A VPN provider told me to change the DNS via
Services → DHCP Server
Then changing DNS Server 1 & 2
But I already got DNS under the:
System→General Settings tab
Do these extra DHCP Server DNS settings from the VPN even matter?
They matter, but to an extent varying with your intentions with the VPN, where your DNS requests are being “leaked” to, and your requirements for internal resolution.
But let’s just clarify a few things:
Myriads of ways to design around this, again depending on your intentions:
Oh, and don’t mention DoH!
If the OpenVPN is NOT set to “Pull DNS” / “Add Server Provided DNS” under Tunnel settings, does it even consult those DHCP DNS settings?
IMO, if you’re paying for a VPN, then you should probably use their DNS servers. You’re paying for anonymity and supposedly no logs, so why wouldn’t you use their DNS servers also instead of free public ones? That way you don’t have any DNS leaks. It just directs back to the same IDs as the VPN.
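Whether the servers entered in either settings page actually leak depends on which route their traffic takes, so here is an added example (not from this thread or from pfSense itself) that simulates longest-prefix routing over two constructed route tables: one with the two /1 routes that OpenVPN's "redirect-gateway def1" installs, one without. The interface names, the VPN endpoint 203.0.113.10 and the tunnel-side resolver 10.8.0.1 are assumptions.

```python
import ipaddress

# Constructed route tables (interface names, VPN endpoint 203.0.113.10 and
# tunnel resolver 10.8.0.1 are assumptions, not values from the thread).
# OpenVPN "redirect-gateway def1" adds two /1 routes that outrank the WAN
# default route, pinning only the VPN server itself to WAN.
WITH_DEF1 = [
    ("0.0.0.0/0", "wan"),
    ("0.0.0.0/1", "ovpnc1"),
    ("128.0.0.0/1", "ovpnc1"),
    ("203.0.113.10/32", "wan"),
    ("10.8.0.0/24", "ovpnc1"),
    ("192.168.1.0/24", "lan"),
]
# Tunnel up but no redirected default route: only the VPN subnet uses it.
NO_DEF1 = [
    ("0.0.0.0/0", "wan"),
    ("10.8.0.0/24", "ovpnc1"),
    ("192.168.1.0/24", "lan"),
]


def egress_interface(dst, routes):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify_dns(servers, routes):
    """Map each DNS server to 'tunnel', 'wan' (bypasses the VPN) or 'local'."""
    result = {}
    for s in servers:
        iface = egress_interface(s, routes)
        if iface is None or iface == "wan":
            result[s] = "wan"
        elif iface == "lan":
            result[s] = "local"
        else:
            result[s] = "tunnel"
    return result


def leaking_servers(servers, routes):
    """DNS servers whose queries leave on WAN with the native IP as source."""
    return [s for s, where in classify_dns(servers, routes).items() if where == "wan"]
```

With the def1 routes present both a public resolver and the VPN's own resolver are reached through the tunnel; without them the public resolver is queried straight out the WAN, which is the leak the thread is worried about.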
Gotcha okay that makes sense.
The issue is that I’m switching between different VPNs, and having to change the interface, OpenVPN, and then the DHCP DNS settings makes it extremely burdensome to do 5-6 times a day.
More than likely you can use the same DNS configs on alternate VPN connections; might be a good idea to try out, and if it works just leave them the same when switching.
From a privacy perspective you’re putting faith in either VPN company from a no-logging view, so it could be easier to choose one set of DNS configs for both.
I would just use one set of VPN DNS servers (The one you trust the most (chuckle)), or you can add all the VPN DNS servers, as backup, if you really wanted to and just leave them. I wouldn’t switch back and forth for VPN DNS servers.
You can set up different VPN profiles to different IP addresses, or on the same computer just turn them on/off from the GUI dashboard. Have all the different VPN profiles set up in the GUI, turning the one you want to use on/off. Make sure you refresh the pfSense dashboard and double check to make sure the CORRECT VPN IP is active. If you don’t double check you could be on your native IP and not even realize it, thinking you’re going through your VPN.
https://ipchicken.com/ and What's My IP Address? | Online Privacy and Security Tool are the two I use to confirm which VPN and which IP address is active.
The correct way to turn the different VPNs on and off is by having each one as a separate interface? Because it won’t let me disable an OpenVPN while its interface is also on.
Someone mentioned a gateway group method to do this, but I’m confused
Why not roll your own VPN server on say Linode or Digital Ocean, using Open VPN?
Wouldn’t I be the only person using this then? It’s not very anonymous
Not sure of what you are trying to accomplish. Are the users you talk about inside or outside users wanting access to your network? Point to point or remote access?
A single user inside a pfSense firewall, wants to toggle between multiple VPNs with different DNS settings, for the purpose of being anonymous.
Try Tor. If you are connecting from a static location you will not be anonymous no matter what. The best you can do is use a VPN and Tor. Stop, think it through.
I’m running everything through a VPN at AES-256-GCM/SHA512. I have an Intel QAT card. I just run WAN and LAN interfaces. I’m not running separate OpenVPN interfaces so I don’t have that problem of disabling them. I’m able to switch OpenVPN profiles by just turning them on/off at the GUI. I think I have 56 different VPN profiles set up. You are able to switch your exit IP at will, within a minute, at the router level, from the GUI, by pressing the start/stop button. You can set up multiple computers, through their IPs, to connect to different VPN servers so each computer can have an exit IP from a different country from the same VPN.
I like AirVPN.org. I’m not sure if they have changed but they used to allow you to send in cash to pay for their VPN. It was paid to the VPN ID. So, it was the most untraceable. Just the postmark on the envelope. Most VPNs have done away with cash and gift card purchases and just gone to cryptocurrencies.
So, toggling between different VPNs set up at the pfSense router level is easy. Different DNS settings is going to be hard because pfSense was not set up that way unless you change them each time.
For what you’re trying to do, you might need to use the different VPN applications on your computer instead of at the router level to switch back and forth between VPNs with DNS settings without manual inputs. Then you are using the VPN’s app on your computer instead of just an OpenVPN setting at the router level, but it will allow you to use that particular VPN with their DNS settings. If you’re trying to stay anonymous then installing additional applications on your computer would seem to break that protocol.
If the govt. wants to find you they will be able to. You are not anonymous on the internet. Every device has a MAC address that can be traced. It’s just how much work it takes to find you. At some point you had to pay to gain access to the internet (the crypto used, the gift card, or the cash used) and that can be correlated and used to find you. Someone will know what IPs you visited. You leave a trail. The US govt runs a data storage center in Utah? So they can capture all communications and can go back in time and trace them back if need be. 60 Minutes did a story on it when it was being built.
Tor is not as secure as it used to be. Governments have figured out, and set up entry/exit Tor nodes so it’s plausible to trace you now.
The best you can do is encrypt your transmissions, to provide privacy, not necessarily security.
“Nothing is perfectly safe. If you are looking for something perfectly safe, I recommend going back to Ben Franklin’s opsec, which advised that a secret is safe among three, if two of them are dead. And I believe Ben was averse to using the Internet.”
Hey man I appreciate your thoughts on the DNS settings and such. But is there a way to do this through Gateway Groups?
Sorry don’t use that. Might want to post on the netgate forums?