DNS Routing issue - pfblockerNG and OpenVPN Client
-
Earlier this year having decided to route all external traffic from my home network via a permanent router based OpenVPN client to an external VPN provider I switched to using pfsense.
I am based in the UK and have an external VDSL FTTC WAN residential connection using a Draytek 130 modem. Whilst reasonably technically proficient, this is a big step up from the average consumer gateway product and I am acutely conscious of my ignorance!
My pfsense box also operates as the DHCP server for my single subnet.
When connecting to my OpenVPN provider I am allocated a dynamic internal IP address on their network and my Status/System Logs/Open/VPN log shows the internal DNS server address to be used (typically x.x.x.1 on the same subnet as my dynamically allocated internal VPN IP address).
In configuring my OpenVPN client setup (and following the providers instructions) I added this internal DNS server IP to the DNS server field 1 in Services/DHCP/Servers
Under System/General Setup/DNS Server Settings (again following provider instructions) I added the standard Google DNS servers
8.8.8.8 WAN_PPPOE WAN
8.8.4.4 WAN_PPPOE WANTesting from client subnet devices showed no DNS leaks (although my pfsense box is able to use the standard Google DNS servers from within Diagnostics/DNS Lookup)
This setup has operated reliably for the last 6 months.
Latterly (fed up of battling constant adverts) I have installed a pfsense package pfblockerNG and this is where all the fun commenced (and is the reason for my visit to these forums).
What I am attempting to achieve is the following
1. Continue to route all external network traffic via the VPN connection
2. No DNS leaks outside of the VPN
3. Using the pfsense DNS Resolver service to utilise the blocking functionality provided by pfblockerNG for all local DNS queries and forward upstream queries to my VPN providers DNS.
Currently I have a working solution, albeit DNS resolution is relatively slow (up to 3 seconds) achieved by:
A. Selecting only Open VPN Interface within Services/DNS Resolver/General Settings/Outgoing Network Interfaces
B. Enabling Services/DNS Resolver/General Settings/DNS Query Forwarding
C. Removing external VPN DNS server details from Services/DHCP Server/Servers
D. Adding external VPN DNS server details with relevant VPN interface gateway selected to System/ General Setup/DNS Server Settings
However on testing there are external DNS leaks. This puzzled me as I thought that in specifying only OpenVPN interface, as in step (A) above, this would prevent any forwarded queries from DNS Resolver routing outside of the VPN interface gateway.
To negate the leak I have had to remove the Google DNS entries from System/ General Setup/DNS Server Settings leaving the VPN server as the sole external DNS provider.
Obviously in doing this I will have an immediate problem if the VPN drops as external DNS resolution will fail and a reconnect will be problematical (chicken and egg!).
To try and negate this scenario (and as my VPN provider allows multiple connections) I have configured a second always on VPN interface to an alternative gateway in another country and added the associated VPN internal DNS to the System General DNS Settings field.
DNS Leak testing shows that no further DNS leaks with only the two VPN providers DNS being used.
Whilst working, this is undoubtedly a “botched” solution and in my ignorance I wonder if anyone could assist with a more elegant solution (or point out my “newbie” configuration mistakes).
I have summarised below the various current settings which I believe may be relevant to my query.
Pfsense 2.4.2 (running on a Quad core Intel Celeron CPU N3160 @ 1.60GHz with 8GB RAM)
Services/DNS Resolver
Network Interfaces → All
Outgoing Network Interfaces → vpn1 & vpn2DNSSEC support Enabled (ticked)
Forwarding Mode Enabled (ticked)
DHCP Registration Disabled (unticked)System/ General Setup
DNS Server Settings
Internal IP Address of vpn1 Gateway for vpn1 Interface selected
Internal IP Address of vpn2 Gateway for vpn2 Interface selectedDNS Server Override DHCP/PPP Disabled (unticked)
Disable DNS Forwarder Enabled (ticked)Services/DHCP Server
Enable DHCP server on LAN enabled (ticked)
Servers all blank (WINS & DNS)Other Options
Gateway -
Farrina welcome to the forum…I'll take a shot at helping you out. I went thru this about a year ago...look thru my posts and you can see my journey! A couple of caveats. I too struggled with DNS, pfBlocker(especially DNSBL which is very cool once you get it right), rules and overall tightening up my privacy(including a network VPN). I will likely use the wrong terms but defer to the forum to correct me.
