DNS Leak Using Gateways Group
Hello everyone. I installed pfSense last week. I found it excellent.
I was able to configure it to access the VPN (ExpressVPN) using one of its servers. Success (no DNS leaks). I decided to configure two more VPN clients. I created a rule and changed NAT for each of the two new clients. All work perfectly independently. I then decided to create a gateway group with these 3 clients and put this gateway into a rule. I can access the internet and my IP gets switched, but a DNS leak occurs.

In the DNS Resolver service, Network Interfaces is set to my LAN, and Outgoing Network Interfaces to only the 3 VPN gateway interfaces. In System / General Setup / DNS Server Settings I have not set anything, and "Allow DNS server list to be overridden by DHCP / PPP on WAN" is not checked.

Like I said, everything works except that I have DNS leaks. I did a long search on Google and tried several tips, but none worked.
Typically the way I see DNS leak prevention tackled via pfSense + VPN is to:
- Configure each client to use an external DNS resolver (Google, Level3, Cloudflare, or your VPN service's).
- (Optional) Create a firewall Alias for all of your client LAN IPs that will use the VPN service, and only the VPN service.
- Create a LAN firewall rule that blocks/rejects inbound port 53 (DNS requests) to This Firewall (pfSense LAN interface IP) from the new Alias you created.
- An additional Floating firewall rule at the top that blocks/rejects traffic to/from the Alias you created, for both the WAN and LAN interfaces. Do not set it as Fast mode (see next).
- The default LAN to Any rule should still let the Alias reach the firewall itself (but no longer port 53), since Floating rules are processed first, then the other rules. Without this, they can't actually communicate to the router before being tunneled over the VPN.
- I see folks block IPv6 traffic for their VPN clients, but I'm not particularly sure why. Maybe due to IPv4 over IPv6 tunneling that they weren't expecting (which might cause DNS leaks)? Beats me, but I blocked it anyway since I'm not using IPv6 for my VPN stuff.
- Set Outbound NAT to Hybrid mode, and copy a couple of the auto-generated rules for the LAN -> WAN, but this time, as LAN -> VPN.
If you don't take the above approach with two separate firewall tables, you can do two floating rules below the one above:
- One to deny the VPN clients access to the firewall's resolver/port 53.
- One to still allow the VPN clients access to the firewall at all.
But this is only sensible if you have some other Fast processing blocker below, or the default LAN to Any rule doesn't exist, etc.
Ah, and two more things:
- Don't forget to check Advanced -> Miscellaneous -> Gateway Monitoring -> Skip rules when gateway is down: Do not create rules when gateway is down. You don't want pfSense allowing the VPN client traffic over its new default gateway without the aforementioned rules applied. Let it all fail if the VPN gateway is down.
- And for the OpenVPN client settings, ensure Don't Pull Routes (or advanced setting no-pull-routes) is set. You likely have this already, but it basically ensures that your default gateway for the entire network doesn't suddenly become your VPN service.
The obvious caveat to all of this is that if the VPN is down (on that note, consider installing the Service Watchdog package and adding OpenVPN to its list of monitored services), then the aliased client systems cannot reach the Internet; I personally use this, and block my VPN clients from using the regular WAN/WAN2 without tunneling first. They are also DNS-leak free, if that's desired. System updates tend to be a bit slower since they have to occur over the VPN. You can craft rules around this, set up a local update staging host, whatever. Just pointing it out.
(edited with several refinements and additions)
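Added illustration by the editor (not part of kachunkachunk's post and not pfSense code): a small Python model of the rule-ordering mechanics the post relies on, so you can see why the non-Fast floating block still lets the Alias reach the firewall (the quick LAN pass wins), why port 53 to the firewall is refused, and why "Skip rules when gateway is down" turns into a kill switch when it is paired with a Fast block below the policy-routing rule, as the post suggests. The pf facts modelled are: rules are evaluated top to bottom, the last matching rule wins unless a matching rule is Quick/Fast (which ends evaluation at once), pfSense places floating rules ahead of interface-tab rules and makes interface-tab rules Quick, and rules bound to a down gateway are omitted when that option is set. Everything else is a constructed assumption: the addresses (192.168.1.0/24, firewall 192.168.1.1, Alias hosts .50 and .51, a VPN-side resolver at 10.0.0.53), the gateway group name VPN_GROUP, and the exact ruleset, which is my arrangement of the post's ingredients. NAT and stateful reply handling are not modelled, only the first packet of a flow.

```python
"""Toy model of pf/pfSense rule evaluation order (editor's example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed addressing for the example; assumptions, not from the thread.
LAN_IF = "lan"
FIREWALL_LAN_IP = ip_network("192.168.1.1/32")      # "This Firewall" on the LAN tab
LAN_NET = ip_network("192.168.1.0/24")
VPN_CLIENTS = [ip_network("192.168.1.50/32"),        # the Alias of forced-VPN hosts
               ip_network("192.168.1.51/32")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    src: List
    dst: List
    dport: Optional[int] = None    # None = any destination port
    iface: Optional[str] = None    # None = floating rule, matches any interface
    quick: bool = False            # pfSense "Quick", the post's "Fast mode"
    gateway: Optional[str] = None  # policy-routing gateway (group), if any


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    dport: int


def in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return in_any(pkt.src, rule.src) and in_any(pkt.dst, rule.dst)


def evaluate(rules, pkt: Packet, down_gateways: Iterable[str] = ()):
    """Walk rules top to bottom. The LAST matching rule wins, unless a
    matching rule is quick, which decides the packet immediately.
    Rules bound to a down gateway are absent from the ruleset, which is
    what 'Skip rules when gateway is down' does in pfSense."""
    last = None
    for r in rules:
        if r.gateway is not None and r.gateway in down_gateways:
            continue
        if matches(r, pkt):
            if r.quick:
                return r.action, r.gateway, r.name
            last = r
    if last is None:
        return "block", None, "default deny"
    return last.action, last.gateway, last.name


# pfSense order: floating rules first, then the LAN tab (tab rules are quick).
RULES = [
    Rule("float: block Alias everywhere (not Fast)", "block", VPN_CLIENTS, ANY),
    Rule("lan: block Alias -> This Firewall :53", "block", VPN_CLIENTS, [FIREWALL_LAN_IP],
         dport=53, iface=LAN_IF, quick=True),
    Rule("lan: pass Alias -> This Firewall", "pass", VPN_CLIENTS, [FIREWALL_LAN_IP],
         iface=LAN_IF, quick=True),
    Rule("lan: pass Alias -> any via VPN group", "pass", VPN_CLIENTS, ANY,
         iface=LAN_IF, quick=True, gateway="VPN_GROUP"),
    Rule("lan: block Alias -> any (Fast kill switch)", "block", VPN_CLIENTS, ANY,
         iface=LAN_IF, quick=True),
    Rule("lan: default LAN net -> any", "pass", [LAN_NET], ANY, iface=LAN_IF, quick=True),
]

if __name__ == "__main__":
    cases = [
        (Packet("lan", "192.168.1.50", "192.168.1.1", 53), ()),       # resolver on pfSense
        (Packet("lan", "192.168.1.50", "192.168.1.1", 443), ()),      # web UI still reachable
        (Packet("lan", "192.168.1.50", "10.0.0.53", 53), ()),         # VPN-side DNS, tunnel up
        (Packet("lan", "192.168.1.50", "10.0.0.53", 53), {"VPN_GROUP"}),  # tunnel down
        (Packet("lan", "192.168.1.20", "8.8.8.8", 53), {"VPN_GROUP"}),    # non-Alias host
    ]
    for pkt, down in cases:
        print(pkt, "->", evaluate(RULES, pkt, down))
```

Run it and compare the five verdicts with the post's bullets: the Alias host reaches the firewall on 443 but not on 53, goes out through VPN_GROUP while the tunnel is up, and is blocked by the Fast rule below the policy route once the gateway is marked down, while a host outside the Alias still uses the default LAN-to-any rule.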
Thank you, kachunkachunk. In fact, I believe I misinterpreted the DNS leak test provided by ExpressVPN. The test reports in the title that a DNS leak exists. However, all the DNS servers shown refer to each of the client services that I configured, one for each server. None of them are in my ISP's subnet or refer to my country. So there is probably no DNS leak.
However, I found your configuration interesting because I can use other DNS servers than those provided by ExpressVPN. I'll do a test this weekend.
Thank you for your reply.
You're welcome. Just want to also prompt you to go over it once more since I've done several edits.
Generally it should all be very much like several guides out there for pfSense + Private Internet Access, in the context of forcing specific clients to use the VPN and failing all Internet access if it's down (implement both the VPN tunnel and the VPN kill switch at the router level).