VPN blocked?



  • Yeah, I think you are right. I will probably just start adding rules to route traffic through WAN when it is blocked. Thanks.



  • you interested me


  • LAYER 8 Moderator

    @ryanm said in VPN blocked?:

    @Gertjan I don't want to get too far off topic, but can you point me at a resource to read about making DNS safe? This is around SSL encrypted requests to your DNS provider correct? I moved to using CloudFlare's DNS (1.1.1.1 and 1.0.0.1) in my pfSense configuration. Is there a way to force the SSL version on pfSense?

    You know, that pfSense 2.4.4+ has a configuration for using DNS over TLS already implemented?
    -> Services / DNS Resolver
    => Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

    after setting that the DNS servers configured in System/General will be used for DNSoverTLS via port 853.

    But that adds the problem/discussion about having too many traffic/services centralized giving that (few) companies (too?) much power. Especially as - on their end - they could actually look what you're asking via their service (as the traffic leaves their hosts/network). Same with VPN. You connect safely to their servers but from there it goes to your target location. So the VPN provider could log/track you, too. It all boils down to trust and if centralized services are really that much better then decentralized approaches (DNS resolving instead of forwarding).



  • @jegr thank you. Yes, I had found this setting and enabled it. I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

    It is not that I have anything to hide, but I also have no reason to share either.

    I remember hearing an innovator speak on privacy & security. He spoke about how encryption should be strong, and on by default. He mentioned how some could make the argument "Why do you need to encrypt? What do you have to hide?", but he likened it to traditional mail. If you send a letter in an envelope, no one asks "Why do you need to put that letter in an envelope? What are you trying to hide?" because it has become the default and is not considered divergent behavior.

    I would be very interested in a blog series or forum threads specific to security. Am I overlooking something that already exists?



  • @ryanm said in VPN blocked?:

    "Why do you need to put that letter in an envelope?

    With the difference that you send all your letters in envelops to one identified intermediate facility, that knows very well who you are, they have your return address. This facility opens your envelop and reads it all out loud, with the world as it audience.
    Remember, after Quad9 or comparable, if not cached, root servers, tld servers and domain servers are still questioned as before.
    Think about it : the data path didn't change much. But in this case you're being served by a company that pays taxes. The classic path serves you with an infrastructure (root servers) being financed by your taxes.
    As with the classic postal services : the local path, the post men that walks just in front of your door is being removed from the equitation. It's the guy you probably already know - and the other way around.


  • LAYER 8 Moderator

    I also moved from CloudFlare to Quad9. Not sure who is really "better" or more privacy conscious.

    Between those two? I'd go with Cloudflare.

    He spoke about how encryption should be strong, and on by default.

    Agreed like HTTPS. But as many DNS servers don't support DNSoverTLS or DNSoverHTTPS or other encrypted features yet (a pity) that comparison is flawed as you send all traffic encrypted to e.g. Quad9 (sponsered by quite a few interesting parties...) and the Q9 servers as forward target then do the DNS resolving for you. So they know what you're searching. If you do DNS resolving by yourself in pfSense via unbound, the unbound daemon resolves it from the root servers upwards to the authoritative DNS so in essence asks exactly the right server who serves the domain for every call (and then caches it for your later use) instead of relying on a single source like quad9 to do that (and know all DNS queries coming from you). That's why quite a few DNS folks out there found the hype of centralized DoT (DNSoverTLS) to be quite debatable.



  • @gertjan so it really depends on how much you trust the one handling your envelope/DNS request.

    By your reasoning, what is stopping the postman from opening and reading your mail. Nothing, but it is a relatively easy measure to put in place that provides a reasonable level of protection/privacy, but not full protection/privacy. The same could be said about DNS providers. Find one that appears to be trustworthy and use DNS over TLS/SSL and this will provide you with a reasonable level of protection/privacy for the effort involved.

    The same could be said about VPN providers. Yes, it provides some level of privacy/protection in general, but the provider would still have the ability to see all of that data, and comes down to how trustworthy they are.

    Is this fair/accurate?

    @JeGr wait, so I want to make sure I follow what you were saying. So if I want to use DNS over TLS/SSL, I am running all of my lookup requests through 1 service, and they would have the ability to know what domains I am requesting. Correct? And it would just depend on how much I "trust" them with that data.

    Conversely, it sounds like I could use unbound to lookup requests from the root servers. So the root servers would know what I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?


  • LAYER 8 Global Moderator

    @ryanm said in VPN blocked?:

    t I am requesting from them, but not all of my queries. So they only see a piece of my traffic. Is that the idea?

    If you do query minimization that yeah that would be true... So you would only ask the ROOTs for the NS of the tld your looking for say .com, then you would ask the .com NS hey I am looking for domain.com, you would only ask the domain.com NS for host.domain.com

    Problem is that this sort of minimization breaks down and you will find that multiple things will fail to resolve.. Mostly because of odd ball cname configurations for the domain, etc.

