How To Set Up pfSense 2.1 for AirVPN

[securvark 16]

Don't just take my word for it, do you own research.

 

There's a thread on pfsense forums where the box is discussed and the guy did have a few problems with running pfsense on it. He managed though and it's been stable for him. I am confident I can get everything to work - one way or another.

 

If you require 100% plug and play compatibility with pfsense, then it may not be for you - I can't decide for you so like I said, do your own research before you take the plunge.

[Hastalapasta 0]

I had PfSense running as a router and this weekend I successfully installed AirVPN on one of my NICs

There were a few hiccups, but I solved them all by myself.

Furthermore I have Port Forwarding setup.

 

Now I just have 1 tiny caveat, I cannot connect/see my Clear-Net Pcs from myt AirVPN connected devices and vice-versa.

 

Before  (with onlly the default Firewall rules) this was a non issue.

I guess by changing the firewall rules I screwe the routing up somehow.

 

Now I could just search on the web for the solution, I would, if I had the time, alas I am SWAMPED atm.

Thus I am asking if anyone knows how-to route between the Clear-net and AirVPN lans?

 

Everything is the same as the GUIDE. (Have a Quad-Port ethernet card with WAN/LAN/Opt1 (airvpn) / Opt2 (not assigned)

 

Regards,

 

A hardworking member

[fongocall 2]

Got it working with 2 nics on my laptop i3 ... now just trying to figure out why I'm only getting 1.2 mb/s download speed, when using the eddie client I get 150mbps

[hammerman 3]

Now I just have 1 tiny caveat, I cannot connect/see my Clear-Net Pcs from myt AirVPN connected devices and vice-versa.

 

Before  (with onlly the default Firewall rules) this was a non issue.

I guess by changing the firewall rules I screwe the routing up somehow.

 

Now I could just search on the web for the solution, I would, if I had the time, alas I am SWAMPED atm.

Thus I am asking if anyone knows how-to route between the Clear-net and AirVPN lans?

 

Everything is the same as the GUIDE. (Have a Quad-Port ethernet card with WAN/LAN/Opt1 (airvpn) / Opt2 (not assigned)

 

what happened when you tried post #175?

[tempair 0]

I have the same DNS setup running here without DNS leaks. Enable forwarding mode in DNS resolver.

 

Thanks Lizard. I have checked this box and tested via IPLeak.net, which reveals 6 DNS ip addresses, all coming from AirVPN. I will see if this resolves my reset problem over the next week.

 

 

If I understand you correctly tempair, you are performing DNS resolution over the VPn connection, then yes, you can't resolve the VPN server name until the VPN connection is made. I would advise you ust use the servers IP address itself which you can obtain by selecting 'fully resolve server names' or something like that in the config generator. Hope this helps. 

 

I realize this is a solution, but it's hard coded (ie, doesn't rotate as AirVPN remaps IP addresses) and doesn't tolerate their shutting servers down for maintenance. If I can maintain a DNS lookup from the US pool of servers, I get better redundancy.

 

Hopefully Lizard's solution will hold up for me. Thanks for the responses everyone.

[SirJohnEh 6]

 

I have the same DNS setup running here without DNS leaks. Enable forwarding mode in DNS resolver.

 

Thanks Lizard. I have checked this box and tested via IPLeak.net, which reveals 6 DNS ip addresses, all coming from AirVPN. I will see if this resolves my reset problem over the next week.

 

 

>If I understand you correctly tempair, you are performing DNS resolution over the VPn connection, then yes, you can't resolve the VPN server name until the VPN connection is made. I would advise you ust use the servers IP address itself which you can obtain by selecting 'fully resolve server names' or something like that in the config generator. Hope this helps. 

 

I realize this is a solution, but it's hard coded (ie, doesn't rotate as AirVPN remaps IP addresses) and doesn't tolerate their shutting servers down for maintenance. If I can maintain a DNS lookup from the US pool of servers, I get better redundancy.

 

Hopefully Lizard's solution will hold up for me. Thanks for the responses everyone.

