Netgate SG-1000 microFirewall

Author Topic: Tutorial: Configuring pfSense as VPN client to Private Internet Access  (Read 198226 times)

0 Members and 1 Guest are viewing this topic.

Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #330 on: January 04, 2018, 05:18:34 am »
180 is the static ip address of my tv

I'm not sure I understand. Are you just filtering by source IP rather than by a zillion Netflix destinations?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10260
  • Karma: +1177/-313
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #331 on: January 04, 2018, 05:25:29 am »
Yes. He's telling it to put everything FROM that device out WAN regardless of destination. Far easier than trying to single out "Netflix."
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #332 on: January 04, 2018, 05:56:54 am »
Good idea. Unfortunately, I have a mix of devices on the LAN which also access Netflix.  For now, I've added around 30+ subnets to my Netflix Alias. It's not great but it keeps the tablets/phones on the VPN for everything but Netflix.

Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #333 on: January 04, 2018, 06:01:37 am »
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
« Last Edit: January 04, 2018, 06:30:57 am by Dave R »

Offline Finger79

  • Full Member
  • ***
  • Posts: 195
  • Karma: +18/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #334 on: January 05, 2018, 06:15:25 pm »
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
To fix this, go to Services / DNS Resolver and under "Outgoing Network Interfaces," select only your PIA VPN interface(s) and make sure "All' and "WAN" aren't selected.

This fixes the DNS leak over your regular WAN but introduces the problem that if your VPN ever goes down, pfSense will not be able to resolve DNS to reconnect the VPN.  To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing (Google, OpenDNS, Level 3, Verisign, etc.).  This setting only affects outbound DNS queries by localhost, not by anything on your LAN, which should go out the PIA VPN only via unbound.
« Last Edit: January 05, 2018, 06:23:15 pm by Finger79 »

Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #335 on: January 06, 2018, 05:14:37 am »
Thanks! Precisely what I was wanting. em0 egress is looking better now.

To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing

I'm assuming the screenshot is correct?

Offline bcruze

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +4/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #336 on: January 06, 2018, 07:13:25 am »
Thanks! Precisely what I was wanting. em0 egress is looking better now.

To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing

I'm assuming the screenshot is correct?

see now this is when my head starts hurting.    the  instructions never say to create a new interface.  so when i got home i disabled, the PIA interface to test my connection to see if it still worked and it did.  so i deleted the openvpn/ PIA interface.    so i can't change this setting.

so are you saying on the standard PIA instructions your data is not routed correctly on the outgoing interface..?

when i go to PIA.com i have a protected IP.   and i am getting my normal speeds and i have not for some time.   i really don't want to alter this unless i have too




Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #337 on: January 06, 2018, 11:43:58 am »

so are you saying on the standard PIA instructions your data is not routed correctly on the outgoing interface..?


My setup is a little different than "VPN all the things!" which is the direction given by all the tutorials I've found anyway. Straight off, yes all my traffic was egressing the VPN tunnel as it should but I don't want Steam going over it, and Netflix absolutely refuses to run as well. Fiddling around with splitting the traffic over multiple interfaces is inherently problematic because now I need to use IP addresses, protocol and port to determine what goes where. And that's not always a straightforward thing (Especially for Netflix. I'm a little surpised my setup is working at all with all the Aliases I had to configure.)

That said, I'm continually impressed by pfSense. It's enterprise grade software in features, quality and functionality. I'm very grateful for the tutorial in this thread and all the support from the forum folks. Thanks all.

PS: Um..not sure I follow what you mean about creating a new interface. Isn't it right there in the first post under "Create OpenVPN interface" ?
« Last Edit: January 06, 2018, 11:47:16 am by Dave R »

Offline bcruze

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +4/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #338 on: January 06, 2018, 12:57:24 pm »
i am following the newest guide:

https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1


i also posted an updated link just about the top page of 22.  from a PIA staff
« Last Edit: January 06, 2018, 01:00:55 pm by bcruze »

Offline Finger79

  • Full Member
  • ***
  • Posts: 195
  • Karma: +18/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #339 on: January 06, 2018, 10:37:16 pm »
i am following the newest guide:

https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-pia-on-pfsense-2-4?new=1


i also posted an updated link just about the top page of 22.  from a PIA staff
Their guides are never perfect.

Quote from: Guide
14.) Ensure NCP is checked.
       Remove AES-128-GCM and AES-256-GCM by clicking on them in the darkened box in NCP Algorithms
       Add AES-128-CBC and AES-256-CBC  by selecting them in the left box.
This is stupid and defeats the purpose of NCP in OpenVPN 2.4 which automatically negotiates the NCP ciphers if both client and server support NCP.  NCP should remain set to AES-256-GCM and/or AES-128-GCM.  And the traditional cipher should be set to AES-256-CBC or AES-128-CBC.

