Routing PIA VPN to select devices on LAN



  • I followed this tutorial https://forum.pfsense.org/index.php?topic=76015.0 and was able to get every device on my LAN routed through the PIA VPN server of my choice. How do I go about routing only a handful of devices through VPN and the rest of my devices to my local ISP?

    Thanks


  • LAYER 8 Global Moderator

    You place the rules for those specific clients as the source above the rules that send traffic out your vpn connection.  Post up your rules and we can discuss, etc.



  • @johnpoz:

    You place the rules for those specific clients as the source above the rules that send traffic out your vpn connection.  Post up your rules and we can discuss, etc.

    This is what I have.



  • @cobrahead:

    was able to get every device on my LAN routed through the PIA VPN server of my choice. How do I go about routing only a handful of devices through VPN and the rest of my devices to my local ISP?

    Now that you have a working VPN connection, you can do this

    • Set Advanced options>Gateway to WAN in Default allow LAN to any rule. Or select Don't add/remove routes in VPN>OpenVPN>Clients

    • Before proceeding, make sure all the devices are accessing the internet directly, and not through the VPN

    • Make new Firewall>Aliases>IP with the list of LAN IPs that has to go through VPN

    • Make Firewall>Rules>LAN rule called something like IPs via VPN, with Source: Alias, Dest: (invert match) LAN net, Advanced options>Gateway as VPN

    • Drag & drop and place the new rule anywhere above the Default allow LAN to any rule


  • LAYER 8 Global Moderator

    ^ exactly, your pulling routes from your vpn connection which is making it default route for everyone.  What you want is policy routing..  So your going to want to turn off pull routes from your client vpn connection..




  • Now that you have a working VPN connection, you can do this

    • Set Advanced options>Gateway to WAN in _Default allow LAN to any rule.
      I could not find exactly where to make this change.

      Or select Don't add/remove routes in VPN>OpenVPN>Clients

      I found this and made the change.

      • Before proceeding, make sure all the devices are accessing the internet directly, and not through the VPN

      I restarted OpenVPN and all traffic is accessing the internet direct trough my ISP.

      • Make new Firewall>Aliases>IP with the list of LAN IPs that has to go through VPN

      • Make Firewall>Rules>LAN rule called something like IPs via VPN, with Source: Alias, Dest: (invert match) LAN net, Advanced options>Gateway as VPN

      Can you explain a little more step-by-step on these?  On the Aliases page there are fields for Name/Description/Type - anything particular in those fields?

      On the Firewall>Rules>LAN should the source be set to 'Single Host or Alias'? I understand LAN net and invert match on the dest. On advanced options do I use the dropdown box on Gateway and select the OPENVPN_VPNV4 xxx.xx.xx.xx interface?_



  • On the Aliases page there are fields for Name/Description/Type - anything particular in those fields?

    Leave everything as it is (type will be Host) and fill in the IP/FQDN box

    On the Firewall>Rules>LAN should the source be set to 'Single Host or Alias'? I understand LAN net and invert match on the dest. On advanced options do I use the dropdown box on Gateway and select the OPENVPN_VPNV4 xxx.xx.xx.xx interface?

    Yes "Single Host or Alias" and in the box next to it, type the name of the Alias you created in the previous step. As you type, the name will pop up automatically - click on it with your mouse.

    ![2016-08-11 11_17_39-Firewall_ Aliases_ Edit - box.lan - Opera.jpg](/public/imported_attachments/1/2016-08-11 11_17_39-Firewall_ Aliases_ Edit - box.lan - Opera.jpg)
    ![2016-08-11 11_17_39-Firewall_ Aliases_ Edit - box.lan - Opera.jpg_thumb](/public/imported_attachments/1/2016-08-11 11_17_39-Firewall_ Aliases_ Edit - box.lan - Opera.jpg_thumb)



  • Ok, I did all of this. I noticed your screencap shows the destination 'Invert Match' is not checked, but your instructions say to check it. It seems to work when it is checked, should I uncheck it?

    After I did all this I setup a DHCP static map for a device (laptop) to test it out. It worked! At first it was attaching to a server in the UK, not the Seattle server I have assigned in pfsense. I had used the UK server before when I was running the PIA software on this laptop. After a pfsense reboot it put this device on the Seattle VPN and everything else on the LAN was routed to my ISP.

    I did try shutting down the VPN service to see what would happen on the laptop that is routed to VPN… it ended up getting a connection through my ISP. How can I prevent that from happening. Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

    Thanks for the help.



  • @cobrahead:

    Ok, I did all of this. I noticed your screencap shows the destination 'Invert Match' is not checked, but your instructions say to check it. It seems to work when it is checked, should I uncheck it?

    Thanks. Don't use that rule often..I fixed it.

    Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

    Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.



  • @pf3000:

    @cobrahead:

    Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

    Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.

    That did not work, after VPN service is stopped the device that is assigned the VPN IP reverts back to local ISP.



  • If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two chances:

    1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

    2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

    The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
    There is only one active VPN client in my system, so the first solution is more simple for me.
    If there were more (eg. guest wi-fi) and I would have different behaviors when a VPN connection drops I should use the second option.


