@Hollander:
Could I ask: how do you see if there are DNS-leaks?
You could create a firewall rule to allow and log any outgoing traffic on port 53 for the WAN. You should see the only name resolutions will be for pfSense stuff and PIA servers. What's nice about the logging is it deconstructs the packet to determine what hostname was requested to be looked up. If you are interested in logging DNS but just in general check out the thread I started here:
How can I record and maybe monitor all DNS requests and replies?
If you stop DNS outgoing on the WAN there is a "which came first, the chicken or the egg" problem because then how does pfSense lookup the address for the PIA server you're connecting to, or pfSense to check the latest version of FreeBSD?
Also keep in mind about the DNS forwarder if you have that enabled you could leak in certain scenarios. For example I have a pfSense box behind a wireless router. So my router has address 192.168.1.1 and when it assigns an IP via DHCP it offers nameserver 192.168.1.1. So the pfSense WAN IP address is something like 192.168.1.2 for example with nameserver 192.168.1.1. Then the pfSense LAN has a DHCP server (192.168.10.1) that assigns an IP 192.168.10.2 and nameserver 192.168.10.1. When client 192.168.10.2 wants to resolve it sends its request to 192.168.10.1 which is the pfSense DNS forwarder. That then sends the request to 192.168.1.1 which is the wireless router DNS forwarder. I believe that would happen even if I was routing my traffic over OpenVPN because 192.168.1.x is a local route. The setup I have right now is I disabled the pfSense LAN DNS forwarder and the pfSense LAN DHCP instead offers google nameservers. The google nameservers are not a local route so they go over VPN.
@Hollander:
The military man here says that the order of the rules in NAT is important (VPN should be at the top of the list), whereas some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true ???
That I don't know about, you may have to start a separate thread to ask that question and get someone's attention. In my rules the OpenVPN PIA is first.
Also, unrelated, the biggest issue I've had so far with my setup has been OpenVPN continues to work even after it's terminated due to fatal error. So FYI, you may encounter that. It looks to be a bug.