How To Set Up pfSense 2.3 for AirVPN

[HughM 0]

It all depends on what you want to achieve. If you just want to either use the VPN WAN or the regular ISP WAN (i.e. only one at the time foar all clients in the home) then what you are proposing is possible without a VLAN capable switch or Wireless Access Point. One of the physical outer ports is then used for the VPN subnet, another for the Clearnet subnet. Switching the cable from the switch (or WAP) to the router from one router port to the other will then allow you to use either one or the other. This is then the subnet that all clients behind the switch / WAP will use. If you want a more sophisticated setup, with some clients in one subnet and others in the other subnet and also routing between the two sub-nets, you either need a smart switch (like in my drawing) or a WAP that supports multiple SSIDs, each mapping to a different VLAN ID. If there is no need for routing between the two subnets you could use two switches (one each behind the two router ports), but that is a very contrived setup imho.

[knall-knall 0]

Hello,

i have tried  to get AirVPN running under pfSense 2.4.5 following several guides including this one.
Unfortunately always with the same result.

I have taken great care to configure the parameters according to the tutorial and my config file, but it seems that the client never receives a response from the server:

Apr 10 23:27:28 openvpn 7197 TCP/UDP: Preserving recently used remote address: [AF_INET]178.162.204.219:443
Apr 10 23:27:28 openvpn 7197 Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 10 23:27:28 openvpn 7197 UDPv4 link local (bound): [AF_INET]192.168.1.100:0
Apr 10 23:27:28 openvpn 7197 UDPv4 link remote: [AF_INET]178,162,204,219:443 

(no log entry after that, VPN status stays pending)

With my own VPN server, the connection could be established without problems. I immediately saw the complete connection setup in the log here.

What could I miss in this case? 

[dIecbasC 38]

increase your log verbosity and post a full connection log for us. 

[knall-knall 0]

18 hours ago, dIecbasC said:

increase your log verbosity and post a full connection log for us. 

Apr 11 18:25:18 	openvpn 	2887 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 11 18:25:18 	openvpn 	2887 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 11 18:25:18 	openvpn 	2887 	TCP/UDP: Preserving recently used remote address: [AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 link local (bound): [AF_INET]192.168.1.100:0
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 link remote: [AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Apr 11 18:25:18 	openvpn 	2887 	SENT PING
Apr 11 18:25:18 	openvpn 	2887 	TIMER: coarse timer wakeup 1 seconds
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:18 	openvpn 	2887 	ACK mark active outgoing ID 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: Initial Handshake, sid=40b6e54b 69557143
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_can_send active=1 current=1 : [1] 0
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send ID 0 (size=4 to=2)
Apr 11 18:25:18 	openvpn 	2887 	ENCRYPT HMAC: 000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe[more...]
Apr 11 18:25:18 	openvpn 	2887 	ENCRYPT TO: 000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe[more...]
Apr 11 18:25:18 	openvpn 	2887 	Reliable -> TCP/UDP
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send_timeout 2 [1] 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: timeout set to 2
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	RANDOM USEC=183806
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 WRITE [86] to [AF_INET]178.162.204.219:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=40b6e54b 69557143 tls_hmac=000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe7 6437d462 b78b019b 5cb6ac8b ef2b2fcb 25e16404 dd370152 ef0821ba 8f1bd43e pid=[ #1 / time = (1586622318) Sat Apr 11 1
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 write returned 86
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_can_send active=1 current=0 : [1] 0
Apr 11 18:25:18 	openvpn 	2887 	SSL state (connect): before/connect initialization
Apr 11 18:25:18 	openvpn 	2887 	SSL state (connect): SSLv2/v3 write client hello A
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send_timeout 2 [1] 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: timeout set to 2
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=5 arg=0x006a6f90
Apr 11 18:25:18 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=4 arg=0x006a5de8
Apr 11 18:25:18 	openvpn 	2887 	I/O WAIT T?|T?|SR|Sw [1/183806]
Apr 11 18:25:19 	openvpn 	2887 	event_wait returned 0
Apr 11 18:25:19 	openvpn 	2887 	I/O WAIT status=0x0020
Apr 11 18:25:19 	openvpn 	2887 	TIMER: coarse timer wakeup 1 seconds
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:19 	openvpn 	2887 	ACK reliable_can_send active=1 current=0 : [1] 0
Apr 11 18:25:19 	openvpn 	2887 	ACK reliable_send_timeout 1 [1] 0
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_process: timeout set to 1
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:19 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=5 arg=0x006a6f90
Apr 11 18:25:19 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=4 arg=0x006a5de8
Apr 11 18:25:19 	openvpn 	2887 	I/O WAIT T?|T?|SR|Sw [1/183806] 

[dIecbasC 38]

Check your TLS key config and cipher settings. This doesn't look too clever. 

