Netgate Discussion Forum

    [noob question] pfSense as a OpenVPN client for selected devices

Category: OpenVPN
28 Posts 2 Posters 3.1k Views
viragomann @Draghmar

      @draghmar said in [noob question] pfSense as a OpenVPN client for selected devices:

      Will that be enough?

The forwarding looks fine, but you also have to direct that traffic to the VPN provider. This isn't done by NAT.
You have to add a policy routing rule with the VPNDNS alias as destination and set the gateway to the VPN.

      I saw in OpenVPN's Client Specific Overrides that I can set there DNS.

      This is used by VPN access servers to set certain directives for specific clients. It cannot be used in your case.

Consider that your "VPNAdresse" devices may possibly use DoH for name resolution. To cover this, you have to direct their HTTPS upstream traffic to the VPN server by policy routing.

Draghmar @viragomann

        @viragomann said in [noob question] pfSense as a OpenVPN client for selected devices:

        The forwarding looks well, but you have also to direct that traffic to the VPN provider. This isn't done by NAT.
        You have to add a policy routing rule with the VPNDNS alias as destination and set the gateway to the VPN.

        Isn't that added automatically? I have a rule like that from creating Port Forward from the recipe. I guess I'd have to edit this new one then to set VPN Gateway in advanced settings, right?

viragomann @Draghmar

          @draghmar
          Depends on the rule creation option:
[image: rule creation options]

However, pfSense cannot create a policy rule from a NAT, since there is no gateway info.

          So at best you can let it create an unassociated filter rule and edit it after to set the gateway.

Draghmar @viragomann

@viragomann I think I did everything, but https://dnsleaktest.com is still able to detect my IP. :( I have Port Forward set as above and in the created rule I changed the gateway to the VPN one. What else am I missing?

viragomann @Draghmar

              @draghmar
Maybe there is another rule matching the DNS traffic before. Floating rule?

              Enable logging in the rule to investigate.

Draghmar @viragomann

@viragomann Hm... I checked "Log packets that are handled by this rule" but I don't see anything popping up in System logs -> Firewall when browsing websites from the device I'm testing from. And I don't have any other DNS-related rule, just those two. I have a fairly simple network here. No floating rules or anything fancy like that ;)

viragomann @Draghmar

                  @draghmar
Have you considered the possibility that the client may use DoH?
So what about its HTTPS traffic?

Draghmar @viragomann

@viragomann I'm testing from Firefox on Win 10 with DoH disabled and DNS servers set to the router IP.
                    What about HTTPS traffic?

viragomann @Draghmar

                      @draghmar
When using DoH the DNS traffic goes over the HTTPS protocol.

I've never seen your rule set, so I cannot say if it is ok.
                      But for testing, direct the whole upstream traffic from the 'VPN clients' to the VPN server.
                      Verify that the policy routing rule matches.

Draghmar @viragomann

@viragomann These are my NAT and rules:
[image: pfsense-rules.png]
[image: pfsense-nat.png]
Like I said, nothing complicated. ;) There are some NATs for a web server and such. But that's it. The only additional things are the rules for OpenVPN and for the VPN interface. And those are the ones we've discussed in this thread.

                        How can I direct like you said? I thought I just did force every device that should go through VPN to VPN server. The rule for that is visible on the list above.

Is there a way to make some artificial connection to the DNS server so I could be sure that the flow is correct? I mean something like trying to connect to the DNS IP on the DNS port. I'm thinking here that I could try to connect to the router IP this way to check if it's redirected. I'd like to eliminate other factors this way because the only thing I know about testing this is to simply hit some URL from the specified device...

viragomann @Draghmar

                          @draghmar
                          You must not set a source port in the DNS rule, it has to be any.

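The source-port mistake resolved in the reply above, and the DoH caveat raised earlier in the thread, can both be checked without touching a router. The following Python script is an added example, not code from the thread or from pfSense: it models a LAN rule set with pfSense's first-match semantics and a port forward applied before filtering (as pf does), then evaluates constructed flows against it. Every address and alias in it is a constructed stand-in (192.168.1.0/24 as the LAN, 192.168.1.50 and .51 as the "VPNAdresse" devices, 10.8.0.1 as the VPNDNS alias, 203.0.113.10 as a public DoH resolver), and the gateway names "WAN" and "VPN" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "any"
Port = Union[int, str]

# Constructed addresses for this example (not taken from the thread).
LAN_NET = "192.168.1.0/24"
ROUTER_IP = "192.168.1.1"                        # clients point their DNS at the router
VPN_CLIENTS = ("192.168.1.50", "192.168.1.51")   # stand-in for the "VPNAdresse" alias
VPN_DNS = ("10.8.0.1",)                          # stand-in for the "VPNDNS" alias
DOH_RESOLVER = "203.0.113.10"                    # TEST-NET address standing in for a DoH resolver


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str = ANY
    src: tuple = (ANY,)      # alias members: single hosts or CIDR networks
    sport: Port = ANY
    dst: tuple = (ANY,)
    dport: Port = ANY
    gateway: str = "WAN"     # assumed names: "WAN" = default route, "VPN" = OpenVPN client gateway


def addr_in(addr: str, members: tuple) -> bool:
    """True if the alias contains 'any' or one of its members covers addr."""
    ip = ip_address(addr)
    return any(m == ANY or ip in ip_network(m, strict=False) for m in members)


def matches(rule: Rule, flow: Flow) -> bool:
    """pfSense-style match on protocol, source, source port, destination and destination port."""
    return ((rule.proto == ANY or rule.proto == flow.proto)
            and addr_in(flow.src, rule.src)
            and (rule.sport == ANY or rule.sport == flow.sport)
            and addr_in(flow.dst, rule.dst)
            and (rule.dport == ANY or rule.dport == flow.dport))


def port_forward_dns(flow: Flow) -> Flow:
    """The thread's NAT port forward: DNS from the VPN clients to any resolver is redirected
    to the VPNDNS alias. pf rewrites the destination before the filter rules are evaluated."""
    if flow.proto in ("udp", "tcp") and flow.dport == 53 and flow.src in VPN_CLIENTS:
        return Flow(flow.proto, flow.src, flow.sport, VPN_DNS[0], 53)
    return flow


def route(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching LAN rule wins; returns (rule name, gateway the traffic leaves through)."""
    flow = port_forward_dns(flow)
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.gateway
    return "no rule", "blocked"


def lan_rules(dns_source_port: Port, force_all_vpn_traffic: bool) -> List[Rule]:
    """Build the LAN rule set discussed in the thread. dns_source_port=53 reproduces the mistake;
    force_all_vpn_traffic adds the 'send everything from the VPN clients to the VPN' rule."""
    rules = [Rule("VPN clients DNS -> VPNDNS", src=VPN_CLIENTS, sport=dns_source_port,
                  dst=VPN_DNS, dport=53, gateway="VPN")]
    if force_all_vpn_traffic:
        rules.append(Rule("VPN clients -> any", src=VPN_CLIENTS, gateway="VPN"))
    rules.append(Rule("Default allow LAN to any", src=(LAN_NET,)))   # leaves via the default gateway
    return rules


# Constructed test flows. Real DNS clients send from an ephemeral source port, never from 53.
DNS_QUERY = Flow("udp", "192.168.1.50", 51234, ROUTER_IP, 53)
DOH_QUERY = Flow("tcp", "192.168.1.50", 51235, DOH_RESOLVER, 443)
OTHER_HOST_DNS = Flow("udp", "192.168.1.20", 51236, ROUTER_IP, 53)   # not a VPN client

if __name__ == "__main__":
    for label, rules in [("source port 53 (the mistake)", lan_rules(53, False)),
                         ("source port any", lan_rules(ANY, False)),
                         ("source port any + catch-all", lan_rules(ANY, True))]:
        print(f"--- {label}")
        for flow in (DNS_QUERY, DOH_QUERY, OTHER_HOST_DNS):
            name, gw = route(rules, flow)
            print(f"{flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: {name} via {gw}")
```

Running it shows why the rule with source port 53 never fires: the query arrives from an ephemeral port, so it falls through to the default LAN rule and leaves via the WAN, which is exactly the leak dnsleaktest.com reports. With source port any, the same query is policy-routed to the VPN. The DoH flow on port 443 still takes the WAN until a broader rule for the VPN clients exists, which is what "direct the whole upstream traffic" in the earlier reply means; the non-VPN host is unaffected either way.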
Draghmar @viragomann

                            @viragomann Yup, that was it! Thanks! Now everything seems to work as it should. :D

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.