So in this video, we're going to cover how to set up PIA (Private Internet Access) with pfSense and also how to do advanced policy routing. The specific policy we're going to talk about is how to set up a kill switch. The goal is that you may want some computers to go out over the VPN, and that's fine; PIA has instructions, which we'll get to, on how to set that up, and it encapsulates the whole network over the VPN. I've also done a more advanced video, which I'll link below, on setting it up and doing policy routing. This one is policy routing plus a kill switch, so we're going to cover some of the same things in this video.

The kill switch is important because pfSense by default wants to be helpful, and that helpfulness is the default behaviour: if you are routing things over the VPN and the VPN goes down, it falls back to your ISP. The same thing applies if you have a system that you specifically want to run only over the VPN; when the VPN goes down, that system falls back to your ISP, which is not what you want. Hence we call it a kill switch: it's a policy that says do not route this traffic out anything other than the VPN. Basically you're breaking the helpfulness of pfSense that tries to keep the traffic flowing.

Now, how this works. We're going to start with Private Internet Access, and I've got some of this set up already; you may notice it's all configured here. We're going to walk through all the steps I did to get here and how to add more to it. But let's start with why I even chose Private Internet Access. A few people asked me to review other VPNs. I've tried several, and they work, but one of the reasons I came back to Private Internet Access, or stuck with them I should say, is that I've been using them since 2016, for a number of years, and they've been very trouble free, very headache free.
But as with anything, my caveat with VPNs is always that you're just moving the point of trust. You may want to use a VPN because you don't trust your ISP not to look at your data, or because you want privacy on public Wi-Fi and want to encapsulate all the data, but then you have to trust the VPN company. I don't know any VPN companies personally, so I won't put my absolute trust in them. Please encrypt everything. Like I said, you're just kicking the privacy bucket down the road. I just want to get that out there before someone leaves a comment saying VPNs don't secure everything: I agree with you. They can be helpful and they can hide your IP address.

One of the things I liked about Private Internet Access (and this is not sponsored by them, but yes, I do have an offer code that helps out the channel; if you want to sign up you can click the link below, not required, but I appreciate those who support the channel) is that Private Internet Access paid for the audit of OpenVPN. I thought that was really cool. OpenVPN is open source, and they paid for security researchers to validate and vet OpenVPN and look for flaws in it. The researchers took a long look at it, which takes time and money (those security experts don't come cheap), and it improved OpenVPN. That is one of those cases where a company gives back; it put them on my radar, I've been using them ever since, and they seem to be a great company.

Back to setting it up. They have, right here, a pfSense 2.4.3 setup guide, last updated March 2019, and their setup guide is accurate; I followed it to get this set up. So I'm not going to go in depth, but I will go over the settings. They also have an entire article if you want to get into the minutiae of the encryption settings and choose stronger or weaker encryption. We're just going to use the default they have here, but you can modify it as needed.
You choose a region off their network page, whichever region you want to go into. You download the CA certificate (ca.rsa.2048.crt) and import it; that instruction works fine. I'm going to go over to the CA, and I have it imported. Importing it is really simple, like they show: you hit Import certificate and paste it in here. That's what the certificate looks like: copy, paste, give it a name ('another PIA' in my case, because I already have one and it will let you import two different ones). It's pretty straightforward; it's just a text file certificate, no big deal.

Then we go over to VPN, OpenVPN, Clients. I have two of them set up here, and we'll get to why in a second. The why is, well, because it's cool: I can have one computer going out one and another computer going out the other. Another reason is that PIA supports multiple connections, up to five as of July 2019, with one account. So you can do your whole-house VPN if you want, or selectively policy route only certain computers over it. As far as the connections go, pfSense can connect to different VPNs, so some computers can go out one VPN and some out the other, just to make the video a little more interesting.

Now going down the list of the setup: the client is enabled (this is not 'Disable'), Peer to Peer, UDP, Layer 3. The Swiss server is the one I chose here, but this is where you put whatever server host address and the port that server runs on. I have that information in there. The proxy fields stay blank unless you have a proxy, which most people do not. Your username and password: enter and confirm them; these two boxes stay unchecked; then choose that certificate, whatever you called it.
I called mine simply PIA. Client certificate: none, username and password only. AES-128-GCM here, 128-GCM and AES-256-GCM here, SHA1 (160-bit), no hardware acceleration, and the rest of these fields blank. Then copy and paste the custom options from their guide; you can see they show them right here. Send/receive buffer, IPv4 only. Do you need more details in the logs for troubleshooting? Save.

Now I'm going to do you a favor, because I ran through that quickly. I can go to Backup & Restore and export just the OpenVPN section. When I export my OpenVPN settings it won't include the CA, so you still do the CA part, but I'll leave a link in the description below where you can pull my OpenVPN config. Most of the time when people get stuck, it's because they missed one little box going through, since it's a lot of details; this is a quick way to do it, and I kind of wish PIA provided this. But there is a caveat: please back up before you do this, because when you bring in my OpenVPN settings, which are just an XML file (I'll show you what it looks like; this one is from earlier, the Chicago one), it will overwrite your OpenVPN settings. So warning: you are restoring with this. If you have a blank machine you're starting with, no problem, it'll work. If you already have a config in there, you'll go 'oops, I overwrote it'. You'd have to modify the XML if you want more than one in there. But I'm assuming a lot of people on the simpler side just want to pull a file in; I'll leave it below. If not, follow PIA's instructions; they work.

Next are two pieces we're going to do. Once you have the VPN set up and configured, you can see that it's up and working; it's actually showing in the logs.
This tells you the local address, the virtual address for the tunnel, the remote host, et cetera, so we know the VPN is up and running. You can go over to Ping and ping 1.1.1.1. It's always a good idea to check from here first: can I ping things, does the data go out at all? Do this before you start troubleshooting from the computer side, because then you're trying to figure out why the computer isn't routing, and there's more complexity; if it doesn't route here, it certainly won't route at the computer level. So this is your first test, and it sometimes solves problems before you get deeper.

Now to get the policy routing working. This is actually where the guide stops; the only other thing that has to be done is adding the outbound NAT rules, and we'll cover that in a second because we're doing them a little differently. Getting outbound NAT to work is pretty easy: you just create these outbound NAT rules. Firewall, NAT, Outbound, and here they are. You'll notice it says Swiss, not OpenVPN; that's the special part of how we're going to set this up. We'll duplicate the rule; like I said, you copy the rules. You don't really need the ISAKMP ones (the port 500 static-port rules, in case you're wondering) unless you're running that type of VPN behind here; the guide shows copying them, but if you're not using that type of VPN behind your pfSense, such as from a local workstation, they're not relevant. You just go here, like they show, hit the copy rule, and add another rule. Because I have two different networks, LAN 1 and LAN 2, we'll add this to LAN 2 as well: duplicate the WAN rule to Swiss, save. I could add a description to be more accurate, but now it can route out either of these.
Now, this is where some people think you do the policy routing, so it only routes out one or the other. But this is where pfSense's defaults are being helpful: if for some reason the Swiss VPN goes down, it just goes out the WAN. That's where you want the kill switch added, which we'll get to shortly. But first we have to add a gateway. To allow policy routing out of different gateways from a LAN rule, you need a gateway to route to. So go to Interfaces, Assignments. Here are my standard ones, but after you add OpenVPN as a client it also shows up as an assignable interface, and here's another one, the Chicago one we added. Both ran through that same setup; we added one for Swiss and one for Chicago. We've already done Swiss, so let me walk you through how we add Chicago. Add. There we go. Not much else. Go in here; it's called opt3, call it Chicago (I like that name), save, apply. Now we have WAN, LAN, LAN2, Swiss, and Chicago. But you notice it doesn't have an IP address. The reason is that we have to restart the OpenVPN service: even though we added the interface, the service has to be restarted. So we just hit restart on this. There is a pause with the interface; sometimes when I restart the service pfSense keeps routing, but the interface pauses while it's refreshing, I think for about 30 seconds. It just sits here a second, so I'll cut this part of the video out and jump to it working in 40 seconds. Now the system's up and running, and you can see we've got PIA Switzerland and PIA VPN Chicago, and these are the internal routing addresses. Now, a short side note: PIA has separate routing addresses they use.
Look at whether these tunnel networks (this one is 10.1.10.x, a /24, versus this one, 10.13.10.x) overlap with one of your other networks. As long as there's no conflict, there are no routing issues. But if by some unusual chance you chose exactly the same IP range they're using, you'll have to choose a different one, because pfSense needs separate networks for routing. Just a side note in case you run into a weird scenario like that; a lot of people internally use 192.168 addresses, which is why PIA chose 10.x addresses. But it is a little factor in case you run into a weird problem, because we've seen some of these where someone by coincidence chose the same range as the tunnel, and that was actually their troubleshooting problem.

Now that we've got these two gateways, you can see them here under Routing: our standard WAN set via DHCP, then Chicago and Swiss, and we can choose which one is the default gateway. It's important to have these gateways in here, but that's not where you set the policy routing. You do that under Firewall, Rules, and I created a rule under LAN 2. First I created an alias, 'route through VPN Swiss', and I'll show you. Here is the firewall alias called route through VPN Swiss. This just makes it easy: if I have to add another host, add host, whatever IP address that host has, another host, save. Now automatically I have two; it just takes that IP and throws it in there, and it becomes part of the routing pool. Aliases are helpful because otherwise you'd have to create individual rules for every single device, and that would be tedious.

Back over to the rules. This is the important policy rule you need to create, and rules are processed top down, so this rule being above this rule is important.
This rule is the catch-all that says route it out the default (DHCP) WAN. This rule says if you match one of the IP addresses in here, route through the VPN. We'll edit the rule to show how we built it. Start with Pass, interface LAN, IPv4, protocol any. Source: single host or alias. Like I said, you could create a rule and type each individual IP address here, but we're using the alias; if you're not sure how aliases work, I think I have a whole video on that, but they autocomplete as you type. Set single host or alias to the 'route through VPN Swiss' alias. Description: route these out VPN Swiss, so we have a name for it. Then normally this is hidden, but we want to display the advanced options; leave these blank, but this is the important part. The Tag field does not autocomplete. I tagged it 'VPN traffic', meaning this traffic is tagged as VPN. Below it is Tagged, which is 'find the tag'. Here we're adding the tag; we'll create another rule to find that tag. Then the Gateway: we have the options of Chicago, Swiss, or WAN; Swiss is the one we want here. Save, apply. So now this rule routes out through the Swiss VPN: route out VPN Swiss. And because I refreshed the page, the other alias entry I added on the other tab now shows both entries when you mouse over. So you're good there: this routes out through Swiss.

Now here comes the kill switch. It's a floating rule. Floating rules normally are processed after the other rules in pfSense. So go to the Floating tab: action Block, Quick (apply immediately). I said normally after; Quick means jump and apply this rule before we go to the other rules in the list. Interface WAN, direction any, IPv4, protocol any, source any, destination any. This is where some people get mixed up and think they can just grab those IPs and apply this rule; you want to do it very specifically like this.
Source any, destination any, but here comes how it finds those hosts; this is how the rule knows what to do. We added the tag 'VPN traffic'; now it has to be exactly the same, so in Tagged I put 'VPN traffic'. So the tag was added by the LAN rule, and now the tag is matched: 'VPN traffic'. Then go to the bottom and hit save. What that rule is now doing: if it finds the VPN traffic tag (you can see if I mouse over it says advanced: VPN traffic), block it, because we're blocking it going to the WAN. It's basically looking for anything destined out the WAN. You could do the same thing if you had another WAN, WAN2; matter of fact, you would need to select both if you had two outbound connections, because you just don't want it going out through the ISP. So when the VPN goes down, so do these hosts. That's the important part about this rule, and we only need the one floating rule.

Now let's show the rule in action. Here are my two test machines: 'yes VPN' and 'no VPN'. If I run curl ifconfig.co/country on this one, it shows United States, because it's going out through the normal route; it's 192.168.40.119. So this computer is 119, and 118 is the one we added the rule for. If we run curl ifconfig.co/country there, it shows Switzerland. curl ifconfig.co shows the IP address: on this one it would show my public IP; this one shows the IP of the Swiss VPN from PIA. Pretty straightforward and simple. What if I wanted to put this one behind it as well? That's really easy; we'll do it quickly. Firewall, Aliases, edit. I know this one's 119, so change the 8 to a 9, save, apply, up arrow: now it shows Switzerland. Edit the alias again and delete that host, save, apply: United States. The rules work perfectly fine; it's doing what we wanted.

Now here is the problem with the way the VPN works if we stop the VPN and only have the firewall rules. We're going to disable the floating rule: disable it, apply.
We go back here: 'yes VPN', just to prove once again it's on there. Country: Switzerland; ping 1.1.1.1 works fine, it's on the internet. We go over here, and remember we disabled the floating rule, and now we stop the OpenVPN service. All right, VPN stopped. Hey look, I can still ping; I'm in the United States now, because without that floating rule it's still on the internet and working. Now we go back and show the floating rule in action: turn the floating rule back on, apply: no internet. That's the kill switch: VPN went down, this system goes down with it. So let's fire the VPN back up, and like I said, this is where it pauses for 40 seconds, so I'll skip ahead 40 seconds in the video. VPN's back up; ping works; curl ifconfig.co/country, back in Switzerland. Everything's back to normal. The kill switch works exactly like it's supposed to: anytime the VPN goes down, away you go, it shuts off.

Now I added two VPNs, like I said, to make the video a little more interesting. So let's go over to the rules, again to the LAN where these computers are. This could be completely done through LAN 2 as well; I'm just doing them in here, but you could do this across every segment of your network, whether it's a VLAN or a regular LAN, it doesn't really matter. Let's configure that 119 address (118 is in the alias), and we can create another alias called Chicago. Firewall, Aliases. This one says route through Swiss; let's add an alias, 'route through Windy City'. Chicago is known as the Windy City, for those who don't know. Then we add the other address in here, 40.119, the other system. Save, apply. Now we go back over to our rules, LAN, and we're just going to copy this rule because it works. So copy it.
Everything stays the same: pass, LAN, IPv4, single host or alias, but we delete the alias and start typing 'route', and now choose 'route through Windy City'. Change the description for accuracy: route through the Windy City of Chicago. That tag, 'VPN traffic', is still important to have on there. Go down here, choose the gateway as Chicago. Apply. The rules once again are processed top down: if it matches this rule, which 118 does, it goes out Swiss; when it matches this one, 119 goes out Chicago. And if you mouse over, it's adding the tag 'VPN traffic' to both, so they'll both get caught by the kill switch. But let's say you didn't want this one caught by the kill switch: just remove the tag. Then you can say 'I prefer to go out Chicago, but if the VPN's down, no big deal, just route me out anyway'; remove that tag and it doesn't hit the floating rule. That's for cases where you're not worried if something goes out over the standard ISP. But that's it.

So now we should be able to test and see Chicago on this one. And... it failed. Well, don't worry, I know what I'm doing; I did this kind of on purpose and kind of on accident. When we added Chicago, I realized we didn't do something, and it goes back to what I talked about at the beginning: we also have to create, on this network, the outbound NAT to go out Chicago. So we went to the outbound NAT again, duplicate, choose Chicago, there we go. For each VPN you create, yes, you do have to create an outbound NAT rule. So for the 40 network specifically we've got a WAN rule for the ISP, a Chicago outbound and a Swiss outbound option, and now we can go out any one of those. And with that done, here we go, working fine. The VPN's up, and curl ifconfig.co returns 104.200..., and I believe, let's go back to the front page, the Chicago address is, yep, 104.200.153.91.
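As an added example (not code from the video, PIA, or pfSense), here is a small Python linter that checks an exported pfSense config.xml for the pattern built above: every policy-routed LAN pass rule must carry the tag, a floating Quick block rule must match that tag, and, going beyond the single WAN in the video, that block must cover every WAN-type interface you name. The element names are what I understand pfSense's config.xml to use; the sample config, gateway names and alias names are constructed.

```python
"""Lint a pfSense config.xml for the kill-switch pattern: every LAN pass rule
that policy-routes to a VPN gateway must carry the tag, and a floating Quick
block rule must match that tag on every WAN-type interface."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real export.  Element names follow pfSense's
# config.xml <filter><rule> layout as I understand it; the gateway and alias
# names are placeholders modelled on the video's setup.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <source><address>route_through_VPN_Swiss</address></source>
    <destination><any/></destination>
    <gateway>SWISS_VPNV4</gateway><tag>VPNTRAFFIC</tag>
    <descr>Route out VPN Swiss</descr></rule>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <source><address>route_through_Windy_City</address></source>
    <destination><any/></destination>
    <gateway>CHICAGO_VPNV4</gateway>
    <descr>Route through Chicago (tag removed)</descr></rule>
  <rule><type>block</type><floating>yes</floating><quick>yes</quick>
    <interface>wan</interface><direction>out</direction><ipprotocol>inet</ipprotocol>
    <source><any/></source><destination><any/></destination>
    <tagged>VPNTRAFFIC</tagged><descr>Kill switch</descr></rule>
</filter></pfsense>"""


def _text(rule, name):
    """Return the stripped text of a child element, or '' if absent."""
    el = rule.find(name)
    return (el.text or "").strip() if el is not None else ""


def kill_switch_rules(rules):
    """Map each tag matched by a floating Quick block rule to the set of
    interfaces it blocks on (multiple interfaces are comma-separated)."""
    blocks = {}
    for r in rules:
        if (_text(r, "floating") == "yes" and _text(r, "type") == "block"
                and _text(r, "quick") == "yes"
                and _text(r, "direction") in ("out", "any") and _text(r, "tagged")):
            ifaces = {i.strip() for i in _text(r, "interface").split(",") if i.strip()}
            blocks.setdefault(_text(r, "tagged"), set()).update(ifaces)
    return blocks


def lint_kill_switch(xml_text, wan_interfaces=("wan",)):
    """Report policy-routed pass rules that would fall back to the ISP.

    untagged:  pass rules with a gateway but no tag (nothing stops the fallback)
    unmatched: tags set by pass rules that no floating block rule looks for
    uncovered: per tag, the WAN interfaces the floating rule does not block on
    """
    rules = ET.fromstring(xml_text).findall("./filter/rule")
    blocks = kill_switch_rules(rules)
    report = {"untagged": [], "unmatched": [], "uncovered": {}}
    for r in rules:
        if _text(r, "floating") == "yes" or _text(r, "type") != "pass":
            continue
        if not _text(r, "gateway"):
            continue  # default-route rule; going out the ISP is intended here
        tag = _text(r, "tag")
        name = _text(r, "descr") or _text(r, "gateway")
        if not tag:
            report["untagged"].append(name)
        elif tag not in blocks and tag not in report["unmatched"]:
            report["unmatched"].append(tag)
    for tag, ifaces in blocks.items():
        missing = sorted(set(wan_interfaces) - ifaces)
        if missing:
            report["uncovered"][tag] = missing
    return report


if __name__ == "__main__":
    print(lint_kill_switch(SAMPLE_CONFIG))
    print(lint_kill_switch(SAMPLE_CONFIG, wan_interfaces=("wan", "opt1")))
```

The untagged Chicago rule is reported on purpose: it is exactly the "I prefer Chicago but don't care if it falls back" case, so the report shows which hosts are deliberately outside the kill switch.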
Same address on both, so it's pulling the Chicago address. That's it for policy routing; you can expand from here if there's something else you wanted to do, but this way you can put your devices on there.

Now, a few side notes about VPNs. One, they provide a limited amount of protection; they only push the point of trust down the road, meaning you have to trust PIA not to do something with your data. It does, though, encapsulate it from your ISP; the ISP just sees the VPN connection heading over to PIA. I also don't necessarily recommend putting gaming machines behind here. If you want to do VPN, I recommend some things not go behind it. For example, Netflix occasionally has trouble, some streaming services don't like the VPN IP addresses, and some sites straight up block you for being on a VPN. Being able to quickly move computers between routes makes turning it on and off easy. That's also one of the reasons I frequently run a VPN locally on my computer. And at home, if you have the whole-home VPN set up, take the gaming machines off of it. Anytime you add VPN encapsulation you add overhead, and that overhead can cause problems, such as potential latency issues. Matter of fact, Chicago is not far from us, and pinging there shows a very slight amount of latency added versus going straight through my Comcast ISP to Chicago. Anytime you add more layers, more pieces of routing, you have more potential for slowdown. When it comes to gaming, lag is infuriating, so keep the gaming machines off the encapsulated traffic. People knowing what games you play seems like a pretty minimal risk, in terms of Comcast going 'oh, we see him connecting to XYZ gaming servers, now we know they like Minecraft or Call of Duty or insert whatever game'.
I don't know how much value that metadata has, that you play games, but I will tell you that you, or whoever in your house plays games, will probably be super aggravated if the game doesn't work because there's a lot of lag.

But that's it for policy routing; it's pretty straightforward. These are the rules you set: have the VPN set up as a gateway, add the tag for the kill switch (that's important), and follow that rule exactly, making sure everything is checked on the floating rule so that it's processed first. This is where, like I said, people find little problems: make it Quick, and match each interface you also don't want traffic to go out. If you have three or two internet providers, WAN1, WAN2, et cetera, you have to block each of them; if not, pfSense will go 'hey, I'm being helpful again' and send you out the failover one, for example. But that's really it. It sounds complicated at first, but once you start doing it, it's not too complicated.

Like I said, I'll leave a link below where you can download the VPN config just to get the basics set up. But please note it will goof things up if you have an existing VPN config that gets overwritten by my VPN settings; I did leave out my username and password. And always back things up. Actually, before you start messing with policy routing and everything else, just do a backup, so you can restore to that point, because I've seen people accidentally delete things, not know what they deleted, or change too many settings. Have a 'before I started this adventure' backup, because when you restore and reboot pfSense after the restore, it puts all the settings back to that working, wonderful state it was in before the adventure began. But that's the fun part: you get to do it all over again until you get really good at it, or you're like me and, well, you see the smile on my face; I get excited about VPNs and policy routing.
I have fun doing it, so it's not just a job for me. It's actually why I don't play video games: this is my video game. All right, thanks. Oh, if you want to continue the discussion, head over to our forums where you can carry on with this. Also, if you would like to help out the channel, please visit our sponsors page; we have a lot of affiliate links for things that may help you and do help out the channel. All right, thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that helps fund this channel. Once again, thanks for watching this video, and see you next time.