pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


When you log into pfSense it will do a check online to see if a new version is available; we're currently on 2.1.3-RELEASE.

 

I would keep an eye out for 2.1.4 or check Air's OpenSSL post here:

 

https://airvpn.org/topic/11688-completed-urgent-openssl-upgrade/?do=findComment&comment=18288

 

pfsense latest versions thread here:

 

https://forum.pfsense.org/index.php?PHPSESSID=191nq5djqbjm03ui5q6ji3ab50&board=14.0

 

Perhaps since this bug was discovered recently it may take time for it to be patched fully. Air has already patched its side though, so we just have to wait for pfSense to do the same.

 

I'm sure more info will appear.


Because it takes both client AND server being vulnerable to actually be vulnerable, it's not much of an issue. As refresh stated, Air updated so we are covered. As for when 2.1.4 will be out to correct it, expect about a week.

 

https://forum.pfsense.org/index.php?topic=77876.msg424785#msg424785


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


I really appreciate you making this guide. I unfortunately am having a few general problems. I followed your guide to the letter(I'm on 2.1.3) and for some reason my webgui is accessible from the WAN. I tried blocking access to 192.168.1.1 on LAN and WAN as well as port forwarding 80/443 to a different internal IP and nothing changes.

 

I'm also having some trouble accessing my NAS on 192.168.1.0/24 from 192.168.123.0/24, what's the general strategy here? 

1. LAN allow rule for 192.168.123.0/24

2. VPN_LAN allow rule for 192.168.1.100

3. A NAT of some kind?

 

I guess I don't understand how the VPN gateway is working and how to go about giving my VPN users access to the share.  

 


Does anyone know how to whitelist certain websites? For some reason lowes.com is blocked and I am not sure how to whitelist it. I also know of two others that are blocked. I know these sites will work when I bypass my pfSense router. This happened some time after getting this all set up.

 

Anyone else have problems getting lowes.com to show?

 

Is it the DNS blocking it? Kinda scared to mess around too much because then I end up shutting down my whole house internet and the other people start staring at me until it is working again. Oh well, going to see if I can find anything again.


I just noticed that bestbuy.com is also blocked.

 

Access Denied

You don't have permission to access "http://www.bestbuy.com/" on this server.

 

I tried to figure out what is causing it but none of the plugins seemed to be it because I would delete each plugin and try it. It is either the VPN or the DNS settings. If I bypass the router and go straight into my computer then I can access every website no problem.

 

I guess I can try to use OpenDNS.

 

This is kind of annoying that it blocks sites like lowes.com and bestbuy.com


Ok it works now. I found out that I guess that my vpn server was being blocked. I swapped to another one and all sites are working fine and this website shows me as connected.



I'm not really sure how that happened to be honest. Many others at this point have followed the guide and had no issues of this sort to date. WebGUI access from WAN is disabled by default upon install.

 

How did you diagnose this issue?

 

As for the NAS, one thing to remember with pfSense the way it is set up in the guide is that on each interface we have created a "BLOCK ALL" rule. This means you must create rules on the affected interface, as all traffic which we do not explicitly allow is blocked. This is how a true firewall behaves... so whichever interface the NAS is tied to needs rules allowing connections to it. I would create an alias that defines your local subnets (192.168.1.1/24, 192.168.123.1/24 etc.) and create a firewall rule to allow connections from that alias as the source to the IP address of the NAS. Place the firewall rule below the block DNS rule. You will also need to create a static DHCP mapping for the NAS.

 

Aliases - doc.pfsense.org




No issues with lowes here.

 

Are you using a US Air server? Are you using 10.4.0.1 as your DNS?

 

If you are, perhaps try a different server?

 

Have you done DNS leak tests?



I want to just allow some hosts through the VPN and have been semi-following this guide. Still a complete noob when it comes to pfSense (I'm used to SonicWall).

 

Not sure I'm on the right track yet cause I'm tired and need to sleep but VPN is up.

 

I got a mix of static and DHCP from 192.168.100.3-100 (not all in use ofc. but you get the idea) and they should not use the VPN at all but I need a range for VPN only too.

 

As I understand What is policy routing pfSense will take care of the routing with something like this:

 

A rule with allow 192.168.100.3-100>any with default gateway WAN DHCP

and

a rule with allow 192.168.100.101-200>any with default gateway AirVPN

 

 

Sounds too easy but I "need" static IPs anyway so I might as well just use .101 etc. for the computers that are going to use VPN only.

 

Am I missing something here?



You need to set the outbound NAT rules to correspond to the split subnet AND set an allow out firewall rule for each split of the subnet with the assigned gateway on the firewall rules page for that NIC... but yes, you can do this. Delete the allow out rule that allows the entire subnet.

 

When I first started this guide I had a section for this, but it caused me too much grief because the average person using my guide is completely new to this... and I chose not to support it as there is too much room for error if one does not know what they are doing.

 

Mind you... you now cannot use the dns forwarder at all unless you want to lose ALL connectivity when the VPN is down. You will need to have dns served by dhcp to the clear net side or use the forwarder for both but set the dns on the general page to 10.4.0.1 only, with the gateway set to airvpn.

 

There may be other steps but I too am a bit worn out at the moment. Good luck.




I just finished figuring out how to split my subnet so IPs in the range of 192.168.1.2 to 192.168.1.127 go through the VPN while IPs 192.168.1.128 to 192.168.1.254 bypass the VPN.  As you stated, it does require NAT rules to be left in place when you switch to manual.

 

The trick is to duplicate each of the manually generated ones and simply change the interface to the VPN connection interface.  When finished, you should have pairs for:

  • Source: subnet, Destination port 500
  • Source: subnet, Destination port *
  • Source 127.0.0.0/8, Destination port *

The only difference between each entry in each pair is the interface.  They should appear in that order, with each interface being covered by each source/destination port:

  • Source: subnet, Destination port 500, Interface WAN
  • Source: subnet, Destination port 500, Interface VPN
  • Source: subnet, Destination port *, Interface WAN
  • Source: subnet, Destination port *, Interface VPN
  • Source 127.0.0.0/8, Destination port *, Interface WAN
  • Source 127.0.0.0/8, Destination port *, Interface VPN

I then use firewall rules to guide each half of the subnet through either the VPN or through the WAN interface gateway.  I think this is very useful for folks who want to send their media players (Apple TV, etc) through the VPN while leaving their computers passing through the regular interface.

 

That being said, each person's setup is going to be unique.  I did have to refer to the guide that worked for a previous VPN to figure out why my desired setup wouldn't work given the instructions here.  That's when I realized I was missing the six NAT rules.


Seems to be working fine so far. I just forgot the NAT cause I got hung up in that gateway setting in the firewall rules.

 

Added the limiter to the firewall rules too but that seems to not want to be very effective anymore but that's another story.

 

Thanks for the guide.


Does anyone have issues with the packages not being able to be seen? If I have the factory default settings the OS can find and even install the packages, but if I load the configuration the OS can no longer check for updates to pfSense nor can it see the packages to even be able to install them.

 

Any ideas?

 

I wanted to install Snort and HAVP.



I'm not sure I follow what you're saying. Are the packages not showing up on pfsense when you click the link for packages in the GUI? If that is the case, on the dashboard does it say "unable to connect" or does it say "you are on the latest version" or similar under the System Information -> Version area?

 

If it says unable to connect or if it is not showing the packages list... your DNS for the firewall itself is likely not configured correctly.

 

How many NICs are you using?



It says Unable to Connect


 

 

When I go to System/ Packages/ Available Packages it says

"Unable to communicate with https://packages.pfsense.org. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity."

 

So it may be the DNS like you said.

 

Two NICs. Just one in and one out. I did follow the part of your guide that was for two and not three plus if I remember right.



I don't recall what I wrote for the DNS section for two NICs and sadly am too lazy to look at the moment. Compare what I wrote for 3 or more NICs to what I wrote for 2. You may need to play with it. Let us know.

 

 

That being said... you can't use HAVP, Squid, DansGuardian etc. on the VPN side of things without creating IP leaks that are hard to detect and routing loops due to setting the VPN as default gateway. It has to do with the way pfSense routes proxied connections. I didn't learn this until recently while delving very deep into setting up an adblock style filter. Proxies on pfSense currently do not support multiple WANs and it will pipe the proxied content to the default gateway. Just can't be done currently while also remaining secure and leak proof.

 

I need to correct that portion in my preface where I say you can do this... I will soon enough.

 

Also, don't waste your time with snort. Install Suricata instead. Suricata has multi-thread support and is the way forward.... it is newer and better than snort. There is a thread on how to set up suricata in the packages subforum over at the pfsense forums.

 

Good luck with it.



Hey guys, got this all setup but have a quick question.  I want to make multiple copies of my working client so i can quickly switch between servers.  I cannot get it working. I basically copied my first client and just changed the AirVPN server IP for the second client and it fails to connect.  If i paste the server IP into the first client it works, any ideas?


Your plan is victim to how OpenVPN interacts with the operating system.

 

Each instance of OpenVPN client you run on pfSense creates its own unique virtual adapter (TUN/TAP interface). If you are trying to run a second instance OpenVPN client, your firewall rules and NAT are not compatible with the new second (likely ovpnc2) virtual interface as they are programmed for the first (ovpnc1). You would have to go through and set up the second interface, the new gateway, outbound NAT and create new firewall rules. There are people that have suggested gateway and interfaces groups etc... but I find all that to be a bit excessive.

 

If you want to switch, just change the remote IP of the original client, it really is the easiest way.

 

To make switching easier, you can save a list of IP addresses at the end of your advanced config section. All you have to do is "comment" them out using pound signs at the beginning of a line and the text will not be read by OpenVPN, for instance:

 

 

##### AirVPN SERVER IP's #####

##### Farud xxx.xxx.xxx.xxx

##### Menkib xxx.xxx.xxx.xxx

##### Phoenicis xxx.xxx.xxx.xxx

 

You can keep a list of as many as you like, then just copy and paste as you need them.



That is a great way to do it, I will copy and paste a bunch at the bottom.

 

Just wanted to say thanks for doing this guide, it has made my setup very stable, really liking it, so thanks a lot.

 

I have just one last question.  I tried plugging both networks (VPN/ClearNet) into the same switch and they were fighting to hand out IPs to my devices as they powered on, etc. Am i right in thinking that each network needs to be on their own switch and separated?  Like take everything I want to go out through the VPN and plug it into switch A, and take everything i don't want to go out the VPN and plug it into switch B?  Also, is there a way to make the different segments talk to each other?

 

Thanks again pfsense_fan.



I run two AirVPN connections simultaneously, this gives me AirVPN servers situated in different countries.

 

In addition to changing the client "Server host or address" IP you will need to set up an appropriate OpenVPN certificate for the new server and point the "Client Certificate" to this certificate.

 

If you want to run the clients simultaneously you also need to give one client a non default value "IPv4 Remote Network/s"   say 10.0.9.0/24. 

 

Finally I create an additional LAN firewall rule to route specific IP addresses through the second OpenVPN tunnel.

 

Or you could use your existing rule and flip the gateway.

 

Obviously this is my set up rather than what you want but you should be able to adapt it.



Whoops you need an extra Outbound NAT rule too.


Thanks for that info. Right now I have two switches with the vpn on its own switch. How do I get a machine on one switch 192.168.1.xxx to a machine on the other switch which is the vpn at 192.168.2.xxx?



How to get a machine on one subnet to communicate with a machine on another?

 

If that is what you are asking, you need to make a firewall rule on the interface or each interface that is trying to communicate as a client  to allow the communication across subnets. Making a networks alias makes this easier if you list all the local subnets you want to be able to communicate. I also use a ports alias and restrict communication on my local network to services I control. This following firewall rule is basic but should get you going if this is what you are trying to do. I use a rule like this to allow access to a network printer and a local DNS server

 

For this we will assume you have a printer on your LAN that you want to access from the AirVPN_LAN:

 

Set as follows:

Action = [ Pass ▼]

Disabled = [_] Disable this rule (UNCHECKED)

Interface = [AirVPN_LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [Any ▼]  -  TCP/UDP is also a consideration if you don't need pings. Best to only allow what you need.

Source = [_] Not (UNCHECKED)

              Type: [ AirVPN_LAN net ▼]  -  (192.168.2.1 /24)

              Address: [______] (BLANK)

Destination = [_] Not (UNCHECKED)

                     Type: [ LAN net ▼]  -  (192.168.1.1 /24, or a local subnets networks alias)

                     Address: [______] (BLANK)

Destination port range = From: [Any▼], To: [Any▼]  -  (Or choose [ (other)▼]  and enter a ports alias of ports you intend to use)

Log = [_]  -  Your choice if you wish to log

Description = [✎ Allow_Local_Services ] 

 

(NOTE: DO NOT, repeat DO NOT select a gateway in the advanced options. We don't want to route it out one since it is local traffic

 

3.) Click [ Save ]

 

4.) Click [ Apply Changes ]

 

This rule MUST be placed directly above your allow all rule. Move the rule into place accordingly, save and apply changes. You will need to reboot after to make sure everything loads.


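As an added example (not from this thread and not pfSense's own code), here is a small Python model of pfSense's first-match rule evaluation and outbound NAT coverage. It checks the two points raised in the posts above: the gateway-less cross-subnet rule must sit above the allow-all rule that carries the AirVPN gateway, and a split subnet needs the outbound NAT entries duplicated onto the VPN interface. The subnets, the gateway names AirVPN_GW and WAN_DHCP, and the ovpnc1 mapping are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    src: str                 # source network the rule matches
    dst: str                 # destination network the rule matches
    gateway: Optional[str]   # policy-routing gateway; None = plain routing
    description: str

@dataclass
class NatRule:
    interface: str           # interface the outbound NAT entry is bound to
    src: str                 # source network being translated
    dport: Optional[int]     # destination port, None = any

# Constructed topology: LAN and AirVPN_LAN behind pfSense, one OpenVPN client.
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]
GATEWAY_IFACE = {"WAN_DHCP": "WAN", "AirVPN_GW": "ovpnc1"}

def first_match(rules, src_ip, dst_ip):
    """pfSense interface rules are evaluated top-down; the first match wins."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r
    return None  # nothing matched: the interface's block-all rule applies

def egress_interface(rules, src_ip, dst_ip):
    """Where a packet ends up: 'BLOCKED', 'local', or the egress interface."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None:
        return "BLOCKED"
    if r.gateway is not None:  # a gateway on the rule overrides the routing table
        return GATEWAY_IFACE[r.gateway]
    if any(ip_address(dst_ip) in ip_network(n) for n in LOCAL_SUBNETS):
        return "local"         # stays between the firewall's own subnets
    return "WAN"               # default route

def nat_covered(nat_rules, iface, src_ip, dport):
    """True if some outbound NAT entry on iface translates this source/port."""
    return any(n.interface == iface and ip_address(src_ip) in ip_network(n.src)
               and n.dport in (None, dport) for n in nat_rules)

# Point 1: the cross-subnet rule must sit ABOVE the allow-all rule that carries
# the VPN gateway, or printer traffic from AirVPN_LAN is pushed into the tunnel.
ALLOW_LOCAL = Rule("192.168.2.0/24", "192.168.1.0/24", None, "Allow_Local_Services")
ALLOW_ALL_VPN = Rule("192.168.2.0/24", "0.0.0.0/0", "AirVPN_GW", "Allow_out_via_VPN")
WRONG_ORDER = [ALLOW_ALL_VPN, ALLOW_LOCAL]
RIGHT_ORDER = [ALLOW_LOCAL, ALLOW_ALL_VPN]

# Point 2: a split LAN (low half via VPN, high half via WAN) needs outbound NAT
# on BOTH egress interfaces; NAT_WAN_ONLY is the state before duplicating them.
SPLIT_RULES = [
    Rule("192.168.1.0/25", "0.0.0.0/0", "AirVPN_GW", "low half -> VPN"),
    Rule("192.168.1.128/25", "0.0.0.0/0", "WAN_DHCP", "high half -> WAN"),
]
NAT_WAN_ONLY = [NatRule("WAN", "192.168.1.0/24", 500),
                NatRule("WAN", "192.168.1.0/24", None),
                NatRule("WAN", "127.0.0.0/8", None)]
NAT_PAIRED = NAT_WAN_ONLY + [NatRule("ovpnc1", n.src, n.dport) for n in NAT_WAN_ONLY]

def split_host_natted(nat_rules, src_ip, dst_ip="203.0.113.10", dport=443):
    """Does a split-subnet host leave with NAT applied on its egress interface?"""
    iface = egress_interface(SPLIT_RULES, src_ip, dst_ip)
    return iface not in ("BLOCKED", "local") and nat_covered(nat_rules, iface, src_ip, dport)

if __name__ == "__main__":
    print("wrong order:", egress_interface(WRONG_ORDER, "192.168.2.10", "192.168.1.50"))
    print("right order:", egress_interface(RIGHT_ORDER, "192.168.2.10", "192.168.1.50"))
    print("VPN half, WAN-only NAT:", split_host_natted(NAT_WAN_ONLY, "192.168.1.10"))
    print("VPN half, paired NAT:  ", split_host_natted(NAT_PAIRED, "192.168.1.10"))
```

With the rules in the wrong order the model reports the printer traffic leaving on ovpnc1, and with WAN-only NAT the VPN half of the split subnet has no translation on its egress interface, which matches the symptoms the two posts describe.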