 

 

Air's IPs rarely, if ever, change.  I resolve my dns thru the vpn on pfsense as well and therefore use the ip addresses for the openvpn client connections instead of hostnames.  I need to do this so the vpn sessions are able to reconnect on a system restart, etc.  For redundancy, I always have at least two sessions connected on my pfsense box then create a routing group that I use to route all my LAN traffic thru.  With that, if one Air connection drops, your LAN isn't without internet access.  Air servers go down, but two at the same time?  Much less likely.  If you keep 3 sessions connected at all times in a routing group then you reduce the probability of not having an available session that much more.  I've been running this setup for months now since joining Air and haven't had any downtime.  As a matter of fact, one of the Air servers in my pool did go offline today (and it's still offline) and no one in the house even noticed as the other connection just picked up the slack.  When I got home, I just changed the IP for that client connection away from the bad Air server and I'm now back to two connections in the pool.  Usually I just leave the bad server in the pool until it comes back online, but it's been offline for most of the day so I just decided to swap it with another.  Pretty good system and it allows me to not have to go thru the WAN connection for DNS resolution.  Probably also worth noting that the lost server ended almost 6 weeks of up time for that connection.  The other one in the pool has been up for nearly 6 weeks (and counting).  So, yes, the redundancy is important (especially since I cut off all devices on the LAN from the internet if the vpn goes down), but it's not like I'm losing connections to one server or another in the pool every day or anything like that.

[flat4 79]

SOOO, i finally got my pfsense box going followed the guide not that outdated for 2.2.6 but what I did not realize that when you're done you actually have to plug in a wire to the LAN_VPN to actually be on vpn. (yes i know mind blown) 

 

I did have some issues, on the LAN (not VPN_LAN) once the vpn was established none of the computers were able to get internet, internal worked fine but no internet. In the guide it stated that you could leave or delete the "default allow all". I deleted it and once i put it back in on top of the 3 other rules BAM internet. My biggest issue is that I have too many devices that are on the LAN and I really do not want to change the ips for the static devices if i were to move the cable from LAN to LAN_VPN.

 

What i'm think is that   I can put a routing statement and have all traffic from LAN go thru LAN_VPN but  Im not sure if that works, Anyone else that has come across this bridge? 

 

I would add some pictures but I dont know how. 

 

EDIT:

 

Came home and plug into that nic and voila i was on the VPN, and then i did a dns leak and its leaking like Niagara falls. all the dns that posted on ipleak.net were google's. i do not have google dns in my dns setup so im not sure why is getting it. I do not have a static ip so its pulling from the dhcp scope. ODD

 

Edit: #2 By accident i put the 10.4.0.1 dns entry in the wins instead of the dns for the vpn_lan dhcp server. I also solved why i was getting google's DNS, I hard coded the client once i removed this i go airvpn's.

 

Edit #3 Once I corrected this I thought i was in the clear but no, i did not have DNS (meaning i could not get to any websites, only by actual ip). Did not know why , I went thru the guide and found my mistakes. Once this was corrected i got internet. For me there will only be one server that is going to be using vpn but it needs to be reached from other internal LAN. At the moment I can ping and reach the one client from LAN to Airvpn LAN but not vice versa. I believe this is because my top LAN rule is "allow all" and the VPN Lan has only the three rules which the 3rd rules blocks any else.  I am hesitant to put an "allow all" because it probably will create a leak.

 

ANYHOW for all you with latest version of pfSense this is a very relevant guide.

 

Edit #4 I added a rule on the VPN_LAN to allow any Lan_VPN to LAN not where else, this seem to correct the issue i had of the client on the VPN_LAN not being able to connect/ping a client on the LAN (clear net). Now to test port forwarding and DDNS (from air)

[cford1905 0]

I've used this guide and have had my VPN up and running on pfsene for the past year.  Now that Netflix seems to be blocking AirVPN IPs I was wondering what is the best way to have pfsense route specific ip addresses outside of the VPN tunnel (Neflix, Amazon video, etc) and use my regular US clearent IP address.  Any help would be much appreciated.

[Ernst89 11]

cford1905

 

Add a new firewall rule in:

 

Firewall/Rules/Lan

 

The rule should be similar to the rule you use for other clearnet connectiuons.

 

But higher in the list than other lan rules that might apply.

 

Set the Destination field to Netflix's  / Single host or IP

Set the Gateway to your clearnet interface.

 

And bob is you uncle.

