PIA and OpenVPN

First off, I’m fairly new to this.

I have pfSense set up in my home which has a fairly complicated topology. I also have a second pfSense set up as a lab to play with.

I followed Tom’s video on setting up PIA with OpenVPN and it’s all working. In the video Tom shows how to add a rule to force a discrete IP to NOT use the VPN and I made that work.

My question is, is there a way to force all IPs by default to NOT use the VPN and add a Rule using an Alias with only the IPs of the devices I want to allow to use the VPN?

That would be a shorter list. Doing it the other way, there would be a long list and I could easily miss a device, and I would have to make sure that if I add a device to the network I go to Tom’s rule and add the new device to the rule each time. It seems it would make more sense to route everyone so they don’t use the VPN and just add the few devices that I want to use the VPN.

Thanks

The easier way is probably to make a dedicated subnet for the devices you want on the VPN. An inverse rule might work for what you’re thinking though.

By default, all IPs do not go through the PIA VPN. They will all route through your normal WAN. You would need to create an Alias called something like “VPN Use” and include either an entire subnet, VLAN, or IP specific hosts. Then create a firewall rule on the interface (or VLAN interface) to force that specific Alias to go out the PIA VPN WAN (under advanced). Also consider including another rule above that one to block that same Alias from using your regular WAN if the PIA VPN goes down. It’s the same function as a VPN Kill Switch.

If you need more help, let me know and I can provide screen captures of my setup where specific IPs are allowed through my PIA VPN and firewall rules.

Also, if you have a need to use a Private VPN to connect, let’s say, your phone or laptop from a remote location (anywhere but at home) back to your house, I also have mine set up for that. It goes from my phone to my home VPN which routes it out my PIA VPN then back home and back out to my phone. This enables me to use the same protections such as my pfBlocker & Suricata protections in addition to the PIA VPN from my house. One app on my phone making it all too easy to secure my mobile devices in sketchy places.
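The alias policy rule and kill switch from the reply above, as an added example that is not part of the original thread: a simplified Python model of first-match rule evaluation on a LAN interface, showing where alias traffic ends up when the VPN gateway is down. The addresses, the gateway name `PIA_VPN`, and the rule layout (policy rule, then a block rule, with pfSense's "Skip rules when gateway is down" option) are assumptions for the model, not the poster's configuration.

```python
"""Simplified model of pfSense LAN rule evaluation with a policy-routed alias."""
from ipaddress import ip_address, ip_network

# Constructed sample data: alias members may be single hosts or whole subnets.
VPN_USE = [ip_network("192.168.1.50/32"), ip_network("192.168.20.0/24")]
ANY = [ip_network("0.0.0.0/0")]

# Rules are evaluated top-down and the first match wins.
# Each rule: (action, source networks, gateway or None for the default WAN).
RULES = [
    ("pass", VPN_USE, "PIA_VPN"),  # policy-route the alias out the VPN
    ("block", VPN_USE, None),      # kill switch: alias must not fall through
    ("pass", ANY, None),           # everyone else uses the normal WAN
]


def egress(src, vpn_up, skip_rules_when_gw_down, rules=RULES):
    """Return 'PIA_VPN', 'WAN' or 'BLOCKED' for one source address."""
    addr = ip_address(src)
    for action, sources, gateway in rules:
        if gateway and not vpn_up:
            if skip_rules_when_gw_down:
                continue       # the whole rule is left out of the ruleset
            gateway = None     # default: rule is kept, gateway is dropped
        if any(addr in net for net in sources):
            if action == "block":
                return "BLOCKED"
            return gateway or "WAN"
    return "BLOCKED"           # implicit default deny


def leaks(skip_rules_when_gw_down, hosts, rules=RULES):
    """Alias hosts that would reach the regular WAN while the VPN is down."""
    return [h for h in hosts
            if any(ip_address(h) in net for net in VPN_USE)
            and egress(h, False, skip_rules_when_gw_down, rules) == "WAN"]


if __name__ == "__main__":
    hosts = ["192.168.1.50", "192.168.20.7", "192.168.1.10"]
    for h in hosts:
        print(h, "up:", egress(h, True, True),
              "down+skip:", egress(h, False, True),
              "down+default:", egress(h, False, False))
    print("leaking with default setting:", leaks(False, hosts))
```

With the default gateway-down behaviour the policy rule stays in place without its gateway, so the alias hosts match it and leave by the normal WAN before the block rule is ever reached.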

Thanks for the replies!!

What I did for now was set up a LAN1 interface and a LAN2 interface, with the devices that are on LAN1 having access to the VPN and the devices plugged into LAN2 blocked from VPN access. Seems to work.

Arron: Your setup sounds very interesting, I would love to get the info on how you did that!!!

Thanks
Doug

I’ll work on a write-up later today and send you a message. If more people are interested I can post it in a new thread too.

Sweet, Thanks again :grinning: