create PIA kill switch for pfswitch 2.4.5



  • Any guide on how to create the rules to make a kill switch so if PIA goes down my internet won't go out?



  • Will you be connecting from a host behind pfSense, or will the connection to the PIA server be performed through the pfSense OpenVPN client?



  • @mcury I'm connected via OpenVPN currently, but they changed a server name and I didn't realize for a few days, and I don't want this to happen again. I saw a solution posted here, but I saw that if it goes down it will block the connection from being re-established. I had a great article on how to do it but now can't find it.



  • pfSense has an OpenVPN client; are you using that?
    Or are you connecting from a host like a Windows or Linux PC behind pfSense?



  • I'm using a Netgate SG-3100 box and I have several computers, phones etc. behind it. The issue I have had is that I was using ProtonVPN and maintenance occurred during the morning and no failover is available for them, and I think the same issue applies to PIA. I want to have this kill switch and I want to stop DNS leaking. There was an article that showed how to do all of this and now it's gone.

    Yes, I'm using OpenVPN on the device.



  • Inside the OpenVPN client configuration, what is ticked in:

    [screenshot of the OpenVPN client configuration options]





  • Awesome. I will try it tomorrow. Thanks for your help. Someone gave me this Netgate box and I have a four-port Protectli. Trying to determine which one I keep.


  • LAYER 8 Moderator

    no_wan_egress

    is your keyword to search for ;)



  • @JeGr Thanks



  • This is very simple; read about the remote host command:
    https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/



  • @kewe said in create PIA kill switch for pfswitch 2.4.5:

    Any guide on how to create the rules to make a kill switch so if PIA goes down my internet won't go out?

    I thought a killswitch should make the internet go out.


  • LAYER 8 Moderator

    @bcruze said in create PIA kill switch for pfswitch 2.4.5:

    This is very simple; read about the remote host command:
    https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

    That has nothing to do with the question the OP asked. Sorry :/

    Any guide on how to create the rules to make a kill switch so if PIA goes down my internet won't go out?

    I thought a killswitch should make the internet go out.

    I guess it was meant as "my internet will go out" :) Otherwise the kill switch makes no sense, I agree :)



  • @JeGr said in create PIA kill switch for pfswitch 2.4.5:

    @bcruze said in create PIA kill switch for pfswitch 2.4.5:

    This is very simple; read about the remote host command:
    https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

    That has nothing to do with the question the OP asked. Sorry :/

    Any guide on how to create the rules to make a kill switch so if PIA goes down my internet won't go out?

    I thought a killswitch should make the internet go out.

    I guess it was meant as "my internet will go out" :) Otherwise the kill switch makes no sense, I agree :)

    "if PIA goes down my internet won't go out?"

    That command fixes that exact request?


  • LAYER 8 Moderator

    "if PIA goes down my internet won't go out?"

    That command fixes that exact request?

    a) This is most likely a typo and should mean "will go out"; otherwise it makes no sense.
    b) What does the "remote" statement have to do with the solution either way? "remote" specifies your connection endpoint on the client side, aka which server to connect to. What does that have to do with "cut/don't cut connection if PIA goes down"? Perhaps I don't understand your intention, but it makes no sense to me. :)



  • @JeGr said in create PIA kill switch for pfswitch 2.4.5:

    "if PIA goes down my internet won't go out?"

    That command fixes that exact request?

    a) This is most likely a typo and should mean "will go out"; otherwise it makes no sense.
    b) What does the "remote" statement have to do with the solution either way? "remote" specifies your connection endpoint on the client side, aka which server to connect to. What does that have to do with "cut/don't cut connection if PIA goes down"? Perhaps I don't understand your intention, but it makes no sense to me. :)

    I am posting what I use for an OpenVPN tunnel that goes down... it reconnects using the command I posted:

    --remote host [port] [proto]
    Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature. See the <connection> documentation below. The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options.

    If I misunderstood, feel free to delete my replies, but that is how I understood the question.


  • LAYER 8 Moderator

    I am posting what I use for an OpenVPN tunnel that goes down... it reconnects using the command I posted:

    The remote command is always configured when setting up a client/server in pfSense. The question asked tells me the OP has already configured a PIA tunnel in pfSense as a client. So there is no need to configure anything with the "remote" keyword, as pfSense already does that by default. As to the "reconnect", pfSense always reconnects a tunnel if it can; that is the default, as with a client configuration pfSense's defaults are "inactive 0; keepalive 10 60", so it will always try to reconnect.

    What was (possibly) asked (we don't know for sure, as the OP worded the question a bit strangely) is how he can actively disable any traffic leaving pfSense to the internet when PIA is down (e.g. the tunnel has a connection problem, the PIA server is down, PIA has problems etc.), so his VPN tunnel is down but his connection on WAN is up. In that case pfSense would normally route traffic via WAN, unencrypted. That is when (theoretically) information leakage is going to happen, and a wiretap at your provider could e.g. listen to the DNS calls being made from you.

    That's why we recommended searching for NO_WAN_EGRESS, as there is a thread about how to set up VPN on pfSense with a "killswitch" that will block any traffic leaving WAN unencrypted (i.e. without going through the PIA tunnel).

    If I misunderstood, feel free to delete my replies, but that is how I understood the question.

    Misunderstandings happen; that's why I was asking what you mean by the "remote host" keyword, as that is always configured by default by pfSense itself. :)



  • @JeGr Yes, my goal was that if PIA goes down, no traffic leaves my network. I used the settings PIA gave me and it works; I have tested it a few times. Also, I have added port 1194 so it is not blocked and PIA can reconnect, and I blocked any rogue DNS service from running.
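The NO_WAN_EGRESS kill switch described by JeGr above, plus the two refinements kewe mentions (an allowance so the OpenVPN client can reconnect on UDP/1194, and a block on DNS that tries to go anywhere except the tunnel resolver), written out as an added example in raw pf rule syntax, which is what pfSense generates underneath its GUI rules. This is not kewe's configuration, not the NO_WAN_EGRESS forum thread, and not pfSense's own documentation. It assumes a WAN interface igb0, a LAN interface igb1 on 192.168.1.0/24, a pfSense OpenVPN client interface ovpnc1 with tunnel gateway 10.8.0.1, a PIA endpoint at 198.51.100.10 and a provider resolver at 203.0.113.53; every one of those names and addresses is a placeholder chosen for illustration.

```pf
# Added example: pfSense-style NO_WAN_EGRESS kill switch in raw pf syntax.
# All interface names and addresses below are assumptions (placeholders).
wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
vpn_if  = "ovpnc1"         # pfSense OpenVPN client interface
vpn_gw  = "10.8.0.1"       # tunnel-side gateway pushed by the VPN server
pia_srv = "198.51.100.10"  # placeholder for the PIA endpoint
vpn_dns = "203.0.113.53"   # placeholder for the resolver that lives inside the tunnel

# 1. The firewall itself must be able to reach the VPN endpoint on UDP/1194 so the
#    tunnel can be re-established. Traffic pfSense originates never passes the LAN
#    rules below, so it is never tagged and never hits the kill-switch block; this
#    rule only makes the requirement explicit.
pass out quick on $wan_if proto udp from ($wan_if) to $pia_srv port 1194 keep state

# 2. LAN DNS may only go to the tunnel resolver, policy-routed into the tunnel and
#    tagged. Any other port-53 destination is refused, which stops rogue resolvers
#    and DNS leaks regardless of tunnel state.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) proto { tcp udp } \
    from $lan_net to $vpn_dns port 53 tag NO_WAN_EGRESS keep state
block return in quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# 3. Everything else from LAN is policy-routed into the tunnel and tagged.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
    from $lan_net to any tag NO_WAN_EGRESS keep state

# 4. The kill switch: a tagged packet that tries to leave on WAN is dropped.
#    That is exactly what happens when the tunnel is down and the packet falls
#    back to the default route instead of the tunnel gateway.
block drop out quick on $wan_if tagged NO_WAN_EGRESS
```

In the pfSense GUI these are a LAN pass rule with the PIA gateway selected and "Tag" set to NO_WAN_EGRESS under Advanced Options, plus a floating Block rule on WAN, direction out, Quick, with "Tagged" set to NO_WAN_EGRESS. The reason the tag approach works is pfSense's default handling of a down gateway: the LAN rule is loaded without its route-to, the traffic takes the default route via WAN while still carrying the tag, and the floating block catches it. Two caveats a practitioner should check: the pfSense DNS Resolver's own queries are firewall-originated and therefore untagged, so set its outgoing interface to the OpenVPN interface (or forward only to the tunnel resolver) or they will leave on WAN; and the rules above are IPv4 only, so if WAN has IPv6 and the tunnel does not, clients can still leak over IPv6 unless it is blocked or disabled on LAN. To confirm the switch is engaging, stop the OpenVPN client and watch the block rule's counters with `pfctl -vsr | grep -A1 NO_WAN_EGRESS`.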

