, it comes right back up without any problem.   In use I haven't noticed any problems.

Sorry, but that's all I can remember - if you want more background, search the forum (circa Oct/Nov 2017 IIRC) for my post about the problem and you'll find more details there.

UPDATE: So far this configuration seems to be working fine.  When I connect to my WiFi, there has always been internet access.  @Flamez, I can't confirm what configurations these changes work for, but I believe that they should be fine with any of the access methods as long as the rest of your configuration is OK.
« Last Edit: January 20, 2018, 11:32:47 pm by guardian »

Offline Flamez

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #4 on: January 27, 2018, 06:49:52 pm »
I have added them and so far it working much better.  Thank you.

Offline fastc

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #5 on: February 01, 2018, 02:44:14 am »
Hi!
4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)

Offline bcruze

  • Jr. Member
  • **
  • Posts: 64
  • Karma: +2/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #6 on: February 01, 2018, 05:46:06 am »
Hi!
4096 bit CA is needed to use AES-256-CBC ? i can only connect with AES-128-CBC when using the 2048 certificate :)

that is correct.  i've followed the above tutorial and it works perfectly

with the right hardware 256 bit encryption you won't even know you are using a VPN>   and of course a fast reliable service

Offline fastc

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4
« Reply #7 on: February 01, 2018, 05:54:14 am »
with the right hardware 256 bit encryption you won't even know you are using a VPN>   and of course a fast reliable service

thanks!
yes true with 128bit aes currently i have 400mb speed on my 400mb connection :-)