    If you are sending dns over tls to some service - then yes that service sees everything you ask for, you just handed them your surfing habits on a silver platter.. I am sure they are thankful ;)

    And yes your vpn provider is going to see everything as well.. The thing I don't get is how come you distrust the company you actually pay for service so much, that your willing to pay for some other service that just because they say they don't log you trust them more?? makes Zero Sense to Me!!!

    If your going to take this distrust model to its extreme - then you should only be using burner phones that you bought with cash.. And use of CC is just plain out the window because they see all your transactions. And to be honest you can not even go outside because their are camera's everywhere and more than likely your paying tolls electronically as well..

    Be it Doh or Dot, you should really understand exactly before you go jumping on any such bandwagon if you ask me.. Keep in mine that your https traffic doesn't hide where you are going either because the domain your going to is going to be in the SNI in the clear..



  • @johnpoz It is a fair point John and I may re-evaluate my need for a VPN. It does add some frustration and nuance.

    The way I understand the query minimization is that it keeps any single entity of seeing all of your browsing habits, at the expense of dealing with some resolving issues. With a single provider having the reverse pro/con. I suppose it is weighing convenience against privacy.

    I do appreciate everyone's patience explaining these topics to me. It has been extremely educational.



  • I don't get this "rush to VPNs for privacy" thing either. It's like the VPN providers out there have used slick marketing to create a demand for their product. They get a potential goldmine of information from their users. They say they "don't log", but do you really believe that? Do you not realize that any provider in any Western democracy can easily be coerced via legal means to divulge everything about a user or even a group of users in the name of a criminal investigation or "national security". So if you are paranoid about "big brother" watching you, then a VPN provider is the very last thing you want because that just serves to draw attention to you. Why? Because the favorite haunt of cyber bad guys are services like VPNs and TOR. That's one reason VPN services have started to get on "bad reputation" IP lists.

    My beef with VPN services is that folks jump into using them without understanding the true ramifications, then they come here and to other forums whining about various "broken" things wanting to blame it on other software. For example, it's not unusual for a user to post about some issue they are blaming on a pfSense bug; but, you finally drag it out of them 4 or 5 posts later in their rant about their problem that "oh, yeah, I am using VPN provider xyz" and it turns out that is the problem because these VPN IP net blocks are winding up on so many blacklists.

    Finally, using a VPN bogs your firewall CPU down with encrypting and decrypting every single packet that traverses the wire. It also adds lots of latency to your connections as traffic has to bounce back and forth from your VPN provider's entry and exit points and your local ISP.



  • It seems I am having the same issue. I am currently using AIRVPN provider and I cannot open this forum.
    Is it possible that the AirVpn ip addresses servers are blacklisted?
    Thanks


  • LAYER 8 Rebel Alliance

    Spammers use VPNs....so they all get blacklisted bit by bit.

    -Rico



  • Fair enough even if criminals use cars, mobile phones, computers but all of those can still be bought 😂 ... I am a newbie and i am wondering if someone would be able to tell me if (and how eventually) I can bypass the VPN connection to connect to the pfsense forum without having to change network.
    Thank you very much


  • LAYER 8 Rebel Alliance

    Depending on your VPN Setup it should be no problem to policy route by setting destination IP to 208.123.73.199 (this forum) and choosing your default gateway (Advanced options in the Firewall Rule).

    -Rico


  • LAYER 8 Netgate

    @zapoteknico said in VPN blocked?:

    Fair enough even if criminals use cars, mobile phones, computers but all of those can still be bought 😂 ...

    Right but if you choose to drive a car that was just used in a bank robbery you'll get pulled over.



  • Hello Rico.
    Thank you very much.
    I understand what you say however I have no understanding of how I would be able to achieve that in pfesense.
    I understand i might be asking a lot but any help in pointing me to how to create thoae rules would really help



  • @derelict indeed... However the difference here is the brand of the car, not exactly the same car...if a Mercedes is used in a bank robbery, not all Mercedes drivers will be stopped 😜


  • LAYER 8 Rebel Alliance

    You create this Firewall Rule for the Interface you want to bypass forum.netgate.com (typically LAN) and put on top of your Rules:
    0_1552319590197_vpn1.png
    hit Display Advanced and set your ISP Gateway (or default if your ISP GW is still the system default):
    0_1552319649704_vpn2.png

    -Rico


  • LAYER 8 Global Moderator

    If your going to policy route, make sure your not pulling routes from your vpn service - most of their crap guides want you to pull their route so they are default, and most of them mistakenly tell you to do manual outbound nat, etc.



  • Thank you very much for the help but i am surrendering.
    I understand half of the things you talk about and I think i have rules setup that makes impossibile to create those exemptions (followed the above suggestions but it didn't work)
    I don't want to bother anyone more than needed as I am going to reconfigure everything tomorrow (getting a new mini pc)

    Thank you :)


Log in to reply