Netgate Discussion Forum
    OpenVPN killswitch

    20 Posts 5 Posters 3.0k Views

    NasKar

      @Derelict:

      So make it do that.

      That reject floating rule will not match unless the NO_WAN_EGRESS tag is present in the traffic. If you don't want it blocked, don't set the tag on the rule that policy routes it out the VPN.

      That's how I have it set up per https://forum.pfsense.org/index.php?topic=144408.msg786896#msg786896
      VPN Client A has no tag and VPN Client B has the NO_WAN_EGRESS tag.

      I tried a 3rd time and it is working as it is supposed to. Not sure why it doesn't work all the time. Do I need to reset the state table after I make a change? I also notice on ipleak.net that sometimes my DNS is leaking but not all the time; could that have something to do with the intermittent issue?

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)


      kpa

        Every time you do major changes to your ruleset you're supposed to reset states to eliminate any dangling states that might allow traffic that you don't want to pass after the changes.


          NasKar

          Thanks to Derelict and kpa for your help. Everything seems to be working as expected.


            Derelict (Netgate)

            I also notice on ipleak.net that sometimes my DNS is leaking but not all the time, could that have something to do with the intermittent issue?

            That depends on how you configured the flow of your DNS.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)


              NasKar

              @Derelict:

              I also notice on ipleak.net that sometimes my DNS is leaking but not all the time, could that have something to do with the intermittent issue?

              That depends on how you configured the flow of your DNS.

              Could you expand on what you mean by flow of DNS?


                Derelict (Netgate)

                What DNS servers are the clients configured to use?

                If it is a DNS server you run, what is its configuration?


                  NasKar

                  @Derelict:

                  What DNS servers are the clients configured to use?

                  If it is a DNS server you run, what is its configuration?

                  In VPN/OpenVPN/Clients/edit I don't see an option for DNS servers. My System/General Setup is OpenDNS 208.67.222.222 and 208.67.220.220, and my DNS Resolver is set to All network interfaces and All outgoing network interfaces.


                    Derelict (Netgate)

                    Right, but what are the actual hosts that are asking for names to be resolved using as DNS servers?

                    That would be either statically set on the client or in the DHCP server.

                    It all matters and all has to be set correctly to get the results you are looking for.


                      NasKar

                      @Derelict:

                      Right, but what are the actual hosts that are asking for names to be resolved using as DNS servers?

                      That would be either statically set on the client or in the DHCP server.

                      It all matters and all has to be set correctly to get the results you are looking for.

                      Did some research. Would this work?
                      System/General Setup/DNS Servers: blank, DNS Server Override checked
                      Services/DNS Resolver/General Settings/Outgoing Network Interfaces: VPN B (the interface that I want my DNS to use with no leakage)
                      Services/DHCP Server/LAN: add DNS to the static mappings that I want those static IPs to use (i.e. not the VPN DNS)


                        Derelict (Netgate)

                        I would:

                        Set the VPN hosts I want to route only over the VPN to use free, outside name servers (google, quad-9, level3, etc) using DHCP or Static or whatever.

                        Policy route the DNS queries out the VPN with all the other internet traffic.

                        And you're done.

                        Everything you just described is fine until the VPN is down and all of your DNS breaks for everything.

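Added check (example code written for this edit, not from the thread, from pfSense or from Netgate): kpa's advice above is to reset states after a rule change, and Derelict's is to trace where each host's DNS actually goes. The script below audits a `pfctl -ss` dump instead of blindly resetting, flagging states that a host covered by the NO_WAN_EGRESS tag still holds on the WAN interface, and DNS states that the firewall itself (not a NAT'd LAN host) opened on WAN, which is one plausible shape of the intermittent ipleak.net result when the Resolver may use all outgoing interfaces. The interface names em0 and ovpnc2, the 192.168.1.0/28 VPN-only range and the sample state lines are constructed assumptions.

```python
"""Audit a pf state table for kill-switch and DNS leaks.

Added example, not code from the forum thread or from pfSense. It parses
the output of `pfctl -ss` (FreeBSD/pfSense state-table format) and flags
states that left on the WAN interface from hosts that are meant to egress
only via the VPN, so those states can be killed after a rule change
instead of resetting the whole table. Interface names, the VPN-only host
range and the sample state lines below are constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

WAN_IF = "em0"                              # assumed WAN interface name
VPN_ONLY = [ip_network("192.168.1.0/28")]   # assumed hosts tagged NO_WAN_EGRESS

# One `pfctl -ss` line, e.g.
#   em0 udp 203.0.113.5:49433 (192.168.1.5:49433) -> 208.67.222.222:53  MULTIPLE:MULTIPLE
# The parenthesised endpoint is the pre-NAT (internal) address when outbound NAT applied.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[^\s(]+)(?:\s+\((?P<orig>[^)]+)\))?\s+"
    r"(?P<arrow>->|<-)\s+"
    r"(?P<dst>[^\s(]+)(?:\s+\((?P<dorig>[^)]+)\))?\s+"
    r"(?P<state>\S+)$"
)

# Constructed sample: two states correctly on the VPN client (ovpnc2), the rest on WAN.
SAMPLE_STATES = """\
ovpnc2 tcp 10.8.0.6:50210 (192.168.1.5:50210) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
ovpnc2 udp 10.8.0.6:41022 (192.168.1.5:41022) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
em0 udp 203.0.113.5:49433 (192.168.1.5:49433) -> 208.67.222.222:53       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.5:60112 (192.168.1.5:60112) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:60200 (192.168.1.40:60200) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:5353 -> 208.67.222.222:53       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.5:22 <- 198.51.100.7:34001       ESTABLISHED:ESTABLISHED
"""


def split_endpoint(token):
    """Split 'addr:port' (IPv4) or 'addr[port]' (IPv6, as pfctl prints it)."""
    if "[" in token:
        addr, port = token.split("[", 1)
        return ip_address(addr), int(port.rstrip("]"))
    try:
        return ip_address(token), None          # bare address, e.g. a gre state
    except ValueError:
        addr, port = token.rsplit(":", 1)
        return ip_address(addr), int(port)


def parse_state(line):
    """Return the fields of one state line, or None if it is not a state line."""
    m = STATE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_states(text, wan_if=WAN_IF, vpn_only=VPN_ONLY):
    """Flag outbound WAN states that violate the kill switch or leak DNS."""
    findings = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st["iface"] != wan_if or st["arrow"] != "->":
            continue
        nat_src, _ = split_endpoint(st["src"])
        # With NAT the state carries the LAN host; without it the firewall itself sent it.
        internal_src = split_endpoint(st["orig"])[0] if st["orig"] else nat_src
        dst, dport = split_endpoint(st["dst"])
        is_dns = dport == 53 and st["proto"] in ("udp", "tcp")
        finding = {"host": str(internal_src), "dst": str(dst),
                   "proto": st["proto"], "line": line.strip()}
        if any(internal_src in net for net in vpn_only):
            # A VPN-only host got out via WAN: the reject rule did not catch this state.
            finding["kind"] = "dns-leak" if is_dns else "wan-egress"
            findings.append(finding)
        elif is_dns and st["orig"] is None:
            # The firewall's own resolver queried upstream via WAN.
            finding["kind"] = "resolver-dns-via-wan"
            findings.append(finding)
    return findings


def kill_commands(findings):
    """`pfctl -k <host>` kills every state whose source is that host."""
    hosts = sorted({f["host"] for f in findings if f["kind"] != "resolver-dns-via-wan"})
    return [f"pfctl -k {h}" for h in hosts]


if __name__ == "__main__":
    # On a live box: audit_states(subprocess.check_output(["pfctl", "-ss"], text=True))
    found = audit_states(SAMPLE_STATES)
    for f in found:
        print(f"{f['kind']:22} {f['host']:>14} -> {f['dst']} ({f['proto']})")
    for cmd in kill_commands(found):
        print(cmd)
```

Run it on the real table with `pfctl -ss | python3 audit.py` adapted to read stdin, or from the pfSense shell; a `wan-egress` or `dns-leak` finding after the floating reject rule is in place means a state predates the rule (kill it with the printed command) or the LAN rule for that host is not setting the tag. A `resolver-dns-via-wan` finding is only a problem if the Resolver is meant to go out the VPN alone.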
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.