How to Set Up PIA VPN on a VLAN in pfSense 2.4.4

I set up a dedicated VPN VLAN on my home network this weekend with the latest version of pfSense (ver. 2.4.4 as of July 2019) for IoT and Firestick-type devices. I ran into some hiccups with older guides because a few of the settings and menu options have changed, so I’m putting together my notes here for my own reference and for anyone else struggling with more recent pfSense releases and VPN/VLAN configuration.

The following assumes you have pfSense up and running with an operational WAN connection and you have a valid VPN account with PrivateInternetAccess.com (referred to as PIA throughout).

Set Up Your VLAN

Go to Interfaces > Assignments.

Click the VLANs tab, then click +Add.

Choose a VLAN tag number and add a description.

In my case, I structure my VLAN tags in multiples of 10 and assign them subnets in multiples of 10. For example, VLAN 20 is on the subnet 10.0.20.0/24.

Next up is getting the VLAN assigned to an interface. In my case, I have a single WAN port and five available OPT ports to assign on my modded WatchDog XTM appliance and I send all my VLANs down em1.

Back at Interfaces > Assignments:

In the “Available network ports” drop-down at the bottom of the list, select the VLAN 20 entry we configured for the VPN and add it as an interface.

Now that the interface is created, click on it from the list.

Check Enable interface

IPv4 Configuration Type should be set to Static IPv4

Now, in the Static IPv4 Configuration, set the IPv4 Address for the interface to 10.0.20.1 or whatever subnet you want to use.

Now, go to Services > DHCP Server and select VLAN 20 (or your named VPN VLAN). Enable DHCP and set the range you want it to hand out to devices on the VLAN.

There’s no connection yet from VLAN 20 to the Internet because we haven’t set a Firewall rule yet. Instead of setting up a WAN rule though, we’ll set the rule up to pass all traffic through the VPN.

Setting Up the VPN

The first thing we need to do is get the Certificate Authority from PIA for the AES-128-GCM encryption cipher we’ll be using.

We’re going to use the corresponding ca.rsa.2048.crt certificate. If that download link doesn’t work, you can always find the latest setup files on PIA’s Client Support page under Advanced Router Setup as well as this Knowledgebase page. We’re using the default UDP connection over port 1198 with AES-128-CBC+SHA1.

Now that we’ve got the certificate, open it with a basic text editor and copy the entire contents of the file using Ctrl+A then Ctrl+C (Cmd+A then Cmd+C on Mac).

Back in pfSense, go to System > Cert. Manager and under CAs, click Add. Make sure the Method field is Import an existing Certificate Authority (it should be the default).

Add a description (like PIA-Cert or PIA-2048) and then paste the contents of the ca.rsa.2048.crt file into Certificate Data field. Then click Save at the bottom.

Next, go to VPNs > OpenVPN and then select the Clients tab since we are setting up our connection as a client of PIA’s VPN server. Click Add.

Here are the settings to enter on the client configuration page:

Server mode: Peer to Peer (SSL/TLS)

Protocol: UDP on IPv4 only

Device mode: tun – Layer 3 Tunnel Mode

Interface: WAN

Server host or address: us-atlanta.privateinternetaccess.com

  • Choose your own optimal server! Go to PIA’s network page to find the right server host for your connection. On this page, you can run ping and speed tests to find your optimal server.

Server port: 1198

Description: PIA VPN (or whatever name you want to give it)

Next, in the User Authentication Settings section, you need to put your username and password that you got via email from PIA when you signed up. You should have this in an email as it is inaccessible from your account page. If you forgot your password, you’ll need to reset it so you can complete this section.

Moving on to the Cryptographic Settings section, select the certificate you created earlier (e.g., PIA-2048) in the Peer Certificate Authority dropdown.

Encryption Algorithm: AES-128-GCM
NCP Algorithms: AES-256-GCM; AES-128-GCM
Auth digest algorithm: SHA1

In Tunnel Settings, we want Topology set to Subnet — One IP address per client in a common subnet. Additionally, we want Compression set to Adaptive LZO Compression.

In the Advanced Configuration section, add the following lines to the Custom options field:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact

Continuing down the Advanced Configuration fields, set the following:

Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: Default

Now, we have added our VPN client, so click Save.
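The same client settings expressed as a standalone OpenVPN configuration file. This is an added example for reference, not the config pfSense generates and not PIA’s official file; the file names ca.rsa.2048.crt (the CA downloaded above) and pia-auth.txt (username on line 1, password on line 2) are assumptions. It is handy for proving the credentials and cipher settings from a test host before blaming the firewall rules.

```conf
# Added example: OpenVPN client config matching the pfSense client settings above.
# Not generated by pfSense and not PIA's own file; file names are assumptions.
client
dev tun                                  # Device mode: tun - Layer 3 Tunnel Mode
proto udp4                               # Protocol: UDP on IPv4 only
remote us-atlanta.privateinternetaccess.com 1198   # Server host and Server port
resolv-retry infinite
nobind
topology subnet                          # Tunnel Settings: Topology = Subnet
ca ca.rsa.2048.crt                       # Peer Certificate Authority imported into Cert. Manager
auth-user-pass pia-auth.txt              # User Authentication Settings (assumed credentials file)
cipher AES-128-GCM                       # Encryption Algorithm
ncp-ciphers AES-256-GCM:AES-128-GCM      # NCP Algorithms
auth SHA1                                # Auth digest algorithm
comp-lzo adaptive                        # Compression: Adaptive LZO Compression
# Custom options from the Advanced Configuration field, verbatim:
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
# Verbosity level "Default" and Send/Receive Buffer "Default" add no directives here.
```

Run it on a test host with `openvpn --config pia.conf`; if the tunnel comes up there, any remaining problem lies in the pfSense NAT or firewall rules rather than in the client settings.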

Add a VPN Interface to pfSense

Now, let’s add an interface for our newly-created VPN client.

Go to Interfaces > Assignments.

Select the VPN from the Available network ports: dropdown menu and click Add.

Check Enable Interface and give it a descriptive name. Click Save.

Outbound NAT Rules

Navigate to Firewall > NAT > Outbound and set the Outbound NAT Mode to Hybrid. This gives us the flexibility of using defined manual rules for a specific VLAN, while letting automatic NAT rules generate for the rest of our network’s traffic.

Hybrid Outbound NAT: Utilizes manual rules while also using automatic rules for traffic not matched by manually entered rules. This mode is the most flexible and easy to use for administrators who need a little extra control but do not want to manage the entire list manually.

Netgate documentation

Under the Mappings section, click the Add button with the up arrow so the new rule is placed at the top of the list of Outbound NAT rules.

Under Interface, select the VPN interface we created above (e.g., PIA_VPN) from the dropdown menu and then add the Source Network (e.g., 10.0.20.0/24). Now, click Save.

PIA VPN DNS Settings

We also want PIA handling all our DNS for VPN traffic, so go to System > General Setup. Under DNS Server Settings, set DNS Servers to:

209.222.18.222
209.222.18.218

Be sure to select the configured PIA VPN from the Gateway dropdown options.

VLAN Firewall Rule Setup

Now, it’s time to set up the firewall rule that will route all of our VLAN traffic over the PIA VPN interface.

Navigate to Firewall > Rules and select the tab for your VLAN that you want to put on the VPN. Click the Add button.

Action: Pass
Interface: VL20_VPN (or whatever your VLAN interface is)
Source: VL20_VPN net (or whatever your VLAN network is – note, you can limit this to a specific address, but we’re doing the entire VLAN, which is why our source says ‘net’ instead of ‘address’)

Now, scroll down to Advanced Options and select the PIA VPN we set up from the Gateway dropdown menu and click Save.

This should have your VPN up and running as your sole gateway for your VLAN.

5 Comments

  1. Hi,
    Thanks a lot for the detailed guide. I’ve tried to do the same for the VPN Unlimited VPN on one VLAN. The problem is that with the VPN connected, the VLAN has a fine connection to the internet, but all other subnets’ internet has gone. I’m not sure what I’ve done wrong. Any suggestion?

  2. In the last section “VLAN Firewall Rule Setup”, you forgot to detail you’d changed Protocol from TCP to Any, that could be tripping people over at the last hurdle despite it being shown in the screenshot.

    Caused me some hassle as DNS and ICMP weren’t working.

  3. For anyone having issues with a multi-VLAN setup, you most likely need to do this:
    1. In your pfSense’s OpenVPN client settings, check the box “Don’t add or remove routes automatically”. This will ensure that all traffic goes through your default gateway (WAN or the like).
    2. In your firewall rules for your VPN client interface (OPT1 for example), add a rule (or adjust your primary “pass” rule) and in the “Advanced Options” section, change “Gateway” to your OpenVPN client gateway. This will ensure that the specific interface, a VLAN for instance, uses the OpenVPN client gateway instead of your default gateway (e.g. WAN).

    With this setup, after following all of the above steps (including changing the NAT mode to hybrid), specific traffic (for instance, a designated VLAN) will route through your OpenVPN gateway and all other traffic (another VLAN, for example) will route through your WAN gateway. If your OpenVPN gateway goes down, the lack of a firewall rule will result in the traffic being blocked/passed, depending on your pfSense configuration (by default, it’s blocked).

  4. Do yourself a favor and on the gateway (System -> Routing -> Gateways -> PIA_VPN or whatever), check the “Gateway Monitoring” box to *Disable Gateway Monitoring*. OpenVPN can have hiccups and if pfSense ever detects the gateway is down, it may just disable routing for it. I spent hours trying to debug my setup until this simple checkbox made everything work.
