Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
No. pfSense is not a switch. Get a switch. The switch on the LAN side of a router used as an AP would be fine just disable its DHCP server first.
-
Ok thanks
-
Although all information are here is good enough but it you are willing to Create OpenVPN interface then you need to go with this.
- Click "Interfaces"
- Click "(assign)"
- "Available network ports:" select "ovpnc1(PIA OpenVPN)"
- Click "add selected interface" (icon is a "+" symbol on a small lined sheet of paper)
However for more vpn Configuring you may also explore vpnrnaks -
So pia vpn was working on pfsense then i started getting messages vpn host which is pia midewest is not recognized host. So i rebooted and same.
I setup everything from scratch again and now i can not get onto pia vpn. I've been trying all day today. I need some help.
I think the issue may be with NAT rules. My nat rules do not generate in 2.2.6 client as they did in this tutorial in earlier version.
But i recrated it the same way and still no luck. I can not start vpn service. Any help is very much appriciated. I'm exhusted. lolI had to clone the mac of my physical nic card (wan) in order to get isp wan address. Is that the reason why host name is not recognized ?
Here is the log
Feb 17 14:35:31 openvpn[33355]: client_connect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: learn_address_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_disconnect_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: client_config_dir = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: ccd_exclusive = DISABLED
Feb 17 14:35:31 openvpn[33355]: tmp_dir = '/tmp'
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_local = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_remote_netmask = 0.0.0.0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_defined = DISABLED
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_local = ::/0
Feb 17 14:35:31 openvpn[33355]: push_ifconfig_ipv6_remote = ::
Feb 17 14:35:31 openvpn[33355]: enable_c2c = DISABLED
Feb 17 14:35:31 openvpn[33355]: duplicate_cn = DISABLED
Feb 17 14:35:31 openvpn[33355]: cf_max = 0
Feb 17 14:35:31 openvpn[33355]: cf_per = 0
Feb 17 14:35:31 openvpn[33355]: max_clients = 1024
Feb 17 14:35:31 openvpn[33355]: max_routes_per_client = 256
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_verify_script_via_file = DISABLED
Feb 17 14:35:31 openvpn[33355]: port_share_host = '[UNDEF]'
Feb 17 14:35:31 openvpn[33355]: port_share_port = 0
Feb 17 14:35:31 openvpn[33355]: client = ENABLED
Feb 17 14:35:31 openvpn[33355]: pull = ENABLED
Feb 17 14:35:31 openvpn[33355]: auth_user_pass_file = '/etc/openvpn-password.txt'
Feb 17 14:35:31 openvpn[33355]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Feb 17 14:35:31 openvpn[33355]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Feb 17 14:35:31 openvpn[33355]: WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Feb 17 14:35:31 openvpn[33627]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 17 14:35:31 openvpn[33627]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Feb 17 14:35:31 openvpn[33627]: LZO compression initialized
Feb 17 14:35:31 openvpn[33627]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:3 ]
Feb 17 14:35:31 openvpn[33627]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 17 14:35:47 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:35:47 openvpn[33627]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Feb 17 14:35:47 openvpn[33627]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 17 14:35:47 openvpn[33627]: Local Options hash (VER=V4): '66096c33'
Feb 17 14:35:47 openvpn[33627]: Expected Remote Options hash (VER=V4): '691e95c7'
Feb 17 14:36:14 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:36 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:36:57 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:19 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:37:56 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:38:48 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:39:40 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:40:31 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:41:22 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:42:13 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Feb 17 14:43:05 openvpn[33627]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known -
Hello guys. So i spend entire day yesterday trying to get this working and PIA must have changed some settings as this is no longer working on 128 AES.
I'm back on router and couldn't get on until i enabled TLS authentication which is disabled in this tutorial. Also obviously username and password and cert needs to be configured.
So just wanted to let everyone know. I'll try this over the weekend again but i spent too much time on getting this up. -
The answer is to set DNS servers using a DHCP static mapping to something external on the VPN-only hosts and to not set them to use pfSense itself as the DNS server. That way, the DNS queries will be just another internet packet, will be marked by the same rule, and will be blocked out WAN by policy automatically.
Trying to get pfSense DNS forwarder or resolver to behave in a specific way according to the specific source host is folly.
