Tutorial: Configuring pfSense as VPN client to Private Internet Access

Derelict

I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.

But DHCP static mappings is probably the proper way to get this done.

sudomrrogers

Derelict,

I suppose you could NAT translate all DNS requests to a specific IP address with a port forward on LAN with those IPs sourced (you can't use an alias in a NAT rule.

But DHCP static mappings is probably the proper way to get this done.

Could you please explain the NAT process. I understand DHCP would be better but my goal is to have the VPN IP range usable by anyone just by changing their IP client side. It would be nice if I did not have to provide a verbal IP and DNS address for the client to enter.

Thanks for all of your help!

Derelict

Something like this would force all DNS queries from VPN_HOST to PIA_DNS_SERVER instead of whatever is configured as a DNS server.

Note that VPN_HOST and PIA_DNS_SERVER are just placeholders for IP addresses since you can't use aliases in NAT definitions.

You'd have to get creative to use two DNS Servers. Perhaps with both in a pool in the NAT IP or two different definitions.

Firewall > NAT, Port Forward tab

Interface: LAN
Protocol: TCP/UDP
Source Address: VPN_HOST
Source Ports: *
Dest Address: *
Dest Ports: 53
NAT IP: PIA_DNS_SERVER
NAT Ports: 53

sudomrrogers

Derelict,

Thanks! I think this/that is a much better solution than setting it in DHCP Static Mappings. I was able to use the same alias that I use to push the traffic through the VPN in the first place. The only negative is this does limit the VPN to using 1 DNS server whereas using DHCP Static Mappings would allow the use of up to 4.

Just for conversations sake, because I am very happy with the current solution, is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?

My pfSense setup is almost perfect!
Thanks again.

Derelict

If you know the two DNS servers you can make two port forward rules matching on Destination address. You could even set the clients to use something arbitrary like 10.11.12.1 and 10.11.12.2 and forward them each to different PIA DNS servers. You could keep the catch-all dest any rule below those to catch any other configured DNS servers and send those requests to one of the PIA DNS Servers.

is there a way to map the VPN traffic to a particular VLAN and set the VLAN to use a different DNS server?

Sorry, I don't understand what you're asking.

xRascal

Wonder someone could help me got a error
failed to write

https://gyazo.com/ea1c1fa74b1b47e65e3a29afb9f27ada

i know it just user and password put it there stop people getting my info thanks ! if someone could help me or add me on skype joshhopey to show me and help me !

johnodon

@Derelict:

Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.

I want to do the exact opposite and having trouble figuring it out…

I want all traffic from one IP to go thru the VPN except port 32400 (Plex). How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?

John

Derelict

~~Make the rule match the characteristics. But Plex is weird and requires inbound connections.~~

Just read this again.

Put a rule above the one that sends traffic to the VPN that matches the Plex traffic and has the default gateway set. Or, if you are pulling a default gateway from the VPN provider, the rule should policy route to WAN_GW.

User1503

OpenVPN/PIA link goes down; clients have no internet access. How do I fail over to the WAN if this happens? Configuration is DLSrouter->Pfsense giving dhcp (opvenvpn w/PIA)->clients Sometimes, believe it or not, PIA drops. What do I do to have pfsense or openvpn fail to the general Wan connection if this happens? Thanks!

Derelict

That is the default behavior.

psykix

I set this all up today and had it working fine.

I'm using route-nopull because I actually only need 1 server to use the VPN.

I then got a message from pfSense to say that dyndns had updated, so must have had a dynamic IP change.

Then I realised that my true public IP was visible.

Restarted the VPN and still the same - although it appeared to be intermittent with some sites reporting my true IP and some reporting the VPN IP address.

I'm not sure what has happened so I've currently removed the route-nopull option and disabled the firewall rule which forces the server to use the PIA interface.

Any ideas?

Derelict

Yeah your rules must be wrong. How about letting us see them?

psykix

It's disabled at the moment, but these are my firewall rules.

I would have preferred to keep it on everything but BBC iPlayer stopped working due to I presume the VPN address being blocked by them, and I couldn't figure a way to allow BBC iPlayer to bypass the VPN, since it seems to use multiple IP addresses I suspect.

rules.PNG_thumb

psykix

Rule details :-

rule2.PNG_thumb

Derelict

Doesn't show what we need to see. Just post your LAN rules list.

psykix

I did above it…

Derelict

With the rule disabled it's not going to work.

psykix

Yes, I know. I disabled it because I removed the route-nopull since I needed the VPN to be working.

I'll try again with route-nopull and enable the rule again.

psykix

Ok, so I have the rule enabled. I have the route-nopull option.

privateinternetaccess shows my VPN address and says I am protected.

However, 2 other sites for showing IP addresses are showing my ISP public address, not the VPN one :-(

Derelict

You sure your tunnel is staying up?

There's really nothing that can cause what you think you're seeing.

Unless there's something severely wrong with that beta version you're using.