2. Run the Command prompt as administrator by right-clicking on it to get that option (Start > All Programs > Accessories > Command Prompt).
3. Type in the following, and then hit enter:
4. You should get back something that says "Resetting Global, OK! Resetting Interface, OK! Restart the computer to complete this action."

Close the black command prompt window and restart the computer. This will reset all your IP settings and should allow you to connect.

The "geo" there means it's very likely it's using some kind of geo-location system to try to find the closest server. It's also very likely that it'll use that to make sure people always hit a working server, i.e. it'll drop the IPs for any non-working servers from the list and, if all local servers are offline, it'll send you to a server group further out. I should also point out that the actual IP address will tend to change over time as the provider upgrades their hardware. So, you CAN look up the IP address and use that, but it'll very likely hurt you badly sooner or later. Using the name is the only way to get the full service; anything else means you're more likely to hit various issues.

With manually set outbound NAT - plus hairpin NAT and proxy helper for self-hosted domain resolution due to the VPNs - each gateway (vpn.ac, NordVPN, AirVPN, PIA) has its own route to the 'real' WAN to maintain a connection 24/7.

If you can't trust your ISP's DNS servers, either set up one yourself (not an option for many) or use either Google DNS or OpenDNS.

Extra locations and servers can be added trivially if or when the need arises.

Originally I was running a single VPN and didn't know much about how to add (or even load balance between) a second or more. As I said, though, I've been busy playing with FreeBSD (11.1p10, Mate Desktop) for a few days and digging around in ports and the networking stuff. Now I have it set so that all VPNs idle 24/7, all have NAT routes out via the main WAN gateway, and LAN access (or even individual client access) is controlled by pf rules like this:

* Pass, Source: LAN NET, Destination: ANY, Gateway: 'desired VPN or WAN gateway'
* Block, Source: ANY, Destination: ANY, Gateway: VM WAN

The second rule makes it impossible for the VPN to leak, as, if the local clients can't resolve via the desired VPN gateway (chosen in rule 1), by default they would fall back to the 'normal' VM Gateway. With rule 2 in place, they now simply have all their packets dropped until I fix it again. DNS is resolved separately per interface (VPN DNS per VPN interface, SecureDNS with DNSSEC over TLS for WAN).

For those who don't know, firewall rules (certainly in pf, ipfw, iptables etc.) are read and used in order from top to bottom.
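The two-rule "pass to the VPN gateway, then block everything that would still leave via the real WAN" pattern above, written as a raw FreeBSD pf.conf fragment. This is an added example, not the poster's configuration; the interface names, LAN network and VPN gateway address are assumptions, and one point the GUI hides is made explicit: plain pf uses last-match semantics, so `quick` is what gives the rules the top-to-bottom, first-match behaviour the post relies on.

```pf
# Added example (not the poster's config). Names below are assumptions.
ext_if  = "em0"               # the 'real' WAN (the "VM WAN" gateway side)
lan_if  = "em1"               # LAN-facing interface
vpn_if  = "tun0"              # the chosen VPN tunnel interface
lan_net = "192.168.10.0/24"   # constructed LAN network
vpn_gw  = "10.8.0.1"          # hypothetical VPN-side gateway address

# LAN clients are source-translated to the tunnel address so their traffic
# can only be answered through the VPN.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# pf evaluates the LAST matching rule unless a rule carries "quick";
# "quick" is therefore required to get the first-match ordering the post
# describes ("rules are read and used in order from top to bottom").

# Rule 1 (Pass, LAN NET -> any, Gateway: VPN): accept LAN traffic and steer
# it into the tunnel with route-to instead of the default route.
pass in quick on $lan_if from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state
pass out quick on $vpn_if from ($vpn_if) to any keep state

# Rule 2 (Block, any -> any, Gateway: WAN): any LAN packet that still reaches
# the real WAN (for example when the tunnel is down and route-to cannot apply)
# is dropped rather than silently falling back to the ISP path.
block out quick on $ext_if from $lan_net to any

# The firewall's own WAN traffic (the VPN client session itself, the WAN
# DNS resolver) stays allowed; it never originates from $lan_net.
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then take the tunnel down and confirm from a LAN client that no packets appear on `$ext_if` (`tcpdump -ni em0 net 192.168.10.0/24`) before trusting it as a kill switch.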