Netgate Discussion Forum

Using openVPN client on Windows 7 through pfSense

11 Posts 4 Posters 2.9k Views
mewsense, Apr 5, 2014, 2:26 PM

Consider my home network.

I have a Windows 7 machine in the LAN subnet with IP 10.0.0.7. It can connect to and ping 10.0.0.8, 10.0.1.1, 10.0.2.2, 192.168.0.1, 192.168.1.1 with no problems. When I connect to the internet through the www.privateinternetaccess.com (PIA) client I can only connect to and ping servers in the same subnet. So, 10.0.0.8 works, but I can't connect to 10.0.1.1, 10.0.2.2, 192.168.0.1, 192.168.1.1 from 10.0.0.7.

Any ideas? I believe the PIA client uses OpenVPN.
mewsense, Apr 5, 2014, 5:13 PM

I think I understand my problem now, but don't have a solution. If I do an ipconfig /all on the Win7 machine with PIA running I see this:

      Windows IP Configuration
      
         Host Name . . . . . . . . . . . . : lanthanum
         Primary Dns Suffix  . . . . . . . :
         Node Type . . . . . . . . . . . . : Hybrid
         IP Routing Enabled. . . . . . . . : No
         WINS Proxy Enabled. . . . . . . . : No
         DNS Suffix Search List. . . . . . : localdomain
                                             win.testlab
      
      Ethernet adapter Internal Network:
      
         Connection-specific DNS Suffix  . : localdomain
         Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
         Physical Address. . . . . . . . . : <redacted>
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Lease Obtained. . . . . . . . . . : 05 April 2014 15:28:02
         Lease Expires . . . . . . . . . . : 05 April 2014 19:28:01
         Default Gateway . . . . . . . . . : 10.0.0.4
         DHCP Server . . . . . . . . . . . : 10.0.0.4
         DNS Servers . . . . . . . . . . . : 10.0.0.4
                                             10.0.1.1
         NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Ethernet adapter VPN Network:
      
         Connection-specific DNS Suffix  . :
         Description . . . . . . . . . . . : TAP-Win32 Adapter V9
         Physical Address. . . . . . . . . : 00-FF-EF-C8-CE-70
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         IPv4 Address. . . . . . . . . . . : 10.181.1.6(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.252
         Lease Obtained. . . . . . . . . . : 05 April 2014 18:01:42
         Lease Expires . . . . . . . . . . : 05 April 2015 18:01:41
         Default Gateway . . . . . . . . . :
         DHCP Server . . . . . . . . . . . : 10.181.1.5
         DNS Servers . . . . . . . . . . . : 209.222.18.222
                                             209.222.18.218
         NetBIOS over Tcpip. . . . . . . . : Enabled

My firewall rules on the LAN interface allow LAN net * LAB1 net.

However, my LAN network is 10.0.0.0 and not 10.181.1.6. So my Win7 PC is trying to access 10.0.1.1 from the VPN adapter, and not the Internal Network adapter. So I think I need to do one of two things:

1. Allow traffic from the LAN with address 10.181.1.6 to LAB1 net
2. Do something with the binding order of the adapters? Why can't my PC connect to my local subnets from the Internal Network adapter instead of the VPN?

Would appreciate any clues…
viragomann, Apr 5, 2014, 7:30 PM

That is an issue of your VPN connection. You cannot resolve this on your pfSense.
However, you may configure your VPN for private internet on pfSense directly as a VPN client. Here you can find hints: https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-6#comment-7029

Maybe it can be configured to function on certain VPN clients. I don't know.
Otherwise, it could be a workaround to set static routes for your internal networks in Windows.

Therefore start the console with admin privileges and enter these two lines:

    route -p add 10.0.0.0 mask 255.255.252.0 10.0.0.4
    route -p add 192.168.0.0 mask 255.255.254.0 10.0.0.4

This should resolve the issue; however, it has to be done on each PC which uses this VPN connection.
mewsense, Apr 5, 2014, 8:28 PM

That's great, thanks, it worked.

Could you explain why? I have absolutely no idea, but am keen to learn if you have a few minutes to explain it! I've been trying to fix this for months!
viragomann, Apr 5, 2014, 9:22 PM

The routes define which gateway or interface is to be used to reach a specific IP.
When your VPN client establishes a connection it sets a route to direct all your traffic over the VPN. Precisely, it sets the route to the gateway address of the VPN. This is mostly one IP lower than your VPN client's IP. The subnet of your Ethernet, however, is not affected by this.

You can show routes in Windows with the "route print" command.

The "route add" command you executed does exactly the same. It sets the route to direct the traffic over your LAN gateway (10.0.0.4), however in this case for your used subnets only.
The "-p" option sets the route permanently; this obviously has priority over the temporary setting of the VPN.

If you ever want to delete these routes just type "route delete 10.0.0.0". That deletes the first entry. Do the same for the second with its IP.
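To make the route selection in the answer above concrete, here is an added example (not code from the thread) that models the Windows routing table from the ipconfig output and does what the kernel does: pick the matching route with the longest prefix. The two VPN routes 0.0.0.0/1 and 128.0.0.0/1 are an assumption, based on the common OpenVPN "redirect-gateway def1" behaviour of overriding the default route without replacing it; the LAN and VPN addresses come from the thread.

```python
import ipaddress

LAN_GW = "10.0.0.4"     # pfSense LAN address (default gateway in ipconfig)
VPN_GW = "10.181.1.5"   # VPN peer address (shown as DHCP server on the TAP adapter)

# Constructed routing table: (destination, next hop or "on-link", interface).
BASE_ROUTES = [
    ("0.0.0.0/0",     LAN_GW,    "Internal Network"),  # normal default route
    ("10.0.0.0/24",   "on-link", "Internal Network"),  # local LAN subnet
    ("10.181.1.4/30", "on-link", "VPN Network"),       # TAP adapter /30
    # Assumed VPN override: two /1 routes beat the /0 default on prefix length.
    ("0.0.0.0/1",     VPN_GW,    "VPN Network"),
    ("128.0.0.0/1",   VPN_GW,    "VPN Network"),
]

# The two persistent routes from the "route -p add" answer:
# 255.255.252.0 is /22 and 255.255.254.0 is /23.
STATIC_ROUTES = [
    ("10.0.0.0/22",    LAN_GW, "Internal Network"),
    ("192.168.0.0/23", LAN_GW, "Internal Network"),
]


def lookup(table, dst):
    """Return (network, gateway, interface) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_str, gw, iface in table:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


if __name__ == "__main__":
    # 209.222.18.222 is the PIA DNS server from the ipconfig output.
    for host in ("10.0.0.8", "10.0.1.1", "192.168.1.1", "209.222.18.222"):
        before = lookup(BASE_ROUTES, host)
        after = lookup(BASE_ROUTES + STATIC_ROUTES, host)
        print(f"{host:15} VPN only: {before[0]:15} via {before[1]}")
        print(f"{'':15} + static: {after[0]:15} via {after[1]}")
```

Running it shows why 10.0.0.8 always worked (the /24 on-link route is more specific than anything the VPN adds), why 10.0.1.1 and 192.168.1.1 went into the tunnel before the static routes, and that internet destinations still go through the VPN afterwards.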
mewsense, Apr 7, 2014, 10:18 AM

Everything seems to be working fine, but it seems I am now leaking DNS information. My DNS settings are set like this:

My top firewall rules for the LAN interface are shown below. I have cut off the unnecessary rules lower down.

I am blocking direct DNS requests because I use OpenDNS to filter out dodgy sites for my kids. If I go to the PIA client and select DNS Leak Protection, and reconnect my VPN, my PC stops leaking DNS information.

All seems good. However, I now cannot access my local DNS server on the pfSense box. If I do:

    ping beryllium.localdomain

I get

    Ping request could not find host beryllium.localdomain. Please check the name and try again.

If I disconnect the VPN, the ping works. If I disconnect the VPN and unselect DNS Leak Protection, local DNS works but then I leak DNS information with the VPN connected. Any ideas on how to solve this?
viragomann, Apr 7, 2014, 10:59 AM

If you have the VPN up, your computer uses the DNS servers given by the VPN server, because of its configuration. That is shown by ipconfig.

If you want to use your own DNS servers generally, thus for VPN also, go to the network connections configuration in Windows and edit the properties for "TAP-Win32 Adapter V9".
Double-click TCP/IPv4 to open its properties, select "use the following DNS server addresses" and enter below the servers you want to use for VPN. I think this is 10.0.0.4.

Is that what you want? I see no other way.
phil.davis, Apr 7, 2014, 11:18 AM

It is going to be difficult to implement on a client system. You need somewhere in Windows to do "Domain Overrides" so that Windows can understand to send "*.localdomain." lookup requests to the DNS server on the local LAN, and to send all other requests to the DNS that is given by the VPN provider.
The decision needs to be made in the client (your Windows 7) because the VPN uplink to the VPN provider is directly out of the client. So there is no way for anything else (like the pfSense DNS Forwarder) to make decisions and send external requests back to the client, to be sent up the VPN.
Perhaps there is some freeware DNS server for Windows 7 that could be installed and set up to do this sort of thing?

Or go the low-tech way and add some name/IP pairs directly to the hosts file on Windows 7 for local devices that you care about. (They would have to have static local private IPs.)

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
doktornotor (Banned), Apr 7, 2014, 11:24 AM

@phil.davis:

    Perhaps there is some freeware DNS server for Windows 7 that could be installed and set up to do this sort of thing?

Well, there's BIND for Windows available. (Huge overkill, plus I don't get the "oh noes I leak DNS" obsession in the first place.)
mewsense, Apr 7, 2014, 1:43 PM

@viragomann:

    If you have the VPN up, your computer uses the DNS servers given by the VPN server, because of its configuration. That is shown by ipconfig.

    If you want to use your own DNS servers generally, thus for VPN also, go to the network connections configuration in Windows and edit the properties for "TAP-Win32 Adapter V9".
    Double-click TCP/IPv4 to open its properties, select "use the following DNS server addresses" and enter below the servers you want to use for VPN. I think this is 10.0.0.4.

    Is that what you want? I see no other way.

No, what I want is, when I am connected to the VPN, to use the VPN DNS server for internet addresses, but still use the pfSense DNS server for local addresses. I do not want to use the local DNS server for internet addresses when connected to the VPN. The VPN will only use the VPN's DNS servers when the DNS Leak checkbox is checked. Otherwise it uses my pfSense DNS server. Trouble is, if I check the DNS Leak box, I cannot then use the local DNS server at all for local addresses. If I uncheck it, then the pfSense DNS server is used for local and internet addresses (and corresponding leakage).

@phil.davis:

    Or go the low-tech way and add some name/IP pairs directly to the hosts file on Windows 7 for local devices that you care about. (They would have to have static local private IPs.)

I might have to do this for the 20+ local devices I connect to by name, but would rather not if there's an alternative solution.

@doktornotor:

    …plus I don't get the "oh noes I leak DNS" obsession in the first place.)

Um, because some people don't like mass surveillance by governments and large corporations? ::) I don't think I'm alone here.
phil.davis, Apr 7, 2014, 5:59 PM

    Um, because some people don't like mass surveillance by governments and large corporations?

Your data and DNS requests… are encrypted between you and the VPN provider end point. But the VPN provider knows who you are, and your DNS requests go to their DNS server, and your ordinary data to and from the various public internet sites you use goes between the VPN provider and those sites as ordinary data. One has to assume that these agencies are gathering the data they want from VPN providers and matching it to user VPN accounts. So actually I don't see how any of us can really "hide".
But it might be fun to try ;)
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.