pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


Thank you - I followed your new guide and it works perfectly. I had to erase the old settings which were hanging around and causing a conflict in some way but I got there in the end. Given my pretty simple network needs, this works brilliantly now thanks to you. I also appreciate you responding as quickly as what you did.

 

Glad to hear it worked! I just used a find and replace feature to change AirVPN_LAN to LAN, then added a few sentences. Didn't take long at all!

 

If you have not done so yet, please check for IP and DNS leaks and report back your findings!

 

http://ipleak.net/

http://www.dnsleaktest.com/

https://www.grc.com/dns/dns.htm


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


Nice, glad it didn't take you too long. I suspect having read some of your other posts that I will end up adding additional NICs to enable low latency gaming / VoIP connections at some point too but for now, this simple pass-through setup covers my needs.

 

ipleak & dnsleaktest systems report 1 DNS server found and report my end-point correctly so it looks like everything is working as it should.

grc reports three which I'm hoping is two OpenNICs and 1 AirVPN. Will check.....

EDIT: 3 servers reported: anti-spoofing = excellent. 

 

Hopefully the changes this evening are easy to re-integrate. 

 

Do you have any links to config guides you would recommend for snort & squid - I'd also like to knock out some of the advertisements which plague surfing on tablets these days if possible.


Nice, glad it didn't take you too long. I suspect having read some of your other posts that I will end up adding additional NICs to enable low latency gaming / VoIP connections at some point too but for now, this simple pass-through setup covers my needs.

 

ipleak & dnsleaktest systems report 1 DNS server found and report my end-point correctly so it looks like everything is working as it should.

grc reports three which I'm hoping is two OpenNICs and 1 AirVPN. Will check.....

EDIT: 3 servers reported: anti-spoofing = excellent. 

 

If they show up as amazonaws dns servers it is the AirVPN backup. No worries there, it is normal.

 

Hopefully the changes this evening are easy to re-integrate. 

 

It should only be a few different settings honestly. I will test, view my logs for errors and post when I feel good about the updated guide. We will have to reload our certs with the new ones though.

 

Do you have any links to config guides you would recommend for snort & squid - I'd also like to knock out some of the advertisements which plague surfing on tablets these days if possible.

 

I don't at this time. I've only been using pfSense 4 months now. Still working on those things. I've learned Snort at this point, but it is difficult to learn though. Have not got ad blocking working correctly yet. In time.



Appreciate the feedback. For ad blocking I've configured SquidGuard with Shalla's blacklist.

Works well enough and was very simple to configure. 

Nice advantage is it strips advertising out at a core network level so all mobile platforms like iPad and nexus browsing benefit too. 


Great to hear the guide works fine for another fellow air. I may move try squid and Shalla's blacklist sounds good since hate pop ups.

 

lrj972 I take it you're still hitting 111Mbps via your virgin bb running with pfsense?


Few updates I have been running net.inet.ip.fastforwarding = 1

 

for the past week 24/7 and it's been fine and stable.

 

Also added today the openvpn client advanced box "ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

 

Is working fine so far.

 

I would recommend anyone having stability issues with pfsense especially with the downloads starting and cutting off to try the above line in the advanced box, this fixed my downloading issues immediately.

 

I also tried the advanced tweaks setting up AES (since my cpu was supported) and also the correct temp sensor however with power saving I found adaptive or hiadaptive to give me high cpu usage and also it broke my connection making it go on and off randomly, quick look around Google and some suggested to leave off the power saving and let the BIOS handle the power saving instead so for now am doing just that for now and it's stable again.

 

Look forward to the new upgraded pfsense will need to get my certs and repaste the new ones and will await for any updates to the guide!

 

Oh also pfsense updated to 2.1.2 ! so don't forget to hit the upgrade button (backup your config first in case)


 ...with power saving I found adaptive or hiadaptive to give me high cpu usage and also it broke my connection making it go on and off randomly, quick look around google and some suggested to leave off the power saving and let the bios handle the power saving instead so for now am doing just that for now and its stable again.

 

This is only an issue on AMD processors. Their BIOS is not compatible with PowerD, so best to leave this off for AMD.

 

It works brilliantly with Intel Speedstep however.



Hey Refresh.

I've only been up and running for about 12 hours so too early to report on performance metrics right now. 

 

What I can say is that the i5-3470T I went with (cheapest vPro, AES-NI capable) sits at 1-5% and hardly breaks a sweat. Currently idling at 41degC in a Euler case. I'll put the build thread on my blog in the next day or two.  Power consumption is 18W on minimum (i.e max power saving) and 20w when run without any PowerD stuff. 10% but in literal terms, next to nothing in it. 

 

Currently configured snort, squid, squid guard and playing about optimising their performance areas. Even 8MB of RAM which seemed like I cheaped out (it was meant to be cheap!) seems like total overkill right now. Dashboard reporting I'm using 6% of 7983MB. Really liking being able to strip adverts at the gateway to my home network as it makes browsing on tablets a much more enjoyable experience. 


net.inet.ip.fastforwarding = 1 & "ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

are working fine for me too so far. 


Hey Refresh.

I've only been up and running for about 12 hours so too early to report on performance metrics right now. 

 

What I can say is that the i5-3470T I went with (cheapest vPro, AES-NI capable) sits at 1-5% and hardly breaks a sweat. Currently idling at 41degC in a Euler case. I'll put the build thread on my blog in the next day or two.  Power consumption is 18W on minimum (i.e max power saving) and 20w when run without any PowerD stuff. 10% but in literal terms, next to nothing in it. 

 

Currently configured snort, squid, squid guard and playing about optimising their performance areas. Even 8MB of RAM which seemed like I cheaped out (it was meant to be cheap!) seems like total overkill right now. Dashboard reporting I'm using 6% of 7983MB. Really liking being able to strip adverts at the gateway to my home network as it makes browsing on tablets a much more enjoyable experience. 

 

 

Are you running Snort on AC-NQ setting? It's the only one that truly works in real time, will make use of your memory, especially if you run it on both your WAN and AirVPN_WAN. There are other tweaks you will need if you are using em4 driver NICs as well, will use a tad more memory.

 

I've used 9 gigs of ram running Snort, pfblocker, Squid3 with antivirus etc.

 

There are ways to make use of good hardware if you are serious about privacy and security. I found this out the hard way since there are so many people who preach low power equipment on the pfSense forums. My first build flat out was weak... too weak to use multiple instances of OpenVPN, Snort, have extremely large firewall tables and still get full ISP speeds through the VPN. This is when I learned most people over there do not care about the levels of privacy I do or ensuring full speeds over a VPN. For most it seems if it works it is enough... but not for me. Overkill is just enough in my opinion. I want my equipment to still work in 5 years and not be underpowered.

 

And now with 4096 bit encryption... don't regret it at all.



I've been playing with different settings but am currently on the high performing AC-NQ setting which seems to be providing slightly better perf when filtering WAN & AirVPN_WAN.

Not sure what drivers are driving these Intel NICs - will check and see. 

Certainly would be interested in hearing your thoughts re optimal settings, this is somewhat out of my field of expertise so learning as I go. Any (more!) shortcuts very much appreciated!

 

8 minutes to kill switch - hopefully see you guys on the other '4096' side


Don't forget when you log in to download new certs and keys to use airvpn.org's direct ip address to be sure you are not victim of DNS hijacking.

 

https://95.211.138.143/client/

 

I also recommend the use of Firefox add-on "perspectives" to verify the ssl cert. It likely will fail, but viewing the results will show the notaries in agreement for the last 3-4 days since the renew of certs after the Heartbleed fiasco.



that wasn't too painful - nearly tripped up on TLS authentication

 

noticed some new flags in the VPN description....do I need to do anything with these?

 

persist-key
persist-tun
remote-cert-tls server
 
and 
 
comp-lzo is not set to 'no' - presumably because the data is encrypted already and wouldn't benefit from further packing?


Guide has been updated to the best of my understanding. I am seeing no errors in logs.

 

Please review the "Understanding Certificates and OpenVPN Config Files", delete old certs and keys and re-enter steps 1, 2 and 3 from scratch.

 

Of note on the client page, the Advanced settings are new, compression is no longer checked (but handled in the advanced section) and we must enter our tls-auth key.

 

Please inform me of any issues.



that wasn't too painful - nearly tripped up on TLS authentication

 

noticed some new flags in the VPN description....do I need to do anything with these?

 

persist-key

persist-tun

remote-cert-tls server

 

and 

 

comp-lzo is not set to 'no' - presumably because the data is encrypted already and wouldn't benefit from further packing?

New recommended advanced options are "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

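An added example, not part of the thread and not pfSense or AirVPN code: a small Python check for the semicolon-separated strings pasted into the OpenVPN client "Advanced" box, run here on the old and new strings quoted above. The function names and finding codes are made up for this illustration, and the known-directive list covers only options that appear in this thread.

```python
"""Lint a pfSense OpenVPN-client "Advanced" string (semicolon-separated)."""

# Directives that appear in this thread; anything else is reported so that
# paste errors (stray quotes, typos) are caught. Not a full OpenVPN grammar.
KNOWN = {
    "persist-key", "persist-tun", "remote-cert-tls", "ns-cert-type",
    "key-direction", "comp-lzo", "tun-mtu", "mssfix", "verb",
    "explicit-exit-notify",
}


def parse_advanced(text):
    """Split 'a 1;b;c x y;' into [('a', ['1']), ('b', []), ('c', ['x', 'y'])]."""
    parsed = []
    for chunk in text.split(";"):
        words = chunk.split()
        if words:
            parsed.append((words[0], words[1:]))
    return parsed


def lint_advanced(text):
    """Return a sorted list of finding codes for one advanced-options string."""
    opts = parse_advanced(text)
    names = {name for name, _ in opts}
    findings = set()

    for name, args in opts:
        if name not in KNOWN:
            findings.add("UNKNOWN_DIRECTIVE:" + name)
        elif name == "ns-cert-type":
            # Legacy Netscape cert-type check, superseded by remote-cert-tls.
            findings.add("DEPRECATED_NS_CERT_TYPE")
        elif name == "remote-cert-tls" and args != ["server"]:
            # A client must require a *server* certificate from its peer.
            findings.add("REMOTE_CERT_TLS_NOT_SERVER")
        elif name == "key-direction" and args not in (["0"], ["1"]):
            findings.add("KEY_DIRECTION_INVALID")
        elif name == "comp-lzo" and args != ["no"]:
            # Bare 'comp-lzo' or 'comp-lzo yes/adaptive' turns compression on.
            findings.add("COMPRESSION_ENABLED")

    if not names & {"remote-cert-tls", "ns-cert-type"}:
        # Nothing checks that the peer's certificate is a server certificate.
        findings.add("NO_SERVER_CERT_CHECK")
    return sorted(findings)


# The two option strings quoted in the thread, plus a constructed paste error.
OLD = "ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"
NEW = ("persist-key;persist-tun;remote-cert-tls server;key-direction 1;"
       "comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;")
PASTE_ERROR = '"' + NEW  # constructed: stray leading quote, as in a bad paste

if __name__ == "__main__":
    for label, s in (("old", OLD), ("new", NEW), ("paste error", PASTE_ERROR)):
        print(label, "->", lint_advanced(s) or "clean")
```

The tls-auth key itself is entered elsewhere in the pfSense client page, so this check only sees `key-direction`, not whether a key is present.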


 

 

Confirmed downloading at 14 megabytes per second (MB/s) from usenet.

Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.



 

 

Confirmed downloading at 14 megabytes per second (MB/s) from usenet.

Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.

 

Excellent speeds I hit 3-8% cpu usage but my speeds are far less like 10x less. How did you get the power consumption to 19w are you running pfSense with virtualbox and then adjusting the windows power settings?

 

I only ask since that is an impressive low power draw!


so how do i setup pfsense to be able to use this https://airvpn.org/ssl/

 

+1.

 

I transferred my standard pfsense to the new config ok but I have chosen today to check if my ISP is traffic shaping OpenVPN.

 

At the moment I can't even get SSL stunnel/OpenVPN to work on windows.

 

2014.04.14 12:18:28 LOG7[6764]: No limit detected for the number of clients
2014.04.14 12:18:28 LOG5[6764]: stunnel 5.01 on x86-pc-msvc-1500 platform
2014.04.14 12:18:28 LOG5[6764]: Compiled/running with OpenSSL 1.0.1g-fips 7 Apr 2014
2014.04.14 12:18:28 LOG5[6764]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.04.14 12:18:28 LOG7[6764]: errno: (*_errno())
2014.04.14 12:18:28 LOG5[6764]: Reading configuration from file stunnel.conf
2014.04.14 12:18:28 LOG5[6764]: FIPS mode disabled
2014.04.14 12:18:28 LOG7[6764]: Compression disabled
2014.04.14 12:18:28 LOG7[6764]: Snagged 64 random bytes from C:/.rnd
2014.04.14 12:18:28 LOG7[6764]: Wrote 0 new random bytes to C:/.rnd
2014.04.14 12:18:28 LOG7[6764]: PRNG seeded successfully
2014.04.14 12:18:28 LOG6[6764]: Initializing service [openvpn]
2014.04.14 12:18:28 LOG7[6764]: No private key specified
2014.04.14 12:18:28 LOG7[6764]: SSL options set: 0x01000004
2014.04.14 12:18:28 LOG5[6764]: Configuration successful
2014.04.14 12:18:28 LOG7[6764]: Service [openvpn] (FD=564) bound to 127.0.0.1:1413
2014.04.14 12:19:38 LOG7[6764]: Service [openvpn] accepted (FD=600) from 127.0.0.1:54615
2014.04.14 12:19:38 LOG7[6764]: Creating a new thread
2014.04.14 12:19:38 LOG7[6764]: New thread created
2014.04.14 12:19:38 LOG7[5272]: Service [openvpn] started
2014.04.14 12:19:38 LOG5[5272]: Service [openvpn] accepted connection from 127.0.0.1:54615
2014.04.14 12:19:38 LOG6[5272]: s_connect: connecting 95.211.149.214:443
2014.04.14 12:19:38 LOG7[5272]: s_connect: s_poll_wait 95.211.149.214:443: waiting 10 seconds
2014.04.14 12:19:39 LOG3[5272]: s_connect: connect 95.211.149.214:443: Connection refused (WSAECONNREFUSED) (10061)
2014.04.14 12:19:39 LOG5[5272]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.04.14 12:19:39 LOG7[5272]: Local socket (FD=600) closed
2014.04.14 12:19:39 LOG7[5272]: Service [openvpn] finished (0 left)
2014.04.14 12:19:39 LOG7[5272]: str_stats: 3 block(s), 60 data byte(s), 150 control byte(s)
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:413
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:412
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:411

 

Not sure if this is me or maybe some problem due to the new certificates?

 

However presuming it does work and makes a difference I would want to set it up on pfsense. 


I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.

 

Revised guide is fine am back up and running but yeah tried the "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;"

 

Line and it broke my stability of downloads again so tried

"persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

 

It's stable and fine so far in downloads and no replay errors in the openvpn logs was it ? everything is fine in those logs my end so far!


 


 

 

Confirmed downloading at 14 megabytes per second (MB/s) from usenet.

Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.

 

Excellent speeds I hit 3-8% cpu usage but my speeds are far less like 10x less. How did you get the power consumption to 19w are you running pfSense with virtualbox and then adjusting the windows power settings?

 

I only ask since that is an impressive low power draw!

 

Absolutely nothing special, just kept it simple. 

1 * Intel 35W processor, 1 30GB mSATA card, 2*4GB crucial RAM and that's it. I suspect I could under volt this setup quite a bit given it's hardly breaking a sweat but life's too short to worry about saving a few watts of juice. If it was a 200w saving then yes but even a 50% saving would only be 10w on this rig.

I'm umm-ing and ahh-ing about modifying the Akasa Euler case to install another couple of NICs....I'm sure there is room in the for a mSATA board and shift the mSATA drive to a mSATA->SATA daughter board. Don't really need the additional ports and the benefit of separating out my LAN nets is minimal given pretty much everything is wifi and tolerant to low pings etc. Only the gaming consoles would benefit but I'm hardly online that often and I'm hardly l33t so the decreased pings probably wouldn't bother me.

 

as I say, umming and ahhing still.....


@pfsense_fan: could you tell me what a replay error looks like in my logs and I'll check mine.

I can't see anything obvious and I'm running your revised original new settings


 

I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.

 

Revised guide is fine am back up and running but yeah tried the "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;"

 

Line and it broke my stability of downloads again so tried

"persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

 

It's stable and fine so far in downloads and no replay errors in the openvpn logs was it ? everything is fine in those logs my end so far!

 

 

 

Oddly enough, the tun-mtu and mssfix were causing errors on my end. Removing them fixed part of it but exposed another error. I had to increase the send and receive buffers for OpenVPN. Since then, no replay errors. I am however seeing odd results when trying to use speedtest. Everything else seems fine.



so how do i setup pfsense to be able to use this https://airvpn.org/ssl/

 

 

While there is a Stunnel package available for pfSense, I am learning it may not be fully featured. I am not entirely sure it is possible. Your best bet would be to ask over at the pfSense forums and share what you learn here!

