How To Set Up pfSense 2.1 for AirVPN

pfSense_fan

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****

pfSense 2.3 WAS RELEASED APRIL 12, 2016

WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3

THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN

I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA

AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST

pfSense_fan's Guide

How To Set Up pfSense 2.1 for AirVPN

Using Three or more NIC's

Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!

Table of Contents:

pfSense_fan

Preface

Here is a guide on how to set up pfSense 2.1 as a firewall, router and OpenVPN client for connecting to AirVPN and Clear-Net using three or more NIC's.

Why pfSense?

PfSense is a firewall distribution based on FreeBSD and forked from m0n0wall. The primary focus of pfSense is security, not features as many consumer products are. It is not prone to the weak security and vulnerabilities that many consumer routers are. Because it is based on PC hardware, it is also far more powerful. As where an OpenVPN client on a consumer router might max out at 20-30 Mbit / sec, The newest generation of Xeon E3 12XX V3 could do upwards of 500 Mbit / sec on a properly configured pfSense install. For most of us that is far more than our ISP's even provide us with. Personally I have seen speeds as high as 150 Mbit / sec, and can easily get 60-75 Mbit / sec through the VPN when my use demands it, but I am limited by my ISP. If you have ever wondered how people accomplish the speeds they do on the status page, consider that I have been in that #1 spot more than once and frequently appear in the top 10.

Some other considerations on “Why pfSense”? Your entire network can be protected by a strong firewall and routing all trafic through your AirVPN connection, not just one device, without even a hint of slowing down your connection. For the more advanced user, you can even set up an OpenVPN SERVER and remotely connect your mobile phones, tablets, laptops and any other device you wish to your firewall and then route that traffic out through your AirVPN connection as well. This is exactly what I do. I route my mobile devices though the firewall which allows me to scan that traffic for viruses, firewall it and encrypt it with the VPN. At a later date I will also make a tutorial on how to accomplish this.

pfSense also has a “Packages” system for adding more things such as “pfBlocker” which is similar to peerblock. Other packages include Snort (Intrusion Detection), Squid (Caching proxy, the newest version has anti-virus and can even scan SSL on your network if you permit it) and Dansgaurdian (content filter). These can enhance your security if used properly.

There are many more reasons on top of this as well. Simply put; I have yet to find a better solution for connecting with AirVPN.

Why I made this guide.

After searching for many months on how to correctly accomplish this, I was unable to find proper documentation. After months of piecing together the information I did find combined with tedious testing of settings not documented elsewhere, I started to document what I learned as I was also helping others get set up. I also wanted to document this for my own use, although at this point I know this like the back of my hand. After seeing more and more people have questions on using pfSense on AirVPN I decided to share what I learned and continue to learn. It is my hope that in using this guide, I can help others gain confidence in understanding and using pfSense, both in general and with AirVPN.

Further more, I believe strongly in the mission statement of the folks at AirVPN, and this is my thank you to them for offering a great service and an avenue for those that truly need privacy and anonymity. I can only hope this guide will some day help someone communicate important information or avert oppression and censorship.

Things to Consider Before Following This Guide

THIS TUTORIAL IS INTENDED TO BE USED ON A FRESH INSTALL OF PFSENSE!!!

Everything in the following tutorial assumes your settings are as they were, default, after a fresh install. You most certainly can add to it, especially firewall rules, when set correctly. Many people will have many uses requiring additional settings. I consider these variables to be outside the scope of this tutorial as this is aimed at beginners. I cannot guarantee functionality if you attempt to integrate this guide into your previous settings. Therefore, these issues and settings will not be addressed in the tutorial, but are welcome in discussion in replies to the guide.

THIS TUTORIAL IS INTENDED FOR THOSE THAT NEED CONNECTIONS TO BOTH CLEAR NET AND VPN

Most users will need connections for some of their devices through the clear net just as I do for things such as VOIP and gaming. Setting it up this way also has the added benefit that if the VPN fails you do not need to reconfigure anything to test why it failed. Constantly having to reconfigure things is a quick way to forget something and poor planning with security. This is why I STRONGLY recommend the use of 3 or more network interface cards. This creates a sort of “Air Gap” between the clear-net and VPN configured networks, considering you have to physically move a network cable to access the different networks. In fact, I personally do not condone the use of only two interfaces for beginners for this reason. I have however, as a courtesy, added a basic addendum to the guide for those who choose to go this route. There is no clear-net configured interface in the two interface guide, only VPN. If the VPN goes down, internet connectivity will go down. I do not use this method myself, and made that section “in my head”. If it needs amending, users of it will need to notify me. I will update that section, although not as frequently as the main guide.

THIS TUTORIAL IS INTENDED FOR BEGINNERS AND THOSE WHO ARE OTHERWISE NOT CONFIDENT IN WHAT THEY ARE DOING

“Tim Toady” - There's more than one way to do it. As the old saying goes, there is more than one way to skin a cat. Well, on pfSense there are quite a few different ways to go about setting it up for using it with AirVPN. I want to make this clear up front that this tutorial is not the only way to set this up. I'm not going to cover them all, in fact I'm not going to cover any other method than the one I believe to be the safest, easiest and most noob proof. I have added in a few steps (Dropping all states and preventing the gateway from re-routing if the VPN drops as well as blocking all other DNS other than the one we intend to use – the AirVPN DNS or otherwise) that go beyond just “getting it to work” because they further secure the setup for VPN uses. I consider these basic security precautions part of a basic guide to using a VPN, not a later addendum. I intended this to be educational to those who don't know or are not quite confident in what they are doing. If this does not suit your uses or you have your own security policies you choose to follow, you are free to play with my settings as you see fit or use a different guide. If you have constructive criticism or insight on further security policies I’d love to hear it. This tutorial was never intended for experienced users who just wanted to get OpenVPN going. It was meant to give someone who has no previous experience with a commercial firewall the tools they need to make the jump away from weak and insecure consumer grade equipment. The focus will continue to be with that in mind.

ON THE SUBJECT OF DNS LEAKS

NOTE: READ AND UNDERSTAND THIS IN IT'S ENTIRETY

DNS leaks are not an "issue" on pfSense or its core underlying operating system, FreeBSD. DNS leaks are primarily an issue on Windows operating system. If pfSense is set correctly, the OPERATING SYSTEM will not leak a DNS request. If we tell an interface to use a specific DNS server, it will. It (pfSense) will not send a request out of an alternate interface or gateway.

That being said, an uninformed user, foreign hardware (mobile devices etc) or program may try to contact an alternate DNS server from behind the firewall. This can be harmless (an uninformed user contacting an external DNS), or this could be a malicious attack (DNS Hijacking or DNS Rebinding Attack). This is not a fault of pfSense, and the following scenario can happen on ANY platform. A virus, worm, or malicious browser code could hijack and reroute the DNS request to a poisoned or malicious server. This could lead to you seeing an incorrect hijacked web page and could be an attempt to expose you by an adversary. I have added this consideration to the firewall rules that protect against this. IT SHOULD BE NOTED HOWEVER THAT EVEN IF A USER OR PROGRAM SOMEHOW USED AN ALTERNATE EXTERNAL DNS, IT IS NOT A "LEAK" IN THE SAME SENSE THAT IS OFTEN DISCUSSED ON THE AIRVPN.ORG FORUMS. That type of leak requires that a DNS request would leave your network on an interface other than the one you intended (In our case this would mean it would leave an interface other than the AirVPN_LAN or AirVPN_WAN). In the event that a program (malicious or not) sent out a request to an EXTERNAL DNS server other than AirDNS, if all of our settings are set correctly it would still go through the VPN we have set up. While this prevents an outside observer from knowing exactly who is sending the DNS requests, it does not stop this alternate DNS from replying with a poisoned site. The only real way a DNS LEAK would happen is through user error with the DNS Forwarder settings. WE CANNOT SHARE THE DNS FORWARDER BETWEEN CLEAR-NET AND VPN CONFIGURED INTERFACES. Even though we will configure DNS for VPN interfaces through DHCP, at this point (and without further intervention) the DNS forwarder is still ACCESSIBLE from any device behind a VPN configured interface. We need to manually block this availability to prevent devices from unknowingly causing leaks. If you have a wireless network behind a VPN interface, and a mobile device with a manually configured DNS of 192.168.1.1 entered the network, it would cause a DNS leak unless we create a firewall rule to block such connectivity. THIS COULD POTENTIALLY EXPOSE THE VPN USER WITHOUT SUCH A RULE. The way the DNS forwarder works is it sends queries to and then collects (caches) information from all DNS servers entered on the general settings page. If you were to use VPN and Clear-net DNS, it would send requests potentially inside and outside (or just outside) the VPN tunnel. Avoiding this has been covered in the guide, where I explain two steps to isolate VPN DNS requests from those of clear-net requests - how to set the DNS servers for VPN interfaces through DHCP and firewall rules to block all DNS requests to anything that we do not explicitly allow, including the built in DNS forwarder. These blocks are necessary to prevent accidental or malicious DNS leaks and hijacking.

