Jump to content
Not connected, Your IP: 18.208.202.194

Recommended Posts

Hi all,

 

I've build a pfsense router myself because I found that speeds were dramatically dropping through my Linksys router (EA6500) or through my client. By building my own router I had more control over the hardware and firmware. I have a 200 Mb/s - 10 Mb/s ISP connection. My router build as follows:

  • Shutlle DS61 V1.1 mini ITX barebone / socket 1155 /  2 x Gbit LAN
  • 2 x 4 GB SO DDR3 Kingston HyperX
  • Intel XEON E3-1230 V2 3.10 GHz (has no graphic chip)
  • Kingston 60 GB SSD
  • In order to get graphics (which I'll need for installation, since the mini ITX motherboard doesn't support an extra graphics card) I bought an old Celeron 2.70 GHz with graphic chip. Now pfsense is installed, I will be using the Celeron for a while in case something goes wrong in pfsense settings and I'll be needing graphics again. So after I'm done with installing packages, setting up everything, I will replace it with the XEON.

 

Speedtest with the Celeron while connected to VPN

Speedtest_Celeron.png

 

I think that is pretty impressive since I had around 60 Mb/s - 9.5 Mb/s before I had this router. If you forget about the XEON and keep the Celeron (for 24/7 use, I'll take the XEON also because of it's 'AES NI' instruction within the chipset) it will cost you about 500 dollars or about 370 euro's. The XEON included adds an extra 250 dollars or 195 euro's.

 

This is a better investment than buying any other consumer router with a 600 MHz Broadcom processor.

 

This is a kick ass router!

 

For a proper installation of pfsense I can recommend this video:

 

(good packages: squid, havp, snort (get a paid oinkcode for 27 dollars/year, otherwise you'll have a 10 days delay in updates))

 

SET UP AIRVPN IN PFSENSE

 

  • Configure an airvpn *.ovpn file (use a region, airvpn will connect to the best server automatically)
  • From the pfSense interface, navigate to the dropdown menus:  System ---> Cert Manager and stay in the first tab.
  • Click the button as seen here to create a new certificate. Give it a description like: cert airvpn. Ensure that "Import an existing certificate authority" is selected.

Systsem_Cert_1.jpg

  • Open the *.ovpn file and copy/paste the first certificate (starting with: -----BEGIN CERTIFICATE----- and ending with: -----END CERTIFICATE-----) into the 1st field
  • Click save (leave the orher field empty)
  • Click on the tab Certificates and click on the plus button as seen here

Systsem_Cert_2.jpg

  • Give it a description like: certificate airvpn. Ensure that "Import an existing certificate authority" is selected.
  • Open the *.ovpn file and copy/paste the second certificate (starting with: ---- CERTIFICATE:----- and ending with: -----END CERTIFICATE-----) into the 1st field

So in the file it looks like this:

 

-----END CERTIFICATE----- (end of the first certificate we've just imported)
</ca>
<cert>
Certificate:

 

The second copy/paste should start at: Certificate:

  • copy/paste the third certificate (starting with: -----BEGIN CERTIFICATE----- and ending with: -----END CERTIFICATE-----) into the 3d field
  • Click save
  • Navigate to the system dropdown menus: VPN ---> OpenVPN
  • Click the Client tab and click on the Plus button
  • Follow below settings in the pictures where: 1. serverhost or host adres can be found in the *.ovpn file ending with probably airvpn.org, 2.The serverport can be found in the top of the *ovpn file as well.

Open_vpn_1.jpg

Open_vpn_2.jpg

  • Navigate to the system dropdown menus Interfaces ----> (assign) and click on the Plus button

Interfaces_1.jpg

-Note in the previous screenshot you will notice a StrongVPN interface. you will NOT have that on your box yet, so dont worry.

  • After clicking on the plus button pfSense will tell you it has successfully added a new interface. the network port name will most likley be named
    "ovpnc1". Ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc... depends if you have other ovpn interfaces or not)
  • navigate to the system dropdown menus Interfaces ---> OPT1 (or whatever your new interface from the previous step is) and follow steps in below picture

Interfaces_3.jpg

  • Click save
  • Navigate to the system dropdown menus System ---> Routing and click on the Plus button

Gateways.jpg

  • Follow the settings in the picture below

Gateway_2_routing.jpg

-Note 1: The ip seen in the picture 208.67.222.222 is the ip of OpenDNS

 

-Note 2: By selecting "Default Gateway", the connection to the internet drops if the VPN connection drops. You'll have to set the WAN as default manually in the case if you need an internet connection.

