PfSense for secure browsing from public WiFi?
-
Using OpenVPN via a public hotspot may not be as secure as one might expect if DNS is used to resolve host names. Extra care must be taken to ensure that the local DNS is not used.
Local vs VPN DNS Name Resolution
https://forum.pfsense.org/index.php?topic=77421.msg422027#msg422027
https://forum.pfsense.org/index.php?topic=77421.msg422311#msg422311
OpenVPN Forum Thread:
https://forums.openvpn.net/viewtopic.php?t=15939
-
Using OpenVPN via a public hotspot may not be as secure as one might expect if DNS is used to resolve host names.
From Windows 8 and up, Microsoft introduced parallel DNS aka Smart Multi-Homed Name Resolution.
To prevent this from happening, one puts
block-outside-dns
register-dns
in the client config.
The client log will then show
us=537679 Blocking outside DNS
us=537679 Opening WFP engine
us=537679 Adding WFP sublayer
us=547679 Blocking DNS using WFP
us=547679 Tap Luid: 1688849893818368
us=547679 Filter (Block IPv4 DNS) added with ID=88910
us=547679 Filter (Block IPv6 DNS) added with ID=88911
us=547679 Filter (Permit IPv4 DNS queries from TAP) added with ID=88912
us=547679 Filter (Permit IPv6 DNS queries from TAP) added with ID=88913
and
C:\Windows\system32\net.exe start dnscache
C:\Windows\system32\ipconfig.exe /flushdns
C:\Windows\system32\ipconfig.exe /registerdns
End net commands...
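The log excerpt above is the only evidence a Windows client gives that block-outside-dns actually took effect: four WFP filters, two that block port 53 on every adapter and two that re-permit it only from the TAP adapter. The following script is an added example (not from the thread or from OpenVPN) that checks a client log for that complete filter set and checks a client config or pfSense push line for the two directives. The Windows log lines are the ones quoted above; the non-Windows log is constructed, since the exact wording a non-Windows client prints is not shown on this page.

```python
import re
from typing import Dict

# Sample client log, reproduced from the lines quoted in this thread
# (filter IDs and LUID are the poster's, not from a live host).
SAMPLE_LOG_WINDOWS = """\
us=537679 Blocking outside DNS
us=537679 Opening WFP engine
us=537679 Adding WFP sublayer
us=547679 Blocking DNS using WFP
us=547679 Tap Luid: 1688849893818368
us=547679 Filter (Block IPv4 DNS) added with ID=88910
us=547679 Filter (Block IPv6 DNS) added with ID=88911
us=547679 Filter (Permit IPv4 DNS queries from TAP) added with ID=88912
us=547679 Filter (Permit IPv6 DNS queries from TAP) added with ID=88913
"""

# Constructed log for a client that skipped the option; the exact wording
# OpenVPN prints on non-Windows builds is an assumption here.
SAMPLE_LOG_OTHER_OS = """\
us=327673 NOTE: --block-outside-dns is disabled since we are running on OS XXX
us=327673 NOTE: --register-dns is disabled since we are running on OS XXX
"""

# The four WFP filters a healthy block-outside-dns run installs: block port 53
# on every adapter, then re-permit it only from the TAP (tunnel) adapter.
EXPECTED_FILTERS = (
    "Block IPv4 DNS",
    "Block IPv6 DNS",
    "Permit IPv4 DNS queries from TAP",
    "Permit IPv6 DNS queries from TAP",
)

FILTER_RE = re.compile(r"Filter \((?P<name>[^)]+)\) added with ID=(?P<id>\d+)")
DISABLED_RE = re.compile(r"block-outside-dns.*(disabled|not supported)", re.IGNORECASE)


def parse_wfp_filters(log_text: str) -> Dict[str, int]:
    """Map each WFP filter name the client reported adding to its filter ID."""
    return {m.group("name"): int(m.group("id")) for m in FILTER_RE.finditer(log_text)}


def check_dns_block(log_text: str) -> dict:
    """Decide from the client log whether outside-DNS blocking is actually in force."""
    filters = parse_wfp_filters(log_text)
    missing = [name for name in EXPECTED_FILTERS if name not in filters]
    disabled = DISABLED_RE.search(log_text) is not None
    return {
        "announced": "Blocking outside DNS" in log_text,
        "disabled_on_platform": disabled,
        "filters": filters,
        "missing": missing,
        # Only a complete filter set on a platform that supports WFP counts.
        "effective": not disabled and not missing,
    }


def config_dns_directives(config_text: str) -> Dict[str, bool]:
    """Report whether a client config (or pfSense push lines) carries the two directives."""
    directives = set()
    for raw in config_text.splitlines():
        # OpenVPN treats both '#' and ';' as comment starters.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        # pfSense advanced options use the server-side form: push "block-outside-dns"
        pushed = re.match(r'push\s+"([^"]+)"', line)
        if pushed:
            line = pushed.group(1)
        directives.add(line.split()[0].lstrip("-"))
    return {
        "block_outside_dns": "block-outside-dns" in directives,
        "register_dns": "register-dns" in directives,
    }


if __name__ == "__main__":
    print(check_dns_block(SAMPLE_LOG_WINDOWS))
    print(check_dns_block(SAMPLE_LOG_OTHER_OS))
    print(config_dns_directives('push "block-outside-dns"\nregister-dns\n'))
```

Run it against a real client log file by reading the file into `check_dns_block`; a result with `"effective": False` and a non-empty `missing` list is the situation described later in this thread, where the directive is present but the WFP entries never appear in the log.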
-
Does that also block local name resolution? If so then that creates issues for using local services such as printers etc.
What I would like to see is a means to only resolve local names locally and everything else via the VPN DNS.
-
Try it, it works here.
-
Try it, it works here.
I will at some point. But not in a situation right now for doing that.
-
The "--register-dns" option appears to be what enabling the pfSense "Force DNS cache update" option does.
Force DNS cache update
Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.
--register-dns
Run net stop dnscache, net start dnscache, ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
Since both of these rely on Windows executables and features, do they cause any issues for non-Windows clients using the VPN?
Do any non-Windows clients have similar issues with DNS leakage to the non-VPN adapters?
-
Not sure, but I have a strong feeling the client will state something like this in the log:
us=327673 NOTE: --block-outside-dns is disabled since we are running on OS XXX
us=327673 NOTE: --register-dns is disabled since we are running on OS XXX
-
Do any non-Windows clients have similar issues with DNS leakage to the non-VPN adapters?
Not that I know of…
-
The "--block-outside-dns" option results in this.
Thu Apr 28 14:26:17 2016 TCP: connect to [AF_INET]192.168.2.42:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
-
That log message is/seems unrelated to block-outside-dns because it has been around for many years, from when block-outside-dns was non-existent ;)
Check your config.
-
It only happens with the block-outside-dns option.
The config is straightforward. Nothing exotic.
-
khorton,
As a direct answer to your #2 question: the term you are looking for is a "full-tunnel" VPN - all traffic goes through the tunnel. The opposite of this is a "split-VPN" or "split-scope VPN", where only data destined for the remote network goes over the VPN, all other data goes out the regular local internet.
Best security is done with a full-tunnel VPN. This means the remote user is subject to internet speeds at the host, filtering via the host, etc. Example: if a home user with a 100/20 connection connects to a full-tunnel VPN to corporate HQ, who has a 10/10 connection, then the remote user is subject to all filter rules as at HQ, and only has a 10/10 connection to the Internet.
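The full-tunnel versus split-tunnel distinction above decides where each packet, including each DNS query, leaves the client. The script below is an added example (not from this thread or from pfSense) that takes the push lines from an OpenVPN server config and answers, for a given destination, whether it goes through the tunnel or out the local hotspot, then rates DNS exposure from that. The two push sets and all addresses are constructed; the "low" rating for block-outside-dns assumes a Windows client, since, as noted earlier in the thread, the option relies on WFP.

```python
import ipaddress
import re
from typing import List

# Constructed server-side push sets; the addresses are illustrative.
FULL_TUNNEL_PUSH = '''\
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
'''

SPLIT_TUNNEL_PUSH = '''\
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 192.168.1.1"
'''


def parse_push(server_cfg: str) -> List[str]:
    """Extract the option strings from push "..." lines of an OpenVPN server config."""
    pushed = []
    for line in server_cfg.splitlines():
        m = re.match(r'\s*push\s+"([^"]+)"', line)
        if m:
            pushed.append(m.group(1))
    return pushed


def tunnel_mode(pushed: List[str]) -> str:
    """redirect-gateway moves the client's default route into the tunnel: full-tunnel."""
    return "full-tunnel" if any(p.startswith("redirect-gateway") for p in pushed) else "split-tunnel"


def tunnel_networks(pushed: List[str]) -> list:
    """Networks explicitly routed into the tunnel by pushed 'route <net> <mask>' options."""
    nets = []
    for p in pushed:
        parts = p.split()
        if parts[0] == "route" and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def path_for(dest: str, pushed: List[str]) -> str:
    """Return 'vpn' or 'local' for the interface traffic to dest leaves through."""
    if tunnel_mode(pushed) == "full-tunnel":
        return "vpn"
    addr = ipaddress.ip_address(dest)
    return "vpn" if any(addr in net for net in tunnel_networks(pushed)) else "local"


def pushed_dns(pushed: List[str]) -> List[str]:
    """Resolver addresses handed to the client via dhcp-option DNS."""
    return [p.split()[2] for p in pushed if p.startswith("dhcp-option DNS ")]


def dns_leak_risk(pushed: List[str]) -> str:
    """Rate DNS exposure ('low', 'medium', 'high') from the pushed options alone."""
    if "block-outside-dns" in pushed:
        return "low"     # WFP blocks port 53 on every adapter but the tunnel (Windows clients)
    servers = pushed_dns(pushed)
    if not servers:
        return "high"    # nothing pushed, so the hotspot's resolver stays in use
    if any(path_for(s, pushed) == "local" for s in servers):
        return "high"    # the pushed resolver itself is reached over the local network
    return "medium"      # resolver is in-tunnel, but parallel resolution may still hit local adapters


if __name__ == "__main__":
    for label, cfg in (("full", FULL_TUNNEL_PUSH), ("split", SPLIT_TUNNEL_PUSH)):
        pushed = parse_push(cfg)
        print(label, tunnel_mode(pushed), path_for("8.8.8.8", pushed), dns_leak_risk(pushed))
```

The "medium" outcome is the case the thread is about: the resolver is reachable only inside the tunnel, yet a Windows 8+ client doing parallel name resolution can still send the same query out the hotspot adapter unless block-outside-dns is pushed.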
-
Ah ha. The block-outside-dns option was added in 2.3.9. I've not updated from 2.3.8 yet.
-
Yup, that's right :)
-
Well, the latest version wasn't the solution. Still get the same error with version 2.3.10.
(although the message itself is apparently bogus due to use of incorrect error code library translation from what I've read.)
-
Yes, it's error 138; not only OpenVPN is "plagued" by it.
You use IP, domain or DDNS to connect?
Try IP… just a shot in the dark.
-
khorton,
As a direct answer to your #2 question: the term you are looking for is a "full-tunnel" VPN - all traffic goes through the tunnel. The opposite of this is a "split-VPN" or "split-scope VPN", where only data destined for the remote network goes over the VPN, all other data goes out the regular local internet.
Best security is done with a full-tunnel VPN. This means the remote user is subject to internet speeds at the host, filtering via the host, etc. Example: if a home user with a 100/20 connection connects to a full-tunnel VPN to corporate HQ, who has a 10/10 connection, then the remote user is subject to all filter rules as at HQ, and only has a 10/10 connection to the Internet.
Thank you very much for the terminology education. I'll look for info on full-tunnel VPN, and pfSense.
I was quite aware that I'd be getting 10/10 speed, at best. But, I'm prepared to live with that, all in the name of security when away from home.
-
Okay got it working. The "block-outside-dns" option either has to be in the client config file or push needs to be used in the pfSense advanced options: push "block-outside-dns".
I forgot about the push thing.
Don't see the blocking outside DNS and WFP log entries you show but it is blocking the local DNS. Which means no local names are resolved either. So not really very usable for me, unless there is still something not working correctly.
-
That mode listing in your APE is kind of pointless unless that is the only way to turn off its DHCP server? To use any wifi router as just an AP, all that is required is to turn off its DHCP server and connect it to your network with one of its LAN ports.
That mode switch is the only way that I know to turn off DHCP on the Airport Extreme. If you know a better way, I'd love to learn about it.
If you want to make it easier to manage then put its LAN IP on your network. Since you're not connecting anything to its WAN port, what it thinks it is doing between a WAN connection and its LAN ports is completely pointless…
You've lost me here. What do you mean by "put its lan IP on your network"? How would I accomplish that?
Personally, if you want wifi, get an AP.. If you want ports, get a switch.. Not real big on the everything-in-one-box sort of setup.. While sure any SOHO router can be used as an AP, they are not designed to be strategically placed/mounted for best wifi coverage.. And they also need a very close power plug.
Sure, if you want to reuse the hardware switch ports as a dumb switch.. sure.. But if what you're after is GOOD wifi, get an AP that is PoE and designed to be mounted to give you best coverage.
If I was starting from scratch today, I probably wouldn't buy the APE. But, I've got it, and I'm very happy with the WiFi coverage, so I'm not in a rush to spend a bunch of money on something "better".
-
Hey sorry Khorton, I kind of hijacked your thread here. Though the content is very relevant to the "secure browsing from public WiFi" topic.