PF Sense Setup

Disclaimer: Installation and use of any software made by third party developers is at your own discretion and liability. We share our best practices with third party software but do not provide customer support for them.

Start by downloading our CA certificate file from We’ll be using this later. You can also find the hostnames of our gateways on our Network page here:

Certificate Installation

  1. Ensure that the above certificate file is saved to your machine, somewhere that you can open it.
  2. Log into your pfSense gateway.
  3. Navigate to System -> Cert Manager -> CAs.
  4. If there are any certificates on this page, remove them with the trashcan icon to the right.
  5. Delete old certificates
  6. Click on Add in the lower-right to add a new certificate.
  7. Use the following details:

    Descriptive name: PIA, or something else that you will remember.

    Method: Import an existing Certificate Authority

    Certificate Data: Open the above certificate (ca.rsa.2048.crt) in Notepad/Textedit, then copy and paste the text into this textbox.

    PIA certificate

    Certificate Private Key and Serial: Leave these blank

  8. PIA certificate details
  9. Click Save to save the certificate.
  10. Saved PIA Certificate

OpenVPN Setup

  1. Navigate to VPN -> OpenVPN -> Clients.
  2. VPN page
  3. If there are any existing VPNs on this page, remove them with the trashcan icon to the right.
  4. Click on Add in the lower-right to add a new VPN connection.
  5. Use the following details:

    Protocol: UDP

    Server port: 1198

    Server hostname resolution: Ensure that "Infinitely resolve server" is checked.

    User Authentication Settings: Fill the Username and Password fields with your PIA username and password.

    TLS Authentication: Ensure "Enable authentication of TLS packets" is disabled.

    Peer Certificate Authority: Select the PIA CA we setup.

    Client Certificate: None (Username and/or Password required)

    Encryption Algorithm: AES-128-CBC (128-bit).

    Auth digest algorithm: SHA1 (160-bit).

    Compression: Enabled with Adaptive Compression.

    Disable IPv6: Ensure "Don't forward IPv6 traffic" is checked.

    Custom options: Copy and paste the following into the custom options textbox:

    remote-cert-tls server
    reneg-sec 0

  6. New VPN Details
  7. Click Save to save the VPN connection.
  8. Navigate to Status -> OpenVPN.
  9. If Status doesn't show as "up", click the circular arrow icon under Actions to restart the service. If it still does not come up, navigate to Diagnostics -> Reboot to restart the device.
  10. Ensure that Status shows as "up" before continuing.
  11. OpenVPN Status page

Mappings Setup

  1. Navigate to Firewall -> NAT -> Outbound.
  2. Set the Mode under General Logging Options to "Manual Outbound NAT rule generation (AON)", and click Save.
  3. Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in the list.
  4. Set Interface to "OpenVPN" and click Save at the bottom.
  5. Repeat the last two steps for all remaining rule shown under Mappings, until every rule has a duplicate for OpenVPN.
  6. Mappings page
  7. Click Apply at the top of the page to apply all changes.


At this point, your VPN service should be fully operational! If you find that it's not working at this point, navigate to Diagnostics -> Reboot and restart your router.

Reboot page

EASY Setup Guides for Alternate Configurations (Advanced):


The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.

If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service.

    Although quite different from a VPN, we provide a SOCKS5 Proxy with all accounts in the event users require this feature.

    SOCKS5 Proxy Usage Guides port 1080
    Enable port forwarding in the application by entering the Advanced area, enabling port forwarding and selecting one of the following gateways:

    CA Toronto
    CA Montreal
    CA Vancouver
    Czech Republic

    After enabling port forwarding and re-connecting to one of the above gateways, please hover your mouse over the System Tray or Menu Bar icon to reveal the tooltip which will display the port number. You can then enter this port into your software.

    Port Forwarding reduces privacy. For maximum privacy, please keep port forwarding disabled.
IPv6 leak protection disables IPv6 traffic while on the VPN. This ensures that no IPv6 traffic leaks out over your normal internet connection when you are connected to the VPN. This includes 6to4 and Teredo tunneled IPv6 traffic.
    The dns leak protection feature activates VPN dns leak protection. This ensures that DNS requests are routed through the VPN. This enables the greatest level of privacy and security but may cause connectivity issues in non-standard network configurations.

    This can be enabled and disabled in the Windows application, while it is enabled by default on our macOS application.

    We use our own private DNS servers for your DNS queries while on the VPN. After connecting we set your operating system's DNS servers to and When using a DNS Leak testing site you should expect to see your DNS requests originate from the IP of the VPN gateway you are connected to.

    If you change your DNS servers manually or if for some other reason they are changed this does not necessarily mean your DNS is leaking. Even if you use different DNS servers the queries will still be routed through the VPN connection and will be anonymous.
    The internet kill switch activates VPN disconnect protection. If you disconnect from the VPN, your internet access will stop working. It will reactivate normal internet access when you deactivate the kill switch mode or exit the application.

    Users who may be connected to two connections simultaneously (ex.: wired and wireless) should not use this feature, as it will only stop 1 active connection type.

  • United States (US VPN)

  • United Kingdom (GB VPN)

  • Canada (CA VPN)

  • Australia (AU VPN)

  • New Zealand (NZ VPN)

  • Netherlands (NL VPN)

  • Sweden (SE VPN)

  • Norway (NO VPN)

  • Denmark (DK VPN)

  • Finland (FI VPN)

  • Switzerland (CH VPN)

  • France (FR VPN)

  • Germany (DE VPN)

  • Belgium (BE VPN)

  • Austria (AT VPN)

  • Czech Republic (CZ VPN)

  • Ireland (IE VPN)

  • Italy (IT VPN)

  • Spain (ES VPN)

  • Romania (RO VPN)

  • Turkey (TR VPN)

  • Hong Kong (HK VPN)

  • Singapore (SG VPN)

  • Japan (JP VPN)

  • Israel (IL VPN)

  • Mexico (MX VPN)

  • Brazil (BR VPN)

  • India (IN VPN)