OpenVPN Step-by-Step Setup for pfsense [firewall/router] (with video)

edited August 2016 in VPN Setup Support Posts: 73

( NOTE: At this point all of the steps have been updated for the new configurations!  Only the video and the picture are still out of date. )

NOTE: Updates to this guide will assume you are using pfSense 2.3.1-RELEASE-p5

OpenVPN Setup on pfSense [firewall/router]
=============================================

pfSense is an open source firewall/router computer software distribution based on FreeBSD. - Source wikipedia.org


Video...
...showing the following steps being done within pfSense webConfigurator
=============================================
    - http://youtu.be/_lMl_fN3n28 ( ***out of date*** )

For pfSense aes256 Setup - click here
For Debian based Linux Distributions - click here
For Manjaro Linux Setup - click here


Instructions
Setting up OpenVPN on pfSense [firewall/router]
=============================================

Color Key
=============================================
Things highlighted in yellow are commands to be executed in the terminal
Things highlighted in blue are to be clicked
Things highlighted in green are to be typed
Things highlighted in violet are to be pressed on the keyboard
Things highlighted in grey are showing output


First start by downloading openvpn.zip from...
    - https://www.privateinternetaccess.com/openvpn/openvpn.zip
    - This supplies PIA's "ca.rsa.2048.crt" file after unzipping the openvpn.zip file.

Log into pfSense webConfigurator
    - https://pfsense-LAN-IP/index.php
    - Ex. https://192.168.1.1/index.php


Prevent DNS leaks by setting PIA DNS only
pfSense Setup Wizard - Video - http://youtu.be/MYXpAnDdEaI
=====================
    - Click "System"
    - Click "Setup Wizard"
    - Click "Next"
    - Click "Next"
    - For "Primary DNS Server:" type in "209.222.18.218"
    - For "Secondary DNS Server:" type in "209.222.18.222"
    - "Override DNS:" [unchecked]
    - Click "Next"
    - Click "Next"
    - Scroll to the bottom and click "Next"
    - Click "Next"
    - "Admin Password AGAIN:" type in your pfSensePassword for the WebGUI
    - Click "Next"
    - Click "Reload" and wait
    - Click the 2nd "here" where it says...
        - "Click here to continue on to pfSense webConfigurator"

Once pfSense loads up the "Status / Dashboard" your DNS section should look as follows:
    - DNS server(s)    209.222.18.218
                              209.222.18.222



"PIA-CA-aes128" Installation
=====================
    - Click "System"
    - Click "Cert. Manager"
    - Click "CAs"
    - Click "+ Add"
    - "Descriptive name" type in "PIA-CA-aes128"
    - "Method" select  "Import an existing Certificate Authority"
    - "Certificate data" - (paste in all the content from the ca.rsa.2048.crt file)


    - "Certificate Private Key (optional)" = (leave blank)
    - "Serial for next certificate" = (leave blank)
Now click "Save"


NOTE: The following password is not valid...
...so don't waste your time trying it.  ;)

Write your "p"-username and password into the /etc/openvpn-passwd.txt file
=====================
    - Click "Diagnostics"
    - Click "Command Prompt"
    - Under "Execute Shell Command" click into the "Command" box and type the following into that box, removing the username p2099690 and password JkY6UgYHa5 and replacing them with your credentials:
         echo "p2099690" > /etc/openvpn-passwd.txt; echo "JkY6UgYHa5" >> /etc/openvpn-passwd.txt
    - Click "Execute"

   
Create OpenVPN Client
=====================
    - Click "VPN"
    - Click "OpenVPN"
    - Click the "Client" tab
    - Click "+ Add"

Configure as follows...
    - "Disabled" = [unchecked]
    - "Server Mode" = "Peer To Peer (SSL/TLS)"
    - "Protocol" = "UDP"
    - "Device Mode" = "tun"
    - "Interface" = "WAN"
    - "Local Port" = (leave blank)

Choose a server for "Server host or address" from the PIA list here...
    https://www.privateinternetaccess.com/pages/network/#

    - "Server host or address" = "us-east.privateinternetaccess.com"
    - "Server Port" = "1198"
    - "Proxy host or address" = (leave blank)
    - "Proxy port" = (leave blank)
    - "Proxy authentication extra options" = none
    - "Server host name resolution" = [check] "Infinitely resolve server"
    - "Description" = "PIA OpenVPN aes128"
    - "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."
    - "Peer Certificate Authority" = "PIA-CA-aes128"
    - "Client Certificate" = "webConfigurator default *In use"
    - "Encryption algorithm" = "AES-128-CBC (128-bit)"
    - "Auth Digest Algorithm" = "SHA1 (160-bit)"
    - "Hardware Crypto" = "No Hardware Crypto Acceleration"
    - "IPv4 Tunnel Network" = (leave blank)
    - "IPv6 Tunnel Network" = (leave blank)
    - "IPv4 Remote Network/s" = (leave blank)
    - "IPv6 Remote Network/s" = (leave blank)
    - "Limit outgoing bandwidth" = (leave blank)
    - "Compression" = choose "Enabled with Adaptive Compression"
    - "Type-of-Service" = [unchecked]
    - "Disable IPv6" [check] "Don't forward IPv6 traffic."
    - "Don't pull routes" = [unchecked]
    - "Don't add/remove routes" = [unchecked]
    - Under "Advanced Configuration" for "Custom options" type the following in the box:

auth-user-pass /etc/openvpn-passwd.txt;
verb 5;
remote-cert-tls server

    - "Verbosity level" = default
Now click "Save"


Create OpenVPN interface
=====================
    - Click "Interfaces"
    - Click "(assign)"
    - "Available network ports:" select "ovpnc1(PIA OpenVPN aes128)"
    - Click "+ Add"
   
Note: The new interface will be named "OPT1" with a network port of "ovpnc1(PIA OpenVPN aes128)"
   
    - Click on "OPT1" to edit the interface

Configure as follows...
    - "Enabled" = [check]
    - "Description" = "OpenVPN_aes128_Interface"
    - "IPv4 Configuration Type" = none
    - "IPv6 Configuration Type" = none
    - "MAC address" = (leave blank)
    - "MTU" = (leave blank)
    - "MSS" = (leave blank)
    - "Block private networks" = [unchecked]
    - "Block bogon networks" = [unchecked]
Now click "Save"
Now click "Apply changes"


NAT Settings
=====================
    - Click "Firewall"
    - Click "NAT"
    - Click the "Outbound" tab
    - For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...
        - put a (dot) in the radio button
Now click "Save"


The next step is to duplicate each of these rules...
    - but change the NAT Address from WAN to OpenVPN_aes128_Interface
    - Start with the first "WAN" rule by clicking the copy icon ( looks like a square in front of another square ) immediately to the right of the line to "Add a new NAT based on this one"

A new page will open; configure as follows...
    - "Disabled" = (do not change) [unchecked]
    - "Do not NAT" = (do not change) [unchecked]
    - "Interface" = OpenVPN_aes128_Interface
    - "Protocol" = (do not change)
    - "Source" = (do not change)
    - "Destination" = (do not change)
    - "Translation" = (do not change)
    - "No XMLRPC Sync" = (do not change)
    - "Description" = Made for PIA_OpenVPN_aes128
Now click "Save"

IMPORTANT!  Repeat this process for each of the other rules. 
    - When completed, it should resemble the following...
    - http://i.imgur.com/zoVTbUr.png ( ***out of date*** )
Now click "Apply changes" at the top of the page

    The changes have been applied successfully.
    You can also monitor the filter reload progress.


Verify OpenVPN Service
=====================
At this point, your system is configured. Restart your OpenVPN service to be sure.
    - "Status"
    - "OpenVPN"
    - "Status" should be "UP" (but it may be DOWN)
        - Click the "Restart OpenVPN Service" button no matter what the status is.
        - It's the button that looks like an arrow bent into a circle to the right of the service.
    - "Status" should be "UP" now


Reboot the pfSense firewall now
=====================
    - "Diagnostics"
    - "Reboot"
    - "Reboot"
    - "OK"

Rebooting
Page will automatically reload in 90 seconds

   
Verify OpenVPN initialized correctly by checking System Logs
=====================
    - "Status"
    - "System Logs"
    - Click the "OpenVPN" tab
    - Scroll down and look for "Initialization Sequence Completed" similar to the following:

Jul 17 21:10:43     openvpn     3328     Initialization Sequence Completed

       
Test by opening your Internet browser and going to...
=====================
    - https://www.privateinternetaccess.com/pages/whats-my-ip/
    - https://ipleak.net
    - http://dnsleak.com
    - http://ipv6leak.com

Enjoy!


To donate, please scan the QR code to the left or send bitcoins to the following address:
17ioPjLoCLDsUKwNpGV9dGtnLmpM8ioyUn

Post edited by WinstonSmith on
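Added example (not from the original post, PIA or pfSense): a small POSIX shell script that writes the same two-line credential file the guide creates with echo, but with owner-only permissions (a file created from the command prompt with the default umask is readable by every local user), and then checks a text copy of the OpenVPN log for the "Initialization Sequence Completed" line the guide has you look for. Assumptions: it runs as root in a pfSense shell, the log path you pass it is a plain-text copy of the OpenVPN log, and the sample log lines and placeholder username/password are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Assumed: run as root on the pfSense box (Diagnostics > Command Prompt or an
# SSH shell). The guide's echo command leaves /etc/openvpn-passwd.txt with the
# shell's default mode (usually 0644, world-readable); this forces mode 0600.

# write_openvpn_creds FILE USERNAME PASSWORD
# Writes the auth-user-pass file: username on line 1, password on line 2.
write_openvpn_creds() {
    f=$1; user=$2; pass=$3
    # Start fresh so a pre-existing world-readable copy does not keep its mode.
    rm -f -- "$f"
    # umask in a subshell so the restrictive mask does not leak into the caller.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$f" )
    chmod 600 "$f"
}

# creds_mode FILE -> prints the permission string, e.g. -rw-------
creds_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# openvpn_initialized LOGFILE -> exit status 0 if the client completed its
# handshake, i.e. the log contains the "Initialization Sequence Completed"
# line the guide tells you to look for under Status > System Logs > OpenVPN.
openvpn_initialized() {
    grep -q -- 'Initialization Sequence Completed' "$1"
}

# Constructed sample log, modelled on the line shown in the guide
# (203.0.113.10 is a documentation address, not a real PIA server).
SAMPLE_OPENVPN_LOG='Jul 17 21:10:41 openvpn 3328 TLS: Initial packet from [AF_INET]203.0.113.10:1198
Jul 17 21:10:42 openvpn 3328 VERIFY OK: depth=1
Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed'

# Demo against temporary files. On the firewall, point write_openvpn_creds at
# /etc/openvpn-passwd.txt and openvpn_initialized at a text copy of the log.
demo() {
    creds=$(mktemp); log=$(mktemp)
    write_openvpn_creds "$creds" "pXXXXXXX" "REPLACE-WITH-YOUR-PIA-PASSWORD"
    echo "credential file mode: $(creds_mode "$creds")"
    printf '%s\n' "$SAMPLE_OPENVPN_LOG" > "$log"
    if openvpn_initialized "$log"; then
        echo "OpenVPN client: initialization completed"
    else
        echo "OpenVPN client: not initialized, check the log"
    fi
    rm -f -- "$creds" "$log"
}
demo
```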

Comments

  • Posts: 1
    Wow.   Love the instructions.
    I'd like to have selected IP's from my LAN using  the PIA Interface and others using the standard WAN interface.    It would be really nice for the IP's using the PIA Interface to NEVER fail over to the WAN interface and vice versa.

    Can you provide additional instructions as to how this may be accomplished?
  • edited February 2016 Posts: 7
    ThePOO said:
    Wow.   Love the instructions.
    I'd like to have selected IP's from my LAN using  the PIA Interface and others using the standard WAN interface.    It would be really nice for the IP's using the PIA Interface to NEVER fail over to the WAN interface and vice versa.

    Can you provide additional instructions as to how this may be accomplished?

    Follow the OP instructions to the end. These instructions are to be done after all the OP's instructions have been followed fully and you have made sure your VPN is 100% working. This is only to apply rules to have the VPN connection set to 1 or more static IP addresses on the LAN network, so you can have multiple VPN connections as well as a usable WAN (ISP address). This gives you the ability to run different VPN/WAN on different devices, or so you can change your VPN location or change back to the ISP IP on one machine by just changing the static IP address in the networking settings.


    Hey, you can set up pfSense to use certain static IP addresses to connect to different VPN or WAN addresses. I have an OpenVPN set up locally and one for the USA to watch Netflix. I have each set up to be used on 10 IP slots, so to change VPN to USA I just change the static IP on the host PC, and the same with the WAN: I can turn VPN off by switching the static IP on the PC.

    Create a Alias:
     
    To do this first head over to firewall / Aliases. Under IP click the add new alias

    Then fill in the info like so

    Name: Name it whatever, for example "PIASydneyIP" (can be named anything)
    Description: Not needed.
    Type: Host(s)
    Host(s): Click add entry and enter an IP you want to use as the static IP for the VPN. Click add again to add another. I added 10 IP addresses but you can add only one or however many you like. So mine is 192.168.1.130 - 192.168.1.139


    Then if you want to have several OpenVPN connections, i.e. another to the USA like I have, repeat the original post to add a new OpenVPN on a different connection. Then repeat the above to set a new range of IP addresses. I have 192.168.1.150 - 192.168.1.159 for the USA VPN.

    Create Pass-through Rule:

    Now you need to make a rule so that the aliases you set above overrule the WAN rule. So go into Firewall / Rules / LAN.

    Click Add New Rule and change these.

    Protocol: ANY
    Source: Type in your alias name. I made it "PIASydneyIP"
    Description: Give it a name like "Sydney VPN Passthrew"
    In advanced features change this.
    Gateway: Your OpenVPN gateway you want to use


    Now save the rule. Repeat this if you want to set another VPN connection location for different IP addresses.

    Set Up WAN Addresses:

    Now you need to set a rule for WAN. You could set it to connect to certain IPs like the above rules, but I have it using all the rest of the available IP addresses. To do that, this is how.

    In Firewall / Rules / LAN

    add new rule.

    change this settings.

    Protocol: any
    Source: LAN Net (from drop down box)
    Description: WAN Passthrew
    Gateway: WAN (from drop down box)

    Click save.


    Change the order:

    Now back in Firewall / Rules you will need to rearrange the order of the rules. It should be like this (the order of the OpenVPN rules does not matter as long as they are above WAN)

    LocalVPN
    USAVPN
    WAN Passthrew
    Any rules left over


    As the rules at the top override the rules underneath, you want the VPN on top; then any IP addresses the VPN rules are not using will use the WAN. On your desktop set the static IP like normal but change the IP to the connection you want to access.

    Say I want just VPN I put 192.168.131 and it will be on local VPN
    Say I want to watch netflix from USA on my TV I change it to 192.168.1.151
    Say I want to use ISP IP on my tablet to play games I set it to 192.168.1.110

    Now you can have as many devices as you want connected to any of the networks all at the same time, and changing the VPN connection on the fly on any device is easy: just change your static IP.

    Another advantage of this: if the VPN drops out it will not revert back to your WAN connection, as it's on a separate IP; your internet will just fail to load pages, so you will know when the VPN drops out.

    Set up website based fall back to WAN from VPN connection:

    You can also set a rule to exclude websites from using the VPN, so they will bypass the VPN even when you're connected to it. I do this with Cloudflare as I have been banned from sites using Cloudflare while I was on VPN. So I have put a rule in so I don't have to change to WAN when I access them.

    Here is how to set it up for Cloudflare, but you can add an alias like above for several sites if you like; you need to use the site's IP, not its address.

    First off go to Aliases / URLs, as Cloudflare has a text file to add and there are too many addresses to add manually.

    click add new aliases.

    Name: CloudFlareIP
    Description: can be blank
    Type: URL Table (IPs)
    URL Table (IPs): https://www.cloudflare.com/ips-v4
    put in the amount of days you want it to update, I am not sure if they do update it or not but I put 30.


    You can make your own rule for single sites the same as you made the aliases for the openVPN

    Go to firewall / Rules / LAN

    Add New Rule.

    Change these

    Protocols: any
    Source: LAN
    Destination: CloudFlareIP (or any other alias you set)
    Description: ClourFlareBypass
    Gateway: WAN


    Now save and back on the LAN page make sure this rule is at the very top above the VPN rules

    To check whether the CloudFlare bypass works go to iplocation.net as it uses cloudflare. It should show your ISP address then go to https://www.privateinternetaccess.com/pages/whats-my-ip/ and it should show your VPN IP.

    Change static IP and  check IP again to make sure its all working.

    Of course if you want only 1 VPN to not use the VPN for cloudflare sites then change the order. So say we want cloudflare to bypass LocalVPN but the USAVPN to be a closed VPN with no bypass your order will need to be like this.

    USAVPN
    CloudFlareIP
    LocalVPN
    WAN


    hope that makes sense I am not real good at explaining things lol
    Post edited by UnCoNoob on
  • Hello UnCoNoop
    I'd like to get a germany.privateinternetaccess.com server at one point.
    At what point do I replace the WAN with the "new local LAN ip" like 192.168.1.130 port, when I set up a new OpenVPN?
    Do I have to do the "entire" setup again? Or can I use old parts like the PIA-CA installation or the password setup?

    Thanks



  • Okay, so I followed this tutorial line by line. There are a couple of things that do not work.
    - On the dashboard, the Interfaces widget for the PIAINTERFACE is not showing an IP address.
    Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
    - When trying to load pages the connection times out.
    I am confused as I am a total N00B with pfSense. Help...
  • Posts: 8
    Will it help kkkkk
    p3905365 said:
    Okay, so I followed this tutorial line by line. There are a couple of things that do not work.
    - On the dashboard, the Interfaces widget for the PIAINTERFACE is not showing an IP address.
    Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
    - When trying to load pages the connection times out.
    I am confused as I am a total N00B with pfSense. Help...

  • Posts: 8
    hello said:
    Will it help kkkkk||calc||calc
    p3905365 said:
    Okay, so I followed this tutorial line by line. There are a couple of things that do not work.
    - On the dashboard, the Interfaces widget for the PIAINTERFACE is not showing an IP address.
    Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
    - When trying to load pages the connection times out.
    I am confused as I am a total N00B with pfSense. Help...


  • Posts: 8
    hello said:
    hello said:
    Will it help kkkkk"||calc||"
    p3905365 said:
    Okay, so I followed this tutorial line by line. There are a couple of things that do not work.
    - On the dashboard, the Interfaces widget for the PIAINTERFACE is not showing an IP address.
    Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
    - When trying to load pages the connection times out.
    I am confused as I am a total N00B with pfSense. Help...




  • cansat said:
    Hello UnCoNoop
    I'd like to get a germany.privateinternetaccess.com server at one point.
    At what point do I replace the WAN with the "new local LAN ip" like 192.168.1.130 port, when I set up a new OpenVPN?
    Do I have to do the "entire" setup again? Or can I use old parts like the PIA-CA installation or the password setup?

    Thanks



    Hey,

    Sorry I have not been on here for a bit. Follow the OP instructions fully, then you will be able to put in the part I wrote.

    I am not too sure what exactly you mean, sorry. If you just want the VPN on only one device (static IP on your LAN network) then you need to create a new rule for the VPN connection on that IP, but in the gateway you need to select the VPN connection.

    I am sorry, I do not have pfSense set up ATM as my ISP put me onto a new connection and I am trying to work out how to get the modem into bridge mode, and the connection loses speed once connected to pfSense, so I have reset everything and have not used it for a few weeks.

    But I can redo mine to take some screenshots if you like. PM me if you want me to run through it all with you. I am not the best at explaining things, sorry lol
  • p3905365 said:
    Okay, so I followed this tutorial line by line. There are a couple of things that do not work.
    - On the dashboard, the Interfaces widget for the PIAINTERFACE is not showing an IP address.
    Now the log file is showing that openvpn[31092]: Initialization Sequence Completed has worked.
    - When trying to load pages the connection times out.
    I am confused as I am a total N00B with pfSense. Help...
    Have you put in the correct username and password? Try to reset the openVPN connection (forget where it is have not got pfsense hooked up ATM) or just restart your pfsense. It should show you the IP in there, Does it show anything or just blank? I will hook up my pfsense box later tonight or tomorrow that way I can tell you where to look for stuff lol
  • I have updated my instructions above with pictures, As I had to redo my Pfsense box.

    I hope it makes more sense now.
  • edited February 2016 Posts: 7
    Thanks for the awesome write up. Followed it and it works great.
    Having some issues though trying to get Inbound port forwarding working through the VPN.

    Outgoing connections all work but the firewall is not forwarding the traffic properly to the internal seed box IP. Have tried to follow some basic guides for pfsense port forwarding but the addition of the PIAINTERFACE seems to make it just that.. a PIA in terms of having basic guides apply to this configuration.
    I have the seed box running on .250 IP address, with an alias set up for the last 5 IP's on that sub net to route through the VPN instead of the normal WAN connection as your detailed post shows.

    with Vuze...
    1 bind addresses
        192.168.1.250
    Testing HTTP outbound
        Test successful
    Testing TCP outbound
        Test successful
    Testing UDP outbound
        Test successful
    Testing TCP port 53 inbound
        Test failed: NAT test failed: Error: Unexpected end of file from server
        Check your port forwarding for TCP 53
    Testing UDP port 53 inbound
        Sending outbound packet and waiting for reply probe (timeout=5000)
        Sending outbound packet and waiting for reply probe (timeout=10000)
        Sending outbound packet and waiting for reply probe (timeout=15000)
        Test failed: Inbound test failed
        Check your port forwarding for UDP 53

    Any assistance would be much appreciated.


    Post edited by Foonus1 on
  • Posts: 7
    As far as I know you cannot port forward on a VPN as they need to forward the ports on the VPN server not your PFsense box. I think PIA can allocate a random port they open on the desktop app but that does not work with openVPN in the router.

    Not sure if there is a way to find the ports PIA randomly set. I seem to get max speeds even though the port forward test fails. You may find it hard on torrents with low seeders, I guess, as you may not be able to connect to all of them. Also I use the proxy in the torrent client; I've been meaning to turn it off to see what happens but keep forgetting lol.


  • Posts: 7
    UnCoNoob said:
    "As far as I know you cannot port forward on a VPN as they need to forward the ports on the VPN server not your PFsense box. I think PIA can allocate a random port they open on the desktop app but that does not work with openVPN in the router.

    Not sure if there is a way to find the ports PIA randomly set, I seem to get max speeds even though the port forward test fails...."

    This is the experience I have been having trying to run torrents through it. I actually have seen almost 160Mbit on download, however very few (less than 1/3) of the uploads that connect when I run the Windows client can connect through pfSense.. and this is supposed to be a SEEDBOX.

    So far i have conflicting information from the PIA support staff,

    First agent says "

    If you're connecting to the internet via a router, please ensure the following is configured in your router, to allow the VPN service to operate unimpeded:

    - VPN passthrough is enabled for all protocols (If you are using our VPN software, skip this step).
    - The following ports are allowed and unrestricted: UDP 1194, 8080, 9201, 53 and TCP 110, 443, 80
    - QoS is not enabled
    - Port forwarding is not enabled"


    This T2 agent seems to know a bit more about it but still this added information confuses the configuration even more. He says:

    "In your pfsense router,you can manually assign an IP. If you wish to connect top CA Toronto instead of using the hostname you could use 172.98.67.133. With this configuration in your logs you should see the internal IP given (the 10. IP) and you would know the IP given by the vpn 172.98.67.133. With that you may have more success with port forwarding on the router."

    Like I said earlier, this confuses things even a bit more. The first reply also suggests, as you have, that it cannot be done as soon as port forwarding is enabled on the router, and this is what you need to do to make the VPN client work in the configuration posted here, no?
  • Posts: 7
    Yeah, seems a bit confusing lol. I think he may mean auto port forwarding like UPnP needs to be disabled, which it is by default on pfSense.

    The second guy may be onto something with forwarding ports to a static IP instead of having the IP changing every time you connect; you can just choose one IP out of that area. This may give you worse performance, as I am not sure how the connection works and if it puts you on a server with the least resources used or not.

    pfSense is not easy to port forward; I never really have much luck when I try. The whole port forwarding over OpenVPN is way too confusing and I cannot find much online to explain it.

    You are probably better off going over to the pfSense forum and asking over there, as they are the gurus. All the stuff I do is just mirrored off stuff I've seen over there but modified to suit my needs.
  • Working on a guide, however it is still a work-in-progress at this time.

    https://www.privateinternetaccess.com/forum/discussion/21128/how-to-port-forward-with-pfsense-advanced-users

    w
  • Posts: 7
    Working on a guide, however it is still a work-in-progress at this time.

    https://www.privateinternetaccess.com/forum/discussion/21128/how-to-port-forward-with-pfsense-advanced-users

    w
    Posted an updated script for pfSense 2.3 on this link, confirmed working following the guides on this forum, this was last needed step. No longer work in progress we all finally have a working solution!
  • Foonus1 said:
    Working on a guide, however it is still a work-in-progress at this time.

    https://www.privateinternetaccess.com/forum/discussion/21128/how-to-port-forward-with-pfsense-advanced-users

    w
    Posted an updated script for pfSense 2.3 on this link, confirmed working following the guides on this forum, this was last needed step. No longer work in progress we all finally have a working solution!
    Thank you Foonus1!

    I hope to be able to try this out sometime!

    w
  • Posts: 9
    Why can't I use strong encryption?
  • Posts: 4,013
    Porpuse said:
    Why can't I use strong encryption?
    If you are trying to use AES-256, change the port from 1194 to 1197.
  • Posts: 9
    Thanks OmniNegro
    Any idea on how to change it from SHA-1 to SHA-256?
  • Posts: 9
    I can't get it to work with AES256cbc on port 1197
  • Posts: 4
    Did you get this working with strong encryption?
    I can't get it to work either.. I used port 1197.. I'm not sure which AES256-bit encryption to use...

    When I setup the initial cert, instead of using CA.crt, do you use the cert file downloaded here:   https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

    Also, as your setting up the cert.. do you change the key length to 4096 instead of 2048 like it says in the instructions above?

    Any help would be appreciated... thanks.
  • Posts: 4
    Ok, I got it to work in pfSense using strong encryption!

    Here's what I did... first, I deleted both certs listed in System->Cert. Manager and recreated them using the above tutorial with a few important changes:

    In the above tutorial section called "PIA-CA Installation" when you paste in the certificate data from ca.crt, don't use ca.crt.. use the file ca.rsa.4096.crt that's part of this zip file:  https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

    Next, in the "Certificate Setup" section above, change the key length to 4096.. leave all the rest the same.

    Next, in the "System: Certificate Manager" section above, change the key length to 4096.. leave all the rest the same.

    To get mine to work properly, I had to delete the previously set up client and make a new one.. so delete the one (or multiple ones) that you may have, then follow the above section called "Create OpenVPN Client". Instead of port 1194, enter port 1197.
    For encryption algorithm, choose: AES-256-CBC (256 bits)
    and for Auth Digest Algorithm, choose: SHA256 (256 bits)

    Other than that, leave everything else the same.

    The only other thing I had to do was go into System->Routing and edit the Gateway associated with my PIA client and change the monitoring IP back to 8.8.8.8 (Googles DNS) to get the "Alive" functionality to work under the Gateways section of the pfSense dashboard page.

    Any question, let me know.   :)
  • edited July 2016 Posts: 73
    Updated! At this point all of the steps have been updated for the new configurations!  Only the video and the picture are still out of date.

    NOTE: Updates to this guide will assume you are using pfSense 2.3.1-RELEASE-p5

    https://www.privateinternetaccess.com/forum/discussion/18111

    ---

    A guide of the same type for aes256 is here - https://www.privateinternetaccess.com/forum/discussion/21875/

    Enjoy!
    Post edited by WinstonSmith on
  • Hi Winston
    I'm trying to access my ISP; the guide above is unable to resolve my problem.
    I have PIA working very well thanks to you but I'm unable to route out to
    my ISP for Netflix, payments etc. Any help please!
  • @winstonsmith I am having issues with your setup. I am able to complete the setup but when it's in use for more than a day my load times become very slow and I get frequent DNS errors when loading webpages. I have tried fresh installing 2.3.2, 2.3.1 release 5 and 2.2.4 but I have the same issue. Has anyone else experienced this same issue?