
Author Topic: Tutorial: Configuring pfSense as VPN client to Private Internet Access  (Read 177198 times)


Offline flowrider

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #45 on: December 28, 2014, 01:55:26 am »
Thanks wbennett77, I ended up using PIA's DNS servers as well and no leaks! It was quite easy, which is nice for a change! I'm pretty happy to have found this guide as it's the most comprehensive and simple-to-use one on the net. I'm pairing it with a Netgear R7000 right now and it seems to be working well, especially in the 5 GHz range.

Offline sogseal

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #46 on: December 28, 2014, 02:46:13 pm »
Has anyone figured out DNS settings yet? I stumbled across a topic https://forum.pfsense.org/index.php?topic=29944.0 Step 4; I cannot test this at the moment, I'm waiting for my new mobo. I talked to a PIA rep and he recommended manually configuring DNS and provided me with the IPs 208.67.222.222 and 208.67.220.220. I should get my mobo tomorrow and will start playing with my new hardware and installing pfSense.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9212
  • Karma: +1046/-308
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #47 on: December 28, 2014, 03:49:43 pm »
Those are OpenDNS servers.

Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P

Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.

Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline sogseal

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #48 on: December 28, 2014, 06:02:27 pm »
> Those are OpenDNS servers.
>
> Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P
>
> Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that sets the gateway to PIA and marks the traffic with something like NO_WAN_EGRESS.
>
> Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.

I'm lost :), want to show us step by step?  ::)

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9212
  • Karma: +1046/-308
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #49 on: December 28, 2014, 08:26:37 pm »
Post the rule that forwards your traffic to PIA.

Offline sogseal

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #50 on: December 29, 2014, 07:36:18 am »
> Post the rule that forwards your traffic to PIA.

I got my new mobo coming today, I'll set everything up and post it, thank you for the help.

***EDIT***

So I got my mobo, MSI Z87I AC (waiting on AR9380). Pretty much I followed this guide to the end and added OpenDNS IPs (I'm on 2.2-RC (amd64) built on Mon Dec 29 07:41:21 CST 2014 FreeBSD 10.1 RELEASE-p3) to System > General Setup DNS servers and I don't have any DNS leaks.
« Last Edit: December 29, 2014, 05:30:05 pm by sogseal »

Offline ryan29

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +19/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #51 on: January 09, 2015, 06:35:28 am »
After testing a bit, I see issues when using DHCP (LAN) and the DNS Forwarder.  Clients on the LAN are given the pfSense LAN IP as a DNS server and the DNS lookups done by the DNS Forwarder don't seem to be very sophisticated.  My firewall rules route a couple machines over the VPN and everything else goes over the WAN:

However, I still see geo-optimized IPs when I do DNS lookups (ex: google.com).  I changed my DNS a bit to see if I could figure out what was going on.  I set two DNS servers:

Note that one is set to use the WAN gateway and the other is set to use the TGNEWYORK gateway (I'm using TorGuard, not PIA).  After doing this, the behavior of one of my 'vpnclients' gives a good indication of what's happening.

When I do a DNS leak test I can see that both DNS servers are being used and the route depends on which DNS server is picked by the DNS Forwarder.  I can tell this because it appears that TorGuard forces all DNS requests through OpenDNS, so half the servers found are Google, half are OpenDNS.

There are two things to be careful of in my opinion.  1) Make sure all vpnclients bypass the DNS Forwarder.  2) Make sure normal connections don't use the VPN for DNS lookups.  I use a port forward rule to get the vpnclients to bypass the DNS Forwarder.  Note the rule uses the LAN interface.  Also note the firewall rule I have above to intentionally block all traffic from vpnclients to pfsense.

Another option would be to make sure the DHCP server passes non-local DNS to clients, but keeping the vpnclients and normal clients separated is a pain.  To ensure normal connections don't use the VPN for DNS, I explicitly specify the WAN gateway for DNS and don't allow the settings to be overridden by DHCP.

From the testing I did, leaving a gateway of 'none' doesn't work.  I still saw DNS lookups going over the VPN gateway.  To me this is incorrect behavior since my default gateway is the WAN gateway (only tested on 2.1.4).

Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?

Offline cybernet

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #52 on: January 17, 2015, 10:31:49 am »
Has anyone successfully gotten PIA to work with SHA256? Works flawlessly with SHA1. Also if you receive MTU or HMAC authentication errors, try another server. Some servers are acting really wonky right now.

Cheers!

Offline kintaroju

  • Newbie
  • *
  • Posts: 9
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #53 on: January 22, 2015, 02:11:47 pm »
Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

Having TWO OpenVPN clients set up via PIA.

So the idea is this: based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.

Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.

Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.

I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to PIA USA West; is there anything I could be missing?

Offline terryd

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #54 on: January 24, 2015, 05:31:04 am »
Very good guide, but mine seems to restart if put under any stress like a download.
« Last Edit: January 24, 2015, 09:41:48 am by terryd »

Offline kintaroju

  • Newbie
  • *
  • Posts: 9
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #55 on: January 24, 2015, 04:43:44 pm »
TerryD, did you upgrade to the latest pfSense 2.2 that was released yesterday?

As for my issue, upgrading to 2.2 totally fixed the issues

Offline Robs

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #56 on: January 25, 2015, 03:43:06 am »
> Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?

I did set it up like this, using no special rules:
check "Query DNS servers sequentially" in the DNS Forwarder

209.222.18.218 -> pia gateway
209.222.18.222 -> pia gateway
8.8.8.8 ->  wan gateway

Offline Robs

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #57 on: January 25, 2015, 03:57:32 am »
> Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.
>
> Having TWO OpenVPN clients set up via PIA.
>
> So the idea is this: based on IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.
>
> Then based on IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.
>
> Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.
>
> I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to PIA USA West; is there anything I could be missing?

Once you have one VPN gateway there isn't anything different in setting up another one and selecting the gateway based on LAN IP.
However, there can be a situation where the VPN clients both have the same local interface IP (the 10.x.x.x address).
I don't know what caused it, but restarting one VPN client did solve it for me.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9212
  • Karma: +1046/-308
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #58 on: January 25, 2015, 01:55:08 pm »
Save yourself some headaches and set your IPs on subnet boundaries instead.  That'll make your rules a lot easier.

Like instead of assigning hosts IP addresses from 192.168.0.21 through 192.168.0.40, assign them 192.168.0.33 through 192.168.0.62.  You can then cover them in one rule with source IP 192.168.0.32/29 (255.255.255.248)

You could:

pass ip any source 192.168.0.32/29 dest any gateway PIA_USA_WEST # (hosts .33 through .62 - in this case you could actually use .32 and .63 too but I wouldn't)
pass ip any source 192.168.0.64/29 dest any gateway PIA_CANADA # (hosts .65 through .94)
pass ip any source LAN network dest any gateway default # everything else.
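The two ideas in this thread, policy-routing rules keyed on subnet-aligned source blocks (reply #58) and tagging VPN-bound traffic so a floating rule can block it on WAN if the tunnel drops (reply #47), can be checked on paper before touching the firewall. The following is an added example, not code from the forum thread or from pfSense: it uses Python's standard `ipaddress` module to compute the smallest CIDR blocks covering a host range, builds first-match rules from segment definitions, and simulates where a packet from a given LAN host ends up when the VPN gateway is up or down. The LAN `192.168.0.0/24`, the segment ranges and the gateway names `PIA_USA_WEST`, `PIA_CANADA` and `default` are constructed placeholders, and pfSense's rule engine is reduced to "first matching rule wins, no match means drop".

```python
"""Added example (not from the forum thread or pfSense): planning
policy-routing rules on subnet boundaries and simulating first-match
evaluation together with a NO_WAN_EGRESS tag.

Assumptions (constructed): LAN is 192.168.0.0/24; gateway names are
placeholders; pfSense semantics reduced to 'first matching rule wins,
no match means the packet is dropped'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.0.0/24")
NO_WAN_EGRESS = "NO_WAN_EGRESS"


def covering_prefixes(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Smallest list of CIDR blocks that exactly covers first..last.
    A range aligned to a subnet boundary collapses to one block, which is
    why aligned ranges need only one firewall rule per segment."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


@dataclass
class Rule:
    source: ipaddress.IPv4Network
    gateway: str
    tag: Optional[str] = None  # mark applied to matching traffic


# Constructed segments: (first host, last host, gateway, tag).
# Ranges are chosen on /27 boundaries so each needs a single rule.
SEGMENTS = [
    ("192.168.0.32", "192.168.0.63", "PIA_USA_WEST", NO_WAN_EGRESS),
    ("192.168.0.64", "192.168.0.95", "PIA_CANADA", NO_WAN_EGRESS),
]


def build_rules(segments) -> List[Rule]:
    """One pass rule per covering block, then a catch-all for the rest of
    the LAN via the default gateway (order matters: first match wins)."""
    rules: List[Rule] = []
    for first, last, gateway, tag in segments:
        for net in covering_prefixes(first, last):
            rules.append(Rule(net, gateway, tag))
    rules.append(Rule(LAN, "default", None))
    return rules


def route(rules: List[Rule], src: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (gateway, tag) for the first rule matching the source address,
    or (None, None) when nothing matches (pfSense default deny)."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in r.source:
            return r.gateway, r.tag
    return None, None


def egress_interface(rules: List[Rule], src: str, vpn_up: bool) -> str:
    """Where a packet from src leaves: 'vpn', 'wan' or 'blocked'.
    When the VPN gateway is down, policy routing falls back to the default
    route; only the floating 'block WAN out tagged NO_WAN_EGRESS' rule
    keeps that traffic from leaking onto WAN."""
    gateway, tag = route(rules, src)
    if gateway is None:
        return "blocked"
    if gateway != "default" and vpn_up:
        return "vpn"
    # Traffic is now heading out the default (WAN) route.
    return "blocked" if tag == NO_WAN_EGRESS else "wan"


if __name__ == "__main__":
    rules = build_rules(SEGMENTS)
    for r in rules:
        print(f"pass source {r.source} gateway {r.gateway} tag {r.tag}")
    for host in ("192.168.0.40", "192.168.0.70", "192.168.0.200"):
        print(host, "vpn up:", egress_interface(rules, host, True),
              "vpn down:", egress_interface(rules, host, False))
```

Running it prints one rule per segment plus the catch-all, then shows that a host in a tagged segment is blocked rather than leaking out WAN when the tunnel is down, while an untagged host in the catch-all still uses WAN. Calling `covering_prefixes` on an unaligned range such as `192.168.0.21`..`192.168.0.40` returns several blocks, which is the practical reason for choosing boundaries as reply #58 suggests.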

Offline phatty

  • Jr. Member
  • **
  • Posts: 33
  • Karma: +3/-0
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #59 on: January 31, 2015, 09:38:16 am »
Since the upgrade to 2.2 I have had PIA randomly disconnect and remain disconnected for me until I manually click connect again. Anyone else experience this problem? Seems to be every couple of days, on 2.1. 5 the only time I had connectivity issues when an internet issue caused a bad route to the server I had been connecting to. Other than that previously it has been very solid for me up until the upgrade.