How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN

  • Published 29 Aug 2024

COMMENTS • 175

  • @LAWRENCESYSTEMS
    @LAWRENCESYSTEMS  2 years ago +7

    PIA pfsense write up
    www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-5-openvpn-setup
    Protect your privacy with a VPN from Private Internet Access
    🛒 www.privateinternetaccess.com/pages/buy-vpn/LRNSYS
    Our pfsense Tutorials
    lawrence.technology/pfsense/
    Related Forum Post
    forums.lawrencesystems.com/t/how-to-setup-pfsense-openvpn-policy-routing-with-kill-switch-using-a-privacy-vpn-youtube-release/12441
    ⏱ Timestamps ⏱
    00:00 pfsense privacy VPN Intro
    02:00 Diagrams.net Lab Setup
    04:33 Importing the CA
    05:56 Create OpenVPN Client
    09:10 Adding OpenVPN Interface
    10:48 Gateway Monitoring
    11:20 Outbound NAT Rules
    12:16 Firewall & Kill Switch Rules

    • @seetendrapanda
      @seetendrapanda 2 years ago +1

      The link just does not work. Any other alternate link?

  • @piperjohn_3
    @piperjohn_3 2 years ago +25

    This video is a grand slam home run. I've learned so much about firewall rules, routing etc. from watching your excellent videos. Learning the power of aliases in rules was the biggest single game changer for me. Because of your videos not only have I got stuff working robustly, but I actually understand *why* it works with a lot of cool knowledge tidbits along the way. Tagging the packets and setting a floating rule was a truly elegant hack that I will be putting in my back pocket for future use.

  • @waynoinsaneo
    @waynoinsaneo 2 years ago +5

    Dude, you took a process that should have been annoying and made it straightforward. You have my gratitude.

  • @Darkk6969
    @Darkk6969 2 years ago +11

    Great use of the floating rule. I've always wondered how it could be used.

    • @willblanton3120
      @willblanton3120 2 years ago +1

      FYI another use of a floating rule is using redundant VPN tunnels. If a TCP session fails over to a different tunnel, the firewall will block that outgoing traffic because it didn’t see the handshake. Doing an outbound floating rule with quick match and allowing all TCP flags will allow that session to stay alive

  • @robertbarrieault9297
    @robertbarrieault9297 1 year ago +4

    There were just a couple things different between 2.4.3 and 2.6.0 versions that were not covered by PIA in their directions. Watching this video I was able to catch what I needed to make it work. Thanks again for a great video

    • @drinkyt398
      @drinkyt398 1 year ago +2

      what were the differences?

  • @jenniferw8963
    @jenniferw8963 2 months ago

    I spent hours on this before watching this video. You make it so easy! Thank you so much! I now have my entire VLAN 30 going through PIA via pFSense router, with the kill switch! No chance for my IP address to accidentally appear on the internet :)

  • @Itay1787
    @Itay1787 2 years ago +8

    You didn't explain about the DNS leak

  • @WarrenAshton
    @WarrenAshton 1 month ago

    As always, this is so helpful and informative. I'll just add one note: when testing the killswitch my machine would keep the connection alive. Then I remembered ipv6. Had to duplicate rules and add the ip6 address to the alias for it to finally kill the connection.

  • @uzairfarooqui3471
    @uzairfarooqui3471 1 year ago +2

    Excellent video, thank you for taking the time to explain the kill switch and tagging. I applied this to opnsense firewall, and got everything working.

  • @janoserdelyi9879
    @janoserdelyi9879 1 year ago +1

    This is the best video I've seen on the subject. Thank you, I learned a lot and I'm getting a better grasp of my pfsense firewall due to excellent tutorials like this

  • @seannugent8141
    @seannugent8141 2 years ago +1

    I know I am way late on this one - but thank you for this video. It explained how to do what I was trying to do and as a result explained what I was doing wrong and more importantly WHY. So Thank you

  • @Canon1DMkII
    @Canon1DMkII 9 months ago

    Man you talk fast - actually are the first person I needed to slow down playback to follow. Thanks for the information.

  • @CaptainZedful
    @CaptainZedful 7 months ago +1

    Great video, I found it thoroughly useful. Thanks very much for putting it up. Got it all working well, I had setup a similar config about 5 years ago and recently went through and completed some big upgrades which broke a bunch of stuff - decided to do a bit of a refresh and rebuilt. This tutorial was excellent.

  • @sjheeta
    @sjheeta 2 years ago

    Yeah - I can’t believe how great this video was! Had tried another convoluted method to put some of my unraid containers onto vpn with no success. With this, I can put any ip on my network behind firewall, outstanding!! Thank you!

  • @gurulee73
    @gurulee73 9 months ago +1

    Thank you for sharing and putting this intuitive guide together. I found it very helpful

  • @redstonemason
    @redstonemason 1 year ago

    I followed this video and together with the Netgate Documentation I got a very similar setup on ProtonVPN with WireGuard. This was invaluable. A wireguard video would be really nice for lots of folks. It is so fast and easy once the setup has been done. I did take the opposite approach and set the VPN to the default gateway and then my Firewall aliases are the list of clients that I do not want routing over the VPN but that is so that they are not broken. For instance my ISP installed a TV box for some of their bundled service that they call Rogers Ignite. The box gets blocked by Rogers if not coming from your native WAN connection. I know the video is old but it is still relevant.

  • @captainhappy
    @captainhappy 4 months ago

    The video is good thanks. Something to be added to this is if you use more than 1 VPN connection (with all of them having the same rule based killswitches), you might want to make each of those VPN gateways (System / Routing / Gateways) to have also the "Disable Gateway Monitoring Action" checkbox ON. I believe I had issues from pfsense probably trying to route one VPN connection to another VPN connection, and to my understanding that happens when pfSense gateway monitoring notices the gateway is not working, so pfSense tries to find different gateway - and with that checkbox ticked it should be prevented from doing so. The video works fine with just 1 VPN connection because there is only one other gateway that is WAN. For more connections than just 1 WAN and 1 VPN, you probably need to make more settings, as the killswitch example works only for traffic trying to escape from VPN to WAN, and I believe that gateway monitoring action disabling should help there. It would be nice if this could be confirmed true by someone.

  • @Krojack76
    @Krojack76 2 months ago

    Pretty good guide. I liked it. As someone using OPNsense now I wish there were more guides on how to do these things within that setup. I know they are similar and you can sorta follow along however OPNsense is changing very quickly and it's getting harder.

  • @danonbrown2035
    @danonbrown2035 10 months ago

    Thank you for this. Easy to follow with great explanations rather than just clicking around.

  • @miguellombana9847
    @miguellombana9847 1 year ago

    As always thank you Tom... finally I don't have to remember to make sure my "special" machines are on Nord... now it's automatic and the killswitch feature is a huge plus!

  • @michnl1772
    @michnl1772 1 year ago +1

    For preventing DNS leaks:
    to get the VPN over the DNS provided by the VPN:
    1. Go to Services → DNS Resolver
    2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (the one you've made). Please note that this setting is very important as it prevents DNS leaks.
    3. Disable DNS query Forwarding if it's enabled because this will use the defined DNS at the General page (that you don't want Leaks DNS).
    That's it!

  • @StoshGalumpke
    @StoshGalumpke 8 months ago

    This is great stuff ... Tommy, I know you're not a genius, but you seriously are ... using the firewall to route an alias to the vpn is sweet and elegant ... many thanks !

  • @majoraslayer64
    @majoraslayer64 2 years ago +1

    This video is INCREDIBLE. I've been fighting with this all day, and the floating rule works GREAT for a simple and reliable kill switch. Thanks a ton for posting this! A couple of tips I'd like to add:
    * You WILL have a DNS leak if you stop here, which is my one criticism of this video. The router configuration is fine, but you HAVE to prevent DNS leaks by manually setting your DNS settings on the machine you're connecting to the router. In my experience this tends to be true of any OpenVPN-on-a-router setup, but it's something that often gets overlooked in setup guides. Manually set your DNS in Windows/Linux/Mac etc. and you should be good.
    * In my case, my "hosts" are actually a series of Docker containers that are assigned their own IP addresses on a macvlan Docker network. These can be secured against DNS leaks as well by setting "--dns [your vpn's DNS IP]" in your "docker run" command. I struggled to learn this tip, so I hope it helps someone else.
    * If you're translating this to OPNsense like I am, a few options have been renamed but can be matched up by context clues. For setting tags, the first field assigns tags to packets and the second watches for tags that match what you put there. OPNsense is a little more vague in how they label these unless you turn on the "Full Help" toggle and see descriptions.
    * OPNsense Watchdog settings have been renamed to "Monit"
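
Added example, not part of any comment or of the video: a small Python model of the tag-plus-floating-rule kill switch that commenters describe, extended to show the IPv6 gap one commenter reports when the alias holds only IPv4 addresses. The tag name, addresses and the `Firewall` class are constructed for illustration; the model assumes tagged traffic falls back to the WAN when the VPN gateway is down, and it is not pfSense code.

```python
"""Toy model (constructed, not pfSense code) of a tag-based VPN kill switch."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TAG = "NO_WAN_EGRESS"  # hypothetical tag name


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[str] = None


class Firewall:
    def __init__(self, vpn_alias, vpn_up=True):
        # vpn_alias: the addresses/networks that must only leave through the VPN.
        self.vpn_alias = [ip_network(n) for n in vpn_alias]
        self.vpn_up = vpn_up

    def lan_rule(self, pkt):
        """LAN policy rule: alias members are tagged and sent to the VPN gateway."""
        src = ip_address(pkt.src)
        # A network never contains an address of the other IP family.
        if any(src in net for net in self.vpn_alias):
            pkt.tag = TAG
            # Assumption: with the VPN gateway down, traffic follows the
            # default route, i.e. the WAN.
            return "VPN" if self.vpn_up else "WAN"
        return "WAN"  # not in the alias: ordinary allow rule, default gateway

    def wan_floating_rule(self, pkt):
        """Floating rule on WAN, direction out: drop anything carrying the tag."""
        return pkt.tag != TAG  # True means the packet may pass

    def egress(self, pkt):
        iface = self.lan_rule(pkt)
        if iface == "WAN" and not self.wan_floating_rule(pkt):
            return "BLOCKED"
        return iface


# Constructed sample host with one IPv4 and one IPv6 address (documentation ranges).
HOST = ["192.168.30.10", "2001:db8:30::10"]
DST = {4: "198.51.100.7", 6: "2001:db8:ffff::7"}


def leaks(vpn_alias, host_addrs, vpn_up):
    """Return the host addresses whose traffic would leave via the WAN."""
    fw = Firewall(vpn_alias, vpn_up)
    out = []
    for addr in host_addrs:
        pkt = Packet(addr, DST[ip_address(addr).version])
        if fw.egress(pkt) == "WAN":
            out.append(addr)
    return out


if __name__ == "__main__":
    v4_only = ["192.168.30.10/32"]
    dual = v4_only + ["2001:db8:30::10/128"]
    for name, alias in (("IPv4-only alias", v4_only), ("dual-stack alias", dual)):
        for up in (True, False):
            state = "up" if up else "down"
            print(f"{name}, VPN {state}: WAN leaks = {leaks(alias, HOST, up)}")
```

With an IPv4-only alias the host's IPv6 address never receives the tag, so it leaves via the WAN whether the VPN is up or down; adding the IPv6 address to the alias closes that path.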

  • @allaboutcomputernetworks
    @allaboutcomputernetworks 5 months ago

    Perfect, thank you for explaining these side by side!....👍

  • @GoldenTeeTV
    @GoldenTeeTV 2 years ago +1

    haha noticed the I am Root shirt. 😁😁 especially with whats going on in the esport world right now. luv it nice vid always enjoy them

  • @bitoiu
    @bitoiu 1 year ago

    Amazing video, been watching this channel for ages, but today needed to apply this and it's so informative, practical, efficient. Great content.

  • @marksparky
    @marksparky 1 year ago +1

    You’re a legend Tom many thanks

  • @jared4670
    @jared4670 2 years ago +1

    Wish I had watched this video first.... Always an excellent tut

  • @stuartscott6716
    @stuartscott6716 1 year ago

    Great video. it’s finally allowed me to get a specific vlan routing out over a vpn service

  • @devinkraeker8841
    @devinkraeker8841 1 year ago

    Man I love your videos, so comprehensive. Thanks!!

  • @zachhockey
    @zachhockey 2 years ago

    Just a few days ago I gave this a go with Nord and couldn't seem to get PfSense to actually send data out that interface. I'll have to give it a go again. Thanks!

  • @wayne6220
    @wayne6220 2 years ago

    Excellent video, I was only looking at pfsense and openvpn recently, very timely, thank you.

  • @neilwalker5119
    @neilwalker5119 2 years ago

    Get on Tom! Very much appreciated. Legend as always.

  • @geoffpedder
    @geoffpedder 5 months ago

    thanks for this, you're a great teacher

  • @pedroporrasmedina
    @pedroporrasmedina 2 years ago

    Amazing video! Very well explained and super functional one, I will put this in practice sooner for sure. Thanks Tom!

  • @JasonsLabVideos
    @JasonsLabVideos 2 years ago +3

    Not that i use Pfsense BUT DAMN good video as always ! Thanks sir !!

  • @jeffm2787
    @jeffm2787 2 years ago +1

    Good video. I just use DNS over TLS and SSL based websites. If my ISP knows I'm hitting a website it just doesn't matter much. I see VPNs for a few uses, accessing a business network, accessing your home network, and everything illegal. The latter I don't partake in.

  • @FranciscoCosta
    @FranciscoCosta 1 year ago +1

    you are an amazing person! Thanks so much for this video! :)

  • @J-D248
    @J-D248 1 year ago

    Thank you for this video! Great step by step instructions!

  • @fredlabosch6459
    @fredlabosch6459 3 months ago

    Thanks man, it's working perfectly!

  • @lordbaboon1110
    @lordbaboon1110 2 years ago +1

    Don't pull routes did the trick, thanks! :D

  • @jonnypeace2810
    @jonnypeace2810 2 years ago

    Great video!!
    I did originally have problems making pfblocker and vpnservice work together, but think I've got that working, along with your genius with the tagging! Very clever, love it. Had to make a few adjustments to make sure no DNS leaks with pfblocker.
    Originally made my own VPN gateway with linux firewall rules (a lot of rules and scripts and crontab), but was always a little dubious, even though no DNS leaks etc.
    Really love the level of detail you go into, many thanks :)

    • @Skylinar
      @Skylinar 11 months ago

      Can you please give more insights how you've set it up to prevent dns leaks?

    • @jonnypeace2810
      @jonnypeace2810 11 months ago

      @Skylinar Hello. After passing my LFCS, I ended up overhauling my networking setup, to exclusively use Linux for networking/firewall, so my pfsense is no more. I think my original setup resolved locally, but I can't remember the name of it now, and if I remember right, I had issues when I wanted different routes to have different DNS, so I will guess that I changed the pfblockers DNS resolver in some way, to use the VPN provider for the web downstream rather than local/isp, otherwise it would have been leaks galore. Wish I could remember, or documented what I did, sorry

  • @cidercreekranch
    @cidercreekranch 2 years ago

    I recently switched to PIA from another VPN provider and the rule that I had established for routing Netflix and Amazon Prime video were not working. All traffic was routing through the VPN. I'm guessing my previous provider did not pull and add routes but as you indicated that PIA, ticking the Don't Pull Routes and Don't Add/Remove routes fixed the problem. THANKS!

  • @thejerseyshaun
    @thejerseyshaun 1 year ago +1

    This is gold thank you.

  • @StephenHarrisTrackMasterSteve
    @StephenHarrisTrackMasterSteve 1 month ago +1

    I followed all of these steps. And I even rebooted all devices involved, including the router itself. And the device I am trying to tunnel through the VPN, still has the same IP address.

  • @noranoxica
    @noranoxica 11 months ago

    My dad bragged, when inquired about his home security, that he was using the Norton VPN. This has led me to the conclusion that modern vpn solutions are more akin to a police escort, rather than a balaclava.

  • @johnc2k2k
    @johnc2k2k 1 year ago +1

    Thanks, I was able to replicate this on opnSense using your guide

  • @KSherwoodOps
    @KSherwoodOps 2 years ago

    this was so helpful ty!

  • @thenanook
    @thenanook 7 months ago +1

    thank you for the videos

  • @Tom-jo8fu
    @Tom-jo8fu 1 year ago +2

    Hi Tom, Great video but I have some trouble with the DNS LEAKS. My devices get a different IP from the VPN I provided but when I do a DNS leak test it's failing. How can I fix that?

    • @michnl1772
      @michnl1772 1 year ago

      Hi Tom, to get the VPN over the DNS provided by the VPN:
      1. Go to Services → DNS Resolver
      2. Scroll up to Outgoing Network Interfaces and select the VPN Interface (the one you've made). Please note that this setting is very important as it prevents DNS leaks.
      3. Disable DNS query Forwarding if it's enabled because this will use the defined DNS at the General page (that you don't want Leaks DNS).
      That's it!

    • @Tom-jo8fu
      @Tom-jo8fu 1 year ago

      @michnl1772
      Hi Mich, I have forwarding mode enabled because most of my devices are routed out over the WAN with DoT configured. I want a couple of devices as Tom has shown in the above video to route out over Pia without DNS leaks. Do you have a solution for that as well? thx for your response!

  • @Manu-oi4qc
    @Manu-oi4qc 2 years ago

    Great video as usual ! Could you please make a complementary video describing how to set up PIA DNS servers over TLS ? Thank you for sharing your huge knowledge !

  • @Chris-hy6jy
    @Chris-hy6jy 2 years ago

    I found that setting System > Routing > Default Gateway to 'None' stopped VPN traffic from bypassing the VPN gateway when the VPN went down.

  • @ITKudil
    @ITKudil 1 year ago

    Thank you so much very very useful Tips

  • @erickalcala7649
    @erickalcala7649 1 year ago

    Great Video!!

  • @dimaj1
    @dimaj1 2 years ago

    Awesome video! Thank you!

  • @sylvainlaflamme4653
    @sylvainlaflamme4653 2 years ago

    Hi Tom, just noticed that your Draw.IO looks very different from the regular offline desktop version. Are you using a different version?
    Happy New Year! from Ontario Canada and always love your technical videos!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      There are different modes that change the layout

  • @captainhappy
    @captainhappy 1 year ago

    Have you used 2 VPN connections in same network 16:20 so that while the floating rule in WAN blocks the WAN connections, the pfsense can inadvertently start routing through the other VPN connection when the first VPN happens to go offline? Basically, do just like you do in this video, but instead of having just one VPN connection, have two VPN connections, let's say France and Brazil, and have several computers. Some use the France and some use the Brazil connection. If the computer configured to France VPN loses its connection, then pfsense might try to start routing that France VPN connection to Brazil VPN, the floating rule on WAN side doesn't prevent the switching from one VPN connection to another VPN connection?

  • @nikolaybaranov2213
    @nikolaybaranov2213 2 years ago

    Cool solution! Thanks!

  • @random_tech_stuff
    @random_tech_stuff 2 years ago

    Some websites don't accept traffic from my IPv4 because I'm running a Tor relay so I set up rules on pfSense to route said traffic over an external VPN provider. My specific use case would have been useful to include in this video.

    • @Michaelp715
      @Michaelp715 1 year ago

      Shame on Tom for not checking with you first!

  • @mshrem
    @mshrem 2 years ago +2

    How about a video of how to do this with wireguard?

  • @charlineregolina3560
    @charlineregolina3560 5 months ago +1

    @lawrencesystems could you please redo this with WireGuard in place in the same setup now instead of OpenVPN?

  • @nickeby
    @nickeby 1 year ago

    Great video, but I just can't get it to work. I either get all traffic going through the tunnel or no traffic.

  • @daveiooo
    @daveiooo 1 year ago

    Great video!
    One question out of curiosity, since the only NAT outbound rules you created mapped LAN2 to the VPN interface, if the VPN interface goes down, doesn't that mean no traffic will be able to reach WAN, essentially creating a killswitch without the need for creating that tagging rule?
    I've done this method for a kill switch (Only creating a NAT Outbound rule to the VPN Interface) in the past and am wondering if I'm missing something. Thanks!

  • @dolomit7517
    @dolomit7517 1 year ago

    very useful thanks a lot!

  • @OliverAllpress
    @OliverAllpress 2 years ago

    Really great video thanks! I couldn’t get the kill switch to work though. It just wouldn’t block any traffic. Identical config from what I can tell to yours.

  • @chrisjchalifoux
    @chrisjchalifoux 2 years ago

    Ty for the great video it helped me out a lot with my vpn provider

  • @antoniostanss
    @antoniostanss 1 year ago

    Gr8 Video thnx

  • @ivanjuarez1412
    @ivanjuarez1412 2 years ago

    Great video!

  • @shamilkhalidov6571
    @shamilkhalidov6571 2 years ago

    I've tried to install Express VPN to pfsense many times in different ways, also official guide on Express VPN website, but no success. Would be great if you make a video about this installation.
    Thank you

  • @chriseee86
    @chriseee86 24 days ago

    Using this method, can websites see that you’re connected via VPN? Or would they only see the IP that you’re connected to?

  • @GryphonM
    @GryphonM 1 year ago

    I would love if you could do a couple of videos on Sophos XG firewalls.

  • @JustinWallis
    @JustinWallis 1 year ago

    Would this be beneficial if you plan on hosting websites. Would you just not use the vpn for the website server?

  • @per-mortenevensen941
    @per-mortenevensen941 1 year ago

    You don't say anything about DNS-config, this will work but if you test it on DNS-leak you will get a warning. I have a little problem getting the resolver to choose the right DNS-server. I also noticed that one device that's on the alias get out on vpn, it can also reach other vlans it's not supposed to get to.. the firewall is one example....

  • @GilligansTravels
    @GilligansTravels 2 years ago +1

    awesome!

  • @byarea
    @byarea 2 years ago +1

    Hi Lawrence, great video, however you said you were gonna cover DNS leaks but I didn't see it in the video. Did I miss something? If no could you pickup that topic please.
    Thanks

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      I forgot to add it to the video, just assign public DNS to the devices that you want behind the VPN. This can be done via DHCP reservations

    • @byarea
      @byarea 2 years ago

      @LAWRENCESYSTEMS thanks for the reply, when doing so will the DNS queries go through the tunnel or will they be resolved by the regular wan?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      @byarea everything originating from those devices is forced over the tunnel, including DNS.

  • @AceBoy2099
    @AceBoy2099 11 months ago

    By the sound of this (so far, I'm not too far in) it sounds like what I'm looking for. I want to route a program through a secondary nic (bound to it) through a vpn without having to mess with the vpn software messing up my pc that said program is on. I'm assuming it would have to be a vlan of its own on my unifi/opnsense?!?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  11 months ago

      Yes, it can be done with a VLAN / Separate subnet.

  • @a88pockets
    @a88pockets 2 years ago +1

    Great video. But when I enable this to route my main desktop through the PIA VPN WAN I created, I am unable to access local services I run on my network. I can get to pfsense but not unRAID or any of the containers it's running. Nor can I access my esxi rig or its vms. I set the rule to lan2 and moved my desktop to that interface, so it's the only one on LAN2, but when I have the VPN I am blocked from all local services *note they all run on LAN1

    • @unreadmessages-tl6sd
      @unreadmessages-tl6sd 1 year ago

      I have similar issue. All my LAN interfaces (except LAN1) can't get out to the internet while PIA service is up. DNS not resolving. I have EXACT setup using NordVPN and it works so this is super puzzling.

    • @roycethefox
      @roycethefox 8 months ago

      Did you eventually resolve this?

    • @a88pockets
      @a88pockets 8 months ago

      I don't think so, I don't have this currently setup. I may try it again and see if I can use the VPN and still have access to my local services. @roycethefox

  • @yogibear5695
    @yogibear5695 2 years ago

    Very interesting Topic.
    I tried applying this scheme and still having issues when adding a port mapping from the VPN Interface to a host on the IOT network. It appears the SYN is properly mapped to the IOT Host, but the Syn ACK is routed back through the WAN, preventing proper connection establishment.
    Any ideas how to get the SYN-ACK mapped to the proper state entry and routed back through VPN Interface?

  • @GiriAlkondanSubbiah
    @GiriAlkondanSubbiah 1 year ago +1

    Great video Tom. Could you please make a video on NordVPN meshnet with Nextcloud on Truenas scale?

  • @Astro-qk5xd
    @Astro-qk5xd 1 year ago

    Hi, thank you for your video. Can I use pfsense to filter website so kids can be safe?

  • @grcunyus
    @grcunyus 2 years ago

    The Floating rule breaks package manager and update in system menu.

  • @SpaceCadet23
    @SpaceCadet23 1 year ago

    Hey, in the video you switch between tabs. What interface or desktop are you using to be able to do that?

  • @emanbuoy7673
    @emanbuoy7673 1 year ago

    thank you so much for this, it works amazing on my opnsense, but I'm unable to access home assistant over wifi on my phone when I'm running vpn, but as soon as I stop the vpn services it works as usual.. I'm not sure what I'm doing wrong .. can you help with what I can troubleshoot. (my homeassistant is running on its own bare metal computer connected via lan to my opnsense).... ty

  • @JJ_Doc
    @JJ_Doc 2 years ago

    Thanks for video. I followed all the settings and checked over them several times. The kill switch works but when the VPN comes back after being out a few minutes the network VPN users are still blocked. I need to reload the filters and then all VPN users get unblocked. Anyone have any ideas? Thanks.

  • @russellrv
    @russellrv 2 years ago +1

    Hi Lawrence,
    Just to confirm the best way to assign the VPN DNS to the client is to set it up through DHCP static mapping? This is the way I have been doing it as well as manually setting the DNS on the client itself.
    I always had a thought that there might be a better way to do it (e.g. tell pfsense that all clients under the alias to only use a specific DNS).
    I also presume even though the floating rule comes first, that the 'vpn traffic tag' is assigned to the traffic before being processed by the rules themselves?

    • @gustavoluiz2723
      @gustavoluiz2723 1 year ago

      I also missed this discussion on the tutorial. I also do it like that (add DNS server for specific clients through DHCP server). I also add another rule blocking DNS traffic from the alias IPs to the pfsense IP, to avoid DNS leak. Just in case I forget to add the DNS server on the DHCP server for a specific client.

  • @deciodasilva3960
    @deciodasilva3960 2 years ago

    This was a very nice video man, just curious can I use this to bypass CG-NAT ISP configuration...

  • @piperfect
    @piperfect 2 months ago

    Why does PIA show as 0ms on the gateway monitor?

  • @playtime5423
    @playtime5423 2 years ago

    Great info

  • @luisveloz5068
    @luisveloz5068 2 years ago

    Hi Tom, great content, thanks. Going a little further on your settings, is it possible to have 2 wans with 2 different vpn providers at the same time with pfsense? Is it possible?
    Ex. ISP 1 - pia vpn , ISP 2 - nord vpn. I tried it but pfsense becomes unstable, the gateways freak out.....you've tried?

  • @brendensmith3325
    @brendensmith3325 2 years ago

    I've just given this a go but I can't get the floating rule to work. If I disable the VPN then it goes out the WAN. I'll keep working on it.

  • @MadAboutTutorials
    @MadAboutTutorials 1 year ago

    at 10:48 as soon as I add a monitor address to my VPN in routing, it shows 100% loss and offline, tried quad 9, quad 8 and quad 1 just to troubleshoot but got the same result. any ideas?

  • @MaheshDare
    @MaheshDare 2 years ago

    Great Video

  • @TheLizardNerd
    @TheLizardNerd 2 years ago

    Hi! I have a question about the Virtual IP of PIA interface. For the purpose of the video the IP is a private IP, but on a real case it should be a public IP? Otherwise I don't understand how a private IP can go outside to network to the remote PIA VPN server. I hope I have explained my doubt clearly. Thanks for the video!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      That is the tunnel IP for OpenVPN assigned to pfsense.

    • @TheLizardNerd
      @TheLizardNerd 2 years ago

      @LAWRENCESYSTEMS Thanks! But what is the source address and destination address of a pdu going through the VPN tunnel?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      I don't understand the question.

  • @briankfree
    @briankfree 2 years ago

    Would be nice if a video like this could be made for Unifi Dream Machine lineup, if it even supports policy based routing with a VPN Client. Not sure it does, but would be nice if it did.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      I can't make a video on something not supported on the UDM.

    • @briankfree
      @briankfree 2 years ago

      @LAWRENCESYSTEMS Yes I know, just over here wishing it was. :/ Great video on the pfsense PBR.

  • @tolskie31
    @tolskie31 2 years ago

    Thank you Sir! 😭

  • @samshiville
    @samshiville 1 year ago

    Ok, this is not working for me, I have 3 deco M5 , mesh tplink, in AP mode, and 1× Intel Celeron N5105/N5100 Soft Router Fanless Mini PC 4x Intel i225/i226 2.5G LAN HDMI, 256Gb ssd and 16gb ddr4 DP pfSense Firewall Appliance ESXI AES-NI, with pfsense 2.7 , bare metal install, pppoe, connection type, NordVPN, UDP, I wanted to put 2 smart-tv outside vpn and my ps5, without success, I dropped the ipv6 settings... only ipv4, other things running on it, pfblockerng, watchdog and cron...

  • @marksmith8142
    @marksmith8142 2 years ago

    Got VPN up and Online using AirVPN. When I start to route IP's out over it, maybe after a few hours or so, the VPN gateway goes down (latency?) then that seems to cause my default WAN to fail. I then have to reboot router and it will fail again within random times. I am not sure why....it seems if I don't route any devices, it seems to stay online. Do I have to add any firewall rules to the OpenVPN or the VPN Interface I created so this doesn't happen? Any thoughts?

  • @gomez758
    @gomez758 1 year ago

    Great information, Would any firewall rules be needed on the vpn gateway for security reasons? like no access to firewall port, etc...

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  1 year ago

      Only if you want to limit what the VPN has access to.

  • @jared4670
    @jared4670 2 years ago

    A couple of months ago I setup my VPN and everything was working perfectly. Aliases were being adhered to. Now I have changed my VPN to my own VPN and the entire network goes onto the VPN instead of the hosts in my alias. Driving me dilly. All other configuration is exactly the same.

  • @quangmango7776
    @quangmango7776 2 years ago

    After following your setup, which is working. But for some reason, I can't Ping my default WAN gateway IP and can't access WebUI of my ISP modem anymore. Yes I did set this gateway default WAN on System->Routing already. Does anyone know how to fix that?