SumRndmDude 22 Posted ...
> Tested the new DNS Resolver settings and 18 hours later, everything is up and running fine. Huge thanks to pfSense_fan for walking me through a few hiccups as I'm currently only using the 2 NIC setup and for helping me figure out my internal DNS issue. Cannot wait to do the full 2.3 setup.
> So using the Resolver instead of the Forwarder resolved your internal DNS issues?
Yes and no. Because it is now handling the DNS itself rather than forwarding it ALL to Air, together with a small rule change to allow LAN clients to talk to the main interface as DNS in addition to Air, it was fixed.
go558a83nk 362 Posted ...
Just built a box for pfSense and used your guide on the first page of this thread to get things more or less working. My setup is just cheap "desktop" parts but it's fast. I'm using just 2 NICs. I'd love some help/ideas on how to do the following:
1) Easiest setup for switching between various VPN providers. This is a problem if I intend to use VPN provider DNS.
2) I actually would rather use public DNS as long as I can verify DNS requests from VPN tunneled clients are actually going through the tunnel. Prior to this new pfSense box my router, unless I created policy rules, would send DNS requests out the WAN even for clients routed through the VPN.
3) Finally, how do I route certain LAN clients through WAN and not VPN?
BTW, got a cheap AMD A6 7400K CPU, turned on AES-NI, and selected the engine in the OpenVPN client setup. I was able to max out my line, 120 Mbit/s. Nice!
Edit: I think I've figured out a couple of the questions above. Still tinkering with the idea of using different DNS. The reason is that often AirDNS points me to a server far away, not the nearest in a given network.
go558a83nk 362 Posted ...
Another thing: how can I access my cable modem when the VPN is up? My LAN subnet is 192.168.1.0/24. For some reason I can ping my cable modem (192.168.100.1) but it's going out the VPN tunnel. Because of that I can't actually pull up the cable modem web GUI. I've tried to put in rules to allow 192.168.100.1 to be accessed through the WAN but I guess I'm doing something wrong because it didn't change anything.
Edit: Got this figured out too.
pfSense_fan 181 Posted ...
> 1) Easiest setup for switching between various VPN providers. This is a problem if I intend to use VPN provider DNS. 2) I actually would rather use public DNS as long as I can verify DNS requests from VPN tunneled clients are actually going through the tunnel. Prior to this new pfSense box my router, unless I created policy rules, would send DNS requests out the WAN even for clients routed through the VPN. 3) Finally, how do I route certain LAN clients through WAN and not VPN?
If you are using the DNS Forwarder, change the DNS entries on the General settings page to your DNS of choice and select the gateway you want to make the request on in the drop-down box to the right of it. If you are using the Resolver, enter your DNS of choice on the General settings page and select the gateway as "None" in the drop-downs. Then go to the Resolver settings and select only the VPN gateway from the "Outgoing Network Interfaces". If you are allowing clients to query other DNS servers, you need to make a policy-based firewall rule that tells all traffic destined for your DNS server of choice on port 53 to go out the VPN gateway. Do this by selecting the gateway from the advanced options. This firewall rule needs to be at the top of the list on the interface you are on.
Have my guides helped you? Help me keep helping you, use my referral: How to set up pfSense 2.3 for AirVPN. Friends don't let friends use consumer networking equipment!
pfSense_fan 181 Posted ...
REQUESTING FEEDBACK AGAIN! As I go through and reorganize the guide, there is a need to change the "basic" firewall rules that this has utilized. I intend to be a bit more in depth going forward. That being said, I have a tweak that I want to use, but want to make sure others agree it is a good idea. This tweak has to do with DNS and NTP. More and more these days, IoT devices, apps and any number of devices are coming hard-coded with DNS and NTP servers. Apple devices such as iPhones and iPads query hard-coded NTP. Android apps are coded for Google DNS. New Netflix apps are hard-coded for Google DNS as well. The list goes on. For a number of reasons, this can lead to configuration and/or security issues. Many of these devices and apps do not have an option to change these settings. I can make a firewall rule that will redirect all requests for DNS and all requests for NTP to the server of our choosing, best served by pfSense itself since it acts as a DNS caching server and NTP server. In the case of trying to get such devices and apps to use AirVPN's DNS for anti-georestriction reasons or other, this is the best fix. I use this method and have for a few years. The question is, do you see the value in it as well? Should I include this as part of the guide? I feel like yes since this is a growing trend in devices and apps, but don't want to force my views on others. Let me know, discuss.
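Two things in the posts above are worth checking with a capture rather than trusting the GUI: that client DNS really leaves through the tunnel once the Resolver's outgoing interface is pinned to the VPN (go558a83nk's question 2 and pfSense_fan's answer), and which devices are talking to hard-coded DNS/NTP servers instead of pfSense, the case the redirect rule is meant to catch. The script below is an added example, not code from the thread or from pfSense_fan's guide. It assumes captures were taken on the firewall with tcpdump -n, so every line has tcpdump's usual `IP src.port > dst.port:` header, and that each line was prefixed with the interface it came from, e.g. `tcpdump -ni igb0 -l udp port 53 or udp port 123 | sed 's/^/igb0 /'`. The interface names igb0/igb1/ovpnc1, the addresses 192.168.1.1, 203.0.113.7, 10.4.0.x, 8.8.8.8 and 198.51.100.9, and the capture lines themselves are constructed for the example.

```python
"""Audit DNS/NTP egress from tcpdump captures taken on a pfSense box.

Added example, not code from the thread or from pfSense_fan's guide.
Each input line is "<iface> <tcpdump -n line>", e.g. captured with
    tcpdump -ni igb0 -l udp port 53 or udp port 123 | sed 's/^/igb0 /'
Interface names, addresses and the sample capture are constructed.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport")

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port; only the header is needed
LINE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)
DNS, NTP = 53, 123


def parse(capture):
    """Yield a Packet for every line that carries a tcpdump IPv4 header."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield Packet(m["iface"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def audit(capture, lan_if, wan_if, vpn_if, fw_ip):
    """Three findings: DNS leaks on WAN, hard-coded clients on LAN, redirects not in effect."""
    pkts = [p for p in parse(capture) if p.dport in (DNS, NTP)]
    # 1. With the Resolver's outgoing interface pinned to the VPN, no DNS may leave via WAN.
    #    (NTP is left out here: the firewall's own NTP client legitimately uses the WAN.)
    leaks = [p for p in pkts if p.iface == wan_if and p.dport == DNS]
    # 2. A LAN client talking to anything but the firewall on 53/123 is using a hard-coded server.
    bypassers = sorted({(p.src, p.dst, p.dport)
                        for p in pkts if p.iface == lan_if and p.dst != fw_ip})
    # 3. A hard-coded destination still visible on WAN or the tunnel means no redirect caught it
    #    (tcpdump on LAN sees the packet before pf rewrites it, so bypassers never vanish there).
    outside = {(p.dst, p.dport) for p in pkts if p.iface in (wan_if, vpn_if)}
    unredirected = {(dst, port) for _, dst, port in bypassers if (dst, port) in outside}
    return {"leaks": leaks, "bypassers": bypassers, "unredirected": unredirected}


# Constructed capture: one well-behaved client, one app hard-coded to 8.8.8.8 and one
# device hard-coded to an NTP server, taken before any redirect rule exists.
CAPTURE = """\
igb1   14:02:11.101 IP 192.168.1.20.51234 > 192.168.1.1.53: 4121+ A? www.example.com. (33)
ovpnc1 14:02:11.106 IP 10.4.0.6.3210 > 10.4.0.1.53: 7777+ A? www.example.com. (33)
igb1   14:02:11.104 IP 192.168.1.37.60001 > 8.8.8.8.53: 9001+ A? api.example.net. (33)
igb0   14:02:11.105 IP 203.0.113.7.60001 > 8.8.8.8.53: 9001+ A? api.example.net. (33)
igb1   14:02:11.120 IP 192.168.1.52.123 > 198.51.100.9.123: NTPv4, Client, length 48
igb0   14:02:11.121 IP 203.0.113.7.123 > 198.51.100.9.123: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    result = audit(CAPTURE, lan_if="igb1", wan_if="igb0", vpn_if="ovpnc1", fw_ip="192.168.1.1")
    for p in result["leaks"]:
        print(f"LEAK       {p.src}:{p.sport} -> {p.dst}:{p.dport} left via {p.iface}")
    for src, dst, port in result["bypassers"]:
        print(f"HARDCODED  {src} -> {dst}:{port} bypasses the firewall's resolver/NTP")
    for dst, port in sorted(result["unredirected"]):
        print(f"NOREDIRECT {dst}:{port} still reaches the internet; add the port forward")
```

The usual pfSense way to build the redirect pfSense_fan describes is a NAT port forward on LAN (protocol TCP/UDP, destination set to invert-match the firewall itself, port 53, redirect target 127.0.0.1 port 53) plus the same for UDP 123. After adding it, re-run the audit: the hard-coded clients still show up as bypassers (the LAN capture sees the packet before NAT), but `unredirected` and `leaks` must come back empty, which is the evidence that 8.8.8.8 and the hard-coded NTP server are now being answered by pfSense itself.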
hammerman 3 Posted ...
You have my vote on this. I use a new Roku with hard-coded Google DNS. A smart DNS service on another router gets around this, but it would be good if I knew how to do the same thing with pfSense.
SumRndmDude 22 Posted ...
Absolutely. I want to be the one who decides where my traffic goes, not the device manufacturers.
Casper31 73 Posted ...
> I can make a firewall rule that will redirect all requests for DNS and all requests for NTP to the server of our choosing, best served by pfSense itself since it acts as a DNS caching server and NTP server. In the case of trying to get such devices and apps to use AirVPN's DNS for anti-georestriction reasons or other, this is the best fix. Let me know, discuss.
I like this too. To keep Google out of the loop is always a good idea. If I understand this right, you want to use the Resolver in combination with AirVPN DNS? Have a good day. Gr, Casper.
airvpnincongnito 1 Posted ...
pfSense_fan, any chance you can add to the tutorial, as an optional section, a guide to setting up an SSL tunnel on pfSense? Unfortunately ISPs are traffic shaping users using OpenVPN... For those that are getting throttled (me), the optional guide will be a godsend!
pfSense_fan 181 Posted ...
> I like this too. To keep Google out of the loop is always a good idea. If I understand this right, you want to use the Resolver in combination with AirVPN DNS?
Correct, the update migrates to the DNS Resolver, and the guide will focus on AirVPN DNS. The user can use the DNS of their choice.
> pfSense_fan, any chance you can add to the tutorial, as an optional section, a guide to setting up an SSL tunnel on pfSense? Unfortunately ISPs are traffic shaping users using OpenVPN... For those that are getting throttled (me), the optional guide will be a godsend!
No joke, I thought about this as I lay in bed last night. Problem is I have never attempted it. I would like to add this but have no timetable for such an addition. Once I'm done with the core parts of the guide I will explore this, but that's not saying much for when that might be.
dIecbasC 38 Posted ...
Stunnel is pretty far from a newbie guide like this is intended to be. Maybe a series of links to advanced topics should be included. Here's a stunnel guide for starters... https://airvpn.org/topic/12800-setting-up-pfsense-22-beta-x64-as-vpn-client-with-stunnel/
airvpnincongnito 1 Posted ...
> No joke, I thought about this as I lay in bed last night. Problem is I have never attempted it. I would like to add this but have no timetable for such an addition. Once I'm done with the core parts of the guide I will explore this, but that's not saying much for when that might be.
Cool, as long as it is on your radar, that's all I can ask for!
airvpnincongnito 1 Posted ...
> Stunnel is pretty far from a newbie guide like this is intended to be. Maybe a series of links to advanced topics should be included. Here's a stunnel guide for starters... https://airvpn.org/topic/12800-setting-up-pfsense-22-beta-x64-as-vpn-client-with-stunnel/
dIecbasC, this is the other "guide"... Problem is I don't know how to tie these steps to the current configuration so as to "wrap" OpenVPN with the SSL connection to avoid DPI and subsequent throttling... Damn ISPs with their idiotic policies... https://airvpn.org/topic/13572-request-for-a-tutorial-on-setting-up-ssl-tunnel-on-pfsense/
tempair 0 Posted ...
I was so excited to see this update, as this is the guide I've been using for my 2.2.x setup. I've had a lot of issues with uptime and latency, so I was hoping this would improve performance. But when I added the new advanced comments, I started getting this error:
    Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client1.conf:44: e (2.3.8)
I literally just did a cut and paste of what was posted in Step 3, so I'm confused about what might be incorrect? I am running 2.2.6. Here is the full dump of client1.conf...
    dev ovpnc1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xx.xx.xx.xx
    engine rdrand
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 173.44.55.178 443
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo no
    resolv-retry infinite
    route-nopull
    route-noexec
    ##### CLIENT OPTIONS #####
    server-poll-timeout 10
    ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###
    explicit-exit-notify 5
    ##### TUNNEL OPTIONS #####
    ### Use Multple "remote" entries with the according entry IP address of your favorite servers other than the server entered in the "Server Host or Address" entry above and pfSense will automatically recconnect in a round robin fashion if the server you are connected to goes down or is having quality issues. Edit and uncomment the fake lines below or add your own.
    ### remote 46.21.151.106 443 ###AirVPN_US-Fremont-CA_Heze_UDP-443###
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###
    ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###
    ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###
    ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###
    rcvbuf 262144
    sndbuf 262144
    mlock
    ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###
    fast-io
    ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###
    ###tun-mtu 1500
    ###mssfix 1450
    ###keepalive 5 15
    ##### DATA CHANNEL ENCRYPTION OPTIONS #####
    key-direction 1
    keysize 256
    ### Size of key from cipher ###
    prng SHA512 64
    ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###
    ### replay-window n [t]
    ### Default = replay-window 64 15 ###
    ### mute-replay-warnings
    ##### TLS MODE OPTIONS #####
    tls-version-min 1.2
    ### set the minimum TLS version we will accept from the peer ###
    key-method 2
    ### client generates a random key ###
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###
    tls-timeout 2
    ### Default = 2 ###
    ns-cert-type server
    ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###
    remote-cert-tls server
    ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###
    ### reneg-sec 3600
SumRndmDude 22 Posted ...
> But when I added the new advanced comments, I started getting this error: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client1.conf:44: e (2.3.8) I literally just did a cut and paste of what was posted in Step 3, so I'm confused about what might be incorrect? I am running 2.2.6.
I had a problem with doing a straight copy and paste as well. The issue was that the commented-out portions tend to overrun the 255 character per line limit. Delete any of the comments you absolutely don't need, specifically the explanation for the server round-robin as it is quite long. Once I did that, I was golden and my client would start up.
tempair 0 Posted ...
Hm... interestingly enough, when I cleared out all comments and kept only statements, everything works fine. Sneaky carriage return somewhere perhaps?
    server-poll-timeout 10; explicit-exit-notify 5; remote 94.100.23.162 443; rcvbuf 262144; sndbuf 262144; mlock; fast-io; key-direction 1; keysize 256; prng SHA512 64; tls-version-min 1.2; key-method 2; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384; tls-timeout 2; ns-cert-type server; remote-cert-tls server;
pfSense_fan 181 Posted ...
It should be fixed now. That's what feedback is for. I didn't know there was a line limit. Thanks for the heads up. The comments are fine left in otherwise; they are there and have been in my setup, except the explanation for using remote.
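The "255 character per line limit" found above is an OpenVPN parser behaviour rather than a pfSense one: OpenVPN reads each config line with fgets() into a fixed 256-byte buffer, so a longer line comes back in pieces and every piece after the first is parsed as if it were a new directive, which is how a comment ending "...the server you are connected to..." produces an "Unrecognized option ... : e" error in the middle of the file. The Python below is an added example, not code from the thread, from pfSense_fan's guide or from pfSense/OpenVPN. It emulates that split over the text of pfSense's custom-options box, reports the spurious directive OpenVPN would choke on with its line number, and re-wraps over-long comment lines so the explanations can stay in. It assumes pfSense turns ';' in that box into line breaks when it writes clientN.conf, and that OpenVPN 2.3's buffer is 256 bytes (OPTION_LINE_SIZE); the sample options, with a comment padded so that the split lands in front of "e connected", are constructed, and the first_conf_line offset is whatever number of lines pfSense generated above the custom options on a given box.

```python
"""Lint a pfSense OpenVPN "custom options" blob for the 255-character line trap.

Added example, not code from the thread or from pfSense/OpenVPN. Assumptions:
pfSense turns ';' in the custom-options box into newlines when it writes
clientN.conf, and OpenVPN 2.3 reads config lines with fgets() into a
256-byte buffer (OPTION_LINE_SIZE), so each fgets() returns at most 255
characters and the rest of a longer line is parsed as a fresh directive.
"""
import textwrap

OPTION_LINE_SIZE = 256           # assumed to match OpenVPN's options.c
MAX_LINE = OPTION_LINE_SIZE - 1  # fgets(buf, 256, fp) returns at most 255 characters


def expand_custom_options(blob):
    """Lines pfSense writes for the custom-options box: ';' and newlines both separate options."""
    return [part.strip() for part in blob.replace(";", "\n").split("\n")]


def lint(blob, first_conf_line=1, limit=MAX_LINE):
    """Return [(conf_line_no, token)] for every spurious directive OpenVPN would see.

    first_conf_line is the conf line number of the first custom option, so the
    reported number matches the one in OpenVPN's error message.
    """
    problems = []
    conf_line = first_conf_line - 1
    for physical in expand_custom_options(blob):
        pieces = [physical[i:i + limit] for i in range(0, len(physical), limit)] or [""]
        for k, piece in enumerate(pieces):
            conf_line += 1
            if k == 0:
                continue  # the first piece is the line the author meant
            words = piece.split()
            if words and words[0][0] not in "#;":
                problems.append((conf_line, words[0]))  # comment tail now parses as an option
        if physical and len(physical) % limit == 0:
            conf_line += 1  # buffer filled exactly: the next fgets() returns just the newline
    return problems


def rewrap_comments(blob, width=72):
    """Same options, with every over-long comment split across several '### ' lines."""
    out = []
    for line in expand_custom_options(blob):
        if line.startswith("#") and len(line) > MAX_LINE:
            body = line.strip("# ")
            out.extend("### " + chunk for chunk in textwrap.wrap(body, width=width - 4))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample: a comment padded so the 255-character split lands in front of
# "e connected", reproducing the "Unrecognized option ... : e" symptom from the thread.
LONG_COMMENT = "### " + "x" * 250 + " e connected to goes down or is having quality issues. ###"
SAMPLE = ";".join(["server-poll-timeout 10", LONG_COMMENT, "explicit-exit-notify 5"])

if __name__ == "__main__":
    for no, token in lint(SAMPLE, first_conf_line=42):
        print(f"line {no}: OpenVPN would read '{token}' as an option")
    print(rewrap_comments(SAMPLE))
```

Run it over the text of the Advanced/custom-options box before pasting, or over the "Custom options" section of /var/etc/openvpn/clientN.conf after saving; an empty result from lint() means the file will load, and rewrap_comments() is the alternative to deleting the explanations outright.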
tempair 0 Posted ...
> The issue was that the commented-out portions tend to overrun the 255 character per line limit. Delete any of the comments you absolutely don't need, specifically the explanation for the server round-robin as it is quite long. Once I did that, I was golden and my client would start up.
> It should be fixed now. That's what feedback is for. I didn't know there was a line limit.
Thanks guys. I'm still so new that I have to wait for moderator clearance, and so my post came in after you replied. I assumed there was some kind of string shenanigans going on. Glad it was something simple. And pfSense_fan, as soon as I'm clear of this low post count censorship, I'll try to get you more feedback. Your guide single-handedly kept me using AirVPN. Without it I would have been lost in the sea of pfSense generic documentation.
pfSense_fan 181 Posted ...
> Your guide single-handedly kept me using AirVPN. Without it I would have been lost in the sea of pfSense generic documentation.
Thank you, that's a very nice compliment. I remember feeling that way; it's what led me to make this. Everywhere I looked, every "guide" seemed like it was written for people who already knew how to do it. It's almost as if it is an inside joke with open source software: "Here's how to do XYZ, assuming you already know how to do ABCDEFG...". It was maddening. That being said, I am working on a major update to the guide. Any interest in previewing it to help me spot any errors and possibly beta test it? I can invite one more person into the private thread. Let me know.
tempair 0 Posted ...
I would be honored to help beta test, though I am a novice in this environment.
flat4 79 Posted ...
Keep it coming.
pfSense_fan 181 Posted ...
> I would be honored to help beta test, though I am a novice in this environment.
That's quite OK. I want this guide to be accessible so it's OK if you have a lot of questions. It will help me nail the update down.
zhang888 1066 Posted ...
So, just as expected: https://blog.pfsense.org/?p=1997 Prepare a good bottle of your favorite liqueur, the release is very near if nothing critical is found in the RC.
Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
pfSense_fan 181 Posted ...
> So, just as expected: https://blog.pfsense.org/?p=1997 Prepare a good bottle of your favorite liqueur, the release is very near if nothing critical is found in the RC.
All the same, the update I'm making should work for 2.3 as well. If not, I can add the steps to the thread and add links in the index as the main guide goes to 2.3. That being said, I came on here to see if there are any other takers that want to help me audit/preview the new guide before posting. Any takers? I can invite to a private thread.