Here's how to correctly setup Gateway Monitor IP for PIA VPN clients
-
For anyone who has configured their PIA VPN links and found that Gateway Monitor, ala dpinger is unable to ping the VPN link gateway, or are using DNS IP's to monitor your PIA VPN links, I figured out a solution to ping a monitor IP of the actual link that is not the gateway or a DNS server, and after a few weeks of testing seems to be stable and working without issue.
I've been scouring forums about how to configure the Monitor IP of a PIA VPN connection and so far the only kludge workaround of using an external DNS to monitor the gateway link. This poses some problems; 1) pfSense / dpinger configure a static route to the defined monitor IP (in this case a DNS server), which immediately limits the specified DNS server IP address to only use the link that it's defined as the gateway monitor IP, and 2) pinging beyond the gateway itself is subject to "Internet Weather" which results in sometimes erratic ping responses that do not reflect the actual state of the link itself, but routing issues beyond the link, and 3) if you have multiple VPN links you need to configure multiple DNS IP's each of which then gets static routed to a specific link. Not a good working solution to me.
I noticed that all PIA links I've tested always have an IP address range of 10.xx.10.yy. And digging into the configurations that PIA pushes to the client, I noticed that it's pushing a NET30, not SUBNET configuration.
More digging brought me to the pfSense docs on alternate monitor address for NET30 links (see https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses). Though this did not directly address the PIA problem, some more playing around while remember that using non-linear / CIDR notation netmasks such as 255.0.255.0, is entirely legal, after all it's just a bit mask, and that such masks are used on some routing / NAT'ing situations.
Further playing with the pfSense Diagnostics >> Ping tool, I discovered that I can ping the VPN link "gateway" using a 10.xx.10.1 address of the link subnet. However since each re-connection to PIA changes the "xx" portion, and the fact that the pfSense configuration for the gateway monitor IP is static, I needed either a fixed address, or a way to detect the sub-net assignment and update the dpinger configuration accordingly.
Just as I was thinking this was going to take some coding to come up with a solution to monitor a dynamically changing, non-gateway IP, I fell back the non-linear bits netmask thoughts and more testing.
What I came up with is that you can ping the PIA VPN link gateway using 10.0.10.1 regardless of the dynamically assigned link subnet. And the corresponding ping times were not only much lower than pinging a DNS server beyond the link, but appeared to be far more stable as well, suggestion that using this as a monitor IP I'm getting actual link ping timings.
I also have more that one VPN link and because the monitor IP is static routed to the link it's associated too, I needed to have a unique fixed monitor IP for each VPN link. Well ping 10.2.10.1 also worked. And so far from testing I"ve been able to ping 10.0.10.1 through 10.99.10.1 (mask 255.0.255.0) with no problems. So each link gets a unique monitor IP, (10.0.10.1, 10.1.10.1, etc.), and I get real gateway latency timings that are not subject to upstream latency issues.
So for all you PIA VPN users that have needed a proper way to monitor your gateway links; configure your Gateway Monitor IP using the 10.xx.10.1 as described above, and enjoy properly configured gateway monitoring.
-
Maybe but PIA could change that at any time.
-
PIA could change that at any time.
Exactly! So for now I'm using for gw monitoring one of Level 3 resolvers - 4.2.2.[1-6]