As a bonus, I have added a section at the end of the “Setting Up the DNS Forwarder” section describing how to verify your DNS settings are working within the firewall. I also added instructions at the very end of the tutorial for Windows and Wine users on how to internally and externally test for DNS leaks.

ON THE SUBJECT OF IP LEAKS

When using a VPN configured interface according to the steps in this guide, If the VPN fails, all states are cleared and the connection is severed. Even if the connection somehow did not drop, the “Block All” firewall rule which is addressed in this guide will block any attempts for a connection that does not go out the AirVPN_WAN gateway. In this, redundancies are in place to block IP leaks.

Why multiple Network Interface Cards?

Why use both clear-net and AirVPN?

Why not force all traffic through the VPN?

These questions can all be summed up into one answer. I have many devices and many users connected in my residence. I needed a method to divide, isolate, protect and route these devices and users. With the use of multiple subnets on multiple NIC's I can achieve this while also maintaining very specific firewall rules for each interface. As an example, one setup I have used was as follows:

WAN

LAN

XBOX

VOIP

AirVPN_WAN

AirVPN_LAN_1

AirVPN_LAN_2

AirVPN_LAN_3

AirVPN_LAN_4

I needed a setup that allowed Clear-Net access for the Firewall, LAN (to ensure connectivity even if the VPN goes down), XBOX and VOIP interfaces, while requiring the AirVPN_LAN interfaces to route through my AirVPN OpenVPN client. This also required no leaks, either IP or DNS. This guide accomplishes that by explaining how to set up one interface for clear-net and another for VPN access. This can then be extrapolated for additional interfaces of either sort.

I do not suspect the average user will go the same route as I have (having 8+ NIC's), but quad port NIC's and motherboards that include quad port NIC's and on board low power VGA are becoming common and recommended for this use.

What kind of hardware can run pfSense?

While the quick answer is “pretty much any pc equipment” there are many considerations for this such as cost of hardware, energy efficiency and how it will be used. Will you use packages such as Snort? How much memory is really required? How “fast” is your internet connection? How long do you intend to use this? At the time of this writing, I personally recommend Rangely or Avoton (Rangely is intended for network devices, Avoton has turbo boost) based Intel Atom boards or the newest generation of Xeon E3 12X0 V3 processors(Ones without graphics on the chip). There is a number of motherboards from SuperMicro and ASRock that have Quad Port Intel Server Class NIC's built onto the board as well as having built on VGA. I cannot stress how much and why I recommend these. Having those on board saves a lot of money and hassle as many cheap motherbord NIC's are not supported as where the Intel Server NIC's are well supported. Those processors also have built in encryption “instructions” (AES-NI, RDRAND) that OpenVPN/OpenSSL can take advantage of and they are quite energy efficient. Energy efficiency must be considered, as the cost of electricity to run an older piece of hardware could easily pay itself off in 1-2 years of running. There certainly is nothing wrong with using equipment you have laying around, however I do not advocate seeking for purchase or “upgrading” old hardware in any way. I consider it a waste of money when considering performance and electrical/upgrading costs over that of new hardware. Ultimately you must decide what you want, what you need and how much to spend on the build.

(Eventually I will post links to the hardware I suggest with a more in depth explanation of why)

A general disclaimer about this guide

I wrote this guide under my own free will and provide it for all to use. I am not in any way affiliated with pfSense, AirVPN or any of the hardware manufacturers mentioned in this article. This guide was formed from research, trial and error and extensive testing. I make no guarantee of this article's accuracy further than to say it works for me. Under no circumstance will myself or any of the previously mentioned entities be responsible for your choice to use this guide, successes or failures in using it, or any further support. Like anything in life, you should research accordingly and use your best judgement.

Last but not least, I want to say thank you to user Refresh for his participation and support in the making of this, which without that support this may not have been possible!

Time to get started!

pfSense_fan

Understanding Certificates and OpenVPN Config Files

I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here.

First, if you have not done so already, we have to download the OpenVPN Config File (.ovpn) for our preferred AirVPN entry server. You can do this by logging into airvpn.org and then proceeding to https://airvpn.org/generator/ . Choose the entry server of your choice (the air entry server can be changed later whenever you need, we will focus on one for this tutorial) by selecting the corrisponding check box the scroll down and select the “Direct, protocol UDP, port 443”. Scroll down again and select both check boxes agreeing to the AirVPN terms of service, then click the “Generate” button. Once you have the config file you can open it with your favorite text editor. What you should see will look very similar as the sample ovpn config I pasted below (this one was downloaded for a windows client). The config is broken into FIVE main parts that we will need to identify for our uses.

The five parts are as follows:

Settings and Advanced Settings
CA (Certificate Authority, everything between <ca> and </ca>)
Cert (Certificate Data, everything between <cert> and </cert>)
Key (RSA Private Key, everything between <key> and </key>)
tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>)

Sample OpenVPN Config File

We will need to copy these settings from YOUR config file you downloaded from the AirVPN config generator into pfSense to set up our certificates and OpenVPN. DO NOT USE THESE, they are fictional.

# --------------------------------------------------------

# Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM

# OpenVPN Client Configuration

# AirVPN_XXXXXXXXXXX-xxxx

# --------------------------------------------------------

client

dev tun

proto udp

remote xxx.xxx.xxx.xxx 443

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

cipher AES-256-CBC

comp-lzo no

verb 3

explicit-exit-notify 5

<ca>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</ca>

<cert>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</cert>

<key>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</key>

key-direction 1

<tls-auth>

#

# 2048 bit OpenVPN static key

#

-----BEGIN OpenVPN Static key V1-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END OpenVPN Static key V1-----

</tls-auth>

pfSense_fan

Understanding OpenVPN Settings on pfSense

Here is the list of settings given to us in the config files we download for a standard UDP connection. Below are descriptions of what they do and where they are located or how they are entered in pfSense.

They are as follows:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
key-direction 1

1.) "client" – This setting denotes whether this configuration is for a OpenVPN client or server. We are connecting to AirVPN as clients. There is no corresponding setting in pfSense as we are denoting this by selecting the client tab.

2.) dev tun = "Device Mode" on the OpenVPN client settings page. This setting selects the virtual network type.

From the OpenVPN manual:

--dev tunX | tapX | null
TUN/TAP virtual network device ( X can be omitted for a dynamic device.)

See examples section below for an example on setting up a TUN device.

You must use either tun devices on both ends of the connection or tap devices
on both ends. You cannot mix them, as they represent different underlying
network layers.

tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap devices
encapsulate Ethernet 802.3 (OSI Layer 2).

3.) proto udp = "Protocol" drop down selection on the OpenVPN client settings page.

From the OpenVPN manual:

--proto p
Use protocol p for communicating with remote host. p can be udp, tcp-client, or tcp-server.

The default protocol is udp when --proto is not specified.

For UDP operation, --proto udp should be specified on both peers.

For TCP operation, one peer must use --proto tcp-server and the other must use --proto tcp-client. A peer started with tcp-server will wait indefinitely for an incoming connection. A peer started with tcp-client will attempt to connect, and if that fails, will sleep for 5 seconds (adjustable via the --connect-retry option) and try again infinite or up to N retries (adjustable via the --connect-retry-max option). Both TCP client and server will simulate a SIGUSR1 restart signal if either side resets the connection.

OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks.

This article outlines some of problems with tunneling IP over TCP:
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

There are certain cases, however, where using TCP may be advantageous from a security and robustness perspective, such as tunneling non-IP or application-level UDP protocols, or tunneling protocols which don't possess a built-in reliability layer.

4.) remote xxx.xxx.xxx.xxx 443 = "Server Host or Address" AND "Server Port" entries on the pfSense client settings page. The host or address is the xxx.xxx.xxx.xxx entry replaced by the IP address or hostname of your preferred AirVPN entry server. The port is the 443 that follows, or could be any of the other optional ports you can choose with the config generator. For the purposes of this tutorial I chose to use the basic config of UDP 443.

From the OpenVPN manual:

--remote host [port] [proto]
Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature. See the <connection> documentation below.

The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options.

proto indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".

The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one server.

Note that since UDP is connectionless, connection failure is defined by the --ping and --ping-restart options.

Note the following corner case: If you use multiple --remote options, AND you are dropping root privileges on the client with --user and/or --group, AND the client is running a non-Windows OS, if the client needs to switch to a different server, and that server pushes back different TUN/TAP or route settings, the client may lack the necessary privileges to close and reopen the TUN/TAP interface. This could cause the client to exit with a fatal error.

If --remote is unspecified, OpenVPN will listen for packets from any IP address, but will not act on those packets unless they pass all authentication tests. This requirement for authentication is binding on all potential peers, even those from known and supposedly trusted IP addresses (it is very easy to forge a source IP address on a UDP packet).

When used in TCP mode, --remote will act as a filter, rejecting connections from any host which does not match host.

If host is a DNS name which resolves to multiple IP addresses, one will be randomly chosen, providing a sort of basic load-balancing and failover capability.

5.) "resolv-retry infinite" = The check box next to the "Server Host Name Resolution" titled "Infinitely Resolve Server". From pfSense: "Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet."

From the OpenVPN manual:

--resolv-retry n
If hostname resolve fails for --remote, retry resolve for n seconds before failing.

Set n to "infinite" to retry indefinitely.

By default, --resolv-retry infinite is enabled. You can disable by setting n=0.

6.) nobind = “Local Port” on the OpenVPN settings page and is set by leaving the entry BLANK or entering a number “0”.

From psSense: “Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port “

From the OpenVPN manual:

--nobind
Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.

7.) persist-key = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-key;" but without the quotes.

From the OpenVPN manual:

--persist-key
Don't re-read key files across SIGUSR1 or --ping-restart.

This option can be combined with --user nobody to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files.

This option solves the problem by persisting keys across SIGUSR1 resets, so they don't need to be re-read.

8.) persist-tun = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-tun;" but without the quotes.

From the OpenVPN manual:

—persist-tun
Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.

9.) remote-cert-tls server = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "remote-cert-tls server;" but without the quotes.

From the OpenVPN manual:

--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they connect to is a designated server.

The --remote-cert-tls client option is equivalent to --remote-cert-ku 80 08 88 --remote-cert-eku "TLS Web Client Authentication"

The key usage is digitalSignature and/or keyAgreement.

The --remote-cert-tls server option is equivalent to --remote-cert-ku a0 88 --remote-cert-eku "TLS Web Server Authentication"

The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.

10.) cipher = "Encryption Algorythm" in the pfSense client settings page. AirVPN uses "AES-256-CBC" according to the config generator files.

From the OpenVPN manual:

--cipher alg
Encrypt packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently.

For more information on blowfish, see http://www.counterpane.com/blowfish.html

To see other ciphers that are available with OpenVPN, use the --show-ciphers option.

OpenVPN supports the CBC, CFB, and OFB cipher modes, however CBC is recommended and CFB and OFB should be considered advanced modes.

Set alg=none to disable encryption.

11.) comp-lzo no = The check box labled “Compress tunnel packets using the LZO algorithm.” on the OpenVPN Client Settings page.

From the OpenVPN manual:

--comp-lzo [mode]
Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).

In a server mode setup, it is possible to selectively turn compression on or off for individual clients.

First, make sure the client-side config file enables selective compression by having at least one --comp-lzo directive, such as --comp-lzo no. This will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting.

Next in a --client-config-dir file, specify the compression setting for the client, for example:

comp-lzo yes
push "comp-lzo yes"

The first line sets the comp-lzo setting for the server side of the link, the second sets the client side.

12.) verb 3 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "verb 3;" but without the quotes.

From the OpenVPN manual:

--verb n
Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.

0 -- No output except fatal errors.
1 to 4 -- Normal usage range.
5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).

13.) Explicit-exit-notify 5 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "explicit-exit-notify 5;" but without the quotes.

From the OpenVPN manual:

--explicit-exit-notify [n]
In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited. In client mode, on exit/restart, this option will tell the server to immediately close its client instance object rather than waiting for a timeout. The n parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. OpenVPN will not send any exit notifications unless this option is enabled.

14.) key-direction 1 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "key-direction 1;" but without the quotes.

From the OpenVPN manual:

--key-direction 1
Alternative way of specifying the optional direction parameter for the --tls-auth and --secret options. Useful when using inline files (See section on inline files).

Here is the list of settings that are further “pushed” to us when connecting. By entering them manually we take an additional step to prevent the use of or depreciation to “lower”, less secure settings. Below are descriptions of what they do. All of these following settings are entered into the Advanced box on the OpenVPN Client page.

They are as follows:

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
keysize 256
auth SHA1
key-method 2

1.) tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA = OpenVPN > Client > Advanced: tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;

This setting is automatically “pushed” when connecting to the server. That being said, it can also be set manually which has the benefit of preventing the use of/falling back to a lower encryption version.

From the OpenVPN manual:

--tls-cipher l
A list l of allowable TLS ciphers delimited by a colon (":"). If you require a high level of security, you may want to set this parameter manually, to prevent a version rollback attack where a man-in-the-middle attacker tries to force two peers to negotiate to the lowest level of security they both support. Use --show-tls to see a list of supported TLS ciphers.

2.) keysize 256 = OpenVPN > Client > Advanced: keysize 256;

From the OpenVPN manual:

--keysize n
Size of cipher key in bits (optional). If unspecified, defaults to cipher-specific default. The --show-ciphers option (see below) shows all available OpenSSL ciphers, their default key sizes, and whether the key size can be changed. Use care in changing a cipher's default key size. Many ciphers have not been extensively cryptanalyzed with non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security.

3.) auth SHA1 = OpenVPN > Client > Advanced: auth SHA1;

From the OpenVPN manual:

--auth alg
Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.

In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.

For more information on HMAC see http://www.cs.ucsd.edu/users/mihir/papers/hmac.html

4.) key-method 2 = OpenVPN > Client > Advanced: key-method 2;

From the OpenVPN manual:

--key-method m
Use data channel key negotiation method m. The key method must match on both sides of the connection.

After OpenVPN negotiates a TLS session, a new set of keys for protecting the tunnel data channel is generated and exchanged over the TLS session.

In method 1 (the default for OpenVPN 1.x), both sides generate random encrypt and HMAC-send keys which are forwarded to the other host over the TLS channel.

In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client and server also generate some random seed material. All key source material is exchanged over the TLS channel. The actual keys are generated using the TLS PRF function, taking source entropy from both client and server. Method 2 is designed to closely parallel the key generation process used by TLS 1.0.

Note that in TLS mode, two separate levels of keying occur:

(1) The TLS connection is initially negotiated, with both sides of the connection producing certificates and verifying the certificate (or other authentication info provided) of the other side. The --key-method parameter has no effect on this process.

(2) After the TLS connection is established, the tunnel session keys are separately negotiated over the existing secure TLS channel. Here, --key-method determines the derivation of the tunnel session keys.

