How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN [YouTube Release]

Super helpful as always, @LTS_Tom! I set this up a couple of days ago, and all went to plan. I ran into one problem, however. When using the custom options you listed (from PIA), the VPN connection would drop almost immediately once I started downloading through it. Once I stopped, the VPN connection would go back to normal. I had to use these options on PIA’s site, which looks like it just includes their DNS servers (from here: PIA Support Portal):

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
dhcp-option DNS 10.0.0.241
dhcp-option DNS 10.0.0.242

Once I entered these options, the connection remained up, and without packet loss.

Edit: I actually use Quad9’s DNS, which keeps the connection up:

dhcp-option DNS 9.9.9.9
dhcp-option DNS 149.112.112.112

Hello, I am new to the forum and, as I recently switched to pfSense as my home router, Tom’s excellent pfSense videos on YouTube brought me here. I am trying to learn pfSense as fast as I can, but in many ways I’m still a noob.
This video really helped me set up a split tunnel privacy VPN in which I divided my local network into some VLANs that access the Internet through NordVPN and some VLANs that go through the WAN (for example the streaming devices). What I do not manage to figure out is how to properly set up the DNS in an optimal way to match the split tunnel. I believe that in an optimal setup, the DNS queries for the traffic sent through NordVPN should go through the VPN tunnel as well and hence use the NordVPN DNS servers, while the DNS queries for the traffic sent through WAN should go to a DNS over TLS provider to be hidden from the ISP (or a man in the middle). How is it possible to set this up in pfSense? I have tried to specify under System → General Setup two Cloudflare DNS servers for WAN (1.1.1.1 and 1.0.0.1) and two NordVPN DNS servers (103.86.96.100 and 103.86.99.100) for the NordVPN gateway, and then to set up the DNS Resolver as shown in your video on DNS over TLS, but I do not seem to get the desired results. Or maybe I am not checking the right way. Would it be possible to show me the relevant pfSense configuration settings to get the desired DNS setup?
I am also confused about the DNS Resolver, because people always talk about using the resolver, but then almost invariably recommend checking the box “Enable Forwarding Mode”. What’s the reason for doing that and not using the DNS Forwarder directly? From what I understand, the resolver does not query “intermediate DNS servers” (such as the ISP’s, Cloudflare’s or NordVPN’s) but queries the authoritative ones directly. Wouldn’t this be the safest behavior? For example, wouldn’t this hide the queries from the ISP, since its DNS servers are not used? Or is there maybe still the risk that a man in the middle could sniff out info because the queries to the authoritative DNS servers are not encrypted?
I really appreciate any light you could shed on this subject that is rather obscure to me.

Thanks for this great resource! Unfortunately, I still have some problems with my local DNS. For example, I can’t reach the pfSense admin panel by domain name, but the IP works.

My setup: I’m using WireGuard instead of OpenVPN, which works as expected. However, I am not sure which DNS servers to specify, and the location of the settings is also questionable for me. If I set up the DNS server addresses of my specific VPN provider in the DHCP service (on the specific network/VLAN) and therefore override the DNS servers on the general settings page, I don’t have any DNS leaks, but I can’t resolve my local DNS. If I do the opposite (set the DNS servers on the general settings page), I can resolve my local DNS, but I get DNS leaks (even though I have the correct WireGuard IP address from my provider).

Both make sense to me, but I’m too much of a noob to find the setting that provides the best of both worlds.

How can I fix this (having local DNS and routing without DNS leaks over my VPN at the same time)? I really liked Tom’s setup because I can define multiple VPN connections with one kill switch floating rule for individual networks. I need to keep it that way.

Any help would be appreciated as I don’t know what to do and have already spent quite some time trying to trace this problem.

As a third approach, I specified the local DNS address of my pfSense firewall in the DHCP-specific network settings, with the result that I reach my VPN server and local DNS while being bugged by DNS leaks (again).
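An added example, not from this thread or from pfSense itself: a small audit that checks observed outbound DNS flows against the split-tunnel DNS policy described in the two posts above (VPN-routed VLANs must resolve through the provider's servers inside the tunnel, WAN-routed VLANs only over DNS over TLS). The VLAN subnets, interface names and sample flow records are constructed; only the resolver addresses are the ones mentioned in the thread.

```python
from ipaddress import ip_address, ip_network

# Intended split-tunnel DNS policy. Subnets and interface names are assumed
# for this example; the resolver addresses are the ones named in the thread.
POLICY = {
    ip_network("10.10.0.0/24"): {  # VLAN policy-routed into the NordVPN tunnel
        "egress": "ovpnc1", "resolvers": {"103.86.96.100", "103.86.99.100"}, "tls_only": False},
    ip_network("10.20.0.0/24"): {  # VLAN that goes straight out the WAN; DNS must be DoT
        "egress": "wan", "resolvers": {"1.1.1.1", "1.0.0.1"}, "tls_only": True},
}

def parse_flow(line):
    """Parse one constructed record: '<egress_if> <src> <dst> <dport>'."""
    iface, src, dst, dport = line.split()
    return {"iface": iface, "src": ip_address(src), "dst": dst, "dport": int(dport)}

def check_flow(flow):
    """Return the policy violation for one outbound DNS flow, or None if compliant."""
    rule = next((r for net, r in POLICY.items() if flow["src"] in net), None)
    if rule is None:
        return "unknown_source"
    if flow["iface"] != rule["egress"]:
        return "wrong_egress"          # DNS left via a gateway this VLAN must not use
    if flow["dst"] not in rule["resolvers"]:
        return "unexpected_resolver"   # e.g. an ISP resolver instead of the provider's
    if rule["tls_only"] and flow["dport"] != 853:
        return "plaintext_dns"         # port 53 where DNS over TLS was required
    return None

def audit(lines):
    """Map each non-compliant record to the reason it violates the policy."""
    return {line: v for line in lines if (v := check_flow(parse_flow(line)))}

# Constructed sample flows (not captured from a real firewall).
SAMPLE = [
    "ovpnc1 10.10.0.25 103.86.96.100 53",   # VPN VLAN -> NordVPN DNS through the tunnel: OK
    "wan 10.10.0.26 103.86.99.100 53",      # same VLAN, but the query left via WAN
    "wan 10.20.0.7 1.1.1.1 853",            # WAN VLAN using DoT to Cloudflare: OK
    "wan 10.20.0.8 1.1.1.1 53",             # WAN VLAN, plaintext port 53
    "wan 10.20.0.9 192.0.2.53 853",         # WAN VLAN querying a placeholder ISP resolver
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE).items():
        print(f"{reason:<20} {line}")
```

With a working kill-switch rule the `wrong_egress` case should never appear in real logs; if it does, the block rule is not matching the DNS traffic for that VLAN.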