Quote from: Guide
17.) Custom Options: Add these parameters:

          persist-key
          persist-tun
          remote-cert-tls server
          reneg-sec 0

"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here.  They should be left out because all this does is list the directives twice in the config file.

Mine are currently set to:

Quote
# Advanced Configuration Settings from GUI
remote-cert-tls server
auth-nocache
tls-version-min 1.2
reneg-sec 0
pull-filter ignore "auth-token"

I learned a lot from reading the OpenVPN 2.4 Manual.  Took several hours over several days before I had a basic understanding of how to harden the config settings.  The pull-filter ignore "auth-token" is my latest addition since I was having issues with the session token expiring and the VPN would never automatically reconnect by itself.  Adding that directive keeps pfSense connected to PIA 24/7 and automatically reconnects.
« Last Edit: January 06, 2018, 10:43:51 pm by Finger79 »

Offline Dave R

  • Newbie
  • *
  • Posts: 21
  • Karma: +1/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #340 on: January 07, 2018, 06:43:18 am »
"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here.  They should be left out because all this does is list the directives twice in the config file.

It's worth noting  (and this may have been stated already in the previous 20 pages of thread) that the tutorial in this thread also configures /etc/openvpn-password.txt for the vpn user and password. I've omitted this portion since there is a configuration field in the UI for both of these (I presume earlier versions of pfSense did not have this feature). Either method *does* seem to work but I prefer keeping config items in one place when possible. Not to mention the added potential problems with cleartext files and permissions.

Offline nasolsi

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-1
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #341 on: January 26, 2018, 07:49:25 am »
First thank you for taking the time to write this tutorial.

I went through it but got stuck to the point where no traffic goes through VPN interface and couldn't find how to resolve it.

pfSense's WAN and VPN interfaces are up and running, WAN and VPN's gateways are also online, and OpenVPN client instance to our VPN's Provider server is also up (please see attached file), I'm able to ping VPN's Hong Kong server from pfSense's WAN interface but not form VPN and LAN's interfaces. I know it's something wrong with firewall rules or DNS that not been configured properly.

I did upgrade pfSense to the latest version 2.4.2-RELEASE-p1 (amd64).

Could you please help me on where else to look into to fix this.

Offline mtarbox

  • Jr. Member
  • **
  • Posts: 67
  • Karma: +2/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #342 on: January 26, 2018, 12:47:14 pm »
I've been dealing with Jeremy from PIA as I discovered that I had a DNS leak, using their DNS servers. I even used their servers on the modem. If I used their dnsleak.com test it all came back fine but if I used a different service, dnsleaktest.com and ran the extended test it came back to my home address and not the PIA address.

Here is my latest:

Thank you for that information, Looking through the log it looks like you are using either a firewall rule or some piece of code that is incorrect. Looking this up online it looks like the block-outside-dns is not compatible with the openvpn version running inside PfSense. This could of been added recently and may not have anything to do with the leak but I just wanted to make sure.

These leaks may be attributed to not creating the firewall and NAT rules protecting your connection. Please follow this more up to date pfsense guide fully to ensure that the VPN is set up correctly including the correct firewall rules. Here is the guide if you get stuck please let me know.

The guide: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115005760606-Setting-up-a-Router-running-pfSense-Firmware  which says to use 1194 as the port, and when I do that I receive TLS errors I've been using 1198 and it connects without an issue. I do not have TLS configuration checked as it fails to connect when I do.

I just sent him a reply with screenies showing him the rules I've used, through this guide. I eagerly await his reply.

Offline TechyTech

  • Jr. Member
  • **
  • Posts: 25
  • Karma: +7/-0
  • It's the little bits that are the biggest problems
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #343 on: January 26, 2018, 01:12:49 pm »
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
To fix this, go to Services / DNS Resolver and under "Outgoing Network Interfaces," select only your PIA VPN interface(s) and make sure "All' and "WAN" aren't selected.

This fixes the DNS leak over your regular WAN but introduces the problem that if your VPN ever goes down, pfSense will not be able to resolve DNS to reconnect the VPN.  To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing (Google, OpenDNS, Level 3, Verisign, etc.).  This setting only affects outbound DNS queries by localhost, not by anything on your LAN, which should go out the PIA VPN only via unbound.

This is not entirely true.  You do not need to add a 3rd party DNS for WAN use.

When System >> General DNS "Outgoing Network Interfaces" is configured for a given DNS server, pfSense creates a static route for that DNS entry to go out that interface, but only when that interface is up.  Otherwise the routing is subject to the current routing table default routing, thus DNS queries will go out the default route, usually the WAN.  (This also applies to policy routing rules, which are only added after the target gateway interface is online.)  So you have to plan routing and rules in two states; 1) When VPN links are down and WAN is default route, and 2) when VPN links are up.

