Netgate Discussion Forum

    create PIA kill switch for pfswitch 2.4.5

      kewe @mcury

      @mcury I'm connected via OpenVPN currently, but they changed a server name and I didn't realize for a few days, and I don't want this to happen again. I saw a solution posted here, but I saw that if it goes down it will block the connection from being re-established. I had a great article on a how-to but now can't find it.

        mcury Rebel Alliance

        pfSense has an OpenVPN client, are you using that?
        Or are you connecting from a host like a Windows or Linux PC behind pfSense?

        dead on arrival, nowhere to be found.

          kewe

          I'm using a Netgate SG-3100 box and I have several computers, phones, etc. behind it. The issue I have had is that I was using ProtonVPN and maintenance has occurred during the morning and no failover is available for them, and the same issue, I think, for PIA. I want to have this kill switch and I want to stop DNS leaking. There was an article that showed how to do all of this and now it's gone.

          Yes, I'm using the OpenVPN on the device.

            mcury Rebel Alliance

            Inside the openvpn client configuration, what is ticked in:

            [image]

              mcury Rebel Alliance @mcury

              Check this link: https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/

                kewe

                Awesome. I will try it tomorrow. Thanks for your help. Someone gave me this Netgate box and I have a four-port Protectli. Trying to determine which one I keep.

                  JeGr LAYER 8 Moderator

                  no_wan_egress

                  is your keyword to search for ;)

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    kewe @JeGr

                    @JeGr Thanks

                      bcruze

                      This is very simple read on the remote host command
                      https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

                        Bob.Dig LAYER 8 @kewe

                        @kewe said in create PIA kill switch for pfswitch 2.4.5:

                        any guide on how to create the rules to make kill switch so if pia goes down my internet wont go out?

                        I thought a killswitch should make the internet go out.

                          JeGr LAYER 8 Moderator @bcruze

                          @bcruze said in create PIA kill switch for pfswitch 2.4.5:

                          This is very simple read on the remote host command
                          https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

                          That has nothing to do with the question the OP asked. Sorry :/

                          any guide on how to create the rules to make kill switch so if pia goes down my internet wont go out?

                          I thought a killswitch should make the internet go out.

                          I guess it was meant as "my internet will go out" :) Otherwise the kill switch makes no sense, I agree :)

                            bcruze @JeGr

                            @JeGr said in create PIA kill switch for pfswitch 2.4.5:

                            @bcruze said in create PIA kill switch for pfswitch 2.4.5:

                            This is very simple read on the remote host command
                            https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

                            That has nothing to do with the question the OP asked. Sorry :/

                            any guide on how to create the rules to make kill switch so if pia goes down my internet wont go out?

                            I thought a killswitch should make the internet go out.

                            I guess it was meant as "my internet will go out" :) Otherwise the kill switch makes no sense, I agree :)

                            " if pia goes down my internet wont go out?"

                            that command fixes that exact request?

                              JeGr LAYER 8 Moderator @bcruze

                              " if pia goes down my internet wont go out?"

                              that command fixes that exact request?

                              a) This is most likely a typo and should mean "will go out" - otherwise it makes no sense.
                              b) What has the "remote" statement to do with the solution either way? "remote" specifies your connection endpoint on the client side, aka which server to connect to. What has that to do with "cut/don't cut connection if PIA goes down"? Perhaps I don't understand your intention but it makes no sense to me. :)

                                bcruze @JeGr

                                @JeGr said in create PIA kill switch for pfswitch 2.4.5:

                                " if pia goes down my internet wont go out?"

                                that command fixes that exact request?

                                a) This is most likely a typo and should mean "will go out" - otherwise it makes no sense.
                                b) What has the "remote" statement to do with the solution either way? "remote" specifies your connection endpoint on the client side, aka which server to connect to. What has that to do with "cut/don't cut connection if PIA goes down"? Perhaps I don't understand your intention but it makes no sense to me. :)

                                I am posting what I use for an OpenVPN tunnel that goes down... it reconnects using the command I posted:

                                --remote host [port] [proto]
                                Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature. See the <connection> documentation below. The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options.

                                if i misunderstood feel free to delete my replies, but that is how i understood the question

                                  JeGr LAYER 8 Moderator

                                  I am posting what I use for an OpenVPN tunnel that goes down... it reconnects using the command I posted:

                                  The remote command is always configured when setting up a client/server in pfSense. The question asked tells me the OP has already configured a PIA tunnel in pfSense as a client. So there is no need to configure anything with the "remote" keyword, as pfSense already does that by default. As to the "reconnect": pfSense always reconnects a tunnel if it can; that is the default, as with a client configuration pfSense's defaults are "inactive 0; keepalive 10 60", so it will always try to reconnect.

                                  What was (possibly) asked (we don't know for sure, as the OP worded the question a bit strangely) is how he can actively disable any traffic leaving pfSense to the internet when PIA is down (e.g. the tunnel has a connection problem, the PIA server is down, PIA has problems, etc.), so his VPN tunnel is down but his connection on WAN is up. In that case pfSense would normally route traffic via WAN and unencrypted. That is when (theoretically) information leakage is going to happen, and a wire tap with your provider could e.g. listen to DNS calls being made from you.

                                  That's why we recommended searching for NO_WAN_EGRESS, as there is a thread about how to set up VPN on pfSense with a "killswitch" that will block any traffic leaving WAN unencrypted (e.g. without going through the PIA tunnel).

                                  if i misunderstood feel free to delete my replies, but that is how i understood the question

                                  Misunderstandings happen, that's why I was asking what you mean by the "remote host" keyword as that is always configured per default by pfSense itself. :)

                                    kewe @JeGr

                                    @JeGr Yes, my goal was that if PIA goes down no traffic leaves my network. I used the settings PIA gave me and it works; I have tested it a few times. Also, I have added port 1194 not to be blocked so PIA can reconnect, and I blocked any rogue DNS service from running.

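The NO_WAN_EGRESS kill switch that JeGr describes, sketched as pf rules. This is an added example, not taken from the thread or from a pfSense-generated ruleset; the interface names, gateway address, and client network are assumed values, and on pfSense the same rules are built in the GUI with the "Tag" and "Tagged" advanced rule options.

```pf
# Assumed names and addresses (constructed for this example)
wan_if = "em0"        # WAN interface
lan_if = "em1"        # LAN interface
vpn_if = "ovpnc1"     # OpenVPN client interface (the PIA tunnel)
vpn_gw = "10.8.0.1"   # gateway inside the tunnel
table <vpn_hosts> { 192.168.1.0/24 }   # LAN clients that must only use the VPN

# --- Without a kill switch (shown commented out) ---
# Policy routing alone. If the tunnel gateway is down and this rule ends up
# applied without its route-to, matching traffic follows the default route
# and leaves unencrypted via $wan_if.
# pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
#     from <vpn_hosts> to any keep state

# --- With the tag-based kill switch ---
# 1) Outbound on WAN: drop every packet that was marked on its way in.
#    (pfSense: floating rule, direction "out", interface WAN,
#     "Tagged" = NO_WAN_EGRESS, action block, quick)
block out quick on $wan_if tagged NO_WAN_EGRESS

# 2) Inbound on LAN: policy-route into the tunnel AND mark the packet.
#    The tag stays with the packet, so if it is ever sent towards
#    $wan_if instead of $vpn_if, rule 1 drops it.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from <vpn_hosts> to any tag NO_WAN_EGRESS keep state

# Traffic the firewall itself originates never enters through $lan_if, so it
# is never tagged: the OpenVPN client can still reach the provider on port
# 1194 (the port named in the last post) and re-establish the tunnel.
# The same applies to DNS lookups made by the firewall's own resolver,
# which is why DNS leaks need separate handling.
```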
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.