Whole-network VPN with pfSense Router | Level One Techs

How did you go about doing it? I've been banging my head against my keyboard for weeks because Netflix is causing me issues on my TV, and I want to blacklist the whole TV from going through my VPN.

I have a pretty comprehensive list of Netflix and AWS servers that I put into a text file and imported as an alias in pfSense. Then I built a rule in the firewall to route any of that traffic through the LAN interface instead of the VPN interface. I'm at the office right now so I can't look at the setup to give you details, but I set it all up based on comments on the pfSense forums.

route through wan, not lan :smiley:

1 Like

Correct. The rule goes on the LAN tab, I believe. I can't remember all the specifics since I'm not at home to look at the configuration, and I don't have mine set up to access it remotely.

Something like this?
This didn't end up working either.

Pick the wan gateway for the gateway. The video on this will be out tomorrow

3 Likes

Change the destination from WAN net to any. WAN net is the WAN subnet, which is likely a /32 subnet that is just your WAN IP address; it's not the internet. So change that to any, and change the gateway (under advanced options) to the WAN gateway, as Wendell says.

2 Likes

That was it!!
Thank you guys!

A little late to the party, but I am concerned that the video gives the impression that once the VPN is established there is no concern over IP leaks. The problem is that pfSense's default behavior when the VPN tunnel isn't available is to route traffic through the WAN. So should the VPN tunnel go down for any reason, your IP is exposed.

Was it cut from the video? We removed LAN to WAN NAT in the NAT screen and mentioned that eventuality.

However, doing that stops you from being able to send some traffic over the WAN and other traffic over the VPN. I would suggest that a better approach would be to specify the gateway for all internet traffic in the firewall rules and enable "Skip rules when gateway is down" in System > Advanced > Miscellaneous to prevent it from overriding the gateway option if the gateway is down.

I tried the "skip rules when gateway is down" route and for some reason it did not work for me. I ended up finding a guide that showed me how to create a floating rule with a NO_WAN_EGRESS clause that got the job done.

1 Like
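To make the two points above concrete (why a destination of "WAN net" never matches Netflix traffic while "any" or an alias does, and what happens to a policy-routed rule when the VPN gateway goes down with and without "Skip rules when gateway is down"), here is a small added simulator of pfSense-style first-match policy routing. It is illustrative code written for this thread, not pfSense code; the WAN address, the Netflix/AWS alias ranges and the TV's LAN address are constructed sample values, and the rule dictionaries are an assumed shorthand for the LAN-tab fields.

```python
import ipaddress

# Constructed sample values: a /32 WAN address and an alias of two
# "Netflix/AWS" ranges that should bypass the VPN.
WAN_NET = ipaddress.ip_network("203.0.113.7/32")
NETFLIX_ALIAS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]

def _matches(rule, src, dst):
    # src: 'any' or one host; dst: 'any', 'WAN net' (the WAN subnet, i.e. only
    # the WAN IP itself) or an alias given as a list of networks.
    if rule["src"] != "any" and ipaddress.ip_address(rule["src"]) != src:
        return False
    dest = rule["dst"]
    if dest == "any":
        return True
    if dest == "WAN net":
        return dst in WAN_NET
    return any(dst in net for net in dest)

def route(src, dst, rules, gateways_up, skip_when_down, default_gw="WAN"):
    """Gateway a packet src->dst leaves through, or 'blocked' (implicit deny).
    skip_when_down models System > Advanced > Miscellaneous 'Skip rules when
    gateway is down'.  When it is off, a rule whose gateway is down is still
    applied but with its gateway option dropped, so traffic takes the default
    route.  default_gw is 'WAN', or 'VPN' if the client was allowed to pull
    routes and has replaced the default gateway.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:  # first match wins, as on the pfSense LAN tab
        if not _matches(rule, src, dst):
            continue
        gw = rule["gateway"]
        if gw == "default":
            return default_gw
        if gw in gateways_up:
            return gw
        if skip_when_down:
            continue          # rule ignored; later rules or the implicit deny decide
        return default_gw     # gateway option silently removed: the IP leak
    return "blocked"

# The TV should bypass the VPN. 'WAN net' never matches an internet host, so the
# BROKEN set falls through to the catch-all VPN rule; FIXED uses 'any' instead.
TV = "192.168.1.50"
BROKEN = [{"src": TV, "dst": "WAN net", "gateway": "WAN"},
          {"src": "any", "dst": "any", "gateway": "VPN"}]
FIXED = [{"src": TV, "dst": "any", "gateway": "WAN"},
         {"src": "any", "dst": "any", "gateway": "VPN"}]
BY_ALIAS = [{"src": "any", "dst": NETFLIX_ALIAS, "gateway": "WAN"},
            {"src": "any", "dst": "any", "gateway": "VPN"}]
```

Run `route(TV, "198.51.100.10", BROKEN, {"WAN", "VPN"}, False)` to see the broken rule still send the TV through the VPN, and call it with `{"WAN"}` as the up-gateway set to see the leak that the skip option turns into a block.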

I wonder if anyone has ever found and used this?

https://www.softether.org

I have. It works pretty well.

Anyone here know how to get CyberGhost to work in pfSense? I know how to get the OpenVPN files for different countries and the CA cert. I created the certificates in the cert manager and configured the client and the outbound NAT rules. The interface won't connect. I used the username/password created for routers, which is different from the main login.

In this video, when creating the VPN client certificate, you generated a self-signed certificate using your internal CA. I understand that.

However, the PureVPN instructions have you import a client certificate and cut & paste the certificate and private key data from files they provided (a public zip, not unique to me). The ZIP is sitting out on an AWS link at the top of the page linked below.

Steps 4 and 5 here:
https://support.purevpn.com/pfsense-openvpn-configuration-guide

That doesn't seem right. Won't all their clients be using the same certificate and key? And wouldn't anyone (including them) be able to decrypt it since the key is public?

No, the client certificate is used for authentication, not encryption. The server certificate will be used to encrypt the session key used to encrypt the VPN connection, much in the same way HTTPS works. It doesn't make much sense for them to have a public client key, but it won't allow someone to decrypt your session.

What does the log say? Look in Status > System Logs > OpenVPN.

Anyone have a working Hulu IP list? My bypass is not working with their servers.

Thanks for clearing that up. I got the connection configured:

May 26 01:12:26	openvpn	35942	UDPv4 link local (bound): [AF_INET]192.168.1.8
May 26 01:12:26	openvpn	35942	UDPv4 link remote: [AF_INET] x.x.x.x:53
May 26 01:12:27	openvpn	35942	[PureVPN] Peer Connection Initiated with [AF_INET] x.x.x.x:53
May 26 01:12:29	openvpn	35942	TUN/TAP device ovpnc2 exists previously, keep at program end
May 26 01:12:29	openvpn	35942	TUN/TAP device /dev/tun2 opened
May 26 01:12:29	openvpn	35942	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 26 01:12:29	openvpn	35942	/sbin/ifconfig ovpnc2 x.x.x.x x.x.x.x mtu 1500 netmask 255.255.255.192 up
May 26 01:12:29	openvpn	35942	/usr/local/sbin/ovpn-linkup ovpnc2 1500 1558 x.x.x.x 255.255.255.192 init
May 26 01:12:29	openvpn	35942	Initialization Sequence Completed

But then it seems like DNS stops working.... Can't load pages, can't ping anything external. I had to hard code my pfSense hostname and IP into /etc/hosts just to reach the GUI again. As soon as I disable the VPN client, within seconds things are back to normal. More research to do....

Follow up.... Instead of the "default" gateway on my existing auto-generated IPv4 firewall rules, I set them to use the WAN gateway, and that resolved my page loading problems. My goal is to default everything over the WAN, with only a few select devices set to use the VPN. Back to researching....

In the VPN configuration page there's an option that says "Don't pull routes". If you check that, the VPN connection won't override the default gateway, so you can just specify the VPN gateway manually in the firewall rules and everything else will use the WAN.

1 Like