Can You Trust Your VPN Provider…?

Discussion in 'privacy technology' started by lotuseclat79, Oct 2, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    You obviously didn't discover the webGUI ;)

    It doesn't use iptables, but rather pf. It's a FreeBSD distro.

    See the tutorial link in my sig :)
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I use mirimir in many places, it's true.

    But that's because I want those associated :)

    ... but not with the rest ;)
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    The only other site on which I use the same user name is this:

    http://www.imdb.com/

    :p
     
  4. I reckon I can pick you out from a few boards I know of with a different user name. But that's because you're too intelligent for most users, so you stick out.

    Myself, I'm not so sure; I only use this name for this forum. I'm sure somebody could analyze my writing style and put two and two together.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's possible. I've become too lazy to disguise my writing. But I do aim for correct spelling and grammar. And I have run into a few people who write a lot like me. Even here, some years ago :)
     
  6. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Yeah, was using the webGUI, lol.

    I dunno, it seemed a mission to get to the webGUI, and still don't half the time. I reached the point of configuring the WAN and LAN and got DHCP, and was unable to see any web GUI from 192.168.1.1.

    Yeah, miss that iptables rules option... I was able to copy and paste a set of rules and voilà, all leak/disconnection issues gone in 5 seconds, forever.

    Seemed to sometimes work and sometimes not; got bare confusing when people in the YouTube guides would unmount the pfSense ISO just before rebooting. Bad enough it loops all over again when you have just installed it via VirtualBox, lol.

    When I did get to the OpenVPN section and added my certs and server info, there was no start or run option even....

    Shame Tomato did not do a release for PC; it was all click-and-run and simple :) I may have to look into a powerful, faster router with OpenVPN support again.
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Here's another way to skin the cat - 30 seconds is about right :D

    (Note: Again, I only care about certain applications - I don't care if my AV updates outside the tunnel. I agree that blocking ALL traffic with Comodo takes more than 30 seconds, but I'd just go the router route for that).

    PD
     

    Attached Files:

  8. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I rotate usernames every once in a while. I have already gone through about 5 on Wilders.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @TheCatMan

    You're making it sound hard ;)

    I can set up a new pfSense VM in about 15 minutes.

    The basic steps are:

    1. create VM with two network adapters (NAT for 1st, and internal network "foo" for 2nd)
    2. go through install process, removing ISO as first reboot starts
    3. specify interfaces (em0 for WAN and em1 for LAN) on first reboot
    4. reboot again
    5. attach Linux VM to internal network "foo"
    6. browse https://192.168.1.1
    7. complete initial wizard and let reboot
    8. add VPN ca.crt, and client.crt and client.key, in System / Cert Manager
    9. disable Services / DNS Forwarder
    10. create VPN client in VPN / OpenVPN / Client
    11. get DNS server(s) pushed by VPN from Status / System Logs / OpenVPN
    12. add that DNS server(s) to Services / DHCP Server
    13. add OPT1 interface in Interfaces / (assign)
    14. select Interfaces / OPT1, enable and rename as FooVPN
    15. go to Firewall / NAT / Outbound
    16. select "Manual Outbound NAT rule generation" and hit "Save"
    17. delete the top three routes using WAN as gateway interface
    18. go to Firewall / Rules
    19. create "Allow LAN to any rule via FooVPN" rule in WAN, LAN and OpenVPN tabs
    20. specify FooVPN as the gateway for each of them
    21. create "Allow everything" rule in FooVPN tab
    22. reboot pfSense VM from console window
    It took me longer to write that than it takes to do it ;)
     
  10. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Thx mirimir, going to give it a bash again tomorrow!
     
  11. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Protip: patience, young padawan. Take it from someone that's already been through that, but much more even so, it's easy peasy once you get the hang of it ;)
     
  12. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    After 3-4 months I figured it was just stupidity :D

    But yeah, never really asked for a step-by-step or full-on help.

    Will give it a bash later on
     
  13. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Am already stuck on 10, but yeah, plenty of progress considering I could not access the web-based GUI!

    Am stuck on:
    creating a VPN client

    I entered in all my details as best I can.

    Not sure if these are correct, but tried:

    Server mode: p2p SSL/TLS
    UDP
    tun
    WAN - for now, or is it localhost?
    Server (my entry VPN IP)
    Server port: server port

    Proxy authentication extra: left to none
    Server host infinitely: left unchecked
    TLS authentication: both left on ticked boxes
    Encrypt: set to AES-256-CBC as that is what my VPN uses
    Hardware crypto: left to none for now

    Not sure if the above settings are right, but it nags for IPv4 tunnel network when I click save. Do I need to add 192.168.1.1 in there? Not sure if WAN above was the right option....

    Seems to ask for many settings I'm unfamiliar with!
     
  14. 93036

    93036 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    109
    I've been using Hideman for awhile. I like the fact that one account can be in use on multiple devices at the same time.
     
  15. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I have asked my VPN provider for some help with OpenVPN client settings under pfSense.

    While it looks like 10x more settings than my Tomato router, it's probably not as bad as I make out. Hopefully I can get the settings, move on to step 11 and go past halfway :ouch:
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Several VPN providers now have guides for setting up OpenVPN on pfSense.

    Figuring out the right settings for the OpenVPN client is the hardest part.

    If you can post the contents of the client.conf (or client.ovpn) file, I'll give you my best guess ;) You can redact the server hostname if you like :)
     
  17. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Thx mirimir, yeah, those settings threw me off. Already checked a guide or two, but they have much different settings... some of the settings I can figure out, i.e. server/port/encryption, but others are new to me.

    I think it's best to wait for staff or another user to come back to me with the settings for now.

    I originally wished to use pfSense in a home-built box... so no virtual boxes etc., just one dedicated box, like a DIY router left on 24/7. I think it may be better than spending £150-200 on a router which may not even push good speeds on OpenVPN. Either way it's a good testing ground to see what works and is best for me :)
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right, anything that works in a pfSense VM will work in hardware. And pfSense will run on anything with x86 CPUs. My perimeter router/firewall is an inexpensive desktop with a low-end AMD CPU, a small SSHD and a PCIe 2 Intel server quad GB card. I don't run a VPN on it, but I could, and I could route the VPN to one LAN adapter, and straight Internet to another one. At times, I've also had two ISP connections, in failover mode.
     
  19. machan188

    machan188 Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    5


    Hello Mirimir,

    I'm hoping you can clarify some of the settings you mentioned. My setup is traffic only out the VPN tunnel, mostly what you have above, except my WAN/VPN/OpenVPN tabs for Firewall Rules are all default. WAN blocks private addresses and bogons, and the VPN and OpenVPN tabs are auto blocking all (default). Somehow internet works just fine.

    1. Why disable DNS Forwarder and not use the DNS configured under System>General Settings? Your option is to configure it under DHCP Server instead. Is this more secure?
    2. Step 19, I only have this for the LAN tab on my setup, and all traffic goes only out the VPN interface. My VPN and OpenVPN tabs are empty. Isn't that more secure than what you propose?
    3. Step 21, again mine is empty (default) and everything works. Is this needed? Isn't it less secure to allow all both ways, versus the default which I THINK only allows communications that are initiated from the LAN?
    4. If my OpenVPN config to VPN provider is using hostname and not IP address (my setup), I was curious how it resolves the hostname upon bootup. If my tunnel breaks due to the VPN provider changing/updating the IP (once a day), it can't resolve the hostname via DNS because all traffic is pointed out the VPN tunnel (which is down). Reboot fixes this, but I'm not sure how it fixes it, lol. It's a chicken-before-the-egg scenario.

    Sorry for necroing this thread

    Thanks!
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've just checked, and you're right. I'm not surprised about step 19, because the "allow via VPN" rules on WAN and OpenVPN don't seem necessary. But I am surprised about the "allow everything" rule on VPN. I do have Internet connectivity without it, but I see that TCP FA and PA traffic from sites that I've visited is blocked. That's basically a "still there?" sort of incoming ping. If everything works without it, there's no need for the rule.

    If you're tunneling another VPN, however, its server couldn't push configuration, I think. I'll need to test this.

    Edit: I've just disabled the "allow everything" rule on VPN in the pfSense VMs for all three VPNs in this chain, and everything seems to work. Unless I find that this breaks something, I'll remove it from the guide.

    I use nested VPN chains with pfSense, and want to avoid complications through DNS server forwarding from one to the next. More generally, I want to minimize DNS lookups except through the final (innermost) VPN tunnel.

    The rules on WAN and OpenVPN aren't necessary, it seems. Upon reflection, it's best to omit them. I'll update my pfSense guide on iVPN accordingly. Thanks for pointing this out.

    Yes, the default only allows connections from LAN via the VPN tunnel. And that is more secure. However, most VPN providers don't forward ports, and for them it doesn't matter.

    Edit: Even though there's an "allow everything" rule on VPN, incoming to LAN is blocked by the "allow from LAN via VPN" rule. If you're tunneling another VPN, however, I think that the "allow everything" rule on VPN is necessary for its server to push configuration. I'll need to test this.

    Edit: It's apparently not needed.

    Yes, you need a DNS server in "System: General Setup" in order to resolve OpenVPN server hostnames. In your situation, just add one from the list at <http://www.wikileaks.org/wiki/Alternative_DNS>.

    Thanks for the feedback :) I'll follow up and update the guide.
     
    Last edited: Apr 9, 2014
  21. machan188

    machan188 Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    5
    Thanks for the reply Mirimir

    I did some testing on my own to figure out why DNS works at the bootup to initially bring the tunnel up, and not work when it breaks during normal operation.

    So I set up a Cisco switch in between my modem and pfSense box and did a SPAN on a 3rd port, so that I could mirror and capture all send/receive traffic between my modem and pfSense box.

    Started the capture, and then rebooted my pfSense box.

    The Shuttle_ is my pfSense box, and the Cisco_ is my modem.
    The 199.193.119.32 is the random (and temporary, for all you hackers) IP address provided to me by PIA.


    http://s22.postimg.org/qyprnl8ht/dns_1.jpg


    So as you can see, during the bootup process my PIA VPN tunnel is able to be established, because the DNS for us-florida.privateinternetaccess.com is being resolved over the WAN interface. I am under the impression that this should NOT actually work, due to the fact that all traffic is only allowed to the PIA VPN tunnel interface. I guess the config portion of my pfSense box doesn't kick in fast enough?

    Below are my DNS settings:


    http://s22.postimg.org/fox1sn3gh/dns_2.jpg


    If during the day PIA updates my IP address (they seem to do it once a day), it breaks my tunnel and a reboot is the only fix. So I am thinking that, in order to fix this, I need to add a 3rd option under System>General Setup for DNS, pointing to something like OpenDNS.

    My question would be, do I set the gateway for it to my WAN or NONE ?

    Would doing that fix my problem and if so, would it be considered a DNS leak? Or are DNS leaks only if my network uses my ISP provided DNS (which I have disabled).

    Another theory I have is the adjusting the 'Query DNS servers sequentially' under Services>DNS Forwarder. My understanding of this is that it will use my first configured DNS server, and if it fails, go to the 2nd, and if that fails, go to the 3rd. This would bring my VPN tunnel back up, and then it would go back to the 1st. Is that correct?

    http://s1.postimg.org/oivn46ybj/DNS_3.jpg

    My overall goal is to ensure that all my traffic is as protected as it can be through my VPN tunnel, but there seems to be at least a small moment during DNS resolution that it has to go out the WAN instead. Not a BIG deal I suppose.

    Looking forward to your reply.

    Thanks again
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Very cool :)
    Yes, pfSense is clearly using the first DNS server in "System: General Setup" to resolve <us-florida.privateinternetaccess.com>. I don't know what's letting pfSense do the DNS lookup. Before the VPN is up, the gateway that you've specified doesn't exist.

    Actually, that reminds me. I vaguely recall reading that pfSense will use the default gateway if the specified gateway isn't reachable. But I don't remember where I read that.

    Even so, as long as you've specified a DNS server in "Services: DHCP server", the DNS servers specified in "System: General Setup" won't be provided to LAN clients.

    As long as you've specified a DNS server in "Services: DHCP server", the DNS servers specified in "System: General Setup" won't be provided to LAN clients. Just use OpenDNS or whatever in "System: General Setup", and set the gateway to NONE. pfSense will just use that internally.

    You might be right. But setting DNS servers in "System: General Setup" for pfSense use, and different DNS servers in "Services: DHCP server" for LAN clients, is cleaner, I think.

    Well yes, VPN tunnels can't be established through themselves ;)

    For the first/outer pfSense VM in a chain, it's my general practice to use third-party DNS servers in "System: General Setup" (for pfSense itself) and the VPN's DNS servers in "Services: DHCP server" (for LAN clients). For the next pfSense in the chain, I specify the first VPN's DNS servers in "System: General Setup". If that doesn't work, I use other third-party DNS servers. I could just enable "Allow DNS server list to be overridden by DHCP/PPP on WAN" in "System: General Setup", but I'd rather hard code these things.
     
  23. machan188

    machan188 Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    5
    Actually, I have under System>Routing the VPN_IPv4 configured and set as the Default Gateway. So it's double configured to ensure that the VPN is always the default gateway. But yes, I am with you, lol.... I don't know why it's bypassing it.

    I think what you were referring to was this

    http://s30.postimg.org/qgpa16gcx/gateway_hidden_rule.jpg

    I have that checked so that it does not create a hidden rule to send traffic to the 'default gateway' if the VPN is down. I probably don't need this checked because my default gateway IS the VPN interface already. So it's probably a moot point to check it.

    Either way though, my overall fix was this:

    1 - Disable DNS Forwarder
    2 - Check the 'Do not use the DNS Forwarder as a DNS Server for the firewall' under System>General Settings
    3 - Set the VPN DNS servers specifically in the DHCP Server
    4 - Setup the two OpenDNS servers under System>General Settings for the pfsense box to use

    I tried setting the gateway for the OpenDNS dns servers as NONE, but it did not work because I configured the default gateway as the VPN interface. So I had to specify the gateway as WAN interface

    Everything is working now. If I stop and start my OpenVPN service, the connection is now able to automagically come back up since it can now resolve the DNS for the PIA hostname via the OpenDNS configuration pointing towards the WAN interface

    All traffic is still routed out the VPN Tunnel and I ran some DNS Leak tests (websites) and they all came back perfect (Only using the PIA DNS).

    Thanks again for the help Mirimir
     
    Last edited: Apr 10, 2014
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I suspect that it's intentional. pfSense is rather designed around having WAN and LAN. If there's just one interface, it's WAN by default, and there's an "Anti-Lockout Rule" permitting WebGUI access. But as soon as you add a second interface, which is LAN by default, the "Anti-Lockout Rule" rule moves from WAN to LAN. That's totally automatic, and apparently unchangeable.

    Anyway, perhaps there's something analogous that guarantees connections via WAN, which are necessary to establish the VPN tunnel. I'll look into that.
    Yes, thanks. I was looking in a pfSense 2.0.3 VM, and it's a new feature in the 2.1 release. It's in "System: Advanced: Miscellaneous: Gateway Monitoring", by the way.

    Well, if it actually worked, the VPN wouldn't connect at boot ;)

    Yes, that's what I've generally been using.

    I'm now setting the VPN as default gateway, and it works well. Thanks :)

    OK, very cool :)

    Thanks for your work. It's been quite a while since I got pfSense VMs to work as VPN clients, and learned how to chain them. Once I had configurations that worked, and had verified with Wireshark that they didn't leak, I didn't check very carefully for useless rules.

    I know pfSense much better than I did then, and I'm very glad that you asked about these issues. The "allow from LAN via VPN gateway" rules on WAN and OpenVPN, and the "allow everything" rule on VPN, all seem to be useless. I'll update the iVPN guide about that, and also clarify specifying DNS servers in "System: General Setup" and "Services: DHCP server".

    Upon reflection, I'm also adding outbound rules in WAN. Given that pfSense is just a router/firewall, and LAN access via WAN is blocked by routing and firewall rules, it's probably overkill. But hey ;)

    Basically, there are outbound pass rules on WAN for traffic from "WAN address" to needed remote hosts. At the end, there's a rule that blocks everything else from "WAN address".

    If you expect pfSense itself to resolve hostnames, you must specify DNS servers by IP in "System: General Setup", with WAN as their gateway. You must also add outbound pass rules in WAN from "WAN address" to those DNS servers. You can define an alias in "Firewall: Aliases", and then use that alias in a pass rule on WAN. Aliases can point to both numeric IPs and fully-qualified hostnames, but hostnames obviously won't work for DNS servers ;)

    You also need an outbound pass rule for traffic from "WAN address" to the OpenVPN server(s). Although only numeric IPs work in firewall rules, you can create an alias for the server hostname (or multiple IPs).

    Next is an outbound pass rule on WAN for traffic to NTP time servers. If you've set up DNS servers, you can just use an alias pointing to the default NTP time server (0.pfsense.pool.ntp.org). If pfSense doesn't have DNS servers for itself, you can run "host 0.pfsense.pool.ntp.org" in "Diagnostics: Execute command", and then create an alias for the IPs that you get. They're specific (at least loosely) for query IP, so you'd want to change them if you change the pfSense VM's public WAN IP.

    Last, there's a rule that blocks everything else from "WAN address".
     
    Last edited: Apr 11, 2014
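    The allowlist policy described above (pass from "WAN address" to the DNS servers, the OpenVPN server and NTP; block everything else) and the SPAN-port capture two posts up, combined as an added example that is not from the thread or the iVPN guide: a small audit script that applies that policy to tcpdump-style lines from a WAN-side capture and reports anything sourced from the WAN address that the policy would not pass. The pfSense WAN IP, the VPN server, the NTP host, the ISP resolver and every capture line are constructed for the example (RFC 5737 ranges); the two OpenDNS resolvers are their public addresses, used here as the assumed third-party DNS choice. LAN traffic that escapes the tunnel is NATed to the WAN address when it hits the WAN, so it shows up the same way and gets caught by the same check.

```python
"""Audit a WAN-side capture against a pfSense-style egress allowlist.

Added example, not from the thread. Policy: traffic from "WAN address" may
go only to the DNS servers, the OpenVPN server and NTP; everything else is
a leak. Addresses and capture lines are constructed (RFC 5737 ranges) except
the OpenDNS resolvers.
"""
import re
from dataclasses import dataclass

WAN_ADDRESS = "198.51.100.7"   # assumed pfSense WAN IP

# (proto, destination port) -> allowed destination hosts
ALLOW = {
    ("udp", 53):   {"208.67.222.222", "208.67.220.220"},  # OpenDNS, set in System: General Setup
    ("udp", 1194): {"203.0.113.10"},                       # assumed OpenVPN server IP
    ("udp", 123):  {"203.0.113.45"},                       # assumed answer for 0.pfsense.pool.ntp.org
}

# tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
QNAME = re.compile(r"\b(?:A|AAAA)\? (?P<name>\S+?)\.? \(")   # DNS query name as tcpdump prints it


@dataclass
class Finding:
    ts: str
    proto: str
    dst: str
    dport: int
    verdict: str   # "ALLOW" or "LEAK"
    detail: str    # DNS query name if present, else the start of the tcpdump line


def parse(line):
    """Return (ts, src, proto, dst, dport, detail), or None for lines we do not understand."""
    m = LINE.match(line)
    if not m:
        return None
    rest = m["rest"]
    # tcpdump prints TCP flags as "Flags [S]"; UDP/DNS/NTP lines never do (heuristic).
    proto = "tcp" if "Flags [" in rest else "udp"
    q = QNAME.search(rest)
    detail = q["name"] if q else rest[:40]
    return m["ts"], m["src"], proto, m["dst"], int(m["dport"]), detail


def audit(lines):
    """Classify every packet the firewall itself sent on the WAN; replies and other hosts are skipped."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, src, proto, dst, dport, detail = parsed
        if src != WAN_ADDRESS:
            continue
        allowed = dst in ALLOW.get((proto, dport), set())
        findings.append(Finding(ts, proto, dst, dport, "ALLOW" if allowed else "LEAK", detail))
    return findings


def leaks(lines):
    return [f for f in audit(lines) if f.verdict == "LEAK"]


# Constructed capture: the boot-time lookup of the VPN hostname that machan188
# saw on the WAN, the tunnel and NTP traffic the policy expects, then two leaks:
# a DNS query to the ISP resolver and a bare HTTPS connection outside the tunnel.
SAMPLE_CAPTURE = [
    "10:00:00.000100 IP 198.51.100.7.54321 > 208.67.222.222.53: 4711+ A? us-florida.privateinternetaccess.com. (54)",
    "10:00:00.020300 IP 208.67.222.222.53 > 198.51.100.7.54321: 4711 1/0/0 A 203.0.113.10 (70)",
    "10:00:00.021000 IP 198.51.100.7.61000 > 203.0.113.10.1194: UDP, length 54",
    "10:00:00.021500 IP 198.51.100.7.60123 > 203.0.113.45.123: NTPv4, Client, length 48",
    "10:00:05.000000 IP 198.51.100.7.53000 > 198.51.100.1.53: 99+ A? example.com. (29)",
    "10:00:05.100000 IP 198.51.100.7.49152 > 203.0.113.80.443: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f"{f.ts} {f.verdict:5} {f.proto}/{f.dport:<5} -> {f.dst:15} {f.detail}")
```

    Run it over a real `tcpdump -n -i <wan>` text dump (or a `tshark`/Wireshark export in the same format) taken on the SPAN port, with `WAN_ADDRESS` and `ALLOW` set to your own values. An empty `leaks()` result across a reboot and an OpenVPN restart is the property the WAN pass/block rules are supposed to guarantee; the first ALLOW line, the lookup of the VPN hostname, is the one WAN-side DNS query that has to exist for the tunnel to come up.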
  25. machan188

    machan188 Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    5
    One last thing that just occurred to me is if I need to adjust the MTU size. If so, do I do it on the VPN interface, or the WAN interface, or both?

    I tried doing some tests via this command prompt command: ping www.dslreports.com -f -l 1472

    1472 was the highest I could go, so add the 28-byte overhead and you're back at 1500, which is the default.

    But then I read that because I'm going through a VPN that those results are not valid. So I'm not really sure how to test it.

    I have seen some advanced settings for other VPN providers that lower it down to like 1300.

    Everything seems to be working fine, but if it could be more optimized I would obviously prefer that.

    Thoughts?
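    The MTU question above, worked through as an added example that is not from the thread or any provider's documentation. It assumes OpenVPN over UDP with AES-256-CBC and HMAC-SHA1 (the cipher named earlier in the thread) and no compression; the per-packet byte counts for the OpenVPN data channel (opcode, HMAC, IV, packet-id, CBC padding) are assumptions written as constants so they can be changed to match a given provider's settings.

```python
"""Tunnel MTU arithmetic for OpenVPN over UDP.

Added example, not from the thread. The OpenVPN data-channel byte counts
below are assumptions for AES-256-CBC with HMAC-SHA1 and no compression;
change them to match your provider's settings.
"""

IPV4_HDR = 20        # IPv4 header without options
UDP_HDR = 8
ICMP_HDR = 8         # echo request header; with IPv4 this is the "28 byte overhead"
TCP_HDR = 20         # TCP header without options

# OpenVPN data channel, CBC mode (assumed layout):
# opcode/key-id (1) | HMAC-SHA1 (20) | IV (16) | encrypt(packet-id (4) | inner packet | PKCS#7 pad)
OPCODE = 1
HMAC_LEN = 20
IV_LEN = 16
PACKET_ID = 4
CBC_BLOCK = 16


def max_ping_payload(mtu):
    """Largest `ping -f -l <n>` payload that fits in one IPv4 packet of size mtu."""
    return mtu - IPV4_HDR - ICMP_HDR


def outer_size(inner_len):
    """Size of the IPv4/UDP datagram on the WAN that carries an inner packet of inner_len bytes."""
    plain = PACKET_ID + inner_len
    padded = (plain // CBC_BLOCK + 1) * CBC_BLOCK   # PKCS#7 always adds 1..16 bytes
    return IPV4_HDR + UDP_HDR + OPCODE + HMAC_LEN + IV_LEN + padded


def tunnel_mtu(outer_mtu):
    """Largest inner packet whose encapsulation still fits in outer_mtu without fragmentation."""
    for inner in range(outer_mtu, 0, -1):
        if outer_size(inner) <= outer_mtu:
            return inner
    return 0


def tcp_mss(outer_mtu):
    """TCP MSS that keeps encapsulated segments within outer_mtu (the value an MSS clamp should use)."""
    return tunnel_mtu(outer_mtu) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    wan = 1500
    print(f"ping payload that fits a {wan}-byte WAN link:    {max_ping_payload(wan)}")
    print(f"WAN datagram carrying a {wan}-byte inner packet:  {outer_size(wan)}")
    print(f"inner MTU that avoids WAN fragmentation:         {tunnel_mtu(wan)}")
    print(f"ping payload to test the tunnel with -f:         {max_ping_payload(tunnel_mtu(wan))}")
    print(f"TCP MSS for the tunnel:                          {tcp_mss(wan)}")
```

    Plugging in the figures from the post: `max_ping_payload(1500)` is 1472, so the ping test measured the WAN link, not the tunnel. A 1500-byte inner packet becomes a 1585-byte datagram on the WAN under these assumptions, which cannot cross a 1500-byte link whole; it only arrived because it was fragmented somewhere between pfSense and the VPN server and reassembled there, which is the inefficiency a lower tunnel MTU avoids. The MTU to change is the one on the VPN (tun) interface, not WAN: `tunnel_mtu(1500)` gives 1419 here, and a provider's 1300 is the same idea with a safety margin for unknown overhead on the path. Re-running `ping -f -l 1391` (that is, `max_ping_payload(1419)`) through the tunnel then tests the tunnel itself, and `tcp_mss(1500)` is the MSS a clamp on the tunnel should enforce for TCP.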
     