 

  • navigate to the system dropdown menus Firewall ---> Rules and click on the LAN tab
  • Click on the Plus button to create a new rule
  • Follow instructions in the picture below

Firewall_rules.jpg

Action: PASS
--
Interface: LAN
Protocol: ANY
Source: LAN Subnet
Destination: ANY
--
Description: LAN to Internet force through VPN


**IMPORTANT**: scroll down to "Gateway" under the "Advanced features" of the rule. Set gateway to your VPN interface (see above picture).

  • After Clicking save, you should see something like this

Firewall_rules_2.jpg

  • navigate to the system dropdown menus Firewall ---> NAT and click on the Outbound tab
  • enable "Manual Outbound NAT rule generation" and select save.

 

Reboot the router and you're done... If you want to/need to start manually, go to Status -----> Services and click on the Play button next to the VPN interface status.

 

  • Check Status ------> Dashboard for connections as seen in the picture below (in the WAN section you'll see your ISP's IP, which is connection you're coming from to Airvpn (Note from AirVPN: We inevitably know it. Any reference will be deleted when the connection is closed). Don't worry, you're visible with a different IP on the internet.

Status_Dashboard.jpg

 

The reason I choose a XEON is the 10% watt reduction and the AES NI instructions in the chip (AirVPN is 256 bit AES encrypted). This will lower my CPU usage and speed up the process. Below you find a picture with system loads while having 10 torrents running and downloading a large file at full speed from usenet (ssl encrypted)... See the CPU usage on the Celeron. That will change I think with a XEON.

 

System_load_Celeron.jpg

 

Good luck and don't forget to install Snort, HAVP and Squit on your pfsense. Good guides out there on Google...

 

knicker

Share this post


Link to post

First of all just have to say Thank you very much !


 

I have attempted to install pfsense dozens of times in the past and failed,  I posted up help a few post down regarding pfsense Airvpn settings but was still lost with the settings and I pretty much gave up on it untill I saw this post !


 

I hope Airvpn staff leave this thread open for debate since it will help a great deal of Air Customers.


 

I have a few questions before I attempt from your guide but am also planning on building a mini itx system soon with pfsense since it would be at least 5x more powerful and better then a router.


 

1)  Did you have any issues with the 2x Lans ?   I hear realtek lans are pretty poor and can be unreliable

2)  How did you get 60meg on your Linksys router under OpenVPN ?  Even the latest 1ghz dual core routers would not get that much !

3)  You picked an 60gig SSD when an 8gig ssd would have done... are you running pfsense under virtualbox alongside windows/linux ? I ask since you mentioned about the torrents hitting 93% or was it just the torrents via another machine causing that much cpu strain ?

4)  You mentioned "Note 2" about if the default gateway drops,  then so does your internet connection.   Is this not a very good option to have ?  This would prevent your real IP or DNS leaks from occurring.  I had iptable rules in my old Asus tomato router which switched off the internet if AirVPN dropped or did not allow internet if it was not connected.  Not unless you have a better alternative to this ?


 

I find it very tricky to get the hardware for pfsense right,  intel low powered cpus are so poor and never support AES,  and it does not help openvpn client is single core supported.  When openVPN 3x comes out I hope all software/clients upgrades since dual cores would have given you 200meg+.  I have however noticed AMD low end cpus even the 2 or 3ghz ones support AES and very cheap and 65watt low powered so may build it around AMD parts and a 2nd hand 4 way pci-express intel lan card for increased connections and reliability.        


 

I believe what you have done is the best option going,  at least this way your pfsense box can max out all speeds and other devices are auto AirVPNed if connected to the pfsense box.  It sure beats any tomato/ddwrt/opensource or even the fastest dual core 1ghz netgear router that just came out I believe that hits 16-20meg under openvpn limited by single core openvpn and 1ghz cpu only.  I hope you chuck in the xeon id like to see the difference.


 

I will no doubt be back to ask questions and more so once I try the guide out for myself !

Share this post


Link to post

First of all just have to say Thank you very much !

 

 

I have attempted to install pfsense dozens of times in the past and failed,  I posted up help a few post down regarding pfsense Airvpn settings but was still lost with the settings and I pretty much gave up on it untill I saw this post !

 

 

I hope Airvpn staff leave this thread open for debate since it will help a great deal of Air Customers.

