Setting up PIA VPN on pfSense for your whole network and Configuring Selective Routing

Reddit Comments

So if you create a VPN everything else defaults to go out through the VPN and you've got to choose your local devices that you want to force to go out through the default WAN...

Can you do it the other way around? After setting up the VPN, everything else still defaults to WAN, but you can choose which of your local devices you want to go out through the VPN.

👍 8 👤 u/backsing 📅 Apr 05 2017 🗫 replies

I wonder if pfSense could natively route based on domain. So an example would be to route most traffic over the VPN, but route traffic to Netflix.com and some others through the normal WAN interface. I've done a little research and it seems like it might be possible, but not consistently if they're using a pool of addresses. Perhaps a plug-in or using something else like HAProxy or nginx would be a better solution.

👍 6 👤 u/noc007 📅 Apr 05 2017 🗫 replies

Solid, thanks for this.

👍 2 👤 u/[deleted] 📅 Apr 05 2017 🗫 replies

You just made me understand pfSense so much better! TY

👍 1 👤 u/zvnGtV4oOCqTrodfeYa3 📅 Apr 05 2017 🗫 replies

I'm actually having an issue with this. When I try to make an interface for PIA in order to do selective routing, the interface shows up as "Offline". If I reboot, restart the service, etc., nothing changes. I followed the instructions in the video to the letter but it won't work. Any suggestions?

👍 1 👤 u/ehalepagneaux 📅 Apr 06 2017 🗫 replies

Is there a way to route by VLAN?

I have UniFi Wi-Fi and can tag by interface. I'd like to set up 3-4 Wi-Fi interfaces ("Wifi-Sweden", "Wifi-Chicago", "Wifi-Berlin"), tag them with VLANs (i.e. 10, 20, 30, etc.) and have each of those go out over the appropriate VPN connection.

👍 1 👤 u/[deleted] 📅 Apr 07 2017 🗫 replies

While this did work for me, I had issues with Xbox Live and ping times. Had to remove it till I can find out why.

👍 1 👤 u/theobserver_ 📅 Apr 29 2017 🗫 replies

Thanks I needed this!

👍 1 👤 u/cwight803 📅 Apr 05 2017 🗫 replies
Captions
Private Internet Access is a pretty popular VPN provider. With all the talk about the ISPs and problems, I figured I'd do a video on how to encrypt all your traffic at the firewall so you don't have to do it on every individual device, and I chose Private Internet Access. They seem to be a pretty popular company, the reviews are really positive on them, and they have a nice support forum. They have guides on how to set up on a lot of different devices, they seem reasonably priced, and they also have some fun and interesting ways that you can pay, with anything from gift cards to Bitcoin to a lot of other options, so plenty of different pay options if you want to keep yourself very disconnected from the VPN. Because what you're really doing any time you have a VPN is you're just changing who you trust. You know, you don't trust your ISP, so you encrypt your traffic so you bypass the ISP, but then you have to trust your VPN provider because, well, there's still a connection there. So that's the short of the VPN, but we're going to run through the pfSense setup that they have here. I went through and tested it; it works good. I signed up for an account and we're going to show you how to do this. So I'm going to keep this open in another window, but I'll walk you through step by step because we have a clean pfSense box that's ready to go. I call it my pfSense demo box and it is on a private network, and that's the fun thing about OpenVPN: it will cut through a private network unless it's blocked. So this isn't my public IP address, this is just an internal address for my little home lab setup here. Well, home lab, work lab, a lab is a lab, okay.

So let's get started. First step is going in and putting in a certificate. OpenVPN provides you certificates. You're going to go over to System, and I'm at the Certificate Manager, CAs. Now at the top, when you go through the instructions, there's just a little download link so you can download this. I downloaded it and copied it into a file, so that's what their public certificate looks like. So we're going to Add, and we're going to call it PIA cert. You can call it whatever you want, just call it something convenient. And I just copied and pasted that in from that cert file, so it's just a Notepad editor. Let's go ahead and hit Save. All right, that part's done, step 1, real easy.

And we're going to go over here to VPN, OpenVPN, and this is a client, not a server; we're connecting as a client to PIA. So we can go Add and now we've got to put all the settings in. So we have peer-to-peer, UDP, tun, LAN; all that's pretty much default, nothing special you have to do there. Server host address is where you choose where you want to pop out at in the world, so they have lots of different ones. They've got Texas, Chicago, California, so let's put ourselves in California. Now I actually missed this the first time when I was setting this up for a demo: it's port 1194 by default. You want to go to 1198. If you're not, you get a TLS handshake error because it's the wrong type of certificate on that port. So pull up the certificate and encryption work instruction that they have on there, which I'll leave a link below to. It's 1198. Username and password, we'll put that in in just a second because you can't have my username and password. You can see it's defaulting to the PIA cert. We do want to check this off to disable TLS authentication. TLS authentication is an extra encapsulation of the packets that they are not using. It is a hardening that, when I set up my VPNs, I add to them, but on theirs they're not using that feature. Compression is Enable adaptive compression. Now please note, I am doing this video in April 2017 off of an April 2017 work instruction, so if there's some variation, make sure you're looking at their website. This will walk you through, but if they add or change, like, the ciphers that they're using or the algorithms, this will be changed. As of right now they're still using AES-128-CBC, which is the default, and SHA-1 160 bit for here. For example, more robust VPNs are going to recommend something even higher for that, but this is pretty secure; it's just one of those future-proofing things. So if I'm setting up a new VPN I would set it up there, but you have to comply, because you're the client you have to comply with the way their servers are configured. But at some point they may change that; as of April 2017 that's what it is. All of this is all the same. Here we're going to disable IPv6. They give us a paste-in; these are some of the custom options. Now everything's all set here, but I'm going to skip the part where I put my username and password in, but it's pretty straightforward, it's just your username and password. Oh, we also have to check Infinitely resolve server, and we'll call this the PIA VPN; it's just the description, so you call it what you want. If it's another VPN provider you put it in there. So let me put my username and password in and I'll skip ahead to the next part.

All right, if we did all this right we should be able to click the Status over here and the VPN is up, but the traffic is not: I am NOT routing traffic, lots of loss. That's because the next step that you have to do is add the routing outbound for this. So we're going to go over here to NAT, and we go to Outbound. Now this is all the default for outbound, so we're going to go to Manual Outbound NAT rule generation, this one here, hit Save, Apply. All right, now we're almost there. So this allows for the WAN. Now what these are right here is because of the way the address randomization works for NAT; ISAKMP is port 500 for certain VPNs, so if you're not running a VPN you don't even need to duplicate that rule, if not just duplicate that rule. What we do need to do is allow the traffic so it's allowed to go from this network, the LAN network, out to the LAN address. And we click the little two pieces of paper and duplicate the rule, change the interface to the OpenVPN interface, and then we're going to call this VPN LAN too. And so there we go, hit Save, Apply the changes, and we are routing traffic.

Now I have a Comcast connection, so let's go over here and Google "what's my IP address". That's not a Comcast one. I think I can use IP Chicken. I'm on Comcast; that's clearly not Comcast, so I am routing traffic. All the traffic on this now goes out through the VPN, which is wonderful. Now if we stop the VPN, we go over here to VPN, OpenVPN, and when you go here, disable the client, hit Save, and you can see I'm back on a Comcast address. So just by simply disabling it, everything gets rerouted to your normal internet access. This is grayed out, so we can go back here and enable it and we're back online. But if you just needed to know how to set up PIA VPN you can stop the video here, because that's as much as you need to do to get that part working. So it's now set up, we're now routing traffic over the VPN.

But let's say we want to do something more specific, and I get a lot of people asking, "I want to selectively route things." Part of the reason for that is you may want to, for restrictive reasons, say I want to pop out of another place, but I can't have my boxes that connect to Netflix doing it, because Netflix blocks, I've heard, some of the PIA VPN, or some things don't like things going over a VPN, and you can add a little bit of overhead, maybe a little bit of latency, so maybe you want your gaming rig not to go over there. So let's talk about the steps for that; that's a little bit more advanced. We're going to go over here to Interfaces, we're going to Assign. We've got two network cards in here; this is the other network card I'm not doing anything with, and there is our OpenVPN. So we're going to add that, and we're going to Save, click on it, enable the interface, and this is our PIA VPN, Apply the changes. Now when we go over here to Routing we have another gateway interface on here. Also, to get this up and running after you've added it, we're going to go over here to VPN, OpenVPN. Sometimes when you're editing some of these settings you have to go to the Status page of the VPN and just restart it, because it won't push; when you added an interface it was bound to nothing, now we bound it to an interface, so now we have to get it back up and running. So pending, and now it's assigned, so now we see an IP address here, so we know it's good to go.

So now we have all of our rules here: Firewall, Rules. We have the WAN rules, the LAN rules, the VPN and OpenVPN rules. Now this is where it gets tricky to do selective routing, but it's not that complicated, just a little different. So right now we're going to open up the IP Chicken site again; it's not a Comcast address, so I'm on there, it's all set up. Now I will admit there are some times, in case you're wondering if you keep switching back and forth, there may be a session or a state that gets stuck and holds on to its flow out before the state expires, and you won't see your IP address change right away. You can either reboot the firewall, and you may have to just reboot the firewall, generally that is enough to do it, it clears out the state tables, or there's an option in pfSense to go here and you can just reset all the state tables, Reset the firewall state. Because as you create these rules they may not happen immediately, because if there's a state open to connect to something like, well, the IP Chicken website that hasn't timed out, you'll end up with not changing the IP address of the system right away because it's still holding on to the session. Just a little side note: sometimes just rebooting it is the quickest way to clear all the states and make sure it's all working. But we see everything's up, we see the interface is up, it has an IP address assigned to it.

So we're going to Firewall, Rules, LAN. Now what we want to do, and we're going to make sure it's the top rule here: my computer's address is ending in .9, so 192.168.1.9 is the computer I'm on, and right now we're going out the VPN. So we want to make a rule so my computer specifically does not go out the VPN. So we're going to Add: single host or alias. Now there are two ways to do this: I can type in individual host addresses, a block of addresses, or I can say an alias, where you create the alias up here under Aliases in Firewall. So there are a couple of different options. For purposes of this we're just going to do a single host address, assuming it's a smaller network, but if you get a larger network you could group things together, create an alias, or create a whole network block of them that you want to say, okay, push all these out over the normal WAN gateway. So 192.168, oops, 1.9, single host or alias. Then we're going to go down here to Display Advanced, and we're going down to the Gateway and we choose the WAN_DHCP gateway, not this one. So here we go, we hit Save, and it took like this: so this says route all IPv4 traffic from 192.168.1.9 over WAN_DHCP. Apply changes. So we've configured a rule that's going to force mine not to be on the VPN. So it's on the VPN now when we last checked; we forced the rule. I'll clear the state table real quick, or see if I have to, see if the IP address changes. It did not. States, Reset States, just reset all the firewall states. I could reboot the firewall, but this is faster. It actually hangs up the firewall as well because you have to reestablish; it takes a few seconds. All right, and now my computer's on the Comcast address. So as you can see, this rule pushes my address specifically over to the Comcast rule. Now let's switch it back. This is actually kind of clever: I set up a different address, so one ends in .9, the other one ends in .69. So if I switch my computer to that .69, as you can see it's on .69 here, refresh it, and now we're on the PIA VPN again. Now it's really easy to create more of these rules, you just click the little duplicate, change the host to whichever one you want going on there, Save, and away you go. You would do this for each individual rule. I didn't make any notes, but that's how you do the selective routing. So it's pretty straightforward, and like I said you could alias a group of things together, you could come up with selective ways to do it, so you can say, you know what, take my gaming machine and don't put it over the VPN because I want, you know, no risk of latency or anything like that, or maybe a couple of devices that are Netflix that have a problem, because they really test this, but some people said oh yeah, PIA VPN, Netflix blocks a couple of them. I don't know if it blocks all of them, I don't have time to go through all of them, but I wanted to give you guys a demo on how to do selective routing so you can use a pfSense box for your entire network but then still have a couple of rules that say nope, not this one or not this computer, they don't go out over the VPN.

So thanks for watching the video. Hopefully that's pretty clear; it's that little to set up. I've seen a couple of other tutorials that have you add a couple more things in here; you don't really need them, as you can see this works and I don't have any rules under here. You don't need those rules, you don't need any extra WAN rules, you can do the selective routing all from here. And for the NAT functions on the outbound, you only need these port 500 specific rules if you're using an ISAKMP type of VPN, like inside your network. So if you have another machine, so if you have your work office machine and it has a port 500 VPN that's using ISAKMP, you would need to add that rule; if not, you don't even need to add it. But obviously it's arbitrary to add or don't use that one for a VPN because your VPN is out anyways. But it's a pretty simple system to set up. I'm happy, the speed is good. That's it for the demo. If you like the content here, if you have another suggestion for a video, let me know. Click the little like button and subscribe to my channel for more updates, and I'm going to keep the videos coming. Thank you guys, bye.
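The outbound NAT and LAN rules the video clicks together in the GUI, written out as the kind of pf rules pfSense generates from them, as an added example that is not from the video or from any pfSense box; the interface names (em0 WAN, em1 LAN, ovpnc1 for the assigned PIA interface), both gateway addresses, the VLAN sub-interfaces and the second alias host are assumed placeholders. It also covers the per-VLAN variant asked about in the comments.

```pf
# Added example: hand-written pf equivalents of the rules the video builds
# in the pfSense GUI. Assumed names/addresses (placeholders):
#   em0 = WAN, em1 = LAN, ovpnc1 = the OpenVPN client assigned as "PIA VPN",
#   203.0.113.1 = WAN gateway (WAN_DHCP), 10.8.0.1 = PIA tunnel gateway.

# Firewall > Aliases: hosts that must NOT use the VPN (the video's .9 box,
# plus a second assumed host to show why an alias beats per-host rules).
table <no_vpn_hosts> { 192.168.1.9 192.168.1.50 }

# Firewall > NAT > Outbound, "Manual Outbound NAT rule generation".
# The ISAKMP rule only matters if something inside runs an IPsec VPN.
nat on em0 inet proto udp from 192.168.1.0/24 to any port 500 -> (em0) static-port
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
# The duplicated LAN rule moved to the OpenVPN interface. Without it the
# tunnel shows "up" but LAN traffic goes nowhere ("lots of loss").
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535

# Firewall > Rules > LAN. First match wins, so the policy-routing rule sits
# above the general allow rule, exactly as the video keeps it at the top.
# Local destinations are passed first; otherwise the route-to rule would
# push LAN-to-LAN and LAN-to-firewall traffic out the WAN gateway as well.
pass in quick on em1 inet from <no_vpn_hosts> to 192.168.1.0/24 keep state
# "Route all IPv4 traffic from <alias> over WAN_DHCP"
pass in quick on em1 route-to (em0 203.0.113.1) inet from <no_vpn_hosts> to any keep state
# Everyone else follows the default route, which is the tunnel while the
# PIA client is up and plain WAN as soon as the client is disabled.
pass in quick on em1 inet from 192.168.1.0/24 to any keep state

# Per-VLAN variant (the "route by VLAN" question in the comments): each
# VLAN sub-interface on the LAN NIC is pinned to its own gateway.
pass in quick on em1.10 route-to (ovpnc1 10.8.0.1) inet from 192.168.10.0/24 to any keep state
pass in quick on em1.20 route-to (em0 203.0.113.1) inet from 192.168.20.0/24 to any keep state
```

Existing connections keep the gateway they were created with until their state expires, which is why the video resets states after changing a rule; from a shell on the box, `pfctl -sr` shows the loaded rules and `pfctl -F states` flushes the state table.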
Info
Channel: Lawrence Systems
Views: 69,385
Keywords: Tech, Tech Tips, pFSense, Open, Source, Opensource, VPN, PIA, Private Internet Access, VPN Service, Secure Internet, virtual private network (software genre), vpn, pia, vpn review, pia vpn, vpn service, openvpn, privacy, vpn connection, security, tutorial, networking, pfsense tutorial, pfsense setup, pfsense router, pfsense (software), network, firewall, nat
Id: ov-xddVpxhc
Length: 15min 37sec (937 seconds)
Published: Tue Apr 04 2017