Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
I have static DHCP mappings for all my clients, non-VPN, and VPN alike. I've tried setting my General Setup DNS to opendns. Then set the overall DNS in DHCP to opendns. Then I manually set non-VPN clients to opendns (for testing). Then I set the VPN clients to use PIA DNS addresses.
Result: The non-VPN work predictably, just like before and like they should. The VPN clients simply will not use the PIA DNS addresses, it seems.
I tried turning off all DNS server functionality of pfSense, along with a setting in DHCP, to force DHCP to deliver the actual DNS addresses to the client machines …
I released my client DHCP loans and renewed ...
Something in pfSense seems adamant that I have the PIA DNS addresses hard coded in the client machines because they still leaked the ISP address.
-
Result: The non-VPN work predictably, just like before and like they should. The VPN clients simply will not use the PIA DNS addresses, it seems.
No need for nebulous descriptions like "work predictably" and "will not use"
What DNS Server IP addresses are being assigned to the various clients?
When you attempt name lookups from those clients, what are the specific results?
This stuff is not subjective. It either works or it doesn't and there are ways to debug exactly what is failing.
ping, dig/drill, firewall logs, traceroute, etc.
-
In my pfSense DHCP server:
For non-VPN users DNS addresses are:
208.67.222.222
208.67.220.220For VPN users DNS addresses tried were:
209.222.18.222
209.222.18.218and sorry for my nebulous descriptions of things previously … I'm at work right now and will be available for testing in about 30 minutes ...
-
It doesn't matter what you entered. It matters what the clients got assigned or are otherwise trying to use.
-
General Setup DNS: 208.67.222.222 & 208.67.220.220
DHCP server DNS servers are left blank.
non-vpn client 192.168.1.208 has DHCP DNS set to: 208.67.222.222 & 208.67.220.220
VPN client 192.168.1.213 has DHCP DNS set to: 209.222.18.222 & 209.222.18.218
DNS Resolver is enabled.
DNS Forwarder is disabled.I released and renewed both machines DHCP loans.
The non-vpn client gets 192.168.1.1 (I'm guessing because the addresses in DHCP are the same as the General Setup addresses)
The vpn client get loaned 209.222.18.222 & 209.222.18.218 when I do a dnsleak.com test it shows me my ISP address right away … yet, when I do the test it shows 209.222.18.222 as the resolver.
******** Success!
Finally I made sure everything was set like it should be ... and it was.
All I did was reboot pfSense and then I tested my non-vpn clients and my vpn clients and they ALL work exactly as they should.208.67.222.222
208.67.220.220 are set in General Setup and all non-vpn clients are getting 192.168.1.1 in the DHCP loans209.222.18.222
209.222.18.218 are set in the DNS settings for each vpn client in DHCP .. all vpn clients are getting actual addresses as to the left.EVERYTHING WORKS!!! No vpn traffic leaking to the wan ... no dns leakage from vpn clients ......
Simply perfect. And Derelict --- thanks a ton, you've been great and patient. I realize that I needed to do much more homework and report results way better. Like I said in the beginning of my trek -- I'm a newbie, but again, a whole heap of thanks.
Now, where do I send a contribution? <smile>Someone should rebuild this entire thread as a concise tutorial ... the setup at the first of the thread is great ... and follow that with pictures and how-to that Derelict provided to stop leaking vpn traffic to the wan ... and using DHCP DNS entries to keep the vpn clients from dns leakage ... that would be great.
STILL BROKEN:
I have tested with a Windows 10 client and it IS getting the 209 addresses from DHCP -- and rebooted and continues to work fine.
I have tested several Windows 7 sp1 clients and they ARE not getting the 209 addresses from DHCP -- and reboot and tested --- they get 192.168.1.1 and not the 209 addresses.So, there seems to be something happening when the Win 7 DHCP getting loan versus Win 10 getting a loan.
I worked all day, played with this for an hour and quadruple checked all my settings in pfSense ... as far as I can tell they're fine.