[cford1905 0]

 

 

Didn't work.   I'm created the rule on the LAN section.  With the following.

 

Action = [ PASS ▼]

Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼] (LAN_VPN, WAN, WAN_VPN and OpenVPN are the other options)
TCP/IP Version = [iPv4 ▼]
Protocol = [TCP/UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [✔]
                     Type: [ Host or alias ▼]
                     Address: [iP ADDRES THAT I WANT TO EXIT VIA CLEAR NET]

[ADVANCED FEATURES]  >  GATEWAY = [ WAN_DHCP ▼]
 

As my clearnet and VPN are set up on different NIC ports could this be what is causing a problem?

[pfSense_fan 181]

Unfortunately it's not at all this simple.

 

When you visit netflix, it makes requests to other netflix owned domains such as nflximg.com, nflximg.net, nflxext.com and so on. These domains themselves further resolve to further yet more netflix owned domains AND some other non netflix owned domains.

 

The trick is, you need all of the requests to route outside the VPN. I have been playing with this in my free time and have gotten it to work for periods, so I am yet missing something.

 

First things first you need to route all Netflix owned IP space. The best way to do this is with pfBlockerNG. You can simply enter in Netflix owned AS ip blocks. Those blocks right now are:

( reference )

- AS2906

- AS40027

- AS55095

- AS394406

 

Then you have to get everything else that further resolves, so you have to make an alias for all of the domains that get requested. Some non netflix ones that come up are NS1, NS2, NS3 and NS4.P19.DYNECT.NET

 

Even if you manage to get all requests to run outside of the VPN, you still have to get the DNS requests for them to run outside, as the CDN's and name servers netflix use try to connect you to the closest CDN by your geoip. So if you have a dns request coming from New York and an ip from California it still does not like it. So now you need a second DNS server and the ability to overide the domains in the dns forwarder or resolver. It works better in the forwarder from what I have read, which is unfortunate as I use the DNS Blacklist with resolver and pfBlockerNG.

 

So yeah it's not so simple, but it should be possible. I have a bunch of virtual machines running pfSense as dedicated DNS servers trying to work out the best config. Maybe as a community with enough minds we can figure this out.

[flat4 79]

Unfortunately it's not at all this simple.

 

When you visit netflix, it makes requests to other netflix owned domains such as nflximg.com, nflximg.net, nflxext.com and so on. These domains themselves further resolve to further yet more netflix owned domains AND some other non netflix owned domains.

 

The trick is, you need all of the requests to route outside the VPN. I have been playing with this in my free time and have gotten it to work for periods, so I am yet missing something.

 

First things first you need to route all Netflix owned IP space. The best way to do this is with pfBlockerNG. You can simply enter in Netflix owned AS ip blocks. Those blocks right now are:

( reference )

- AS2906

- AS40027

- AS55095

- AS394406

 

Then you have to get everything else that further resolves, so you have to make an alias for all of the domains that get requested. Some non netflix ones that come up are NS1, NS2, NS3 and NS4.P19.DYNECT.NET

 

Even if you manage to get all requests to run outside of the VPN, you still have to get the DNS requests for them to run outside, as the CDN's and name servers netflix use try to connect you to the closest CDN by your geoip. So if you have a dns request coming from New York and an ip from California it still does not like it. So now you need a second DNS server and the ability to overide the domains in the dns forwarder or resolver. It works better in the forwarder from what I have read, which is unfortunate as I use the DNS Blacklist with resolver and pfBlockerNG.

 

So yeah it's not so simple, but it should be possible. I have a bunch of virtual machines running pfSense as dedicated DNS servers trying to work out the best config. Maybe as a community with enough minds we can figure this out.

great to have you back 

[zhang888 1065]

You should move all the Netflix related talk to Offtopic. Or here.

People that watch this thread should only see pfSense related stuff

[SumRndmDude 22]

If I have missed this somewhere else, please feel free to point me to the post instead of having to answer it again, but after following the guide, I cannot get internal names to resolve. Everything else is spot on and working great, but my clients that I've assigned names to, won't resolve by the name. I can ping each IP, but the DNS isn't working on the LAN portion. I'm loathe to tinker with the original settings unknowingly as everything else works brilliantly. So what would need to be changed or what should I look into to figure out myself what to change?

