Private Internet Access VPN on pfSense (Last Updated 08/2020)
This guide has been updated to reflect changes made on PIA's end that stops the old guide from working
NOTE! As of 12/7/2021 I have moved away from PIA and Switched to Mullvad. So this guide will no longer be updated. I highly suggest you read that guide
If you have followed my old guide and now have a non-working setup, just follow the guide to get the new cert which you can add in to your config, and change the port number to 1198 along with the new server if you chose one, then restart the OpenVPN Client service
Here is how I have Private Internet Access (PIA) setup on both of my pfSense firewalls. This setup has worked perfectly for me and does not interfere with any other gateways.
This guide will walk you through setting up the connection to PIA, creating an interface for PIA so you can route traffic selectively over the PIA VPN, Installing and configuring the service watchdog, and going over some firewall rules. I will try to go into as much detail as possible
Server Choice
First, choose what server you want to connect to. I have found that the Dallas and Florida servers work best for me, but that might not be the best choice for you.
You can see all available in the OpenVPN Config generator here:
https://www.privateinternetaccess.com/pages/ovpn-config-generator
Since the Dallas server is geographically close to me, I will be using that one. The address is: us-texas.privacy.network
You can choose between current and nextgen, I chose the nextgen servers. The nextgen servers are newer, so I figured I'd choose that
Certificates
To import the certificate needed, choose the 1198 port option, and click generate
Now edit the file downloaded, and copy the certificate portion to your clipboard (I prefer using Notepad++)
Now log into your pfSense WebUI and navigate to System > Cert Manager and click on the "+ ADD" Button
Now change the method to "Import an existing certificate authority" and paste the copied text into the box. It should look like below
Click Save.
You should now see the certificate listed
Now we have the certificate listed, navigate to VPN > OpenVPN, then click Clients and finally click ADD
Now we will go through the configuration. I will go section by section, but it's just one long page. I will highlight changes you need to make in yellow, but also verify the rest of the config looks the same, we can't be sure the default configuration won't change in the future
General Information
Now you will want to fill in the server address you found before, I will be using us-texas.privateinternetaccess.com
Then the port which will be 1198
Then, give it a description. See my screenshot for reference. I have highlighted everything you need to change, but make sure the rest is the same too
NOTE! This screenshot was from an older guide, so you may see that I have 1194 listed. This should be 1198
User Authentication Settings
This one is pretty self explanatory, enter your PIA username and password, and don't check the box to not retry on fail
Note (1/2/19): It has been suggested that PIA sometimes has an issue with authentication retry, and that you would be better served CHECKING the box so that pfSense doesn't try and re-auth. Personally I have never had any issues with authentication, but keep this in mind
Cryptographic Settings
For this section, uncheck the TLS key box, Select your PIA-CA you created earlier and uncheck NCP
I have had nothing but issues with NCP, if you want to play around with it later you can always come back and enable it, but for this guide we are turning it off. Most of these options can be tweaked, so once you get it working come back and decide what you want to use. PIA has a list of supported algorithms
Select SHA1 as the auth digest algorithm
Tunnel Settings
Change Compression to Adaptive LZO, change topology to net30 and check the "Don't pull routes" box
If you don't check this box, all traffic will go over the VPN by default, which is probably not what you want. If that IS what you want, then leave it unchecked.
Advanced Configuration
In the custom options box, enter
remote-cert-tls server
and set the gateway creation to IPv4 only (Since PIA doesn't support IPv6 at the time of writing)
Finally, click save.
Interface Assignment
Now go to Interfaces > Assignments
On the dropdown for "Available Network Ports" you should see your PIA VPN listed. Mine is called ovpnc1 (Private Internet Access). Mine isn't listed because I already have it bound to an interface
Select yours, and click add
Now that the interface has been added, click on the interface name, here I am clicking on OPT5, but yours will be different. It should be at the bottom of the list
Now you can check the box to enable the interface, and give it a better name, I called mine PIA_VPN.