What's missing in the DNS routing is configuring Unbound to use localhost for outbound queries so that outbound DNS queries go through default routing.  If Unbound is configured to only use the VPN links as outbound interfaces, then of course those interfaces will not be usable when the VPN is down, and Unbound will have no other interface for outbound queries.

Additionally to really prevent unexpected DNS leaks, and extra query traffic, especially when using multi-wan / multi-vpn, configure Unbound to only use localhost for outbound. 

The reason is that Unbound will try to query all configured DNS servers on each configured outbound interface directly, bypassing the route table, and then manage responses accordingly, which results in leaks if WAN is configured as an outbound interface, and lots of extra activity if you have multiple links.  Configuring Unbound to only use the localhost for outbound not only limits the amount of queries outbound attempts, but also subjects all outbound queries to NAT'ing and routing.  Thus when the VPN links are down, dns queries are routed out the default route, which should be the WAN, but when the VPN links are up and are the default route, DNS queries go out the VPN default routes (either by default or as configured for "Outgoing Network Interface" once the link is up.  When Unbound is configured to use only localhost as outbound, you do not need to configure an DNS outbound interface under System >> General (unless you have disabled pulling routes in the VPN client.) as outbound queries from localhost will go out the VPN link once it becomes the default route.

And as an added note: Since PIA does not support IPv6, Unbound needs to be configured to disable IPv6 queries, otherwise there is a bit of a performance hit with all DNS queries as it wil try to resolve both A & AAAA records for all queries.  Add the Unbound configuration directive "server: do-ip6: no" to turn off AAAA record queries.
« Last Edit: January 26, 2018, 02:19:15 pm by TechyTech »

Offline Finger79

  • Full Member
  • ***
  • Posts: 195
  • Karma: +18/-0
    • View Profile
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #344 on: January 26, 2018, 09:19:28 pm »
If I'm running 'Services > DNS Resolver' on PFsense, It looks like (most?) of my DNS queries are still going out the WAN. Is this because the the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least what it looks like from tcpdump)?
To fix this, go to Services / DNS Resolver and under "Outgoing Network Interfaces," select only your PIA VPN interface(s) and make sure "All' and "WAN" aren't selected.

This fixes the DNS leak over your regular WAN but introduces the problem that if your VPN ever goes down, pfSense will not be able to resolve DNS to reconnect the VPN.  To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing (Google, OpenDNS, Level 3, Verisign, etc.).  This setting only affects outbound DNS queries by localhost, not by anything on your LAN, which should go out the PIA VPN only via unbound.

This is not entirely true.  You do not need to add a 3rd party DNS for WAN use.

When System >> General DNS "Outgoing Network Interfaces" is configured for a given DNS server, pfSense creates a static route for that DNS entry to go out that interface, but only when that interface is up.  Otherwise the routing is subject to the current routing table default routing, thus DNS queries will go out the default route, usually the WAN.  (This also applies to policy routing rules, which are only added after the target gateway interface is online.)  So you have to plan routing and rules in two states; 1) When VPN links are down and WAN is default route, and 2) when VPN links are up.

What's missing in the DNS routing is configuring Unbound to use localhost for outbound queries so that outbound DNS queries go through default routing.  If Unbound is configured to only use the VPN links as outbound interfaces, then of course those interfaces will not be usable when the VPN is down, and Unbound will have no other interface for outbound queries.

Additionally to really prevent unexpected DNS leaks, and extra query traffic, especially when using multi-wan / multi-vpn, configure Unbound to only use localhost for outbound. 

The reason is that Unbound will try to query all configured DNS servers on each configured outbound interface directly, bypassing the route table, and then manage responses accordingly, which results in leaks if WAN is configured as an outbound interface, and lots of extra activity if you have multiple links.  Configuring Unbound to only use the localhost for outbound not only limits the amount of queries outbound attempts, but also subjects all outbound queries to NAT'ing and routing.  Thus when the VPN links are down, dns queries are routed out the default route, which should be the WAN, but when the VPN links are up and are the default route, DNS queries go out the VPN default routes (either by default or as configured for "Outgoing Network Interface" once the link is up.  When Unbound is configured to use only localhost as outbound, you do not need to configure an DNS outbound interface under System >> General (unless you have disabled pulling routes in the VPN client.) as outbound queries from localhost will go out the VPN link once it becomes the default route.

And as an added note: Since PIA does not support IPv6, Unbound needs to be configured to disable IPv6 queries, otherwise there is a bit of a performance hit with all DNS queries as it wil try to resolve both A & AAAA records for all queries.  Add the Unbound configuration directive "server: do-ip6: no" to turn off AAAA record queries.


Very interesting.  Thanks for the info!

you do not need to configure an DNS outbound interface under System >> General (unless you have disabled pulling routes in the VPN client.)
It's frequently advised in the forums here to disable pulling routes in OpenVPN client config.  Lots of people do that, which helps with policy-based routing.