[dIecbasC 38]

If I have missed this somewhere else, please feel free to point me to the post instead of having to answer it again, but after following the guide, I cannot get internal names to resolve. Everything else is spot on and working great, but my clients that I've assigned names to, won't resolve by the name. I can ping each IP, but the DNS isn't working on the LAN portion. I'm loathe to tinker with the original settings unknowingly as everything else works brilliantly. So what would need to be changed or what should I look into to figure out myself what to change?

 

whats the DNS server addresses on your client? This is usually symptomatic of pointing your clients DNS at a public server, i.e 10.4.0.1 or 8.8.8.8

Point your local clients at your pfsense box, and use the forwarder or resolver to handle local lookups and forward public lookups on to the public servers, i.e 10.4.0.1

[ricola 0]

@pfSense_fan:  Thank you so much for this absolutely incredible setup guide!  I did have a couple of minor stumbling points, though, and wanted to bring them up for others.  There are some simple corrections which should be made to the guide.  One is minor, but I think the other is probably causing confusion, as it did for me.

First, on the 3 NIC guide, at step #7 (https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?do=findComment&comment=16208), there's a typo between LAN and VPN.  This is minor and I'm sure most people knew what to do:

 

 

Second, on the 2 NIC guide, at step #7 (https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?do=findComment&comment=16213), there's a typo, where the guide has a "_VPN" suffix on the rule name, plus an actual error regarding the interface to choose.  The guide states to select the LAN interface, but the steps state to select the AirVPN_LAN interface from the dropdown.  In a 2 NIC setup, there shouldn't be an AirVPN_LAN interface.

 

 

Lastly--and this one's all on me--most of the PCs on my home network have static IPs, so it took me a while to remember that I needed to change the settings for the computers to pick up the new DNS server from pfSense or to manually enter the new one into each computer's settings.

[pfSense_fan 181]

@pfSense_fan:  Thank you so much for this absolutely incredible setup guide!  I did have a couple of minor stumbling points, though, and wanted to bring them up for others.  There are some simple corrections which should be made to the guide.  One is minor, but I think the other is probably causing confusion, as it did for me.

 

First, on the 3 NIC guide, at step #7 (https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?do=findComment&comment=16208), there's a typo between LAN and VPN.  This is minor and I'm sure most people knew what to do:

 

Image 035.jpg

 

Second, on the 2 NIC guide, at step #7 (https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?do=findComment&comment=16213), there's a typo, where the guide has a "_VPN" suffix on the rule name, plus an actual error regarding the interface to choose.  The guide states to select the LAN interface, but the steps state to select the AirVPN_LAN interface from the dropdown.  In a 2 NIC setup, there shouldn't be an AirVPN_LAN interface.

 

Image 034.jpg

 

Lastly--and this one's all on me--most of the PCs on my home network have static IPs, so it took me a while to remember that I needed to change the settings for the computers to pick up the new DNS server from pfSense or to manually enter the new one into each computer's settings.

 

 

I changed both to what I intended. Thanks for the heads up.

 

As an aside, only part of it was a typo. The rule names were intended to state where the traffic was destined, not just the interface. Reasoning being that you can use selective policy based routing on the same interfaces to send traffic out another gateway if desired. I chose not to explain policy based routing for a few reasons, the main being that it opens up Pandora's box for security issues if the user is a novice. Having separate interfaces is the proper way to do it from a security standpoint as the traffic between local networks is then filtered. Traffic only separated by a switch is not, and as such is why I push the use of three or more interfaces so users can properly separate and/or filter devices through the firewall. I bring it up as I have browsed the replies to this post and it seemed to be a recurring issue that folks were trying to connect the different subnets. It is by design and proper that they are blocked by default. Firewall rules need to be created to allow devices behind one interface to access services on another. I left this out as it is outside the scope of what this was intended to be, and making rules to allow such access is well documented at the pfSense forums.

 

All this being said, this guide is bordering being out dated. If I can find the free time I will update the last bits such as the resolver config and other small bits before allowing this to be archived for those who do not update to pfSense 2.3 right away.

 

I am considering making a heavily updated guide for 2.3.

[flat4 79]

Is 2.3 out?

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

[dIecbasC 38]

close to RC status. 

