Real IP leaking even if connected through OpenVPN tunnel…!!!

  • I've set up several VPN tunnels (PureVPN & NordVPN).
    Nearly all external IP checking sites detect the Remote IP given (e.g., etc..).


    I can change it from one tunnel to another..
    Reset states…
    Reboot pfSense...
    Tried using a VPN Gateway Group (each TIER 1)...

    .. always detecting my real IP.

    I've no clue why???

    I've the standard rules and NAT (which everyone seems to use):


    Action | Protocol | Source   | Port | Destination | Port | Gateway     | Queue | Schedule | Description
    Pass   | IPv4 *   | VPN_HOST | *    | *           | *    | VPN_GW_DHCP | none  |          | Hosts from LAN to VPN


    Interface | Source   | Src. Port | Destination | Dest. Port | NAT Adr.       | NAT Port | Static | Description
    VPN_IF    | VPN_HOST | *         | *           | *          | VPN_GW address | *        |        | Hosts from VPN_IF to Tunnel

    Any ideas.. Would be pleased.. :)

    P.S. .. it is not WebRTC !!! Disabled on every browser…

  • PUSH..

    No one any idea…

    If I use e.g. the NordVPN application on my laptop (goes through WAN), my real IP is hidden (same as the remote IP).
    If I send them through the pfSense tunnel, my real IP is revealed.

    There should be no difference.... OR???

  • Have you disabled WebRTC in your browser?

  • That is def a configuration issue on your devices/router.

    I am using an sg2220, and with PIA and airvpn I do not get my "real" IP.

  • Both your LAN and NAT rules use "VPN_HOST" as a source in their rule definition. This means that these rules do not take effect unless whatever is defined as "VPN_HOST" is true. But you did not specify what VPN_HOST is. Perhaps change your source to a wildcard ("*") to see if that changes the firewall & NAT rule behavior, or provide clarification as to what "VPN_HOST", as a source address, is restricted to.

  • LAYER 8 Netgate

    There is no harm in just setting the Outbound NAT rule there to the whole subnet that VPN_HOST is on. Outbound NAT does not have any bearing on what traffic flows where. It only dictates what NAT occurs when traffic flows that way, so if the traffic is not routed out that interface, no outbound NAT will occur.

    But if VPN_HOST is used to both policy route and perform outbound NAT it will always match.

    Setting Outbound NAT for source any is almost never a good idea and generally ends up matching traffic that should not be natted at all.

    I policy routed a VM out a VPN and reports the VPN egress address as it should.
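
The point made in the reply above, as a simplified model: the matching firewall rule's gateway decides which interface a packet leaves by, and outbound NAT only translates what actually leaves by that interface. This is an added example, not part of the thread and not pfSense code; the addresses, the alias content, the default allow-LAN rule and the WAN NAT rule are assumptions.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_HOST = {ipaddress.ip_address("192.168.1.50")}   # assumed content of the alias
WAN_ADDR, VPN_ADDR = "198.51.100.7", "203.0.113.9"  # documentation-range addresses

# LAN firewall rules, first match wins: (source, interface behind the rule's gateway).
LAN_RULES = [
    (VPN_HOST, "VPN_IF"),  # pass VPN_HOST -> any, gateway = VPN (policy route)
    (LAN_NET, "WAN"),      # assumed default allow-LAN rule, default gateway
]

# Outbound NAT rule sets: (interface, source, NAT address).
NAT_ALIAS = [("VPN_IF", VPN_HOST, VPN_ADDR), ("WAN", LAN_NET, WAN_ADDR)]
NAT_SUBNET = [("VPN_IF", LAN_NET, VPN_ADDR), ("WAN", LAN_NET, WAN_ADDR)]

def egress(src, nat_rules):
    """Return (egress interface, source address seen outside) for a LAN host."""
    src = ipaddress.ip_address(src)
    # Step 1: the firewall rule that matches picks the gateway, hence the interface.
    iface = next((i for spec, i in LAN_RULES if src in spec), None)
    if iface is None:
        return None, None  # no pass rule matched, packet is dropped
    # Step 2: outbound NAT is looked up only on the interface the packet leaves by.
    for nat_if, spec, nat_addr in nat_rules:
        if nat_if == iface and src in spec:
            return iface, nat_addr
    return iface, str(src)  # no NAT rule matched: leaves untranslated

if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.1.60"):
        print(host, "alias NAT:", egress(host, NAT_ALIAS),
              "subnet NAT:", egress(host, NAT_SUBNET))
```

In this model, widening the VPN_IF NAT source from the alias to the whole subnet changes nothing for a host that is not policy routed: it still leaves by WAN with the WAN address.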

  • Is all your DNS traffic (or at least DNS traffic for hosts from the VPN_HOST alias) routed through your VPN tunnels too?
