Hello Folks, I am wanting to set up my VPN on my pfsense box. I can do that easily enough, but I do have one snag. I work from home, and the company I work for is (justifiably so) very strict about routing the traffic from my work computer through my VPN. How can I bypass this? I can set up a firewall rule using an alias easily enough to get around the VPN, but how can I keep my work computer’s DNS requests from being resolved by the DNS Resolver? I did set up a static IP and specified the DNS server for my work computer, but my concern is that the DNS requests will still go through the outgoing gateway specified in the DNS resolver settings (which is the VPN) on their way to the DNS server I specified, OR would DNS requests also honor the firewall rule and pass straight through to the WAN, avoiding the VPN’s gateway? I’m fairly confident that this is how it will work, but my employer is pretty strict about this (as they’ve said something to me about it before) so I just want to be absolutely certain before I implement it.
You can do all of this in rules.
Set a rule on the LAN INTERFACE (assuming your computer is on the lan interface)
Set your computer’s IP as the source
- then if you don’t need any internal routing with that work computer - set the GATEWAY as your normal WAN
- if you DO need internal routing, you’ll have to create an Alias called “private IPs” and put all the private subnets in it: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Then add that to the rule with the NOT checkbox selected, and the private IPs as the destination. This will route any IPs routed to the internet out that WAN gateway.
For your DNS, you could add the DNS servers in your static IP rule to hand out… if they are public IPs (such as 8.8.8.8) that would automatically follow the above rule.
I wouldn’t recommend trying this at all, unless you’re comfortable being fired. If I had an employee wanting to do this with company-provided equipment and a locked-down system, and I found them doing this, it would be justification to show them the door. It’s company-issued equipment and you have the understanding of that and of using the company VPN for its purpose. I would tread carefully.
Your work computer should have a VPN client on it that routes everything through it. There should be no split tunneling at all.
If you want to keep the Remote DNS Server, use the following settings:
# reject route all traffic through vpn
pull-filter ignore "redirect-gateway"
# route only selected traffic through vpn
route 192.168.40.0 255.255.255.0
route 192.168.50.0 255.255.255.0
route 192.168.70.0 255.255.255.0
This will route only selected traffic through the VPN (e.g. for the subnets above).
You can also do it the other way around:
## redirect another network to NOT go via the VPN
route 192.168.10.0 255.255.255.0 net_gateway
route 192.168.40.0 255.255.255.0 net_gateway
This will route everything through VPN, except the named subnets.
If you want to reject the remote DNS, use:
pull-filter ignore "dhcp-option DNS"
In this case, your local DNS will continue to be used.
If you require DNS for your office network, but want to reject office (=remote) DNS, there is afaik no way around editing the local hosts file and adding the DNS entries that you want to use manually.
Fantastic. That sounds similar to what I was thinking. Although I’ve used pfsense for a while now I’m not really that versed in networking. If I strictly need the device to function and don’t want to do anything else with it other than what I’ve already mentioned I would not need to do any internal routing correct? My network is very simple: Just the vpn, no vlans, and pfblocker. Thank you!
I’d like to say that this saved me a lot of headache. I *was* in a very similar situation, trying to set up a VLAN to keep my work computer (which has its own VPN) from using the LAN. I just couldn’t get my rules correct. When I saw this suggestion, that was it.
I’ll revisit VLANs later this week or something (I need to for IoT), but this will keep Security from getting suspicious IP alerts on the network and my work system operating normally.
Cheers!
Thanks for the advice, but I think you may be misunderstanding (maybe I just worded the post poorly). I have a personal subscription to Nord VPN that I want to set up on my pfsense box. I just want to make sure my company provided computer doesn’t mistakenly route traffic through that VPN so I can stay in line with company policy.
A lot of times yes, but my last company did everything cloud-based… no VPN required through O365 or the other SSO applications. Some had 2FA enabled, but from a network perspective it was a company laptop without VPN… it just needed internet access.
This was great because I didn’t need split tunneling for my printer, etc. at home.
Yep - by internal routing, I meant say you had a VLAN for IoT or Media or other stuff - on a separate network - you would need to setup your rules to support that.
If all your traffic is going strictly LAN > WAN then the above rule will work just fine.
OK, based on the way you’re describing it now, let me clarify if I’m understanding it correctly. You have a NordVPN client set up in your pfsense, but you don’t want your work laptop traffic to be routed through the NordVPN at all and essentially have it skipped?
If that’s the case, then yes, this can be pretty easily done: just create a LAN firewall rule using an alias for your work laptop, without a gateway, placed before the firewall rule that sends everything else out over NordVPN. This is actually exactly how I have my own pfsense, as I selectively want only certain traffic going over my NordVPN, so I add and remove hosts from the firewall alias as necessary.
Perfect. I appreciate it!
That’s correct, yes! And if I specify the DNS in the static mapping it will also bypass the DNS resolver (since it uses the VPN as its outgoing gateway), correct?
If you set a rule for your work PC’s LAN IP, it will apply to all protocols and ports, including DNS.
In the DHCP static mapping you have for your work computer, yes, make sure to specify an alternate DNS server other than your pfsense so your work computer doesn’t send DNS requests to your pfsense.
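As an added example (not code from this thread, from pfSense, or from any poster), the following Python model checks the two points made in the thread: the LAN rule from the earlier post (work PC as source, "private IPs" alias negated as destination, WAN as gateway, placed above the NordVPN catch-all) and the DNS point just above, that a rule on the work PC's IP covers every protocol and port, so DNS only stays off the VPN if the static mapping hands out a server other than pfSense itself. All addresses, alias names and gateway names are constructed assumptions. The model keeps two pfSense behaviours: rules are evaluated top-down with first match winning, and a rule without a protocol restriction matches everything. It ignores default-deny details and the fact that same-subnet LAN-to-LAN traffic never transits the firewall.

```python
"""Model of how pfSense evaluates the LAN rules described in this thread.

Added example, not code from the thread or from pfSense. Addresses, alias
names and gateway names are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# The "private IPs" alias from the thread: the three RFC 1918 ranges.
PRIVATE_IPS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PFSENSE_LAN_IP = ip_address("192.168.1.1")   # assumed LAN address of the pfSense box
WORK_PC = ip_address("192.168.1.50")         # assumed DHCP static mapping for the work laptop
HOME_PC = ip_address("192.168.1.60")         # assumed ordinary LAN host


@dataclass
class Rule:
    name: str
    source: Optional[IPv4Address] = None                    # None = any source
    dest: List[IPv4Network] = field(default_factory=list)  # empty = any destination
    dest_not: bool = False                                  # the "NOT" (invert) box on the destination
    gateway: Optional[str] = None                           # None = no gateway, use the routing table

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # No protocol/port fields: like the thread says, the rule covers all of them, DNS included.
        if self.source is not None and src != self.source:
            return False
        if not self.dest:
            return True
        in_alias = any(dst in net for net in self.dest)
        return not in_alias if self.dest_not else in_alias


def pick_gateway(rules: List[Rule], src, dst) -> str:
    """Gateway chosen by the first matching rule ('default' = routing table, no policy route).

    Forwarded traffic only; LAN traffic that no rule passes is blocked by pfSense.
    """
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.gateway or "default"
    return "blocked"


# Correct ordering: the work-PC bypass sits ABOVE the catch-all NordVPN rule.
LAN_RULES = [
    Rule("work PC to non-private -> WAN", WORK_PC, PRIVATE_IPS, dest_not=True, gateway="WAN_DHCP"),
    Rule("everything else -> NordVPN", gateway="NORDVPN"),
]

# Same two rules in the wrong order: the catch-all matches first and the bypass never fires.
LAN_RULES_WRONG_ORDER = list(reversed(LAN_RULES))


def dns_path(dns_server, rules: List[Rule] = LAN_RULES, resolver_outgoing_gw: str = "NORDVPN") -> str:
    """Where a DNS query from the work PC ends up, given the server its static mapping hands out.

    A query addressed to pfSense itself is not forwarded: it terminates in the DNS
    Resolver, which then sends its own lookups out the outgoing interface set in
    the resolver settings (the VPN, in this thread). Any other server is an
    ordinary LAN-to-WAN packet and follows the LAN rules like any other protocol.
    """
    dns_server = ip_address(dns_server)
    if dns_server == PFSENSE_LAN_IP:
        return f"resolver -> {resolver_outgoing_gw}"
    return pick_gateway(rules, WORK_PC, dns_server)


if __name__ == "__main__":
    for label, ruleset in (("correct order", LAN_RULES), ("wrong order", LAN_RULES_WRONG_ORDER)):
        print(f"[{label}]")
        print("  work PC -> 8.8.8.8     :", pick_gateway(ruleset, WORK_PC, "8.8.8.8"))
        print("  home PC -> 8.8.8.8     :", pick_gateway(ruleset, HOME_PC, "8.8.8.8"))
        print("  work PC -> 10.20.30.40 :", pick_gateway(ruleset, WORK_PC, "10.20.30.40"))
    print("DNS handed out = 8.8.8.8     :", dns_path("8.8.8.8"))
    print("DNS handed out = pfSense LAN :", dns_path(PFSENSE_LAN_IP))
```

The third line of each ruleset's output is the "internal routing" caveat from the earlier post: with the negated private-IPs alias, work-PC traffic to another private subnet falls through to the catch-all and would take the VPN unless a further rule above it handles that subnet.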
That’s just what I thought. Thanks for the help!