Starting questions:
- What are your rules...do you have the default any/any rules in place? Here is a link with my rules: https://forum.pfsense.org/index.php?topic=140790.msg769094#msg769094 try to understand the logic vs just copying them...it will help you understand pfSense and the DNS resolver(also called "Unbound") better. The forum helped me set them up.
- What have you setup with pfBlocker? DNSBL? You need to make sure your resolver is set the way you want.
- Do you have multiple VLANs setup? Multiple interface? Devices that don't work with a VPN?
- Did your VPN provider instruct you to setup a VPN interface with NAT outgoing rules(or just the client)?
I chose to use the pfSense resolver for all devices my VPN devices vs OpenDNS, VPN providers, google or my ISP for DNS resolver...mainly for trust and privacy. However there is a good argument for other external resolvers(Forwarding) and some of my devices do use OpenDNS.
To do this I have set up my pfSense settings as follows:
Services -> DNS Resolver -> General settings
-Network Interfaces - I have only my internal interfaces selected (i.e. LAN and VLANs in my case)...you also need to select "Localhost"
-Outgoing Network Interfaces - I only have my VPN interface selectedSystem -> General Setup
- DNS Server Override and Disable DNS Forwarder are NOT checked
- No DNS Servers are selected
Services -> DHCP Server -> LAN
- No DNS Servers assigned
With this combination pfSense(Unbound) does all my resolving(i.e. does not forward to a 3rd party to do the resolving)...the gurus can explain this better then me, here is a good post: https://forum.pfsense.org/index.php?topic=136401.0
Do you trust Google, your ISP, your VPN or pfSense(Unbound) to do your resolving? For me it was a no brainer...
Other adjustments I made to keep my DNS and traffic going thru VPN include, based on my rules, include:
VPN -> OpenVPN ->Clients -> "Don't add/remove routes" is checked
Go to this link and undertsand "NO_WAN_EGRESS": https://forum.pfsense.org/index.php?topic=140790.msg769094#msg769094Additional advice: Before you do anything go to Diagnostic -> Backup & Restore and make a backup so you can undo and go back if you screw it up or it doesn't work for you.
Good luck!
-
Thank you very much for taking the time to respond to my plea for help and providing the various links.
if I understand it correctly (albeit it at a very basic level!), by operating Unbound in resolver mode, this would result in it (ie my pfsense box) querying DNS root and authoritative servers directly for secure name resolution.
I believe I am presently forwarding DNS queries via Unbound to my VPN providers DNS servers who then undertake the resolution for me. Whilst I am happy that they are not logging my actual queries (unlike my ISP!) unless their DNS servers are operating in DNSSEC mode I presume they (and I) are vulnerable to DNS cache poisoning. So for maximum security, DNSSEC would appear to be the way to proceed.
Turning to some of your specific “starting” questions.
My LAN is presently just a single subnet for all my devices.
I have configured pfblockerNG with a number of DNSBL feeds to block both malicious/advert servers, along with specific “bad” IP addresses. In configuring I found this guide quite helpful
https://forum.it-monkey.net/index.php?topic=22.0
Whilst it is only early days. it appears to be operating well and I am already seeing a lot of entries in the Alert/Log files. Most of these appear to be generated when using my iOS devices (I use NoScript on my desktop computers so that might explain the dearth of alerts from this source). To be honest I am quite shocked at the volume of outbound connections to usage monitoring sites etc. from the various applications installed on my Apple devices.