Edited ... by Clodo

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 1: Entering our AirVPN CA (Certificate Authority)

1.) Go to: System > Cert Manager

http://192.168.1.1/system_camanager.php
-or-
https://192.168.1.1/system_camanager.php

2.) Find and select the [+] on the lower right for “Add or Import CA”

3.) Here we will enter a descriptive name and enter our CA certificate data.

Set as follows:

Descriptive name = [✎ AirVPN_CA ]

Method = [ Import an Existing Certificate Authority ▼]

Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>)] - (Everything highlighted LIGHT BLUE in the Sample ovpn config):

<ca>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</ca>

Certificate Private Key(optional) = [_____] (Blank/Empty)

4.) Click [save]

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 2: Entering our AirVPN Certificate and Key

1.) Go to: System > Cert Manager > Certificate Manager

http://192.168.1.1/system_certmanager.php
-or-
https://192.168.1.1/system_certmanager.php

2.) Find and select the [+] on the lower right for “Add or Import Certificate”

3.) Here we will enter a descriptive name and enter our Certificate and Key data.

Set as follows:

Descriptive name = [✎ AirVPN_CERT ]

Method = [ Import an Existing Certificate Authority ▼]

Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config):

<cert>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</cert>

Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config):

<key>

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

</key>

4.) Click [save]

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 3: Setting up the OpenVPN Client

1.) Go to: VPN > OpenVPN > Client

http://192.168.1.1/vpn_openvpn_client.php
-or-
https://192.168.1.1/vpn_openvpn_client.php

2.) Find and select the [+] on the lower right for “Add Client”

3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK

Set as follows:

--General information

Disabled = [_] (NOT CHECKED!!!)

Server Mode = [Peer to Peer (SSL/TLS) ▼]

Protocol = [uDP ▼]

Device Mode = [tun ▼]

Interface = [WAN ▼]

Local Port = [✎ _____] (Blank/Empty)

Server Host or Address = [✎ XXX.XXX.XXX.XXX] IP of your preferred AirVPN Entry (From the "remote" line in the config)

Server Port = [✎ 443] (From the "remote" line in the config)

Proxy Host or address = [✎ _____] (Blank/Empty)

Proxy Port = [✎ _____] (Blank/Empty)

Proxy Authentication Extra Options = [none ▼}

Server Host Name Resolution = [√] Infinitely Resolve Server (checked)

Description = [✎ AirVPN]

--User Authentication Settings

User name/pass Leave empty when no user name and/or password are needed.

Username: [✎ _____] (Blank/Empty)

Password: [✎ _____] (Blank/Empty)

--Cryptographic Settings

TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)

[_] Automatically generate a shared TLS authentication key. (NOT CHECKED)

___________________________________

| #

| # 2048 bit OpenVPN static key

| #

| -----BEGIN OpenVPN Static key V1-----

| XXXXXXXXXXXXXXXXXXXXXX

| -----END OpenVPN Static key V1-----

|____________________________________

Peer Certificate Authority = [AirVPN_CA ▼]

Cient Certificate = [ AirVPN_CERT ▼]

Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]

Auth Digest Algorithm = [ SHA1 (160 bit) ▼]

Hardware Crypto = SET THIS BASED ON YOUR CPU’s CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RD-RAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance.

--Tunnel Settings

IPv4 Tunnel Network = [✎ _____] (Blank/Empty)

IPv6 Tunnel Network = [✎ _____] (Blank/Empty)

IPv4 Remote Networks = [✎ _____] (Blank/Empty)

IPv6 Remote Networks = [✎ _____] (Blank/Empty)

Limit Outgoing Bandwidth = [✎ _____] (Blank/Empty)

Compression = [Disabled - No Compression ▼ ]

Type-of-Service = [_] (NOT CHECKED!!!)

Disable IPv6 = [✔] (CHECKED)

Don't pull routes = [✔] (CHECKED)

Don't add/remove routes = [✔] (CHECKED)

--Advanced Configuration

Advanced = (Copy and Paste The following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)

##### CLIENT OPTIONS #####;
server-poll-timeout 10   ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
explicit-exit-notify 5;

##### TUNNEL OPTIONS #####;
### Use Multple "remote" entries with the according entry IP address of your favorite servers       ###;
### other than the server entered in the "Server Host or Address" entry above and pfSense           ###;
### will automatically recconnect in a round robin fashion if the server you are connected to       ###;
### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
###remote XX.XX.XX.XX 443   ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Acamar_UDP-2018###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Yildun_UDP-2018###;
###remote XX.XX.XX.XX 53   ###AirVPN_US-Miami_Cursa_UDP-53###;
###remote XXX.XX.XX.XX 443   ###AirVPN_CA-Dheneb_UDP-443###;
###remote XXX.XX.XXX.XXX 443  ###AirVPN_CA-Saiph_UDP-443###;
rcvbuf 262144;
sndbuf 262144;
mlock   ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
fast-io   ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
###tun-mtu 1500;
###mssfix 1450;
###keepalive 5 15;

##### DATA CHANNEL ENCRYPTION OPTIONS #####;
key-direction 1;
keysize 256   ### Size of key from cipher ###;
prng SHA512 64  ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
### replay-window n [t]   ### Default = replay-window 64 15 ###;
### mute-replay-warnings;

##### TLS MODE OPTIONS #####;
tls-version-min 1.2   ### set the minimum TLS version we will accept from the peer ###;
key-method 2   ### client generates a random key ###;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384   ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
tls-timeout 2   ### Default = 2 ###;
ns-cert-type server   ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
remote-cert-tls server   ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
### reneg-sec 3600;

Verbosity level = [ 3 (Recommended) ▼ ]

4.) Click [save]

5.) Go to: Diagnostics > Reboot System

http://192.168.1.1/reboot.php
-or-
https://192.168.1.1/reboot.php

6.) Click [Yes] to Reboot

Edited ... by pfSense_fan

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 4: Assigning the OpenVPN Interface

1.) Go to: Interfaces > Assign

http://192.168.1.1/interfaces_assign.php
-or-
https://192.168.1.1/interfaces_assign.php

2.) Find and select the [+] on the lower right for “Add Interface”

A new interface should appear - [ovpnc1(AirVPN) ▼]

3.) Click [save]

4.) While still on the assign interfaces page, find the link for your newly created “ovpnc1” interface and select it. This will bring you to the configuration page for this interface.

Set as Follows:

--General configuration

Enable = [√] (CHECKED)

Description = [✎ AirVPN_WAN ]

IPv4 Configuration Type = [None ▼]

IPv6 Configuration Type = [None ▼]

MAC Address = [✎_____] (Blank/Empty)

MTU = [✎_____] (Blank/Empty)

MSS = [✎_____] (Blank/Empty)

--Private Networks

Block Private Networks = [_] (NOT CHECKED!!!)

Blocks Bogon Networks = [_] (NOT CHECKED!!!)

5.) Click [save]

6.) Click [Apply Changes]

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 5: Setting the AirVPN Gateway

1.) Go to: System > Routing

http://192.168.1.1/system_gateways.php
 -or- 
https://192.168.1.1/system_gateways.php

2.) Find and select the [+] on the same line asAirVPN_WAN_VPN4

***** NOTE: BE VERY CAREFUL OF WHICH [+] YOU SELECT HERE. “MOUSING OVER” THE [+] BUTTONS WILL REVEAL THEIR TITLE. DO NOT SELECT THE ONE FOR WAN DHCP! What you will see here may vary. When I got to this point in my setup I had two gateways that were added but not yet enabled, You may only see your default/WAN gateway until you add a new one. I had AirVPN_WAN_VPN4 (IPv4) and AirVPN_WAN_VPN6 (IPv6, if you have IPv6 disabled you will not see this). You are not able to edit the names of these gateways. What I did to get around this was to create a new IPv4 gateway (by clicking the [+] on the same line as AirVPN_WAN_VPN4) and give it the name I wanted (AirVPN_WAN). Then, after saving this new interface, the old AirVPN_WAN_VPN4 Gateway will have automatically have been deleted. If IPv6 is not disable on your system, ignore the “grayed out”/disabled AirVPN_WAN_VPN6. It cannot be deleted, only made to disappear if you disable IPv6. I will not go into how to do that at this time.

3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it.

