How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN

Reddit Comments

Been using this method for years, first using OpenVPN and now WireGuard (actually I have 2 WireGuard gateways and a road warrior setup). The firewall rules, NAT and alias are the important parts. Never had a kill switch before, but meh, seen you do it, so it couldn't hurt to have it as well.

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/vampyre_masquerade šŸ“…ļøŽ︎ Dec 30 2021 šŸ—«︎ replies

Thank you for the detailed video.

Here is my fail-safe method for privacy VPNs. It's using the remote command with server and port under custom options within pfSense:

remote 1.1.1.1 1196

(That is an example IP, obviously; 1196 is the port used.)

This means if the connection drops it reconnects with the next available server on the list. I've added multiple, including other countries, in case all of the US servers go down.

Reference: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

--remote host [port] [proto]

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/Mammoth-Ad-107 šŸ“…ļøŽ︎ Dec 30 2021 šŸ—«︎ replies

I remotely access my home network to access stuff on my iPhone. Is there a way to change the outgoing gateway of my connected iPhone to one of these gateways, so that when I'm connected I can still remotely access my network and my outgoing traffic is still private?

I tried making an alias for my iOS stuff and made the same LAN and NAT rules for the OpenVPN interface, but my outgoing traffic is still my ISP IP.

Any tips would be helpful. Thanks!

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/clickerdeveloper šŸ“…ļøŽ︎ Dec 30 2021 šŸ—«︎ replies
Captions
Tom here from Lawrence Systems, and we're going to go through how to set up a privacy VPN with pfSense, then do selective policy routing for different devices that are behind here to send them out different VPNs, and then put in a kill switch so that if the VPN goes down it doesn't lead to something such as one of those devices just going out your WAN. So we'll be covering all that; everything's time indexed down below. We're going to be using OpenVPN with PIA. This is not a specific endorsement of PIA. I trust zero of these different privacy VPN companies; matter of fact, a lot of people seem to have been oversold them because it's an easy thing to sell on the internet, so you'll see so many different YouTube channels and podcasts overhyping VPNs. They are, well, not quite about security, but they are more about privacy: if you would like to hide your traffic from your ISP, or you would like to hide your public IP from a website or some web application you're using, that's generally what these are used for. As I said, I trust none of these companies. It's not an endorsement for PIA, but if you're going to sign up for one I do have an affiliate link down below, and that's as much advertising as I have for this video. This was not sponsored or endorsed, but hey, if you're going to use one, as I said, why not sign up with an affiliate link, because I have been using Private Internet Access for quite a while. I like the fact that a while back they donated money to audit OpenVPN and open source products, and I thought that was cool that they helped pay for the code audit, but I don't really have any good reason to use them or not to use them. Here, as I just want to reiterate one more time, I don't know the best company for this; I don't have any endorsements, recommendations or sponsors on this particular video. All right, there'll be an accompanying forum post down below, and there's one last piece of advertising: if you want to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project there's a Hire Us button right at the top. If you want to support this channel otherwise, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, and yes, there's an affiliate link for PIA VPN.

Now let's first start with this diagram. Specifically, I use diagrams.net; I've reviewed this tool before on my channel for doing drawings. I want to explain how the privacy VPNs work. So we have our lab pfSense, and we have two different Linux systems behind here on two separate subnets. I just wanted to have a couple of different subnets to expand out the way this works, so you can repeat it if you do have, as many people do, multiple networks. Now with the lab pfSense, the blue lines represent your normal path, so it goes here to the pfSense. From the pfSense (we are doing all this in a lab, so it has a private IP address, but normally you would have your WAN with a public IP address that's assigned to you by your ISP) when you go to some online services, the online services will see your public IP address. Now with a privacy VPN we take a little bit of a different approach, because we use OpenVPN to create an encrypted tunnel. The ISP sees the encrypted tunnel and sees that you're using a privacy VPN, but because you're encapsulating all the data within an encrypted tunnel, the only thing they know is that you went to the privacy VPN, and then the online services don't see your public IP address; they see whatever IP address was provided by the privacy VPN. Now of note, in here we will talk about how to avoid DNS leaks. That's pretty simple to avoid, but that is one more aspect where, if you don't set this up properly, even though your encrypted tunnel traffic goes over here, your DNS queries can still go out over the public internet, so we will be covering that as well. And the kill switch is so that if for some reason this connection goes down and you have one of these devices routing through the privacy VPN, it doesn't automatically start routing back out through your normal WAN. That can obviously cause some problems if you're trying to remain private and anonymous here.

But of note, if you say "I don't trust my ISP" and you've chosen to pay a privacy VPN to obscure you, that means you have to trust these VPNs, and this is one of the reasons I said I don't have any particular recommendation or any specific one that I say I trust wholeheartedly. Because all it really takes is the privacy VPN company to work with your ISP to tell whatever online service you connected to where this connection came from: the privacy VPN company knows your public IP address, and the online services know the private IP address provided, or public IP address provided, by the privacy VPN. Therefore, in coordination, these companies, although they swear to never have any logs, if they are subpoenaed or hijacked, that is something that they would be able to provide. So just a heads up on that; I just want to make sure that part's really clear on what this actually does.

All right, now to get into the setup on here. I downloaded the PIA Switzerland OVPN file; this is something you can download right from Private Internet Access's website. I'll leave a link to their write-up, and they have all the download links in there to make it easy, so you'll have to search their site for it. But the first thing we need to do is put in a certificate. OpenVPN does use certificates to build trust, and in order to have that trust we're just pulling this out. You can also just download the CRT file from there; this is actually the whole OpenVPN file, but you can simply do it right here. We want to go from BEGIN CERTIFICATE to END CERTIFICATE and we're going to do a copy. We get over here to our pfSense; now this is version 2.5.2 release, this is set up in my lab, and by the way this system is not running pfSense Plus, but it would be the same if I was using a Netgate device and pfSense Plus. There's really no difference if you use pfSense or pfSense Plus for all the settings I'm going to be covering in this video. I'm going to go to Cert Manager, CAs, and we're going to go here and Add. Descriptive name: PIA. We're not going to get too creative here, call it whatever you want, I'm just going to call it PIA. Then we're just going to paste that in over here and hit Save, and if it doesn't give an error it should work. Look: name Private Internet Access, and now we have the cert installed for PIA.

Now we can simply go over to OpenVPN by going over here, and we're creating a client. Now this is the part you have to really make sure you get right, and so I said I'll be documenting some of this in a forum post, but follow along here. This is where people screw up the most, when they're going through and getting all these settings. Now I'll be pulling all the settings right from here, so this is going to be the Swiss privacy network on port 1198. You can actually create more than one of these, and maybe create one for Swiss, one for another location; you can just keep duplicating this and it will keep working that way. But we're just going to be creating one for simplicity's sake; you can actually have more than one on a pfSense system. It was on port 1198; very important to make sure you get the port right (whoop, there we go; don't typo it like I just did). So these are really detailed; go through each one of these steps and make sure you have everything in here that you need. Put the username (I have a PIA username here) and throw in my password, and I guess I should probably give it a name here; let's call this PIA VPN Swiss so we know which one, in case you create another one later. So we've got the username, the password. We'll scroll down, and we do not want to use the TLS key, so we're going to uncheck that. We can leave all of this the same except for this right here: Certificate Authority needs PIA. We'll leave all these the same.

All right, let's scroll down a little bit further, and this is a really important box to check or you'll be scratching your head for a little while: Don't pull routes. By default, and this is specifically with PIA but I imagine lots of other VPN companies do this, they are trying to be helpful, and if they pull routes they will take and, say, update the routing table inside of whatever device is connecting, in this case pfSense, and it will change all your routing so everything from your pfSense goes out the VPN. Maybe that's the solution you're looking for, and that's fine, but you'll find quickly that if you try to squeeze everything over a VPN you'll not necessarily have the fastest internet; you may be adding a lot of latency. That's why this is about policy routing and only the things we want going out over the privacy VPN. So Don't pull routes, because we're going to design our own routes later in the video; that's just an important aspect that you really want to have in here. Now all this can be left the same; there's really not much to do here until we get to Custom options, and I'll have these so you can easily paste them in, or you can just put them in: persist-key, persist-tun, remote-cert-tls server, reneg-sec 0, and auth-retry interact. These are just some settings in case it goes down, so it should hopefully connect faster after some disruption to the connection. So these are the couple of custom options that they say to put in over from PIA; I put them in, didn't really have any problems with them. Go ahead and put IPv4, then we're going to click Save.

All right, now that we saved that, the next step is: did it work? The quickest, easiest way to tell: you can read through the logs and scratch your head a little bit. I can see bytes sent, bytes received, I see an IP address assigned, and it's working. And if you wanted to reconnect again I could just hit this right here and it would re-establish a connection, or I can stop the particular OpenVPN service. We want it running; if you wanted to disable the VPN you can actually go back over here, OpenVPN, Client, Edit, and disable this client, but for now we want it enabled. The next step is, in order to use this as a gateway we need to add it as a gateway, and it's pretty simple here. We're going to go to Interface Assignments, and right there, OpenVPN Swiss, click Add, click on it, we'll call it PIA Swiss, we're going to enable the interface. That's it; just like this, no other settings really need to be set in here, just leave it alone and hit Apply, and this will give it another interface. Actually I called it "swick"; fair enough, can I change it without reassigning it? It's enabled, but you may have noticed it says "pending". When you add an interface, we're going to go here to OpenVPN, look at the status, and we're going to go ahead and just reload it. What this does is re-establish OpenVPN, and now it will automatically get that IP address assigned. When you add it and you don't restart the OpenVPN service you'll end up with a conflict, so I just want to make a note to make sure you do that. So when we get back to this page here (it's going to think for a minute) you'll see the OpenVPN established, working, and the IP address assigned to it. There we go, we've got this internal IP address assigned to it. It just connected, so it's going to show a little bit of packet loss; that's going to happen sometimes. You can also choose in different gateways to monitor whether or not it goes down. We're going to go over here to Routing, and we're going to go ahead and set this so we always know that the default gateway is going to be the WAN DHCP, or whatever your gateway is; the default gateway, not this one here. So I'm going to go and just edit, and you can change whatever the monitor IP is; we'll actually just choose 9.9.9.9, which is just Quad9's DNS. Hit Save, Apply. That way it understands whether or not this gateway is down or up and what it's going to monitor, but it's going to see RTT and RTTsd is there, so it's online, it's working.

All right, now for the next steps we go to Firewall, NAT, and this is where we create our outbound NAT rules. First make sure this is selected: Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below). These are the automatic rules down here at the bottom, and we're going to add another rule: Interface PIA Swiss; we only really need IPv4 for this; and for each subnet you have (of which we have two on this system) you create the rule like so. So the first one was 22.0, Save, and we can actually just duplicate the rule, and the other one is 40.0. Repeat this if you have more networks than this, and it's only relevant to what networks you're going to be creating rules on, so if you are only ever going to create rules on that subnet you only really need one rule, but that's just where that's created. So go ahead and hit Apply Changes now that those are created.

Now comes the firewall alias, and I like to do this as an alias because it simplifies things a bit. We have over here a computer at 192.168.22.100, and the goal is going to be to take it from where it shows in Auburn Hills, or if we put /country (this is the ifconfig site: if you curl it and put this command it'll tell you what country it thinks your IP address is; if you omit /country or /city it just gives you the IP address). So we have Auburn Hills here and United States, so that's where it thinks I am. Technically I'm in Southgate, Michigan, but we'll call it close enough. We're going to go ahead and add an alias: "route out over PIA" sounds like a good name, and these are simply devices that route over VPN, and we type in the IP address of each of those. Now doing this as an alias means it's really simple. Actually, 22.100 is the first one, some Linux machine, and we hit Save. You could add as many hosts as you want and go down here. This is going to be a convenience factor if you want to dynamically move things in and out without having to edit the rules, but just change the aliases: you could throw something on there and right away it goes out over the VPN, or delete it off there, hit refresh on the rules, and it goes away. So this is just a convenience factor so you don't have to put this IP address in more than one time; aliases are really convenient when you're building firewall rules.

Now let's go build the rules. Now, 22.100 was LAN2, so you'll see it right here: 22.1, that's our LAN2. So Firewall, Rules, LAN2. Firewall rules are processed in pfSense from the top down, so we have an allow-all rule down here and we need to create a rule above that to be processed before that other rule. So we're going to hit Add, and hit the little up one so it goes there: Pass, LAN2, IPv4, change this to Any. A lot of mistakes are made when you use just TCP, because, well, anything UDP or ICMP etc. will not work, so make sure that's switched over to Any. Source network is going to be Single host or alias, and we're going to use that alias that says "route over PIA". Destination Any, that's perfectly fine, and this is "IPs to be routed over PIA". Display Advanced, and this is where we've got to do some really specific things in here, including the beginning of our kill switch. We're grabbing this data, and the packets that come in that match the ones we want routed, we want to add a tag to those packets. This tag is just used internally by pfSense; it doesn't do anything to the functioning of the TCP/IP stack, it's not actually changing the packet, but it's adding a tag while the packet traverses the rules within pfSense. So we'll say "private vpn only". Now I'm going to go ahead and copy this, and actually I'm going to spell it right and then copy it, so "private vpn only". We're going to copy this tag because, unlike the aliases, they don't auto-complete when you do the tags in here, so "private vpn only"; we'll get to why we did that in a second. Then we're going to choose Gateway: we don't want to go out the default gateway, we specifically want to go out the PIA Swiss VPN interface, so we're going to choose that and hit Save. So this is how the rule looks; this rule grabs it and sends it out: "IPs to be routed over PIA".

Now the reason for adding the tag is because we're going to create a floating rule that is the kill switch. Now I've seen some debates on the internet of different ways of doing it. The reason for doing it this way is because if you were to simply say "I'm going to route it" and then put a block under it for going out the other gateway, the problem can be where pfSense will, if you disable the VPN or something happens, the service stops and it loses the gateway, things can start routing back out the default gateway. So now we're going to create a floating rule to grab that tagged traffic, so this always tags the traffic, and then go over here to Floating. We're going to hit Add and we're going to create a block rule, and we're going to say Block, WAN, any protocol, Any, not just TCP. Display Advanced, and then instead of the tag we're going to paste in the tag name, so Tagged: "private vpn only". Block if it makes an attempt to escape from the WAN address; it's really that simple. You're just saying don't let it escape the WAN address here. So actually go ahead and Save, and show you what the rule looks like: Save, Apply. So if it matches WAN, it's going to drop it. We should probably give it a name; I do highly encourage giving everything a description: "block the alias for VPN going out over WAN". There we go, just so you know what it's doing when we do this. So we hit Save, and now you get an idea what that rule does. Apply, so if it sees a packet coming and it tries to go out, it's going to grab it and just stop it and throw it away. Of note, if you have more than one WAN you may want to repeat this rule for each WAN you have, or gateway group, however you may have configured it. This lab setup only has a single WAN, therefore we only create a single rule with just the WAN listed in here.

Now the next question might be: does it work? Let's test it. So we're just going to hit an up arrow here, curl the ifconfig /country endpoint, and it thinks we're in Switzerland. Awesome, that's where it should think we are, and I'll show now, because I can show the IP address, whatever IP it's assigned: it's 212.102.37.202. Now what happens? Let's go ahead and forcibly fail OpenVPN, so we're going to go over here to OpenVPN and we'll go to the client and we'll just go ahead and disable it. So disable this client, scroll all the way down to the bottom here, hit Save, and this will cause it to no longer have a VPN: no VPN instance defined. What happened to our lab system here if we curl ifconfig? Actually nothing; it's just going to lock up, because the packets have nowhere to go. Now we're going back over here to Firewall, Rules, and we look at the Floating; we see 240 bytes because it sent some packets, you know, doing some requests, and they have nowhere to go because this rule grabbed them and said nope, because this is what it would have tried to do: it would have tried to go out the WAN. So pretty simple.

One thing of note here: if we go to our OpenVPN, Clients, and we go ahead and re-enable this client, hit Save, the VPN should be established (it establishes relatively quick, there we go). Go back over here, Ctrl-C because it hasn't timed out yet; hey, still not working, wonder why? What happens is, because we completely disabled OpenVPN, if you have this problem you can go over here to Status, and we want to go to Filter Reload, and we want to reprocess the rules. All this is doing is going through and grabbing and refreshing all the rules. Because we disabled it, and actually it would have broken that interface because it was completely disabled, that we assigned, and we reassigned it, it needs the rules to be reloaded in order to grab them and put them all back in. This is not something that happens if the VPN connection drops necessarily; this won't cause an issue. Matter of fact, let's just go ahead and confirm it's working. Hey look, we even got a different IP address this time. But for example, if we go over to VPN, OpenVPN, Status, and we actually re-establish the connection just by doing this, it may get a different IP address again; we'll find out here in a second. And we got the same IP address, but without doing a rule refresh this should still work. It's going to take a second to redo the states, and there we go. Actually, let's clear the screen, do it again so you can see it's up and running and working; I didn't have to reload the rules a second time. If we say /country, it still thinks I'm in Switzerland on this particular device. It's only if the interface gets disabled; reloading the filter is just an FYI in case you do something like that.

Now this is an optional thing you can do here: go to Service Watchdog. This is a service you can install, so it's one of the packages under Package Manager; I've already installed it. You go to Service Watchdog and you can add OpenVPN as a service. When you add a new service you'll see all the different ones in here, and what Service Watchdog does is watch OpenVPN, or whatever you specify, and actually it'll watch each client you set up. If it sees the service is stopped (not necessarily disconnected, because it's set to auto-reconnect; if for some reason something happens or someone at PIA reboots a server it'll auto re-establish a connection), but if the service itself for some reason goes down, you can actually just tell Service Watchdog, hey, just restart that. I haven't really seen this to be a huge issue; it's more of a safety net just in case, so those things keep on running in case the OpenVPN service for some unknown reason quits. You can just tell it to do this. I have on rare occasions seen it just get stuck, but it's so infrequent that I don't know why it gets stuck. That's basically what I've seen happen; I've seen it happen once every few months maybe, but not enough where I can really figure out the why, but the Service Watchdog will restart the service. And it's never happened on my computers; it's just that clients have told me they've seen this, and comments I've seen in different forum posts. So I would say this is optional, but usually, if I see a service failing, I want to first be notified of that service failing, so I'll have it send me a notification so I can investigate, usually, a bigger why. But I'll just mention that this is in here in case you're looking for something to restart the service.

Now one quick and final note: we're going to go back over here to our firewall rules, and I mentioned we did this on LAN2 because that one device we have on here, which we only added one right now, was on LAN2. But we also still have our regular LAN. The quickest way to get this over would be to hit the copy button on the rule, change this to this one here, scroll down to the bottom, hit Save. Now we're over on LAN. As I said, the rules are processed top down, so you always want to make sure it catches this rule first, so that IP address hits this and goes out that gateway. Hit Apply; actually, you've got to drag it, Save, then Apply. All right, now I've got the rule order right, and that's it; now I've added it to this other LAN. If you had five other ones, provided you also have an outbound NAT rule for each one of these, that's how you would duplicate it. That way all you have to do is go back over here to the aliases, and if we wanted to add the other system we could just edit this alias, add a host, put in the IP address of each host we want in there, and subsequently if you wanted to take that host out you would just delete it. The moment you hit Save on this, Apply Changes reloads the rules, and now that one is processed as well, on the VPN or off the VPN, depending on however you want to set it up.

Now hopefully this video gave you a better understanding of how policy routing works in pfSense and how to use a privacy VPN. As I said in the beginning, I don't have any particular recommendations for one, but if you want to sign up for one and help the channel out, there is the affiliate link for PIA down below. I will have a forum link to have a more in-depth discussion on this particular topic, because there's always questions or some whys, and I try to explain the whys as best as I can, but that's what the forums are for: to go a little bit more in depth and talk about different scenarios, or maybe some other unique scenarios that you have. That'll be linked down below in the description, along with the other things I talked about, such as the PIA write-up on this topic. Thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content please give us a thumbs up; if you would like to see more content from this channel hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
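As an added example (not from the video, the forum post, or pfSense itself), here is a small POSIX shell audit that checks a ruleset in the style of pfctl -sr output for the three properties the kill switch above depends on: the policy-routing rule tags the traffic it sends via route-to, it is not limited to one protocol, and a quick block on the WAN matches the tag. The interface names (em0 as WAN, em1 as LAN2, ovpnc1 as the OpenVPN client), the tunnel gateway 10.4.0.1, the file name audit.sh and the sample rulesets are constructed assumptions; requiring quick on the block rule is stricter than the video's default floating rule.

```shell
#!/bin/sh
# Added example, not code from the video or from pfSense: audit a ruleset in the
# style of `pfctl -sr` output for the tag-based kill switch described above.
# On a real box (assumed file name):
#   pfctl -sr > rules.txt; . ./audit.sh; check_kill_switch "$(cat rules.txt)" PRIVATE_VPN_ONLY em0
# Assumptions for the constructed samples: em0 = WAN, em1 = LAN2, ovpnc1 = the
# first OpenVPN client interface, 10.4.0.1 = the tunnel's gateway address.

# Constructed sample: roughly what the GUI steps in the video generate. pf reads
# rules top-down; a "quick" rule ends evaluation on first match, so the floating
# block sits first and the policy-route rule sits above the LAN2 allow-all rule.
GOOD_RULES='block drop out quick on em0 inet tagged PRIVATE_VPN_ONLY label "block alias for VPN going out over WAN"
pass in quick on em1 inet from <route_over_pia> to any keep state route-to (ovpnc1 10.4.0.1) tag PRIVATE_VPN_ONLY label "IPs to be routed over PIA"
pass in quick on em1 inet from 192.168.22.0/24 to any keep state label "Default allow LAN2 to any"
pass out on em0 inet all keep state'

# Constructed sample of the "route it, then block underneath" approach the video
# argues against: nothing is tagged, so nothing stops the traffic on the WAN once
# the gateway disappears and the route-to rule no longer applies.
BAD_NOTAG_RULES='pass in quick on em1 inet from <route_over_pia> to any keep state route-to (ovpnc1 10.4.0.1)
block drop in quick on em1 inet from <route_over_pia> to any
pass in quick on em1 inet from 192.168.22.0/24 to any keep state'

# Constructed sample of the TCP-only mistake: UDP and ICMP from the alias never
# match the tagging rule, so they take the default route untagged.
BAD_TCP_RULES='block drop out quick on em0 inet tagged PRIVATE_VPN_ONLY
pass in quick on em1 inet proto tcp from <route_over_pia> to any keep state route-to (ovpnc1 10.4.0.1) tag PRIVATE_VPN_ONLY
pass in quick on em1 inet from 192.168.22.0/24 to any keep state'

# check_kill_switch RULES TAG WAN_IF
# Returns 0 when RULES contain a working kill switch for TAG on WAN_IF; otherwise
# a non-zero code naming the first problem found (1 no tagging rule, 2 protocol
# restricted, 3 no block on the WAN, 4 block is not quick).
check_kill_switch() {
    rules=$1 tag=$2 wan=$3

    # 1. Traffic must be tagged by the same rule that policy-routes it.
    tagging=$(printf '%s\n' "$rules" | grep "route-to .* tag $tag" || true)
    if [ -z "$tagging" ]; then
        echo "FAIL: no route-to rule applies tag $tag"
        return 1
    fi

    # 2. The tagging rule must cover every protocol ("any" in the GUI): a
    #    "proto tcp" rule leaves UDP and ICMP on the default route.
    if printf '%s\n' "$tagging" | grep -q ' proto '; then
        echo "FAIL: tagging rule is limited to one protocol; set it to any"
        return 2
    fi

    # 3. A block on the WAN must match the tag (the floating rule in the video).
    block=$(printf '%s\n' "$rules" | grep "^block .*out .*on $wan .*tagged $tag" || true)
    if [ -z "$block" ]; then
        echo "FAIL: no block rule on $wan for traffic tagged $tag"
        return 3
    fi

    # 4. Without "quick", pf lets the last matching rule win, so a later pass-out
    #    rule on the WAN could override the block. Insist on quick.
    if ! printf '%s\n' "$block" | grep -q ' quick '; then
        echo "FAIL: block rule on $wan must be quick"
        return 4
    fi

    echo "OK: traffic tagged $tag can only leave via route-to; $wan drops it otherwise"
    return 0
}

# Stand-alone demo over the constructed samples.
check_kill_switch "$GOOD_RULES" PRIVATE_VPN_ONLY em0
check_kill_switch "$BAD_NOTAG_RULES" PRIVATE_VPN_ONLY em0
check_kill_switch "$BAD_TCP_RULES" PRIVATE_VPN_ONLY em0
```

Outbound NAT is not part of pfctl -sr output; check it separately with pfctl -sn for a rule on the OpenVPN interface for each subnet you policy-route.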
Info
Channel: Lawrence Systems
Views: 80,517
Keywords: LawrenceSystems, private internet access, pfsense privacy vpn, pfsense vpn, pfsense pia vpn setup, pfsense private internet access, private internet access vpn, pfsense openvpn setup, pfsense tutorial, tech tips, pfsense openvpn, private internet access vpn setup, pfsense kill switch
Id: ulRgecz0UsQ
Length: 25min 22sec (1522 seconds)
Published: Mon Dec 27 2021