Routing specific traffic over PIA VPN using pfSense

While i do somewhat trust my ISP, I certainly do not trust my government. There is some traffic going in and out of my network that i’d rather not have tied back to me (Im not talking highly illegal stuff, where anyone or anything gets hurt, think more “downloading linux iso’s”.  So, i created a new VLAN for these devices and went about working on routing that traffic over my PIA VPN. Heres how.

Firstly, if you dont already have a PIA subscription, get one. They are cheap and keep no logs. Feel free to click the ad on the right, note, this is my affiliate link, i will get a kick-back from them if you do.

 

Adding the PIA CA Cert

We need to download the PIA CA Cert and the import that into pfSense.

Grab it from here:  https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt

NOTE: In these screenshots, i already have is added. Just copy what you see.

In pfSense, go to “System” then “Cert. Manager”. Yours will probably be blank, so press the “Add” button.

All we need to do here is add a “Name” and then copy and paste the contents of the CA Cert you downloaded earlier. This needs to be pasted into the “Certificate Data” box.

Then Press save.

 

OpenVPN Client Configuration

The next step is to setup your pfSense firewall as an OpenVPN client for your PIA Service. For this, go to “VPN” > “OpenVPN” > “Clients”.

Again, this will likely be blank so click the “Add” button.

These are the settings that i have used (and work for me.)

NOTE: I added an additional option to the “Customer Options” This was suggested by /u/MonsterMufffin on Reddit.

These custom options are below so you can just copy and paste them in:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
route-nopull

That should be all you need to bring the VPN up, go to “Status” > “OpenVPN” and you should see the tunnel is up:

Creating the Interface

This is a quick section, we need to create an interface on our pfSense machine. Go to: “Interfaces” > “Assignments”

In the “Available Network Ports” you should have the new VPN we have created, just press “Add”. In the next page just change the name and press “Save”

Creating the Gateway

For me, this was created automatically. But its work double checking that it is there. Go to: “System” > “Routing” > “Gateways” and see if you have a PIA Gateway, the list should look similar to this:

IF the gateway hasnt been created, you can use the following settings, just change the name and interface to suit your own environment / naming convention.

Adding the outbound NAT Rule

This section is probably the most difficult bit to get setup and working. Provided you follow these instructions, you should end up with a working setup (and also not hosing your current setup).

Go to “Firewall” > “NAT” > “Outbound”

Ensure the “Outbound NAT Mode” is set to “Hybrid”

Now press the “Add” Button, you want this rule to be the 1st that gets hit. So use the “Add” button with the arrow pointing up.

On the next page we need to make a few changes, use the following settings as a guide, but make sure you change the “Interface” and “Source” to your own.

All thats left now is the firewall rules themselves.

Adding the firewall rules

The final part to this run through is allowing the traffic to flow.

Firstly, id mention that that i made this VLAN specifically for these devices. So im fine to allow all traffic from all hosts in the subnet to send their traffic over the tunnel.

Go to “Firewall” > “Rules” > Then the network the devices are on (for me, “VLAN23GUESTWIFI”

The only difference with this rule and all the other rules we would normally create is we need to go into the “Advanced Settings” and change the “Gateway”. Again, follow these instructions and you should end up with a working setup.

Then press “Add” then use the following settings as a base, but changing the details to those relevant to your own network.

Then press “Save”.

That should be it. Give it a test.

 

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *