NordVPN setup on pfsense - questions about basics
-
OK I have finally found the issue and how to fix it, but it's creating a major issue.
Under System > Routing, I changed the default IPv4 gateway to "NORDVPN" and now everything seems to be working as intended only on my VLANs that have to go through the VPN, but traffic on the other VLANs cannot reach the web.
Most errors seem to be based on DNS resolution. I have specified DNS servers on the DHCP server of these VLANs so they can get DNS resolution and bypass Unbound, and their FW rules are pretty much open and have "*" as gateway.
Do I need to do something special for the VLANs that do not have to go through the VPN?
-
-
Just to be clear:
System > Routing > Default Gateway=my ISP -> VLANs to be behind VPN are DNS leaky, VLAN to be excluded from VPN works normally.
System > Routing > Default Gateway=NordVPN -> VLANs to be behind VPN are working normally, VLAN to be excluded from VPN works normally.
That's why I switched the default gateway under System > Routing...
For the FW rules, the pass rules for the VLANs to be behind VPN have their gateway = NordVPN, and for the pass rules of the VLAN to be excluded from VPN, gateway = *.
Not sure what I'm / have been doing wrong..... It makes sense to me and should work. Traffic from VLANs to be behind VPN is matching a pass rule with gateway = NordVPN, traffic is passed to a matching NAT rule which forwards traffic to NordVPN.
Why is it leaking in the first place? FYI my rules for the leaky VLANs are in one of my previous posts on this thread. Do you spot anything wrong?
EDIT: I forgot to mention: the DHCP server of the VLANs to be behind VPN has NO DNS servers specified. I relied on the tooltip saying that if no DNS servers are specified, the interface's IP will be used for DNS resolving:
Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.
-
@pftdm007 said in NordVPN setup on pfsense - questions about basics:
EDIT: I forgot to mention: the DHCP server of the VLANs to be behind VPN has NO DNS servers specified. I relied on the tooltip saying that if no DNS servers are specified, the interface's IP will be used for DNS resolving:
I would do it the other way around: don't use Unbound for the VPN VLANs, they should use external DNS, and use Unbound only for the non-VPN VLANs.
-
Hey there, I use DNSBL and pfBlocker on the VLANs behind VPN. The VLAN to be excluded from VPN is a DMZ, that's why I don't use Unbound on it and pass Cloudflare DNS servers directly to its clients.
But using Unbound, should it matter?
The way I see it: Client asks for DNS resolution from the VLAN interface > Unbound gets the query > Forwarding mode is enabled, so the request is passed to the DNS servers under System > General Setup which are Nord's DNS servers.
-
@pftdm007 Those servers can be awful. But it is all a matter of priorities. Because Unbound is centralized in pfSense, there is only one, you have to watch closely for DNS leakage. I myself prioritize the non-VPN traffic, DNS resolution etc. and don't use DNSBL on those VPN hosts, they just get 8.8.8.8 as their DNS and it is done.
-
I was wrong, I'm using OpenDNS, not Cloudflare..... but that's beside the point of this thread.
I take it that pfSense can't do what I want to do?
-
@pftdm007 said in NordVPN setup on pfsense - questions about basics:
I take it that pfSense can't do what I want to do?
This thread is long already, so what is it that you want to do?
-
It's simple: If pfSense's default gateway is set to "default", pfSense DNS LEAKS on the VLANs behind VPN. This is why I switched the default gateway to NordVPN (which you explicitly told me not to do). When the default gateway is switched to NORDVPN, DNS leakage stops.
From posts above:
Default Gateway=my ISP -> VLANs to be behind VPN are DNS leaky, VLAN to be excluded from VPN works normally.
Default Gateway=NordVPN -> VLANs to be behind VPN are working normally, VLAN to be excluded from VPN works normally.
What's the problem with switching the default gateway to NordVPN?
FYI (and for others), the issues before the post starting with
OK I have finally found the issue and how to fix it, but it's creating a major issue.
have been resolved for the most part. Now I am just trying to use the default gateway without pfSense leaking.... In other words, I'm trying to understand why following Nord's instructions is not working with VLANs.
-
@pftdm007 It has nothing to do with VLANs. I think in the Nord tutorial they are using only their DNS servers for everything. You can do this: make them the only ones under General Setup and enable Forwarding Mode in the resolver, no more leakage. But again, now you are using them for everything.
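As an added illustration (not part of any poster's reply and not pfSense code), the following Python model shows the mechanism behind the two gateway settings reported above: client queries that enter a VLAN interface are policy-routed by that VLAN's pass rule, but Unbound's upstream queries originate from pfSense itself, never traverse an interface pass rule, and so follow the system routing table, i.e. the default gateway. Interface and gateway names (VLAN10, VLAN20, VLAN99, NORDVPN, WAN_ISP) and all IP addresses are constructed for the example; the optional per-server gateway reflects the Gateway column in System > General Setup > DNS Server Settings, which the thread does not discuss.

```python
"""Toy model of pfSense policy routing versus firewall-originated DNS traffic.

Added example, not pfSense code. Interface names, gateway names and IP
addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PassRule:
    """A pass rule on a VLAN interface. gateway=None is the '*' choice,
    meaning "use the system routing table"."""
    interface: str
    gateway: Optional[str]


@dataclass
class Firewall:
    default_gateway: str                       # System > Routing default IPv4 gateway
    rules: List[PassRule]
    unbound_forwarding: bool                   # Resolver in forwarding mode
    forward_servers: Dict[str, Optional[str]]  # General Setup DNS server -> per-server gateway (None = default route)
    dhcp_dns: Dict[str, Optional[str]]         # VLAN -> DNS server handed out by DHCP (None = "use this interface")

    def egress_gateway(self, ingress_interface: Optional[str]) -> str:
        """Gateway a packet leaves on. Packets generated by pfSense itself
        (ingress_interface=None) never match an interface pass rule, so they
        follow the system routing table, i.e. the default gateway."""
        if ingress_interface is not None:
            for rule in self.rules:
                if rule.interface == ingress_interface and rule.gateway:
                    return rule.gateway
        return self.default_gateway

    def dns_egress(self, vlan: str) -> List[str]:
        """Gateway(s) a client DNS query from `vlan` finally leaves on."""
        handed_out = self.dhcp_dns.get(vlan)
        if handed_out is not None:
            # Client talks to an external resolver directly: the packet enters
            # on the VLAN and is policy-routed by that VLAN's pass rule.
            return [self.egress_gateway(vlan)]
        # Client talks to Unbound on the interface IP; Unbound then sends its
        # own queries from pfSense itself (no ingress interface).
        if not self.unbound_forwarding:
            return [self.egress_gateway(None)]  # full recursion, still firewall-originated
        return sorted({gw or self.egress_gateway(None) for gw in self.forward_servers.values()})


def leaks(fw: Firewall, vlan: str, vpn_gateway: str) -> bool:
    """True if any DNS query from `vlan` leaves over something other than the VPN."""
    return any(gw != vpn_gateway for gw in fw.dns_egress(vlan))


VPN_VLANS = ["VLAN10", "VLAN20"]   # constructed: VLANs meant to sit behind the VPN
DMZ = "VLAN99"                     # constructed: VLAN meant to bypass the VPN


def build(default_gateway: str,
          dhcp_dns_vpn: Optional[str] = None,
          server_gateway: Optional[str] = None) -> Firewall:
    """Assemble the thread's layout: VPN VLAN pass rules with gateway NORDVPN,
    DMZ pass rule with gateway '*', Unbound forwarding to two upstream servers."""
    rules = [PassRule(v, "NORDVPN") for v in VPN_VLANS] + [PassRule(DMZ, None)]
    return Firewall(
        default_gateway=default_gateway,
        rules=rules,
        unbound_forwarding=True,
        forward_servers={"203.0.113.53": server_gateway, "203.0.113.54": server_gateway},  # constructed
        dhcp_dns={**{v: dhcp_dns_vpn for v in VPN_VLANS}, DMZ: "198.51.100.1"},         # constructed
    )


if __name__ == "__main__":
    scenarios = {
        "default=ISP, VPN VLANs use Unbound":        build("WAN_ISP"),
        "default=NORDVPN, VPN VLANs use Unbound":    build("NORDVPN"),
        "default=ISP, VPN VLANs get external DNS":   build("WAN_ISP", dhcp_dns_vpn="203.0.113.53"),
        "default=ISP, per-server gateway=NORDVPN":   build("WAN_ISP", server_gateway="NORDVPN"),
    }
    for name, fw in scenarios.items():
        print(f"{name}:")
        print(f"  VLAN10 DNS leaves via {fw.dns_egress('VLAN10')}, leak={leaks(fw, 'VLAN10', 'NORDVPN')}")
        print(f"  DMZ web traffic leaves via {fw.egress_gateway(DMZ)}")
```

The first two scenarios reproduce the observations in the thread (leak with the ISP as default gateway, no leak once NORDVPN is the default), and the model also shows the side effect of that switch: the DMZ rule with gateway "*" now follows the default route into the VPN as well. The last two scenarios keep the ISP as default gateway and still avoid the leak, either by handing the VPN VLANs an external resolver so their queries are policy-routed like any other client traffic, or by pinning Unbound's upstream servers to the VPN gateway.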
-
Please look at my previous posts (I know this thread is getting long...)
FW mode is already enabled in Unbound, and Nord's DNS servers are already set in General Setup. This is leaking. The only thing I found to stop the "leakage" is to change the default gateway.
@pftdm007 said in NordVPN setup on pfsense - questions about basics:
The way I see it: Client asks for DNS resolution from the VLAN interface > Unbound gets the query > Forwarding mode is enabled, so the request is passed to the DNS servers under System > General Setup which are Nord's DNS servers.
-
@pftdm007 said in NordVPN setup on pfsense - questions about basics:
FW mode is already enabled in Unbound, and Nord's DNS servers are already set in General Setup. This is leaking.
Who says that it is leaking, a leak test site? I would be curious to know the exact results.
Also, you should create the alias I told you about and make more general rules with it instead of doing it on a per-port basis.