How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN [YouTube Release]

Additional Resources:

PIA pfsense write up
https://www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-5-openvpn-setup

Protect you privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Our pfsense Tutorials

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 https://teespring.com/stores/lawrence-technology-services

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: https://www.amazon.com/shop/lawrencesystemspcpickup

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: Affiliates We Love - Lawrence Technology Services

Gear we use on Kit
:shopping_cart: Kit

Try ITProTV free of charge and get 30% off!
:shopping_cart: Learn technology and pass IT certifications with ITProTV

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: https://www.techsupplydirect.com/

Digital Ocean Offer Code
:shopping_cart: https://m.do.co/c/85de8d181725

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi cloud hosting

Protect you privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Patreon
:moneybag: lawrencesystems is creating Tech Tutorials & Reviews | Patreon

:stopwatch: Timestamps :stopwatch:

00:00 pfsense privavy VPN Intro
02:00 Diagrams.net Lab Setup
04:33 Imoporting the CA
05:56 Create OpenVPN Client
09:10 Adding OpenVPN Interface
10:48 Gateway Monitoring
11:20 Outbound NAT Rules
12:16 Firewall & Kill Switch Rules

#pfsense #VPN #privateinternetaccess

Specific Settings for the OpenVPN client configuration.

  • Cryptographic Settings TLS Configuration uncheck use TLS key & Choose imported Certificate
  • Tunnel Settings check both Don’t pull routes / Don’t add/remove routes
  • Under Advanced Configuration Custom Options paste in the following
persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
auth-retry interact;

Also to prevent DNS leaks make sure each device you want to go out the VPN has DNS set to a public DNS server either on the device or via DHCP.

Thanks for the video Tom, very easy to follow. :+1:

I was thinking for my use case it would be handy to setup a virtual wireless network (I have a TP-Link Omada setup) that was on a VLAN that would have a default route that was the PIA VPN.

This would be easier (for me) than editing the host list on pfSense every time and reloading the rules, instead I would just switch away from the default WLAN to the one that routes through PIA.

I got the VLAN setup and linked to a virtual SSID on the Omada controller but I can’t figure out how to set the VLAN’s default gateway to the PIA gateway. Is it possible to have a VLAN have a different gateway?

Pete

That’s pretty easy, when you setup your VPN on your network, a gateway is created. Go to your rules and for your VPN vlan create a rule, under advance settings you will see an option to set the gateway. If nothing is selected it will use your default gateway, which will be your ISP.

There are various checks you can do online to determine if you are leaking your IP address from your VPN vlan which is worth double checking.

I tried this myself and couldn’t get the kill switch to work till i uncheck this option in advanced miscellaneous

Skip rules when gateway is down
Do not create rules when gateway is down
By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

1 Like

Thank you for the video as well Tom

Question if you don’t have the outbound NAT mapping configured for a network it cant go out the VPN connection right?

Yes, those settings are needed.

Thank you!! I was so confused. I even watched the video 4 times thinking I missed something.

Just a quick note of thanks for this video. I finally completed the setup of my Surfshark VPN with kill switch and successfully tested it. You have excellent videos. They are helpful, informative and easy to follow. THANK YOU!

1 Like

Great video. Easy to follow. However…

I’ve set things up exactly as per instructions and also unchecked the ‘Skip rules when gateway is down’ option. Everything works when the VPN is up. Devices selected to route via the VPN do so, remaining devices on LAN route via the standard WAN. All good.

However, when the VPN is down (manually disabled) the floating rule kill switch blocks ALL traffic from that LAN, not just the tagged traffic. No devices on that LAN have internet access rather than just the selected alias devices. It’s as though ALL traffic from the LAN is now being tagged, or all LAN devices have suddenly been included in the alias. Either way, there is no logic to this behaviour that I can fathom.

I am confused by the whole setup though. If I follow the logic right, when the VPN is disabled the LAN rule is now omitted because the gateway is down (as per the unchecked ‘Skip rules…’ option). This surely means that NO traffic is now being tagged so why does the kill switch rule work at all? Given that it is only supposed to block tagged traffic then surely it shouldn’t block anything, as opposed to blocking everything as it seems to.

