HowTo: Route part of your LAN via TorGuard or PIA.

jptech

Here's a very quick, step-by-step guide that shows how I use pfSense to tunnel a subset of LAN devices via TorGuard.  These settings should be virtually identical for PIA.  I've attached a .zip file with screenshots.  It should be possible to read this post and follow along with the screenshots.

This example was created using a VM with two interfaces; WAN, LAN.  Whenever possible I used the default settings.  Please note, this configuration prevents clients being routed via the VPN from using the DNS Resolver.

Warnings

• As pointed out by @chebyshev in this reply, IPv6 must be disabled for many of the assumptions in this example to be correct.

Changes

• v1 - Original

• v2 - Removed incorrect static port selection on outbound NAT rule.

• v3 - Switched to nopull routes for the VPN client and created NO_WAN_EGRESS marking / rejection as suggested in this post.

01-setup-wizard

Pick an appropriate time zone.  If your WAN is using a private IP, unselect Block RFC1918 Private Networks.

02-adjust-dhcp-range

Adjust the DHCP IP range so it's a bit smaller.  I've used 192.168.1.62/26 which gives 62 IPs for DHCP.

03-configure-dns-resolver

The DNS Resolver is only going to be used for pfSense and devices that don't get tunnelled via the VPN.

04-create-vpnclients-alias

Create and alias that can be used to identify devices that are supposed to be tunnelled via the VPN.  I use 192.168.1.128/27 for this which gives 30 IPs for devices that need to be tunnelled via the VPN.

05-import-certificate-authority

TorGuard and PIA will provide a certificate authority certificate with their configs.  It's usually named ca.crt or something similar.  The certificate needs to be imported using pfSense's certificate manager so that it can be used when creating the OpenVPN client.  The descriptive name provided while importing can be anything.  I've used torguard-ca.  Something like pia-ca would also work.

Once the certificate authority is imported, the Distinguished Name section for the certificate should contain details about the certificate.

06-create-openvpn-client

Most of the information needed to configure the client can be found in the .ovpn files provided by TorGuard or PIA.  Here's the .ovpn config for the connection set up in this example:

client
dev tun
proto udp
remote gr.torguardvpnaccess.com 443
resolv-retry infinite
remote-cert-tls server
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca ca.crt
auth-user-pass
comp-lzo
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3

The directives in the .ovpn config are described in the Client Mode section of the OpenVPN manual.  If unsure about a setting, look it up.

• I start with the client disabled.  Enabling it without finishing the rest of the config will likely break internet access.  Don't forget to go back and enable it once everything else is configured.

• Use the protocol from the proto directive.  Ex: proto udp.

• Use the host / port from the remote directive.  Ex: remote gr.torguardvpnaccess.com 443.

• Use the device mode from the dev directive.  Ex: dev tun.

• Use WAN for the Interface.  This will always be WAN unless you're starting with a dual / multi-WAN configuration.

• Select Infinity resolve server.  This matches the resolv-retry infinite directive.  Even if the .ovpn config doesn't include the directive, I would still enable this.

• Enter your username and password in the authentication section.

• Disable TLS Authentication.  It's not used unless your .ovpn config contains a tls-auth directive.

• Select the CA that was imported earlier for the Peer Certificate Authority.  The list of options should include the descriptive name that was used when importing the CA.  Ex: torguard-ca.

• Select None for the Client Certificate.  Some older examples create a dummy certificate for this, but it's no longer necessary.

• Select BF-CBC for the Encryption algorithm.  This is the default.  If a different algorithm is needed your .ovpn config will contain a cipher directive.  If your .ovpn config doesn't contain a cipher directive, choose the default: BF-CBC.

• Select SHA1 for the Auth Digest Algoritm.  This is the default.  If a different algorithm is needed your .ovpn config will contain an auth directive.  If your .ovpn config doesn't contain an auth directive, choose the default: SHA1.

• Select Enable with Adaptive Compression for Compression.  This matches the comp-lzo directive.  Adaptive compression is the default type of compression used with comp-lzo.  If adaptive compression wasn't supported the .ovpn config would contain a comp-noadapt directive.

• Check the option for Don't pull routes.  This will prevent pfSense from accepting any routes that may be pushed by the server.  The main thing this accomplishes is ensuring the default route isn't updated to use the VPN gateway.  Note that when using this option care needs to be taken to make sure traffic from vpnclients isn't accidentally allowed to egress via the WAN.

