For many, running a VPN on their phone or laptop is sufficient. However, if you are a bit more technically inclined, you might enjoy the benefits to running your Private Internet Access (PIA) VPN client on your custom pfSense router instead! Here are some of those benefits:

  • Increased mobile device battery life - PIA on my Xperia Z5 Android phone consumed 30% of my phone's battery power on average (max encryption settings).
  • Increased VPN speeds on devices that do not have the processing power to encrypt and decrypt data at peak throughput - my Xperia Z5's internet speeds were bottlenecked to 15 Mbps download with VPN versus 93 Mbps download without VPN. My laptop, on the other hand, could sustain 93 Mbps without VPN and 90 Mbps with VPN (max encryption settings).
  • iOS devices on PIA are capped at the default encryption settings.
  • Many devices don't support VPNs at all, such as the Apple TV.
  • Taking full advantage of your probably overpowered pfSense router and your Private Internet Access subscription.

Sadly, Private Internet Access's guides all run PIA on pfSense with mediocre encryption settings: AES-128 data encryption, SHA1 (160 bit) data authentication and an RSA-2048 handshake. Further, all of those guides predate the massive pfSense 2.3 UI refresh! This has always seemed a little questionable to me, considering most pfSense routers are overpowered and are not limited by battery constraints like our mobile devices.

This guide is for those who want to set up PIA VPN on their pfSense router from scratch using maximum encryption settings: RSA 4096, SHA256, AES-256.

Step 1. Prevent DNS Leaks

Before we begin, I recommend making a backup of your configuration just in case something goes wrong. Go to Diagnostics/Backup & Restore to make a backup of your current configuration.

In this step, we will be setting custom DNS servers that the pfSense router will use instead of your ISP's DNS servers.

Go to System/General Setup

Set the DNS servers to Private Internet Access's "logless" DNS servers: &

Next, disable "DNS Server Override." This prevents any connected modem that sits between the pfSense router and your connection to your WAN from changing your DNS servers.

Lastly, disable "DNS Forwarder." This isn't strictly necessary for PIA to work on pfSense, but DNS Forwarder has been replaced by DNS Resolver, and disabling DNS Forwarder here cannot hurt.

System/General Setup

Step 2. Certificate Authority (CA) Setup

Under System/Cert Manager/CAs, click "add."

Set a "Descriptive name." I set mine to "PIA-STRONG."

In the Certificate Data textbox, paste the following:


Click "Save."

System/Certificate Manager/CAs/Edit

Under System/Certificate Manager/CAs, click "Add" again. 

Under "Method," select "Create an internal Certificate Authority" from the dropdown.

Set a "Descriptive name." I use "PIA-internal-CA."

Country Code, State or Province, City, Organization and Email Address can all be fake data. Just add anything (see screenshot below). Key length (bits), Digest Algorithm and Lifetime (days) should be left at their defaults.

Set Common Name to "internal-ca."

Click "Save."

System/Certificate Manager/CAs/Edit

Step 3. Certificate Setup

Under System/Cert Manager/Certificates, click "Add."

Under the "Method" dropdown, select "Create an internal Certificate."

Set a "Descriptive name." I set mine to "PIA-Certificate."

Set "Certificate Authority" to "PIA-internal-CA" or whatever you named your internal certificate authority in the last step.

Country Code, State or Province, City, Organization and Email Address can all be fake data. Just add anything (see screenshot below). Key length (bits), Digest Algorithm and Lifetime (days) should be left at their defaults.

Click "Save."

System/Certificate Manager/Certificates/Edit

Step 4. OpenVPN Setup

Here, we will be storing our Private Internet Access username and password in a text file on the pfSense disk for the OpenVPN client to read later.

Go to Diagnostics/Command Prompt.

Now you will need your Private Internet Access Username and Password. In the Execute Shell Command textbox, type:

echo "p1234567" > /etc/openvpn-passwd.txt; echo "BabyBaby123" >> /etc/openvpn-passwd.txt

Replace p1234567 with your username and BabyBaby123 with your password, as can be seen below.

Press "Execute."

Diagnostics/Command Prompt

Now, go to VPN/OpenVPN/Clients. Click "Add."

Set the options as follows:

  • Disabled = unchecked
  • Server Mode = Peer To Peer (SSL/TLS)
  • Protocol = UDP
  • Device Mode = tun
  • Interface = WAN
  • Local Port= (leave blank)
  • Server host or address = (or any server you choose that PIA offers - click here for list of Server Addresses for all PIA servers)
  • Server Port = 1197
  • Proxy host or address = (leave blank)
  • Proxy port = (leave blank)
  • Proxy authentication extra options = none
  • Server host name resolution = checked, Infinitely resolve server
  • Description = PIA OpenVPN (or whatever you desire)
  • TLS Authentication = unchecked, Enable authentication of TLS packets
  • Peer Certificate Authority = PIA-STRONG
  • Client Certificate = webConfigurator default *In use
  • Encryption algorithm = AES-256-CBC (256-bit)
  • Auth Digest Algorithm = SHA256 (256-bit)
  • Hardware Crypto = No Hardware Crypto Acceleration
  • IPv4 Tunnel Network = (leave blank)
  • IPv6 Tunnel Network = (leave blank)
  • IPv4 Remote Network/s = (leave blank)
  • IPv6 Remote Network/s = (leave blank)
  • Limit outgoing bandwidth = (leave blank)
  • Compression = checked, Compress tunnel packets using the LZO algorithm
  • Type-of-Service = unchecked
  • Disable IPv6 = checked
  • Advanced Configuration = (enter the following into the text field, one item per line with a semicolon separating each; the auth-user-pass path must be the same file you created in the command prompt above)
    auth-user-pass /etc/openvpn-passwd.txt;
    verb 5;
    remote-cert-tls server
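The credentials file and the auth-user-pass option above have to agree, and the file should be readable only by root. The following shell snippet is an added example, not part of the original guide or of pfSense: it writes the two-line file the way the guide does (username, then password), locks its permissions down, and checks that the path named in the "Advanced Configuration" string is the file that was actually written. The username and password are the guide's placeholders; the temporary path used in the demo is a constructed substitute for /etc/openvpn-passwd.txt.

```shell
#!/bin/sh
# Added example (not from the guide): write and validate the OpenVPN
# credentials file that "auth-user-pass <path>" reads on pfSense.

write_auth_file() {
    # $1 = PIA username, $2 = PIA password, $3 = destination path
    # printf, not echo, so backslashes or a leading "-" in a password survive;
    # the subshell keeps the umask change local to this write.
    ( umask 077 && printf '%s\n%s\n' "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
}

check_auth_file() {
    # Succeeds only when the file has exactly two non-empty lines and mode 0600.
    f=$1
    [ -f "$f" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || return 1
    if grep -q '^$' "$f"; then return 1; fi
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU or BSD stat
    [ "$mode" = "600" ]
}

check_custom_options() {
    # $1 = the semicolon-separated "Advanced Configuration" string from pfSense
    # $2 = path the credentials file was actually written to
    # Fails when the auth-user-pass option points somewhere else (the classic
    # openvpn-password.txt vs openvpn-passwd.txt mismatch).
    opt_path=$(printf '%s' "$1" | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]*//p' | head -n 1)
    [ -n "$opt_path" ] && [ "$opt_path" = "$2" ]
}

# Demo on a temporary file; on the router the guide's path is /etc/openvpn-passwd.txt.
demo=$(mktemp)
write_auth_file "p1234567" "BabyBaby123" "$demo"
check_auth_file "$demo" && echo "credentials file OK"
check_custom_options "auth-user-pass $demo;verb 5;remote-cert-tls server" "$demo" \
    && echo "auth-user-pass path matches"
rm -f "$demo"
```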

NOTE: If your pfSense box has an Intel or AMD processor, you should check whether it has AES-NI or AMD Geode LX Security Block encryption hardware acceleration, respectively. Google your processor name and look in the specifications. In the screenshot below, I Googled Intel i3-3220 and scrolled to the bottom of the page to find out whether the processor supports AES-NI.

Checking Intel i3-3220 processor for AES-NI Encryption Hardware Acceleration

If your processor supports encryption hardware acceleration, change Hardware Crypto from "No Hardware Crypto Acceleration" to "BSD cryptodev engine."

Then, go to System/Advanced/Miscellaneous and enable your hardware acceleration type under "Cryptographic Hardware": AES-NI if you have an Intel processor, or AMD Geode LX Security Block if you have an AMD processor.


Step 5. Setup OpenVPN Network Interface

Go to Interfaces/(assign)

Under the "Available network ports:" dropdown, select "ovpnc1(PIA OpenVPN)" and then click "Add."

Click on OPT1 to edit the interface:

Configure as follows...
    - "Enabled" = [check]
    - "Description" = "PIA-Interface"
    - "IPv4 Configuration Type" = none
    - "IPv6 Configuration Type" = none
    - "MAC address" = (leave blank)
    - "MTU" = (leave blank)
    - "MSS" = (leave blank)
    - "Block private networks" = [unchecked]
    - "Block bogon networks" = [unchecked]

Now click "Save"
Now click "Apply changes"

Step 6. NAT Settings

Go to Firewall/NAT/Outbound.

Under "Mode," check the checkbox for "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)."

Press "Save."

The next step is to duplicate each of the rules pfSense generated when you switched to manual mode...
    - but change the NAT interface from "WAN" to "PIA-Interface."
    - Start with the first rule by clicking the icon that is between the pencil icon and the trash can icon under the "Actions" column. Hovering your cursor over the icon should say "Add a new NAT based on this one."

A new page will open. Configure it as follows...
    - "Disabled" = (do not change) [unchecked]
    - "Do not NAT" = (do not change) [unchecked]
    - "Interface" = PIA-Interface
    - "Protocol" = (do not change)
    - "Source" = (do not change)
    - "Destination" = (do not change)
    - "Translation" = (do not change)
    - "No XMLRPC Sync" = (do not change)
    - "Description" = Auto created rule for ISAKMP - LAN to PIA-Interface
Now click "Save"

IMPORTANT! Repeat this process for each of the other rules.
    - When completed, it should resemble the screenshot below.
Now click "Apply changes" at the top of the page


Step 7. Verify the OpenVPN Service

Under Status/OpenVPN/Clients, click the restart button.

Private Internet Access should now be up and running. To verify, visit and check if your IP address is originating from the server you specified.


That's it! It's painful, so I'd recommend making a backup of your new pfSense configuration by going to Diagnostics/Backup & Restore. Happily, you will not need to configure any devices within your network to use PIA VPN. If you have any corrections, concerns or suggestions, please leave them in the comments section.

I have been debating writing a guide on how to exclude users from the VPN by letting some IP addresses use the WAN and other IP addresses use the PIA interface. Using this method, users can manually assign an IP using DHCP to switch between the VPN and WAN interfaces. Another guide I have in mind is implementing parental controls by blocking certain users by MAC address and static IP during certain hours of the day. Most of the guides on this topic have been rather outdated, so let me know if you are interested in more.