Tom here from Lawrence Systems, and we're going to go through how to set up a privacy VPN with pfSense, then do selective policy routing for different devices behind it to send them out different VPNs, and then put in a kill switch, so that if the VPN goes down it doesn't lead to something such as one of those devices just going out your WAN. We'll be covering all of that; everything's time-indexed down below.

We're going to be using OpenVPN with PIA. This is not a specific endorsement of PIA; I trust zero of these different privacy VPN companies. Matter of fact, a lot of people seem to have been oversold on them, because it's an easy thing to sell on the internet, so you'll see so many different YouTube channels and podcasts over-hyping VPNs. They are, well, not quite about security; they're more about privacy. If you would like to hide your traffic from your ISP, or you would like to hide your public IP from a website or some web application you're using, that's generally what these are used for. As I said, I trust none of these companies; it's not an endorsement for PIA, but if you're going to sign up for one, I do have an affiliate link down below, and that's as much advertising as I have for this video. This was not sponsored or endorsed, but hey, if you're going to use one, as I said, why not sign up through an affiliate link, because I have been using Private Internet Access for quite a while. I like the fact that a while back they donated money to audit OpenVPN and open source products, and I thought that was cool that they helped pay for the code audit, but I don't really have any good reason to use them or not to use them. I just want to reiterate one more time: I don't know the best company for this; I don't have any endorsements, recommendations, or sponsors on this particular video. All right, there'll be a companion forum post down below, and there's one last piece of advertising: if you want to learn more about me and my company, head over to lawrencesystems.com; if you'd like to hire us for a
project, there's a Hire Us button right at the top. If you want to support this channel, as always there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, and yes, there's an affiliate link for PIA VPN.

Now let's first start with this diagram. Specifically, I use diagrams.net; I've reviewed this tool before on my channel for doing drawings, and I want to explain how the privacy VPNs work. So we have our lab pfSense, and we have two different Linux systems behind it on two separate subnets. I just wanted to have a couple of different subnets to expand out the way this works, so you can repeat it if you do have, as many people do, multiple networks. Now with the lab pfSense, the blue lines represent your normal path, so it goes here to the pfSense. From the pfSense (we are doing all this in a lab, so it has a private IP address, but normally you would have your WAN with a public IP address that's assigned to you by your ISP), when you go to some online services, the online services will see your public IP address.

Now with a privacy VPN we take a little bit of a different approach, because we use OpenVPN to create an encrypted tunnel. The ISP sees the encrypted tunnel and sees that you're using a privacy VPN, but because you're encapsulating all the data within an encrypted tunnel, the only thing they know is that you went to the privacy VPN, and then the online services don't see your public IP address; they see whatever IP address was provided by the privacy VPN. Now, of note, in here we will talk about how to avoid DNS leaks. That's pretty simple to avoid, but that is one more aspect where, if you don't set this up properly, even though your encrypted tunnel traffic goes over here, your DNS queries can still go out over the public internet, so we will be covering that as well. And the kill switch is so that if for some reason this connection goes down and you have one of these devices routing through the privacy VPN, it doesn't
automatically start routing back out through your normal WAN. That can obviously cause some problems if you're trying to remain private and anonymous here. But of note, if you say "I don't trust my ISP" and you've chosen to pay a privacy VPN to obscure you, that means you have to trust these VPNs, and this is one of the reasons I said I don't have any particular recommendation or any specific one that I say I trust so heartily, because all it really takes is the privacy VPN company working with your ISP to tell whatever online service you connected to where this connection came from: the privacy VPN company knows your public IP address, and the online services know the public IP address provided by the privacy VPN. Therefore, in coordination, these companies, although they swear to never keep any logs, if they are subpoenaed or hijacked, that is something they would be able to provide. So just a heads up on that; I want to make sure that part's really clear on what this actually does.

All right, now to get into the setup. I downloaded the PIA Switzerland .ovpn file; this is something you can download right from Private Internet Access's website. I'll leave a link to their write-up, and I have all the download links in there to make it easy so you don't have to search their site for it. The first thing we need to do is put in a certificate. OpenVPN does use certificates to build trust, and in order to have that trust we're just pulling this out; you can also just download the .crt file from there. This is actually the whole OpenVPN file, but you can simply do it right here: we want to go from BEGIN CERTIFICATE to END CERTIFICATE, and we're going to do a copy. We go over here to our pfSense; now this is the version 2.5.2 release, this is set up in my lab, and by the way this system is not running pfSense Plus, but it would be the same if I was using a Netgate device with pfSense Plus. There's really no difference whether you use pfSense
or pfSense Plus for all the settings I'm going to be covering in this video. I'm going to go to System > Cert. Manager > CAs, and we're going to add one. Descriptive name: PIA; we're not going to get too creative here, call it whatever you want, I'm just going to call it PIA. Then we're just going to paste that in over here and hit Save, and if it doesn't give an error it should work. Look: name, Private Internet Access, and now we have the cert installed for PIA.

Now we can simply go over to VPN > OpenVPN, and we're creating a client. Now this is the part you have to really make sure you get right, and as I said, I'll be documenting some of this in a forum post, but follow along here; this is where people screw up the most, when they're going through and getting all these settings. Now I'll be pulling all the settings right from here, so this is going to be swiss.privacy.network on port 1198. You can actually create more than one of these, maybe create one for Swiss and one for another location; you can just keep duplicating this and it will keep working that way, but we're just going to be creating one for simplicity's sake. You can have more than one on a pfSense system. It was on port 1198; very important to make sure you get the port right. There we go; don't typo it like I just did. So these are the really detailed steps: go through each one of these and make sure you have everything in here that you need. Put in the username (I have a PIA username here) and throw in my password, and I guess I should probably give it a name here; let's call this "PIA VPN Swiss" so we know which one it is in case I create another one later. So we've got the username and the password. We'll scroll down, and we do not want to use the TLS key, so we're going to uncheck that. We can leave all of this the same except for this right here: Peer Certificate Authority needs to be PIA. We'll leave all these the same. All right, let's scroll down a little bit further, and this is
a really important box to check, or you'll be scratching your head for a little while: "Don't pull routes". By default, and this is specifically PIA but I mentioned lots of other VPN companies do this, they are trying to be helpful, and if they push routes they will, say, update the routing table inside whatever device is connecting, in this case pfSense, and it will change all your routing so everything from your pfSense goes out the VPN. Maybe that's a solution you're looking for, and that's fine, but you'll find quickly that if you try to squeeze everything over the VPN you'll not necessarily have the fastest internet; you may be adding a lot of latency. That's why this is about policy routing and only the things we want going out over the privacy VPN, so don't pull routes, because we're going to design our own routes later in the video. That's just an important aspect that you really want to have in here.

Now all this can be left the same; there's really not much to do here until we get to Custom options, and I'll have these so you can easily paste them in, or you can just type them in: persist-key; persist-tun; remote-cert-tls server; reneg-sec 0; auth-retry interact. These are just some settings in case it goes down, so it should hopefully reconnect faster after a disruption to the connection. So these are the couple of custom options that they say to put in, over from PIA; I put them in and didn't really have any problems with them. Go ahead and set IPv4, then we're going to click Save.

Now that we've saved that, the next step is: did it work? The quickest, easiest way to tell is you can read through the logs and scratch your head a little bit. I can see bytes sent, bytes received, I see an IP address assigned, and it's working. If you want it to reconnect again, I could just hit this right here and it would re-establish a connection, or I can stop the particular OpenVPN service; we want it running. If you wanted to disable the VPN, you can actually go back over here to OpenVPN >
Clients, edit, and disable this client, but for now we want it enabled.

The next step is, in order to use this as a gateway, we need to add it as a gateway, and it's pretty simple here. We're going to go to Interfaces > Assignments, and right there: "OpenVPN Swiss". Click Add, click on it, we'll call it "PIA Swiss", we're going to enable the interface, and that's it, just like this. No other settings really need to be set in here; just leave it alone and hit Apply, and this will give it another interface. Actually I called it "Swick"; close enough, I'm not going to change it without reassigning it. It's enabled, but you may have noticed this says "pending" when you add an interface. We're going to go here to OpenVPN, look at the status, and we're going to go ahead and just reload it. What this does is re-establish OpenVPN, and now it will automatically get that IP address assigned. If, when you add the interface, you don't restart the OpenVPN service, you'll end up with a conflict, so I just want to make a note to make sure you do that. So when we get back to this page here, which is going to think for a minute, we'll get back to the page and you'll see OpenVPN established and working and the IP address assigned to it. There we go: we've got this internal IP address assigned to it. It just connected, so it's going to show a little bit of packet loss; that's going to happen sometimes.

You can also choose, in the different gateways, to monitor whether or not it goes down. We're going to go over here to System > Routing, and we're going to go ahead and set this so we always know that the default gateway is going to be the WAN DHCP gateway, or whatever your gateway is, the default gateway, not this one here. Then we're going to go and just edit, and you can change whatever the monitor IP is; we'll actually just choose 9.9.9.9, which is just Quad9's DNS. Hit Save, Apply. That way it understands whether or not this gateway is down or up and what it's going to monitor, and it's going to see RTT and RTTsd there, so it's online; it's working. All right.
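Pulling the settings out of the .ovpn file by hand, as the client setup above does, is where typos creep in (the wrong port, or the CRL block pasted in where the CA belongs). The script below is an added example, not something from the video or from PIA: it extracts from a client .ovpn file the values the pfSense OpenVPN client form asks for (server host and port from the first `remote` line, protocol, cipher, auth digest) and the CA certificate block to paste into the Cert Manager. The sample .ovpn embedded in it is constructed for offline use; only the host name and port (swiss.privacy.network, 1198) come from the video, the cipher and auth values are illustrative, and the certificate and CRL bodies are placeholders.

```shell
#!/bin/sh
# Added example (not from the video or from PIA): pull the values the pfSense
# OpenVPN client form asks for out of a client .ovpn file, so they can be
# checked against what was typed into the GUI.

# Constructed sample .ovpn for offline use. Only the host and port match the
# video (swiss.privacy.network, UDP 1198); cipher/auth are illustrative and
# the CA and CRL bodies are placeholders, not real PIA material.
SAMPLE_OVPN='client
dev tun
proto udp
remote swiss.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
PLACEHOLDER-CRL-BODY-NOT-THE-CA
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY-LINE-1
PLACEHOLDER-CA-BODY-LINE-2
-----END CERTIFICATE-----
</ca>
disable-occ'

# Host and port come from the first "remote" line ($2 and $3). A .ovpn may list
# several remotes; one pfSense client instance takes one server host/port.
ovpn_remote_host() { awk '$1 == "remote" { print $2; exit }' "$1"; }
ovpn_remote_port() { awk '$1 == "remote" { print $3; exit }' "$1"; }

# Value of a one-argument directive such as proto, cipher or auth.
# Usage: ovpn_option FILE DIRECTIVE
ovpn_option() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# The block to paste into System > Cert. Manager > CAs. Match only the
# CERTIFICATE markers so the <crl-verify> block in the same file is skipped;
# pasting the CRL there is a classic "why won't it connect" mistake.
ovpn_ca_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# One line per GUI field, followed by the CA block.
ovpn_summary() {
    printf 'Server host or address: %s\n'    "$(ovpn_remote_host "$1")"
    printf 'Server port: %s\n'               "$(ovpn_remote_port "$1")"
    printf 'Protocol: %s on IPv4 only\n'     "$(ovpn_option "$1" proto | tr '[:lower:]' '[:upper:]')"
    printf 'Data Encryption Algorithm: %s\n' "$(ovpn_option "$1" cipher)"
    printf 'Auth digest algorithm: %s\n'     "$(ovpn_option "$1" auth)"
    printf 'Peer Certificate Authority: paste the block below as a new CA\n'
    ovpn_ca_cert "$1"
}

# Stand-alone run: write the sample to a temp file and print the summary.
# Point ovpn_summary at a real downloaded .ovpn to check your own entries.
OVPN_TMP=$(mktemp)
trap 'rm -f "$OVPN_TMP"' EXIT
printf '%s\n' "$SAMPLE_OVPN" > "$OVPN_TMP"
ovpn_summary "$OVPN_TMP"
```

The sed range is deliberately anchored on the CERTIFICATE markers rather than on any BEGIN/END pair: PIA's files also carry a `<crl-verify>` block, and the CA import will silently accept the wrong blob and then fail at connect time.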
Now for the next steps, we go to Firewall > NAT; this is where we create our outbound NAT rules. First make sure this is selected: Hybrid Outbound NAT rule generation (automatic plus rules). These are the automatic rules down here at the bottom, and we're going to add another rule. Interface: PIA Swiss; we only really need IPv4 for this, and for each subnet you have, of which we have two on this system, you create the rule like so. So the first one was 192.168.22.0, Save, and we can actually just duplicate the rule, and the other one is 192.168.40.0. Repeat this if you have more networks than this; it's only relevant to the networks you're going to be creating rules on, so if you are only ever going to create rules on that one subnet, you only really need one rule, but that's just where that's created. So go ahead and hit Apply Changes now that those are created.

Now comes the firewall alias, and I like to do this as an alias because it simplifies things a bit. We have over here a computer at 192.168.22.100, and the goal is going to be to take it from where it shows, Auburn Hills, or if we put country... This is just ifconfig.co; if you curl it and put this command, `curl ifconfig.co/country`, it'll tell you what country it thinks your IP address is in. If you omit country or city, it just gives you the IP address. So we have Auburn Hills here in the United States, so that's where it thinks I am; technically I'm in Southgate, Michigan, but we'll call it close enough. We're going to go ahead and add an alias; "Route over PIA" sounds like a good name, and these are simply devices that route over the VPN, and we type in the IP address of each of those. Now doing this as an alias means it's really simple; actually it's 192.168.22.100 for the first one, some Linux machine, and we hit Save. You could add as many hosts as you want down here; this is going to be a convenience factor if you want to dynamically move things in and out without having to edit the rules, but just change the aliases. You could throw something on there and right away it goes out over the
VPN, or delete it off there, hit refresh on the rules, and it goes away. So this is just a convenience factor so you don't have to put this IP address in more than one place; aliases are really convenient when you're building firewall rules.

Now let's go build the rules. Now, 192.168.22.100 was LAN2, so you'll see it right here: 192.168.22.1, that's our LAN2. So Firewall > Rules > LAN2. Firewall rules are processed in pfSense from the top down, so we have an allow-all rule down here, and we need to create a rule above that to be processed before that other rule, so we're going to hit Add, and hit the little "up" one so it goes there. Pass, LAN2, IPv4, change this to "any"; a lot of mistakes are made when you use just TCP, because, well, anything UDP or ICMP etc. will not work, so make sure that's switched over to "any". Source is going to be "Single host or alias", and we're going to use that alias that says "Route over PIA". Destination: any, that's perfectly fine, and this is "IP to be routed over PIA". Display Advanced, and this is where we've got to do some really specific things in here, including the beginning of our kill switch. We're grabbing the packets that come in that match the ones we want routed, and we want to add a tag to those packets. This tag is just used internally by pfSense; it doesn't do anything to the functioning of the TCP/IP stack, it's not actually changing the packet, but it's adding a tag while the packet traverses the rules within pfSense. So we'll say "private vpn only". Now I'm going to go ahead and copy this; actually I'm going to spell it right and then copy it, so "private vpn only". We're going to copy this tag because, unlike the aliases, tags don't autocomplete when you type them in here. So "private vpn only"; we'll get to why we did that in a second. Then we're going to choose Gateway: we don't want to go out the default gateway, we specifically want to go out the PIA Swiss VPN interface, so we're going to choose that and hit Save. So this is how the rule looks:
this rule grabs it and sends it out, "IP to be routed over PIA". Now the reason for adding the tag is because we're going to create a floating rule that is the kill switch. Now I've seen some debates on the internet about different ways of doing it; the reason for doing it this way is because, if you were to simply say "I'm going to route it" and then put a block under it for going out the other gateway, the problem can be that pfSense will, if you disable the VPN or something happens, a service stops and it loses the gateway, start routing things back out the default gateway. So now we're going to create a floating rule to grab that tagged traffic. So this always tags the traffic, and when we go over here to Floating, we're going to hit Add, and we're going to create a block rule, and we're going to say Block on WAN, any protocol (any, not just TCP), Display Advanced, and then, instead of the Tag field, we're going to paste the tag name into Tagged: matching tagged "private vpn only", block if it makes an attempt to escape out the WAN address. It's really that simple; you're just saying don't let it escape out the WAN address. So I'll actually go ahead and save; here's what the rule looks like. Save, Apply. So if it matches when it's going out the WAN it's going to drop it, and we should probably give it a name; I do highly encourage that everything get a description: "Block the alias for VPN going out over WAN", there we go, just so you know what it's doing when we do this. So we hit Save, and now you get an idea of what that rule does, and hit Apply. So if it sees a packet coming and it tries to go out, it's going to grab it and just stop it and throw it away. Of note, if you have more than one WAN, you may want to repeat this rule for each WAN you have, or gateway group, however you may have configured it; this lab setup only has a single WAN, therefore we only create a single rule with just the WAN listed in here.

Now the next question might be: does it work? Let's test it. So we're just going to hit an up arrow here, `curl ifconfig.co/country`, and
it thinks we're in Switzerland. Awesome; that's where it should think we are, and I'll show it now, because I can show the IP address, whatever IP address it's been assigned: it's 212.102.37.202. Now what happens? Let's go ahead and forcibly fail OpenVPN, so we're going to go over here to OpenVPN and we'll go to the client, and we'll just go ahead and disable it: "Disable this client", scroll all the way down to the bottom here, hit Save, and this will cause it to no longer have a VPN: "No VPN instance defined". What happened to our lab system here? If we curl ifconfig.co: actually nothing, it's just going to lock up, because the packets have nowhere to go. We go back over here to Firewall > Rules and we look at Floating: we see 240 bytes, because it sent some packets, you know, doing some requests, and they have nowhere to go, because this will grab them and say "nope". This is what it would have tried to do: try to go out the WAN. So pretty simple.

One thing of note here: if we go to our OpenVPN > Clients and we go ahead and re-enable this client, hit Save, so the VPN should be established (it establishes relatively quickly, there we go), go back over here, Ctrl-C because it hasn't timed out yet... hey, still not working. Wonder why? What happens is, because we completely disabled OpenVPN, if you have this problem, you can go over here to Status > Filter Reload, and we want to reprocess the rules. All this does is go through and refresh all the rules, because when we disabled it, that actually would have broken the interface we assigned, because it was completely disabled; we reassigned it, and it needs the rules to be reloaded in order to grab them and put them all back in. This is not something that happens if the VPN connection drops, necessarily; that won't cause an issue. Matter of fact, let's just go and confirm it's working: hey, look, we even got a different IP address this time. But for example, if we go over to VPN > OpenVPN > Status, and we actually
re-establish the connection just by doing this, it may get a different IP address again. We'll find out here in a second... oh, we got the same IP address, but without doing a rule refresh this should still work. It's going to take a second to re-queue the states, and there we go. Let's actually clear the screen and do it again so you can see it's up and running and working; I didn't have to reload the rules a second time, and if we ask for country, it still thinks I'm in Switzerland on this particular device. It's only if the interface gets disabled that you need to reload the filters; just an FYI in case you do something like that.

Now this is an optional thing you can do here: go to Service Watchdog. This is a service you can install; it's one of the packages under Package Manager. I've already installed it; you go to Service Watchdog and you can add OpenVPN as a service. When you add a new service you'll see all the different ones in here, and what Service Watchdog does is watch OpenVPN, or whatever you specify (and actually it'll watch each client you set up), and if it sees the service stop (not necessarily disconnect, because it's set to auto-reconnect; if for some reason something happens or someone at PIA reboots the server, it'll auto re-establish the connection), if the service itself for some reason goes down, you can actually just tell Service Watchdog, hey, just restart that. I haven't really seen this to be a huge issue; it's more of a safety net, just in case, to keep those things running in case the OpenVPN service for some unknown reason quits; you can just tell it to do this. I have on rare occasions seen it just get stuck, but it's so infrequent that I don't know why it gets stuck. That's basically what I've seen happen; I've seen it happen once every few months maybe, but not enough that I can really figure out the why, but Service Watchdog will restart the service. And it's never happened on my computers; it's just that clients have told me they've seen this, and comments I've seen in different forum
posts. So I would say this is optional, but usually, if I see a service failing, I want to first be notified of that service failing, so I'll have it send me notifications so I can investigate, usually a bigger why. But I'll just mention that this is in here in case you're looking for something to restart the service.

Now one quick and final note: we're going to go back over here to our firewall rules, and I mentioned we did this on LAN2 because that one device we have on here, of which we only had one right now, was on LAN2, but we also still have our regular LAN. The quickest way to get this over there would be to hit the copy button on the rule, change the interface to LAN here, scroll down to the bottom, hit Save. Now we're over on LAN; as I said, the rules are processed top down, so you want to make sure it catches this rule first, so that IP address hits this and goes out that gateway. Hit Apply; actually, you've got to drag it up, Save, then Apply. Right, now I've got the rule ordered right, and that's it; now I've added it to this other LAN. If you had five other ones, provided you also have an outbound NAT rule for each one of these, that's how you would duplicate it. That way all you have to do is go back over here to the aliases, and if we want to add the other system we could just edit this alias, add a host, put in the IP address of each host we want in there, and subsequently if you wanted to take that host out you would just delete it. At that moment you hit Save on this, Apply Changes reloads the rules, and now that one is processed as well, on the VPN or off the VPN, depending on however you want to set it up.

Now hopefully this video gave you a better understanding of how policy routing works in pfSense and how to use a privacy VPN. As I said in the beginning, I don't have any particular recommendations for one, but if you want to sign up for one and help the channel out, there is the affiliate link for PIA down below. I will have a forum link to have a more in-depth discussion on this particular topic, because
there's always questions or some whys, and I try to explain the whys as best as I can, but, well, that's what the forums are for, to have a little bit more in-depth talk about different scenarios, or maybe some other unique scenarios that you have. That'll be linked down below in the description, along with the other things I talked about, such as the PIA write-up on this topic. Thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
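The kill-switch test in the video (curl ifconfig.co/country with the client enabled, then disable the client and confirm curl just hangs instead of reporting the home country) is worth making repeatable, because the dangerous outcome is not "no answer" but a quiet answer from the WAN. The script below is an added example, not the video's or Lawrence Systems' code, meant to run on a client that is listed in the "Route over PIA" alias. It assumes the same probe the video uses, ifconfig.co/country, and the expected country "Switzerland"; the VPN/LEAK/BLOCKED verdict names and the PASS/FAIL wording are mine. The probe command is a parameter so the logic can be exercised offline with a fake probe.

```shell
#!/bin/sh
# Added example (not from the video): make the kill-switch check repeatable.
# Run on a client that is in the "Route over PIA" alias. The probe is the one
# the video uses, curl ifconfig.co/country, with a short timeout, because with
# the tunnel down and the floating block rule in place the packets are dropped
# and curl would otherwise hang.

EXPECTED_COUNTRY='Switzerland'   # assumption: country the VPN exit should report
DEFAULT_PROBE='curl -s --max-time 5 https://ifconfig.co/country'

# exit_verdict EXPECTED_COUNTRY [PROBE_COMMAND]
# Prints one word:
#   VPN      probe answered with the expected country (policy routing works)
#   LEAK     probe answered with some other country (traffic went out the WAN)
#   BLOCKED  no answer / timeout (kill switch dropped it, or no connectivity)
exit_verdict() {
    expected=$1
    probe=${2:-$DEFAULT_PROBE}
    country=$(sh -c "$probe" 2>/dev/null) || country=''
    if [ -z "$country" ]; then
        echo BLOCKED
    elif [ "$country" = "$expected" ]; then
        echo VPN
    else
        echo LEAK
    fi
}

# wait_for WANT EXPECTED_COUNTRY [TRIES] [PROBE_COMMAND]
# Poll once a second until the verdict equals WANT. States take a moment to
# settle after the OpenVPN client is re-enabled, so a single probe right after
# re-enabling can fail even though the setup is fine. Prints the last verdict
# and returns 0 only if WANT was reached.
wait_for() {
    want=$1; expected=$2; tries=${3:-6}; probe=$4
    v=''
    while [ "$tries" -gt 0 ]; do
        v=$(exit_verdict "$expected" "$probe")
        [ "$v" = "$want" ] && { echo "$v"; return 0; }
        tries=$((tries - 1))
        sleep 1
    done
    echo "$v"
    return 1
}

# kill_switch_ok VERDICT_WITH_VPN_UP VERDICT_WITH_VPN_DOWN
# The video's two-step test: with the client enabled the verdict must be VPN;
# with the client disabled it must be BLOCKED, never LEAK. Prints PASS or FAIL.
kill_switch_ok() {
    if [ "$1" = VPN ] && [ "$2" = BLOCKED ]; then echo PASS; else echo FAIL; fi
}

# Stand-alone run: one live probe. For the full test, record this verdict,
# disable the OpenVPN client in pfSense, run again, and feed both verdicts to
# kill_switch_ok. Offline this simply reports BLOCKED.
echo "current exit: $(exit_verdict "$EXPECTED_COUNTRY")"
```

Treating an empty answer as BLOCKED rather than as an error is the point of the timeout: with the floating rule in place the probe's packets are dropped at the WAN, which is exactly what the video shows as the hang after disabling the client. Only a LEAK verdict while the tunnel is down means the kill switch is not catching the tagged traffic.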