Your home router. It sucks. Like,
get rid of it now, it sucks. But why does it suck? Well, it's probably slow and it's insecure,
and worst of all, it's not very fun. That's why we're going to replace your
home router with something like this, something very secure,
something very fun: pfSense. First, let me tell you about our sponsor
at Red Hat and their upcoming event, AnsibleFest 2021. Now, if
you don't know what Ansible is, it's an amazing way to automate your
infrastructure, networking, systems. Oh my gosh, I love it. In fact, I've
made a few videos about it already, so it's obviously a no-brainer for
you to attend their virtual event on September 29th and 30th. It's
virtual. So jump in there now. I don't know if you know this, but automation's kind of
taking over the industry. So any chance you can get to expand
your automation skills, take it. And this is a key event to do that. You're going to hear some crazy
informative sessions from leaders in the industry. You'll also get
to learn from your peers, people that do the same thing you do,
which is probably the coolest part, because you got all these people in all
these organizations doing automation, from small to large. They're doing some crazy stuff and you
get a chance to see that and learn from it. So, yeah, you don't want to miss this. If you care anything about automation,
which, if you don't care about automation, then what are you doing? Link below.
September 29th and 30th. Again, it's virtual. So check it out. pfSense
is a beast. This thing does everything. It's awesome. pfSense is router
and firewall software. It's free. It's open source. And did I
already mention it's a beast? Yes. The sucker does everything. Yeah, it's
going to protect your network. IDS, IPS, Snort, all kinds of stuff. It's got you
more than covered on the security stuff. It's got your back, but it
also has a ton of fun stuff just built into it, like dynamic DNS.
Yep, just built in. You just turn it on. You can also send all of your
network traffic over a VPN provider, like NordVPN or Private Internet
Access. Again, it does everything, but the best thing it gives you is control
and the ability to have fun with your network, which is
awesome. So in this video, I'm going to show you how
to set this sucker up. We're going to replace that dumb
home router you got. Trash it, burn it, I don't care. Beat it with a bat, Office
Space style. Yeah, do that. Actually, no, we can still use it. Don't worry.
I'll talk about it here in a moment. First, we'll start with the basics.
Like how to get pfSense set up. What do you need to actually do all
this? And then we'll do a basic setup. It's really, really fast, super easy. Then we'll have some fun making some
awesome config changes that will get you started down a crazy path
of just network goodness. So I'll show you things like
port forwarding, dynamic DNS, and the coolest thing ever,
forwarding all your traffic over VPN. I'm going to walk you
through two providers, Private Internet Access and NordVPN. I'm
actually using both. It's super cool. So now, what do you need to do this? Well, first just know that pfSense is software, which means you need to install
it on something. Now for this, you do have a few options. I
chose this appliance right here. This is the Protectli Vault.
And it's a bit of a beast. It's a little overkill, actually. It cost
about $350, which, if you can get this, that's fine, but don't
let it scare you away. There are cheaper options,
like this smaller guy here. You can pick them up for 170, or you can go with this little
guy right here from Netgate, which is actually the official
company that runs pfSense. This'll run you about $200.
Now, again, you've got options. The cool thing about pfSense is you can
pretty much install it on any computer hardware. And before you ask me, no,
you cannot do it on a Raspberry Pi. I tried. But if you want, you can install it on your laptop
or your computer right now. It can be a virtual machine. As long
as you have enough network interfaces, you're golden. I actually used to run pfSense as a
virtual machine on my VMware server. So don't let not having an
appliance like this stop you. You can virtualize the
sucker and run it. Now, once you have where you're
going to install pfSense, let's talk about your network and
how it's going to be designed. Now this isn't required,
but highly recommended. You'll want a little switch here or
a big switch like I have right here. But whatever your taste is, whatever, it
can really be any crappy old switch. But I do recommend getting a managed
switch that supports VLANs, because at that point it'll really unlock some
cool stuff you can do with your pfSense router. Now, this guy
right here is from TP-Link. He is a managed switch that does support
VLANs. And he's only about $22. I'll have links for all of this
below. Now, as far as what you need, that's pretty much it. Oh no, no.
You do need some coffee though. Did I mention that? You gotta have
coffee for anything you do in IT. It's just required.
NetworkChuck.coffee, check it out. Now, how you throw pfSense into your
network can vary based on what you have. I'm not going to go over every
option, but in a lot of cases, you're going to see something like
this. You'll have your home router. And that home router has a lot of
stuff going on. It does everything. It's your router, it's your Wi-Fi. It's
broadcasting your wireless connection. And in a lot of cases, it's
operating as your modem, which is how your router gets internet
connection from your ISP, or your internet service provider. So again, that's
probably built into your router. If that is the case, here's what you can
do. Just take a cable, Ethernet cable, not just any kind of
cable, Ethernet cable, plug it into your router and then
plug the other end into your WAN port on your pfSense firewall. Ideally you'll want to put your
existing home router into bridge mode, if it supports it. I'm not going
to cover how to do that here. Oftentimes just plugging another
router into it and rebooting it will just put it into bridge mode
automatically. But for all of that, consult your router
documentation, talk to your ISP. They should have something
to help you do that. Now, if you don't want to do that, you don't
have to, but here's what will happen. Your WAN port on your
pfSense firewall here will get a private IP address
instead of the public one, which is what you ideally
want. This can work. I'll show you how to do it here in
a moment. It's not ideal though, so if you can, put it in bridge mode. Now,
in the case that your router does not have a modem built in and you have a
separate device operating as your modem, things are a lot simpler, which
is the case for me right now. You just plug that stinkin'
modem right into your WAN port, and it gets a public IP
address and you're done. And then finally for your LAN port, which is what your devices
are going to connect to, you can plug that sucker right into
your switch or just directly into your computer, if you're just kind
of playing around right now. But ideally you plug it
into a switch. Now, one last consideration before we start
playing around and having fun with this thing, and that's wireless. pfSense really shouldn't run your wireless in
your house. Something else should do that. Ideally, if you're like me, you're going to have separate wireless
access points. I'm running UniFi, and that will totally work. And it's
awesome. But you can also do this: you can take that old router and
repurpose it as an access point. You can put it into AP-only mode, plug that into your switch and it
will be an access point for you. There are some articles on how to
do that. I'll put those links below, but those are all the considerations.
Get your coffee ready. Let's start configuring pfSense
right now. Now again, you can install pfSense on a lot
of things, but for the sake of time, I'm going to show you how to
do it on this appliance here. The good news is it shouldn't be very
different on other hardware. In fact, if you've ever installed any kind of
operating system on any kind of device, including your computer, it's going
to feel like this. So here we go. First thing we'll need is a USB flash
drive, which I didn't mention before. Oh, that was cool. I didn't even
mean to do that. Like a wizard. You do need a USB flash drive, so
have that and let's go download pfSense. I got a link below. Here, we're
going to select our architecture.
That's going to be AMD64,
and the installer will be a USB Memstick Installer. Console, we're going to do VGA. And then mirror,
choose the location closest to you. Austin, because I'm
in Dallas. Here we go. And click on Download. Perfect
time for a coffee break. Now, adding to the list of things
I keep forgetting to mention: you will need a monitor and keyboard
to walk through the installer on the sucker. So I'm gonna plug
my stuff in right now. Monitor, this thing has two HDMI
ports, which is killer, and keyboard. My download is complete and now I need
to write that sucker to a USB flash drive, the one I have here. So I'm
going to download Rufus for Windows. For Mac or Linux, you can use
balenaEtcher. But anyways, I'll download Rufus right
here. Run that sucker, gotta plug my flash drive in and,
no, it's not a bad USB, so I'm fine. Make sure you use one that you buy,
and not one you find out on the street, 'cause those suckers are bad. Video up here
somewhere. Something just fell on me. I thought that was a spider.
Anyways. So I'll select my device. I'll select my image, which was the one I just downloaded,
and I'll click on Start. Yeah, that's gonna erase everything, I know.
Yeah, yeah, yeah. Okay. Do your thing. And mine is finished. I'm gonna go grab it and plug
that sucker into my appliance. There we go. And then
we'll plug the power in and she'll start coming up
here in a moment. All right. This should boot right in. And
it should be very quick. Yes, I wanna install pfSense. Let's go.
Default keymap. Yes. Auto ZFS. Yes. Install. Yes. Stripe is fine. Yes. And
then I'll select where to install it. It's going to be on that
Protectli 32 gig mSATA. I'll select that with my space bar,
hit Enter for OK. Last chance? I know, let's do this. And it's going
to be wicked fast. Time for a quick coffee break. It's done. Do I
want to make changes? No. Go ahead and reboot that
bad boy. And we're good. So at this point you can unplug your
monitor, keyboard and all that jazz, which I'm going to do, and USB flash drive. Ah, don't you like that? I love when
things have noises. Okay. It's ready. And as you can see on my screen here, it's got an IP address on LAN of
192.168.1.1. Remember that. We're going to
access it on that IP address, which means it's now time to plug in our
network. So I'll plug in my LAN first. This is going to my switch, or it
can go directly to your computer. And then I'll plug in my WAN,
which is going to my modem. Plug that into the WAN port. Now also make sure you plug your
computer into that switch or, again, plug it directly into
your pfSense appliance. And now we're really getting into the
fun parts, because we're going to be configuring our pfSense
firewall. Let's do this. First, I'll make sure I actually got an IP
address from my pfSense. So out here in Linux, I'm gonna do ip
address and boom, right there: 192.168.1.10. If you're
on Windows, it'll be ipconfig. Now let's fire up our web browser and
we're going to go out to 192.168.1.1, the IP address, or the current IP
address, of our pfSense firewall. Yeah, it's insecure. I'll accept the risks.
Let's do this. And here we are. Let's get signed in. Default login will be admin as the username
and the password will be pfsense, all lowercase. p-f-sense.
Ooh, it beeped at me. I'm configuring R2-D2. First
things first, we got a little wizard, little Harry Potter magic to help us
set this up. Let's go ahead and do this. This is super easy and basic and quick.
So click on Next right here. Yeah, yeah, yeah. You got support. We're not going
to pay for that. Click on Next. Hostname. I like that hostname, pfSense.
I'm gonna leave it that way. Domain. You can leave it at home.arpa, whatever. I'm going to change
mine to knockturnalley.local. Do you know what that means? Let
me know below. Primary DNS server, I want to send mine to Cloudflare's DNS
and then backup, Google's DNS, and I'm going to uncheck Override
DNS. Boom, moving right along, click on Next. NTP server, I
will use theirs. That's fine. And then check your time zone. I'm going
to be in Central. Change that bad boy. Here we go. Yes. Click on Next.
Now for our WAN interface. Now here, for most of you, you
won't change a dang thing. It's going to pull an IP address via
DHCP from your modem or your router. For me, that's exactly
what I wanted to happen. One more thing you might want to look
at, as I scroll down to the bottom here: if your pfSense firewall does end up pulling
a private IP address from your router, something like 192.168
or something like that,
you'll want to uncheck blocking private
IP addresses. But only in that case. I'm not doing that, so I'm
going to leave it checked. Click on Next, and now for our LAN
interface. Whew, here we go. By default, it's going to say, hey, do you want
192.168.1.1? No, you stinkin' dope. Everyone
has that. And guess what? Hackers know you have that too.
So we're going to change that. We're going to hide it. Well, not
hide it. We're just gonna change it. Pick something that's in the private
space. You can copy me exactly if you want to. I'm going to do
10.27.27.1. That will be the IP address of my pfSense
firewall on this interface. Again, you can copy me exactly if
you want to. Subnet mask, 24. Golden. Click on Next, and
then lastly, admin password. We're going to change that sucker to
something secure. Click on Next. And bam, I told you that was easy. Just click
on Reload. And it's going to reload. Coffee break. Hmm, little chilly though. It's been sitting there for a while. Congrats, your pfSense firewall's
now configured. Yes, it wasn't a very long coffee
break. So here at the bottom, we're going to click on that
'cause we're finished. Now, what's going to happen here,
and don't let it scare you, is that we're no longer going to be able
to access this sucker on 192.168.1.1. Why? Well, because we just
changed it. We changed it to 10.17.17.1
or whatever you changed yours to. Now what's going to happen here is, as pfSense
applies the settings and reloads, it's going to try and hand out a
new IP address to you through DHCP. It's going to be in that 10.17.17
subnet or whatever you set yours to. So I'm going to fire up my command line
once more and just see if I got one. ip address. Did I get a
new one? No, I did not. So I'm going to reset mine
real quick. For Linux, I'm gonna do sudo dhclient -r
to release my current IP address. For Windows, it'll be
ipconfig /release. Then I'll run sudo dhclient
without the -r to get me a new IP address. And for Windows it'll
be ipconfig /renew. Anyways, let's do ip address
to see what I got. Boom, here we are in the subnet,
10.27.27.10. That is us. Let's go see if we can access our pfSense
firewall. Man, this is so fun. Anyways, I love
networking. Uh, 10.27... did I say 17 before? It's 27.
I'm crazy. 10.27.27.1 is his new IP address. Rocking
it. Yes, I'll accept the risks. And here we are. I'll log in with my new credentials
and then my new password. Beep. Oh, I love that. I love
the feedback. And we are, yeah, copyrights or trademarks, yeah, all
that good stuff. Oh man. We're on fire. We got this. Let's look at this. So good.
This is pfSense, guys. This is amazing. A couple of things real quick. I want you to scroll down just a
little bit here on our dashboard. We'll have the section called Interfaces. Now I'm going to have my WAN blocked out, 'cause it is my real public IP address, but you'll know everything's working
when you see an IP address here for your WAN. And of course we'll have
our LAN right here, which we just set, that's the IP address we accessed. Now I know this might seem
very overwhelming. This is
a crazy looking menu. Um, all kinds of stuff going
on here. Don't worry. You're going to learn a lot about this
as we configure some cool things. I'm going to walk you through it. Hold
your hand. Don't feel overwhelmed. You're going to have an awesome network
by the time you're done watching this video. I hope so. Anyways, real quick, the dashboard tells us
some fun stuff about what we're dealing with here. We can also customize that. We've got a plus sign up here at
the top and we can add things to it. One thing you might want to add, let
me just go ahead and click on that plus. Maybe you want to
add interface statistics, which is always good to look at and
fun. Click on that. There it goes. I'm going to close this Netgate
Services and Support thing right here. I don't like that. It's
retrieving interface data. Ooh, pretty. Let's get prettier. I'm going to
add traffic graphs. Oh, look at that. Yes, sir. Now real quick, the good news is that pfSense is active
and running and your network is looking pretty good out of the box. It's awesome. Let me show you what we configured real
quick so you can know how to get to it. The big thing we configured was our
interfaces. Let's take a look at them. So if you go up here to the top in our
menu, we get Interfaces. Click on that. We've got three options: Assignments, WAN and LAN. Let's
go and click on Assignments. And this is where we can
make some interface changes. Here are the bad boys
that we just configured, WAN and LAN. Let's go and jump
in LAN real quick. Click on him. And here he is. We can make changes
if we want to. If I scroll down, we can see there's his
IP address, but he's already good. We don't need to configure
him, so go back. Same kind of stuff for WAN. He's got
DHCP configuration, blah, blah, blah. So if you did need to change that private
IP address block thing down here, you can go back in here and change that. Let me show you one more thing that
was auto-configured for us through that wizard. And that was DHCP, which is how
we hand out, or how our router here, Mr. pfSense, how he hands out IP addresses
to our devices when they connect. Like, hey, give me an IP address. And he's
like, here you go. Whatever you want. One for you. Anyways, so
DHCP is pre-enabled on our LAN. Let's take a look at that config, so you know what it looks like because
it might be something you'll want to change in the future. So to find DHCP, we're going to go up to our menu here
and go to Services and then click on DHCP Server right here in the menu.
And right here, here's our LAN. And then here's our DHCP config for it. And we can see that it's enabled
right now, which is perfect. And we know that because we
got an IP address via DHCP. And if you scroll down, we can
see all the information about it. One of the biggest things we care about
is the range, or the pool, of IP addresses that are being handed out. We're
handing out 10 through 245, which means the IP addresses
1 through 10 and 246 through 254 are reserved or can't be assigned. And of course we can change that at
any time. We could add additional pools. We can customize DNS servers
down here. And as you can see, you can get pretty crazy and advanced, but you don't have to, because
the way it is now, it works. And at the very bottom you can assign
static mappings for your devices. So if you have a device that you want
to have just one IP address forever, never change, because they do change, they
can change, you can make it static here. One more thing on DHCP. How do we know
what IP addresses our devices pulled? We can find that out by going up
here to the Status menu option, which will show us a lot of stuff. We'll
spend a lot of time here, actually. So click on Status. And then within
here we see DHCP Leases. There we go. And bam, we should see one there. Or if
you threw it into your network,
you might see a bunch.
But this right here is us, our computer that we plugged in. Awesome. And what's cool about this is if I
did want this IP address to stay my IP address forever, I can
do it from right here. I can make a static mapping by clicking
on this little plus icon under Actions and the sucker will make it a static
mapping. It's really cool. Now, if you want to stop the video
here, you can, 'cause your pfSense firewall and router is
working great. It's good. But if you want to have a bit more fun
and get a bit crazier, stick with me, let's do this. 'Cause now we're going
to talk about some fun stuff. Like, ah, port forwarding. Maybe you have a website
or something you want to access from outside your home, and you want to
forward that port. How do we do that here? Super simple and easy. Watch
this. So for port forwarding, we're going to go to our Firewall
menu option at the top here, click Firewall and then NAT. NAT. Now we are going to come back and visit
here quite a bit in this tutorial, but for now, we're going to focus on
Port Forward, first option. Now again, a port forward comes into play when
you have something on your network, maybe it's a website, that you want
to be able to access from the big, bad, wide internet, or you
want other people to access. We have to tell our pfSense firewall to let
traffic through to this guy because by default, he's going to block it like he
should. That's what you want to happen. But sometimes you want to
have stuff come through. We're going to punch a hole in our
network. So real quick for demonstration, I'm going to spin up a quick
little Python website, python -m SimpleHTTPServer. And I'll run that on port 8080. Bam, website running.
So now let's create a port forward. I'm going to click on Add right here.
And like most things we see in pfSense, there will be a ton of options, but only a few you really need to worry
about and care about. So for example, here, in most port forwarding situations,
that's going to involve your WAN port. So leave that as default. The first thing I'll change here
is my destination port range. My website's running on port 8080. So I'm
going to put that right here, port 8080, and then my redirect target IP. That's going to be the computer inside
my network, or the server, or whatever it is that's hosting that website. Now for
me right now, it's the one I'm using.
So I want to put it right here. A
single host, 10.27.27.10. That's me. And then finally that redirect target
port, gonna throw it in right here. Get the same port, port 8080. And that's
it. Pretty simple, right? Like, yeah, we could go crazy with other stuff, but we don't have to. I'll
add a description right here
just to make things look pretty and then click on Save. Now, you'll see this a lot when you're
configuring your pfSense router. It'll put a config in limbo for you
and say, okay, when you're ready, go ahead and apply the changes. 'Cause
you might have a few more changes you want to apply. I'm ready right
now. So I'll click on Apply Changes. Going to do its thing. Probably
already did it. So let's test it out. I've got an outside connection here. I'm gonna bring my browser over
here and let's go to the public IP, which I'm going to hide from you, go
to port 8080, and bam. There it is. Port forward is working like a champ.
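
An added example, not from the video: a small audit of port forwards like the one just created, run against a pfSense configuration backup. The XML sample is constructed and its element names are an assumption about the config.xml layout, so check them against your own export; the DHCP pool bounds are the ones shown earlier in the walkthrough.

```python
"""Audit pfSense port forwards from a config.xml backup (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real backup. The <nat><rule> element names are an
# assumption about how pfSense lays out port forwards in config.xml.
SAMPLE_CONFIG = """
<pfsense>
  <nat>
    <rule>
      <source><any></any></source>
      <destination><network>wanip</network><port>8080</port></destination>
      <protocol>tcp</protocol>
      <target>10.27.27.10</target>
      <local-port>8080</local-port>
      <interface>wan</interface>
      <descr>Python test website</descr>
    </rule>
    <rule>
      <source><address>203.0.113.7</address></source>
      <destination><network>wanip</network><port>2222</port></destination>
      <protocol>tcp</protocol>
      <target>10.27.27.5</target>
      <local-port>22</local-port>
      <interface>wan</interface>
      <descr>SSH from one known address</descr>
    </rule>
    <rule>
      <disabled></disabled>
      <source><any></any></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <protocol>tcp</protocol>
      <target>10.27.27.30</target>
      <local-port>3389</local-port>
      <interface>wan</interface>
      <descr>Old forward, switched off</descr>
    </rule>
  </nat>
</pfsense>
"""


def parse_port_forwards(xml_text):
    """Return one dict per <nat><rule> entry in the backup."""
    root = ET.fromstring(xml_text)
    forwards = []
    for rule in root.findall("./nat/rule"):
        src = rule.find("source")
        forwards.append({
            "descr": (rule.findtext("descr") or "").strip(),
            "interface": rule.findtext("interface") or "",
            "protocol": rule.findtext("protocol") or "any",
            "wan_port": rule.findtext("destination/port") or "any",
            "target": rule.findtext("target") or "",
            "local_port": rule.findtext("local-port") or "",
            # An <any> child under <source> means no source restriction.
            "source_any": src is not None and src.find("any") is not None,
            "disabled": rule.find("disabled") is not None,
        })
    return forwards


def audit(forwards, pool_start, pool_end):
    """Flag enabled forwards that are open to any source or that point at an
    address inside the DHCP pool (the lease can move to another device)."""
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    findings = []
    for fwd in forwards:
        if fwd["disabled"]:
            continue
        label = "{}:{} -> {}:{}".format(
            fwd["interface"], fwd["wan_port"], fwd["target"], fwd["local_port"])
        if fwd["source_any"]:
            findings.append((label, "reachable from any source address"))
        try:
            target = ipaddress.ip_address(fwd["target"])
        except ValueError:
            continue  # target is an alias name, not a literal address
        if target.version == lo.version and lo <= target <= hi:
            findings.append(
                (label, "target is inside the DHCP pool; give it a static mapping"))
    return findings


if __name__ == "__main__":
    rules = parse_port_forwards(SAMPLE_CONFIG)
    # Pool bounds from the DHCP server page shown earlier: .10 through .245
    for label, problem in audit(rules, "10.27.27.10", "10.27.27.245"):
        print(f"{label}: {problem}")
```

The demo forward to 10.27.27.10 is flagged twice: it accepts any source, and its target is a leased address that a static mapping would pin.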
Okay. So port forwarding, bam, in the books. We got that. Time for our next few things,
like dynamic DNS and routing everything over VPN, which by far is the coolest
feature ever. I love it. Anyways, let's do this. I'm going to demo setting up Cloudflare
because I talk about Cloudflare in, like, all of my videos, and to be able
to have this hosted on your firewall is killer. Otherwise you need something
else to do it, like a Raspberry Pi, which I have a video on that right
here. So if you want to do that, that's pretty cool. But this is
cooler. It is. It just is. So anyways, to do this, we'll get back to
our menu here and go to Services. No surprise there. And then
right here towards the middle, we have Dynamic DNS. Click on that. This
place is a ghost town. Let's change that. Let's click on Add over here. Now you can configure most
dynamic DNS providers on this. Like, they have a whole list
of, like, instructions right
here for whatever you're gonna use. Again, we're focusing on
Cloudflare. So let's change that. So up here, Service Type.
Mine's going to be Cloudflare. Change that to Cloudflare. It's right
here. Interface to monitor, WAN. That's how it's going to be most of
the time. And then the hostname. What domain name are you going to have
changed to your public IP? For me, mine is going to be pfsense,
and then theborough.cloud, which translates to
pfsense.theborough.cloud. That's my subdomain. If you want just the root
URL, just theborough.cloud, you would put an @ symbol right there. Take that away and just
have the @ symbol and then
just leave your domain like that. Again, we have a ton of
options that you can change, but you don't have to. Next thing
I want to do is put in my username. This would be the email address I'm using
for my Cloudflare account, and then the password. This will be your
global API key on Cloudflare. Let me show you where that is. If you're
hanging out in your overview page, you'll scroll down a little bit and you'll
see the option to get your API token. Now keep in mind, if you have one of
those free domains from Freenom, this will not work. Cloudflare does not like using
their API with those free domains. And once you're here, you
want the global API key. So we'll click on View and then prove
that we're not a robot, which is really, really hard. Elon Musk has
his work cut out for him. I'm a human. Let's find some trucks.
That's a truck. That's a truck. Truck, truck. I think I'm a human. Let's
see. And then my password. Dag gum it, I'll try it again. And
once you have the API key, just paste it in there twice.
And then just describe it. Good documentation is key. And click
on Save and boom. It's working. I love when it works the first time.
It's the best. You'll know you're good when you see status green check mark, one of the best symbols in the entire
world, and you see your cached IP, which is your public IP address. Oh,
and it looks so good. Let's try it out. I'll pull up my outside
connection. pfsense.theborough.cloud. And then I'll go to port
8080 to see if my, uh, it works. Yes. Oh, sorry. I love
it when things work. So what I love about this
is it's all just pfSense. It's one device doing all of that in my
network. Control and power. Control and power. It's amazing. Anyways,
coffee break. Don't need more, but I'm going to drink more. Now for
my favorite part. It's the best part. Routing all of my traffic,
all of it, over VPN. My entire house will be
encrypted, sucker. Take that, ISP. You can't see my stuff. Let's
do this. Now, disclaimer: every VPN provider will
be a bit different. I'm going to demo two here
'cause I have both of them, Private Internet Access and NordVPN,
both great options. I've got links below, but the process should be very similar,
and just refer to their documentation. They should have some for pfSense
'cause it's very, very popular. That's why I love pfSense. Everybody
supports, most everyone supports it. I don't want to say
everyone, but most people do. Now, before we do our VPN configuration, I want to show you my current IP address
so we can verify it's actually going to work. So I'll go to DuckDuckGo, do a good old what's my IP
address, and bam, right here. I'm going to blur most of this out
except for my last octet, which is 128. This should be different the
next time we do this. First, we'll do Private Internet Access. You will need an account, so go
check it out. Link below if you want to get signed up. They're
awesome. They are what I recommend. Okay. First step. We need to open up our
Private Internet Access pfSense official documentation.
We go, not this loosely. So check the link below, and pretty much
the only thing we're going to do here is click on the default
configuration. Going to click on that. It's going to download a zip file. I'm going to save that and open it up
and I'll extract it. Once you've extracted the file, you'll want to pick a
location that's closest to you. For me,
it's going to be, let's see, US
Texas, the .ovpn. I'm going to open that file. And here, inside that file, is everything I need
for my connection. So keep that open. Keep that handy. Let's keep moving
along. Back here in pfSense land. Yes. The first place we're going to
visit is up here at our menu. Click on System and then
click on Cert. Manager. We're going to add the Private
Internet Access cert right here. We'll need that for our
configuration. Going to click on Add over here on the right. Name it something descriptive like PIA
or whatever, PIA CA, and then our method. We're going to change that. We'll change it from create to import.
Now go back to the file we just opened. We're going to find
where it says begin certificate. We're going to take all that, starting
right here, and where it says end certificate, we're going to end right
there as well. We're going to copy that. And then right here in the certificate
data box, we're going to paste it. Paste. Bam. Making sure we have both the end certificate
and the begin certificate as part of it as well. And that's pretty
much it. Scroll down, click on Save, and it should look something like this,
giving you all that good information. Now, time to configure OpenVPN. So
where do you think we're going to go? Where do you think? Probably right up here where it says VPN
click on VPN and then click on open VPN from here, click on clients. And then we're going to click on
add because we're adding a client, which is RPF since router. Now
here, take a breath, take a drink, coffee real quick. It's a little sip because if you see all this as a scroll
down, we got lots of stuff's configure, man. That's a lot. Don't worry. It's
not too crazy. We'll do this together. The first big thing we're going to change
is actually right down here where we have server hosts or address
because everything up there is fine. We're going to open up our
file again that we downloaded, score the top and we'll find the server,
which is right here on line four. For me, mine was U
s-texas.privacy.network. That's the server that I'm connecting
to yours will be different based on what region you selected. So I'm going to
take that sucker. Just the address there. Copy it and paste it there. Boom. And
they're looking back at that document. Notice my port here at the end of
the address was 1198 or is 1198. That's my server port needs
to be. So right now it's 1194. I'm going to change
that to 1198 right here. And then we're going to jump on
ahead to the description field. Just describe that sucker. Pia, it's
all going to name it. That's it. And then our user authentication settings. This will be your Pia username
and password is going to
start with a P and have a string of numbers. Uh, after it, I'm going to go find my real
quick and paste it in there. I'm going to blur mine out so
you can see it and that's it. Don't do anything else. Leave that
authentication retry unchecked. Now for the cryptographic settings,
spend some time here real quick. First TLS configuration. That checkbox should be checked by
default all in check. Boom. Next, make sure the peer certificate authority
here in this little field right here matches what we imported earlier, the
PIA CA. So make sure you have that there, in case you have other certificates in your
repository. And then our data encryption algorithms. Now real quick, go and refer back to the file we
opened. Here in my file on line nine, I see the cipher is AES-128-CBC. That's what you kind of want to match
on your data encryption algorithms. Let me show you. So right here, the ones here on the
right side are the ones we have selected. Here on the left are the ones that
we don't have selected just yet. Now PIA actually says that
the AES-128-GCM is preferred. So I'm gonna keep that there, but I want to take away the other ones
by clicking on them. Goodbye, goodbye. And then I'm going to
add the AES-128-CBC. This one right here. I'm going to click
that guy. Welcome. And that should be good. And then down here on the fallback
data encryption algorithm, I'm just going to select the 128-CBC as backup. And then right here
for the auth digest algorithm, again, we're gonna refer back to our, our file
we opened up. Here for me, on line ten, there it is right there. It's
telling me it wants SHA1. We're going to match that exactly. So
click that box there and pick SHA1. Perfect. If yours is different in
the file you opened, match that. Now here for hardware crypto, if you do want to play around
with using your hardware acceleration for cryptographic
features, go for it. I'm not going to play with
that right now. Next steps. We're going to scroll down just a bit, cause we don't really care
about the tunnel settings. Ignore it all because he's going
actually, there is one feature right here: Don't pull routes. But here's a cool part
about this configuration we're doing. You can put your entire network behind
this VPN so that whenever someone goes out to the internet, they are
protected, which is awesome. But sometimes you may not want
that for a segment of your network. So if you want the ability to say these
devices go through VPN and these don't, you want to make sure you have the
Don't pull routes checkbox checked. If you don't care, if you want your
entire network to go through VPN, leave it unchecked. That's cool. I am going to show you how to
segment part of your network. I'm going to select that box.
Okay? We are almost done. Trust me, scroll down just a bit. Keep
going, keep going. Right here, advanced configuration. We're going to
paste something here in custom options. I'll have all this data in the links
below. I'm going to paste it in here. You want all of this
in the custom options, and then we're gonna keep scrolling down. I probably see we're almost
done. Under gateway creation, we're gonna click IPv4 only.
We don't care about the IPv6. It doesn't work with
it anyway. Now when I say it, I mean private
internet access. And that was it. That's the last setting. So I'm gonna
scroll down and click on save. Ooh. Oh wait. Oh, I guess I had a blank
space in my data encryption algorithms. Let me go check. Okay, cool. If you
had that there you're in trouble, but you're fine. Okay. Click
on save. Oh yes, we did it. Now, how do we know it's working? How do we know our username and password
was accepted? How do we know what's up? Well, we check the status, right? We'll go back up to our good old trusty
Status menu option right up here, and we'll click on OpenVPN right here,
down towards the middle. And boom, I love this. Status: up. Yes, sir. Showing my real local address and
then my fake private internet access address. This is what the internet
is going to see when I access stuff. Now we're not ready yet. Yes. We have
private internet access connected. Our pfSense router is a client of it, but
our traffic isn't yet going across it. Let's make that happen right now. Right now we're going to
navigate back over to interfaces. So right here at the top, the menu option Interfaces, and we're
going to select assignments and we're actually going to assign
or set up a new interface. So here we have available network
ports. We have a drop down here. We're going to select that drop down
and search for our new private internet access interface, which is right there.
OpenVPN c1, PIA. And I'll click on Add to add that bad boy. Done. Now, what I want to do real
quick is jump in there. Notice how it gave a default
name of OPT1. I like that. So I'm gonna jump in
there and do two things. We're going to enable it and
we're going to rename it. Enable, and I'll name it PIA. And
that's all we need here. Painless. Let's go down to the bottom, click
on save, and then we'll click on Apply changes to make sure this bad
boy takes place. Coffee break. Hmm. Done. Here we go. All right. Now we're
getting deeper into the network weeds. We're going to talk about NAT, or network
address translation. So for that, we're going to go up to our menu
once more and go to firewall. You hear love firewalls, click on
firewall and then click on NAT. Now we already came here once before,
right? We did our port forward, but now we're focused on outbound internet
traffic. Let's click on that bad boy. Now what we're doing here is we're making
sure that when our IP addresses here in our network, so it's gonna be
10.27.27.0/24, all these addresses in that subnet,
when they go out into the internet, we need them translated to that
one private internet access IP. It's going to share one IP address,
maybe be 154 dot or whatever. Pretend that's an IP address. We want
them all to be translated to this. That's what NAT does: address translation.
So let's make that happen right now. First thing we'll do is change the mode
from automatic to hybrid outbound NAT. Now, one thing if you haven't noticed is
that when you start configuring your own network with your own firewall,
especially pfSense, you learn a ton about networking
in the process, right? I mean, right now you're gaining
a ton of knowledge. If you
don't already have it, dude. It's awesome. And yeah, you might have
more questions than you did before. That's good as we're doing this, I'm not explaining everything
because that would take forever. But I want you to like write that down,
go research it yourself. I've got a, a networking course on my YouTube channel. My CCNA course where you can dive
deeper into these topics. It's awesome. Anyways, let's go. Let's continue.
I'll get off my soap box. Okay. So with our hybrid setting, we're gonna scroll down and
we're going to add some mappings. Now notice we have automatic rules,
which we're not going to touch. Leave those alone. We're going to
add some manual mappings right here. So go ahead and click on add, first thing we'll do is
change the interface from WAN
to PIA. There she is. PIA. The one we created. Next place we're
going to visit is right down here under source. We're going to add a
network here in this field. This is going to be for localhost
traffic. 127.0.0.0 will be the subnet. And we'll change this 24 over here to
8. Bam. And that's pretty much it. We're going to scroll down and click
on save, but don't apply just yet. We got a few more rules to add.
We're going to duplicate this rule we just created by clicking on the two
papers right here to copy it, over here on the right. Going to click on that. We're going to change one
thing here under destination. We're going to add a port to that
destination. It will be port 500, which is for ISAKMP traffic. We'll then scroll down here just
a bit and under translation, we're going to check the static
port box and then click on save. And just two more rules we're
going to add. So don't worry. We're almost done. We'll
click on add once more. And this will be the actual rules
that will NAT or translate our LAN traffic, our 10.27.27-whatever, whatever you have, to PIA's internet
IP address and then to the internet. So here we go. Same as before. We're going to change our interface from
WAN to PIA, and then for the source, we're going to add our own network
right here. Again, mine was 10.27.27.0. And for most of you, it'll
be /24, which is already there. And that's it. We're going to scroll
down to the bottom, click on save, and we're gonna do that same thing we
did before with, uh, our local traffic. We're going to click on the copy icon
next to that newly created rule to duplicate it. And we're gonna change the same
stuff over here on destination ports. We're going to add 500 for ISAKMP
and we'll scroll down just a bit, click on static port under
translation, and then click on save. Yours should look just like this. And you
know what I realized, I forgot to, uh, save my hybrid configurations.
I want to make sure I do that. And then click on save. So cool.
The rules were kind of grayed out, were there for a second. Okay. And then I'll click on apply
changes and it's doing it now. We're not quite there. Just hold
tight. We got a few more things to do. So we're done with Nat. Now we're
going to look at firewall rules. So we'll scroll back up to the
top here, back to our menu, go to firewall and select our rules
section. Actually, you know what, before we do that, I want to show
you aliases. Yes, let's do that. So click on firewall and
then click on aliases. This is simply a way for us to group
a bunch of IP addresses together or networks together and say, this is
this network. We're just labeling them, kind of grouping them together,
putting them in a Ziploc bag. So what we're doing, so
here, I'll just click on add, and I'll say PIA_people. I'm going to specify which part
of my network, which addresses. I want to be sent across the
private internet access VPN. Now notice here when I select type
right now it's defaulted to host. So individual IP addresses. I can actually specify a bunch of
different options like ports and URLs and entire networks for now. I want to do
individual hosts, just keep it simple. So I'll do 10.27.27
dot, and I'll say 10, and I'll do 10.27.27 dot, I'll say there, 20. So that range, 10 through 20, is going to
go through my private internet access VPN. So I'll click on save
here and then apply. And boom, we just created an alias,
which again, it's just a group, a labeling of hosts, networks, whatever. And we can reference that later
in our rules. Let's do that. And actually real quick, we can go back and reference our PIA
people, or whatever group we have here, our alias, in our NAT rules. I'll
go change that real quick for me. You don't have to do this, but
uh, I want you to keep it clean. So I'm going back to firewall and
NAT, click on Outbound once more. Look at my rules. So here I have
my source 10.27.27.0. It's my entire LAN network.
I want to change that rule. Click on the little pencil icon, go down
here and here in the source network, I'll just start typing P-I-A, oh,
there it is. PIA people, bam. And we'll change the 24 to a 32 because
these are individual hosts, and I'll click on save and I'll make that
same change to the second rule there. Changed the network,
the subnet, and save, and we'll apply those changes
just to make that thing cleaner. Now we're ready for firewall
rules. So go up here to the top, click on firewall and then select
Rules. Firewall and Rules. And we're going to click on
the LAN. Our LAN rules, each network will have
its own set of rules. And here we're going to add two
rules. So go ahead and click on Add over here on the right.
And just a couple things we're going to change here. Like every
time, right? First is the protocol. We're going to change that from TCP to
any cause we want all kinds of network traffic to go across any let's scroll
down a bit and we'll configure our source. We'll click the dropdown and
change this from any to a single host or alias. And our alias will be the
alias I created earlier. Now, if you're not doing an alias, if
you shouldn't do an entire network, you can do like a LAN net and
that'll be your entire LAN network. You don't have to worry about it. For me, I
wanted a subset of my network. So alias, PIA people, there we go. And we'll
scroll down just a bit first. We'll describe it. Cause we gotta
be descriptive here. PIA people traffic, and then we're gonna click
on advanced. We're getting advanced. Here we go. Display Advanced. We'll
scroll down until we see, again, lots of stuff we're going to
ignore, down until we see, oh yeah, buddy, gateway right here.
Right here for gateway, we're going to change that
from default to PIA_VPNV4. This will be using something
called policy-based routing, which we cannot cover right here. Um, but basically it's going to override what
the system would normally do and tell it to go out private internet
access. And speaking of gateway, we're about to talk about that anyways.
Um, we're going to scroll down, click on save. Amazing. Ready to go.
And we're going to add one more rule. You see, just in case my private
internet access connection goes down. I don't want these people to suddenly
just start going out the raw internet, being all without clothes
and stuff. No, no, no. We're going to block them if they
can't go out that place, let's do that. So we're going to add
one more rule, click on, add once more and apparent
our action right here. And so far we've just done like
pass, like yeah. Allow it to happen. Now we're going to tell the firewall.
Let's see what block that sucker. So let's change it to block once again.
We'll change our protocol to anything, not just TCP traffic. If
you don't know what that is. I've got a video talking about TCP and
UDP. Check it out up here somewhere. So change the, our source. For me again, it's going to be a single host or
alias, and mine's PIA people. For you, it could be the entire network.
That's fine. I'll describe it: No internet for you, PIA
people. And click on save. Now make sure... little firewall lesson here. The firewall rules are processed
top down. The way it is right now, the first rule that it hits applying to
my PIA people is the one that says, um, we're going to block you. Notice the X
over here, the description I put there. It's going to block people. So
before it even gets to the rule allowing them to go out to PIA and
access the internet, it's blocked. So what do we do here?
Well, we change the order. So all we got to do is
select my good rule, the one allowing it, and just drag it to just
above the block rule. So they're allowed. And if the gateway's down, they're
blocked. I'll save those changes, apply those changes. And we're
solid. Now I mentioned gateways. There's one thing we
have to do at gateways. And I know this feels like a forever
thing. pfSense is complicated. Networks are complicated. So as
we're doing all this, yes, follow along. Um, but yeah, go back and try to
figure out what we were doing before. I'm not going to explain everything,
but anyways, let's go up here to status, check on the status of our
private internet access gateway, 'cause we do have one. Go to Status
and then click on Gateways. Now notice something here. Our WAN
gateway status is online. It's healthy, but PIA, it's pending. I don't like
that. I want it to show online. We have to change just one setting
here to make sure it shows that, or, change that setting in the gateway. So we're going to go up here to System
in our menu and select Routing. Ooh, love that word. And look at that. We've got
our gateways right here, hanging out. And one of those gateways is our PIA VPN
gateway. We're going to edit that guy. So click on the little pencil icon. We're going to pencil in something here
and we'll scroll down just a bit until we see Monitor IP here. We're going
to give it an IP address to monitor, to make sure the Internet's up. So
if they can reach 1.1.1.1,
which is Cloudflare's DNS, which is a very popular IP, always used to test internet connectivity
and they can reach that through this gateway, then PIA is up. So we're going
to add that. You can use the IP address. That's fine. Scroll down, click on
save and then click on apply changes. So now when we go back over
to status and gateways, PIA will eventually show
up. I'll give it a second. So a couple of coffee sips later, if
I refresh the page a few more times, bam, PIA is online. Beautiful.
Now what do you say? We test a few things out so real quick.
Let me make sure this is coming through. Let's go to the firewall again. Click on
rules, go back over to LAN. PIA people. If I hover over that,
that's so cool, right? It shows me all the addresses in
there right now. 10.27.27.12. That's me. Like if
I pull up my command prompt here, IP address, once more on the zoom in a
bit, that is who I am. Theoretically. I should be going through that. Right?
I should be going through PIA. So let's, let's see if I am. Let's see
what my public IP address is. Remember before the final
octet was 128, or .128. That's the end of my IP address. All my actual, that's my actual IP
address for my actual internet. But if I'm going through PIA, I
should see something different. So let's get back out to DuckDuckGo,
type in what is my IP address? Yes, yes. Look at this. It now ends in
.232. Different location. So awesome. Yes, it works. My internet traffic is going
over private internet access. I'm not running a client
on my machine here. It's running off this bad boy right here
and I can't do anything about it unless I change my IP address. Now, one of the many amazing things about
pfSense is that you can install packages. Third-party things on top of your already
amazing firewall to add functionality. One of those things we're gonna play
with right now is called Service Watchdog. Like any good watchdog, it's going to watch
a particular service that we specify and make sure it stays up. And if it
doesn't, if it crashes or something, it's going to bring it back up.
It's going to keep an eye on it. So we're going to do that right now. We're going to do it for
private internet access. We want that VPN to always
be up. And if it goes down, we're gonna suck it back up. So let's install our first package
and it's super simple and easy. Like everything. I know some of
the firewall stuff was a bit heavy. It's okay though. So we're going to first go to system up
here at the top left click on system and then click on package manager. Uh,
currently I have no installed packages. I want to click on available
packages. Look at all these things. You could have an event, a video dedicated to some of these
things, like an entire video. So awesome. But we want one thing right now. Let's scroll down to the S's,
Service Watchdog right here. I'm going to click on install to install
that guy. Confirm quick coffee break. It's not going to take long. Trust me
done. It's already done. Already done. Cool. Cool. Cool. Now
where these packages end up depends on what kind
of service they offer. Now this particular service
is going to be under services. So if we go to the top here, click
on services, we'll find it there. There he is right there, service watchdog. And all we got to do is
give it a service to watch. We got to train our puppy here, to
look at private internet access, to keep him up. Let's add a new service. Let's click that dropdown box and find
him: OpenVPN client PIA. Yes, sir. Click on add. Now it will be restarted automatically
if it crashes or anything and we can also have it notify us via email.
If something goes awry, I'm not gonna do that right now, but
dude, that's so cool. Now, one more thing. I want to show you with our dashboard.
We'll go to status, go to dashboard. I'm going to add something to
my dashboard here real quick. I'm going to add open VPN over here
on the left. Now, first of all, notice as I scroll down through my
traffic graphs, it's got Pia there. That's so cool. I can know that
stuff's going across that interface. Also down here, I've got mine open
VPN client instance, statistics, man, 10 times fast. How cool is that? Now I did say I was going to show
you Nord VPN and how to set that up. That was gonna make this video a bit
longer than I want it to be tell you what I'm going to have an extended version
of this video on my membership site, completely free check the link below, get signed up and you can watch
the extended nor VPN version. Not very different from private internet
access, but there are a few details, a few things that are different that
you need to know, but it won't be huge. So if you saw all this, it's going to
be the same kind of situation. Now, last few things with pfSense. I
want to go back to our packages. Let's go to system, go to package manager and we'll
look at our available packages. As I said earlier, there are a ton of things here that you
can play with and go crazy. Dude, ACME. You can get some Let's Encrypt
certificates automatically.
Oh my gosh. So many, um, some things I want to have you
on here though, that are just fun. First of all, Nmap is in here
somewhere. Ready to go. Nmap, dude, you can install Nmap on
your pfSense firewall. I want to do that right now and I
click install it. Confirm it. Yeah. So you can do Nmap scans on
your network. That's awesome. If you don't know what Nmap is, I got a video right here
shows you how to do it. It's a network utility, but it's often used by hackers to do
some network reconnaissance or cognizant. There we go. Bam. And that
business stuff. Awesome. Let's take a look at some more. I think
there's one more I wanted to show you. It's kind of cool. Oh
yeah. Duh. Now by default, your pfSense firewall is pretty secure, but if you want to add more services or
more things in your network that rely on things coming into your networks, you're allowing the internet to
come inside your home network, like port forwarding things. Um, that becomes dangerous because at that
point it becomes more difficult for you to protect your network if
you're allowing stuff into it. So you want things like this,
a next generation firewall, pfBlockerNG. It's free
to install. Totally awesome. It is different. You're going to
have to learn how to configure it, but by default it does pretty great. So if you are allowing things into
your network from the outside, if you're doing some cool services and
having fun, putting something like this, it gives you a huge peace of mind. Um, there's also other stuff I mentioned
earlier. If we scroll down here, we've got Snort, which is open source. I believe Cisco bought them
and implemented them into
their services. So yes, no. It's awesome. Yeah. It's part
of their Firepower, I believe. Yes. Squid and SquidGuard are awesome. And
Suricata, heard some great things on that. Actually Lawrence Systems did a bunch
of videos on Suricata and pfBlocker. If you want to learn
more about those things, I'm not going to cover them
right here. Right now. Again, all of these things could be
their own video, but yeah, that is pfSense, an amazing open source, free firewall software that you can
install in pretty much anything, especially one of these beautiful boys
right here, Beasley network appliances, and you get control over
your network. It's just fun. Most of the projects I mentioned here
for like geeking out on your house and involve your router and doing
some stuff in your network. It's hard to do that when you don't have
a router that can do cool things like dynamic DNS and other stuff. It's,
it's so powerful, dude. It's awesome. So if you can replace your home
router with something like this. Now I know many of you
are wondering, well, Chuck, I thought you were a
big Ubiquiti guy. I am. I have both in my network right now.
I have Ubiquiti. I have pfSense. I love them both in their own
ways. Um, I tell you this right now, Ubiquiti with the Dream Machine Pro cannot
do the private internet access thing. You can't put all your traffic
on VPN and it can't do that. I've tried this bad boy can do it
without blinking, man. I love it. And plus I'm a huge fan of open source.
I love Linux-based things. It's just, it's so fun anyways. That's all I got. Let me know what you think of the video
in the comments below. Whew, this might have been a long video. I'm not sure. So my video editor will let me know
and let you know here soon, um, and make sure you hack YouTube today.
Hit that like button, notification bell, subscribe, comment. You gotta hack YouTube
today. Ethically of course. Now again, I know there's so much more to pfSense
and what we can do with the meats. It's almost, it's pretty much an enterprise
grade firewall and there
are some things that you will want to do, especially if you have IoT in your
house that you want to segment different devices in your network, you want to
take advantage of things like VLANs. So yeah, you want to do that.
So I'm going to have, again, an extended version of this video
in my membership below free sign up. I would put it here in this video, but it'd be way too long and
I don't want to do a seminar. And that's all I have because
I've had way too much coffee. I'll catch you guys next time.