How To Set Up pfSense 2.3 for AirVPN

[go558a83nk 362]

13 hours ago, joebywan said:

Thanks for that, worked.

What's the DNS server we're supposed to be using?  Status>OpenVPN says it's up, but I can't do the dnslookup to airvpn.org

10.4.0.1 is the DNS but I can't get dns resolver or forwarder to use that and it's especially a pain if you have policy routing - some clients using the VPN and others not.

What I do is turn off resolver and forwarder in pfsense and use DHCP to assign the DNS I want to use to clients.

I use firewall rules to enforce that clients use the DNS I want them to use.

[Wolke68 5]

if you want to use 10.4.0.1 you have to do a manual route in your ovpn config


pfsense is bsd and there is a DNS push in the config not possible to use

i use it for
10.4.0.1
10.50.1
10.6.0.1
10.7.0.1
 

[joebywan 0]

5 hours ago, Wolke68 said:

if you want to use 10.4.0.1 you have to do a manual route in your ovpn config


pfsense is bsd and there is a DNS push in the config not possible to use

i use it for
10.4.0.1
10.50.1
10.6.0.1
10.7.0.1
 

Could you elaborate on how to do this please?  Bit of a noob here. 

Shouldn't it be covered by step 6-D in the guide "Step 6-D: First AirVPN_LAN Firewall Rule "AirVPN LAN DNS REDIRECT""??
 

[Wolke68 5]

add this in your openvpn config


route 10.4.0.0 255.255.255.0;


set 10.4.0.1 DNS for DNS Server Settings
Nothing else to change.
If you want to look at the routing table in pfsense if the route 10.4.0.0 is set to your AirVPN internal IP
 

[joebywan 0]

6 hours ago, Wolke68 said:

add this in your openvpn config


route 10.4.0.0 255.255.255.0;


set 10.4.0.1 DNS for DNS Server Settings
Nothing else to change.
If you want to look at the routing table in pfsense if the route 10.4.0.0 is set to your AirVPN internal IP
 

So in System/General Setup if I setup 10.4.0.1 set to the vpn wan gateway, it won't automatically setup a route?

When you say put it in the config, I'm assuming I can just put it in the custom settings text box at the bottom?

[Wolke68 5]

in my tests it is not enough the route from the DNS 
if you test in pfsense the dns question you get no answers
with this extra route it is ok
 

[joebywan 0]

13 hours ago, Wolke68 said:

in my tests it is not enough the route from the DNS 
if you test in pfsense the dns question you get no answers
with this extra route it is ok
 

It worked, thanks!

[Wolke68 5]

Congratulations 😆

[exilewolf 0]

---

[exilewolf 0]

Has any one stated having issues in the last few days with this setup, I have been running this setup for about 2 years and had no issues up until last night.. 
Now I am getting this error when I try to connect.. anyone else or is it just me
 

Sep 25 04:26:54	openvpn	25923	[UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 25 04:26:54	openvpn	25923	TCP/UDP: Closing socket
Sep 25 04:26:54	openvpn	25923	SIGUSR1[soft,ping-restart] received, process restarting
Sep 25 04:26:54	openvpn	25923	Restart pause, 10 second(s)

UPDATE : :  found out my ISP was Blocking port 443 to vpn servers.. updated to a new IP good to go. 

[joebywan 0]

Was working fine then nothing changed on my end I started getting these log entries and the vpn's not coming up.

Oct 7 15:12:25	openvpn	20222	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 7 15:12:25	openvpn	20222	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 7 15:12:25	openvpn	20222	TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.178:443
Oct 7 15:12:25	openvpn	20222	Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 7 15:12:25	openvpn	20222	UDPv4 link local (bound): [AF_INET]192.168.0.3:0
Oct 7 15:12:25	openvpn	20222	UDPv4 link remote: [AF_INET]184.75.221.178:443
Oct 7 15:13:25	openvpn	20222	[UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 7 15:13:25	openvpn	20222	SIGUSR1[soft,ping-restart] received, process restarting
Oct 7 15:13:25	openvpn	20222	Restart pause, 300 second(s)
Oct 7 15:13:32	openvpn	20222	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 7 15:13:32	openvpn	20222	MANAGEMENT: CMD 'state 1'
Oct 7 15:13:32	openvpn	20222	MANAGEMENT: Client disconnected

Any ideas on how to get it going again?

[neptunus 0]

I have a setup like: https://nguvu.org/pfsense/pfsense-baseline-setup/
The connection with AirVPN is working and the test as described on the site are also working.

The challenge I have is that from VL20_VPN I cannot do a dns resolve on airvpn.org.
All other DNS resolves are going well.

Does anyone have tips on how I can solve this.

Edited ... by neptunus
Small update

[Lee47 23]

Hi has anyone managed to get Policy routing Websites ONLY to work under pfsense air ?

I am trying to get paypal or online banking sites to use the ISP ip, I see people got separate devices and pcs, tvs etc to work but not seen if its possible for websites only.

[go558a83nk 362]

1 hour ago, Lee47 said:

Hi has anyone managed to get Policy routing Websites ONLY to work under pfsense air ?

I am trying to get paypal or online banking sites to use the ISP ip, I see people got separate devices and pcs, tvs etc to work but not seen if its possible for websites only.

create aliases for things.  they can include FQDN.  Then create firewall rules for you LAN using those aliases to allow stuff via VPN or via WAN then create rules under those to block the interface you don't want them to use.

