Netgate Discussion Forum
    Routing PIA VPN to select devices on LAN

    OpenVPN
    42 Posts 4 Posters 83.8k Views
    cobrahead

      I followed this tutorial https://forum.pfsense.org/index.php?topic=76015.0 and was able to get every device on my LAN routed through the PIA VPN server of my choice. How do I go about routing only a handful of devices through VPN and the rest of my devices to my local ISP?

      Thanks

      "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

      johnpoz LAYER 8 Global Moderator

        You place the rules for those specific clients as the source above the rules that send traffic out your vpn connection.  Post up your rules and we can discuss, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        cobrahead

          @johnpoz:

          You place the rules for those specific clients as the source above the rules that send traffic out your vpn connection.  Post up your rules and we can discuss, etc.

          This is what I have.

          "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

          pf3000

            @cobrahead:

            was able to get every device on my LAN routed through the PIA VPN server of my choice. How do I go about routing only a handful of devices through VPN and the rest of my devices to my local ISP?

            Now that you have a working VPN connection, you can do this

            • Set Advanced options>Gateway to WAN in Default allow LAN to any rule. Or select Don't add/remove routes in VPN>OpenVPN>Clients

            • Before proceeding, make sure all the devices are accessing the internet directly, and not through the VPN

            • Make new Firewall>Aliases>IP with the list of LAN IPs that has to go through VPN

            • Make Firewall>Rules>LAN rule called something like IPs via VPN, with Source: Alias, Dest: (invert match) LAN net, Advanced options>Gateway as VPN

            • Drag & drop and place the new rule anywhere above the Default allow LAN to any rule

            johnpoz LAYER 8 Global Moderator

              ^ exactly, you're pulling routes from your VPN connection, which is making it the default route for everyone.  What you want is policy routing.  So you're going to want to turn off pull routes from your client VPN connection.

              [Attachment: dontpullroutes.jpg]

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              cobrahead

                Now that you have a working VPN connection, you can do this

                • Set Advanced options>Gateway to WAN in Default allow LAN to any rule.
                  I could not find exactly where to make this change.

                  Or select Don't add/remove routes in VPN>OpenVPN>Clients

                  I found this and made the change.

                  • Before proceeding, make sure all the devices are accessing the internet directly, and not through the VPN

                  I restarted OpenVPN and all traffic is accessing the internet directly through my ISP.

                  • Make new Firewall>Aliases>IP with the list of LAN IPs that has to go through VPN

                  • Make Firewall>Rules>LAN rule called something like IPs via VPN, with Source: Alias, Dest: (invert match) LAN net, Advanced options>Gateway as VPN

                  Can you explain a little more step-by-step on these?  On the Aliases page there are fields for Name/Description/Type - anything particular in those fields?

                  On the Firewall>Rules>LAN should the source be set to 'Single Host or Alias'? I understand LAN net and invert match on the dest. On advanced options do I use the dropdown box on Gateway and select the OPENVPN_VPNV4 xxx.xx.xx.xx interface?

                "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                  pf3000

                  On the Aliases page there are fields for Name/Description/Type - anything particular in those fields?

                  Leave everything as it is (type will be Host) and fill in the IP/FQDN box

                  On the Firewall>Rules>LAN should the source be set to 'Single Host or Alias'? I understand LAN net and invert match on the dest. On advanced options do I use the dropdown box on Gateway and select the OPENVPN_VPNV4 xxx.xx.xx.xx interface?

                  Yes "Single Host or Alias" and in the box next to it, type the name of the Alias you created in the previous step. As you type, the name will pop up automatically - click on it with your mouse.

                  [Attachments: Firewall Aliases Edit screenshot (2016-08-11 11:17); Firewall Rules Edit screenshot (2016-08-11 11:26)]

                    cobrahead

                    Ok, I did all of this. I noticed your screencap shows the destination 'Invert Match' is not checked, but your instructions say to check it. It seems to work when it is checked, should I uncheck it?

                    After I did all this I setup a DHCP static map for a device (laptop) to test it out. It worked! At first it was attaching to a server in the UK, not the Seattle server I have assigned in pfsense. I had used the UK server before when I was running the PIA software on this laptop. After a pfsense reboot it put this device on the Seattle VPN and everything else on the LAN was routed to my ISP.

                    I did try shutting down the VPN service to see what would happen on the laptop that is routed to VPN… it ended up getting a connection through my ISP. How can I prevent that from happening? Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

                    Thanks for the help.

                    "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                      pf3000

                      @cobrahead:

                      Ok, I did all of this. I noticed your screencap shows the destination 'Invert Match' is not checked, but your instructions say to check it. It seems to work when it is checked, should I uncheck it?

                      Thanks. I don't use that rule often. I fixed it.

                      Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

                      Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.

                        cobrahead

                        @pf3000:

                        @cobrahead:

                        Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

                        Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.

                        That did not work, after VPN service is stopped the device that is assigned the VPN IP reverts back to local ISP.

                        "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                          mauroman33

                          If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two options:

                          1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

                          2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                          The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
                          There is only one active VPN client in my system, so the first solution is simpler for me.
                          If there were more (e.g. guest Wi-Fi) and I wanted different behaviours when a VPN connection drops, I would use the second option.

                            johnpoz LAYER 8 Global Moderator

                            If you don't want these VPN devices to have internet while your VPN is down, then in your rules don't allow those devices to use the rules that allow access for your other devices.

                            This is how policy routing would work out of the box, depending on how you did your rules.  Post up these rules you created to policy route your devices out the VPN.  Sure, if you have a rule after your policy route that includes the devices you want to go out the VPN, then yeah, they would go out the normal path when the VPN is down.

                            Just block them from using that rule.  After your policy route, create a rule that just blocks them.  If your policy route isn't working then there is no way they can get to your, say, default any-any rule at the bottom.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11
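An added model (not from this thread and not pfSense's own code) of first-match LAN rule evaluation, covering pf3000's alias-plus-policy-rule steps earlier in the thread and the gateway-down question discussed here. It assumes a catch-all "Default allow LAN to any" rule at the bottom, the gateway names OPENVPN_VPNV4 and WAN_DHCP used in this thread, constructed sample addresses, and pfSense's documented handling of a down gateway (the rule is loaded without its gateway unless "Skip rules when gateway is down" is enabled).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing; the alias lists the hosts that must use the VPN.
LAN_NET = ip_network("192.168.1.0/24")
VPN_ALIAS = frozenset({ip_address("192.168.1.50")})

@dataclass
class Rule:
    action: str                          # "pass" or "reject"
    src: Optional[frozenset] = None      # None = any; a set = "Single host or alias"
    dst_not_lan: bool = False            # "Dest: LAN net" with Invert match ticked
    gateway: Optional[str] = None        # None = follow the system default route

def matches(rule: Rule, src, dst) -> bool:
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst_not_lan and dst in LAN_NET:
        return False
    return True

def egress(rules, src, dst, gateways_up, skip_when_down=False) -> str:
    """First-match evaluation: returns a gateway name, 'LAN' or 'blocked'."""
    for rule in rules:
        gw = rule.gateway
        if rule.action == "pass" and gw and gw not in gateways_up:
            if skip_when_down:
                continue      # "Skip rules when gateway is down": rule is omitted
            gw = None         # default pfSense behaviour: rule loaded without gateway
        if not matches(rule, src, dst):
            continue
        if rule.action == "reject":
            return "blocked"  # a gateway set on a reject rule changes nothing
        if dst in LAN_NET:
            return "LAN"      # local traffic never needs a gateway
        return gw or "WAN_DHCP"   # WAN_DHCP is the default gateway in this thread
    return "blocked"          # implicit default deny at the end of the LAN tab

VIA_VPN = Rule("pass", VPN_ALIAS, True, "OPENVPN_VPNV4")     # "IPs via VPN"
REJECT_VPN_HOSTS = Rule("reject", VPN_ALIAS, True)          # johnpoz's block rule
DEFAULT_ALLOW_LAN = Rule("pass")                             # Default allow LAN to any

def decide(with_reject: bool, vpn_up: bool, skip_when_down: bool,
           src: str = "192.168.1.50", dst: str = "203.0.113.10") -> str:
    rules = [VIA_VPN] + ([REJECT_VPN_HOSTS] if with_reject else []) + [DEFAULT_ALLOW_LAN]
    up = {"WAN_DHCP"} | ({"OPENVPN_VPNV4"} if vpn_up else set())
    return egress(rules, ip_address(src), ip_address(dst), up, skip_when_down)

if __name__ == "__main__":
    for combo in [(False, True, False), (False, False, False),
                  (True, False, False), (False, False, True), (True, False, True)]:
        print(combo, "->", decide(*combo))
```

With the VPN down, the policy rule still passes the alias hosts out WAN_DHCP whether or not a reject rule follows it; only skipping the rule when its gateway is down lets the reject rule below catch them, while hosts outside the alias and LAN-local destinations are unaffected.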

                              cobrahead

                              @johnpoz:

                              This is how policy routing would work out of the box, depending on how you did your rules.  Post up these rules you created to policy route your devices out the VPN.  Sure, if you have a rule after your policy route that includes the devices you want to go out the VPN, then yeah, they would go out the normal path when the VPN is down.

                              Just block them from using that rule.  After your policy route, create a rule that just blocks them.  If your policy route isn't working then there is no way they can get to your, say, default any-any rule at the bottom.

                              I am attaching my rules. The REJECT rule is based off of the hint that pf3000 gave me.

                              [Attachments: firewall_rules_REJECT.png, firewall_rules_PASS.png, firewall_rules.png, screencapture-firewall_aliases.png]

                              "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                                mauroman33

                                About the reject rule, are you sure WAN_DHCP is the default gateway?
                                Take a look in System / Routing / Gateways

                                  cobrahead

                                  @mauroman33:

                                  About the reject rule, are you sure WAN_DHCP is the default gateway?
                                  Take a look in System / Routing / Gateways

                                  I checked. Both WAN_DHCP and WAN_DHCP6 are default.

                                  "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                                    johnpoz LAYER 8 Global Moderator

                                    why are you setting a gateway on that reject rule?

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      cobrahead

                                      @johnpoz:

                                      why are you setting a gateway on that reject rule?

                                      I was trying what pf3000 suggested. What would you set gateway to in the reject rule?

                                      @pf3000:

                                      Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.

                                      "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                                        cobrahead

                                        @mauroman33:

                                        If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two options:

                                        1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

                                        2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                                        The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
                                        There is only one active VPN client in my system, so the first solution is simpler for me.
                                        If there were more (e.g. guest Wi-Fi) and I wanted different behaviours when a VPN connection drops, I would use the second option.

                                        Very helpful. I followed the guide in the second option and it works as described!

                                        The only issue I need to resolve now is DNS leaking.

                                        "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                                          mauroman33

                                          I solved the DNS leak by enabling the DNS Resolver and placing the following rules in the LAN tab

                                          [Attachment: DNS leak rules.png]

                                            cobrahead

                                            @mauroman33:

                                            I solved the DNS leak by enabling the DNS Resolver and placing the following rules in the LAN tab

                                            How do you enable the DNS resolver? Are you creating another rule from the Firewall->Rules->LAN page? Are both of the rules in your screen shot at the bottom of the list?

                                            My rules page is attached. I don't have any rules relating to DNS Allow/Block.

                                            [Attachment: firewall_rules.png]

                                            "PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.