Great video. But when I enable this to route my main desktop through the PIA VPN WAN I created, I am unable to access local services I run on my network. I can get to pfsense but not unRAID or any of the containers it's running. Nor can I access my esxi rig or its vms. I set the rule to lan2 and moved my desktop to that interface, so it's the only one on LAN2, but when I have the VPN on I am blocked from all local services *note they all run on LAN1
I have similar issue. All my LAN interfaces (except LAN1) can't get out to the internet while PIA service is up. DNS not resolving. I have EXACT setup using NordVPN and it works so this is super puzzling.
I don't think so, I don't have this currently set up. I may try it again and see if I can use the VPN and still have access to my local services. @roycethefox
Got VPN up and online using AirVPN. When I start to route IPs out over it, maybe after a few hours or so, the VPN gateway goes down (latency?) and that seems to cause my default WAN to fail. I then have to reboot the router and it will fail again after a random time. I am not sure why... if I don't route any devices, it seems to stay online. Do I have to add any firewall rules to the OpenVPN or the VPN interface I created so this doesn't happen? Any thoughts?
Hi Tom, great content, thanks. Going a little further on your settings, is it possible to have 2 WANs with 2 different VPN providers at the same time with pfsense? Ex. ISP 1 - PIA VPN, ISP 2 - Nord VPN. I tried it but pfsense becomes unstable, the gateways freak out..... have you tried?
By the sound of this (so far, I'm not too far in) it sounds like what I'm looking for. I want to route a program through a secondary NIC (bound to it) through a VPN without having the VPN software messing up the PC that said program is on. I'm assuming it would have to be a VLAN of its own on my unifi/opnsense?!?
@LAWRENCESYSTEMS One thing I did notice, for the rules for LAN 2, you would have to move the blocks before the route out over PIA. Otherwise the devices will ignore the blocks. Top down I suppose.
Hi Lawrence, great video, however you said you were gonna cover DNS leaks but I didn't see it in the video. Did I miss something? If not, could you pick up that topic please. Thanks
Hi! I have a question about the Virtual IP of the PIA interface. For the purpose of the video the IP is a private IP, but in a real case should it be a public IP? Otherwise I don't understand how a private IP can go outside the network to the remote PIA VPN server. I hope I have explained my doubt clearly. Thanks for the video!
Would be nice if a video like this could be made for Unifi Dream Machine lineup, if it even supports policy based routing with a VPN Client. Not sure it does, but would be nice if it did.
Hi, great video. I'm new to this and your videos are extremely helpful. I was wondering... is there any way to chain VPNs using pfsense? Example Linux --> ISP --> VPN1 --> VPN2 --> Online server
Possibly, depending on how you set things up. You can do lots of overly complicated things with pfsense, not that they are all good ideas, but you can do them.
You don't say anything about DNS config, this will work but if you test it on a DNS leak test you will get a warning. I have a little problem getting the resolver to choose the right DNS server. I also noticed that one device that's on the alias gets out on the VPN, but it can also reach other VLANs it's not supposed to get to... the firewall is one example....
I was wondering if it is possible to apply the same principles of using aliases, to set different VPN gateways based on geographic destination - leveraging pfblocker geoip aliases... Based on this video, it seems doable - or am I missing something?
After following your setup, it is working. But for some reason, I can't ping my default WAN gateway IP and can't access the WebUI of my ISP modem anymore. Yes, I did set this gateway as default WAN on System->Routing already. Does anyone know how to fix that?
PIA pfsense write up
www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-5-openvpn-setup
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com/pages/buy-vpn/LRNSYS
Our pfsense Tutorials
lawrence.technology/pfsense/
Related Forum Post
forums.lawrencesystems.com/t/how-to-setup-pfsense-openvpn-policy-routing-with-kill-switch-using-a-privacy-vpn-youtube-release/12441
⏱ Timestamps ⏱
00:00 pfsense privacy VPN Intro
02:00 Diagrams.net Lab Setup
04:33 Importing the CA
05:56 Create OpenVPN Client
09:10 Adding OpenVPN Interface
10:48 Gateway Monitoring
11:20 Outbound NAT Rules
12:16 Firewall & Kill Switch Rules
The link just does not work. Any other alternate link?
This video is a grand slam home run. I've learned so much about firewall rules, routing etc. from watching your excellent videos. Learning the power of aliases in rules was the biggest single game changer for me. Because of your videos not only have I got stuff working robustly, but I actually understand *why* it works with a lot of cool knowledge tidbits along the way. Tagging the packets and setting a floating rule was a truly elegant hack that I will be putting in my back pocket for future use.
Glad it was helpful!
Dude, you took a process that should have been annoying and make it straight forward. You have my gratitude.
I just love Lawrence for his in-depth concept explaining. Just Love You Man.
Lots of LOVE to you :D
Thanks!
There were just a couple things different between 2.4.3 and 2.6.0 versions that were not covered by PIA in their directions. Watching this video I was able to catch what I needed to make it work. Thanks again for a great video
what were the differences?
Excellent video, thank you for taking the time to explain the kill switch and tagging. I applied this to opnsense firewall, and got everything working.
This video is INCREDIBLE. I've been fighting with this all day, and the floating rule works GREAT for a simple and reliable kill switch. Thanks a ton for posting this! A couple of tips I'd like to add:
* You WILL have a DNS leak if you stop here, which is my one criticism of this video. The router configuration is fine, but you HAVE to prevent DNS leaks by manually setting your DNS settings on the machine you're connecting to the router. In my experience this tends to be true of any OpenVPN-on-a-router setup, but it's something that often gets overlooked in setup guides. Manually set your DNS in Windows/Linux/Mac etc. and you should be good.
* In my case, my "hosts" are actually a series of Docker containers that are assigned their own IP addresses on a macvlan Docker network. These can be secured against DNS leaks as well by setting "--dns [your vpn's DNS IP]" in your "docker run" command. I struggled to learn this tip, so I hope it helps someone else.
* If you're translating this to OPNsense like I am, a few options have been renamed but can be matched up by context clues. For setting tags, the first field assigns tags to packets and the second watches for tags that match what you put there. OPNsense is a little more vague in how they label these unless you turn on the "Full Help" toggle and see descriptions.
* OPNsense Watchdog settings have been renamed to "Monit"
Great use of the floating rule. I've always wondered how it could be used.
FYI another use of a floating rule is using redundant VPN tunnels. If a TCP session fails over to a different tunnel, the firewall will block that outgoing traffic because it didn’t see the handshake. Doing an outbound floating rule with quick match and allowing all TCP flags will allow that session to stay alive
I spent hours on this before watching this video. You make it so easy! Thank you so much! I now have my entire VLAN 30 going through PIA via pFSense router, with the kill switch! No chance for my IP address to accidentally appear on the internet :)
This is the best video I've seen on the subject. Thank you, I learned a lot and I'm getting a better grasp of my pfsense firewall due to excellent tutorials like this
As always, this is so helpful and informative. I'll just add one note: when testing the killswitch my machine would keep the connection alive. Then I remembered ipv6. Had to duplicate rules and add the ip6 address to the alias for it to finally kill the connection.
Really enjoy your vids and how you explain the details in your steps. Thank you for that. I just completed this guide for my setup and worked great. One thing I messed up and caused me a lot of time troubleshooting was that I used the "Tag" Advanced Option instead of the "Tagged" option when setting up the Floating Rule. You were right about the details part ;)
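The "Tag" versus "Tagged" distinction from the comment above, written out as the pf rules that the two GUI rules correspond to. This is an added illustration, not the video's or pfSense's own generated config; the interface names, gateway address, alias members and the tag name VPN_ONLY are assumptions.

```pf
# Added example (not from the video or pfSense itself). Interface names,
# the VPN gateway address, the alias contents and the tag name are assumed.
lan2   = "em1"
wan    = "em0"
vpn_if = "ovpnc1"
vpn_gw = "10.8.0.1"          # assumed address of the OpenVPN client gateway
table <vpn_clients> { 192.168.2.10 192.168.2.11 }   # constructed alias

# Floating rule (evaluated first, "quick"): a packet that already carries the
# tag and tries to leave on WAN is dropped. This is the GUI's "Tagged" field.
# No address family is given, so IPv6 leaving on WAN is caught as well.
block out quick on $wan tagged VPN_ONLY

# Any LAN2 block rules (for example to other VLANs) must sit above the next
# line: first quick match wins, so a pass placed earlier would override them.

# LAN2 rule: policy-route alias members to the VPN gateway and *set* the tag.
# This is the GUI's "Tag" field. If pfSense drops route-to because the VPN
# gateway is down, the packet falls back to the default route and the
# floating rule above blocks it, which is the kill switch.
pass in quick on $lan2 route-to ($vpn_if $vpn_gw) inet from <vpn_clients> to any tag VPN_ONLY keep state

# Everything else on LAN2 uses the default gateway and carries no tag.
pass in quick on $lan2 inet from $lan2:network to any keep state
```

The rules only control where packets go; a client in the alias still has to be pointed at the VPN provider's resolver (or the router must hand it one) to avoid the DNS leak mentioned in the comments above.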
This was absolutely a critical video for me. THANK YOU!
I'll even say that it's almost a definitive guide that I return to quite often.
Discovered an issue when you combine this with the buffer bloat fix, the tag gets ignored and you have to add it as an invert tag criteria.
Yeah - I can’t believe how great this video was! Had tried another convoluted method to put some of my unraid containers onto vpn with no success. With this, I can put any ip on my network behind firewall, outstanding!! Thank you!
I followed this video and together with the Netgate Documentation I got a very similar setup on ProtonVPN with WireGuard. This was invaluable. A wireguard video would be really nice for lots of folks. It is so fast and easy once the setup has been done. I did take the opposite approach and set the VPN to the default gateway and then my Firewall aliases are the list of clients that I do not want routing over the VPN but that is so that they are not broken. For instance my ISP installed a TV box for some of their bundled service that they call Rogers Ignite. The box gets blocked by Rogers if not coming from your native WAN connection. I know the video is old but it is still relevant.
Great video, I found it thoroughly useful. Thanks very much for putting it up. Got it all working well, I had setup a similar config about 5 years ago and recently went through and completed some big upgrades which broke a bunch of stuff - decided to do a bit of a refresh and rebuilt. This tutorial was excellent.
This is great stuff ... Tommy, I know you're not a genius, but you seriously are ... using the firewall to route an alias to the vpn is sweet and elegant ... many thanks !
I know I am way late on this one - but thank you for this video. It explained how to do what I was trying to do and as a result explained what I was doing wrong and more importantly WHY. So Thank you
Pretty good guide. I liked it. As someone using OPNsense now I wish there were more guides on how to do these things within that setup. I know they are similar and you can sorta follow along however OPNsense is changing very quickly and it's getting harder.
Thank you for sharing and putting this intuitive guide together. I found it very helpful
Thank you for this. Easy to follow with great explanations rather than just clicking around.
Amazing video, been watching this channel for ages, but today needed to apply this and it's so informative, practical, efficient. Great content.
As always thank you Tom... finally I don't have to remember to make sure my "special" machines are on Nord... now it's automatic and the killswitch feature is a huge plus!
Perfect, thank you for explaining these side by side!....👍
The video is good, thanks. Something to be added to this is if you use more than 1 VPN connection (with all of them having the same rule based killswitches), you might want to make each of those VPN gateways (System / Routing / Gateways) also have the "Disable Gateway Monitoring Action" checkbox ON. I believe I had issues from pfsense probably trying to route one VPN connection to another VPN connection, and to my understanding that happens when pfSense gateway monitoring notices the gateway is not working, so pfSense tries to find a different gateway - and with that checkbox ticked it should be prevented from doing so. The video works fine with just 1 VPN connection because there is only one other gateway, which is WAN. For more connections than just 1 WAN and 1 VPN, you probably need to make more settings, as the killswitch example works only for traffic trying to escape from VPN to WAN, and I believe that disabling the gateway monitoring action should help there. It would be nice if this could be confirmed true by someone.
Wish I had watched this video first.... Always an excellent tut
Get on Tom! Very much appreciated. Legend as always.
Man I love your videos, so comprehensive. Thanks!!
this was so helpful ty!
Man you talk fast - actually are the first person I needed to slowdown playback to follow. Thanks for the information.
haha noticed the I am Root shirt. 😁😁 especially with whats going on in the esport world right now. luv it nice vid always enjoy them
Just a few days ago I gave this a go with Nord and couldn't seem to get PfSense to actually send data out that interface. I'll have to give it a go again. Thanks!
You’re a legend Tom many thanks
Great video. it’s finally allowed me to get a specific vlan routing out over a vpn service
Excellent video, I was only looking at pfsense and openvpn recently, very timely, thank you.
Yes, great job. Thanks a lot. I tried to follow Network Chuck, great guy, but he moves too fast, like he's rushing to get that video made. You did a great job.
Amazing video! Very well explained and super functional one, I will put this in practice sooner for sure. Thanks Tom!
you are an amazing person! Thanks so much for this video! :)
I recently switched to PIA from another VPN provider and the rules that I had established for routing Netflix and Amazon Prime video were not working. All traffic was routing through the VPN. I'm guessing my previous provider did not pull and add routes, but as you indicated for PIA, ticking Don't Pull Routes and Don't Add/Remove Routes fixed the problem. THANKS!
Great video!!
I did originally have problems making pfblocker and the VPN service work together, but I think I've got that working, along with your genius with the tagging! Very clever, love it. Had to make a few adjustments to make sure there are no DNS leaks with pfblocker.
Originally I made my own VPN gateway with Linux firewall rules (a lot of rules and scripts and crontab), but was always a little dubious, even though there were no DNS leaks etc.
Really love the level of detail you go into, many thanks :)
Can you please give more insights how you've set it up to prevent dns leaks?
@Skylinar Hello. After passing my LFCS, I ended up overhauling my networking setup to exclusively use Linux for networking/firewall, so my pfsense is no more. I think my original setup resolved locally, but I can't remember the name of it now, and if I remember right, I had issues when I wanted different routes to have different DNS, so I will guess that I changed the pfblocker DNS resolver in some way to use the VPN provider for the web downstream rather than local/ISP, otherwise it would have been leaks galore. Wish I could remember, or had documented what I did, sorry
Thank you for this video! Great step by step instructions!
Don't pull routes did the trick, thanks! :D
Thanks man, it's working perfectly!
thanks for this, you're a great teacher
Not that i use Pfsense BUT DAMN good video as always ! Thanks sir !!
Good video. I just use DNS over TLS and SSL based websites. If my ISP knows I'm hitting a website it just doesn't matter much. I see VPNs for a few uses: accessing a business network, accessing your home network, and everything illegal. The latter I don't partake in.
You didn't explain about the DNS leak
My dad bragged, when asked about his home security, that he was using the Norton VPN. This has led me to the conclusion that modern VPN solutions are more akin to a police escort than a balaclava.
Thanks, I was able to replicate this on opnSense using your guide
Excellent!
This is gold thank you.
🙂
Great video as usual ! Could you please make a complementary video describing how to set up PIA DNS servers over TLS ? Thank you for sharing your huge knowledge !
Would this be beneficial if you plan on hosting websites. Would you just not use the vpn for the website server?
I followed all of these steps. And I even rebooted all devices involved, including the router itself. And the device I am trying to tunnel through the VPN, still has the same IP address.
I would love if you could do a couple of videos on Sophos XG firewalls.
Thank you so much, very very useful tips
thank you for the videos
My pleasure!
I found that setting System > Routing > Default Gateway to 'None' stopped VPN traffic from bypassing the VPN gateway when the VPN went down.
If I am okay with a device on the VPN failing over to the WAN, would I just make the floating rule a pass rule instead of block? Or do I not need a floating rule at all in that case.
Awesome video! Thank you!
Ty for the great video, it helped me out a lot with my VPN provider
Hi Tom, Great video but I have some trouble with the DNS LEAKS. My devices get a different IP from the VPN I provided but when I do a DNS leak test it's failing. How can I fix that?
@MichNL
Hi Mich, I have forwarding mode enabled because most of my devices are routed out over the WAN with DoT configured. I want a couple of devices as Tom has shown in the above video to route out over Pia without DNS leaks. Do you have a solution for that as well? thx for your response!
Hi, thank you for your video. Can I use pfsense to filter websites so kids can be safe?
How about a video of how to do this with wireguard?
Have you used 2 VPN connections in same network 16:20 so that while the floating rule in WAN blocks the WAN connections, the pfsense can inadvertently start routing through the other VPN connection when the first VPN happens to go offline? Basically, do just like you do in this video, but instead of having just one VPN connection, have two VPN connections, lets say France and Brazil, and have several computers. Some use the France and some use the Brazil connection. If the computer configured to France VPN loses its connection, then pfsense might try to start routing that France VPN connection to Brazil VPN, the floating rule on WAN side doesn't prevent the switching from one VPN connection to another VPN connection?
Great video, but I just can't get it to work. I either get all traffic going through the tunnel or no traffic.
Hi Tom, just noticed that your Draw.IO looks very different from the regular offline desktop version. Are you using a different version?
Happy New Year! from Ontario Canada and always love your technical videos!
There are different modes that change the layout
Some websites don't accept traffic from my IPv4 because I'm running a Tor relay so I set up rules on pfSense to route said traffic over an external VPN provider. My specific use case would have been useful to include in this video.
Shame on Tom for not checking with you first!
Using this method, can websites see that you’re connected via VPN? Or would they only see the IP that you’re connected to?
Really great video thanks! I couldn’t get the kill switch to work though. It just wouldn’t block any traffic. Identical config from what I can tell to yours.
Great video!
One question out of curiosity: since the only NAT outbound rules you created mapped LAN2 to the VPN interface, if the VPN interface goes down, doesn't that mean no traffic will be able to reach WAN, essentially creating a kill switch without the need for creating that tagging rule?
I've used this method for a kill switch (only creating a NAT outbound rule to the VPN interface) in the past and am wondering if I'm missing something. Thanks!
At 10:48, as soon as I add a monitor address to my VPN in routing, it shows 100% loss and offline. I tried Quad9, 8.8.8.8 and 1.1.1.1 just to troubleshoot but got the same result. Any ideas?
Cool solution! Thanks!
Hey, in the video you switch between tabs. What interface or desktop are you using to be able to do that?
I use Pop!_OS
@lawrencesystems could you please redo this with WireGuard in place in the same setup now instead of OpenVPN?
Eventually I will
Very useful, thanks a lot!
Why does PIA show as 0ms on the gateway monitor?
I've just given this a go but I can't get the floating rule to work. If I disable the VPN then it goes out the WAN. I'll keep working on it.
Thanks for the video. I followed all the settings and checked over them several times. The kill switch works, but when the VPN comes back after being out for a few minutes, the VPN users on the network are still blocked. I need to reload the filters and then all VPN users get unblocked. Anyone have any ideas? Thanks.
Very interesting topic.
I tried applying this scheme and am still having issues when adding a port mapping from the VPN interface to a host on the IoT network. It appears the SYN is properly mapped to the IoT host, but the SYN-ACK is routed back through the WAN, preventing proper connection establishment.
Any ideas on how to get the SYN-ACK mapped to the proper state entry and routed back through the VPN interface?
I've tried to install ExpressVPN on pfSense many times in different ways, including the official guide on the ExpressVPN website, but with no success. It would be great if you could make a video about this installation.
Thank you
Great information. Would any firewall rules be needed on the VPN gateway for security reasons? Like no access to the firewall port, etc.
Only if you want to limit what the VPN has access to.
Great video. But when I enable this to route my main desktop through the PIA VPN WAN I created, I am unable to access local services I run on my network. I can get to pfSense but not unRAID or any of the containers it's running. Nor can I access my ESXi rig or its VMs. I set the rule to LAN2 and moved my desktop to that interface, so it's the only one on LAN2, but when I have the VPN enabled I am blocked from all local services. *Note: they all run on LAN1.
I have a similar issue. All my LAN interfaces (except LAN1) can't get out to the internet while the PIA service is up. DNS is not resolving. I have the EXACT same setup using NordVPN and it works, so this is super puzzling.
Did you eventually resolve this?
I don't think so, I don't have this currently set up. I may try it again and see if I can use the VPN and still have access to my local services. @roycethefox
Got the VPN up and online using AirVPN. When I start to route IPs out over it, maybe after a few hours or so, the VPN gateway goes down (latency?) and then that seems to cause my default WAN to fail. I then have to reboot the router and it will fail again at random times. I am not sure why... it seems that if I don't route any devices, it stays online. Do I have to add any firewall rules to the OpenVPN or the VPN interface I created so this doesn't happen? Any thoughts?
Hi Tom, great content, thanks. Going a little further on your settings, is it possible to have 2 WANs with 2 different VPN providers at the same time with pfSense? Is it possible?
Ex. ISP 1 - PIA VPN, ISP 2 - NordVPN. I tried it but pfSense becomes unstable, the gateways freak out... Have you tried it?
This was a very nice video, man. Just curious, can I use this to bypass a CG-NAT ISP configuration?
That is not the use case for this.
Great video, thanks
By the sound of this (so far, I'm not too far in) it sounds like what I'm looking for. I want to route a program through a secondary NIC (bound to it) through a VPN without having to mess with the VPN software messing up the PC that said program is on. I'm assuming it would have to be a VLAN of its own on my UniFi/OPNsense?
Yes, it can be done with a VLAN / Separate subnet.
Great video!
Can this be applied to a whole subnet, not just specific clients? I assume you select the subnet instead of the client IP?
Yes
@LAWRENCESYSTEMS Worked like a charm for the whole subnet. Thanks. Just added the alias as a network, not a host. Thanks a million. Your videos are the best.
@LAWRENCESYSTEMS One thing I did notice: for the rules for LAN2, you would have to move the blocks before the route out over PIA. Otherwise the devices will ignore the blocks. Top down, I suppose.
Can't access my local server over the pfSense VPN while it's connected to PIA VPN, any help please
Hi Lawrence, great video. However, you said you were going to cover DNS leaks but I didn't see it in the video. Did I miss something? If not, could you pick up that topic please?
Thanks
I forgot to add it to the video; just assign public DNS to the devices that you want behind the VPN. This can be done via DHCP reservations.
@LAWRENCESYSTEMS Thanks for the reply. When doing so, will the DNS queries go through the tunnel or will they be resolved via the regular WAN?
@byarea Everything originating from those devices is forced over the tunnel, including DNS.
Hi! I have a question about the virtual IP of the PIA interface. For the purpose of the video the IP is a private IP, but in a real case should it be a public IP? Otherwise I don't understand how a private IP can go outside the network to the remote PIA VPN server. I hope I have explained my doubt clearly. Thanks for the video!
That is the tunnel IP for OpenVPN assigned to pfSense.
@LAWRENCESYSTEMS Thanks! But what are the source address and destination address of a PDU going through the VPN tunnel?
I don't understand the question.
It would be nice if a video like this could be made for the UniFi Dream Machine lineup, if it even supports policy-based routing with a VPN client. Not sure it does, but it would be nice if it did.
I can't make a video on something not supported on the UDM.
@LAWRENCESYSTEMS Yes, I know, just over here wishing it was. :/ Great video on the pfSense PBR.
Hi, great video. I'm new to this and your videos are extremely helpful. I was wondering... is there any way to chain VPNs using pfSense? Example: Linux --> ISP --> VPN1 --> VPN2 --> Online server
Possibly, depending on how you set things up. You can do lots of overly complicated things with pfSense, not that they are all good ideas, but you can do them.
@LAWRENCESYSTEMS I have it set up as shown in your video. How would I chain a 2nd VPN?
Great Video
awesome!
Great video, Tom. Could you please make a video on NordVPN Meshnet with Nextcloud on TrueNAS SCALE?
I don't use NordVPN
You don't say anything about DNS config. This will work, but if you test it on a DNS leak test you will get a warning. I have a little problem getting the resolver to choose the right DNS server. I also noticed that a device that's on the alias gets out on the VPN, but it can also reach other VLANs it's not supposed to get to... the firewall is one example....
I was wondering if it is possible to apply the same principles of using aliases to set different VPN gateways based on geographic destination, leveraging pfBlocker GeoIP aliases...
Based on this video, it seems doable, or am I missing something?
Not sure if that is possible
After following your setup, which is working, for some reason I can't ping my default WAN gateway IP and can't access the web UI of my ISP modem anymore. Yes, I did set this gateway as the default WAN under System->Routing already. Does anyone know how to fix that?