Jump to content
Not connected, Your IP: 3.15.17.25
pfSense_fan

How To Set Up pfSense 2.3 for AirVPN

Recommended Posts

13 hours ago, joebywan said:
Thanks for that, worked.

What's the DNS server we're supposed to be using?  Status>OpenVPN says it's up, but I can't do the dnslookup to airvpn.org

10.4.0.1 is the DNS but I can't get dns resolver or forwarder to use that and it's especially a pain if you have policy routing - some clients using the VPN and others not.

What I do is turn off resolver and forwarder in pfsense and use DHCP to assign the DNS I want to use to clients.

I use firewall rules to enforce that clients use the DNS I want them to use.

Share this post


Link to post

if you want to use 10.4.0.1 you have to do a manual route in your ovpn config


pfsense is bsd and there is a DNS push in the config not possible to use

i use it for
10.4.0.1
10.50.1
10.6.0.1
10.7.0.1
 

Share this post


Link to post
5 hours ago, Wolke68 said:

if you want to use 10.4.0.1 you have to do a manual route in your ovpn config


pfsense is bsd and there is a DNS push in the config not possible to use

i use it for
10.4.0.1
10.50.1
10.6.0.1
10.7.0.1
 

Could you elaborate on how to do this please?  Bit of a noob here. 

Shouldn't it be covered by step 6-D in the guide "Step 6-D: First AirVPN_LAN Firewall Rule "AirVPN LAN DNS REDIRECT""??
 

Share this post


Link to post

add this in your openvpn config


route 10.4.0.0 255.255.255.0;


set 10.4.0.1 DNS for DNS Server Settings
Nothing else to change.
If you want to look at the routing table in pfsense if the route 10.4.0.0 is set to your AirVPN internal IP
 

Share this post


Link to post
6 hours ago, Wolke68 said:

add this in your openvpn config


route 10.4.0.0 255.255.255.0;


set 10.4.0.1 DNS for DNS Server Settings
Nothing else to change.
If you want to look at the routing table in pfsense if the route 10.4.0.0 is set to your AirVPN internal IP
 

So in System/General Setup if I setup 10.4.0.1 set to the vpn wan gateway, it won't automatically setup a route?

When you say put it in the config, I'm assuming I can just put it in the custom settings text box at the bottom?

Share this post


Link to post

in my tests it is not enough the route from the DNS 
if you test in pfsense the dns question you get no answers
with this extra route it is ok
 

Share this post


Link to post
13 hours ago, Wolke68 said:

in my tests it is not enough the route from the DNS 
if you test in pfsense the dns question you get no answers
with this extra route it is ok
 

It worked, thanks!

Share this post


Link to post

Has any one stated having issues in the last few days with this setup, I have been running this setup for about 2 years and had no issues up until last night.. 
Now I am getting this error when I try to connect.. anyone else or is it just me :P
 

Sep 25 04:26:54 openvpn 25923 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 25 04:26:54 openvpn 25923 TCP/UDP: Closing socket
Sep 25 04:26:54 openvpn 25923 SIGUSR1[soft,ping-restart] received, process restarting
Sep 25 04:26:54 openvpn 25923 Restart pause, 10 second(s)


UPDATE : :  found out my ISP was Blocking port 443 to vpn servers.. updated to a new IP good to go. 

Share this post


Link to post

Was working fine then nothing changed on my end I started getting these log entries and the vpn's not coming up.

Oct 7 15:12:25 openvpn 20222 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 7 15:12:25 openvpn 20222 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 7 15:12:25 openvpn 20222 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.178:443
Oct 7 15:12:25 openvpn 20222 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 7 15:12:25 openvpn 20222 UDPv4 link local (bound): [AF_INET]192.168.0.3:0
Oct 7 15:12:25 openvpn 20222 UDPv4 link remote: [AF_INET]184.75.221.178:443
Oct 7 15:13:25 openvpn 20222 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 7 15:13:25 openvpn 20222 SIGUSR1[soft,ping-restart] received, process restarting
Oct 7 15:13:25 openvpn 20222 Restart pause, 300 second(s)
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: CMD 'state 1'
Oct 7 15:13:32 openvpn 20222 MANAGEMENT: Client disconnected

Any ideas on how to get it going again?

Share this post


Link to post
Posted ... (edited)

I have a setup like: https://nguvu.org/pfsense/pfsense-baseline-setup/
The connection with AirVPN is working and the test as described on the site are also working.

The challenge I have is that from VL20_VPN I cannot do a dns resolve on airvpn.org.
All other DNS resolves are going well.

Does anyone have tips on how I can solve this.

Edited ... by neptunus
Small update

Share this post


Link to post

Hi has anyone managed to get Policy routing Websites ONLY to work under pfsense air ?

I am trying to get paypal or online banking sites to use the ISP ip, I see people got separate devices and pcs, tvs etc to work but not seen if its possible for websites only.

