Netgate Discussion Forum

    Routing PIA VPN to select devices on LAN

    Category: OpenVPN. 42 Posts, 4 Posters, 84.3k Views
      mauroman33

      I'm sorry if my short answer may have caused confusion.
      Surely what is written by johnpoz is totally correct.
      Going back to my answer, I activated the DNS Resolver from Services->DNS Resolver->General Settings, then I added the two previous rules in Firewall->Rules->LAN, placing them immediately after the Anti-Lockout Rule.
      This way I prevented devices on my network from using a DNS different from the one set in pfSense, which in my case is the VPN provider's DNS, because in System->General Setup I did not set any DNS.

        cobrahead

        @mauroman33:

        I'm sorry if my short answer may have caused confusion.
        Surely what is written by johnpoz is totally correct.
        Going back to my answer, I activated the DNS Resolver from Services->DNS Resolver->General Settings, then I added the two previous rules in Firewall->Rules->LAN, placing them immediately after the Anti-Lockout Rule.
        This way I prevented devices on my network from using a DNS different from the one set in pfSense, which in my case is the VPN provider's DNS, because in System->General Setup I did not set any DNS.

        Cool. Would you mind posting those DNS rules' 'edit' pages? Just want to make sure I am configuring them correctly. Thanks

        Attached are mine, something isn't set right… still getting DNS leak.

        [attached screenshots: firewall_rules.png, dns_pass rule.png, dns_block_rule.png, services_dns resolver_general settings.png]

        "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

          mauroman33

          You're welcome.
          Here it is.

          [attached screenshots: Allow DNS.png, Block DNS.png]

            cobrahead

            @mauroman33:

            You're welcome.
            Here it is.

            That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.


              mauroman33

              You will have the same result even using a single rule.

              Does it work for you?

              https://dnsleaktest.com/

              [attached screenshot: DNS.png]

                mauroman33

                @cobrahead:

                @mauroman33:

                You're welcome.
                Here it is.

                That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.

                I don't see anything strange.
                Here the other settings in my system.

                [attached screenshots: General_Setup.png, DHCP_Server.png]

                  cobrahead

                  @mauroman33:

                  You will have the same result even using a single rule.

                  Does it work for you?

                  https://dnsleaktest.com/

                  No. I tried changing the destination to 'Invert Match' and 'LAN Address' … same results on dnsleaktest... it comes up with my ISP.

                  After making these changes should I only use this rule and get rid of the DNS Allow rule?


                    cobrahead

                    @mauroman33:

                    Here the other settings in my system.

                    OK. So I went to Services -> DNS Resolver -> General Settings and changed the Outgoing Network Interface from ANY to OPENVPN and that was what I missed. DNSleak stopped… at least according to dnsleaktest.com

                    Thanks for your help!


                      mauroman33

                      @cobrahead:

                      @mauroman33:

                      You will have the same result even using a single rule.

                      Does it work for you?

                      https://dnsleaktest.com/

                      No. I tried changing the destination to 'Invert Match' and 'LAN Address' … same results on dnsleaktest... it comes up with my ISP.

                      After making these changes should I only use this rule and get rid of the DNS Allow rule?

                      Yes, it's up to you to choose whether you want to reach the same goal using the two previous rules or only the last one.

                        mauroman33
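As an added example (not code from the thread or from pfSense), a small first-match simulator showing why the two rules placed after the Anti-Lockout rule (pass DNS to LAN address, then block DNS to any) and the single "Invert Match" block rule give the same verdict for every packet; the LAN address 192.168.1.1, the LAN net 192.168.1.0/24 and the sample packets are assumed values. The Anti-Lockout rule only covers the GUI and SSH ports on the LAN address, so it does not touch port 53 and is left out.

```python
import ipaddress

# Assumed pfSense addressing (not from the thread): LAN address and LAN net.
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DNS_PORT = 53

def rule(action, dst_port=None, dst=None, invert=False):
    """One LAN-tab rule: source is always 'LAN net'; dst=None means 'any'."""
    return {"action": action, "dst_port": dst_port, "dst": dst, "invert": invert}

def matches(r, src, dst, dport):
    if src not in LAN_NET:          # every rule here has source 'LAN net'
        return False
    if r["dst_port"] is not None and dport != r["dst_port"]:
        return False
    if r["dst"] is not None:
        hit = dst == r["dst"]
        if hit == r["invert"]:      # 'Invert Match' flips the destination test
            return False
    return True

def evaluate(rules, src, dst, dport):
    """First match wins (pfSense GUI rules are 'quick'); unmatched LAN traffic
    falls through to the default 'LAN net -> any' allow rule."""
    for r in rules:
        if matches(r, src, dst, dport):
            return r["action"]
    return "pass"

# The two rules placed right after the Anti-Lockout rule in the thread ...
TWO_RULES = [rule("pass", DNS_PORT, LAN_ADDRESS), rule("block", DNS_PORT)]
# ... and the single-rule form: block port 53 to anything except LAN address.
ONE_RULE = [rule("block", DNS_PORT, LAN_ADDRESS, invert=True)]

# Constructed sample traffic: (source, destination, destination port).
SAMPLE = [
    ("192.168.1.50", "192.168.1.1", 53),   # client using the pfSense resolver
    ("192.168.1.50", "8.8.8.8", 53),       # client with a hand-set public DNS
    ("192.168.1.50", "8.8.8.8", 443),      # ordinary HTTPS (or DNS over HTTPS)
]

def decisions(rules):
    return [evaluate(rules, ipaddress.ip_address(s), ipaddress.ip_address(d), p)
            for s, d, p in SAMPLE]

def equivalent():
    """True when both rule sets give the same verdict for every sample packet."""
    return decisions(TWO_RULES) == decisions(ONE_RULE)
```

The third sample packet shows the limit of either form: a client that resolves names over HTTPS on port 443 is not caught by a port-53 rule, so a leak test is still worth running after the rules are in place.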

                        Fine.
                        Just a note: if you want to avoid using a DNS (e.g. the one of the ISP), these rules are just a precaution to prevent anyone from doing so by manually changing the DNS of the device connected to the LAN.
                        If you have set the DNS resolver, when you're connected to the VPN provider, the dnsleaktest should show the IP address of the VPN.

                          cobrahead

                          Got it. I have learned a lot over the last week.  :D

                          The only thing that is not working now is stopping and re-starting the OpenVPN service. Some change(s) I made today have caused a full reboot to be necessary in order to restart OpenVPN if it goes down.


                            mauroman33

                            You could try to install Service_Watchdog from System->Package Manager->Available Packages

                            Then in Services->Service Watchdog->Add you can select the OpenVPN client that you're using

                              cobrahead

                              @mauroman33:

                              You could try to install Service_Watchdog from System->Package Manager->Available Packages

                              Then in Services->Service Watchdog->Add you can select the OpenVPN client that you're using

                              I added it and set it up. No luck though. When I manually stop OpenVPN I cannot get it to restart, without rebooting pfSense.


                                mauroman33

                                After a failed attempt, did you try to check Status->System Logs->OpenVPN?

                                  cobrahead

                                  @mauroman33:

                                  After a failed attempt, did you try to check Status->System Logs->OpenVPN?

                                  This is what I get after I manually shut it down and try to re-start it.

                                  Aug 16 16:55:11 openvpn 29537 RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com: hostname nor servname provided, or not known


                                    mauroman33

                                    It seems there is a problem with DNS.
                                    Sometimes it happened in my system also, so I added the unbound service in Service Watchdog and the problem has not occurred any more.
                                    Actually right now there is only the unbound service in my Service Watchdog.

                                      cobrahead

                                      @mauroman33:

                                      It seems there is a problem with DNS.
                                      Sometimes it happened in my system also, so I added the unbound service in Service Watchdog and the problem has not occurred any more.
                                      Actually right now there is only the unbound service in my Service Watchdog.

                                      I added the unbound DNS resolver.

                                      After I reboot pfSense I get this in the DNS Resolver System Log:
                                      Aug 16 17:44:13 unbound 32313:0 notice: init module 0: validator
                                      Aug 16 17:44:13 unbound 32313:0 notice: init module 1: iterator
                                      Aug 16 17:44:13 unbound 32313:0 info: start of service (unbound 1.5.9).

                                      Then, after I take down OpenVPN and try to re-start I get this for a full page:
                                      Aug 16 17:49:54 unbound 28726:2 error: can't bind socket: Can't assign requested address for 10.133.1.6

                                      [attached screenshot: Watchdog.png]


                                        mauroman33

                                        I don't know what the problem is, it would take someone with more experience.
                                        Meanwhile you could try to add some DNS servers in System->General Setup and to check the DNS Resolver setting.
                                        I'll show you mine.
                                        Don't take care of the "Custom options" field content, because it's related to pfBlocker.

                                        [attached screenshots: General_Setup.png, DNS Resolver.png]

                                          cobrahead

                                          @mauroman33:

                                          I don't know what the problem is, it would take someone with more experience.
                                          Meanwhile you could try to add some DNS servers in System->General Setup and to check the DNS Resolver setting.
                                          I'll show you mine.
                                          Don't take care of the "Custom options" field content, because it's related to pfBlocker.

                                          That was it. I added 8.8.8.8 and 8.8.4.4 and it works. Look at my DNS Resolver settings, they appear to be a little different than yours, would you change anything?

                                          @johnpoz:

                                          Post up your rules and we can discuss, etc.

                                          @pf3000:

                                          Now that you have a working VPN connection, you can do this

                                          Thanks again! … to everyone that helped me get this setup!

                                          [attached screenshot: resolver settings.png]


                                            mauroman33

                                            Glad to help you! I don't think you need to change anything.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.