OpenVPN Step-by-Step Setup for pfsense [firewall/router] (with video)
( NOTE: At this point all of the steps have been updated for the new configurations! Only the video and the picture are still out of date. )
NOTE: Updates to this guide will assume you are using pfSense 2.3.1-RELEASE-p5
OpenVPN Setup on pfSense [firewall/router]
=============================================
pfSense is an open source firewall/router computer software distribution based on FreeBSD. - Source wikipedia.org
Video...
...showing the following steps being done within pfSense webConfigurator
=============================================
- http://youtu.be/_lMl_fN3n28 ( ***out of date*** )
For pfSense aes256 Setup - click here
For Debian based Linux Distributions - click here
For Manjaro Linux Setup - click here
Instructions
Setting up OpenVPN on pfSense [firewall/router]
=============================================
Color Key
=============================================
Things highlighted in yellow are commands to be executed in the terminal
Things highlighted in blue are to be clicked
Things highlighted in green are to be typed
Things highlighted in violet are to be pressed on the keyboard
Things highlighted in grey are showing output
First start by downloading openvpn.zip from...
- https://www.privateinternetaccess.com/openvpn/openvpn.zip
- This supplies PIA's "ca.rsa.2048.crt" file once the openvpn.zip file is unzipped. It is the certificate authority the client uses to verify that the server it is talking to really is PIA's.
Log into pfSense webConfigurator
- https://pfsense-LAN-IP/index.php
- Ex. https://192.168.1.1/index.php
Prevent DNS leaks by setting PIA DNS only
pfSense Setup Wizard - Video - http://youtu.be/MYXpAnDdEaI
=====================
- Click "System"
- Click "Setup Wizard"
- Click "Next"
- Click "Next"
- For "Primary DNS Server:" type in "209.222.18.218"
- For "Secondary DNS Server:" type in "209.222.18.222"
- "Override DNS:" [unchecked] (leaving this unchecked stops the ISP's DHCP-supplied DNS servers from replacing the two PIA servers entered above)
- Click "Next"
- Click "Next"
- Scroll to the bottom and click "Next"
- Click "Next"
- "Admin Password AGAIN:" type in your pfSensePassword for the WebGUI
- Click "Next"
- Click "Reload" and wait
- Click the 2nd "here" where it says...
- "Click here to continue on to pfSense webConfigurator"
Once pfSense loads up the "Status / Dashboard" your DNS section should look as follows:
- DNS server(s) 209.222.18.218
209.222.18.222
"PIA-CA-aes128" Installation
=====================
- Click "System"
- Click "Cert. Manager"
- Click "CAs"
- Click "+ Add"
- "Descriptive name" type in "PIA-CA-aes128"
- "Method" select "Import an existing Certificate Authority"
- "Certificate data" - (paste in all the content from the ca.rsa.2048.crt file)
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- (the whole of ca.rsa.2048.crt, including the BEGIN and END lines; the certificate body is not reproduced here)
- "Certificate Private Key (optional)" = (leave blank)
- "Serial for next certificate" = (leave blank)
Now click "Save"
NOTE: The following password is not valid...
...so don't waste your time trying it.
Write your "p"-username and password into the /etc/openvpn-passwd.txt file
=====================
- Click "Diagnostics"
- Click "Command Prompt"
- Under "Execute Shell Command" click into the "Command" box and type the following, replacing the username p2099690 and password JkY6UgYHa5 with your own credentials:
echo "p2099690" > /etc/openvpn-passwd.txt; echo "JkY6UgYHa5" >> /etc/openvpn-passwd.txt; chmod 600 /etc/openvpn-passwd.txt
- The chmod at the end is there because the file holds your PIA password in clear text; mode 600 leaves it readable by root, which is what runs OpenVPN on pfSense, and by nobody else.
- Click "Execute"
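The echo command above leaves the password in a plain-text file, so its permissions are the whole of its protection. The following is an added example, not part of the guide: a small POSIX sh script that writes the file under a restrictive umask and then checks it the way you would want to before pointing auth-user-pass at it. It can be pasted into Diagnostics > Command Prompt or run anywhere with /bin/sh. The only assumptions are the target path and the username format (a "p" followed by digits, as the guide shows); the demo at the bottom writes to a temporary file, not to /etc/openvpn-passwd.txt.

```shell
#!/bin/sh
# Added example, not part of the guide: create the auth-user-pass file without the password
# ever being world-readable, then check it before pointing OpenVPN at it.

# write_openvpn_creds USERNAME PASSWORD FILE
write_openvpn_creds() {
    old_umask=$(umask)
    umask 077                          # anything we create is owner-only from the start
    : > "$3"                           # create (or truncate) the file first...
    chmod 600 "$3"                     # ...and fix the mode if the file already existed
    printf '%s\n%s\n' "$1" "$2" > "$3" # line 1: username, line 2: password, as OpenVPN expects
    umask "$old_umask"
}

# check_openvpn_creds FILE
# Returns 0 when the file is usable and private; prints the problem and returns 1 otherwise.
check_openvpn_creds() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$1 is $mode, expected -rw------- (chmod 600)"; return 1; }
    lines=$(wc -l < "$1" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "$1 has $lines lines, expected 2 (username, password)"; return 1; }
    case "$(sed -n 1p "$1")" in
        p[0-9]*) ;;                    # PIA usernames are "p" followed by digits (assumption taken from the guide)
        *) echo "line 1 of $1 does not look like a PIA username"; return 1 ;;
    esac
    echo "ok: $1"
}

# Stand-alone demo against a temporary file. On the firewall the target is
# /etc/openvpn-passwd.txt; the credentials below are the guide's invalid placeholders.
tmp=$(mktemp)
write_openvpn_creds p2099690 JkY6UgYHa5 "$tmp"
check_openvpn_creds "$tmp"
rm -f "$tmp"
```

On the firewall, call it as write_openvpn_creds pXXXXXXX 'yourpassword' /etc/openvpn-passwd.txt and follow it with check_openvpn_creds /etc/openvpn-passwd.txt; a "bad permissions" result after a restore or manual edit is the thing to look for.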
Create OpenVPN Client
=====================
- Click "VPN"
- Click "OpenVPN"
- Click the "Client" tab
- Click "+ Add"
Configure as follows...
- "Disabled" = [unchecked]
- "Server Mode" = "Peer To Peer (SSL/TLS)"
- "Protocol" = "UDP"
- "Device Mode" = "tun"
- "Interface" = "WAN"
- "Local Port" = (leave blank)
Choose a server for "Server host or address" from the PIA list here...
https://www.privateinternetaccess.com/pages/network/#
- "Server host or address" = "us-east.privateinternetaccess.com"
- "Server Port" = "1198"
- "Proxy host or address" = (leave blank)
- "Proxy port" = (leave blank)
- "Proxy authentication extra options" = none
- "Server host name resolution" = [check] "Infinitely resolve server"
- "Description" = "PIA OpenVPN aes128"
- "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."
- "Peer Certificate Authority" = "PIA-CA-aes128"
- "Client Certificate" = "webConfigurator default *In use" (PIA authenticates by username and password, not by client certificate; pfSense only requires that some certificate be selected here)
- "Encryption algorithm" = "AES-128-CBC (128-bit)"
- "Auth Digest Algorithm" = "SHA1 (160-bit)"
- "Hardware Crypto" = "No Hardware Crypto Acceleration"
- "IPv4 Tunnel Network" = (leave blank)
- "IPv6 Tunnel Network" = (leave blank)
- "IPv4 Remote Network/s" = (leave blank)
- "IPv6 Remote Network/s" = (leave blank)
- "Limit outgoing bandwidth" = (leave blank)
- "Compression" = choose "Enabled with Adaptive Compression" (this matches the comp-lzo line in PIA's own client config; compressing traffic before encrypting it is a known information leak in general, so enable it only because the server side expects it)
- "Type-of-Service" = [unchecked]
- "Disable IPv6" [check] "Don't forward IPv6 traffic."
- "Don't pull routes" = [unchecked]
- "Don't add/remove routes" = [unchecked]
- Under "Advanced Configuration" for "Custom options" type the following in the box:
auth-user-pass /etc/openvpn-passwd.txt;
verb 5;
remote-cert-tls server
- "auth-user-pass" points OpenVPN at the username/password file created above. "remote-cert-tls server" makes the client reject any peer whose certificate was not issued as a server certificate, so another client certificate signed by the same CA cannot pose as the server. Do not leave it out.
- "Verbosity level" = default
Now click "Save"
Create OpenVPN interface
=====================
- Click "Interfaces"
- Click "(assign)"
- "Available network ports:" select "ovpnc1(PIA OpenVPN aes128)"
- Click "+ Add"
Note: The new interface will be named "OPT1" with a network port of "ovpnc1(PIA OpenVPN aes128)"
- Click on "OPT1" to edit the interface
Configure as follows...
- "Enabled" = [check]
- "Description" = "OpenVPN_aes128_Interface"
- "IPv4 Configuration Type" = none
- "IPv6 Configuration Type" = none
- "MAC address" = (leave blank)
- "MTU" = (leave blank)
- "MSS" = (leave blank)
- "Block private networks" = [unchecked]
- "Block bogon networks" = [unchecked]
Now click "Save"
Now click "Apply changes"
NAT Settings
=====================
- Click "Firewall"
- Click "NAT"
- Click the "Outbound" tab
- For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...
- put a (dot) in the radio button
Now click "Save"
The next step is to duplicate each of these rules...
- but change the NAT Address from WAN to OpenVPN_aes128_Interface
- Start with the first "WAN" rule by clicking the copy icon ( looks like a square in front of another square ) immediately to the right of the line to "Add a new NAT based on this one"
A new page will open configure as follows...
- "Disabled" = (do not change) [unchecked]
- "Do not NAT" = (do not change) [unchecked]
- "Interface" = OpenVPN_aes128_Interface
- "Protocol" = (do not change)
- "Source" = (do not change)
- "Destination" = (do not change)
- "Translation" = (do not change)
- "No XMLRPC Sync" = (do not change)
- "Description" = Made for PIA_OpenVPN_aes128
Now click "Save"
IMPORTANT! Repeat this process for each of the other rules.
- When completed, it should resemble the following...
- http://i.imgur.com/zoVTbUr.png ( ***out of date*** )
Now click "Apply changes" at the top of the page
The changes have been applied successfully.
You can also monitor the filter reload progress.
Verify OpenVPN Service
=====================
At this point, your system is configured. Restart your OpenVPN service to be sure.
- "Status"
- "OpenVPN"
- "Status" should be "UP" (but it may be DOWN)
- Click the "Restart OpenVPN Service" button no matter what the status is.
- It's the button that looks like an arrow bent into a circle to the right of the service.
- "Status" should be "UP" now
Reboot the pfSense firewall now
=====================
- "Diagnostics"
- "Reboot"
- "Reboot"
- "OK"
Rebooting
Page will automatically reload in 90 seconds
Verify OpenVPN initialized correctly by checking System Logs
=====================
- "Status"
- "System Logs"
- Click the "OpenVPN" tab
- Scroll down and look for "Initialization Sequence Completed" similar to the following:
Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed
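Finding "Initialization Sequence Completed" somewhere in the log is not the same as being connected now: the client reconnects on its own, and a later AUTH_FAILED or certificate verification error is what actually matters. As an added example (not part of the guide), the following POSIX sh/awk script classifies a pfSense OpenVPN log by its most recent significant event, using OpenVPN's own message texts. The sample logs embedded in it are constructed for the demo in the log format shown above, with 198.51.100.7 standing in for the server address. VERIFY_FAILED is what you see when the imported CA does not match the server's chain, or when remote-cert-tls server rejects the peer; AUTH_FAILED points at the contents of /etc/openvpn-passwd.txt.

```shell
#!/bin/sh
# Added example, not part of the guide: classify a pfSense OpenVPN client log by its most
# recent significant event. An early "Initialization Sequence Completed" means nothing if
# the client later failed to reconnect, so the latest state wins.

# openvpn_log_status [FILE]      (reads standard input when no file is given)
# Prints one of: CONNECTED AUTH_FAILED VERIFY_FAILED TLS_TIMEOUT RESTARTING NOT_CONNECTED
openvpn_log_status() {
    awk '
        # a completed init clears any earlier failure
        /Initialization Sequence Completed/ { state = "CONNECTED"; reason = "" }
        # the client tearing a tunnel down (ping-restart, tls-error, ...)
        /process restarting|ping-restart/   { if (state == "CONNECTED") state = "RESTARTING" }
        # why the last attempt failed
        /AUTH_FAILED/                       { reason = "AUTH_FAILED" }    # wrong username/password file
        /VERIFY.*ERROR/                     { reason = "VERIFY_FAILED" }  # CA mismatch or remote-cert-tls rejection
        /TLS key negotiation failed/        { reason = "TLS_TIMEOUT" }    # no handshake at all: port, protocol, firewall
        END {
            if (state == "CONNECTED")  print "CONNECTED"
            else if (reason != "")     print reason
            else if (state != "")      print state
            else                       print "NOT_CONNECTED"
        }
    ' "$@"
}

# openvpn_is_up [FILE]  -> exit 0 only when the log ends in a working tunnel
openvpn_is_up() { [ "$(openvpn_log_status "$@")" = CONNECTED ]; }

# Constructed sample logs in the pfSense 2.3 format shown in the guide (198.51.100.7 is a
# stand-in for the PIA server address; the message texts are OpenVPN's own).
sample_log_ok() {
cat <<'EOF'
Jul 17 21:10:40 openvpn 3328 UDPv4 link remote: [AF_INET]198.51.100.7:1198
Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed
EOF
}

sample_log_authfail() {
cat <<'EOF'
Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed
Jul 17 22:40:02 openvpn 3328 Inactivity timeout (--ping-restart), restarting
Jul 17 22:40:02 openvpn 3328 SIGUSR1[soft,ping-restart] received, process restarting
Jul 17 22:40:08 openvpn 3328 UDPv4 link remote: [AF_INET]198.51.100.7:1198
Jul 17 22:40:09 openvpn 3328 AUTH: Received control message: AUTH_FAILED
Jul 17 22:40:09 openvpn 3328 SIGTERM[soft,auth-failure] received, process exiting
EOF
}

sample_log_verifyfail() {
cat <<'EOF'
Jul 17 21:14:10 openvpn 3501 UDPv4 link remote: [AF_INET]198.51.100.7:1198
Jul 17 21:14:11 openvpn 3501 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
Jul 17 21:14:11 openvpn 3501 TLS Error: TLS handshake failed
Jul 17 21:14:11 openvpn 3501 SIGUSR1[soft,tls-error] received, process restarting
EOF
}

# Stand-alone demo over the constructed logs
for s in sample_log_ok sample_log_authfail sample_log_verifyfail; do
    printf '%-22s %s\n' "$s:" "$($s | openvpn_log_status)"
done
# On the firewall itself (pfSense 2.3 keeps circular logs that clog reads back):
#   clog /var/log/openvpn.log | openvpn_log_status
```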
Test by opening your Internet browser and going to...
=====================
- https://www.privateinternetaccess.com/pages/whats-my-ip/
- https://ipleak.net
- http://dnsleak.com
- http://ipv6leak.com
Enjoy!
To donate, please scan the QR code to the left or send bitcoins to the following address:
17ioPjLoCLDsUKwNpGV9dGtnLmpM8ioyUn

Comments
I'd like to have selected IPs from my LAN using the PIA interface and others using the standard WAN interface. It would be really nice for the IPs using the PIA interface to NEVER fail over to the WAN interface and vice versa.
Can you provide additional instructions as to how this may be accomplished?
Follow the OP's instructions to the end. These instructions are to be done after all of the OP's instructions have been followed fully and you have made sure your VPN is 100% working. This only applies rules to tie a VPN connection to one or more static IP addresses on the LAN network, so you can have multiple VPN connections as well as a usable WAN (ISP address). This gives you the ability to run different VPN/WAN on different devices, or to change your VPN location or change back to the ISP IP on one machine just by changing the static IP address in the networking settings.
Hey, you can set up pfSense to use certain static IP addresses to connect to different VPN or WAN addresses. I have an OpenVPN set up locally and one for the USA to watch Netflix; I have each set up to be used on 10 IP slots, so to change VPN to the USA I just change the static IP on the host PC, and the same with the WAN: I can turn the VPN off by switching the static IP on the PC.
Create an Alias:
To do this, first head over to Firewall / Aliases. Under IP click Add new alias.
Then fill in the info like so
Name: Name it whatever, for example "PIASydneyIP" (can be named anything)
Description: Not needed.
Type: Host(s)
Host(s): Click Add entry and enter an IP you want to use as the static IP for the VPN. Click Add again to add another. Mine, I added 10 IP addresses, but you can add only one or however many you like. So mine is 192.168.1.130 - 192.168.1.139
Then if you want to have several OpenVPN connections, i.e. another to the USA like I have, repeat the original post to add a new OpenVPN on a different connection. Then repeat the above to set a new range of IP addresses; I have 192.168.1.150 - 192.168.1.159 for the USA VPN.
Create Pass-through Rule:
Now you need to make a rule so that the aliases you set above override the WAN rule. So go into Firewall / Rules / LAN.
Click Add New Rule and change these.
Protocol: ANY
Source: Type in your alias name; I made it "PIASydneyIP"
Description: Give it a name like "Sydney VPN Passthrew"
In advanced features, change this.
Gateway: Your OpenVPN gateway you want to use
Now save the rule. Repeat this if you want to set another VPN connection location for different IP addresses.
Set Up WAN Addresses:
Now you need to set a rule for WAN. You could set it to connect to certain IPs like the above rules, but I have it using all the rest of the available IP addresses left. To do that, this is how.
In Firewall / Rules / LAN
add a new rule.
Change these settings.
Protocol: any
Source: LAN Net (from drop down box)
Description: WAN Passthrew
Gateway: WAN (from drop down box)
Click save.
Change the order:
Now back in Firewall / Rules you will need to rearrange the order of the rules. It should be like this (the order of the OpenVPN rules does not matter as long as they are above WAN):
LocalVPN
USAVPN
WAN Passthrew
Any rules left over
As the rules at the top override the rules underneath, you want the VPN on top; then any IP addresses the VPN rules are not using, the WAN will use. On your desktop set the static IP like normal but change the IP to the connection you want to access.
Say I want just VPN: I put 192.168.1.131 and it will be on the local VPN
Say I want to watch Netflix from the USA on my TV: I change it to 192.168.1.151
Say I want to use the ISP IP on my tablet to play games: I set it to 192.168.1.110
Now you can have as many devices as you want connected to any of the networks all at the same time, and changing the VPN connection on the fly on any device is easy: just change your static IP.
Another advantage of this is that if the VPN drops out it will not revert back to your WAN connection, as it's on a separate IP; your internet will just fail to load pages, so you will know when the VPN drops out.
Set up website-based fallback to WAN from the VPN connection:
You can also set a rule to exclude websites from the VPN, so they bypass the VPN even when you're connected to it. I do this with Cloudflare, as I have been banned from sites using Cloudflare while I was on the VPN. So I have put a rule in so I don't have to change to WAN when I access them.
Here is how to set it up for Cloudflare, but you can add an alias like above for several sites if you like; you need to use the site's IP, not its address.
First off go to Aliases / URLs, as Cloudflare has a text file to add and there are too many addresses to add manually.
Click Add new alias.
Name: CloudFlareIP
Description: can be blank
Type: URL Table (IPs)
URL Table (IPs): https://www.cloudflare.com/ips-v4
Put in the number of days you want it to update; I am not sure if they update it or not, but I put 30.
You can make your own rule for single sites the same as you made the aliases for the OpenVPN.
Go to firewall / Rules / LAN
Add New Rule.
Change these
Protocols: any
Source: LAN
Destination: CloudFlareIP (or any other alias you set)
Description: ClourFlareBypass
Gateway: WAN
Now save, and back on the LAN page make sure this rule is at the very top, above the VPN rules.
To check whether the Cloudflare bypass works, go to iplocation.net as it uses Cloudflare. It should show your ISP address; then go to https://www.privateinternetaccess.com/pages/whats-my-ip/ and it should show your VPN IP.
Change the static IP and check the IP again to make sure it's all working.
Of course if you want only one VPN to not use the VPN for Cloudflare sites, then change the order. So say we want Cloudflare to bypass LocalVPN but USAVPN to be a closed VPN with no bypass; your order will need to be like this.
USAVPN
CloudFlareIP
LocalVPN
WAN
Hope that makes sense; I am not real good at explaining things lol
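The post above relies entirely on rule order, so here, as an added example that is not part of the post, is a first-match evaluator in POSIX sh for a rule table shaped like the one described: host aliases as sources, a Cloudflare destination alias, and a gateway per rule. The rule names, gateway names, the two Cloudflare prefixes (an excerpt of https://www.cloudflare.com/ips-v4, not the full list) and the destination 203.0.113.10 are constructed for the demo. It also models what pfSense does with a policy-routing rule whose gateway is down: with the default setting (System > Advanced > Miscellaneous, "Skip rules when gateway is down" unchecked) the rule is loaded without its gateway, so matching traffic follows the default route; with it checked, the rule is omitted and evaluation continues to the rules below it. In either case the catch-all WAN pass rule is still there, so traffic from the VPN hosts ends up on the WAN. A block rule for each VPN alias directly under its VPN rule, together with the skip option, is what actually stops it, and the second rule table shows that variant.

```shell
#!/bin/sh
# Added example, not pfSense code: a first-match evaluator for LAN policy-routing rules
# of the shape described in the comment above. Aliases, rule names, gateway names and
# the destination addresses used in the demo are constructed for illustration.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS   (a bare address counts as /32)
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# match_list IP "any"|"net net ..."
match_list() {
    [ "$2" = any ] && return 0
    for n in $2; do in_cidr "$1" "$n" && return 0; done
    return 1
}

# Constructed aliases. The commenter used host aliases for 192.168.1.130-139 and
# .150-.159; they are written as CIDR blocks here. The Cloudflare list is an excerpt
# of https://www.cloudflare.com/ips-v4, not the whole table.
LAN_NET='192.168.1.0/24'
SYDNEY_HOSTS='192.168.1.130/31 192.168.1.132/30 192.168.1.136/30'
USA_HOSTS='192.168.1.150/31 192.168.1.152/30 192.168.1.156/30'
CLOUDFLARE='173.245.48.0/20 103.21.244.0/22'

# Rule tables: description|source|destination|gateway, top to bottom as in the LAN tab.
# "WAN" is also the default gateway; "block" is a block rule.
RULES_AS_POSTED="CloudFlareBypass|$LAN_NET|$CLOUDFLARE|WAN
SydneyVPN|$SYDNEY_HOSTS|any|PIA_SYDNEY_GW
USAVPN|$USA_HOSTS|any|PIA_USA_GW
WANPassthrough|$LAN_NET|any|WAN"

# Same table with a block rule directly under each VPN rule (the kill-switch variant).
RULES_KILLSWITCH="CloudFlareBypass|$LAN_NET|$CLOUDFLARE|WAN
SydneyVPN|$SYDNEY_HOSTS|any|PIA_SYDNEY_GW
SydneyBlock|$SYDNEY_HOSTS|any|block
USAVPN|$USA_HOSTS|any|PIA_USA_GW
USABlock|$USA_HOSTS|any|block
WANPassthrough|$LAN_NET|any|WAN"

# route_for RULES SRC DST [DOWN_GATEWAY]
# Prints the gateway (or "block") chosen by the first matching rule. A rule whose gateway
# is the one named as down is handled the way pfSense handles it:
#   SKIP_RULES_WHEN_GW_DOWN=0 (default) -> rule still matches, but with no gateway,
#                                          so the traffic takes the default route (WAN)
#   SKIP_RULES_WHEN_GW_DOWN=1           -> rule is left out; keep walking the table
route_for() {
    result=$(printf '%s\n' "$1" | while IFS='|' read -r name srcs dsts gw; do
        match_list "$2" "$srcs" && match_list "$3" "$dsts" || continue
        if [ -n "$4" ] && [ "$gw" = "$4" ]; then
            [ "${SKIP_RULES_WHEN_GW_DOWN:-0}" = 1 ] && continue
            gw=WAN
        fi
        echo "$gw"
        break
    done)
    echo "${result:-block}"     # nothing matched: pfSense's implicit default deny
}

# Stand-alone demo: three hosts, everything up, then with the Sydney gateway down.
for src in 192.168.1.131 192.168.1.151 192.168.1.110; do
    printf '%-14s all up: %-14s sydney down, as posted: %-4s kill-switch+skip: %s\n' "$src" \
        "$(route_for "$RULES_AS_POSTED" "$src" 203.0.113.10)" \
        "$(route_for "$RULES_AS_POSTED" "$src" 203.0.113.10 PIA_SYDNEY_GW)" \
        "$(SKIP_RULES_WHEN_GW_DOWN=1; route_for "$RULES_KILLSWITCH" "$src" 203.0.113.10 PIA_SYDNEY_GW)"
done
```

The demo's middle column is the point: with the Sydney gateway down, 192.168.1.131 is routed via WAN under the rules as posted, whichever way the skip option is set, because the LAN-net pass rule at the bottom still matches. Only the block-rule variant with the skip option enabled turns that into a block.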
like to get a germany.privateinternetaccess.com server at one point.
At what point do I replace the WAN with the "new local LAN IP" like 192.168.1.130 port, when I set up a new OpenVPN?
Do I have to do the "entire" setup again? Or can I use old parts like the PIA-CA installation or the password setup?
Thanks
- On the dashboard, the Interfaces widget for PIAINTERFACE is not showing an IP address.
Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
- When trying to load pages the connection times out.
I am confused as I am a total n00b with pfSense. Help...
Hey,
Sorry I have not been on here for a bit. Follow the OP instructions fully, then you will be able to put in the part I wrote.
I am not too sure what exactly you mean, sorry. If you just want the VPN on only one device (static IP on your LAN network) then you need to create a new rule for the VPN connection on that IP, but in the gateway you need to select the VPN connection.
I am sorry, I do not have pfSense set up ATM as the ISP put me onto a new connection and I am trying to work out how to get the modem into bridge mode, and the connection loses speed once connected to pfSense, so I have reset everything and have not used it for a few weeks.
But I can redo mine to take some screenshots if you like. PM me if you want me to run through it all with you. I am not the best at explaining things, sorry lol
I hope it makes more sense now.
Having some issues though trying to get inbound port forwarding working through the VPN.
Outgoing connections all work, but the firewall is not forwarding the traffic properly to the internal seed box IP. I have tried to follow some basic guides for pfSense port forwarding, but the addition of the PIAINTERFACE seems to make it just that... a PIA in terms of having basic guides apply to this configuration.
I have the seed box running on the .250 IP address, with an alias set up for the last 5 IPs on that subnet to route through the VPN instead of the normal WAN connection, as your detailed post shows.
with Vuze...
1 bind addresses
192.168.1.250
Testing HTTP outbound
Test successful
Testing TCP outbound
Test successful
Testing UDP outbound
Test successful
Testing TCP port 53 inbound
Test failed: NAT test failed: Error: Unexpected end of file from server
Check your port forwarding for TCP 53
Testing UDP port 53 inbound
Sending outbound packet and waiting for reply probe (timeout=5000)
Sending outbound packet and waiting for reply probe (timeout=10000)
Sending outbound packet and waiting for reply probe (timeout=15000)
Test failed: Inbound test failed
Check your port forwarding for UDP 53
Any assistance would be much appreciated.
Not sure if there is a way to find the ports PIA randomly set; I seem to get max speeds even though the port forward test fails. You may find it hard on torrents with low seeders, I guess, as you may not be able to connect to all of them. Also I use the proxy in the torrent client; I've been meaning to turn it off to see what happens but keep forgetting lol.
So far I have conflicting information from the PIA support staff.
First agent says: "
If you're connecting to the internet via a router, please ensure the following is configured in your router, to allow the VPN service to operate unimpeded:
- VPN passthrough is enabled for all protocols (If you are using our VPN software, skip this step).
- The following ports are allowed and unrestricted: UDP 1194, 8080, 9201, 53 and TCP 110, 443, 80
- QoS is not enabled
- Port forwarding is not enabled"
This T2 agent seems to know a bit more about it, but still this added information confuses the configuration even more. He says:
"In your pfSense router, you can manually assign an IP. If you wish to connect to CA Toronto instead of using the hostname you could use 172.98.67.133. With this configuration in your logs you should see the internal IP given (the 10. IP) and you would know the IP given by the VPN, 172.98.67.133. With that you may have more success with port forwarding on the router."
Like I said earlier, this confuses things even a bit more; the first reply also suggests, as you have, that it cannot be done as soon as port forwarding is enabled on the router, and this is what you need to do to make the VPN client work in the configuration posted here, no?
The second guy may be onto something with forwarding ports to a static IP instead of having the IP change every time you connect; you can just choose one IP out of that area. This may give you worse performance, as I am not sure how the connection works and whether it puts you on the server with the least resources used or not.
pfSense is not easy to port forward; I never really have much luck when I try. The whole port forwarding over OpenVPN is way too confusing and I cannot find much online to explain it.
You are probably better off going over to the pfSense forum and asking over there, as they are the gurus. All the stuff I do is just mirrored off stuff I have seen over there, modified to suit my needs.
https://www.privateinternetaccess.com/forum/discussion/21128/how-to-port-forward-with-pfsense-advanced-users
I hope to be able to try this out sometime!
NOTE: Updates to this guide will assume you are using pfSense 2.3.1-RELEASE-p5
https://www.privateinternetaccess.com/forum/discussion/18111
---
A guide of the same type for aes256 is here - https://www.privateinternetaccess.com/forum/discussion/21875/
Enjoy!
I'm trying to access my ISP; the guide above was unable to resolve my problem.
I have PIA working very well thanks to you, but I'm unable to route out to
my ISP for Netflix, payments etc. Any help please!
Could anyone tell me where I went wrong?