Share this post


Link to post
1 hour ago, Lee47 said:

Hi has anyone managed to get Policy routing Websites ONLY to work under pfsense air ?

I am trying to get paypal or online banking sites to use the ISP ip, I see people got separate devices and pcs, tvs etc to work but not seen if its possible for websites only.


create aliases for things.  they can include FQDN.  Then create firewall rules for you LAN using those aliases to allow stuff via VPN or via WAN then create rules under those to block the interface you don't want them to use.

Share this post


Link to post

I followed NGVU's guide and everything seems to work. 
But all my computers must be on the LAN gateway. I have the pfsense connected to a dd-wrt router with wan and dhcp server off. How do I assign which devices go out which gateways? Do I do it on pfsense or dd-wrt?

Any help would be appreciated. 
 

Share this post


Link to post
Posted ... (edited)

Hi,
I'm busy to egress my firewall I was looking for a DNS rule to not allow other traffic go's to other public adress for example 8.8.8.8 or whatever
Ok redirect works fine for DNSleaks but if you hard-code it like apps or a person fills in DHCP to use 8.8.8.8 dns then we got a problem
So for security reasons i would like that al the traffic is generated by clients go to the redirected dns of airvpn

hope someone can help


never mind found the solution myself :-))

Edited ... by genuine3000
solution

Share this post


Link to post
On 4/12/2016 at 10:09 PM, pfSense_fan said:
##### CLIENT OPTIONS #####; server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###; explicit-exit-notify 5; ##### TUNNEL OPTIONS #####; ### Use Multple "remote" entries with the according entry IP address of your favorite servers ###; ### other than the server entered in the "Server Host or Address" entry above and pfSense ###; ### will automatically recconnect in a round robin fashion if the server you are connected to ###; ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###; ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###; ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###; ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###; ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###; ###rcvbuf 262144; ###sndbuf 262144; mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###; fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###; ###tun-mtu 1500; ###mssfix 1450; ###keepalive 5 15; ##### DATA CHANNEL ENCRYPTION OPTIONS #####; key-direction 1; keysize 256 ### Size of key from cipher ###; prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###; ### replay-window n [t] ### Default = replay-window 64 15 ###; ### mute-replay-warnings; ##### TLS MODE OPTIONS #####; tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###; key-method 2 ### client generates a random key ###; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###; tls-timeout 2 ### Default = 2 ###; ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###; remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###; ### reneg-sec 3600;



Not sure if this was pointed out but I had everything working up until 2.4.4 and then I moved my modem/routers locations and lost connectivity on my VPN router.  After fixing multiple issues including a boot loop and having to do a reinstall from scratch, I noticed this setting for OpenVPN throws an AUTH error.  Instead of trying to fix it, I just removed it and run it on a single server without HA.  Any ideas on what's causing it?  I know this is an old thread but just curious.

Share this post


Link to post

Followed this guide and it has been working great for a couple of years now. One question though, I have a Qotom with mulitple ports, only one gives internet rest gives network, no internet.
How do I get the others to work? They are OPT5 and OP6. Thanks!

Share this post


Link to post

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 

Share this post


Link to post
4 minutes ago, zapoteknico said:

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 


Why can't you use multiple ports for multiple VLANs? This is in fact the setup I am currently preparing (with the help of the referenced article too). I then plan to have a smart switch filter the multiple VLANs to the firewal's ports. That way the router routes (at the network / IP level) and the switch switches (at the [V}LAN / link level). This seems perfect to me.

I plan to use an interface per subnet, in stead of a VLAN per subnet. Admittedly I am still learning and have not executed it yet, but this should work imho.

Share this post


Link to post

Sorry I haven't been clear. It is not recommended to use the firewall as "router" in a way that you will plug multiple computers to the firewall ports like you would do using a switchand then having the firewall providing IP addresses in the same range (I. E 192.168.1.2 on one port, 193.168.1.3 on second port etc.)
If instead you are going to setup multiple subnets, then the guide provided will help you in doing that. If you check the guide you will see that each port of the firewall provides different ranges (192.168.10.x on first port, 192.168.20.x on second port etcetera) 
Hope this helps 
 

Share this post


Link to post
@zapoteknico thanks, yes I understand that and that is what I am planning too. So use physical ports on the router i.s.o. VLANS over a single physical port. I have attached a diagram with the various subnets (SECure, CLeaR, IOT, and WAN) and the switch in front of the pfSense router. The tagged VLANS go to other routers (not shown here.

Screen Shot 2020-04-03 at 13.31.30.png

Share this post


Link to post

That's how should work. I do not have a VLAN switch but the guide helped me in doing exactly what u want to do. 
If your pfsense is already setup, you will not have to follow the entire guide but only the relevant configurations for the different pfsense ports(the are called vlan10, vlan20, vlan20 etc) 

Share this post


Link to post
7 hours ago, zapoteknico said:

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 

Thank you for your answer. 
So the best solution is, that I should put an unmanaget switch behind it if I want to connect more devices? 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...