[Figure: network diagram for using a VPN with pfSense, showing a home network using pfSense with 2 subnets]

This guide sets up a VPN client on the pfSense firewall so that every device in the home network uses the VPN for all Internet access.

It is assumed that you already have a pfSense firewall set up and running. For more information on how to set up and install pfSense, see Home network setup subnets with pfSense firewall.

What is used in this guide?

What do you need?

  • Certificate Authority (CA) certificate from PIA
  • VPN server host name and port number
  • VPN service account user name and password

Setup VPN using OpenVPN

First sign in to pfSense.

1. Import Certificate Authority from VPN provider

Which Certificate Authority to use depends on the encryption cipher you choose to use.

  • Encryption cipher to use: AES-128-GCM
  • Certificate Authority: ca.rsa.2048.crt

PIA recommends AES-128-GCM over AES-CBC. If you prefer to use a different encryption cipher, check PIA’s full list of encryption ciphers, CAs and ports; the CA certificate and port depend on the cipher you pick.

  • go to System > Cert. Manager
  • select Add
[screenshot: pfSense add certificate authority]

Setup Certificate Authority for PIA

  1. enter a name such as PIA-2048
  2. select Import an existing Certificate Authority
  3. copy and paste the content of ca.rsa.2048.crt into Certificate data
  4. click Save
[screenshot: import certificate authority]

2. Setup OpenVPN client

  • go to VPN > OpenVPN > Clients
  • click Add
[screenshot: add OpenVPN client]

General Information

You need to determine which VPN server to use. We will use us-west.privateinternetaccess.com for this guide.

  1. Server host: us-west.privateinternetaccess.com
  2. Server port: 1198
  3. Description: optional description of this VPN connection
[screenshot: VPN client general information]

User Authentication Settings

  1. Username: your VPN account username
  2. Password: your VPN account password
  3. retype your password
[screenshot: user authentication settings]

Cryptographic Settings

  1. TLS Configuration: unchecked
  2. Peer Certificate Authority: PIA-2048 (the imported CA)
  3. Encryption Algorithm: AES-128-GCM
  4. Enable NCP: unchecked
  5. Auth digest algorithm: SHA1 (160-bit)
[screenshot: cryptographic settings]

Tunnel Settings

  1. Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
[screenshot: tunnel settings]

Advanced Configuration

  1. Custom options:
    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
    auth-retry interact
  2. Gateway creation: IPv4 only
  3. click Save
[screenshot: advanced configuration]
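The GUI fields above map one-to-one onto OpenVPN client directives, and seeing them as a config file makes it clearer what each setting buys you, in particular why remote-cert-tls server is in the custom options. The following is an added example, not pfSense or PIA code: it renders the guide's settings as an OpenVPN client config and lints the result. The protocol value is an assumption (the guide does not state it; UDP is the pfSense default for a new client), and ncp-disable is the OpenVPN 2.4-era directive for "Enable NCP: unchecked".

```python
"""Render the pfSense OpenVPN client fields from this guide as the equivalent
OpenVPN client directives, then lint the result for the options that make the
tunnel authenticate the provider.  Added example, not pfSense or PIA code."""

# Field values are the guide's own; 'protocol' is an assumption (the guide does
# not state it; UDP is the pfSense default for a new client).
GUIDE_SETTINGS = {
    "server_host": "us-west.privateinternetaccess.com",
    "server_port": 1198,
    "protocol": "udp",
    "ca_file": "ca.rsa.2048.crt",
    "cipher": "AES-128-GCM",
    "auth_digest": "SHA1",
    "ncp_enabled": False,
    "compression": "comp-lzo adaptive",
    "custom_options": [
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",
        "reneg-sec 0",
        "auth-retry interact",
    ],
}


def render_client_config(settings):
    """Map each GUI field to its OpenVPN directive and return the config text."""
    lines = [
        "client",
        "dev tun",
        f"proto {settings['protocol']}",
        f"remote {settings['server_host']} {settings['server_port']}",
        f"ca {settings['ca_file']}",            # Peer Certificate Authority
        f"cipher {settings['cipher']}",         # Encryption Algorithm
        f"auth {settings['auth_digest']}",      # Auth digest algorithm
        "auth-user-pass",                       # User Authentication Settings
    ]
    if not settings["ncp_enabled"]:
        lines.append("ncp-disable")             # "Enable NCP: unchecked" (OpenVPN 2.4 directive)
    if settings["compression"]:
        lines.append(settings["compression"])   # Tunnel Settings > Compression
    lines.extend(settings["custom_options"])    # Advanced Configuration > Custom options
    return "\n".join(lines) + "\n"


def lint_client_config(text):
    """Return a list of findings; an empty list means every check passed."""
    directives = [ln.strip() for ln in text.splitlines()
                  if ln.strip() and not ln.startswith("#")]
    by_name = {d.split()[0]: d for d in directives}
    findings = []
    if "remote-cert-tls server" not in directives:
        # Without it, any certificate the CA issued (a client cert included)
        # would be accepted as the server's.
        findings.append("missing 'remote-cert-tls server': peer is not required "
                        "to present a server certificate")
    if "ca" not in by_name:
        findings.append("missing 'ca': server certificate is not validated "
                        "against the provider's CA")
    cipher = by_name.get("cipher", "")
    if "GCM" not in cipher.upper():
        shown = cipher or "no cipher"
        findings.append(f"'{shown}' is not an AEAD (GCM) cipher; "
                        "PIA recommends AES-128-GCM")
    return findings


if __name__ == "__main__":
    config = render_client_config(GUIDE_SETTINGS)
    print(config)
    print("findings:", lint_client_config(config) or "none")
```

Running the script prints the rendered config and "findings: none" for the guide's settings; dropping remote-cert-tls server or switching to a CBC cipher produces a finding for each.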

3. Outbound NAT rules for OpenVPN

  1. go to Firewall > NAT > Outbound
  2. select Manual Outbound NAT rule generation
  3. click Save
[screenshot: manual outbound NAT rule]

Duplicate all rules for OpenVPN

For each rule that already exists for the WAN interface, we need to create a duplicate for the OpenVPN interface.

So for the first rule,

  1. select the action Add a new mapping based on this one
  2. change Interface from WAN to OpenVPN
  3. click Save

Repeat for all other rules.

IMPORTANT: when you add more subnets (interfaces) in the future, these outbound NAT rules won’t be generated automatically anymore. Therefore, for the new subnets, you would need to manually add these outbound NAT rules for both WAN & OpenVPN.
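Duplicating rules by hand, and remembering to do it again for every subnet added later, is the step people miss. The following added example (not pfSense code) works on a constructed config.xml excerpt modelled on pfSense's layout; the tag names (interfaces/ipaddr/subnet, nat/outbound/rule/interface, source/network) are an assumption to verify against your own config.xml before relying on the script. It reports every LAN-side subnet that lacks an outbound rule on WAN or on OpenVPN, and clones the WAN rules onto OpenVPN the way the "Add a new mapping based on this one" step does.

```python
"""Check and complete pfSense manual outbound NAT rules for an OpenVPN client
interface.  Added example, not pfSense code; tag names follow pfSense's
config.xml layout as an assumption (check against your own config.xml)."""
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: LAN and OPT1 already have WAN rules, OPT2 was added later
# and has none (the situation the IMPORTANT note describes).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>IOT</descr><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>em3</if><descr>GUEST</descr><ipaddr>192.168.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.1.0/24</network></source>
        <destination><any/></destination>
        <descr>Auto created rule - LAN to WAN</descr>
      </rule>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.2.0/24</network></source>
        <destination><any/></destination>
        <descr>Auto created rule - IOT to WAN</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>"""

VPN_IF = "openvpn"  # pfSense's interface name for the OpenVPN client


def interface_networks(root):
    """Map each LAN-side interface to its IPv4 network, e.g. 'lan' -> '192.168.1.0/24'."""
    nets = {}
    for iface in root.find("interfaces"):
        if iface.tag == "wan":
            continue
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits:
            nets[iface.tag] = str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
    return nets


def rule_key(rule):
    """(interface, source network) identifies an outbound rule for our purposes."""
    return (rule.findtext("interface"), rule.findtext("source/network"))


def missing_rules(root, vpn_if=VPN_IF):
    """Return {network: [interfaces lacking an outbound rule]} for every LAN-side subnet."""
    have = {rule_key(r) for r in root.find("nat/outbound").findall("rule")}
    missing = {}
    for net in interface_networks(root).values():
        gaps = [i for i in ("wan", vpn_if) if (i, net) not in have]
        if gaps:
            missing[net] = gaps
    return missing


def duplicate_wan_rules(root, vpn_if=VPN_IF):
    """Clone every WAN rule that has no OpenVPN twin onto the VPN interface; return count added."""
    outbound = root.find("nat/outbound")
    have = {rule_key(r) for r in outbound.findall("rule")}
    added = 0
    for rule in outbound.findall("rule"):
        iface, net = rule_key(rule)
        if iface != "wan" or (vpn_if, net) in have:
            continue
        clone = copy.deepcopy(rule)
        clone.find("interface").text = vpn_if
        descr = clone.find("descr")
        if descr is not None and descr.text:
            descr.text = descr.text.replace("to WAN", "to OpenVPN")
        outbound.append(clone)
        have.add((vpn_if, net))
        added += 1
    return added


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    print("before:", missing_rules(root))
    print("added", duplicate_wan_rules(root), "OpenVPN rules")
    print("after:", missing_rules(root))   # OPT2 still needs WAN and OpenVPN rules
```

Run against the sample, the script first reports that LAN and IOT lack OpenVPN rules and GUEST lacks both, then adds the two OpenVPN clones and reports only GUEST, which is exactly the subnet the IMPORTANT note says you must handle by hand on both interfaces. On a real firewall, run this against a copy of config.xml (Diagnostics > Backup & Restore) and review the output rather than writing the modified tree back.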

4. Check the VPN connection

Your VPN should be up and running now.

Check the status by going to Status > OpenVPN; the OpenVPN client should show as up and running.

You can also go to PIA’s What’s My IP Address to confirm your VPN connection.

This Post Has 12 Comments

  1. Hi,
    I have read other guides like yours on VPN setup. https://netosec.com/vpn-with-pfsense/ None mention having to set firewall rules on the OpenVPN interface. Do the NAT Outgoing rules take the place of the firewall rules?

    Thanks,
    Cindy

    1. There’s no need to set firewall rules on OpenVPN interface. OpenVPN interface represents the subnet from the VPN provider.
      No rules means no access from VPN provider subnet to your network.

  2. Hi Alan,

    If I want to use an additional firewall layer, how would that configuration look like?

    Thanks.

    1. The firewall rules of your interfaces should apply to the VPN connection too.

  3. Hi Alan
    Thanks, it worked for my setup. But what to do if I want to add another vpn config, let's say connect to Asia?

    1. You would need to create another VPN client for different server.
      Or manually change the configuration of VPN client to point to Asia instead.

  4. Brilliant and well done. Simple and to the point. Followed the instructions, and it “just worked”. Can’t say that for other guides. The “official” one at PIA was like swiss cheese. A cool follow on would be to outline adding vlans/subnets, fiddling with parameters for performance, and enhancing security.

    1. Thanks. Glad that it just worked for you. Cheers Alan

  5. Hi Alan, is it possible to create a custom rule in pfsense for streaming? I have one stream service that doesn’t work with VPN (kayo sports in Australia). I am currently using 1.1.1.1, but it seems PIA looks more attractive. Cheers

    1. Yes, you can setup rules to exclude some traffic from using the VPN.

  6. what does a rule look like to exclude traffic from the vpn?

    1. no rule needed. traffic from vpn is not allowed to your network by default.
