Now navigate to Firewall > NAT and click out OutboundĬlick the radio button to change the outbound NAT mode to Hybrid, and click Save
Now you can check the box to enable the interface, and give it a better name, I called mine PIA_VPN.Īlso make sure the reserved network checkboxes are unchecked. Now that the interface has been added, click on the interface name, here I am clicking on OPT5, but yours will be different. Mine isn't listed because I already have it bound to an interface Mine is called ovpnc1 (Private Internet Access). On the dropdown for "Available Network Ports" you should see your PIA VPN listed. In the custom options box, enter remote-cert-tls serverĪnd set the gateway creation to IPv4 only (Since PIA doesn't support IPv6 at the time of writing)įinally, click save. If that IS what you want, then leave it unchecked. If you don't check this box, all traffic will go over the VPN by default, which is probably not what you want. Select SHA1 as the auth digest algorithm Tunnel SettingsĬhange Compression to Adaptive LZO, change topology to net30 and check the "Don't pull routes" box Most of these options can be tweaked, so once you get it working come back and decide what you want to use. I have had nothing but issues with NCP, if you want to play around with it later you can always come back and enable it, but for this guide we are turning it off.
Personally I have never had any issues with authentication, but keep this in mind Cryptographic Settingsįor this section, uncheck the TLS key box, Select your PIA-CA you created earlier and uncheck NCP Note (1/2/19): It has been suggested that PIA sometimes has an issue with authentication retry, and that you would be better served CHECKING the box so that pfSense doesn't try and re-auth. This one is pretty self explanatory, enter your PIA username and password, and don't check the box to not retry on fail This should be 1198 User Authentication Settings NOTE! This screenshot was from an older guide, so you may see that I have 1194 listed. I have highlighted everything you need to change, but make sure the rest is the same too Now you will want to fill in the server address you found before, I will be using us. I will highlight changes you need to make in yellow, but also verify the rest of the config looks the same, we can't be sure the default configuration won't change in the future General Information I will go section by section, but it's just one long page. Now we will go through the configuration. Now we have the certificate listed, navigate to VPN > OpenVPN, then click Clients and finally click ADD You should now see the certificate listed Now change the method to "Import an existing certificate authority" and paste the copied text into the box. Now log into your pfSense WebUI and navigate to System > Cert Manager and click on the "+ ADD" Button Now edit the file downloaded, and copy the certificate portion to your clipboard (I prefer using Notepad++) To import the certificate needed, choose the 1198 port option, and click generate The nextgen servers are newer, so I figured I'd choose that Certificates You can choose between current and nextgen, I chose the nextgen servers. Since the Dallas server is geographically close to me, I will be using that one.
#PRIVATE INTERNET ACCESS INSTALLER HANGS GENERATOR#
You can see all available in the OpenVPN Config generator here: I have found that the Dallas and Florida servers work best for me, but that might not be the best choice for you. I will try to go into as much detail as possible Server Choiceįirst, choose what server you want to connect to. This guide will walk you through setting up the connection to PIA, creating an interface for PIA so you can route traffic selectively over the PIA VPN, Installing and configuring the service watchdog, and going over some firewall rules. This setup has worked perfectly for me and does not interfere with any other gateways. Here is how I have Private Internet Access (PIA) setup on both of my pfSense firewalls. If you have followed my old guide and now have a non-working setup, just follow the guide to get the new cert which you can add in to your config, and change the port number to 1198 along with the new server if you chose one, then restart the OpenVPN Client service