How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN

  • published 11. 09. 2024

Comments • 175

  • @LAWRENCESYSTEMS
    @LAWRENCESYSTEMS  2 years ago +7

    PIA pfsense write up
    www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-5-openvpn-setup
    Protect your privacy with a VPN from Private Internet Access
    🛒 www.privateinternetaccess.com/pages/buy-vpn/LRNSYS
    Our pfsense Tutorials
    lawrence.technology/pfsense/
    Related Forum Post
    forums.lawrencesystems.com/t/how-to-setup-pfsense-openvpn-policy-routing-with-kill-switch-using-a-privacy-vpn-youtube-release/12441
    ⏱ Timestamps ⏱
    00:00 pfsense privacy VPN Intro
    02:00 Diagrams.net Lab Setup
    04:33 Importing the CA
    05:56 Create OpenVPN Client
    09:10 Adding OpenVPN Interface
    10:48 Gateway Monitoring
    11:20 Outbound NAT Rules
    12:16 Firewall & Kill Switch Rules

    • @seetendrapanda
      @seetendrapanda 2 years ago +1

      The link just does not work. Any other alternate link?

  • @piperjohn_3
    @piperjohn_3 2 years ago +25

    This video is a grand slam home run. I've learned so much about firewall rules, routing etc. from watching your excellent videos. Learning the power of aliases in rules was the biggest single game changer for me. Because of your videos not only have I got stuff working robustly, but I actually understand *why* it works with a lot of cool knowledge tidbits along the way. Tagging the packets and setting a floating rule was a truly elegant hack that I will be putting in my back pocket for future use.

  • @waynoinsaneo
    @waynoinsaneo 2 years ago +5

    Dude, you took a process that should have been annoying and made it straightforward. You have my gratitude.

  • @Darkk6969
    @Darkk6969 2 years ago +11

    Great use of the floating rule. I've always wondered how it could be used.

    • @willblanton3120
      @willblanton3120 2 years ago +1

      FYI another use of a floating rule is using redundant VPN tunnels. If a TCP session fails over to a different tunnel, the firewall will block that outgoing traffic because it didn’t see the handshake. Doing an outbound floating rule with quick match and allowing all TCP flags will allow that session to stay alive

  • @robertbarrieault9297
    @robertbarrieault9297 a year ago +4

    There were just a couple things different between 2.4.3 and 2.6.0 versions that were not covered by PIA in their directions. Watching this video I was able to catch what I needed to make it work. Thanks again for a great video

  • @Itay1787
    @Itay1787 2 years ago +8

    You didn't explain about the DNS leak

  • @uzairfarooqui3471
    @uzairfarooqui3471 a year ago +2

    Excellent video, thank you for taking the time to explain the kill switch and tagging. I applied this to opnsense firewall, and got everything working.

  • @janoserdelyi9879
    @janoserdelyi9879 a year ago +1

    This is the best video I've seen on the subject. Thank you, I learned a lot and I'm getting a better grasp of my pfsense firewall due to excellent tutorials like this

  • @Canon1DMkII
    @Canon1DMkII 10 months ago

    Man, you talk fast - actually you are the first person I needed to slow down playback to follow. Thanks for the information.

  • @majoraslayer64
    @majoraslayer64 2 years ago +1

    This video is INCREDIBLE. I've been fighting with this all day, and the floating rule works GREAT for a simple and reliable kill switch. Thanks a ton for posting this! A couple of tips I'd like to add:
    * You WILL have a DNS leak if you stop here, which is my one criticism of this video. The router configuration is fine, but you HAVE to prevent DNS leaks by manually setting your DNS settings on the machine you're connecting to the router. In my experience this tends to be true of any OpenVPN-on-a-router setup, but it's something that often gets overlooked in setup guides. Manually set your DNS in Windows/Linux/Mac etc. and you should be good.
    * In my case, my "hosts" are actually a series of Docker containers that are assigned their own IP addresses on a macvlan Docker network. These can be secured against DNS leaks as well by setting "--dns [your vpn's DNS IP]" in your "docker run" command. I struggled to learn this tip, so I hope it helps someone else.
    * If you're translating this to OPNsense like I am, a few options have been renamed but can be matched up by context clues. For setting tags, the first field assigns tags to packets and the second watches for tags that match what you put there. OPNsense is a little more vague in how they label these unless you turn on the "Full Help" toggle and see descriptions.
    * OPNsense Watchdog settings have been renamed to "Monit"

  • @CaptainZedful
    @CaptainZedful 7 months ago +1

    Great video, I found it thoroughly useful. Thanks very much for putting it up. Got it all working well, I had setup a similar config about 5 years ago and recently went through and completed some big upgrades which broke a bunch of stuff - decided to do a bit of a refresh and rebuilt. This tutorial was excellent.

  • @WarrenAshton
    @WarrenAshton a month ago

    As always, this is so helpful and informative. I'll just add one note: when testing the killswitch my machine would keep the connection alive. Then I remembered ipv6. Had to duplicate rules and add the ip6 address to the alias for it to finally kill the connection.

  • @jenniferw8963
    @jenniferw8963 2 months ago

    I spent hours on this before watching this video. You make it so easy! Thank you so much! I now have my entire VLAN 30 going through PIA via pfSense router, with the kill switch! No chance for my IP address to accidentally appear on the internet :)

  • @seannugent8141
    @seannugent8141 2 years ago +1

    I know I am way late on this one - but thank you for this video. It explained how to do what I was trying to do and as a result explained what I was doing wrong and more importantly WHY. So Thank you

  • @gurulee73
    @gurulee73 10 months ago +1

    Thank you for sharing and putting this intuitive guide together. I found it very helpful

  • @sjheeta
    @sjheeta 2 years ago

    Yeah - I can’t believe how great this video was! Had tried another convoluted method to put some of my unraid containers onto vpn with no success. With this, I can put any ip on my network behind firewall, outstanding!! Thank you!

  • @danonbrown2035
    @danonbrown2035 11 months ago

    Thank you for this. Easy to follow with great explanations rather than just clicking around.

  • @redstonemason
    @redstonemason a year ago

    I followed this video and together with the Netgate Documentation I got a very similar setup on ProtonVPN with WireGuard. This was invaluable. A wireguard video would be really nice for lots of folks. It is so fast and easy once the setup has been done. I did take the opposite approach and set the VPN to the default gateway and then my Firewall aliases are the list of clients that I do not want routing over the VPN but that is so that they are not broken. For instance my ISP installed a TV box for some of their bundled service that they call Rogers Ignite. The box gets blocked by Rogers if not coming from your native WAN connection. I know the video is old but it is still relevant.

  • @GoldenTeeTV
    @GoldenTeeTV 2 years ago +1

    haha noticed the I am Root shirt. 😁😁 especially with what's going on in the esport world right now. luv it nice vid always enjoy them

  • @Krojack76
    @Krojack76 2 months ago

    Pretty good guide. I liked it. As someone using OPNsense now I wish there were more guides on how to do these things within that setup. I know they are similar and you can sorta follow along however OPNsense is changing very quickly and it's getting harder.

  • @allaboutcomputernetworks
    @allaboutcomputernetworks 6 months ago

    Perfect, thank you for explaining these side by side!....👍

  • @bitoiu
    @bitoiu a year ago

    Amazing video, been watching this channel for ages, but today needed to apply this and it's so informative, practical, efficient. Great content.

  • @StoshGalumpke
    @StoshGalumpke 9 months ago

    This is great stuff ... Tommy, I know you're not a genius, but you seriously are ... using the firewall to route an alias to the vpn is sweet and elegant ... many thanks !

  • @jared4670
    @jared4670 2 years ago +1

    Wish I had watched this video first.... Always an excellent tut

  • @captainhappy
    @captainhappy 4 months ago

    The video is good thanks. Something to be added to this is if you use more than 1 VPN connection (with all of them having the same rule based killswitches), you might want to make each of those VPN gateways (System / Routing / Gateways) to have also the "Disable Gateway Monitoring Action" checkbox ON. I believe I had issues from pfsense probably trying to route one VPN connection to another VPN connection, and to my understanding that happens when pfSense gateway monitoring notices the gateway is not working, so pfSense tries to find different gateway - and that checkbox ticked it should be prevented to do so. The video works fine with just 1 VPN connection because there is only one another gateway that is WAN. For more connections than just 1 WAN and 1 VPN, you probably need to make more settings, as the killswitch example works only for traffic trying to escape from VPN to WAN, and I believe that gateway monitoring action disabling should help there. It would be nice if this could be confirmed true by someone.

  • @miguellombana9847
    @miguellombana9847 a year ago

    As always thank you Tom... finally I don't have to remember to make sure my "special" machines are on Nord... now it's automatic and the killswitch feature is a huge plus!

  • @devinkraeker8841
    @devinkraeker8841 a year ago

    Man I love your videos, so comprehensive. Thanks!!

  • @JasonsLabVideos
    @JasonsLabVideos 2 years ago +3

    Not that i use Pfsense BUT DAMN good video as always ! Thanks sir !!

  • @marksparky
    @marksparky a year ago +1

    You’re a legend Tom many thanks

  • @wayne6220
    @wayne6220 2 years ago

    Excellent video, I was only looking at pfsense and openvpn recently, very timely, thank you.

  • @neilwalker5119
    @neilwalker5119 2 years ago

    Get on Tom! Very much appreciated. Legend as always.

  • @FranciscoCosta
    @FranciscoCosta a year ago +1

    you are an amazing person! Thanks so much for this video! :)

  • @michnl1772
    @michnl1772 a year ago +1

    For preventing DNS leaks:
    to get the VPN over the DNS provided by the VPN:
    1. Go to Services → DNS Resolver
    2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (the one you've made). Please note that this setting is very important, as it prevents DNS leaks.
    3. Disable DNS Query Forwarding if it's enabled, because this will use the DNS defined on the General page (which you don't want, as that leaks DNS).
    That's it!

  • @stuartscott6716
    @stuartscott6716 2 years ago

    Great video. it’s finally allowed me to get a specific vlan routing out over a vpn service

  • @pedroporrasmedina
    @pedroporrasmedina 2 years ago

    Amazing video! Very well explained and super functional one, I will put this in practice sooner for sure. Thanks Tom!

  • @zachhockey
    @zachhockey 2 years ago

    Just a few days ago I gave this a go with Nord and couldn't seem to get PfSense to actually send data out that interface. I'll have to give it a go again. Thanks!

  • @geoffpedder
    @geoffpedder 5 months ago

    thanks for this, you're a great teacher

  • @J-D248
    @J-D248 a year ago

    Thank you for this video! Great step by step instructions!

  • @lordbaboon1110
    @lordbaboon1110 2 years ago +1

    Don't pull routes did the trick, thanks! :D

  • @jonnypeace2810
    @jonnypeace2810 2 years ago

    Great video!!
    I did originally have problems making pfblocker and vpnservice work together, but think I've got that working, along with your genius with the tagging! Very clever, love it. Had to make a few adjustments to make sure no DNS leaks with pfblocker.
    Originally made my own VPN gateway with linux firewall rules (a lot of rules and scripts and crontab), but was always a little dubious, even though no DNS leaks etc.
    Really love the level of detail you go into, many thanks :)

    • @Skylinar
      @Skylinar a year ago

      Can you please give more insights how you've set it up to prevent dns leaks?

    • @jonnypeace2810
      @jonnypeace2810 a year ago

      @@Skylinar Hello. After passing my LFCS, I ended up overhauling my networking setup, to exclusively use Linux for networking/firewall, so my pfsense is no more. I think my original setup resolved locally, but I can't remember the name of it now, and if I remember right, I had issues when I wanted different routes to have different DNS, so I will guess that I changed the pfblockers DNS resolver in some way, to use the VPN provider for the web downstream rather than local/isp, otherwise it would have been leaks galore. Wish I could remember, or documented what I did, sorry

  • @fredlabosch6459
    @fredlabosch6459 4 months ago

    Thanks man, it's working perfectly !

  • @cidercreekranch
    @cidercreekranch 2 years ago

    I recently switched to PIA from another VPN provider and the rules that I had established for routing Netflix and Amazon Prime video were not working. All traffic was routing through the VPN. I'm guessing my previous provider did not pull and add routes, but as you indicated for PIA, ticking the Don't Pull Routes and Don't Add/Remove Routes fixed the problem. THANKS!

  • @jeffm2787
    @jeffm2787 2 years ago +1

    Good video. I just use DNS over TLS and SSL based websites. If my ISP knows I'm hitting a website it just doesn't matter much. I see VPN's for a few uses, accessing a business network, accessing your home network, and everything illegal. The latter I don't partake in.

  • @KSherwoodOps
    @KSherwoodOps 2 years ago

    this was so helpful ty!

  • @thejerseyshaun
    @thejerseyshaun a year ago +1

    This is gold thank you.

  • @noranoxica
    @noranoxica 11 months ago

    My dad bragged, when inquired about his home security, that he was using the Norton VPN. This has led me to the conclusion that modern VPN solutions are more akin to a police escort, rather than a balaclava.

  • @StephenHarrisTrackMasterSteve
    @StephenHarrisTrackMasterSteve 2 months ago +1

    I followed all of these steps. And I even rebooted all devices involved, including the router itself. And the device I am trying to tunnel through the VPN, still has the same IP address.

  • @johnc2k2k
    @johnc2k2k a year ago +1

    Thanks, I was able to replicate this on opnSense using your guide

  • @Tom-jo8fu
    @Tom-jo8fu a year ago +2

    Hi Tom, Great video but I have some trouble with the DNS LEAKS. My devices get a different IP from the VPN I provided but when I do a DNS leak test it's failing. How can I fix that?

    • @michnl1772
      @michnl1772 a year ago

      Hi Tom, to get the VPN over the DNS provided by the VPN:
      1. Go to Services → DNS Resolver
      2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (the one you've made). Please note that this setting is very important, as it prevents DNS leaks.
      3. Disable DNS Query Forwarding if it's enabled, because this will use the DNS defined on the General page (which you don't want, as that leaks DNS).
      That's it!

    • @Tom-jo8fu
      @Tom-jo8fu a year ago

      @@michnl1772
      Hi Mich, I have forwarding mode enabled because most of my devices are routed out over the WAN with DoT configured. I want a couple of devices as Tom has shown in the above video to route out over Pia without DNS leaks. Do you have a solution for that as well? thx for your response!

  • @Manu-oi4qc
    @Manu-oi4qc 2 years ago

    Great video as usual ! Could you please make a complementary video describing how to set up PIA DNS servers over TLS ? Thank you for sharing your huge knowledge !

  • @ITKudil
    @ITKudil a year ago

    Thank you so much, very very useful tips

  • @mshrem
    @mshrem 2 years ago +2

    How about a video of how to do this with wireguard?

  • @thenanook
    @thenanook 7 months ago +1

    thank you for the videos

  • @JustinWallis
    @JustinWallis a year ago

    Would this be beneficial if you plan on hosting websites. Would you just not use the vpn for the website server?

  • @erickalcala7649
    @erickalcala7649 a year ago

    Great Video!!

  • @dimaj1
    @dimaj1 2 years ago

    Awesome video! Thank you!

  • @captainhappy
    @captainhappy a year ago

    Have you used 2 VPN connections in same network 16:20 so that while the floating rule in WAN blocks the WAN connections, the pfsense can inadvertently start routing through the other VPN connection when the first VPN happens to go offline? Basically, do just like you do in this video, but instead of having just one VPN connection, have two VPN connections, lets say France and Brazil, and have several computers. Some use the France and some use the Brazil connection. If the computer configured to France VPN loses its connection, then pfsense might try to start routing that France VPN connection to Brazil VPN, the floating rule on WAN side doesn't prevent the switching from one VPN connection to another VPN connection?

  • @sylvainlaflamme4653
    @sylvainlaflamme4653 2 years ago

    Hi Tom, just noticed that your Draw.IO looks very different from the regular offline desktop version. Are you using a different version?
    Happy New Year! from Ontario Canada and always love your technical videos!

  • @daveiooo
    @daveiooo a year ago

    Great video!
    One question out of curiosity, since the only NAT outbound rules you created mapped LAN2 to the VPN interface, if the VPN interface goes down, doesn't that mean no traffic will be able to reach WAN, essentially creating a killswitch without the need for creating that tagging rule?
    I've done this method for a kill switch (Only creating a NAT Outbound rule to the VPN Interface) in the past and am wondering if I'm missing something. Thanks!

  • @nikolaybaranov2213
    @nikolaybaranov2213 2 years ago

    Cool solution! Thanks!

  • @MadAboutTutorials
    @MadAboutTutorials a year ago

    at 10:48 as soon as I add a monitor address to my VPN in routing, it shows 100% loss and offline, tried quad 9, quad 8 and quad 1 just to troubleshoot but got the same result. any ideas?

  • @GryphonM
    @GryphonM a year ago

    I would love if you could do a couple of videos on Sophos XG firewalls.

  • @Chris-hy6jy
    @Chris-hy6jy 2 years ago

    I found that setting System > Routing > Default Gateway to 'None' stopped VPN traffic from bypassing the VPN gateway when the VPN went down.

  • @chrisjchalifoux
    @chrisjchalifoux 2 years ago

    Ty for the great video, it helped me out a lot with my VPN provider

  • @dolomit7517
    @dolomit7517 2 years ago

    very useful thanks a lot!

  • @GilligansTravels
    @GilligansTravels 2 years ago +1

    awesome!

  • @byarea
    @byarea 2 years ago +1

    Hi Lawrence, great video, however you said you were gonna cover DNS leaks but I didn't see it in the video. Did I miss something? If not, could you pick up that topic please.
    Thanks

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      I forgot to add it to the video, just assign public DNS to the devices that you want behind the VPN. This can be done via DHCP reservations

    • @byarea
      @byarea 2 years ago

      @@LAWRENCESYSTEMS thanks for the reply, when doing so will the DNS queries go through the tunnel or will they be resolved by the regular WAN?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      @@byarea everything originating from those devices is forced over the tunnel, including DNS.

  • @antoniostanss
    @antoniostanss a year ago

    Gr8 Video thnx

  • @GiriAlkondanSubbiah
    @GiriAlkondanSubbiah a year ago +1

    Great video Tom. Could you please make a video on NordVPN meshnet with Nextcloud on Truenas scale?

  • @charlineregolina3560
    @charlineregolina3560 6 months ago +1

    @lawrencesystems could you please redo this with WireGuard in place in the same setup now instead of OpenVPN?

  • @OliverAllpress
    @OliverAllpress 2 years ago

    Really great video thanks! I couldn’t get the kill switch to work though. It just wouldn’t block any traffic. Identical config from what I can tell to yours.

  • @yogibear5695
    @yogibear5695 2 years ago

    Very interesting Topic.
    I tried applying this scheme and still having issues when adding a port mapping from the VPN Interface to a host on the IOT network. It appears the SYN is properly mapped to the IOT Host, but the Syn ACK is routed back through the WAN, preventing proper connection establishment.
    Any ideas how to get the SYN-ACK mapped to the proper state entry and routed back through VPN Interface?

  • @nickeby
    @nickeby a year ago

    Great video, but I just can't get it to work. I either get all traffic going through the tunnel or no traffic.

  • @luisveloz5068
    @luisveloz5068 2 years ago

    Hi Tom, great content, thanks. Going a little further on your settings, is it possible to have 2 WANs with 2 different VPN providers at the same time with pfsense? Is it possible?
    Ex. ISP 1 - PIA VPN, ISP 2 - Nord VPN. I tried it but pfsense becomes unstable, the gateways
    freak out..... have you tried it?

  • @Astro-qk5xd
    @Astro-qk5xd a year ago

    Hi, thank you for your video. Can I use pfsense to filter websites so kids can be safe?

  • @MaheshDare
    @MaheshDare 2 years ago

    Great Video

  • @chriseee86
    @chriseee86 a month ago

    Using this method, can websites see that you’re connected via VPN? Or would they only see the IP that you’re connected to?

  • @playtime5423
    @playtime5423 2 years ago

    Great info

  • @random_tech_stuff
    @random_tech_stuff 2 years ago

    Some websites don't accept traffic from my IPv4 because I'm running a Tor relay so I set up rules on pfSense to route said traffic over an external VPN provider. My specific use case would have been useful to include in this video.

    • @Michaelp715
      @Michaelp715 2 years ago

      Shame on Tom for not checking with you first!

  • @a88pockets
    @a88pockets 2 years ago +1

    Great video. But when I enable this to route my main desktop through the PIA VPN WAN I created, I am unable to access local services I run on my network. I can get to pfsense but not unRAID or any of the containers it's running. Nor can I access my ESXi rig or its VMs. I set the rule to LAN2 and moved my desktop to that interface, so it's the only one on LAN2, but when I have the VPN on I am blocked from all local services *note they all run on LAN1

    • @unreadmessages-tl6sd
      @unreadmessages-tl6sd a year ago

      I have similar issue. All my LAN interfaces (except LAN1) can't get out to the internet while PIA service is up. DNS not resolving. I have EXACT setup using NordVPN and it works so this is super puzzling.

    • @roycethefox
      @roycethefox 9 months ago

      Did you eventually resolve this?

    • @a88pockets
      @a88pockets 9 months ago

      I don't think so, I don't have this currently set up. I may try it again and see if I can use the VPN and still have access to my local services. @@roycethefox

  • @per-mortenevensen941
    @per-mortenevensen941 a year ago

    You don't say anything about DNS config, this will work but if you test it on DNS leak you will get a warning. I have a little problem getting the resolver to choose the right DNS server. I also noticed that one device that's on the alias gets out on VPN, it can also reach other VLANs it's not supposed to get to.. the firewall is one example....

  • @shamilkhalidov6571
    @shamilkhalidov6571 2 years ago

    I've tried to install Express VPN to pfsense many times in different ways, also official guide on Express VPN website, but no success. Would be great if you make a video about this installation.
    Thank you

  • @marksmith8142
    @marksmith8142 2 years ago

    Got VPN up and Online using AirVPN. When I start to route IP's out over it, maybe after a few hours or so, the VPN gateway goes down (latency?) then that seems to cause my default WAN to fail. I then have to reboot router and it will fail again within random times. I am not sure why....it seems if I don't route any devices, it seems to stay online. Do I have to add any firewall rules to the OpenVPN or the VPN Interface I created so this doesn't happen? Any thoughts?

  • @tolskie31
    @tolskie31 2 years ago

    Thank you Sir! 😭

  • @brendensmith3325
    @brendensmith3325 2 years ago

    I've just given this a go but I can't get the floating rule to work. If I disable the VPN then it goes out the WAN. I'll keep working on it.

  • @piperfect
    @piperfect 2 months ago

    Why does PIA show as 0ms on the gateway monitor?

  • @JJ_Doc
    @JJ_Doc 2 years ago

    Thanks for video. I followed all the settings and checked over them several times. The kill switch works but when the VPN comes back after being out a few minutes the network VPN users are still blocked. I need to reload the filters and then all VPN users get unblocked. Anyone have any ideas? Thanks.

  • @deciodasilva3960
    @deciodasilva3960 2 years ago

    This was a very nice video man, just curious can I use this to bypass CG-NAT ISP configuration...

  • @gomez758
    @gomez758 a year ago

    Great information. Would any firewall rules be needed on the VPN gateway for security reasons? Like no access to the firewall port, etc...

  • @emanbuoy7673
    @emanbuoy7673 a year ago

    thank you so much for this, it works amazing on my opnsense, but I'm unable to access Home Assistant over wifi on my phone when I'm running the VPN, but as soon as I stop the VPN services it works as usual.. I'm not sure what I'm doing wrong .. can you help with what I can troubleshoot. (my Home Assistant is running on its own bare metal computer connected via LAN to my opnsense).... ty

  • @russellrv
    @russellrv 2 years ago +1

    Hi Lawrence,
    Just to confirm the best way to assign the VPN DNS to the client is to set it up through DHCP static mapping? This is the way I have been doing it as well as manually setting the DNS on the client itself.
    I always had a thought that there might be a better way to do it (e.g. tell pfsense that all clients under the alias to only use a specific DNS).
    I also presume even though the floating rule comes first, that the 'vpn traffic tag' is assigned to the traffic before being process by the rules themselves?

    • @gustavoluiz2723
      @gustavoluiz2723 a year ago

      I also missed this discussion on the tutorial. I also do it like that (add DNS server for specific clients through DHCP server). I also add another rule blocking DNS traffic from the alias IPs to the pfsense IP, to avoid DNS leak. Just in case I forget to add the DNS server on the DHCP server for a specific client.
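
The mechanism these comments keep circling back to (tag on the LAN rule, floating block on WAN, a DNS block for the alias hosts, an IPv6 twin, and a plain pass for local networks so the "can't reach my NAS while the VPN is up" problem does not appear), written out as an added example in the pf syntax pfSense compiles its GUI rules into. This is not code from the video, from Netgate or from PIA; it is an approximation of what the generated ruleset looks like for this setup. Interface names (em0 = WAN, em1 = LAN2, ovpnc1 = the OpenVPN client), the tunnel gateway 10.8.0.1, the tag name and every address in the tables are assumptions.

```pf
# Assumed names (not from the video): em0 = WAN, em1 = LAN2,
# ovpnc1 = OpenVPN client interface, 10.8.0.1 = tunnel gateway the
# provider handed to pfSense. All addresses below are constructed.
table <vpn_clients> { 192.168.30.10, 192.168.30.11 }   # the "alias" of hosts forced through the VPN
table <local_nets>  { 192.168.10.0/24, 192.168.30.0/24 } # networks that must stay reachable directly

# Outbound NAT on the tunnel interface: the provider only ever sees its own
# tunnel address, never the LAN2 hosts. pf requires translation rules to
# come before filter rules.
nat on ovpnc1 inet from <vpn_clients> to any -> (ovpnc1)

# Floating kill switch, evaluated first because of "quick": anything that
# still carries the tag when it tries to leave WAN is dropped. When the VPN
# gateway is down, pfSense falls back to the default route and the tagged
# packets end here instead of leaking out of em0. The inet6 copy is what
# stops a dual-stack host from quietly continuing over IPv6 (the alias then
# needs the hosts' IPv6 addresses and an inet6 policy rule as well).
block out quick on em0 inet  tagged VPN_ONLY
block out quick on em0 inet6 tagged VPN_ONLY

# DNS: alias hosts may not use the firewall's own resolver, so a forgotten
# per-host DNS setting fails closed instead of resolving via WAN.
block in quick on em1 proto { tcp, udp } from <vpn_clients> to (em1) port 53

# Local services stay reachable: a plain pass with no route-to, placed
# above the policy-routing rule, so LAN-to-LAN traffic is not pushed into
# the tunnel.
pass in quick on em1 from <vpn_clients> to <local_nets> keep state

# Policy routing: everything else from the alias is tagged and handed to the
# VPN gateway. The tag travels with the packet (and its state) through the
# rest of the ruleset, which is what the WAN block above keys on.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from <vpn_clients> to any tag VPN_ONLY keep state
```

Rule order carries the logic: the DNS block has to sit above the policy-routing pass, otherwise the "to any" pass claims the query first; the local-networks pass has to sit above it for the same reason. In the pfSense GUI this corresponds to the floating rule, then the LAN2 rules top to bottom, with the tag set on the routing rule and "tagged" matched on the floating one. Gateway failure behaviour depends on the gateway's "skip rules when gateway is down" setting, which is why the floating block is the part that makes the setup fail closed.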

  • @SpaceCadet23
    @SpaceCadet23 a year ago

    Hey, in the video you switch between tabs. What interface or desktop are you using to be able to do that?

  • @marcelw3099
    @marcelw3099 2 years ago

    Hi Tom, thanks for this and your other videos. I have one issue though with rule based routing which I am unable to solve, so I really hope you (or somebody else) knows the trick.
    It is with OVPN site-to-site tunnels. I have 1 OVPN server, and multiple OVPN clients (sites) connecting to me. For the tunnels to work on the server side, I have a 'client specific override' for each client/site. So far so good, tunnel works perfectly.
    On the server side, for some devices I want to do rule based routing, so that the device goes to the internet at a site's location. But since I am the OVPN server/host, I have only 1 interface & gateway for all sites/tunnels. How on earth can I instruct pfSense to route specific traffic to a dedicated site/tunnel? Tried so many different things, but none of them worked.
    On the client side, this issue does not exist, because each client has a gateway for his own tunnel to me.
    I really hope anybody knows how to do this.
    Thx.

  • @louisshade8624
    @louisshade8624 a year ago

    Can't access my local server over pfsense VPN while its connected to PIA VPN any help plz

  • @kc0eks
    @kc0eks 2 years ago

    Thanks for this! Any chance you can do a video on restoring a pfsense to new unlike hardware? Every time I do this it doesn't go well. Assigning interfaces and vlans and such just doesn't restore when interfaces are different unless you rebuild it all.
    I'm sure there's a better way.. a tom way.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      Download the XML backup, search and replace the interface names to match the system you are restoring to.

    • @TheADiggins
      @TheADiggins 2 years ago +1

      I have done what Lawrence says here going from a pfsense 2100 to a 6100 as long as you know your interface names it’s really easy.

  • @TheLizardNerd
    @TheLizardNerd 2 years ago

    Hi! I have a question about the Virtual IP of PIA interface. For the purpose of the video the IP is a private IP, but on a real case it should be a public IP? Otherwise I don't understand how a private IP can go outside to network to the remote PIA VPN server. I hope I have explained my doubt clearly. Thanks for the video!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      That is the tunnel IP for OpenVPN assigned to pfsense.

    • @TheLizardNerd
      @TheLizardNerd 2 years ago

      @@LAWRENCESYSTEMS Thanks! But what is the source address and destination address of a PDU going through the VPN tunnel?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      I don't understand the question.

  • @grcunyus
    @grcunyus 2 years ago

    The Floating rule breaks package manager and update in system menu.

  • @briankfree
    @briankfree 2 years ago

    Would be nice if a video like this could be made for Unifi Dream Machine lineup, if it even supports policy based routing with a VPN Client. Not sure it does, but would be nice if it did.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      I can't make a video on something not supported on the UDM.

    • @briankfree
      @briankfree 2 years ago

      @@LAWRENCESYSTEMS Yes I know, just over here wishing it was. :/ Great video on the pfsense PBR.

  • @ishk8314
    @ishk8314 2 years ago

    Hi, great video. I'm new to this and your videos are extremely helpful. I was wondering... is there any way to chain VPNs using pfsense. Example Linux --> ISP-->VPN1-->VPN2-->Online server

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      possibly depending on how you set things up. You can do lots of overly complicated things with pfsense, not that they are all good ideas, but you can do them.

    • @ishk8314
      @ishk8314 2 years ago

      @@LAWRENCESYSTEMS I have it setup like shown in your video. How would I chain a 2nd VPN?

  • @JonLinde
    @JonLinde 2 years ago

    I was wondering if it is possible to apply the same principles of using aliases, to set different VPN gateways based on geographic destination - leveraging pfblocker geoip aliases...
    Based on this video, it seems doable - or am I missing something?