Wolf666 Posted ...
I am on 2.3 RC; if you need me, I am available.
pfSense_fan Posted ...
> I am on 2.3 RC; if you need me, I am available.
For sure, wouldn't hurt to have an experienced user look it over. Anyone else want to have a look at it? I would like to send a group invite, hope to get a few more.
flat4 Posted ...
So I have run into a bit of an issue. I've implemented my round-robin config (I copied, modified, saved), and this is where my issues began. VPN connected and all was fine and dandy; then I noticed that any device on clear net does not have internet access. I cannot ping anything outside of the network (I can ping devices on clear net and VPN, and between each other). Strangely, on a PC on clear net where I cannot ping or use the internet, I can do an NSLOOKUP and everything I throw at it resolves. I then killed the OpenVPN client and boom, all of the clear net devices have internet access (obviously the VPN devices have no internet). I reboot pfSense and it reconnects, and again no internet for clear net. Devices on VPN can surf all day long. Oddly enough, I have two devices that run TeamViewer on clear net and they are accessible even when there is no internet. Prior to modifying the client config everything worked. The only other thing I configured was "UNCHECK GATEWAY MONITORING". I want to get past this so I can move on to the more complex applications. Below is my advanced config. If you need any other screenshots let me know, I ain't scared to post them.

##### CLIENT OPTIONS #####;
server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
explicit-exit-notify 5;
##### TUNNEL OPTIONS #####;
### Use multiple "remote" entries with the corresponding entry IP address of your favorite servers ###;
### other than the server entered in the "Server Host or Address" entry above and pfSense ###;
### will automatically reconnect in a round-robin fashion if the server you are connected to ###;
### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
remote 23.82.53.90 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
remote 71.19.251.247 443 ###AirVPN_CA-Vancouver_Mimosa_UDP-443###;
remote 96.47.229.58 443 ###AirVPN_US-Miami_Cursa_UDP-443###;
remote 94.100.23.162 443 ###AirVPN_US-Fremont-California_Persei_UDP-443###;
remote 173.44.55.178 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###;
rcvbuf 262144;
sndbuf 262144;
mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
###tun-mtu 1500;
###mssfix 1450;
###keepalive 5 15;
##### DATA CHANNEL ENCRYPTION OPTIONS #####;
key-direction 1;
keysize 256 ### Size of key from cipher ###;
prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
### replay-window n [t] ### Default = replay-window 64 15 ###;
### mute-replay-warnings;
##### TLS MODE OPTIONS #####;
tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###;
key-method 2 ### client generates a random key ###;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
tls-timeout 2 ### Default = 2 ###;
ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
remote-cert-tls server ### Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
### reneg-sec 3600;
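As an added check (my own example, not code from the guide or from flat4's post): a small Python script that splits a pfSense "Custom options" string the way pfSense does (on semicolons), drops the ### comments, and flags a few things worth catching before the config goes into the box: too few remotes for round-robin to do anything, malformed remote lines, a missing remote-cert-tls server, and directives that later OpenVPN releases removed. The sample string is constructed to match the shape of the config above and reuses two of its remotes.

```python
"""Added example (not from the guide or any post): parse the ';'-separated
pfSense OpenVPN "Custom options" string and audit it before pasting it in."""
import ipaddress

# Directives OpenVPN 2.4 deprecated and later releases removed outright; a
# config still carrying them stops loading once pfSense ships that OpenVPN.
DEPRECATED = {
    "ns-cert-type": "deprecated in OpenVPN 2.4, removed in 2.5; remote-cert-tls covers it",
    "keysize": "deprecated in OpenVPN 2.4, removed in 2.6; the cipher sets the key size",
}


def parse_custom_options(text):
    """Split on ';' (pfSense's separator) into (directive, args) tuples; text from
    the first '###' to the end of a chunk is a comment (covers '###tun-mtu 1500')."""
    opts = []
    for chunk in text.split(";"):
        stmt = chunk.split("###", 1)[0].strip()
        if not stmt or stmt.startswith("#"):
            continue
        parts = stmt.split()
        opts.append((parts[0], parts[1:]))
    return opts


def audit(opts):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    names = {d for d, _ in opts}
    remotes = [a for d, a in opts if d == "remote"]
    if len(remotes) < 2:
        findings.append("round-robin fallback needs at least two 'remote' entries")
    for args in remotes:
        try:
            ipaddress.ip_address(args[0])                   # hostnames need DNS; IPs do not
            port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN's default port
            if not 1 <= port <= 65535:
                raise ValueError(port)
        except (ValueError, IndexError):
            findings.append("malformed remote: " + " ".join(args))
    if ("remote-cert-tls", ["server"]) not in opts:
        findings.append("missing 'remote-cert-tls server': any cert from the CA "
                        "would be accepted as the server")
    if "tls-version-min" not in names:
        findings.append("missing 'tls-version-min': OpenVPN 2.3 would still accept TLS 1.0")
    for d, _ in opts:
        if d in DEPRECATED:
            findings.append(d + ": " + DEPRECATED[d])
    return findings


# Constructed sample in the same shape as the post above (two of its remotes).
SAMPLE = (
    "##### CLIENT OPTIONS #####; server-poll-timeout 10 ### try the next "
    "server after n seconds ###; ##### TUNNEL OPTIONS #####; "
    "### Edit and uncomment the fake lines below ###; "
    "remote 23.82.53.90 443 ###AirVPN_US-Atlanta###; "
    "remote 71.19.251.247 443 ###AirVPN_CA-Vancouver###; "
    "mlock; ###tun-mtu 1500; keysize 256 ### Size of key from cipher ###; "
    "tls-version-min 1.2; ns-cert-type server; remote-cert-tls server;"
)

if __name__ == "__main__":
    for finding in audit(parse_custom_options(SAMPLE)):
        print("FINDING:", finding)
```

Run against the sample it reports only the two deprecated directives; run against a config with a single remote or no remote-cert-tls line it reports those too.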
pfSense_fan Posted ...
Those OpenVPN options have no effect on your interface options. If your servers are accessible, then I would have a look at your outbound NAT and your gateways.
flat4 Posted ...
Yes, I would have to agree; I will do that. Here is my outbound NAT, this did not change:

Interface | Source      | Source Port | Destination | Destination Port | NAT Address     | NAT Port | Static Port | Description
WAN       | 127.0.0.0/8 | *           | *           | 1024:65535       | WAN address     | *        | NO          | Localhost to WAN
WAN       | 10.0.1.0/24 | *           | *           | *                | WAN address     | *        | NO          | LAN to WAN
WAN       | 10.0.2.0/24 | *           | *           | *                | WAN address     | *        | NO          | OpenVPN server to WAN
VPN_WAN   | 10.0.4.0/24 | *           | *           | *                | VPN_WAN address | *        | NO          | VPN_LAN to VPN-WAN
flat4 Posted ...
Well, I didn't change any outbound rules, but I double-checked the configuration and boom, back online. Now to move my server and test forwarded ports.
nevr0sed Posted ...
Hi all,

I went through this tutorial approximately 10 times and never got it to work, at least that's what I think. I would love some help here. Thank you to all those who will take the time to read and answer this post.

Firstly, here is my config: I am running pfSense 2.2.6-RELEASE (i386), on an Intel Celeron CPU 1037U @ 1.80GHz.
pfSense physical interfaces:
- 1 WAN
- 1 Pub_LAN (home public network)
- 1 Priv_LAN (home PRIVATE network, which should be VPN'd)
Pub_LAN --> unmanaged (home) switch > PS4, WiFi, wife's Mac, Apache server, SQL server.
Priv_LAN --> unmanaged (home) switch > 3 PCs.
After all this tutorial, I received an IP for the AIRVPN_WAN interface (OpenVPN), 10.4.*.*. I have, as per the tutorial, an IP for the Priv_LAN which is 192.168.123.1.

Secondly, my issue: my clients on the Priv_LAN side do not receive an IP from the DHCP server. Hence, I do not get connectivity and cannot get access to the internet through the interface that is (should?) be AirVPN'd. Also, during the configuration when I was asked to DNS lookup airvpn.org, the result I got isn't the same as the one mentioned in the tutorial. Also, I have set port 53 during the configuration of the DNS Forwarder, because I wasn't able to go on with the tutorial.

Thirdly, my questions:
-> Is there a major difference for this tutorial between v2.1 and v2.2 of pfSense? If yes, what shall I look into?
-> Is this tutorial made for more than 1 client to get connected through the VPN'd interface, or for only 1 client?

I am literally going crazy. I really need help, friends... thanks... If anyone could guide me on how to fix this issue I would be more than grateful. Thank you very much all.
N.
SumRndmDude Posted ...
This may sound simplistic, but is the DHCP server enabled for each interface? I had a similar issue with no IPs, and lo and behold, I had forgotten to enable the server on my public interface. Secondly, I would venture to guess that if it is all enabled, it's a gateway or NAT issue preventing you from connecting to the DHCP server on that interface. Check both of those second. Lastly, no, there is no major difference between the versions that would need major changes to this guide.
nevr0sed Posted ...
> This may sound simplistic, but is the DHCP server enabled for each interface? I had a similar issue with no IPs, and lo and behold, I had forgotten to enable the server on my public interface. Secondly, I would venture to guess that if it is all enabled, it's a gateway or NAT issue preventing you from connecting to the DHCP server on that interface. Check both of those second. Lastly, no, there is no major difference between the versions that would need major changes to this guide.
Hey, thank you for your quick reply and for answering my questions. Yes, I have DHCP enabled on both interfaces. I have a NAT outbound rule (as mentioned in the tutorial) AirVPN_LAN --> AirVPN_WAN. What should the (other?) rule be in order to get my clients to have an IP? And what shall I do in order to change the gateway? Sorry, I am still learning, and may need some more precise guidance. Thanks again.
N.
pfSense_fan Posted ...
I need feedback from users who have done a fresh install of pfSense 2.3. What I need to know is whether the DHCPv6 server is enabled on the LAN interface by default for you. Please let me know, as I am trying to accurately update the guide to 2.3.
nevr0sed Posted ...
Hi all, what NAT rules should I have in order to get DHCP working for the AirVPN_LAN? Thank you for your time and answers.
N.
pfSense_fan Posted ...
> Hi all, what NAT rules should I have in order to get DHCP working for the AirVPN_LAN? Thank you for your time and answers.
Do yourself a favor and wait a week or two. This guide will be completely outdated in the coming days, as the release of pfSense 2.3 is very near. I am working on a new guide that is far more in depth than the current one, but it will take some time to edit my BBCode and have some users test it before releasing it. I wouldn't waste your time right now.
rainmakerraw Posted ...
[Never mind, I mistook this for the latest thread.]
clearsight Posted ...
Hi, I don't want to read all 24 pages of this guide, therefore I'm asking directly. Why can't I just change 256-bit to 128-bit encryption? What do I have to do to make it work? Is it even possible, or is only 256-bit AES-CBC allowed? Thanks
zhang888 Posted ...
> Hi, I don't want to read all 24 pages of this guide, therefore I'm asking directly. Why can't I just change 256-bit to 128-bit encryption? What do I have to do to make it work? Is it even possible, or is only 256-bit AES-CBC allowed? Thanks
Just AES-256, as per https://airvpn.org/specs/
clearsight Posted ...
> Just AES-256, as per https://airvpn.org/specs/
Oh, that is sad. But thanks for the information. I just bought an Intel Celeron N3150 mini PC and thought with its quad core I would have enough power for my 250 Mbit internet connection. But it looks like an average of 85 Mbit/s is possible with this CPU =(. It says it supports AES-NI, but nothing changes if I disable the hardware encryption in OpenVPN. That's why I asked if it is possible to choose 128-bit. Thanks for the reply and for clearing up my question so quickly.
go558a83nk Posted ...
> Oh, that is sad. But thanks for the information. I just bought an Intel Celeron N3150 mini PC and thought with its quad core I would have enough power for my 250 Mbit internet connection. But it looks like an average of 85 Mbit/s is possible with this CPU =(. It says it supports AES-NI, but nothing changes if I disable the hardware encryption in OpenVPN. That's why I asked if it is possible to choose 128-bit.
So on the system_advanced_misc.php page of your pfSense machine you are setting cryptographic hardware to AES-NI? What are your choices there? And in the OpenVPN client setup page for hardware crypto you are choosing what? Mine says BSD cryptodev engine, but I have an AMD chip. I don't know if it's different for an Intel CPU.
clearsight Posted ...
> So on the system_advanced_misc.php page of your pfSense machine you are setting cryptographic hardware to AES-NI? What are your choices there?
Yes. But I also tried it with 'NONE' chosen. The other option would be the AMD encryption, which of course would not make any sense for my Celeron at all.
> And in the OpenVPN client setup page for hardware crypto you are choosing what? Mine says BSD cryptodev engine, but I have an AMD chip. I don't know if it's different for an Intel CPU.
With the Intel CPU I would also have the choice to use 'Intel RDRAND', but I have read that this Intel method is untrustworthy: http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/ So I normally would use BSD cryptodev. But it does not matter; whether with RDRAND, with BSD cryptodev or disabled, I get the same speed results, meaning my speed is on average about 85 Mbit/s. Without VPN the system is fine and reaches 260 Mbit/s (10 Mbit/s more than my provider should provide :-) ). So I am quite disappointed with this quad-core Celeron that can't even manage half of my connection. Besides that, it is strange that it shows me the CPU never uses more than 35% of its capacity. I followed this guide to set it up, so I don't understand why the CPU is not working hard over 35% but still I don't get more speed. My old pfSense router I also set up with this guide and it works fine.
go558a83nk Posted ...
> Yes. But I also tried it with 'NONE' chosen. The other option would be the AMD encryption, which of course would not make any sense for my Celeron at all. With the Intel CPU I would also have the choice to use 'Intel RDRAND', but I have read that this Intel method is untrustworthy. So I normally would use BSD cryptodev. But it does not matter; whether with RDRAND, with BSD cryptodev or disabled, I get the same speed results, meaning my speed is on average about 85 Mbit/s. Without VPN the system is fine and reaches 260 Mbit/s (10 Mbit/s more than my provider should provide :-) ). So I am quite disappointed with this quad-core Celeron that can't even manage half of my connection. Besides that, it is strange that it shows me the CPU never uses more than 35% of its capacity. I followed this guide to set it up, so I don't understand why the CPU is not working hard over 35% but still I don't get more speed. My old pfSense router I also set up with this guide and it works fine.
What version of pfSense are you using? Perhaps your speed is being limited by something else, not the pfSense machine?
dIecbasC Posted ...
Your VPN encryption runs on a single thread; you need a better CPU. If you look at 'top' you'll see one core pegged and three idling away. To see 250 Mbit/s through OpenVPN you'll be needing a C2758 or faster CPU.
clearsight Posted ...
> What version of pfSense are you using? Perhaps your speed is being limited by something else, not the pfSense machine?
2.3.2-RELEASE-p1 (amd64)
built on Tue Sep 27 12:13:07 CDT 2016
FreeBSD 10.3-RELEASE-p9
That is the latest version. It has to be limited by OpenVPN in some way. Before I set up OpenVPN I tested it as a normal router, and got 260 Mbit/s.
> Your VPN encryption runs on a single thread; you need a better CPU. If you look at 'top' you'll see one core pegged and three idling away. To see 250 Mbit/s through OpenVPN you'll be needing a C2758 or faster CPU.
As far as I know pfSense supports SMP (multithread/multicore) since version 2.2. So the question is, do I need to activate all cores somewhere? And how can I check if all cores are being used or not? What do you mean by 'top'?
zhang888 Posted ...
80 Mbit on your Celeron is considered good already, and places you in the top 10 of all Air users' speeds. OpenVPN will use only 1 core, so the OS SMP support is irrelevant for this case. For better speed you will need a better CPU and more optimal ISP peering from you to the server you connect to.
clearsight Posted ...
> 80 Mbit on your Celeron is considered good already, and places you in the top 10 of all Air users' speeds. OpenVPN will use only 1 core, so the OS SMP support is irrelevant for this case. For better speed you will need a better CPU and more optimal ISP peering from you to the server you connect to.
Ahhhh. Now I understand it better. That is the reason why the CPU usage goes to a maximum of 35% and still OpenVPN can't be faster, etc. This is still disappointing, since OpenVPN is not a tiny application on the web but is considered pretty big in the field of free encryption :-( So this means I have to go back to my Core i3 4130T =( There I can use 250 Mbit/s fully. Man.... I thought this Zotac NANO was perfect with its N3150, very small and silent and very little power consumption =( But thanks for the information. Now I understand it better.
go558a83nk Posted ...
According to some tests that try to point to a theoretical max for CPUs running OpenVPN, the N3150 should be able to do about 125 Mbit/s. If I understand correctly some people are consistently hitting that limit, which makes me wonder why yours isn't a little faster.
https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743
https://forum.pfsense.org/index.php?topic=115673.0
I have an AMD A6 7400K (http://cpuboss.com/cpu/AMD-A6-7400K) and my theoretical limit (according to the links above) is 329 Mbit/s, but my line speed is only ~115 Mbit/s. Your CPU is http://cpuboss.com/cpu/Intel-Celeron-N3150
clearsight Posted ...
> According to some tests that try to point to a theoretical max for CPUs running OpenVPN, the N3150 should be able to do about 125 Mbit/s. If I understand correctly some people are consistently hitting that limit, which makes me wonder why yours isn't a little faster.
Like I said, the average is 85 Mbit/s; sometimes it hit the 100 Mbit/s mark as well, but in the long run the average was 85 Mbit/s. But it does not matter now; I reinstalled pfSense on my 4130T Intel Zotac mini PC and applied the guide, so I have my old system back, taking advantage of the full 250 Mbit/s internet connection. If I had had only a 100 Mbit/s internet connection I would not have cared to get 'only' an 85 Mbit/s tunneled connection. But if anybody else now searches for information about the N3150, we know and can say it is only of interest for internet connections in the range of 100 Mbit/s and below.