Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
The answer is to set DNS servers using a DHCP static mapping to something external on the VPN-only hosts and to not set them to use pfSense itself as the DNS server. That way, the DNS queries will be just another internet packet, will be marked by the same rule, and will be blocked out WAN by policy automatically.
Trying to get pfSense DNS forwarder or resolver to behave in a specific way according to the specific source host is folly.
-
Thanks for the speedy reply.
I went to my DHCP entry for 192.168.1.205 and set its DNS IP's to the PIA addresses. (My General Setup IP's are opendns)
From the 192.168.1.205 client i flushed the dns cache and released/renewed its DHCP loan. ipconfig shows 192.168.1.1 as the DNS server. My hope was that DHCP would loan the actual PIA addresses and not the 192.168.1.1 that it actually loaned.
Well, the DNS leaks.
Did I take the right approach to defining the PIA DNS IP's in DHCP or am I going in the wrong direction?
-
What PIA address.
Do the rules that forward your traffic (and mark it to block it out WAN) match DNS traffic?
If you are querying 192.168.1.1 for your DNS, then you are still querying pfSense and the DNS traffic is sourced from there not the VPN host.
It doesn't matter what the VPN host uses for its DNS servers as long as they are external and the rule that forwards traffic to the VPN and marks it matches the DNS requests.
-
Sorry for the late response … my ISP is having huge issues and I could not access anything for a while.
ok ... I have protocol set to "any" where I'm marking traffic so the rule should catch everything.
I decided to hard code the PIA DNS servers IP's into each client machine. All non-VPN client machines are using pfSense 192.168.1.1 from DHCP. This all works perfectly, no DNS leaks, VPN traffic of any kind does not leak to the WAN -- just works.
I only wish it was possible to have my pfSense deliver the desired PIA DNS IP's to the VPN client machines. oh, well, dang thing marks marvelous, as long as I have the DNS IP's hardcoded so I'll stick with that I think.
But ----- again .... thanks for information about tagging the traffic so VPN traffic doesn't leak into the WAN ------ BIG kudos. ;D
-
DHCP static mappings will set the right DHCP servers for those clients.
-
I have static DHCP mappings for all my clients, non-VPN, and VPN alike. I've tried setting my General Setup DNS to opendns. Then set the overall DNS in DHCP to opendns. Then I manually set non-VPN clients to opendns (for testing). Then I set the VPN clients to use PIA DNS addresses.
Result: The non-VPN work predictably, just like before and like they should. The VPN clients simply will not use the PIA DNS addresses, it seems.
I tried turning off all DNS server functionality of pfSense, along with a setting in DHCP, to force DHCP to deliver the actual DNS addresses to the client machines …
I released my client DHCP loans and renewed ...
Something in pfSense seems adamant that I have the PIA DNS addresses hard coded in the client machines because they still leaked the ISP address.
-
Result: The non-VPN work predictably, just like before and like they should. The VPN clients simply will not use the PIA DNS addresses, it seems.
No need for nebulous descriptions like "work predictably" and "will not use"
What DNS Server IP addresses are being assigned to the various clients?
When you attempt name lookups from those clients, what are the specific results?
This stuff is not subjective. It either works or it doesn't and there are ways to debug exactly what is failing.
ping, dig/drill, firewall logs, traceroute, etc.
-
In my pfSense DHCP server:
For non-VPN users DNS addresses are:
208.67.222.222
208.67.220.220For VPN users DNS addresses tried were:
209.222.18.222
209.222.18.218and sorry for my nebulous descriptions of things previously … I'm at work right now and will be available for testing in about 30 minutes ...
-
It doesn't matter what you entered. It matters what the clients got assigned or are otherwise trying to use.
-
General Setup DNS: 208.67.222.222 & 208.67.220.220
DHCP server DNS servers are left blank.
non-vpn client 192.168.1.208 has DHCP DNS set to: 208.67.222.222 & 208.67.220.220
VPN client 192.168.1.213 has DHCP DNS set to: 209.222.18.222 & 209.222.18.218
DNS Resolver is enabled.
DNS Forwarder is disabled.I released and renewed both machines DHCP loans.
The non-vpn client gets 192.168.1.1 (I'm guessing because the addresses in DHCP are the same as the General Setup addresses)
The vpn client get loaned 209.222.18.222 & 209.222.18.218 when I do a dnsleak.com test it shows me my ISP address right away … yet, when I do the test it shows 209.222.18.222 as the resolver.
