
Author Topic: Tutorial: Configuring pfSense as VPN client to Private Internet Access  (Read 178067 times)


Moatilliata (Newbie, Posts: 4, Karma: +0/-0)
Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #60 on: January 31, 2015, 10:04:22 pm »
Thanks for this guide, I got PIA up and running for just my FireTV and the rest of my devices go through the normal WAN.

The problem I'm having now is I'm trying to access content on Hulu and watch Disney Junior with my FireTV, but it says I'm outside of the US (I'm not, and I'm using the PIA California server; I know that Hulu has blocked a lot of VPNs). I don't care if the traffic for Hulu and Disney isn't over PIA, I want to make a rule to bypass the VPN for Hulu, Disney, and potentially a couple of other streaming services. I've tried creating an alias for hulu.com and then I made a firewall rule (placed before my VPN hosts rule) that said if the destination was the Hulu alias it would use the WAN gateway instead of the PIA gateway, but I still got the same outside of the US or private network error. I've also added an ipcheck to the alias to make sure it was working and it returned the IP address I wanted when the rule was applied, so it worked for that site at least.

Any ideas how to get this to work? I don't really want to have to turn the VPN off each time I want to turn on Disney Junior for the kids.

kintaroju (Newbie, Posts: 9, Karma: +0/-0)
« Reply #61 on: February 01, 2015, 11:39:27 pm »
Hi Moatilliata,

Instead of rerouting the traffic you could try to use a dnsmasq server to forward your DNS requests so you can use the PIA VPN still.

One service that could work, although I haven't tried it before, is using UnoTelly:

https://www2.unotelly.com/home#2-channels

Moatilliata (Newbie, Posts: 4, Karma: +0/-0)
« Reply #62 on: February 02, 2015, 03:24:08 pm »
Quote from: kintaroju
> Hi Moatilliata,
>
> Instead of rerouting the traffic you could try to use a dnsmasq server to forward your DNS requests so you can use the PIA VPN still.
>
> One service that could work, although I haven't tried it before, is using UnoTelly:
>
> https://www2.unotelly.com/home#2-channels

Well, the sites work on my other PCs and iPad, and I'm pretty sure the DNS being sent on my normal WAN is still the PIA DNS; the only difference is the IP address. There must be a DNS or IP that's not included in my alias for Disney and Hulu when my location is being checked on the devices behind the VPN.

Hulu isn't my real problem because my TV has an app, but I don't have an app for Disney. I guess I'll just use the iPad and Chromecast, but that's just one more thing I have to teach my wife how to do.

kintaroju (Newbie, Posts: 9, Karma: +0/-0)
« Reply #63 on: February 02, 2015, 04:14:45 pm »
One thing I was thinking: if you are testing multiple devices, you should test whether the registered external IP is the VPN IP or not.

Also you should do a DNS leak test to ensure that the DNS resolution is coming from the correct DNS server, be it the VPN or local DNS server.

So what I do to troubleshoot the VPN issues is to use the below:

https://www.dnsleaktest.com/
http://whatismyipaddress.com/


Moatilliata (Newbie, Posts: 4, Karma: +0/-0)
« Reply #64 on: February 03, 2015, 01:36:49 pm »
I've done both of those things already.

The DNS that comes back on DNS leak is always the VPN DNS, but when I'm on my normal WAN the inaccessible content is accessible.

As far as IP check, behind the VPN I'm getting my VPN IP and on the WAN I'm getting my normal IP from my ISP.

That's why I think my aliases for Hulu and Disney are incomplete. They must connect to another DNS or IP that I'm not bypassing in my alias. I've pretty much given up on it for now. I just wanted it for the convenience of accessing those apps from the Fire TV.

Is there a way to make it so certain source IPs use the VPN DNS and my sources going through WAN use the local DNS? I couldn't figure this out without having a DNS leak, which is why I just left it on the VPN DNS.

kintaroju (Newbie, Posts: 9, Karma: +0/-0)
« Reply #65 on: February 03, 2015, 01:44:00 pm »
If you want to have specific DNS for specific interfaces, you can do it two ways.

One, you forward all DNS requests via the firewall on the interface you want to the specific DNS server, OR

Go to System -> General Setup. Under DNS servers you can specify specific DNS servers based on the gateway, or in your case the "VPN Gateway".

Let me know if that helps your cause or not.

archedraft (Full Member, Posts: 107, Karma: +2/-0)
« Reply #66 on: February 03, 2015, 05:04:02 pm »
Anyone else experiencing slower download speeds through PIA when upgrading from pfSense 2.1.5 to 2.2? My download speeds have been constantly 10-14 Mbps, and with 2.1.5 they were 100+ Mbps.

kintaroju (Newbie, Posts: 9, Karma: +0/-0)
« Reply #67 on: February 03, 2015, 05:05:58 pm »
Nope, I personally haven't had that problem. My speeds to PIA are the same before the upgrade.

Also for the record going from 2.1.5 to 2.2 solved a lot of issues that I was having when opening multiple OpenVPN clients to PIA.

plainzwalker (Jr. Member, Posts: 26, Karma: +0/-0)
« Reply #68 on: February 09, 2015, 02:45:56 am »
**edit** The firewall at my work was blocking all images.

Thank you
« Last Edit: February 09, 2015, 02:53:20 am by plainzwalker »

User1503 (Newbie, Posts: 22, Karma: +0/-0)
« Reply #69 on: February 11, 2015, 03:52:08 pm »
Great tutorial. Set up my pfSense on the first go-round, thanks! Now, the 2 issues. 1 is really just speed, I'm only getting 1.6-2.x Mbps, but that's not really a pfSense issue, more of a PIA issue. Using the Texas server seems to be fastest but still slow compared to my 50 Mbps VDSL. #2, Email. Email POP3 doesn't work over PIA (GoDaddy) and they know it. Can receive, can't send. Is there a rule or setting to let SMTP bypass the VPN and use the WAN? I tried a few tests, obviously unsuccessfully. Again, great stuff!
Thanks

Derelict (Global Moderator, Hero Member, Posts: 9250, Karma: +1054/-308)
« Reply #70 on: February 11, 2015, 04:18:34 pm »
Try setting your mail server to use port 587.

Sending email is not POP3.  Sending is SMTP.  Port 587 is the SMTP submit port.  You will have to authenticate.  Hopefully your mail provider supports STARTTLS.  Make it required.

A quick telnet mailserver 587 will either result in an SMTP banner or it won't.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

User1503 (Newbie, Posts: 22, Karma: +0/-0)
« Reply #71 on: February 13, 2015, 03:33:13 am »
Thanks for the response. I'm not hosting a mail server. What I need to do is route my SMTP requests from my POP3 Outlook account through to the WAN, bypassing the PIA VPN. Currently all LAN machines are using pfSense DHCP and pfSense is configured to automatically connect and route to PIA's VPN connection. Can (How?) do I take an SMTP request from a machine that is using the VPN connection and have its Outlook POP3 route past (bypass) the PIA VPN? Let me know if this makes sense. Thanks

Derelict (Global Moderator, Hero Member, Posts: 9250, Karma: +1054/-308)
« Reply #72 on: February 13, 2015, 09:20:25 am »
I know.

I'm sure PIA blocks port 25.  Try 587 instead.

That or make a rule above the rule that routes your traffic to PIA that routes connections to your mail ports (TCP 110,143,993,995,25,587 and 465) out your WAN gateway (or the default route).

Note that any application you use that attempts to bypass firewalling by using one of these commonly-passed ports will no longer go through the VPN either.  If you only use one to a few mail servers, you might want to create an alias using their FQDNs and set the destination address to that to limit the scope of the rule even more.
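The rule-ordering point in the reply above (the bypass rule must sit above the catch-all PIA rule, and a port-only bypass also pulls non-mail traffic on those ports out of the VPN unless the destination is narrowed to an alias) is easy to see in a small model of first-match evaluation. The script below is an added example, not pfSense code or anything from the thread: it models pfSense's top-to-bottom, first-match gateway selection for three rule layouts and runs constructed sample flows through each. All addresses, the LAN range and the alias contents are constructed values, not real resolution results.

```python
"""Toy model of pfSense first-match policy routing (added example, not pfSense code).

pfSense evaluates LAN rules top to bottom; the first matching rule decides the
gateway a new connection uses. Three layouts are modelled: a port-only bypass
above the PIA catch-all, the same bypass narrowed to a mail-server alias, and
the two rules in the wrong order. Addresses and ports are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports Derelict lists for the bypass rule (TCP 110,143,993,995,25,587,465).
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# Constructed stand-in for a pfSense FQDN alias: pretend the mail server's
# hostname resolved to these documentation-range addresses.
MAIL_SERVER_ALIAS = {"192.0.2.25", "192.0.2.26"}

@dataclass
class Rule:
    name: str
    gateway: str                      # "WAN" (the default route here) or "PIA_VPN"
    src_net: str = "0.0.0.0/0"
    dst_hosts: Optional[set] = None   # None = any destination address
    dst_ports: Optional[set] = None   # None = any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if ip_address(src) not in ip_network(self.src_net):
            return False
        if self.dst_hosts is not None and dst not in self.dst_hosts:
            return False
        if self.dst_ports is not None and dport not in self.dst_ports:
            return False
        return True

def pick_gateway(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; traffic matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.gateway
    return "DROP"

LAN = "192.168.1.0/24"   # constructed LAN range

# Layout 1: bypass by port only, placed ABOVE the catch-all PIA rule.
PORT_ONLY_RULES = [
    Rule("mail ports out WAN", "WAN", LAN, dst_ports=MAIL_PORTS),
    Rule("everything else via PIA", "PIA_VPN", LAN),
]

# Layout 2: same bypass, but destination limited to the mail-server alias.
ALIAS_RULES = [
    Rule("mail server out WAN", "WAN", LAN,
         dst_hosts=MAIL_SERVER_ALIAS, dst_ports=MAIL_PORTS),
    Rule("everything else via PIA", "PIA_VPN", LAN),
]

# Layout 3: wrong order; the catch-all is first, so the bypass never matches.
MISORDERED_RULES = list(reversed(PORT_ONLY_RULES))

# Constructed sample flows from one LAN client: (src, dst, dport).
FLOWS = {
    "smtp submission to mail server": ("192.168.1.10", "192.0.2.25", 587),
    "https to unrelated host":        ("192.168.1.10", "203.0.113.9", 443),
    "port 587 to unrelated host":     ("192.168.1.10", "203.0.113.9", 587),
}

def route_table(rules, flows=FLOWS) -> dict:
    """Map each sample flow to the gateway the given rule list would choose."""
    return {name: pick_gateway(rules, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for label, rules in (("port-only", PORT_ONLY_RULES),
                         ("alias", ALIAS_RULES),
                         ("misordered", MISORDERED_RULES)):
        print(label, route_table(rules))
```

Running it shows the caveat concretely: with the port-only layout, a connection to port 587 on any host leaves via the WAN, while the alias layout sends that same connection through PIA and only the real mail server bypasses it. The misordered layout sends everything through PIA, which is what a bypass rule placed below the catch-all looks like in practice.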

User1503 (Newbie, Posts: 22, Karma: +0/-0)
« Reply #73 on: February 13, 2015, 11:48:03 am »
Thanks, Derelict. Your advice on the ports worked, but only without SSL, so I'm not connecting securely to send/receive. Can you outline in a few steps how to add an SMTP server to a rule for bypass? smtp.out.secureserver.net is what GoDaddy uses for sending; if I can put that in a rule to bypass the VPN and use the WAN it should work with encryption (SSL) applied.

Derelict (Global Moderator, Hero Member, Posts: 9250, Karma: +1054/-308)
« Reply #74 on: February 13, 2015, 01:38:53 pm »
Should have nothing to do with negotiating SSL.  I don't know how that server is set up but there are two ways to get SMTP over SSL/TLS:

1) Connect on port 465.  This usually expects SSL right off the bat like an HTTPS connection.  You can test this with openssl s_client -connect smtp.out.secureserver.net:465.  Port 465 is a de facto standard for this thanks to Microsoft. YMMV.

2) Connect to port 25 or 587.  This establishes a normal SMTP or SMTP Submit connection.  The client must then issue a STARTTLS command to negotiate TLS prior to sending authentication credentials. You can test this with openssl s_client -connect smtp.out.secureserver.net:[25|587] -starttls smtp
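The two ways to get TLS on SMTP described above (implicit TLS on 465 versus STARTTLS on 25/587) come down to a decision a mail client has to make before it sends credentials, and the earlier "make STARTTLS required" advice is the policy that decision should enforce. The script below is an added example, not from the thread or any mail client: it parses a 250 EHLO reply for the STARTTLS extension, picks the TLS mode for a given port, refuses to authenticate when no TLS path exists, and builds the openssl s_client test command quoted above for each port. The EHLO replies are constructed samples, not captured from a real server, and mail.example.test is a placeholder hostname.

```python
"""Added example (not from the thread): choose how to protect an SMTP session
on the ports discussed, and check an EHLO reply for STARTTLS before any
credentials are sent. EHLO replies below are constructed samples.
"""
import re

IMPLICIT_TLS_PORTS = {465}     # TLS from the first byte, like an HTTPS connection
STARTTLS_PORTS = {25, 587}     # plain SMTP first, then STARTTLS before AUTH

def parse_ehlo(reply: str) -> set:
    """Return the extension keywords advertised in a multi-line 250 EHLO reply.

    The first line is the server's greeting ("250-hostname ..."), so only the
    following lines are read as extensions; a non-250 reply yields an empty set.
    """
    extensions = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            extensions.add(m.group(1).upper())
    return extensions

def choose_tls_mode(port: int, ehlo_reply: str = "") -> str:
    """
    'implicit' : port 465, wrap the socket in TLS before speaking SMTP
    'starttls' : port 25/587 and the server advertised STARTTLS
    'refuse'   : no TLS path, so AUTH must never be sent on this session
    """
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_PORTS and "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    return "refuse"

def may_send_auth(port: int, ehlo_reply: str = "") -> bool:
    """The 'make it required' policy: credentials only go over TLS."""
    return choose_tls_mode(port, ehlo_reply) != "refuse"

def openssl_test_command(host: str, port: int) -> str:
    """The openssl s_client invocation the reply above gives for each port."""
    base = f"openssl s_client -connect {host}:{port}"
    return base if port in IMPLICIT_TLS_PORTS else base + " -starttls smtp"

# Constructed sample EHLO replies (mail.example.test is a placeholder).
EHLO_WITH_STARTTLS = """250-mail.example.test Hello client
250-SIZE 35882577
250-STARTTLS
250-AUTH LOGIN PLAIN
250 8BITMIME"""

EHLO_WITHOUT_STARTTLS = """250-mail.example.test Hello client
250-AUTH LOGIN PLAIN
250 8BITMIME"""

if __name__ == "__main__":
    for port, reply in ((465, ""), (587, EHLO_WITH_STARTTLS), (587, EHLO_WITHOUT_STARTTLS)):
        print(port, choose_tls_mode(port, reply), "auth allowed:", may_send_auth(port, reply))
    print(openssl_test_command("smtp.out.secureserver.net", 465))
    print(openssl_test_command("smtp.out.secureserver.net", 587))
```

The second sample reply advertises AUTH but not STARTTLS; a client that honours the "required" setting reports `refuse` there and never sends the password, which is the failure mode worth testing for before trusting a mail setup that only appeared to work without SSL.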