pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


The ideal hardware right now is a group of Intel Atom motherboards from Supermicro. They have all the most recent encryption instructions and include a quad port Intel server NIC. The Intel code names for the chips are Rangeley and Avoton. Rangeley is intended for network devices like pfSense with its "QuickAssist" instruction on the chip, but the functions it can take advantage of are not yet supported by pfSense. There is no word of it yet, so you might figure support for QuickAssist is likely as much as two years away. Avoton on the other hand offers a 200 MHz turbo boost on its processor cores. It's up to you if you want to take advantage of QuickAssist in the future or turbo boost now.


Rangeley:

Supermicro: 5018A-FTN4 (NOTE: access panel on front for network appliances. 1U rackmount, only needs hard drive and memory; 2400 MHz 8 core, Intel i354 quad GbE, Intel QuickAssist)
Supermicro: A1SRi-2758F (Mini-ITX, 2400 MHz 8 core, Intel i354 quad GbE)
Supermicro: A1SRM-2758F (uATX motherboard, 2400 MHz 8 core, Intel i354 quad GbE)
Supermicro: A1SRi-2558F (Mini-ITX, 2400 MHz 4 core, Intel i354 quad GbE)
Supermicro: A1SRM-2558F (uATX motherboard, 2400 MHz 4 core, Intel i354 quad GbE)

Avoton:

Supermicro: 5018A-TN4 (1U rackmount, only needs hard drive and memory; C2750 2400 MHz 8 core, Intel i354 quad GbE, turbo boost 2600 MHz)
Supermicro: A1SAi-2750F (Mini-ITX, C2750 2400 MHz 8 core, Intel i354 quad GbE, turbo boost 2600 MHz)
Supermicro: A1SAM-2750F (uATX motherboard, C2750 2400 MHz 8 core, Intel i354 quad GbE, turbo boost 2600 MHz)
Supermicro: A1SAi-2550F (Mini-ITX, C2550 2400 MHz 4 core, Intel i354 quad GbE, turbo boost 2600 MHz)
Supermicro: A1SAM-2550F (uATX motherboard, C2550 2400 MHz 4 core, Intel i354 quad GbE, turbo boost 2600 MHz)


If you pick the 5018A-FTN4 or 5018A-TN4, all you will need is a hard drive and ECC DDR3 1600 memory from the qualified vendor list or from Crucial, since they guarantee their memory if they list it as compatible for a particular motherboard. It may be easier to order from Crucial than to try to find qualified vendor ECC memory, and it must be qualified. I recommend 8 gigs of memory, more if price is not an issue. Although the firewall itself does not use much memory, if you use packages they can use a substantial amount of memory. I have used up to 9 gigs myself, but I was running a lot of packages including Snort on its highest settings. As far as hard drives go, any will do honestly. I chose an enterprise drive that was on sale. It does not have to be very large; however, at the time a terabyte drive was cheap so I got that. I do not recommend an SSD however, since TRIM support is not built in yet and requires much tweaking, WELL BEYOND the scope of my tutorial. If you need further suggestions on memory or hard drive just ask.

 

It should be noted though, if you go with one of the other motherboards and piece together your own case, power supply, drive and memory, you might save up to $100, even if you buy the same case those two mentioned above come in.

 

If money and a bit more electricity use are no issue you could also step up to a Xeon based board. Hardware price will be slightly more, if not the same in the end. Twice as powerful as the above mentioned (not saying much, the above is capable of gigabit speeds) but up to twice as much electricity use as well. Let me know if you want suggestions there. I use a Xeon.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


I like the look of the fit-PC2 but the hardware of the Supermicro 5018A-FTN4. I really don't want a rackmount and would prefer a micro-ATX or mini-ATX; this is the only thing leading me away from getting the Supermicro at the moment. I haven't built my own computer, so I'm trying to decide, if I get the Supermicro A1SRi-2758F or Supermicro A1SRM-2758F, what case and power supply to get. I also like the size of the Netgate but it is more than I'm wanting to spend at the moment for the hardware that it offers. I think going with the Supermicro hardware offers more bang for the buck even though they're not as small in size as the other setups. Do you think going with a Xeon would be worth the extra money plus the power usage?


I agree, I also like the look of those fit-PCs, however the NICs built onto them are based on slightly older hardware. I am not sure if they are as full featured as the i354 on the Supermicro, specifically with Large Receive Offloading. The Supermicros are also quite low power as well, 20 watts for the 8 core and 14 for the 4 core versions if I recall correctly.

 

For the home user there is likely to be no advantage in going with a Xeon. If these were out when I bought my setup I would have gone this route myself. The only advantage a Xeon has is in single threaded performance, where they are twice as powerful. You would have to run quite a few packages and do heavy filtering to really require this, so it is doubtful you would "need" it. This is why I listed it as if price is not an object.

 

I will have a quick look at some more aesthetic cases for the mini-itx boards and will report back what might work best shortly.



It's great to see a full "start to finish" guide posted. I've been using AirVPN via pfSense for about 18 months now. It works great, and I can't imagine life without it, but it wasn't easy when I was getting started. My setup is mostly similar, although I run multiple networks with the help of VLANs and a VLAN capable Wireless Access Point.

 

Thank you! I had a lot of fun along the way to making this actually. It's worth it to know it will help others.

 

It does indeed work great and I too could not imagine life without it now!

 

For those who like switching VPN endpoints frequently, I've found it helpful to use "Interface Groups" and "Gateway Groups". These are helpful because they can be referenced in the firewall rules, so it helps simplify things. When a "Gateway Group" is configured for fail-over load balancing it allows you to switch VPN endpoints simply by disabling one client entry and enabling another.

 

This is the beauty I have found in pfSense, there is almost always more than one way to skin a cat! All I need to do to switch endpoints is disable the client, change the entry IP and re-enable it. Both methods are only two steps!

 

I've also started using "Floating Firewall Rules" to help ensure that no traffic intended for a VPN interface leaks out my regular WAN connection.

 

Just my two cents...

 

 

I at first used floating entries but during my research I learned, according to many sites including the pfSense forums, that they should be avoided as much as possible as they slow down the firewall. This is why I have gone the route of a "Block All" rule on each individual interface. With a "Block All" rule, any traffic we do not explicitly allow is not permitted to pass. The only allowed traffic is outbound that originates from the VPN interface and DNS requests to the AirDNS servers. All other traffic is blocked!

 

Further, with the addition of the two check boxes at the end of the AirVPN_WAN Gateway section, if the VPN drops all states are killed and the connection is severed/blocked.

 

But all the same in the end! Multiple ways to skin a cat!


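The "Block All" plus policy-routing scheme and the gateway-failure options described in the post above, as an added example that is not part of the original post or of pfSense's own code: a small Python model of pf's first-match evaluation of one interface's ruleset, used to show which traffic leaves via the clearnet WAN when the tunnel is down. The rule shape, the gateway names (AirVPN_WAN_GW, WAN_GW), the sample addresses and the option name "Skip rules when gateway is down" (the System > Advanced > Miscellaneous setting on pfSense of that era) are assumptions chosen to mirror the thread's naming.

```python
# Added example (not from the original post or from pfSense): a model of
# pfSense/pf policy routing on one interface, to see where traffic goes
# when the VPN gateway is down. Names and addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_GW = "WAN_GW"       # assumed name of the default route (the ISP link)
VPN_GW = "AirVPN_WAN_GW"    # assumed name of the OpenVPN client gateway


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    dst: str = "any"                # destination CIDR, or "any"
    port: Optional[int] = None      # destination port, None = any
    gateway: Optional[str] = None   # policy-route via this gateway; None = default route


@dataclass(frozen=True)
class Packet:
    dst: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Destination/port match. pfSense interface rules also filter on source,
    which is omitted here because every sample packet comes from the same LAN."""
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.port is None or rule.port == pkt.port


def route(rules: List[Rule], pkt: Packet, gateways_up: Set[str],
          skip_rules_when_gw_down: bool) -> Optional[str]:
    """Return the egress gateway for pkt, or None if it is blocked.

    pfSense interface rules are first-match ("quick"). When a rule's gateway
    fails monitoring, pfSense by default loads the rule without the gateway,
    so matching traffic follows the default route (a clearnet leak). With
    "Skip rules when gateway is down" enabled the rule is omitted instead,
    and later rules (here, the explicit block) decide.
    """
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "block":
            return None
        if rule.gateway is None:
            return DEFAULT_GW           # no policy route: clearnet even with the tunnel up
        if rule.gateway in gateways_up:
            return rule.gateway
        if skip_rules_when_gw_down:
            continue                    # rule omitted while its gateway is down
        return DEFAULT_GW               # gateway stripped from the rule: leak
    return None                         # pf default deny on pfSense interfaces


# Ruleset for the VPN-facing LAN as the post describes it: DNS to AirDNS,
# everything else out through the tunnel, then block all. The AirDNS
# address 10.4.0.1 is the one quoted later in this thread.
AIRVPN_LAN_RULES = [
    Rule("pass", dst="10.4.0.1/32", port=53, gateway=VPN_GW),
    Rule("pass", dst="any", gateway=VPN_GW),
    Rule("block"),
]

# A permissive ruleset for contrast: a plain "pass any" with no gateway set.
LEAKY_LAN_RULES = [Rule("pass", dst="any")]

# Constructed sample traffic: a DNS query to AirDNS and an HTTPS connection
# to a TEST-NET-2 address standing in for a public web server.
SAMPLE_PACKETS = [Packet("10.4.0.1", 53), Packet("198.51.100.10", 443)]


def egress_table(rules: List[Rule], tunnel_up: bool,
                 skip_rules_when_gw_down: bool) -> Dict[Tuple[str, int], Optional[str]]:
    """Map each sample packet to its egress gateway (None = blocked)."""
    up = {DEFAULT_GW} | ({VPN_GW} if tunnel_up else set())
    return {(p.dst, p.port): route(rules, p, up, skip_rules_when_gw_down)
            for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("block-all ruleset", AIRVPN_LAN_RULES),
                        ("leaky ruleset", LEAKY_LAN_RULES)):
        for tunnel_up in (True, False):
            for skip in (False, True):
                print(name, "tunnel_up=%s skip_rules=%s" % (tunnel_up, skip),
                      egress_table(rules, tunnel_up, skip))
```

The model shows the two things a practitioner should verify on a real box: with the tunnel down and the skip option off, the "Block All" ruleset still leaks, because pf is handed the pass rules minus their gateway; only with the skip option on does the trailing block rule catch everything. The state-killing option the post mentions covers the remaining gap, connections that were already established before the gateway went down.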


If cost is an issue maybe you should reconsider the hardware available from the pfSense Store. They come ready to go, RAM, and "HDD" (Compact Flash card) pre-loaded with pfSense included (nothing else to buy). The newest entry they have starts shipping on the 10th of April and includes a year of commercial support for $449+S&H.

 

Another issue to keep in mind that relates to cost is a wireless access point. Last time I checked and as far as I know, pfSense isn't a very good choice for wireless. FreeBSD has poor support for 802.11n wireless cards. You'd be far better off buying a separate access point. I use one from a company called EnGenius Tech (I don't recall the model #). If you're keen on having several networks (like the tutorial), VLAN support is an important feature to consider.

 

A side benefit of having 4+ ports directly on the firewall is you can save yourself the cost of a VLAN capable switch.

Edited ... by BPH2OS


Think I won't bother to recommend my Intel NUC with internal NIC card idea after all.

 

Would be nice if Intel released a dual NIC NUC, but I do like those Supermicro mobos with many NICs and low powered CPUs with AES support.

 

For my next pfSense build that may be the best choice going forward.


I had another question. If the software VPN client on my pc only gets 8 megs would I be able to expect a lot faster speeds with pfsense? Even if the closest airvpn server is 1000 miles away?


Total speed depends on several different factors (your internet speed, your ISP, your computer, server load, protocol, server distance etc.). One thing to note, the closest server isn't always the fastest one. I've started using the DNS endpoint names (example us.vpn.airdns.org) instead of connecting to a specific server IP. There's an option to select a country (or world) from the config generator page. The DNS names are ideal because they always resolve to the fastest server at that time; if a server is down it will be removed from the pool. I've always used AirVPN via pfSense, so I can't really comment on speeds achieved from a desktop client.

 

That doesn't really answer your question but I thought it might help.


What type of processor does your computer use? This can be a big factor, not to mention the CPU is doing double duty with encrypting everything as well as you using that computer.

 

What kind of network interface card are you using? The on-motherboard one? Most onboard NICs have little or no offload computing power or capabilities and so the CPU must again play double duty.

 

To give my experience, I have a high end computer and I maxed out at about 30 megs when using Windows and OpenVPN. With pfSense I can max out my speed provided by my ISP. I have seen speeds as high as 150 megs.

 

That being said you will likely see some improvement at the very least, it will be more reliable, you can share the connection to multiple devices and it is very secure. It is a quite powerful firewall.



I really don't want a rackmount and would prefer a micro-ATX or mini-ATX; this is the only thing leading me away from getting the Supermicro at the moment. I haven't built my own computer, so I'm trying to decide, if I get the Supermicro A1SRi-2758F or Supermicro A1SRM-2758F, what case and power supply to get.

 

Here are just a few examples of what you could get to go with the mini-ITX boards:

 

Antec: ISK110 VESA (I like this one, includes a 90 watt PSU. On YouTube)

Supermicro: CSE-101i / SuperChassis 101i (Nice and small, comes with an 80 watt PSU)

In-Win: H-Frame Mini (Very aesthetically pleasing, includes a 180 watt PSU, a bit pricier though. If my firewall were to be displayed I think I would go with this one. On YouTube, smaller than it looks, that girl is tiny haha)

Silverstone: SST-ML06B (My favorite of the Silverstones. Requires an SFX power supply)

Silverstone: SST-RVZ01B (Requires an SFX power supply)

Silverstone: SST-ML05B (Requires an SFX power supply)

 

 

There are many other options including nice ones that require a TFX power supply. Look around In-Win's website, check out Lian-Li as well. Wish I had more time today. Search YouTube for any one you find that you like. Something to consider about power supplies: they are most efficient at roughly 50% load. These computers would only peak at about 30 watts under load. A smaller power supply is better. The Antec or Supermicro may be best here.

 

There is nothing to fear in building a PC, just have patience and read all instructions before starting. I will also be happy to answer questions.

 

Edit: Here is a link to Crucial's compatible dual channel 8 gig (2x4 gig) ECC (Error Checking & Correction) memory.



It's an older computer with an AMD Athlon 64 X dual core 4400+ 2.30 GHz on Windows 7 32-bit. I installed a Realtek PCI Gigabit NIC.

 

It looks like your CPU does not support AES instructions. This is very intensive for a CPU, so yes, you are likely bottlenecked.



I'm interested in this but I'm not in a position to buy any of the special hardware which you outlined. Would I still get improved speeds using my old laptop which has 2 GB RAM and a Pentium dual core processor? It currently has 32-bit Linux Mint 16 on it. I understand that a similar bottleneck would occur to the AMD machine mentioned earlier, as this also does not seem to have AES hardware acceleration. Thanks for the great tutorial!


Hello pfSense_fan, that's a good guide, I appreciate the time it took you to write it.

 

A small note, I didn't see you mention anything about a sysctl tweak called net.inet.ip.fastforwarding = 1.

As a long time pfSense+OpenVPN user, I noticed it does increase performance greatly.

 

This topic has been discussed many times on the pfSense forums, see here for example:

 

https://forum.pfsense.org/index.php/topic,47567.0.html

 

 

 

If you have a Xeon v3 CPU this probably won't be a great performance upgrade for you, but if you run pfSense on cheaper hardware it can greatly improve the speed.

 

 

Regards,


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Thank you! It did take some amount of time! You should see the private messages back and forth with user Refresh as we ironed out both the guide I was writing and helping solve the issues he was having. I enjoy learning and helping others though so the reward is mine!

 

As user Refresh can confirm, we are using that tweak as well as a few other key tunables, and an addition to the optional advanced section is coming for sysctls and boot loader tunables (tweaks for BitTorrent, tweaks to protect against DoS, setting the mbufs, NIC driver tweaks etc.). I didn't add anything beyond what is in the AirVPN/OpenVPN config files for the basic guide though, as it is intended for beginners... no need to jump into tweaks until after a stable install. You will notice though that I reserved additional posts at the end to add sections. After finishing the advanced options, a section for how to install from USB is coming, and then a section on things to consider in hardware selection. I just have not found the time unfortunately to get it out quickly. I have documents I add to little by little when I have spare time. I didn't want to hold back the entire guide for those sections though.

 

You are right though, fastforwarding makes a huge difference, as long as you are not using IPsec (it breaks IPsec). Most won't be since we are using OpenVPN.

 

If you have any other suggestions, please share!




This depends on many factors, including the speeds you get now, what type of network interface card is on the laptop and what it is capable of, and the fact you would need a VLAN capable switch since a laptop only has one network card.

 

For many people buying new equipment will be best. Old hardware can use as much electricity in a year as the cost of new energy efficient hardware, so it can easily pay for itself.

 

That being said, an old PC would be better than an old laptop. You need good network cards (preferably PCI-e) for pfSense, and by good I mean legitimate Intel PRO/1000 or preferably the newer, more energy efficient and cooler running i210 / i350 / i354. Not all network cards work on FreeBSD but Intel supports their drivers well. PRO/1000 cards can be had cheap at this point either used or new old stock on eBay. I bought quad port PRO/1000 PT cards for $65 each. Dual ports can be had for $30. You need at the very least two ports if you don't have a VLAN capable switch.

 

Did I mention the network cards need to be Intel? They need to be Intel. You are asking for troubleshooting if not. Many Realtek cards won't even read.

 

EDIT: It also needs to be considered that after this Sunday, AirVPN will be using 4096 bit encryption, which if I understand correctly is an order of magnitude more intensive on a CPU than the already intensive 2048. It may just not be worth the effort for the slight gains you may get. But that is just my opinion.



I think this is awesome, I know how hard it is to write newbie friendly guides so appreciate this massively. I especially liked you went the extra mile to highlight the various certificate areas, many other posts online skimmed this and I think caused quite a bit of frustration.

 

One suggestion I have is I'd love to see some summary screens at the end of each section which highlight how everything should look after the config. It would have helped me clear up the mess I made when I made a couple of errors during my first run through it.

Partly as v2.1.2 creates firewall rules in the right order now, so it doesn't need doing in reverse order.

 

I've still got a problem with my config as AirVPN is not reporting I'm connected, so I'm going to go back through everything again; if I find anything which I think helps I'll loop back round.

 

thx again

Ian


So, I suspect I'm getting confused because of the differences between my simple router which is configured with two ports, one in from my wifi access point & switch (Airport Extreme) and the outward bound port which goes to my Virgin Media modem.

 

Problem is that even though my VPN connects, my public IP is still that of my ISP, and not AirVPN.

 

I suspect the problem is with my interface assignment but could be wrong; I'm fairly new to this area of computing so bear with me please.

 

My dashboard reports the following connections:

WAN (DHCP) 81.101.xxx.xxx
LAN 192.168.1.1
AIRVPN WAN 10.4.xx.xxx
AIRVPN LAN 192.168.123.1

 

DNS Servers via OpenNIC 213.138.101.252 & 185.19.105.6 (UK)

 

My interface assignments look like this:

Motherboard: Intel DQ77KB
WAN: em1 (7c:05:xx:xx:xx:a9) (this is the unmanaged Intel NIC)
LAN: em0 (7c:05:xx:xx:xx:a8) (this is the managed Intel NIC)
AirVPN_WAN: ovpnc1 (AirVPN)
AirVPN_LAN: VLAN 1 on em1 <---------- this is the bit I'm not sure is right.

 

OpenVPN reports connected ok via system log

Apr 12 09:21:24 openvpn[79070]: Initialization Sequence Completed

Apr 12 09:21:24 openvpn[79070]: /sbin/route add -net 10.4.0.1 10.4.xx.xxx 255.255.255.255

Apr 12 09:21:24 openvpn[79070]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system

Apr 12 09:21:24 openvpn[79070]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.4.xxx.xxx 0.4.xxx.xxx init

Apr 12 09:21:24 openvpn[79070]: /sbin/ifconfig ovpnc1 10.4.xx.xxx 10.4.xx.xxx mtu 1500 netmask 255.255.255.255 up

 

Any help would be very much appreciated, thanks in advance.

Ian


If you only have two NIC ports there are some slight differences in how to set it up that I have not had the chance to address yet.

 

First, in the DNS forwarder section, you will ONLY HIGHLIGHT LOCALHOST. This allows the firewall to connect to AirDNS if using URL based entry servers.

 

Second, your "LAN" will be set up in the manner the "AirVPN_LAN" in my guide is. There is no need for you to make a VLAN to accomplish this. You do not need to rename it, change the IP address of the port or the DHCP settings to 192.168.123.1 etc. but all other settings will be as the AirVPN_LAN.

 

If there are more steps to it I apologize, I am running out and wanted to post this quickly. I plan on making a guide for two interfaces separately soon. It would take only minimal effort for me to edit the documents I have saved. The issue is finding time. I am a few weeks away from having any of that.

 

I also have noticed that it now inputs the correct order for the firewall rules and will be editing that soon.

 

EDIT: Also consider that after tomorrow, this guide will not work until updated with the new settings that are coming our way. I have already started on the edits and should have them up soon after I get reconnected and verify all settings.



Thanks for your response, I managed to sort my additional interface out and now have a single AirVPN_LAN which connects.

Still can't fathom out how to make my devices use the VPN and when I set the DNS forwarder to localhost only everything stops working.

I guess it must be important to set it as you say as you took the time to BOLD, CAPS and UNDERLINE that point!

 

I've learned a ton this afternoon regardless, but suspect I'll knock this on the head for now until you guys have had time to test and publish new guidelines.

 

appreciate your help

Ian 


If it stopped working, it tells me you did not set up the 10.4.0.1 DNS on the DHCP server page for the LAN interface.

 

You cannot share the DNS forwarder between the firewall (localhost), which faces the clear-net, and your LAN, which will be your VPN facing interface on your setup. They must use separate DNS or else there is the possibility of leaks. If you were to use AirVPN DNS on the general page, you cannot connect to AirVPN unless you use the direct IP address of the entry servers.


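The DNS separation pfSense_fan insists on in the two-NIC replies above (DNS forwarder bound to localhost only, LAN clients handed 10.4.0.1 by DHCP, the firewall itself resolving entry-server hostnames over the clearnet), as an added example that is not part of the original posts or of pfSense: a Python lint over a small configuration description that reports the two failure modes the thread describes, DNS leaking out the clearnet and the tunnel being unable to bootstrap because the firewall's own resolver is only reachable inside the tunnel. The configuration dictionary shape, the 10.4.0.0/16 tunnel range and the sample hostname are assumptions; the OpenNIC resolver addresses and the AirDNS address are the ones quoted in the thread.

```python
# Added example (not from the original posts or from pfSense): a lint for
# the DNS split between the firewall itself and the VPN-facing LAN.
# The config layout and the tunnel prefix are assumptions for illustration.
from ipaddress import ip_address, ip_network
from typing import Dict, List

AIRDNS = "10.4.0.1"                       # AirDNS address quoted in the thread
TUNNEL_NET = ip_network("10.4.0.0/16")    # assumed: AirDNS is reachable only inside the tunnel


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def inside_tunnel(resolver: str) -> bool:
    return ip_address(resolver) in TUNNEL_NET


def check_dns_split(cfg: Dict) -> List[str]:
    """Return findings; an empty list means the split is sound.

    cfg (assumed shape, mirroring the pfSense pages named in the thread):
      general_dns       resolvers the firewall itself uses (System > General Setup)
      forwarder_listen  interfaces the DNS forwarder is bound to
      dhcp_dns          {interface: resolvers handed to clients by DHCP}
      vpn_remote        the OpenVPN client's remote: hostname or IP
    """
    findings = []

    # 1. Bootstrap: the firewall must resolve the entry-server hostname before
    #    the tunnel exists, so it cannot depend on AirDNS unless the remote is an IP.
    if not is_ip(cfg["vpn_remote"]) and any(inside_tunnel(r) for r in cfg["general_dns"]):
        findings.append("bootstrap: firewall DNS points into the tunnel but the "
                        "OpenVPN remote %r is a hostname" % cfg["vpn_remote"])

    # 2. The forwarder answers from the firewall's clearnet resolvers, so any
    #    interface it listens on besides localhost exposes a clearnet path.
    for iface in cfg["forwarder_listen"]:
        if iface != "localhost":
            findings.append("leak: DNS forwarder listens on %s" % iface)

    # 3. Clients must be handed a resolver inside the tunnel. With the DNS
    #    field left blank, pfSense's DHCP server hands out the firewall itself.
    for iface, resolvers in cfg["dhcp_dns"].items():
        if not resolvers:
            findings.append("leak: DHCP on %s hands out no DNS, clients use the firewall" % iface)
        for r in resolvers:
            if not inside_tunnel(r):
                findings.append("leak: DHCP on %s hands out clearnet resolver %s" % (iface, r))
    return findings


# Constructed configurations. BROKEN mirrors the symptom reported above
# (forwarder on every interface, DHCP DNS left blank). FIXED follows the
# advice in the replies. BOOTSTRAP_FAIL puts AirDNS in General Setup.
CLEARNET_DNS = ["213.138.101.252", "185.19.105.6"]   # OpenNIC servers from the thread
ENTRY_HOSTNAME = "us.vpn.airdns.org"                   # AirDNS entry name from the thread

BROKEN = {"general_dns": CLEARNET_DNS, "forwarder_listen": ["localhost", "LAN"],
          "dhcp_dns": {"LAN": []}, "vpn_remote": ENTRY_HOSTNAME}
FIXED = {"general_dns": CLEARNET_DNS, "forwarder_listen": ["localhost"],
         "dhcp_dns": {"LAN": [AIRDNS]}, "vpn_remote": ENTRY_HOSTNAME}
BOOTSTRAP_FAIL = {"general_dns": [AIRDNS], "forwarder_listen": ["localhost"],
                  "dhcp_dns": {"LAN": [AIRDNS]}, "vpn_remote": ENTRY_HOSTNAME}
# Same firewall DNS, but the remote is a literal IP (TEST-NET-2 stand-in), so it bootstraps.
BOOTSTRAP_BY_IP = dict(BOOTSTRAP_FAIL, vpn_remote="198.51.100.5")

if __name__ == "__main__":
    for name in ("BROKEN", "FIXED", "BOOTSTRAP_FAIL", "BOOTSTRAP_BY_IP"):
        print(name, check_dns_split(globals()[name]) or ["ok"])
```

The check is per interface, so it applies equally to the three-NIC layout of the guide (a separate AirVPN_LAN) and the two-NIC layout where LAN itself faces the tunnel; in both, the firewall's own resolvers and the clients' resolvers must be different sets, and only the latter may point into the tunnel.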

So, I suspect I'm getting confused because of the differences between my simple router which is configured with two ports, one in from my wifi access point & switch (Airport Extreme) and the outward bound port which goes to my Virgin Media modem.

 

PLEASE NOTE: I HAVE ADDED A SECTION FOR THOSE WHO ARE USING ONLY TWO NETWORK INTERFACE CARDS (NICs).  

 

This section covers an alternate step 6 and 7 (there will be no section 8 since you do not have more network ports). These are the only differences.

 

I made this quickly using find and replace text editing, so please report any errors to me!


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


Thank you - I followed your new guide and it works perfectly. I had to erase the old settings which were hanging around and causing a conflict in some way, but I got there in the end. Given my pretty simple network needs, this works brilliantly now thanks to you. I also appreciate you responding as quickly as you did.
