
pfSense OpenVPN Setup

Start by downloading our CA certificate file from
https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt. We'll be using this later. You can also
find the hostnames of our gateways on our Network page here:
https://www.privateinternetaccess.com/pages/network/.

Certificate Installation
1. Ensure that the above certificate file is saved to your machine, somewhere that you can open it.
2. Log into your pfSense gateway.
3. Navigate to System -> Cert Manager -> CAs.
4. If there are any certificates on this page that you no longer need, remove them with the trashcan icon to
the right. Leave in place any CA that other services on this gateway still use (for example another VPN or the
web interface certificate).

5. Click on Add in the lower-right to add a new certificate.


6. Use the following details:

Descriptive name: PIA, or something else that you will remember.

Method: Import an existing Certificate Authority

Certificate Data: Open the above certificate (ca.rsa.2048.crt) in Notepad/TextEdit, then copy and paste
the whole text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into this
textbox.

Certificate Private Key and Serial: Leave these blank.

7. Click Save to save the certificate.

OpenVPN Setup
1. Navigate to VPN -> OpenVPN -> Clients.

2. If there are any existing OpenVPN clients on this page that you no longer need, remove them with the
trashcan icon to the right.
3. Click on Add in the lower-right to add a new VPN connection.
4. Use the following details:

Protocol: UDP

Server port: 1198

Server hostname resolution: Ensure that "Infinitely resolve server" is checked.

User Authentication Settings: Fill the Username and Password fields with your PIA username and
password.

TLS Authentication: Ensure "Enable authentication of TLS packets" is disabled.

Peer Certificate Authority: Select the PIA CA we setup.


Client Certificate: None (Username and/or Password required)

Encryption Algorithm: AES-128-CBC (128-bit).

Auth digest algorithm: SHA1 (160-bit).

Compression: Enabled with Adaptive Compression.

Disable IPv6: Ensure "Don't forward IPv6 traffic" is checked.

Custom options: Copy and paste the following into the custom options textbox:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0

persist-key and persist-tun keep the keys and the tun device across restarts of the tunnel. remote-cert-tls
server makes the client accept only a peer certificate that carries the server key usage, so a client
certificate issued by the same CA cannot be used to impersonate the gateway. reneg-sec 0 turns off the
client's time-based TLS renegotiation (the server can still trigger one).

5. Click Save to save the VPN connection.
6. Navigate to Status -> OpenVPN.
7. If Status doesn't show as "up", click the circular arrow icon under Actions to restart the service. If it still
does not come up, navigate to Diagnostics -> Reboot to restart the device.
8. Ensure that Status shows as "up" before continuing.

Mappings Setup
1. Navigate to Firewall -> NAT -> Outbound.
2. Set the Mode (shown under "General Logging Options" on older pfSense releases, "Outbound NAT Mode" on
newer ones) to "Manual Outbound NAT rule generation (AON)", and click Save.
3. Under the Mappings section, click the duplicate (dual-page) icon on the right for the first rule shown in
the list.
4. Set Interface to "OpenVPN" and click Save at the bottom.
5. Repeat the last two steps for all remaining rules shown under Mappings, until every rule has a duplicate
for OpenVPN. These duplicates translate LAN source addresses to the tunnel address for traffic leaving
through the VPN; without them, packets leave the tunnel with private LAN source addresses and replies never
come back.
6. Click Apply at the top of the page to apply all changes.

Finished!
At this point, your VPN service should be fully operational! Confirm it from a machine on the LAN by checking
its public IP address: it should now be that of the PIA gateway rather than the one your ISP assigned. If you
find that it's not working at this point, navigate to Diagnostics -> Reboot and restart your router.