Set as follows:

Disabled = [_] (UNCHECKED)

Interface = [AirVPN_WAN ▼]

Address Family = [iPv4 ▼]

Name = [✎ AirVPN_WAN]

Gateway = [dynamic]

Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)

Disable Gateway Monitoring = [√] (CHECKED) The monitoring servicve has caused more issues then it has corrected as of late, so we will disable it.

Monitor IP = [______] (Blank) If you do decide to enable this, set it to 10.4.0.1

Mark Gateway as Down = [_] (UNCHECKED)

Advanced = **Unchanged**

Description = [✎ AirVPN_WAN]

***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as:

write UDPv4: No buffer space available (code=55)

The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct!

4.) Click [save]

5.) Click [Apply Changes]

6.) Go to: System > Advanced >Miscellaneous

http://192.168.1.1/system_advanced_misc.php
 -or- 
https://192.168.1.1/system_advanced_misc.php

7.) Find the section titled “Gateway Monitoring”

*****NOTE***** The following settings are important!!!

Set as follows:

State Killing on Gateway Failure = [_] (NOT CHECKED!!!)

Skip rules when gateway is down = [√] (CHECKED)

8.) Click [sAVE]

9.) Go to: Diagnostics > Reboot System

http://192.168.1.1/reboot.php
 -or- 
https://192.168.1.1/reboot.php

10.) Click [Yes] to Reboot

Edited ... by pfSense_fan

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 6: Setting Up the DNS Forwarder

NOTE: Here we are going to disable the DNS Forwarder for VPN interfaces (DNS for VPN will be set through DHCP on a PER-INTERFACE BASIS), while leaving the Forwarder enabled for the LAN interface as well as the Firewall (Localhost) itself. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL/LAN (CLEAR-NET) AND THE AirVPN_LAN (VPN). THE DNS FOR THE AirVPN_LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING STEP 8 GUIDE. Please also note that if done correctly there is no chance of DNS “leaks” (As explained in the Preface), and further, we will be creating firewall rules to prevent DNS hijacking.

Pay extra attention to this section. This seems to be a troublesome area for many, and is easily the biggest concern for a “leak” (we cannot share the DNS Forwarder) if a setting were to be configured incorrectly. That being said, we need to enter DNS servers on the General Setup page for the firewall to use and for initial connection to AirVPN when using URL's such as the entry address for the whole Earth or individual countries. This method also makes the firewall run more reliably as it does not require re-configuring if the VPN fails. In the event the VPN does fail, all states are dropped and the connection is severed provided you followed the instructions on setting up the gateway correctly. I suggest using OpenNIC DNS servers, however I will use OpenDNS since I cannot look up the appropriate OpenNIC servers for you. You may use the public DNS servers of your choice or ones your ISP provides (not recommended) if you wish.

Setting DNS Options Under the General Setup Page

1.) Go to: System > General Setup: DNS servers

http://192.168.1.1/system.php
-or-
https://192.168.1.1/system.php

Set as Follows:

DNS Server –- Use gateway

[✎ 208.67.222.222 ] [ WAN_DHCP ▼]

[✎ 208.67.220.220 ] [ WAN_DHCP ▼]

[✎ (empty) ] [=== None === ▼]

[_] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED

[_] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED

2.) Click [save]

Setting the DNS Forwarder Options

1.) Go to: Services > DNS Forwarder

http://192.168.1.1/services_dnsmasq.php
-or-
https://192.168.1.1/services_dnsmasq.php

Set as Follows:

--General DNS Forwarder Options

Enable = [✔] Enable DNS forwarder (CHECKED)

DHCP Registration = [_] Register DHCP leases in DNS forwarder (UNCHECKED)

Static DHCP = [_] Register DHCP static mappings in DNS forwarder (UNCHECKED)

Prefer DHCP = [_] Resolve DHCP mappings first (UNCHECKED)

DNS Query Forwarding = [_] Query DNS servers sequentially (UNCHECKED)

[_] Require domain (UNCHECKED)

[✔] Do not forward private reverse lookups (CHECKED)

Listen Port = [______] (Empty/Blank)

Interfaces = ***SEE STEPS BELOW

By default all interfaces are selected. This may show up as “All” being highlighted, or each individual interface being highlighted. Using the Ctrl key, DESELECT AS NEEDED, AND ENSURE ONLY LAN AND LOCALHOST ARE SELECTED/HIGHLIGHTED. IT IS CRITICAL YOU GET THIS SECTION CORRECT.

[✔] Strict Interface Binding

Advanced = [Advanced] - Show advanced options (UNCHANGED)

2.) Click [save]

3.) Click [ Apply Changes ]

Verifying Our DNS Settings (Optional Step)

Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built in feature of the firewall.

1.) Go to: Dianostics > DNS Lookup

http://192.168.1.1/diag_dns.php
-or-
https://192.168.1.1/diag_dns.php

Set as Follows:

Hostname or IP = [ airvpn.org ]

2.) Click [ DNS Lookup ]

3.) Verify the results:

Hostname or IP = [ airvpn.org ] = 95.211.138.143

If 95.211.138.143 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.

Edited ... by pfSense_fan

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 7: Setting up the LAN Interface

A:) Configuring the Interface

1.) Go to Interfaces > LAN

http://192.168.1.1/interfaces.php?if=lan
-or-
https://192.168.1.1/interfaces.php?if=lan

Set it as follows:

--General configuration
Enable = [✔] (CHECKED)
Description = [✎ LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
IPv4 Upstream Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)

2.) Click [save]

3.) Click [ Apply Changes ]

B.) Setting up the DHCP Server for the LAN Interface

1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php
-or-
https://192.168.1.1/services_dhcp.php

2.) Ensure the "LAN" tab is selected

3.) Set as follows: (NOTE: These options may already be set by default, change as needed.)
Enable DHCP server on LAN interface = [✔] (CHECKED)
Range = [✎ 192.168.1.100 ] to [✎ 192.168.1.199 ]

4.) Click [sAVE]

5.) Click [ Apply Changes ]

C.) Setting up the Outgoing NAT for the LAN Interface AND Localhost

1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php
-or-
https://192.168.1.1/firewall_nat_out.php

2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.

3.) Click [ SAVE ]

4.) Click [ Apply Changes ]

This will likely spawn a number of automatically created outbound NAT rules. At this point you can check the box next to all of the ones directed to port 500 and delete them, we don't want them. This should leave you with a few default rules titled similarly to “Default LAN to WAN” and “Default Localhost to WAN”. Any other rules than these two should be deleted. Each of the default rules can just be edited by clicking the [e] button to the right of it. If there is not a rule for your LAN or Localhost, you will need to create one by selecting the [+] at the top right and creating a new one.

First we will set the LAN outbound NAT.

5.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ WAN ▼]
Protocol = [ any ▼]
Source = [_] Not (unchecked)
               Type: [ Network ▼]
               Address: [ 192.168.1.0 ] / [ 24 ▼]
               Source port: [_____] (empty/blank)
Destination = [_] Not (unchecked)
               Type = [ Any ▼]
               Address: [_____] / [ 24 ▼](empty/blank)
               Destination Port: [_____] (empty/blank)
Translation: Address = [ Interface Address ]
Description = [ LAN to WAN ]

6.) Click [ SAVE ]

Second we will set the Localhost outbound NAT.

7.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ WAN ▼]
Protocol = [ any ▼]
Source = [_] Not (unchecked)
               Type: [ Network ▼]
               Address: [ 127.0.0.1 ] / [ 8 ▼]
               Source port: [_____] (empty/blank)
Destination = [_] Not (unchecked)
               Type = [ Any ▼]
               Address: [_____] / [ 24 ▼](empty/blank)
               Destination Port: [ 1024:65535 ]
Translation: Address = [ Interface Address ]
Description = [ Localhost to WAN ]

8.) Click [ SAVE ]

8.) Click [ Apply Changes ]

D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.

*NOTE: There are THREE necessary rules for the LAN interface. You should have two firewall rules here by default. The “anti-lockout rule” and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule, it is up to you.

