pfSense_fan 181 Posted ...

> Thank you - I followed your new guide and it works perfectly. I had to erase the old settings which were hanging around and causing a conflict in some way but I got there in the end. Given my pretty simple network needs, this works brilliantly now thanks to you. I also appreciate you responding as quickly as you did.

Glad to hear it worked! I just used a find and replace feature to change AirVPN_LAN to LAN, then added a few sentences. Didn't take long at all! If you have not done so yet, please check for IP and DNS leaks and report back your findings!

http://ipleak.net/
http://www.dnsleaktest.com/
https://www.grc.com/dns/dns.htm

Have my guides helped you? Help me keep helping you, use my referral:
How to set up pfSense 2.3 for AirVPN
Friends don't let friends use consumer networking equipment!
dIecbasC 38 Posted ...

Nice, glad it didn't take you too long. I suspect having read some of your other posts that I will end up adding additional NICs to enable low latency gaming / VoIP connections at some point too but for now, this simple pass-through setup covers my needs.

ipleak & dnsleaktest systems report 1 DNS server found and report my end-point correctly so it looks like everything is working as it should. grc reports three which I'm hoping is two OpenNICs and 1 AirVPN. Will check..... EDIT: 3 servers reported: anti-spoofing = excellent.

Hopefully the changes this evening are easy to re-integrate.

Do you have any links to config guides you would recommend for snort & squid - I'd also like to knock out some of the advertisements which plague surfing on tablets these days if possible.
pfSense_fan 181 Posted ...

> Nice, glad it didn't take you too long. I suspect having read some of your other posts that I will end up adding additional NICs to enable low latency gaming / VoIP connections at some point too but for now, this simple pass-through setup covers my needs.
>
> ipleak & dnsleaktest systems report 1 DNS server found and report my end-point correctly so it looks like everything is working as it should. grc reports three which I'm hoping is two OpenNICs and 1 AirVPN. Will check..... EDIT: 3 servers reported: anti-spoofing = excellent.

If they show up as amazonaws dns servers it is the AirVPN backup. No worries there, it is normal.

> Hopefully the changes this evening are easy to re-integrate.

It should only be a few different settings honestly. I will test, view my logs for errors and post when I feel good about the updated guide. We will have to reload our certs with the new ones though.

> Do you have any links to config guides you would recommend for snort & squid - I'd also like to knock out some of the advertisements which plague surfing on tablets these days if possible.

I don't at this time. I've only been using pfSense 4 months now. Still working on those things. I've learned Snort at this point, but it is difficult to learn though. Have not got ad blocking working correctly yet. In time.
dIecbasC 38 Posted ...

Appreciate the feedback. For ad blocking I've configured SquidGuard with Shalla's blacklist. Works well enough and was very simple to configure. Nice advantage is it strips advertising out at a core network level so all mobile platforms like iPad and Nexus browsing benefit too.
Lee47 23 Posted ...

Great to hear the guide works fine for another fellow air. I may move to try squid and Shalla's blacklist, sounds good since I hate pop ups.

lrj972 I take it you're still hitting 111Mbps via your virgin bb running with pfsense?
Lee47 23 Posted ...

Few updates:

I have been running net.inet.ip.fastforwarding = 1 for the past week 24/7 and it's been fine and stable.

Also added today to the openvpn client advanced box:

"ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

It is working fine so far. I would recommend anyone having stability issues with pfsense, especially with the downloads starting and cutting off, to try the above line in the advanced box; this fixed my downloading issues immediately.

I also tried the advanced tweaks, setting up AES (since my cpu was supported) and also the correct temp sensor. However with power saving I found adaptive or hiadaptive to give me high cpu usage and also it broke my connection, making it go on and off randomly. A quick look around google and some suggested to leave off the power saving and let the bios handle the power saving instead, so for now I am doing just that and it's stable again.

Look forward to the new upgraded pfsense, will need to get my certs and repaste the new ones and will await any updates to the guide!

Oh also pfsense updated to 2.1.2! So don't forget to hit the upgrade button (back up your config first in case).
pfSense_fan 181 Posted ...

> ...with power saving I found adaptive or hiadaptive to give me high cpu usage and also it broke my connection, making it go on and off randomly. A quick look around google and some suggested to leave off the power saving and let the bios handle the power saving instead, so for now I am doing just that and it's stable again.

This is only an issue on AMD processors. Their BIOS is not compatible with PowerD, so best to leave this off for AMD. It works brilliantly with Intel Speedstep however.

1 Lee47 reacted to this
dIecbasC 38 Posted ...

Hey Refresh. I've only been up and running for about 12 hours so too early to report on performance metrics right now. What I can say is that the i5-3470T I went with (cheapest vPro, AES-NI capable) sits at 1-5% and hardly breaks a sweat. Currently idling at 41degC in a Euler case. I'll put the build thread on my blog in the next day or two.

Power consumption is 18W on minimum (i.e. max power saving) and 20W when run without any PowerD stuff. 10% but in literal terms, next to nothing in it.

Currently configured snort, squid, squid guard and playing about optimising their performance areas. Even 8MB of RAM which seemed like I cheaped out (it was meant to be cheap!) seems like total overkill right now. Dashboard reporting I'm using 6% of 7983MB.

Really liking being able to strip adverts at the gateway to my home network as it makes browsing on tablets a much more enjoyable experience.

1 Lee47 reacted to this
dIecbasC 38 Posted ...

net.inet.ip.fastforwarding = 1 & "ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;" are working fine for me too so far.
pfSense_fan 181 Posted ...

> Hey Refresh. I've only been up and running for about 12 hours so too early to report on performance metrics right now. What I can say is that the i5-3470T I went with (cheapest vPro, AES-NI capable) sits at 1-5% and hardly breaks a sweat. Currently idling at 41degC in a Euler case. I'll put the build thread on my blog in the next day or two.
>
> Power consumption is 18W on minimum (i.e. max power saving) and 20W when run without any PowerD stuff. 10% but in literal terms, next to nothing in it.
>
> Currently configured snort, squid, squid guard and playing about optimising their performance areas. Even 8MB of RAM which seemed like I cheaped out (it was meant to be cheap!) seems like total overkill right now. Dashboard reporting I'm using 6% of 7983MB.
>
> Really liking being able to strip adverts at the gateway to my home network as it makes browsing on tablets a much more enjoyable experience.

Are you running Snort on AC-NQ setting? It's the only one that truly works in real time, will make use of your memory, especially if you run it on both your WAN and AirVPN_WAN. There are other tweaks you will need if you are using em4 driver NIC's as well, will use a tad more memory.

I've used 9 gigs of ram running Snort, pfblocker, Squid3 with antivirus etc. There are ways to make use of good hardware if you are serious about privacy and security. I found this out the hard way since there are so many people who preach low power equipment on the pfSense forums. My first build flat out was weak... too weak to use multiple instances of OpenVPN, Snort, have extremely large firewall tables and still get full ISP speeds through the VPN. This is when I learned most people over there do not care about the levels of privacy I do or ensuring full speeds over a VPN. For most it seems if it works it is enough... but not for me. Overkill is just enough in my opinion. I want my equipment to still work in 5 years and not be underpowered. And now with 4096 bit encryption... don't regret it at all.
dIecbasC 38 Posted ...

I've been playing with different settings but am currently on the high performing AC-NQ setting which seems to be providing slightly better perf when filtering WAN & AirVPN_WAN. Not sure what drivers are driving these Intel NICs - will check and see.

Certainly would be interested in hearing your thoughts re optimal settings, this is somewhat out of my field of expertise so learning as I go. Any (more!) shortcuts very much appreciated!

8 minutes to kill switch - hopefully see you guys on the other '4096' side
pfSense_fan 181 Posted ...

Don't forget when you log in to download new certs and keys to use airvpn.org's direct ip address to be sure you are not victim of DNS hijacking.

https://95.211.138.143/client/

I also recommend the use of firefox add-on "perspectives" to verify the ssl cert. It likely will fail, but viewing the results will show the notaries in agreement for the last 3-4 days since the renew of certs after the Heartbleed fiasco.
dIecbasC 38 Posted ...

that wasn't too painful - nearly tripped up on TLS authentication

noticed some new flags in the VPN description.... do I need to do anything with these?

persist-key
persist-tun
remote-cert-tls server

and comp-lzo is not set to 'no' - presumably because the data is encrypted already and wouldn't benefit from further packing?
pfSense_fan 181 Posted ...

Guide has been updated to the best of my understanding. I am seeing no errors in logs.

Please review the "Understanding Certificates and OpenVPN Config Files", delete old certs and keys and re-enter steps 1, 2 and 3 from scratch. Of note on the client page, the Advanced settings are new, compression is no longer checked (but handled in the advanced section) and we must enter our tls-auth key.

Please inform me of any issues.
pfSense_fan 181 Posted ...

> that wasn't too painful - nearly tripped up on TLS authentication
>
> noticed some new flags in the VPN description.... do I need to do anything with these?
>
> persist-key
> persist-tun
> remote-cert-tls server
>
> and comp-lzo is not set to 'no' - presumably because the data is encrypted already and wouldn't benefit from further packing?

New recommended advanced options are

"persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

1 Lee47 reacted to this
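Added example (not part of any post in the thread, and not code from the guide): a small Python audit that compares the earlier Advanced string with the updated one and flags the differences that matter for server authentication and tls-auth. The two option strings are copied from the posts; the finding names and the checks themselves are assumptions of this example.

```python
# The two strings are copied from the thread; the policy checks and
# finding codes below are this example's own (assumed), not the guide's.
OLD_OPTS = "ns-cert-type server;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"
NEW_OPTS = ("persist-key;persist-tun;remote-cert-tls server;key-direction 1;"
            "comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;")


def parse_options(advanced):
    """Split 'directive arg;directive arg;' into {directive: [args]}."""
    opts = {}
    for chunk in advanced.split(";"):
        parts = chunk.split()
        if parts:  # skip the empty piece after the trailing ';'
            opts[parts[0].lstrip("-").lower()] = parts[1:]
    return opts


def audit(advanced):
    """Return (code, message) findings for one Advanced option string."""
    opts = parse_options(advanced)
    findings = []
    # Certificate purpose check: without it, any certificate signed by the
    # same CA (for example another client's) is accepted as the server.
    if opts.get("remote-cert-tls") != ["server"]:
        if opts.get("ns-cert-type") == ["server"]:
            findings.append(("legacy-server-check",
                             "ns-cert-type is deprecated; use remote-cert-tls server"))
        else:
            findings.append(("no-server-cert-check", "add remote-cert-tls server"))
    # The updated string pairs the tls-auth key with key-direction 1.
    if opts.get("key-direction") != ["1"]:
        findings.append(("key-direction", "updated string sets key-direction 1"))
    # Compression is now set here instead of via the checkbox.
    if opts.get("comp-lzo") != ["no"]:
        findings.append(("comp-lzo", "updated string sets comp-lzo no"))
    # An MSS clamp at or above the tunnel MTU cannot take effect.
    try:
        if int(opts["mssfix"][0]) >= int(opts["tun-mtu"][0]):
            findings.append(("mssfix", "mssfix should be below tun-mtu"))
    except (KeyError, IndexError, ValueError):
        pass  # one of the two is absent or not numeric; nothing to compare
    return findings


def diff_options(old, new):
    """Directive-level diff between two Advanced strings."""
    a, b = parse_options(old), parse_options(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


if __name__ == "__main__":
    for code, msg in audit(OLD_OPTS):
        print(f"{code}: {msg}")
    print(diff_options(OLD_OPTS, NEW_OPTS))
```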
dIecbasC 38 Posted ...

Confirmed downloading at 14 megabytes per second (MB/s) from usenet. Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.

1 Lee47 reacted to this
pfSense_fan 181 Posted ...

I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.
finickybulgarian789563 0 Posted ...

so how do i setup pfsense to be able to use this https://airvpn.org/ssl/
Lee47 23 Posted ...

> Confirmed downloading at 14 megabytes per second (MB/s) from usenet. Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.

Excellent speeds. I hit 3-8% cpu usage but my speeds are far less, like 10x less. How did you get the power consumption to 19W, are you running pfsense with virtualbox and then adjusting the windows power settings? I only ask since that is an impressive low power draw!
Ernst89 11 Posted ...

> so how do i setup pfsense to be able to use this https://airvpn.org/ssl/

+1. I transferred my standard pfsense to the new config ok but I have chosen today to check if my ISP is traffic shaping OpenVPN. At the moment I can't even get SSL stunnel/OpenVPN to work on windows.

2014.04.14 12:18:28 LOG7[6764]: No limit detected for the number of clients
2014.04.14 12:18:28 LOG5[6764]: stunnel 5.01 on x86-pc-msvc-1500 platform
2014.04.14 12:18:28 LOG5[6764]: Compiled/running with OpenSSL 1.0.1g-fips 7 Apr 2014
2014.04.14 12:18:28 LOG5[6764]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.04.14 12:18:28 LOG7[6764]: errno: (*_errno())
2014.04.14 12:18:28 LOG5[6764]: Reading configuration from file stunnel.conf
2014.04.14 12:18:28 LOG5[6764]: FIPS mode disabled
2014.04.14 12:18:28 LOG7[6764]: Compression disabled
2014.04.14 12:18:28 LOG7[6764]: Snagged 64 random bytes from C:/.rnd
2014.04.14 12:18:28 LOG7[6764]: Wrote 0 new random bytes to C:/.rnd
2014.04.14 12:18:28 LOG7[6764]: PRNG seeded successfully
2014.04.14 12:18:28 LOG6[6764]: Initializing service [openvpn]
2014.04.14 12:18:28 LOG7[6764]: No private key specified
2014.04.14 12:18:28 LOG7[6764]: SSL options set: 0x01000004
2014.04.14 12:18:28 LOG5[6764]: Configuration successful
2014.04.14 12:18:28 LOG7[6764]: Service [openvpn] (FD=564) bound to 127.0.0.1:1413
2014.04.14 12:19:38 LOG7[6764]: Service [openvpn] accepted (FD=600) from 127.0.0.1:54615
2014.04.14 12:19:38 LOG7[6764]: Creating a new thread
2014.04.14 12:19:38 LOG7[6764]: New thread created
2014.04.14 12:19:38 LOG7[5272]: Service [openvpn] started
2014.04.14 12:19:38 LOG5[5272]: Service [openvpn] accepted connection from 127.0.0.1:54615
2014.04.14 12:19:38 LOG6[5272]: s_connect: connecting 95.211.149.214:443
2014.04.14 12:19:38 LOG7[5272]: s_connect: s_poll_wait 95.211.149.214:443: waiting 10 seconds
2014.04.14 12:19:39 LOG3[5272]: s_connect: connect 95.211.149.214:443: Connection refused (WSAECONNREFUSED) (10061)
2014.04.14 12:19:39 LOG5[5272]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.04.14 12:19:39 LOG7[5272]: Local socket (FD=600) closed
2014.04.14 12:19:39 LOG7[5272]: Service [openvpn] finished (0 left)
2014.04.14 12:19:39 LOG7[5272]: str_stats: 3 block(s), 60 data byte(s), 150 control byte(s)
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:413
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:412
2014.04.14 12:19:39 LOG7[5272]: str_stats: 20 byte(s) at ..\src\network.c:411

Not sure if this is me or maybe some problem due to the new certificates? However presuming it does work and makes a difference I would want to set it up on pfsense.
Lee47 23 Posted ...

> I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.

Revised guide is fine, am back up and running, but yeah tried the

"persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;"

line and it broke my stability of downloads again so tried

"persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"

It's stable and fine so far in downloads, and no replay errors in the openvpn logs was it? Everything is fine in those logs my end so far!
dIecbasC 38 Posted ...

> > Confirmed downloading at 14 megabytes per second (MB/s) from usenet. Snort running on WAN & VPN_WAN plus squid filtering, CPU at 10% utilisation, mem 15% of 7983MB, temp 47 degC and power consumption at 19W.
>
> Excellent speeds. I hit 3-8% cpu usage but my speeds are far less, like 10x less. How did you get the power consumption to 19W, are you running pfsense with virtualbox and then adjusting the windows power settings? I only ask since that is an impressive low power draw!

Absolutely nothing special, just kept it simple. 1 * Intel 35W processor, 1 30GB mSATA card, 2*4GB crucial RAM and that's it.

I suspect I could under volt this setup quite a bit given it's hardly breaking a sweat but life's too short to worry about saving a few watts of juice. If it was a 200W saving then yes but even a 50% saving would only be 10W on this rig.

I'm umm-ing and ahh-ing about modifying the Akasa Euler case to install another couple of NICs.... I'm sure there is room in the for a mSATA board and shift the mSATA drive to a mSATA->SATA daughter board. Don't really need the additional ports and the benefit of separating out my LAN nets is minimal given pretty much everything is wifi and tolerant to low pings etc. Only the gaming consoles would benefit but I'm hardly online that often and I'm hardly l33t so the decreased pings probably wouldn't bother me.

as I say, umming and ahhing still.....

1 Lee47 reacted to this
dIecbasC 38 Posted ...

@pfsense_fan: could you tell me what a replay error looks like in my logs and I'll check mine. I can't see anything obvious and I'm running your revised original new settings
pfSense_fan 181 Posted ...

> > I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.
>
> Revised guide is fine, am back up and running, but yeah tried the
>
> "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;"
>
> line and it broke my stability of downloads again so tried
>
> "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"
>
> It's stable and fine so far in downloads, and no replay errors in the openvpn logs was it? Everything is fine in those logs my end so far!

Oddly enough, the tun-mtu and mssfix were causing errors on my end. Removing them fixed part of it but exposed another error. I had to increase the send and receive buffers for OpenVPN. Since then, no replay errors. I am however seeing odd results when trying to use speedtest. Everything else seems fine.
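Added example (not part of any post in the thread): the question above about what a replay error looks like in the logs, answered as a small Python scan for OpenVPN's replay-protection messages, counted per minute so an isolated warning can be told apart from a steady stream. The log lines, timestamps, process id and packet numbers are constructed for illustration; only the message wording follows OpenVPN's own.

```python
import re
from collections import Counter

# Wording of OpenVPN's replay warning; everything else in SAMPLE_LOG
# (timestamps, pid, packet numbers) is constructed for this example.
REPLAY_TAIL = (" -- see the man page entry for --no-replay and --replay-window"
               " for more info or silence this warning with --mute-replay-warnings")
REPLAY_MSG = "Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #%d ]"

SAMPLE_LOG = "\n".join([
    "Apr 14 21:03:10 openvpn[4242]: Initialization Sequence Completed",
    "Apr 14 21:03:41 openvpn[4242]: " + REPLAY_MSG % 48211 + REPLAY_TAIL,
    "Apr 14 21:03:41 openvpn[4242]: " + REPLAY_MSG % 48212 + REPLAY_TAIL,
    "Apr 14 21:03:55 openvpn[4242]: " + REPLAY_MSG % 48240 + REPLAY_TAIL,
    "Apr 14 21:04:20 openvpn[4242]: Replay-window backtrack occurred [3]",
    "Apr 14 21:07:02 openvpn[4242]: " + REPLAY_MSG % 51007 + REPLAY_TAIL,
])

# Syslog-style prefix; the 'minute' group drops the seconds for bucketing.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d{1,2}\s+\d\d:\d\d):\d\d\s+openvpn\[\d+\]:\s+(?P<msg>.*)$")
REPLAY_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+)")
BACKTRACK_RE = re.compile(r"Replay-window backtrack occurred \[(?P<n>\d+)\]")


def summarize(log_text):
    """Count replay warnings per minute and collect the packet IDs involved."""
    per_minute = Counter()
    packet_ids, backtracks = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn syslog line
        replay = REPLAY_RE.search(m["msg"])
        if replay:
            per_minute[m["minute"]] += 1
            packet_ids.append(int(replay["pid"]))
        back = BACKTRACK_RE.search(m["msg"])
        if back:
            backtracks.append(int(back["n"]))
    peak = per_minute.most_common(1)[0] if per_minute else None
    return {
        "replays": sum(per_minute.values()),
        "packet_ids": packet_ids,
        "backtracks": backtracks,
        "peak_minute": peak,  # (minute, count) or None when the log is clean
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```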
pfSense_fan 181 Posted ...

> so how do i setup pfsense to be able to use this https://airvpn.org/ssl/

While there is a Stunnel package available for pfSense, I am learning it may not be fully featured. I am not entirely sure it is possible. Your best bet would be to ask over at the pfSense forums and share what you learn here!