 

 

I have a few questions before I attempt from your guide but am also planning on building a mini itx system soon with pfsense since it would be at least 5x more powerful and better then a router.

 

 

1)  Did you have any issues with the 2x Lans ?   I hear realtek lans are pretty poor and can be unreliable

2)  How did you get 60meg on your Linksys router under OpenVPN ?  Even the latest 1ghz dual core routers would not get that much !

3)  You picked an 60gig SSD when an 8gig ssd would have done... are you running pfsense under virtualbox alongside windows/linux ? I ask since you mentioned about the torrents hitting 93% or was it just the torrents via another machine causing that much cpu strain ?

4)  You mentioned "Note 2" about if the default gateway drops,  then so does your internet connection.   Is this not a very good option to have ?  This would prevent your real IP or DNS leaks from occurring.  I had iptable rules in my old Asus tomato router which switched off the internet if AirVPN dropped or did not allow internet if it was not connected.  Not unless you have a better alternative to this ?

 

 

I find it very tricky to get the hardware for pfsense right,  intel low powered cpus are so poor and never support AES,  and it does not help openvpn client is single core supported.  When openVPN 3x comes out I hope all software/clients upgrades since dual cores would have given you 200meg+.  I have however noticed AMD low end cpus even the 2 or 3ghz ones support AES and very cheap and 65watt low powered so may build it around AMD parts and a 2nd hand 4 way pci-express intel lan card for increased connections and reliability.        

 

 

I believe what you have done is the best option going,  at least this way your pfsense box can max out all speeds and other devices are auto AirVPNed if connected to the pfsense box.  It sure beats any tomato/ddwrt/opensource or even the fastest dual core 1ghz netgear router that just came out I believe that hits 16-20meg under openvpn limited by single core openvpn and 1ghz cpu only.  I hope you chuck in the xeon id like to see the difference.

 

 

I will no doubt be back to ask questions and more so once I try the guide out for myself !

 

Hi,

 

You're most welcome!

  1. The Realtek LAN's are working fine. Just name them during the pfsense installation (i.e re0 & re1). Besides that, you'll need two connections, i.e a WAN and a LAN.
  2. I had the vpn client on my PC (old XEON quad) and din't get higher than the 60 Mb/s. Often slower...  On a WRT610N with DD-WRT installed, I got 500 Kb/s...
  3. I use a 60GB SSD in order to assign memory cache to Squid for example. You can only use around 70% of the disk if you do it right.
  4. Default Gateway = AirVPN: To me that is a good thing indeed, but I though it was worthwhile mentioning it in case someone didn't get that
  5. The hardware for pfsense combined with a 256 bit AES vpn is easy. Get enough RAMM (8 GB is a good start, also to assign RAMM cache in pfsense packages) and a processor with AES NI instructions (socket 1155 i5, i7, XEON and later) My hardware config does it for me. Although, i5 and i7 processors are designed for 8 hours/day use and XEON processors for 24/7 use. I prefere a XEON for that matter, and besides that, power consumption on a XEON is only 69 Watts and i5 and i7's on socket 155 some 75 Watts I believe.

If anyone has questions I will try to answer as quickly as possible, but sometimes my job has priority

 

Regards,

 

knicker

Share this post


Link to post

I also have a pfsense setup so can answer a couple of your questions. Caveat I have very little network expertise.

 

1)  Did you have any issues with the 2x Lans ?   I hear realtek lans are pretty poor and can be unreliable

 

My realtek nics did have problems. Attached device connections dropping and not reconnecting, even when connected via an intermediate switch. I bought an Intel HP NC360T PRO/1000 Dual Port Server NIC PCI-e GB off ebay for approx $40 which has been fine. I'm not sure realtek nics are poor, they seem to work fine with everything else it just seems there is a compatibility problem with pfsense.

 

3)  You picked an 60gig SSD when an 8gig ssd would have done... are you running pfsense under virtualbox alongside windows/linux ? I ask since you mentioned about the torrents hitting 93% or was it just the torrents via another machine causing that much cpu strain ?

 

Pretty much anything VPN slams my cpu at 100MB/s plus, due to OpenVPN and network interrupts from the Nic.  I can't see why the HDD is important?

 

4)  You mentioned "Note 2" about if the default gateway drops,  then so does your internet connection.   Is this not a very good option to have ?  This would prevent your real IP or DNS leaks from occurring.  I had iptable rules in my old Asus tomato router which switched off the internet if AirVPN dropped or did not allow internet if it was not connected.  Not unless you have a better alternative to this ?

