pfSense_fan

How To Set Up pfSense 2.1 for AirVPN


Port forwarding can be quite tricky. I ditched uTorrent since its port forward check never quite worked; it said "half working", although when I ran the Air port forward test I got a green for pass.

I moved over to qBittorrent, which is much faster and has a simple port forwarding test: if it's green, it works. All I did was leave that program on defaults and enter the Air port forwarded port into qBittorrent's port settings.

Remember, when you set up pfSense port forwarding, the guide is here:

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/page-6?do=findComment&comment=17580

Before you do any of this, I had to set up a static IP, because if you follow the normal Air PF guide linked above you will get to this bit in the guide:

*3: IP of your target pc/device. This is best if you have your device assigned to a static IP
Redirect target port = [ (other) ▼] [ NOTE *4 ]

I got really confused here and then found out that, before I even start the port forwarding guide, it's easier (and it works!) to set the static IP first.

Have you gone to Services > DHCP Server, then the Air tab, scrolled to the bottom and clicked + to add a static IP, and linked this to the MAC address of the PC you're using?

If I recall, you have to do it on the Air tab, but depending on your setup you may have to do it on LAN or whichever is the right one. This is highly important; otherwise the port forwarding won't relay to the right interface.

Don't forget, once you've done the static IP and then followed the Air port forward guide, when you get to step *3 you can now enter your static IP at least.

Also, sometimes what can cause an issue is your firewall blocking ports/connections, so disable it temporarily. For some reason my firewall was still blocking it; I had to uninstall it.

Also, don't forget you have to reboot your PC to refresh your network interfaces, otherwise the port forwarding won't work. Don't worry about the Air port test or the program's port test; sometimes they are duff and you've got to add a few downloads, for example an Ubuntu ISO, and see if it maxes the connection. You will know it's working when it gets good speeds. Give it a go.


I'm sorry, none of this is relevant to what is happening on my end, as all those steps have been followed, and when port forwarding works, one in fact does get a green light from this site as well. This is a technical issue where the packets leaving the airvpn_wan are returning to the regular clear_wan. Port forwarding through the clear_wan and then using an OpenVPN client to access AirVPN results in a perfect port forward. It is only when going through the AirVPN pfSense client that port forwarding does not work.

I need to find out why the packets are not routing properly. A tcpdump has determined that pfSense is not behaving in the correct way. Multiple reinstalls have not helped, so there must be something amiss with the configuration. I know pfsense_fan said he is moving on, but he also asked to be informed of any technical issues. I think we have one here.

Thanks for everyone's time.

http://comments.gmane.org/gmane.comp.security.firewalls.pfsense.general/5439


Have you gone through your settings one by one as per the pfSense guide?

It is very easy to miss a setting or for a setting to be incorrect; many times, even when I ran through this guide, I would find a setting incorrect, and once fixed it would be fine. I can vouch this pfSense guide works fine with port forwarding: green on the client side and green on Air's port test; it can max out my Ubuntu/Linux distros nicely.


I really appreciate your replies. I'm going to redo my pfSense install from scratch, again, with two new NICs, and see what happens. I'll keep you posted.

Thanks.

 

It would help if the guide was consistent.

For Block DNS Leak for LAN & AirVPN_LAN, the instructions say Protocol=TCP/UDP, but the photo given as an example shows only Proto=UDP. How did you know which to follow? This was the problem. The TCP packets were being blocked. Once I followed the photo instead of the text, the port opened.

Step 8: Setting up the AirVPN_LAN Interface

2.) Select one from the optional Interfaces (likely Opt1).

There would not be an Opt1, as that was already taken when assigning ovpnc1?

This should read like Opt2, no?

Here you will find your assigned interfaces. If you assigned them during original install you will see however many interfaces you have and should likely have a WAN, LAN, opt1 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.

But if you did not assign all interfaces at install, then the new one you'd be adding now would be Opt2.


On mine I just followed the text entries, especially the emboldened parts of the pfSense guide; I also have TCP/UDP selected. You are right, the picture does show just UDP, but it is only used to illustrate the order of the firewall rules, as is mentioned above the picture.

Can you confirm you have selected UDP as shown in the picture and port forwarding is now working?

And yes, the Opt1-2 bit, I noticed this also. This guide does not always take into account people's different setups and connections; for example, I find I am unable to follow the OpenVPN section correctly with the WAN setting. I have to put it on LAN, then reboot, then change to WAN, while no one else seemed to have this issue.

Still, for the main part, I have noticed other VPN providers' pfSense guides are incomplete or not even working, and when you compare them to this guide, which has 2-3x more settings, you can see why other VPN companies' guides aren't as complete or working. I would say this is still hands down the best pfSense guide to date.


DNS mainly uses the UDP protocol, except for zone transfers, which use TCP; if UDP fails, TCP should be used, so I think the DNS leak rules should be kept with both UDP/TCP. Am I right on that?


- Router/Firewall pfSense 2.3.2 (Supermicro A1SRi-2558, SSD Intel S3500, 8GB RAM ECC)

- Switch Cisco SG350-10

- AP Netgear R7000 (Stock FW)

- HTPC Intel NUC5i3RYH

- NAS Synology DS1515+ (5 x 5TB WD Red)

- NAS Synology DS213+ (2 x ST3000DM001)

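The question above is whether the DNS-leak rule needs to cover TCP as well as UDP. As an added example, not from the thread or from the guide, here is a small Python check a LAN host can run: it sends the same query to a resolver outside the VPN over UDP and over TCP (DNS falls back to TCP when a UDP answer is truncated, so a UDP-only block leaves that path open), and both probes should come back "blocked" if the rule is doing its job. The resolver address 192.0.2.53 is a placeholder assumption.

```python
# Added example (not from the thread): verify that a LAN host cannot reach a
# resolver outside the VPN over UDP *or* TCP port 53.
import socket
import struct

QUERY_ID = 0x1234  # fixed transaction id so a reply can be matched to our query


def build_query(name, qid=QUERY_ID, qtype=1):
    """Minimal DNS query for an A record in wire format, RD bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def tcp_frame(query):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035)."""
    return struct.pack(">H", len(query)) + query


def parse_header(resp):
    """Fields a leak check cares about: id, RCODE, TC (truncation) bit, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": an}


def probe(resolver, name, proto, timeout=3.0):
    """Return 'answered' if the resolver replied, 'blocked' on timeout/refusal."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((resolver, 53), timeout=timeout) as s:
                s.sendall(tcp_frame(query))
                length = struct.unpack(">H", s.recv(2))[0]
                data = s.recv(length)
        return "answered" if parse_header(data)["id"] == QUERY_ID else "unexpected"
    except (socket.timeout, OSError, struct.error):
        return "blocked"


def leak_check(resolver, name="example.com"):
    """Behind a correct BLOCK_DNS_LEAKS rule both transports must report 'blocked'."""
    return {proto: probe(resolver, name, proto) for proto in ("udp", "tcp")}


if __name__ == "__main__":
    # Placeholder resolver (TEST-NET address); use any resolver that is NOT the VPN's DNS.
    print(leak_check("192.0.2.53"))
```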

I'd like confirmation on this as well.

Can you now port forward, Wolf?


Not yet, I am installing 2.2-BETA 20OCT and I will report back. I know the reply-to is not completely fixed: https://redmine.pfsense.org/issues/3760


- Router/Firewall pfSense 2.3.2 (Supermicro A1SRi-2558, SSD Intel S3500, 8GB RAM ECC)

- Switch Cisco SG350-10

- AP Netgear R7000 (Stock FW)

- HTPC Intel NUC5i3RYH

- NAS Synology DS1515+ (5 x 5TB WD Red)

- NAS Synology DS213+ (2 x ST3000DM001)

Share this post


Link to post

A quick Google suggests TCP is more reliable and stable, but when using OpenVPN, UDP offers greater performance, especially for torrents and streaming.

I think Wolf is right; it's best to stick with the TCP/UDP setting for the block DNS rules if you can.


 

The ports do not forward with TCP blocked for me.

Since the OP abandoned this thread, I haven't much choice other than not blocking that protocol, like the photos in his instructions.


 

But Wolf still can't forward ports, while I can, by following the illustration and not the text.

Now, if Wolf were able to forward ports with TCP/UDP blocked for LAN and AirLAN, then I'd be inclined to give more weight to his findings.

If I block TCP, Transmission is unable to complete its internal torrent test. Soulseek/Nicotine is unable to complete its internal open port test. The AirVPN site returns grey results. The pfSense firewall log shows the TCP requests being blocked, obviously because they are being told to be blocked by the TCP/UDP rule. I am not leaking DNS with my current setup.

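The post above reads the pfSense firewall log to see which rule is dropping the forwarded TCP connections. As an added example, not from the thread or from pfSense itself, this Python script does that triage offline: it parses filterlog lines, counts blocks per interface, rule tracker, protocol and destination port, and flags any tracker that blocks port 53 but also blocks other ports, which is what a DNS-leak rule missing its destination-port restriction would look like. It assumes the pfSense 2.2+ filterlog CSV field order (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, ...), and the log lines are constructed samples, not taken from a real system.

```python
# Added example (not from the thread): triage pfSense filterlog entries to find the
# rule that is blocking traffic a port forward needs.
import csv
from collections import Counter

# Constructed sample lines (syslog wrapper + filterlog CSV); assumed 2.2+ layout.
SAMPLE_LOG = """\
Oct 30 08:02:16 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.10,8.8.8.8,51234,53,0,S,1,,65535,,mss
Oct 30 08:02:17 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12346,0,DF,17,udp,70,192.168.1.10,8.8.8.8,51235,53,50
Oct 30 08:02:18 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.1.10,93.184.216.34,51236,443,0,S,2,,65535,,mss
Oct 30 08:02:19 fw filterlog: 71,16777216,,1000000110,ovpnc1,match,pass,in,4,0x0,,52,12348,0,DF,6,tcp,60,203.0.113.5,10.4.5.6,40000,51413,0,S,3,,65535,,mss
"""

# Leading IPv4 fields of a filterlog record (assumed layout, see lead-in).
IPV4_FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
               "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src", "dst"]


def parse_line(line):
    """Return a dict for one IPv4 filterlog line, or None if the line is not one."""
    if "filterlog: " not in line:
        return None
    fields = next(csv.reader([line.split("filterlog: ", 1)[1]]))
    if len(fields) < len(IPV4_FIELDS) or fields[8] != "4":
        return None
    entry = dict(zip(IPV4_FIELDS, fields))
    rest = fields[len(IPV4_FIELDS):]
    # TCP and UDP records continue with source port, destination port, data length.
    if entry["proto"] in ("tcp", "udp") and len(rest) >= 2:
        entry["sport"], entry["dport"] = rest[0], rest[1]
    else:
        entry["sport"] = entry["dport"] = None
    return entry


def blocked_by_rule(log_text):
    """Count blocked packets per (iface, tracker, proto, dport) so the culprit stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "block":
            counts[(e["iface"], e["tracker"], e["proto"], e["dport"])] += 1
    return counts


def dns_rule_overreach(counts):
    """Trackers that block port 53 AND other ports: a DNS-leak rule without a
    destination-port restriction, which would also kill forwarded ports."""
    dns_rules = {k[1] for k in counts if k[3] == "53"}
    return sorted({(k[1], k[2], k[3]) for k in counts
                   if k[1] in dns_rules and k[3] != "53"})


if __name__ == "__main__":
    counts = blocked_by_rule(SAMPLE_LOG)
    for (iface, tracker, proto, dport), n in sorted(counts.items()):
        print(f"{iface:8} tracker={tracker} {proto}/{dport}: {n} blocked")
    for tracker, proto, dport in dns_rule_overreach(counts):
        print(f"WARNING: tracker {tracker} also blocks {proto}/{dport}; check its destination port")
```

Match the tracker id against Status > System Logs > Firewall (or the rule's "Tracking ID") to locate the rule in the GUI; the value here is a constructed sample.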

Ok, port forwarding (TCP/UDP) is now working with the fix: https://redmine.pfsense.org/issues/3760

I am now running:

2.2-BETA (amd64)
built on Thu Oct 30 08:02:16 CDT 2014


- Router/Firewall pfSense 2.3.2 (Supermicro A1SRi-2558, SSD Intel S3500, 8GB RAM ECC)

- Switch Cisco SG350-10

- AP Netgear R7000 (Stock FW)

- HTPC Intel NUC5i3RYH

- NAS Synology DS1515+ (5 x 5TB WD Red)

- NAS Synology DS213+ (2 x ST3000DM001)

Share this post


Link to post

 

Ok, Port Forwarding (TCP/UDP) is now working with the fix: https://redmine.pfsense.org/issues/3760

 

I am now running:

 

2.2-BETA (amd64) 

built on Thu Oct 30 08:02:16 CDT 2014 

Ok, I'm all set now. Forwarding ports with TCP/UDP blocked for LAN and AirVPN_LAN.

2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014

The only real change I made was from an Intel dual port card to two Realtek-based cards.

Which programs are you using to forward ports?

Is your system Linux or Windows?


The apps needing port forwarding are pyLoad, Transmission and Plex, all running on a NAS, a Synology DS213+. I access them from several PCs (Windows) and iDevices.


Question for pfSense users:

Have you guys tried using additional IP leak guides, like Comodo's?

I find none of these IP leak guides work, including Air's own one; perhaps Air's pfSense is too secure?!

I was wondering if anyone has set up additional backup firewall/program rules to prevent IP leaks, just in case pfSense by some miracle did not.


Newb install problem

 

When adding the OpenVPN client (Step 3 of the install guide) I get the following error and am unable to proceed:

 

An IPv4 protocol was selected, but the selected interface has no IPv4 address.

 

Would appreciate any suggestions on how to resolve this. Thanks.


 

You could try this, but I'm unsure if it will work: select LAN instead of WAN and see if it saves; once it's rebooted you can switch it back to WAN, which is the correct setting. Or, if it still does not like it, carry on with the guide and at the end select WAN.

The pfSense guide works well, but it's best to go over all the settings to make sure they are correct; all it takes is one wrong setting to make it not work. I had to go over it several times the first time and noticed a few mistakes before correcting them, and then it worked. Printing out the guide helps!


Hi pfSense_fan, thank you so much for your great guide!

I noticed that in "Step 7" --> "Second we will set the Localhost outbound NAT." the localhost address is:

Source = [_] Not (unchecked)
               Type: [ Network ▼]
               Address: [ 127.0.0.1 ] / [ 8 ▼]
               Source port: [_____] (empty/blank)

but in the next screenshot the localhost address is 127.0.0.0 (and not 127.0.0.1).

In the "D." section «Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.» the name of the rule is

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".

but the description shows the right name:

Description = [✎ BLOCK_DNS_LEAKS_LAN]

In section "E.) Checking That Our Firewall Rules Are In The Correct Order" for the AirVPN_LAN, the screenshot shows an alias for the «! AirVPN_DNS» destination instead of the 10.4.0.1 address.

I have a question: I'm using pfBlocker with List Action set to "Alias only".

Do I need to set up the AirVPN Gateway in the "Advanced features" section of the AirVPN_WAN blocking rules, or leave it at the default setting? (See the attached screenshot, where the first rule has that gateway set.)


As a general rule of thumb, I would ignore what the screenshots suggest or show; they really are only used for illustration purposes. Follow the emboldened text as normal. So if the text says 127.0.0.1, then just keep to that really.

Sometimes the screenshots are just there to show the order of the rules or how it may appear, etc.

Unsure of the alias settings, tbh. I think once you've got the basic pfSense guide sorted and up and working, then it's a good idea to test other things out, but only if you are sure what you are doing :) I use PeerBlock and update a similar list; I find it a bit easier to maintain and update and block/unblock, etc.

The pfSense forums: the guys there may be able to assist on that question:

https://forum.pfsense.org/index.php


As refresh said, follow the text and you will get pfSense working.


pfsense_fan, it has been some months since I wrote and you responded, and I am pleased to say that, although not yet perfect, my network is now working almost as required thanks to your guide. The only confusion for me was entering LAN rule number one, as it appears under the AirVPN_LAN interface and not the LAN interface. Perhaps a discrepancy in pfSense versions.

Thanks for your time in initially writing it and then in patiently helping so many of us make this work. You deserve your rest.

Geoff


Thank you very much for this guide! Using most parts of it helped me to set up pfSense on my thin client. You are using two separate interfaces/subnets with DHCP servers for VPN and clearnet access. This requires separate wiring depending on whether the device is using clearnet access or going through the VPN. Also, devices in those two subnets cannot see each other, as there is no routing between them.

Unfortunately, in my network I have many devices that need clearnet access but also need to communicate with the devices in the other subnet (VPN); for example, smart TVs and streaming clients that are supposed to use clearnet for video on demand but also need to be able to access media on my PC that is connected to the other subnet.

How would you suggest resolving this?

Is it possible to set up both internal interfaces in pfSense within just one subnet and assign the clients different gateways (1 subnet and 2 gateways)? That would be pretty easy, so I wonder if I missed anything.
