OpenVPN Kill Switch
-
Like I said in my original post, you won't be able to do ANYTHING but connect to the VPN. If you are using a hostname instead of IP address for the VPN server you probably won't be able to resolve it, etc. You might very well have to pass some other things (like DNS) in order to get it to work. I don't know how paranoid you are about DNS leakage, etc. Most people seem to be all wrapped around the axle about it when it really doesn't matter if all you're trying to do is watch TV from another location.
ETA: Note that the DNS servers used by the firewall and the DNS servers given to your client hosts to use don't have to be the same. You could configure the rules to allow connections to your ISP DNS servers, and put those in the DNS server settings for pfSense to use (System > General Setup) but tell your client hosts to use DNS servers provided by your VPN provider. The latter DNS servers would only be reachable if the VPN is up.
-
Ok so I have changed the VPN address to the IP address instead of the name. It appears to allow connection now with the firewall rules in place. Is there any disadvantage to using the actual IP rather than the name? I used the DNS reverse lookup to find it and it appears there are 4 separate IPs that can all link to the same address. I just picked one.
-
If they change IPs it will break. I'd pass DNS correctly. It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc. Your firewall should be able to resolve DNS.
-
> If they change IPs it will break. I'd pass DNS correctly. It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc. Your firewall should be able to resolve DNS.
Exactly. Copy your OpenVPN rule and adjust it to work for DNS. The pfSense webgui can/will go nuts without DNS :))
-
Will this configuration pass DNS outside of the VPN only for resolving the VPN host address when connecting to VPN (or when automatically re-connecting to VPN after an unplanned disconnection), and otherwise pass all other DNS through the VPN?
-
Hi,
I don't like the floating rules trick because when the VPN goes down, it cannot reconnect anymore, blocked by the rule. But there is a workaround. Take a look at this post
Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.
"By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down"
So basically when the VPN Gateway is down it puts the rule in but with the default gateway, ruining the whole point.
This works for me :)
-
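As an added illustration of the rules discussed in this thread (written here as a plain pf.conf sketch, not by any poster and not the pfSense GUI rules themselves; interface names and addresses are assumed placeholders):

```pf
# Added example: pf.conf sketch of the kill switch described in this thread.
# Interface names and addresses are assumed placeholders, not values from the thread.
wan_if = "em0"
lan_if = "em1"
vpn_if = "ovpnc1"                              # OpenVPN client tunnel interface
lan_net = "192.168.1.0/24"
vpn_server = "203.0.113.10"                    # provider's server by IP, so no lookup is needed to connect
isp_dns = "{ 198.51.100.53, 198.51.100.54 }"   # resolvers pfSense itself uses (System > General Setup)

set skip on lo0

# Outbound NAT only on the tunnel: LAN traffic never leaves with a WAN source address
nat on $vpn_if from $lan_net to any -> ($vpn_if)

block log all

# The firewall itself may reach the VPN server and the ISP resolvers over WAN
pass out quick on $wan_if proto udp from ($wan_if) to $vpn_server port 1194
pass out quick on $wan_if proto { tcp, udp } from ($wan_if) to $isp_dns port 53

# LAN hosts may still talk to the firewall (web GUI, DHCP, local resolver)
pass in quick on $lan_if from $lan_net to ($lan_if)

# Kill switch: LAN traffic is pinned to the tunnel gateway. In the GUI this is the
# rule with the VPN gateway selected; with "Skip rules when gateway is down" enabled
# the rule is not loaded while the tunnel is down, so the block below catches the
# traffic instead of it being sent out the default (WAN) gateway.
pass in quick on $lan_if route-to ($vpn_if) from $lan_net to ! $lan_net keep state
pass out quick on $vpn_if keep state

# Anything else from LAN, DNS included, is dropped rather than leaking out WAN.
# Clients pointed at the VPN provider's resolvers only get answers while the tunnel is up.
block in log quick on $lan_if from $lan_net to any
```

-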
https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN
-
Locked this, it was just a spam magnet.