 

I don't use the VPN as default gateway. I have two firewall LAN rules. One explicitly uses the VPN gateway, one explicitly uses the non VPN gateway. I use aliases to decide which machines are Non VPN. I believe the VPN machines drop all internet if the VPN goes down, which is how I like it.

 

Also worth mentioning pfsense do a virtual appliance which is brilliant if you want to test setups or run as a virtual machine (which seems to be perfectly reliable).

Share this post


Link to post

The Shuttle came with the mini itx board and has 2 realteks. No issues here, but Intel LANs are much better in compatibillity.

 

60 GB SSD = only 40 to 42 GB since you can use 70%. I like to assign cache to Squid, etc. Hence a bigger disk. However, 60 GB is relatively small compared to what's on the SSD market today.

 

All my machines run on vpn. So if vpn drops, internet drops and that's fine with me. Airvpn has a strong and reliable network... No disconnects. None. 24/7.

 

Thnx for the input. I'm not familiar with VM's, but I heard a lot about the advantages indeed. Maybe I'll look into that.

Share this post


Link to post

Thanks Knicker & Nickspam

 

More question for both you guys,  since pfsense users are rare here!

 

Yes,  regarding the realteks nics... I hear many on pfsense forums say its hit or miss with connection drop outs or poor speeds... I too was also eyeing that "Intel HP NC360T PRO/1000 Dual Port Server NIC PCI-e GB"  since its cheap and plenty available,  but was unsure if it works so thanks nickspam I think I would need 2 of them!

 

Regarding the hard drive and size,  was not aware of pfsense packages existed but just read a bit on squid sounds great to have.... but I prefer my privacy I never save history, cache, cookies etc in my browser or computer.  I would have thought squid vs hdd stored cache would have made it slower? not unless it does many other things better ?  If there were pfsense packages such as rtorrent/utorrent/p2p and Nzb that would have really made my day but don't see any.   

 

Yes thanks again Knicker I saw your other 2 guides of leaking dns/port forwarding I will save and bookmark them !  Its a must feature for me since I worry if AirVPN stops.... but then I don't

 

Great point regarding the xeon cpu,  they are more designed for 24/7 use,  still I have used an intel quad 6700 cpu 24/7 for 5 years and never without issue.  I feel with an core i3/i5 if you can get one with AES it could still proove just as good if not cheaper.... I originally considered an intel nuc or amd sapphire mini pc,  but these little boxes are limited by 1 nic !   Using mini pic-e network cards is possible but then no one seems to have attempted it,  otherwise I felt an intel nuc with low power and with either mini-pcie network card or vlan switch would have done the job,  but then the price and power still adds up sharply over a custom AMD or intel build. 

 

Your shuttle is very nice and small and mini itx.  I still feel an AMD 4ghz dual core with AES which is cheap and a micro-atx with 1-2 pci express slots offer more connectivity and flexibility then an mini itx build.  Power should not be that much more either and its cheaper to pick up micro-atx mobo and cheap AMD cpu with 4ghz/AES but maybe wrong on this...

 

1-2 previous guys have hinted to me AES on the cpu does help but not drasticly,  ie like 20-30% less.... but I feel it was all theory talk and no one had actually tried to see the difference.  I guess in theory AES instructions should reduce the cpu overhead big time but not sure.

 

Nickspam what is your current pfsense hardware build consist off or are you running pfsense via virtualbox ?

Share this post


Link to post

Thanks Knicker & Nickspam

 

More question for both you guys,  since pfsense users are rare here!

 

Yes,  regarding the realteks nics... I hear many on pfsense forums say its hit or miss with connection drop outs or poor speeds... I too was also eyeing that "Intel HP NC360T PRO/1000 Dual Port Server NIC PCI-e GB"  since its cheap and plenty available,  but was unsure if it works so thanks nickspam I think I would need 2 of them!

 

Regarding the hard drive and size,  was not aware of pfsense packages existed but just read a bit on squid sounds great to have.... but I prefer my privacy I never save history, cache, cookies etc in my browser or computer.  I would have thought squid vs hdd stored cache would have made it slower? not unless it does many other things better ?  If there were pfsense packages such as rtorrent/utorrent/p2p and Nzb that would have really made my day but don't see any.   

