pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


Hi OP!

I'm a new member to AirVPN, currently testing a trial membership.

However, I am not new to pfSense; I currently use it with PIA VPN. PIA service has deteriorated despite the addition of many servers... trying to pick a server with good performance during peak hours is like throwing darts in the dark... I absolutely love AirVPN network stats and transparency. Also, several large datacenters are no longer allowing BitTorrent-heavy services on PIA networks. In response, PIA is routing traffic in a few countries through a separate VPN (VPN over VPN), making the connection speeds even worse... Thus here I am testing AirVPN after much research...

I was going to tweak my current setup to add AirVPN to pfSense but decided to read and follow your guide... All I have to say is WOW! That is a wonderfully written guide, with not only explanation to users as to what the settings do, but it provides people understanding on how pfSense works... Nicely done sir, and thank you for taking the time to write such a wonderful guide.

I must say, I was expecting moving from PIA 128AES to 256 in AirVPN to affect my speeds but quite the contrary, my speeds are 40% faster with higher encryption, completely maximizing my download/upload ISP limits (can't wait for 1Gbps to be rolled out next year in my area). My CPU load reaches 30% max under heavy load with plenty of room to spare for when 1 Gbps arrives... Needless to say I am impressed with AirVPN service and I will be extending the trial to a one year membership. Although AirVPN is more expensive than PIA, the fact that they are not US based, OpenVPN GODS!, Bitcoin, P2P support, strong privacy history and kick ass service, makes them number 1 in my book. Bye bye PIA...

Thanks again for the guide!


The whole project triggered my curiosity! I am going to buy some low-end AMD hardware and start building the whole thing from scratch, but first I need to know:

  1. Is it possible to wirelessly connect my wannabe pfSense router with my main router?
    My main router is a German Fritzbox located in another room from the one where I am going to install my custom pfSense router, so I need to know first if the connection between these two can be done wirelessly.
  2. Is it possible for my wannabe pfSense router to create its own separate WLAN, so devices (laptop, Chromecast, PS4) can be connected to its wifi network instead of my Fritzbox WLAN?
  3. Is it possible to automatically shut down all network connectivity as soon as the VPN is temporarily offline?
  4. Is it possible to use stunnel (like https://airvpn.org/ssl/)? My ISP throttles so this is very important for me. Any links/guides would be helpful.

Thanks


Don't buy AMD; stick with Intel, preferably with Intel NICs. Cheap hardware often causes performance issues.

I don't know about the Fritzbox specifically, sorry. You should be able to do everything you asked about above, and you may in fact be able to replace the Fritzbox altogether if you can configure the pfSense WAN port to hook up correctly to your ISP.


I don't think pfsense can do ssl+ovpn connections, just ovpn.

 

@dIecbasC

I agree @ amd, and most intel nics are really fantastic. Also might wanna make sure the chip has aes instructions. The N3150M = nice and cheap + aes.


pfSense does it great, with stunnel package or port installed.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Ah good to know. I haven't used it in ages but never remembered even seeing it in that gui.


I use this for my pfSense box 

http://www.asrock.com/mb/Intel/Q1900-ITX/

 

Never uses more than 30 percent CPU even under heavy downloading.


They're nice little setups for sure, also makes a decent nas. Have openbsd running on the q1900m @ diskless and fanless + a couple of intel nics. I keep thinking about upgrading to the celery n3150m, some day


First, I use an AMD 5350 with Realtek NICs (motherboard = extra PCI-e). It is fine up to my connection limit, i.e. > 70% idle at 150Mb/s using AirVPN on a 160Mb/s connection. It appears stable after three months' use.

The Intel J1900 doesn't have AES-NI and hence I would expect it not to be good for high connection speeds under OpenVPN, maybe 20%? the speed of the AMD 5350.

The Intel n3150m or (n3700) do have AES-NI, are low power (hence no fan unlike AMD 5350) and cheap. I guess they should be good at high AirVPN speeds. Only slightly less powerful than the AMD 5350. It would be great if someone could confirm this with a real life test..

Finally, does anyone know a good small mini-ITX case that will accommodate a low profile PCI-e NIC adapter?


Nice to know about the J1900; however, for me, the most speed I can get at this time is about 30mbps so it does well. It will be eons before my rural carrier will offer gig connections.


I pushed a solid 80Mb/s through one of my q1900m setups using ssh+openvpn + running a full linux desktop on it. I don't have a 160Mb/s connection to test on but on the q1900m setup firefox used more cpu than openvpn did. One of those AES chips 3150/3700 would steam roll it.


I am considering running a pfSense for my home router and firewall. However, I have been running Smoothwall for the last 8 years or so, and am very happy with it. I was trying to set up Air on it, but was unable to. Anyone here ever use a Smoothwall? I would consider pfSense, but would like to use what I have if I can get Air working on it.


Hi all! I'm struggling with my pfSense box and this manual.

I have 2x network cards and, according to this manual, 3 interfaces: LAN, WAN and AIRVPN_WAN

I configured everything, but the Alternate Step 6+7 refers to AirVPN_LAN.

Is this a mistake or misspelled? Because this is only necessary with 3 or more NICs, right?

My AirVPN connection is running fine on 60mbit/sec. This is a huge improvement compared with my old Asus router.


It states the guide is for a 3 nic setup. If you read further he details for a 2 nic setup.

 

Furthermore, he has like a 6 NIC setup but he only wrote it for a 2 and 3.

 


Sorry; what I mean is

in the block DNS leaks rule: AirVPN_LAN should be LAN

(only in the 2 cards setup.)


Hi pfsense fan, obviously a much better guide than mine. I'm not a network specialist, but I got it working without dns leakage. I will follow your guide now... Thank you for your excellent effort here

 

Have a good weekend,

 

KNiCKER


Hi,

I like your guide and it works fine for me, but I need an additional network interface for guest WLAN which also goes through airvpn-wan. I configured another interface 1:1 but I can't go online with that. Do you have any hints for me?

 

regards Martin


It's fairly simple to add another interface.

Add interface, set its IP address to another subnet, /24 etc.

Add DHCP settings as appropriate.

Add DNS support via resolver or forwarder as appropriate.

I define an alias for my local subnets which includes 192.68.20.0/24, 192.168.30.0/24 etc., which makes the next step simple.

Add firewall rules to new interface; in your case you should use the VPN gateway:

allow traffic to NOT your local subnets

reject traffic to local subnets (this will ensure guests only access internet, but not your servers etc.)

I think you will likely need to add a rule to allow guest subnet devices > guest address, i.e. your pfSense box port 53, to allow DNS to work.

Add a NAT rule to allow traffic from the guest network to VPN_WAN <-- this is the bit I think you are missing as it's the most common failing.

Hope that helps; if it doesn't, let us know more details so we can help troubleshoot, i.e. can devices get a DHCP address, can you ping the firewall, can you DNS lookup, can you ping airvpn.org etc.

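The guest-interface rules from the reply above, as an added example that is not part of the original post and is not pfSense code: a simplified top-to-bottom, first-match model showing what each rule does to a guest packet, and why the DNS rule has to sit above the reject rule when the local-subnets alias also covers the guest subnet. The subnets, the firewall address 192.168.30.1 and the sample packets are constructed; AIRVPN_WAN is assumed as the VPN gateway name.

```python
# Added illustration: simplified first-match model of the guest interface rules.
# Subnets, addresses and packets are constructed values, not taken from the thread.
from ipaddress import ip_address, ip_network

LOCAL_SUBNETS = [ip_network("192.168.20.0/24"),   # LAN (constructed)
                 ip_network("192.168.30.0/24")]   # guest WLAN (constructed)
GUEST_NET = ip_network("192.168.30.0/24")
GUEST_FW_ADDR = ip_address("192.168.30.1")        # firewall address on the guest interface

def in_local(addr):
    """True when addr falls inside the local-subnets alias."""
    return any(addr in net for net in LOCAL_SUBNETS)

# Rules in evaluation order; the first rule that matches decides the packet.
# Each entry: (name, match predicate, action, gateway)
GUEST_RULES = [
    ("allow DNS to firewall",
     lambda p: p["dst"] == GUEST_FW_ADDR and p["dport"] == 53
     and p["proto"] in ("tcp", "udp"),
     "pass", None),
    ("reject local subnets", lambda p: in_local(p["dst"]), "reject", None),
    ("internet via VPN", lambda p: not in_local(p["dst"]), "pass", "AIRVPN_WAN"),
]

def evaluate(rules, src, dst, proto, dport):
    """Return (rule name, action, gateway) for a packet entering the guest interface."""
    pkt = {"src": ip_address(src), "dst": ip_address(dst),
           "proto": proto, "dport": dport}
    if pkt["src"] not in GUEST_NET:
        return ("not from guest subnet", "block", None)
    for name, match, action, gateway in rules:
        if match(pkt):
            return (name, action, gateway)
    return ("default deny", "block", None)  # nothing matched: blocked by default

def nat_needed(action, gateway):
    """Outbound NAT is only relevant for traffic that leaves via the VPN gateway."""
    return action == "pass" and gateway == "AIRVPN_WAN"

if __name__ == "__main__":
    samples = [("192.168.30.50", "192.168.30.1", "udp", 53),    # DNS lookup
               ("192.168.30.50", "192.168.20.10", "tcp", 445),  # LAN file server
               ("192.168.30.50", "203.0.113.7", "tcp", 443)]    # internet host
    for s in samples:
        verdict = evaluate(GUEST_RULES, *s)
        print(s, "->", verdict, "NAT" if nat_needed(*verdict[1:]) else "")
    # Same DNS packet with the DNS rule moved below the reject rule
    swapped = [GUEST_RULES[1], GUEST_RULES[0], GUEST_RULES[2]]
    print("swapped:", evaluate(swapped, "192.168.30.50", "192.168.30.1", "udp", 53))
```

Only the last rule carries a gateway, so the missing outbound NAT entry the reply points to affects exactly the traffic that rule passes.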

@chuck: Seems you are still running DNS forwarder. Disable it first, then set up DNS resolver.

Thanks, LazyLizard. I just had this same issue. I went to Services: DNS Resolver and unchecked Enable DNS Resolver and that let me continue.  


I had the same issue and workaround; I think there's a problem with pfSense using the DNS services on different IPs/subnets with different service types.

@dIecbasC thx 4 help, now it works, I've redone everything

regards Martin