I have searched extensively for some answers to this and, whilst it seems to be a problem that others have experienced, nobody can offer a solution. Can anyone here shed any light? Grateful for any help with this…

Honestly I think the best approach is to use vlans, set the gateway to your VPN. Then you know for sure any traffic on that vlan goes out via the VPN, you don’t need to think about anything.

Thanks @neogrid. I have other VLANs for specific purposes and I’m happy that I could implement a VLAN-based solution. Trouble is I would then need all sorts of rules for inter-VLAN traffic as what I want is only some of the devices on my core LAN to route via the VPN, while the rest don’t, but ALL these devices need to be on the same LAN (or VLAN, it doesn’t really matter) for non-WAN traffic.
The idea of tagging packets and using policy-based routing with a kill-switch really appeals to me because it means I avoid segmenting any internal (i.e. non-WAN) traffic. It’s great in principle but it just doesn’t work, unless you accept the all-or-nothing kill switch and have ALL traffic blocked when the VPN is down.
What frustrates me is that I can’t fathom why the policy-based kill switch doesn’t work ‘properly’. C’est la vie. :frowning:

Ah ok I understand.

I think what you are trying to do should work, as your traffic is exiting the default WAN. Perhaps the order of your rules on the LAN might be worth inspecting again.

Thank you for getting back.
It wasn’t the order of the rules. I narrowed it down to DNS, which then led to the realisation that I had routed both my Pihole VMs over the VPN. So as soon as the VPN was down, I lost all DNS – hence the whole LAN losing connectivity. Pointing Piholes back at the default WAN solved the issue and now the selective kill switch is working perfectly. Hallelujah!
This has consumed waaaaay too much of my time – because of my own stupidity! I would never have discovered it though without being told by someone who knows better that it should be working. So thanks again @neogrid.

hahaha I’m not sure I know better but I too have “invested” an ungodly amount of time getting my network to do what I want, after a while you can just sense what should be possible :sunglasses:

Hi Tom, many thanks for this and your other videos. I have one issue though with rule based routing which i am unable to solve, so i really hope you (or somebody else in this forum) knows the trick.

It is with ovpn site-to-site tunnels. I have a ovpn server, and multiple ovpn clients (sites) connecting to this server. For the tunnels to work on the server side, I have a ‘ovpn client specific override’ for each client/site. So far so good, tunnel works perfectly to all sites.

On the server side, for some devices i want to do rule based routing, so that the device goes to the internet, at a sites location. But since I am the ovpn server/host, I have only 1 interface & gateway for all sites/tunnels. How on earth can I instruct pfSense to route specific traffic to a dedicated site/tunnel? Tried so many different things, but none of them worked. Search internet many times, but never found a topic on this.

On the client side, this issue does not exist, because each client has a gateway for his own tunnel to me.
I really hope anybody knows how to do this. Eternal gratitude awaits you :wink:

Thx.

PS. Posted the same question under the youtube video comments. And then heard you saying about this forum, which was new to me. Again thx for the informative videos.

A bit hard to follow your actual setup, but I’m guessing you have a hub and spoke type of setup and want to get back from your server network to your client networks. That can be done by adding a static route under System > Routing > Static Routes

Hi Neogrid,

Thanks for your respone!

Yes it is a hub and spoke. I do not think there is another way you can setup openvpn, unless you use a dedicated openvpn server for each site (being more overhead).

If you add a static route, then you only tell pfsense which network is behind a gateway (in my opinion the same result as the ‘client specific override’ setting in openvpn). That still does not tell pfsense how to route through a specific tunnel, because I only have 1 gateway for all tunnels (me being the hub).

Ok I see what you have done, I think you need to google star topology, personally I would have setup each site individually so I don’t have a single point of failure. I’d guess that when setting up openvpn you need to state the remote networks. Your single gateway sounds like it must then be the route those remote networks.

Yes did some more reading on star topology, and it should be the type of setup for my situation, but nobody is talking about rule based routing in this setup. In the pfsense documentation, they explain rule based routing in a star topology when you use wireguard, but i do not want to get that way. Openvpn is working fine for me. When I have the time, I will indeed transform the star topology to dedicated site-to-site tunnels. Will give me some small overhead, but will make it easier to do special things.
Thx for your suggestions.