Call for comments, complaints and suggestions re my guide on pfSense VPN-client VMs

Discussion in 'privacy general' started by mirimir, Oct 3, 2014.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,373
    I'm updating my guide on using pfSense VMs as VPN clients. I'll be doing the full setup with the latest release (2.1.5 as of today) to check for broken instructions.

    Please share your comments, complaints and suggestions.

    By the way, it appears that pfSense is not affected by bash Shell Shock vulnerabilities. According to the latest security announcement:
    https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc

    Edit: OK, it's updated. But comments are still welcome :)
     
    Last edited: Oct 4, 2014
  2. Wonderinguser

    Wonderinguser Registered Member

    Joined:
    Jan 12, 2017
    Posts:
    2
    Location:
    Wondering
    Hi Mirimir,

    Thanks for the guide on creating nested VPN chains which you posted on IVPN.net.

    I had a few questions on it, would be grateful if you could shed some light:

For the alias dnssvr, which DNS server is it? The one in Services/DHCP server, or the one in System/General setup?

    I guessed you mean the one in System/General setup. However in Status/System Logs/Firewall I'm seeing a lot of blocked traffic to the DNS server in Services/DHCP server. My connection occasionally drops for a while.

I'm also seeing traffic blocked to the ifconfig server that is shown in Status/System Logs/OpenVPN (the log item that shows this server IP is on the line item that starts with " PUSH: Received control message:", the same one where the dhcp-option DNS is shown).

Also, are you sure the vpnsvr alias does anything? I have a VPN that allows connecting to servers in different countries. I originally had the wrong country set up as the alias; the one I had entered in the VPN client was different. I could still connect most of the time. I fixed this now and am still having connection issues sometimes, as I said above, though.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,373
    Sure :)
    It's the one(s) in System/General Setup. The one(s) in Services/DHCP server should only be reachable through the VPN tunnel, so there's no need for an alias. Indeed, you don't want to allow traffic to them via WAN. That would be a DNS leak.
    That's a good thing :)
    That's a distinct issue, I think.
    What follows ifconfig are the IP addresses of the VPN tunnel. I don't recall seeing those in firewall logs. But they're only valid for the VPN tunnel, and there should be no blocking rules for that, or LAN (except blocking IPv6).
Do you have IPv4 and IPv6 block rules at the end of the WAN rules? If you do, only VPN servers in the vpnsvr alias should be reachable.
     
  4. Wonderinguser

    Wonderinguser Registered Member

    Joined:
    Jan 12, 2017
    Posts:
    2
    Location:
    Wondering
Okay, thanks for clarifying. I want to make sure I understand: DNS set up in Services/DHCP server is allowed due to the rule in Firewall/Rules/LAN that allows traffic from LAN to any destination via the VPN gateway, right?


So you mean traffic to the ifconfig server would go through the VPN from LAN and would be allowed for the same reason mentioned above, right?

Yes, I agree it's probably a distinct issue. I'm also seeing a few entries in System Logs/OpenVPN like this: PID_ERR replay-window backtrack occurred. Maybe that's causing the issue.

Yes, per the guide, IPv4 and IPv6 from WAN source to any destination is blocked. These rules are after the rule allowing traffic from WAN source to vpnsvr. Surprisingly, however, the different servers I mentioned were reachable when I had misconfigured this rule (the client was different to the servers specified in the vpnsvr alias).

Both end in the same domain (the VPN's domain), but the first letters were different (this specifies the country; for example, us.xxxxxx.xxx is USA and nl.xxxxxx.xxx is Netherlands). Maybe that rule using the alias only checks the domain and not the nl. or us. at the start?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,373
    Yes.
    I'm not sure what you mean by "ifconfig server". The "ifconfig ..." stuff is literally an ifconfig command, which the VPN server is running on pfSense, as part of setting up the VPN tunnel.
    I see those sometimes too. UDP is a stateless protocol, and OpenVPN sometimes gets confused when multiple copies of UDP packets arrive out of order.
    Maybe I need to check that.
    I use numeric IPv4 addresses in the VPN server alias. But arguably, whatever you see is just what it does ;) If you're right, that would be a useful feature, because you'd need fewer alias lines if you're switching among many VPN servers. And that, by the way, is one frustration with pfSense. Each OpenVPN configuration has to have its own client.crt, so you need multiple copies of the client.crt in the Cert Manager. But then, more and more VPNs are dropping client.crt, because it's somewhat of a privacy vulnerability.
     
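The two points argued across these replies (the tunnel's pushed DNS server must be unreachable via WAN or it is a DNS leak, the "ifconfig" addresses in the PUSH_REPLY line are the tunnel endpoints rather than a server, and a hostname alias matches the addresses the names resolve to rather than the domain text) can be checked with a small model of the guide's WAN rule set. This is an added example, not code from the thread or from pfSense; the OpenVPN log line, the resolver map standing in for DNS, and all addresses (documentation ranges and 10.8.0.0/24) are constructed. It models pfSense behaviour that is documented: FQDN aliases are expanded to resolved IP addresses, and interface rules are evaluated first-match with default deny.

```python
import ipaddress
import re

# --- Constructed sample data (hypothetical, not taken from the thread) ---------
# An OpenVPN client log line of the kind the thread refers to.  "dhcp-option DNS"
# is the resolver pushed by the VPN; "ifconfig" carries the tunnel's local and
# remote addresses, which only mean anything on the tunnel interface.
OPENVPN_LOG = (
    "openvpn[1234]: PUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,"
    "route 10.8.0.1,ifconfig 10.8.0.6 10.8.0.5'"
)

# Stand-in for DNS: per-country VPN endpoints resolving to different addresses.
RESOLVER = {
    "nl.vpn.example": ["198.51.100.20"],
    "us.vpn.example": ["203.0.113.10"],
}

# The vpnsvr alias as the guide uses it: only the server the client connects to.
VPNSVR_ALIAS = ["nl.vpn.example"]


def parse_push_reply(line):
    """Extract (pushed DNS servers, ifconfig tunnel addresses) from a PUSH_REPLY line."""
    m = re.search(r"PUSH: Received control message: '([^']*)'", line)
    if not m:
        return [], []
    opts = [o.strip() for o in m.group(1).split(",")]
    dns = [o.split()[2] for o in opts if o.startswith("dhcp-option DNS ")]
    tunnel = [a for o in opts if o.startswith("ifconfig ") for a in o.split()[1:]]
    return dns, tunnel


def resolve_alias(hostnames, resolver):
    """pfSense expands an FQDN alias into the addresses the names resolve to; the
    filter then matches on those addresses, never on the name text itself."""
    return {ipaddress.ip_address(a) for h in hostnames for a in resolver.get(h, [])}


def wan_rules(vpnsvr):
    """Outbound WAN rule set from the guide, in evaluation order:
    pass to the VPN servers, then block everything else (IPv4 and IPv6)."""
    return [
        ("pass", None, vpnsvr),   # (action, address family, destination set)
        ("block", 4, None),
        ("block", 6, None),
    ]


def first_match(rules, dst):
    """Interface rules are first-match; a packet matching no rule is denied."""
    for action, family, dst_set in rules:
        if family is not None and dst.version != family:
            continue
        if dst_set is not None and dst not in dst_set:
            continue
        return action
    return "block"


def classify_wan_destination(dst, vpnsvr, pushed_dns, tunnel_addrs):
    """Explain a WAN-side destination: what the rule set does with it and why."""
    dst = ipaddress.ip_address(dst)
    action = first_match(wan_rules(vpnsvr), dst)
    if dst in vpnsvr:
        reason = "vpn-server"
    elif dst in pushed_dns:
        reason = "dns-leak-attempt"   # tunnel DNS must only be reached inside the tunnel
    elif dst in tunnel_addrs:
        reason = "tunnel-address"     # belongs to the tunnel interface, not WAN
    else:
        reason = "other"
    return action, reason


def run_demo():
    """Classify a few constructed WAN destinations; returns {dst: (action, reason)}."""
    dns, tunnel = parse_push_reply(OPENVPN_LOG)
    vpnsvr = resolve_alias(VPNSVR_ALIAS, RESOLVER)
    pushed_dns = {ipaddress.ip_address(a) for a in dns}
    tunnel_addrs = {ipaddress.ip_address(a) for a in tunnel}
    results = {}
    for dst in ["198.51.100.20", "203.0.113.10", "10.8.0.1", "10.8.0.5", "2001:db8::53"]:
        results[dst] = classify_wan_destination(dst, vpnsvr, pushed_dns, tunnel_addrs)
    return results


if __name__ == "__main__":
    for dst, (action, reason) in run_demo().items():
        print(f"{dst:>16}  {action:5}  {reason}")
```

In the model the us.vpn.example address is blocked because it is not among the addresses the alias resolved to, while a blocked entry for the pushed DNS server is the rule set doing its job. Whether a second VPN endpoint is reachable in practice therefore depends on what the names in the alias resolve to when pfSense refreshes them, which is the thing to compare against the client's configured server when a stray connection succeeds.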