PfSense 2.1/OpenVPN client/PIA: Does outgoing traffic get routed over the VPN?



  • Hi.

    The concern that I have, which gives me reason to post this topic, is whether outgoing traffic gets routed over the VPN connection when PfSense 2.1 is used as an OpenVPN client. Oh, and newbie alert. Networking has never been my core competence.

    Background information:
    I have installed pfSense 2 on a VM, then upgraded to pfSense 2.1. I have configured pfSense as an OpenVPN client for the VPN provider PIA (or Private Internet Access). In order to do so, I have followed the following guides and piecemeal advice found using Google:

    https://www.privateinternetaccess.com/forum/index.php?p=/discussion/119/pfsense-openvpn-setup/p1
    http://www.komodosteve.com/archives/232

    Description of problem:
    I have configured PfSense 2.1 according to the above mentioned guides and now, when I browse the internet and use diverse "what is my IP"-sites, my external IP shows as the IP of the specific PIA VPN gateway that I am using. I have also tried downloading one of those special legal "what is my IP"-torrents, more specifically the one from TorGuard, and also it shows my external IP as the IP address of the specific PIA VPN gateway that I am using - and not an external IP of my actual ISP. So far, all seems good.

    According to most online sources, however, PIA only allows the individual user to have forwarded one incoming port. You need to set up pfSense with a script to forward this port through the firewall and I have not done so, since this is a complicated and time consuming task. My pfSense 2.1 firewall, configured according to the guides above, is wide open by the way.

    The problem is that I have tried downloading a well seeded and well leeched legal torrent for testing purposes. To my surprise, my BitTorrent client constantly uploads at very high speed in spite of the fact that the BitTorrent client does not know the port forwarded by PIA and nothing port forwarding specific has been configured in pfSense 2.1. As far as I understand, this should not be possible. I have tried using the various diagnostic utilities of pfSense to understand what is going on, but to no avail. The observed behavior confuses me and makes me wonder whether the VPN connection is somehow bypassed in a BitTorrent scenario?



  • What do the rules on your OpenVPN interface look like? I'm not sure if BitTorrent needs port forwarding to work. If you would like to lower the speed of your seeding, usually in the client you can tell it what you want the max speed of your upload to be. At least this is the case for uTorrent.



  • @ siralos:

    So yesterday I installed pfSense 2.1 and followed the same setup as you described in your links.  I found your post searching easier instructions for port forwarding for bittorrent from a PIA VPN (and nope'd right out of that idea after trying the scripting needed).  I also describe myself as, as you so well put it, without core competency in networking.

    I was pleasantly surprised to see  how well my torrent client (Tixati) performed without any inbound connectivity.  To your specific question about being sure the outbound torrent traffic is not somehow skipping the VPN and showing up as source from your ISP IP, I found that you can set the Status: Traffic Graph to display traffic on the OpenVPN interface.  By watching this graph I am satisfied that my torrent traffic is going in/out via the VPN.  However this only proves the majority of the traffic, it does not account for small "leaks" of some type.  Tomorrow I intend to place my old Tomato router between the pfSense and the modem and watch the logs for any leaks, assuming I know what I'm looking for.  I'm sure there are better ways to accomplish this, but I do not (yet) have the inclination to learn how to use wireshark or similar tools.

    I recognize yours is a fairly old post, but I am curious if you have any insight for me in the last two months you've used this setup so nearly identical to mine.  Did you ever find a port forwarding solution that does not require the understanding of a dedicated network engineer?  I suspect that if that was working I could saturate my inbound bandwidth with popular torrents.

    Thanks!



  • Note that PIA does allow UDP hole punching on most of their proxies. I have incoming UDP traffic on my torrent client with PIA. And although I do understand the script solution they offer for port forwarding, adapting it from plain linux to integrating it with pfsense is something that is beyond my abilities. And you have to find a way to have pfsense inform your torrent client which port is forwarded. PIA chooses a random port for you which changes if you drop the VPN tunnel and reconnect. I have been using them with pfsense for 4 months now and although it is stable, vpn disconnects do happen from time to time.

    The leak you mention is probably DNS. I can't force DNS traffic from the DNS forwarder through the VPN because pfsense needs to resolve the PIA hostname before it can bring the tunnel up. Manually entering the IP of the VPN server is not a good idea because their hostname actually represents a pool of VPN servers. A solution is to manually set an outside DNS in the DHCP server, which will send the DNS traffic from your clients through the tunnel. Or setup a second box or VM on your network to provide DNS. Since I mainly use PIA to bypass traffic shaping of my ISP, I still use the DNS forwarder which seems to resolve addresses much faster since it queries DNS servers in parallel instead of sequentially.

    Another possible leak is IPv6, PIA does not provide IPv6, so if your ISP gives you a valid IPv6 address, your clients will prefer the IPv6 route instead of IPv4 and through the tunnel. There aren't many IPv6 sites yet but I do see more and more IPv6 addresses in my torrent traffic. I had to block all IPv6 as a result. You could sign up for an IPv6 tunnel broker and route that through the VPN tunnel if you really need IPv6.

    One other thing to keep in mind with PIA is that some of their servers are blacklisted for sending spam mail. So I would not recommend sending SMTP traffic through the VPN connection.
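
    The two replies above (watching the traffic graph, then worrying about DNS and IPv6 "leaks") describe a check that is easier to do on the pfSense box itself: capture on the real WAN interface and see what leaves it. Once all LAN traffic is policy-routed into the tunnel, the only flows that should appear on the WAN are the OpenVPN UDP flow to the PIA server and the firewall's own housekeeping (its System > General resolvers, NTP). Plain DNS to anything else, any IPv6, or a torrent peer connection seen on the WAN is a leak. The script below is an added example and not from the thread or from pfSense; the interface name `em0`, the VPN server `198.51.100.5:1194`, the OpenDNS addresses and the sample tcpdump lines are all assumptions or constructed data (documentation address ranges, not real captures).

```shell
#!/bin/sh
# Added example: classify lines of `tcpdump -n` output from the REAL WAN
# interface of a pfSense box that runs an OpenVPN client.
#
# Live use on the firewall (assumed names, substitute your own):
#   tcpdump -nli em0 'not arp' | while IFS= read -r l; do
#       printf '%-13s %s\n' "$(classify_line 198.51.100.5 1194 "$l")" "$l"; done
#
# Destinations the firewall itself is expected to reach over the WAN.
# Assumed: the OpenDNS resolvers set under System > General, as the thread
# recommends, so the OpenVPN hostname can be resolved before the tunnel is up.
WAN_OK_HOSTS="${WAN_OK_HOSTS:-208.67.222.222 208.67.220.220}"

# classify_line VPN_SERVER VPN_PORT LINE -> prints one of
#   TUNNEL        the OpenVPN flow itself (expected)
#   FIREWALL_OWN  pfSense talking to its own resolvers (expected)
#   DNS_LEAK      port 53 to anything else
#   IPV6_LEAK     any IPv6 packet (PIA carries no IPv6)
#   LEAK          any other IPv4 flow that bypassed the tunnel
#   IGNORE        non-IP line (STP, unparseable text)
classify_line() {
    vpn_host=$1; vpn_port=$2; line=$3
    case "$line" in
        *" IP6 "*) echo IPV6_LEAK; return 0 ;;
        *" IP "*)  ;;
        *)         echo IGNORE; return 0 ;;
    esac
    # tcpdump -n layout: "<ts> IP <src.port> > <dst.port>: ..."; field 5 is the
    # destination with a trailing colon.
    dst=$(printf '%s\n' "$line" | awk '{ sub(/:$/, "", $5); print $5 }')
    dots=$(printf '%s' "$dst" | tr -cd '.' | wc -c | tr -d ' ')
    if [ "$dots" -ge 4 ]; then
        dst_port=${dst##*.}; dst_host=${dst%.*}
    else
        dst_port=""; dst_host=$dst        # e.g. ICMP: no port is printed
    fi
    if [ "$dst_host" = "$vpn_host" ] && [ "$dst_port" = "$vpn_port" ]; then
        echo TUNNEL; return 0
    fi
    for ok in $WAN_OK_HOSTS; do
        if [ "$dst_host" = "$ok" ]; then echo FIREWALL_OWN; return 0; fi
    done
    if [ "$dst_port" = 53 ]; then echo DNS_LEAK; else echo LEAK; fi
}

# leak_count VPN_SERVER VPN_PORT < capture -> number of leaked lines
leak_count() {
    n=0
    while IFS= read -r l; do
        case "$(classify_line "$1" "$2" "$l")" in
            DNS_LEAK|IPV6_LEAK|LEAK) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample of what tcpdump -n on the WAN might print (not a real
# capture): tunnel flow, firewall's own resolver query, a client's DNS query
# that escaped, an IPv6 torrent peer, an IPv4 torrent peer, and a ping.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.54021 > 198.51.100.5.1194: UDP, length 133
12:00:01.000002 IP 203.0.113.10.49152 > 208.67.222.222.53: 4711+ A? example.com. (29)
12:00:01.000003 IP 203.0.113.10.40000 > 192.0.2.44.53: 4712+ A? tracker.example. (32)
12:00:01.000004 IP6 2001:db8::10.51413 > 2001:db8:1::2.6881: Flags [S], seq 1, win 65535, length 0
12:00:01.000005 IP 203.0.113.10.51413 > 192.0.2.77.6881: Flags [S], seq 2, win 65535, length 0
12:00:01.000006 IP 203.0.113.10 > 192.0.2.9: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Stand-alone demo over the constructed sample: prints each line with its
# category and reports how many leaked (4 here).
demo() {
    sample_capture | while IFS= read -r l; do
        printf '%-13s %s\n' "$(classify_line 198.51.100.5 1194 "$l")" "$l"
    done
    echo "leaked lines: $(sample_capture | leak_count 198.51.100.5 1194)"
}
```

    Run it for a few minutes on the WAN while a torrent is active. A TUNNEL-only stream with a handful of FIREWALL_OWN lines is what a correctly routed box looks like; a single DNS_LEAK or IPV6_LEAK line is enough to show the leak the replies above are talking about, and a LEAK line carrying a torrent port means the policy route is not catching that traffic at all.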



  • If you only need to lookup *.privateinternetaccess.com addresses over the real WAN, then you should be able to:

    1. Point the DNS forwarder at some DNS across the VPN and have all traffic default to the VPN
    2. Add a domain override for privateinternetaccess.com to point to some other DNS (e.g. 8.8.8.8)
    3. Put a specific rule or whatever to direct destination 8.8.8.8 over the ordinary WAN
    I'm sure there will be a few tricks to get it to work - but it must be possible.


  • @VTOLfreak:
    I can see that you must be correct.  I switched to an old version of uTorrent (supporting UDP tracker) and now I can get incoming connections without any manual port mapping on the pfSense or the modem/router.  It seems to work perfectly!
    Since my primary concerns are avoiding traffic shaping and letters from the ISP due to torrents, I don't think I need to be particularly worried about DNS leaks.  Even so I'll look into your advice and that from phil.davis to address that.
    Thank you for your help.



  • @VTOLfreak:

    The leak you mention is probably DNS. I can't force DNS traffic from the DNS forwarder through the VPN because pfsense needs to resolve the PIA hostname before it can bring the tunnel up. Manually entering the IP of the VPN server is not a good idea because their hostname actually represents a pool of VPN servers. A solution is to manually set an outside DNS in the DHCP server, which will send the DNS traffic from your clients through the tunnel. Or setup a second box or VM on your network to provide DNS. Since I mainly use PIA to bypass traffic shaping of my ISP, I still use the DNS forwarder which seems to resolve addresses much faster since it queries DNS servers in parallel instead of sequentially.

    I apologize for necroing this thread, but this is my specific problem that I am running into.

    I have all traffic routed out VPN tunnel, so if tunnel goes down, so does my internet access. My problem is that when PIA decides to change/update my VPN IP address (once a day it seems), the tunnel breaks and is unable to repair itself because DNS cannot resolve the *.privateinternetaccess.com hostname that I have configured for the OpenVPN client config.

    The only fix is to reboot my pfsense box, which makes zero sense how that would fix it because if all traffic is routed out VPN, how does it EVER resolve the hostname for PIA to begin with?

    Anyhow, I am not sure I understand the manual solution above. If you could please go into further detail, or provide me with a solution to my problem.

    PS: My DNS configuration under System>General Settings is two PIA DNS servers, pointed to the VPN gateway.

    Possible solution I'm thinking of is to change the DNS from polling ALL at once, to doing it in order (forget the feature in pfsense) from top to bottom, and have my PIA DNS servers first, and then have like OpenDNS as the 3rd option. Not sure if it should be set to NONE or point to my WAN interface though.

    My assumption with this is that it will fail on the first two, and then hit the 3rd, dns will work, then it brings the VPN tunnel back up, and then my DNS goes back to the first PIA DNS server (back to being secure)

    I just want to make sure everything is still secure, no dns leaks etc.

    Thanks!



  • You have to set your real WAN connection as the default gateway and then use a firewall rule to point all your LAN traffic to the VPN tunnel. In the system DNS settings you need to have the IPs of opendns (or your ISP) set. This will get the tunnel working reliably.

    Now go into your DHCP server LAN settings and enter the opendns IPs into the DNS settings. DHCP clients will now use opendns through the tunnel instead of the DNS forwarder in pfsense. So no more DNS leak. :)

    The downside is that not using the forwarder might resolve addresses slower and that you will not be able to use local dns names for devices on your lan. If you really need local dns names you could always setup a DNS server and DHCP server on your LAN using another machine.

    The main point to remember is to not set the VPN as the default gateway for pfsense itself. The pfsense box needs a working internet connection first, THEN you build the vpn tunnel. The reason it works on bootup in your case is because pfsense will skip to the next tier of gateway if the default is down. After openvpn starts running and creates the VPN interface you have the catch-22 problem you describe.
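
    The reply above is a procedure done in the pfSense GUI, and it is easy to get one piece subtly wrong (gateway on the LAN rule missing, IPv6 not blocked, outbound NAT on the wrong interface) and not notice until a leak check fails. The fragment below is an added example, written in pf.conf syntax, of what that procedure amounts to once pfSense has turned the GUI settings into pf rules; it is not from the thread or from pfSense, and it is not meant to be pasted into pfSense, which manages its own rule set. Compare it against the rules pfSense actually loads in `/tmp/rules.debug`. Interface names, the LAN network and the tunnel gateway address are assumptions.

```pf
# Added example: pf.conf-style rendering of "WAN stays the default gateway,
# LAN traffic is policy-routed into the OpenVPN client tunnel".
# Assumed names; check yours with ifconfig and Status > OpenVPN.
wan_if  = "em0"
lan_if  = "em1"
vpn_if  = "ovpnc1"           # OpenVPN client instance 1
lan_net = "192.168.1.0/24"
vpn_gw  = "10.8.0.1"         # far end of the tunnel, as shown by Status > OpenVPN

# Outbound NAT must happen on the tunnel interface, so LAN clients leave with
# the tunnel address. NAT only on $wan_if would break replies for tunnel traffic.
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# PIA carries no IPv6. A native v6 prefix from the ISP would otherwise be
# routed straight out the WAN by the clients, so drop it before any pass rule.
block in quick on $lan_if inet6 all

# Policy-route everything from the LAN into the tunnel. Because this is a rule
# on the LAN interface it does not touch the firewall's own traffic: pfSense's
# System > General resolvers, NTP and the OpenVPN connection to the
# *.privateinternetaccess.com server keep following the system default route,
# which the reply above says must stay on the WAN.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $lan_net to any keep state

# The leaking form to avoid: the same rule without route-to. LAN clients then
# follow the system default route and exit via the WAN with the ISP address.
# pass in quick on $lan_if inet from $lan_net to any keep state
```

    Two things worth confirming alongside this. If the provider pushes a default route into the tunnel, that push would replace the WAN default route and recreate the catch-22 described above; OpenVPN's `route-nopull` client option (pfSense exposes it as a checkbox in the client settings in releases that have it) keeps the system default on the WAN while the LAN rule still steers clients into the tunnel. And the earlier suggestion of a domain override corresponds, for the pfSense 2.1 DNS Forwarder (dnsmasq), to a line of the form `server=/privateinternetaccess.com/8.8.8.8`, which only works as intended if 8.8.8.8 is reachable over the WAN from the firewall itself, which the system default route above already gives it.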

