Netgate Discussion Forum
Can't access internet with pfsense and proton vpn

General pfSense Questions
  • B
    backup2
    last edited by 30 days ago

    Hi, I cannot seem to get internet access after setting up proton VPN on pfsense.

    I have pfsense installed on a protectli vault. ISP is connected to WAN port on vault and router connected to LAN port on vault.

    I set up the openVPN client with my proton VPN credentials. Checking status, it shows the VPN is connected.

    At this point, before routing my traffic through VPN, I can still access internet. However, when I go to firewall>NAT and edit "auto created rule - LAN to WAN" and "Auto created rule for ISAKMP - LAN to WAN" by changing interface from WAN to OPENVPNC, I can no longer access the internet.

    Hopefully someone can help me figure out what's going on.

    • G
      Gertjan @backup2
      last edited by 29 days ago

      @backup2 said in Can't access internet with pfsense and proton vpn:

      At this point, before routing my traffic through VPN, I can still access internet. However, when I go to firewall>NAT and edit "auto created rule - LAN to WAN" and "Auto created rule for ISAKMP - LAN to WAN" by changing interface from WAN to OPENVPNC, I can no longer access the internet.

      That can be so, but at that moment, you're not done yet.

      I'm not using Proton, but I did find their official ( ? ) setup guide.
      Somewhere in step 5, you stopped after changing the mappings, and posted here.
      Or did you do these steps ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • S
        stephenw10 Netgate Administrator
        last edited by 29 days ago

        Yes if you change the NAT rule that's allowing connections on WAN to ovpn that will break connections on WAN. You would then need to start routing traffic via VPN where the NAT rule now applies.

        • B
          backup2 @stephenw10
          last edited by 29 days ago

          @stephenw10 @Gertjan thank you both. I should have clarified that yes I did complete all the steps in the guide. I went through entire process more than 5 times to make sure I hadn't made mistakes.

          I finally was able to get internet access but it only worked briefly. After a minute or two I became unable to access the pfsense GUI.

          So I decided to reflash pfsense on the protectli and the vpn seems to be working so far. Is it possible my pfsense got corrupted?

          Also - I downloaded and flashed 2.7.2, but the installed version is 2.7.0, yet it says I'm on the latest version, i.e. no option to update to 2.7.2. Is this a bug?

          • S
            stephenw10 Netgate Administrator
            last edited by 29 days ago

            You installed 2.7.2? But somehow shows 2.7.0?

            Seems like it either didn't install or you have more than one boot device and 2.7.0 is still installed on the other one.

            But you may need to run certctl rehash to see updates from 2.7.0.

            • B
              backup2 @stephenw10
              last edited by 29 days ago

              @stephenw10 I'm pretty positive I installed it off the thumb drive

              How/where do I run certctl rehash?

              • S
                stephenw10 Netgate Administrator
                last edited by 29 days ago

                At the command line. So on the console or via ssh or (if you have to) via Diag > Command Prompt in the webgui.

                But I would be checking it's actually booting from what you installed to because installing clean is a better solution.

                • B
                  backup2 @stephenw10
                  last edited by 27 days ago

                  @stephenw10 OK, I was able to do a clean install of 2.7.2.

                  I've run into a couple of other issues that hopefully you can help me with.

                  First, rebooting pfsense always leads to DNS leaks. When I set outgoing network interfaces to my OVPN interface in services > DNS resolver and save the setting, the DNS server is proton. But if I reboot pfsense and check the DNS server, it is my ISP. When I go back to services > DNS resolver, the outgoing network interface is still set at OVPN, and if I exit out and then recheck, proton is the DNS resolver. If I reboot again, the DNS server will go back to ISP, and so on.

                  Second, I have a 4 port protectli, but I cannot get the OPT1 or OPT2 ports to work. I have enabled both ports and have tried in firewall > rules to set the gateway to both WAN and OVPN, but neither gives internet access through either OPT1 or OPT2.

                  Any help on these issues would be great.

                  • G
                    Gertjan @backup2
                    last edited by 26 days ago

                    @backup2 said in Can't access internet with pfsense and proton vpn:

                    clean install of 2.7.2

                    The very first thing you should do is install this package:

                    login-to-view

                    Then you get a new menu entry below "System" : Patches.
                    Activate (apply) all the official Netgate patches.

                    • S
                      stephenw10 Netgate Administrator @backup2
                      last edited by 26 days ago

                      @backup2 said in Can't access internet with pfsense and proton vpn:

                      if I reboot pfsense and check the DNS server, it is my ISP

                      How do you have DNS configured? What do you have set in System General Setup? Specifically do you have 'DNS Server Override' set?

                      • B
                        backup2 @Gertjan
                        last edited by 26 days ago

                        @Gertjan said in Can't access internet with pfsense and proton vpn:

                        Activate (apply) all the official Netgate patches.

                        done

                        • B
                          backup2 @stephenw10
                          last edited by backup2 26 days ago

                          @stephenw10 said in Can't access internet with pfsense and proton vpn:

                          Specifically do you have 'DNS Server Override' set?

                          No. If I enable it, I lose internet access.

                          I've rebooted now 5 times to test. The first two times the DNS server was ISP. The last 3 times I've rebooted, it's proton.

                          Any idea what accounts for this inconsistent behavior?

                          Thanks

                          • S
                            stephenw10 Netgate Administrator
                            last edited by 25 days ago

                            How exactly are you testing that? When you say the DNS is the ISP, do you mean it actually shows the ISP's DNS servers or it shows your public WAN IP?

                            • B
                              backup2 @stephenw10
                              last edited by backup2 25 days ago

                              @stephenw10 I'm using dnsleaktest.com

                              After a pfsense reboot, I go to dnsleaktest.com. The page loads and says hello "X.X.X.X", which is a proton IP address.

                              I click on standard test and it says "your public IP: X.X.X.X", which is the same proton IP. Below that, under query round, it shows an IP address of my ISP, the name of my ISP, and my actual physical location, rather than the physical location of the proton server above.

                              If I go to services > DNS resolver, where OVPNC is already the selection for outgoing network interfaces, click save and apply changes, then check dnsleaktest.com again, under query it now shows the proton IP address and physical location of the proton server.

                              If I reboot pfsense again and then check dnsleaktest.com again, it will most likely show the IP address, name, and physical location of my ISP.

                              • G
                                Gertjan @backup2
                                last edited by 24 days ago

                                @backup2

                                I'll give you some homework.
                                Click here : Google : pfsense resolver should use openvpn client WAN connection as that, imho, is your question. So: ask, and read a couple of "Google" answers. Yeah, sorry, there are no "click here and done" solutions.

                                You'll find the rather old, but still very valid OpenVPN as a WAN on pfSense video from the pfSense authors. This video handles all your questions - and probably more.
                                There are more "OpenVPN" (server and client) videos available on the Netgate Youtube channel, I highly recommend them all.

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by 24 days ago

                                  Do you somehow have an outbound NAT rule for the protonvpn address via the WAN?

                                  You could add a block rule to prevent outbound DNS queries on WAN, though you shouldn't need it.

                                  Is the client you're testing from actually using pfSense for DNS? If it's hard coded to use something else or is using DoT or DoH then that could be routed via the WAN before the VPN comes up. Check the states when it's happening.

                                  1 Reply Last reply Reply Quote 0
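Added example, not part of the thread or of pfSense: one way to act on the suggestion above to check the states is to filter `pfctl -ss` output for DNS (port 53) and DNS-over-TLS (port 853) states that left on WAN rather than on the VPN interface. The interface names (`igb0` as WAN, `ovpnc1` as the OpenVPN client, `igb1` as LAN) and every sample state line are constructed assumptions; DoH on port 443 cannot be told apart by port and is not flagged.

```shell
#!/bin/sh
# Added example. Filters `pfctl -ss`-style state lines for DNS leaving on one
# interface. Interface names and all sample states below are constructed.

# dns_states_on IFACE: read state lines on stdin, print outbound states on
# IFACE whose destination port is 53 (DNS) or 853 (DNS over TLS).
dns_states_on() {
    awk -v ifc="$1" '
        $1 == ifc {
            for (i = 2; i < NF; i++) {
                if ($i != "->") continue            # only outbound states
                dst = $(i + 1)
                if (match(dst, /\[[0-9]+\]$/))      # IPv6 form: addr[port]
                    port = substr(dst, RSTART + 1, RLENGTH - 2)
                else {                              # IPv4 form: addr:port
                    n = split(dst, part, ":")
                    port = part[n]
                }
                if (port == "53" || port == "853") print
                break
            }
        }'
}

# Constructed states: two DNS flows on WAN, one HTTPS flow on WAN, one DNS
# flow inside the tunnel, and one LAN client query arriving at the firewall.
sample_states() {
    cat <<'EOF'
igb0 udp 203.0.113.20:51511 -> 198.51.100.53:53       MULTIPLE:SINGLE
igb0 tcp 203.0.113.20:40022 (192.168.1.50:40022) -> 192.0.2.9:853       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.20:33012 (192.168.1.50:33012) -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED
ovpnc1 udp 10.96.0.5:40112 -> 10.96.0.1:53       MULTIPLE:SINGLE
igb1 udp 192.168.1.1:53 <- 192.168.1.50:60000       SINGLE:MULTIPLE
EOF
}

# Constructed run. On the firewall itself: pfctl -ss | dns_states_on <WAN if>
echo "DNS states on igb0 (WAN in this sample):"
sample_states | dns_states_on igb0
```

Any line printed for the WAN interface is a resolver query that bypassed the tunnel; the parenthesised address, when present, is the pre-NAT source and identifies the LAN client that sent it.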
                                  • B
                                    backup2 @backup2
                                    last edited by 24 days ago

                                    @backup2 said in Can't access internet with pfsense and proton vpn:

                                    Second, I have a 4 port protectli, but I cannot get the OPT1 or OPT2 ports to work. I have enabled both ports and have tried in firewall > rules to set the gateway to both WAN and OVPN, but neither gives internet access through either OPT1 or OPT2.

                                    Any chance you can help with this issue also?

                                    thanks!

                                    • G
                                      Gertjan @backup2
                                      last edited by 23 days ago

                                      @backup2 said in Can't access internet with pfsense and proton vpn:

                                      I have enabled both ports and have tried in firewall > rules to set the gateway to both WAN and OVPN, but ...

                                      Look at your LAN interface.
                                      You have this :

                                      login-to-view

                                      ( disregard the IPv6 configuration for the moment )

                                      You saw the "IPv4 upstream gateway" (green) set to None ?!
                                      For other LAN type interfaces, like the OPT1, OPT2 etc, you set that setting to the same "None".

                                      • S
                                        stephenw10 Netgate Administrator @backup2
                                        last edited by 23 days ago

                                        @backup2 said in Can't access internet with pfsense and proton vpn:

                                        any chance you can help with this issue also?

                                        What firewall rules have you added there? There are none by default.

                                        Did you enable dhcp on the new interfaces? Are connected clients pulling an IP correctly?

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.