  • LAYER 8 Global Moderator

    If you don't want these vpn devices to have internet while your vpn is down, then in your rules don't allow those devices to use your rules that allow other access for your other devices..

    This is how policy routing would work out of the box depending on how you did your rules..  Post up these rules you created to policy route your devices out the vpn..  Sure if you have rule after your policy around that includes the devices you want to go out the vpn, then yeah they would be go out the normal path when vpn is down.

    Just block them from using that rule..  After your policy route, create rule that just blocks them.. If your policy route isn't working then there is no way they can go your say default any any rule at the bottom.



  • @johnpoz:

    This is how policy routing would work out of the box depending on how you did your rules..  Post up these rules you created to policy route your devices out the vpn..  Sure if you have rule after your policy around that includes the devices you want to go out the vpn, then yeah they would be go out the normal path when vpn is down.

    Just block them from using that rule..  After your policy route, create rule that just blocks them.. If your policy route isn't working then there is no way they can go your say default any any rule at the bottom.

    I am attaching my rules. The REJECT rule is based off of the hint that pf3000 gave me.










  • About the reject rule, are you sure WAN_DHCP is the default gateway?
    Take a look in System / Routing / Gateways



  • @mauroman33:

    About the reject rule, are you sure WAN_DHCP is the default gateway?
    Take a look in System / Routing / Gateways

    I checked. Both WAN_DHCP and WAN_DHCP6 are default.


  • LAYER 8 Global Moderator

    why are you setting a gateway on that reject rule?



  • @johnpoz:

    why are you setting a gateway on that reject rule?

    I was trying what pf3000 suggested. What would you set gateway to in the reject rule?

    @pf3000:

    Hint: copy button- rule u made above, rule action-reject, gateway wan, place under previous rule. If it works, tell us.



  • @mauroman33:

    If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two chances:

    1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

    2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

    The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
    There is only one active VPN client in my system, so the first solution is more simple for me.
    If there were more (eg. guest wi-fi) and I would have different behaviors when a VPN connection drops I should use the second option.

    Very helpful. I followed the guide in the second option and it works as described!

    The only issue I need to resolve now is DNS leaking.



  • I solved the DNS leak enabling the DNS resolver and placing in the LAN tab the following rules

    ![DNS leak rules.png](/public/imported_attachments/1/DNS leak rules.png)
    ![DNS leak rules.png_thumb](/public/imported_attachments/1/DNS leak rules.png_thumb)



  • @mauroman33:

    I solved the DNS leak enabling the DNS resolver and placing in the LAN tab the following rules

    How do you enable the DNS resolver? Are you creating another rule from the Firewall->Rules->LAN page? Are both of the rules in your screen shot at the bottom of the list?

    My rules page is attached. I don't have any rules relating to DNS Allow/Block.



  • LAYER 8 Global Moderator

    What do you think is leaking??  Yeah if you ask pfsense for dns, and it resolves it or even forwards it which is what it is designed to do..

    If you do not want your IPs to not talk to pfsense, or use the internet then create a rule.. How is this not clear??  with your rules you have posted..  If you set pfsense to ignore rules when gateway is down then than your traffic from your clients you want to use the vpn will just go to the next rule that says go out to internet via anyway pfsense is connected, its default route, etc.  sure your can ask pfsense anything..

    If you don't want they said clients to do that, then under the rule that sends them to vpn gateway create a rule that will trigger on their IPs that blocks what you do not want them to do.. If you don't want them to talk to anything then the rule would be block/reject dest any..



  • @johnpoz:

    What do you think is leaking??  Yeah if you ask pfsense for dns, and it resolves it or even forwards it which is what it is designed to do..

    If you do not want your IPs to not talk to pfsense, or use the internet then create a rule.. How is this not clear??  with your rules you have posted..

    Sorry, I am clearly new to this, I have only been using pfsense for a week now.

    When I am using the VPN connection with PIA and I check my IP it is showing an IP on the server I have chosen, Seattle WA in my case… but when I run the DNSleaktest  it shows my local ISP address. Isn't that a DNS leak?



  • I'm sorry if my short answer may have made confusion.
    Surely what is written by johnpoz is totally correct.
    Going back to my answer, I activated the DNS resolver from Services->DNS Resolver->General Settings then I added the two previous rules in Firewall->Rules->LAN placing them immediately after the Anti-Lockout Rule.
    This way I avoided that all devices on my network can use a DNS that is different from what was set in pfSense which is, in my case, the VPN provider's DNS because in System->General Setup I did not set any DNS.



  • @mauroman33:

    I'm sorry if my short answer may have made confusion.
    Surely what is written by johnpoz is totally correct.
    Going back to my answer, I activated the DNS resolver from Services->DNS Resolver->General Settings then I added the two previous rules in Firewall->Rules->LAN placing them immediately after the Anti-Lockout Rule.
    This way I avoided that all devices on my network can use a DNS that is different from what was set in pfSense which is, in my case, the VPN provider's DNS because in System->General Setup I did not set any DNS.

    Cool. Would you mind posting those DNS rules 'edit' pages. Just want to make sure I am configuring them correctly. Thanks

    Attached are mine, something isn't set right… still getting DNS leak.



