Routing specific traffic over a PIA VPN using PfSense
While i do somewhat trust my ISP, I certainly do not trust my government. There is some traffic going in and out of my network that i’d rather not have tied back to me (Im not talking highly illegal stuff, where anyone or anything gets hurt, think more “downloading linux iso’s” and live streaming uhh iso’s). So, i created a new VLAN for these devices and went about working on routing that traffic over my PIA VPN. Heres how.
Firstly, if you dont already have a PIA subscription, get one. They are cheap and keep no logs. Feel free to click the ad the top (or click Here), note, this is my affiliate link, i will get a kick-back from them if you do.
Adding the PIA CA Cert
We need to download the PIA CA Cert and the import that into pfSense.
Grab it from here: PIA CA Cert
NOTE: In these screenshots, i already have is added. Just copy what you see.
In pfSense, go to
Cert. Manager. Yours will probably be blank, so press the
All we need to do here is add a
Name and then copy and paste the contents of the CA Cert you downloaded earlier. This needs to be pasted into the
Certificate Data box.
Then Press save.
OpenVPN Client Configuration
The next step is to setup your pfSense firewall as an OpenVPN client for your PIA Service. For this, go to
Again, this will likely be blank so click the
These are the settings that i have used (and work for me.)
NOTE: I added an additional option to the
Custom Options This was suggested by /u/MonsterMufffin on Reddit.
These custom options are below so you can just copy and paste them in:
persist-key persist-tun remote-cert-tls server reneg-sec 0 route-nopull
That should be all you need to bring the VPN up, go to
OpenVPN and you should see the tunnel is up:
Creating the Interface
This is a quick section, we need to create an interface on our pfSense machine. Go to:
Available Network Ports you should have the new VPN we have created, just press
Add. In the next page just change the name and press
Creating the Gateway
For me, this was created automatically. But its worth double checking that it is there. Go to:
Gateways and see if you have a PIA Gateway, the list should look similar to this:
IF the gateway hasnt been created, you can use the following settings, just change the name and interface to suit your own environment / naming convention.
Adding the outbound NAT Rule
This section is probably the most difficult bit to get setup and working. Provided you follow these instructions, you should end up with a working setup (and also not hosing your current setup).
Outbound NAT Mode is set to
Now press the
Add Button, you want this rule to be the 1st that gets evaluated. So use the
Add button with the arrow pointing up.
On the next page we need to make a few changes, use the following settings as a guide, but make sure you change the
Source to your own.
All thats left now is the firewall rules themselves.
Adding the firewall rules
The final part to this run through is allowing the traffic to flow.
Firstly, id mention that that i made this VLAN specifically for these devices. So im fine to allow all traffic from all hosts in the subnet to send their traffic over the tunnel.
Rules > Then the network the devices are on (for me,
The only difference with this rule and all the other rules we would normally create is we need to go into the
Advanced Settings and change the
Gateway. Again, follow these instructions and you should end up with a working setup.
Add then use the following settings as a base, but changing the details to those relevant to your own network.
Save. Give it a test.