Is there a way to accomplish this using an alias and firewall rule? I am using an alias that I drop IPs in to direct them to the VPN GW (everything else goes through the WAN GW). Is it possible to do the same to assign DNS servers?
I basically want to assign the PIA DNS servers to the clients that I have added to the PIA alias. All others would get the google/opendns entries I have in the General Setup. I know I can assign these via static mappings in the DHCP server…just looking for a more efficient way.
John
-
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.
But DHCP static mappings is probably the proper way to get this done.
-
Derelict,
I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.
But DHCP static mappings is probably the proper way to get this done.
Could you please explain the NAT process. I understand DHCP would be better but my goal is to have the VPN IP range usable by anyone just by changing their IP client side. It would be nice if I did not have to provide a verbal IP and DNS address for the client to enter.
Thanks for all of your help!
-
Something like this would force all DNS queries from VPN_HOST to PIA_DNS_SERVER instead of whatever is configured as a DNS server.
Note that VPN_HOST and PIA_DNS_SERVER are just placeholders for IP addresses since you can't use aliases in NAT definitions.
You'd have to get creative to use two DNS Servers. Perhaps with both in a pool in the NAT IP or two different definitions.
Firewall > NAT, Port Forward tab
Interface: LAN
Protocol: TCP/UDP
Source Address: VPN_HOST
Source Ports: *
Dest Address: *
Dest Ports: 53
NAT IP: PIA_DNS_SERVER
NAT Ports: 53 -
Derelict,
Thanks! I think this/that is a much better solution than setting it in DHCP Static Mappings. I was able to use the same alias that I use to push the traffic through the VPN in the first place. The only negative is this does limit the VPN to using 1 DNS server whereas using DHCP Static Mappings would allow the use of up to 4.
Just for conversations sake, because I am very happy with the current solution, is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?
My pfSense setup is almost perfect!
Thanks again. -
If you know the two DNS servers you can make two port forward rules matching on Destination address. You could even set the clients to use something arbitrary like 10.11.12.1 and 10.11.12.2 and forward them each to different PIA DNS servers. You could keep the catch-all dest any rule below those to catch any other configured DNS servers and send those requests to one of the PIA DNS Servers.
is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?
Sorry, I don't understand what you're asking.
-
Wonder someone could help me got a error
failed to writehttps://gyazo.com/ea1c1fa74b1b47e65e3a29afb9f27ada
i know it just user and password put it there stop people getting my info thanks ! if someone could help me or add me on skype joshhopey to show me and help me !
-
Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.
I want to do the exact opposite and having trouble figuring it out…
I want all traffic from one IP to go thru the VPN except port 32400 (Plex). How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?
John
-
Make the rule match the characteristics. But Plex is weird and requires inbound connections.Just read this again.
Put a rule above the one that sends traffic to the VPN that matches the Plex traffic and has the default gateway set. Or, if you are pulling a default gateway from the VPN provider, the rule should policy route to WAN_GW.
-
OpenVPN/PIA link goes down; clients have no internet access. How do I fail over to the WAN if this happens? Configuration is DLSrouter->Pfsense giving dhcp (opvenvpn w/PIA)->clients Sometimes, believe it or not, PIA drops. What do I do to have pfsense or openvpn fail to the general Wan connection if this happens? Thanks!
-
That is the default behavior.
-
I set this all up today and had it working fine.
I'm using route-nopull because I actually only need 1 server to use the VPN.
I then got a message from pfSense to say that dyndns had updated, so must have had a dynamic IP change.
Then I realised that my true public IP was visible.
Restarted the VPN and still the same - although it appeared to be intermittent with some sites reporting my true IP and some reporting the VPN IP address.
I'm not sure what has happened so I've currently removed the route-nopull option and disabled the firewall rule which forces the server to use the PIA interface.
Any ideas?
-
Yeah your rules must be wrong. How about letting us see them?
-
It's disabled at the moment, but these are my firewall rules.
I would have preferred to keep it on everything but BBC iPlayer stopped working due to I presume the VPN address being blocked by them, and I couldn't figure a way to allow BBC iPlayer to bypass the VPN, since it seems to use multiple IP addresses I suspect.
-
Rule details :-