 

Yes thanks again Knicker I saw your other 2 guides of leaking dns/port forwarding I will save and bookmark them !  Its a must feature for me since I worry if AirVPN stops.... but then I don't

 

Great point regarding the xeon cpu,  they are more designed for 24/7 use,  still I have used an intel quad 6700 cpu 24/7 for 5 years and never without issue.  I feel with an core i3/i5 if you can get one with AES it could still proove just as good if not cheaper.... I originally considered an intel nuc or amd sapphire mini pc,  but these little boxes are limited by 1 nic !   Using mini pic-e network cards is possible but then no one seems to have attempted it,  otherwise I felt an intel nuc with low power and with either mini-pcie network card or vlan switch would have done the job,  but then the price and power still adds up sharply over a custom AMD or intel build. 

 

Your shuttle is very nice and small and mini itx.  I still feel an AMD 4ghz dual core with AES which is cheap and a micro-atx with 1-2 pci express slots offer more connectivity and flexibility then an mini itx build.  Power should not be that much more either and its cheaper to pick up micro-atx mobo and cheap AMD cpu with 4ghz/AES but maybe wrong on this...

 

1-2 previous guys have hinted to me AES on the cpu does help but not drasticly,  ie like 20-30% less.... but I feel it was all theory talk and no one had actually tried to see the difference.  I guess in theory AES instructions should reduce the cpu overhead big time but not sure.

 

Nickspam what is your current pfsense hardware build consist off or are you running pfsense via virtualbox ?

 

You should go with a XEON... Compare this load with the one at the bottom of my post...

 

System_load_XEON.jpg

 

It doesn't get above 25% at full load...

Share this post


Link to post

Knicker: Very nice low cpu use, are you able to max out your 200m/b line on pfsense airvpn openvpn client ?

Share this post


Link to post

Hi Royee 

 

Going back to a post a while back you mentioned needing two dual NIC''s. One is all you need per pfSense installation. One port in from the Wan and the other port out to the Lan. If you need more Lan connections use a switch. pfSense isn't efficient as a LAN switch as the NICs can hit the CPU quite heavily with interrupts,

 

I run on a virtual machine using 1GB of ram and 2 cores of a i5 2500k. This can achieve 100Mb + over WAN OpenVPN, Its hard to tell whether the speed is limited by my cpu, my isp or airvpn but I have gotten pretty close to the speed of my connection.

 

As to cpu usage I think openvpn on pfSence is single threaded so 25% cpu may be openvpn maxing out a core, 

 

I use my cpu for lots of stuff apart from the router. I highly recommend it and I imagine Knickers XEON is slightly  more powerful. Two cores is probably enough for a router but its always nice to have 4 just in case you think of some other apps you need to run.

Share this post


Link to post

Very good point about the cpus nickspam,  yeah openvpn client is sadly still single core I believe when the 3.x version of openvpn client arrives it will be dualcore enabeled,  although hopefully they just make it mulitcore.

 

I have played around with pfsense under virtual box with just a single lan and yet to get it 100% running,  with this guide I can however make it!

 

But I think ill get a dedicated pc and turn it into a pfsense router box like knicker and many people do.  Im going to get one of those hp intel 4 x gigabit 364 nics you see on ebay all the time.  I think for OpenVPN this is the only soloution and best choice,  no router would ever come this close.

 

May just stick with my 4ghz dual core AMD cheap cpu with AES instructions for my pfsense build... that should in theory have much less bottlenecks

Share this post


Link to post

 

Regarding the hard drive and size,  was not aware of pfsense packages existed but just read a bit on squid sounds great to have.... but I prefer my privacy I never save history, cache, cookies etc in my browser or computer.  I would have thought squid vs hdd stored cache would have made it slower? not unless it does many other things better ?  If there were pfsense packages such as rtorrent/utorrent/p2p and Nzb that would have really made my day but don't see any.   

 

Great point regarding the xeon cpu,  they are more designed for 24/7 use,  still I have used an intel quad 6700 cpu 24/7 for 5 years and never without issue.  I feel with an core i3/i5 if you can get one with AES it could still proove just as good if not cheaper....

 

Your shuttle is very nice and small and mini itx.  I still feel an AMD 4ghz dual core with AES which is cheap and a micro-atx with 1-2 pci express slots offer more connectivity and flexibility then an mini itx build.  Power should not be that much more either and its cheaper to pick up micro-atx mobo and cheap AMD cpu with 4ghz/AES but maybe wrong on this...

