go558a83nk:

13 hours ago, joebywan said: Thanks for that, worked. What's the DNS server we're supposed to be using? Status > OpenVPN says it's up, but I can't do the DNS lookup to airvpn.org.

10.4.0.1 is the DNS, but I can't get the DNS Resolver or Forwarder to use that, and it's especially a pain if you have policy routing (some clients using the VPN and others not). What I do is turn off the Resolver and Forwarder in pfSense and use DHCP to assign the DNS I want to use to clients. I use firewall rules to enforce that clients use the DNS I want them to use.
Wolke68:

If you want to use 10.4.0.1 you have to add a manual route in your OVPN config. pfSense is BSD, and the DNS push in the config is not possible to use. I use it for 10.4.0.1, 10.50.1, 10.6.0.1, 10.7.0.1.
joebywan:

5 hours ago, Wolke68 said: If you want to use 10.4.0.1 you have to add a manual route in your OVPN config. pfSense is BSD, and the DNS push in the config is not possible to use. I use it for 10.4.0.1, 10.50.1, 10.6.0.1, 10.7.0.1.

Could you elaborate on how to do this, please? Bit of a noob here. Shouldn't it be covered by step 6-D in the guide, "Step 6-D: First AirVPN_LAN Firewall Rule "AirVPN LAN DNS REDIRECT""?
Wolke68:

Add this in your OpenVPN config:

    route 10.4.0.0 255.255.255.0;

Set 10.4.0.1 as DNS in the DNS Server Settings. Nothing else to change. If you want, look at the routing table in pfSense to check that the route 10.4.0.0 is set to your AirVPN internal IP.
joebywan:

6 hours ago, Wolke68 said: Add this in your OpenVPN config: route 10.4.0.0 255.255.255.0; Set 10.4.0.1 as DNS in the DNS Server Settings. Nothing else to change. If you want, look at the routing table in pfSense to check that the route 10.4.0.0 is set to your AirVPN internal IP.

So in System / General Setup, if I set up 10.4.0.1 with the VPN WAN gateway, it won't automatically set up a route? When you say put it in the config, I'm assuming I can just put it in the custom settings text box at the bottom?
Wolke68:

In my tests the route from the DNS is not enough; if you test the DNS question in pfSense you get no answers. With this extra route it is OK.
joebywan:

13 hours ago, Wolke68 said: In my tests the route from the DNS is not enough; if you test the DNS question in pfSense you get no answers. With this extra route it is OK.

It worked, thanks!
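A way to verify the manual-route fix from the posts above on the firewall itself, as an added example that is not from the thread or the nguvu guide: it parses the pfSense routing table to confirm that 10.4.0.0/24 really leaves through the OpenVPN client interface, then asks 10.4.0.1 for airvpn.org. The interface name ovpnc1, the gateway 10.4.1.1 and the routing-table sample are assumed/constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the nguvu guide: check on a pfSense box
# that the manual route for the AirVPN DNS subnet (10.4.0.0/24, as in Wolke68's
# post) really lands on the OpenVPN client interface before trusting 10.4.0.1
# as DNS. Interface name ovpnc1, gateway 10.4.1.1 and the routing-table sample
# below are assumed/constructed.

# Print "<gateway> <netif>" for the exact destination $1, reading
# `netstat -rn -f inet` text on stdin (FreeBSD/pfSense column layout).
route_entry() {
    awk -v dst="$1" '
        BEGIN { nc = 4 }                         # Netif column on FreeBSD
        $1 == "Destination" {                    # confirm it from the header
            for (i = 1; i <= NF; i++) if ($i == "Netif") nc = i
            next
        }
        $1 == dst { print $2, $nc; exit }'
}

# Succeed only if destination $1 is routed out of interface $2.
route_via_iface() {
    entry=$(route_entry "$1")
    [ -n "$entry" ] && [ "${entry#* }" = "$2" ]
}

# Ask server $1 for name $2; succeed on a NOERROR answer.
# Assumes drill (ldns), which pfSense ships.
dns_answers() {
    drill "$2" @"$1" 2>/dev/null | grep -q 'rcode: NOERROR'
}

# Constructed routing table: default via WAN, 10.4.0.0/24 via the tunnel.
ROUTES_SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.4.0.0/24        10.4.1.1           UGS      ovpnc1
10.4.1.0/24        link#8             U        ovpnc1
192.168.0.0/24     link#2             U           em1'

if [ "${1:-}" = "--live" ]; then   # on the firewall: sh check_vpn_dns.sh --live
    netstat -rn -f inet | route_via_iface 10.4.0.0/24 ovpnc1 \
        || { echo "10.4.0.0/24 is not routed via ovpnc1"; exit 1; }
    dns_answers 10.4.0.1 airvpn.org \
        || { echo "10.4.0.1 gave no answer for airvpn.org"; exit 1; }
    echo "route and DNS via the tunnel look good"
fi
```

Without `--live` the script only defines the functions and the sample, so it can be sourced and the functions fed any saved `netstat -rn -f inet` output.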
exilewolf:

Has anyone started having issues in the last few days with this setup? I have been running this setup for about 2 years and had no issues up until last night. Now I am getting this error when I try to connect. Anyone else, or is it just me?

Sep 25 04:26:54 openvpn 25923 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 25 04:26:54 openvpn 25923 TCP/UDP: Closing socket
Sep 25 04:26:54 openvpn 25923 SIGUSR1[soft,ping-restart] received, process restarting
Sep 25 04:26:54 openvpn 25923 Restart pause, 10 second(s)

UPDATE: found out my ISP was blocking port 443 to VPN servers. Updated to a new IP, good to go.
joebywan:

Was working fine, then, with nothing changed on my end, I started getting these log entries and the VPN's not coming up.

Oct 7 15:12:25 openvpn 20222 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 7 15:12:25 openvpn 20222 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 7 15:12:25 openvpn 20222 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.178:443
Oct 7 15:12:25 openvpn 20222 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 7 15:12:25 openvpn 20222 UDPv4 link local (bound): [AF_INET]192.168.0.3:0
Oct 7 15:12:25 openvpn 20222 UDPv4 link remote: [AF_INET]184.75.221.178:443
Oct 7 15:13:25 openvpn 20222 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 7 15:13:25 openvpn 20222 SIGUSR1[soft,ping-restart] received, process restarting
Oct 7 15:13:25 openvpn 20222 Restart pause, 300 second(s)
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: CMD 'state 1'
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: Client disconnected

Any ideas on how to get it going again?
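The two log excerpts above share one pattern: the UDP link to the server comes up and then the ping-restart fires with no handshake in between, which is what an unreachable or blocked port looks like from the client side. The script below is an added example, not from the thread, that triages such an excerpt and also flags the missing server-certificate check visible in joebywan's log; the sample lines are constructed and 198.51.100.7 is a documentation address.

```shell
#!/bin/sh
# Added example, not from the thread: triage a pfSense OpenVPN client log
# excerpt like the ones exilewolf and joebywan posted. A "link remote" line
# followed by "Inactivity timeout (--ping-restart)" with no
# "Peer Connection Initiated" in between means the server never answered on
# that address/port (exilewolf's case: the ISP blocked port 443). The log
# lines below are constructed; 198.51.100.7 is a documentation address.

# Read log lines on stdin and print one verdict:
#   no-attempt, still-connecting, no-server-reply, dropped-after-handshake, connected
openvpn_triage() {
    awk '
        /link remote:/                          { attempts++; answered = 0 }
        /Peer Connection Initiated/             { answered = 1; handshakes++ }
        /Inactivity timeout \(--ping-restart\)/ { if (answered) dropped++; else unanswered++ }
        END {
            if (attempts == 0)        print "no-attempt"
            else if (handshakes == 0) { if (unanswered > 0) print "no-server-reply"
                                        else print "still-connecting" }
            else if (dropped > 0)     print "dropped-after-handshake"
            else                      print "connected"
        }'
}

# Succeed if the client is not verifying the server certificate (the WARNING
# in joebywan's log). Setting remote-cert-tls server in the client options,
# as in pfSense_fan's config later in the thread, clears it.
lacks_server_cert_check() {
    grep -q 'No server certificate verification method has been enabled'
}

BLOCKED_SAMPLE='Oct 7 15:12:25 openvpn 20222 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 7 15:12:25 openvpn 20222 UDPv4 link remote: [AF_INET]198.51.100.7:443
Oct 7 15:13:25 openvpn 20222 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 7 15:13:25 openvpn 20222 SIGUSR1[soft,ping-restart] received, process restarting
Oct 7 15:13:25 openvpn 20222 Restart pause, 300 second(s)'

OK_SAMPLE='Oct 8 09:00:01 openvpn 20222 UDPv4 link remote: [AF_INET]198.51.100.7:443
Oct 8 09:00:02 openvpn 20222 [Kaus] Peer Connection Initiated with [AF_INET]198.51.100.7:443
Oct 8 09:00:04 openvpn 20222 Initialization Sequence Completed'

# Stand-alone run over the samples (pipe a real log into openvpn_triage instead).
printf '%s\n' "$BLOCKED_SAMPLE" | openvpn_triage     # no-server-reply
printf '%s\n' "$OK_SAMPLE" | openvpn_triage          # connected
printf '%s\n' "$BLOCKED_SAMPLE" | lacks_server_cert_check \
    && echo "server certificate verification is OFF: set remote-cert-tls server"
```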
neptunus:

I have a setup like: https://nguvu.org/pfsense/pfsense-baseline-setup/

The connection with AirVPN is working and the tests as described on the site are also working. The challenge I have is that from VL20_VPN I cannot do a DNS resolve on airvpn.org. All other DNS resolves are going well. Does anyone have tips on how I can solve this?
Lee47:

Hi, has anyone managed to get policy routing for websites ONLY to work under pfSense with Air? I am trying to get PayPal or online banking sites to use the ISP IP. I see people got separate devices (PCs, TVs, etc.) to work, but I have not seen if it's possible for websites only.
go558a83nk:

1 hour ago, Lee47 said: Hi, has anyone managed to get policy routing for websites ONLY to work under pfSense with Air? I am trying to get PayPal or online banking sites to use the ISP IP. I see people got separate devices (PCs, TVs, etc.) to work, but I have not seen if it's possible for websites only.

Create aliases for things; they can include FQDNs. Then create firewall rules for your LAN using those aliases to allow stuff via VPN or via WAN, then create rules under those to block the interface you don't want them to use.
tomquinn:

I followed nguvu's guide and everything seems to work. But all my computers must be on the LAN gateway. I have the pfSense connected to a DD-WRT router with WAN and DHCP server off. How do I assign which devices go out which gateways? Do I do it on pfSense or DD-WRT? Any help would be appreciated.
genuine3000:

Hi, I'm busy with egress on my firewall. I was looking for a DNS rule to not allow other traffic to go to another public address, for example 8.8.8.8 or whatever. OK, the redirect works fine for DNS leaks, but if you hard-code it, like apps do, or a person fills in 8.8.8.8 as DNS in DHCP, then we've got a problem. So for security reasons I would like all the traffic generated by clients to go to the redirected DNS of AirVPN. Hope someone can help.

Never mind, found the solution myself :-))
revolsnayr:

On 4/12/2016 at 10:09 PM, pfSense_fan said:

    ##### CLIENT OPTIONS #####;
    server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
    explicit-exit-notify 5;
    ##### TUNNEL OPTIONS #####;
    ### Use multiple "remote" entries with the according entry IP address of your favorite servers ###;
    ### other than the server entered in the "Server Host or Address" entry above and pfSense ###;
    ### will automatically reconnect in a round robin fashion if the server you are connected to ###;
    ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
    ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###;
    ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###;
    ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###;
    ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###;
    ###rcvbuf 262144;
    ###sndbuf 262144;
    mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
    fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
    ###tun-mtu 1500;
    ###mssfix 1450;
    ###keepalive 5 15;
    ##### DATA CHANNEL ENCRYPTION OPTIONS #####;
    key-direction 1;
    keysize 256 ### Size of key from cipher ###;
    prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
    ### replay-window n [t] ### Default = replay-window 64 15 ###;
    ### mute-replay-warnings;
    ##### TLS MODE OPTIONS #####;
    tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###;
    key-method 2 ### client generates a random key ###;
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
    tls-timeout 2 ### Default = 2 ###;
    ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
    remote-cert-tls server ### Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
    ### reneg-sec 3600;

Not sure if this was pointed out, but I had everything working up until 2.4.4 and then I moved my modem/router's location and lost connectivity on my VPN router. After fixing multiple issues, including a boot loop and having to do a reinstall from scratch, I noticed this setting for OpenVPN throws an AUTH error. Instead of trying to fix it, I just removed it and run it on a single server without HA. Any ideas on what's causing it? I know this is an old thread, but just curious.
dIecbasC:

On 1/1/2020 at 12:54 AM, tomquinn said: I followed nguvu's guide and everything seems to work.

The nguvu baseline guide mentioned in this thread has been updated for pfSense v2.4.5.
EWK:

Followed this guide and it has been working great for a couple of years now. One question though: I have a Qotom with multiple ports, only one gives internet, the rest give network but no internet. How do I get the others to work? They are OPT5 and OP6. Thanks!
zapoteknico:

It is not recommended to use a pfSense firewall with multiple LAN ports as you would normally use a router you buy. If you are aiming to connect many computers directly to the pfSense firewall, as said, you shouldn't do that. The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/ shows you how the firewall ports should be set up. The guide shows VLAN settings, but they work exactly as if they were normal ports. I initially wanted to do what you are trying to do, but then, after reading, I followed the guide, setting up only the vl20_VPN port and the VL30_clearnet one as backup if I will want to bypass the VPN. I then use a standard wireless router plugged into the vl20 port and all my devices connect to the wireless router. If I want to bypass the VPN, I just swap the cable connecting the pfSense to the router, using the cable going out from the VL30_clearnet port.
HughM:

4 minutes ago, zapoteknico said: It is not recommended to use a pfSense firewall with multiple LAN ports as you would normally use a router you buy. If you are aiming to connect many computers directly to the pfSense firewall, as said, you shouldn't do that. The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/ shows you how the firewall ports should be set up. The guide shows VLAN settings, but they work exactly as if they were normal ports. I initially wanted to do what you are trying to do, but then, after reading, I followed the guide, setting up only the vl20_VPN port and the VL30_clearnet one as backup if I will want to bypass the VPN. I then use a standard wireless router plugged into the vl20 port and all my devices connect to the wireless router. If I want to bypass the VPN, I just swap the cable connecting the pfSense to the router, using the cable going out from the VL30_clearnet port.

Why can't you use multiple ports for multiple VLANs? This is in fact the setup I am currently preparing (with the help of the referenced article too). I then plan to have a smart switch filter the multiple VLANs to the firewall's ports. That way the router routes (at the network / IP level) and the switch switches (at the [V]LAN / link level). This seems perfect to me. I plan to use an interface per subnet, instead of a VLAN per subnet. Admittedly I am still learning and have not executed it yet, but this should work IMHO.
zapoteknico:

Sorry, I haven't been clear. It is not recommended to use the firewall as a "router" in a way that you plug multiple computers into the firewall ports like you would do using a switch, and then have the firewall providing IP addresses in the same range (i.e. 192.168.1.2 on one port, 193.168.1.3 on the second port, etc.). If instead you are going to set up multiple subnets, then the guide provided will help you in doing that. If you check the guide you will see that each port of the firewall provides different ranges (192.168.10.x on the first port, 192.168.20.x on the second port, etcetera). Hope this helps.
HughM:

@zapoteknico thanks, yes I understand that and that is what I am planning too. So use physical ports on the router i.s.o. VLANs over a single physical port. I have attached a diagram with the various subnets (SECure, CLeaR, IOT, and WAN) and the switch in front of the pfSense router. The tagged VLANs go to other routers (not shown here).
zapoteknico:

That's how it should work. I do not have a VLAN switch, but the guide helped me in doing exactly what you want to do. If your pfSense is already set up, you will not have to follow the entire guide but only the relevant configurations for the different pfSense ports (they are called vlan10, vlan20, vlan20, etc.).
EWK:

7 hours ago, zapoteknico said: It is not recommended to use a pfSense firewall with multiple LAN ports as you would normally use a router you buy. If you are aiming to connect many computers directly to the pfSense firewall, as said, you shouldn't do that. The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/ shows you how the firewall ports should be set up. The guide shows VLAN settings, but they work exactly as if they were normal ports. I initially wanted to do what you are trying to do, but then, after reading, I followed the guide, setting up only the vl20_VPN port and the VL30_clearnet one as backup if I will want to bypass the VPN. I then use a standard wireless router plugged into the vl20 port and all my devices connect to the wireless router. If I want to bypass the VPN, I just swap the cable connecting the pfSense to the router, using the cable going out from the VL30_clearnet port.

Thank you for your answer. So the best solution is that I should put an unmanaged switch behind it if I want to connect more devices?