Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
That's great but outbound NAT rules have nothing to do with what traffic goes out which interface. They only dictate what NAT occurs when traffic is already routed out that interface by policy routing or the routing table.
-
Hrm, makes sense I guess. Got a link to something explaining how to route 80/443/53 over the VPN interface while leaving all other traffic egressing the WAN ?
-
Just check don't pull routes in the OpenVPN Client configuration then policy route those destination ports to the VPN Gateway followed by pass any without setting a gateway.
-
Ah, I think that works but only if I specify the VPN gateway in the LAN pass rule (under Advanced). You mention "pass any without setting a gateway." but where else would I specify the VPN gateway for those ports?
-
You policy route using firewall rules as you already stated. So you make a rule specifying those destination ports and the desired gateway/gateway group.
-
Thanks. Netflix won't work going over the vpn interface so I've created a hosts Alias containing the IP ranges for AS2906 (netflix) and created a second rule on the LAN to route the Netflix alias destinations over the WAN interface instead of the VPN interface. It doesn't seem to pick up the change though. I've reset under 'diagnostics > states > reset states' but the rule doesn't seem to be working. Tcpdump on the vpn interface shows the Aliased IP addresses still going over that interface.
The docs say "first match wins" so if I have the Netflix rule at the top, and the VPN rule after that this should be working, correct? I'm assuming I'm missing some IP addresses Netflix is using but want to make sure I understand the rule ordering.
-
Post your rules then. I guarantee if the alias contains the required destinations and the rules are done correctly, it works.
-
The rules are working, I think I'm just missing IP ranges. I'm using tcpdump on the PFsense box to see what's egressing the vpn interface. Even after adding a new range, I'll reload Netflix in my web browser and tcpdump shows it still hitting that IP on the vpn. If I wait a minute or so, then it seems to pick it up. Are rule changes only applied to new connections?
-
this works for me
180 is the static ip address of my tv
-
Yes, it is often easier to just exclude everything from the device from egressing the VPN than try to match every destination address and port for something like netflix.
-
180 is the static ip address of my tv
I'm not sure I understand. Are you just filtering by source IP rather than by a zillion Netflix destinations?
-
Yes. He's telling it to put everything FROM that device out WAN regardless of destination. Far easier than trying to single out "Netflix."
-
Good idea. Unfortunately, I have a mix of devices on the LAN which also access Netflix. For now, I've added around 30+ subnets to my Netflix Alias. It's not great but it keeps the tablets/phones on the VPN for everything but Netflix.
-
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
-
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
To fix this, go to Services / DNS Resolver and under "Outgoing Network Interfaces," select only your PIA VPN interface(s) and make sure "All' and "WAN" aren't selected.
This fixes the DNS leak over your regular WAN but introduces the problem that if your VPN ever goes down, pfSense will not be able to resolve DNS to reconnect the VPN. To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing (Google, OpenDNS, Level 3, Verisign, etc.). This setting only affects outbound DNS queries by localhost, not by anything on your LAN, which should go out the PIA VPN only via unbound.
-
Thanks! Precisely what I was wanting. em0 egress is looking better now.
To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing
I'm assuming the screenshot is correct?
-
Thanks! Precisely what I was wanting. em0 egress is looking better now.
To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing
I'm assuming the screenshot is correct?
see now this is when my head starts hurting. the instructions never say to create a new interface. so when i got home i disabled, the PIA interface to test my connection to see if it still worked and it did. so i deleted the openvpn/ PIA interface. so i can't change this setting.
so are you saying on the standard PIA instructions your data is not routed correctly on the outgoing interface..?
when i go to PIA.com i have a protected IP. and i am getting my normal speeds and i have not for some time. i really don't want to alter this unless i have too
-
so are you saying on the standard PIA instructions your data is not routed correctly on the outgoing interface..?
My setup is a little different than "VPN all the things!" which is the direction given by all the tutorials I've found anyway. Straight off, yes all my traffic was egressing the VPN tunnel as it should but I don't want Steam going over it, and Netflix absolutely refuses to run as well. Fiddling around with splitting the traffic over multiple interfaces is inherently problematic because now I need to use IP addresses, protocol and port to determine what goes where. And that's not always a straightforward thing (Especially for Netflix. I'm a little surpised my setup is working at all with all the Aliases I had to configure.)
That said, I'm continually impressed by pfSense. It's enterprise grade software in features, quality and functionality. I'm very grateful for the tutorial in this thread and all the support from the forum folks. Thanks all.
PS: Um..not sure I follow what you mean about creating a new interface. Isn't it right there in the first post under "Create OpenVPN interface" ?
-
i am following the newest guide:
https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1
i also posted an updated link just about the top page of 22. from a PIA staff
-
i am following the newest guide:
https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1
i also posted an updated link just about the top page of 22. from a PIA staff
Their guides are never perfect.
@Guide:
14.) Ensure NCP is checked.
Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
Add AES-128-CBC and AES-256-CBC by selecting them in the left box.This is stupid and defeats the purpose of NCP in OpenVPN 2.4 which automatically negotiates the NCP ciphers if both client and server support NCP. NCP should remain set to AES-256-GCM and/or AES-128-GCM. And the traditional cipher should be set to AES-256-CBC or AES-128-CBC.
@Guide:
17.) Custom Options: Add these parameters:
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here. They should be left out because all this does is list the directives twice in the config file.
Mine are currently set to:
Advanced Configuration Settings from GUI
remote-cert-tls server
auth-nocache
tls-version-min 1.2
reneg-sec 0
pull-filter ignore "auth-token"I learned a lot from reading the OpenVPN 2.4 Manual. Took several hours over several days before I had a basic understanding of how to harden the config settings. The pull-filter ignore "auth-token" is my latest addition since I was having issues with the session token expiring and the VPN would never automatically reconnect by itself. Adding that directive keeps pfSense connected to PIA 24/7 and automatically reconnects.
