VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?
-
VPN services like PIA make it clear that DNSSEC isn't necessary because the connection to their OWN DNS servers is already encrypted. They don't say this part, but since they already know your DNS queries, there is no reason to use DNS over TLS (Not sure if that logic is sound).
1st question. Is it even possible to configure pfSense DNS resolver to use DNS servers which support TLS with (OpenVPN) VPN services?
2nd question. If Possible*, does it make more sense to configure DNS over TLS or is it truly unnecessary with a VPN service?
I use both PIA AND NordVPN with pfSense, but I configured the unbound DNS service to only use the PIA DNS servers.
Anyone out there have pfSense configured with both DNSSEC AND a public VPN service, like PIA, NordVPN, ExpressVPN, etc?
I made a few attempts to make this work, but it never fully passed validation. I don't know if it's worth the effort.
Any sharing of experience or advice is very appreciated!
-
DNSSEC is not about and has nothing to do with hiding queries from anyone. It is about validating that the answer you got was signed by the key published for the zone from the roots on down. DNSSEC is a signing scheme, not an encryption scheme.
If you accept a default gateway from the VPN provider you should be able to put the resolver in resolver mode, enable DNSSEC, and configure your inside clients to use pfSense as their DNS server.
It is not possible to policy route traffic originating from the firewall itself so if you are policy routing to the VPN provider it gets trickier. The best answer, though nobody wants to hear it, is to run a caching resolver (or two) inside the network (off the firewall) so, when it makes queries to resolve an unknown record, those queries can be policy routed along with everything else.
Some people have some luck setting the source interface in the DNS Resolver to the OpenVPN interface, but it's pretty hacky and doesn't scale well (for instance, you'd have to switch it between PIA and NordVPN).
-
Okay, sorry, I was off a bit on the terminology. I was referring to DNS over TLS. When I referred to DNSSEC, I was mostly thinking of the pfSense DNS resolver settings.
From my research, whatever way you go, the DNS queries are hidden from the ISP. In the same manner, either the VPN service will know your requests, or the DNS servers which support TLS know your requests.
I've seen an argument that if you set up several TLS-supporting DNS servers, your requests will be spread across several servers, so none of them will have a full map of your browsing history. (I think the other side of that argument is that you are trusting several more DNS hosts than just one or two.)
I still haven't got DNS over TLS to validate completely with my VPN services integrated into pfSense, so this question may be moot. I'm mostly trying to find out what anyone / everyone else is doing in this situation. Has anyone got DNS over TLS to validate successfully while also integrating a VPN service with all pfSense outgoing traffic?
(I think I read somewhere that DNS over TLS doesn't work over OpenVPN. So, that would mean you would have to send all DNS requests OUTSIDE your VPN tunnel, which seems... not ideal)
-
@talaverde said in VPN (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
I've seen an argument that if you set up several TLS-supporting DNS servers, your requests will be spread across several servers, so none of them will have a full map of your browsing history. (I think the other side of that argument is that you are trusting several more DNS hosts than just one or two.)
They might get together in their super-secret squirrel cabal meetings in the Louisiana swamps and aggregate all the data.
-
They might get together in their super-secret squirrel cabal meetings in the Louisiana swamps and aggregate all the data.
In that manner, I might as well go back to Chrome and use all their 'services'.
Anyway... I've decided to come at this DNS dilemma another way. I've realized there is no (theoretical) way to configure two separate VPN services and keep DNS encrypted, as you would have to ensure every DNS request passes to the correct/corresponding DNS server for either VPN (not something I even want to consider attempting).
Also, I admit, I was having issues getting both VPN services working well together. Temporarily... sure. After a bit, I wouldn't be able to connect to Amazon, my bank, etc., w/o rebooting pfSense or 'resetting' something. Clearly, I was having DNS issues.
I had a choice. Drop one of the VPN services (PIA or NordVPN) -or- give DNS over TLS another shot. I decided to give TLS another shot.
At this point, it seems like it's working. All DNS states are '853'. Browsing is actually a bit snappier (faster DNS servers probably). Time will tell if I have issues.
TLS validation (https://dnssec.vs.uni-due.de/) is still failing. Which is the most concerning. It requires Java, so I don't know if I should be too concerned. I'm looking for another way to confirm TLS is working like it should, but no luck yet.
Not trying to make this a personal story. I figure there are others that would like their DNS "as secure as possible" with pfSense, while also using a VPN service, or even TWO VPN services!
-
The easiest way to do that is to move your local caching resolver off the firewall, as was already stated. But people are generally not willing to make things as secure as possible since that involves sacrificing some convenience.
-
To answer this question at least: Anyone out there have pfSense configured with both DNSSEC AND a public VPN service, like PIA, NordVPN, ExpressVPN, etc?
I run AirVPN and Mullvad. 2 different tunnels obviously.
I use the DNS resolver to 9.9.9.9 and Cloudflare. I set it up with these instructions: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
Then I statically use Mullvad's server of 193.138.219.228 for the Mullvad tunnels, and they pass DNS leaks and DNSSEC.
AirVPN, since you have to use 10.4.0.1 or the gateway for the tunnel you connect to, doesn't pass DNSSEC. But it fully passes all the leaks.
You could probably use another provider for the DNSSEC. But then you would not pass DNS leak tests. Since it's "encrypted" it should not matter.
This stuff is way over my head. But after a few years of tinkering my setup passes everything I want it to, so I have left it alone.
-
At least for now, this is what I've decided to do:
- I stopped using the PIA DNS servers. (Not NordVPN DNS either)
- I'm now using Cloudflare and Quad9 servers and configured pfSense for DNS over TLS (and DNSSEC ;).
- DNS requests are set to ONLY go out on WAN1 or WAN2, not the VPN tunnels.
- Add firewall rule blocking all (non-domain) connections to UDP/TCP 53 Destination.
- Add firewall rule allowing domain subnet any (internal) UDP/TCP 53 connections.
Working well so far.
I've been able to get most of the DNS over TLS validation sites to return A-OK. All DNS servers only connect to TCP 853 in the states table. I struggled to get validation for quite some time. I think it's because I'm running a MS AD domain in my network. The final key was adding firewall rule(s) to block external UDP 53 access. Otherwise, my AD DNS servers would cause any test to fail.
I've found this site to be the most reassuring test: https://rootcanary.org/test.html
(Which is 'phase 2' of http://dnssectest.sidnlabs.nl )
One reason for this decision is the PIA DNS servers are pinging at 45ms. The NordVPN DNS are even worse. As you know, Quad9 and Quad1 servers are closer to 4ms. I've already noticed my browsing is a bit snappier now, but that could be my imagination.
DNS leak tests now show MANY servers, instead of just one, as before. However, they are all Quad9 servers. (I guess that's intentional, right?) I'm not going to worry about a bunch of servers showing in a DNS leak test, but only as long as they all appear to be Cloudflare or Quad9 servers.
Logically, I would probably rather keep all DNS queries going to an overseas VPN service, like NordVPN. However, the added latency is the final decision point.
Option 1 - I can trust a single (secure) VPN tunnel with my DNS requests, supposedly no logs are kept. Latency of 50ms+
Option 2 - I can trust a cluster of (secure) DNS over TLS servers (Quad9 & Quad1), supposedly no logs are kept. Latency of <4ms
Either way, all 'non DNS' traffic is sent through a VPN tunnel.
(Side note - I'm using pfBlockerNG, so separate DNS resolvers would be a nightmare, if not impossible)
The ultra-paranoid would probably be better off sending DNS queries over their VPN tunnel. I think the trust variance is purely suspicion at this point, while the performance benefit is clearly measurable.
https://rootcanary.org/test.html - results with my setup...
-
I'd like to add - Early in my testing, I observed the PIA DNS servers responded to TCP 853. So, I thought maybe they enabled DNS over TLS w/o announcing it. I tried using the PIA DNS servers and also pointing the pfSense DNS resolver to PIA. It didn't work. I could only get DNS over TLS to validate outside of a VPN tunnel (OpenVPN).
I still don't know whether VPN services simply choose not to support DNSSEC/TLS or that OpenVPN is incompatible with DNS over TLS. (If someone answered that above, sorry, I missed it.) I found one VPN service advertise that they support both 'VPN' and 'DNS over TLS'. However, it sounded more like 'either / or' -not- both. It just sounded like their DNS servers would support TLS, but it wasn't clear that it was through their VPN service (more like they inferred it was outside their VPN service).
I can see their point (the VPN services). The VPN tunnel makes TLS redundant. Then again, going back to the difference between DNS over TLS and DNSSEC, the VPN tunnel only 'encrypts' the DNS message, it doesn't validate it. Wouldn't that imply that the combination of DNS over TLS (encryption) -and- DNSSEC (validation) trumps VPN (encryption only)?
I could be off my rocker here but thought the conversation is worth having.
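Two points raised in this thread (finding a way other than the Java-based test sites to confirm DNS over TLS is actually in use, and the difference between DoT encrypting the transport and DNSSEC validating the answer) can be checked directly on the wire. The following is an added example, not code from the thread or from pfSense/unbound: it frames a query the way RFC 7858 requires (TCP length prefix inside TLS), sends it over a certificate-verified TLS connection on port 853, and reads the AD flag in the reply, which a validating resolver such as Quad9 sets only when its DNSSEC validation succeeded. The TLS name dns.quad9.net for 9.9.9.9 is an assumption not taken from the thread, and the reply bytes in `constructed_response` are constructed, not captured.

```python
import random
import socket
import ssl
import struct

FLAG_RD = 0x0100  # recursion desired (RFC 1035)
FLAG_AD = 0x0020  # authenticated data: the resolver validated DNSSEC for this answer (RFC 4035)
EDNS_DO = 0x8000  # "DNSSEC OK" in the OPT record's TTL field: client asks for validated answers


def encode_name(name):
    """Encode a dotted name in DNS label format (length byte + label, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=None):
    """Build a DNS query for qname with RD and AD set plus an EDNS0 OPT record with DO set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record lives in the additional section)
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: empty root name, TYPE 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def frame_tcp(msg):
    """DNS over TCP and over TLS prefix every message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + ln


def parse_response(msg, expected_txid):
    """Parse a reply: rcode, whether the AD flag is set, and any A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "answers": answers}


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def query_dot(server_ip, server_name, qname, port=853, timeout=5):
    """Send one query over DNS over TLS, verifying the server certificate against server_name."""
    ctx = ssl.create_default_context()  # system CA store and hostname check; no opportunistic mode
    query = build_query(qname)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)


def constructed_response(txid, ad):
    """Constructed (not captured) reply to 'example.com A' answering 192.0.2.1 (RFC 5737 range)."""
    flags = 0x8180 | (FLAG_AD if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # the answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    # Live check: a successful TLS handshake shows DoT is in use; "ad": True shows Quad9 validated DNSSEC.
    print(query_dot("9.9.9.9", "dns.quad9.net", "example.com"))
```

A reply with "ad": False over a working TLS session is exactly the case the thread circles around: the transport was encrypted, but nothing validated the answer.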
-
@bcruze said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
To answer this question at least: Anyone out there have pfSense configured with both DNSSEC AND a public VPN service, like PIA, NordVPN, ExpressVPN, etc?
I run AirVPN and Mullvad. 2 different tunnels obviously.
I use the DNS resolver to 9.9.9.9 and Cloudflare. I set it up with these instructions: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
Then I statically use Mullvad's server of 193.138.219.228 for the Mullvad tunnels, and they pass DNS leaks and DNSSEC.
AirVPN, since you have to use 10.4.0.1 or the gateway for the tunnel you connect to, doesn't pass DNSSEC. But it fully passes all the leaks.
You could probably use another provider for the DNSSEC. But then you would not pass DNS leak tests. Since it's "encrypted" it should not matter.
This stuff is way over my head. But after a few years of tinkering my setup passes everything I want it to, so I have left it alone.
I can be a bit dense sometimes. I didn't see this the first time I read it. Rereading your post, you're saying you send your DNS queries THROUGH the VPN, then out the other side to Quad9 or Quad1? What's the latency on that? If it truly works, it kinda seems like you're doubling up (TLS) encryption on top of (VPN) encryption. I have no problem with that, except that I'd think the latency would be horrendous. No?
-
Well, that's no different than visiting TLS web sites over the VPN. You have to encrypt the traffic or the VPN provider will spy on you just like your evil, evil ISP.
-
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@bcruze said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
To answer this question at least: Anyone out there have pfSense configured with both DNSSEC AND a public VPN service, like PIA, NordVPN, ExpressVPN, etc?
I run AirVPN and Mullvad. 2 different tunnels obviously.
I use the DNS resolver to 9.9.9.9 and Cloudflare. I set it up with these instructions: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
Then I statically use Mullvad's server of 193.138.219.228 for the Mullvad tunnels, and they pass DNS leaks and DNSSEC.
AirVPN, since you have to use 10.4.0.1 or the gateway for the tunnel you connect to, doesn't pass DNSSEC. But it fully passes all the leaks.
You could probably use another provider for the DNSSEC. But then you would not pass DNS leak tests. Since it's "encrypted" it should not matter.
This stuff is way over my head. But after a few years of tinkering my setup passes everything I want it to, so I have left it alone.
I can be a bit dense sometimes. I didn't see this the first time I read it. Rereading your post, you're saying you send your DNS queries THROUGH the VPN, then out the other side to Quad9 or Quad1? What's the latency on that? If it truly works, it kinda seems like you're doubling up (TLS) encryption on top of (VPN) encryption. I have no problem with that, except that I'd think the latency would be horrendous. No?
No, I don't think I am that brilliant...
I have DHCP computers going over the default tunnel of AirVPN. It uses 9.9.9.9.
Then I created rules for certain computers to use Air and others to use the Mullvad tunnel.
Then under Services - DHCP Server, I am using static DNS settings for those clients to resolve over the Mullvad DNS servers, others using AirVPN DNS servers. So they pass DNS leak tests.
-
@bcruze said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@bcruze said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
To answer this question at least: Anyone out there have pfSense configured with both DNSSEC AND a public VPN service, like PIA, NordVPN, ExpressVPN, etc?
I run AirVPN and Mullvad. 2 different tunnels obviously.
I use the DNS resolver to 9.9.9.9 and Cloudflare. I set it up with these instructions: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
Then I statically use Mullvad's server of 193.138.219.228 for the Mullvad tunnels, and they pass DNS leaks and DNSSEC.
AirVPN, since you have to use 10.4.0.1 or the gateway for the tunnel you connect to, doesn't pass DNSSEC. But it fully passes all the leaks.
You could probably use another provider for the DNSSEC. But then you would not pass DNS leak tests. Since it's "encrypted" it should not matter.
This stuff is way over my head. But after a few years of tinkering my setup passes everything I want it to, so I have left it alone.
I can be a bit dense sometimes. I didn't see this the first time I read it. Rereading your post, you're saying you send your DNS queries THROUGH the VPN, then out the other side to Quad9 or Quad1? What's the latency on that? If it truly works, it kinda seems like you're doubling up (TLS) encryption on top of (VPN) encryption. I have no problem with that, except that I'd think the latency would be horrendous. No?
No, I don't think I am that brilliant...
I have DHCP computers going over the default tunnel of AirVPN. It uses 9.9.9.9.
Then I created rules for certain computers to use Air and others to use the Mullvad tunnel.
Then under Services - DHCP Server, I am using static DNS settings for those clients to resolve over the Mullvad DNS servers, others using AirVPN DNS servers. So they pass DNS leak tests.
Oh, I see. I thought you meant you were passing the DNSSEC tests (and leak tests).
-
@derelict said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
Well, that's no different than visiting TLS web sites over the VPN. You have to encrypt the traffic or the VPN provider will spy on you just like your evil, evil ISP.
Well the ISPs blatantly admit they are collecting, logging and selling our each and every move. The (better) VPN services claim they don't and don't appear to be. Nor are the DNS over TLS providers (i.e. Quad1 or Quad4). If you know of any stories/articles where a VPN service handed over user logs, I'd be very interested. Same with the DNS over TLS services.
-
@talaverde With Quad9 and DNS over TLS, how do I verify the server reported in dnsleaktest.com is Quad9 server?
-
@gjaltemba said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@talaverde With Quad9 and DNS over TLS, how do I verify the server reported in dnsleaktest.com is Quad9 server?
When I do an extended test from https://www.dnsleaktest.com/ I get a WHOLE BUNCH of servers listed but they are all either named 'Cloudflare' or 'Woodynet', (which looks to be owned by Quad9, based on Internet searches.) If I ended up with a bunch of random names, I'd be concerned. It seems pretty obvious who they belong to.
-
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
When I do an extended test from https://www.dnsleaktest.com/ I get a WHOLE BUNCH of servers listed but they are all either named 'Cloudflare' or 'Woodynet', (which looks to be owned by Quad9, based on Internet searches.) If I ended up with a bunch of random names, I'd be concerned. It seems pretty obvious who they belong to.
Maybe I am not setup correctly. In my General Setup for DNS I have 9.9.9.9 and the gateway is my VPN.
In DNS Resolver I check
Enable DNSSEC support
Enable Forwarding Mode
Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
When I look in dnsleaktest.com it shows internet.exchange points as DNS. What is wrong?
-
How are you routing out the VPN? Policy Routing?
As I have already explained, you cannot policy route traffic generated on the firewall, which is why the single, best solution is a caching DNS resolver (or two or three) inside the firewall so the queries they make can be policy routed like the rest of the traffic. But nobody wants to make that effort.
Set your client to use 9.9.9.9 as its DNS server (either static or in DHCP for that inside network (you can only set it for one client with a static entry)) and you will see it works fine.
-
@derelict I tried routing out VPN in System->General Setup->DNS Server Settings. No good?
-
No. That has nothing to do with how traffic is routed.
-
@derelict said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
No. That has nothing to do with how traffic is routed.
But then what does setting the DNS Server gateway to my VPN interface do? I was thinking that it is the equivalent of setting Outgoing Network Interface in DNS Resolver.
-
That might work for you but you will break DNS for the whole firewall if the VPN is down.
Honestly, the best way to ensure you don't "leak" DNS is to tell your clients to use the outside DNS providers, policy route that traffic, and forget the on-firewall resolver exists.
Or, again, put an off-firewall DNS resolver together that can be policy routed like the client traffic on its way into LAN.
-
@derelict I am just starting to get your point but what I am getting at is when Quad9 goes via my VPN, dnsleaktest.com reports internet.exchange ip for DNS and not woodynet. Is this normal?
-
You'll have to post real, contrasting "leak test" results. I have no idea what you're trying to ask.
-
I think this thread has strayed off topic. Most VPN services have instructions on how to set up pfSense with their VPN, if they are compatible. There are YouTube videos for PIA. Most of these questions would be answered in the instructions.
Although, I do admit my setup is contrary to what the VPN service recommends, hence, the thread.
I would make sure to follow the VPN service's instructions for pfSense. Make sure your results are as expected and you understand them. Only then, try using a different DNS configuration than recommended by the VPN, as I did here.
-
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
I'd like to add - Early in my testing, I observed the PIA DNS servers responded to TCP 853. So, I thought maybe they enabled DNS over TLS w/o announcing it. I tried using the PIA DNS servers and also pointing the pfSense DNS resolver to PIA. It didn't work. I could only get DNS over TLS to validate outside of a VPN tunnel (OpenVPN).
I still don't know whether VPN services simply choose not to support DNSSEC/TLS or that OpenVPN is incompatible with DNS over TLS. (If someone answered that above, sorry, I missed it.) I found one VPN service advertise that they support both 'VPN' and 'DNS over TLS'. However, it sounded more like 'either / or' -not- both. It just sounded like their DNS servers would support TLS, but it wasn't clear that it was through their VPN service (more like they inferred it was outside their VPN service).
I can see their point (the VPN services). The VPN tunnel makes TLS redundant. Then again, going back to the difference between DNS over TLS and DNSSEC, the VPN tunnel only 'encrypts' the DNS message, it doesn't validate it. Wouldn't that imply that the combination of DNS over TLS (encryption) -and- DNSSEC (validation) trumps VPN (encryption only)?
I could be off my rocker here but thought the conversation is worth having.
I've made a minor change to my configuration. I thought I may as well share it, to keep the explanation of my configuration accurate...
Until now, I configured my DNS Resolver to send DNS request out my WAN / Non-VPN connection. For some reason, I thought if I sent it through my VPN tunnel, it wouldn't work. I tried it and it works fine. So, my DNS requests:
- Use Quad9 & Quad1
- Use and validate to DNSSEC
- Use and validate DNS over TLS
- Are sent out through my VPN tunnel
I was reading there might be ways for an ISP to figure out your DNS requests even if you use DNS over TLS. (Just talking DNS here). Using the VPN tunnel, that won't happen. Another reason I (originally) sent the DNS requests out via WAN / Non-VPN was to keep latency as low as possible on DNS requests. The VPN tunnel I'm using is the local PIA, which is the least obscure VPN connection, but a VPN tunnel nonetheless. Since I'm using DNS over TLS, even the VPN won't know my DNS requests anyway.
I'm feeling really good about this configuration.
-
@talaverde I gotta ask. Does dnsleaktest.com still show woodynet with quad9 and pia? For me it does not show woodynet nor pia but some internet.exchange point.
-
@gjaltemba said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@talaverde I gotta ask. Does dnsleaktest.com still show woodynet with quad9 and pia? For me it does not show woodynet nor pia but some internet.exchange point.
Hard to answer fully w/o a screenshot. dnsleaktest.com shows your DNS request hosts, not your VPN tunnel.
-
I had multiple users ask me what 'dnsleaktest' looked like when I have Quad9 and Cloudflare (Quad1) configured as my DNS servers. This is what it looks like. OBVIOUSLY, this is not my IP address, nor my VPN's IP address. This is a list of DNS servers that respond to Quad9 or Quad1. (WoodyNet is obviously Quad1).
-
No one has contributed to this conversation for a while, so I feel like I'm talking with myself. Maybe no one else cares. A few wanted to know how to configure their VPN, but that didn't seem on topic.
At risk of sounding like I'm starting my own blog, I just want to mention this new configuration has been working GREAT! I'm using multiple VPN providers with pfSense. At the same time, all my DNS requests are going to DNSSEC/TLS enabled DNS servers. No issues of leakage that I'm aware of. DNS requests are much quicker than using the VPN DNS servers. Spreading out the requests makes everything even more anonymous, IMO.
If anyone wants more information on how I set this up (using TLS/DNSSEC), I'm open to questions, as I don't know of anyone else trying it this way.
(Setting up your VPN, there are many resources for that)
-
As I posted, most of this is way over my head. I read / try a few changes and use the basic tests I know to do.
I have 2 tunnels set up. Neither is leaking per the providers' tests.
My connection only drops with Mullvad (never with Air), but I have it configured to reconnect.
I am always curious how others are set up. But since mine works near flawlessly I really don't want to tinker with it.
-
@talaverde Can you please share screenshots of how you set up pfSense to use a VPN provider and DNS over TLS.
I currently have DNS over TLS set up but I would like to add a VPN tunnel to this.
BTW have you heard about Perfect Privacy VPN which uses DNS over TLS, but like you said then they can spy on you. Your method seems better. Please share. Thank you in advance.
Google this article
DNS-over-TLS: Now we offer encrypted DNS
Perfect Privacy, 7. September 2018
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
No one has contributed to this conversation for a while, so I feel like I'm talking with myself. Maybe no one else cares. A few wanted to know how to configure their VPN, but that didn't seem on topic.
At risk of sounding like I'm starting my own blog, I just want to mention this new configuration has been working GREAT!. I'm using multiple VPN providers with pfSense. At the same time, all my DNS requests are going to DNSSEC/TLS enabled DNS servers. No issues of leakage that I'm aware of. DNS requests are much quicker than using the VPN DNS servers. Spreading out the requests makes everything even more anonymous, IMO.
If anyone wants more information on how I set this up (using TLS/DNSSEC), I'm open to questions, as I don't know of anyone else trying it this way.
(Setting up your VPN, there are many resources for that)
-
@rango said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
@talaverde Can you please share screenshots of how you set up pfSense to use a VPN provider and DNS over TLS.
I currently have DNS over TLS set up but I would like to add a VPN tunnel to this.
BTW have you heard about Perfect Privacy VPN which uses DNS over TLS, but like you said then they can spy on you. Your method seems better. Please share. Thank you in advance.
It's difficult to provide screenshots of relevant pages w/o sharing my personal configuration/info, but we can try talking through it.
The screenshot higher on this page with Quad9 dns servers is pretty much how I have it, but I also added quad 1 as well.
As far as the rest of the configuration, it's exactly how Private Internet Access says to configure it (on their website), except that I'm not using their dns servers. I'm using the DNS SEC servers. Also, I have DNS SEC enabled in the dns resolver settings.
PIA has very good instructions. It's many steps, so it makes more sense to direct you there than me trying to re-write their instructions.
As far as Perfect Privacy, I considered it. I already have two VPN subscriptions. I might check them out, if I get bored. I would be curious what their log policy is. I would think a VPN provider would be less likely to keep logs than a public service like Quad9, but you just never know (who's not being honest). With the public providers, I can set up multiple providers, spreading my DNS requests out among many. If I used a VPN service, I would have to use that one only (though I did hear hints that pfSense can be configured with multiple resolvers, but I wouldn't know how to do that at the moment).
So, again, check out PIA instructions. Follow them to the letter. Only AFTER it's working correctly, go in and enable DNSSEC and change the DNS servers to Quad9/Quad1. Once it's working, check out the validation websites mentioned higher in this thread. If you have any specific questions, let me know.
https://www.privateinternetaccess.com/archive/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2
-
So, I had to rebuild my pfSense server(s) for various reasons. Anyway, even beforehand, I noticed PIA wasn't performing as well as it did when I first implemented it. Initially, I was getting upwards of 850 MB/s of a 1GB fiber connection over VPN. As it got worse, I ended up going with NordVPN. Because NordVPN uses actual IP addresses instead of a URL (which points to multiple IP addresses), I could set up multiple VPN feeds and set up a gateway group. There were definitely diminishing returns with each additional connection, but it did help.
Upon rebuilding my server, I couldn't even get pfSense to work with PIA anymore. The reliability was horrendous and speeds even worse. IMHO, PIA went the way of over-growth. I've had decent luck with iVPN. All the reviews rave about ExpressVPN but I've tried them twice and both times were a complete failure. If ProtonVPN had more domestic connections, I'd give them a try, but they're too small.
I really don't think VPNs are 'snake oil' as they provide a clear and defined benefit. I admit, the service level can vary, but that's just the way of the world.
I'm hoping I can find another quality VPN service and would even consider setting up a VPS, as long as it was anonymous like a VPN is.
-
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
I was not a fan of PIA over OpenVPN either. Their service dropped more than any provider I have used, and I have used several... You can use the nslookup command and type in the PIA server and it will display all of the servers it connects you to. And if your client is properly configured it WILL reconnect to what you tell it to... NordVPN is not doing ANYthing special there.
There are several VPNs out there that allow free trials. A couple days even.
IMO Nord was worse than PIA. And yes, I tried them 2 times and both times laughed at their support and canceled my subscription.
Keep trying. As you can imagine it will vary by your location and provider.
Good luck
-
@talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
as they provide a clear and defined benefit
Where? Other than slowing down your connection... You are just handing over your money and your trust to some other guy because you believe your ISP is spying on you.. And doing what with it exactly - handing it over to the NSA?
The only benefit they provide that is not snake oil is geo circumvention.. People that think it makes them more secure are really just drinking the koolaid they are selling you for $X a month..
-
@johnpoz said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:
Where? Other than slowing down your connection... You are just handing over your money and your trust to some other guy because you believe your ISP is spying on you.. And doing what with it exactly - handing it over to the NSA?
The only benefit they provide that is not snake oil is geo circumvention.. People that think it makes them more secure are really just drinking the koolaid they are selling you for $X a month..
What?? Okay, snake oil. We get it. You don't like VPNs. You don't have to use them.
I was kinda hoping you'd give some constructive instruction on how to use a VPS rather than an VPN, or prove why you think VPNs aren't secure, but I guess it's just more of the same.
-
Who says I don't like VPNs? I use vpns all day every day... I use them to get into the work network, I use them to get into my home network from work ;)
I have multiple vps around the globe that I can vpn into if I need to make sure traffic routes one way or the other to test something.. Or sure if want to geo circumvent some sort of geoblock, etc. etc.
Everyone of my VPS I can vpn into and route whatever traffic I need to route through them..
It takes 30 seconds to fire up openvpn access server on a vps.. If you need instructions on how to apt-get install something.. Or use yum or whatever your vps is running to install openvpn-as then you should get with the OS support forums, etc.
What I don't buy off on is handing $X a month to some snake oil company that says they don't log... Trying to hide xyz from my ISP ;) It's nothing but a bunch of koolaid.. If you need to pay for xyz service to geo circumvent so you can watch Netflix in the US or BBC from the US, etc.. then sure, have fun... But please don't try to blow smoke up anyone's ass that you're doing it to protect your privacy or such nonsense... It's all a bunch of nonsense snake oil..
Saying to use Cloud or Quad for multiple DNS so that neither of them gets all your queries... WTF!!! Really... The one advantage of using say Quad is it might block some bad site.. But then if you're going to also ask Cloud, which doesn't filter, you just throw away all the good you might have gotten out of handing over to Quad everywhere you want to go..
You have the blind leading the blind asking the retarded for help.... That is why I try and stay out of these conversations because it's all a bunch of freaking koolaid nonsense... Sorry for the RANT... But ARRGHHH
Some of these threads - I would think I somehow ended up on a pfSense Facebook group ;)
My Gawd dude, you don't even understand the difference between DNSSEC and DoH and/or DoT, etc. But you have multiple VPN service providers you're handing over cash to per month so you're more secure...
Even if you hide your DNS queries from player X, you know once you make even the https connection through player X's network they can see where you're going because the SNI is in the clear..
If you want to hide where you go from your ISP, because they are in league with Satan... Then use a VPN and resolve through it.. You're just handing all your DNS queries to exactly the people that want them... Why in the F do you think they spun up such services in the first place.
Derelict gave the correct solution for routing your DNS queries where you want to route them - and that is run it off pfSense so you can then easily policy route the traffic.
-
@johnpoz And what if the purpose of the VPN is to hide where BitTorrent, for example, is coming from?
In countries like Germany, for example, the law firms openly operate with criminal intimidation as a modus operandi for pursuing someone (and the courts seem in on the game too). They get court orders for hundreds of people's IPs at a time and then pursue them even if their torrent trace shows only 30s of upload activity. The police might as well be operating in the 30/40s; they can lawfully install malware on your PC. So anything that a) can move the jurisdiction to take you out of a specific jurisdiction in terms of enforcement, b) can make it more difficult to determine what you are looking at, helps. And although there are free VPN providers, you get what you are paying for. If paid services have minimal bandwidth costs. I lose about 5% using speednet to test with/without VPN.