******** Success!
Finally I made sure everything was set like it should be ... and it was.
All I did was reboot pfSense and then I tested my non-vpn clients and my vpn clients and they ALL work exactly as they should.208.67.222.222
208.67.220.220 are set in General Setup and all non-vpn clients are getting 192.168.1.1 in the DHCP loans209.222.18.222
209.222.18.218 are set in the DNS settings for each vpn client in DHCP .. all vpn clients are getting actual addresses as to the left.EVERYTHING WORKS!!! No vpn traffic leaking to the wan ... no dns leakage from vpn clients ......
Simply perfect. And Derelict --- thanks a ton, you've been great and patient. I realize that I needed to do much more homework and report results way better. Like I said in the beginning of my trek -- I'm a newbie, but again, a whole heap of thanks.
Now, where do I send a contribution? <smile>Someone should rebuild this entire thread as a concise tutorial ... the setup at the first of the thread is great ... and follow that with pictures and how-to that Derelict provided to stop leaking vpn traffic to the wan ... and using DHCP DNS entries to keep the vpn clients from dns leakage ... that would be great.
STILL BROKEN:
I have tested with a Windows 10 client and it IS getting the 209 addresses from DHCP -- and rebooted and continues to work fine.
I have tested several Windows 7 sp1 clients and they ARE not getting the 209 addresses from DHCP -- and reboot and tested --- they get 192.168.1.1 and not the 209 addresses.So, there seems to be something happening when the Win 7 DHCP getting loan versus Win 10 getting a loan.
I worked all day, played with this for an hour and quadruple checked all my settings in pfSense ... as far as I can tell they're fine.
I checked with multiple client machines, checked their settings, rebooted, tested them .... Win 7 DHCP is somehow different thatn Win 10 DHCP and what they get from pfSense loans.I'm really tired and going to bed. Anyone care to test this -- I'll check in about 10 hours.</smile>
-
Hi Guys,
I am running 2.2.4. In open vpn client tab there is user authentication settings and I have entered my PIA username password here. Do I still need to create that text file that contains my username password?
I am able to get connection established with PIA and can see outgoing traffic but no incoming traffic is seen and I have no internet once openvpn is running. I followed tutorial exactly except for the text file.
Thanks for the help
-
I got it working :) :) :)
Super excited…thanks for the tutorial on the first page of this thread.
Only question I have is how do I create the following rule:
I want everything to got thru regular internet (non-vpn) except the following: port 65389
I am running bit torrent on my unraid server (as well as several vm's) so I can not create firewall rule based on that ip or my plex will have issues. I can force the bit torrent thru that one port. So if the rule can say anything from that port go thru vpn and everything else can just be routed as normal.
Seems like it should be simple but any rule I make forces all traffic thru vpn.
Thanks again for all the help
-
I don't think you can force outbound bittorrent connections to one specific port because what you connect to depends on what port the receiving system is listening on and that could be just about anything.
If your client lets you specify an unchanging source port you could policy route on that.
-
Hi Derilict,
My client does let me choose what port or port range I can use. I have tested it using only one specific port and it works. I just need to come up with the firewall rule that forces that one port thru vpn no matter where the port is coming from. Only that one machine will use that one specific port so If I can do this then it should :) work fine.
-
Destination port or source port? Outbound connections or inbound?
-
Don't really have those answers for you. Here is what I can tell you and perhaps you can decipher it :)
on machine ip 192.168.0.151 I want inbound port 62958 and outbound port 62959 to go thru the PIAVPN gateway.
Everything else from this machine or anything else in my network can go thru the regular internet.Just not sure where or how to create this rule
I hope this gives you enough info to help. Sorry firewalling is not my expertise…still a noobie
thanks again
-
This really should be another thread. Start one and post a screenshot of the torrent software config page where you're setting these ports.
Again, you really can't set an outbound destination port for torrents because you have to connect to whatever port the peer is listening on.
-
Thanks…Ill start e new thread..sorry to have hijacked this one ;D
-
When I start openvpn then my Unbound DNS Resolver service gets stopped everytime. Why? when I restart it then the ntp time service gets stopped. I then no longer have internet access even thru default gateway or vpn. Have I done something wrong?
-
Start another thread. Nobody is going to see it here.