 

pfsense_fan: you have PM

[zhang888 1065]

2.3 release is imminent.

The number of open bugs reduced to a state where we can see a release every day from now on.

 

Check their redmine bugtracker.

 

99.9% nothing will change on the OpenVPN configuraion, both GUI and under the hood since

the 2.3 branch hit feature freeze status already. So pfSense_fan is very welcome to update the

screenshots on page 1, or make a separate clean thread with a new version

[shinobiwan 0]

First, thank you for the awesome guide. 

 

I have read it many times and the only thing I'm not sure of is what I need to do differently about DHCP and DNS in pfsense.

 

I have my primary domain controller (Windows Server 2012) handling DHCP and DNS.

 

I have my pfsense box running about a few months now with no problems that I'm aware of.  It has the onboard nic and a quad port nic.

 

The onboard is set to the WAN interface and the quad port nic is using two ports (LAN and Guest interfaces).

 

Everything in your guide makes sense to me but I'm stuck on what I should do configuring DNS for VPN.  The guide states "DNS for VPN will be set through DHCP" but I don't have DHCP enabled on the LAN interface.

 

Thanks in advance.

[pfSense_fan 181]

First, thank you for the awesome guide. 

 

I have read it many times and the only thing I'm not sure of is what I need to do differently about DHCP and DNS in pfsense.

 

I have my primary domain controller (Windows Server 2012) handling DHCP and DNS.

 

I have my pfsense box running about a few months now with no problems that I'm aware of.  It has the onboard nic and a quad port nic.

 

The onboard is set to the WAN interface and the quad port nic is using two ports (LAN and Guest interfaces).

 

Everything in your guide makes sense to me but I'm stuck on what I should do configuring DNS for VPN.  The guide states "DNS for VPN will be set through DHCP" but I don't have DHCP enabled on the LAN interface.

 

Thanks in advance.

 

I've never used windows server products so I'm not familiar with how they work, but I can give you an example of what I do on my network ( I don't use my own guide, my network is far more complicated) 

 

I use selective routing on some of my interfaces, that is, I have a computer or two on a VPN facing interface that also require limited or full clearnet access. I use static mappings for them and with that, have the alternate DNS served to them via that same static mapping. So that is one way. I assume (would hope) there is some similar way to control what your DHCP server hands out.

 

Alternatively, you could use a port forwarding rule to redirect DNS from whatever IP address/range needs it. I use this method for NTP and DNS as some devices have them hard coded (Apple with NTP and many android devices for Google DNS).

 

All that being said you also may be like me, and not able to get away with one DNS server. I use 3 currently. I have a server running multiple VM instances of pfSense as a dedicated DNS server. I use the built in forwarder to map all of the DHCP and static mappings and I point it at the other two instances that are running the Resolver so I can make use of its security features and pfBlockerNG/DNSBL.  One resolver, the main one, points at AirVPN DNS. The other uses the root servers through the clearnet. By default everything goes to the VPN DNS, but Domain Overrides can be used to point them to the other.

 

Wish I had a definitive answer for you but I don't.

 

Any reason you don't use pfSense to control it all?

[zhang888 1065]

Probably many of the DNS related questions can be solved with a mini how-to on how to setup DNSCrypt

package and resolvers on pfSense.

 

Then you can just choose 127.0.0.1 as your DNS in pfSense and DNSCrypt will catch it and forward it

to the dnscrypt-node resolver of your choice.

[flat4 79]

 

First, thank you for the awesome guide. 

 

I have read it many times and the only thing I'm not sure of is what I need to do differently about DHCP and DNS in pfsense.

 

I have my primary domain controller (Windows Server 2012) handling DHCP and DNS.

 

I have my pfsense box running about a few months now with no problems that I'm aware of.  It has the onboard nic and a quad port nic.

 

The onboard is set to the WAN interface and the quad port nic is using two ports (LAN and Guest interfaces).

 

Everything in your guide makes sense to me but I'm stuck on what I should do configuring DNS for VPN.  The guide states "DNS for VPN will be set through DHCP" but I don't have DHCP enabled on the LAN interface.

 

Thanks in advance.

