How do I protect my data from my ISP

Allow All rules scare the crap out of me. Make sure you change that to internal / private IPs.

I think it might be a server config issue. Here’s my config on Linux; it should be similar in pfSense (just that you configure it in a GUI).

Server:

[Interface]
Address = 10.1.1.1/24
PrivateKey =
ListenPort = 443
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 10.1.1.2/32

Client:

[Interface]
Address = 10.1.1.2
PrivateKey =

[Peer]
PublicKey =
Endpoint = ip-or-domain-name:443
AllowedIPs = 10.1.1.0/24, 192.168.1.0/24
##the above rule makes it so that only traffic going to 
##those 2 networks will be pushed through the wireguard tunnel
##I'm not sure if you can add networks coming from behind the client too, never tried

##or if you want to push all the traffic through the VPN:
#AllowedIPs = 0.0.0.0/0

Obviously, ignore the iptables rules unless you run Linux on your server. Also, I haven’t tried to push networks from the client to the server (well, WireGuard doesn’t technically have a client-server architecture, but that’s how I used it), but I mostly didn’t need to when I was using NAT.

TBH I wanted to, and I tried to, but I don’t know how to. I am still learning how to use the PFSense GUI.

Yes, I run Debian 11 on my server. I am very comfortable in Linux land, and Debian was even my second Linux distro (my first was Raspbian). BSD land, by contrast, is a bit different. There is no /etc/wireguard in PFSense, for example, and it doesn’t have it built into the kernel.

I don’t understand. I am using NAT here too afaik. I am still new to PFSense so if it doesn’t use NAT okay, and tbh I don’t fully understand NAT - just that it stands for Network Address Translation and has something to do with DHCP I think. Technically, my PFSense router/firewall is my network. There is no network behind it - unless I am misinterpreting what you mean.

As for my server side configuration, I’ve tweaked it a bit but here it is:

[Interface]
Address = 10.0.0.1/32
Address = fd86:ea04:1115::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey =

[Peer]
PublicKey = 
AllowedIPs = 10.0.0.2/32

I should mention that now I don’t even get an output when I ping the server with PFSense. It just fails, which tells me that maybe I’ve messed it up even more because it no longer tries to handshake? :man_shrugging:

Also I went back to my previous ping’s output and noticed that in the second line where it says 36 bytes from 96.120.19.17: Communication prohibited by filter

My ISP owns that IP Address…
And it wasn’t the public address of my PFSense router at the time. I knew what that address was.

Edit: Indeed, if I replicate what I did to get it to produce that output, it replies with the same message with the exact same IP address (96.120.19.17). Therefore, I don’t think it is an issue within my internal network. Please don’t tell me that they’ve blocked port forwarding on 51820.

Interesting…

I own my own modem though. I refuse to pay for the garbage that is the XFi gateway.

As for the network configuration stuff. Hmm… how should I explain in simple terms… When you create a VPN tunnel, you are creating a new subnet (that 10.0.0.0/24). So unless you are doing NAT on your pfSense box, or you don’t give additional routes to your Linux VPS, then only the “client” / other end of the tunnel itself will be able to talk with your VPS (so just pfSense itself).

On the pfSense side, you don’t need a listening port; only the VPS needs one, and they will negotiate a port, so you don’t need any port forwarding on your home router, because the client is smart enough. You only need to port forward when your router will act as a server (other clients connecting to your home network), which is not what you want in this case.

Change the config in pfSense to not have any listening ports (but obviously keep the peer endpoint’s ip:port) and try to connect. Unless they outright block outbound connections on destinations with UDP port 51820, it should work. If pfSense will be able to ping the VPS internal wireguard IP, we have a working tunnel and we can do the rest of the network configuration (preferably just routes, so you could connect to your VPS on-the-go and go to your home network through it, because obviously it seems like your ISP is not allowing some port forwarding).

If that doesn’t work, set the VPS to listen on port 443 and set the Endpoint ip with port 443 in pfSense. It’s UDP 443, but still, I don’t think they’d block it outright.

Did we discuss anonymous DNS services yet? We are talking about firewalls, vpns, even TOR but what about DNS?

I’m new to the topic of taking privacy and security seriously. I think you all know that. That being said, to my ignorance, I am learning there are many parts to the overall idea of protection. I have been using a vpn/firewall (hardware) for the first time. Then I came across some videos that stated even with these technologies, you are not safe or secure online. One part being the ISP can still see your traffic, where it came from and where it’s going. This is why I did the following:

I got a vpn (software) that is outside the 14 eyes collab, I got a vpn firewall (hardware), and I started using an anonymous DNS service. (NextDNS)

I just wonder what more one needs to do to keep their searches and traffic content safe from companies?

That’s how this started. I’ve been using NextDNS’ DoH and DoT service for a long time now… a little over a year as a matter of fact. But recently, I’ve discovered that that is not enough to protect your data from your ISP.

Read this post from earlier in the thread: How do I protect my data from my ISP - #19 by Biky

Where does DoH and DoT get the certificates and DNS records to begin? :thinking:

Offtopic, but Schematics or DIE :+1:

Unless you’re married to pfSense for some reason, you could use a Debian system as a router/firewall… or OpenWRT… or VyOS… there’s no inherent reason one would be any safer than the other, or easier.


With wireguard, if you want to be able to receive internet traffic through an interface you need to set allowed IPs 0/0 in there. Similarly, on your proxy host (wireguard host that touches the world) you should probably set Allowed IPs to include your whole LAN at home, unless you want to NAT at home before passing packets to wireguard, … and then NAT again on Linode.

Now that I think about it (not sure how relevant it still is to this topic), here’s PLL’s wireguard setup on Linux and on OPNsense.

It’s got easier setup information and back story on the crypto. It’s a good guide, but I’ve never updated it much for various other configs as I have no way of debugging them.

So, I did some experimentation and discovered that my server’s Wireguard configuration works perfectly. I am currently at a restaurant where I just completed said experiment using my ThinkPad T480 and my phone’s mobile hotspot, which uses the Verizon network. (Verizon throttles my hotspot to lovely 2G speeds, but continues to run that against my high speed data so this was fun because SSH was super laggy, though this may be more so the latency than anything else). I think my next step is to see if I can still connect to my server behind my home’s Xfinity-powered network. This way I can truly figure out if it is a problem with my ISP or if it is just me doing something wrong with PFSense.

Okay, I am not entirely sure yet, because I did have some filtering initially and I can’t seem to connect both my desktop and laptop peers to the server peer at the same time, but sending an ICMP request to 10.0.0.1 from my desktop worked. I am thinking that it is indeed my PFSense configuration that is incorrect.

Look what I found in my recommendations today @Biky

Yeah, I’ve watched that 4 years ago; I can see my comment in the comment section. Back then I was asking for a tutorial on how to host your own VPN, as opposed to doing a whole-network VPN to a VPN Service Provider.

Also, unashamed self-promotion:

I should probably work on this, I haven’t yet added new rules in Ubuntu and haven’t updated it for Alpine.

I still haven’t figured out how to get my router to connect to my server over a VPN tunnel. Honestly, I kinda want to use wireguard because of how simple it is to configure and everything. Plus it’s supposed to be faster than OpenVPN - which matters to me tbh. I’ve successfully gotten it to connect to two clients - my laptop and my desktop. Though I haven’t managed to get simultaneous connections and I haven’t figured out how to actually route my internet traffic through the VPN tunnel.

I’ve put that on temporary hold in favor of classwork and my Devember project though.

When you want to continue the VPN project, give me an @ here. PLL and oO.o are also likely to help if they have time.

If you put wireguard on your router, it should be as easy as adding routes in “AllowedIPs=” in the wg conf. If you did a separate VPN, you’d have to either set that as the default gateway for your devices, or create special routing rules to it for devices on the network.

However, VSPs don’t provide the same wireguard configuration, they have some custom settings and you need to use their clients, which are likely to not be available on Linux or *BSDs. So if you want a VPN to a VSP, OpenVPN like in the video Wendell did 4 years ago is an option. If you are using your own VPS for VPN, either wireguard or OpenVPN will work fine.

In my experience, wireguard was indeed faster than ovpn when it came to connection and reconnecting time, but if your server is far away, it doesn’t really make a difference in speed and latency (both my wg and ovpn servers are over the pond, but now that I think about it, I think I’m more limited by the wifi n speed rather than anything else).
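A small checker for the two recurring points in this thread (the pfSense side needs an Endpoint but no ListenPort or port forward, and AllowedIPs is both the server's accept list and the client's route list, so the home LAN must be listed on the VPS side if you want to reach it from there). This is an added example, not code from anyone in the thread; the two sample configs are constructed with keys omitted, and `vps.example.net` is a placeholder.

```python
import ipaddress
# Constructed sample pair modelled on the configs in this thread (keys omitted).
SERVER_CONF = """[Interface]
Address = 10.1.1.1/24
[Peer]
AllowedIPs = 10.1.1.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.1.1.2
ListenPort = 51820
[Peer]
Endpoint = vps.example.net:51820
AllowedIPs = 10.1.1.0/24
"""
def parse_wg(text):  # -> (interface dict, [peer dict, ...]); wg keys are case-insensitive
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            peers.append(cur := {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key.lower()] = val
    return iface, peers

def nets(value):  # "10.1.1.0/24, 192.168.1.0/24" -> [ip_network]; a bare IP becomes /32
    return [ipaddress.ip_network(n.strip(), strict=False) for n in value.split(",") if n.strip()]
def check_pair(server_text, client_text, home_lan=None):
    """Return findings (empty list = consistent) for a server / dial-out peer pair."""
    (s_if, s_peers), (c_if, c_peers) = parse_wg(server_text), parse_wg(client_text)
    s_ip, c_ip = (ipaddress.ip_interface(i["address"].split(",")[0]).ip for i in (s_if, c_if))
    s_allowed = [n for p in s_peers for n in nets(p.get("allowedips", ""))]
    routes = nets(c_peers[0].get("allowedips", "")) if c_peers else []
    out = []
    # Cryptokey routing: the server drops the client's packets unless a [Peer] AllowedIPs covers its address.
    if not any(c_ip in n for n in s_allowed):
        out.append(f"server: no [Peer] AllowedIPs covers client address {c_ip}")
    # On the client, AllowedIPs doubles as the route list, so it must reach the server.
    if not any(s_ip in n for n in routes):
        out.append(f"client: AllowedIPs does not route to server address {s_ip}")
    # To reach the home LAN from the server, the LAN must sit in its peer's AllowedIPs.
    lan = ipaddress.ip_network(home_lan) if home_lan else None
    if lan and not any(lan.subnet_of(n) for n in s_allowed if n.version == lan.version):
        out.append(f"server: home LAN {home_lan} is not in any peer's AllowedIPs")
    # A peer that only dials out needs an Endpoint, not a ListenPort (so no port forward).
    if "listenport" in c_if:
        out.append("client: ListenPort set but not needed for a peer that only dials out")
    return out
```

Run `check_pair(SERVER_CONF, CLIENT_CONF, home_lan="192.168.1.0/24")` on your own pair of configs (with the keys left in) to see which of the thread's pitfalls applies.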