How to: Proper partial network VPN with "kill switch"

Yes you can do that with a regular firewall rule. This walkthrough isn’t really applicable to that case however. In that case you simply need a LAN rule which blocks your source address from talking to anything which is not your destination address.

Actually I didn’t! Really wish I had found yours while I was getting this going myself because that would have been a great thing to find. I did use some work from others who worked out how to get the outbound tagging block to work which I couldn’t get done because it doesn’t work as a non-floating rule for some reason.

Hey, I’m happy to help debug this for you. I have a machine with multiple NICs that this is running on as well, so there are a variety of options available to you. How do you have OPT 1 configured?

You have to set “Don’t pull routes” along with “Don’t add/remove routes”

Thanks for pointing this out. Although some time has passed since all of my clients resided on my LAN interface, I don’t believe I encountered the issue you mentioned. However, many changes have rotated within my setup, so I could be mistaken. Since I moved the clients I wished to bypass the VPN over to a VLAN, this is of no consequence to my particular setup. I would like to know why you are denying the pia_redirect access to UPnP instead of denying by default and entering those clients you wish to have UPnP access (not knocking your setup by any means, I’m just curious and eager to continue learning). Are you able to use DNSBL for your VPN clients (again curious; the PIA ad blocker was not as effective as some DNSBL lists)? I look forward to your reply :) and believe through discussion we all may learn a little bit.

Encrypt from them everything, leave for the ISP nothing!
(paraphrased movie quote).

No worries mate! Good guide regardless!

Awesome, much appreciated. This is pretty stressful.

Besides defaults and empty fields, OPT 1 is configured as…
IPv4: Static
IPv6: None
IPv4 Address: 192.168.56.1 (upstream gateway none)
Reserved Networks: both unchecked

The address of the client I want VPN’d is static, outside the dynamic range. As for Firewall Rules, they’re exactly like your LAN’s in your example.

If the VPN goes down, which makes the DNS go down, is that a bad thing that could leak my IP as well? Or is it just something I would have to restart? Because I don’t really care if I just have to restart.


Ah! I’ve almost got it! My problem was that I had forgotten that I had made my client’s DNS nameservers static to OpenVPN’s (from the client itself), which is why my IP was leaking. Now that I removed that, so that the router is the one to give the DNS, I’m getting the IPs from freeDNS servers (which I chose instead of Google’s like in your example). So now I changed them to OpenVPN’s and I’m getting 5 IPs, with “my ISP” being OpenDNS’s servers from another country (of my choosing from PIA’s).

Is this bad, though? To clarify, I don’t see my ISP IP on dnsleaktest.com or ipleak.net. I see PIA’s provided IP and then the DNS providers’ IPs on extended tests from the country I chose from PIA.

Thank you, you saved me from pulling all my hair out! Once I checked “Don’t Add/Remove Routes”, my setup started working.

I don’t have the second one enabled and mine’s been working fine for 6 months.

Honestly, the reason I have global UPnP is that I have multiple consoles in and out of the network semi-regularly and don’t want to make sure they get whitelisted IPs every time. Unfortunately consoles really need UPnP to function correctly. If you are not in a situation where UPnP is beneficial to you, I would just turn it off or create a whitelist scenario like you suggest.

As for DNSBL on my VPN clients, no I can’t. That is the major drawback of the external DNS solution. If I were able to get a proper failover approach working for the DNS resolver I would absolutely do it.

My current theory, which I will be checking out today after work, is to create a gateway group between my VPN and the WAN with failover, then have the DNS Resolver target this group. I believe this means that the DNS Resolver will be limited to IPv4 addresses, however, as the VPN is limited to IPv4. A firewall rule setting the default gateway for the DNS Resolver would be vastly superior, as IPv4 traffic (which is the only way VPN clients can reach it) will always go out the VPN, and IPv6 traffic will still go out WAN.

Yeah, part of the reason I don’t do that is my naked internet connection is much faster than the VPN connection. Still, I like the quote :)

Can you screenshot your rules for me please? :) Also show me your interfaces in the dashboard, or just make sure the VPN interface shows an IP in the dashboard. Please make sure you don’t include public IP addresses in any screenshots.

Once again, thanks for the reply. Using DNSBL was a must for my particular setup. I’m glad to see there are multiple ways to achieve the same goal based on our own unique setups.

Sorry for the late reply. I went to bed right after, but I’ll be online all day trying to tackle this issue today. I’ll take screenshots of everything, actually. It will take me some time. Thanks! I really want to make this work since I can’t use the VPN from the client itself ever since I switched from a normal router to my pfSense build!

Step 1: https://drive.google.com/file/d/0B-mywoDtoOYkaEF4TE9qdzlZTVk/view?usp=sharing

Step 2: https://drive.google.com/file/d/0B-mywoDtoOYkM3lYV3cwSVZMbWc/view?usp=sharing

Step 3: Set up exactly like PIA’s but with “Don’t pull routes” as well

Step 4: https://drive.google.com/file/d/0B-mywoDtoOYkZFBkRVM3a081bDQ/view?usp=sharing

Step 5: http://i.imgur.com/8MqQHpq.png (this is your image because it looks identical to mine)

Step 6: https://drive.google.com/file/d/0B-mywoDtoOYkcGM3ZHo5cXltdEE/view?usp=sharing
The setup on each rule is exactly like yours, with even the tags and everything, copied on all interfaces. In the OpenVPN system logs I get “Initialization Sequence Completed”, but I can’t connect to my VPN through the Raspberry Pi client. Before this setup I could connect to the internet (ISP IP), but after it I can’t connect at all, although I do have internet on all other machines (regardless of which interface they’re in) through the ISP.

Step 7: https://drive.google.com/file/d/0B-mywoDtoOYkeDR6M2VRd24ydTg/view?usp=sharing

Step 8: https://drive.google.com/file/d/0B-mywoDtoOYkUl9jMEdhREQwLWc/view?usp=sharing
I have the kill switch FW rule disabled in the image. When I enable it, I am completely cut off from the internet. Also, OpenVPN is down. Reloading won’t change its status to Up. Oh, and rebooting the whole system doesn’t help.

https://drive.google.com/file/d/0B-mywoDtoOYkRVNLTURTSmZoT3c/view?usp=sharing
This is an image of the Gateways & part of the Dashboard (ignore OPT3, that’s my wireless router that I disconnected).

To add to the discussion, perhaps views for the DNS Resolver would be what we’re looking for (group A would use the resolver through the VPN, group B would use the resolver through the WAN). More research is needed, but BIND comes to mind. Any thoughts on this? Using my approach one could easily enough assign DNS servers via static mapping (although this may not be optimal, it would prevent the loss of total connectivity for those devices not accessing the VPN). I welcome discussion and thoughts.

Your Floating rule for PIA_NO_WAN_EGRESS is incorrect. You have it marked as “Tag” not “Tagged”. You are blocking all traffic and tagging it.

Move the PIA_NO_WAN_EGRESS to the “Tagged” box instead of the “Tag” box in the floating rule.
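To make the Tag/Tagged distinction concrete, here is what the GUI rules from this thread look like as a pf rule set, with the broken floating rule kept alongside the corrected one. This is an added illustration written for this thread, not pfSense’s generated ruleset; the interface names, the gateway address and the client table contents are assumptions.

```pf
# Added illustration (not pfSense's generated rules). Interface names,
# the VPN gateway address and the client addresses below are assumed.
lan_if = "em1"
wan_if = "em0"
vpn_if = "ovpnc1"        # OpenVPN client interface for PIA
vpn_gw = "10.0.0.1"      # assumed tunnel gateway
table <pia_clients> { 192.168.1.50, 192.168.56.10 }   # assumed static clients

# LAN rule, "Tag" field set: "tag" WRITES the mark onto matching packets
# and policy-routes them into the tunnel. Because the route is forced here,
# the OpenVPN client runs with "Don't pull routes" so PIA's pushed default
# route does not redirect the rest of the network.
pass in quick on $lan_if from <pia_clients> to any \
     route-to ($vpn_if $vpn_gw) tag PIA_NO_WAN_EGRESS keep state

# WRONG floating rule (the one in the screenshot), "Tag" field set:
# it matches EVERY packet leaving the WAN, tags it and blocks it,
# which is why enabling it cut off all internet access.
# block out quick on $wan_if tag PIA_NO_WAN_EGRESS

# CORRECT floating rule, "Tagged" field set: "tagged" READS the mark,
# so only packets marked on the LAN rule are matched. If the tunnel is
# down and the kernel falls back to the WAN, those packets are dropped
# instead of leaking the client's traffic over the ISP.
block out quick on $wan_if tagged PIA_NO_WAN_EGRESS

# Marked traffic leaving through the tunnel itself is still allowed.
pass out quick on $vpn_if tagged PIA_NO_WAN_EGRESS keep state
```

With the tunnel up, a VPN client's traffic only ever exits via `$vpn_if`; with it down, the client loses connectivity rather than falling back to the WAN, which is the kill switch behaviour the thread is after.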

I believe this would require usage of BIND as you suggest, something I am rather loath to set up just to get DNS rolling for the VPN clients. It would be nice if Unbound supported views.