pfsense OpenVPN Policy Routing With Kill Switch Using PIA / Private Internet Access

Captions
So in this video we're gonna cover how to set up PIA with pfSense, and also how to do advanced policy routing. The policy we're gonna specifically be talking about is how to set up a kill switch in here. The goal is: you may want some computers that go out over the VPN, and that's fine. PIA has the instructions (we're gonna get to those) on how to set that up, and it does encapsulate the whole network over there. I've also done a more advanced video, that I'll link to below, on setting it up and doing policy routing. Now this goes policy routing plus a kill switch, so we're gonna cover some of the same things in this video. The kill switch is important because pfSense by default wants to be helpful, and it's better to leave the default, and that default is: if you are routing things over the VPN and the VPN goes down, it falls back to your ISP. The same thing can apply if you have a system that you want specifically to run only over the VPN: when the VPN goes down, the system will then fall back to the ISP. But that's not what you want, and hence we refer to it as a kill switch. It means it's a policy that says do not route this traffic out anything other than the VPN. So basically you're breaking the helpfulness of pfSense that tries to keep the traffic flowing.

Now, how this works. So we're going to start with Private Internet Access, and we've got some of this set up; you may notice it's all configured here. So we're gonna walk through all the steps I did to get here and how to add more to it. But let's start with why did I even choose Private Internet Access. A few people asked me to try to review other VPNs. I've tried several, they work, but Private Internet Access, one of the reasons I came back to them, or stuck with them I should say, since what was 2016, having used them for a number of years, they've been very trouble-free, very headache-free. But as with anything, my caveat with VPNs is always: you're just moving the point of trust. So you may want to use a VPN because you don't trust your ISP not to look at your data, or you want to have privacy when you're using public Wi-Fi, you want to encapsulate all the data, but then you have to trust the VPN company, and I don't know any VPN companies personally, so I won't put my absolute trust in them. Please encrypt everything. Um, like I said, you're just kicking the privacy bucket down the road. I want to get that out there, so if someone is gonna leave a comment "VPNs don't secure everything", I agree with you, but they can be helpful and they can hide your IP address.

One of the things I liked about Private Internet Access, and this is not sponsored by them, but yes, I do have an offer code that does help out the channel; if you want to sign up you can click the link below, not required, but hey, I do appreciate the help of those of you that help support the channel. But Private Internet Access paid for the audit of OpenVPN, and I thought that was really cool. OpenVPN is open source, and they paid to have security researchers validate and vet OpenVPN and look for flaws in it. So they took a really long look at it, and that does take some time and a few dollars, those security experts don't come cheap, and improve it. This is just one of those "hey, the company is giving back" things, and that put them on my radar, and I've been using them ever since, and they seem to be a great company.

Back to setting it up. So they do have right here the pfSense 2.4.3 setup guide, last updated in March of 2019, and their setup guide is accurate. Like I said, I followed the guide to get this up, so I'm not gonna go in-depth, but I will go over the settings. They do have an entire article if you want to get into some of the minutiae of the encryption settings and choose a stronger or lesser encryption; we're just gonna use the default one they have here, but you can modify this as needed. So you can choose a region off their network page, you choose a region you want to go into, you download the CA (RSA 2048) and import it. That instruction works fine, and it's over here, so we're gonna go over the CA. I have it imported. To import it, it's really simple, kind of like they show here: you import the certificate, you just paste it in here, that's what the certificate looks like, copy-pasta, give it a name, "another PIA" because I already have one, and it'll let you import two different ones. You can see it's pretty straightforward to do that part of it; it's just a text file, certificates, no big deal there.

Then we're gonna go over to VPN, OpenVPN, Client. I have two of them set up here; we're gonna get to why in a second. The why is because, well, because it's cool, I can have one computer going out one and one computer going out the other. The other reason is PIA supports multiple connections, up to five as of July 2019, with one account, so that's actually kind of cool. So you can do your whole-house VPN if you want, or selectively policy route only certain computers over there, but as far as the connection goes, you can have pfSense doing connections to different VPNs, so you can have some computers going out one VPN and some computers going out the other VPN, just to make the video a little bit more interesting.

Now, going down the list here of the setup. So currently client enabled, so this is not disabled; peer to peer; UDP; layer 3; the Swiss server is the one I chose here, but this is where you put whatever server host address and the port that that server runs on; they have that information in there. Blank, blank, well, unless you have a proxy, but most people do not. The description, PIA VPN, which one; your username and password, put it in and confirm it; unchecked, unchecked; choose that certificate authority, whatever you call it, I called mine simply PIA; TLS as ours is internally signed; client certificate still gets None, since we're using a password; AES-128-GCM here; AES-128-GCM and AES-256-GCM here; SHA1 160-bit; no hardware acceleration; blank, blank, blank, blank, blank, blank, blank, blank, blank; copy-pasta from them, which, you can see, they show it right here, but yeah, just copy-paste this; send/receive buffer; IPv4; do you need more details in the logs for troubleshooting; hit save and away you go.

Now I'm gonna do a favor for you, because I ran through that quick. What I'm going to do is go here, to Backup and Restore, and I can export OpenVPN. When I export my OpenVPN it's not gonna do the CA step, you still have to do the CA part, but you can go here, and I'll leave a link down in the description below, OpenVPN, and you can then pull my OpenVPN config. Most of the time when people get stuck, it's because they've missed one little box going through there, because it's a lot of details; this is a quick way to do it, I kind of wish they did this. But there is a caveat here: please back up before you do this, because when you bring in my OpenVPN settings, which is just an XML file, it looks like this (this is actually one from earlier, from the Chicago one), when you do this it will overwrite your OpenVPN settings. So, warning: you are restoring with this. If you've got a blank machine you're starting, no problem, it'll work. If you have a config in there, you'll go "oops, I overrode it". Yeah, you have to modify the XML if you want to add more than one in there, but I'm assuming a lot of people, if you're on the simpler side, just want to pull a file in. I'll leave it below; if not, follow the instructions, they work.

Next is two pieces that we're going to do. So once you have the VPN set up and configured, and you can see that it's up, it's working, I don't have to go into logs to see that it does work, and this tells you what the local address is, the virtual addresses for the bridging, the remote host, etc. So we know the VPN is up and running. You can go over to ping 1.1.1.1, and it's always a good idea to check from here and say "hey, can I ping things, does the data go out at all?" I do this before you start troubleshooting it from the side of the computer, because then you're trying to figure out, from the computer, why it's not routing, and there's more complexity. If it doesn't route here, it certainly won't route at the computer level, so this is like your first test; this sometimes solves some problems before you get deeper into it.

To get this policy routing working, and this is actually where this stops, the only other thing that's gonna have to be done is adding the outbound NAT rules, and we'll cover that in just a second, because we're doing them a little bit different. Getting that to work is pretty easy: just go ahead and create these outbound NAT rules, and I'll show you where they're at, NAT, Outbound, and here they are. You notice it says Swiss, not OpenVPN; that's the special part about how we're going to set this up. We'll go ahead and duplicate through all the ways that you copy the rules. You don't really need these unless you're running an ISAKMP type VPN behind here; these are for static NAT ports, in case you're wondering, the 500; they're not as necessary. They do show you copying them in OpenVPN, but if you're not using that type of VPN behind your pfSense, like with a local workstation, they're not relevant. But you just go here, just like they show you, hit the copy rule, and you add another rule. Then we're gonna go ahead, because I have two different networks, I have LAN1 and LAN2, so we're gonna go ahead and add this to LAN2: we just duplicate the WAN rule, choose Swiss, save. I could add a description if I wanted to, to be more accurate, but now it can route out either of these.

Now, this is where some people think you do the policy routing, so it only routes out of one or the other, but this is where pfSense defaults to being helpful: if for some reason the Swiss goes down, it just routes out the WAN, and that's where you want the kill switch added; we're going to get to that shortly. But first we have to add a gateway. To allow policy routing out of different gateways as a LAN rule, you need a gateway to route to. What you do is you go here to Interfaces, Assignments, and here's my standard ones, but after you add OpenVPN as a client it also shows up as a gateway, and here's another one, here's our Chicago. When we added it, also, that was run through that same setting; we added one for the Swiss and one for Chicago. Now we can add a Chicago one, and we've already done the Swiss; let me walk you through how we add the Chicago one. Add, there we go, not much else. Go here, it's called OPT3, call it Chicago, I like that name, save, apply. Now we have WAN, LAN, LAN2, Swiss and Chicago, but you notice it doesn't have an IP address. The reason it doesn't have an IP address is we have to restart the OpenVPN service. So even though we added the interface, now the service has to be restarted, so we just hit restart on this, and there is a pause with the interface. Sometimes when I restart the service pfSense keeps routing but the interface pauses while it's refreshing; I think it pauses for like 30 seconds. If I try it, it just sits here a second, so I'll cut this part of the video out and jump to it working in 40 seconds.

So now the system's up and running, and you can see we get PIA Switzerland and PIA VPN Chicago, and these are the internal routing addresses. Now, short side note: PIA has separate routing addresses they use, but if this network and this network are the same as one of your other networks... so this is 10.1.10.1, it's a /24 network, versus this is 10.13.10.6; as long as there's no conflict in here there's no routing issues. But just a side note: if by some unusual chance you chose exactly the same IP addresses that they're using, you will then have to choose a different one, because pfSense doesn't need to have separate networks for routing. Just a side note, in case you run into a weird scenario like that. A lot of internal people are using 192 addresses, which is why they chose to use 10 addresses, but that is a little factor, just in case you run into a weird problem, because we've seen some of these very problems where someone chose the same routing as they had in here by coincidence, and that was actually what the troubleshooting problem they had was.

So now that we've got these two gateways, and you can see them here in the routing, we've got our standard WAN set via DHCP, then we get Chicago and Swiss, and we can choose which one's the default gateway. It's important to have these gateways in here, but that's not where you set the policy routing; you do that on your rules. I created a rule under LAN2, and I've created an alias, it says "route through VPN Swiss". I'll show you: so here is the firewall alias called route through VPN Swiss, and this just makes it easy. So if I have to add another host to this, add host, and whatever the IP address of that host is, another host, save, and now automatically I have two, and it just would take that IP and throw it back in there, and now it becomes part of the routing pool. So aliases are helpful, because if not you have to create individual rules for every single device, and that would be tedious. Back over to the rules. Now this is the important policy rule you need to create, and rules are processed top-down, so this rule being above this rule is important. This rule is the catch-all that says route it out through DHCP; this rule says if you match one of these IP addresses in here, go ahead and route through there. So we're gonna edit the rule to show you how we built it. Start with a pass; interface LAN; IPv4; protocol any; single host or alias. Like I said, you could create a rule and type each individual IP address right here, but we're just using the alias, and if you're not familiar with how aliases work I think I have a whole video on that, but they autocomplete as you type. Single host or alias, set that to "route these out VPN Swiss", we have a name for it. Then normally this is hidden, but we want to display the advanced and leave these blank, but this is the important part now: this Tag does not autocomplete. This is where I add it; I just tagged it VPN traffic. That means this traffic is tagged with VPN; this (Tagged) is "find the tag". So this is the adding of the tag, and this would be finding the tag: here we're adding a tag, and we're creating another rule to find that tag.

Then the Gateway: we have the options of Chicago or Swiss or WAN; this is the particular one we want for Swiss. Save, apply. So now this page right here routes out through the Swiss VPN, so we're out VPN Swiss, and because I refreshed the page, now the other one I added on this other tab right here shows both aliases when you mouse over, so you're good there. So this routes out through the Swiss, and this one there. Now here comes the kill switch: it's a floating rule. Now floating rules normally are processed after the other pfSense rules, so we go here to the floating rule: action Block; Apply the action immediately on match, so I said normally after, this means jump and do this rule before we go to the other rules down the list; we do Any; IPv4; protocol any; any, any, any, because this is where some people get mixed up and think "I can just grab those IPs and apply this rule". You want to do it very specifically like this, so any, any, route, source any, but then here comes how it finds those. This is how that rule knows what to do: we added the tag VPN traffic; now it has to be exactly the same, I added the pull-the-tag, "VPN traffic". So now the tag was added, now the tag is pulled, called VPN traffic, and then go to the bottom, it's saved. What that rule is now doing: if it finds the VPN traffic, and you can see if I mouse over it says "advanced: VPN traffic", block it. It is that we're blocking it going to the WAN, so it's basically looking for anything, destination WAN. You can do the same thing if you had other WANs, WAN2; matter of fact, you would need to select, if you had two outbounds, you would have to select both of them, because you just don't want it going out through the ISP. So when the VPN goes down, so do these hosts. That's the important part about this rule, so we only need the one floating rule.

Now let's actually show the rule in action. So here's my "yes, it has a VPN" and "no VPN". So if I curl ifconfig.co/country it shows the United States, because this is going out through the normal policy route, so it's 192.168.41.119, so those computers are 119 and 118. So when we added the rule for... so if we do curl ifconfig.co/country it shows Switzerland; curl ifconfig.co will show the IP address. If I did this one it would show my public IP; this one shows the IP for the Swiss VPN from PIA. Pretty straightforward and simple. What if I wanted to put this one right here behind it? Well, that's really easy. We really... go to Firewall, Alias, edit; I know this one's 119, we add 119, save, apply, up arrow, now it shows in Switzerland. Go edit the rule again, or edit the alias, and delete this host, save, apply: United States. Rules work perfectly fine; it's doing what we wanted it to do. Now here is the problem with the way the VPN works: if we stop the VPN without firewall rules, and we're gonna disable the floating rule, so disable it, apply. So we go here, and so, yes VPN, just proved once again it's on there, so country Switzerland, ping 1.1.1.1, ping works fine, like you know it's on the internet. We go over here, and we remember we disabled the floating rule, and then we go stop the OpenVPN; we're going to stop the service. All right, VPN stopped. Hey, look, I can ping, I'm in the United States now, because without that floating rule it's still on the internet and working. So now we go back here, show you the floating rule in action: turn the floating rule back on, apply: no internet. So it's doing what it should; that's the kill switch: VPN went down, this system goes down with it. So let's go ahead and fire the VPN back up, and like I said this is where it's gonna pause for 40 seconds, so I'm gonna skip ahead 40 seconds in the video. VPN's back up, ping, it works, curl country, back in Switzerland, everything's back to normal. Kill switch works exactly like it's supposed to, so any time these go down, where you go, it shuts off.

Now I added two VPNs, like I said, to make the video a little bit more interesting, so let's go over here to the rules again. We're gonna go over to the LAN where these computers are, and this could be completely done through LAN2, these rules, you know, just doing them in here, but you could do this across every one of the different segments of your network, whether it's a VLAN or a regular LAN, it doesn't really matter. Let's configure that 119 address, which, 118 is in an alias, and we can create another alias called Chicago, so I guess we will do that real quick. So, Firewall, Alias: this says route through Swiss; let's add an alias, route through Windy City, yeah, there we go, Chicago is known as the Windy City for those who don't know. So then we are gonna add that other address in here, 40.119, the other system, save, apply. So now we're gonna go back over to our rules, LAN, and we're just gonna copy this rule because it works. So copy it, all the things stay the same: pass, LAN, IPv4, single host or alias, but we're gonna delete and say we're out, and now we're gonna say route through the Windy City of Chicago, change the description for accuracy, still leave the tag VPN traffic, it's important to have that on there, go down here, choose this gateway as Chicago, so now apply. So the rules, once again, top-down: if it matches this rule, which 118 does, it goes out to this one; when it hits this one here it matches Chicago. And because we also have, if you mouse over this, come on, it's adding the tag VPN traffic to both of these, so they both will get caught by the kill switch. But let's say you didn't want this one to be caught by the kill switch; we'll just remove the tag, then you can go "I prefer to go to Chicago, but the VPN's down, no big deal, I just want to route out". Just remove that tagging and it doesn't have to hit this floating rule, and then you can send things out there. But you know, maybe you're not worried if you're doing something and it goes out over the standard ISP. But that's it, so now we should be able to test and see Chicago on this one here. So... and it failed. Well, don't worry, I know what I'm doing; kind of, this is on purpose and kind of an accident.

When we added the Chicago, I realized I didn't, and this is one of those things, go back to the beginning, to stay on track: we also have to create, on this network, an ability to go out to Chicago. So we're gonna go ahead, and we go to the outbound, add again, duplicate, choose Chicago, there we go. For each VPN you create, yes, you do have to create one. So we got, for the 40 network specifically, we got a WAN for the ISP, a Chicago outbound and a Swiss outbound option, so now we can go out any one of those. So now, doing that, oh, here we go, working fine. So the VPN's up, and we'll go ahead and curl ifconfig.co; it returns the 100 200, and I believe, go back to the front page here, the Chicago address, 104 200 150 391, same address on both, so it's pulling the Chicago address. But that's it for the policy routing, and you can kind of expand from here if there's something else you wanted to do, but this way you can put your devices on there.

Now a few side notes about VPNs. One, they have a limited amount of protection they provide; they're only pushing the level of trust down the road, meaning you have to trust PIA that they are not doing something with your data. It does, though, encapsulate it from your ISP; they just see the VPN connection heading over to PIA. But I also don't necessarily recommend putting, like, gaming servers behind here, so if you want to do VPN I do recommend some things not go behind here. Now, for example, Netflix occasionally has trouble, and some streaming services don't like the VPN IP addresses, and even some sites straight up block you from being on a VPN, so being able to quickly move computers around or in between them is easy, turning on and off. But that's why, like, I frequently run a VPN locally on my computer also, like at home. If I have the whole-home VPN set up, take the gaming servers and don't put them on there; any time you add VPN encapsulation you're going to add some overhead to it, and that overhead is going to cause some problems, so you can have potential latency issues and things like that. So, pinging things, and matter of fact, Chicago is not far, a hop from us, and there's like a very slight amount of latency added versus going straight through my Comcast ISP going into Chicago. Any time you add more layers, more pieces of routing, you have more potential for slowdown. So when it comes to gaming, lag is infuriating, so keep the gaming servers off there. Encapsulating that traffic, people knowing what games you play, seems like a pretty minimal risk in terms of Comcast going "we see him connecting to XYZ gaming servers, now we know that they like Minecraft or Call of Duty or insert whatever game". I don't know how much value that metadata is, that you play games, but I will tell you, you, or whoever is in your house playing games, will probably be super aggravated if the game doesn't work or there's a lot of lag.

But that's it for policy routing. I guess it's pretty straightforward: these are the rules you set, have them set up as a gateway, add the tag for the kill switch, that's important, and follow that rule exactly, making sure everything is checked on there, like the floating rule, so make sure it's being processed first; this is where I said people find little problems in here. But do "apply immediately", and match each interface you also don't want to go out. So if you have three internet providers, two internet providers, WAN1, WAN2, etc., you have to block each of them; if not it'll go "hey, I'm being helpful again" and send you out the failover one, for example. But that's really it. It sounds complicated at first; once you start doing it, it's not too complicated. And like I said, I'll leave a link below where you can just download the VPN config just to get the basics set up. Please note it will goof things up if you have a VPN: it will overwrite and put my VPN settings in here, but I did leave out my username and password. And always back things up, actually, before you start messing with all the policy routing and everything else; just do a backup, that way you can restore to that point, because I've seen people accidentally delete things, they don't know what they deleted, they changed too many settings. Have a point of "before I started this adventure" backup, because when you restore and reboot pfSense after restore, it will put all the settings back to that working, wonderful state it was in before the adventure began. But that's the fun part: you get to do it all over again until you get really good at it, or you're like me and think this is... you see the smile on my face, I get excited about VPN and policy routing. I have fun doing it, so it's not just a job for me, it's actually like... why I don't play video games: this is my video game.

All right, thanks. Oh, if you want to continue the discussion, head over to our forums where you can carry on with this. Also, if you would like to help out the channel, please visit our sponsors page; we have a lot of affiliate links of things that may help you and do help out the channel. All right, thanks, thanks for watching. If you like this video give it a thumbs up; if you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going, and if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks again for watching this video, and see you next time.
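The kill-switch logic the video walks through (a LAN pass rule that sets a tag and picks a gateway, plus a floating "quick" block rule on WAN that matches that tag), written out as an added Python model so the rule order can be reasoned about offline. This is not code from the video, from pfSense or from PIA; the host addresses, alias names, gateway names and the rule set are constructed to mirror the walkthrough, and the two-phase evaluation is a deliberate simplification of pf's real semantics.

```python
"""Model of the tag-based kill switch the video builds in pfSense.

Added example, not code from the video, pfSense or PIA: it simulates the pf
rule semantics the walkthrough relies on (LAN rule tags the packet and picks a
gateway; a floating "quick" block rule on the WAN interface matches the tag).
Host addresses, alias and gateway names are constructed to mirror the video.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed aliases (Firewall > Aliases in the video)
ROUTE_THROUGH_VPN_SWISS = {"192.168.41.119"}    # tagged, must only exit via SWISS
ROUTE_THROUGH_WINDY_CITY = {"192.168.41.118"}   # policy routed to CHICAGO, deliberately untagged


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[str] = None   # pf mark written by a matching rule's "Tag" field


@dataclass
class LanRule:
    """Interface rule on LAN; pfSense evaluates these top-down, first match wins."""
    name: str
    src_alias: Optional[Set[str]]   # None means source "any"
    gateway: Optional[str] = None   # None means follow the default route
    tag: Optional[str] = None       # value placed in the packet mark ("Tag" field)


@dataclass
class FloatingRule:
    """Floating rule with 'Apply the action immediately on match' (quick) set."""
    name: str
    interfaces: Set[str]            # every ISP-facing interface tagged traffic must never use
    tagged: str                     # only packets carrying this mark match ("Tagged" field)
    action: str = "block"


def route(packet: Packet, lan_rules: List[LanRule], floating: List[FloatingRule],
          default_gw: str, gateways_up: Set[str]) -> Tuple[str, Optional[str]]:
    """Return ('pass', egress_interface) or ('block', None).

    Phase 1 models the LAN ruleset: the first matching rule sets the tag and
    chooses the gateway.  When that gateway is down, pfSense's default is to
    drop the gateway option so the packet follows the default route, which is
    exactly the fallback to the ISP that the kill switch has to catch.
    Phase 2 models the floating quick block evaluated on the egress interface;
    the pf tag survives forwarding, so the WAN-side rule still sees it.
    """
    egress = default_gw
    for rule in lan_rules:
        if rule.src_alias is not None and packet.src not in rule.src_alias:
            continue
        if rule.tag is not None:
            packet.tag = rule.tag
        if rule.gateway is not None and rule.gateway in gateways_up:
            egress = rule.gateway
        break   # first match wins
    for rule in floating:
        if egress in rule.interfaces and packet.tag == rule.tagged and rule.action == "block":
            return ("block", None)
    return ("pass", egress)


# Constructed ruleset mirroring the video: two policy rules above the catch-all
LAN_RULES = [
    LanRule("route through VPN Swiss", ROUTE_THROUGH_VPN_SWISS, gateway="SWISS", tag="VPN_TRAFFIC"),
    LanRule("route through Windy City", ROUTE_THROUGH_WINDY_CITY, gateway="CHICAGO"),
    LanRule("default allow LAN to any", None),
]
KILL_SWITCH = FloatingRule("kill switch", interfaces={"WAN"}, tagged="VPN_TRAFFIC")


def egress_for(src: str, vpn_up: bool, kill_switch_enabled: bool = True,
               default_gw: str = "WAN", wan_interfaces: Set[str] = frozenset({"WAN"})):
    """Where does a packet from `src` end up under the given gateway state?"""
    gateways_up = set(wan_interfaces) | ({"SWISS", "CHICAGO"} if vpn_up else set())
    floating = [KILL_SWITCH] if kill_switch_enabled else []
    return route(Packet(src, "1.1.1.1"), LAN_RULES, floating, default_gw, gateways_up)


if __name__ == "__main__":
    for src in sorted(ROUTE_THROUGH_VPN_SWISS | ROUTE_THROUGH_WINDY_CITY | {"192.168.41.50"}):
        for vpn_up in (True, False):
            print(f"{src:16} VPN {'up  ' if vpn_up else 'down'} -> {egress_for(src, vpn_up)}")
```

Running it prints where each sample host exits with the VPN up and down. The rows worth studying are the tagged host with the VPN down (blocked, which is the kill switch) and the untagged Chicago host with the VPN down (falls back to WAN, which is what the video describes when the tag is removed). The `interfaces` set on the floating rule is where the multi-WAN caveat lives: a second WAN that is not listed there is a path tagged traffic can still take when the VPN is down.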
Info
Channel: Lawrence Systems
Views: 37,051
Rating: 4.9774647 out of 5
Keywords: private internet access review, pia vpn, private internet access, pfsense vpn killswitch, kill switch, vpn for the win, pia review, how to download torrents anonymously
Id: TglViu6ctWE
Length: 27min 38sec (1658 seconds)
Published: Fri Jul 19 2019