build your own passthrough device capable of PIA openVPN AES 256 SHA 256 RSA-4096

[BirdDad]

it turns out that one of the memory modules is bad. I will be pulling memory out of a spare laptop then reinstall pfSense and see if I can get it going again.

 

[BirdDad]

Still no luck, the guides are all from older versions of pfSense and a lot of the stuff got moved around or was removed-very confusing to me.

 

[JackMDS]

https://www.privateinternetaccess.c...-setup-for-pfsense-firewall-router-with-video

 

[BirdDad]

Thanks for replying JackMDS.
That is the same old page note on it - "Encryption algorithm" = "BF-CBC (128-bit)"
Everytime I try to change the encryption it refuses to connect even when I use the certificate found on this page: https://www.privateinternetaccess.com/forum/discussion/comment/38491/#Comment_38491
How do I set this up with pfSense? Doing the default works but it is not strong encryption-totally unacceptable.

 

[Essence_of_War]

Please correct me if I am wrong. My understanding of the password is this-it is used to login and be connected and is not used for the actual encryption. But if a password is like only 20 characters long it would be easy to crack and they would be able to login on my account and do stuff like download donkey shows or worse. So AirVPN is definitely out.

I don't know where you're getting the idea that 20 char passwords are intrinsically easy to crack.

https://blog.codinghorror.com/your-password-is-too-damn-short/

Perhaps you're a skeptic. That's great, me too. What happens when we try a longer random.org password on the massive cracking array?

09 char - 2 min
10 char - 2 hr
11 char - 6 days
12 char - 1 year
13 char - 64 years

The random.org generator is "only" uppercase, lowercase, and number.

20 character passwords are not easy to crack, even if their hashes are stored in disgustingly-fast-to-hash-md5, unless they're "bad" in some other way (all ones, an exact phrase that appears in a piece of literature...).

 

[mxnerd]

Intel password strength checker.

https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

I typed 12 chars randomly and it estimate it will take about 10145 years to crack.

 

[TheRyuu]

Intel password strength checker.

https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

I typed 12 chars randomly and it estimate it will take about 10145 years to crack.

You really can't trust stuff like that. It can depend highly on how the password was stored as well. Modern GPU's do insane amounts of SHA1/sec. If you're just randomly generating a password might as well make it something like 32 characters. You're likely to be saving it with a password manager anyway so it's not like length really matters.

I just rolled my own pw generator command line app in Windows for stuff like that. There are also bash scripts, etc. The idea here being you probably don't want to use a website to generate passwords for you, better to do that locally with your operating systems CSPRNG.

And since you're using a password manager (even the web browsers built-in one is fine for this) site specific passwords are super easy. Chrome even has a built-in random password generator if you're looking something easy to use.

Please correct me if I am wrong. My understanding of the password is this-it is used to login and be connected and is not used for the actual encryption. But if a password is like only 20 characters long it would be easy to crack and they would be able to login on my account and do stuff like download donkey shows or worse. So AirVPN is definitely out.

Keep in mind that PIA and probably most others are using TLS Auth for authentication. I believe this kind of authentication is specified in TLS and will already be using encryption. It will in all likelihood be using some kind of PFS (perfect forward secrecy) such as DHE or ECDHE. This is the control channel as described in the OpenVPN documentation.

An actual random 20 character password generated from a CSPRNG and using all printable ASCII characters seems pretty good. However I see no reason why there has to be any limit on the number of characters in the password and it seems like they just chose some arbitrary limit.

Thanks for replying JackMDS.
That is the same old page note on it - "Encryption algorithm" = "BF-CBC (128-bit)"
Everytime I try to change the encryption it refuses to connect even when I use the certificate found on this page: https://www.privateinternetaccess.com/forum/discussion/comment/38491/#Comment_38491
How do I set this up with pfSense? Doing the default works but it is not strong encryption-totally unacceptable.

Not that it really matters here but BF-CBC is a 64-bit block cipher using a 128-bit key. I'm just being pedantic here.

I posted this in the *nix thread about sort of the same thing, maybe it's also relevant here:

PIA now support AES256 over the default OpenVPN client now on certain ports[1]. Some quick googling found a guide for pfsense[2] as well, not sure if you've tried this route or not.

[1] https://www.privateinternetaccess.c...stock-openvpn-with-strong-encryption-settings
[2] https://www.privateinternetaccess.c...-setup-pfsense-with-strong-encryption-aes-256