
Author Topic: Tutorial: Configuring pfSense as VPN client to Private Internet Access  (Read 189887 times)


Offline TechyTech

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #345 on: January 27, 2018, 11:00:49 am »

You do not need to configure a DNS outbound interface under System >> General (unless you have disabled pulling routes in the VPN client).
It's frequently advised in the forums here to disable pulling routes in the OpenVPN client config. Lots of people do that, which helps with policy-based routing.

Disabling pulling routes and using policy routing is not covered in the "Tutorial" (the subject of this thread), and it shouldn't be for people just trying to get their VPN service up and running, because policy routing cannot be applied to traffic generated by the firewall itself, such as Unbound and the Squid proxy. This is why so many people have problems with DNS and proxied traffic leaks when using Squid, even though traffic from their LAN passes (via policy rule) out the VPN.

Therefore, whether configured from the VPN's pushed configuration or manually, you need a default route for at least one VPN link, and you need to configure firewall services to use route-table routing (via use of localhost as an outbound interface). Otherwise, traffic that can't go through policy routing will either go out the outbound interface(s) directly (as both Unbound and Squid will do), or be routed according to whatever state the routing table is in, including the default route (if the VPN is not configured as the default route), such as the WAN, again resulting in traffic leaks.

The main reason I see for disabling the pulling of routes and manually managing them is edge cases where the default route gets misdirected to an undesired link, or is not updated during VPN link transitions and falls back to the default WAN, resulting again in traffic leaks. This gets further into the use of policy routing and gateway groups in multi-WAN/multi-VPN setups, but it does not eliminate the need for a properly configured default route. But, alas, using multiple VPN links is also outside the scope of a simple tutorial for getting a PIA VPN link up and running with pfSense without leaking traffic out the WAN.

So in a single-link scenario, it is better to stick to pulling route configurations and to understand that default routing is necessary for firewall-initiated services such as DNS and the proxy. This simplifies initial configuration for people just trying to get their VPN service configured without leaking data.
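The two conditions this post insists on (default route on the tunnel, Unbound sending from localhost) can be checked from the pfSense shell. The script below is an added example, not code from this thread or from pfSense; the interface names ovpnc1/em0, the addresses, and the `outgoing-interface` line are constructed/assumed stand-ins for what `netstat -rn -f inet` and the generated unbound.conf show on a real box.

```shell
#!/bin/sh
# Constructed `netstat -rn -f inet` output with the PIA-pushed default route in place
# (assumed tunnel interface ovpnc1, assumed WAN interface em0).
SAMPLE_ROUTES_VPN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#9             U        ovpnc1
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#1             U           em0
198.51.100.0/24    link#1             U           em0'

# Constructed table after the tunnel dropped, or with "pull routes" disabled and no
# manual default: the default route has fallen back to the WAN.
SAMPLE_ROUTES_WAN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#1             U           em0
198.51.100.0/24    link#1             U           em0'

# Print the Netif column of the default route from a routing table read on stdin.
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Succeed only if the default route leaves via the expected tunnel interface ($2).
# Firewall-originated traffic (Unbound, Squid) follows this route, not LAN policy rules.
default_via_vpn() {
    iface=$(printf '%s\n' "$1" | default_route_iface)
    [ "$iface" = "$2" ]
}

# Constructed unbound.conf fragments (assumed syntax for the "Localhost" GUI choice).
UNBOUND_LOCALHOST='outgoing-interface: 127.0.0.1'
UNBOUND_WAN='outgoing-interface: 198.51.100.10'

# Succeed only if every outgoing-interface line is a loopback address, so Unbound's
# queries are routed by the route table instead of being pinned to a WAN address.
unbound_uses_localhost() {
    printf '%s\n' "$1" | awk '/^ *outgoing-interface:/ { if ($2 !~ /^127\./ && $2 != "::1") bad = 1 }
                               END { exit bad }'
}

# On a live box replace the sample with: netstat -rn -f inet | default_route_iface
if default_via_vpn "$SAMPLE_ROUTES_VPN" ovpnc1; then echo "default route: VPN (ok)"; else echo "default route: WAN (leak)"; fi
if unbound_uses_localhost "$UNBOUND_LOCALHOST"; then echo "unbound outgoing: localhost (ok)"; else echo "unbound outgoing: WAN address (leak)"; fi
```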