DNS Leaking + quick question on killswitch



  • New pfSense user here and I am having some issues getting OpenVPN working correctly. The setup I have is slightly different than the guides I have found (but imo not actually complex afaik) and I am having issues with DNS leakage while connected to a VPN. Simply put, I want all traffic except for two computers to go out normally, but each of these computers to route out through separate VPN servers (both through PIA, just one in US and one in EU). I have set up two interfaces, one for each location and added rules to the firewall to route each of the computers through the right interface. This gets each of the computers running through the right server, but things got a bit wonky when testing for leakage.

    PC1 which I want connected to the US VPN is leaking a DNS on ipleak.net, but PC2 is showing 2 DNSs on the same site, one being the DNS that it is supposed to be using provided by PIA, and the second one looks like it is the DNS that is supposed to be used by PC1 (same location of servers). The IP that PC1 is leaking is not an IP entered into System > General Setup either and while typing this thread up I got curious and looked at the IP ipleak was showing for PC1's DNS and entering it into the URL bar brings me to pfSense's login screen, and the IP is pretty much the same as the one WAN_DHCP is using, just the last number is different the same IP as the one shown for the WAN interface. I have no clue what this means, but I hope it helps. I'm still new to pfSense, and networking in general, so I am not sure where I should be looking to fix this, but I have looked over a few guides and settings with no luck. The closest I got to fixing this was to pick one of the VPN outbound interfaces in DNS Resolver settings, but this has the side effect of using the VPN DNS servers for all the devices not running through VPN, which at least for now I really don't want.

    As for the killswitch part, I may or may not have gotten this one on my own, but in order to stop traffic from leaking when PIA's servers go down, I have added a rule in the firewall right after each entry for the PCs being pushed into the VPN that blocks access to the WAN interface for both of the PCs. Is this good enough as a killswitch? I went to Status > OpenVPN and stopped the service, and lost connectivity on the corresponding PC so it at least looks like it's working.

    Feel free to ask for more info, and thanks in advance.


  • Banned

    For the killswitch, just have all of your firewall rules that route your traffic to the VPN use the VPN interface as the gateway, if the gateway is down then the internet is down.

    For the DNS leak I think this setup would be best:

    Do what you already did (select VPN interfaces as only outbound interfaces for DNS resolver)

    Go to General Setup and check "DNS Server Override" but leave all of the fields blank (also leave all other DNS fields blank, don't put your VPN providers DNS, google DNS, etc. in any of these fields, all of them totally blank).

    On whatever clients that you don't want using VPN DNS, create a static IP, and enter the DNS server that you want that client to use.

    In this setup everything will resolve to Root servers via the VPN by default. All clients that you create a static mapping for will resolve to whatever DNS server you assign via WAN (assuming you didn't force them through the VPN with firewall rules).


Log in to reply