Netgate Discussion Forum

OpenVPN killswitch

Category: OpenVPN
20 Posts 5 Posters 3.0k Views
    NasKar
    last edited by Feb 24, 2018, 3:41 PM

    I'm trying to create an OpenVPN killswitch and have read numerous threads on the subject. The one that I would like to enact is https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226 by Derelict.
    I have created an OpenVPN client that is up and a gateway using the interface attached to the OpenVPN client. I created the LAN rule for the computer to use the OpenVPN client gateway and added the no_wan_egress tag in the advanced section. As soon as I create the floating rule (see below) my computer is not able to access the internet. Not sure what I'm doing wrong.
    [attached images: Killswitch-03.jpg, Killswitch-04.jpg]

    Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
    2 CPUs: 1 package(s) x 2 core(s)
    AES-NI CPU Crypto: No
    2 Gigs Ram
    SSD with ver 2.4.0
    IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

      Velcro
      last edited by Feb 25, 2018, 1:55 AM

      On the floating rule did you designate the traffic direction as "Out"?

      https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

        NasKar
        last edited by Feb 25, 2018, 5:45 AM

        @V3lcr0:

        On the floating rule did you designate the traffic direction as "Out"?

        https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

        Yes, traffic direction is out.

          NasKar
          last edited by Feb 28, 2018, 12:20 AM

          I've been playing with the settings and could use some clarification.
          I have 2 VPN clients, Client A and B, and a VPN server to dial into my network remotely. I have 2 rules on my LAN interface:
          Client A: source alias for computers on VPN A, Source Port any, Destination any, Destination port any, Gateway for VPN A.
          Client B: source alias for computers on VPN B, Source Port any, Destination any, Destination port any, Gateway for VPN B and Tag NO_WAN_EGRESS.
          The floating rule is quick check, WAN interface, direction out, address family IPv4, Protocol any, source any, destination any, Tag NO_WAN_EGRESS.

          When remotely on the VPN server I can't go to web sites unless I turn off the floating rule. I thought the floating rule would only affect VPNs with the tag NO_WAN_EGRESS?
          With the floating rule on, if I turn off VPN B, computers on VPN A (no tag) can't access the internet.

            Ryu945
            last edited by Mar 1, 2018, 1:32 AM

            On your router:

            1) Disable the LAN firewall rule that allows regular internet communication.
            2) Have your VPN rules set up.
            3) Below those rules, make a rule that stops all IPv4 and IPv6 traffic.

            When the VPNs fail, the stop rules take over.

              NasKar
              last edited by Mar 1, 2018, 2:37 AM

              Ryu945 
              Does that involve using a checkbox in System->Advanced->Miscellaneous:Skip rules when gateway is down?

                Ryu945
                last edited by Mar 1, 2018, 4:57 AM

                I never noticed that option before.  Even not touching that setting appears to work correctly.  When VPNs are down, there is no internet.

                  Derelict LAYER 8 Netgate
                  last edited by Mar 1, 2018, 9:01 AM

                  Client B source alias for computers on VPN B, Source Port any, Destination any, Destination port any, Gateway for VPN B and Tag NO_WAN_EGRESS

                  You set the tag there using the Tag: NO_WAN_EGRESS field on the rule.

                  The floating rule is quick check, WAN interface, direction out, address family IPv4, Protocol any, source any, destination any, Tag NO_WAN_EGRESS

                  You match the tag there using the Tagged: NO_WAN_EGRESS field on the rule.

                  Different rule settings: Tag and Tagged.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    NasKar
                    last edited by Mar 1, 2018, 11:03 PM

                    It seemed to work, but when I tried a 2nd time turning off VPN Client B, my computer still worked with the IP from VPN Client A, even though it's assigned to VPN Client B through an alias. I want to have VPN Client A work even if the VPN goes down and VPN Client B to not work at all when the VPN goes down.

                      Derelict LAYER 8 Netgate
                      last edited by Mar 1, 2018, 11:25 PM

                      So make it do that.

                      That reject floating rule will not match unless the NO_WAN_EGRESS tag is present in the traffic. If you don't want it blocked, don't set the tag on the rule that policy routes it out the VPN.

                        NasKar
                        last edited by Mar 1, 2018, 11:46 PM

                        @Derelict:

                        So make it do that.

                        That reject floating rule will not match unless the NO_WAN_EGRESS tag is present in the traffic. If you don't want it blocked, don't set the tag on the rule that policy routes it out the VPN.

                        That's how I have it set up per https://forum.pfsense.org/index.php?topic=144408.msg786896#msg786896
                        VPN Client A has no tag and VPN Client B has the NO_WAN_EGRESS tag.

                        I tried a 3rd time and it is working as it is supposed to. Not sure why it doesn't work all the time. Do I need to reset the state table after I make a change? I also notice on ipleak.net that sometimes my DNS is leaking, but not all the time; could that have something to do with the intermittent issue?

                          kpa
                          last edited by Mar 2, 2018, 12:18 PM

                          Every time you make major changes to your ruleset you're supposed to reset states to eliminate any dangling states that might allow traffic that you don't want to pass after the changes.

                            NasKar
                            last edited by Mar 2, 2018, 7:00 PM

                            Thanks to Derelict and kpa for your help. Everything seems to be working as expected.

                              Derelict LAYER 8 Netgate
                              last edited by Mar 2, 2018, 11:44 PM

                              I also notice on ipleak.net that sometimes my DNS is leaking but not all the time, could that have something to do with the intermittent issue?

                              That depends on how you configured the flow of your DNS.

                                NasKar
                                last edited by Mar 3, 2018, 12:54 AM

                                @Derelict:

                                I also notice on ipleak.net that sometimes my DNS is leaking but not all the time, could that have something to do with the intermittent issue?

                                That depends on how you configured the flow of your DNS.

                                Could you expand on what you mean by flow of DNS?

                                  Derelict LAYER 8 Netgate
                                  last edited by Mar 3, 2018, 12:59 AM

                                  What DNS servers are the clients configured to use?

                                  If it is a DNS server you run, what is its configuration?

                                    NasKar
                                    last edited by Mar 3, 2018, 1:35 AM

                                    @Derelict:

                                    What DNS servers are the clients configured to use?

                                    If a DNS server you run, what is its configuration?

                                    In VPN/OpenVPN/Clients/Edit I don't see an option for DNS servers. My System/General Setup is OpenDNS 208.67.222.222 and 208.67.220.220, and my DNS Resolver is set to All network interfaces and All outgoing network interfaces.

                                      Derelict LAYER 8 Netgate
                                      last edited by Mar 3, 2018, 4:41 AM

                                      Right, but what are the actual hosts that are asking for names to be resolved using as DNS servers?

                                      That would be either statically set on the client or in the DHCP server.

                                      It all matters and all has to be set correctly to get the results you are looking for.

                                        NasKar
                                        last edited by Mar 3, 2018, 3:55 PM

                                        @Derelict:

                                        Right but what are the actual hosts that are asking that names be resolved using as DNS servers?

                                        That would be either statically set on the client or in the DHCP server.

                                        It all matters and all has to be set correctly to get the results you are looking for.

                                        Did some research. Would this work?
                                        System/General Setup/DNS Servers blank, DNS Server Override checked
                                        Services/DNS Resolver/General Settings/Outgoing Network Interfaces: VPN B (the interface that I want my DNS to use with no leakage)
                                        Services/DHCP Server/LAN: add DNS to the static mappings that I want those static IPs to use (i.e. not the VPN DNS)

                                          Derelict LAYER 8 Netgate
                                          last edited by Mar 4, 2018, 2:13 AM

                                          I would:

                                          Set the VPN hosts I want to route only over the VPN to use free, outside name servers (Google, Quad9, Level3, etc.) using DHCP or static configuration or whatever.

                                          Policy route the DNS queries out the VPN with all the other internet traffic.

                                          And you're done.

                                          Everything you just described is fine until the VPN is down and all of your DNS breaks for everything.

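As an added illustration (not from the thread, not pfSense's generated ruleset), here is what the GUI settings Derelict corrects above (Tag vs. Tagged) and his DNS advice in the last post come down to as pf rules. Interface names, gateway addresses and host tables are hypothetical; the mistaken floating rule is left commented out beside the corrected one.

```pf
# Hypothetical names: em0/em1 for LAN/WAN, ovpnc1/ovpnc2 for the two OpenVPN
# clients, 10.8.0.1/10.9.0.1 as their gateways, 192.168.1.x as LAN hosts.
lan = "em0"
wan = "em1"
table <vpn_a_hosts> { 192.168.1.10 }   # allowed to fall back to WAN when VPN A is down
table <vpn_b_hosts> { 192.168.1.20 }   # must never egress via the WAN

# LAN rules: policy-route each group out its own OpenVPN client.
# VPN A: no tag, so the floating reject below can never match this traffic.
pass in quick on $lan inet from <vpn_a_hosts> to any \
    route-to ( ovpnc1 10.8.0.1 ) keep state

# VPN B: the "Tag" field on the pfSense LAN rule becomes "tag" here. The tag
# sticks to the flow, so it is still present when the VPN B gateway is down and
# the packets would otherwise leave by the default route, i.e. the WAN.
# DNS queries from these hosts to outside resolvers (Derelict's DNS advice)
# match this same rule, so they ride the VPN too and cannot leak via the WAN.
pass in quick on $lan inet from <vpn_b_hosts> to any \
    route-to ( ovpnc2 10.9.0.1 ) tag NO_WAN_EGRESS keep state

# Floating rule as first configured in the thread ("Tag: NO_WAN_EGRESS").
# "tag" only SETS a mark; with source any / destination any and no "tagged"
# filter, this rule matches every outbound WAN packet, which is why the VPN
# server users and the VPN A hosts lost internet access.
# block return out quick on $wan inet from any to any tag NO_WAN_EGRESS

# Floating rule as Derelict corrected it ("Tagged: NO_WAN_EGRESS").
# "tagged" MATCHES the mark, so only flows marked by the VPN B rule are
# rejected when they try to leave via the WAN; everything else is untouched.
block return out quick on $wan inet from any to any tagged NO_WAN_EGRESS
```

As kpa notes above, after changing these rules the existing states should be reset, otherwise a flow that was established before the tagged reject existed keeps passing.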
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.