[solved] OpenVPN Server and PIA Client on single PFSense router

I’m trying to create a PFSense router that secures my connection through Private Internet Access while also allowing me to access devices at home with an OpenVPN server.

I have gotten each goal working independently but have not been able to combine them. I think the issue lies within my NAT configuration. I’ve just reset the router, to start again from scratch, but was wondering if anyone knew how to do this.

My configuration is pretty much the defaults for the OpenVPN Wizard and then following the guide here:

I created an interface for the PIA VPN and duplicated the first four default NATs with this interface. There are two more that are for the VPN server. I then set that same interface to the one which the OVPN server listens on.

I then connect through my public IP given by PIA.

I’m going to follow this procedure on the fresh install. Please let me know if you see any issues or need more information.

I’m somewhat new to PFSense so explanations along with help are very much appreciated.

Are you trying to connect to your VPN server via PIA? Because that’s probably not possible. PIA would need to have port forwarding set up on their end. If they do and it’s a fixed port that doesn’t change every time, then you can open the port on the PIA interface and set the openvpn server to listen on the PIA interface. However, the last time I tried I could not get openvpn on pfsense to use anything other than the default gateway no matter what you set its listen interface to. So hopefully that’s been fixed.

Anyway, you’re better off connecting to your openvpn server on the wan interface.

That is what I was trying, I’m not sure it is the best way to go about it though. I’ve seen a couple examples of this setup on other places but was not able to get any instructions.

From a bit of research I’ve done, it does seem that I could port forward PIA. But then, as you mentioned, I would have to deal with dynamic ports and IPs.

If it is, in fact, impossible, is there a way I could achieve the same effect while connecting on the WAN interface?

My end goal is to have the server route all traffic through PIA but also give access to the local network through a separate VPN.

Yes just connect to your VPN server on the wan and make firewall rules on the VPN interface so that local traffic uses the default gateway and non local traffic uses the PIA gateway.


So as I’m understanding it, you want to:

route some/all of your internal traffic through PIA
tunnel into home network
tunnel into home network to be seamlessly routed through PIA

PFsense has an advanced option in NAT; you can take traffic from x port and route it to your PIA VPN

configure that while making your client config to PIA that same “home.address” : “port of firewall”

so you would have something like client config for VPN to home on 1100 and VPN to VPN on 1101 that transfers all data to the PIA “interface” per the rules

While I’m on this though, getting a DDNS would stop use of an IP. PFsense can update DDNSs.

If that VPN link to VPN is what you’re wanting to do, it will add 20-60ms to your connection.

It’s a little longer than just connecting to PIA from your client device when not home.

It does seem like this would work, could you elaborate a bit on the rules?

I’m just not well versed in firewalls and NATs beyond basic port forwarding.

But thank you for your help.

As I understand, you are suggesting the same setup as Dexter_Kane? The personal VPN would connect via my ISP assigned public IP (Wan) then PFSense would route all of that traffic (which is coming on 1194) onto the PIA interface.

I will try that configuration tomorrow and report back.

Thank you kendoka

Get your VPNs set up, you don’t need to Port forward anything, just make the allow rule on the wan interface for the VPN server, which I think the wizard does by default.

For outbound nat do what the PIA guide says but make sure you make the rules for the VPN network as well as lan (and any other local networks you have).

Once you have that working go to the firewall rules for the VPN (server) interface and make these rules in this order (as in the top rule at the top and the bottom rule at the bottom):

  1. Allow protocol:any source:any destination:lan network port:any gateway:default (this is under advanced options)

  2. Allow protocol:any source:any destination:any port:any gateway:pia

That will mean that you can access the local network (lan, if you have others then make similar rules for those) from the VPN and Internet traffic will use the PIA vpn. When making rules with gateway options remember that for routing between local networks (including vpn networks) you need to use the default gateway.
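The rule order and outbound NAT advice in the post above, modelled as an added example (not part of the original thread and not pfSense code). The subnets `192.168.1.0/24` and `10.0.8.0/24`, the client address and the names `pick_gateway` and `egress` are assumptions; the thread does not give the real addressing.

```python
import ipaddress

# Constructed addressing (assumption: the thread does not give the subnets).
LAN = ipaddress.ip_network("192.168.1.0/24")
OVPN = ipaddress.ip_network("10.0.8.0/24")   # tunnel network of the home VPN server
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules on the VPN server interface, top to bottom: (destination, gateway).
RULES_AS_POSTED = [(LAN, "default"), (ANY, "PIA")]
RULES_REVERSED = [(ANY, "PIA"), (LAN, "default")]

# Outbound NAT entries: (egress interface, source network).
NAT_COMPLETE = {("WAN", LAN), ("WAN", OVPN), ("PIA", LAN), ("PIA", OVPN)}
NAT_LAN_ONLY = {("WAN", LAN), ("PIA", LAN)}


def pick_gateway(rules, dst):
    """First matching rule wins; no match means the packet is blocked."""
    dst_ip = ipaddress.ip_address(dst)
    for network, gateway in rules:
        if dst_ip in network:
            return gateway
    return None


def egress(rules, nat, src, dst):
    """Describe what happens to a packet arriving from a remote VPN client."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    gateway = pick_gateway(rules, dst)
    if gateway is None:
        return "blocked"
    if gateway == "default":
        if dst_ip in LAN or dst_ip in OVPN:
            return "routed locally"      # directly connected, no NAT involved
        gateway = "WAN"                  # the default route leaves via the ISP
    if any(iface == gateway and src_ip in net for iface, net in nat):
        return f"NATed out {gateway}"
    return f"sent to {gateway} without NAT"


if __name__ == "__main__":
    client = "10.0.8.2"                  # constructed remote client address
    for dst in ("192.168.1.10", "203.0.113.5"):
        print(dst, "->", egress(RULES_AS_POSTED, NAT_COMPLETE, client, dst))
```

With the rules reversed, LAN-bound traffic matches the PIA rule first and is pushed into the tunnel; with NAT entries for LAN only, a remote client's internet traffic leaves the PIA interface with its private tunnel address.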

No success. Both services work as expected independently; however, the VPN server will not connect whenever the PIA client is also running.

I have set up the NAT and Firewall as you described however there are a few points that I suspect might be the issue.

First, the OpenVPN wizard created a firewall rule on OpenVPN with any source and any destination; it is the last in the list in the image below. Should this be there? I have disabled it and moved it around in the list to no avail.

Also, should I set the additional NAT rules to OpenVPN (not a proper interface) or PIAVPN (the PIA interface)?

I’ve played around with both of these settings to no avail, so it could be something else entirely. I am still connecting through the public WAN ISP IP. This happens to be over a Google DynDNS, although I don’t think this is the issue. Google is updated correctly and a ping returns the correct IP.

I should also note that the VPN Server did seem to pick up my device (the Android client I’m using to test) and showed its IP. However, it would not show details since a connection was not made. My client sends out packets but receives none back.

I’ll post some images below to help any diagnostics. Let me know if you need anything else. And again, I appreciate your help!

In outbound nat you want to configure the interface and nat address as the gateways, so wan and PIA and the source as your source networks, so lan and openvpn.

You can get rid of the default firewall rule on the VPN interface that the wizard creates, the other two are correct.

Are you saying that the openvpn server doesn’t work when you have the PIA client connected? If that’s the case it could be the problem I was having with openvpn always using the default gateway. Go to your PIA client settings and check the box for “don’t pull routes”. This stops the VPN client from becoming the default gateway, but this means that you need to specify the gateway for any traffic you want to use the VPN. So on the lan interface if you only have the default allow any rule you need to set the gateway to PIA.

Wouldn’t it be better (meaning easier) to set up two OpenVPN servers than to try and accomplish the original poster’s goal the way suggested by @Dexter_Kane? Maybe I am missing something, but it seems to me it would be easier to set up an OpenVPN server on your network, for when you want to access your network when you are away from home, and use your PIA OpenVPN to route any internet traffic he wants when he is at home.

He wants to connect to his home network via VPN but still have the internet traffic use openvpn rather than his home WAN. Once the two VPNs are working the rest is trivial.

Success! Changing the PIA client to not pull routes and modifying the LAN firewall fixed the connectivity issues.

I will post a detailed configuration later today in case anyone is troubleshooting a similar setup in the future.

Thank you for all the help Dexter_Kane.

For people in the future, here are some images that may be of use. Please ask if you have any questions.

LAN is and OpenVPN is

This has been really helpful, thank you. I’m trying to do the same thing. I think I’ve just about got everything working. My network correctly sends traffic the way I want via PIA VPN, and I can connect from outside my home network via OpenVPN.

The issues I have are that when I am connected from outside my home network via OpenVPN, my IP address isn’t showing the assigned IP from PIA. Meaning it seems my traffic is still not going out PIA VPN.

The other issue I have is when I changed my PIA VPN client setup in pFsense to “don’t pull routes” it now leaks my true IP on a DNS leak test. I had this problem when I originally set up my PIA VPN (before trying to add remote access via OpenVPN), and the only way I solved it was to uncheck the “don’t pull routes” option.

Any thoughts on what I should check? I can post screen caps of my NAT and Outbound rules, etc. if it will help in your advice (looking at you Dexter_Kane).

Depending on how you have your rules set up, on your VPN interface (the one for the server not PIA) you need an allow to lan network (assuming you want to access your LAN remotely) using the default gateway and then below that you want an allow to any rule that uses the PIA gateway.

Essentially you need a rule for Internet traffic that uses PIA but for local network you need to use the default gateway.

This can be a bit tricky. What should work is if you go to the dns resolver (if you’re using the forwarder then it’s the same steps but the resolver is better) and set the outbound interface to PIA. This will mean all dns traffic goes out over the PIA interface, however this creates the problem that when the VPN is down you lose dns, which means you can’t resolve the VPN server so you can’t connect to the VPN. To get around that go down to the bottom of the dns settings page and set a domain override for your VPN server domain name (whatever you have configured in the openvpn client for PIA) and set it to use or any other public dns server.

That should work although I’ve been using separate dns servers for a while now and can’t really remember how I had it configured before that, but I’m sure we can figure it out.

Thanks for the help! I was actually coming back here to say that I figured out the DNS leak issue, which was exactly as you described. Disabling the “pull routes” in the PIA Client setup means that I needed to set the DNS resolver to explicitly use the PIAVPN gateway. It was set to “any” prior and I think that was causing the issue for the leaks. Good point on the problem with no DNS when the VPN is down, I’ll look into your suggestion and give that a try.

I still have the main problem which is that traffic isn’t going out the PIA VPN when I’m remoting into the network. I think I have the rules for the VPN server interface set correctly as you have described.

I do have some extra rules on my LAN interface and perhaps something there is causing the problem. On my LAN rules I have the following:

  1. I have some VPN-blocked websites that I specifically make sure when going to those that it uses the WAN.

  2. I have a few hosts that I want to make sure use the WAN.

  3. I have a few hosts I want to make sure use the PIA VPN and if it’s down to not work at all (killswitch).

  4. Any other scenario I want to send to the VPN and if it is down then…

  5. finally send all other traffic out the WAN.

Lan rules won’t affect stuff on the VPN interface, the VPN rules look good. What do your outbound nat rules look like?

Actually, might be worth having an allow any to vpn address rule at the top of the VPN rules using the default gateway so that your VPN client can talk to the router for dns and stuff.