Figure: network diagram of a home network using pfSense with 2 subnets and a VPN client on the firewall

This guide sets up an OpenVPN client on the pfSense firewall so that all devices within the home network use the VPN for all Internet access.

It is assumed that you already have a pfSense firewall set up and running. For more info on how to set up and install pfSense, check out Home network setup subnets with pfSense firewall.

What is used in this guide?

What do you need?

  • Certificate Authority for PIA
  • VPN Server host name & port number
  • VPN service account user name & password

Setup VPN using OpenVPN

First sign in to pfSense.

1. Import Certificate Authority from VPN provider

Which Certificate Authority to use depends on the encryption cipher you choose to use.

  • Encryption cipher to use: AES-128-GCM
  • Certificate Authority: ca.rsa.2048.crt

PIA recommends AES-128-GCM over AES-CBC. If you prefer to use a different encryption cipher, check out PIA’s full list of encryption ciphers, CAs and ports; the CA file and port you need depend on the cipher you pick.

  • go to System > Cert. Manager
  • select Add

Setup Certificate Authority for PIA

  1. enter name such as PIA-2048
  2. select Import an existing Certificate Authority
  3. copy and paste content of ca.rsa.2048.crt to Certificate data
  4. click Save

2. Setup OpenVPN client

  • go to VPN > OpenVPN > Clients
  • click Add

General Information

You need to determine which VPN server to use. We will use us-west.privateinternetaccess.com for this guide.

  1. Server host: us-west.privateinternetaccess.com
  2. Server port: 1198
  3. Description: optional text describing this VPN connection

User Authentication Settings

  1. Username: your VPN account username
  2. Password: your VPN account password
  3. retype your password

Cryptographic Settings

  1. TLS Configuration: unchecked
  2. Peer Certificate Authority: PIA-2048 (imported CA)
  3. Encryption Algorithm: AES-128-GCM
  4. Enable NCP: unchecked
  5. Auth digest algorithm: SHA1 (160-bit)

Tunnel Settings

  1. Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]

Advanced Configuration

  1. Custom options:
    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
    auth-retry interact
  2. Gateway creation: IPv4 only
  3. click Save

3. Outbound NAT rules for OpenVPN

  1. go to Firewall > NAT > Outbound
  2. select Manual Outbound NAT rule generation
  3. click Save

Duplicate all rules for OpenVPN

For each rule that already exists for the WAN interface, we need to create a duplicate for the OpenVPN interface.

So for the first rule:

  1. select the action Add a new mapping based on this one
  2. change Interface from WAN to OpenVPN
  3. click Save

Repeat for all other rules.

IMPORTANT: once outbound NAT is in manual mode, rules for subnets (interfaces) you add in the future will no longer be generated automatically. For each new subnet, you need to add the outbound NAT rules yourself, for both WAN and OpenVPN.

4. Check the VPN connection

Your VPN should be up and running now.

Check the status by going to Status > OpenVPN and you should see the OpenVPN client is up and running.

You can also go to PIA’s What’s My IP Address to confirm your VPN connection.
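The two checks above rely on a web page and the pfSense status screen. The script below is an added example, not part of the original guide, that performs the same verification from the pfSense shell (Diagnostics > Command Prompt or SSH): it confirms that the OpenVPN client tunnel has an address and that a route lookup for a public address leaves through the tunnel rather than through WAN, which is what "all Internet access via VPN" actually requires. It assumes the client tunnel interface is named ovpnc1 (pfSense's usual name for the first OpenVPN client instance) and that the FreeBSD `route -n get` and `ifconfig` output looks like the constructed samples embedded in it; the dry run uses those samples, and `--live` runs the real commands on the firewall.

```shell
#!/bin/sh
# Added example, not from the original guide: verify from the pfSense shell
# that Internet-bound traffic really leaves through the OpenVPN client tunnel.
#
# Assumptions (not stated on the page): the tunnel interface is ovpnc1, and
# "route -n get" / "ifconfig" print in the FreeBSD formats sampled below.

# Print the outgoing interface named in the output of "route -n get <addr>".
route_get_iface() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# Exit 0 only when the route lookup points at an OpenVPN client interface;
# anything else (e.g. the WAN NIC) means traffic would bypass the VPN.
vpn_path_ok() {
    case "$(route_get_iface "$1")" in
        ovpnc*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Exit 0 only when the tunnel interface carries an IPv4 address, i.e. the
# OpenVPN client completed its handshake and pulled an address from PIA.
tunnel_has_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Constructed sample outputs for the dry run (modelled on FreeBSD formats).
# With "redirect-gateway def1" pushed by the server, the matching route for a
# public address is 0.0.0.0/1 or 128.0.0.0/1 via the tunnel, not "default".
SAMPLE_ROUTE_VPN='   route to: 1.1.1.1
destination: 0.0.0.0
       mask: 128.0.0.0
    gateway: 10.24.10.1
        fib: 0
  interface: ovpnc1
      flags: <UP,GATEWAY,DONE,STATIC>'

SAMPLE_ROUTE_LEAK='   route to: 1.1.1.1
destination: default
       mask: default
    gateway: 203.0.113.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'

SAMPLE_IFCONFIG_UP='ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 10.24.10.6 --> 10.24.10.5 netmask 0xffffffff
    groups: tun openvpn'

SAMPLE_IFCONFIG_DOWN='ovpnc1: flags=8050<POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    groups: tun openvpn'

# Combined check: prints a verdict and returns 0 (VPN in use) or 1 (not).
vpn_check() {
    route_out=$1
    ifconfig_out=$2
    if ! tunnel_has_inet "$ifconfig_out"; then
        echo "FAIL: tunnel interface has no IPv4 address (client not connected)"
        return 1
    fi
    if ! vpn_path_ok "$route_out"; then
        echo "FAIL: Internet traffic routed via $(route_get_iface "$route_out"), not the VPN"
        return 1
    fi
    echo "OK: Internet traffic leaves via $(route_get_iface "$route_out")"
    return 0
}

# "sh vpn_check.sh --live" on the firewall checks the real state; without the
# flag the constructed samples are evaluated so the logic can be read offline.
if [ "${1:-}" = "--live" ]; then
    vpn_check "$(route -n get 1.1.1.1 2>/dev/null)" "$(ifconfig ovpnc1 2>/dev/null)"
else
    vpn_check "$SAMPLE_ROUTE_VPN" "$SAMPLE_IFCONFIG_UP" || true     # OK
    vpn_check "$SAMPLE_ROUTE_LEAK" "$SAMPLE_IFCONFIG_UP" || true    # FAIL: leak via em0
    vpn_check "$SAMPLE_ROUTE_VPN" "$SAMPLE_IFCONFIG_DOWN" || true   # FAIL: tunnel down
fi
```

Run the script with `--live` both while the client shows as up in Status > OpenVPN and after deliberately stopping it: in the second case the route lookup falls back to the WAN interface, which is exactly the condition the outbound NAT rules alone do not prevent.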
