With all of the talk of net neutrality and the advent of home AI, I started to become a bit concerned about the whole “Big Brother” aspect of using the Internet. Please don’t mistake me as an alarmist or delusional, I’m just concerned that my privacy is not so private anymore. I really do not appreciate targeted advertising nor do I want to enable companies like Google, Microsoft and Amazon to track my families Internet usage. It’s just plain creepy. I needed private internet access at home with streaming services because I want to browse privately, but some services won’t allow the use of a VPN.
That’s why I decided to start using Private Internet Access as a VPN service for my home internet. There are many companies that offer this service, I chose this one for price and ease of use. I also like that they are US based and do not log your usage. I feel that my browsing is, for the most part, anonymous. I’ll explain the anonymity later in this article.
Private Internet Access is based on OpenVPN. To use OpenVPN you need a software client for your PC (Available for Windows, MAC and Linux) or a firewall/router that supports this protocol. Because I wanted to secure my entire home, I chose to find a firewall/router. Since most commercial products do not have support built in, I needed to cook up my own.
My base system is a fan less (quiet) Mini PC with 4 Ethernet ports that costs a little more than your typical home router. But we’re not building your typical home router here, are we? It’s not as expensive as Sonicwall and Cisco routers that don’t even support OpenVPN. An believe it or not, we are actually deploying these to our customers at work to replace the Cisco, Sonicwall and other units because of the outstanding features gained by using pfSense on this hardware at a fraction of the cost of the big boys.
To get started I had to download the latest version of pfsense and install it on to the new Mini PC. Installation is pretty straight forward, so I’ll dispense with the details. Besides since I did this project, the system I linked to now comes with pfSense pre-installed. I then connected this system to my home network, between my cable modem and my switch.
I had to put my cable modem into bridge mode to ensure that the new firewall would get an outside IP address. I’ll not get into specifics regarding this , since ever modem is different and you may need to get your ISP to do this for you, or replace your ISP’s modem if they won’t.
Now we need to configure the firewall to work on the local network and provide basic Internet Access. To do this we need to first assign our LAN and WAN interfaces:
- Logon to your pfSense installation using the IP address you assigned during installation
- Your LAN interface should already be assigned with an address during the installation process, if not make sure you assign it a static address.
- Choose the interface that is connected to your ISP and verify that the interface is enabled, the IP4 configuration type is set to DHCP and that you are blocking private, loopback and bogon networks.
At this point we should be able to use the Internet through any computer on the network.
Now we need to get our VPN running. To do this you need an account with a VPN provider. I highly recommend Private Internet Access (PIA), and this article is based on the assumption that this is the provider we are using. Once you have an account, we need to add that account information to our OpenVPN configuration in the firewall. PIA has provided this guide to help you accomplish this task.
Great! Now your internet access is secured by a VPN and you should be able to browse freely. The verify that this is the case got to this address: https://www.privateinternetaccess.com/pages/whats-my-ip/
Now the Caveat. Dang it! there is always a catch! Services like Netflix and Hulu will not allow you to use their services through a VPN. I won’t go into a long discussion on this, suffice it to say that they have contracts with studios that dictate that they must not allow viewers from certain areas, therefore a VPN could violate those agreements. So how do we get around this? We don’t really, we have to intercept that traffic and route it through our ISP instead of using the VPN. This takes a little work in the firewall rules, with a little patience and persistence you can make it work:
- Under Firewall > Aliases, we need to configure Aliases for these service providers so we can use them in rules. For our example we are going to use NEtflix, Hulu and Amazon AWS. Amazon is important, because Netflix an Hulu both use AWS for certain functions and content delivery.
- You can get the IP addresses your need to populate these lists by clicking these links:
- You will notice that I created another alias named “Netflix_AWS_HULU_Combo” which is simply a combination for the three we created. This allows me to edit the individual lists, but use one alias for my rules. It really simplifies the process of adding or changing IP’s if these services make any changes that affect me.
- Now we have to create the rules that will allow us to use these services. This is done under Firewall > Rules
- When creating this rule, we need to go to the advanced settings and set the Gateway to use our ISP instead of the VPN:
- First we open the Advanced Options
- Then we select the proper gateway for this rule:
- First we open the Advanced Options
You should now have your Internet protected, with the exception of AWS, Hulu and Netflix. At least your browsing is private…