Pfsense OpenVPN Policy Routing With Kill Switch Using PIA

Hi Tom, thank you for this excellent video!

1. I have implemented this PIA VPN on my LAN2 (DMZ) and everything seems to work. Outbound NAT rule was cloned for LAN2. The tag “vpntraffic” is present in both places as indicated in the video. However, the KILL SWITCH kills ALL of my LAN1 and LAN2 traffic whenever the OpenVPN client stops. If I disable the floating kill switch rule, I still remain blocked on ALL LANs! I have checked all the settings and cannot seem to isolate the issue. Any help is welcome!

2. How does DNS work when using the OpenVPN client? It seems to be using the VPN exit node DNS, which I assume is correct on LAN2. However, LAN1 appears to be using the same DNS as LAN2? Should the DNS Resolver be set to use the VPN for outgoing?

Thanks again.

PS: One suggestion for the videos: instead of the pfSense Dark Theme (very hard to read on YouTube), use the Light theme.


I have not revised that video for the new 2.5.1, which may have some differences, and I have no timeline for when I will, so I am not sure of the answer. Most people tell me the dark theme is easier to use.


If you search the forum, the kill switch killing all connections has been raised before. I don’t fully recall the solution.

Personally I use the DNS Forwarder for my ISP and the Resolver for my VPN.

I use AirVPN, connecting to their servers with an IP address, using their DNS servers after the tunnel is up so there isn’t a DNS leak. At least the leaktest says there isn’t one.

However you set up your DNS, you should check you don’t have a DNS leak. Might be different with PIA, though; I haven’t used them.

I just wanted to “me too” here. I fiddled with this two years ago. I could have all traffic through WAN as VPN or no VPN. Kill switch did what it said it would. It’s just not specific. All or none. I am sure there is a workaround, but after many hours two years ago I gave up and put VPN gateway routers (from TP-Link) behind the firewall to get a LAN set up to go over VPN with a kill switch. I would love it if a pfSense dev was motivated, but the fact is, most companies either use a VPN or don’t. They don’t have like 2 or 4 or whatever. If they do… well, they are probably in infosec and have a bunch of pfSense boxes running, multiple WAN connections and all that jazz. I guess this post doesn’t help really. Sorry about that.

If it does help: you can flash a router for pretty cheap with OpenWrt or DD-WRT, as long as you are sure to get one that is compatible to be flashed. Some are great and some are nowhere near worth the trouble. Flash that router and, if you end up using that, here is the rule I put in the firewall section under the Administration tab in DD-WRT:

```sh
iptables -I FORWARD -i br0 -o `get_wanface` -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
```

I am not certain it matters, but the ’ is in fact the open quote (the ` character found on the ~ key on a US ANSI keyboard), one to open and one to close get_wanface.

You then choose “Save Firewall” and you have a VPN kill switch on a consumer router that didn’t have VPN in the stock firmware. The TP-Link Archer v2 has been good for me, but they are getting a bit dated. Cheap on eBay though.

I hope this helps.
