Private Internet Access setup

Running the VPN client on pfSense lets the firewall route traffic from chosen LAN hosts through a VPN tunnel, so those devices get the privacy of the tunnel without running VPN software themselves.

Why Use PIA with pfSense?

Setting up pfSense as an OpenVPN client for Private Internet Access (PIA) lets you send the traffic of all, or only selected, LAN hosts through the PIA tunnel. This gives those hosts the privacy and geo-unblocking of the VPN while you keep full control of your home network, including which hosts use the tunnel and what happens to their traffic when the tunnel is down.

Prerequisites

  • A working pfSense firewall
  • An active Private Internet Access (PIA) subscription
  • Your PIA OpenVPN username and password (from the PIA account page)
  • A DNS plan for the VPN hosts (optional but recommended): hosts that keep using pfSense's own resolver still send their lookups out over the WAN, so your ISP sees which names they resolve even when the traffic itself goes through the tunnel

Step 1: Get the PIA OpenVPN connection information

PIA documents all of this on its support site, so nothing here is guesswork. Before starting, download PIA's OpenVPN configuration archive (openvpn.zip) and extract it.

The folder contains one .ovpn file per region; pick the one for the region you want to exit from. This guide uses us_new_york.ovpn.

Import the PIA Certificate Authority

The .ovpn file carries PIA's CA certificate in an inline <ca> block. Import it into pfSense first, because the OpenVPN client configured in Step 2 needs it to verify the PIA server. Navigate to System -> Certificates -> Authorities -> Add (on older releases: System -> Cert. Manager -> CAs -> Add).

Add Certificate Authority

  • Set the Descriptive name to something easy to identify, such as PIA_Cert
  • From the Method dropdown, select Import an existing Certificate Authority
  • Open us_new_york.ovpn (or the file for your region) in a text editor and copy the text between the <ca> and </ca> tags into the Certificate data field. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines; do not include the <ca> tags or anything else from the file.
  • Leave Certificate Private Key empty; this is a CA import and pfSense needs no key for it
  • Save

Step 2: Configure pfSense as a client of PIA VPN

Now make pfSense an OpenVPN client of PIA. Navigate to VPN -> OpenVPN -> Clients -> Add and fill in the form from the values in the .ovpn file:

  • Description: an identifying name for this client, e.g. PIA_Client
  • Protocol: the proto line of the .ovpn file reads proto udp, so select UDP on IPv4 only
  • Interface: WAN
  • Server host or address: the hostname from the remote line (remote us-newyorkcity.privacy.network 1198), i.e. us-newyorkcity.privacy.network
  • Server port: 1198, the last field of the same remote line
  • User Authentication Settings: your PIA username and password
  • Uncheck Use a TLS key, unless your profile contains a <tls-auth> or <tls-crypt> block
  • Peer Certificate Authority: select PIA_Cert, created in Step 1
  • Data Encryption Algorithms: AES-128-GCM
  • Fallback Data Encryption Algorithm: AES-128-CBC, the cipher named in the profile's cipher line
  • Auth digest algorithm: SHA1, as given by the profile's auth line
  • Check Don't pull routes. PIA pushes a default route to its clients; if this stays unchecked, every connection from the firewall and from every LAN host goes through the tunnel. With it checked, nothing uses the tunnel until the policy-routing rules in Step 6 send selected hosts through it.
  • Custom options: paste the following
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
dhcp-option DNS 10.0.0.241
dhcp-option DNS 10.0.0.243
  The lines that matter for security: remote-cert-tls server makes the client refuse a peer whose certificate lacks the server extended key usage, so another PIA client certificate signed by the same CA cannot impersonate the server. reneg-sec 0 disables OpenVPN's periodic TLS renegotiation, so the session keys last for the life of the connection; prefer reconnecting now and then over leaving one session up for weeks. The two dhcp-option DNS lines name PIA's internal resolvers (10.0.0.241 and 10.0.0.243), which are reachable only inside the tunnel; pointing the VPN hosts' DNS at them keeps their lookups off the WAN.
  • Gateway creation: IPv4 only
  • Save

Check the connection status under Status -> OpenVPN; the client should show Up with a virtual address assigned.
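The values entered in Step 1 and Step 2 all come from the .ovpn profile, and reading them by line number is fragile because PIA's profiles differ by region and change over time. The script below is an added example, not part of this guide or of PIA's material: it pulls the remote host and port, protocol, cipher and auth digest out of a profile, reports whether a TLS key block is present (which decides the Use a TLS key checkbox), and prints the <ca> block exactly as it goes into the Certificate data field. It assumes a POSIX shell with awk; the profile embedded in it is constructed for illustration, with a placeholder certificate body rather than PIA's real CA.

```shell
#!/bin/sh
# Added example (not from the guide or from PIA): extract the pfSense
# client-form values and the CA block from a PIA-style .ovpn profile.
# Assumes POSIX sh with awk. The profile below is constructed for
# illustration; the certificate body is a placeholder, not PIA's real CA.

PROFILE="$(mktemp)"
trap 'rm -f "$PROFILE"' EXIT
cat > "$PROFILE" <<'EOF'
client
dev tun
proto udp
remote us-newyorkcity.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
MIIDummyPlaceholderNotARealCertificateBody
-----END CERTIFICATE-----
</ca>
EOF

# ovpn_value PROFILE KEY: first argument of the first "KEY ..." directive
ovpn_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# ovpn_remote PROFILE: "host port" from the first remote directive
ovpn_remote() {
    awk '$1 == "remote" { print $2, $3; exit }' "$1"
}

# ovpn_ca PROFILE: the inline <ca> block without its tags. This is exactly
# what belongs in the pfSense CA "Certificate data" field, BEGIN and END
# lines included.
ovpn_ca() {
    awk '/^<\/ca>/ { inca = 0 } inca { print } /^<ca>/ { inca = 1 }' "$1"
}

# ovpn_has_tls_key PROFILE: succeeds if the profile carries tls-auth or
# tls-crypt material, in which case "Use a TLS key" must stay checked.
ovpn_has_tls_key() {
    grep -q -e '^<tls-auth>' -e '^<tls-crypt>' -e '^tls-auth ' -e '^tls-crypt ' "$1"
}

# pfsense_fields PROFILE: print the values to type into VPN -> OpenVPN -> Clients
pfsense_fields() {
    set -- "$1" "$(ovpn_remote "$1")"
    printf 'Protocol:        %s on IPv4 only\n' "$(ovpn_value "$1" proto | tr a-z A-Z)"
    printf 'Server host:     %s\n' "${2% *}"
    printf 'Server port:     %s\n' "${2#* }"
    printf 'Fallback cipher: %s\n' "$(ovpn_value "$1" cipher | tr a-z A-Z)"
    printf 'Auth digest:     %s\n' "$(ovpn_value "$1" auth | tr a-z A-Z)"
    if ovpn_has_tls_key "$1"; then
        printf 'Use a TLS key:   checked\n'
    else
        printf 'Use a TLS key:   unchecked\n'
    fi
}

pfsense_fields "$PROFILE"
printf '\nCA data for System -> Certificates -> Authorities:\n'
ovpn_ca "$PROFILE"
```

To use it on a real download, call pfsense_fields /path/to/us_new_york.ovpn and ovpn_ca /path/to/us_new_york.ovpn once the functions are defined, and paste the ovpn_ca output verbatim into the CA import form.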

Step 3: Create an alias for the hosts that must always use the VPN

Navigate to Firewall -> Aliases -> IP -> Add
  • Name: any name, e.g. VPN_HOSTS
  • Description: any text
  • Type: Host(s)
  • IP or FQDN, one entry per host or range:
    • Single host: the IP address of the host, e.g. 192.168.1.10
    • Range: 192.168.1.10-192.168.1.20 (11 addresses, inclusive; pfSense expands the range into individual hosts)
  • Save, then Apply Changes

Give these hosts static DHCP mappings (Services -> DHCP Server), otherwise a lease change silently moves a host out of the alias and off the VPN.

Step 4: Assign the VPN interface

Navigate to Interfaces -> Assignments
  • Under Available network ports, select ovpnc1 (PIA_Client)
  • Click Add; pfSense creates a new interface named OPT1
  • Open the new interface (Interfaces -> OPT1):
    • Check Enable Interface
    • Set the Description to PIVPN (this name is used for the NAT and firewall rules below)
    • Leave the IPv4 and IPv6 Configuration Type at None; OpenVPN manages the tunnel address
  • Save and Apply Changes

Step 5: Outbound NAT rules

Traffic that Step 6 policy-routes into the tunnel still carries a private LAN source address. Without outbound NAT on the PIVPN interface PIA would drop it, so add mappings that translate it to the tunnel address, the same way pfSense does automatically for the WAN.

Navigate to Firewall -> NAT -> Outbound
  • Under Outbound NAT Mode select Hybrid Outbound NAT and click Save. Hybrid keeps the automatic WAN rules and adds the manual mappings below.
  • Add four mappings:
    • Map1
      Interface: PIVPN
      Protocol: Any
      Source: Network or Alias: VPN_HOSTS (the alias created in Step 3; the /32 mask is ignored for an alias)
      Save
    • Map2
      Interface: PIVPN
      Protocol: Any
      Source: Network or Alias: VPN_HOSTS
      Destination: Port or Range: 500
      Translation: check Static Port
      Save
    • Map3
      Interface: PIVPN
      Protocol: Any
      Source: Network or Alias: 127.0.0.0/8
      Save
    • Map4
      Interface: PIVPN
      Protocol: Any
      Source: Network or Alias: 127.0.0.0/8
      Destination: Port or Range: 500
      Translation: check Static Port
      Save
  • Apply Changes

Map2 and Map4 keep the source port of UDP 500 (IKE) unchanged, which IPsec peers require; Map3 and Map4 cover traffic from the firewall itself. Outbound NAT rules are matched top to bottom, so place each port-500 static-port mapping above its general counterpart, otherwise the general mapping matches first and the static-port one never applies.

[Image: Outbound rules]

Step 6: Firewall LAN rules

These two rules do the policy routing: the pass rule sends VPN_HOSTS traffic to the PIVPN gateway, and the block rule stops the same hosts from falling back to the WAN.

Navigate to Firewall -> Rules -> LAN
  • Add Rule 1 to allow VPN_HOSTS through the tunnel
    Action: Pass
    Interface: LAN
    Address Family: IPv4
    Protocol: Any
    Source: Address or Alias: VPN_HOSTS
    Description: Allowing VPN Hosts traffic
    Display Advanced -> Gateway: select PIVPN_***** (the gateway pfSense created for the PIVPN interface)
    Save
  • Add Rule 2 to block VPN_HOSTS
    Action: Block
    Interface: LAN
    Address Family: IPv4
    Protocol: Any
    Source: Address or Alias: VPN_HOSTS
    Description: Block internet to VPN Hosts on regular connection
    Save
  • Most important: LAN rules are evaluated top to bottom and the first match wins. Drag the block rule directly under the allow rule, and keep both above the default "allow LAN to any" rule; if that default rule sits above them it matches first and sends the VPN hosts out over the WAN.
  • For the block rule to work as a kill switch, also enable System -> Advanced -> Miscellaneous -> Gateway Monitoring -> Skip rules when gateway is down. By default, when the PIVPN gateway is down pfSense loads the pass rule without its gateway, so VPN_HOSTS traffic would leave over the WAN; with this option the pass rule is skipped and the block rule catches the traffic instead.
  • If the VPN hosts also need to reach other local subnets, add a pass rule above Rule 1 for those destinations with no gateway set, since Rule 1 would otherwise route that traffic into the tunnel as well.
  • Apply Changes

Step 7: Gateway monitoring

pfSense decides whether the PIVPN gateway is up by pinging a monitor address through it, and the kill switch from Step 6 keys off that state, so give the gateway a monitor IP that answers ICMP.

Navigate to System -> Routing -> Gateways
  • Edit the PIVPN_*** gateway
    Monitor IP: 1.1.1.1
  • Save and Apply Changes
Check the status of the gateway after a few minutes under Status -> Gateways; it should show Online with a plausible round-trip time.

pfSense installs a host route for the monitor IP through the gateway being monitored, so from the firewall itself 1.1.1.1 is now reachable only via the tunnel; do not use the same address as the monitor IP of the WAN gateway.

Once the gateway is Online, pfSense routes all the traffic of the VPN hosts through Private Internet Access.
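After Steps 6 and 7 the claim worth testing is that a VPN host leaves through PIA while the tunnel is up and reaches nothing while it is down. The script below is an added example, not part of this guide: run it on one of the VPN_HOSTS with the tunnel up, then stop PIA_Client under Status -> OpenVPN and run it again. It assumes POSIX sh and curl, that 203.0.113.5 stands in for your real WAN address (Status -> Interfaces on pfSense), and that ifconfig.me is an acceptable plain-text IP echo service; any equivalent works. No network call happens unless the script is given both arguments.

```shell
#!/bin/sh
# Added example (not from the guide): leak and kill-switch check for a
# policy-routed VPN host. Assumes POSIX sh and curl. The IP echo endpoint
# and the 203.0.113.5 WAN address in the usage lines are assumptions.

# public_ip: the address the Internet sees for this host, empty if nothing
# answers within 5 seconds (with the tunnel down, that is the kill switch)
public_ip() {
    curl -4 -s --max-time 5 https://ifconfig.me/ip 2>/dev/null
}

# classify_egress WAN_IP OBSERVED: vpn | leak | blocked
# WAN_IP is the home connection's public address; OBSERVED is what
# public_ip returned.
classify_egress() {
    if [ -z "$2" ]; then
        echo blocked
    elif [ "$2" = "$1" ]; then
        echo leak
    else
        echo vpn
    fi
}

# verdict TUNNEL EGRESS: PASS when the observed egress matches what the
# Step 6 rules should produce for that tunnel state (up or down)
verdict() {
    case "$1/$2" in
        up/vpn | down/blocked) echo PASS ;;
        *) echo FAIL ;;
    esac
}

# run_check TUNNEL WAN_IP: one measurement; exit status 1 on FAIL
run_check() {
    seen="$(public_ip)"
    state="$(classify_egress "$2" "$seen")"
    result="$(verdict "$1" "$state")"
    printf 'tunnel=%s observed=%s egress=%s %s\n' "$1" "${seen:-none}" "$state" "$result"
    [ "$result" = PASS ]
}

# Usage: sh leakcheck.sh up 203.0.113.5     (PIA_Client running)
#        sh leakcheck.sh down 203.0.113.5   (after stopping PIA_Client)
if [ "$#" -eq 2 ]; then
    run_check "$1" "$2"
fi
```

A leak result with the tunnel up usually means the two rules sit below the default LAN rule; a vpn result with the tunnel down means Skip rules when gateway is down is not enabled. This checks the IP path only; DNS is a separate leak path if the VPN hosts resolve through pfSense over the WAN.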

What more can be done? pfSense can also restart the OpenVPN client on its own if the process dies.

Step 8: Install the Service Watchdog package

The pfSense Service Watchdog is a package that monitors selected services and restarts them if they stop running. Add the OpenVPN client to it.

Navigate to System -> Package Manager -> Available Packages
  • Search for Service_Watchdog and install it
Navigate to Services -> Service Watchdog
  • Click Add, select the openvpn client entry for PIA_Client, and Save

Service Watchdog only notices a process that has exited. A tunnel whose process is alive but not passing traffic is caught by the gateway monitoring from Step 7, which marks the gateway down and lets the block rule from Step 6 take over.