 

1-2 previous guys have hinted to me AES on the cpu does help but not drasticly,  ie like 20-30% less.... but I feel it was all theory talk and no one had actually tried to see the difference.  I guess in theory AES instructions should reduce the cpu overhead big time but not sure.

I

 

Thanks Knicker & Nickspam

 

More question for both you guys,  since pfsense users are rare here!

 

Yes,  regarding the realteks nics... I hear many on pfsense forums say its hit or miss with connection drop outs or poor speeds... I too was also eyeing that "Intel HP NC360T PRO/1000 Dual Port Server NIC PCI-e GB"  since its cheap and plenty available,  but was unsure if it works so thanks nickspam I think I would need 2 of them!

 

Regarding the hard drive and size,  was not aware of pfsense packages existed but just read a bit on squid sounds great to have.... but I prefer my privacy I never save history, cache, cookies etc in my browser or computer.  I would have thought squid vs hdd stored cache would have made it slower? not unless it does many other things better ?  If there were pfsense packages such as rtorrent/utorrent/p2p and Nzb that would have really made my day but don't see any.   

 

Yes thanks again Knicker I saw your other 2 guides of leaking dns/port forwarding I will save and bookmark them !  Its a must feature for me since I worry if AirVPN stops.... but then I don't

 

Great point regarding the xeon cpu,  they are more designed for 24/7 use,  still I have used an intel quad 6700 cpu 24/7 for 5 years and never without issue.  I feel with an core i3/i5 if you can get one with AES it could still proove just as good if not cheaper.... I originally considered an intel nuc or amd sapphire mini pc,  but these little boxes are limited by 1 nic !   Using mini pic-e network cards is possible but then no one seems to have attempted it,  otherwise I felt an intel nuc with low power and with either mini-pcie network card or vlan switch would have done the job,  but then the price and power still adds up sharply over a custom AMD or intel build. 

 

Your shuttle is very nice and small and mini itx.  I still feel an AMD 4ghz dual core with AES which is cheap and a micro-atx with 1-2 pci express slots offer more connectivity and flexibility then an mini itx build.  Power should not be that much more either and its cheaper to pick up micro-atx mobo and cheap AMD cpu with 4ghz/AES but maybe wrong on this...

 

1-2 previous guys have hinted to me AES on the cpu does help but not drasticly,  ie like 20-30% less.... but I feel it was all theory talk and no one had actually tried to see the difference.  I guess in theory AES instructions should reduce the cpu overhead big time but not sure.

 

Nickspam what is your current pfsense hardware build consist off or are you running pfsense via virtualbox ?

 

Hello Royee,

 

  • Regarding your privacy I surely understand that, but caching in squid while always connected through a VPN is not an issue. It becomes a different story if you use a regular connection once in a while...
  • uTorrents, p2p, etc will never be available as apackage for pfsense. It's a firewall and that's it. You cannot compare that to consumer routers.
  • Doesn't matter what cpu you use, as long as it's AES NI instructed (my cpu usage went down from 94% to maximum 25% at full speed up and downloads) and it's made for 24/7 use. I.E: a server cpu...
  • Intel i3 has no AES NI. Intel i5 and i7's socket 1155 and higher do, but not made for 24/7 use and have a higher power consumption. My XEON costs around $200... (Intel Xeon CPU E3-1220 V2 @ 3.10GHz)

Regards,

 

knicker

Share this post


Link to post

Hi knicker a question are you able to max out your 200m/b line on pfsense airvpn openvpn client under that xeon cpu ?

 

I know you hit 132 meg with the celeron but high cpu usage.

 

I am still saving up for my pfsense box build hope to do it real soon so will follow and run this guide soon !

Share this post


Link to post

Hi,

 

Nice to hear I can help you out. I've just installed my pfesense again and followed this guide. Works like a charm!

 

Speedtest

 

Speedtest_XEON.jpg

You'll never get what they promise. Without VPN I almost never get 200 Mb/s. 170 - 180 at best.

 

Not bad though, through a VPN.

 

Cheers!

 

knicker

Share this post


Link to post

Hi yeah that is awesome speeds regardless.  At least once all runs thru a VPN your safe as can be

 

I look forward to following the guide soon !

Share this post


Link to post

This sounds very interesting.

 

On the moment I have a 150 Mb/s - 20 Mb/s ISP connection and my max speed over VPN is 7Mbps

So I am astonished that it is possible to have 140Mbps; that's 20 times more!