• Select Don't forward IPv6 traffic for Disable IPv6.  The server probably isn't going to push any IPv6 routes, so this likely doesn't matter.  I disable it anyway.

I've added the remote-cert-tls directive to the advanced configuration:

remote-cert-tls server

This ensures the certificate used by the server has TLS Web Server Authentication extended key usage which means that client certificates issued using the imported certificate authority aren't considered valid when checking the identity of the server. Omitting this directive will cause a warning to be logged:

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

I've also added 3 MTU related directives to the advanced configuration:

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

These are taken directly from the .ovpn config.  If these settings are needed, but omitted, warnings similar to the following will show up in the logs:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

07-configure-vpn-client-interface

Once the OpenVPN client interface is assigned, it'll be possible to use it as a gateway by modifying the outbound NAT rules.  Assign the newly created client interface and enable it.  I like to change the name to something more descriptive.  I've used TORGUARD as the interface name in this example.

08-configure-outbound-nat

There's a new(ish) hybrid mode for outbound NAT which makes this pretty easy.  Add the two rules shown in the screenshots and then set the Mode to Hybrid Outbound NAT.  I use the entire LAN subnet as the source address for these entries, but it could also be limited to the network block chosen for vpnclients (192.168.1.128/27).  I use the entire LAN subnet so I don't have to worry about updating outbound NAT rules if I want to change the vpnclients alias.

09-create-lan-firewall-rules

Add a rule to block vpnclients from making DNS queries to the LAN IP.  This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients.

Add a rule that creates a policy based route for vpnclients.  Traffic that matches the rule will be sent via the VPN (ex:TORGUARD) gateway.  Traffic that doesn't match will fall through to the default LAN rule.

• Don't forget to select the VPN gateway (ex: TORGUARD_VPNV4) in the Advanced features section.  This is what causes traffic from vpnclients devices to be tunnelled via the VPN.

• Don't forget to set the Advanced Option to mark matching packets with NO_WAN_EGRESS.  This is extremely important because when the VPN interface is down pfSense deletes the gateway from the rule which will cause the traffic to be routed via the routing table (aka out the default route which is the WAN).  There also must be a matching floating rule to reject the marked traffic (see below).  A good explanation of what happens can be found here.

10-create-floating-firewall-rules

Create a floating rule that watches for and rejects outbound WAN traffic that's marked NO_WAN_EGRESS.  This prevents vpnclients from connecting to the internet via the WAN when the VPN interface goes down.

11-add-static-dhcp-mapping

Add static DHCP mappings for any devices that you want using the VPN.  Assign them an IP from the 192.168.1.128/27 block and override the DNS settings to use public servers (ex: Google or OpenDNS).  All traffic for vpnclients is routed via the VPN which will include queries to public DNS servers.

Don't forget to enable the VPN client if you started with it disabled.

12-verify

Once a device has been assigned an IP from the vpnclients IP range, visit an IP lookup and DNS leak test site to verify everything is working as expected.
tg-pfsense-howto-v3.zip

pfsensory

Excellent guide!  Thank you for making the time and effort to put this together!

kesawi

Great how-to guide. A couple of suggestions for additional information.

Using Squid Proxy with the VPN
A common issue that I've seen a lot of people posting is not understanding how the squid proxy works with a VPN. Policy based routing won't work with firewall rules if clients are using the squid proxy or the transparent proxy is enabled as the traffic will originate from pfSense rather than the internal networks.

This can be overcome with some limitations by using custom ACLs in squid as I've described at /index.php?topic=106221.msg592358#msg592358. I believe if you specify the client IPs under the Bypass Proxy for These Source IPs when the transparent proxy is configured then it will also work without a custom ACL, but not if the client is configured to use the proxy.

