Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
OpenVPN/PIA link goes down; clients have no internet access. How do I fail over to the WAN if this happens? Configuration is DLSrouter->Pfsense giving dhcp (opvenvpn w/PIA)->clients Sometimes, believe it or not, PIA drops. What do I do to have pfsense or openvpn fail to the general Wan connection if this happens? Thanks!
-
That is the default behavior.
-
I set this all up today and had it working fine.
I'm using route-nopull because I actually only need 1 server to use the VPN.
I then got a message from pfSense to say that dyndns had updated, so must have had a dynamic IP change.
Then I realised that my true public IP was visible.
Restarted the VPN and still the same - although it appeared to be intermittent with some sites reporting my true IP and some reporting the VPN IP address.
I'm not sure what has happened so I've currently removed the route-nopull option and disabled the firewall rule which forces the server to use the PIA interface.
Any ideas?
-
Yeah your rules must be wrong. How about letting us see them?
-
It's disabled at the moment, but these are my firewall rules.
I would have preferred to keep it on everything but BBC iPlayer stopped working due to I presume the VPN address being blocked by them, and I couldn't figure a way to allow BBC iPlayer to bypass the VPN, since it seems to use multiple IP addresses I suspect.
-
Rule details :-
-
Doesn't show what we need to see. Just post your LAN rules list.
-
I did above it…
-
With the rule disabled it's not going to work.
-
Yes, I know. I disabled it because I removed the route-nopull since I needed the VPN to be working.
I'll try again with route-nopull and enable the rule again.
-
Ok, so I have the rule enabled. I have the route-nopull option.
privateinternetaccess shows my VPN address and says I am protected.
However, 2 other sites for showing IP addresses are showing my ISP public address, not the VPN one :-(
-
You sure your tunnel is staying up?
There's really nothing that can cause what you think you're seeing.
Unless there's something severely wrong with that beta version you're using.
-
I'm not sure. It seems to be staying up.
I realised that I also have a free ipVanish account, so I'll give things a whirl with that and see how I get on :-)
-
Which IP test sites are showing the VPN address and which are showing WAN address?
Is it consistent?
-
The ipvanish site shows that I am protected, and it is the correct VPN ip address.
The BBC iPlayer site refuses to work because it knows I am behind a VPN - which is expected behaviour.
However, www.whatsmyip.org shows my proper public IP address, and my ISP details.
Also, http://mxtoolbox.com/WhatIsMyIP/ shows my proper details, and not the VPN ip address.
Very odd.
I also deleted the config and reconfigured from scratch - same result.
If I remove the firewall rule and the route-nopull from the config, then I get consistent results that I behind the VPN.
Strange!
-
Don't know what to tell you.
I just ran updates to my betas and tried it and it works just fine.
You'll have to look at states or something to see what's going on. SOMETHING you have is routing traffic out the default gateway. Have you created any floating rules?
Are you positive about the source IP address?
-
Unless of course it is going out using IPV6, but it shouldn't be - I have IPV4 as preferred.
I don't know if it makes any difference that the 192.168.1.15 server that I want protected with the VPN a) it's a VM and b) it has teamed NICs
-
If it was going out IPv6 I think both of those sites would be showing you an IPv6 address.
-
I've never messed around with windows NIC teaming. If it utilizes multiple IP addresses there's your problem. Put them all in an alias and use that as your source address list. A packet capture on LAN will show you what's happening.
-
They are just teamed into one IP address.
It's very odd..
I've just gone back to having everything protected as that works fine.
Any idea how I can add a rule to get BBC iPlayer to bypass the VPN?