Netgate Discussion Forum

DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND

Category: DHCP and DNS
Tags: dns, unbound, routing
11 Posts, 3 Posters, 1.0k Views
    charles_moody, Jul 16, 2021, 10:19 AM (last edited Jul 16, 2021, 10:22 AM)

    After having followed a lot of topics in the forums here I've got OpenVPN via ExpressVPN running and Netflix working, but Amazon Prime still detects a proxy.

    The main problem, as usual, is DNS, and I can't get them from ExpressVPN (johnpoz, I clearly know this has nothing to do with pfSense, and no, I can't get a VPS).

    So I've got the Resolver doing its thing via Quad9 on all interfaces. To circumvent the DNS no-handout of ExpressVPN I set up an Ubuntu VM with their app (which uses their DNS); I followed this guide so the VM routes (and should masquerade) everything I point to it.

    My setup in short pfsense:hw (unbound on all interfaces) > ubuntu:vm (guide above)

    The problem: Client pointed to the VM

    • with gateway:vm and dns:vm

    ping 8.8.8.8 working, google.com not

    • with gateway:vm and dns:auto/pfsense

    ping 8.8.8.8 working, google.com working

    For the life of me I can't wrap my head around this... the resolver must somehow restrict my clients from using the DNS of the VM; how could I proceed to circumvent this?

    Thanks a lot in advance!

    Best regards
    Charles

      Gertjan @charles_moody, Jul 16, 2021, 12:21 PM

      @charles_moody said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

      After having following a lot of topics in the forums here I've got openvpn via expressvpn running and Netflix working, but AmazonPrime still detects a proxy.

      Not a problem.
      "Amazon" uses a list with all known VPN server addresses, and the ExpressVPN server you use is on that list.
      You: "Tell them to remove that IP from their list."
      They: "It's part of the selling condition: use no proxy == VPN - use your ISP WAN IP and you'll be fine."

      "Netflix": for me, the same thing: when I use my ExpressVPN connection, they won't stream anything to me.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        johnpoz (LAYER 8 Global Moderator) @charles_moody, Jul 16, 2021, 12:30 PM (last edited Jul 16, 2021, 12:33 PM)

        @charles_moody said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

        and no I can't get a vps)

        Why is that? ExpressVPN costs, it seems, if you pay for a year in advance, "$8.32 per month for a 12-month plan".

        You can get a VPS for like $15 for a YEAR... you can get others for also low. I have a KVM VPS currently - can do anything I want on it. For a whole $24 a year, $2 a month. That is 1/4 the price you're paying for a VPN. Run your VPN through that - now you're maybe not on a block list from whatever service you're trying to use. And you still hide your traffic from your ISP.

        If a service blocks VPN IPs, routing traffic through some local VM that uses a VPN is still going to be coming from the VPN IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Gertjan @johnpoz, Jul 16, 2021, 1:46 PM

          can't get a VPS.

          Running a VPS is fine, but those can't be rented using some pseudonym. The IPv4 and IPv6 will be bound to your name / address.... When you want to be part of the Internet, you become part of the public network.
          The traffic is private, but the end points (IPs) are not.

          @johnpoz:

          1. Maybe he didn't look up a price yet.
          2. Not everybody has access to credit cards and/or PayPal or comparable.
          3. A VPS has to be managed. Running a (V)PS goes far beyond "GUI and go".

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            johnpoz (LAYER 8 Global Moderator) @Gertjan, Jul 16, 2021, 2:04 PM (last edited Jul 16, 2021, 2:07 PM)

            Not saying it's point and click ;)

            But it can solve the issue of a VPN IP on a block list for some service you're trying to use. Now normally you would just route this traffic out your normal ISP connection. Can't see why anyone would care if their ISP knows they are going to Amazon ;)

            Normally people routing traffic through a VPN for some service like Netflix or Amazon Prime are doing so to circumvent geoip restrictions for what movies they can watch. The simple solution for this, when they block known VPN providers in whatever region you want an exit IP in, is to get a VPS in that region. Almost always going to be cheaper than an actual VPN anyway.

            If your goal is hiding your actual IP from "whatever" you're doing, and you don't want that being tracked back to you, then use your typical VPN for that.

            I don't get how someone that can have Netflix and Amazon Prime, and pay for a VPN, can not have the resources to pay for a VPS ;) As a way to solve their current problem.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              charles_moody @Gertjan, Jul 16, 2021, 4:34 PM

              @gertjan said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

              uses a list with all known VPN server addresses

              I've read this in another topic; it's the same discussion - I only discovered this through your answers.

              and the xpressvpn server you use is on that list

              That's not entirely true:

              • If you use their app you're using their DNS and no service ever recognizes the proxy in between
              • If you use ExpressVPN the OpenVPN way you don't get their DNS; Netflix won't recognize this, but AZ and Disney still do; there is "no" way of obtaining their DNS servers (for good reason, as it seems)

              So what I want to accomplish is routing everything through a VM which in fact uses the official app and therefore their DNS servers.

              I've been struggling with this situation for over a year, not because I use AZ but my family does, and they would be grateful to have German content in Italy.

              I do have a work-related VPS for webdev, but my hoster is pair and they don't provide any servers in Germany. The VPS would be my last resort, as I still need to keep the VPN service (again for family, so they can switch between Germany/Switzerland/Austria (local/IP TV, Sky, Netflix, Amazon)).

              I'd just like to accomplish this: route DNS requests of clients through the said VM; I'm using the DNS resolver with Quad9, which seems to interfere with this.

              @johnpoz said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

              Not saying it point and click ;)

              I'm geeky, sitting in front of a PC since I was 9. I had an immense struggle with pf in the beginning because I stayed away from networking, especially DNS, but worked my way up.

              I come from OPNsense, and even if it's sometimes easier, it's not what I was searching for - I found that with pfSense.

              circumvent geoip restricts for what movies they can watch.
              Almost always going to be cheaper than actual vpn anyway.

              Before I go this route and spend extra cash, I will try it with the things by hand.

              If your goal is hiding your actual IP from "whatever" your doing - and you don't want that being tracked back to you. Then use your typical vpn for that..

              Therefore I'm using a TorGuard VPN, with Tor on live Tails ;)

              I don't get how someone that can have netflix and amazon prime, and pay for a vpn can not have the resources to pay for a vps ;) As a way to solve their current problem..

              I completely understand this sentiment! It's just that I'd really like to resolve it with the things by hand; the extra VPS would be a nice, clean and 'easy' solution. But it is what it is.

              So I'm kindly asking how you would accomplish this. To recap:

              • Unbound on all interfaces
              • When pointing the gateway of clients to said VM, pinging the IP and domain works
              • When pointing the gateway and DNS server of clients to said VM, pinging the IP works but pinging the domain doesn't

              Clearly the DNS requests are going somewhere else, or even better, are blocked by Unbound.

              How to work around this?

              Thanks for answering, and have a nice evening!

              Kind regards,
              Charlie

                Gertjan @charles_moody, Jul 16, 2021, 6:20 PM

                @charles_moody said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

                That's not entirely true

                Still, ExpressVPN owns these IPs (entire blocks); they can't hide them.
                When I launch my ExpressVPN client app, I get an IP in the Netherlands.
                When I ask who it is:

                whois 85.203.44.137
                ......
                org-name:       EXPRESS-TELECITY-AMSTERDAM
                .....
                

                So 85.203.44/24 is probably 'listed' already.

                Btw: normally I do not use the ExpressVPN app; I prefer the OpenVPN Connect app for all my OpenVPN connections.
                ExpressVPN says they are 'OpenVPN compatible', but what version??
                The old one, that was used with pfSense 2.4.5-p1 (OpenVPN 2.4.9, something like that), worked just fine.
                The new pfSense, 2.5.2, uses:

                OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
                library versions: OpenSSL 1.1.1k-freebsd  25 Mar 2021, LZO 2.10
                Originally developed by James Yonan
                Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
                .....
                

                So 2.5.2 (purely a coincidence that it is the same number as my pfSense CE).

                I haven't managed to make this one work with ExpressVPN yet.
                Mostly because I didn't do my homework, that is: reading the OpenVPN docs for the 2.5.x series, as it brings new things and changes existing things.
                I presume that ExpressVPN is still using 2.4.9.xxx - but that info, they hide well.

                They say on their support pages: "we are OpenVPN compatible", but not what that OpenVPN version is.

                My question: what DNS you use shouldn't have an impact.
                When you visit 'amazon.com', before the connection is established, a DNS request is sent out to resolve "amazon.com". The IP comes back and that IP is used.
                Where you got the IP from, Amazon doesn't know (does it even care?) - it might as well be hard coded in a local file by you.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  charles_moody @Gertjan, Jul 20, 2021, 6:54 AM

                  Please see my first post; I didn't want the entire discussion about the VPN/VPS, just a hand or pointer to accomplish the 'gateway+dns'.

                  @gertjan I'm using two OpenVPN tunnels on two VLANs with Express; this works with the DNS resolver with Quad9 without leaks, and Netflix works just fine. I mentioned the topic where you already explained the section on IP blocks and Netflix/AZ/++ paying people to get those IPs.

                  For at least 3 years now, while using the Express app, I never had any trouble with any service detecting a proxy in between. Using the OpenVPN protocol is the hiccup here I think, and this has nothing to do with pfSense.

                  @johnpoz The question wasn't about Express or OpenVPN, but if and how I could get clients to make DNS requests over a specified gateway (VM with VPN app, routing enabled through iptables); to recap:

                  The problem: Client pointed to the VM

                  • Gateway:vm and dns:auto/pfsense
                    -- ping 8.8.8.8 working, google.com working

                  • Gateway:vm and dns:vm
                    -- ping 8.8.8.8 working, google.com not

                  I have the DNS resolver set on all interfaces; is it this? Or do I need NAT rules?

                  I am simply drawing a mental blank here and would hope to get some pointers on how to route DNS traffic through said VM.

                  Have a nice day!

                    johnpoz (LAYER 8 Global Moderator) @charles_moody, Jul 20, 2021, 1:51 PM (last edited Jul 20, 2021, 1:55 PM)

                    @charles_moody said in DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND:

                    get some pointers how to route dns-traffic trough said vm.

                    Point the clients to that IP. Not sure why this is a question? As to routing to get to whatever this destination IP is: yeah, the client would have to be able to get to the IP; if it's using a VPN, it's quite possible the VPN doesn't allow access other than routed through the VPN.

                    What does this have to do with pfSense?

                    If you're routing traffic from this client via a policy route out some VPN connection on pfSense, and you want it to use some other IP on your network for DNS, then point the client to that IP for DNS, and allow for access on 53 above your policy route.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      charles_moody @johnpoz, Jul 20, 2021, 4:09 PM

                      @johnpoz So I had those clients pointed to the VM via static mappings, and as written, DNS didn't get through said VM.

                      Do I understand the policy route right - that I have to create a NAT rule above the current rule for those clients? (Will try it as soon as I get home)

                        johnpoz (LAYER 8 Global Moderator) @charles_moody, Jul 20, 2021, 11:15 PM (last edited Jul 20, 2021, 11:16 PM)

                        You do not need to create a NAT, but if you're policy routing, then yes, you need a rule above that policy route rule that allows where you're trying to go before you policy route out a VPN.

                        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

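As an added illustration of the rule ordering johnpoz describes (this is not code from the thread or from the Netgate documentation it links), here is what the two pfSense LAN rules look like in pf ruleset syntax, which is what the pfSense GUI ultimately generates. The scenario is the one in his reply: clients use pfSense as their default gateway, a policy route sends their traffic out an OpenVPN client tunnel, and DNS to the Ubuntu VM must be let through with the normal routing table. The interface name `igb1`, the subnet `192.168.1.0/24`, the VM address `192.168.1.10`, the tunnel interface `ovpnc1` and its gateway `10.8.0.1` are all assumed placeholders; substitute your own.

```pf
# Added example, not from the thread or the Netgate docs.
# All interface names and addresses below are assumed placeholders.
lan_if  = "igb1"            # assumed LAN interface
lan_net = "192.168.1.0/24"  # assumed client subnet
dns_vm  = "192.168.1.10"    # assumed LAN address of the Ubuntu VM running the VPN app
vpn_gw  = "10.8.0.1"        # assumed gateway address inside the OpenVPN client tunnel

# 1. Bypass rule: DNS (UDP and TCP, port 53) to the VM is passed with no
#    'route-to', so it follows the normal routing table. 'quick' stops rule
#    evaluation at the first match, which is why this rule must sit ABOVE
#    the policy-route rule; placed below it, the policy route would match
#    first and the query would leave via the tunnel instead of reaching the VM.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $dns_vm port 53

# 2. Policy route: everything else from the clients goes out the VPN tunnel.
#    In the GUI this is the LAN rule with the tunnel gateway selected.
pass in quick on $lan_if route-to (ovpnc1 $vpn_gw) from $lan_net to any
```

No NAT entry is involved, matching johnpoz's answer: the bypass is a plain pass rule. Two checks are worth doing before blaming the firewall. First, from a client, query the VM directly (for example with `dig @192.168.1.10 google.com`, using your real VM address) and compare with a query to pfSense; if the direct query times out, the VM itself is not answering on its LAN address on port 53, and no pfSense rule will change that. Second, in Diagnostics > States on pfSense, a state for the client to the VM on port 53 should show no gateway, whereas states for other traffic from the same client should show the tunnel gateway; if the DNS state also shows the tunnel gateway, the rule order is wrong.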
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.