You can also do other things with custom ACLs, such as sending specific destination domains via the VPN. For example certain websites could be blocked by your ISP on the WAN interface, so you want all traffic for those to go via the VPN. A few examples are described at /index.php?topic=104628.msg583327#msg583327

VPN Client DNS
You've suggested creating a firewall rule to block VPN clients on the subnet from using your local DNS. Is it possible with bind to create an ACL for the local VPN clients and then specify the PIA or TORGUARD VPN servers as forwarders for these clients? All other local clients would still use the default settings in bind. This way you wouldn't need to configure the external DNS server individually for each of you local VPN clients. You'd probably still want a firewall rule to block any outbound DNS requests from those clients to prevent leakage (although the packet matching floating rules would probably prevent this anyway). I don't use bind, but from what I've seen in various guides this could be possible. Not sure how this would be configured through the GUI. I don't know how DNS caching would work if there was a conflicting result between what your WAN DNS servers return and what your VPN server returns.

pfsensory

In step 3, for outgoing network interfaces, your have selected only WAN.  When I try to replicate that step on my system, I receive the following error message:  "This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces."

How were you able to avoid getting that error?

Edit:  I was able to fix this by choosing localhost for "network interfaces" and de-selcting localhost for "outgoing network interfaces"

tigs

This is an excellent guide! and @kesawi , your comment is also an excellent addition.

edit:

Hi @kesawi

I was able to follow your instruction to get this to work using "Custom Options" under squid. However, it seems that I can only access https:// websites,  not http:// sites. Any idea to fix this?

Thanks

duren

Thanks for this.. I use TorGuard and had to figure this out before you posted your guide. I have a few differences I'd like to discuss..

1. Your guide mentions how to configure the connection using the main UI but you show the actual advanced settings some of which map to what's in the UI. For consistency, I recommend ensuring options are either in the UI or in advanced settings to avoid forgetting an advanced setting that's set and wondering why a UI setting is not working. My preference is to keep as many settings in the advanced section as possible so that if I create more VPN connections, I can just cut and paste the block.

2. From the original TorGuard ovpn files, there are a few parameters I don't see you mention..
  a. persist-tun
  b. persist-key
  c. float
  d. mute-replay-warnings

What are your thoughts on including these?

3. You have different settings for
  a. resolve-retry
  b. route-delay

4. You include auth-user-pass and although so does the original config, I think this should be taken out as it requires credential input somewhere, either in a file or in the GUI. Since we use GUI, i'm pretty sure this is automatically sent by pfSense.

What are your thoughts on the original values?

5. I further minimized logging by setting
  a. mute-replay-warnings
  b. verb 1 - because the UI doesn't seem to have that option available in the dropdown.

6. I minimized warnings by setting
  a. remote-cert-tls server as you suggested
  b. route-noexec instead of route-nopull as it generated more warnings that way and I think has the same ultimate effect.
  c. adding auth-nocache

7. Stabilized connectivity by
  a. not specifying a ping-restart and thus defaulting to 120s. This is in case traffic stops flowing but the vpn stays connected.
  b. adding auth-retry nointeract because sometimes during a reconnection a BAD AUTH appeared at which point retries stopped. This solved that problem.
  c. When you configure more than one connection to TorGuard to different regions, ie 1 connection to US, 1 to Canada, the internal IPs they assign on each server can actually match! at which point pfSense gets confused and traffic stops flowing on one. Virtual IP will show ie 10.9.0.25 for both connections. To solve this I wrote a script that looks for vpn connections and their Virtual IPs and if duplicates are detected, it asks all but the first connection to cycle. This check happens on say a 1 minute interval. https://forum.pfsense.org/index.php?topic=79900.msg439018#msg439018

jptech

@kesawi

I've never tried to set up a proxy that routes via the VPN, so I don't have an opinion on anything proxy related.

As for DNS, the way I did it is simple and fails closed if you forget to set external DNS servers.

I don't think the packet matching floating rule would catch a mishandled DNS lookup.  Wouldn't mishandled DNS requests appear to be new connections originating from localhost?  When I say mishandled I mean as a result of misconfiguration, not pfSense misbehaving.

@duren

1. I don't see any duplicate advanced settings.  I only have 4 settings in the advanced config.  I noted all 4 in section 6.  Cutting and pasting most of a config into the advanced section would probably work ok.

2. Only the mute-replay-warnings option is in the original config I show.  IMO, it's better for someone to see a bit of spam in their logs and be forced to research how to squelch it than it is for them to not realized information that could be important is already squelched.

