
pfSense and VPN Tunnels

I have used Private Internet Access (PIA) Virtual Private Network (VPN) tunnels for a number of years now and was keen to find out what else I could do with them.

I set up a couple of VPN tunnels using OpenVPN on my pfSense firewall, one to PIA's London gateway and one to their Southampton gateway.

The setup was performed partly by following Tom Lawrence's YouTube video, partly by reading the PIA documentation, and partly by guesswork and investigation.

The reason I could not follow any of the guides directly is because they are based on pfSense 2.4.5 and I am running 2.5, which seems to be significantly different in many ways, to the point that people who had working OpenVPN tunnels under 2.4.5 had broken OpenVPN tunnels after upgrading to 2.5!

After finally persuading the OpenVPN tunnels to start and adding the firewall rules, I discovered my first issue: despite having a rule that supposedly only places one device behind the firewall (my desktop), all devices are making use of the OpenVPN tunnel and appear to have the same IP as far as the tunnel is concerned.

Previously I was using the PIA app on my iMac or iPad to provide a VPN tunnel and so the tunnel was private to that device.

Now, because I have set up the VPN tunnel on the pfSense device, which is a gateway device, I seem to have a 'whole house' VPN: it does not appear to differentiate between devices.
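As an added example (not part of the original post), the script below shows one way to check a pfSense configuration for exactly this behaviour. pfSense evaluates firewall rules top-down and applies the first match, so a policy-routing rule whose source covers the whole LAN, placed above a host-specific rule, sends every device into the tunnel and the host-specific rule never fires. The script parses the `<filter>` section of a config.xml backup, lists every rule that sets a gateway, and flags the ones that match the whole interface. The XML is constructed for the example; the gateway names PIA_LONDON and PIA_SOUTHAMPTON and the LAN address are assumptions.

```python
"""Audit pfSense policy-routing rules in a config.xml backup.

Added example, not code from the original post or from pfSense. It reads the
<filter> section of a config backup and reports which rules carry a gateway
(policy routing) and which source each one matches. SAMPLE_CONFIG below is a
constructed fragment; the gateway names and the 192.168.1.10 address are
assumptions made for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a LAN rule set where a catch-all gateway rule sits above
# the host-specific one, which is the ordering that routes every device.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><any/></source>
      <destination><any/></destination>
      <gateway>PIA_LONDON</gateway>
      <descr>Everything via London tunnel</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><address>192.168.1.10</address></source>
      <destination><any/></destination>
      <gateway>PIA_SOUTHAMPTON</gateway>
      <descr>Desktop only via Southampton tunnel</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any</descr>
    </rule>
  </filter>
</pfsense>
"""


def describe_endpoint(node):
    """Render a <source> or <destination> element the way the pfSense GUI shows it."""
    if node is None or node.find("any") is not None:
        return "any"
    addr = node.findtext("address")
    if addr:
        return addr
    net = node.findtext("network")
    if net:
        return f"{net} net"
    return "unknown"


def policy_routed_rules(config_xml, interface="lan"):
    """Return (position, source, gateway, descr) for each gateway-bearing rule on
    `interface`, in evaluation order (pfSense matches top-down, first hit wins)."""
    root = ET.fromstring(config_xml)
    rules = [r for r in root.iterfind("./filter/rule")
             if r.findtext("interface") == interface]
    result = []
    for pos, rule in enumerate(rules, start=1):
        gateway = rule.findtext("gateway")
        if gateway:
            result.append((pos, describe_endpoint(rule.find("source")),
                           gateway, rule.findtext("descr", "")))
    return result


def find_broad_policy_rules(config_xml, interface="lan"):
    """Flag gateway rules whose source is the whole interface ('any' or '<iface> net').

    Such a rule sends every host on that interface into the tunnel, and because
    the first matching rule wins, any host-specific rule below it is never reached."""
    return [entry for entry in policy_routed_rules(config_xml, interface)
            if entry[1] in ("any", f"{interface} net")]


if __name__ == "__main__":
    for pos, src, gw, descr in policy_routed_rules(SAMPLE_CONFIG):
        print(f"rule {pos}: source={src} gateway={gw} ({descr})")
    for pos, src, gw, descr in find_broad_policy_rules(SAMPLE_CONFIG):
        print(f"WARNING: rule {pos} routes the whole LAN via {gw}; "
              f"host-specific rules below it will never match")
```

To run it against a real firewall, export a backup from Diagnostics > Backup & Restore and pass the file contents in place of SAMPLE_CONFIG; the check only reads the filter rules and does not modify anything.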

An additional drawback I discovered was the bandwidth penalty from using the OpenVPN tunnel on the firewall.

I am used to losing a small amount of bandwidth to the VPN, but these figures were just unacceptable.

| Test case | Down (Mb/s) | Up (Mb/s) |
|---|---|---|
| iMac, no VPN | 386 | 20.8 |
| iMac, pfSense OpenVPN to London | 152 | 19.8 |
| iMac, pfSense OpenVPN to Southampton | 205 | 19.4 |
| iMac, PIA app WireGuard to London | 303 | 19.5 |
| iMac, PIA app WireGuard to Southampton | 293 | 19.6 |
| iMac, no VPN (CLI) | 317 | 21.2 |
| iMac, PIA app WireGuard to London (CLI) | 234 | 19.5 |
| Media server, no VPN (CLI) | 322 | 21.0 |
| Media server, PIA WireGuard to London (CLI) | 317 | 19.6 |

The first 5 tests listed above were all performed on my iMac desktop using the Ookla Speedtest desktop app for MacOS.

All the Command Line (CLI) tests were performed using a python script that can be obtained from the following location.

The WireGuard PIA connection on the media server was set up using the scripts available from the PIA GitHub repository and is presented for comparison.

The current PIA apps make use of WireGuard rather than OpenVPN, although until recently they also used OpenVPN, and even with that option I rarely lost more than 50-60 Mb/s.

I tried to set up a WireGuard connection from my pfSense firewall using the settings obtained from setting up the media server; however, the VPN tunnel would not establish.

Looks like for now at least I will continue to use the local PIA VPN apps for both speed and ease of segregation.

I did also set up a RADIUS-based VPN tunnel using OpenVPN for remote access to my servers by following another one of Tom Lawrence's YouTube videos.

This one works as expected and I can remotely connect to my servers from my iPad, iPhone or MacBook.

Throughput bandwidth is not really a concern for this connection. I may also see if I can work out how to set it up with WireGuard, although all my attempts so far have failed to connect.