 

I thought it was not possible and that the air vpn servers were the bottleneck.

But now I am not so sure anymore about that...

Share this post


Link to post

This sounds very interesting.

 

On the moment I have a 150 Mb/s - 20 Mb/s ISP connection and my max speed over VPN is 7Mbps

So I am astonished that it is possible to have 140Mbps; that's 20 times more!

 

I thought it was not possible and that the air vpn servers were the bottleneck.

But now I am not so sure anymore about that...

I was hitting around similar with my Asus tomato router,  I ignored a few comments about people saying you wont get faster but sadly they were all right.

Eventually routers are just too slow.  Even the latest netgear router with dual core 1ghz cpu wont do much more then around 20meg under an VPN with AES encryption.

 

So its time to build a pfsense.  Many pfsense guys I noticed have just used an old pc or got a cheap pc of ebay and converted it into an router and I prefer this.  However trying to get a low powered and low wattage AES compatible CPU and one with 2-4 ethernet ports which are all compatible with pfsense is slightly tricky.  But check Knickers hardware I feel he has got it bang on.

 

I would have loved to use one of those tiny pcs that consume 15-20watts but I don't feel that is happening since they lack AES or ethernet ports.

 

Shame Shutlle DS61 V1.1 did not upgrade to a haswell system,  some core i3s @ 55watts and some cpus with 35watts even about....

Share this post


Link to post

Hi,

 

Here my CPU load on the XEOn while downloading large files from usenet. That's a big difference from the 91% load on the Celeron...

 

The AES NI instruction in the chipset and a quad core server processor capacity will do the trick...

 

@LionofOrange: I can highly recommend this set-up

 

CPU_Load_XEON.jpg

Share this post


Link to post

I contacted airvpn for a trial and asked them how to set it up in Pfsense (2.1X64). They've directed me to this thread. That didn't work, because the copy/paste from *.ovpn led Pfsense to say that the certificate wasn't valid. Support then told me to generate new, separate, files (using the 'advanced' option in the generator). Now Pfsense was happy. Still, there is a DNS-problem somewhere. I contacted support, told them that Pfsense is establishing the connection but I still can't browse, send mail, whatever. They told me to ask you here in this thread. Which I don't think is right, as Pfsense is connecting to airvpn, but after that, the servers over at airvpn don't follow up. Can't ping, can't browse, can't email. Switch back to my default gateway, and everything is fine.

Share this post


Link to post

Hello,

 

it does not seem a DNS issue: the connection to the VPN server, according to the logs you sent us in the ticket, is not established at all for a certificate error (OpenVPN exits with fatal error because it can't read a certificate). Can you please re-check certificates and key? Please make sure that there's no mismatch between ca.crt and user.crt.Also, can you please send us a screenshot of your pfsense OpenVPN configuration page?

 

Kind regards

Share this post


Link to post

Hello Dolla45,

 

They actually are right since you seem to have a connection to them. Any other problems are not theirs I guess (although they're very supportive in any matter)...

 

I'll be glad to help you out.

 

  1. Did you follow EXACTLY what to copy/paste and where to paste it? Read carefully when copy/pasting the second key! This is essential. Did you create the firewall rule in the LAN tab above in the rules section? (I made that mistake once)
  2. It's not your DNS obviously. (see above)
  3. Do you have a modem or a router from your ISP? If it's a router, how is that configured? Bridge would be the best option... If you have a modem then everything is fine anyway.
  4. I kindly ask you to check EVERY setting I've described in my guide. I've re-installed my pfsense last week and used this guide to setup the vpn again and this worked instantly. I've also used my other guides here on port forwarding and dns leaks, works like a charm. Can you send me screenshots otherwise so I can check it myself? I'm a little bit in the dark here if cannot see your settings (use the scissor tool in windows and you can black your IP's, ports and so on). For image uploading: Imagehosting and use second option (copy url) and paste here.

Regards,

 

knicker

Share this post


Link to post

Hello Dolla45,

 

They actually are right since you seem to have a connection to them. Any other problems are not theirs I guess (although they're very supportive in any matter)...

 

I'll be glad to help you out.

