Installing the AirVPN .ovpn and cert in pfSense is simple. I asked for a trial and started testing today, and AirVPN is absolutely faster than my previous VPN provider.

 

Best regards.


Hi, I have just followed this excellent guide!

 

I have a few concerns with the guide, so maybe knicker or other users could correct me if I am wrong.

 

Would it be possible to update the guide so it reads like this at the beginning?

 

Go here to generate an openvpn config file: https://airvpn.org/generator/#

Read the More help (in blue) link if you require help to generate one.

 

 

Also, this may look better here:

 

  • Open the CA.CRT file (right click and open with Notepad/WordPad) and copy/paste the first certificate (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) into the certificate data field
  • Click save (leave the other field empty)
  • Click on the tab Certificates and click on the plus button as seen here

 

Also the next section, the one most get confused about; perhaps this will look better?

 

  • Give it a description like: certificate airvpn. Ensure that "Import an existing certificate authority" is selected.
  • Open the USER.CRT file (right click and open with Notepad/WordPad) and copy/paste the second certificate (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) into the certificate data field

So in the certificate data field it looks like this:

 

-----BEGIN CERTIFICATE-----

Should have random numbers and letters from your user crt file and then should end with

-----END CERTIFICATE-----
 

(Please note most will copy and paste the entire contents of user.crt, so you will not see it begin with -----BEGIN CERTIFICATE----- straight away; you must scroll up or down and search for -----BEGIN CERTIFICATE-----, delete all other contents so it starts with -----BEGIN CERTIFICATE-----, and make sure it is on the very top line (press backspace a few times to make sure it is on top), so it looks like the certificate data field above.)

 

 

I think the above may sound better and help out newbies like myself; that 2nd certificate sure gives anyone fits when trying to explain it, and hopefully it means less work for AirVPN staff and less headache for yourself!

 

Now the next part of your guide is the one I found the most difficult. Perhaps I am doing it incorrectly, but I found the "interface" of WAN in the guide never works; after installing it 4 times, the only way I could get it to work was to set it to LAN instead. Is this wrong in your guide or just me?

 

When I select WAN it brings up an error that says "the following input errors were detected an IPv4 protocol was selected but no address found"

 

So if you can clear this up I would appreciate it!

 

Otherwise, thank you knicker for the excellent guide. It is working OK; I just need to figure out how to make my other ethernet ports work so they are under AirVPN also, then I am golden!
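The step discussed above (copy only the second certificate out of user.crt, with -----BEGIN CERTIFICATE----- on the very top line and nothing else around it) is a cut through a PEM bundle that is easy to get wrong by hand. The script below is an added example, not code from the guide, from the forum or from AirVPN: it parses a bundle, returns the n-th certificate as a clean block and checks that the result is in the shape the pfSense field expects. The sample bundle is constructed, with placeholder bodies in place of real certificates.

```python
"""Cut a single certificate out of a PEM bundle (added example; constructed sample data)."""
import re
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# One PEM certificate block: the BEGIN line, one or more base64 body lines, the END
# line. MULTILINE anchors ^ and $ per line, so header text before the first block
# (OpenSSL "Bag Attributes", subject=, issuer=) and text between blocks is skipped.
_CERT_RE = re.compile(
    r"^[ \t]*-----BEGIN CERTIFICATE-----[ \t]*\r?\n"
    r"((?:[ \t]*[A-Za-z0-9+/=]+[ \t]*\r?\n)+)"
    r"[ \t]*-----END CERTIFICATE-----[ \t]*$",
    re.MULTILINE,
)


def extract_certificates(text: str) -> List[str]:
    """Return every certificate in *text* as a clean block: BEGIN on the first line,
    END on the last, LF line endings, no surrounding whitespace or header text."""
    blocks = []
    for m in _CERT_RE.finditer(text):
        body_lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
        blocks.append("\n".join([BEGIN, *body_lines, END]) + "\n")
    return blocks


def nth_certificate(text: str, n: int) -> str:
    """Return the n-th (1-based) certificate of a bundle, ready to paste.

    Raises ValueError when fewer than n certificates are present, which usually
    means the wrong file was opened or the copy was truncated."""
    certs = extract_certificates(text)
    if len(certs) < n:
        raise ValueError(
            f"expected at least {n} certificate(s) but found {len(certs)}; "
            "check that the right file was opened and copied completely"
        )
    return certs[n - 1]


def is_paste_ready(block: str) -> bool:
    """True when *block* is exactly one certificate with the BEGIN marker on the very
    top line, the END marker on the last line and only base64 lines in between."""
    lines = block.rstrip("\n").split("\n")
    return (
        len(lines) > 2
        and lines[0] == BEGIN
        and lines[-1] == END
        and all(re.fullmatch(r"[A-Za-z0-9+/=]+", ln) is not None for ln in lines[1:-1])
    )


# Constructed sample in the style of an OpenSSL-exported bundle: header text, then a
# CA certificate followed by a user certificate. The bodies are placeholders.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: sample
subject=/C=XX/O=Example CA
issuer=/C=XX/O=Example CA
-----BEGIN CERTIFICATE-----
MIICdummyCAcertificate0000000000000000000000000000000000000000A=
MIICdummyCAcertificate0000000000000000000000000000000000000000B=
-----END CERTIFICATE-----
subject=/C=XX/CN=sample-user
issuer=/C=XX/O=Example CA
-----BEGIN CERTIFICATE-----
MIICdummyUSERcertificate00000000000000000000000000000000000000C=
MIICdummyUSERcertificate00000000000000000000000000000000000000D=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # The guide wants the second certificate from user.crt; print it paste-ready.
    print(nth_certificate(SAMPLE_BUNDLE, 2), end="")
```

For a real file, read it with `open(path).read()` in place of `SAMPLE_BUNDLE`; `is_paste_ready` is the check to run on whatever ends up in the clipboard, since a leading blank line or a stray `subject=` line is exactly what makes the import fail.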


First off, great tutorial. Works great. I have a more advanced question I hope you can help me with.

 

I run a home office from my house, as well as about 5 computers on the network. I also have on my network a VOIP box that allows me to use Google Voice to call and fax from. However, when connected to the VPN, faxing often doesn't work and kicks out. When the VPN is off, faxing is fine.

 

I have 3 NICs on my pfSense box. One is for the WAN, the other is for the LAN, which connects to a wireless AP switch which feeds the rest of the computers and the box for VOIP. The 3rd NIC is not used.

 

So my question is: is there a way that I can set the one LAN to tunnel through the VPN and the other LAN to connect as usual, as if no VPN is on? I am not sure if this is possible, but it would be great if it can be.

 

Just for more information, my setup is as follows:

CABLE MODEM>PFSENSE WAN (NIC1)>LAN (AIRVPN TUNNEL)(NIC2)>GIGABIT WIRELESS AP/SWITCH>Computers/VOIP BOX

What I would like, if possible:

CABLE MODEM>PFSENSE WAN (NIC1)>LAN (AIRVPN TUNNEL)(NIC2)>GIGABIT WIRELESS AP/SWITCH>COMPUTERS
                              >LAN (NO VPN TUNNEL)(NIC3)>VOIP BOX FOR PHONE AND FAX

 

Any help would be appreciated. Thank you in advance!

 

Best Regards,

JetFn1


Yes, you can do this. I tried to write out a clear explanation but just deleted it by mistake and can't be bothered to do it again. You don't need to use the additional NIC (but you can if you really want to, as I describe below; you then need to create an additional interface for the second NIC).

 

The basic idea is to add an additional rule in Firewall/Rules/LAN as described in the tutorial with two differences on the "Firewall : Rules : Edit" web page.

 

1) In the Source section set the "Type" combo box = "Single host or alias" and enter your VOIP box IP as the "Address"

(or if you use the second NIC, enter Type = "Your Interface" Subnet)

 

2) Under Advanced features set the Gateway to WAN in the combo box (as opposed to the VPN gateway)


I would just like to add a bug or glitch I found once I followed these pfSense guides, when I use the AirVPN DNS server 10.4.0.1.

 

I found connecting to the internet and pulling websites down after a restart, or from switching on the PC the next morning, to be very hit and miss.

 

I believe the issue is that the AirVPN DNS servers are accessed privately and only work fully once connected to the Air tunnel. The issue being you need internet access before you can do this.

 

I tried OpenDNS servers instead and it connected instantly without issue yesterday... but I'll give it a test run over the next week or 2 to confirm this is the case.

 

Am very surprised no one else noticed this issue after following this pfSense guide? Maybe everyone is already using public or other DNS servers other than AirVPN.


> First off, great tutorial. Works great. I have a more advanced question I hope you can help me with.
>
> I run a home office from my house, as well as about 5 computers on the network. I also have on my network a VOIP box that allows me to use Google Voice to call and fax from. However, when connected to the VPN, faxing often doesn't work and kicks out. When the VPN is off, faxing is fine.
>
> I have 3 NICs on my pfSense box. One is for the WAN, the other is for the LAN, which connects to a wireless AP switch which feeds the rest of the computers and the box for VOIP. The 3rd NIC is not used.
>
> So my question is: is there a way that I can set the one LAN to tunnel through the VPN and the other LAN to connect as usual, as if no VPN is on? I am not sure if this is possible, but it would be great if it can be.
>
> Just for more information, my setup is as follows:
>
> CABLE MODEM>PFSENSE WAN (NIC1)>LAN (AIRVPN TUNNEL)(NIC2)>GIGABIT WIRELESS AP/SWITCH>Computers/VOIP BOX
>
> What I would like, if possible:
>
> CABLE MODEM>PFSENSE WAN (NIC1)>LAN (AIRVPN TUNNEL)(NIC2)>GIGABIT WIRELESS AP/SWITCH>COMPUTERS
>                               >LAN (NO VPN TUNNEL)(NIC3)>VOIP BOX FOR PHONE AND FAX
>
> Any help would be appreciated. Thank you in advance!
>
> Best Regards,
>
> JetFn1

 

 

JetFn1,

 

The issue you are having is due to the guide you followed not being entirely accurate for those of us using multiple network interface cards. I have 8 NICs, which I will not explain fully in this post. I have my reasons, but mainly I needed a NIC and subnet just for VOIP, a NIC and subnet just for XBOX traffic, a NIC and subnet just for ISP-facing traffic, and multiple NICs and subnets that are routed over the VPN. This facilitates much more manageable firewall rules pages for each type of traffic and reduces the chance of human error. It also makes it much easier to monitor traffic when it is separated by interface. Anyway, moving on.

 

First of all, given that you want one NIC to face your ISP and another to face AirVPN, you do not need to follow the steps of switching the gateway of the initial "LAN" interface that is created during pfSense install. It is more trouble than it is worth renaming and editing certain characteristics of that interface, and it is also unnecessary for us. Let that just be and focus on setting up the secondary NIC (which we will call AirVPN_LAN) to face AirVPN by setting the advanced firewall rules to route the traffic over the AirVPN_WAN (or whatever you have named it) gateway. After this, we need to properly set up the DNS forwarder to not blindly forward the DNS servers to all NICs, then properly set the DNS for the AirVPN_LAN.

 

Setting it this way allows you to use the DNS servers of your choice (entered where you currently have the AirVPN DNS servers, under System > General Setup > DNS Servers) for *NON* VPN traffic and network interface cards. For your uses these will be used by your LAN. I choose to use my ISP's DNS here because for gaming the latency is important. You may choose OpenDNS or any other public DNS here as well, but not the AirVPN DNS servers, because as you have noticed you must be connected for those to function. We will then manually set the AirVPN_LAN interface to use only the AirVPN DNS servers under the DHCP Server settings page. I will stress this again: DNS servers set under System > General Setup > DNS Servers are ONLY for *NON* VPN traffic and network interface cards. To use the AirVPN DNS servers on the proper interface/s there are extra steps involved.

 

Here is how I have mine set up:

1.) Go to Services > DNS Forwarder, then find the section titled "Interfaces".

By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, and possibly localhost. (Be aware that if you do choose to highlight localhost, a DNS lookup done within pfSense (for instance from the firewall logs) may be a potential privacy leak, as it will use the ISP-facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have localhost highlighted. Not highlighting it only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN, if you need it.)

 

2.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it, then click "Save"

 

3.) Go to Services > DHCP server and select the tab for your "AirVPN_LAN"

Find the section here titled "DNS Servers" and enter your AirVPN DNS server/s here (10.4.0.1 etc.) then click "Save"

 

At this point pfSense will not serve the incorrect DNS servers anywhere, but we will go one step further and create firewall rules to block any potential DNS leaks by a program that seeks another DNS server on its own. This is in a sense redundant, because if you have the advanced firewall rules set for the correct gateway these requests would be funneled through the VPN anyway, but I still use them since nothing should be attempting to use any other DNS, and these rules will block any such attempt.

 

4.) Go to Firewall > Aliases

Click the [+] to "Add a new Alias"

Name = AirVPN_DNS_Servers

Description = AirVPN_DNS_Servers

Type = Hosts

Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1

Click "Save"

 

5.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"

Action = Pass

Interface = AirVPN_LAN

TCP/IP Version = IPv4

Protocol = UDP

Source = Any

Destination = (Single host or Alias) AirVPN_DNS_Servers

Destination port range = DNS

Description = ALLOW_AirVPN_DNS

IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN (or whatever you have named your AirVPN Gateway, it will appear in the drop down)

 

6.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"

Action = Block

Interface = AirVPN_LAN

TCP/IP Version = IPv4

Protocol = UDP

Source = Any

Destination = Any

Destination port range = DNS

Log = Checked (this will alert you in your firewall logs if something does attempt to use alternate DNS)

Description = BLOCK_DNS_LEAKS

*** For this rule we will NOT set the advanced setting for gateway

 

7.) Go to Firewall > Rules > AirVPN_LAN

The order of the rules we just created is important!

These rules should be near the top of your firewall rules list for this interface. Ideally the only rule above them should be a GUI lockout rule, if you have one. Further to this, the "Allow" rule MUST BE ON TOP of the "Block" rule. You can select the rules' check boxes and re-organize them accordingly.

 

That's it, you should be set to go. You can verify it is functioning correctly by going to any number of DNS leak test sites on anything connected to the VPN connected NIC.

 

http://www.dnsleaktest.com/

https://www.grc.com/dns/dns.htm


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


This is all assuming you have followed the other steps in the guide posted here to set up your interfaces, outbound NAT and advanced firewall routing rules to force traffic over the gateway it is intended for. My apologies if this does not help due to not covering enough steps. I have planned to make a full tutorial for those of us with multiple NICs that is bulletproof as far as leaks. I have tested it for months and it works. I will post the tutorial as soon as I can find the time.



Thank you both for the feedback. I will probably be experimenting with both of these. As of now, so I don't have to change my configuration, I tried your method, NickSpam. Unfortunately I was unable to get it to work. I did as you said: went to firewall rules and changed the gateway for the static IP I set up for the VOIP. It still connects through the OpenVPN connection. I'm not sure why. Do I have to move the rule up the list? Not sure, I am just getting into pfSense.

 

 

Thank you for your help.


Question for all that followed this pfsense guide:

 

I have followed this guide and it all works fine, but I have noticed intermittent connectivity issues: each morning I switch on my laptop or desktop I have to wait a few minutes before it connects successfully?

 

pfSense OpenVPN logs confirm it's already connected, so not sure why I have to wait a few minutes for web pages to start working. I have tried different public and AirVPN DNS but no joy....

 

I also get this strange error in my OpenVPN logs:

 

openvpn[50203]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #555308 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

 

Any idea on this error, and has anyone else had strange connectivity issues with pfSense under AirVPN?


Everyone's help on this is awesome. I really think this post is going to help a lot of people set the VPN up and handle other concerns based on changing the internet gateway. And thanks to everyone again, especially the techs who know this stuff inside and out.

 

Is it possible for someone who knows pfSense better to do a tutorial on the following?

 

As mentioned above, I can't get the VOIP box to access the internet with the firewall settings. I think this is due to me setting the VOIP box as static so I know what IP to enter into the firewall. When static, the box doesn't connect to the internet. When not static, it works. How can I set the box to static correctly, and have that static IP, the VOIP box, connect to my default WAN instead of the VPN?

 

I would like to do this with my gaming systems as well so they do not have to go through the VPN.

 

I messed around for about 4 hours last night, I find this stuff extremely intriguing but I am lost and can't figure out the solution. If someone could please do a step by step that would be great! And I think other members would definitely appreciate it as well.

 

Regards,

JetFn1


Hi JetFn1

 

Yes, the single IP (non-VPN) rule needs to be above the general (VPN) rule in the list, as you suggest. You might need to reboot too; always worth trying ;o)

 

I actually have my own router set up like this, apart from using an alias (rather than a single IP) for non-VPN machines. I know I can change a machine from using the VPN to not using the VPN just by editing the alias list, clicking save and then clicking apply changes, which takes seconds. I do this all the time.

 

Sorry I can't guarantee I have told you exactly how I set it up in the first place. I think I have told you everything now but I only did it once and that was a few months ago.
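Both ordering points made in this thread (the per-host non-VPN rule above the general VPN rule here, and ALLOW_AirVPN_DNS above BLOCK_DNS_LEAKS in the DNS-leak post above) follow from pfSense evaluating interface rules top-down with the first match winning. The model below is an added example, not pfSense code and not anything posted by the participants: it evaluates constructed rule sets the way an interface rule list is evaluated and shows what changes when the order is wrong. Rule names follow the thread; the subnet, the VoIP box address and the destination addresses are constructed (RFC 5737 documentation ranges).

```python
"""First-match evaluation of pfSense-style interface rules with per-rule gateways
(added example; all addresses and rule sets are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

# An address selector: "any", a CIDR string (the "Interface Subnet" choice) or a
# frozenset of host strings (the "Single host or alias" choice).
AddrSpec = Union[str, frozenset]


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    proto: str                     # "any", "udp" or "tcp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]           # None = any destination port
    description: str
    gateway: Optional[str] = None  # Advanced features > Gateway; None = normal routing
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str
    gateway: Optional[str]
    logged: bool
    rule: str


def addr_matches(spec: AddrSpec, ip: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, frozenset):
        return ip in spec
    return ip_address(ip) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> Decision:
    """Rules are consulted top-down; the first one whose selectors match decides the
    action and the gateway, and nothing below it is looked at. A packet that matches
    no rule falls through to the default deny (which pfSense logs)."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if not (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)):
            continue
        gateway = r.gateway if r.action == "pass" else None
        return Decision(r.action, gateway, r.log, r.description)
    return Decision("block", None, True, "default deny")


# Constructed rule sets. Rule names follow the thread; addresses are made up.
AIRVPN_DNS_SERVERS = frozenset({"10.4.0.1", "10.5.0.1", "10.6.0.1"})
VOIP_BOX = frozenset({"192.168.1.50"})   # hypothetical static IP of the VoIP box

ALLOW_AIRVPN_DNS = Rule("pass", "udp", "any", AIRVPN_DNS_SERVERS, 53,
                        "ALLOW_AirVPN_DNS", gateway="AirVPN_WAN")
BLOCK_DNS_LEAKS = Rule("block", "udp", "any", "any", 53, "BLOCK_DNS_LEAKS", log=True)
ALL_VIA_VPN = Rule("pass", "any", "any", "any", None, "DEFAULT_TO_VPN", gateway="AirVPN_WAN")
VOIP_VIA_WAN = Rule("pass", "any", VOIP_BOX, "any", None, "VOIP_CLEARNET", gateway="WAN")

# VPN-only interface as in the DNS-leak post: Allow above Block, general rule last.
AIRVPN_LAN_RULES = [ALLOW_AIRVPN_DNS, BLOCK_DNS_LEAKS, ALL_VIA_VPN]
# Same rules with the two DNS rules swapped, the ordering mistake that post warns about.
AIRVPN_LAN_SWAPPED = [BLOCK_DNS_LEAKS, ALLOW_AIRVPN_DNS, ALL_VIA_VPN]
# Single mixed LAN as in this reply: the per-host WAN rule above the general VPN rule.
LAN_MIXED_RULES = [VOIP_VIA_WAN, ALL_VIA_VPN]
LAN_MIXED_WRONG_ORDER = [ALL_VIA_VPN, VOIP_VIA_WAN]

if __name__ == "__main__":
    dns_to_air = Packet("192.168.2.10", "10.4.0.1", "udp", 53)
    dns_to_other = Packet("192.168.2.10", "198.51.100.53", "udp", 53)
    for name, rules in (("AirVPN_LAN", AIRVPN_LAN_RULES), ("AirVPN_LAN swapped", AIRVPN_LAN_SWAPPED)):
        print(name, "AirVPN DNS:", evaluate(rules, dns_to_air))
        print(name, "other DNS: ", evaluate(rules, dns_to_other))
    web_from_voip = Packet("192.168.1.50", "203.0.113.10", "tcp", 443)
    for name, rules in (("LAN", LAN_MIXED_RULES), ("LAN wrong order", LAN_MIXED_WRONG_ORDER)):
        print(name, "VoIP box:", evaluate(rules, web_from_voip))
```

With the DNS rules swapped, the block rule catches queries to the AirVPN resolvers as well, so the interface has no working DNS at all; with the VoIP host rule below the general rule, the VoIP box is sent through the VPN gateway, which is the symptom described earlier in the thread.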


Unfortunately what you told me so far is not working. Setting the IP in the firewall via alias above the VPN rule by itself does not work ;-(. There is another step somewhere we are overlooking. I would really appreciate it if you could take a look at your connections and configuration and figure out that needed step for us. I've been trying and trying to no avail. Searching different forums.... It's driving me absolutely crazy. If you could figure it out I would look west and pray to NickSpam every day for the rest of my life hahah.


Everyone else who followed this guide having normal pfSense access?

 

I think I am the only one that has this strange issue with it taking 5-6 minutes before it works... the strange thing is I followed the guide to the letter.


> Unfortunately what you told me so far is not working. Setting the IP in the firewall via alias above the VPN rule by itself does not work ;-(. There is another step somewhere we are overlooking. I would really appreciate it if you could take a look at your connections and configuration and figure out that needed step for us. I've been trying and trying to no avail. Searching different forums.... It's driving me absolutely crazy. If you could figure it out I would look west and pray to NickSpam every day for the rest of my life hahah.

 

It sounds to me the missing step for what you are trying to do may be setting an outbound NAT rule for that individual static IP that also designates the correct gateway. That rule has to be above the other outbound NAT rules for that interface or it will route it through the gateway that is default for that NIC first, negating the firewall rule. You would also likely have to assign DNS to the static ip under SERVICES > DHCP SERVER.

 

Other than that, I disagree with this method as you have multiple NICs. Each NIC should be either only for VPN or only for clear-net. Not that it cannot be done, but you have other NICs and it is safer to isolate them. You can have VOIP and gaming all on the original LAN from the pfSense install, facing clear-net. Another NIC can be only VPN. A third NIC or more can be set for only VPN or only clear-net... it's up to you. But why mix gateways on one interface when you have multiple? I have given you the basics of how to set interfaces for a specific gateway. I will help if you wish to set it up for a single gateway per NIC. Soon I will have a tutorial as well.



Okay, I'm stuck. I've tried all I can think of.  I followed the instructions and all goes well. Imported (copy/paste) the certs, set up the client, gateway, and firewall rule. 

 

When the VPN service is started, it connects and I get a 10.x.x.x IP address. The VPN log says all is well.

None of my devices can connect to the internet.  

I suspect there's something wrong with my firewall rules (or something), but I'm not familiar enough with pfSense to figure out what's wrong.

 

It looks like this: (three screenshots, not reproduced here)

 

Any idea why this isn't working?


Ok, I think I figured it out. I was missing the Firewall:NAT:Outbound rules for AirVPN.  I duplicated the three rules shown above and changed the Interface to AirVPN.  I'm connected now.  

 

Speed is poor. I get almost 60 megabits without the VPN. I was getting over 50 with PIA.  Now I'm only getting 10-15 on Air.  I'm experimenting with different servers now, looking for better performance.


> Speed is poor. I get almost 60 megabits without the VPN. I was getting over 50 with PIA. Now I'm only getting 10-15 on Air. I'm experimenting with different servers now, looking for better performance.

 

Hello,

 

is the Data Channel cipher the same? On boxes' CPUs, AES-256-CBC is computationally heavy, but our ciphers are picked with high security in mind. As far as we know, PIA uses weaker encryption for the OpenVPN Control Channel.

 

Kind regards


I was using Blowfish 128 bit CBC with PIA.

 

CPU usage is very low now with Air. I'm downloading Ubuntu ISOs and the CPU is <5%.

 

I'm on Alkaid now and only getting 3 Mbps.


 

> I was using Blowfish 128 bit CBC with PIA.
>
> CPU usage is very low now with Air. I'm downloading Ubuntu ISOs and the CPU is
>
> I'm on Alkaid now and only getting 3 Mbps.

 

Incredible. Blowfish was designed in 1993 and its very creator, Schneier, recommended years ago NOT to use it. There's a class of weak keys that causes problems in picking an appropriate key and, from the user's point of view, we doubt that you can have the absolute security that the keys are appropriately picked. It's somewhat weird that Air is compared to such services; maybe it's a comparison not focused on security. Many experts claim that Blowfish should not be used for the OpenVPN Data Channel, and in general it should not be used at all. Again, Schneier himself said to switch to something else in 2007.

 

Anyway, about the CPU processing power: if the CPU usage is so low in your box then you're right, the bottleneck does not seem to be there. Keep on experimenting and feel free to report back, because, as reported by very many customers on different threads here, and also if you have a look at the top speed users in the servers monitor table, it's normal to achieve higher than 40 Mbit/s throughput on several of our servers (including Alkaid) with a line like yours. The quality of Air datacenters' connectivity to tier 1 and tier 2 providers is surely not inferior to the datacenters we see PIA uses.

 

Assuming that you connect in UDP (if not, please try it; performance with TCP is surely inferior), you might like to verify, first of all, whether there is packet fragmentation, by checking the OpenVPN logs after some minutes of ongoing connection and normal usage.

 

Kind regards


> Ok, I think I figured it out. I was missing the Firewall:NAT:Outbound rules for AirVPN. I duplicated the three rules shown above and changed the Interface to AirVPN. I'm connected now.
>
> Speed is poor. I get almost 60 megabits without the VPN. I was getting over 50 with PIA. Now I'm only getting 10-15 on Air. I'm experimenting with different servers now, looking for better performance.

 

Just being curious, do you use Virgin broadband by chance?


With the new upgraded AirVPN servers utilizing a static key, how can I update my current config, which worked as this tutorial guided, to get my configuration working again in pfSense?

 

Kind Regards,

Michael


> With the new upgraded AirVPN servers utilizing a static key, how can I update my current config, which worked as this tutorial guided, to get my configuration working again in pfSense?
>
> Kind Regards,
>
> Michael

 

 

 

Follow my guide.

 

This guide was never complete. It left out two security checks, it didn't even have entries in the advanced box on the client page. Follow mine closely.