First LAN Firewall Rule:

"BLOCK_DNS_LEAKS_LAN"

The first LAN firewall rule will block all DNS requests that we do not explicitly allow. This rule will force all users on this interface to use the DNS forwarder and hence the servers we entered on the general settings page. Pay close attention to this one.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_LAN".

Set as follows:
Action = [ Block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [TCP/UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [✔] Not (CHECKED!!!!!!!!)
                     Type: [ LAN address ▼]
                     Address: [________]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_LAN]
*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ WAN_DHCP ▼]

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Second LAN Firewall Rule:

"ALLOW LAN OUTBOUND"

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW LAN OUTBOUND" (Note: There may already be a rule titled " Default Allow LAN Outbound" or similar. You certainly can just edit that entry to these settings, or delete and create this.)

3.) Set as follows:
Action = [ Pass ▼]
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN Subnet ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Description = [✎ ALLOW LAN OUTBOUND]
*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ WAN_DHCP ▼]

4.) Click [ SAVE ]

5.) Click [ Apply Changes ]

Third LAN Firewall Rule:

"BLOCK ALL ELSE LAN"

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"

3.) Set as follows:
Action = [block ▼]
Disabled = [_] (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log packets that are handled by this rule = [✔] (checked)
Description = [✎ BLOCK ALL ELSE LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default

4.) Click [ SAVE ]

5.) Click [ Apply Changes ]

E.) Checking That Our Firewall Rules Are In The Correct Order

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.) The order of the rules we just created is important!
They should appear in this following order when viewed:
BLOCK DNS LEAKS LAN
ALLOW LAN OUTBOUND
BLOCK ALL ELSE LAN

ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!

Edited ... by pfSense_fan

pfSense_fan

Setting Up pfSense for AirVPN

Using 3 or more NIC's

Step 8: Setting up the AirVPN_LAN Interface

A:) Configuring the Interface

1.) Go to: Interfaces > Assign

http://192.168.1.1/interfaces_assign.php
-or-
https://192.168.1.1/interfaces_assign.php

Here you will find your assigned interfaces. If you assigned them during original install you will see however many interfaces you have and should likely have a WAN, LAN, opt1 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.

2.) Select one from the optional Interfaces (likely Opt1).

Set it as follows:

--General configuration

Enable = [✔] (CHECKED)

Description = [✎ AirVPN_LAN ]

IPv4 Configuration Type = [ Static IPv4 ▼]

IPv6 Configuration Type = [ None ▼]

MAC address = [✎_____] (empty)

MTU = [✎_____] (empty)

MSS = [✎_____] (empty)

Speed and duplex = Advanced > [ Autoselect ▼]

--Static IPv4 configuration

IPv4 address = [✎ 192.168.123.1 ] / [ 24 ▼]

Gateway = [ None ▼]

--Private networks

Block Private Networks = [_] (UNCHECKED)

Block Bogon Networks = [_] (UNCHECKED)

3.) Click [save]

4.) Click [ Apply Changes ]

B.) Seting up the DHCP Server for the AirVPN_LAN Interface

1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php
-or-
https://192.168.1.1/services_dhcp.php

2.) Ensure the "AirVPN_LAN" tab is selected

3.) Set as follows:

(NOTE: Only options we will change are listed for this section, leave the rest as they were by default)

Enable DHCP server on AirVPN_LAN interface = [✔] (CHECKED)

Range = [✎ 192.168.123.100 ] to [✎ 192.168.123.199 ]

DNS Servers = [✎ 10.4.0.1 ] and [✎________]

4.) Click [sAVE]

5.) Click [ Apply Changes ]

C.) Setting up the Outgoing NAT for the AirVPN_LAN Interface.

1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php
-or-
https://192.168.1.1/firewall_nat_out.php

2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)

3.) If there is already a rule for your AirVPN_LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your AirVPN_LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.

4.) Set as follows:

Do not NAT = [_] (unchecked)

Interface = [ AirVPN_WAN ▼]

Protocol = [ Any ▼]

Source = Type: [ Network ▼]

Address: [ 192.168.123.0 ] / [ 24 ▼]

Source port: [_____] (empty/blank)

Destination: Type = [ Any ▼]

Translation: Address = [ Interface Address ]

Description = [ AirVPN_LAN -> AirVPN_WAN ]

5.) Click [ SAVE ]

6.) Click [ Apply Changes ]

D.) Setting Basic Firewall Rules for the AirVPN_LAN Interface to enforce the policy based routing and block DNS Hijacking

*NOTE: There are THREE necessary rules for the AirVPN_LAN interface. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them.

First AirVPN_LAN Firewall Rule:

"BLOCK_DNS_LEAKS_VPN"

The first AirVPN_LAN rule will block all DNS requests that we do not explicitly allow. Pay close attention to this one.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "AirVPN_LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".

Set as follows:

Action = [ Block ▼]

Disabled = [_] Disable this rule (UNCHECKED)

Interface = [AirVPN_LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [TCP/UDP ▼]

Source = [_] Not (UNCHECKED)

Type: [ Any ▼]

Address: [______] (BLANK)

Destination = [✔] Not (CHECKED!!!!!!!!)

Type: [ Single host or alias ▼]

Address: [10.4.0.1]

Destination port range = From: [ DNS ▼]

To: [ DNS ▼]

Log = [✔] (CHECKED)

Description = [✎ BLOCK_DNS_LEAKS_VPN]

*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Second AirVPN_LAN Firewall Rule:

"Allow AirVPN_LAN Outbound"

The second AirVPN_LAN rule we will create will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN Gateway.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "AirVPN_LAN" interface.

2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"

Set as follows:

Action = [ Pass ▼]

Disabled = [_] Disable this rule (UNCHECKED)

Interface = [AirVPN_LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [Any ▼]

Source = [_] Not (UNCHECKED)

Type: [ AirVPN_LAN Subnet ▼]

Address: [______] (BLANK)

Destination = [_] Not (UNCHECKED)

Type: [ Any ▼]

Address: [______] (BLANK)

Log = [_] (UNCHECKED)

Description = [✎ Allow AirVPN_LAN Outbound]

*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Third AirVPN_LAN Firewall Rule:

"BLOCK ALL ELSE AirVPN_LAN"

The third and final AirVPN_LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface.

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and select your "AirVPN_LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"

Set as follows:

Action = [block ▼]

Disabled = [_] Disable this rule (UNCHECKED)

Interface = [AirVPN_LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [Any ▼]

Source = [_] Not (UNCHECKED)

Type: [ Any ▼]

Address: [______] (BLANK)

Destination = [_] Not (UNCHECKED)

Type: [ Any ▼]

Address: [______] (BLANK)

Log = [✔] (checked)

Description = [✎ BLOCK ALL ELSE AirVPN_LAN ]

*** For this rule we will NOT set the advanced setting for gateway, it should be left as default

3.) Click [ Save ]

4.) Click [ Apply Changes ]

E.) Checking That Our Firewall Rules Are In The Correct Order

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "AirVPN_LAN" interface.

2.)The order of the rules we just created is important!

They should appear in this following order when viewed:

BLOCK_DNS_LEAKS_VPN

Allow AirVPN_LAN Outbound

BLOCK ALL ELSE AirVPN_LAN

ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!

3.) Click [save]

4.) Go to: Diagnostics > Reboot System

http://192.168.1.1/reboot.php
-or-
https://192.168.1.1/reboot.php

5.) Click [Yes] to Reboot

Verifying Our BLOCK_DNS Rule is Functioning

(Optional - For Windows and WINE Users)

For this step we will need to download a program called “DNSBench”. This step is meant as a proof of concept to show that without the BLOCK_DNS firewall rules, a malicious program could indeed hijack your DNS requests. This program is a safe program, and one that I otherwise find very useful in finding low latency DNS servers. We will not however be using it as it is intended, but it is the best program I have found to simulate a program sending out DNS requests not received from the DHCP settings.

Go to:

https://www.grc.com/dns/benchmark.htm (click on the picture of the program to download it.)