I checked with multiple client machines, checked their settings, rebooted, tested them .... Win 7 DHCP is somehow different thatn Win 10 DHCP and what they get from pfSense loans.I'm really tired and going to bed. Anyone care to test this -- I'll check in about 10 hours.</smile>
-
Hi Guys,
I am running 2.2.4. In open vpn client tab there is user authentication settings and I have entered my PIA username password here. Do I still need to create that text file that contains my username password?
I am able to get connection established with PIA and can see outgoing traffic but no incoming traffic is seen and I have no internet once openvpn is running. I followed tutorial exactly except for the text file.
Thanks for the help
-
I got it working :) :) :)
Super excited…thanks for the tutorial on the first page of this thread.
Only question I have is how do I create the following rule:
I want everything to got thru regular internet (non-vpn) except the following: port 65389
I am running bit torrent on my unraid server (as well as several vm's) so I can not create firewall rule based on that ip or my plex will have issues. I can force the bit torrent thru that one port. So if the rule can say anything from that port go thru vpn and everything else can just be routed as normal.
Seems like it should be simple but any rule I make forces all traffic thru vpn.
Thanks again for all the help
-
I don't think you can force outbound bittorrent connections to one specific port because what you connect to depends on what port the receiving system is listening on and that could be just about anything.
If your client lets you specify an unchanging source port you could policy route on that.
-
Hi Derilict,
My client does let me choose what port or port range I can use. I have tested it using only one specific port and it works. I just need to come up with the firewall rule that forces that one port thru vpn no matter where the port is coming from. Only that one machine will use that one specific port so If I can do this then it should :) work fine.
-
Destination port or source port? Outbound connections or inbound?
-
Don't really have those answers for you. Here is what I can tell you and perhaps you can decipher it :)
on machine ip 192.168.0.151 I want inbound port 62958 and outbound port 62959 to go thru the PIAVPN gateway.
Everything else from this machine or anything else in my network can go thru the regular internet.Just not sure where or how to create this rule
I hope this gives you enough info to help. Sorry firewalling is not my expertise…still a noobie
thanks again
-
This really should be another thread. Start one and post a screenshot of the torrent software config page where you're setting these ports.
Again, you really can't set an outbound destination port for torrents because you have to connect to whatever port the peer is listening on.
-
Thanks…Ill start e new thread..sorry to have hijacked this one ;D
-
When I start openvpn then my Unbound DNS Resolver service gets stopped everytime. Why? when I restart it then the ntp time service gets stopped. I then no longer have internet access even thru default gateway or vpn. Have I done something wrong?
-
Start another thread. Nobody is going to see it here.
-
My PIA vpn died for unknown reasons and during the setup process thought I would for shits go to the PIA support site and see if there was anything new. I was really looking to see if they were finally supporting better encryption. I ran across this: https://www.youtube.com/watch?v=IymMdq5Ovls which simplifies the auth process using the username and password in the OpenVPN - Client section rather than creating the openvpn-password test file.
PIA seems to still not support better encryption. >:(
-
Yeah that was added in 2.2
-
Just saw that further up the thread chain. Should have figured I wasn't the first one.
-
An awesome tutorial, we have the house under PIA. I added some WAN rules to allow DNS servers, pfsense upgrade and time servers through, a second-last rule to allow traffic through the VPN server, and to block all else (I want strict control of what goes through the VPN).
Thanks to this thread I was also able to exclude our lounge room smart TV from the VPN.
I'm running into issues getting port forwarding running over the lounge room TV - or even getting basic ports to show that probably don't need to be forwarded at all. The TV needs 80, 443 and 48705 open. I can't get even 80 or 443 to show as open on the IP address reserved for the TV. It is routing outside the VPN, which is a start. This happens whether I have port forwarding enabled or not.
If I suspend the LAN rule allowing an IP address to run outside the VPN, 80 and 443 are open (seen externally and internally with reflection on).
Any help appreciated. I feel I've missed something obvious throughout this thread.
-
You should probably start your own thread and post more details about what you have done. Nobody can really offer any help with what has been provided.