
Using pfSense and Unifi to anonymize and encrypt VLAN tagged traffic: A step-by-step guide


#UPDATE 11/05/2022

Original post date: 2023-07-29T15:38:58Z

This update details the configuration process for utilizing 4096-bit RSA keys, the SHA256 Auth digest algorithm, and AES256 encryption. The initial post used the default PIA key length of 2048, SHA1, and allowed for AES128.

Updated information will be tagged with #Update throughout this post.


Introduction

This post will guide you on how to use pfSense within a Unifi network situated behind a Unifi Gateway, specifically a Unifi Dream Machine Pro (UDMP). I will outline my network configuration, encompassing subnets, VLANs, and wireless SSIDs, which are crucial for a successful setup. The ultimate goal is to enable the addition of a client to a specific VLAN on my Unifi network, either wirelessly by connecting to a designated SSID or by tagging the client’s physical port to that VLAN. This VLAN will correspond to a subnet that directs traffic through the pfSense machine, which functions as a VPN client (using Private Internet Access). This approach allows the UDMP to maintain its role as the DHCP server for these clients while pfSense handles the anonymization and encryption of their data.


Disclosure: As an Amazon Associate, I earn from qualifying purchases. Your support helps maintain this blog. Please note that the pricing remains the same for you, regardless of whether you use my links.


Prerequisites for this setup include: a Unifi Gateway device (e.g., UDMP, Unifi Security Gateway), a pfSense machine/VM, Unifi wireless APs (necessary for adding wireless devices to the VPN), and Unifi switches (required for tagging specific switch ports to the VPN). It is also assumed that you have an active VPN service subscription. This guide primarily focuses on PIA but can potentially be adapted for other VPN providers.

We will begin by configuring pfSense and the VPN connection, followed by the Unifi setup.


pfSense Setup and Configuration

My custom pfSense machine consists of the following components: an Intel Core i5-8500 CPU, a GIGABYTE B365M DS3H motherboard, 16GB of Corsair Vengeance LPX RAM, a Thermaltake Smart 500W Power Supply, and a 4-Port PCI-E Network Interface Card.

Select a PIA Server

Start by choosing an optimal server location, typically based on your country and geographic region. Using your PIA account credentials, access the complete server list at: https://www.privateinternetaccess.com/pages/ovpn-config-generator

To import the required certificate, select the 1198 port option and click “Generate.”


#UPDATE

For enhanced security with a 4096 RSA cert, download the .CRT file from: https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt


Open the downloaded file in a text editor (e.g., Atom, Notepad++) and copy the entire content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those two marker lines, as illustrated in the image below.

Create a Certificate Authority in pfSense

Navigate to System > Cert Manager in pfSense and click on the “+ ADD” button. Select “Import an existing certificate authority” as the “Method” and paste the copied certificate text into the provided field, as shown below.

Save the settings.

The imported certificate should now be visible in the list.

Configure OpenVPN Client

With the certificate imported, go to VPN > OpenVPN, then Clients, and click ADD.

Configure the OpenVPN client settings according to the following images, replacing the Server Host, PIA Username, and Password with your own details. The server host information can be found in the .ovpn file downloaded earlier from PIA. Copy and paste the following into the “Custom options” box towards the end of the configuration page:

remote-cert-tls server

#UPDATE

For enhanced security with the 4096 key, SHA256, and AES256 encryption, paste the following into the “Custom options” box instead of the text above:

remote-cert-tls server;
persist-key;
persist-tun;

#UPDATE

When opting for the 4096 key, SHA256, and AES256 encryption, use Port 1197 instead of Port 1198, as shown in the image below.



#UPDATE

For the 4096 key, SHA256, and AES256 encryption configuration, select only AES-256-CBC under “Data Encryption Algorithms”.

Choose AES-256-CBC (256 bit key, 128 bit block) for “Fallback Data Encryption Algorithm”.

Set “Auth digest algorithm” to SHA256 (256-bit).

Enabling “Hardware Crypto”, preferably Intel RDRAND engine - RAND, is highly recommended for enhanced encryption.



#UPDATE

When using the 4096 key, SHA256, and AES256 encryption, make sure to paste the following into the “Custom options” box:

remote-cert-tls server;
persist-key;
persist-tun;
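To check a downloaded PIA .ovpn file and the pfSense “Custom options” string against the hardened profile above (port 1197, AES-256-CBC, SHA256, and remote-cert-tls server), here is an added Python example; it is not part of the original post or of PIA's tooling, and the sample .ovpn text, the host name example-gateway.invalid, and the function names are constructed for illustration.

```python
import re

# The post's hardened OpenVPN client profile: 4096-bit CA, SHA256 auth, AES-256-CBC, port 1197.
HARDENED_PROFILE = {"port": 1197, "cipher": "aes-256-cbc", "auth": "sha256"}
# Constructed sample in the style of a PIA .ovpn download (default 1198 profile); host is a placeholder.
SAMPLE_OVPN = """\
remote example-gateway.invalid 1198
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
remote-cert-tls server
<crl-verify>
MIIB...constructed placeholder, not a real CRL
</crl-verify>
"""

def parse_ovpn(text):
    """Map each OpenVPN directive to its argument string, skipping comments and <tag> blobs."""
    directives, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if re.match(r"^<\w[\w-]*>$", line):      # start of an inline certificate/CRL block
            in_block = True
        elif re.match(r"^</\w[\w-]*>$", line):   # end of that block
            in_block = False
        elif not in_block:
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives

def parse_custom_options(text):
    """pfSense 'Custom options' are semicolon separated; return the directive names present."""
    return {opt.strip().split()[0] for opt in text.split(";") if opt.strip()}

def audit(ovpn_text, custom_options):
    """Return (host, findings); each finding is one deviation from HARDENED_PROFILE."""
    d = parse_ovpn(ovpn_text)
    host, _, port = d.get("remote", "").partition(" ")
    port = int(port) if port.isdigit() else None
    checks = (("remote port", port, HARDENED_PROFILE["port"]),
              ("cipher", d.get("cipher", "").lower(), HARDENED_PROFILE["cipher"]),
              ("auth", d.get("auth", "").lower(), HARDENED_PROFILE["auth"]))
    findings = [f"{name} is {got!r}; hardened profile wants {want!r}"
                for name, got, want in checks if got != want]
    if "remote-cert-tls" not in parse_custom_options(custom_options):
        findings.append("custom options are missing 'remote-cert-tls server'")
    return host, findings
```

Run `audit(open("your.ovpn").read(), "remote-cert-tls server;persist-key;persist-tun;")` on the real download; an empty findings list means the file already matches the 1197/AES-256-CBC/SHA256 settings described in this post.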

pfSense Gateway and Interface Assignment

Now comes the more complex part. This step involves creating a Gateway on pfSense for routing traffic. My setup uses a WAN (10.99.1.0/24 subnet on Unifi), LAN (10.99.2.0/24 subnet on Unifi), VLAN500 (VLAN tag on Unifi), and a PIA interface. The configuration of each will be detailed below.

Configure the Gateway

In pfSense, go to System > Routing > Gateways and click "+ Add" to create a new Gateway. Enter the Gateway IP address of your Unifi Gateway, which in my case is 10.99.1.1, corresponding to the UDMP’s address on the 10.99.1.0/24 subnet (named pfSense WAN on Unifi). Save the configuration.

Interface Assignments

Navigate to Interfaces > Assignments. If a WAN interface is already assigned, proceed to edit it. Ensure the settings resemble the image below, replacing 10.99.1.15 with your preferred static WAN IP address (any address within the 10.99.1.0/24 subnet except the Gateway address, 10.99.1.1). Verify that the IPv4 Upstream gateway is set to the newly created Gateway and that the “Block bogon networks” option is checked at the bottom.

Similarly, check your existing LAN interface or create a new one with the settings shown below. This LAN interface corresponds to the 10.99.2.0/24 subnet, which is where devices tagged with VLAN 500 on Unifi will obtain their DHCP leases. Ensure the IPv4 Upstream gateway is set to “None” and DO NOT enable “Block bogon networks” for the LAN interface.

Add a PIA Interface

From the “Available Network Ports” dropdown, select your PIA VPN and click “Add.”

Once added, click on the newly added interface (e.g., OPT2, OPT3) and enable it. You can rename it for clarity (e.g., PIA_Netherlands) and ensure that the reserved network checkboxes are unchecked.

Next, go to Interfaces > VLANs and click “Add.” Choose the previously configured LAN interface as the parent interface and select a VLAN tag between 1 and 4094. This tag (500 in my case) will be used in the Unifi configuration.

Finally, connect the physical interfaces for your WAN and LAN to the pfSense box. Identifying the correct ports is crucial, especially if you have more than two NICs, as you will need to tag the LAN interface with VLAN 500 in Unifi (this can be done now or later in the Unifi setup).

Outbound NAT Rules

Go to Firewall > NAT and select the “Outbound” tab.

Change the outbound NAT mode to Hybrid and click Save.

Create rules that send traffic from the VPN subnet (the subnet created in Unifi, 10.99.2.0/24 in my case) out through the PIA interface. Create the following four rules (refer to the image below): a Localhost to PIA rule, an ISAKMP Localhost to PIA rule, a LAN (Subnet) to PIA rule, and an ISAKMP LAN (Subnet) to PIA rule.

Outbound NAT Rules Configuration

The settings for each rule are detailed below. Replace the placeholder values with your specific configuration.

Your “localhost” and “127.0.0.0” information will likely remain the same. Replace “PIA_CHICAGO” with your configured PIA Interface and adjust the subnet (e.g., 10.99.2.0/24) accordingly.

ISAKMP - localhost to WAN

localhost to WAN

ISAKMP - LAN (Subnet) to WAN

LAN to WAN

This completes the pfSense setup. Let’s move on to the Unifi configuration.

Unifi Setup and Configuration

In the Unifi Settings page, create two Corporate LAN networks: one for the pfSense WAN and the other for the pfSense LAN. The subnets should match those configured in pfSense (as shown in the image below).

pfSense WAN on Unifi

Create a new Corporate LAN for your pfSense WAN in Unifi, matching the options as shown in the image below. Ensure the subnet corresponds to the WAN interface subnet configured in pfSense.

pfSense LAN on Unifi

Create another Corporate LAN in Unifi for the pfSense LAN, using the settings shown in the image below as a guide. Configure the DHCP Gateway IP address to match the static IP address assigned to the pfSense LAN Interface (e.g., 10.99.2.15). Importantly, set the VLAN ID to the same value used in pfSense (e.g., VLAN 500).

Connect the pfSense physical port corresponding to the LAN interface to the Unifi network and manually configure the port to use the configured VLAN.

Tagging Ports on Unifi Switches

In the Unifi clients page, select the client you wish to add to pfSense and go to its overview. Choose the Port where the client is connected (e.g., Family Room - UniFi Switch 8 POE-60W #7, as shown below).

This will open the port configuration page, allowing you to override the settings. Select the new pfSense (500) Port Profile. If the Port Profile is not listed, refer to the troubleshooting section at the end of this guide. Once applied, the device will obtain a new DHCP lease from Unifi in the pfSense subnet, routing its traffic through PIA.

Adding Wireless Clients to pfSense on Unifi APs

Go to Settings > Wireless Networks and click “CREATE NEW WIRELESS NETWORK.” Configure the new wireless network according to the image below, ensuring that you select pfSense as the Network for the WLAN. Devices connecting to this wireless network will have their traffic routed through PIA. You can verify this by visiting “whatismyip.com” from a device connected to this WLAN.

Congratulations on successfully configuring your network!

TROUBLESHOOTING

Adding Missing Port Profiles

If the Port Profile is not automatically created, navigate to Settings > Profiles in the Unifi dashboard and switch from RADIUS to SWITCH PORTS. Click “ADD NEW PORT PROFILE,” name it, and then select “Native Network.” Assign the pfSense network to this profile, as shown below, and save the configuration. You can now return to the port assignment section and assign ports to the pfSense VPN using this new profile.

Licensed under CC BY-NC-SA 4.0