Software/script to test VPN isolation

I set up PFSense to VPN all my DHCP clients so randos on my wifi can access the LAN and VPN, but not the pure WAN. I would like to know if my setup prevents leaking the following:

  • My real IP
  • DNS queries that the VPN clients make
  • Unencrypted traffic to/from the VPN clients (picked up by ISP traffic sniffers and such)
  • Anything else I should be trying to hide with PFSense

Is there a program, script, or something else I can use to test if all of the above are being secured by my PFSense config?

You can take a packet capture of the wan and look at it with wireshark, if you see any traffic that isn’t going to your VPN then it’s leaking.

Getting DNS to go over the VPN on pfSense seems to be tricky, but if the VPN is configured as the default gateway and you’ve disabled the WAN interface in the DNS server settings then it should be fine. Again, the best way to check is to look at the packet capture.

The option to take a packet capture is under diagnostics or one of the menus in pfsense.

I disabled the rules that apply to non-VPN clients, which made it so only the VPN clients could connect to the internet. After farting around on the internet, I see the following:

  • ARP Broadcasts: Who has IP ____? Tell IP _____ (Leak? I can’t tell where these are originating from or going to. I don’t see any of them with my PIA IP, real IP, or my ISP’s IP in the list)
  • ICMP Ping requests to/from my real IP and a very similar IP owned by my ISP (Leak? Ping to the similar IP is ~14ms for a wired PC, that IP is external)
  • UDP traffic over port 1198 (VPN) and 62864 and vice versa, from my PIA IP to my real IP

What do you make of these?

ARP isn’t a problem, it’s just how networks work. Obviously there needs to be some network traffic between you and your ISP; ARP traffic is a type of broadcast traffic and therefore cannot originate from within your network, so it’s between the router and the ISP, nothing to worry about.

The ICMP traffic is from pfsense checking the status of the network, it’s that information you see on the main page. It’s just pinging the ISP gateway to test for packet loss and latency, so it’s not a leak.

If everything else is going over the VPN then you’re good. Maybe have a double check for DNS traffic and make sure you’re not seeing any of that.

Yep, the other packet captures I took agree with what you’re saying completely. I disabled all my firewall rules except the antilockout one so no clients could connect to the internet and packet captured. I got the same 3 sets of traffic. I checked the gateway monitor IP, and 100% of the ICMP traffic went to the new gateway monitor IP. Then I enabled all my rules and physically disconnected all but one of the VPN clients and farted around on the internet for a few minutes, sent pings, etc. Nothing new in the packet capture, all to/from PIA, gateway monitoring via ICMP, and ARP broadcasts.

I’ve changed my DNS settings in the System -> General Setup tab to use the PIA gateway. I also changed the DNS resolver to use the PIA interface for outgoing requests. Those options will cause problems if the VPN is down, but I’m fine with that. Is there anything else I can do to funnel everything I can over the VPN?

How do I check for DNS leakage, or other more in-depth (continuous?) testing to make sure my VPN clients are isolated?

Thanks!

If you don’t see any DNS traffic on the WAN then there are no DNS leaks; it’ll either happen or not. I suppose you could check what happens when the VPN is down and make sure it doesn’t just use the WAN for everything which is supposed to go over the VPN.

Otherwise there’s not much else to look for, the only way to check that your traffic is encrypted is to look at it with a packet sniffer.
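The replies above boil down to one rule: on a WAN packet capture, ARP, the ICMP gateway-monitor pings and the UDP tunnel to the VPN endpoint are expected; anything else on the WAN (DNS on port 53 especially, but also any other clear-text TCP/UDP or IPv6) is a leak. The script below, which is an added example and not code from any poster in this thread, automates that check over a pcap file such as the one pfSense's Diagnostics > Packet Capture produces. It parses the classic libpcap format itself (Ethernet link type only), so it runs offline without scapy or tshark. The WAN, gateway-monitor and VPN-server addresses are constructed lab values and must be replaced with your own; the UDP port 1198 is the one the thread observed for the tunnel. A small sample capture is built in memory at the bottom so the classifier can be exercised without real traffic.

```python
"""Classify WAN-side pcap frames as expected tunnel/housekeeping traffic or leaks."""
import struct
from collections import Counter

# Constructed lab addresses (assumptions for this example, not the thread's real values).
WAN_IP = "203.0.113.10"              # router's real WAN address
GATEWAY_MONITOR_IP = "203.0.113.1"   # what pfSense's gateway monitor pings
VPN_SERVER_IP = "198.51.100.7"       # VPN provider endpoint
VPN_PORT = 1198                      # UDP port seen for the tunnel in the thread

EXPECTED = {"arp", "gateway-monitor", "vpn-tunnel"}   # everything else is a leak


def parse_pcap(data):
    """Return the raw Ethernet frames of a classic libpcap file (either endianness)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def _ip(b):
    return ".".join(str(x) for x in b)


def classify_frame(frame):
    """Return (category, detail); categories outside EXPECTED are leaks."""
    if len(frame) < 14:
        return "other-leak", "truncated frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return "arp", "ARP between router and ISP segment"
    if ethertype != 0x0800:   # e.g. IPv6 (0x86DD) sneaking past an IPv4-only tunnel
        return "other-leak", "non-IPv4 ethertype 0x%04x" % ethertype
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, src, dst = ip[9], _ip(ip[12:16]), _ip(ip[16:20])
    ends, l4 = {src, dst}, ip[ihl:]
    if proto == 1:   # ICMP: only the gateway-monitor ping is legitimate
        if ends == {WAN_IP, GATEWAY_MONITOR_IP}:
            return "gateway-monitor", "ICMP to gateway monitor %s" % GATEWAY_MONITOR_IP
        return "other-leak", "ICMP %s -> %s" % (src, dst)
    if proto in (6, 17):   # TCP / UDP: must be the tunnel itself, else a leak
        sport, dport = struct.unpack("!HH", l4[:4])
        flow = "%s %s:%d -> %s:%d" % ("UDP" if proto == 17 else "TCP", src, sport, dst, dport)
        if proto == 17 and VPN_SERVER_IP in ends and VPN_PORT in (sport, dport):
            return "vpn-tunnel", flow
        if 53 in (sport, dport):
            return "dns-leak", flow
        return "clear-leak", flow
    return "other-leak", "IP protocol %d %s -> %s" % (proto, src, dst)


def audit_capture(data):
    """Count frames per category and list every leak with its flow detail."""
    counts, leaks = Counter(), []
    for frame in parse_pcap(data):
        cat, detail = classify_frame(frame)
        counts[cat] += 1
        if cat not in EXPECTED:
            leaks.append("%s: %s" % (cat, detail))
    return counts, leaks


# --- builders for a constructed sample capture (no real traffic involved) ---
def _eth(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload


def _octets(s):
    return bytes(int(x) for x in s.split("."))


def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _octets(src), _octets(dst))
    return _eth(0x0800, hdr + payload)


def _udp(src, sport, dst, dport, payload=b"\x00" * 16):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def _icmp_echo(src, dst):
    return _ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_CAPTURE = build_pcap([
    _eth(0x0806, b"\x00" * 28),                                   # ARP: fine
    _icmp_echo(WAN_IP, GATEWAY_MONITOR_IP),                       # gateway monitor: fine
    _udp(WAN_IP, 62864, VPN_SERVER_IP, VPN_PORT),                 # the tunnel itself: fine
    _udp(WAN_IP, 40123, "192.0.2.53", 53),                        # DNS on the WAN: leak
    _ipv4(WAN_IP, "192.0.2.80", 6,                                # clear-text TCP/443: leak
          struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 0x02, 8192, 0, 0)),
])

if __name__ == "__main__":
    # Replace SAMPLE_CAPTURE with open("wan.pcap", "rb").read() for a real capture.
    counts, leaks = audit_capture(SAMPLE_CAPTURE)
    print(dict(counts))
    for line in leaks:
        print("LEAK", line)
```

Run it against a capture taken with the VPN up and browsing from a client: the expected result is only `arp`, `gateway-monitor` and `vpn-tunnel` counts and an empty leak list. Repeat with the VPN deliberately down, as the last reply suggests; any `clear-leak` or `dns-leak` lines then show exactly which flows fall through to the plain WAN. Note that the ICMP check is strict: pings between the WAN address and anything other than the configured gateway-monitor address are reported, since that is what a non-tunnelled client ping would look like.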