1.) When you open it it will say:

• • •

Verifying Internet Access

• • •

2.) Then, if up to this point it is working it will then say:

Internet DNS Access Trouble

3.) Find and click the button toward the top that says [ Ignore Test Failure ]

4.) Then it will show:

DNS Benchmark

Domain Name System Benchmark Utility

5.) Find and click the "Nameservers" tab toward the top. If the DNS Blocking rules are enabled, entered correctly and functioning you should see this:

Only the 10.4.0.1 entry should be green (signifying it can be contacted). All other entries should be red. If you view your firewall logs on pfSense now, it should have quite a few blocks triggered by destination port 53 on the AirVPN_LAN interface. If any other DNS servers are contacted and show up as Green, review the firewall settings and correct any discrepancies you find. If you find none and otherwise cannot correct the leak, feel free to ask for help by posting to this thread.

For those of you that wish to verify the proof of concept, feel free to temporarily disable the BLOCK_DNS rule and verify this yourself (You have to close and re-open DNSBench, don't worry, testing this is quite safe). You will see that had this been a malicious program it could indeed hijack your browser. Be sure to re-enable the firewall rule after!

That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running! I hope this guide helps you! Don't forget to back up your settings you just spent all this time setting up!

Edited ... by pfSense_fan

pfSense_fan

Setting Misc Advanced Options

Here is a list of other options to consider setting. Some of these are related to OpenVPN while others are just to get the operating system further set up properly for your particular hardware. For the brave there are some tweaks to the network drivers and other boot loader and “system tunables”. All of these are optional, many are highly recommended and some borderline on necessary.

General System Tweaks

Go to: System > Advanced >Miscellaneous

http://192.168.1.1/system_advanced_misc.php
-or-
https://192.168.1.1/system_advanced_misc.php

1.) Find the section titled “Power savings”

**NOTE 1: There are some known issues with this setting on AMD motherboards that support “Cool N' Quiet in the Bios. Do not enable PowerD if your AMD Motherboard uses this option, instead just let the motherboard handle this.

This options works very well with Intel speedstep though.

**NOTE 2: This setting does not affect the VPN setup, but while we are at this page, it is useful to set. It can save on your electrical bill.

Set as follows:

PowerD = [√] (checked)

On AC Power Mode: = [Adaptive ▼] (Or Hiadaptive, depending on your preference)

On Battery Power Mode: = [Minimum ▼]

2.) Find the section titled “Cryptographic Hardware Acceleration”

***NOTE : Ths option enables the AES Instruction Set on compatible CPUs. Your CPU may not support this option. If it does, you should set it appropriately. This option will increase the performance of your appliance if supported. Check here for supporting CPU's. If your CPU supports AES instructions, set this option to “AES-NI”. It should be noted that it is highly unlikely you have AMD Geode acceleration unless you purchased embedded equipment.

Set as follows:

Cryptographic Hardware = [AES-NI CPU-based Acceleration (aesni) ▼] (If supported!!!)

3.) Find the section titled “Thermal Sensors”

***NOTE: This setting does not affect the setup, but while we are at this page, it is useful to set. Your CPU may not support this feature. If it does, it will allow you to monitor the CPU temp from the Dashboard by adding the “Thermal Sensors” widget there. Most somewhat recent Intel and AMD processors should have this.

Set as follows:

Thermal Sensors = *Set according to your CPU’s capability, None, Intel or AMD*

4.) Click [sAVE]

Edited ... by pfSense_fan

pfSense_fan

Setting Up pfSense for AirVPN

System Tunables

Only one this that everyone should do here: Enable IP fastforwarding. This can GREATLY increase performance, especially on low powered systems.

1.)Go to: System > Advanced > Syatem Tunables

http://192.168.1.1/system_advanced_sysctl.php
 -or- 
https://192.168.1.1/system_advanced_sysctl.php

2.) Find "net.inet.ip.fastforwarding" (ctrl+F on windows browsers)

By default this is disabled and the setting is "0". We want to enable it. Click the [e] edit button next to the setting. Edit the "0" and change it to "1". (Without the quotes!)

3.) Click [save]

4.) Click [Apply Changes]

pfSense_fan

Optional Advanced OpenVPN Settings

This section is meant to inspire discussion of further openvpn options available to pfSense users. There are quite a few options! This list is extremely long, and I have not listed or tested all of them, but the list is large enough that I felt I should begin to share it. Over time, discussions and testing this list can grow so the community has a reference of what options work and how to use them! Options in bold work or are default (later I will color code this) Options that I have not tested but may work are followed by ???. Options that do not work in testing or in compatibility with the operating system are struck through.

Tunnel Options:

~~mode m~~

~~local host~~

remote host [port] [proto] - * (Can be used for redundant connections.)

remote-random-hostname - ???

<connection> - ???

proto-force p

remote-random

proto p * “proto udp”

connect-retry n

connect-timeout n

connect-retry-max n

~~show-proxy-settings~~ Windows Only

http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method] - ???

http-proxy-retry - ???

http-proxy-timeout n - ???

http-proxy-option type [parm] - ???

socks-proxy server [port] - ???

socks-proxy-retry - ???

resolv-retry n - *

~~float~~

~~ipchange cmd~~

~~port port~~

lport port - * (“lport 0” Used by default in place of “nobind”)

~~rport port~~

~~bind~~

~~nobind~~

dev tunX | tapX | null - * (“dev tun”)

~~dev-type device-type~~

topology mode - ** (“topology net30” pushed by default)

~~tun-ipv6~~

~~dev-node node~~

~~lladdr address~~

~~iproute cmd~~

~~ifconfig l rn~~

~~ifconfig-noexec~~

ifconfig-nowarn - Can stop “false positives” in logs when using multiple clients.

route network/IP [netmask] [gateway] [metric] - ??? (This option is in TCP-SSL AirVPN config files. pfSense has a Stunnel package. Requires research.)

~~max-routes n~~

~~route-gateway gw|'dhcp'~~

~~route-metric m~~

~~route-delay [n] [w]~~

~~route-up cmd~~

~~route-pre-down cmd~~

~~route-noexec~~

route-nopull - ???

~~allow-pull-fqdn~~

~~client-nat snat|dnat network netmask alias~~

~~redirect-gateway flags...~~

link-mtu n

~~redirect-private [flags]~~

tun-mtu n

tun-mtu-extra n - ???

~~mtu-disc type~~

mtu-test

fragment max

mssfix max

sndbuf size

rcvbuf size

~~mark value~~

socket-flags flags... - (TCP Mode only, “socket-flags TCP_NODELAY”)

~~txqueuelen n~~

shaper n - (Not Compatiple with “fast-io”)

inactive n [bytes]

ping n - * (“ping 10” pushed by default)

ping-exit n

ping-restart n * (“ping-restart 60” pushed by default)

keepalive n m

~~ping-timer-rem~~

persist-tun - *

persist-key - *

persist-local-ip - ???

persist-remote-ip - ???

mlock - (Highly recommended)

~~up cmd~~

up-delay - ???

~~down cmd~~

~~down-pre~~

up-restart - ???

~~setenv name value~~

~~setenv FORWARD_COMPATIBLE 1~~

~~setenv-safe name value~~

~~script-security level~~ - *

~~disable-occ~~

~~user user~~

~~group group~~

~~cd dir~~

~~chroot dir~~

~~setcon context~~

~~daemon [progname]~~

~~syslog [progname]~~

~~errors-to-stderr~~

~~passtos~~

~~inetd [wait|nowait] [progname]~~

log file - ???

log-append file - ???

suppress-timestamps - ???

~~writepid file~~

nice n - ???

fast-io (Recomended, Not compatible with “shaper n”)

~~multihome~~

~~echo [parms...]~~

~~remap-usr1 signal~~

verb n * (default “verb 3”, recommend “verb 4”

~~status file [n]~~

~~status-version [n]~~

mute n

comp-lzo [mode] * (comp-lzo no)

~~comp-noadapt~~

~~management IP port [pw-file]~~

~~management-client~~

~~management-query-passwords~~

~~management-query-proxy~~

~~management-query-remote~~

~~management-forget-disconnect~~

~~management-hold~~

~~management-signal~~

~~management-log-cache n~~

~~management-up-down~~

~~management-client-auth~~

~~management-client-pf~~

~~management-client-user u~~

~~management-client-group g~~

~~plugin module-pathname [init-string]~~

pfSense_fan

NOTE: THIS IS AN ALTERNATE “STEP 7”

INTENDED FOR THOSE USING 2 NIC's

IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE.

