Tutorial: Configuring pfSense as VPN client to Private Internet Access
-
I'm not sure. It seems to be staying up.
I realised that I also have a free ipVanish account, so I'll give things a whirl with that and see how I get on :-)
-
Which IP test sites are showing the VPN address and which are showing WAN address?
Is it consistent?
-
The ipvanish site shows that I am protected, and it is the correct VPN ip address.
The BBC iPlayer site refuses to work because it knows I am behind a VPN - which is expected behaviour.
However, www.whatsmyip.org shows my proper public IP address, and my ISP details.
Also, http://mxtoolbox.com/WhatIsMyIP/ shows my proper details, and not the VPN ip address.
Very odd.
I also deleted the config and reconfigured from scratch - same result.
If I remove the firewall rule and the route-nopull from the config, then I get consistent results that I behind the VPN.
Strange!
-
Don't know what to tell you.
I just ran updates to my betas and tried it and it works just fine.
You'll have to look at states or something to see what's going on. SOMETHING you have is routing traffic out the default gateway. Have you created any floating rules?
Are you positive about the source IP address?
-
Unless of course it is going out using IPV6, but it shouldn't be - I have IPV4 as preferred.
I don't know if it makes any difference that the 192.168.1.15 server that I want protected with the VPN a) it's a VM and b) it has teamed NICs
-
If it was going out IPv6 I think both of those sites would be showing you an IPv6 address.
-
I've never messed around with windows NIC teaming. If it utilizes multiple IP addresses there's your problem. Put them all in an alias and use that as your source address list. A packet capture on LAN will show you what's happening.
-
They are just teamed into one IP address.
It's very odd..
I've just gone back to having everything protected as that works fine.
Any idea how I can add a rule to get BBC iPlayer to bypass the VPN?
-
It does also make me wonder if I have missed something, although I have redone the tutorial from scratch 3 times now.
Just to test, I created a rule for my client PC which is just normal PC single NIC and I get exactly the same results.
PIA website says I am protected and shows the VPN IP address. The others still display my ISP and unprotected public IP :-(
I am just baffled…
-
I just had a thought.. wouldn't be anything to do with Squid or Squidguard would it?
Aha..
Disabled Squid and it now all works as expected..
So do I have to change Squid to work on the VPN interface instead of LAN maybe?
-
Of course it's ^$%& squid.
-
Since enabling the VPN on my server which runs Plex, I cannot access the Plex server from my LAN via the Plex website.
To get it working previously I had to enable Pure NAT but I don't really understand the reasoning behind this.
Not sure what I need to change to be able to access the server again (I'm basically going out of the firewall, and then back in via my port forward rule to get to it)
Access from the internet to my Plex server is working fine.
-
Seems Plex suddenly started to work again today. Think may be issues with Plex, so ignore.
Thanks for all the help!
-
Yes. Just add the ports to the rule sending traffic to the VPN gateway. The rule won't match if the port is outside the set so the firewall will move on to the next rule.
I want to do the exact opposite and having trouble figuring it out…
I want all traffic from one IP to go thru the VPN except port 32400 (Plex). How can I adapt the current rules (or add another) that will send Plex traffic thru the WAN GW so the server can be reached remotely?
John
Did you figure this out? My Plex server stopped working and when I check it has my VPN address as the public IP.
I've tried creating a LAN FW rule above the VPN one to tell it that all TCP 32400 traffic should go via WAN_PPOE and not PIAVPN but it doesn't make any difference.
-
Never mind - it started working again. I'm wondering if because the VPN changes IP address so often, maybe Plex is taking too long to update it?
Oh I dunno.. clutching at straws - it all works great for a while and then will stop working, and then will work again. Hate those types of issues!
-
I think the TCP 32400 traffic is INBOUND from Plex. I refuse to use it since they don't post any source addresses so you have to allow the world in.
I believe Plex requires a port forward in on the IP address it is logging in from. So if you are trying to go OUT PIA, I think they need to forward a port to you.
I don't know. Go to a Plex forum and ask exactly what you need in a FIREWALL INDEPENDENT way (just IP/TCP/UDP/NAT/etc) and bring that info back here and it will be easier to help you with that. And you should start another thread for it.
-
I attempted to set openvpn up with PIA however I am unsuccessful at getting it to connect. Under status it says reconnecting; tls-error. When I check system logs it has this:
Mar 26 17:37:48 openvpn[8951]: Re-using SSL/TLS context
Mar 26 17:37:48 openvpn[8951]: LZO compression initialized
Mar 26 17:37:48 openvpn[8951]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Mar 26 17:37:48 openvpn[8951]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Mar 26 17:37:48 openvpn[8951]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Mar 26 17:37:48 openvpn[8951]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mar 26 17:37:48 openvpn[8951]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mar 26 17:37:48 openvpn[8951]: Local Options hash (VER=V4): '41690919'
Mar 26 17:37:48 openvpn[8951]: Expected Remote Options hash (VER=V4): '530fdded'
Mar 26 17:37:48 openvpn[8951]: UDPv4 link local (bound): [AF_INET]192.168.2.122
Mar 26 17:37:48 openvpn[8951]: UDPv4 link remote: [AF_INET]198.8.80.221:1194
Mar 26 17:37:48 openvpn[8951]: TLS: Initial packet from [AF_INET]198.8.80.221:1194, sid=246e6338 47b9e842
Mar 26 17:37:48 openvpn[8951]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mar 26 17:37:48 openvpn[8951]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 26 17:37:48 openvpn[8951]: TLS Error: TLS object -> incoming plaintext read error
Mar 26 17:37:48 openvpn[8951]: TLS Error: TLS handshake failed
Mar 26 17:37:48 openvpn[8951]: TCP/UDP: Closing socket
Mar 26 17:37:48 openvpn[8951]: SIGUSR1[soft,tls-error] received, process restarting
Mar 26 17:37:48 openvpn[8951]: Restart pause, 2 second(s)Edit: well I realized the directions here are different than what is offered on PIAs website. I tried these and it seems to be working. Not sure why this does and theirs don't. Any ideas?
-
It looks like whatever you did there didn't get the correct certificate imported and trusted for that OpenVPN client connection.
-
As much as I appreciate the effort and thoroughness, the advice to simply duplicate all existing outbound nat rules is both overkill, and potentially will degrade a network.
There are often autogenerated rules that are not required.
The isakmp rule specifically cited, for example, is entirely useless on a non ipsec connection.
Nor does the loopback need to be natted in most cases.
And if one blindly duplicates existing nat rules for other vpn connections, you end up double natting those - repeating on the other end gives you quad natting….and things start to not work so much.
I went on a pruning spree the other day and eliminated most of the nat rules.
All you need is one nat rule per subnet/address you are going to route through the vpn.
-
Nor does the loopback need to be natted in most cases.
Could you share some thoughts or examples of when the loopback interface would need natting please?
