How to setup VPN on pfSense 2.4.2

Welcome back, everyone! Today I have some more pfSense goodness for you. I will show you how to setup VPN on pfSense 2.4.2 – so that you have your VPN connection directly on the router level. With this method, all internet traffic will be routed through your VPN Tunnel.

I found that over the years PIA has proven itself to become my go-to VPN provider. I tried a couple of other options like Nord VPN but didn’t like it as much as PIA. PIA doesn’t save any user logs and also provides full-speed. So far I never had a problem, always surfing at the maximum speed that my ISP provides.

That being said, if you want to try out PIA, sign up with them over the link in the sidebar or directly here.

Alright, enough talk, let’s get started.

Step 1 – Downloading the PIA Certificate Authority

First, we need to download the PIA Certificate Authority from the PIA Website. I recommend using Google Chrome for the Download, as Firefox wants to directly import it. Just save it somewhere and right-click it and open it with a text editor like notepad. Copy all the files contents.

Step 2 – Installing the Certificate Authority in pfSense

Next, we are going to install the CA in pfSense. So log in to your pfSense firewall and navigate to System -> Certificate Manager -> CAs. Click on Add.

Paste in the text from the PIA CA and give it a name. Click Save.

Step 3 – Creating the OpenVPN Client

Navigate to VPN -> OpenVPN -> Clients and click on Add. Now you need to go ahead and choose a VPN Server from PIA. I would advise choosing one closest to your location for the best results.

Now we got to enter a couple of things:

• Server host or address: germany.privateinternetaccess.com
• Server port: 1198
• Username + Password
• Uncheck Use a TLS Key
• Peer Certificate Authority: Our PIA CA that we created earlier
• Encryption Algorithm: AES-128-CBC(128bit key, 128bit block)
• Enable NCP
• Auth digest algorithm: SHA1(160-bit)
• Hardware Crypto: No Hardware Crypto Acceleration
• Compression: Adaptive LZO Compression
• Custom Options:
  • persist-key
  • persist-tun
  • remote-cert-tls server
  • reneg-sec 0

Everything else stays on default. Use the screenshot below to verify all settings.

Phew, ok. We got that down.

Now  navigate to Status -> OpenVPN.

If you did every step correctly, you get presented with an established connection.

Step 4 – Creating NAT Rules

And we are almost done, now we just have to create some NAT Rules. Navigate to Firewall -> NAT -> Outbound.

Set the Outbound NAT Mode to Manual Outbound NAT and copy the first rule on the bottom. Change the interface to OpenVPN. Repeat this step for all the other rules too.

Finally, click on Save to apply all changes. Reboot your firewall for good measure.

Now all your internet traffic is routed over your PIA VPN Server. Easy, isn’t it? You don’t need to worry about privacy anymore, as all your devices traffic is routed over your VPN.

Until next time.