Possible? Android (away from home) --> OpenVPN to Home --> pfSense Router --> Out to WAN via PIA?

Hello,

So what I want to do is run OpenVPN to my home network to have access to my DNS server (PiHole), file server, and other things. If I want to access the WAN, what would happen is that the connection would then leave from my home network, to PIA (a VPN provider), and then out to whatever website/service I am using.

So pretty much:

Android (away from home) --> OpenVPN to Home --> pfSense Router --> Out to WAN via PIA

Is this possible, and if so, HOW do I do it on pfSense?

Thanks :slight_smile:

Edit: If what I said makes no sense, ask me to elaborate.

It seems totally viable, but I’m curious why you want to use your own DNS, and therefore round-trip through there, rather than go directly to PIA from your phone? That seems like it would be simpler.

That’s definitely possible. I have been very happy with OpenVPN for android.

My pixel connected to Verizon

From verizon, connect to my home openvpn server, my traffic now looks like it comes from my home

Your openvpn config can use your local DNS

Add some simple routing rules on my router and my cell traffic now looks like it comes from my AWS ec2 instance
clifford@router:~$ sudo ip rule add from 10.8.10.6 table AWS priority 50
clifford@router:~$ sudo ip -6 rule add from 2600:8801:2907:b03::1000 table AWS priority 50

Cox's 150/10 really bottlenecks that configuration though

It's better to connect directly to my VPC

I have no doubt pfsense can handle the same routing rule and openvpn instances as vanilla debian.

One reason is my internal DNS has entries for my domain that are not publicly available. So when I connect to my network, it’s nice to be able to access my internal services.

Yeah all you need to do is set your pihole server as the dns server in your openvpn client on android and then on pfsense create the appropriate firewall rules on the openvpn tab

Although if you just want to do dns blocking on your phone there are easier and more efficient (faster) ways of doing it

Another thing you can do is just make the DNS public. Domain names are only ~$20/year and AWS charges $0.50 per month for a public hosted zone. Sometimes public is easier.

Is it even possible to go from Android --> PIA --> My home network? I didn’t think that would be possible?

Can use PiHole to block a whole bunch of trackers, plus, I don’t only use DNS while on OpenVPN;


How doe?

What do you actually have set up? Do you have an openvpn server that you can connect to?

I’m running OpenVPN on pfSense (which is how I connect to my internal network, remotely), since there is no way I’m going through the process of installing OpenVPN via a terminal and keeping it updated that way, and the Virtual Appliance doesn’t satisfy my needs.

Right, so all you need to do is change the config for your openvpn client on your phone to use the IP of your DNS server and then on pfsense in the openvpn tab of the firewall rules you need to have rules for accessing your internal network and also a rule for accessing the internet with the gateway set to your PIA gateway, unless you have that as your default gateway then you can just use that.

Could you link to a tutorial as to how to do all that?

I’m really noobie with pfSense and firewall rules, so I’m bound to fuck it up if I do it without help.

If you set up OpenVPN to get to your router and your whole internet at home is set up to get to the internet through PIA, you don’t need to do much more than set up OpenVPN.

If you just want the OpenVPN connection to get you to the internet through PIA, you’ll need to create a Docker container set up with the OpenVPN server, PiHole and PIA.
The setup would be something like:
Android phone -> OpenVPN server -> PiHole/DNS server -> PIA -> internet. The PIA would be set up for the whole container so it doesn’t require any special setting, because every connection made to get out of the container goes through it. To get PiHole to work with OpenVPN you can use THIS guide.

Nuuuuuu. So I guess I’ll have to stop running OpenVPN on pfSense? There’s no way to do what I want while keeping the OpenVPN server running on pfSense?

I guess you could make a second OpenVPN instance in a Docker container that goes through PIA to the internet.

You don’t need to run openvpn outside of pfsense to make this work, it should be fairly trivial and in fact if PIA is your default gateway then it should just work by default.

How would I do that all?

If I can keep OpenVPN running on pfSense, that would be optimal.

Many years ago, I had a forum member help me set up OpenVPN in a VM, with nogui, and I had 0 idea as to what was going on. I’d really rather avoid doing that again, hence why I want to do everything via pfSense’s OpenVPN GUI.

If you are still trying to set this up:

You need 2 openvpn instances on your local network (it’s perfectly acceptable to have both instances running on your router), one in server mode accepting connections (it sounds like you already have this working). You need a second openvpn instance in client mode connected to PIA.

You then need to swizzle the routing correctly and there are several ways to do it.

I find the simplest method (I do use debian instead of bsd and AWS instead of PIA, but those are interchangeable) is to set up a second routing table that has its default route via the openvpn client’s interface.

So my main routing table (ipv4 version for brevity) remains unmodified:

main routing table
clifford@router:~$ ip route show
default via 68.224.108.1 dev enp6s0
10.0.0.0/24 dev enp7s0  proto kernel  scope link  src 10.0.0.3
10.0.10.0/24 dev enp2s0  proto kernel  scope link  src 10.0.10.3
10.0.20.0/24 dev br2  proto kernel  scope link  src 10.0.20.3
10.8.0.0/24 via 10.0.20.11 dev br2
10.8.10.0/24 via 10.0.20.20 dev br2
68.224.108.0/24 dev enp6s0  proto kernel  scope link  src 68.224.108.64
192.168.1.0/24 via 10.0.20.11 dev br2
alternate routing table with openvpn client default route
clifford@router:~$ ip route show table AWS
default via 10.0.20.11 dev br2
10.0.0.0/24 dev enp7s0  scope link
10.0.10.0/24 dev enp2s0  scope link
10.0.20.0/24 dev br2  scope link
10.8.0.0/24 via 10.0.20.11 dev br2
10.8.10.0/24 via 10.0.20.20 dev br2
68.224.108.0/24 dev enp6s0  scope link
192.168.1.0/24 via 10.0.20.11 dev br2

I find it convenient to have my openvpn client instance running in an LXC container acting as router, but you don’t have to do that, you can just as easily have the default route of your alternate routing table be the local peer address of the openvpn client’s tun interface:

default via (tun# peer address) dev tun#

Which is exactly what the routing table looks like in my openvpn client container:

openvpn client container's routing table
clifford@router:~$ sudo lxc-attach -n aws-openvpn-container -- ip route show
default via 10.8.0.5 dev tun0
10.0.0.0/24 via 10.0.20.3 dev eth0
10.0.10.0/24 via 10.0.20.3 dev eth0
10.0.20.0/24 dev eth0  proto kernel  scope link  src 10.0.20.11
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.8.10.0/24 via 10.0.20.3 dev eth0
192.168.1.0/24 via 10.8.0.5 dev tun0

None of that is unique to debian/aws (except for the actual commands), it’s the same concepts on a BSD/PIA solution.

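The policy-routing recipe from the two posts above (the `ip rule add from ... table AWS` commands, and the mirrored alternate table with a new default route) can be scripted so that the alternate table is generated from the main table instead of typed in by hand. The script below is an added example written for this thread; it is not the poster's script and not part of pfSense or OpenVPN. Everything in it is an assumption: the table name `VPNOUT`, the OpenVPN server's client subnet `10.8.10.0/24`, the OpenVPN client's tun peer `10.8.0.5` on `tun0`, and the sample `ip route show` output, which is constructed from the post's own table. It only prints the commands (a dry run); a root shell would pipe them into `sh` after review.

```shell
#!/bin/sh
# Added example: build an alternate routing table that mirrors every
# non-default route of the main table, points "default" at the OpenVPN
# client's tun peer, and steers the OpenVPN *server* client subnet into it.
# All names/addresses below are assumptions for illustration.

# Constructed sample of `ip route show` output (modelled on the post's table).
SAMPLE_MAIN_ROUTES='default via 68.224.108.1 dev enp6s0
10.0.0.0/24 dev enp7s0  proto kernel  scope link  src 10.0.0.3
10.0.20.0/24 dev br2  proto kernel  scope link  src 10.0.20.3
10.8.10.0/24 via 10.0.20.20 dev br2'

# build_table_cmds TABLE PEER DEV  (reads `ip route show` lines on stdin)
# Prints the `ip route add ... table TABLE` commands that (1) set the new
# default via the tun peer, (2) add a high-metric "unreachable" default so
# traffic fails closed instead of falling through to the main table (and the
# bare WAN) when the tunnel drops, and (3) mirror every non-default route so
# LAN subnets and the OpenVPN server's clients stay reachable.
build_table_cmds() {
  table=$1; peer=$2; dev=$3
  printf 'ip route add default via %s dev %s table %s\n' "$peer" "$dev" "$table"
  printf 'ip route add unreachable default metric 1000 table %s\n' "$table"
  while IFS= read -r line; do
    case $line in
      ''|default*) continue ;;
    esac
    # Drop the kernel-added attributes; the alternate table only needs the
    # prefix plus its next hop / device, exactly as the post's table shows.
    route=$(printf '%s\n' "$line" | sed -e 's/  */ /g' -e 's/ proto kernel//' -e 's/ src [^ ]*//')
    printf 'ip route add %s table %s\n' "$route" "$table"
  done
}

# steer_cmds SUBNET TABLE PRIO: the policy rule from the post, generalised:
# packets *from* the OpenVPN server's client subnet consult TABLE first.
steer_cmds() {
  printf 'ip rule add from %s table %s priority %s\n' "$1" "$2" "$3"
}

# plan TABLE PEER DEV CLIENT_SUBNET: the complete dry-run command list.
plan() {
  printf '%s\n' "$SAMPLE_MAIN_ROUTES" | build_table_cmds "$1" "$2" "$3"
  steer_cmds "$4" "$1" 50
}

# Usage (dry run; on a real router you would read `ip route show` instead of
# the constructed sample):  plan VPNOUT 10.8.0.5 tun0 10.8.10.0/24
plan VPNOUT 10.8.0.5 tun0 10.8.10.0/24
```

Two things to check before applying the output for real: a named table such as `VPNOUT` (or the post's `AWS`) needs a line in `/etc/iproute2/rt_tables`, otherwise use a numeric table id; and the `unreachable` default with the higher metric is what makes the setup fail closed. Without it, when `tun0` goes down the kernel removes the tunnel default, the lookup in the alternate table finds nothing, falls through to the main table, and the phone's traffic leaves via the plain WAN address.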

You guys are making this more complicated than it needs to be. Do you have PIA working on pfsense? If so can you post screenshots of your lan and vpn firewall rule pages. Also your outbound NAT page.