Ernst89 11 Posted ...

what do you run for your hypervisor? just curious. I have run VMs under Windows using VirtualBox and VMware. The problem I ran into was high CPU load, which I believe was due to virtualised NICs (ethernet adapters). Modern CPUs can pass through devices such as a PCI LAN card and should minimise the problem. My CPU was not modern enough so I gave up. If I try again I will probably go with VVM.
Ernst89 11 Posted ...

> what do you run for your hypervisor? just curious. I have run VMs under Windows using VirtualBox and VMware. The problem I ran into was high CPU load, which I believe was due to virtualised NICs (ethernet adapters). Modern CPUs can pass through devices such as a PCI LAN card and should minimise the problem. My CPU was not modern enough so I gave up. If I try again I will probably go with VVM.

That should read KVM not VVM
flat4 79 Posted ...

> > what do you run for your hypervisor? just curious. I have run VMs under Windows using VirtualBox and VMware. The problem I ran into was high CPU load, which I believe was due to virtualised NICs (ethernet adapters). Modern CPUs can pass through devices such as a PCI LAN card and should minimise the problem. My CPU was not modern enough so I gave up. If I try again I will probably go with VVM.
>
> That should read KVM not VVM

KVM is awesome!!

pFsense it works
pfSense_fan 181 Posted ...

For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to at all or postpone updating to 2.3.

The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up its sleeve. I am going to offer it up differently than I originally did with the forwarder. Instead of using clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any Clear-Net interfaces will have to hand out external public DNS if the user desires it. This could cause some confusion, as if the VPN goes down so too will the DNS Resolver. Others will find that fact desirable. I don't find it desirable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and its DNS block list functionality.

In the interim, any and all constructive criticism is welcomed. As some know, I made this guide in my head to help users get started, my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.

Have my guides helped you? Help me keep helping you, use my referral:
How to set up pfSense 2.3 for AirVPN
Friends don't let friends use consumer networking equipment!
Casper31 73 Posted ...

> For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to at all or postpone updating to 2.3.
>
> The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up its sleeve. I am going to offer it up differently than I originally did with the forwarder. Instead of using clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any Clear-Net interfaces will have to hand out external public DNS if the user desires it. This could cause some confusion, as if the VPN goes down so too will the DNS Resolver. Others will find that fact desirable. I don't find it desirable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and its DNS block list functionality.
>
> In the interim, any and all constructive criticism is welcomed. As some know, I made this guide in my head to help users get started, my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.

Yes, I am interested. Also my config of pfSense changed a lot and learned a few things. Specially interested in pfBlockerNG.

Tip for the pfSense user: "The comprehensive guide to pfsense 2.3." https://www.youtube.com/watch?v=agieD5uiwYY

Greetings, casper
Wolf666 17 Posted ...

Just for info, I set my router with the guide of pfSense_fan since 2.2 beta, now I am on 2.3 beta. The only deviation is that I use unbound (DNS Resolver). Small adjustments and also with 2.3 will work.

- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)
- Switch Cisco SG350-10
- AP Netgear RAX200 (Stock FW)
- NAS Synology DS1621+ (5 x 5TB WD Red)
- ISP: Fiber 1000/300 (PPPoE)
SumRndmDude 22 Posted ...

> For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to at all or postpone updating to 2.3.

Very, very interested. I spent a small fortune on an Asus router with more muscle hoping it would beef up my Air connection. Having a 100/10 connection, but only getting 18/10 was killing me. The new router only gave me 25/10. Following your guide, threw some old parts together and built a powerhouse. I can max out 100 mbps connection with Air now. Looking at building a dedicated ITX pfSense box and a new guide would be great. Thoroughly appreciate your work thus far as I've learned a lot about pfSense and routing in general.

On a side note, curious if anyone is running Suricata successfully using the guide. I set it up to use the emerging threat rules and Snort VRT rules, but if I leave it running monitoring my WAN and AIRVPN_WAN, I eventually lose connectivity. If I leave it just on my WAN port, it's fine. I assume it's a setting I'm missing somewhere.
Wolf666 17 Posted ...

Snort or Suricata should run on LAN since any unsolicited inbound WAN traffic is blocked by the pfSense firewall by default. You can also run it on WAN, but that could be useless for blocking purposes.
pfSense_fan 181 Posted ...

Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.

Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all versions prior to pfSense 2.3)

As always, feedback is welcome and encouraged.
don1234 0 Posted ...

Hello, I'm stuck on step 6 "Setting the DNS Forwarder Options". I have it set up like your instructions say but I get this when I try to save. Not sure where I need to go from here. Thanks
amair 6 Posted ...

This is a very good thread and I think a lot of posters here are very good at pfSense. I have one question. What kind of data does the pfSense company collect from pfSense boxes? https://forum.pfsense.org/index.php?topic=108589.0

Many thanks in advance!
SumRndmDude 22 Posted ...

> Hello, I'm stuck on step 6 "Setting the DNS Forwarder Options". I have it set up like your instructions say but I get this when I try to save. Not sure where I need to go from here. Thanks

As it states, the DNS Resolver is turned on. Go to Services -> DNS Resolver and uncheck the enable box, save and then repeat the steps to set up the forwarder.
pfSense_fan 181 Posted ...

> This is a very good thread and I think a lot of posters here are very good at pfSense. I have one question. What kind of data does the pfSense company collect from pfSense boxes? https://forum.pfsense.org/index.php?topic=108589.0
>
> Many thanks in advance!

That would be hard to say for sure, but pfSense does not send out crash reports without you submitting it. When you get a crash report it asks you what you would like to do next.
pfSense_fan 181 Posted ...

To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN... I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE!

In updating this guide to use the DNS Resolver instead of the DNS Forwarder, a number of changes were required. The order of the steps even had to be changed. I have worked out the new order of things, and am in the process of touching up details and the BBCODE I use. As I do that I have an itch to slightly evolve the guide to be a bit more in depth and probably a bit more complicated. With that said, it would also be more secure. I am thinking about adding in a step to create a group of aliases that would in turn assist in creating more in depth firewall rules. These settings have extensive testing by myself and others for over a year now, if not two.

So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step? Please let me know! Discuss!
zhang888 1066 Posted ...

I guess a common question was configuring 2 clients where one is connected on top of the other. However, this cannot be easily achieved on consumer devices (DD-WRT/AsusWRT); in pfSense it's fairly easy.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
SumRndmDude 22 Posted ...

> To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN... I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE!
>
> In updating this guide to use the DNS Resolver instead of the DNS Forwarder, a number of changes were required. The order of the steps even had to be changed. I have worked out the new order of things, and am in the process of touching up details and the BBCODE I use. As I do that I have an itch to slightly evolve the guide to be a bit more in depth and probably a bit more complicated. With that said, it would also be more secure. I am thinking about adding in a step to create a group of aliases that would in turn assist in creating more in depth firewall rules. These settings have extensive testing by myself and others for over a year now, if not two.
>
> So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step? Please let me know! Discuss!

Just for the hell of it, I was browsing this guide and it is fairly in-depth as far as I can tell with the use of multiple VLANs. Beyond the scope of my need honestly. However, I have no issues with more security and I would like to utilize the DNS resolver as I still have never been able to get internal DNS resolution working using the initial guide. I cannot ping via host names. I have a new C2758 board on the way that I plan to use as a dedicated pfSense box and replace the Core2-Duo I'm using at the moment.
pfSense_fan 181 Posted ...

> Just for the hell of it, I was browsing this guide and it is fairly in-depth as far as I can tell with the use of multiple VLANs. Beyond the scope of my need honestly. However, I have no issues with more security and I would like to utilize the DNS resolver as I still have never been able to get internal DNS resolution working using the initial guide. I cannot ping via host names. I have a new C2758 board on the way that I plan to use as a dedicated pfSense box and replace the Core2-Duo I'm using at the moment.

That guide you looked at is based off of the same alias and port sets that I am referring to. Only required outbound ports should be allowed on outbound rules, only required local ports should be allowed on local rules. The changes I am proposing would be near identical except this guide focuses on physical ports instead of VLANs.
SumRndmDude 22 Posted ...

> That guide you looked at is based off of the same alias and port sets that I am referring to. Only required outbound ports should be allowed on outbound rules, only required local ports should be allowed on local rules. The changes I am proposing would be near identical except this guide focuses on physical ports instead of VLANs.

No issues for me here. I only have a few hardwired connections. The vast majority are through a wireless AP, so I just don't feel I need all the VLANs in that setup. So I would be very interested in your updated perspective. I have learned a lot about pfSense since following your initial guide. Ultimately, I'd like to have it running your 3 NIC setup (when I get my C2758 board) connected to Air constantly, internal DNS resolution (via hostname) and Suricata for that extra security.
pfSense_fan 181 Posted ... (edited)

> > That guide you looked at is based off of the same alias and port sets that I am referring to. Only required outbound ports should be allowed on outbound rules, only required local ports should be allowed on local rules. The changes I am proposing would be near identical except this guide focuses on physical ports instead of VLANs.
>
> No issues for me here. I only have a few hardwired connections. The vast majority are through a wireless AP, so I just don't feel I need all the VLANs in that setup. So I would be very interested in your updated perspective. I have learned a lot about pfSense since following your initial guide. Ultimately, I'd like to have it running your 3 NIC setup (when I get my C2758 board) connected to Air constantly, internal DNS resolution (via hostname) and Suricata for that extra security.

Glad to hear that. It's nice to know people are still learning, just as I had a few years ago. I just finished the bbcode for the DNS resolver. Care to beta test it with my guidance? I can PM you instructions.

Edit: I PM'd you in case you do.
airvpnincongnito 1 Posted ...

Sign me up also. I would be willing to test it also!
flat4 79 Posted ...

> Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.
>
> Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all versions prior to pfSense 2.3)
>
> As always, feedback is welcome and encouraged.

Step 3, under the advanced options adding the round robin when your connection goes down and it goes to a different server, do you need just IPs? Certs and all that info is not needed?

I would like to see the more secure settings also, not only to improve my setup but knowledge.
Casper31 73 Posted ...

> To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN... I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE! ..... So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step? Please let me know! Discuss!

1. I am interested too! And have test hardware.

2. In step 3:

    ##### CLIENT OPTIONS #####;server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;explicit-exit-notify 5;

I am almost sure that you forgot the ";" after -timeout 10. Can you confirm this?

Gr, Casper
SumRndmDude 22 Posted ...

Tested the new DNS Resolver settings and 18 hours later, everything is up and running fine. Huge thanks to pfSense_fan for walking me through a few hiccups as I'm currently only using the 2 NIC setup and for helping me figure out my internal DNS issue. Cannot wait to do the full 2.3 setup.
flat4 79 Posted ...

> Tested the new DNS Resolver settings and 18 hours later, everything is up and running fine. Huge thanks to pfSense_fan for walking me through a few hiccups as I'm currently only using the 2 NIC setup and for helping me figure out my internal DNS issue. Cannot wait to do the full 2.3 setup.

So using the Resolver instead of the Forwarder resolved your internal DNS issues?
pfSense_fan 181 Posted ...

> > Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.
> >
> > Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all versions prior to pfSense 2.3)
> >
> > As always, feedback is welcome and encouraged.
>
> Step 3, under the advanced options adding the round robin when your connection goes down and it goes to a different server, do you need just IPs? Certs and all that info is not needed?
>
> I would like to see the more secure settings also, not only to improve my setup but knowledge.

Correct, just need to add the IP addresses and commented out descriptions (if desired). Your certs do not change per server, you have one certificate tied to your account that lets you connect to any Air server, the only thing that changes on the certs you download is the individual server details such as IP and port.

> > To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN... I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE! ..... So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step? Please let me know! Discuss!
>
> 1. I am interested too! And have test hardware.
>
> 2. In step 3:
>
>     ##### CLIENT OPTIONS #####;server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;explicit-exit-notify 5;
>
> I am almost sure that you forgot the ";" after -timeout 10. Can you confirm this?
>
> Gr, Casper

1. Perfect, glad to have another tester, that being said, our testing last night exposed some details I have to change to other steps. Once I have those done, I will PM you the new bits. Forewarned, it may be a number of days. There is a lot to consider.

2. Nope, did not forget... it is at the end of the line. The ";" signifies a line break, it has no other function. If you wish to see what it does when you submit these entries you can go to: https://192.168.1.1/edit.php

On the line toward the top that says "Save / Load from path:" enter: /var/etc/openvpn/client1.conf

Then click load. You should see all the entries pfSense adds through the GUI settings and all of our settings, each on its own line.

> Tested the new DNS Resolver settings and 18 hours later, everything is up and running fine. Huge thanks to pfSense_fan for walking me through a few hiccups as I'm currently only using the 2 NIC setup and for helping me figure out my internal DNS issue. Cannot wait to do the full 2.3 setup.

Glad to hear!
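
The ";" behaviour discussed in the post above, as an added example that is not part of the thread and not pfSense or AirVPN code: a small Python check that expands an Advanced options string the way the post describes and reports directives that would be lost to a missing ";". It assumes OpenVPN ignores everything after a `#` on a line and that comments are wrapped as `### text ###` as in the quoted snippet; `expand_field` and `lint_field` are hypothetical names and the 192.0.2.x addresses are constructed.

```python
# Added example: lint a pfSense OpenVPN "Advanced" options string before saving.
# Not pfSense or AirVPN code; function names are hypothetical.

# Directives that appear in this thread's client options.
KNOWN = {"remote", "server-poll-timeout", "explicit-exit-notify"}


def expand_field(field):
    """Turn the single-line field into config lines: every ';' ends a line."""
    return [part.strip() for part in field.split(";") if part.strip()]


def lint_field(field):
    """Return (line_no, problem, detail) for directives lost to a missing ';'."""
    findings = []
    for line_no, line in enumerate(expand_field(field), start=1):
        code, hash_found, rest = line.partition("#")
        tokens = code.split()
        # Two directives on one line: the second is read as extra arguments
        # of the first, not as a setting of its own.
        for token in tokens[1:]:
            if token in KNOWN:
                findings.append((line_no, "merged", token))
        if hash_found:
            # Assumption: comments look like '### text ###'. Anything after
            # the closing marker is still behind the first '#', so it is
            # treated as comment text and never takes effect.
            _text, closed, trailing = rest.lstrip("#").partition("###")
            trailing = trailing.strip("# \t")
            if closed and trailing:
                findings.append((line_no, "swallowed", trailing))
    return findings


# The snippet quoted in the thread: the ';' sits after the closing '###'.
THREAD_SNIPPET = (
    "##### CLIENT OPTIONS #####;server-poll-timeout 10 ### When polling "
    "possible remote servers to connect to in a round-robin fashion, spend "
    "no more than n seconds waiting for a response before trying the next "
    "server. ###;explicit-exit-notify 5;"
)
# Constructed samples (192.0.2.0/24 is a documentation range).
GOOD = (
    "remote 192.0.2.10 443 ### constructed server A ###;"
    "remote 192.0.2.20 443 ### constructed server B ###;"
    "server-poll-timeout 10 ### wait at most n seconds per server ###;"
    "explicit-exit-notify 5;"
)
MISSING_AFTER_VALUE = "server-poll-timeout 10 explicit-exit-notify 5;"
MISSING_AFTER_COMMENT = (
    "server-poll-timeout 10 ### wait at most n seconds ### explicit-exit-notify 5;"
)

if __name__ == "__main__":
    for name in ("THREAD_SNIPPET", "GOOD", "MISSING_AFTER_VALUE", "MISSING_AFTER_COMMENT"):
        print(name, lint_field(globals()[name]))
```

The second failure case is the quiet one: with the ";" missing after a trailing comment, the next directive ends up inside the comment and the generated client1.conf shows no error.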