TLS Warning: no data channel send key available

[knall-knall 0]

Checked the settings again. 
The parameters are set according to https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ (see screenshot attached).
Unfortunately, I can't find the misconfiguration. 
Custom settings:

client; persist-key; persist-tun; remote-cert-tls server; prng sha256 64; mlock; auth-nocache;

 

[dIecbasC 38]

the other thing Ive seen trip folks up is to make sure you connect to the right end point on the airvpn server, theres a TLS connection when you generate your certificate etc. 

 

[knall-knall 0]

that did the trick!
thank you very much for your help.

[EWK 0]

could anyone help me with this,
 

[zapoteknico 8]

What help do you need? 

 

[SumRndmDude 22]

The guide posted https://nguvu.org/pfsense/pfsense-baseline-setup/ has been updated for 2.4.5 and the person who runs the site does a brilliant job explaining the steps. A massive amount has not changed in the pfSense configuration, but there are a few performance tweaks and settings dealing with encryption/ciphers. Also, while the guide is setup for a multi-lan/multi-wan (redundancy), those not needing those can skip the steps easily without mucking up the setup.

[BuiltOnSelfSuccess 1]

Hello AirVPN Community!

I've been using AirVPN for years now but I'm really stuck and would appreciate your valuable input in helping resolve an issue that I have had for the past few weeks. Troubleshooting using some of the recommendations in various threads on here unfortunately has not resolved the issue for me.
I have been running OpenVPN on pfSense for a few years following the setup guide here. However over the past few weeks I noticed that my download speeds seemed to have dropped from 200mb to around 60mb. I suspected that it was down to all the people now working remotely and "clogging up the pipes" but this seemed to have dropped further to around 30mb. I can connect directly to my router to bypass the VPN and can achieve over 200mb throuput on my 200mb line.

I got researching and it seemed that there was another setup guide to compliment this one with a few updated sections: https://nguvu.org/pfsense/pfsense-baseline-setup/ so off I went and updated my OpenVPN settings to match the settings in the guide. This is where I get the Doh! moment, I now achieve download speeds of around 10mb, sometimes less!😭

CPU
Intel(R) Celeron(R) CPU N3160 @ 1.60GHz

4 CPUs: 1 package(s) x 4 core(s)

AES-NI CPU Crypto: Yes (active)

usage seems to sit between 10 and 20%

and memory usage at around 17%

The things I've tried:
Changing "Auth digest algorithm" from SHA512 to SHA256
Adding AES-256-CBC to the existing AES-256-GCM NCP Algorithms
Hardware crypto options changed as per:
I currently have the same "Custom options" from the updated guide:
client; persist-key; persist-tun; remote-cert-tls server; prng sha256 64; mlock; auth-nocache;

I have also tried:

sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

and

socket-flags TCP_NODELAY;

auth-nocache;

mlock;

key-direction 1;

tls-version-min 1.2;

key-method 2;

tls-timeout 2;

remote-cert-tls server;

mssfix 0;

tun-mtu 20000;

explicit-exit-notify 5;

persist-key;

persist-tun;

prng sha256 64;

Each time I change the settings I test the speed to see if there is any difference but overall not much.
I'm using Speedtest.net and https://sourceforge.net/speedtest/ to test speeds.

I've also got Snort, Service Watchdog and pfBlockerNG-devel running.
The Gateway status shows Online with 0.0% loss.
All interfaces are up.

Any help or guidance would be greatly appreciated!

[BuiltOnSelfSuccess 1]

On 4/29/2020 at 1:33 PM, BuiltOnSelfSuccess said:

Hello AirVPN Community!

I've been using AirVPN for years now but I'm really stuck and would appreciate your valuable input in helping resolve an issue that I have had for the past few weeks. Troubleshooting using some of the recommendations in various threads on here unfortunately has not resolved the issue for me.
I have been running OpenVPN on pfSense for a few years following the setup guide here. However over the past few weeks I noticed that my download speeds seemed to have dropped from 200mb to around 60mb. I suspected that it was down to all the people now working remotely and "clogging up the pipes" but this seemed to have dropped further to around 30mb. I can connect directly to my router to bypass the VPN and can achieve over 200mb throuput on my 200mb line.