[tomquinn 0]

I followed NGVU's guide and everything seems to work. 
But all my computers must be on the LAN gateway. I have the pfsense connected to a dd-wrt router with wan and dhcp server off. How do I assign which devices go out which gateways? Do I do it on pfsense or dd-wrt?

Any help would be appreciated. 
 

[genuine3000 0]

Hi,
I'm busy to egress my firewall I was looking for a DNS rule to not allow other traffic go's to other public adress for example 8.8.8.8 or whatever
Ok redirect works fine for DNSleaks but if you hard-code it like apps or a person fills in DHCP to use 8.8.8.8 dns then we got a problem
So for security reasons i would like that al the traffic is generated by clients go to the redirected dns of airvpn

hope someone can help


never mind found the solution myself :-))

Edited ... by genuine3000
solution

[revolsnayr 0]

On 4/12/2016 at 10:09 PM, pfSense_fan said:

##### CLIENT OPTIONS #####; server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###; explicit-exit-notify 5; ##### TUNNEL OPTIONS #####; ### Use Multple "remote" entries with the according entry IP address of your favorite servers ###; ### other than the server entered in the "Server Host or Address" entry above and pfSense ###; ### will automatically recconnect in a round robin fashion if the server you are connected to ###; ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###; ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###; ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###; ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###; ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###; ###rcvbuf 262144; ###sndbuf 262144; mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###; fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###; ###tun-mtu 1500; ###mssfix 1450; ###keepalive 5 15; ##### DATA CHANNEL ENCRYPTION OPTIONS #####; key-direction 1; keysize 256 ### Size of key from cipher ###; prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###; ### replay-window n [t] ### Default = replay-window 64 15 ###; ### mute-replay-warnings; ##### TLS MODE OPTIONS #####; tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###; key-method 2 ### client generates a random key ###; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###; tls-timeout 2 ### Default = 2 ###; ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###; remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###; ### reneg-sec 3600;



Not sure if this was pointed out but I had everything working up until 2.4.4 and then I moved my modem/routers locations and lost connectivity on my VPN router.  After fixing multiple issues including a boot loop and having to do a reinstall from scratch, I noticed this setting for OpenVPN throws an AUTH error.  Instead of trying to fix it, I just removed it and run it on a single server without HA.  Any ideas on what's causing it?  I know this is an old thread but just curious.

[dIecbasC 38]

On 1/1/2020 at 12:54 AM, tomquinn said:

I followed NGVU's guide and everything seems to work. 

The nguvu baseline guide mentioned in this thread has been updated for pfSense v2.4.5. 

[EWK 0]

Followed this guide and it has been working great for a couple of years now. One question though, I have a Qotom with mulitple ports, only one gives internet rest gives network, no internet.
How do I get the others to work? They are OPT5 and OP6. Thanks!

[zapoteknico 8]

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 

[HughM 0]

4 minutes ago, zapoteknico said:

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 

Why can't you use multiple ports for multiple VLANs? This is in fact the setup I am currently preparing (with the help of the referenced article too). I then plan to have a smart switch filter the multiple VLANs to the firewal's ports. That way the router routes (at the network / IP level) and the switch switches (at the [V}LAN / link level). This seems perfect to me.

I plan to use an interface per subnet, in stead of a VLAN per subnet. Admittedly I am still learning and have not executed it yet, but this should work imho.

[zapoteknico 8]

Sorry I haven't been clear. It is not recommended to use the firewall as "router" in a way that you will plug multiple computers to the firewall ports like you would do using a switchand then having the firewall providing IP addresses in the same range (I. E 192.168.1.2 on one port, 193.168.1.3 on second port etc.)
If instead you are going to setup multiple subnets, then the guide provided will help you in doing that. If you check the guide you will see that each port of the firewall provides different ranges (192.168.10.x on first port, 192.168.20.x on second port etcetera) 
Hope this helps 
 

[HughM 0]

@zapoteknico thanks, yes I understand that and that is what I am planning too. So use physical ports on the router i.s.o. VLANS over a single physical port. I have attached a diagram with the various subnets (SECure, CLeaR, IOT, and WAN) and the switch in front of the pfSense router. The tagged VLANS go to other routers (not shown here.

[zapoteknico 8]

That's how should work. I do not have a VLAN switch but the guide helped me in doing exactly what u want to do. 
If your pfsense is already setup, you will not have to follow the entire guide but only the relevant configurations for the different pfsense ports(the are called vlan10, vlan20, vlan20 etc) 

[EWK 0]

7 hours ago, zapoteknico said:

It is not recommended to use a pfsense firewall with multi lab port as you would normally use a router you buy. 
If you are aiming to connect many computers directly to the pfsense firewall, as said you shouldn't do that. 
The guide here https://nguvu.org/pfsense/pfsense-baseline-setup/

Shows you how the firewall ports should be setup. 
The guide shows VLAN setting but they work exactly as they are normal port. 
I initially wanted to do what you are trying to do but then, after reading I followed the guide setting up only the vl20_VPN port and the VL30_clearnet one as backup if i will want to bypass the VPN. 
I then use a standard wireless router plugged to the vl20 port and all my devices connects to the wireless router. 
If I want to bypass the VPN, I just swap the cable connecting the pfsense to the router using the cable going out from the VL30_clearnet port 
 

Thank you for your answer. 
So the best solution is, that I should put an unmanaget switch behind it if I want to connect more devices?