pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


Actually, the reason behind the fork seems to be something else entirely:

 

https://opnsense.org/support-overview/commercial-support/

 

 

 

So far I haven't seen any changes except the GUI and build tools. And the wallet for commercial support, of course.

Ouch!! That's some pretty expensive support.

 

For that kind of money I'd expect Cisco 24-hour support.



If the commercial support allows them to build a more secure/hardened product, then more power to them. But I would never pay that, lol.


That OPNsense looks good. I'm more than happy with pfSense and its rock-solid performance, but the more the better.

Just looking at those screenshots, I do like the layout and design; it also feels a bit more newbie-friendly.

For now, though, if it ain't broke I won't fix it.


Great guide! Everything is set up and running. I do have a question about the Hardware Crypto. I am currently running a SUPERMICRO MBD-A1SRi-2758F-O. Would the correct hardware crypto be Intel RDRAND? I looked around online but can't find a clear answer.

Also, I'm noticing about a 25% drop in speed when I have the VPN on. I'm living in S. America and the nearest server is about 4,000 miles away. Could this have something to do with it?

 


openssl speed -evp aes-256-cbc

openssl speed -evp aes-256-cbc -engine cryptodev

openssl speed -evp aes-256-cbc -engine rdrand

 

Run these tests in the pfSense console and look at the values you get. The higher the value, the better the engine works on your platform.

 

Speed drops can be caused by many factors and 25% loss is generally acceptable. I suggest you open a topic in the proper section regarding speeds, since this one is related to pfSense itself.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.



I use BSD Cryptodev, no problem.

 

 



- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)

- Switch Cisco SG350-10

- AP Netgear RAX200 (Stock FW)

- NAS Synology DS1621+ (5 x 5TB WD Red)

- ISP: Fiber 1000/300 (PPPoE)

 

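The benchmark the moderator's reply describes, wrapped into a script that ranks the engines, as an added example (it is not from the posts and not part of pfSense). It assumes a FreeBSD/pfSense shell with `openssl` on the path and the engine names that `openssl speed -engine` accepts; the sample table near the top is constructed to match the layout `openssl speed` prints and is not a real measurement. Two points worth having next to the numbers: the rdrand engine only supplies random numbers, so it leaves AES on the default code path and its figure should match the plain run, and the Atom C2758 on that Supermicro board has AES-NI, so the comparison that matters is the default path against cryptodev with the aesni(4) module loaded.

```shell
#!/bin/sh
# Added example (not from the post above): rank OpenSSL engines on a pfSense
# console the way the reply suggests. Assumes a FreeBSD/pfSense shell with
# `openssl` on the path and the engine names `openssl speed -engine` accepts.

# Constructed sample of the summary table `openssl speed` prints, used only
# for the offline self-check; the figures are not real measurements.
SAMPLE_TABLE="type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     334119.39k   361224.53k   370580.51k   373032.71k   373985.28k"

# Pull the 8192-byte-block figure (kB/s, column 6) for one cipher out of
# `openssl speed` output read on stdin. Prints 0 when the cipher line is
# missing, which is what you get when an engine refuses to load.
throughput_8192() {
    awk -v c="$1" '
        $1 == c { v = $6; sub(/k$/, "", v); printf "%d\n", v; found = 1 }
        END     { if (!found) print 0 }'
}

# bench_engine <cipher> [engine]  ->  kB/s. A failing openssl (unknown engine,
# binary missing) is deliberately swallowed and shows up as 0.
bench_engine() {
    cipher="$1"; engine="${2:-}"
    if [ -n "$engine" ]; then
        openssl speed -evp "$cipher" -engine "$engine" 2>/dev/null
    else
        openssl speed -evp "$cipher" 2>/dev/null
    fi | throughput_8192 "$cipher"
}

# rank_engines <cipher> <engine>...  ->  "<engine> <kB/s>" lines, fastest
# first. The word "software" stands for a run without -engine.
rank_engines() {
    cipher="$1"; shift
    for e in "$@"; do
        if [ "$e" = software ]; then rate=$(bench_engine "$cipher")
        else rate=$(bench_engine "$cipher" "$e"); fi
        printf '%s %s\n' "$e" "$rate"
    done | sort -k2,2nr
}

# Name of the fastest entry in a "<engine> <kB/s>" list read on stdin.
pick_fastest() { sort -k2,2nr | head -n 1 | awk '{ print $1 }'; }

# FreeBSD lists CPU features in the boot log; AESNI there means the aesni(4)
# module behind pfSense's "AES-NI CPU Crypto" option has hardware to use.
cpu_has_aesni() { grep -q AESNI /var/run/dmesg.boot 2>/dev/null; }

# Offline check of the parser against the constructed table (expect 373985).
selfcheck() { printf '%s\n' "$SAMPLE_TABLE" | throughput_8192 aes-256-cbc; }

main() {
    if cpu_has_aesni; then echo "CPU advertises AES-NI"; else echo "no AESNI flag in dmesg"; fi
    # rdrand is a random-number engine only, so it leaves AES on the default
    # path and should match "software". A separate "aesni" engine exists only
    # in older OpenSSL builds; newer ones use AES-NI inside the default code,
    # so a 0 for it means "no such engine", not "slow".
    ranked=$(rank_engines aes-256-cbc software cryptodev aesni rdrand)
    printf '%s\n' "$ranked"
    printf 'fastest: %s\n' "$(printf '%s\n' "$ranked" | pick_fastest)"
}

# openssl times five block sizes per engine, so a full run takes a minute or
# more; it only starts when asked:  sh bench.sh run
if [ "${1:-}" = run ]; then main
else echo "parser self-check on constructed table: $(selfcheck) kB/s (use 'run' to benchmark)"; fi
```

`sh bench.sh run` prints one line per engine and the winner; without the argument it only runs the parser over the constructed table. A 0 for an engine means `openssl` refused to load it, which on OpenSSL builds that fold AES-NI into the default code is the normal result for `-engine aesni`; a 0 for cryptodev usually means the `cryptodev` kernel module is not loaded.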

Is anybody running this AirVPN setup on pfSense 2.2?

Since version 2.2 they moved away from the DNS Forwarder (dnsmasq) to the DNS Resolver (unbound). Also, some packages like pfBlockerNG2 require you to use unbound, so currently I am moving over to unbound. What is most confusing about unbound is that there is no setting for how to query the DNS servers: sequentially or in parallel?

Because I need to have at least two DNS servers that must be queried in strict order: the first one is AirVPN's DNS and the second one my ISP's DNS, which is only used if the first failed (strict order), like when I establish the initial connection to the European pool of AirVPN's servers.


 

You can configure both in System - General Setup - DNS Servers

I have been using 2.2 from the early betas and both options work fine.




It doesn't work like that with the DNS Resolver, I recall.

Set up the General page for pfSense to use for update checking. If you don't do this you won't see any version updates.

The DNS Resolver always goes to the internet's root servers, which is why it's technically better: no DNS poisoning possible. Matches are cached over time too, which is neat.

Select which interface it should access the DNS servers on; I ONLY use the VPN connection. My clearnet routes all lookups over my VPN line. You cannot select both clearnet and VPN, as they are accessed simultaneously and you will create a leak.

It would be possible to spin up two resolvers, one servicing VPN and one clearnet, but this would be a manual process done over SSH. I don't think it's worth the additional complexity or hassle.

I've used this with 2.2 and pfBlockerNG for 6 months plus with no issues.


@dIecbasC: could you be so kind as to post a screenshot of how you configured the DNS Resolver?

As we all use multi-WAN configurations (clearnet + at least one AirVPN connection) it is necessary to enable forwarding mode, see https://doc.pfsense.org/index.php/Unbound_DNS_Resolver.

Though it is not explained why. With this setting enabled I assume the resolver works like the forwarder, but there is no option to set whether queries are sent in parallel or sequentially?!

 

For "network devices" I have selected only "LAN". Is it advised to add localhost as well?

 

As the "Outgoing Network interfaces" I selected the normal WAN connection plus my two AirVPN WANs. How does this interfere with the DNS servers and the gateways assigned to them under System -> General Setup?

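What the leak dIecbasC warns about, and the strict-order question raised earlier in the thread, look like in unbound's own syntax, as an added example: it is neither from the posts nor pfSense's generated unbound.conf (on pfSense the corresponding fields are the DNS Resolver page's network and outgoing interface selectors, with the forward-zone coming from forwarding mode plus the General Setup DNS servers). All addresses are placeholders: 192.168.1.1 for the LAN side, 203.0.113.2 for the WAN address, 10.0.0.2 for the address OpenVPN assigned on the AirVPN tunnel, 10.0.0.1 for the DNS server AirVPN pushes inside the tunnel, and 203.0.113.10 for the ISP's resolver.

```conf
# Added example, not from the thread and not pfSense's generated config.
# Placeholders: 192.168.1.1 LAN, 203.0.113.2 WAN, 10.0.0.2 AirVPN tunnel
# address, 10.0.0.1 AirVPN in-tunnel DNS, 203.0.113.10 ISP resolver.

# ---- leaky: what "Outgoing Network Interfaces = WAN + AirVPN" amounts to ----
# unbound spreads upstream queries over every outgoing interface it is given;
# the ones that leave via the WAN carry your lookups to the clearnet in plain text.
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    outgoing-interface: 203.0.113.2    # WAN: the leak
    outgoing-interface: 10.0.0.2       # tunnel
forward-zone:
    name: "."
    forward-addr: 10.0.0.1             # AirVPN DNS, reachable only inside the tunnel
    forward-addr: 203.0.113.10         # ISP DNS: not a fallback, just another candidate

# ---- tight: every upstream query leaves through the tunnel ----
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    outgoing-interface: 10.0.0.2       # tunnel only; nothing can be sent via the WAN
forward-zone:
    name: "."
    forward-addr: 10.0.0.1
    forward-first: no                  # tunnel down => SERVFAIL, never a clearnet detour
```

The ordering question has an unwelcome answer: unbound has no equivalent of dnsmasq's strict-order. It keeps a round-trip estimate per forwarder and sends each query to whichever currently looks fastest, so listing the ISP resolver second still hands it a share of lookups whenever it is reachable; the only way to keep it out is to not list it and to give unbound no clearnet outgoing interface, which is the second fragment. What the tight version does not cover is the bootstrap: the firewall must resolve the AirVPN entry hostname before the tunnel exists, so either point the OpenVPN client at an IP entry address or let the firewall's own resolver list (System > General Setup, which is separate from what unbound serves to LAN clients) carry the ISP resolver for that one lookup. To confirm nothing escapes, run `tcpdump -ni <WAN interface> udp port 53` on the firewall while a LAN host does a few lookups; the WAN side should stay silent.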

Thanks for this comprehensive and detailed guide.

2.) Click [ DNS Lookup ]
3.) Verify the results:
Hostname or IP = [ airvpn.org ] = 95.211.138.143
If 95.211.138.143 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.

I followed the guide to this point (2 NIC version) and have tested the DNS, however mine returns the following IP address:   213.152.180.16

 

I'm reviewing my settings for each step but can't see how I've gotten it wrong.

EDIT: At step 6 I was unable to enable the DNS Forwarder as the DNS Resolver was using the port.  I had to disable the DNS Resolver in order to have the DNS Forwarder enabled.  Seems like this could be a cause?


Perhaps it's me or my config, but I can't see the JPGs anymore in pfSense_fan's how-to about pfSense.

Probably I can do without, but I think 100% complete has more value and makes more sense, especially for beginners.

Gr, Lins


I've gotten poor results with this guide.  Comprehensive as it is it appears outdated and unmaintained.  Are there any smart folks out there able to update it?  I've seen some inconsistencies with the interface which I assume are related to updates in pfSense adding functionality.  The DNS Forwarder section doesn't work as described either.  Disappointing stuff.  I'm back to blind Googling.


It is a bit out of date sure but the principles behind what's discussed are still largely sound.

If the differences are large enough to prevent you getting a system like this working, my advice would be to improve your knowledge rather than Google for a step-by-step guide.

Install an older version (2.1, I recall, was what this guide was originally created around) to remove the interface differences, and try to get that working. Go through it in conjunction with the pfSense manual and you should be able to learn enough to then transition to a working 2.2 build (DNS Resolver vs Forwarder etc.).


Is it possible to get a bit more clarification regarding post #175 and accessing devices across subnets?

My setup is WAN, LAN, VPN1, VPN2.

I have a Windows Home Server with movies on it on VPN2.

I want to be able to access it from VPN1.

I tried following the post but it didn't work.

I went to Firewall > Rules > VPN1 tab and filled it in.

There was no option for destination port range though, so I must be doing something wrong there.

Am I at the right tab? Post #177 says he had to make a similar rule on the other interface.

Could someone shed a bit of light for me?

Thanks


I was able to get it working, but only if I turned off the firewall on the media server.

When I tried to leave the firewall on and change the scope rules to any IP address it didn't work.

It's not a big deal . . . I just didn't want everyone to have access.

Any suggestions?


Upgraded to pfSense 2.2.4 (latest) via the dashboard and it stopped pfSense from working. It could be just me, or something about the DNS Forwarder / DNS Resolver changing?

I would recommend anyone stick with the older 2.1, or 2.2.2, which is working for me at least, unless anyone can suggest the correct settings to get it to work with the new pfSense software.

If you did upgrade and found it not working, here is a link to the old pfSense versions:

http://files.nyi.pfsense.org/mirror/downloads/old/

I tried this one:

http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-memstick-2.2.2-RELEASE-amd64.img.gz

I unzipped it to get the image, then used win32diskimager to write it to a pen drive, reloaded my pfSense box back to 2.2.2 and restored an older saved pfSense config to get it back up and running. Anyhow, back up and running; won't be updating anytime soon!


Upgraded from 2.2.3 to 2.2.4 and no problem. I am using DNS Resolver (Unbound).

 

 


If you only have two NIC ports there are some slight differences in how to set it up that I have not had the chance to address yet.

First, in the DNS Forwarder section, you will ONLY HIGHLIGHT LOCALHOST. This allows the firewall to connect to airdns if using URL-based entry servers.

Second, your "LAN" will be set up in the manner the "AirVPN_LAN" in my guide is. There is no need for you to make a VLAN to accomplish this. You do not need to rename it, or change the IP address of the port or the DHCP settings to 192.168.123.1 etc., but all other settings will be as for the AirVPN_LAN.

If there are more steps to it I apologize; I am running out and wanted to post this quickly. I plan on making a guide for two interfaces separately soon. It would take only minimal effort for me to edit the documents I have saved. The issue is finding time. I am a few weeks away from having any of that.

I also have noticed that it now inputs the correct order for the firewall rules and will be editing that soon.

 

EDIT: Also consider that after tomorrow, this guide will not work until updated with the new settings that are coming our way. I have already started on the edits and should have them up soon after I get reconnected and verify all settings.

 

 

I highly suggest you update and clean the guide to clarify this.

Currently two-NIC EUs will get to the alternative steps 6 and 7 and realize that there is no 'AirVPN_LAN' interface. If they try to make one (based on your instructions), they cannot, because of the lack of interfaces.

At worst, they'll end up renaming their base LAN interface and then applying your AirVPN_LAN settings, which will subsequently lock them out of their network, which is now on a different subnet.


Old Setup:

pfSense 2.1.5 on:

Dell PowerEdge R860
2x Xeon E5620 @ 2.6 GHz
16GB DDR3 ECC

Old ISP:

BT Infinity Clearnet - 79.5mbps BRAS; 74.3mbps DS / 20.0mbps US
AirVPN - 69.0mbps DS / 19.50mbps US

Given how popular AirVPN has been, I decided to give them a try. I also noticed a few guides in the links below. Unfortunately they are centered around 2.1.x and are sometimes ambiguous, plus there are missing pictures (which contradict parts of the text anyway).

Several users here have stumbled on this and I believe I am now in that same boat. 

 

Guide 1 (3 NIC and 2 NIC options)


 

Guide 2 (looks like 3 NIC only, as suggests using second OPT interface for a WAN connection on separate subnet)


 

 

I had originally started with 2.2.3 and then went down to 2.2.2 and finally 2.1.5 because of the changes with DNS Forwarder <> DNS Resolver

 

With 2.1.5 I have managed to get a stable connection at about 95% of my clear net speeds.


I was going to start a new thread but thought this would be a better place to ask. I was hoping to build a new pfSense box this week, but have hit a problem due to my ISP. I get 160/12 on my cable internet, but despite denying it my ISP are throttling OpenVPN hard.

 

Without VPN: 19 MB/sec

With VPN: 5 MB/sec

With VPN + SSL (stunnel): 18MB/sec

 

Clearly seems to indicate severe throttling from the ISP. I posted in their forums about it but they literally ignored me. Every customer thread on the page got a reply from the ISP - except mine. Still waiting 2 days later so I won't hold my breath! I also noticed that without the added SSL/stunnel, I get constant bad packet ID / possible replay warnings in the logs. As soon as I connect with extra SSL I get full speed and no more replay errors. Seems to be a side effect of their DPI systems maybe??

 

Either way it's clear I have no choice but to connect using SSL to get full use out of my connection. With stunnel and/or Eddie that's no problem, but I really wanted to put everything back on pfSense and run one connection for the whole network. Is there any way to achieve this on pfSense? I hope so. Please let me know your thoughts.


I recalled someone posting to say they worked it out and I knew I had bookmarked it. I have not tried this myself but here is the post.

Edit: Just had to ask... have you tried the alternate entry and/or ports? My ISP throttles most, but a few slipped by them and it works fine without.



How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


rainmakerraw,

 

I have also, within the last week, started noticing HARD ISP throttling. I have AT&T Uverse in TX. Who is your ISP?

 

Here are my recent DL stats:

 

Without VPN: 45 MB/sec

With VPN: 5 MB/sec

With VPN + SSL (stunnel): 35MB/sec.

 

I also just purchased a bunch of new gear to setup a PFSense box and appreciate you & pfsense_fan highlighting this issue. 

 

I'm testing different UDP/TCP/port configs to see if, like pfsense_fan mentioned, I can get a port/protocol to work without having to fire up SSL every time with the pfSense box.

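One way to get the stunnel wrapper that rainmakerraw and the reply above use onto the firewall itself, as an added example that is not from the thread and not AirVPN's generated files: stunnel in client mode on the pfSense box, with the OpenVPN client pointed at it over loopback. Host name, ports, CA path and the entry server's IP are placeholders; the real values come from the SSL-mode files AirVPN's config generator produces. Assumed: an stunnel binary on the box (the pfSense stunnel package or a pkg install) and an OpenVPN client whose options you can edit.

```conf
; Added example, not from the thread or from AirVPN's config generator.
; stunnel.conf on the firewall, client side. Placeholders: the entry host,
; port 1413, the CA file path and the entry server's IP further down.
[airvpn-ssl]
client       = yes
accept       = 127.0.0.1:1413             ; OpenVPN connects here
connect      = airvpn-entry.example:443   ; to the ISP's DPI this is an ordinary TLS session
verify       = 3                          ; accept only the certificate held in CAfile
CAfile       = /usr/local/etc/stunnel/airvpn-stunnel.crt
TIMEOUTclose = 0

# Matching OpenVPN client directives ("Custom options" on pfSense, or the
# .ovpn): TCP to the local stunnel listener instead of UDP to the server.
proto tcp-client
remote 127.0.0.1 1413
# Guard for setups where the tunnel becomes the default route: keep the
# carrier TCP session to the real entry server (placeholder IP) off the tunnel.
route 203.0.113.50 255.255.255.255 net_gateway
```

Whether TLS on port 443 wrapped this way escapes the throttling is exactly the experiment both posts above ran on their clients; on the firewall it costs an extra TCP session and puts OpenVPN's TCP stream inside another TCP stream, which is the worst case for loss recovery, so if one of the plain alternate entry ports pfsense_fan mentions gets through, prefer it. With the guide's policy-routed setup the firewall's own traffic, the stunnel session included, leaves via the WAN by default, so the `route ... net_gateway` line is only a guard for setups where the tunnel is the default route.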