Glancing at the man page (I haven't tested these, so there's a bit of assumption), I wouldn't use any of them:

• persist-tun sounds like it lets the process restart without re-configuring the interface.  If I restart the process, it usually means I want a new tunnel.
• persist-key shouldn't matter since the openvpn client process runs as root (ps -aux | grep openvpn).
• float likely doesn't matter with something like TorGuard.  I doubt they're using dynamic IPs.  Even if they are, I don't care if my connection breaks and has to reconnect as long as no traffic leaks.

3. I explained resolve-retry in the bullet point list in section 6.  The OpenVPN manual only notes route-delay as being useful for tap interfaces.  AFAIK most (all?) VPN providers are using tun interfaces.

4.  I let the GUI handle user-auth-pass.  Where do you see it duplicated?

5. I like verbose logs.

6. I don't think route-noexec and route-nopull are the same.  I haven't tested it, but, reading the man page, to me it sounds like route-noexec affects how routes pushed by the server are set and route-nopull affects if routes pushed by the server are set (or ignored).  Put another way, if you set route-nopull then route-noexec has no effect.  I mention setting route-nopull by using the Don't pull routes in section 6.

7.  I don't include ping-restart in the config.  Using auth-retry nointeract sounds useful.  I only use 1 VPN connection.

chebyshev

I used this tutorial and everything worked great, except dnsleaktest.com still shows my ISP instead of Choopa.com (which is PIA's DNS).

Where should I start to diagnose this?

pfsensory

The key might be in section (above) - "Add a rule to block vpnclients from making DNS queries to the LAN IP.  This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients."

Has this rule been set up?

chebyshev

Yes, I set up that rule.

Pippin

Is your client Windows 8 or up?
Then it could be this:
https://forum.pfsense.org/index.php?topic=110910.msg617899#msg617899

chebyshev

I just tried that, but got the following in my OpenVPN log:

May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
May 6 20:54:13	openvpn	30195	Use --help for more information.

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the –block-outside-dns option is available.

morreale

@chebyshev:

I just tried that, but got the following in my OpenVPN log:

May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
May 6 20:54:13	openvpn	30195	Use --help for more information.

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the –block-outside-dns option is available.

I had to use "push block-outside-dns" which someone recommended.  not sure if that is actually working or not.  don't see anything in the log.

I am still having the issue where any of the leaktest sites are showing my DNS server as my IP from the ISP (not my ISPs DNS servers)

I have done all the different rules for blocking DNS and forcing certain servers.  It just seems like it was working at first and now it always displays the ISP IP even when connected to VPN

I am using DNS Resolver (no forwarding and no DNS servers configured on general setup…using 127.0.0.1)

chebyshev

The "push block-outside-dns" seems to allow the client to start at least, but it didn't change anything in terms of the leak tests. You're right - they are showing my IP, not my ISP's DNS server. Strange and pretty much the opposite of what I'm looking for out of a VPN.

Derelict

@chebyshev On the host you are performing DNS leak tests what are the configured name servers? Precisely what firewall rules did you create (screen shot would be best).

chebyshev

The host doing the leak tests gets a static IP assigned via DHCP from the pfSense box - it is assigned the Google DNS servers (8.8.8.8 and 8.8.4.4). Those are the ones that show up if I do 'ipconfig /all'. It is running Windows 10.

Screenshots of my firewall rules are attached.

Derelict

Do you have name servers set up in System > General Setup?? What are they?

morreale

@morreale:

@chebyshev:

I just tried that, but got the following in my OpenVPN log:

May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
May 6 20:54:13	openvpn	30195	Use --help for more information.

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the –block-outside-dns option is available.

I had to use "push block-outside-dns" which someone recommended.  not sure if that is actually working or not.  don't see anything in the log.

I am still having the issue where any of the leaktest sites are showing my DNS server as my IP from the ISP (not my ISPs DNS servers)

I have done all the different rules for blocking DNS and forcing certain servers.  It just seems like it was working at first and now it always displays the ISP IP even when connected to VPN

I am using DNS Resolver (no forwarding and no DNS servers configured on general setup…using 127.0.0.1)

Here is my config at the moment…I have the DNS related rules disabled until I figure out the situation

Derelict

Don't know why you have all those rules duplicated. Only the first match is going to have any effect.

morreale

@Derelict:

Don't know why you have all those rules duplicated. Only the first match is going to have any effect.

some of those are due to it being 2 separate images that i should have done a better job of editing before posting :)
the others are due to being autocreated and manually created.  duplicates remain disabled and were left in place only for testing