pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


I used this guide to successfully set up my VPN. However, I experience DNS lookup failures every few days that force me to change the DNS Resolver Outgoing Network Interface from VPN_WAN to WAN (clearnet) in order to resolve AirVPN's domain information. Once I toggle it over, it resolves the address, and I can then switch it back. If I have both the clearnet and VPN WANs enabled, I get a DNS leak. What is the correct configuration for the DNS Resolver to get around this problem without creating a leak? Thanks!


If I understand you correctly tempair, you are performing DNS resolution over the VPN connection; then yes, you can't resolve the VPN server name until the VPN connection is made. I would advise you just use the server's IP address itself, which you can obtain by selecting 'fully resolve server names' or something like that in the config generator. Hope this helps.

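The chicken-and-egg problem in the two posts above (the resolver only sends queries out through the tunnel, so the tunnel's own endpoint hostname can never be resolved from a cold start) and the fix of pinning literal addresses, as an added example. This is not code from the original posts, from AirVPN or from pfSense: the OpenVPN client config, the hostnames and the pinned addresses are constructed placeholders, and the interface name AIRVPN_WAN is the one used in this thread.

```python
"""Why a resolver that only goes out through the tunnel cannot resolve the
tunnel's own endpoint, and the fix of pinning literal addresses in the
OpenVPN client config.

Added example, not from the original posts, AirVPN or pfSense. The client
config, the hostnames and the pinned addresses are constructed; the interface
name AIRVPN_WAN is the one used in this thread."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed OpenVPN client config with hostnames in the remote lines.
CLIENT_CONFIG = """\
client
dev tun
proto udp
remote nl.vpn.example.net 443
remote de.vpn.example.net 443
resolv-retry infinite
"""

# Constructed stand-in for what the config generator's "resolve server names"
# option produces; these are documentation addresses, not real servers.
PINNED: Dict[str, str] = {
    "nl.vpn.example.net": "198.51.100.10",
    "de.vpn.example.net": "198.51.100.20",
}

VPN_IFACE = "AIRVPN_WAN"
_REMOTE = re.compile(r"^(remote\s+)(\S+)(.*)$")


def _is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def remotes_needing_dns(config: str) -> List[str]:
    """Hostnames in 'remote' lines; each needs a lookup before the tunnel exists."""
    hosts = []
    for line in config.splitlines():
        m = _REMOTE.match(line.strip())
        if m and not _is_literal_ip(m.group(2)):
            hosts.append(m.group(2))
    return hosts


def can_bootstrap(config: str, resolver_outgoing: Iterable[str]) -> bool:
    """True if the tunnel can be established from a cold start.

    resolver_outgoing is the set of interfaces the DNS Resolver may send
    queries from. While the tunnel is down, AIRVPN_WAN carries nothing, so a
    hostname can only be resolved over some other interface, which is exactly
    the clearnet lookup the thread wants to avoid."""
    if not remotes_needing_dns(config):
        return True  # literal IPs need no DNS at all
    return any(iface != VPN_IFACE for iface in resolver_outgoing)


def pin_remotes(config: str, pinned: Dict[str, str]) -> str:
    """Rewrite hostname remotes to literal IPs so startup needs no DNS."""
    out = []
    for line in config.splitlines():
        m = _REMOTE.match(line.strip())
        if m and not _is_literal_ip(m.group(2)):
            host = m.group(2)
            if host not in pinned:
                raise KeyError(f"no pinned address for {host}")
            line = f"{m.group(1)}{pinned[host]}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

With `resolv-retry infinite` in the config, OpenVPN keeps retrying the lookup forever rather than failing, which is why the symptom shows up as a tunnel that simply never comes up until the resolver is flipped to a clearnet interface. Pinning trades the provider's DNS-based failover for a config that needs no lookup at boot; the thread's advice is to regenerate the config with the server names already resolved.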


 

Edit:  Never mind, I'm so stupid.  I didn't notice this was a pfsense thread. I was giving solutions that didn't make sense.


Hi,

 

As you can read elsewhere on the forums, I've been trying AirVPN in different ways: directly from my PC, through a router (TP-Link with OpenWrt) and through virtual machines running OpenWrt x86 or pfSense.

 

I've set up pfSense and configured OpenVPN for AirVPN. It was quite easy following the guide. It seems to work fine, but I keep running into the same issue with pfSense: with each new (or refreshed) connection it takes 5 to 10 seconds before anything happens. With OpenWrt in a VM or with a direct VPN from my PC it works fine.

 

I see this also in my own script which I use to sync some Linux repository to local storage for local clients to use offline. It finds a recent mirror by downloading a very small file (few bytes is all) from http://url.org/lastupdate from several mirrors and comparing the contents. Downloading this file takes 2 to 3 seconds before even a connection is established, and then another 5 seconds before it starts downloading. With 5 or 6 mirrors, this part takes a minute alone which normally is done in 1 second, it just flies by.

 

Once it starts downloading packages from the mirror it picked, it's fine. It downloads smaller files at 2-3 MB/s, and larger files ramp up quickly, so bandwidth-wise it's absolutely fine. I suspect it has to do with DNS lookups, but I have no experience with pfSense so I've no idea how to troubleshoot or even fix this.

 

I would really appreciate some help with this!

 

Thanks!

 

When I open a new page in my browser, it just sits there 'looking up http://URL ...' in the status bar at the bottom.


Thanks Khariz,

 

I went through that thread; it's more about getting DNS to work without VPN. I made sure my pfSense install worked fine before I continued and dabbled with setting up OpenVPN.

 

Having said that, the tests work fine from the router console. From a client, it works slowly, but it works.

 

I just disabled the rule to block DNS LEAK and now it's fast again. I'm leaking DNS though, according to ipleak.net.

 

So I think forwarding DNS to the VPN isn't working properly. I'll poke around some more, but would appreciate any help.

 

Thanks again!


Okay, I think I got it figured out. Since this pfSense version is newer there are a couple of differences.

 

First mistake was that I was running both the DNS Resolver (unbound) and the DNS forwarder (dnsmasq). I'm not familiar with BSD or the unbound package so I didn't think about it. I disabled unbound and rechecked the forwarder options.

 

Next, I looked at General Setup / DNS servers. I think there's actually a mistake or something left out of the instructions.

 

Below DNS Servers, there's room for 4 DNS server IPs, each with its own gateway. The instructions tell me to set it to the WAN gateway. Actually, you need to set this to the AIRVPN_WAN gateway because the firewall is blocking everything except to 10.4.0.1 (VPN).

 

I now have fast access with the block-all-dns rule in place.

 

Just to confirm, I'm using the opennic DNS servers configured on that page above:

87.98.175.85 - AIRVPN_WAN

185.83.217.248 - AIRVPN_WAN

 

When I check the ipleak.net page, it detects these DNS servers. At first, I thought that meant it was leaking, but I'm not sure. I suppose if my setup was forwarding to the ISP DNS servers and those would be showing on ipleak, that would mean it was leaking. So long story short, this is good, right?

 

Thanks for everything!

 

Edit: even better: in a permanent VPN setup, I figured out I can actually just use 10.4.0.1 as a DNS server with gateway AIRVPN. Now ipleak shows my DNS server as being my detected IP address. This is the desired setup, correct?


The much appreciated guide from pfsense_fan is getting a little bit dated and is becoming difficult to follow with 18 pages of updates and corrections.

I am trying to use dns resolver instead of forwarder.

Step 6 shows how to setup the dns forwarder.

Could someone carefully explain how to use dns resolver instead?

Securvark seems to have it done correctly. perhaps someone could explain what the actual settings he uses are so that people not as versed can get things up and running quickly.

Maybe redo step 6 using dns resolver?

 

thanks


I am trying to set up a second vpn client. I follow the same steps as the first, but when I get to step 5 I run into a problem trying to set the second airvpn gateway.

I am unable to use 10.4.0.1 as I did with the first airvpn interface . . . so I just leave it blank.

Is this correct to do?

 

thank you.


The big question you need to ask yourself is, why would you want to use DNS Resolver instead of DNS Forwarder?

 

Dnsmasq works absolutely fine and unless you have a specific reason to want to use unbound (DNS Resolver), I see no reason to use it over dnsmasq (forwarder).

 

Having said that, you can simply:

- disable DNS forwarder

- enable DNS Resolver

- select interface localhost

- outgoing: airvpn_wan

- enable DNSSEC

- do NOT check forwarding (it's not the same thing as with dnsmasq, read the Help)

 

Save and Apply.



 

Yeah, agreed. pfSense 2.3 introduces yet more changes which break the OpenVPN config too. I'm working on a refreshed version which will build on pfsense's guide.


 


 

Which changes would that be? I followed the guide to the letter on a fresh install of pfsense and ran into zero issues with openVPN, except the DNS resolver/forwarder because I was too dim to read the warning that resolver was already on port 53 when I enabled the forwarder. The fix is easy: disable the resolver and follow the guide for the forwarder and everything works fine.

 

Of course if you want to make a new guide it would be a welcome addition but the current guide still works.


Thanks for the info re: DNS Resolver.

I have a similar question to the one by jds_uniphase about when you select interface "localhost"

and outgoing "airvpn wan".

If I have several VPN interfaces such as airvpn wan1, airvpn wan2 etc.,

is the interface still just "localhost", and do I include all of these in the outgoing?

 

thanks


Can you be more specific about where and for what you select these interfaces?

 

I had a minor issue where local clients could no longer resolve other local addresses, but I fixed that too. Above the firewall rule on LAN to block all DNS traffic, create an allow rule for src: LAN, port 53, dest: pfsense-box. Next, remove 10.4.0.1 from the DHCP server as a DNS server for clients, and on the General Setup page change the DNS servers to use gateway VPN.

 

This works for me since I am blocking all traffic *not* going over VPN, and *all* my traffic LAN and wifi pass over VPN.


When I tried to use DNS Resolver, under Network Interfaces I chose LAN and localhost.

Under Outgoing Network Interfaces I chose airvpn1 and airvpn2.

Is this correct?

Should I also add the firewall rule as you suggest?

You mention that the destination should be pfsense-box. Is that "This Firewall"? Do I leave the port range blank as well?


Is it just as straightforward as to, say, replace pfSense with OPNsense ...or is it A) a stupid question or a can of worms you don't want (to go there), C) pfSense TWO POINT ONE got it? Otherwise how can we know what will happen....  or

 

Hmm..since BSD had to split off to OPNsense because the same people who never (and this is them talking, I'm just repeating) take their open source work..use it..and never have they ever (I'm talking about anyone in any case) sent one penny in support of the free software/open source etc. effort.

 

Just as it is Free4NAS not NASforFree because BSD had to change to Free4NAS when, again, same story, their work was appropriated and then even marketed with off the gutter hardware.

 

But on a positive note the response from BSD is "we rather the people get good work they can depend on (ours) than some hack S*i* they would get from the hackathon that would be the attempt to reproduce what takes us years of work.  And they do it because they are young, smart, and motivated by talent, youth, and the go-get-it attitude that comes with that territory.

 

 



 

Yes, on the DNS resolver page you choose LAN and localhost

Outgoing would be your VPN interface(s)

 

I did not completely follow the guide with respect to DNS, but I think it's safe and I'm not leaking DNS. Here's what I did:

 

In System / General Setup, under DNS servers I configured 2 servers from OpenNIC using WAN gateway. I still need to test if I can direct this to the VPN gateway, that should be better. Last time I tried that, it didn't work, I suspect because the block DNS rule not equal to 10.4.0.1 blocks it. Might need to change that to a 10.4.0.0/16 range, or even a 10.0.0.0/8. The firewall logging should show it so it's easy to figure out why if it doesn't work. Either way, the config I have now (with WAN gateway) works and ipleak.net does not show me leaking DNS.

 

Under Firewall / Rules, LAN tab, there are the following rules configured:

 

ID   Proto          Source    Port   Destination     Port       Gateway      Queue   Schedule   Description
     *              *         *      LAN Address     8989, 22   *            *                  Anti-Lockout Rule
     IPv4 TCP/UDP   LAN net   *      This Firewall   53 (DNS)   *            none
     IPv4 TCP/UDP   *         *      ! 10.4.0.1      53 (DNS)   AIRVPN_WAN   none
     IPv4 *         *         *      *               *          AIRVPN_WAN   none               Allow LAN Outbound
     IPv4 *         *         *      *               *          *            none               BLOCK ALL ELSE LAN

 

** Hope your browser window is wide enough, the table above should be fully aligned so it's clear what is what. If not, let me know and I'll post a screenshot.

 

Next, under Services / DHCP Server, I configured a DNS server for DHCP clients with the IP of PfSense (it's LAN address if you have multiple interfaces).

 

Force your client to a new IP address from DHCP and check it got the new DNS server and not the 10.4.0.1. Try an nslookup from the command line or terminal and see if it's resolving. Try loading ipleak.net and see if it's secure.

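The LAN rule set in the post above, together with the allow-to-firewall rule for local resolution described a few posts earlier, modelled as a first-match evaluator. This is an added example, not code from the original posts or from pfSense. The LAN subnet, the firewall's LAN address and the client address are constructed; 10.4.0.1 is the AirVPN DNS address used throughout the thread. The post's table has no action column, so pass and block for each row are assumed from the surrounding discussion ("rule to block DNS LEAK"). Only traffic entering the LAN interface is modelled, which is what pfSense evaluates LAN-tab rules against; the firewall's own outbound queries from General Setup are not subject to these rules.

```python
"""First-match model of the LAN rule set posted in this thread, used to check
which DNS paths from a LAN client are passed, blocked, or would leak.

Added example, not from the original post or from pfSense. The LAN subnet, the
firewall's LAN address and the client address are constructed; 10.4.0.1 is the
AirVPN DNS address used in the thread. Rule actions are assumed, as the posted
table does not show them."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

LAN_NET = "192.168.1.0/24"   # constructed
FW_LAN = "192.168.1.1"       # constructed: pfSense LAN address handed out by DHCP as DNS
CLIENT = "192.168.1.50"      # constructed LAN client
VPN_DNS = "10.4.0.1"         # AirVPN DNS inside the tunnel, as in the thread


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: str                        # "any" or a "/"-separated list such as "tcp/udp"
    src: str                          # "any" or CIDR
    dst: str                          # "any" or CIDR, optionally "!"-negated
    dports: Optional[FrozenSet[int]]  # None = any destination port
    gateway: str                      # "default" (routing table) or a policy-route gateway
    name: str


# The thread's LAN tab, top to bottom.
RULES: List[Rule] = [
    Rule("pass",  "any",     "any",   f"{FW_LAN}/32",   frozenset({8989, 22}), "default",    "Anti-Lockout Rule"),
    Rule("pass",  "tcp/udp", LAN_NET, f"{FW_LAN}/32",   frozenset({53}),       "default",    "LAN to local resolver"),
    Rule("block", "tcp/udp", "any",   f"!{VPN_DNS}/32", frozenset({53}),       "AIRVPN_WAN", "block DNS leak"),
    Rule("pass",  "any",     "any",   "any",            None,                  "AIRVPN_WAN", "Allow LAN Outbound"),
    Rule("block", "any",     "any",   "any",            None,                  "default",    "BLOCK ALL ELSE LAN"),
]


def _net_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _proto_match(spec: str, proto: str) -> bool:
    return spec == "any" or proto in spec.split("/")


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """pfSense GUI rules are first-match ('quick'); no match means the implicit deny."""
    for r in rules:
        if (_proto_match(r.proto, proto) and _net_match(r.src, src)
                and _net_match(r.dst, dst) and (r.dports is None or dport in r.dports)):
            return r
    return None


def verdict(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str, str]:
    """(action, gateway, rule name) for one packet entering the LAN interface."""
    r = first_match(rules, proto, src, dst, dport)
    if r is None:
        return ("block", "default", "implicit deny")
    return (r.action, r.gateway, r.name)


def dns_leaks(rules: List[Rule], client: str, resolvers: Iterable[str]) -> List[str]:
    """Resolvers the client can actually reach on port 53 that are neither the
    firewall's own resolver nor the VPN provider's DNS. Each one would show up on
    ipleak.net as a third-party resolver, which the thread treats as a leak."""
    return [ip for ip in resolvers
            if verdict(rules, "udp", client, ip, 53)[0] == "pass" and ip not in (FW_LAN, VPN_DNS)]


def without(rules: List[Rule], name: str) -> List[Rule]:
    """Rule set with one rule disabled, as when the poster turned off the leak rule."""
    return [r for r in rules if r.name != name]


def swapped(rules: List[Rule], a: str, b: str) -> List[Rule]:
    """Rule set with two rules exchanged, to show why ordering matters."""
    out = list(rules)
    names = [r.name for r in out]
    ia, ib = names.index(a), names.index(b)
    out[ia], out[ib] = out[ib], out[ia]
    return out
```

The two failure modes from the thread fall out directly: removing "block DNS leak" lets a client reach 8.8.8.8:53 (through the tunnel, but still a resolver that ipleak reports), and placing that block above the allow-to-firewall rule is what stops clients from resolving local names, since the firewall's own LAN address is also "not 10.4.0.1". The gateway on the block row is carried from the posted table; pfSense ignores it for block rules.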

I got stuck on:

 

Second LAN Firewall Rule:

"ALLOW LAN OUTBOUND"

 

Source = [_] Not (UNCHECKED)

              Type: [ LAN Subnet ▼]
              Address: [______] (BLANK)

 

 

I do not see  [ LAN Subnet ]

 

in the Interfaces list  I have: Wan/Lan/opt1/airvpn wan

 

this is a fresh copy of pfsense 2.2.6

 

Thanks for the help

 

 

 



 

Looks like you're looking at the wrong fields.

 

The Interface should be set to LAN.

 

The Source Type you need to select is LAN net.


 


Thanks! I'm new to all this, got it working on an old P4 @ 3 GHz with 2 GB RAM ... a very old computer, only getting 16 Mb upstream and I have a 150 Mbps connection. Do you recommend a motherboard? Or even better a motherboard combo?

 

thanks for the help.



 

Any recent CPU with AES-NI will outperform that P4 when it comes to AES encryption (used in SSL and VPN tunnels).

 

However, throughput is dependent on much more than your CPU.

 

Did you check whether the CPU hits a 100% load? Are there other processes that take a fair bit of processing power? You can also try other servers.

 

In a few weeks I'll purchase this nifty little box. It has a quad-core CPU with AES-NI, supports up to 8 GB RAM, has an M.2 SSD slot and can house a 2.5" SATA drive, sports dual gigabit NICs, 5 GHz wifi, Bluetooth and USB 3. I think it's the perfect machine to build a home router with that can easily do > 200 Mbit VPN, especially if you set up 2 or 3 load-balanced VPN connections. pfSense runs fine on it, but some hardware is currently not supported (wifi, most notably). I'm not sure about Bluetooth.


 


Very interesting little computer! I wonder if I can buy that in Canada! I'll have to do some research..

