Introduction

For many, running a VPN on their phone or laptop is sufficient. However, if you are a bit more technically inclined, you might enjoy the benefits of running your Private Internet Access (PIA) VPN client on your custom pfSense router instead! Here are some of those benefits:

  • Increased mobile device battery life - PIA on my Xperia Z5 Android phone consumed 30% of my phone's battery power on average (max encryption settings).
  • Increased VPN speeds on devices that do not have the processing power to encrypt and decrypt data at peak throughput - my Xperia Z5's internet speeds were bottlenecked to 15 Mbps download with VPN versus 93 Mbps download without VPN. My laptop, by contrast, could sustain 93 Mbps without VPN and 90 Mbps with VPN (max encryption settings).
  • iOS devices on PIA are capped at default encryption settings.
  • Many devices don't support VPNs at all, such as AppleTV.
  • Taking full advantage of your probably overpowered pfSense router and Private Internet Access subscription.

Sadly, Private Internet Access's guides are all for running PIA on pfSense with mediocre encryption settings: AES-128 bit Data Encryption, SHA1 (160 bit) Data Authentication and RSA-2048 Handshake. Further, all of those guides predate the massive pfSense 2.3 UI refresh! This has always seemed a little questionable to me, considering most pfSense routers are overpowered and are not limited by battery constraints like our mobile devices.

This guide is for those who want to set up PIA VPN on their pfSense routers from scratch using maximum encryption settings: RSA 4096, SHA256, AES-256.

Step 1. Prevent DNS Leaks

Before we begin, I recommend making a backup of your configuration just in case something goes wrong. Go to Diagnostics/Backup & Restore to make a backup of your current configuration.

In this step, we will be setting custom DNS servers that the pfSense router will use instead of your ISP's DNS servers.

Go to System/General Setup

Set the DNS servers to Private Internet Access's "logless" DNS servers:
209.222.18.222 & 209.222.18.218

Next, disable "DNS Server Override." This prevents any modem sitting between the pfSense router and your WAN connection from changing your DNS servers.

Lastly, disable "DNS Forwarder." This isn't strictly necessary for PIA to work on pfSense, but DNS forwarder has been replaced by DNS resolver, and checking this box to disable DNS Forwarder cannot hurt.

System/General Setup

Step 2. Certificate Authority (CA) Setup

Under System/Cert Manager/CAs, click "add."

Set a description name. I set mine to "PIA-STRONG."

In the Certificate Data textbox, paste the following:


Click "Save."

System/Certificate Manager/CAs/Edit

Under System/Certificate Manager/CAs, click "Add" again. 

Under "Method," select "Create an internal Certificate Authority" from the dropdown.

Set a "Description name." I use "PIA-internal-CA."

Country Code, State or Province, City, Organization, Email Address can all be fake data. Just add anything (see screenshot below). Key length (bits), Digest Algorithm and Lifetime (days) should be left as default.

Set Common Name to "internal-ca."

Click "Save."

System/Certificate Manager/CAs/Edit

Step 3. Certificate Setup

Under System/Cert Manager/Certificates, click "Add."

Under the "Method" dropdown, select "Create an internal Certificate."

Set a "Descriptive name." I set mine to "PIA-Certificate."

Set "Certificate Authority" to "PIA-internal-CA" or whatever you named your internal certificate authority in the last step.

Country Code, State or Province, City, Organization, Email Address can all be fake data. Just add anything (see screenshot below). Key length (bits), Digest Algorithm and Lifetime (days) should be left as default.

Click "Save."

System/Certificate Manager/Certificates/Edit

Step 4. OpenVPN Setup

Here, we will be storing our Private Internet Access username and password in a .txt file on the pfSense hard disk for the OpenVPN client to access later.

Go to Diagnostics/Command Prompt.

Now you will need your Private Internet Access Username and Password. In the Execute Shell Command textbox, type:

echo "p1234567" > /etc/openvpn-passwd.txt; echo "BabyBaby123" >> /etc/openvpn-passwd.txt

Replace p1234567 with your username and BabyBaby123 with your password, as can be seen below.

Press "Execute."

Diagnostics/Command Prompt

Now, go to VPN/OpenVPN/Clients. Click "Add."

Change the settings to as follows:

  • Disabled = unchecked
  • Server Mode = Peer To Peer (SSL/TLS)
  • Protocol = UDP
  • Device Mode = tun
  • Interface = WAN
  • Local Port= (leave blank)
  • Server host or address = us-newyorkcity.privateinternetaccess.com (or any other server PIA offers; see PIA's list of server addresses for all PIA servers)
  • Server Port = 1197
  • Proxy host or address = (leave blank)
  • Proxy port = (leave blank)
  • Proxy authentication extra options = none
  • Server host name resolution = checked, Infinitely resolve server
  • Description = PIA OpenVPN (or whatever you desire)
  • TLS Authentication = unchecked, Enable authentication of TLS packets
  • Peer Certificate Authority = PIA-STRONG
  • Client Certificate = webConfigurator default *In use
  • Encryption algorithm = AES-256-CBC (256-bit)
  • Auth Digest Algorithm = SHA256 (256-bit)
  • Hardware Crypto = No Hardware Crypto Acceleration
  • IPv4 Tunnel Network = (leave blank)
  • IPv6 Tunnel Network = (leave blank)
  • IPv4 Remote Network/s = (leave blank)
  • IPv6 Remote Network/s = (leave blank)
  • Limit outgoing bandwidth = (leave blank)
  • Compression = checked, Compress tunnel packets using the LZO algorithm
  • Type-of-Service = unchecked
  • Disable IPv6 = checked
  • Advanced Configuration = (enter the following into the text field, one item per line with a semi-colon separating each; the file path must match the file you created with the echo command above)
    auth-user-pass /etc/openvpn-passwd.txt;
    verb 5;
    remote-cert-tls server
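As an added example (not part of the original guide), the following POSIX sh functions do the Step 4 credential step in a way that can be checked: the file is created with owner-only permissions, holds exactly the two lines OpenVPN's auth-user-pass expects, and the path named in the Advanced Configuration options is verified to be the file actually written. The file path, username and password used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the guide. Writes the PIA credential file that
# OpenVPN's auth-user-pass option reads (username on line 1, password on
# line 2) and checks the advanced-options string against it.

# write_pia_creds FILE USER PASS
# Create FILE with USER on line 1 and PASS on line 2. The umask makes a new
# file mode 0600; the chmod covers the case where FILE already existed.
write_pia_creds() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# creds_ok FILE -> exit 0 when FILE exists, has exactly two lines and is
# readable and writable by its owner only (-rw-------).
creds_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -l < "$1")" -eq 2 ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# advanced_options FILE -> print the three lines the guide puts into the
# OpenVPN client's Advanced Configuration field, pointing at FILE.
advanced_options() {
    printf 'auth-user-pass %s;\nverb 5;\nremote-cert-tls server\n' "$1"
}

# auth_path OPTIONS -> print the file path given to auth-user-pass in a
# semicolon- or newline-separated OpenVPN options string (empty if absent).
auth_path() {
    printf '%s\n' "$1" | tr ';' '\n' |
        awk '$1 == "auth-user-pass" { print $2; exit }'
}

# config_matches OPTIONS FILE -> exit 0 when auth-user-pass names FILE.
# Catches the easy mistake of writing openvpn-passwd.txt but configuring
# openvpn-password.txt, which makes the client fail authentication.
config_matches() {
    [ -n "$(auth_path "$1")" ] && [ "$(auth_path "$1")" = "$2" ]
}

# Stand-alone run against a constructed temp file and placeholder values.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_pia_creds "$f" "p1234567" "BabyBaby123"
    creds_ok "$f" && config_matches "$(advanced_options "$f")" "$f" &&
        echo "credential file and OpenVPN options are consistent"
    rm -f "$f"
fi
```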

NOTE: If your pfSense box has an Intel or AMD processor, you should check whether it has AES-NI or AMD Geode LX Security Block encryption hardware acceleration, respectively. Google your processor name and look in the specifications. In the screenshot below, I Googled Intel i3-3220 and scrolled to the bottom of the page to find out whether the processor supported AES-NI.

Checking Intel i3-3220 processor for AES-NI Encryption Hardware Acceleration

If your processor supports encryption hardware acceleration, change "Hardware Crypto" from "No Hardware Crypto Acceleration" to "BSD cryptodev engine."

Then, go to System/Advanced/Miscellaneous and enable your hardware acceleration type under "Cryptographic Hardware": AES-NI if you have an Intel processor, or AMD Geode LX Security Block if you have an AMD processor.

System/Advanced/Miscellaneous

Step 5. Setup OpenVPN Network Interface

Go to Interfaces/(assign)

Under the "Available network ports:" dropdown, select "ovpnc1(PIA OpenVPN)" and then click "Add."

Click on OPT1 to edit the interface:

Configure as follows...
    - "Enabled" = [check]
    - "Description" = "PIA-Interface"
    - "IPv4 Configuration Type" = none
    - "IPv6 Configuration Type" = none
    - "MAC address" = (leave blank)
    - "MTU" = (leave blank)
    - "MSS" = (leave blank)
    - "Block private networks" = [unchecked]
    - "Block bogon networks" = [unchecked]


Now click "Save"
Now click "Apply changes"

Step 6. NAT Settings

Go to Firewall/NAT/Outbound.

Under "Mode," check the checkbox for "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)."

Press "Save."

Switching to manual mode fills the list with the rules pfSense generated automatically for the WAN interface. The next step is to duplicate each of these rules...
    - but change the NAT Interface from "WAN" to "PIA-Interface."
    - Start with the first rule by clicking the icon that is between the pencil icon and trash can icon under the "Actions" column. Hovering your cursor over the icon should say "add a new NAT based on this one."

A new page will open. Configure it as follows...
    - "Disabled" = (do not change) [unchecked]
    - "Do not NAT" = (do not change) [unchecked]
    - "Interface" = PIA-Interface
    - "Protocol" = (do not change)
    - "Source" = (do not change)
    - "Destination" = (do not change)
    - "Translation" = (do not change)
    - "No XMLRPC Sync" = (do not change)
    - "Description" = Auto created rule for ISAKMP - LAN to PIA-Interface
Now click "Save"

IMPORTANT!  Repeat this process for each of the other rules.
    - When completed, it should resemble the screenshot below.
Now click "Apply changes" at the top of the page

Firewall/NAT/Outbound

Step 7. Verify the OpenVPN Service

Under Status/OpenVPN/Clients, click the restart button.

Private Internet Access should now be up and running. To verify, visit http://whatismyipaddress.com/ and check that your IP address now belongs to the server you specified.

Conclusion

That's it! It's painful, so I'd recommend making a backup of your new pfSense configuration by going to Diagnostics/Backup & Restore. Happily, you will not need to configure any devices within your network to use PIA VPN. If you have any corrections, concerns or suggestions, please leave them in the comments section.

I have been debating writing a guide on how to exclude users from using the VPN by letting some IP addresses use the WAN and other IP addresses use the PIA interface. Using this method, users can manually assign an IP using DHCP to switch between VPN and WAN interfaces. Another guide I have in mind is implementing Parental Controls by blocking certain users by MAC address and Static IP during certain hours of the day. Most of the guides on this topic have been rather outdated, so let me know if you are interested in more.