 

  1. Did you follow EXACTLY what to copy/paste and where to paste it? Read carefully when copy/pasting the second key! This is essential. Did you create the firewall rule in the LAN tab above in the rules section? (I made that mistake once)
  2. It's not your DNS obviously. (see above)
  3. Do you have a modem or a router from your ISP? If it's a router, how is that configured? Bridge would be the best option... If you have a modem then everything is fine anyway.
  4. I kindly ask you to check EVERY setting I've described in my guide. I've re-installed my pfsense last week and used this guide to setup the vpn again and this worked instantly. I've also used my other guides here on port forwarding and dns leaks, works like a charm. Can you send me screenshots otherwise so I can check it myself? I'm a little bit in the dark here if cannot see your settings (use the scissor tool in windows and you can black your IP's, ports and so on). For image uploading: Imagehosting and use second option (copy url) and paste here.

Regards,

 

knicker

 

Thanks for replying, Knicker; appreciated :-)

 

Well, that support tells me something else every time. The thing is: IF Pfsense (PFS) reports VPN is up, IF 1 out of every websites I try to contact DOES come up, then it seems to me that there is NOT a problem with the connection (I don't know why support posts 'OpenVPN exited, because it didn't, and it doesn't show that in the logs. OpenVPN is up, but after that it can't connect to any website. And now I can not even try it anymore, since the three days trial is over because that is how long I am messing around to get this to work. My OpenVPN worked flawlessly with strongVPN, but here I can't get it to work. And support doesn't respond when I ask for a new trial key.

 

I did create outbound NAT, firewall rules, etc. I only have a modem from my ISP, so no problems there either.

 

The problem indeed seems to be in pasting the certificates, especially the second part, just as you said. And it here it gets confusing. You say I should start with:

 

Certificate:

 

However support says:

 

 

Hello,
 
the content is not wrong. You're pasting the key instead of the certificate. Paste the appropriate certificate in the appropriate field please, beginning from "-----BEGIN CERTIFICATE".
 
user.key: this is the client secret key
ca.crt: this is the CA certificate
user.crt: this is the client certificate
 
Kind regards
AirVPN Support Team

 

So you say I should start at the top, whereas support says I should half way. I just tried what support says, but, you will have guessed it, the trial key has expired and I can not log in anymore. This is what Pfsense says now:

 

 

openvpn[67512]: SIGTERM[soft,auth-failure] received, process exiting
openvpn[67512]: AUTH: Received control message: AUTH_FAILED

 

So I can't test anything at all anymore, I have to wait if and when support sends me  new trial key.

 

But I can tell you I am not very enthusiastic about Airvpn, after three days and 2000 screen shots they suddenly tell me I should start pasting half way from the certificate. They could have said that in the first mail on day one :-(

 

Thanks again, Knickers, for your kind reply :-)

 

If and when they send a new trial key I will try once more and report back to you.

 

Thank you & bye :--)

Share this post


Link to post

@dolla45

 

Hello,

 

reviewing your ticket, it's 3 days that support tells you to paste correctly certificates and key. You have been told 3 times in the ticket and one time here that you wrongly pasted certificates. Problem was detected almost immediately and support staff could not do anything else, since you kept ignoring repeatedly the instructions...

 

Kind regards

Share this post


Link to post

Hello Dolla,

 

  • In the first section tab (CAs) copy paste from your OVPN file the first key starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
  • In the second section tab (Cerificates) in the first space, copy paste from your OVPN file the second key starting with

Certificate:
    Data:
        Version: 3 (0x2)

                  AND SO ON AND SO ON

 

and ending with -----END CERTIFICATE-----.  (SO ALL THESE NUMBERS AND CODES INCLUDED and also the section which starts with --------begin certificate)

  • In the second section tab (Cerificates) in the second space, copy paste from your OVPN file the third key (RSA PRIVATE KEY) starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

As you can see in the OVPN file, there are three sections that start with --------BEGIN CERTIFICATE and ----------END CERTIFICATE. Make sure you include the second in your second copy/paste. So not ONLY this key, but also the algorithms you see with all the numbers and letters lined up.

 

That's it. Just take a month subscription so you have the time to figure everything out. Airvpn is the best out there encryption wise, price/quality wise and has a very stable network without all the "extra blablabla" clients and stuff you don't need. It's only 7 euro's? What can you loose? I sure as hell don't want my vpn to run through bigger commercial companies with all kinds of other 'services' that do not serve me well. Besides that, I've spend 2 or 3 months figuring out which VPN, which router, etc etc. Investigate and decide then, not the other way around since that only frustrates yourself and by that possibly others in supporting you.

 

Kind regards,

 

knicker

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...