I've never used windows server products so I'm not familiar with how they work, but I can give you an example of what I do on my network ( I don't use my own guide, my network is far more complicated) 

 

I use selective routing on some of my interfaces, that is, I have a computer or two on a VPN facing interface that also require limited or full clearnet access. I use static mappings for them and with that, have the alternate DNS served to them via that same static mapping. So that is one way. I assume (would hope) there is some similar way to control what your DHCP server hands out.

 

Alternatively, you could use a port forwarding rule to redirect DNS from whatever IP address/range needs it. I use this method for NTP and DNS as some devices have them hard coded (Apple with NTP and many android devices for Google DNS).

 

All that being said you also may be like me, and not able to get away with one DNS server. I use 3 currently. I have a server running multiple VM instances of pfSense as a dedicated DNS server. I use the built in forwarder to map all of the DHCP and static mappings and I point it at the other two instances that are running the Resolver so I can make use of its security features and pfBlockerNG/DNSBL.  One resolver, the main one, points at AirVPN DNS. The other uses the root servers through the clearnet. By default everything goes to the VPN DNS, but Domain Overrides can be used to point them to the other.

 

Wish I had a definitive answer for you but I don't.

 

Any reason you don't use pfSense to control it all?

what do you run for your hyper visor? just curious.

[shinobiwan 0]

 

First, thank you for the awesome guide. 

 

I have read it many times and the only thing I'm not sure of is what I need to do differently about DHCP and DNS in pfsense.

 

I have my primary domain controller (Windows Server 2012) handling DHCP and DNS.

 

I have my pfsense box running about a few months now with no problems that I'm aware of.  It has the onboard nic and a quad port nic.

 

The onboard is set to the WAN interface and the quad port nic is using two ports (LAN and Guest interfaces).

 

Everything in your guide makes sense to me but I'm stuck on what I should do configuring DNS for VPN.  The guide states "DNS for VPN will be set through DHCP" but I don't have DHCP enabled on the LAN interface.

 

Thanks in advance.

 

I've never used windows server products so I'm not familiar with how they work, but I can give you an example of what I do on my network ( I don't use my own guide, my network is far more complicated) 

 

I use selective routing on some of my interfaces, that is, I have a computer or two on a VPN facing interface that also require limited or full clearnet access. I use static mappings for them and with that, have the alternate DNS served to them via that same static mapping. So that is one way. I assume (would hope) there is some similar way to control what your DHCP server hands out.

 

Alternatively, you could use a port forwarding rule to redirect DNS from whatever IP address/range needs it. I use this method for NTP and DNS as some devices have them hard coded (Apple with NTP and many android devices for Google DNS).

 

All that being said you also may be like me, and not able to get away with one DNS server. I use 3 currently. I have a server running multiple VM instances of pfSense as a dedicated DNS server. I use the built in forwarder to map all of the DHCP and static mappings and I point it at the other two instances that are running the Resolver so I can make use of its security features and pfBlockerNG/DNSBL.  One resolver, the main one, points at AirVPN DNS. The other uses the root servers through the clearnet. By default everything goes to the VPN DNS, but Domain Overrides can be used to point them to the other.

 

Wish I had a definitive answer for you but I don't.

 

Any reason you don't use pfSense to control it all?

 

To be perfectly honest I'm not proficient in Windows either.  I followed some youtube videos and set up my Domain Controller with Active Directory, DNS, and DHCP roles.  From what I could gather, Active Directory is heavily dependent on a Windows DNS server to be able to function.

 

I really appreciate the feedback and I have read through a lot on pfsense DNS services but I can't wrap my brain around it.

 

But now you've got me thinking again about what devices would go where.  My setup:

 

2 TVs (maybe on AirVPN LAN interface so I can use the built in youtube app to watch stuff that's normally blocked by region)

1 File Server with samba shares that also hosts a Plex Media Server  (centos)

1 Backup server (centos)

1 Domain Controller (Windows Server 2012 R2)

Mobile devices (probably want on AirVPN LAN)

3 windows PCs

1 linux mint box

 

So would it even be possible to have the domain controller on a different interface than domain member pcs?

 

Even if it could work would that even make sense to do?

 

I was originally thinking since all of my devices are on 1 LAN right now, I should just move them all to the AirVPN Lan interface... but I'm clueless about how the DNS role in my domain controller should be configured and how it relates to any settings in pfsense.