Setting Up pfSense for AirVPN

Using 2 NIC's

Step 7: Setting up the LAN (VPN) Interface

A:) Configuring the Interface

1.) Go to: Interfaces > Assign

http://192.168.1.1/interfaces_assign.php
-or-
https://192.168.1.1/interfaces_assign.php

Here you will find your assigned interfaces. If you assigned them during original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier.

2.) Select the LAN interface.

Set it as follows: (NOTE: Some of these settings may be set by default, edit as neccesarry.)
--General configuration
Enable = [✔] (CHECKED)
Description = [✎ LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)

3.) Click [save]

4.) Click [ Apply Changes ]

B.) Seting up the DHCP Server for the LAN Interface

1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php
-or-
https://192.168.1.1/services_dhcp.php

2.) Ensure the "LAN" tab is selected

3.) Set as follows:
(NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
Enable DHCP server on LAN interface = [✔] (CHECKED)
Range = [✎ 192.168.1.100 ] to [✎ 192.168.1.199 ]
DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!)

4.) Click [sAVE]

5.) Click [ Apply Changes ]

C.) Setting up the Outgoing NAT for the LAN Interface.

C.) NOTE: The only outbound NAT rule/s there should be are the one/s we create. If there are others that were/are automatically created, DELETE THEM!!!

1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php
-or-
https://192.168.1.1/firewall_nat_out.php

2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)

3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.

4.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ Any ▼]
Source = Type: [ Network ▼]
Address: [ 192.168.1.0 ] / [ 24 ▼]
Source port: [_____] (empty/blank)
Destination: Type = [ Any ▼]
Translation: Address = [ Interface Address ]
Description = [ LAN -> AirVPN_WAN ]

5.) Click [ SAVE ]

6.) Click [ Apply Changes ]

D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.

*NOTE: There are FOUR necessary rules for the LAN interface. If there are any other rules, just delete them.

First LAN Firewall Rule:

”ALLOW_AirVPN_DNS”

The first LAN Firewall rule will allow DNS requests only to AirVPN DNS.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and[/u][/b] create a rule we will title "ALLOW_AirVPN_DNS"

Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [ LAN ▼]
TCP/IP Version = [ IPv4 ▼]
Protocol = [ UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Single host or Alias ▼]
                     Address: [ 10.4.0.1 ]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [_] (UNCHECKED)
Description = [✎ ALLOW_AirVPN_DNS]
*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Second LAN Firewall Rule:

"BLOCK_DNS_LEAKS_VPN"

The second LAN rule will block all DNS requests that we do not explicitly allow.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".

Set as follows:
Action = [ Reject ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [uDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_VPN]
*** For this rule we will NOT set the advanced setting for gateway

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Third LAN Firewall Rule:

"Allow LAN Outbound"

The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway.

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule"

Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [_] (UNCHECKED)
Description = [✎ Allow LAN Outbound]
*****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]

3.) Click [ Save ]

4.) Click [ Apply Changes ]

Fourth LAN Firewall Rule:

"BLOCK ALL ELSE LAN"

The Fourth and final LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface.

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and select your "LAN" interface.

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"

Set as follows:
Action = [block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [✔] (checked)
Description = [✎ BLOCK ALL ELSE LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default

3.) Click [ Save ]

4.) Click [ Apply Changes ]

E.) Checking That Our Firewall Rules Are In The Correct Order

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php
-or-
https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

2.)The order of the rules we just created is important!
They should appear in this following order when viewed:
ALLOW_AirVPN_DNS
BLOCK_DNS_LEAKS_VPN
Allow LAN Outbound
BLOCK ALL ELSE LAN

ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!

3.) Click [save]

4.) Go to: Diagnostics > Reboot System

http://192.168.1.1/reboot.php
-or-
https://192.168.1.1/reboot.php

5.) Click [Yes] to Reboot

That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!

Edited ... by pfSense_fan

Lee47

This guide is excellent, thank you pfsense_fan.

If other Air users can try this guide and give feedback would appreciate it !

mikolajsobczak

Thanks for this awesome guide,

but do you use pfsense as host operating system, or can i use this guide and run pfsense within Proxmox VE?

pfSense_fan

I run it in hardware as the host OS. Although there are many people who do, I have never tried running it in a virtualized environment as I have read it slightly degrades performance. I have no doubts it can be done though. Perhaps create an account over at the pfSense forums and ask for assistance there? I'm sure the guide will work, but you would have to use virtual interfaces on some, which is over my head unfortunately.

If you do figure it out, report back and share!

mikolajsobczak

ok thank you for your reaction, i will try it first as you describe in here, don't want to make to difficult for me in the beginning.

pfSense_fan

ok thank you for your reaction, i will try it first as you describe in here, don't want to make to difficult for me in the beginning.

Absolutely! I rather enjoy learning about this and talking about it.

Two things to note if you are about to start.:

1. I am about to, after this post, update the airvpn interface firewall rules to shorten it and make it easier.

2. pfSense version 2.1.1 will be out in the next few days. These settings are fully tested for version 2.1.1, in fact I run 2.1.1 currently. There are slight differences in the verbiage, but ultimately it is exactly the same. 2.1.1 is preferred as there are bugfixes for OpenSSL, OpenVPN and Intel NIC drivers. If you start today and get it going, you will be able to update to 2.1.1 without issue though.

If you do go through the guide, let me know if the firewall rules sorted themselves or were backwards in order from my guide. I've had them come out both ways and don't know which order to list them. I could easily re-order them for the guide.

Lee47

Would really appreciate if fellow air customers can give this guide a bash and let us know how you get on !

As you can see it took a great deal of time and effort. If people wish to have a secure pfsense which looks to stop dns and ip leaks this is worth it.

Ditch them slow and bottlenecked routers and get pfsensed!

BPH2OS

It's great to see a full "start to finish" guide posted. I've been using AirVPN via pfSense for about 18 months now. It works great, and I can't imaging life without it, but it wasn't easy when I was getting started. My setup is mostly similar. Although I run multiple networks with the helps of VLANs and a VLAN capable Wireless Access Point.

For those who like switching VPN endpoints frequently, I've found it helpful to use "Interface Groups" and "Gateway Groups". These are helpful because they can be referenced in the firewall rules, so it helps simplify things. When a "Gateway Group" is configured for fail-over load balancing it allows you to switch VPN endpoints simply by disabling one client entry and enabling another.

I've also started using "Floating Firewall Rules" to help insure that no traffic intended for a VPN interface leaks out my regular WAN connection.

Just my two cents...

M0rph2020

So what hardware is everyone using? I want to build a pfsense box with a preferably small case and low power consumption but also want something that will last years. Also want something that will get me at least 50 Mb while using this VPN. Thanks in advance.

BPH2OS

So what hardware is everyone using? I want to build a pfsense box with a preferably small case and low power consumption but also want something that will last years. Also want something that will get me at least 50 Mb while using this VPN. Thanks in advance.

Personally I prefer the more embedded style hardware. For the last few years I've been using a fit-PC2i by a company called CompuLab (http://www.fit-pc.com/web). It's ideal because of it's small form factor, low power usage (about 8 watts at full load if I recall correctly) and no moving parts. It's a few years old now but their newer hardware would definitely be worth a look.

I've also had my eye on the pfSense certified hardware in the pfSense store (store.pfsense.org), and from a company called Netgate. Specifically the Netgate FW-7541 (http://store.netgate.com/mobile/Netgate-FW-7541-BTO-P1893.aspx).

Most of these are lower power options, small form factor and low-power CPUs. I can see the advantage of running something more heavy duty, but personally I'm not willing to foot the electricity bill.

I'm not affiliated with any of these companies or websites, this is just my personal opinion.

How To Set Up pfSense 2.1 for AirVPN

Recommended Posts

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Join the conversation