Messages - danuary

#1
Hi Franco,
Due to needing to get things up and running this morning, I reinstalled the router and restored a recent backup which did resolve the issue. I've taken its clone though and upgraded it to current as of this morning to play around a bit. I'm almost certain dnsmasq-hosts was 600 and indeed that would have been the source of the issue, but I can't seem to reproduce. After update the file is root:wheel and 644. I'll keep an eye on it and see if for some reason it decides to change permissions. Thanks much for your help.
#2
Hi,

As of this morning dnsmasq host overrides return an NXDOMAIN when looked up. All other DNS lookups (those that forward to an external DNS server) work fine. Nothing in the logs at all related that I can see - resolver.log shows no updates in quite some time and just shows reloads.

Two things happened yesterday:
- I updated the box. Don't see how I can tell what updated, but dnsmasq is version 2.76,1 if it matters.
- I had a DHCP client register a hostname with a space (" "). Since removed.

Any ideas?
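As an added sanity check for the host-override problem in the two posts above (not a tool from the thread or from OPNsense), this script verifies that a dnsmasq additional-hosts file is still readable once dnsmasq has dropped privileges (a root-owned 600 file is not) and that every entry parses as an address followed by valid hostnames. The file path is whatever you pass as the first argument; the sample content in the test is constructed.

```shell
#!/bin/sh
# Check a dnsmasq additional-hosts file ("dnsmasq-hosts" in the posts above).
# Exit 0 when the file is world-readable and every entry is well formed.

# Octal permission bits; GNU stat uses -c, FreeBSD stat (OPNsense) uses -f.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# dnsmasq runs unprivileged after start-up, so the "others" read bit (4)
# must be set; 600, the mode suspected in the thread, fails this test.
mode_world_readable() {
    case $1 in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Each non-comment line: an IPv4/IPv6-looking address, then one or more
# RFC 1123 style hostnames (letters, digits, hyphens, dot-separated labels).
# Prints every offending line and returns 1 if any were found.
validate_entries() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }
        {
            if (NF < 2 || $1 !~ /^[0-9a-fA-F.:]+$/) {
                print "bad address: " $0; bad = 1; next
            }
            for (i = 2; i <= NF; i++)
                if ($i !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$/) {
                    print "bad hostname: " $0; bad = 1
                }
        }
        END { exit bad }' "$1"
}

check_dnsmasq_hosts() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(file_mode "$file")
    rc=0
    if ! mode_world_readable "$mode"; then
        echo "$file has mode $mode: unreadable to dnsmasq after privilege drop (expected 644)"
        rc=1
    fi
    validate_entries "$file" || rc=1
    return $rc
}

if [ $# -gt 0 ]; then check_dnsmasq_hosts "$1"; fi
```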
#3
Self-replying, yay :)

I have a solution to this, but part of it feels a little hacky. There are three components to this:

First, how to establish an OpenVPN connection to PIA.
Second, what you do with that connection: what gets routed over the VPN and what does not.
Finally, how to ensure that you don't leak what should be VPN traffic out the WAN if the VPN goes down.

To address #1, see the excellent pfsense-based tutorial at http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/, or the pfsense tutorial provided by PIA themselves. These are both pfsense-based so you'll have to tweak a bit; mostly correct, but I found in the linked post he goes a bit overboard on applying rules to each interface. You only need to put your rules on the LAN interface. As such, that gets us to #2.

My LAN rules that make this work are in the first attached image; this example shows two IPs forced to use the VPN while everything else uses the local WAN connection. The only thing I can say here is go slow and bounce your VPN connection a lot when testing. I was tearing my hair out and discovered that the rules took effect only after restarting the VPN. You can tailor to your example, substituting network ranges in place of specific IPs, and it should do the trick for you.

This leaves me with #3, which has been rather frustrating. I would like to configure such that if the VPN goes down, my VPN-routed IPs have no access to the outside world. I've tried various rules and various orders but I have not been able to get that to work: no matter what I did, if the VPN goes down the noted IPs will simply use the WAN connection, which is not what I want. The only way I've found to do this is via an outbound NAT rule using the "Do Not NAT" checkbox for those IPs. I guess that works, but I'd feel better doing it through an actual firewall rule.

Hope this helps!

#4
Happy new year from a new prospective user (and maybe contributor). I just downloaded OPNsense and installed it to a VM to play with, looking for a replacement for dd-wrt. Really liking what I see so far!
#5
Following, as I have essentially the same question: I'd like to ensure traffic from several specific IPs on my LAN always traverses an OpenVPN tunnel and never traverses the WAN; everything else can go out the WAN. It's clearly possible via policy routing, but I'm new to the platform. I can probably piece it together given some time, but if there is a cheat sheet or someone can advise, it'd be helpful to have the jumpstart. ;)

Thanks!