Wireguard PFSense

Is it possible to set up PIA’s WireGuard service on pfSense? I looked into this back in August and was told it wasn’t possible. As I’m getting less than 30 Mbps down, the PIA OpenVPN service is no longer a workable solution, as it is less than 3% of my actual internet speed on a REALLY good day; often I get about 1% of my total internet speed over PIA. If the WireGuard service is not available on pfSense, can anyone recommend a service with a modern VPN technology that works on pfSense? Also, just to be clear, I did talk to PIA and followed all their recommendations for how to try to improve the OpenVPN service.

Despite not being able to achieve much more than 10 Mbps, this is the response I got: “Please be advised that Router-based VPN setups are by nature considerably slower than computer-based ones due to the encryption that secure VPN services utilize.”

While I understand the cryptographic load that OpenVPN puts on a processor, I’ve currently thrown 4 modern Xeon E5 cores at it, with AES-NI passed through to the VM running the router. The limitation is clearly the service, not my hardware.

Seeing as WireGuard is the modern answer, lacking this setup is a make-it-or-break-it type thing, as so many others have stated.

If still interested, check the latest update on this thread: https://forum.netgate.com/topic/183768/pia-using-pfsense-wireguard-package

Is it possible to set up PIA’s WireGuard service on pfSense?

That’s the BSD-based firewall distro right?

PIA have released bash shell scripts which may interest you, but they’re rather clunky and you might prefer some of the third-party ones, e.g. mine, if you change out the Linux-specific stuff for pfSense equivalents - or just use it to generate a WireGuard config on Linux or WSL or whatever and apply it to your pfSense thing the usual way.

What CPU on your pfSense? With AES-NI support & 128-GCM it should be fast enough.

I just set up my OpenVPN with a Synology NAS DS1621+ KVM-virtualized pfSense (I only give it 2 CPU cores); with AES-NI support my OpenVPN is basically running almost at line speed (when I tested, the direct connection gave ~260Mbps, with OpenVPN I got ~240Mbps, and CPU usage was still less than 50%).

Thanks for updating me :slight_smile:

I had been looking into this but was told that PIA flushed some sort of information at random, and that using such a script would work but that it would randomly break because of the way PIA handles these types of connections. I’m still a bit new to WireGuard technology but have been drawn by some of the speed claims I’ve seen.

I had been looking into this but was told that PIA flushed some sort of information at random, and that using such a script would work but that it would randomly break because of the way PIA handles these types of connections.

Yeah, they flush idle connections (i.e. no re-key events for a long time; wg re-keys every couple of minutes by default) after “several hours” (6-12 hours in my experience), and also reboot their servers every “few months” (haven’t got an empirical figure for you on this one), which flushes all keys since the setup is ephemeral.

If you can get the script running locally on your pfSense box, you could just re-run it every week with e.g. a cron job and you’d probably be fine.

have been drawn by some of the speed claims I’ve seen.

I’ve exceeded 750Mbits/s at my workplace a few times :wink:
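The failure mode discussed above (PIA dropping the ephemeral peer state while WireGuard itself would normally re-handshake every couple of minutes) can be watched for from the same cron job that re-runs the setup script. This is an added example, not code from the thread or from PIA's scripts; the interface name `wg0`, the 600-second threshold, the setup-script path and the sample `wg show` output are all assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not PIA's or the thread's code): a health check for a pfSense
# cron job. A peer whose last handshake is old, or that never handshaked
# (timestamp 0), is the symptom of PIA having flushed the tunnel, so the
# setup script is re-run only when that is seen rather than blindly weekly.

WG_IFACE=${WG_IFACE:-wg0}                      # assumed interface name
STALE_AFTER=${STALE_AFTER:-600}                # seconds; wg re-keys every ~2 min
PIA_SETUP=${PIA_SETUP:-/root/pia-wg-setup.sh}  # placeholder path to your setup script

# stale_peers OUTPUT NOW
#   OUTPUT is the text of `wg show IFACE latest-handshakes` (one "pubkey epoch"
#   line per peer, tab-separated in real output) and NOW is the current epoch
#   time. Prints the public keys of peers whose handshake is older than
#   STALE_AFTER or missing; returns 0 if at least one peer is stale, else 1.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$STALE_AFTER" '
        NF == 2 && ($2 == 0 || now - $2 > max) { print $1; n++ }
        END { if (n > 0) exit 0; exit 1 }'
}

# tunnel_check: run from cron. Returns 0 if a re-setup was triggered,
# 1 if the tunnel looks healthy, 2 if the interface could not be queried.
tunnel_check() {
    hs=$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null) || return 2
    if stale=$(stale_peers "$hs" "$(date +%s)"); then
        logger -t pia-wg "no recent handshake from: $stale; re-running $PIA_SETUP"
        "$PIA_SETUP"
        return 0
    fi
    return 1
}

# Constructed sample of `wg show wg0 latest-handshakes` at SAMPLE_NOW:
# peer A handshaked 100 s ago (fine), peer B 10000 s ago (stale), peer C never.
SAMPLE_NOW=1700000000
SAMPLE_OUTPUT='peerA_pubkey_constructed= 1699999900
peerB_pubkey_constructed= 1699990000
peerC_pubkey_constructed= 0'

# demo: exercise stale_peers on the constructed sample; needs no wg binary.
demo() { stale_peers "$SAMPLE_OUTPUT" "$SAMPLE_NOW"; }
```

A cron entry such as `*/10 * * * * /root/wg-health.sh` (path assumed) calling `tunnel_check` covers the idle-flush case between the weekly re-runs.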

It sounds like I need to experiment with the script and, like you said, just rekey manually on a weekly basis. That kind of speed would make a world of difference!

manually

Heh you must be new to this sort of thing, surely your thing has some sort of cron that can run scripts for you periodically?

Lol, no, I have 30 years of experience behind a Unix terminal; by manually rekey I mean set a cron job.

Ah to hop endpoints in case PIA is planning to bring the server down (in which case they should pull it from their remotes list hopefully a week or two beforehand)? Yeah I see, nevermind then :wink:

Thanks for pointing me in the right direction, I appreciate it

Good luck!

I’d be curious to see how much you need to hack things up to get it working on BSD rather than Linux - I figure it should be able to do all the same stuff, but the commands to achieve them are gonna be quite different!

Wouldn’t mind a pull as long as you can do it in a way that doesn’t affect functionality on Linux :wink:

If I manage to get things working I’ll report back for sure. Like you said some commands and syntax may be different but I should in theory be able to use the existing script as a template and work down through it.

Did you ever get this working?

No, sorry. I think I saw somewhere that PIA has an official guide for this now.