Netgate Discussion Forum

    [noob question] pfSense as a OpenVPN client for selected devices

    28 Posts 2 Posters 3.1k Views
    • DraghmarD
      Draghmar
      last edited by

      Hm...I did get some courage to make changes to the NAT Outbound. The main issue I had there was that I couldn't set a specific IP address...So I used an Alias and it looks like it works.

      • DraghmarD
        Draghmar
        last edited by

        Weird behavior: I have to restart both the service and the device connection in order to get through the VPN when changing something. For example, if I change the VPN server I have to restart the service after saving the options (that is quite logical), but then I have to disconnect the device and reconnect it, because without this it falls off the VPN and goes through the WAN.

        • V
          viragomann @Draghmar
          last edited by

          @draghmar
          You can check System > Advanced > Miscellaneous > Do not create rules when gateway is down to prevent this.

          • DraghmarD
            Draghmar @viragomann
            last edited by

            @viragomann I did that before, following bits of this guide, so I do have this option checked. But maybe it needs some additional restarting to get it to work?

            • V
              viragomann @Draghmar
              last edited by

              @draghmar
              No, it should be applied immediately w/o a reboot.

              • DraghmarD
                Draghmar @viragomann
                last edited by Draghmar

                @viragomann Then it doesn't do what it's supposed to...wonder why. Probably some config error on my side. ;)

                Edit: I remembered that I unchecked your first suggestion Don't pull routes when testing. Maybe it has something to do with that? I'll check what will happen with this option tomorrow.

                • V
                  viragomann @Draghmar
                  last edited by

                  @draghmar
                  "Don't pull routes" prevents the default route from being changed to the VPN provider when the client connection is established.
                  If you leave this unchecked and the provider pushes the default route to you (which I assume), the whole upstream traffic from your local network is directed over the VPN, which is not what you want, as you stated above.

                  • DraghmarD
                    Draghmar @viragomann
                    last edited by

                    @viragomann Hm...I get it, but I didn't see that behavior. I mean, only the two devices I was testing with had their traffic pushed through the VPN. Other devices did not. Anyway, I have the whole setup disabled currently and will check that option tomorrow. Thanks for the suggestions and explanation. :)

                    • DraghmarD
                      Draghmar
                      last edited by

                      Another report from the VPN battlefield. ;)
                      So it works for me, but I've noticed that some detection tools still know that I'm using a VPN even though I tested on different servers, and at least one knew my own IP for some reason. I didn't do anything to the DNS settings. Should I change something? My brother suggested that services may detect the VPN by checking DNS somehow, so maybe I should do something...But is there a way to make it work in a way that everything goes as usual except for the VPN traffic? Maybe I should set the DNS Resolver's Outgoing Network Interfaces to everything except the VPN interface?

                      • V
                        viragomann @Draghmar
                        last edited by

                        @draghmar
                        Yes, that might be detected by leaking DNS.

                        You can set up the resolver to send requests out via the VPN interface only. However, this setting is also applied to DNS requests from other devices, which possibly isn't desired.

                        To affect only those certain devices you're directing out to the VPN, you can simply forward DNS traffic from the concerned devices to a public DNS server and policy route this traffic to the VPN gateway.

                        • DraghmarD
                          Draghmar @viragomann
                          last edited by

                          @viragomann I have one rule that directs all requests that would go outside of the LAN on port 53 to local. If I put a rule above that one, where specific IPs would be directed to the DNS IP from the VPN provider, would that work? I think it should.

                          • V
                            viragomann @Draghmar
                            last edited by

                            @draghmar
                            Should work that way.

                            • DraghmarD
                              Draghmar
                              last edited by

                              Because I'm a little bit afraid I'm going to break something with DNS, I'll ask if what I want to do is ok. :P

                              I have a Port Forward set using this recipe. My idea is to create an alias with the DNS from NordVPN and then create a new Port Forward above the previous one. Choosing LAN as the interface, I will add the specific devices in the source field for port 53, the destination will be set to any for port 53, and the redirect IP to the VPN DNS alias.
                              [attached screenshot: the port forward rule described above]
                              Will that be enough?
                              I saw in OpenVPN's Client Specific Overrides that I can set DNS there. Should I do that? I'd guess not, but who knows. ;)

                              • V
                                viragomann @Draghmar
                                last edited by

                                @draghmar said in [noob question] pfSense as a OpenVPN client for selected devices:

                                Will that be enough?

                                The forwarding looks good, but you also have to direct that traffic to the VPN provider. This isn't done by NAT.
                                You have to add a policy routing rule with the VPNDNS alias as destination and set the gateway to the VPN.

                                I saw in OpenVPN's Client Specific Overrides that I can set DNS there.

                                This is used by VPN access servers to set certain directives for specific clients. It cannot be used in your case.

                                Consider that your "VPNAdresses" may possibly use DoH for name resolution. To cover this, you have to direct their HTTPS upstream traffic to the VPN server by policy routing.

                                • DraghmarD
                                  Draghmar @viragomann
                                  last edited by Draghmar

                                  @viragomann said in [noob question] pfSense as a OpenVPN client for selected devices:

                                  The forwarding looks good, but you also have to direct that traffic to the VPN provider. This isn't done by NAT.
                                  You have to add a policy routing rule with the VPNDNS alias as destination and set the gateway to the VPN.

                                  Isn't that added automatically? I have a rule like that from creating the Port Forward from the recipe. I guess I'd have to edit this new one then to set the VPN Gateway in the advanced settings, right?

                                  • V
                                    viragomann @Draghmar
                                    last edited by

                                    @draghmar
                                    Depends on the rule creation option:
                                    [attached screenshot: the port forward's "Filter rule association" options]

                                    However, pfSense cannot create a policy rule from a NAT, since there is no gateway info.

                                    So at best you can let it create an unassociated filter rule and edit it afterwards to set the gateway.

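As an added illustration (not code from the thread or from pfSense), the following Python model shows the rule order viragomann describes in the two replies above: the port forward rewrites the destination first, the LAN rules are then evaluated top-down, and only a rule's own gateway field decides whether the packet leaves via the VPN. It also covers the DoH caveat: a policy rule limited to port 53 does nothing for HTTPS. The aliases, addresses and rule names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

VPN_CLIENTS = {"192.168.1.50", "192.168.1.51"}   # constructed "VPNAdresses" alias
VPN_DNS_IP = "198.51.100.53"                     # placeholder for the provider's DNS
LOCAL_RESOLVER = "192.168.1.1"                   # pfSense itself (DNS Resolver)

@dataclass
class Forward:        # NAT port forward: rewrites the destination, sets no gateway
    src: Optional[set]; port: int; target: str

@dataclass
class Rule:           # LAN filter rule; gateway "default" follows the routing table (WAN)
    name: str; src: Optional[set]; dst: Optional[set]; port: Optional[int]; gateway: str = "default"

def _match(r, src, dst, port):
    return ((r.src is None or src in r.src) and (r.dst is None or dst in r.dst)
            and (r.port is None or r.port == port))

def egress(forwards, rules, src, dst, port):
    """Return (final destination, where the packet leaves) for one LAN packet."""
    for f in forwards:                          # NAT is applied before filtering
        if (f.src is None or src in f.src) and f.port == port:
            dst = f.target
            break
    for r in rules:                             # first matching LAN rule wins
        if _match(r, src, dst, port):
            if dst == LOCAL_RESOLVER:           # answered by the local resolver; its own
                return dst, "local-resolver"    # upstream lookups use its outgoing interface
            return dst, ("VPN" if r.gateway == "VPN_GW" else "WAN")
    return dst, "blocked"

# Before the fix: the generic DNS-to-local forward and its associated rule sit first.
BEFORE_FWD = [Forward(None, 53, LOCAL_RESOLVER)]
BEFORE_RULES = [Rule("dns-to-local (NAT)", None, {LOCAL_RESOLVER}, 53),
                Rule("vpn clients", VPN_CLIENTS, None, None, gateway="VPN_GW"),
                Rule("lan allow", None, None, None)]
# After the fix: a VPNDNS forward for the VPN clients above the old one, with its
# associated filter rule edited to use the VPN gateway (NAT alone cannot set it).
AFTER_FWD = [Forward(VPN_CLIENTS, 53, VPN_DNS_IP)] + BEFORE_FWD
AFTER_RULES = [Rule("vpn-dns (NAT)", VPN_CLIENTS, {VPN_DNS_IP}, 53, gateway="VPN_GW")] + BEFORE_RULES
# Only the port-53 policy rule and no catch-all: DoH on 443 is not covered.
DNS_ONLY_RULES = [AFTER_RULES[0], Rule("lan allow", None, None, None)]

if __name__ == "__main__":
    print(egress(BEFORE_FWD, BEFORE_RULES, "192.168.1.50", "203.0.113.1", 53))     # local-resolver
    print(egress(AFTER_FWD, AFTER_RULES, "192.168.1.50", "203.0.113.1", 53))       # VPN
    print(egress(AFTER_FWD, DNS_ONLY_RULES, "192.168.1.50", "203.0.113.9", 443))   # WAN
```

The third case is the DoH leak: the client's HTTPS to a DoH resolver never touches port 53, so it follows whatever rule matches 443.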
                                    • DraghmarD
                                      Draghmar @viragomann
                                      last edited by

                                      @viragomann I think I did everything, but https://dnsleaktest.com is still able to detect my IP. :( I have the Port Forward set as above, and in the created rule I changed the gateway to the VPN one. What else am I missing?

                                      • V
                                        viragomann @Draghmar
                                        last edited by

                                        @draghmar
                                        Maybe there is another rule matching the DNS traffic earlier. A floating rule?

                                        Enable logging in the rule to investigate.

                                        • DraghmarD
                                          Draghmar @viragomann
                                          last edited by Draghmar

                                          @viragomann Hm...I checked "Log packets that are handled by this rule", but I don't see anything in System logs->Firewall popping up when browsing websites from the device I'm testing from. And I don't have any other DNS-related rule, just those two. I have a fairly simple network here. No floating or anything fancy like that ;)

                                          • V
                                            viragomann @Draghmar
                                            last edited by

                                            @draghmar
                                            Do you consider the possibility that the client may use DoH?
                                            So what about its HTTPS traffic?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.