OpenVPN to IPVanish question
-
Okay - So I have had pfSense for about a year and a half, feel like I am almost to grips with it. Decided I wanted to fiddle with it today…
Desired result: Have traffic from a transmission jail on a FreeNAS server going via my IPVanish VPN. All other traffic out WAN as normal.
What I have done: Followed a combination of various guides: set the root CA, set up the OpenVPN client, set up the interface. Interface comes up, all good so far.
Changed the outbound NAT rule to hybrid, and added: http://imgur.com/1IGpVeM
Still working so far. Then, to route just the transmission jail (which has a static IP address of 192.168.1.58) out, I added one rule into the LAN rules: http://imgur.com/Ho3XyG8
Now the guide highlighted the fact that if the gateway went down, it would use the default gateway, so on that LAN rule I added the advanced option under "Tag": "NO_WAN_EGRESS".
Then added a floating rule: http://imgur.com/6d6Zrwv In this I had the advanced field "Tagged" set with "NO_WAN_EGRESS" and had the rule set to reject with "Quick" match ticked.
Seems logical, rejects all traffic trying to get out the WAN that had first hit the LAN rule.
Now moment of truth: go to my FreeNAS jail, look at the public IP and sure enough, it's an IPVanish IP! Success! Knock out the VPN, try and connect to the internet from the jail - and it doesn't connect! Seems like the floating rule is working too! Exactly what I want.
However, then I discover that the laptop has also all of a sudden got an IPVanish IP address, and so do all my devices that are on the LAN. For some reason, and I can't figure out why, it is pushing all my traffic out of the VPN! Not what I want.
Any thoughts on why? What am I missing? My default gateway is my WAN gateway - so the catch-all LAN rule below the added LAN rule should be using the WAN? I am now stumped.
-
My guess is that under VPN / OpenVPN / Clients the options "Don't Pull Routes" (and "Don't add/remove routes") are unchecked. I've observed that in that case the VPN will take over as default when you start it. There is more than one way of solving your problem, which will result in slightly different configurations.
If you leave the above mentioned options unchecked, you have to modify your LAN firewall rules and specifically select the WAN gateway for the "Default allow LAN rule to any rule".
In this scenario, if you go to a DNS leak website on a device that goes through the WAN interface, you'll see the IP given by your ISP (as you should) and when you do a DNS test you'll see your VPN's DNS servers (correct me if I'm wrong). If that's OK with you, you're done because you definitely won't have DNS leaks on your VPN's side. If that's a problem, I found the following to be working:

Check the option "Don't Pull Routes". This will result in the following: you won't have to specify the WAN gateway for the "Default allow LAN rule to any rule" since the VPN won't take over as default when enabled. The results on the DNS leak page will show your ISP - also for the devices going through your VPN. In order to fix the leak, you can give devices that you want to go through VPN a static IP and then manually specify your VPN's DNS servers under Services / DHCP Server at the bottom, "DHCP Static Mappings for this Interface". Finally, as a precaution you can set up a firewall rule as outlined under "9 - firewall rules" in this post: https://forum.pfsense.org/index.php?topic=106305.0 (this how-to is generally pretty helpful with the issue).
Keep in mind that I'm fairly new to networking and pfSense (started this project just a month ago), so someone more experienced might have even better or more accurate info.
At any rate, hope the above will help.
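Added example (not from either poster, and not pfSense code): a small Python model of the egress decision the two posts describe, so the three outcomes can be checked side by side. It assumes constructed gateway names (`WAN_GW`, `VPN_GW`), a constructed laptop address, and the thread's jail address and `NO_WAN_EGRESS` tag; the `dont_pull_routes` flag mirrors the "Don't Pull Routes" checkbox and defaults to unchecked, the asker's state.

```python
# Constructed model of pfSense policy routing plus the tag-based kill switch from
# the thread. It is NOT pfSense's implementation; names below are assumptions.

JAIL = "192.168.1.58"      # transmission jail address from the question
LAPTOP = "192.168.1.20"    # constructed address for an ordinary LAN device
KILL_TAG = "NO_WAN_EGRESS"  # tag set by the jail's LAN rule, matched by the floating reject


def lan_rules(catchall_gateway=None):
    """LAN rules in evaluation order: the jail rule policy-routes to the VPN and
    tags the state; the catch-all rule optionally pins a gateway (the answer's
    first suggestion) or follows the system routing table when None."""
    return [
        {"src": JAIL, "gateway": "VPN_GW", "tag": KILL_TAG},
        {"src": "any", "gateway": catchall_gateway, "tag": None},
    ]


def default_gateway(dont_pull_routes, vpn_up):
    """System default route. With 'Don't Pull Routes' unchecked, the OpenVPN
    client accepts the server's pushed default route and takes over."""
    if vpn_up and not dont_pull_routes:
        return "VPN_GW"
    return "WAN_GW"


def egress(src, dont_pull_routes=False, vpn_up=True, catchall_gateway=None):
    """Return the gateway a packet from src leaves through, or 'REJECTED'."""
    for rule in lan_rules(catchall_gateway):
        if rule["src"] not in ("any", src):
            continue
        gw, tag = rule["gateway"], rule["tag"]
        # A policy-routing gateway that is down falls back to the default route,
        # which is exactly the leak the floating rule exists to stop.
        if gw == "VPN_GW" and not vpn_up:
            gw = None
        if gw is None:
            gw = default_gateway(dont_pull_routes, vpn_up)
        # Floating rule: quick reject on WAN for states carrying the kill tag.
        if gw == "WAN_GW" and tag == KILL_TAG:
            return "REJECTED"
        return gw
    return "REJECTED"  # no matching rule: pfSense's implicit default deny
```

With the defaults, `egress(LAPTOP)` returns `VPN_GW` (the asker's symptom); either `dont_pull_routes=True` or `catchall_gateway="WAN_GW"` sends the laptop out the WAN, and with the VPN down the jail is rejected rather than leaking.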