Private Internet Access is a pretty popular VPN provider. With all the talk about the ISPs and problems, I figured I'd do a video on how to encrypt all your traffic at the firewall so you don't have to do it on every individual device. And I chose Private Internet Access. They seem to be a pretty popular company. The reviews are really positive on them. And they have a nice support forum. They have guides on how to set up on a lot of different devices. They seem reasonably priced. They also have some fun and interesting ways that you can pay, with anything from gift cards to Bitcoin to a lot of other options. So plenty of different pay options if you want to keep yourself very disconnected from the VPN. Because what you're really doing is, any time you have a VPN, you're just changing who you trust. You don't trust your ISP, so you encrypt your traffic so you bypass the ISP, but then you have to trust your VPN provider because, well, there's still a connection there. So that's sort of the VPN, but we're gonna run through the pfSense setup that they have here. I went through and tested this. It works good. I signed up for an account. We're gonna show you how to do this.

So I'm gonna keep this open in another window, but I'll walk you through step by step because we have a clean pfSense box that's ready to go. I call it my pfSense demo box. And it is on a private network. And that's the fun thing about OpenVPN: it'll cut through a private network unless it's blocked. So this isn't my public IP address. This is just an internal address from my little home lab setup here. Well, home lab, work lab, it's a lab.

Okay, so let's get started. First step is going and putting in a certificate. So OpenVPN provides you a certificate. So you're gonna go over to System, and I'm at the Certificate Manager, CAs. Now at the top, when you go through the instructions, there's a little download link so you can download this. I downloaded it and copied it into a file.
So that's what their public certificate looks like. So we're gonna add, and we're just gonna call it "PIA cert". You can call it whatever you want. Just call it something convenient. And I just copied and pasted that in from that cert file. So it's just a notepad editor. Go ahead and hit save. All right, that part's done. Step one, real easy.

And we're gonna go over here to VPN, OpenVPN. And this is a client, not a server. We're connecting as a client to PIA. So we're gonna go add, and now we gotta put all the settings in. So we have peer-to-peer, UDP, TUN, WAN. All that's pretty much default. Nothing special you have to do there. Server host address is where you choose where you wanna pop out at in the world. So they have lots of different ones. They got Texas, Chicago, California. So let's put ourselves in California. Now, I actually missed this the first time when I was setting this up for a demo: port 1194 is the default. You wanna go to 1198. If you don't, you get a TLS handshake error because it's the wrong type of certificate on that port. So for the certificate and the work instruction that they have on there, which I'll leave a link below to, it's 1198. Username and password: we'll put that in in just a second because you can't have my username and password. You can see it's defaulting to the PIA cert. We do want to check this off, as in, disable TLS authentication. TLS authentication is an extra encapsulation of the packets that they're not using. It is a hardening that, when I set up my VPNs, I add to them, but on theirs, they're not using that feature. Compression is enabled, adaptive compression.

Now please note, I am doing this video in April 2017 off of an April 2017 work instruction. So if there is some variation, make sure you're looking at their website. This will walk you through, but if they add or change, like, the ciphers that they're using or the algorithms, this will be changed.
As of right now, they're still using AES-128-CBC, which is the default, and SHA1 160-bit for here. For example, on more robust VPNs, they're gonna recommend something even higher for that, but this is pretty secure. It's just one of those future-proofing things. So if I'm setting up a new VPN, I would set it up there, but you have to comply because you're the client. You have to comply with the way their server is configured. But at some point they may change that. But as of April 2017, that's what it is. All of this is all the same here. We're gonna disable IPv6. They give us a paste-in for this. These are some of the custom options. Now everything's all set here, but I'm gonna skip the part where I put my username and password in, but it's pretty straightforward. It's just your username and password. Oh, we also have to check "Infinitely resolve server". And we'll call this the "PIA VPN". This is just the description. That's not, you call it what you want. If it's another VPN provider, you put it in there. So let me put my username and password in, and then we'll skip ahead to the next part.

All right, and if we did all this right, we should be able to click the status over here, and the VPN is up. But the traffic is not. I am not routing traffic, lots of loss. That's because the next step that you have to do is add the outbound routing for this. So we're gonna go over here to NAT, and we go to Outbound. Now this is all the default outbound. So we're gonna go to manual outbound NAT rule generation. This one here, hit save, apply. All right, now we're almost there. So this allows for the WAN. Now what these are right here is because of the way the address randomization works for NAT; ISAKMP is port 500 for certain VPNs. If you're not running a VPN, you don't even need to duplicate that rule; if not, just duplicate that rule. What we do need to do is allow the traffic, so it's allowed to go from this network, the LAN network, out to the WAN address.
And we click the little two pieces of paper and duplicate the rule, change the interface to the OpenVPN interface, and we're gonna call this "VPN LAN to WAN". So there we go, hit save, apply the changes, and we are routing traffic. Now I have a Comcast connection, so let's go over here, ask Google what my IP address is. That's not a Comcast one. I think I can use, yeah, ipchicken. So host up my TSS com, I'm on Comcast. That's clearly not Comcast, so I am routing traffic. All the traffic on this now goes out through the VPN, which is wonderful. Now if we stop the VPN, we go over here to VPN, OpenVPN, and we go here, disable the client, hit save, and you can see I'm back on a Comcast address. So just by simply disabling it, everything gets rerouted to your normal internet access. This is grayed out, so we can go back here to enable it, and we're back online. So if you just needed to know how to set up the PIA VPN, you can stop the video here, because that's as much as you need to do to get that part working.

So it's now set up, we're now routing traffic over the VPN, but let's say we want to do something more specific, and I get a lot of people asking us, "I want to selectively route things." And part of the reason for that is, you may want to, for restrictive reasons, say, "I want to pop out of another place, but I can't have my boxes that connect to Netflix doing it," because, as I've heard, Netflix blocks some of the PIA VPN, or some things don't like things going over a VPN, and you can add a little bit of overhead, maybe a little bit of latency, so maybe you want your gaming rig not to go over there. So let's talk about the steps for that. That's a little bit more advanced. We're gonna go over here to Interfaces, we're going to Assign, and we got two network cards in here. This is the other network card I'm not doing anything with, and there is our OpenVPN.
So we're gonna add that, and we're gonna save, click on it, enable the interface, and this is our "PIA VPN", apply the changes. Now when we go over here to Routing, we have another gateway interface on here. Also, to get this up and running after you've added it, we're gonna go over here to VPN, OpenVPN. Sometimes when you're editing some of these settings, you have to go to the status page of the VPN and just restart it, because it won't push. When you added an interface, it was bound to nothing; now we bound it to an interface, so now we have to get it back up and running. So it's pending, and now it's assigned. So now we see an IP address here, so we know it's good to go. So now we have all of our, we're under here, Firewall, Rules: we have the WAN rules, the LAN rules, the VPN and OpenVPN rules. Now this is where it gets tricky to do this, like the routing, but it's not that complicated, it's just a little different. So right now, and we're gonna open up the ipchicken site again, 198, not a Comcast address, host.mitss, so I'm on there. It's all set up.
Now I will admit, there's sometimes, in case you're wondering, if you keep switching back and forth, there may be a session or a state that gets stuck and holds onto it for a while before the state expires, and you won't see your IP address change right away. You can either, A, reboot the firewall, or, well, just rebooting the firewall generally is enough to do it, to clear out the state tables, or there's an option in pfSense to go here, and you can just reset all the state tables, reset the firewall states. Because as you create these rules, they may not happen immediately, because if there's a state open to connect to something like, well, the ipchicken website, that hasn't timed out, you'll end up with the IP address not changing in the system right away, because it's still holding onto the session. Just a little side note: sometimes just rebooting it is the quickest way to clear all the states and make sure it's all working.

But we see everything's up, we see the interface is up, it has an IP address assigned to it, so we're gonna go to Firewall, Rules, LAN. Now what we wanna do, and we gotta make sure it's the top rule here: my computer's address is ending in dot nine, so 192.168.1.9 is the computer I'm on, and right now we're going out to the VPN. So we wanna make a rule so my computer specifically does not go out to the VPN. So we're gonna add a rule, any, single host or alias. Now there's two ways to do this: I can type in individual host addresses, a block of addresses, or I can say an alias, where you create the aliases up here under Firewall, Aliases. There's a couple different options. For purposes of this, we're just gonna do a single host address. We're assuming it's a smaller network, but if you get a larger network, you could group things together, create an alias, or create a whole network block of them that you want to say, okay, push all these out over the normal WAN gateway. So 192.168.1.9, single host or alias, then we're gonna go down here
to Display Advanced, and we're going down to Gateway, and we choose the WAN DHCP gateway, not this one. So here we go, we hit save, and it should look like this. So this says route all IPv4 traffic from 192.168.1.9 over WAN_DHCP. Apply changes. So we've configured a rule that's gonna force mine not to be on the VPN. So it's on the VPN now, when we last checked. We force the rule, I'll clear the state table real quick, or see if I have to. Let's just see if the IP address changes. It did not. States, Reset States, just reset all the firewall states. I could reboot the firewall, but this is fast. It actually hangs up the firewall as well, because you have to reestablish a connection again for yourself. It takes a few seconds. All right, and now my computer's on the Comcast address. So as you can see, this rule pushes my address specifically over to the Comcast rule.

Now let's switch it back. This is actually kind of clever: I set up a different address, as one is at .9, the other one at .69. So if I switch my computer to .69, and as you can see it's on .69 here, refresh it, and now we're on the PIA VPN again. Now it's really easy to create more of these rules. You just click the little duplicate, change the host to whichever one you want going on there, save, and away you go. You would do this for each individual rule. I didn't make any notes, but that's how you do the selective routing. So it's pretty straightforward, and as I said, you could alias a group of things together, you could come up with selective ways to do it, so you can say, you know what, take my gaming machine and don't put it over the VPN because I want no risk of latency or anything like that, or maybe a couple of devices that are on Netflix that have a problem. Because I haven't really tested this, but some people said, "oh yeah, PIA VPN doesn't really like the, Netflix blocks a couple of them." I don't know if it blocks all of them. I don't have time to go through all of them, but I wanted to give
you guys a demo on how to do selective routing, so you can use a pfSense box for your entire network, but then still have a couple rules that say, nope, not this one, or not this computer, they don't go out over the VPN. So thanks for watching the video. Hopefully that's pretty clear. It's that little to set up. I've seen a couple of tutorials that have you add a couple more things in here. You don't really need them. As you can see, this works, and I don't have any rules under here. You don't need those rules, you don't need any extra WAN rules, you can do the selective routing all from here. And for the NAT functions on the Outbound NAT, you only need these port 500 specific rules if you're using an ISAKMP type of VPN, like inside your network. So if you have another machine, so if you have your work office machine and it has a port 500 VPN that's using the ISAKMP type, you would need to add that rule. If not, you don't even need to add it. But obviously it's arbitrary to add or don't use that one out for VPN because you're VPN out anyways. But a pretty simple system to set up. I'm happy, the speed is good. That's it for the demo. If you like the content here, or if you have another suggestion for a video, let me know. I'd like you to click the little like button and subscribe to my channel for more updates, and I'm gonna keep the videos coming. Thank you guys, bye.
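As an added example that is not from the video, here is what the three pieces configured above (the duplicated outbound NAT rule on the VPN interface, the top-of-list bypass rule for 192.168.1.9 with the WAN gateway set, and the normal LAN rule) look like as pf rules of the kind pfSense generates. The interface names (em0 for WAN, em1 for LAN, ovpnc1 for the OpenVPN client), the WAN gateway 203.0.113.1 and the rule labels are assumptions; pfSense writes its own ruleset and the exact text differs.

```pf
# Constructed example: the video's selective-routing setup as pf rules.
# em0/em1/ovpnc1 and the WAN gateway 203.0.113.1 are assumed values.
wan     = "em0"
lan     = "em1"
vpn     = "ovpnc1"
wan_gw  = "203.0.113.1"
lan_net = "192.168.1.0/24"
# Hosts that must stay off the VPN; an alias works the same way here.
exempt  = "{ 192.168.1.9 }"

# Outbound NAT. The default WAN rules stay, and the "VPN LAN to WAN"
# duplicate masquerades LAN traffic that leaves through the tunnel.
# The port 500 static-port rule only matters for ISAKMP VPN clients
# behind the box, as the video notes.
nat on $wan inet from $lan_net to any port 500 -> ($wan) static-port
nat on $wan inet from $lan_net to any -> ($wan) port 1024:65535
nat on $vpn inet from $lan_net to any port 500 -> ($vpn) static-port
nat on $vpn inet from $lan_net to any -> ($vpn) port 1024:65535

# pfSense rules are first-match ("quick"), so the bypass rule has to be
# ABOVE the general LAN rule. route-to sends these hosts out the physical
# WAN gateway even though the tunnel currently holds the default route.
pass in quick on $lan inet from $exempt to any \
    route-to ($wan $wan_gw) \
    label "USER_RULE: route 192.168.1.9 over WAN_DHCP"

# Everything else on LAN follows the default route, which the OpenVPN
# client pointed at the tunnel, so it exits via PIA.
pass in quick on $lan inet from $lan_net to any \
    label "USER_RULE: Default allow LAN to any"
```

Existing state entries keep their original route-to decision, which is why the video has to reset the state table (or reboot) before the ipchicken check reflects the new rule.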