My VPN provider did instruct me to setup a VPN interface with NAT outgoing (this has been done under the Manual Outbound NAT rule generation mode.
In case it is of any interest. the VPN setup guide can be viewed here https://www.ivpn.net/setup/router-pfsense.html
In Manual Outbound NAT rule generation mode I have two rules for the VPN interface and two for the WAN thus
Interface VPN
Source <single internal="" subnet="">Source Port Any
Destination Any
NAT Address VPN addresses
NAT Port Any
Static Port Randomised sourceThere is also a rule described as “auto created rule for ISAKMP LAN to VPN” configured thus
Interface VPN
Source <single internal="" subnet="">Source Port Any
Destination 500
NAT Address VPN addresses
NAT Port Any
Static Port YesThe WAN rules are similar to the above but with the exception the interface is WAN, source is 127.0.0.0/8 and NAT address is the WAN interface.
To be frank, presently the above is somewhat “over my head” – I presume it is allowing traffic on the LAN to exit via the VPN and WAN interfaces respectively on a NAT basis.
I have attempted to switch Unbound into resolver mode by making the changes suggested ie
Services -> DNS Resolver -> General settings
-Network Interfaces - I have only my internal interfaces selected (i.e. LAN and VLANs in my case)…you also need to select "Localhost"
-Outgoing Network Interfaces - I only have my VPN interface selectedSystem -> General Setup
- DNS Server Override and Disable DNS Forwarder are NOT checked
- No DNS Servers are selected
Services -> DHCP Server -> LAN
- No DNS Servers assigned
Whilst following these changes, DNS resolution is occurring, I have run into two issues.
The first one is that responses to external DNS queries appear to be returned lame (ie Non-authoritative) suggesting DNSSEC is not working – see below from a network client.
casper@ghost ~ $ nslookup
kodi
Server: 127.0.1.1
Address: 127.0.1.1#53Name: kodi.Wobble
Address: 192.168.123.122hsbc.co.uk
Server: 127.0.1.1
Address: 127.0.1.1#53Non-authoritative answer:
Name: hsbc.co.uk
Address: 193.108.75.106
Name: hsbc.co.uk
Address: 91.214.6.117Secondly, as soon as my VPN drops, it is unable to reconnect as it cannot resolve the external IP address of its gateway. Presently the only solution to this is to temporarily add Google 8.8.8.8 back in (System General Setting DNS servers) and then remove once the VPN is back up.
Presently I am feeling somewhat overwhelmed and very much like the new kid on his first day of school. I obviously need to undertake some further reading, reflection and tickering.
Once again many thanks for your interest and help.</single></single>
-
farrina good luck on your journey…
Here are a couple of tips that might ease the pain:
- Here is a German sight that I use to test DNSSEC: https://dnssec.vs.uni-due.de/ I found it also on this forum....I think it is legit. Remember the website you visit also needs to support DNSSEC(not all do)
- Make sure to use: Status->Filter Reload and Diagnostic->States->reset states tab....clicking these after changes to your firewall make sure the changes are implemented. A good old fashion reboot of your pfSense also works...I went nuts thinking my changes were not working until I discovered these.
- Get to know "aliases" Firewall->Aliases...this allows you to group clients (devices on your LAN) so you can pass some thru VPN and others thru WAN aka "Policy routing"
- You likely don't need your "ISAKMP" NAT rules and can delete those NAT Outbound rules...they are for another function that you likely don't need.
- Status->System Logs->Firewall...sound like you found this but check here when things don't work and try to interpret what is being blocked
Again make a backup prior to changes so you can make progress and not go backwards...
Good luck....
-
Hello
Thanks for the link to the German DNSSEC testing website. It confirms that Unbound on my pfsense box is operating in secure mode. Strangely when undertaking a dnslookup all my responses are still qualified as “non-authoritative”.
I have noted your various other tips (for which many thanks) and I shall bear these in mind.
Once again many thanks for your interest