Here is how I have Private Internet Access (PIA) setup on both of my pfSense firewalls. This setup has worked perfectly for me and does not interfere with any other gateways.
This guide will walk you through setting up the connection to PIA, creating an interface for PIA so you can route traffic selectively over the PIA VPN, Installing and configuring the service watchdog, and going over some firewall rules. I will try to go into as much detail as possible
First, choose what server you want to connect to. I have found that the Dallas and Florida servers work best for me, but that might not be the best choice for you.
PIA has a full list of servers available here: https://www.privateinternetaccess.com/pages/network/
Since the Dallas server is geographically close to me, I will be using that one. The address is: us-texas.privateinternetaccess.com
PIA offers three different certificates
- "Weak" security on port 1194 - https://www.privateinternetaccess.com/openvpn/ca.crt
- "Medium" security on port 1198 - https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
- "Strong" security on port 1197 - https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt
You will probably get the best performance on port 1194 with weak security, so that is what I will be using. It's still plenty secure for my needs of just downloading linux ISO's
Go ahead and download the crt file for whichever security level you want, and then open the file with a text editor such as Notepad++
Select all of the contents, and copy to your clipboard
Now log into your pfSense WebUI and navigate to System > Cert Manager and click on the "+ ADD" Button
Now change the method to "Import an existing certificate authority" and paste the copied text into the box. It should look like below
You should now see the certificate listed
Now we have the certificate listed, navigate to VPN > OpenVPN, then click Clients and finally click ADD
Now we will go through the configuration. I will go section by section, but it's just one long page. I will highlight changes you need to make in yellow, but also verify the rest of the config looks the same, we can't be sure the default configuration won't change in the future
Now you will want to fill in the server address you found before, I will be using us-texas.privateinternetaccess.com
Then the port. This depends on which security level you picked at the beginning of the guide, I am using Weak security on port 1194
Then, give it a description. See my screenshot for reference. I have highlighted everything you need to change, but make sure the rest is the same too
User Authentication Settings
This one is pretty self explanatory, enter your PIA username and password, and don't check the box to not retry on fail
Note (1/2/19): It has been suggested that PIA sometimes has an issue with authentication retry, and that you would be better served CHECKING the box so that pfSense doesn't try and re-auth. Personally I have never had any issues with authentication, but keep this in mind
For this section, uncheck the TLS key box, Select your PIA-CA you created earlier and uncheck NCP
I have had nothing but issues with NCP, if you want to play around with it later you can always come back and enable it, but for this guide we are turning it off. Most of these options can be tweaked, so once you get it working come back and decide what you want to use. PIA has a list of supported algorithms
Select SHA1 as the auth digest algorithm
Change Compression to Adaptive LZO, change topology to net30 and check the "Don't pull routes" box
If you don't check this box, all traffic will go over the VPN by default, which is probably not what you want. If that IS what you want, then leave it unchecked.
In the custom options box, enter
and set the gateway creation to IPv4 only (Since PIA doesn't support IPv6 at the time of writing)
Finally, click save.
Now go to Interfaces > Assignments
On the dropdown for "Available Network Ports" you should see your PIA VPN listed. Mine is called ovpnc1 (Private Internet Access). Mine isn't listed because I already have it bound to an interface
Select yours, and click add
Now that the interface has been added, click on the interface name, here I am clicking on OPT5, but yours will be different. It should be at the bottom of the list
Now you can check the box to enable the interface, and give it a better name, I called mine PIA_VPN.
Also make sure the reserved network checkboxes are unchecked.
Now navigate to Firewall > NAT and click out Outbound
Click the radio button to change the outbound NAT mode to Hybrid, and click Save
Now we need to create some outbound NAT rules. You only need to create the NAT rules for networks you want to reach the VPN. So you will need localhost, and then probably just your LAN network. I have added some other networks so they can access the VPN too.
I have highlighted the ones you need to make. Just make your screen look like mine!
First, the localhost to PIA rules. You can copy mine 100% for these as long as your interface is correct
The first Localhost to PIA rule
The ISAKMP Localhost to PIA rule
Moving on to the LAN rules. You need to change my 10.0.0.0/24 entry to whatever your network is!
The first LAN to PIA rule
The ISAKMP LAN to PIA rule
Done? Make sure it looks like mine does. If it looks off, go back and verify. If you need to re-order the rules, just drag them and click save in the bottom right
By default the PIA gateway will show as down, as it can't monitor the upstream gateway. Here we can fix that
Go to System > Routing and click on Gateways
Now click the pencil button to edit the gateway for PIA
Now enter a monitor IP for the interface to monitor. I chose to enter 18.104.22.168
This will not give you a very accurate latency reading for your interface, but it will verify the connection is working, and if there is a connection issue like high packet loss
Now your gateway should show as connected and online
Now we will install and configure the service watchdog package. This will restart the OpenVPN service and reconnect PIA if it disconnects/crashes for some reason
Click on System > Package Manager
And then click on available packages, search for "watch" to find Service_Watchdog. Finally Click Install and then confirm the install
Now go to Services > Service Watchdog and click on Add new service
From here, select your PIA service
And click add
Now its configured, and will restart the service if needed
First we will create an alias to use in the firewall rule. This will let you add and remove IP's at will without having to modify the rule and add more rules for more devices.
First, lets go to Firewall > Aliases and click on IP and then click add
Now go ahead and add the IP's for the devices you want to use the VPN only, and give them a description if you want. Click save.
Now head over to Firewall > Rules and click on LAN
Here you can see the two rules which control where the traffic goes
These rules need to be ABOVE the default Lan to Any rule, and the deny rule needs to be BELOW the rule which specifies the gateway.
The reason we have the deny rule is so that if the VPN disconnects, traffic doesn't start going over the default gateway.
Let's get into the first rule which pushes traffic across the VPN gateway. Make sure to specify the source as the alias we created. Then click on Advanced, and specify the PIA_VPN gateway, click save and apply the rule
Then, lets create the deny rule. Make sure the action is Block and you specify the alias again. We do not need to specify the gateway here as we are blocking on the default gateway
Click save, and apply the rule. Make sure they are in the correct order!
Now we have done that, you should be done. Everything on those IP's in the alias will go over the VPN. If the VPN disconnects, no internet traffic will pass and as long as the IP doesn't change, traffic CAN NOT go over the normal gateway
Important DNS Note
If you are not using DNS over TLS to a trusted, privacy oriented DNS Resolver like CloudFlare's 22.214.171.124, then you will leak your IP over DNS and this could be a problem
To get around this, you should hard code PIA's DNS servers on the system you are putting over the VPN. The DNS servers are 126.96.36.199 and 188.8.131.52
Be sure to check if your DNS requests are leaking your normal public IP: https://www.dnsleaktest.com/
Setting these DNS server will probably affect local DNS resolution, so you should really just use DNS over TLS...
You could create some NAT rules to intercept DNS requests and force them elsewhere, but it's more work than just using DNS over TLS, which you REALLY should be doing anyway...