    ![dns_pass rule.png](/public/imported_attachments/1/dns_pass rule.png)
    ![dns_pass rule.png_thumb](/public/imported_attachments/1/dns_pass rule.png_thumb)


    ![services_dns resolver_general settings.png](/public/imported_attachments/1/services_dns resolver_general settings.png)
    ![services_dns resolver_general settings.png_thumb](/public/imported_attachments/1/services_dns resolver_general settings.png_thumb)



  • You're welcome.
    Here it is.

    ![Allow DNS.png](/public/imported_attachments/1/Allow DNS.png)
    ![Allow DNS.png_thumb](/public/imported_attachments/1/Allow DNS.png_thumb)
    ![Block DNS.png](/public/imported_attachments/1/Block DNS.png)
    ![Block DNS.png_thumb](/public/imported_attachments/1/Block DNS.png_thumb)



  • @mauroman33:

    You're welcome.
    Here it is.

    That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.



  • You will have the same result even using a single rule.

    Does it work for you?

    https://dnsleaktest.com/




  • @cobrahead:

    @mauroman33:

    You're welcome.
    Here it is.

    That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.

    I don't see anything strange.
    Here the other settings in my system.






  • @mauroman33:

    You will have the same result even using a single rule.

    Does it work for you?

    https://dnsleaktest.com/

    No. I tried changing the destination to 'Invert Match' and 'LAN Address' … same results on dnsleaktest... it comes up with my ISP.

    After making these changes should I only use this rule and get rid of the DNS Allow rule?



  • @mauroman33:

    Here the other settings in my system.

    OK. So I went to Services -> DNS Resolver -> General Settings and changed the Outgoing Network Interface from ANY to OPENVPN and that was what I missed. DNSleak stopped… at least according to dnsleaktest.com

    Thanks for your help!



  • @cobrahead:

    @mauroman33:

    You will have the same result even using a single rule.

    Does it work for you?

    https://dnsleaktest.com/

    No. I tried changing the destination to 'Invert Match' and 'LAN Address' … same results on dnsleaktest... it comes up with my ISP.

    After making these changes should I only use this rule and get rid of the DNS Allow rule?

    Yes, it's up to you choose if you want to reach te same goal using the two previos rules or only the last one.



  • Fine.
    Just a note:  if you want to avoid using a DNS (eg the one of the ISP) these rules are just a precaution to prevent anyone from doing so by manually changing the DNS of the device connected to the LAN.
    If you have set the DNS resolver, when you're connected to the VPN provider, the dnsleaktest should show the IP address of the VPN.



  • Got it. I have learned a lot over the last week.  :D

    The only thing that is not working now is stopping and re-starting the OpenVPN service. Some change(s) I made today have caused a full reboot to be necessary in order to restart OpenVPN if it goes down.



  • You could try to install Service_Watchdog from System->Package Manager->Available Packages

    Then in Services->Service Watchdog->Add you can select the OpenVPN client that you're using



  • @mauroman33:

    You could try to install Service_Watchdog from System->Package Manager->Available Packages

    Then in Services->Service Watchdog->Add you can select the OpenVPN client that you're using

    I added it and set it up. No luck though. When I manually stop OpenVPN I cannot get it to restart, without rebooting pfSense.



  • After a failed attempt, did you try to check on Status-> System Logs-> OpenVPN?



  • @mauroman33:

    After a failed attempt, did you try to check on Status-> System Logs-> OpenVPN?

    This is what I get after I manually shut it down and try to re-start it.

    Aug 16 16:55:11 openvpn 29537 RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com: hostname nor servname provided, or not known



  • It seems there is a problem with DNS.
    Sometimes it happened in my system also, so I added the unbound service in Service Watchdog and the problem has not more occurred.
    Actually right now there is only the unbound service in my Service Watchdog.



  • @mauroman33:

    It seems there is a problem with DNS.
    Sometimes it happened in my system also, so I added the unbound service in Service Watchdog and the problem has not more occurred.
    Actually right now there is only the unbound service in my Service Watchdog.

    I added the unbound DNS resolver.

    After I reboot pfSense I get this in the DNS Resolver Sytem Log:
    Aug 16 17:44:13 unbound 32313:0 notice: init module 0: validator
    Aug 16 17:44:13 unbound 32313:0 notice: init module 1: iterator
    Aug 16 17:44:13 unbound 32313:0 info: start of service (unbound 1.5.9).

    Then, after I take down OpenVPN and try to re-start I get this for a full page:
    Aug 16 17:49:54 unbound 28726:2 error: can't bind socket: Can't assign requested address for 10.133.1.6




  • I don't know what the problem is, it would take someone with more experience.
    Meanwhile you could try to add some DNS servers in System->General Setup and to check the DNS Resolver setting.
    I'll show you mine.
    Don't take care of the "Custom options" field content, because it's related to pfBlocker.



    ![DNS Resolver.png](/public/imported_attachments/1/DNS Resolver.png)
    ![DNS Resolver.png_thumb](/public/imported_attachments/1/DNS Resolver.png_thumb)


Log in to reply