Tutorial: Setup PIA on pfSense 2.4.2
It is recommended to update your pfSense installation to the latest version before continuing this tutorial. If for any reason pfSense does not allow you to update within the WebUI, try upgrading from the Console. It is option 13.
(If you are a home user seeking a simple and affordable way to implement pfSense & PIA on your home network, scroll down to the links at the bottom of this tutorial and check out my mini-PC recommendations. Select a system with AES-NI for fast & efficient VPN encryption. I do not get paid for any brands I promote. I'm just a sharing & caring privacy-activist.)
Before we begin, let's take a moment and learn the various encryption types & algorithms supported and recommended by Private Internet Access --> https://www.privateinternetaccess.com/pages/vpn-encryption
= Recommended by 
1.) Start by downloading one of these certificates to your computer:
Weak Security: https://www.privateinternetaccess.com/openvpn/ca.crt <—— Uses Port: 1194
Recommended: 
https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt <—— Uses Port: 1198
Strong Security: https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt <—— Uses Port: 1197
2.) Open the .crt file with a text editor and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
3.) Log in to your pfSense router and navigate to System > Cert. Manager > CAs and click 
4.) Name your cert similarly to the name of the cert you downloaded. (Example: Descriptive name PIA-2048)
5.) Paste the certificate text into the box at Certificate data and click 
6.) Navigate to VPN > OpenVPN > Clients and click 
Choose a PIA server you want to use --> https://www.privateinternetaccess.com/pages/network
7.) Server host or address: Input the server address you've chosen from the link above.
8.) Enter the Port number based on the Certificate you've selected:
ca.crt = 1194
ca.rsa.2048.crt = 1198
ca.rsa.4096.crt = 1197
9.) Description: Choose a description that reflects the server region you've chosen (Example: PIA Spain)
10.) User Authentication Settings: Enter your PIA Username and Password11.) TLS Configuration: Uncheck Use TLS Key
12.) Peer Certificate Authority: Select the PIA Certificate you created if it is not already selected.
13.) Encryption Algorithm: (Note: Setting this to 'Strong' security greatly increases CPU processing power which may bottleneck 100+ megabit internet speeds on lower-end hardware. If you want strong security at high speeds, you'll need a more powerful CPU. If that is the case, have a look at the Supermicro Intel Atom offerings - links at the bottom of this tutorial.)
Recommended: AES-128-CBCStrong Security: AES-256-CBC
14.) Ensure NCP is checked.
Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
Add AES-128-CBC and AES-256-CBC by selecting them in the left box.
15.) Auth Digest Algorithm:
Recommended: SHA1 (160-bit)Strong Security: SHA256 (256-bit)
Hardware Crypto: If your CPU features AES-NI it is advised to select BSD cryptodev engine.
16.) Compression: Adaptive LZO Compression
17.) Custom Options: Add these parameters:
Click
18.) Navigate to Firewall -> NAT -> Outbound
Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click 
Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.
Set Interface to "OpenVPN"
Repeat the last two steps for all remaining rules shown under Mappings, until every rule has a duplicate for OpenVPN.
Click 
and 
19.) Use PIA DNS servers to prevent DNS Leak:
Recommended: Navigate to System > General Setup and set DNS Servers to:
--> 209.222.18.222
--> 209.222.18.218
Click 
20.) If your CPU features AES-NI and you've enabled BSD cryptodev engine, follow these steps:
Navigate to System > Advanced > Miscellaneous: scroll down to Cryptographic & Thermal Hardware and select AES-NI and BSD Crypto Device (aesni, cryptodev)
Click 
21.) VPN KILLSWITCH
This is my favorite killswitch method in pfSense. There will be absolutely zero non-VPN leakage with this configuration. This should give absolute peace of mind to those paranoid about Kodi streaming, torrenting and Tor browsing. This is a seamless configuration, meaning that if the VPN goes down you will have zero access to the internet. When the VPN comes back online, your internet session will continue automatically and seamlessly. There is no additional tinkering inside pfSense on your part if the VPN drops out (unlike another method which uses Floating Rules to allow only UDP traffic from the VPN and rejects all other traffic).
We will configure OpenVPN to be the only active interface:
Go to Firewall > NAT > Outbound and disable (or delete) all WAN interfaces as shown in the picture below.
(If you choose to delete your WAN interfaces and eventually need them back for any reason, you can easily revive them by duplicating each of your OpenVPN interfaces and setting the duplicate interface to WAN.)
(If you need to bypass the VPN for specific devices, you will have to re-enable the WAN interfaces and configure them specifically for the IP address of the devices you want to pass through the WAN.)
Click 
and 
22.) Navigate to Status -> OpenVPN
If Status doesn't show as "up", click the circular arrow icon under 'Service' to restart the service. If it still does not come up, navigate to Diagnostics -> Reboot to restart the device.
