IP Leak issue on pfSense

Hi,

First of all, big fan of the channel... keep up the good work. The pfSense vid led me to building my own box. It works extremely well, so thanks, but I'm having an issue with my VPN that I hope someone can help me with. I have left a post on the pfSense forum but no one has responded, so I'm really hoping someone here can help. I also have had a lengthy troubleshooting session with Private Internet Access to try and root the issues out, so this forum is my last hope!

The situation:

My setup includes routing certain IPs down the VPN tunnel (using Private Internet Access), while the rest just use the normal non-VPN connection. The system is all set up and running fine, apart from the fact that certain online IP leak tests result in my real IP address being shown on clients using the VPN connection. Note, it is not all websites, just a select few that reveal my actual IP on the devices using the VPN connection.

After lengthy discussion with PIA I have tried the following: I have flushed DNS on the devices, cleared cache and DNS on browsers, cleared the cache on Squid, and tried adjusting the VPN server addresses. No luck.

After all of this, one of the technicians at PIA mentioned that "if you need PPPoE for my internet connection, it should only provide the login and password for the internet access and not an actual second path, which is why you are seeing a random connection of protected/not protected".

He then said he cannot offer direct support on what to do.

Does anyone know how I can resolve the above? Happy to send screenshots of my setup if necessary.

My internet box runs to a DrayTek 130 modem which operates as a PPPoE to PPPoA bridge for my Sky (UK) internet connection.

Thanks a lot for any help.

Are you routing all of your home traffic through PIA?

I think he/she is not.

My setup includes routing certain IPs down the VPN tunnel (using Private Internet Access), while the rest just use the normal non-vpn connection.

1 Like

Mind posting your routes on your system, and your router? (Also note which network goes where / which is VPN.)

I think you may have both networks in the same subnet.

This is what I was thinking as well.

OP, can you clarify your network setup for each of these computers? I have mine, similarly to you, set up so that my Roku and a few other things go out over the internet but everything else goes out over PIA. I VLAN the networks apart though, instead of doing something like a DHCP static setup and assigning a pool to an interface.

Turn Squid off and see if it fixes it. Last time I used Squid they changed it so that it no longer honoured firewall options for the gateway, so all traffic picked up by Squid will use the default gateway.

Also make sure your DNS server (on pfSense) is using the VPN and not the default gateway, or all your DNS requests will go out over the WAN.

5 Likes

Thank you for your responses Sanfordvdev, Zumps, CyklonDX, Yockanookany, Dexter_Kane. It's so nice to be part of a community that is so active and willing to help.

Dexter_Kane: disabling Squid worked. It must not have disabled properly when I tested this previously. That's a little bittersweet though. Do you know a workaround to keep the Squid functionality?

CyklonDX: I was unable to post screenshots as I was only at home briefly yesterday. I do know though that all my devices are on 192.168.1.x.

CyklonDX & Yockanookany: do you think it is better to use different subnets for the devices using the VPN? Would this not only be more secure but allow me to use Squid on both?

Thanks guys

1 Like

You could make the VPN the default gateway (in the VPN settings, not in the routing settings) and that way all Squid traffic will go over the VPN. That may not be ideal for your situation. There isn't any way that I know of to get Squid working with the pfSense firewall like it used to. You would have to run two instances of Squid externally and have each one use a different gateway, then manually configure each device to use the right Squid instance. But that's a lot of trouble for little (or no) benefit. Unless you need the web filtering, I just wouldn't bother with it.

2 Likes

Please excuse my ignorance, but what would be the implications of making all the Squid traffic go down the VPN? Would that result in all traffic going through the VPN?

The two items that I wish to permanently route down the VPN are my Amazon Fire Stick and my mobile phone. Personally, I don't care if these devices use the Squid proxy; it is only really useful for the non-VPN traffic/PCs that use my network. ...Bear with me because all I know is self-taught... but what would you guys think about perhaps using a VLAN to separate my mobile and Fire Stick onto a separate subnet (say 192.168.5.x) while keeping the rest of the traffic on 192.168.1.x? After this is done, could I not set the VPN to only work for traffic on 192.168.5.x, and enable Squid on 192.168.1.x with no worry about IP leaks because it is non-VPN traffic?

Let me know your thoughts.

I hope this helps others in my situation!

You don't need to use different subnets to split traffic between VPN and non-VPN, as you can do this at the IP level. I haven't used Squid in a while so I don't remember exactly what to look for, but there should be some sort of ignore list for the transparent proxy; if you add the IPs of the devices you want to send through the VPN to that, and configure that in the firewall also, it should work okay.

Yes, it's basically all or nothing with the current way they've implemented Squid. It used to work that the gateway settings in the firewall affected the Squid traffic also, but now it's default gateway only and there's no way to change that as far as I know. So the only way to have Squid traffic go over the VPN is to have the VPN as the default gateway.

1 Like

You're absolutely right about not needing different subnets, but it just makes logical sense.

Sorry @sirhc247 if I tried to complicate your network unnecessarily, but no, you absolutely don't need to subnet it out. Like I said, it just makes sense when you imagine data flowing in your network. You can assign pools that point towards the VPN traffic and create NAT rules for it as well, I'm sure.

@Dexter_Kane should be able to square you away here though. He has a larger knowledge of pfSense than I do... I'm a bit of a newbie myself, I just have a strong networking background to make logical sense of it.

2 Likes

Right, I think I have a general idea of what to do. You are both complete legends for sharing the knowledge and helping out :) ty

You certainly can do it, but if you don't have the hardware to support running two networks then it's just as easy to configure those devices to use the VPN gateway in the firewall. You'd still need to do that anyway; the only difference would be you could have a rule for the whole subnet rather than the specific devices. Either way will work fine, and if you were to use a second network then it's easy to disable Squid on that network, but it should also be pretty straightforward to ignore certain IPs in Squid too.

Making sure your DNS only goes over the VPN is a little tricky too. The problem is you can easily configure the DNS server to only use the VPN interface, but now pfSense can't resolve the VPN address so it won't be able to connect. The solution to this is to set the DNS server to only use the VPN interface and then create a DNS override for your VPN domain (privateinternetaccess.com or whatever it is for the actual VPN servers) that uses OpenDNS or Google or whoever as the DNS server for that domain. This way, when pfSense first tries to resolve the VPN server it will ask OpenDNS instead of using the built-in DNS server, then after your VPN is up all DNS traffic will go over the VPN.

You configure all this in the DNS Resolver (or DNS Forwarder if you're using that instead, but you should use the DNS Resolver, as the Forwarder is deprecated).
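Added example, not code from this thread or from pfSense itself: a small Python model of the two leak paths discussed above (Squid sending intercepted web traffic out the default gateway regardless of the per-device firewall gateway, and the DNS domain override needed so the resolver can be pinned to the VPN). The LAN addresses, gateway names and the OpenDNS resolver address are constructed assumptions; only privateinternetaccess.com comes from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, not the OP's real addresses: LAN 192.168.1.0/24,
# WAN_PPPOE is the default gateway, PIA_VPN is the OpenVPN gateway.
DEFAULT_GW = "WAN_PPPOE"
VPN_GW = "PIA_VPN"
# Firewall policy-routing rules on LAN, first match wins: (source, gateway).
FW_RULES = [
    ("192.168.1.50", VPN_GW),        # fire stick (constructed address)
    ("192.168.1.51", VPN_GW),        # phone (constructed address)
    ("192.168.1.0/24", DEFAULT_GW),  # everything else
]
INTERCEPTED_PORTS = {80, 443}        # ports the transparent proxy grabs


def firewall_gateway(src):
    """Gateway chosen by the LAN firewall rules for traffic from src."""
    for source, gw in FW_RULES:
        if ip_address(src) in ip_network(source, strict=False):
            return gw
    return DEFAULT_GW


def egress_gateway(src, dport, squid_on, squid_bypass=()):
    """Gateway a client's flow really leaves on. Squid terminates the
    intercepted TCP session and opens its own, sourced from pfSense itself,
    so the per-client policy-routing rules never match that second session
    and it follows the default route; bypassed hosts are not intercepted."""
    if squid_on and dport in INTERCEPTED_PORTS and src not in squid_bypass:
        return DEFAULT_GW
    return firewall_gateway(src)


def leaking_hosts(hosts, squid_on, squid_bypass=()):
    """Hosts whose web traffic exits on a gateway other than the intended one."""
    return [h for h in hosts if egress_gateway(h, 443, squid_on, squid_bypass)
            != firewall_gateway(h)]


def dns_egress(qname, overrides, resolver_gw=VPN_GW):
    """Path a resolver query takes: domain overrides (forward-zones) send
    the VPN provider's own names to a public server out the WAN so the
    tunnel can be established; every other name leaves via the VPN."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in overrides:
            return (DEFAULT_GW, overrides[zone])
    return (resolver_gw, None)
```

Running `leaking_hosts` over the LAN with Squid on and an empty bypass list reproduces the symptom from the first post: only the VPN-pinned devices show up, because only their web traffic is diverted away from the gateway the firewall chose for them.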

Good to know. Thanks again