[Guide] Setup pfsense with Strong Encryption (AES-256)

edited January 2016 in VPN Setup Support Posts: 14
Please reference the pfsense guide for setting up PIA and pfsense.  It works perfectly and provides detailed steps I won't repeat but will reference.

I already have a working OpenVPN connection, how do I change it to use the new strong encryption?

  • What I did, to be safe, is create a new CA certificate entry using the 4096-bit RSA CA certificate posted here and name it PIA-STRONG.  You can call it whatever you like.
  • Edit your OpenVPN Client settings and make the following configuration changes:
    • Server Port = 1197
    • Peer Certificate Authority = PIA-STRONG (or whatever you called your new Cert)
    • Encryption algorithm = AES-256-CBC (256-bit)
    • Auth Digest Algorithm = SHA256 (256-bit)
Save your config and OpenVPN should connect.  If you have an AES-NI capable CPU I suggest enabling aesni in System -> Advanced -> Miscellaneous and then enabling hardware crypto in the OpenVPN client:  Hardware Crypto setting = BSD cryptodev engine


I'm setting up pfsense and PIA for the first time

Follow the pfSense guide linked at the top of this post.  For reference, here are the OpenVPN client settings:

  1. Select menu: VPN->OpenVPN
  2. Select Client tab
  3. Click Plus symbol to add client
  4. Configure as follows:
  • Disabled = unchecked
  • Server Mode = Peer To Peer (SSL/TLS)
  • Protocol = UDP
  • Device Mode = tun
  • Interface = WAN
  • Local Port  = (leave blank)
  • Server host or address = us-texas.privateinternetaccess.com (or any server you choose that PIA offers)
  • Server Port = 1197
  • Proxy host or address = (leave blank)
  • Proxy port = (leave blank)
  • Proxy authentication extra options = none
  • Server host name resolution = checked, Infinitely resolve server
  • Description = PIA OpenVPN (or whatever you desire)
  • TLS Authentication = unchecked, Enable authentication of TLS packets
  • Peer Certificate Authority = PIAVPN
  • Client Certificate = webConfigurator default *In use
  • Encryption algorithm = AES-256-CBC (256-bit)
  • Auth Digest Algorithm = SHA256 (256-bit)
  • Hardware Crypto = No Hardware Crypto Acceleration
  • IPv4 Tunnel Network = (leave blank)
  • IPv6 Tunnel Network = (leave blank)
  • IPv4 Remote Network/s = (leave blank)
  • IPv6 Remote Network/s = (leave blank)
  • Limit outgoing bandwidth = (leave blank)
  • Compression = checked, Compress tunnel packets using the LZO algorithm
  • Type-of-Service = unchecked
  • Advanced = (enter the following into the text field, one item per line, with a semicolon ending each line except the last)
    auth-user-pass /etc/openvpn-password.txt;
    verb 5;
    remote-cert-tls server
If you have an AES-NI capable CPU I suggest enabling aesni in System -> Advanced -> Miscellaneous and then enabling hardware crypto in the OpenVPN client:  Hardware Crypto setting = BSD cryptodev engine


Post edited by MetalGeek on

Comments

  • Posts: 4,013
    Without making too long a post, let me simply thank you on behalf of the many users of PIA. This has been sorely needed for a long time. May this thread stay afloat forevermore. I will add a link to your thread to my OpenVPN Router Speeds thread since many who seek that thread may want this even more.
  • My pleasure!  I hope it helps others.
  • Posts: 9
    What kind of Mbps speeds do you get on pfsense running the ovpn client on PIA with aes128 and aes256 encryption?

    Is this a better implementation than router-based ovpn?
  • I get my full 50/10 cable speed through my router with any encryption option I choose.  I chose a router-based option so all the devices in my house use the VPN.
  • Posts: 9
    Whenever I copy and paste that RSA4096 cert it has a lot of newlines with big open white spaces. Will it still work? Do I have to take out the white space?
  • Posts: 1
    Thanks for this.
  • edited September 13 Posts: 7
    Are you sure it's working with hardware acceleration? I did check it on pfSense and it's not working at all for PIA.
    Running openssl speed test with aes-256-cbc:
    - aes-ni hw acceleration: 0.03-0.41 seconds
    - without hw accel: 2.9 - 3 seconds
    Pia VPN with hw accel bsd cryptodev ... aes-256-cbc checked OR unchecked, SAME results using top in shell:
    -140mbps dl @ 35% cpu
    -14mbps ul @ 15% cpu

    I've tested this over 20 times with and without. Results are the same. Checking the log for pia vpn:
    Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
    WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC' 

    So, I know hardware acceleration works in pfSense, but not for PIA. This lets me conclude PIA accepts it, but overrides it with the blowfish encryption... I'd love to see some factual data to confirm or deny my thought. Thanks.
    Post edited by ancap on
  • Posts: 7
    Ok, I tested further and checked logs with verb 4 instead of 3 and see cipher is used for data channel encrypt and decrypt, which is very good. The remaining problem is, how to get hardware acceleration working for the encrypted connection for pia... will test further, but until now, there are no differences between on and off, while it does for the host machine.
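The two log lines quoted above are the ones worth checking after any cipher change: the "WARNING: 'cipher' is used inconsistently" message only reports that the option strings the two peers advertise differ, while the "Data Channel Encrypt/Decrypt" lines (visible at verb 4 or higher) show which cipher and HMAC digest the tunnel is actually using. The checker below is an added example, not code from the original thread or from pfSense/OpenVPN; the sample log lines are constructed to mirror the quoted messages, and the syslog prefixes and PIDs in them are made up.

```python
"""Check an OpenVPN client log for the data-channel cipher and HMAC digest.

Added example; the sample logs below are constructed, not real captures.
"""
import re

# Ciphers with a 64-bit block size: not "strong encryption" for a long-lived tunnel.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

# "Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key"
CIPHER_RE = re.compile(
    r"Data Channel (?P<dir>Encrypt|Decrypt): Cipher '(?P<cipher>[A-Za-z0-9-]+)' "
    r"initialized with (?P<bits>\d+) bit key"
)
# "Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication"
AUTH_RE = re.compile(
    r"Data Channel (?:Encrypt|Decrypt): Using (?P<bits>\d+) bit message hash "
    r"'(?P<digest>[A-Za-z0-9-]+)' for HMAC authentication"
)
# "WARNING: 'cipher' is used inconsistently, local='cipher X', remote='cipher Y'"
MISMATCH_RE = re.compile(
    r"WARNING: 'cipher' is used inconsistently, "
    r"local='cipher (?P<local>[A-Za-z0-9-]+)', remote='cipher (?P<remote>[A-Za-z0-9-]+)'"
)


def analyze(log_text, expected_cipher="AES-256-CBC", expected_auth="SHA256"):
    """Return what the log says about the data channel plus a list of findings."""
    r = {"encrypt": None, "decrypt": None, "key_bits": None,
         "auth": None, "mismatch": None, "findings": []}
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            r[m.group("dir").lower()] = m.group("cipher")
            r["key_bits"] = int(m.group("bits"))
            continue
        m = AUTH_RE.search(line)
        if m:
            r["auth"] = m.group("digest")
            continue
        m = MISMATCH_RE.search(line)
        if m:
            r["mismatch"] = (m.group("local"), m.group("remote"))

    f = r["findings"]
    if r["encrypt"] is None or r["decrypt"] is None:
        f.append("no 'Data Channel Encrypt/Decrypt' lines: raise verb to 4 or higher "
                 "to see the negotiated cipher")
    else:
        for direction in ("encrypt", "decrypt"):
            c = r[direction]
            if c in WEAK_CIPHERS:
                f.append(f"{direction}: {c} is a 64-bit block cipher; "
                         "the tunnel is not using strong encryption")
            elif c != expected_cipher:
                f.append(f"{direction}: {c} differs from expected {expected_cipher}")
    if r["auth"] is not None and r["auth"] != expected_auth:
        f.append(f"HMAC digest {r['auth']} differs from expected {expected_auth}")
    if r["mismatch"] is not None:
        local, remote = r["mismatch"]
        f.append(f"option-string mismatch: local advertises {local}, peer advertises {remote}; "
                 "the Data Channel lines, not this warning, show what is actually in use")
    return r


# Constructed sample mirroring the lines quoted in the thread (prefix and PID made up).
SAMPLE_STRONG = """\
Jan 11 20:15:02 openvpn[52341]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jan 11 20:15:02 openvpn[52341]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 11 20:15:02 openvpn[52341]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 11 20:15:02 openvpn[52341]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 11 20:15:02 openvpn[52341]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 11 20:15:03 openvpn[52341]: Initialization Sequence Completed
"""

# Constructed sample of a client still on OpenVPN's legacy default cipher and digest.
SAMPLE_WEAK = """\
Jan 11 20:20:11 openvpn[52399]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 11 20:20:11 openvpn[52399]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 11 20:20:11 openvpn[52399]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 11 20:20:11 openvpn[52399]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 11 20:20:12 openvpn[52399]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, log in (("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK)):
        report = analyze(log)
        print(f"{name}: encrypt={report['encrypt']} key_bits={report['key_bits']} auth={report['auth']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Feed it the OpenVPN log from Status -> System Logs -> OpenVPN (with verb 4 set in the Advanced field) and it reports the cipher and digest in use; the mismatch warning is listed as informational only, since with the settings in this guide the Data Channel lines are what confirm AES-256-CBC and SHA256 are active.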
  • Posts: 7
    Read my posts: https://forum.pfsense.org/index.php?topic=112877.msg747429#msg747429
    Too much wording from the analyses, observations and theories.

    To conclude:
    As for the moment, I don't know if aes-ni is enabled by default or not and the options of hardware acceleration are just obsolete, not only for aes-ni for pfsense openvpn client, but also for pfsense system->advanced->miscellaneous.

    Please enlighten me and others if you're in the ability to test this by setting vt-d and virtualization off in bios and test it in pfsense with top while doing a speedtest or iperf, as my host needs to keep running and can't restart/shutdown. Imho, this mystery needs to be solved. I've read about it and threads kept dying and nobody knows why and how.