[pfSense] Transparent Darknet Access

parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Postby parityboy » Thu Dec 22, 2016 7:22 pm

Last night I set up a pfSense VM in VirtualBox to test out some private LAN configs. Everything is working as expected, including protecting the private LAN with a Cryptostorm instance.

However, the one thing that doesn't seem to work correctly with this config - having the router initiate the VPN connection - is the transparent .onion and .i2p access. The VMs on the private LAN use the pfSense instance as their DNS, so really the DNS forwarder should pick up the in-tunnel DNS as its authority.

In General Setup, the DNS of the test node is assigned to the network interface of the VPN connection, so really the DNS queries forwarded from the LAN should be sent along the VPN tunnel to the DNS instance on the exit node.

Without the Domain Override, I get this:

Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find 3g2upl4pq6kufc4m.onion: No answer


Using a Domain Override I get this:

Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   3g2upl4pq6kufc4m.onion
Address: 10.99.146.239


However, trying to connect to the onion site in a browser results in the browser hanging, stuck on "Looking up 3g2upl4pq6kufc4m.onion..." - this could be because the router is still attempting out-of-tunnel resolution.

Has anyone gotten this to work? Thanks. :)

Fermi
Site Admin
Posts: 218
Joined: Tue Jun 17, 2014 11:42 am

Re: [pfSense] Transparent Darknet Access

Postby Fermi » Thu Dec 22, 2016 8:35 pm

This article, although it refers to a competitor, could guide you:
https://nguvu.org/pfsense/pfsense-2.3-setup/

/fermi

parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: [pfSense] Transparent Darknet Access

Postby parityboy » Fri Dec 30, 2016 5:27 am

@Fermi

Yeah, I looked at that guide, unfortunately it was of no help. pfSense does allow its DNS server list to be overridden, but that only applies to the WAN interface, not the VPN interface.

parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: [pfSense] Transparent Darknet Access

Postby parityboy » Fri Dec 30, 2016 7:41 am

@Fermi

OK, I have a better sense of what is going on here. For seamless access to I2P and Tor websites, you have to create a Domain Override. However, when creating the override, you MUST specify the IP address of the DNS server sitting on that particular exit node. Alternatively, you can specify "#" and then place the DeepDNS server in System->General Setup->DNS Server Settings.

If you specify the IP address of any other DeepDNS server, you'll still get back an IP address in the range 10.x.y.z, but it won't match the range used by the VPN tunnel you're currently connected to, and any attempt to contact an I2P or Tor service results in a "Connection Reset" error.

Obviously this is mildly annoying when using pfSense (and maybe every other router too), because it means you have to use the same exit node all the time. The global balancer is also a no-no, because again you'd have to manually update the config with the IP of the DeepDNS instance running on the exit node you're currently connected to.

See here for a possible solution. :)
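A quick way to catch the mismatch described in the post above before a browser hangs on it: compare the address your Domain Override hands back (and the DeepDNS server the override points at) against the subnet of the tunnel interface pfSense is actually connected through. The script below is an added example, not code from the thread or from pfSense. It assumes the OpenVPN client interface is named ovpnc1 and shows FreeBSD-style ifconfig output, assumes the in-tunnel DeepDNS server and the 10.x.y.z addresses it maps .onion/.i2p names to fall inside that interface's netmask (which is what the post implies by "the range used by the VPN tunnel"), and uses constructed ifconfig and nslookup samples; only the 10.99.146.239 answer is taken from the thread.

```python
import ipaddress
import re

# Constructed sample of `ifconfig ovpnc1` on pfSense (FreeBSD ifconfig syntax).
# The interface name, local/peer addresses and netmask are assumptions.
IFCONFIG_SAMPLE = """\
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet 10.99.146.6 --> 10.99.146.5 netmask 0xffffff00
"""

# Constructed nslookup output in the shape the thread shows: override points
# at the DeepDNS instance on the node we are tunnelled to.
NSLOOKUP_SAME_NODE = """\
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   3g2upl4pq6kufc4m.onion
Address: 10.99.146.239
"""

# Constructed output for an override pointing at some *other* node's DeepDNS:
# still a 10.x.y.z answer, but not one this tunnel can reach.
NSLOOKUP_OTHER_NODE = """\
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   3g2upl4pq6kufc4m.onion
Address: 10.31.33.7
"""

_INET_RE = re.compile(
    r"inet (\d+\.\d+\.\d+\.\d+)(?: --> \S+)? netmask (0x[0-9a-fA-F]{8})"
)


def tunnel_network(ifconfig_text):
    """Return the IPv4 network of the tunnel from FreeBSD ifconfig output."""
    m = _INET_RE.search(ifconfig_text)
    if m is None:
        raise ValueError("no IPv4 'inet ... netmask 0x...' line found")
    addr, mask_hex = m.groups()
    # FreeBSD prints the mask as hex; turn it into dotted form for ipaddress.
    mask = ipaddress.IPv4Address(int(mask_hex, 16))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def answered_addresses(nslookup_text):
    """Collect the answer-section addresses from nslookup output.

    The first 'Address:' line is the resolver (127.0.0.1#53) and is skipped;
    only lines after 'Non-authoritative answer:' are treated as answers.
    """
    addrs = []
    in_answer = False
    for line in nslookup_text.splitlines():
        if line.startswith("Non-authoritative answer:"):
            in_answer = True
            continue
        if in_answer and line.startswith("Address:"):
            addrs.append(ipaddress.ip_address(line.split(":", 1)[1].strip()))
    return addrs


def check_override(ifconfig_text, override_server, nslookup_text):
    """Return a list of problems; empty means the override matches the tunnel.

    override_server is the IP configured in the pfSense Domain Override for
    'onion' / 'i2p'. Both it and every answer must sit inside the tunnel subnet,
    otherwise connections to the mapped address are sent nowhere useful.
    """
    net = tunnel_network(ifconfig_text)
    problems = []
    server = ipaddress.ip_address(override_server)
    if server not in net:
        problems.append(f"override DNS {server} is outside tunnel {net}")
    answers = answered_addresses(nslookup_text)
    if not answers:
        problems.append("no answer returned; override not applied?")
    for a in answers:
        if a not in net:
            problems.append(f"answer {a} is outside tunnel {net}; expect reset")
    return problems


if __name__ == "__main__":
    # Assumed: DeepDNS on this node listens on the tunnel gateway address.
    for label, server, out in (
        ("same node", "10.99.146.1", NSLOOKUP_SAME_NODE),
        ("other node", "10.31.33.1", NSLOOKUP_OTHER_NODE),
    ):
        print(label, check_override(IFCONFIG_SAMPLE, server, out) or "OK")
```

On a real box, feed it the output of `ifconfig ovpnc1` and `nslookup 3g2upl4pq6kufc4m.onion 127.0.0.1` instead of the constructed samples; an empty problem list for the current tunnel is the condition the post says you need, and the "outside tunnel" message is the configuration that produces the "Connection Reset" behaviour when you switch exit nodes without updating the override.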

