HowTo: Route part of your LAN via TorGuard or PIA.
-
I've never tried to set up a proxy that routes via the VPN, so I don't have an opinion on anything proxy related.
As for DNS, the way I did it is simple and fails closed if you forget to set external DNS servers.
I don't think the packet matching floating rule would catch a mishandled DNS lookup. Wouldn't mishandled DNS requests appear to be new connections originating from localhost? When I say mishandled I mean as a result of misconfiguration, not pfSense misbehaving.
1. I don't see any duplicate advanced settings. I only have 4 settings in the advanced config. I noted all 4 in section 6. Cutting and pasting most of a config into the advanced section would probably work ok.
2. Only the mute-replay-warnings option is in the original config I show. IMO, it's better for someone to see a bit of spam in their logs and be forced to research how to squelch it than it is for them to not realize information that could be important is already squelched.
Glancing at the man page (I haven't tested these, so there's a bit of assumption), I wouldn't use any of them:
- persist-tun sounds like it lets the process restart without re-configuring the interface. If I restart the process, it usually means I want a new tunnel.
- persist-key shouldn't matter since the openvpn client process runs as root (ps -aux | grep openvpn).
- float likely doesn't matter with something like TorGuard. I doubt they're using dynamic IPs. Even if they are, I don't care if my connection breaks and has to reconnect as long as no traffic leaks.
3. I explained resolv-retry in the bullet point list in section 6. The OpenVPN manual only notes route-delay as being useful for tap interfaces. AFAIK most (all?) VPN providers are using tun interfaces.
4. I let the GUI handle auth-user-pass. Where do you see it duplicated?
5. I like verbose logs.
6. I don't think route-noexec and route-nopull are the same. I haven't tested it, but, reading the man page, to me it sounds like route-noexec affects how routes pushed by the server are set and route-nopull affects if routes pushed by the server are set (or ignored). Put another way, if you set route-nopull then route-noexec has no effect. I mention setting route-nopull by using "Don't pull routes" in section 6.
7. I don't include ping-restart in the config. Using auth-retry nointeract sounds useful. I only use 1 VPN connection.
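An added example, not from the HowTo and not from pfSense: a POSIX shell audit of an OpenVPN client config for the options discussed in the reply above. The two sample configs it runs on are constructed, and the remote name, device name and credential path in them are assumptions. It also encodes one fact the thread only bumps into later: block-outside-dns is implemented only in the Windows OpenVPN client (it programs the Windows Filtering Platform), so every other OpenVPN build, pfSense's included, rejects it as an unrecognized option.

```shell
#!/bin/sh
# Added example (not from the HowTo or pfSense): audit an OpenVPN *client* config for the
# options discussed above. Sample configs are constructed; remote, dev and credential
# path in them are assumptions.

# has REGEX : true if the config text in $cfg has a line starting with REGEX
has() {
    printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"
}

# audit_ovpn_client CONFIG_TEXT
# Prints one finding per line; exit status 1 if a LEAK finding was raised, 0 otherwise.
audit_ovpn_client() {
    cfg=$1
    leak=0

    # "Don't pull routes" in the pfSense GUI writes route-nopull. Without it a provider that
    # pushes "redirect-gateway def1" rewrites the firewall's default route for the whole LAN.
    if ! has route-nopull; then
        echo "LEAK: route-nopull missing; server-pushed routes would replace the firewall's default route"
        leak=1
    fi

    # route-noexec only changes how pushed routes get installed; route-nopull already discards them.
    if has route-noexec && has route-nopull; then
        echo "NOTE: route-noexec has no effect once route-nopull is set"
    fi

    # block-outside-dns exists only in the Windows client (Windows Filtering Platform). Every other
    # build logs "Options error: Unrecognized option ... block-outside-dns" and exits. Prefixing it
    # with push makes the line parse, but push directives are only acted on by a server.
    if has block-outside-dns || has 'push[[:space:]]+"?block-outside-dns"?'; then
        echo "WARN: block-outside-dns is Windows-client-only; put it in the Windows host's .ovpn, not here"
    fi

    # Preferences argued for above, reported as notes rather than failures.
    has mute-replay-warnings && echo "NOTE: mute-replay-warnings silences replay warnings you might want to see"
    has persist-tun && echo "NOTE: persist-tun keeps the tun device across SIGUSR1/ping-restart restarts instead of rebuilding the tunnel"
    has float && echo "NOTE: float lets the peer change its address or port mid-session"
    # Default is auth-retry none: the client exits with a fatal error on an auth failure.
    has 'auth-retry[[:space:]]+nointeract' || echo "NOTE: auth-retry nointeract not set; an auth failure ends the process instead of retrying"

    return $leak
}

# Constructed sample: "Don't pull routes" unticked and the Windows-only option pasted into
# the advanced box.
leaky='client
dev ovpnc1
dev-type tun
proto udp
remote vpn.example.net 1194
auth-user-pass /var/etc/openvpn/client2.up
persist-tun
mute-replay-warnings
block-outside-dns'

# Constructed sample: the options the reply above settles on.
safe='client
dev ovpnc1
dev-type tun
proto udp
remote vpn.example.net 1194
auth-user-pass /var/etc/openvpn/client2.up
route-nopull
auth-retry nointeract
verb 4'

if [ $# -gt 0 ]; then
    audit_ovpn_client "$(cat -- "$1")"
else
    echo "== constructed leaky config =="
    audit_ovpn_client "$leaky" || echo "(exit status 1: leak finding present)"
    echo "== constructed safe config =="
    audit_ovpn_client "$safe" && echo "(no findings, exit status 0)"
fi
```

Run it with a path as the only argument to audit a real file (on the firewall that is the client config under /var/etc/openvpn/); with no argument it audits the two constructed samples.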
-
I used this tutorial and everything worked great, except dnsleaktest.com still shows my ISP instead of Choopa.com (which is PIA's DNS).
Where should I start to diagnose this?
-
The key might be in section (above) - "Add a rule to block vpnclients from making DNS queries to the LAN IP. This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients."
Has this rule been set up?
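An added example, not from the HowTo and not what pfSense itself generates: the pf rules that the GUI rules discussed in this thread come down to, written by hand so the intent is visible. Interface names, addresses, the table name and the tag name are assumptions; outbound NAT on the tunnel interface is a separate rule and is not shown. The tagged pair is what the thread calls the packet-matching floating rule.

```shell
#!/bin/sh
# Added example (not from the HowTo, not pfSense output): the pf rules behind the GUI rules
# described above. Interface names, addresses, table and tag names are assumptions.

# vpnclient_rules LAN_IF LAN_IP WAN_IF VPN_IF VPN_GW HOST...
vpnclient_rules() {
    lan_if=$1 lan_ip=$2 wan_if=$3 vpn_if=$4 vpn_gw=$5
    shift 5
    cat <<EOF
# LAN hosts that may only ever reach the internet through the tunnel
table <vpnclients> persist { $* }

# Floating rules (evaluated first). The match rule tags every packet from a vpnclient on the
# way in; the tag survives NAT, so the WAN rule still recognises the traffic on the way out.
# A packet that falls back to the default route because the tunnel is down is dropped here.
# Whether a packet that already has a state reaches this rule depends on pf's state policy
# and on the gateway-down handling, so test it: stop the OpenVPN client and watch the WAN.
match in on $lan_if from <vpnclients> to any tag NO_WAN_EGRESS
block out quick on $wan_if tagged NO_WAN_EGRESS

# LAN rules. The first keeps vpnclients away from the firewall's own DNS Resolver, which would
# recurse over the WAN; it also covers a static DHCP mapping whose DNS override was forgotten.
# The second sends everything else into the tunnel; with "Don't pull routes" set on the client
# this rule is the only path into it.
block return in quick on $lan_if inet proto { tcp udp } from <vpnclients> to $lan_ip port 53
pass in quick on $lan_if route-to ( $vpn_if $vpn_gw ) from <vpnclients> to any keep state
EOF
}

# Constructed values: LAN em0 at 192.168.1.1, WAN em1, tunnel ovpnc1 with gateway 10.8.0.1,
# two vpnclient hosts.
vpnclient_rules em0 192.168.1.1 em1 ovpnc1 10.8.0.1 192.168.1.50 192.168.1.51

# On the firewall, parse the result without loading it:
#   vpnclient_rules em0 192.168.1.1 em1 ovpnc1 10.8.0.1 192.168.1.50 | pfctl -nf -
# and compare with what the GUI actually loaded:
#   pfctl -sr | grep vpnclients
```

The rule order matters: floating rules run before interface rules, and both LAN rules are quick, so a vpnclient's packet is either rejected (DNS to the LAN IP) or routed into the tunnel and never reaches any later LAN rule.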
-
Yes, I set up that rule.
-
Is your client Windows 8 or up?
Then it could be this:
https://forum.pfsense.org/index.php?topic=110910.msg617899#msg617899
-
I just tried that, but got the following in my OpenVPN log:
May 6 20:54:13 openvpn 84233 SIGTERM[hard,] received, process exiting
May 6 20:54:13 openvpn 30195 Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
May 6 20:54:13 openvpn 30195 Use --help for more information.
This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the --block-outside-dns option is available.
-
I had to use "push block-outside-dns", which someone recommended. Not sure if that is actually working or not; I don't see anything in the log.
I am still having the issue where any of the leak test sites show my DNS server as my IP from the ISP (not my ISP's DNS servers).
I have done all the different rules for blocking DNS and forcing certain servers. It just seems like it was working at first, and now it always displays the ISP IP even when connected to the VPN.
I am using the DNS Resolver (no forwarding and no DNS servers configured in General Setup; using 127.0.0.1).
-
The "push block-outside-dns" seems to allow the client to start at least, but it didn't change anything in terms of the leak tests. You're right - they are showing my IP, not my ISP's DNS server. Strange and pretty much the opposite of what I'm looking for out of a VPN.
-
@chebyshev On the host you are performing DNS leak tests from, what are the configured name servers? Precisely what firewall rules did you create (a screenshot would be best)?
-
The host doing the leak tests gets a static IP assigned via DHCP from the pfSense box - it is assigned the Google DNS servers (8.8.8.8 and 8.8.4.4). Those are the ones that show up if I do 'ipconfig /all'. It is running Windows 10.
Screenshots of my firewall rules are attached.
-
Do you have name servers set up in System > General Setup? What are they?
-
Here is my config at the moment. I have the DNS-related rules disabled until I figure out the situation.
-
Don't know why you have all those rules duplicated. Only the first match is going to have any effect.
-
Some of those are due to it being 2 separate images that I should have done a better job of editing before posting :)
The others are due to being autocreated and manually created. Duplicates remain disabled and were left in place only for testing.
-
I have the Google DNS servers in there: 8.8.8.8 and 8.8.4.4.
-
I think that might be the problem. Manually set your DNS server on that host to just 4.2.2.2 and run your DNS leak test again.
-
Tried that - same result.
-
And what result is that?
-
Sorry - my IP is showing up in the DNS leak test results.
-
Hmm. When I set mine to use Google for DNS, all dnsleaktest.com sees is Google.
Are you positive you're working from a host that has all traffic forwarded to the VPN?
Are you sure that host has Google and only Google set as its DNS servers?
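The thread stops without a diagnosis, so here is an added example, not from the thread, that makes the reasoning explicit: what a leak test's "DNS server" field actually reports, what each outcome implies for this setup, and the checks that settle it. All addresses are constructed and the WAN interface name is assumed; the port-53 redirect is offered as one possible cause, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread): read a DNS leak test result for this setup, then the
# checks to run next. All addresses are constructed; the WAN interface name em1 is assumed.

# dns_leak_verdict OBSERVED WAN_IP VPN_EXIT_IP
# OBSERVED is the "DNS server" the leak test reports. Leak tests serve a unique hostname and
# record the source address of the recursive query that reaches their authoritative servers,
# so OBSERVED is the address the *recursor* used, not the address the host sent its query to.
dns_leak_verdict() {
    observed=$1 wan=$2 vpn=$3
    if [ "$observed" = "$wan" ]; then
        # The recursor is your own WAN address: the firewall's DNS Resolver (Unbound, not
        # forwarding) is doing the recursion and leaving via the WAN. The host's queries got
        # there either because it really uses the LAN IP as its resolver, or (one possibility)
        # because a port-53 NAT redirect sends its queries for 8.8.8.8 to 127.0.0.1.
        echo resolver-on-firewall-via-wan
    elif [ "$observed" = "$vpn" ]; then
        # Recursion happened from the tunnel's exit address: nothing left via the WAN.
        echo recursion-exits-via-vpn
    else
        # A third party (Google, for 8.8.8.8) recursed for you. That is the "sees google"
        # outcome above and is not itself a leak, but it says nothing about the path the
        # host's query to that resolver took; the WAN capture below settles it.
        echo external-resolver-check-path
    fi
}

# Constructed values: WAN 203.0.113.10, VPN exit 198.51.100.7, and one third-party resolver.
for seen in 203.0.113.10 198.51.100.7 192.0.2.53; do
    printf '%-15s -> %s\n' "$seen" "$(dns_leak_verdict "$seen" 203.0.113.10 198.51.100.7)"
done

# Next checks, run by hand:
# On the firewall while the host runs the leak test. Any line printed is DNS leaving the
# WAN in the clear, whether sent by the host directly or by Unbound recursing on its behalf:
#   tcpdump -ni em1 udp port 53
# On the firewall: is there a port-53 redirect pulling the host's queries into the Resolver?
#   pfctl -sn | grep -E 'rdr.*port = (domain|53)'
# On the host: ask a resolver directly which address the query arrived from. With policy
# routing working this is the VPN exit, never the WAN IP (Windows and Unix form):
#   nslookup myip.opendns.com resolver1.opendns.com
```

Reading the thread's symptom with this in hand: the host is configured for 8.8.8.8, yet the test reports the WAN address, so the queries are not reaching Google at all; something on the firewall is answering them and recursing over the WAN. The tcpdump and the rdr check are the two things that distinguish the candidates.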