
This guide sets up an OpenVPN client on a pfSense firewall so that every device on the home network reaches the Internet through the VPN.
It is assumed that you already have pfSense set up and running. For more on installing pfSense, see Home network setup subnets with pfSense firewall.
What is used in this guide?
- pfSense firewall
- VPN protocol: OpenVPN
- VPN service provider: PrivateInternetAccess (PIA)
What do you need?
- Certificate Authority for PIA
- VPN Server host name & port number
- VPN service account user name & password
Setup VPN using OpenVPN
First sign in to pfSense.
1. Import Certificate Authority from VPN provider
Which Certificate Authority to import depends on the encryption cipher you choose; PIA publishes one CA per cipher strength.
- Encryption cipher: AES-128-GCM
- Certificate Authority: ca.rsa.2048.crt
PIA recommends AES-128-GCM over AES-CBC. If you prefer a different cipher, check PIA's full list of encryption ciphers, CAs and ports and import the matching CA and port instead.
- go to System > Cert.Manager
- select Add

Setup Certificate Authority for PIA
- enter name such as PIA-2048
- select Import an existing Certificate Authority
- copy and paste content of ca.rsa.2048.crt to Certificate data
- click Save

2. Setup OpenVPN client
- go to VPN > OpenVPN > Clients
- click Add

General Information
You need to decide which VPN server to use. This guide uses us-west.privateinternetaccess.com.
- enter us-west.privateinternetaccess.com as Server host
- Server port: 1198
- optional Description about this VPN connection

User Authentication Settings
- your VPN account username
- your VPN account password
- retype your password

Cryptographic Settings
- TLS Configuration: unchecked
- Peer Certificate Authority: PIA-2048 (imported CA)
- Encryption Algorithm: AES-128-GCM
- Enable NCP: unchecked
- Auth digest algorithm: SHA1 (160-bit)

Tunnel Settings
- Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]. This matches the setting in PIA's own configuration files; note that compression of encrypted traffic is generally discouraged (the VORACLE attack against compressed VPN traffic), so only enable it because the server expects it.

Advanced Configuration
- Custom options (one per line):
  persist-key
  persist-tun
  remote-cert-tls server
  reneg-sec 0
  auth-retry interact
- Gateway creation: IPv4 only
- click Save

3. Outbound NAT rules for OpenVPN
- go to Firewall > NAT > Outbound
- select Manual Outbound NAT rule generation
- click Save

Duplicate all rules for OpenVPN
Every outbound NAT rule that exists for the WAN interface needs a copy for the OpenVPN interface; otherwise traffic leaving through the tunnel is not translated to the tunnel address and gets dropped by the provider.
So for first rule,
- select action Add a new mapping based on this one

- change Interface from WAN to OpenVPN
- click Save

Repeat for all other rules.
IMPORTANT: once outbound NAT is in manual mode, rules are no longer generated automatically. When you add subnets (interfaces) in the future, you must add the outbound NAT rules for the new subnet yourself, for both WAN and OpenVPN.
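Clicking "Add a new mapping based on this one" for every rule is error-prone once there are several subnets, and it is the step that gets forgotten when a subnet is added later. The script below is an added example, not part of the original guide or of pfSense: it takes a pfSense config.xml backup, finds every outbound NAT rule bound to WAN that has no counterpart on the OpenVPN interface, and appends the missing copies. It assumes the config.xml layout `<nat><outbound><rule>...<interface>wan</interface>` and that the OpenVPN interface group is named `openvpn` in config.xml; the embedded XML is a constructed sample, not a real backup.

```python
"""Duplicate pfSense outbound NAT rules from WAN to the OpenVPN interface.

Added example for the "Duplicate all rules for OpenVPN" step. Assumptions:
rules live under <nat><outbound>, the WAN rules carry <interface>wan</interface>,
and the OpenVPN client's interface group is named "openvpn" in config.xml.
SAMPLE_CONFIG is a constructed backup, trimmed to the fields the logic needs.
"""
import copy
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <outbound>
      <mode>manual</mode>
      <rule>
        <source><network>192.168.1.0/24</network></source>
        <sourceport></sourceport>
        <descr>LAN to WAN</descr>
        <target></target>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.2.0/24</network></source>
        <sourceport></sourceport>
        <descr>IoT to WAN</descr>
        <target></target>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>127.0.0.0/8</network></source>
        <sourceport>500</sourceport>
        <staticnatport></staticnatport>
        <descr>localhost ISAKMP to WAN</descr>
        <target></target>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.1.0/24</network></source>
        <sourceport></sourceport>
        <descr>LAN to OpenVPN</descr>
        <target></target>
        <interface>openvpn</interface>
        <destination><any></any></destination>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""

SRC_IFACE = "wan"
DST_IFACE = "openvpn"  # assumed config.xml name of the OpenVPN interface group


def _text(el, path):
    """Text of a child element, or "" when it is absent or empty."""
    return (el.findtext(path) or "").strip()


def rule_key(rule):
    """Identity of a rule ignoring interface and description: source network,
    source port, and whether static-port is set. Used to skip rules that
    already have an OpenVPN counterpart."""
    return (_text(rule, "source/network"), _text(rule, "sourceport"),
            rule.find("staticnatport") is not None)


def outbound_rules(config_xml):
    """List of (interface, source network) for every outbound NAT rule."""
    root = ET.fromstring(config_xml)
    return [(_text(r, "interface"), _text(r, "source/network"))
            for r in root.findall("nat/outbound/rule")]


def duplicate_wan_rules(config_xml, src=SRC_IFACE, dst=DST_IFACE):
    """Clone every rule on `src` that has no counterpart on `dst`.

    Returns (new_config_xml, added) where added is a list of
    (source network, new description). Existing `dst` rules are respected,
    so running the function again on its own output adds nothing.
    """
    root = ET.fromstring(config_xml)
    outbound = root.find("nat/outbound")
    if outbound is None:
        raise ValueError("config has no <nat><outbound> section")
    # Copied rules only take effect when pfSense is not regenerating rules
    # itself; the guide uses manual mode, hybrid also honours manual rules.
    if _text(outbound, "mode") not in ("manual", "hybrid"):
        raise ValueError("outbound NAT must be in manual (or hybrid) mode")

    rules = outbound.findall("rule")
    existing_dst = {rule_key(r) for r in rules if _text(r, "interface") == dst}
    added = []
    for r in rules:
        if _text(r, "interface") != src or rule_key(r) in existing_dst:
            continue
        clone = copy.deepcopy(r)
        clone.find("interface").text = dst
        descr = clone.find("descr")
        new_descr = "OpenVPN copy: " + (descr.text or "") if descr is not None else ""
        if descr is not None:
            descr.text = new_descr
        outbound.append(clone)
        existing_dst.add(rule_key(r))
        added.append((rule_key(r)[0], new_descr))
    return ET.tostring(root, encoding="unicode"), added


if __name__ == "__main__":
    new_xml, added = duplicate_wan_rules(SAMPLE_CONFIG)
    for network, descr in added:
        print(f"added {DST_IFACE} rule for {network}: {descr}")
    print(new_xml)
```

To use it on a real firewall, download a backup from Diagnostics > Backup & Restore, run the script on it, inspect the diff, and restore the edited file (keeping the original backup). Real backups wrap descriptions in CDATA; ElementTree reads those fine and writes them back escaped, which is the same XML. Rerunning the script on a configuration that already has its OpenVPN copies is a no-op, so it can double as a check after a new subnet is added.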
4. Check the VPN connection
Your VPN should be up and running now.
Check the status under Status > OpenVPN: the client should show as up, with a virtual address assigned by PIA and the byte counters increasing as devices use the Internet.
Then open PIA's What's My IP Address page from a device on the LAN to confirm that the address shown is the VPN server's, not your ISP's.
Be aware that nothing in this setup is a kill switch: if the tunnel drops, the default route PIA pushed disappears with it and LAN traffic falls back to the WAN gateway unencrypted.
Cindy
10 Apr 2020
Hi,
I have read other guides like yours on VPN setup. https://netosec.com/vpn-with-pfsense/ None mention having to set firewall rules on the OpenVPN interface. Do the NAT Outgoing rules take the place of the firewall rules?
Thanks,
Cindy
Alan Chan
11 Apr 2020
There’s no need to set firewall rules on the OpenVPN interface. The OpenVPN interface represents the subnet from the VPN provider.
No rules means no access from VPN provider subnet to your network.
Jason
8 Oct 2020
Hi Alan,
If I want to use an additional firewall layer, what would that configuration look like?
Thanks.
Alan Chan
8 Oct 2020
The firewall rules of your interfaces should apply to the VPN connection too.
Anonymous
26 Dec 2020
Hi Alan,
Thanks, it worked for my setup. But what do I do if I want to add another VPN config, let's say to connect to Asia?
Alan Chan
15 Feb 2021
You would need to create another VPN client for the different server.
Or manually change the configuration of VPN client to point to Asia instead.
Timby
6 Feb 2021
Brilliant and well done. Simple and to the point. Followed the instructions, and it “just worked”. Can’t say that for other guides. The “official” one at PIA was like swiss cheese. A cool follow-on would be to outline adding VLANs/subnets, fiddling with parameters for performance, and enhancing security.
Alan Chan
15 Feb 2021
Thanks. Glad that it just worked for you. Cheers, Alan
Anonymous
17 Jul 2021
Hi Alan, is it possible to create a custom rule in pfSense for streaming? I have one streaming service that doesn’t work with VPN (Kayo Sports in Australia). I am currently using 1.1.1.1, but PIA looks more attractive. Cheers
Alan Chan
23 Aug 2021
Yes, you can set up rules to exclude some traffic from using the VPN.
bobo
25 Jan 2022
What does a rule look like to exclude traffic from the VPN?
Alan Chan
10 Feb 2022
No rule needed. Traffic from the VPN is not allowed to your network by default.