    PfSense for secure browsing from public WiFi?

    OpenVPN | 36 Posts, 7 Posters, 7.8k Views
    • Pippin

      Do any non-Windows clients have similar issues with DNS leakage to the non-VPN adapters?

      Not that I know of…..

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • NOYB

        The "--block-outside-dns" option results in this.

        Thu Apr 28 14:26:17 2016 TCP: connect to [AF_INET]192.168.2.42:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.

        • Pippin

          That log message is/seems unrelated to block-outside-dns, because it's been around for many years, from when block-outside-dns was non-existent ;)

          Check your config.

          • NOYB

            It only happens with the block-outside-dns option.

            The config is straight forward.  Nothing exotic.

            • moikerz

              khorton,
              As a direct answer to your #2 question: the term you are looking for is a "full-tunnel" VPN - all traffic goes through the tunnel. The opposite of this is a "split-VPN" or "split-scope VPN", where only data destined for the remote network goes over the VPN; all other data goes out the regular local internet.

              Best security is done with a full-tunnel VPN. This means the remote user is subject to internet speeds at the host, filtering via the host, etc. Example: if a home user with a 100/20 connection connects to a full-tunnel VPN to corporate HQ, who has a 10/10 connection, then the remote user is subject to all filter rules as at HQ, and only has a 10/10 connection to the Internet.

              • NOYB

                Ah ha.  The  block-outside-dns option was added in 2.3.9.  I've not updated from 2.3.8 yet.

                • Pippin

                  Yup, that's right  :)

                  • NOYB

                    Well, the latest version wasn't the solution.  Still get the same error with version 2.3.10.
                    (Although the message itself is apparently bogus, due to use of an incorrect error code library translation, from what I've read.)

                    • Pippin

                      Yes, it's error 138; not only OpenVPN is "plagued" by it.

                      Do you use IP, domain or DDNS to connect?
                      Try IP… just a shot in the dark.

                      • khorton

                        @moikerz:

                        khorton,
                        As a direct answer to your #2 question: the term you are looking for is a "full-tunnel" VPN - all traffic goes through the tunnel. The opposite of this is a "split-VPN" or "split-scope VPN", where only data destined for the remote network goes over the VPN; all other data goes out the regular local internet.

                        Best security is done with a full-tunnel VPN. This means the remote user is subject to internet speeds at the host, filtering via the host, etc. Example: if a home user with a 100/20 connection connects to a full-tunnel VPN to corporate HQ, who has a 10/10 connection, then the remote user is subject to all filter rules as at HQ, and only has a 10/10 connection to the Internet.

                        Thank you very much for the terminology education.  I'll look for info on full-tunnel VPN, and pfSense.

                        I was quite aware that I'd be getting 10/10 speed, at best.  But, I'm prepared to live with that, all in the name of security when away from home.

                        • NOYB

                          Okay, got it working.  The "block-outside-dns" option either has to be in the client config file, or push needs to be used in the pfSense advanced options: push "block-outside-dns".

                          I forgot about the push thing.

                          Don't see the blocking outside DNS and WFP log entries you show, but it is blocking the local DNS, which means no local names are resolved either.  So not really very usable for me, unless there is still something not working correctly.

                          • khorton

                            @johnpoz:

                            That mode listing in your APE is kind of pointless, unless that is the only way to turn off its DHCP server?  To use any wifi router as just an AP, all that is required is to turn off its DHCP server and connect it to your network with one of its LAN ports.

                            That mode switch is the only way that I know to turn off DHCP on the Airport Extreme.  If you know a better way, I'd love to learn about it.

                            @johnpoz:

                            If you want to make it easier to manage, then put its LAN IP on your network.  Since you're not connecting anything to its WAN port, what it thinks it's doing between a WAN connection and its LAN ports is completely pointless…

                            You've lost me here.  What do you mean by "put its lan IP on your network"?  How would I accomplish that?

                            @johnpoz:

                            Personally, if you want wifi, get an AP.  If you want ports, get a switch.  Not real big on the everything-in-one-box sort of setup.  While sure, any SOHO router can be used as an AP, they are not designed to be strategically placed/mounted for best wifi coverage.  And they also need a very close power plug.

                            Sure, if you want to reuse the hardware switch ports as a dumb switch, sure.  But if what you're after is GOOD wifi, get an AP that is PoE and designed to be mounted to give you the best coverage.

                            If I was starting from scratch today, I probably wouldn't buy the APE.  But, I've got it, and I'm very happy with the WiFi coverage, so I'm not in a rush to spend a bunch of money on something "better".

                            • NOYB

                              Hey, sorry khorton, I kind of hijacked your thread here.  Though the content is very relevant to the "secure browsing from public WiFi" topic.

                              • Pippin

                                @NOYB:

                                Don't see the blocking outside DNS and WFP log entries

                                Set

                                verb 4

                                in client config.

                                Yeah, uhum sorry too…

                                • moikerz
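The two posts above (NOYB: block-outside-dns must be in the client profile or pushed via push "block-outside-dns" in the pfSense advanced options; Pippin: set verb 4 to see the blocking log lines) describe a posture that can be checked mechanically from the configs. The script below is an added example, not OpenVPN or pfSense code: it parses an OpenVPN client profile and the server's push lines the way pfSense would render them, merges them, and reports whether the result is a full tunnel, whether block-outside-dns is in effect, whether a tunnel DNS server is pushed, and whether verb is high enough to show the blocking entries. The profiles and the hostname vpn.example.net are constructed for illustration.

```python
"""Assess the DNS-leak posture of an OpenVPN client from its configs.
Added example, not OpenVPN or pfSense code; profiles below are constructed."""
import shlex


def parse_options(text):
    """Parse OpenVPN config text into a list of (directive, args).
    Comments (# ;) are dropped, quoted arguments are honoured, and inline
    <ca>...</ca>-style blocks are skipped."""
    opts, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts.append((parts[0].lstrip("-"), parts[1:]))
    return opts


def pushed_options(server_opts):
    """Expand push "directive args" lines into the options a client will receive."""
    out = []
    for name, args in server_opts:
        if name == "push" and args:
            parts = shlex.split(args[0])
            out.append((parts[0].lstrip("-"), parts[1:]))
    return out


def assess(client_text, server_text):
    """Merge local and pushed options and return the leak-relevant findings."""
    effective = parse_options(client_text) + pushed_options(parse_options(server_text))
    names = {n for n, _ in effective}
    full_tunnel = "redirect-gateway" in names
    block_dns = "block-outside-dns" in names
    dns = [a[1] for n, a in effective if n == "dhcp-option" and len(a) >= 2 and a[0].upper() == "DNS"]
    verb = max((int(a[0]) for n, a in effective if n == "verb" and a), default=1)  # OpenVPN default is verb 1

    findings = []
    if not full_tunnel:
        findings.append("split tunnel: only pushed routes use the VPN, everything else goes out the local uplink")
    if full_tunnel and not dns:
        findings.append("full tunnel but no DNS pushed: the client keeps using the local (public WiFi) resolver")
    if not block_dns:
        findings.append("no block-outside-dns: a Windows client may still send DNS on the physical adapter")
    else:
        findings.append("block-outside-dns set: Windows only (2.3.9+); it also blocks LAN resolvers, so local names stop resolving")
        if verb < 4:
            findings.append("verb %d: raise to verb 4 to see the blocking/WFP log lines" % verb)
    return {"full_tunnel": full_tunnel, "block_outside_dns": block_dns, "dns": dns, "verb": verb, "findings": findings}


# Constructed client profile (server name is a placeholder, not from the thread).
CLIENT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194   # placeholder server name
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
(certificate omitted)
</ca>
"""

# Server side as pfSense renders the advanced-options box: split tunnel, nothing about DNS.
SERVER_SPLIT = 'push "route 192.168.1.0 255.255.255.0"\n'

# Server side with the thread's fix: full tunnel, tunnel DNS, and the push.
SERVER_FULL = (
    'push "redirect-gateway def1"\n'
    'push "dhcp-option DNS 10.8.0.1"\n'
    'push "block-outside-dns"\n'
)

if __name__ == "__main__":
    for label, srv in (("split", SERVER_SPLIT), ("full", SERVER_FULL)):
        print(label, assess(CLIENT_PROFILE, srv)["findings"])
```

Run it against a real exported profile and the pfSense "Custom options" text to see which of the three pieces (redirect-gateway, pushed DNS, block-outside-dns) is missing; the Windows-only caveat and the loss of LAN name resolution are exactly what NOYB observed above.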

                                  @khorton:

                                  That mode switch is the only way that I know to turn off DHCP on the Airport Extreme.  If you know a better way, I'd love to learn about it.

                                  You've lost me here.  What do you mean by "put its lan IP on your network"?  How would I accomplish that?

                                  Turn off the DHCP function (and any other functions you can turn off) on the APE.

                                  If you can, configure the APE's LAN port with a static IP in the same range as the rest of your network.

                                  Connect any of the APE's LAN ports to the switch.

                                  Example: pfSense at 192.168.0.1, pfSense connected to dumb switch, APE at 192.168.0.2, APE LAN connected to dumb switch. pfSense offers DHCP in range of 192.168.0.100-192.168.0.199. This way everything is connected to the switch, you do not use the APE's WAN port, and the APE is not offering DHCP/DNS in competition with pfSense.

                                  • Derelict (LAYER 8 Netgate)
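The plan in the post above has a handful of conditions that are easy to get wrong when reusing a SOHO router as a plain access point: one DHCP server on the segment, the AP on a static address inside the LAN subnet but outside the pfSense pool, and the AP uplinked through a LAN port rather than its WAN port. The function below is an added example, not pfSense or Apple code; it encodes those conditions with the standard ipaddress module and is fed the post's own addresses (192.168.0.1, 192.168.0.2, pool .100-.199).

```python
"""Check a 'SOHO router as dumb AP' addressing plan against the advice in the post.
Added example; the addresses are the ones the post uses."""
import ipaddress


def check_ap_plan(lan_cidr, gateway, ap_ip, pool_start, pool_end, ap_dhcp_enabled, ap_uplink_port):
    """Return a list of problems; an empty list means the plan matches the post's advice."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    gw, ap = ipaddress.ip_address(gateway), ipaddress.ip_address(ap_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append("gateway %s is outside %s" % (gw, net))
    if ap not in net:
        problems.append("AP address %s is outside %s: unreachable for management from the LAN" % (ap, net))
    if ap == gw:
        problems.append("AP and pfSense share %s: address conflict" % ap)
    if lo > hi or lo not in net or hi not in net:
        problems.append("DHCP pool %s-%s is not a valid range inside %s" % (lo, hi, net))
    if lo <= ap <= hi:
        problems.append("AP address %s sits inside the DHCP pool: a client can be leased the same address" % ap)
    if lo <= gw <= hi:
        problems.append("gateway %s sits inside the DHCP pool" % gw)
    if ap_dhcp_enabled:
        problems.append("AP still serves DHCP: two servers on one segment, clients may get the AP's gateway and DNS instead of pfSense")
    if ap_uplink_port.lower() == "wan":
        problems.append("AP uplinked on its WAN port: it will route/NAT wireless clients instead of bridging them onto the LAN")
    return problems


# The plan as described in the post.
POST_PLAN = dict(lan_cidr="192.168.0.0/24", gateway="192.168.0.1", ap_ip="192.168.0.2",
                 pool_start="192.168.0.100", pool_end="192.168.0.199",
                 ap_dhcp_enabled=False, ap_uplink_port="lan1")

if __name__ == "__main__":
    print(check_ap_plan(**POST_PLAN) or "plan OK")
    # Constructed bad variant: AP inside the pool, AP DHCP left on, uplinked via WAN.
    bad = dict(POST_PLAN, ap_ip="192.168.0.150", ap_dhcp_enabled=True, ap_uplink_port="wan")
    for p in check_ap_plan(**bad):
        print("-", p)
```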

                                    "Wireless Access Points" are bridges. They connect wireless networks to wired networks at layer 2. That's why Apple calls access point mode "Bridge Mode." In bridge mode the unit does not route traffic at all between interfaces. Everything is bridged. The regular wireless network is on the ethernet port untagged. The guest wireless network is tagged 1003. The AP even understands the concept of a default gateway on the regular (trusted) network so it can be easily administered remotely.

                                    If you were to make the AirPort's guest network be the guest network, you could create a pfSense interface that was completely discrete from your regular network. Completely different firewall rules, policies, DNS, etc. This would probably entail a managed switch or at least a dedicated pfSense interface. Managed switch would be better. You can get one for < $40.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      • khorton

                                      @Derelict:

                                      If you were to make the AirPort's guest network be the guest network, you could create a pfSense interface that was completely discrete from your regular network. Completely different firewall rules, policies, DNS, etc. This would probably entail a managed switch or at least a dedicated pfSense interface. Managed switch would be better. You can get one for < $40.

                                      How would the various boxes be physically connected with this setup?  Would it be:

                                      modem <-> pfSense <-> switch <-> APE

                                      I've pretty much decided that I will build a pfSense box, but it won't happen until June at the earliest.  I'll check back in then if I need any OpenVPN assistance.  I'll start a new thread in the HW section to help me decide what the best option is for the build.  Thanks for everyone's assistance.

                                        • johnpoz (LAYER 8 Global Moderator)

                                        Does the APE support VLANs? If so, then sure, you can do all kinds of fun stuff with multiple wifi SSIDs on different networks.  If it does not support VLANs and you're not using it as a router, then you could not leverage "its" guest network function.

                                        It really would behoove you to get a real AP that supports VLANs and a managed switch if you're wanting to have multiple wifi networks on different networks, etc.

                                        It does not matter which way you connect the stuff if you're just using the APE switch ports.  When used as an AP in the general setup, it's just got wifi bridged to its LAN network.  So be it the APE switch is connected to pfSense and then the switch is connected to another LAN port, or your switch is connected to pfSense and then the APE switch ports, it makes little difference.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          • khorton

                                          @johnpoz:

                                          Does the APE support VLANs? If so, then sure, you can do all kinds of fun stuff with multiple wifi SSIDs on different networks.  If it does not support VLANs and you're not using it as a router, then you could not leverage "its" guest network function.

                                          It really would behoove you to get a real AP that supports VLANs and a managed switch if you're wanting to have multiple wifi networks on different networks, etc.

                                          No VLANs on the APE, as it only has a very simple user interface (typical Apple product that tries to satisfy the needs of the vast majority of users in the simplest way possible).

                                          I have no need for multiple WiFi networks, and I'm happy with the WiFi performance, so I see no need to spend the money for a different wireless AP.  You can only spend each dollar once, and I'd rather put money in a pfSense box.

                                            • Derelict (LAYER 8 Netgate)

                                            There are, you just can't set them.  Like I said, the regular SSID is on the ethernet port (WAN/Internet in bridge mode) untagged.  The guest network is tagged 1003.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.