Also make sure the reserved network checkboxes are unchecked.
Click save
Outbound NAT
Now navigate to Firewall > NAT and click out Outbound
Click the radio button to change the outbound NAT mode to Hybrid, and click Save
Now we need to create some outbound NAT rules. You only need to create the NAT rules for networks you want to reach the VPN. So you will need localhost, and then probably just your LAN network. I have added some other networks so they can access the VPN too.
I have highlighted the ones you need to make. Just make your screen look like mine!
First, the localhost to PIA rules. You can copy mine 100% for these as long as your interface is correct
The first Localhost to PIA rule
The ISAKMP Localhost to PIA rule
Moving on to the LAN rules. You need to change my 10.0.0.0/24 entry to whatever your network is!
The first LAN to PIA rule
The ISAKMP LAN to PIA rule
Done? Make sure it looks like mine does. If it looks off, go back and verify. If you need to re-order the rules, just drag them and click save in the bottom right
Gateway Monitoring
By default the PIA gateway will show as down, as it can't monitor the upstream gateway. Here we can fix that as well as change a setting which could cause traffic to leak out over the regular WAN
Go to System > Routing and click on Gateways
Now click the pencil button to edit the gateway for PIA
Now enter a monitor IP for the interface to monitor. I chose to enter 4.2.2.2
This will not give you a very accurate latency reading for your interface, but it will verify the connection is working, and if there is a connection issue like high packet loss
Click save
Now your gateway should show as connected and online
Next, go to System >Advanced > Miscellaneous and scroll down to Gateway Monitoring. Check the box to not create rules when gateway is down
Service Watchdog
Now we will install and configure the service watchdog package. This will restart the OpenVPN service and reconnect PIA if it disconnects/crashes for some reason
Click on System > Package Manager
And then click on available packages, search for "watch" to find Service_Watchdog. Finally Click Install and then confirm the install
Now go to Services > Service Watchdog and click on Add new service
From here, select your PIA service
And click add
Now its configured, and will restart the service if needed
Firewall Rules
First we will create an alias to use in the firewall rule. This will let you add and remove IP's at will without having to modify the rule and add more rules for more devices.
First, lets go to Firewall > Aliases and click on IP and then click add
Now go ahead and add the IP's for the devices you want to use the VPN only, and give them a description if you want. Click save.
Now head over to Firewall > Rules and click on LAN
Here you can see the two rules which control where the traffic goes
These rules need to be ABOVE the default Lan to Any rule, and the deny rule needs to be BELOW the rule which specifies the gateway.
The reason we have the deny rule is so that if the VPN disconnects, traffic doesn't start going over the default gateway.
Let's get into the first rule which pushes traffic across the VPN gateway. Make sure to specify the source as the alias we created. Then click on Advanced, and specify the PIA_VPN gateway, click save and apply the rule
Then, lets create the deny rule. Make sure the action is Block and you specify the alias again. We do not need to specify the gateway here as we are blocking on the default gateway
Click save, and apply the rule. Make sure they are in the correct order!
Now we have done that, you should be done. Everything on those IP's in the alias will go over the VPN. If the VPN disconnects, no internet traffic will pass and as long as the IP doesn't change, traffic CAN NOT go over the normal gateway
Important DNS Note
If you are not using DNS over TLS to a trusted, privacy oriented DNS Resolver like CloudFlare's 1.1.1.1, then you will leak your IP over DNS and this could be a problem
To get around this, you should hard code PIA's DNS servers on the system you are putting over the VPN. The DNS servers are 209.222.18.222 and 209.222.18.218
Be sure to check if your DNS requests are leaking your normal public IP: https://www.dnsleaktest.com/
Setting these DNS server will probably affect local DNS resolution, so you should really just use DNS over TLS...
https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
You could create some NAT rules to intercept DNS requests and force them elsewhere, but it's more work than just using DNS over TLS, which you REALLY should be doing anyway...
Thats it!