Ensuring against IP leaks - a challenge?



  • Hi everyone,

    (first post, n00b, yes hi)

    I bought a Netgate SG-3100 at the start of the year and, apart from the occasional ups and downs, I've been pretty pleased with it and pfSense.
    I run a few OpenVPN connections (grouped, for failover - great pfSense feature) and the majority of my network traffic runs through them. Overall, along with DNS leak prevention, privacy-wise, things seem pretty good - much thanks to the excellent guide on techhelpguides.

    I can check my exposed IP on sites like google.com, www.whatismyip.com, dnsleaktest.com, astrill.com/vpn-leak-test - any number of sites and they all report the IP of my active VPN connection.

    BUT - there is one site which reports my actual IP. The beautifully simple http://whatismyip.host - and it's driven me a bit mad!
    I even contacted them to ask how they're achieving such an excellent result and they suggested it might be my VPN provider setting the X-Forwarded-For header - but alas, I've checked and this isn't the case.

    So, my question is really - Does anyone else get unexpected results using http://whatismyip.host?


  • Netgate

    So, my question is really - Does anyone else get unexpected results using http://whatismyip.host?

    No.



  • @tonynibbles:

    So, my question is really - Does anyone else get unexpected results using http://whatismyip.host?

    No :)


  • Netgate

    This post actually looks like spam.



  • Well, it might be a bit wordy but I can assure you it's not spam - a genuine query as to whether this is just me or not.

    Thanks for the replies, I'm still at a loss as to where my fault is and why this site and only this site reports my IP, but I will persevere.


  • Rebel Alliance

    So I just turned my policy route rule to send client out vpn.  I then made sure client was using quad9 for dns vs pfsense as resolver and hit up what's my IP and your website, both showing my vpn IP. So not sure what you're doing exactly.  But without details it will be impossible for anyone to help you spot what you're doing wrong, etc.

    Turned policy rule off and back to my normal wan IP from isp.





  • Netgate

    @tonynibbles:

    Well, it might be a bit wordy but I can assure you it's not spam - a genuine query as to whether this is just me or not.

    Thanks for the replies, I'm still at a loss as to where my fault is and why this site and only this site reports my IP, but I will persevere.

    It is showing your IP address because you have your system configured to send it out the WAN not the OpenVPN.

    No way to know what in your configuration is wrong unless you show us what you have done.



  • Well, fwiw my system setup uses much of the advice in the techhelpguides article, VPNs are configured as a Gateway group consisting of four VPN connections, the load balancing handles when one becomes too slow.

    A firewall rule on the LAN tells all outbound traffic to use the VPN Gateway Group.

    I'm a little less familiar with the DNS setup, but I've used the DNS Resolver method ("Leak Prevention Method 2") from the tech help guides.

    My setup appears to work well, apart from this one site which reports my IP. Everything else, Google, dnsleak, ipleak, whatismyip - they all report my VPN IP. This is why it's so frustrating - something's getting through but I can't be sure how.

    There are so many settings in pfSense it seems impossible to convey every detail of my config - I suppose a better question would be, what tools do people use to debug this?

    ![Screen Shot 2018-04-16 at 23.01.14.png](/public/imported_attachments/1/Screen Shot 2018-04-16 at 23.01.14.png)


  • Netgate

    Packet captures and wireshark.

    Diagnostics > States



  • Hmmm, ok.

    Now in states, I can see that if I use Google.com, the request uses one of my VPN connections, but on the other website, the request goes out on WAN. Damn.



  • FFFFFFFF

    OK. I've got it!

    I am running pfBlocker and have it set to create an alias group of Amazon servers. Requests to these destination IPs are set to bypass the VPN (mostly for content streaming), but in this case because that website was hosted on AWS, it was being delivered on the WAN not the VPN. Hence, it could see my IP.

    This is the dumbest thing. Thanks for the heads up on figuring this out, was doing my nut in.
    What a doofus.
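
The check that resolved this thread, as an added example that is not part of the original posts or anyone's actual configuration: it walks state-table rows, flags LAN clients whose traffic leaves on a non-VPN interface, and names the bypass alias (if any) that explains it. The interface names, LAN range, alias name, CIDRs and the simplified row format are all constructed assumptions.

```python
import ipaddress

# Constructed stand-in for a bypass alias such as the pfBlocker one described
# above. These are documentation ranges, not real AWS prefixes.
BYPASS_ALIASES = {"bypass_hosting": ["198.51.100.0/24", "203.0.113.0/25"]}
VPN_IFACES = {"ovpnc1", "ovpnc2"}                 # hypothetical VPN interfaces
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # hypothetical LAN

# Constructed rows in a simplified "iface proto src:port -> dst:port" form;
# not verbatim pfSense state-table output.
SAMPLE_STATES = """\
ovpnc1 tcp 192.168.1.20:50111 -> 192.0.2.10:443
wan tcp 192.168.1.20:50112 -> 198.51.100.7:80
ovpnc2 udp 192.168.1.31:40000 -> 192.0.2.53:53
wan tcp 192.168.1.20:50113 -> 192.0.2.99:443
"""


def host(endpoint):
    """Strip the port from an IPv4 'addr:port' endpoint."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])


def matching_alias(dst, aliases):
    """Return the name of the first alias whose CIDRs contain dst, else None."""
    for name, cidrs in aliases.items():
        if any(dst in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def find_vpn_bypasses(states_text, vpn_ifaces=VPN_IFACES, aliases=BYPASS_ALIASES):
    """List LAN-client states that egress a non-VPN interface.

    Each result is (src, dst, iface, alias); alias is None when no known
    bypass alias explains the route, which is the case to investigate first.
    """
    findings = []
    for line in states_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue  # skip rows that are not in the simplified form
        iface, _proto, src, _arrow, dst = parts
        src_ip, dst_ip = host(src), host(dst)
        if src_ip in LAN_NET and iface not in vpn_ifaces:
            findings.append((str(src_ip), str(dst_ip), iface,
                             matching_alias(dst_ip, aliases)))
    return findings
```

A finding with an alias name is an intentional bypass that also exposes the real IP to anything else hosted in those ranges; a finding with `None` points at a rule-order or gateway problem instead.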



    No. I am getting the same IP results with whatismyip.host and other websites such as whatismyip.live

    I am using PureVPN and visited both websites. Here are the results:

    http://whatismyip.live  IP results:

    http://whatismyip.host results:


 
