Restrict PIA openvpn access to only ONE IP on my network…

  • and have that IP address NOT have access to the internet in the event that the PIA link goes down.

    I have been searching for a way to:

    • have pfsense connect to PIA, but have only certain IP addresses on my LAN route through PIA - the rest go through my regular connection.

    • when the connection to PIA goes down, the IP addresses that connect through PIA cannot access the internet.

    I searched high and low for a solution, finding and reading numerous tutorials along the way, such as this one:
    https://forum.pfsense.org/index.php?topic=118196.0
    and this one: https://forum.pfsense.org/index.php?topic=72902.0
    Both were valuable, but neither was able to get my setup to work the way I want. Here is a summary of what finally worked for my setup:

    1. Follow this guide from the PIA website: https://www.privateinternetaccess.com/pages/client-support/pfsense
       This one may be helpful also: https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2
       Check to ensure that you have a connection to PIA.

    2. Under VPN -> OpenVPN -> Clients -> "edit the client for PIA"

    3. Under "Tunnel Settings", make a check in the box next to "Don't pull routes". At this point you should not be able to connect to anything.

    4. Go to Firewall -> Rules -> LAN and add a rule that has the following criteria:
          a. Action: Pass
          b. Interface: LAN
          c. Protocol: Any
          d. Source: single host or alias. Select the host or alias you want to route through PIA
          e. Destination: any
          f. Gateway: PIA_OPENVPN or whatever the name of your PIA gateway is
       Save.

    At this point, you should be able to connect to the internet from the machine(s) not listed under 4d (NOT through PIA) and the machines listed under 4d (through PIA).
    The next step will block the machines listed under 4d from connecting to the internet if the connection to PIA goes down:

    5. Create another rule that has the following criteria:
          a. Action: Block
          b. Interface: LAN
          c. Protocol: Any
          d. Source: single host or alias. Select the host or alias you want to route through PIA
          e. Destination: Any
       Save.

    IMPORTANT: place the rule created in step 5 BELOW the one from step 4.
    Verify that the setup works as expected by disconnecting from PIA and attempting to reach the internet from the IP address(es) listed under 4d.
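    The reason the ordering in steps 4 and 5 matters is that pfSense evaluates LAN rules top to bottom and the first match wins. The following is an added example, not part of the original post or of pfSense: a small Python model of that first-match evaluation, using the alias name `pia_clients` and the gateway name `PIA_OPENVPN` as constructed stand-ins for the values in 4d and 4f, and assuming (as the post's verification relies on) that a pass rule whose gateway is down does not match, so traffic falls through to the block rule.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of pfSense first-match LAN rule evaluation (not pfSense code).
@dataclass
class Rule:
    action: str                     # "pass" or "block"
    source: str                     # host/alias name, or "any"
    gateway: Optional[str] = None   # policy-route gateway; None = default route

def evaluate(rules, src_host, gateway_up):
    """Return the fate of traffic from src_host: the first matching rule wins.
    Assumption: a pass rule whose gateway is down is skipped, which is what lets
    the step 5 block rule catch the traffic when the PIA tunnel drops."""
    for rule in rules:
        if rule.source not in ("any", src_host):
            continue
        if rule.action == "pass" and rule.gateway and not gateway_up.get(rule.gateway, False):
            continue
        if rule.action == "block":
            return "block"
        return f"pass via {rule.gateway or 'default'}"
    return "block"  # pfSense implicit default deny

VPN_HOST = "pia_clients"            # constructed alias name standing in for 4d
step4 = Rule("pass", VPN_HOST, gateway="PIA_OPENVPN")   # step 4: policy-route to PIA
step5 = Rule("block", VPN_HOST)                         # step 5: kill switch
default_lan = Rule("pass", "any")   # stock "Default allow LAN to any" rule (assumed present)
correct_order = [step4, step5, default_lan]   # step 5 BELOW step 4, as the post says
wrong_order = [step5, step4, default_lan]     # block placed above the pass rule

def outcomes(rules):
    """Evaluate the three cases a practitioner checks after following the post."""
    return {
        "vpn_host_tunnel_up": evaluate(rules, VPN_HOST, {"PIA_OPENVPN": True}),
        "vpn_host_tunnel_down": evaluate(rules, VPN_HOST, {"PIA_OPENVPN": False}),
        "other_host_tunnel_down": evaluate(rules, "other_host", {"PIA_OPENVPN": False}),
    }

if __name__ == "__main__":
    for name, rules in (("correct order", correct_order), ("block above pass", wrong_order)):
        print(name, outcomes(rules))
```

With the correct order the VPN host is passed via PIA while the tunnel is up, blocked when it is down, and other LAN hosts keep their normal WAN access; with the block rule on top, the VPN host is blocked even when the tunnel is up.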

    If this helps anyone out, great! If anyone sees any errors please suggest correction! Thanks to muppet in the IRC channel for helping with this.