
Topic: 2.1 / OpenVPN /PIA: can't get it to work


brick41
Re: 2.1 / OpenVPN /PIA: can't get it to work
« Reply #30 on: April 17, 2014, 03:29:41 pm »
In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
You have to switch to manual outbound NAT, and then add outbound NAT rule(s) for traffic leaving the OpenVPN client towards the VPN provider.

You hit the nail on the head, Phil. I have working Private Internet Access now.

For everyone else, here are some directions. After you follow the directions on http://www.komodosteve.com/archives/232, make sure that Status > Gateways shows your OPT1_VPNV4 interface. If it doesn't, you will have to reboot (I had to). It may show as down (screenshot) since there is no ping reply, but that's OK. After the reboot it should automatically connect to PIA, so check Status > OpenVPN and then try a traceroute. You should see that the traceroute goes over PIA (screenshot).

Firewall > NAT > Outbound: After switching to Manual Outbound NAT there is a rule "Auto created rule for LAN to WAN" (not the ISAKMP one). I clicked on the little + button to the right of it to "add a new NAT based on this one" (tooltip text). That gave me a copy of that rule; I changed WAN to OPT1 and saved the rule as "OpenVPN (PIA)". Then it returned me to the Outbound page, and I clicked the "Apply Changes" button that appeared in a red banner above the rules.


The next problem I had was DNS leaks. DNS was still going out on the WAN. Is that normal? Did I miss some OpenVPN setting? Anyway, I decided to make it so that LAN traffic would go out only over the VPN. Skip the rest of these instructions if you don't want to do that. In other words, traffic is blocked when the VPN is down. Here's how I did it, and if this is wrong or is leaky please let me know:

This first step was my last step. I tried several times to route traffic over the VPN but traffic kept leaking. I did some searching and read that pfSense will create failover rules when a gateway is down. To disable that you have to "skip rules":
RESOLVED : Firewall rules and OpenVPN client Vs. default gateway
System > Advanced > Miscellaneous > Gateway Monitoring > Skip rules when gateway is down > CHECK

If you're not using IPv6 you could disallow it. I'm not using it, but after I disallowed it my logs were filled with IPv6 router availability broadcasts, so I turned it back on just for less noise. There is probably a way to disable IPv6 entirely; this is more of a filter:
System > Advanced > Networking > IPv6 Options > Allow IPv6 > UNCHECK

This forces traffic to go from the LAN to the VPN; however, it doesn't stop communication with the LAN.
Firewall > Rules > LAN > Disable all rules, Make a new rule:
Action: Pass
Interface: LAN
TCP/IP Version: IPv4
Protocol: any
Source > Type: LAN net
Advanced features > Gateway: OPT1_VPNV4

I used that rule but also added two block rules (one for IPv4, one for IPv6) above it so that anything with a destination of "LAN net" is blocked. In other words, no DNS requests can be sent to 192.168.10.1 (the pfSense LAN interface). Blocking all destinations in LAN net is pretty restrictive; you may not want it.

In any case, change the DNS servers your LAN clients use. I changed the DHCP server for the LAN interface to use Google's DNS servers, but you can also use PIA's (209.222.18.222, 209.222.18.218).
Services > DHCP server > LAN > DNS servers > 8.8.8.8, 8.8.4.4

Since I'm not using the DNS forwarder now I turned it off:
Services > DNS forwarder > General DNS Forwarder Options > Enable > UNCHECK


Two things still concern me. I see this in my OpenVPN logs:
Apr 17 00:17:49    openvpn[14080]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 17 00:17:49    openvpn[14080]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.


How do I determine the script security level? Is it recorded anywhere and can I or should I change it? And if I specified the ca certificate in the ca.crt file why does it say no verification method has been enabled?


I still don't understand why all traffic is directed through PIA by default, when PIA is not the default gateway (WAN1, VDSL, is).
I'm pretty sure that's OpenVPN. When you connect to a server I think it runs some command that changes your default route to the address OpenVPN was assigned. It might be the route command; I don't know. Maybe there is an OpenVPN configuration option to stop that from happening?


Sorry, I haven't had a chance until now to post these.
If you need any more, let me know.
Thanks!
« Last Edit: April 17, 2014, 05:08:54 pm by brick41 »
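An added example, not code from the thread, from pfSense or from PIA: a small Python audit that parses an OpenVPN client config and reports the two conditions behind the log lines quoted in the post above. The "No server certificate verification method has been enabled" warning means the CA validates the certificate chain but nothing requires the peer to present a server certificate, so any client certificate issued by the same CA could impersonate the server; "remote-cert-tls server" is the usual fix (on pfSense 2.1 that line goes in the client's Advanced configuration box, which is an assumption about the GUI). The script-security level is whatever "script-security" line pfSense writes into the generated client config (assumed path /var/etc/openvpn/client1.conf); the NOTE in the log is what OpenVPN prints whenever that level is 2 or higher, and the up/down scripts that bring the ovpnc interface up need at least 2. Both configs below are constructed for the example, and the set of identity-checking directives is taken from OpenVPN 2.3's option check and stated as an assumption.

```python
"""Audit an OpenVPN client config for the two log lines quoted in the thread."""
from typing import Dict, List, Optional

# Constructed config, not pfSense output. It reproduces the weak state: a CA is
# given (so the chain is validated) but nothing requires the peer to hold a
# server certificate, and script-security 3 is more than up/down need.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote us-east.example-vpn.net 1194
auth-user-pass /var/etc/openvpn/client1.up
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
script-security 3
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
"""

# The same config with the two fixes applied.
HARDENED_CONFIG = (WEAK_CONFIG.replace("script-security 3", "script-security 2")
                   + "remote-cert-tls server\n")

# Directives OpenVPN 2.3 counts as a server-identity check (assumption taken from
# its option post-processing); when none is present it logs the MITM warning.
SERVER_ID_DIRECTIVES = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
                        "ns-cert-type", "verify-x509-name", "tls-remote", "tls-verify"}
# Directives that make OpenVPN execute an external program.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                     "tls-verify", "auth-user-pass-verify", "client-connect",
                     "client-disconnect", "learn-address"}


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with; <tag>...</tag>
    inline blocks (ca, cert, key) are recorded as a single '<inline>' argument."""
    cfg: Dict[str, List[List[str]]] = {}
    block: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <ca> ... </ca>
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            cfg.setdefault(block, []).append(["<inline>"])
            continue
        parts = line.split()
        cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def script_security_level(cfg: Dict[str, List[List[str]]]) -> int:
    """Effective --script-security; OpenVPN defaults to 1 when the line is absent."""
    values = cfg.get("script-security")
    return int(values[-1][0]) if values else 1


def audit(text: str) -> List[str]:
    cfg = parse_config(text)
    findings: List[str] = []
    if "ca" not in cfg:
        findings.append("no 'ca': the server's certificate chain is not validated at all")
    if not SERVER_ID_DIRECTIVES & set(cfg):
        findings.append("no server-identity check; add 'remote-cert-tls server' "
                        "(this is the 'No server certificate verification method' warning)")
    level = script_security_level(cfg)
    scripts = sorted(SCRIPT_DIRECTIVES & set(cfg))
    if level >= 2 and not scripts:
        findings.append(f"script-security {level} but no script directives; 1 is enough")
    if level >= 3:
        findings.append("script-security 3 also exposes auth-user-pass credentials to scripts "
                        "via the environment; 2 is enough for " + ", ".join(scripts or ["scripts"]))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or ['OK']}")
```

Pointing audit() at the generated client config answers both questions in the post: the script-security line tells you the level, and the absence of every directive in SERVER_ID_DIRECTIVES is exactly why a correct ca.crt still produces the warning; the CA only proves who signed the peer's certificate, not that the peer is a server.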

Mr. Jingles
Re: 2.1 / OpenVPN /PIA: can't get it to work
« Reply #31 on: April 29, 2014, 10:35:48 am »
The next problem I had was DNS leaks. DNS was still going out on the WAN. Is that normal? Did I miss some OpenVPN setting? Anyway, I decided to make it so that LAN traffic would go out only over the VPN. Skip the rest of these instructions if you don't want to do that. In other words, traffic is blocked when the VPN is down. Here's how I did it, and if this is wrong or is leaky please let me know:


Thanks for your addition to this thread: very useful  ;D

Could I ask: how do you see if there are DNS leaks?

Mr. Jingles
Re: 2.1 / OpenVPN /PIA: can't get it to work
« Reply #32 on: April 29, 2014, 10:44:05 am »
Hmmm, this also still was an open tab in my browser:

http://homeservershow.com/forums/index.php?/topic/5958-pfsense-and-openvpn-problem/

The military man here says that the order of the rules in NAT is important (the VPN should be at the top of the list), whereas in some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true  ???

brick41
Re: 2.1 / OpenVPN /PIA: can't get it to work
« Reply #33 on: April 29, 2014, 01:22:07 pm »
Could I ask: how do you see if there are DNS-leaks?

You could create a firewall rule to allow and log any outgoing traffic on port 53 on the WAN. You should see that the only name resolutions will be for pfSense stuff and PIA servers. What's nice about the logging is that it deconstructs the packet to determine what hostname was requested to be looked up. If you are interested in logging DNS in general, check out the thread I started here:
How can I record and maybe monitor all DNS requests and replies?

If you stop outgoing DNS on the WAN there is a "which came first, the chicken or the egg" problem, because then how does pfSense look up the address of the PIA server you're connecting to, or check the latest version of FreeBSD?

Also keep in mind that with the DNS forwarder, if you have it enabled, you could leak in certain scenarios. For example, I have a pfSense box behind a wireless router. So my router has address 192.168.1.1, and when it assigns an IP via DHCP it offers nameserver 192.168.1.1. So the pfSense WAN IP address is something like 192.168.1.2, for example, with nameserver 192.168.1.1. Then the pfSense LAN has a DHCP server (192.168.10.1) that assigns an IP 192.168.10.2 and nameserver 192.168.10.1. When client 192.168.10.2 wants to resolve, it sends its request to 192.168.10.1, which is the pfSense DNS forwarder. That then sends the request to 192.168.1.1, which is the wireless router's DNS forwarder. I believe that would happen even if I was routing my traffic over OpenVPN, because 192.168.1.x is a local route. The setup I have right now is that I disabled the pfSense LAN DNS forwarder and the pfSense LAN DHCP instead offers Google nameservers. The Google nameservers are not a local route, so they go over the VPN.

The military man here says that the order of the rules in NAT is important (the VPN should be at the top of the list), whereas in some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true  ???

That I don't know about; you may have to start a separate thread to ask that question and get someone's attention. In my rules the OpenVPN PIA one is first.



Also, unrelated: the biggest issue I've had so far with my setup has been that OpenVPN continues to work even after it's terminated due to a fatal error. So FYI, you may encounter that. It looks to be a bug.
« Last Edit: April 29, 2014, 01:25:20 pm by brick41 »
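An added example for the "allow and log port 53 on the WAN" suggestion in the post above (not code from the thread or from pfSense): a Python parser for the tcpdump-style lines that pfSense 2.1 wrote to filter.log for rules with logging enabled, which flags outbound port-53 packets that were passed on the WAN interface rather than the OpenVPN client interface, and which pulls the queried hostname out of tcpdump's DNS decode, the "deconstructed packet" the post refers to. The sample log lines, the interface names (em0 for WAN, em1 for LAN, ovpnc1 for the PIA client) and the allow-list of names pfSense itself has to resolve on the WAN (the chicken-and-egg case in the post) are all constructed assumptions; the exact log format differs between pfSense versions, so treat the regex as the part you would adjust.

```python
"""Flag DNS queries that left on the WAN instead of the OpenVPN client interface."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed log lines in the tcpdump-style format pfSense 2.1 wrote to
# /var/log/filter.log for logged rules (assumed; real output varies by version).
# Interfaces are assumptions: em0 = WAN, em1 = LAN, ovpnc1 = the PIA client.
SAMPLE_LOG = """\
Apr 17 00:17:49 pfsense pf: 00:00:00.000245 rule 5/0(match): pass out on em0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 60) 192.168.1.2.49152 > 192.168.1.1.53: 11+ A? www.example.com. (32)
Apr 17 00:17:50 pfsense pf: 00:00:00.000311 rule 5/0(match): pass out on em0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 73) 192.168.1.2.49153 > 192.168.1.1.53: 12+ A? nl.privateinternetaccess.com. (45)
Apr 17 00:17:51 pfsense pf: 00:00:00.000290 rule 7/0(match): pass out on ovpnc1: (tos 0x0, ttl 63, id 3, offset 0, flags [DF], proto UDP (17), length 60) 10.10.10.6.49154 > 8.8.8.8.53: 13+ A? www.example.org. (32)
Apr 17 00:17:52 pfsense pf: 00:00:00.000202 rule 5/0(match): pass out on em0: (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto UDP (17), length 61) 192.168.1.2.49155 > 8.8.8.8.53: 14+ A? mail.example.com. (33)
Apr 17 00:17:53 pfsense pf: 00:00:00.000188 rule 3/0(match): pass in on em1: (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto UDP (17), length 60) 192.168.10.2.5000 > 192.168.10.1.53: 15+ A? www.example.com. (32)
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\(match\): (?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
    # tcpdump's DNS decode, when present: "<txid>+ [flags] <qtype>? <qname>."
    r"(?: (?P<txid>\d+)\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+))?"
)


@dataclass
class LogEntry:
    rule: str
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    qname: Optional[str]   # decoded query name, None when the line carried no DNS decode


def parse_filter_log(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # not a pf rule line, or a shape we do not parse
        qname = m.group("qname")
        entries.append(LogEntry(m["rule"], m["action"], m["direction"], m["iface"],
                                m["proto"], m["src"], m["dst"], int(m["dport"]),
                                qname.rstrip(".").lower() if qname else None))
    return entries


def is_allowed(name: Optional[str], suffixes: Sequence[str]) -> bool:
    """True if the query is one pfSense itself is expected to send on the WAN
    (the VPN provider's hostname, the update check); an undecoded name is never allowed."""
    if name is None:
        return False
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_dns_leaks(text: str, wan_iface: str,
                   allowed_suffixes: Sequence[str] = ()) -> List[LogEntry]:
    """Port-53 packets passed outbound on the WAN whose name is not on the allow-list.
    Queries that left on any other interface (the VPN client, the LAN) are not leaks."""
    return [e for e in parse_filter_log(text)
            if e.direction == "out" and e.iface == wan_iface and e.dport == 53
            and e.action == "pass" and not is_allowed(e.qname, allowed_suffixes)]


if __name__ == "__main__":
    for e in find_dns_leaks(SAMPLE_LOG, "em0", ("privateinternetaccess.com",)):
        print(f"LEAK on {e.iface}: {e.src} -> {e.dst}:{e.dport} {e.qname or '?'}")
```

The logging pass rule on the WAN is what makes these lines appear at all; once it is in place, anything find_dns_leaks() reports with a name you did not expect is a client whose resolver setting still bypasses the VPN, while the allow-list keeps the firewall's own lookups (the PIA server name, the update host) from being counted. In the constructed sample the two www.example.com and mail.example.com queries leaving on em0 are leaks, the PIA lookup on em0 is expected, and the query over ovpnc1 is exactly where DNS should be going.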