Last Updated on December 30, 2024 by Thiago Crepaldi
Private Internet Access (aka PIA) provides a cheap VPN service that allows up to 10 simultaneous devices. Recently I have switched from Surfshark to PIA because although Surfshark allows unlimited devices, having multiple connections in the same device (pfSense router) doesn’t always work. The reason is that different connections to different countries can have the same IP, breaking routing on pfSense. A workaround is forcing a reconnection until all connections have different IPs, but PIA doesn’t suffer from this issue and its price is great. In this tutorial we are going to configure pfSense with PIA and assign an interface to it so that we can route it to other services.
Private Internet Access information
The first step is getting your PIA information to use them on your router. Go to the login page at https://www.privateinternetaccess.com/account/client-sign-in and log in. Next, go to Downloads >> View OpenVPN Configurations and click on OpenVPN Configuration Files (Recommended Default).
Save openvpn.zip in a local folder and extract it. You should see a list of ovpn files, one for each server, for example brazil.ovpn or us_florida.ovpn. A certificate authority (CA) certificate is also present and should be named ca.rsa.2048.crt.
pfSense configuration
Open ca.rsa.2048.crt and copy the certificate content for the next step. Once you are logged in on your pfSense, go to System >> Cert. Manager >> CAs and click on Add to create a new Certificate Authority as follows:
- Create / Edit CA
- Descriptive Name: PrivateInternetAccess_VPN
- Method: Import an existing Certificate Authority
- Trust Store: leave unchecked
- Randomize Serial: leave unchecked
- Existing Certificate Authority
- Certificate data: paste the full contents of ca.rsa.2048.crt, from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line
- Certificate Private Key (optional): leave blank
- Next Certificate Serial: leave blank
Once you are done, click on Save.
The next step is creating the VPN client connection. Open one of the ovpn server files; for this example we are going to use brazil.ovpn. Navigate to VPN >> OpenVPN >> Clients and press Add.
- General Information
- Description: Any name you like (e.g. PIA Brazil)
- Disabled: leave unchecked
- Mode Configuration
- Server mode: Peer to Peer (SSL/TLS)
- DCO: leave unchecked
- Device mode: tun – Layer 3 Tunnel Mode
- Endpoint configuration
- Protocol: UDP on IPv4 only
- Interface: WAN
- Local port: leave blank
- Server host or address: br.privacy.network (or whatever is on “remote” entry)
- Server port: 1198
- Proxy host or address: leave blank
- Proxy port: leave blank
- Proxy Authentication: None
- User Authentication Settings
- Username: Username from PIA account
- Password: Password from PIA account
- Authentication Retry: unchecked
- Cryptographic Settings
- TLS Configuration: leave unchecked
- TLS keydir direction: Use default direction
- Peer certificate authority: PrivateInternetAccess_VPN
- Peer Certificate Revocation list: leave blank
- Client certificate: None
- Data Encryption Algorithms: AES-128-CBC (or whatever is on “cipher” entry)
- Fallback Data Encryption Algorithm: Same as above
- Auth digest algorithm: SHA1 (160-bit)
- Hardware Crypto: No hardware crypto acceleration
- Server Certificate Key Usage Validation: Checked
- Tunnel Settings
- IPv4 tunnel network: leave blank
- IPv6 tunnel network: leave blank
- IPv4 remote network(s): leave blank
- IPv6 remote network(s): leave blank
- Limit outgoing bandwidth: leave blank
- Allow Compression: Refuse any non-stub compression (Most secure)
- Topology: Subnet – One IP address per client in a common subnet
- Type-of-service: leave unchecked
- Don’t pull routes: checked
- Don’t add/remove routes: checked
- Pull DNS: leave unchecked
- Ping settings
- Inactive: 0
- Ping method: keepalive
- Interval: 10
- Timeout: 60
- Advanced Configuration
- Custom options: paste the contents below (you can find more options on your ovpn file)
tls-client;
persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
disable-occ;
- UDP FAST I/O: leave unchecked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity level: 3 (recommended)
Press Save at the bottom of the page and Apply changes at the top of the page. Navigate to Status >> OpenVPN to verify your VPN Client is working. Check Client Instance Statistics and verify your new VPN Client connection is listed and that the Status is up.
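Several of the fields above are copied by hand from the ovpn file (the "remote" host and port, the "cipher" and "auth" entries, and the leftover directives pasted into Custom options). The following script, added here as an example and not part of the original post or of PIA's tooling, does that mapping from a constructed sample file; the hostnames, values and the placeholder PEM body are illustrative only.

```python
import re

# Constructed sample in the layout of a PIA .ovpn file; the values are illustrative
# and the PEM body is a placeholder, not a real certificate.
SAMPLE_OVPN = """\
dev tun
proto udp
remote br.privacy.network 1198
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
disable-occ
"""

# Directives the pfSense client editor has its own form fields for (Protocol, Device
# mode, Server host/port, ciphers, Username/Password, compression, verbosity).
FORM_FIELDS = {"client", "dev", "proto", "remote", "cipher", "auth",
               "auth-user-pass", "nobind", "resolv-retry", "verb", "compress"}

def parse_ovpn(text):
    """Map a .ovpn file onto the pfSense OpenVPN client fields used in the tutorial."""
    # Separate inline <tag>...</tag> blocks (e.g. <ca>) from plain directives.
    blocks = dict(re.findall(r"<([\w-]+)>\n(.*?)</\1>", text, re.S))
    body = re.sub(r"<([\w-]+)>\n.*?</\1>\n?", "", text, flags=re.S)
    directives = [ln.split() for ln in body.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#")]
    opts = {d[0]: d[1:] for d in directives}
    # Everything without a dedicated form field goes into "Custom options".
    custom = [" ".join(d) for d in directives if d[0] not in FORM_FIELDS]
    return {
        "Protocol": opts["proto"][0].upper(),
        "Server host or address": opts["remote"][0],
        "Server port": int(opts["remote"][1]),
        "Data Encryption Algorithms": opts["cipher"][0].upper(),
        "Auth digest algorithm": opts["auth"][0].upper(),
        # "remote-cert-tls server" is what Server Certificate Key Usage Validation enforces
        "Server Certificate Key Usage Validation": ["remote-cert-tls", "server"] in directives,
        "Custom options": "; ".join(custom),
        "CA certificate data": blocks.get("ca", "").strip(),
    }
```

Run parse_ovpn on the real brazil.ovpn and compare its output with the values entered in the form; a mismatch in the cipher or auth digest is the usual reason a client shows "down" in Status >> OpenVPN.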
Assigning interface to the VPN client connection
Navigate to Interfaces >> Interface Assignments and click Add to assign the PIA OpenVPN client as a new interface.
Click on OPT1 (the name shown to the left of your newly assigned interface) and fill in the following information:
- Enable: check
- Description: PIA VPN
- MAC Address: leave blank
- MTU: leave blank
- MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press Save and Apply Changes.
Configuring DNS
This section assumes your DNS is already configured as described in a previous post. The next steps are just additional settings to include the VPN client in a working DNS Resolver instance.
Navigate to Services >> DNS Resolver >> General Settings and make sure that at Outgoing Network interfaces you either select All or also append your new VPN client interface as an outgoing interface. Do not remove any other interface from this list!
- Enable: must already be checked
- Outgoing Network Interfaces: PIA VPN
- Register connected OpenVPN clients in the DNS Resolver: checked
Click Save and Apply Changes.
Configuring NAT
Navigate to Firewall >> NAT >> Outbound and select Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below). Press Save and Apply Changes. Now we can create our rules for the new VPN client by clicking on Add (down arrow):
- Edit Advanced Outbound NAT Entry
- Interface: PIA VPN or whatever you called it
- Source: your LAN network (e.g. 10.0.0.0/24)
- Misc
- Description: A nice name, such as NAT outbound for PIA Brazil
Press Save and Apply changes.
Now click on Add (down arrow) again to create one more rule for ISAKMP (IPsec VPN) traffic, which needs its UDP source port 500 left untranslated:
- Edit Advanced Outbound NAT Entry
- Interface: PIA VPN or whatever you called it
- Source: same LAN network from previous rule (e.g. 10.0.0.0/24)
- Destination >> Port or Range: 500
- Translation
- Port or Range >> Static Port: checked
- Misc
- Description: A nice name, such as Manually created for ISAKMP – PIA Brazil
Press Save and Apply changes.
Configuring Firewall
Navigate to Firewall >> Rules page and click on the Interface name you created in the previous steps. Next, click on Add to create a new firewall rule that allows any traffic to go through:
- Action: Pass
- Address Family: IPv4 (I am not using IPv6 on my homelab yet)
- Protocol: Any
- Source: Any
- Destination: Any
Press Save and Apply changes.
You can repeat the steps above for different Server locations from PIA.
Now that everything is done, let’s test it. Navigate to Diagnostics >> ping:
- Hostname: google.com
- IP Protocol: IPv4
- Source Address: Select the VPN Client interface
- Maximum number of pings: 3
Click Ping and check the results. The output should look like this:
PING google.com (216.58.217.46): 56 data bytes
64 bytes from 216.58.217.46: icmp_seq=0 ttl=120 time=1.978ms
64 bytes from 216.58.217.46: icmp_seq=1 ttl=120 time=2.670ms
64 bytes from 216.58.217.46: icmp_seq=2 ttl=120 time=1.940ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.940/2.196/2.670/0.336 ms
Passing traffic through the VPN
At this point, your VPN connection is up and running, but not really in use by pfSense. There are a couple of options for how to start using the VPN. In this post I will cover how to:
- Configure the VPN connection as the default gateway, so all traffic from your home goes through it
- Configure the VPN connection for specific IPs, so that only those go through the new VPN client connection
Option 1: Using VPN connection as your default gateway
Navigate to Firewall >> Rules >> LAN and edit the default IPv4 rule, that is the rule that allows all traffic on your network. Its description will probably be something like Default allow LAN to any rule.
Scroll down to the bottom and click Display Advanced under Extra Options. Change Gateway to PIA VPN and click Save followed by Apply Changes.
Option 2: Configuring specific IPs to use the VPN
Static DHCP Mapping on LAN
In order to use this approach, you need to reserve an IP address for the device(s) you want to route through the VPN. Navigate to Services >> DHCP Server >> LAN, scroll down to DHCP Static Mappings for this Interface, click on Add and do as follows:
- MAC Address: xx:xx:xx:xx:xx:xx
- You can find this at Status >> DHCP Leases page
- Client identifier: The name that will show up in the DHCP lease page
- You can use the hostname
- IP Address: The static IP to use (e.g. 10.0.0.5)
- Hostname: The device host name
- Description: A friendly description to identify the device
Click Save and Apply changes. Next, disconnect and reconnect the network cable of this device so that it picks up the new IP. Repeat these steps for each device you want to put under the VPN.
Now that your devices have a static IP, navigate to Firewall >> Aliases >> IP and click on Add and do as follows:
- Properties
- Name: VPNCLIENT_USA_DEVICES
- Description: Devices which are required to go through a USA OpenVPN client connection
- Type: Host(s)
- Host(s)
- IP or FQDN: <IP you want to put under the VPN> (e.g. 10.0.0.5)
- Description: the hostname or a short description to help identify the device
If you want to add more devices (hosts), click on Add Host and add the IP/FQDN + a description for each device.
When you are done, click on Save and Apply changes.
If you don’t have an alias called RFC1918 or Private_IPv4s created in previous posts, you will need to create it now. Its purpose is to let us distinguish the networks/IPs that belong to your LAN from those that belong to the Internet.
Lastly, we need to update the firewall rule so that it redirects clients to the VPN based on the alias we just created. The current rule must be something like “accept any connection coming from any device going to any destination and use the default gateway (your WAN connection) for them”. What we want is: If the incoming devices belong to the alias we created, use the VPN as gateway. Otherwise, use the default gateway. Note we need two rules and they must appear in this order.
Go to Firewall >> Rules >> LAN and click on the copy icon of the default IPv4 rule, that is the rule that allows all traffic on your network from * (any) to * (any). Its description will probably be something like Default allow LAN to any rule.
A new window will open with the same settings as the rule used as base, in which you need to change the following:
- Source
- Invert match: unchecked
- Any: change it to Single host or alias
- Source address: VPNCLIENT_USA_DEVICES (this is the first alias name)
- Destination
- Invert match: checked
- Any: change it to Single host or alias
- Destination address: RFC1918 (this is the second alias name)
- Extra Options
- Description: Allow VPNCLIENT_USA_DEVICES to Internet rule through VPNClient_USA (assuming this is how you named your VPN interface)
- Click on Display Advanced.
- Advanced Options
- Gateway: Select the interface you assigned to your VPN client connection
Click on Save. You probably have to move (drag and drop) the new rule before the one you copied it from. The rule that redirects traffic to the VPN must come before the default rule. Click on Save and Apply changes.
Optional: Adding a kill switch rule
A kill switch is a mechanism in which no traffic is allowed through your ISP when the encrypted [VPN client] connection drops. This is important for scenarios in which it is preferable to lose connectivity than to risk exposing data outside the tunnel.
In either Option 1 or Option 2 above, you have to edit the firewall rule at Firewall >> Rules >> LAN and scroll to Advanced Options. There, set the Tag field to vpntraffic. Click on Save and Apply changes.
At this point, all traffic matched by that rule will be tagged with vpntraffic. The tag identifies traffic that is supposed to leave through the VPN, so that we can block it on WAN in the next step.
Go to Firewall >> Rules >> Floating and click in Add (up arrow) to create a new rule that will be applied before all others related to your WAN connection:
- Edit Firewall Rule
- Action: Block
- Disabled: unchecked
- Quick: checked
- Interface: WAN
- Direction: Any
- Address Family: IPv4
- Protocol: Any
- Source
- Invert match: unchecked
- Any
- Destination
- Invert match: unchecked
- Any
- Extra Options
- Description: Kill switch for OpenVPN client traffic
- Click on Display Advanced.
- Advanced Options
- Tagged: vpntraffic
- Action: Block
Click on Save and Apply changes.
Note that we have tagged traffic with the vpntraffic label on the LAN interface and blocked it with a floating rule on WAN before it could leave through the ISP.
As a test you can disconnect the VPN connection and check your connectivity. It should be offline until you reconnect the VPN.
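The rule ordering in Option 2 and the tag-based kill switch above can be checked as first-match logic. The simulation below is added here as an illustration and is not part of the original post or of pfSense; it uses the post's alias names and tag, constructed sample addresses, and assumes that when the VPN gateway is down pfSense sends the matched traffic out the default (WAN) gateway, which is exactly what the floating rule must catch.

```python
import ipaddress

# Aliases from the tutorial with constructed sample addresses.
ALIASES = {
    "VPNCLIENT_USA_DEVICES": ["10.0.0.5"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def in_alias(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ALIASES[name])

# LAN rules in the order the tutorial requires: the policy-routing rule that sends
# alias members to the VPN gateway first, the default allow-all rule second.
# "dst_invert" models the Destination "Invert match" checkbox.
LAN_RULES = [
    {"src": "VPNCLIENT_USA_DEVICES", "dst": "RFC1918", "dst_invert": True,
     "gateway": "PIA VPN", "tag": "vpntraffic"},
    {"src": None, "dst": None, "dst_invert": False, "gateway": "default", "tag": None},
]

# Floating rule on WAN: quick block for anything tagged vpntraffic (the kill switch).
FLOATING_RULES = [{"iface": "WAN", "tagged": "vpntraffic", "action": "block"}]

def route_lan_packet(src, dst, vpn_up, lan_rules=LAN_RULES):
    """Return (egress interface, verdict) for a LAN packet under first-match rules.

    Assumption: with the VPN gateway down, pfSense routes the packet via the
    default gateway (WAN) instead of dropping it; the kill switch exists to catch
    exactly that. The default gateway is modelled as egress "WAN"."""
    for rule in lan_rules:
        if rule["src"] and not in_alias(src, rule["src"]):
            continue
        if rule["dst"] and in_alias(dst, rule["dst"]) == rule["dst_invert"]:
            continue
        use_vpn = rule["gateway"] != "default" and vpn_up
        egress, tag = (rule["gateway"] if use_vpn else "WAN"), rule["tag"]
        break
    else:
        return ("none", "block")  # no rule matched: pfSense's implicit default deny
    # Floating rules are matched against the interface the packet actually leaves on.
    for fr in FLOATING_RULES:
        if fr["iface"] == egress and fr["tagged"] == tag:
            return (egress, fr["action"])
    return (egress, "pass")
```

Reversing LAN_RULES reproduces the mistake the post warns about: the default rule matches first and alias members leave through WAN untagged, so the kill switch never sees them.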