HowTo: Route part of your LAN via TorGuard or PIA.
-
My router general DNS servers have both google public dns and another dns outside of my ISP's dns. Because of this, I did not specifically add DNS settings (to the same criteria) per static mapping.
If you don't assign alternate DNS servers in the static mapping, the default will be the LAN IP. That traffic will get blocked by the rule you mentioned. That's what it's supposed to do.
Having (ex:) Google public DNS set under general won't cause your LAN devices to make queries directly to those servers. Instead, your LAN devices query the DNS Resolver and the DNS Resolver might use the servers listed under general to make upstream queries. I say might because the way it behaves is configurable in the DNS Resolver (DNS forwarding). Regardless, all traffic from the DNS Resolver routes via the WAN.
For DNS queries to be routed correctly, LAN devices must make queries directly to a DNS server that's not local. The simplest thing to do is override DNS to use Google's public DNS when creating static mappings for your vpnclients.
-
I have a question that I think is at least similar to this thread, but if I am incorrect, please direct me to any information.
I have succesfully set up a PIA VPN Gateway and can turn on the openVPN client to protect my entire network through my pfsense box. It is awesome to have everything protected for all of our devices. However, I notice that some https sites don't like being access through a VPN (like bank of america). I am wondering the best way to allow for these exceptions through the firewall.
-
Use firewall rules to block outgoing SSL (port 443) traffic from the VPN gateway, forcing that https (443) traffic to the WAN?
-
Use Squid/proxy to force all non-https traffic to the VPN and all https traffic to the WAN?
-
URL filtering to allow certain urls to use WAN gateway instead of VPN?
-
Other ideas?
Any advice, input would be helpful.
-
-
@violinjjb I wouldn't mix traffic like that and, personally, I wouldn't access my bank account via one of these VPNs. There's no benefit to it. As it is, the connection between you and your bank is already private (it's encrypted). The only thing your ISP is seeing is that you're going to the BoA site. They can guess you're a BoA customer, but that's probably not a big secret anyway.
If you mix VPN and non-VPN traffic on the same machine, there's going to be a lot of correlation that can be done. I keep my VPN activity isolated in a VM (virtual machine).
-
Update!
It was in fact IPV6 somehow leaking IPV4 information. I turned off IPV6 in Interfaces/WAN and now all that shows up is Google's DNS information in the leak tests.
So on to the next question: am I losing anything by not having IPV6 enabled and if so, how can I prevent the leak with it enabled?
I need help, followed the guide with PIA in mind, everything works great (I think) until I disable IPV6 on WAN. What follows is internet access goes down on all my hosts (connectivity to http, etc yet the status all say the internet is fine). Strange things is I can ping 8.8.8.8 from inside pfSense as well as from command line on all my hosts with no issues but nothing works in browsers. Anyone else have this issue? Any help would be greatly appreciated!
-
Bumping this up….
Followed the guide to a T with PIA and it works fine if I set the "Don't auto add/remove routes" to unchecked. Problem is, the rest of the LAN now doesn't get any joy going out with regards to DNS.
Not sure at all what is going on with just that. If I do check that box, my LAN works but my IP address leaks on clients behind the VPN.
-
Policy routing is your friend.
-
Policy routing is your friend.
Is there something I'm missing? I have PIA traffic tagged with NO_WAN_EGRESS but I want to say that is somehow messing up the rest of my LAN traffic when I have that "route add" option/checkbox.
I can't even ping out there so I'm guessing it somehow is getting tagged as well (not sure how.)
I think I might have something to test though- The rule on the PIA interface was defined as all for source (which then applies the tag) so I restricted that to my VPN subnet for source. We'll see. Not home so I can't test it.
Thanks mate
-
If you are tagging all traffic with NO_WAN_EGRESS then blocking all traffic with that tag from egressing WAN, then yes, all traffic will be blocked and nothing will work unless it is routed out the VPN.
Set NO_WAN_EGRESS on the rules that policy route traffic you want to go out the VPN out the VPN. Then it will only be set on VPN traffic.
-
If you are tagging all traffic with NO_WAN_EGRESS then blocking all traffic with that tag from egressing WAN, then yes, all traffic will be blocked and nothing will work unless it is routed out the VPN.
Set NO_WAN_EGRESS on the rules that policy route traffic you want to go out the VPN out the VPN. Then it will only be set on VPN traffic.
Think I got it- it was squid. Note to people getting this far- READ THE WHOLE THREAD.
Kinda slipped my mind somehow (I had disabled other things) but that seems to be the big hangup.Thanks OP for a fantastic guide (with pics!) and thanks Derelict for getting me looking in the right direction.
Edit- do my traffic stats jump a lot as well for the LAN? (I have traffic stats tool package installed.) It looks right for packets OUT via PIA but seems the traffic in comes via LAN (which I assume is right.) The traffic stops/starts when I stop the tunnel and restart so I assume this is correct but just double checking.
-
Did a lot of the screenshots disappear when forums migrated to netgate? :(
-
@poisonvodka said in HowTo: Route part of your LAN via TorGuard or PIA.:
Did a lot of the screenshots disappear when forums migrated to netgate? :(
Yep.
But never mind, screenshots from 2 years back aren't very useful anyway - as is probably most info in this thread.