build your own passthrough device capable of PIA openVPN AES 256 SHA 256 RSA-4096

Page 15 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
I don't think that PIA is ready for pfSense. When it is, I will install pfSense and hopefully have a box that can supply the encryption that I need and the speed will be good.

It is ready. There are two options.

A) The settings you are trying to use are incompatible for one reason or another.

B) You're doing it wrong.

Not trying to be a dick when I say that. But you're obviously new to this and rather than just follow one of the multiple tutorials posted you're trying to make changes/optimizations before you even get out of the gate. I would recommend you get a base pfSense with PIA setup going. THEN you can try to get your changes working.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
I don't know sdifox's experience with running pfSense in a VM.

In the past few days, I did experience some difficulty with running pfsense in VM.

I switched from pfSense to Sophos about a year ago, but I had no issues running pfSense as a VM (ESXI5.1 and 5.5). Sophos has been running fine since then on ESXI 5.5 and 6.0.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
I switched from pfSense to Sophos about a year ago, but I had no issues running pfSense as a VM (ESXI5.1 and 5.5). Sophos has been running fine since then on ESXI 5.5 and 6.0.

I complained about the TinyDNS installation issue in the pfSense 2.1.5 VM earlier, but later when I tried the same installation in a 2.2.4 VM, it went smoothly. I guess pfSense doesn't care about old versions anymore.

By the way, I run pfsense in VMware workstation, so it could be a bit different than running in ESXi.
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126
Removed because of cluttering up BirdDad's thread with non-relevant stuff.

Sorry BirdDad. :(
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
It is ready. There are two options.

A) The settings you are trying to use are incompatible for one reason or another.

B) You're doing it wrong.

Not trying to be a dick when I say that. But you're obviously new to this and rather than just follow one of the multiple tutorials posted you're trying to make changes/optimizations before you even get out of the gate. I would recommend you get a base pfSense with PIA setup going. THEN you can try to get your changes working.

That is exactly what I have been doing. I have no trouble getting it to work with tutorials, but the moment I change either the encryption from BF128CBC to AES256CBC or SHA-1 to SHA256 I am unable to make it work. The defaults are not good enough; Blowfish 128 is just too weak. I could settle for SHA-1 if I had AES256. At this point that is all I am trying to do.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
@BirdDad

read carefully what p3591604 said in this post

https://www.privateinternetaccess.c...93/pia-openvpn-client-encryption-patch#latest

cipher aes-256-cbc and auth sha256 does work with PIA server

If OpenVPN windows client can use these 2 options, I don't see why it wouldn't work on pfsense.

if 2.1.5 doesn't work, try 2.2.4


at first
I have been using OpenVPN GUI on Windows.

I have taken the above 64bit binaries, and replaced the ones that ship with OpenVPN GUI.

I have copied a config file, and added/changed the following:
cipher aes-256-cbc
auth sha256
ca ca_rsa4096.crt #got this file from the patch archive above
pia-signal-settings
link-mtu 1542
I can connect to the VPN fine (to remote aus.privateinternetaccess.com on port 1194), however I get the following warnings:
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1472)

CRL: CRL crl.pem is from a different issuer than the issuer of certificate /C=US/ST=CA/L=LosAngeles/O=Private_Internet_Access/OU=Private_Internet_Access/CN=Private_Internet_Access/name=Private_Internet_Access/emailAddress=secure@privateinternetaccess.com

WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1472', remote='tun-mtu 1500'

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Does the above log mean that SHA256/AES256 are not being used?
Does it use the server settings instead?
Should I be connecting on a different port number or change my config in some way?

I'm also wondering if there are any changes to my MTU I should make? I'm on ADSL2, and my MTU is 1492. If setting it to something more appropriate in the OpenVPN connection config file will result in less fragmentation I'm happy to take suggestions!

at last
My log has the following:
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
As you can see, the 'cipher aes-256-cbc' and 'auth sha256' client options are being used even though they differ from the server settings.

This makes your statement "but please note that OpenVPN overrides the settings from the configuration with options it receives from the peer/server" seem incorrect - at least with the patched binaries I am using.

Yesterday I switched to using the "ca.crt" file included in the PIA Manager, instead of "ca_rsa4096.crt" in the PIA openvpn patch. Combined with commenting out "crl-verify crl.pem" I no longer have warnings about certificates/issuers.

So everything is fine. At some point I might look at configuring the right MTU, however I won't get to that for a while.

Thanks for the discussion guys - it's always good to learn something new!
 
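The quoted log illustrates the point that matters when checking a VPN client: the "used inconsistently" warnings only compare the option strings each side advertised, while the "Data Channel Encrypt/Decrypt" lines report what the client actually initialized. Below is an added example (not code from the thread, PIA or OpenVPN) that parses log lines of that shape and reports the effective data-channel cipher and HMAC, flags known-weak choices, and lists the advisory warnings as context. The sample log is constructed from the lines quoted above, and the sets of weak ciphers and HMACs are my own assumptions, chosen to match what the thread treats as too weak (Blowfish, SHA-1).

```python
import re

# Constructed sample: mirrors the client log quoted in the post above,
# reduced to the lines that matter for the cipher question.
SAMPLE_LOG = """\
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
"""

# Assumed policy: 64-bit block ciphers and SHA-1/MD5 HMACs count as weak.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
WEAK_HMACS = {"SHA1", "MD5"}

CIPHER_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Using \d+ bit message hash '([^']+)' for HMAC")
WARN_RE = re.compile(
    r"WARNING: '(\w+)' is used inconsistently, local='\w+ ([^']+)', remote='\w+ ([^']+)'")
CONTROL_RE = re.compile(
    r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,]+), (\d+) bit RSA")


def parse_openvpn_log(text):
    """Separate what the client actually negotiated from the advisory warnings."""
    parsed = {"data": {}, "warnings": {}, "control": None}
    for line in text.splitlines():
        if m := CIPHER_RE.search(line):
            direction, cipher, bits = m.groups()
            parsed["data"].setdefault(direction, {}).update(cipher=cipher, key_bits=int(bits))
        elif m := HMAC_RE.search(line):
            direction, hmac = m.groups()
            parsed["data"].setdefault(direction, {})["hmac"] = hmac
        elif m := WARN_RE.search(line):
            option, local, remote = m.groups()
            parsed["warnings"][option] = {"local": local, "remote": remote}
        elif m := CONTROL_RE.search(line):
            tls, suite, rsa_bits = m.groups()
            parsed["control"] = {"tls": tls, "suite": suite, "rsa_bits": int(rsa_bits)}
    return parsed


def assess(parsed):
    """Flag weak effective settings; report the 'inconsistently' warnings as notes only."""
    findings = []
    for direction, d in sorted(parsed["data"].items()):
        if d.get("cipher") in WEAK_CIPHERS:
            findings.append(f"{direction}: weak data-channel cipher {d['cipher']}")
        if d.get("hmac") in WEAK_HMACS:
            findings.append(f"{direction}: weak HMAC {d['hmac']}")
    enc, dec = parsed["data"].get("Encrypt"), parsed["data"].get("Decrypt")
    if enc and dec and enc != dec:
        findings.append("Encrypt and Decrypt directions use different settings")
    ctl = parsed["control"]
    if ctl and ctl["rsa_bits"] < 2048:
        findings.append(f"control channel RSA key only {ctl['rsa_bits']} bits")

    # A warning means the peer advertised something else; the effective value is
    # whatever the Data Channel lines say, so show both side by side.
    notes = []
    for option, w in parsed["warnings"].items():
        effective = None
        if enc and option == "cipher":
            effective = enc.get("cipher")
        elif enc and option == "auth":
            effective = enc.get("hmac")
        if effective:
            notes.append(f"{option}: peer advertised {w['remote']}, client is using {effective}")
    return {"findings": findings, "notes": notes}


if __name__ == "__main__":
    report = assess(parse_openvpn_log(SAMPLE_LOG))
    for line in report["findings"] or ["no weak settings in effect"]:
        print("FINDING:", line)
    for line in report["notes"]:
        print("NOTE:", line)
```

Run against the sample it prints no findings and two notes (cipher and auth), which is the conclusion the quoted post reached by reading the log by hand. Feed it a log where the Data Channel lines themselves say BF-CBC or SHA1 and the findings list is what to act on.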

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I can't get my USB 3.0 to work in Virtualbox where it had before.
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126
What was it? You don't have to apologise; if it helps, then speak. If not, maybe it is something that I might like.

It was about pfsense breaking Windows Media Center at my house (right before it crashed - pfsense crashed that is).

I'm sort of riding your pfsense thread as I learn how to set it up in my house but Windows Media Center is my household live TV provider so I can't afford for it to go down (Wife doesn't approve! :p )
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I can certainly understand that; my wife, when she wasn't in front of the TV, was in front of the computer, so if I wanted to do some tinkering with the network I would have to wait till an odd hour.
I am following https://forum.pfsense.org/index.php?topic=76015.0
to the letter but can't make it work. On the OpenVPN status page it shows that it is always down ("Service is not running? Unable to contact daemon") even though it shows that every service is started.
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I'm trying IPVanish right now, am having trouble keeping the client up with the defaults.
Same story it all looks fine, client has all services running until I click on Status/OpenVPN then it says server is down.
I am using the defaults in all of these until I get them working then I will try and make little changes at a time.
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I can't get it to work.
I apologize to whomever suggested TOR and I said it was for pirates. I thought that you meant TOR browser. I'm sorry, I did not realize that there was a VPN by that name.
I am going to try AirVPN next. If I can just figure out a way to do it with only two NICs.
Thank you to all those who have watched this thread and given me advice.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Why do you keep changing VPNs? If you can't get OpenVPN running properly on pfSense, changing your provider isn't going to help.

I may still have a backup of my pfSense config with OpenVPN running. I'll try to remember to check when I get home.
 

Essence_of_War

Platinum Member
Feb 21, 2013
2,650
4
81
I can't get it to work.
I apologize to whomever suggested TOR and I said it was for pirates. I thought that you meant TOR browser. I'm sorry, I did not realize that there was a VPN by that name.

So to be clear, you're not actually apologizing, despite being objectively wrong. There are perfectly good reasons to use the TOR browser that have nothing to do with wanting to pirate things. :colbert:
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126
OK..trying pfsense again after crashing last time. Reset to defaults and configured again. Will start adding stuff (UPNP, etc) after it proves stable for awhile.....
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
Thank you, Engineer.
Now it is showing my ISP, so something is amiss.
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
Maybe I am missing it.
I am setting it in System/Setup Wizard and putting my DNS there.
Should it be set somewhere else also?
 

BirdDad

Golden Member
Nov 25, 2004
1,131
0
71
I don't understand why it is showing my ISP on every test. I rechecked everything and it seems right.