Comments on: Setting up VPN client on your pfSense (Surfshark) with Kill switch

By: Thiago Crepaldi

Thiago Crepaldi — Tue, 01 Nov 2022 23:15:24 +0000

In reply to Thomasky.

How did you diagnosed the DNS leak? Have you checked https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/, in specific the section “Verify everything works”? It describes a possible false-positive when DNSSEC is enabled

By: Thomasky

Thomasky — Mon, 31 Oct 2022 20:43:06 +0000

HI Guys,

I have tried to follow this guide and my vpn is working fine and kill switch also works. Only I still have a DNS leak when iam connected trough my Surfshark VPN. Does someone have a solution for this?

By: Thiago Crepaldi

Thiago Crepaldi — Sat, 30 Jan 2021 23:29:49 +0000

Actually I do use several simultaneous Open VPN client connections on my pfsense and they all work. There is a catch, though. When your surfshark connections succeeded, check their “Virtual Address”. If they happen to be assigned the same address, one of them will not work. A workaround is to restart one of the connections until different virtual addressed are assigned to all of your Surfshark connections

By: Simon

Simon — Fri, 29 Jan 2021 07:42:40 +0000

Thank you so much for this great tutorial. I use option 2 with my OPNsense and it works like a charm. I tried to use a second VPN client with an other Surfshark host adress for a different PC. But 2 Surfshark VPN client instances at the same time seems not to work. I guessed the reason is that both clients use the same wan ip and come up in the same virtual network area (e.g. 10.8.8.0/24).

Greetings
Simon

By: Thiago Crepaldi

Thiago Crepaldi — Sun, 24 Jan 2021 22:02:35 +0000

Hey Michael, which part of the DNS config did you get confused? I can try to rewrite and clarify!

The RFC1918 alias is created so that we can easily create firewall rules that separate traffic from private LANs (defined at RFC 1918) from traffic coming from Internet. In this tutorial, we created a rule that allowing traffic to pass coming from the specific PCs (alias VPNCLIENT_USA_DEVICES) towards Internet (which is inverted match of RFC1918). You could get away with “any” in the destination too, but I always try to be as restrictive as possible with what the firewall allows

By: Michael Konowaluk

Michael Konowaluk — Sat, 16 Jan 2021 05:58:49 +0000

Hey thanks so much for this. I tried following the surfshark guide but it seemed so outdated. Glad to have found this. Im still trying to wrap my head around the DNS configs and use cases for RFC and why exactly it needs to be setup that way but im glad I got it working. Before I had just been setting the gateway for the rules I wanted passed but couldnt figure why it wasnt working.

By: Thiago Crepaldi

Thiago Crepaldi — Tue, 22 Dec 2020 22:28:27 +0000

It happens the Gateway field on the DNS configuration page is not used for this kind of scenario. Currently, DNS servers are a global configuration, so you have to either put pfSense behind the VPN or not. I am adopting Cloud Flare for my setup

By: buzz

buzz — Mon, 21 Dec 2020 01:01:14 +0000

any news from Netgate ????

By: Buzz

Buzz — Tue, 08 Dec 2020 16:11:56 +0000

Thx Bro,
i the mean time ..i am going to save my pfsense setup en reinstall it with your Guides

mant thx

By: Thiago Crepaldi

Thiago Crepaldi — Tue, 08 Dec 2020 02:19:08 +0000

Yup, I can confirm this is happening here. To really hide your DNS requests, you have to apply Surfshark (or even opendns server) to all your network (selection None as gateway)

I will try to find out more details with Netgate. There is something wrong about this dns gateway thing