Ultimate pfSense OpenVPN Guide


Pri

Active Member
Jul 30, 2014
124
52
28
Hello everyone. A few years ago I wrote on here that I built a pfSense router, and since then I've been learning more about it and trying to come up with more advanced usage scenarios for it. Combined with that, due to all the anti-privacy legislation being passed around the world, including in my own country, I decided to subscribe to a VPN service.

So I thought I would combine the two: instead of running OpenVPN on each individual device I own, I decided to set it up on pfSense. But anyone who has done this may run into some issues, two main ones specifically.

1. Not all websites allow VPN use (Netflix, BBC iPlayer, private BitTorrent communities, etc.)
2. You may not be able to saturate your internet line with your VPN due to throttling and internet peering issues.

So I set out to make a guide which solves both of these issues and shows you how to get OpenVPN set up properly while maintaining both your privacy and convenience. With the guide I've made you will be able to do the following things:

1. Max out your internet speed over OpenVPN by distributing your load across multiple OpenVPN gateways simultaneously and transparently (without any special software or equipment, just pfSense!)
2. Completely protect yourself against IP leaks caused by either VPNs going down suddenly or DNS requests.
3. Set up domain-based bypasses to the VPN so you can access BBC iPlayer, Netflix and any other domain without turning your VPN off.
4. Specify only the computers on your network that should be using the VPN so Cable/Satellite boxes that need to interface with your ISP's network directly are not funnelled through your VPN.

Now the guide is pretty big, but I have done my best to break it down into consumable chunks with lots of images and descriptions that explain things as simply as possible.

Here is the link to the guide: Ultimate pfSense OpenVPN Guide - Tech Help Guides

If you have any questions, please feel free to post them in this thread and I will do my best to answer. The only things you need before you start this guide are an OpenVPN server, either hosted by yourself or from a company you subscribe to, and a pfSense router; no other equipment or software is needed.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
2,516
650
113
Very interested in this. I'll read through this at some point today/tonight. Thanks for posting!
 

IamSpartacus

@Pri When configuring multiple OpenVPN clients to PIA I lose internet connectivity outbound from hosts on my LAN once I enable the second client. I assume I'm missing something. Any specific changes needed when configuring a second client to PIA?
 

Pri

Make sure the second client is using a different server to the first one. If you've done that and you also disabled the automatic routing it should work as intended. Let me know more if this isn't the issue you're having.
 

IamSpartacus

Yup, using a different server but same port (1198). Both clients show connected in OpenVPN status but outbound internet is lost.
 

Pri

Okay, using the same port is fine. Did you make a NAT entry for both OpenVPN gateways that you created? Also, did you put them in a load balancing gateway group yet?
 

IamSpartacus

All is good now that I've enabled the second interface and set up the NAT and VPN Group. I just found it weird that it would kill my internet when the second interface wasn't even assigned.
 

Pri

Yes, that is strange. I have not had that occur on my own setup, but I do have the auto-rules for VPNs disabled; perhaps you have or had that turned on? Or it's just a quirk or oddity.

I'm glad you got it working :)
 

IamSpartacus

Is there any reason why going from 3 client PIA VPN connection to 5 would cause my LAN outbound NAT to stop working? I mirrored everything on these two new client connections to match the previous 3. Same OpenVPN settings, same outbound NAT, same Gateway/Gateway Group. However the moment I enable the 4th and/or 5th client connection, my LAN's outbound NAT stops working and I can't get to the internet. Here's what my Outbound NAT looks like:

 

Pri

Everything in that screenshot looks correct; the issue may be somewhere else. I have personally set up 4 VPNs in a load balance group without issue, so pfSense can do it fine. I'd expect it to work with 20+.

One possibility is that perhaps some of the PIA VPNs use the same internal IP addressing and that is causing a conflict of some kind?
 

IamSpartacus

Don't know how I'd determine this. Also, the issue impacts my clients NOT using the Gateway Group which really has me stumped.
 

Pri

Simply go to this page once all your VPNs are connected: http://Your_PFSense_Router/status_openvpn.php

And you will see the Virtual Address of each OpenVPN connection. It will look similar to this:



But I think probably there is something you're overlooking that is causing your problem. I would recommend following the guide from the start this time. Also make sure PIA allows more than 3 connections at once :)
 

IamSpartacus

Oh, yea, I've been there already and confirmed all 5 virtual addresses are different subnets. I'll go through the guide again and see if I'm missing anything.
 

IamSpartacus

Found it. I didn't have "Don’t add or remove routes automatically" checked off on the two new client connections.
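
Added example (not part of any post in this thread, and not taken from the linked guide): a small Python audit for the three causes raised above, namely two clients on the same server, overlapping tunnel subnets, and a client missing the "Don't add or remove routes automatically" setting. It assumes that checkbox shows up in the generated client config as OpenVPN's `route-noexec` directive; the client names, hostnames, addresses and /24 prefixes are constructed sample data.

```python
import ipaddress
import itertools

# Constructed sample data, not taken from the thread. "virtual" is the tunnel
# address from the OpenVPN status page; the /24 prefix length is an assumption.
CLIENTS = [
    {"name": "vpn1", "remote": "a.vpn.example 1198",
     "virtual": "10.4.10.6/24", "config": "client\ndev tun\nroute-noexec\n"},
    {"name": "vpn2", "remote": "b.vpn.example 1198",
     "virtual": "10.19.10.6/24", "config": "client\ndev tun\nroute-noexec\n"},
    {"name": "vpn3", "remote": "b.vpn.example 1198",
     "virtual": "10.4.10.9/24", "config": "client\ndev tun\n; route-noexec\n"},
]

# Either directive stops server-pushed routes from being installed.
ROUTE_GUARDS = {"route-noexec", "route-nopull"}


def directives(config_text):
    """Return the directive names in an OpenVPN config, skipping comments."""
    names = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            names.add(line.split()[0])
    return names


def audit(clients):
    """Return (client, problem) pairs for the three causes raised in the thread."""
    findings = []
    for c in clients:
        if not directives(c["config"]) & ROUTE_GUARDS:
            findings.append((c["name"], "installs pushed routes"))
    for a, b in itertools.combinations(clients, 2):
        pair = f'{a["name"]}+{b["name"]}'
        if a["remote"].split()[0] == b["remote"].split()[0]:
            findings.append((pair, "same server"))
        net_a = ipaddress.ip_interface(a["virtual"]).network
        net_b = ipaddress.ip_interface(b["virtual"]).network
        if net_a.overlaps(net_b):
            findings.append((pair, "overlapping tunnel subnets"))
    return findings


if __name__ == "__main__":
    for who, problem in audit(CLIENTS):
        print(f"{who}: {problem}")
```

A client that installs pushed routes is the case that matters for leak protection: a pushed default route applies to the whole router, which is why hosts outside the gateway group were affected too.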
 

Pri

> Unfortunately I still barely get a 1/3 of my total bandwidth (gigabit) over the VPN even with using 5 simultaneous connections :(.

What kind of benchmarks are you performing and how is the utilisation on each VPN? You can view this from the main dashboard.

I've personally found that PIA is a very slow VPN provider, quite budget orientated ($3.33 a month when paid for annually). I recommend instead Mullvad which is $5 and IVPN which is $5 right now but $8 usually (both prices are when paying for a year up-front).

I find speedtest.net to be a good multithreaded test; it will utilise 3 or more VPNs at once for its tests. But of course you're at the mercy of the speedtest.net partner server; gigabit is always going to be hard to test.
 

IamSpartacus

It spreads them fairly evenly. Right now a test download is going at about 220-250Mbps and it's spread pretty evenly over the 5 connections (65/60/50/30/25).

What's the privacy policy like on those other VPNs? Do they keep any activity logs?
 

Pri

That's a good question. Neither of them logs, and they are not hosted in any Five Eyes countries (USA, Australia, UK, New Zealand or Canada). They offer very good speeds. For example, I easily maximise my 200Mb connection on IVPN with just a single VPN, but I use three for extra redundancy, privacy, etc.

As far as I'm aware they're both quite excellent VPN providers, but you should do your own due diligence. One of the main benefits of Mullvad is they allow you to open multiple port numbers on each server, so it's easier to run more services through them at home. IVPN only allows a single port number on each server, so you'd need to be connected to them more than once to have multiple port numbers accessible.

Apart from the pricing, Mullvad also offers more servers than IVPN does but they both have quite a bunch. Mullvad offers a free 1 hour trial if you wanted to give that a go :)