farquaad 14 Posted ...

If you are looking for how to configure AirVPN on pfSense, please follow this great post

The following are just a few changes I made that worked for me and that might help someone with the same problems I had. Mostly, avoiding a DNS leak.

Note that I am not an expert so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patch of multiple ideas on the net that led me to a working solution.

1. Create the VPN Certificates you need

Go to AirVPN and download a config file (.ovpn)
https://airvpn.org/generator/

Now go to pfSense and create a CA for AirVPN
Descriptive name: [AirVPN CA]
Method: [import an existing Certificate Authority]
Certificate data: [Open .ovpn file and insert data found between <ca> and </ca>]
Save

Now open the Certificates tab and create a new certificate
Method: [import an existing certificate]
Descriptive name: [AirVPN Client]
Certificate data: [Open .ovpn file and insert data found between <cert> and </cert>]
Private key data: [Open .ovpn file and insert data found between <key> and </key>]

2. Create an OpenVPN connection
https://rtr.noh.lan/vpn_openvpn_server.php

Follow the document mentioned above and make the following modifications to it.
Go to the Clients tab and make sure that:
- You use an IP as the Server host to make sure you can re-connect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can access it...
- Add the following options:
    server-poll-timeout 10;
    explicit-exit-notify 5;
    auth-nocache;
    mlock;
    fast-io;
    key-direction 1;
    prng SHA512 64;
    tls-version-min 1.2;
    key-method 2;
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
    tls-timeout 2;
    remote-cert-tls server;
    remote 185.206.225.58 443 # no.vpn.airdns.org
    remote 82.102.27.194 443 # no.vpn.airdns.org
    remote 91.207.102.162 443 # ro.vpn.airdns.org
    remote 86.105.9.66 443 # ro.vpn.airdns.org

The "remote" entries allow your VPN to connect to another server if the VPN connection drops.

3. The resolver settings I have

General Settings
Enable: [X]
Listen Port: [Blank]
Network Interfaces: [LAN] + any other local network you may have
Outgoing Network Interfaces: [Your VPN Interface]
System Domain Local Zone Type: [Transparent]
DNSSEC: [X]
DNS Query Forwarding: [ ]
DHCP Registration: [ ]
Static DHCP: [X]
OpenVPN Clients: [ ]
Custom options:
    forward-zone:
        name: "."
        forward-addr: 10.4.0.1

Note that the Custom settings forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change so check or it will fail.

Advanced Settings
Hide Identity: [X]
Hide Version: [X]
Prefetch Support: [X]
Prefetch DNS Key Support: [X]
Harden DNSSEC Data: [X]
Serve Expired: [ ]

The rest I have left as default.

Now go to DNSLeakTest and test! I hope this helped someone.
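An added illustration of steps 1 and 2 in the post above (not part of the original post, and not AirVPN or pfSense tooling): a Python script that pulls the inline <ca>, <cert> and <key> blocks out of a generated .ovpn profile for pasting into pfSense, and lists any "remote" entries given as hostnames, which need working DNS before the tunnel is up. The sample profile is constructed and its certificate and key bodies are placeholders.

```python
import ipaddress
import re

# Constructed sample profile; certificate/key bodies are placeholders, not real material.
SAMPLE_OVPN = """\
client
remote no.vpn.airdns.org 443
remote 185.206.225.58 443  # literal IP, no DNS lookup needed
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
"""

INLINE_BLOCK = re.compile(r"^<(ca|cert|key)>\s*\n(.*?)\n</\1>\s*$", re.S | re.M)

def inline_blocks(text):
    """Return the inline blocks found, keyed by tag name ('ca', 'cert', 'key')."""
    return {m.group(1): m.group(2).strip() for m in INLINE_BLOCK.finditer(text)}

def hostname_remotes(text):
    """List 'remote' hosts that are names, i.e. need DNS before the tunnel exists."""
    names = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "remote":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                names.append(parts[1])
    return names

if __name__ == "__main__":
    blocks = inline_blocks(SAMPLE_OVPN)
    for tag in ("ca", "cert", "key"):  # report presence only; never print the key
        print(tag, "present" if tag in blocks else "MISSING")
    print("remotes that depend on DNS:", hostname_remotes(SAMPLE_OVPN))
```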
twan69666 1 Posted ...

I had some sudden leaks I couldn't figure out, but changing a few settings that you mentioned in the DNS resolver helped. Thanks!
farquaad 14 Posted ...

Happy to see I can give back. You are welcome.
cm0s 118 Posted ... (edited)

that's a box i'd like to build myself and test on for a while need to put a pfsense box on the local maybe go from the cable modem to the ddwrt then to the pfsense box add some nics or extend with another router in switch mode basically see what i can come up with

Edited ... by tokzco
z0mghax0r 0 Posted ...

+1 used these after following the pfSense guide and got my leaky DNS fixed.
Casper31 73 Posted ...

According to ipleak, I had no leaks..., but with your DNS settings, it works completely. No need for Eddie anymore for "some" US sites. Thanks for sharing this info.
Gr, Casper
chuckhammerberry 2 Posted ...

I am using the DHCP server and specifying the AirVPN DNS IPs in there to pass on to the clients. I removed that and tried your DNS resolver settings (with DNS forwarder disabled) and got no internet connectivity (cannot resolve a web address). What am I missing here?

What I actually want to do is pass on Family OpenDNS to clients for added safety. The problem is that when I enter those DNS IPs (or any others besides the AirVPN ones) I get no connectivity.
Healey 0 Posted ...

Hi

I am very interested in trying your suggestion, but it looks like the link to the OpenVPN document mentioned in point 2 is not working! At least it is not working for me anyway.

Thanks