⭐⭐⭐ Congratulations! You are all done! Enjoy using Private Internet Access on your pfSense router! ⭐⭐⭐
Here are a few simple & affordable AES-NI solutions which would be ideal for a pfSense-PIA router in a small office / home office.
(These are not affiliate links. I do not get paid to promote these product links or pfSense. I'm sharing these links simply for home users looking to implement PIA at router level in their home network using pfSense and other open-source router software)
Azzule Byte 3: https://azulletech.com/product/byte-3
Azzule Inspire: https://azulletech.com/product/inspire
Protectli Firewall Micro: https://protectli.com/product-comparison
Supermicro Atom C2558f: http://www.mitxpc.com/proddetail.php?prod=EKSMC2558M557
Supermicro Atom C2758f: http://www.mitxpc.com/proddetail.php?prod=MES-A1SRI2758F
Comments
https://forum.pfsense.org/index.php?action=post;quote=776377;topic=76015.330;last_msg=780711
Rules with Destination Port 500 are designated for IPsec and can be deleted.
Disabling NAT'ing for the WAN is AN ABSOLUTE HORRIBLE IDEA and DOES NOT STOP TRAFFIC ROUTING.
Disabling NAT address translation rules does not stop traffic from being routed out an interface if the VPN is down. It only prevents the IP addressing from being translated when traffic is routed out that interface, which can result in routing RFC1918 addressing onto the WAN.
The only way this blocks traffic is that an upstream router is most likely blocking non-internet routeable RFC1918 addresses, but at that point your traffic has already been leaked onto the WAN interface.
The better solution is to make sure unintended traffic never leaves the WAN by creating pfSense float rules that allow only DNS and OpvenVPN traffic out the WAN and block everything else going out the WAN. Such rules would only have affect when the VPN link is down and the WAN is the default route, to allow DNS lookup of the PIA host, and creating the VPN link, all other outbound traffic out the WAN should be blocked or rejected. Once the VPN link is up and becomes the default route traffic will route unblocked over the VPN link.
First thing is to make sure your OpenVPN interface is assigned by going to Interfaces --> Assignments. You should have at least one available network port which starts with ovpnc. Select that interface and hit add
Next, jump over to your firewall rules. For each of your LAN ports, you should have a "Default Allow LAN to any" rule. If you click on the Advanced Options, you will see a dropdown menu for Gateway. For the ports you wish to use your normal ISP, simply select the default WAN gateway, and for the port you want to go over VPN, select the new interface you just added.
Here is a like to a youtube video which is what I followed for my configuration..
But When I check the status for OpenVPN, it is not connected. It says:
Status: reconnecting; ping-restart
Local Address: (pending)
Remote Host: (pending)
When I check the logs I see this:
Can someone help?
This should be the PIA server IP you are trying to connect to, not your DNS server.
What have you entered as your PIA server address? It's possible that your ISP is doing DNS poisoning to block VPNs and that could explain why the ISP's DNS servers ends up there.
that IP that I removed from the log paste is: 90.255.255.14
I have changed my DNS to 1.1.1.1
And I am able to connect to PIA from the Windows client software.
I am also able to ping it and use nslookup from my windows devices
C:\Users\me>ping uk-london.privateinternetaccess.com
Pinging uk-london.privateinternetaccess.com [104.238.169.7] with 32 bytes of data:
Reply from 104.238.169.7: bytes=32 time=21ms TTL=60
Reply from 104.238.169.7: bytes=32 time=22ms TTL=60
Reply from 104.238.169.7: bytes=32 time=120ms TTL=60
Reply from 104.238.169.7: bytes=32 time=21ms TTL=60
Ping statistics for 104.238.169.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 120ms, Average = 46ms
C:\Users\me>nslookup uk-london.privateinternetaccess.com
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 1.1.1.1
Non-authoritative answer:
Name: uk-london.privateinternetaccess.com
Addresses: 104.238.169.24
104.238.169.27
104.238.169.46
104.238.169.55
104.238.169.58
104.238.169.68
104.238.169.70
104.238.169.86
104.238.169.88
104.238.169.98
104.238.169.108
104.238.169.120
104.238.169.130
Try connecting to that IP specifically: 104.238.169.3
Also, if you ping uk-london.privateinternetaccess.com from Command Prompt, what IP do you get there?
Thanks for your reply. I did ping it, Results on the post above.
And you were right, my ISP is blocking PIA via DNS.
So I solved this by unchecking the following box from the Setup Wizard
And I am able to connect now.
Thank You
Important note to everyone trying to use PIA's Port Forwarding with this guide
Me and @PIAColleen have been banging out heads for a while trying to get Port Forwarding to work for some people having used this guide.
