farquaad

My solution to fixing a DNS leak on pfSense.


If you are looking for how to configure AirVPN on pfSense, please follow this great post

The following are just a few changes I made that worked for me and that might help someone with the same problems I had, mostly avoiding a DNS leak.

Note that I am not an expert, so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patchwork of multiple ideas from the net that led me to a working solution.

1. Create the VPN Certificates you need

Go to AirVPN and download a config file (.ovpn)
https://airvpn.org/generator/

Now go to pfSense and create a CA for AirVPN

Descriptive name: [AirVPN CA]
Method: [import an existing Certificate Authority]
Certificate data: [Open the .ovpn file and insert the data found between <ca> and </ca>]
Save

Now open the Certificates tab and create a new certificate

Method: [import an existing certificate]
Descriptive name: [AirVPN Client]
Certificate data: [Open the .ovpn file and insert the data found between <cert> and </cert>]
Private key data: [Open the .ovpn file and insert the data found between <key> and </key>]

2. Create an OpenVPN connection
https://rtr.noh.lan/vpn_openvpn_server.php

Follow the document mentioned above and make the following modifications to it:

Go to the Clients tab and make sure that:

- You use an IP as the Server host to make sure you can reconnect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can reach it...

- Add the following options:

server-poll-timeout 10;  # give up on a remote after 10 s and try the next one
explicit-exit-notify 5;  # tell the server we are leaving so it can drop the session (UDP only)
auth-nocache  # do not keep credentials in memory between reconnects
mlock;  # keep key material out of swap
fast-io;
key-direction 1;  # client side of the tls-auth key
prng SHA512 64;
tls-version-min 1.2;
key-method 2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;  # pin the control-channel TLS suite
tls-timeout 2;
remote-cert-tls server;  # only accept a server-role certificate, so a client cert cannot pose as the server

remote 185.206.225.58 443  # no.vpn.airdns.org
remote 82.102.27.194 443  # no.vpn.airdns.org
remote 91.207.102.162 443  # ro.vpn.airdns.org
remote 86.105.9.66 443  # ro.vpn.airdns.org

The "remote" entries allow your VPN client to connect to another server if the VPN connection drops.


3. The resolver settings I have

General Settings

Enable: [X]
Listen Port: [Blank]
Network Interfaces: [LAN] + any other local network you may have
Outgoing Network Interfaces: [Your VPN Interface]
System Domain Local Zone Type: [Transparent]
DNSSEC: [X]
DNS Query Forwarding: [ ]
DHCP Registration: [ ]
Static DHCP: [X]
OpenVPN Clients: [ ]
Custom options:
   forward-zone:
       name: "."
       forward-addr: 10.4.0.1

Note that the custom options forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change, so check it or it will fail.


Advanced Settings

Hide Identity: [X]
Hide Version: [X]
Prefetch Support: [X]
Prefetch DNS Key Support: [X]
Harden DNSSEC Data: [X]
Serve Expired: [ ]

The rest I have left as default.

Now go to DNSLeakTest and test!


I hope this helped someone.

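Steps 1 and 2 above are done by hand: copy the <ca>, <cert> and <key> blocks out of the .ovpn into pfSense, and make sure every "remote" is an IP literal so the client can reconnect when its only resolver sits behind the tunnel. The script below is an added example, not part of the original post or of any AirVPN tooling: it splits a profile into the three pfSense paste fields and lists any "remote" that still names a host. SAMPLE_OVPN is a constructed profile with dummy PEM bodies; the field labels and function names are the example's own.

```python
"""Added example (not from the original post): extract what pfSense needs
from an AirVPN-style .ovpn profile and check its `remote` lines.

extract_inline_blocks() covers step 1 (the <ca>/<cert>/<key> paste fields);
hostname_remotes() covers the step 2 rule that a remote must be an IP literal,
because a hostname needs DNS and the resolver is only reachable via the VPN.
"""
import ipaddress
import re

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote no.vpn.airdns.org 443   # hostname: needs DNS before the tunnel is up
remote 185.206.225.58 443      # IP literal: usable with no resolver at all
resolv-retry infinite
nobind
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBdummyCAdummyCAdummyCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBdummyClientCertdummy
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEdummyPrivateKeydummy
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def _strip_comment(line):
    """Drop an OpenVPN comment (# or ; to end of line) and surrounding space."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def extract_inline_blocks(text):
    """Return {tag: pem} for every inline <tag>...</tag> block in the profile."""
    blocks = {}
    for tag in INLINE_TAGS:
        pattern = rf"<{re.escape(tag)}>\s*\n(.*?)\n\s*</{re.escape(tag)}>"
        match = re.search(pattern, text, re.DOTALL)
        if match:
            blocks[tag] = match.group(1).strip() + "\n"
    return blocks


def pfsense_import_fields(text):
    """Map the blocks onto the three paste fields from step 1 (labels are the example's)."""
    blocks = extract_inline_blocks(text)
    fields = {
        "AirVPN CA / Certificate data": blocks.get("ca"),
        "AirVPN Client / Certificate data": blocks.get("cert"),
        "AirVPN Client / Private key data": blocks.get("key"),
    }
    missing = [name for name, pem in fields.items() if pem is None]
    if missing:
        raise ValueError("profile has no inline block for: " + ", ".join(missing))
    return fields


def parse_remotes(text):
    """Return (host, port, proto) per `remote` line; port defaults to OpenVPN's 1194."""
    remotes = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) > 2 else 1194
            proto = parts[3] if len(parts) > 3 else None
            remotes.append((parts[1], port, proto))
    return remotes


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal, which OpenVPN can dial without a resolver."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hostname_remotes(text):
    """`remote` entries that need DNS, which fails when the resolver is behind the VPN."""
    return [r for r in parse_remotes(text) if not is_ip_literal(r[0])]


def key_direction(text):
    """Value of `key-direction` (the post adds 1 for the client side), or None."""
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) == 2 and parts[0] == "key-direction":
            return int(parts[1])
    return None


if __name__ == "__main__":
    for name, pem in pfsense_import_fields(SAMPLE_OVPN).items():
        print(f"== {name} ==\n{pem}")
    for host, port, _ in hostname_remotes(SAMPLE_OVPN):
        print(f"WARNING: remote {host} {port} needs DNS; replace it with the server IP")
    print("key-direction:", key_direction(SAMPLE_OVPN))
```

Run it against a real generator download to get the three paste blocks and the list of remotes that must be swapped for IPs; the host name can stay as a trailing comment, as in the post. The script only reads the profile and does not check that the extra options in step 2 are still accepted by the OpenVPN build pfSense ships (OpenVPN 2.6 no longer accepts prng, for example), so check the OpenVPN client log after saving.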

That's a box I'd like to build myself and test on for a while.

Need to put a pfSense box on the local, maybe go from the cable modem to the DD-WRT, then to the pfSense box, add some NICs or extend with another router in switch mode. Basically, see what I can come up with.

Edited by tokzco


I am using the DHCP server and specifying the AirVPN DNS IPs in there to pass on to the clients. I removed that and tried your DNS resolver settings (with the DNS forwarder disabled) and got no internet connectivity (cannot resolve a web address). What am I missing here?

What I actually want to do is pass on Family OpenDNS to clients for added safety. The problem is, when I enter those DNS IPs (or any others besides AirVPN's), I get no connectivity.


Hi

I am very interested in trying your suggestion, but it looks like the link to the OpenVPN document mentioned in point 2 is not working!

At least it is not working for me, anyway.

Thanks

