pfSense_fan

How To Set Up pfSense 2.1 for AirVPN

I was going to start a new thread but thought this would be a better place to ask. I was hoping to build a new pfSense box this week, but have hit a problem due to my ISP. I get 160/12 on my cable internet, but despite denying it my ISP are throttling OpenVPN hard.

 

Without VPN: 19 MB/sec

With VPN: 5 MB/sec

With VPN + SSL (stunnel): 18MB/sec

 

Clearly seems to indicate severe throttling from the ISP. I posted in their forums about it but they literally ignored me. Every customer thread on the page got a reply from the ISP - except mine. Still waiting 2 days later so I won't hold my breath! I also noticed that without the added SSL/stunnel, I get constant bad packet ID / possible replay warnings in the logs. As soon as I connect with extra SSL I get full speed and no more replay errors. Seems to be a side effect of their DPI systems maybe??

 

Either way it's clear I have no choice but to connect using SSL to get full use out of my connection. With stunnel and/or Eddie that's no problem, but I really wanted to put everything back on pfSense and run one connection for the whole network. Is there any way to achieve this on pfSense? I hope so. Please let me know your thoughts.

rainmakerraw,

 

Just recently, within the last week, I have also been noticing HARD ISP throttling. I have ATT Uverse in TX. - Who is your ISP?

 

Here are my recent DL stats:

 

Without VPN: 45 MB/sec

With VPN: 5 MB/sec

With VPN + SSL (stunnel): 35MB/sec.

 

I also just purchased a bunch of new gear to set up a pfSense box and appreciate you & pfSense_fan highlighting this issue.

 

I'm testing different UDP/TCP/port configs to see if, like pfSense_fan mentioned, I can get a port/protocol to work without having to fire up SSL every time with the pfSense box.

 

Virgin Media (UK) are the ISP. 

 

I've just specced up a new pfSense box to play with, and though our friend pfSense_fan will shout at me (lol) I have gone AMD:

 

AMD Athlon 5350, AM1, Kabini, Quad Core, 2.05GHz with AES

Asus AM1M-A mATX motherboard

4GB ECC KINGSTON KVR16N11S8/4 1600MHz DDR3 Server Class Memory

{Intel Pro 1000 PT dual NIC - already owned}

60GB Corsair Force LS v2 Series S, 2.5" SSD, SATA III 6Gb/s, MLC NAND Flash, Read 540MB/s, Write 440MB/s, 43k/23k IOPS

Zalman T5 Black Mini Tower micro-ATX Case with USB 3.0

400W CiT Micro-ATX Quiet Fan 20+4pin ATX 12V with 80mm Temp Control Fan, PSU

 

All inclusive, for the whole lot, less than £150. That's not even half the cost of a Rangeley motherboard alone over here. Since there's only my wife and I (and me being the only 'real' user of the net), that box is probably overkill so I'm not worried. It's massively cheaper than anything else I can build but still puts out more than ample horsepower to destroy the relatively little we'll ask of it (160Mbps WAN, single AirVPN connection with stunnel, maybe squid). Something to play with at least.

 

EDIT: Apologies if too OT, but I am also considering installing ESXi on there for the pfSense instance, and adding FreeNAS or similar. ATM my main desktop (8350 + 16GB DDR3 + Radeon R9 380 4GB + Samsung Evo 850 + 2TB storage) is doubling up as a general workstation, download box, storage and network share. I figure I can run pfSense plus throw some storage in there and set it up with qBittorrent-nox (web GUI) and local network server. At 25 watts that's a much more sensible proposition than leaving a high end box running 24/7 just to serve MKVs to my laptop in bed.


rainmakerraw

 

I'm not convinced you have a smoking gun for VirginMedia openvpn throttling. I assume you have the superhub in modem mode. It is possible AirVpn is providing different service levels for SSL and non SSL traffic. I certainly get different speeds from different UK servers, it is possible that a single server gives different speeds for SSL and non SSL traffic. Having said that I do get consistent high speeds from Naos, normally 150 Mb/s from Manchester Speedtest.net.

 

I'm very impressed with the Kabini as a pfSense machine, even with realtek nics.

 

I'm also interested in virtualization. I was attempting to get Proxmox 4.0 working on the Kabini, but it failed to pass through AES-NI to the pfSense guest and there also appeared to be something wrong with the virtio NICs, so I gave up for a while. If you can get ESXi 6.0 working I would be very interested to hear.

 

A note on VirginMedia congestion: my line was congested prior to BT's FTTC product arriving in my area. But by 9 months after they had competition from FTTC the VirginMedia congestion disappeared and it never came back.



 

I have certainly wondered about the throttling (or lack thereof). It is of course possible that Air are providing different service levels on different protocols (though they of course insist they don't). However I have replicated my results across:

 

FreeBSD

Linux (Debian, Ubuntu, Fedora)

Windows 8.1

Windows 10

 

AirVPN

PIA

Proxy.sh

VPN.ac

Tunnelr

 

Any VPN connection ('normal' 443/UDP) hits a max of 5MB/sec. As soon as I connect using stunnel I get 18MB/sec plus. It certainly points to throttling when multiple providers and OSs all replicate the results. My superhub is always in modem mode (SH are crippled for OpenVPN in routing mode). I tried direct wired connections (sans router) and still got 5MB/sec unless I used SSL on top. Certainly feels like throttling.  It could also be congestion, and VM happen to give SSL traffic higher priority on the network than 'standard' traffic. But that doesn't explain why if I disconnect from the VPN entirely I can still get the full 19MB/sec. Only OpenVPN is affected. 



Intel just released these puppies:

Intel Pentium Quad-core N3700, 2.40GHz SoC

Intel Celeron Quad-core N3150, 2.08GHz SoC

Intel Celeron Dual-core N3050, 2.16GHz SoC

 

Ranging from 4w - 6w TDP + AES support.

Only downside is no ECC

 

micro atx:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813157617&cm_re=N3050-_-13-157-617-_-Product

 

mini itx:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813157618&cm_re=N3050-_-13-157-618-_-Product


Thanks for the heads up. Sorry about the delay, my phone wouldn't let me reply earlier (probably something in uBlock for Firefox). Anyway those new boards look sweet, especially at that price, but I won't hold my breath over UK availability. I'll give it a few weeks maybe, and see what turns up... 



No worries

 

I have several of the last version of those boards here, "ASRock Q1900M"; they're decent for the price.

2 are OpenBSD based router/firewalls and the other is a Debian desktop. All are running fanless - the power draw is so low it's kinda ridiculous. And the newer model has a lower TDP than the model I have.

 

I've been tempted to upgrade to these new ones, but if it ain't broke.


pfSense_fan stated about a year and a half ago that these Rangeley systems seemed to be the best at the time and also alluded to Xeon systems which I would also have an interest in.

 

Rangely:

Supermicro: 5018A-FTN4 (NOTE: Access panel on front for network appliances. 1U Rackmount only needs hard drive and memory, 2400MHz 8 Core, Intel i354 Quad GbE, Intel QuickAssist)

Supermicro: A1SRi-2758F (Mini-ITX, 2400MHz 8 Core, Intel i354 Quad GbE)

Supermicro: A1SRM-2758F (uATX Motherboard, 2400MHz 8 Core, Intel i354 Quad GbE)

Supermicro: A1SRi-2558F (Mini-ITX, 2400MHz 4 Core, Intel i354 Quad GbE)

Supermicro: A1SRM-2558F (uATX Motherboard, 2400MHz 4 Core, Intel i354 Quad GbE)

 

Has the C2758 been improved upon, or has nothing changed in the past couple of years?

My old C2358 system died and I'm interested in an Atom or Xeon system . . . preferably under $1000.

 

thanks 


Take a look at Asrock Rack boards, I personally use

http://www.asrockrack.com/general/productdetail.asp?Model=E3C226D2I

Then you can rig it up with any Xeon E3 CPU, the best price/performance is 1230v3.

 

Total (not including memory and SSD) will cost about $500.

You can achieve near-Gigabit OpenVPN speeds with it.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


That seems to be what I'm looking for.

Would any mini-ITX case and 430 watt power supply do?

Do you use VLANs or did you add a multi-port Ethernet card?

 

thanks


FWIW: I have a workstation with an ASRock C226 WS board here loaded up with ECC and love it. They're the server side of Asus and make pretty solid stuff. I run multiple 1Gb Intel NICs in mine, no VLANs, trunks etc.

 

I'm not sure how fast your internet is but xeons are kind of overkill for running a single openvpn connection. Do you have 1GB internet?

 

I only mention it because consumer grade router performance is like 1/100th of any of the systems mentioned in the last few posts lol. There's overkill and then there's O-O-O-Overkill.


Talking of overkill, I've been planning a self-build but the off-the-shelf Lenovo ThinkServer TS140 looks tempting at the price (£240 after cashback). Intel Xeon QC E3-1226V3, 4GB DDR3 ECC RAM, 1TB HDD and all that fun stuff for the price of a SuperMicro mobo alone. It has AES-NI and QuickSync so would be a handy little media server too, but that'd mean running pfSense under ESXi. Not a bad little unit though for the price, and since we're going to 300Mbps WAN it might be justifiable.


I will have 1gb internet starting in October.

But I also have 4 different OpenVPN connections running.

That's why I asked about getting an Ethernet card in lieu of using VLANs.

 

I'm pretty much sold on the ASRock system. I was just looking for some reassurance with the other components.

 

case: Corsair 250D mini-ITX case

PS: Corsair CX430M

NIC: Intel Pro quad port server PCI-Express . . . or would that not work?

Also Crucial ECC 16GB RAM and Crucial 120GB SSD.

 

Does that seem OK?



That Lenovo looks interesting. With a 1Tb drive in a router you could short stroke the hell out of it lol.

 

 


I have no clue about the compatibility of the Intel NIC, guessing it's a 4x card? The memory compatibility list is on the page zhang linked. The PSU should be fine.


Thanks for the advice.

I've decided to go the Xeon route.

I'll keep my fingers crossed that the build goes well.


The guide is still valid in some parts and a good starting point but if you are a newbie you will get confused.

Also I would say the scenario with multiple (more than two) NICs is not what the average user is looking for. A more useful way is to use policy based routing: http://www.retropixels.org/blog/use-pfsense-to-selectively-route-through-a-vpn

A major problem is also the change from dnsmasq (DNS forwarder) to unbound (DNS resolver) a while ago. Is anybody running pfSense with unbound?


I use unbound and no forward function. I have a NIC dedicated to the VPN; that interface is excluded from unbound responses.

Basically it is the same setup as in the guide, using Resolver instead of Forwarder, deselecting forwarding mode and deselecting the interface assigned to the VPN.

 

 



- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)

- Switch Cisco SG350-10

- AP Netgear RAX200 (Stock FW)

- NAS Synology DS1621+ (5 x 5TB WD Red)

- ISP: Fiber 1000/300 (PPPoE)

 


Interesting. According to pfSense it is mandatory for multi-WAN configurations to have forwarding mode enabled: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

Since we all have the clearnet connection and at least one OpenVPN connection I assume we have a multi-WAN setup?!

And also if you use AirVPN's DNS server (which makes sense!) you must have forwarding mode enabled.

 

Could you be so kind as to post a screenshot of your general settings and advanced settings tabs of the DNS Resolver?


Here are the screenshots; enabled interfaces are LAN, OPT and localhost. The interface under AirVPN is VPN and it is excluded:

 


 

 


 


I'm stuck on "Setting the DNS Forwarder Options"

 

I followed the settings exactly but am getting the error below

 

The DNS Resolver is enabled using this port. Choose a non-conflicting port, or disable DNS Resolver
 



Did you try DNS Resolver? I use it and I also posted my working setup.

 

 


 


@Wolf666: Thanks for posting. Why did you disable hide version and hide identity? Also I wonder what to set for the option "Do not use the DNS Forwarder or Resolver as a DNS server for the firewall" under System: General setup.

 

@chuck: Seems you are still running DNS forwarder. Disable it first, then set up DNS resolver.


This was an awesome setup guide. I really appreciate your work. That is a lot of work to put this together. I grabbed an old AMD machine I had and installed three more NICs in it.

 

My pfSense version was a newer version (2.2.4-Release) so everything was not exactly the same. I am a newbie so it was a little frustrating to read and try, but eventually I was able to connect to and use the OpenVPN setup with Airvpn.org on my account.

 

My system was a little different because my LAN is 10.1.10.1 and not 192.168.1.1, so all I had to do was change the example to my addressing scheme and it seemed to work.

The final test, when you download and use the DNS Benchmark Test, showed a different IP other than 10.4.0.1. My address was 192.168.2.1. I have no idea why.

 

The whole time I had IPv6 running also. This may have something to do with it. I don't know.

 

I am going to read some more and try to understand exactly what was accomplished. It is a daunting task for me. I wish I had been involved with this a number of years ago so that I could have been a little more invisible (traffic) through these last 20 years.

 

Thank you so much for your help and service.

 

Pat



You may still see some old DNS servers which one of your clients had manually set. So what I did in my case was just a small rule to catch all outgoing udp/53

and push them to the pfSense 127.0.0.1:53 resolver.

This lets all your clients have any custom, even invalid, servers set, but the query will always go through the correct interface, which they cannot bypass.

Probably you have some device that can resolve DNS on your 192.168.2.1, maybe some other router etc.

If you are not managing clients and only doing it for yourself, it might be easier to see which device has the wrong setting.

 

And, better late than never



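The redirect zhang describes, written out as a pf(4) ruleset fragment. This is an added illustration for readers of the thread, not zhang's actual rule and not a ruleset pfSense generated; the interface name igb1, the macro names and the 10.1.10.0/24 subnet (taken from Pat's LAN address 10.1.10.1) are assumptions. On pfSense the same thing is created in the web GUI under Firewall > NAT > Port Forward (interface LAN, protocol TCP/UDP, destination "invert match" LAN address, destination port 53, redirect target 127.0.0.1 port 53), which is what the rules below amount to in pf terms.

```pf
# Added example, not from the thread or from pfSense: redirect every DNS
# query leaving the LAN to the resolver listening on the firewall itself.
# Macro names and values are assumptions for readability.
lan_if  = "igb1"             # assumed LAN interface name
lan_net = "10.1.10.0/24"     # assumed LAN subnet (Pat's LAN is 10.1.10.1)

# Translation rule (pf evaluates these before the filter rules):
# any DNS query, UDP or TCP, from the LAN to a server that is NOT the
# firewall's own LAN address is rewritten to 127.0.0.1:53. "rdr pass"
# passes the translated packet without consulting the filter rules, so the
# client keeps its manually set (even invalid) server, but the query is
# always answered by the local resolver and leaves via whatever interface
# the resolver is bound to.
rdr pass on $lan_if inet proto { udp tcp } from $lan_net to ! ($lan_if) port 53 -> 127.0.0.1 port 53

# Queries already addressed to the firewall's LAN address need no
# translation; just pass them to the resolver as usual.
pass in quick on $lan_if inet proto { udp tcp } from $lan_net to ($lan_if) port 53
```

For the redirected queries to be answered, the resolver must listen on localhost, which matches the interface list Wolf666 posted (LAN, OPT and localhost). On the firewall, `pfctl -sn` lists the loaded translation rules and `pfctl -sr` the filter rules, so you can confirm the redirect is actually active. The rule only covers classic DNS on port 53: a client that resolves over a different port or an encrypted transport is not caught by it, so finding which device is answering on 192.168.2.1, as zhang suggests, is still worth doing.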

a small rule to catch all outgoing udp/53

and push them to the pfSense 127.0.0.1:53 resolver.

 

How to do that?  I'm learning all the time....

Thanks

