Step 1: Download PIA OpenVPN Configuration Files
- **Download PIA OpenVPN Files**: To start, you need to download the certificate and key files from the official PIA website.
- Go to the PIA Support Portal knowledgebase article "Where can I find your OVPN files?" (Knowledgebase / Technical / Troubleshooting / OpenVPN).
- Download the OpenVPN configuration files for your preferred server location (e.g., Germany, USA, etc.).
Step 2: Access the OPNsense Dashboard
- **Log into OPNsense**: Open a web browser and go to your OPNsense firewall’s IP address (e.g., `https://192.168.1.1`).
- **Log in** using your credentials.
Step 3: Import the PIA Certificate
- Go to **System > Trust > Authorities** in the OPNsense dashboard.
- Click **Add or Import CA** to create a new certificate authority (CA).
- In the **Descriptive Name** field, enter a name (e.g., “PIA CA”).
- Open the `.ovpn` file you downloaded earlier, find the certificate section (the text between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`), and paste it into the **Certificate data** box.
- Click **Save**.
Step 4: Add a New VPN Client
- Navigate to **VPN > OpenVPN > Clients**.
- Click **Add Client** to create a new VPN client.
- **Configure the OpenVPN Client** as follows:
  - **Server Mode**: Peer to Peer (SSL/TLS)
  - **Protocol**: UDP (you can use TCP, but UDP is typically faster)
  - **Device Mode**: tun
  - **Local Port**: Leave this blank
  - **Server Host or Address**: Enter the PIA server address you want to connect to. This information is available in the `.ovpn` files you downloaded earlier (e.g., `germany.privateinternetaccess.com`).
  - **Server Port**: Enter `1198` (or the port specified in the configuration file).
  - **Authentication Method**: Leave as **None**.
  - **Description**: Enter a name for this VPN connection (e.g., “PIA VPN”).
  - **Username and Password**: Enter your PIA account credentials.
  - **Server Hostname Resolution**: Ensure this box is **checked** (OpenVPN will then keep retrying to resolve the server hostname, so the client reconnects automatically if the connection drops).
  - **Disable TLS Authentication** by unchecking “Enable Authentication of TLS Packets”.
  - **Peer Certificate Authority**: Select the CA you added in Step 3 (e.g., “PIA CA”).
  - **Client Certificate**: Leave this set to **None**.
  - **Encryption Algorithm**: Use **AES-128-CBC** (this matches the OpenVPN configuration file from PIA).
  - **Auth Digest Algorithm**: Select **SHA1**.
  - **Hardware Crypto**: Leave set to **No Hardware Crypto Acceleration** (unless you have a hardware accelerator).
  - **Compression**: Set this to **Enabled with Adaptive Compression**.
  - **Disable IPv6**: Check the box to **Disable IPv6**. This prevents IPv6 leaks.
  - **Advanced Options**: Paste the following options into the **Advanced** box (they are taken from the PIA OpenVPN config file):

    ```
    persist-key;
    persist-tun;
    remote-cert-tls server;
    reneg-sec 0;
    ```
- Click **Save**.
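To avoid copying the values from Steps 3 and 4 by hand, here is an added Python helper (not part of this guide or of OPNsense) that pulls the CA certificate, server host and port, cipher, digest and compression settings out of a `.ovpn` file and collects the remaining directives for the **Advanced** box. The embedded `.ovpn` text is constructed with a placeholder certificate, and the field names are the OPNsense labels from Step 4; it also flags a file that ships a `tls-auth`/`tls-crypt` key, for which the "uncheck TLS authentication" step would not apply.

```python
import re

# OpenVPN directive -> OPNsense client field from Step 4 of the guide.
FIELD_MAP = {"dev": "Device Mode", "proto": "Protocol", "cipher": "Encryption Algorithm",
             "auth": "Auth Digest Algorithm", "comp-lzo": "Compression",
             "resolv-retry": "Server Hostname Resolution"}
# Directives OPNsense derives from Server Mode, the credential fields, or the CA from Step 3.
IMPLIED = {"client", "tls-client", "auth-user-pass", "nobind", "verb", "ca"}

def parse_ovpn(text):
    """Return OPNsense field values and the Advanced-box directives for one .ovpn."""
    ca = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    fields = {"CA certificate": ca.group(0) if ca else None,
              # True: the file ships a tls-auth/tls-crypt key, so do not disable TLS auth
              "TLS key block present": bool(re.search(r"<tls-(auth|crypt)>", text))}
    body = re.sub(r"<(\w+)>.*?</\1>", "", text, flags=re.S)  # drop inline key/cert blocks
    advanced = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        if name == "remote":  # -> Server Host or Address / Server Port
            fields["Server Host or Address"] = args[0]
            fields["Server Port"] = int(args[1]) if len(args) > 1 else 1194
        elif name in FIELD_MAP:  # bare comp-lzo means adaptive in OpenVPN
            fields[FIELD_MAP[name]] = " ".join(args) or "adaptive"
        elif name not in IMPLIED:  # persist-key, persist-tun, remote-cert-tls, reneg-sec ...
            advanced.append(line)
    fields["Advanced"] = ";\n".join(advanced) + ";"  # one directive per line, as in the guide
    return fields
# Constructed, shortened .ovpn with a placeholder certificate body (not a real PIA file).
SAMPLE_OVPN = """client
dev tun
proto udp
remote germany.privateinternetaccess.com 1198
resolv-retry infinite
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
remote-cert-tls server
comp-lzo
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""
```

Call `parse_ovpn()` on the text of a downloaded file and copy each returned field into the matching OPNsense box; the `Advanced` value is already in the semicolon-terminated form the guide shows.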
Step 5: Verify OpenVPN Connection
- Navigate to **VPN > OpenVPN > Connection Status**.
- Check that the VPN connection is active. The status should show **Up**. If not, you can restart the service or wait a few moments for it to resolve.
Step 6: Set Up NAT for VPN Traffic
- Go to **Firewall > NAT > Outbound**.
- Change the mode to **Hybrid Outbound NAT Rule Generation** and click **Save**.
- Click **Apply Changes**.
- **Clone the Existing Rules**: For each outbound NAT rule listed, click the **Clone** button, then:
  - Set the **Interface** to the OpenVPN client interface (this will typically be called something like `ovpnc1`).
  - Leave the rest as it is.
  - Click **Save** and repeat for each rule.
- Click **Apply Changes** to ensure the new NAT rules are active.
Step 7: Test the VPN Connection
- **Check if the VPN is Active**: Use a web service such as [IPLeak.net](https://ipleak.net) or [WhatIsMyIP.com](https://www.whatismyip.com) to check if your IP address matches the VPN server you connected to.
- If the IP matches the VPN server, then your VPN setup is successful!