In step 19, assigning PIA's DNS servers to the WAN interface causes pfSense to put a direct route to that server in the routing table. That means DNS is always leaking, and also as a result the port forwarding API is also not working because the request never goes through the VPN.
Please bind it to "None" instead to avoid issues.
I am trying to get informations I could use to diagnose why my pfSense gives me several messages like the following :
There are severals and only concerns IPv6. I am trying to see if this is because IPv6 packets are not going through.
Great guide, and his kicked me off with moving away from the desktop client to policy based routing on pfSense.
I'm having an issue getting the VPN up though. Followed steps above to create OpenVPN client, and have entered the same username and password I put into the desktop client, but keep getting errors along the lines of the below:
After the instance retries, I see log entries like this:
TLS Key unchecked
PIA 4096 CA cert
No client cert
AES-128-CBC
NCP checked
NCP Algorithsm, AES 128 and 256 CBC
Auth digest SHA1
No hardware crypto
Advanced options:
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
Can anyone advise why the auth fails, as using that username and password in the desktop clients works without issue.
Cheers
Eds
auth-retry interact
The inactivity timeout at the beginning of your log can be caused by many different things, but the auth failure is due to OpenVPN sending an invalid authentication token to our servers. The above option forces the client to completely reauthenticate with your username and password. It won't stop your connection from going down, but it should force the tunnel to reestablish itself when it does.
Thanks for the suggestion.
Have tried adding that, but don't think it has helped.
Latest logs below:
Have restarted the service also, to no avail.
Have re-entered my username and password, so not sure what else would cause an auth failure.
Hoping the logs mean more to you guys than to me haha.
Thanks!
Eds
I used the 4096 CA cert downloaded from the OP, to create a CA on pfSense, but haven't selected a client cert in the OpenVPN config.
My web configurator uses a wilcard cert for my personal domain from my active directory CA.
Would that have any impact on the connection?
I don't suppose a client cert is required when I select none and simply enter my username and password?
In this instance, I have changed auth digest from SHA1 to SHA256.
Is it because if I use the 4096 cert and port 1197, AES-256-CBC, I HAVE to use SHA256 as well?
Are the encryption and auth digest values in the tutorial linked?
i.e if you use 128, use SHA1, and if you use 256, use SHA256?
Cheers
Edit: I suspect this is the case, as I have moved down to AEA 128 bit and SHA1, and the tunnel is still running without issue.
I only want one particular server on my LAN to route its traffic via my tunnel, so I have a firewall rule at the top of my list stating any traffic from a single host, to any destination, should have a gateway of my OpenVPN interface.
I then have my LAN net to any rule below.
In this case, if the tunnel drops, traffic ignores the first rule and is then aloud to go out via the second and over the WAN gateway.
My solution was going to be to add a deny rule between the two, saying anything coming from the single host to any destination, is denied, and specify the gateway as the WAN.
Would that work and achieve the same goal, of preventing traffic from this host from going out over the normal WAN?
I was also worried about DNS leak protection, as I have an active directory domain running internally, which this server is a part of.
As such, it's DNS servers were set to the domain controller, which in turn had 1.1.1.1 set as its DNS forwarder.
I suspect external DNS requests would hit the DC, then be forwarded out over the WAN and leaking the requests.
To work around this I have changed the DNS servers on this single host directly to 1.1.1.1, but worried that is going to impact domain connectivity.
I don't want other LAN devices to have DNS go over the VPN.
I can't think of any better way to have this single host have domain controller as a DNS server, but route DNS queries over the VPN. I guess it probably isn't possible?
Thanks for everyones help thus far
Eds
EDIT: I have tested creating a block or reject rule directly below my rule for host to VPN, and it seems to ignore the block rule when the VPN drops, and simply sends traffic out via my WAN.
Also, changing DNS to external directly on the host, does affect domain connectivity and internal name resolution.
Any way I can have internal and domain names resolved internally, but anything else go directly out via the VPN, or is my only option to have my domain control pass all external DNS queries out via the VPN?
EDIT 2: I tagged my outgoing traffic with NO_WAN_EGRESS, and then added a floating rule for WAN to ignore traffic with that tag, which works wonderfully! As soon as the VPN drops, outgoing traffic for that host stops.
As far as DNS goes, I tinkered with unbound of pfSense for a while, but couldn't achieve what I wanted. I ended up setting up filtering options on my domain controller, to block DNS queries not for my internal domain name, meaning the client machine would then jump to my secondary (external) DNS server for external lookups. Same thing is true, if the VPN drops, my DC won't resolve the name, and the secondary becomes unavailable, meaning no DNS leaks <span>
Can read about my tinkering here: https://forum.netgate.com/topic/131798/routing-dns-query-based-on-client-forwarded-via-domain-controll/13