Netgate Discussion Forum

    OpenVPN Kill Switch

    OpenVPN
Heli0s

      I have an OpenVPN client setup and running with pfSense, where pfSense is connecting to an OpenVPN server and routing all traffic through the VPN. Everything is working great. The issue that I have is that if the VPN drops, my connection is still connecting unencrypted. Is there a way to make it so that if the VPN drops, my internet cuts off until it's restarted?

cmb

Configure your floating firewall rules accordingly so only VPN traffic can leave WAN: pass that out on WAN, block everything else.

stewie2016

          Can you please link to a reference that a non-technical person can use to do this configuration?

luckman212

            I'd actually like to see a screenshot of how this is configured myself, if anyone can post one!

YoMan

I am also very interested to know how this is set up. If someone could explain how to ensure that only the VPN is allowed through the WAN, that would be greatly appreciated. =)

Derelict (Netgate)

                Firewall > Rules, Floating tab

                Action: Pass
                Disabled: unchecked
                Quick: checked
                Interface: WAN
                Direction: out
                TCP/IP Version: IPv4
                Protocol: UDP
                Source: any
                Destination: any
                Destination port range: 1194

                Then below that rule:

                Action: Reject
                Disabled: unchecked
                Quick: checked
                Interface: WAN
                Direction: out
                TCP/IP Version: IPv4
                Protocol: any
                Source: any
                Destination: any
                Destination port range: any

                That will allow outbound connections to any server on UDP 1194 and block everything else.  You could limit the destination IP to just your VPN server's IP with a destination of single host or alias.  Naturally, if you do not connect on UDP 1194 you will need to adjust the Pass rule.  You will not be able to resolve DNS or anything out WAN with these rules in place.  All traffic except UDP 1194 will be blocked.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

YoMan

                  Thank you very much. I got it working!

YoMan

Ok, so I thought it was working; well, it's half working. I'm using UDP port 1126 for my VPN. Anyway, I realized that if I block any on protocol, my VPN can't connect for some reason, even though pass UDP 1126 is the first rule. Is there any reason why OpenVPN would be using some other port/protocol to initiate the connection?

Derelict (Netgate)

                      Is quick checked on the pass rule on UDP/1126 on WAN out?  The source should be any any, the dest should be any UDP/1126.  The dest IP address could optionally be your remote server IP address to further limit the rule.

YoMan

                        Yes quick is checked on both the pass rule and the block rule.

                        Here is a screenshot of both my rules.
                        https://imgur.com/Z9ywGxZ,6vAzcwq#0

                        The order on my floating rules is the Pass rule is on top, block rule is 2nd.

Now the issue is that if I turn off the block rule, then I can connect to my VPN; I can at that point re-enable the block rule and my VPN stays connected and all is good. But if the block rule is enabled and I lose my VPN connection and it needs to reconnect, it cannot do so. I just don't want to have to manually come into pfSense each time it loses connection to turn the firewall rules on and off to reconnect.

                        Does OpenVPN require some other port to do the initializing sequence or something?

Derelict (Netgate)

                          Like I said in my original post, you won't be able to do ANYTHING but connect to the VPN.  If you are using a hostname instead of IP address for the VPN server you probably won't be able to resolve it, etc.  You might very well have to pass some other things (like DNS) in order to get it to work.  I don't know how paranoid you are about DNS leakage, etc.  Most people seem to be all wrapped around the axle about it when it really doesn't matter if all you're trying to do is watch TV from another location.

                          ETA: Note that the DNS servers used by the firewall and the DNS servers given to your client hosts to use don't have to be the same.  You could configure the rules to allow connections to your ISP DNS servers, and put those in the DNS server settings for pfSense to use (System > General Setup) but tell your client hosts to use DNS servers provided by your VPN provider.  The latter DNS servers would only be reachable if the VPN is up.

YoMan
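To make the two-rule kill switch from Derelict's earlier post and the DNS caveat from this one concrete, here is a small model of how pfSense's floating "out on WAN" rules are evaluated. This is an added illustration, not pfSense or OpenVPN code; the addresses (VPN server, ISP resolver, VPN-provider resolver, web host) are constructed from RFC 5737 documentation ranges and the port is the default 1194. It goes slightly beyond the thread by also modelling what happens without "quick" (pf's last-match-wins semantics) so the effect of that checkbox and of rule order is visible.

```python
"""Toy model of pfSense floating-rule evaluation for a VPN kill switch.

Added example, not pfSense code. All addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

VPN_SERVER = "203.0.113.10"   # constructed: the remote OpenVPN server
VPN_PORT = 1194               # adjust if your server listens elsewhere (YoMan used 1126)
ISP_DNS = "198.51.100.53"     # constructed: resolver the firewall itself uses (System > General Setup)
VPN_DNS = "10.8.0.1"          # constructed: resolver the VPN provider hands out, reachable only inside the tunnel
WEB_HOST = "192.0.2.80"       # constructed: some unrelated Internet host


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "reject"
    proto: str               # "udp", "tcp" or "any"
    dst: str                 # destination IP or "any"
    dport: Optional[int]     # destination port, None means any
    quick: bool = True       # pfSense floating rules need 'quick' to behave as first-match


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's protocol, destination and port all cover the packet."""
    return (rule.proto in ("any", pkt.proto)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """Decide what happens to pkt leaving WAN.

    pf semantics: without 'quick' the *last* matching rule wins; a matching
    'quick' rule ends evaluation immediately. With no match at all, pfSense's
    implicit rules let traffic leave WAN, which is exactly the leak the thread
    is trying to close, so the default here is "pass".
    """
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def kill_switch_rules() -> list:
    """Derelict's two floating rules: pass the tunnel, reject everything else."""
    return [
        Rule("pass", "udp", VPN_SERVER, VPN_PORT),
        Rule("reject", "any", "any", None),
    ]


def kill_switch_with_dns_rules() -> list:
    """Same, plus DNS to the ISP resolver so the firewall can resolve the VPN hostname."""
    return [
        Rule("pass", "udp", VPN_SERVER, VPN_PORT),
        Rule("pass", "udp", ISP_DNS, 53),
        Rule("reject", "any", "any", None),
    ]


# Constructed packets representing the traffic discussed in the thread.
VPN_HANDSHAKE = Packet("udp", VPN_SERVER, VPN_PORT)
FIREWALL_DNS = Packet("udp", ISP_DNS, 53)      # pfSense resolving the VPN server's hostname
CLIENT_DNS = Packet("udp", VPN_DNS, 53)        # a LAN host's query that would only leak if the tunnel is down
WEB = Packet("tcp", WEB_HOST, 443)             # ordinary browsing that must never bypass the tunnel

if __name__ == "__main__":
    cases = (("VPN handshake", VPN_HANDSHAKE), ("firewall DNS", FIREWALL_DNS),
             ("client DNS", CLIENT_DNS), ("HTTPS", WEB))
    for name, rules in (("kill switch", kill_switch_rules()),
                        ("kill switch + DNS", kill_switch_with_dns_rules())):
        print(name)
        for label, pkt in cases:
            print(f"  {label:14s} {pkt.proto}/{pkt.dst}:{pkt.dport} -> {evaluate(rules, pkt)}")
```

Running it shows the behaviour YoMan hit: with only the two rules, the tunnel handshake passes but the firewall's own DNS query to the ISP resolver is rejected, so a server configured by hostname cannot be resolved after a drop. Adding the single DNS exception fixes that while a LAN host's query to the VPN-provider resolver is still rejected on WAN, so client DNS cannot leak. Reversing the two rules with "quick" set rejects the handshake, which is why the pass rule has to sit above the reject.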

Ok, so I have changed the VPN address to the IP address instead of the name. It appears to allow connection now with the firewall rules in place. Is there any disadvantage to using the actual IP rather than the name? I used the DNS reverse lookup to find it, and it appears there are 4 separate IPs that can all link to the same address. I just picked one.

Derelict (Netgate)

                              If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.

heper

                                @Derelict:

                                If they change IPs it will break.  I'd pass DNS correctly.  It could break all kinds of things eventually like downloading bogon table updates, upgrades, etc.  Your firewall should be able to resolve DNS.

Exactly copy your OpenVPN rule and adjust it to work for DNS. The pfSense web GUI can/will go nuts without DNS :))

stewie2016

                                  Will this configuration pass DNS outside of the VPN only for resolving the VPN host address when connecting to VPN (or when automatically re-connecting to VPN after an unplanned disconnection), and otherwise pass all other DNS through the VPN?

OyyoDams

                                    Hi,

                                    I don't like the floating rules trick because when the VPN goes down, it cannot reconnect anymore, blocked by the rule. But there is a workaround. Take a look at this post

                                    Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

"By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down"

                                    So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

                                    This works for me :)

Fabio72

                                        https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.