I got researching and it seemed that there was another setup guide to compliment this one with a few updated sections: https://nguvu.org/pfsense/pfsense-baseline-setup/ so off I went and updated my OpenVPN settings to match the settings in the guide. This is where I get the Doh! moment, I now achieve download speeds of around 10mb, sometimes less!😭

CPU
Intel(R) Celeron(R) CPU N3160 @ 1.60GHz

4 CPUs: 1 package(s) x 4 core(s)

AES-NI CPU Crypto: Yes (active)

usage seems to sit between 10 and 20%

and memory usage at around 17%

The things I've tried:
Changing "Auth digest algorithm" from SHA512 to SHA256
Adding AES-256-CBC to the existing AES-256-GCM NCP Algorithms
Hardware crypto options changed as per:
I currently have the same "Custom options" from the updated guide:
client; persist-key; persist-tun; remote-cert-tls server; prng sha256 64; mlock; auth-nocache;

I have also tried:

sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

and

socket-flags TCP_NODELAY;

auth-nocache;

mlock;

key-direction 1;

tls-version-min 1.2;

key-method 2;

tls-timeout 2;

remote-cert-tls server;

mssfix 0;

tun-mtu 20000;

explicit-exit-notify 5;

persist-key;

persist-tun;

prng sha256 64;

Each time I change the settings I test the speed to see if there is any difference but overall not much.
I'm using Speedtest.net and https://sourceforge.net/speedtest/ to test speeds.

I've also got Snort, Service Watchdog and pfBlockerNG-devel running.
The Gateway status shows Online with 0.0% loss.
All interfaces are up.

Any help or guidance would be greatly appreciated!

I've now also tried the recommendations here: https://docs.netgate.com/pfsense/en/latest/interfaces/low-throughput-troubleshooting.html#vpn-mtu-issues

I disabled pfBlockerNG

I disabled Snort

Still I'm stuck with 10mb download speed and 20mb upload on a 200/20 line.....

[BuiltOnSelfSuccess 1]

23 hours ago, BuiltOnSelfSuccess said:

I've now also tried the recommendations here: https://docs.netgate.com/pfsense/en/latest/interfaces/low-throughput-troubleshooting.html#vpn-mtu-issues

I disabled pfBlockerNG

I disabled Snort

Still I'm stuck with 10mb download speed and 20mb upload on a 200/20 line.....

 

In the end all I did was change to a different server with a different entry IP, I get over 200mb throughput now.

Thank you for the replies.

[Hoox 0]

I did a new install in pfsense 2.4.5 following this guide. Everything looks good, but I cant seem to get ip from DHCP server on VLAN20 (VPN).
This is from the log:

Jul 4 14:22:09	dhcpd		DHCPOFFER on 10.0.20.100 to 94:de:80:f8:59:d4 (VPN-PC) via igb2.20
Jul 4 14:22:09	dhcpd		DHCPDISCOVER from 94:de:80:f8:59:d4 (VPN-PC) via igb2.20

So it seems like the DHCP server sees the client and offer an IP in the correct subnet, but there is no DHCPACK from the client afterwards. I tried with different machines also. 
Other VLANs works fine. Clients gets IPs.
Something I forgot for VLAN20? Some firewall rule?

[zapoteknico 8]

I'd your computer/machine directly plugged to the pfsense firewall?
Did you try restarting the dhcp server? 
It is my understanding firewall rules have no impact on the dhcp server and IP assignation

[Wolke68 5]

This sample isnt  with VLAN20 i thought you mean pfSense ngu samples

https://nguvu.org/pfsense/pfsense-baseline-setup/
 

[Hoox 0]

Correct, I followed the guide on nguvu.org.

I found the error with the VLAN - turns out I forgot about an old ACL on this interface on the switch. When I deleted it all worked as intended! 😁

[Polius 1]

On 4/12/2020 at 8:32 AM, dIecbasC said:

the other thing Ive seen trip folks up is to make sure you connect to the right end point on the airvpn server, theres a TLS connection when you generate your certificate etc. 

 

What about mine? What's the problem here?
I'm a noob by the way, please understand.

 Nov 7 14:05:44     openvpn     63938     Restart pause, 80 second(s)
Nov 7 14:05:44     openvpn     63938     SIGUSR1[connection failed(soft),init_instance] received, process restarting
Nov 7 14:05:44     openvpn     63938     TCP: connect to [AF_INET]193.148.16.213:443 failed: Permission denied
Nov 7 14:05:44     openvpn     63938     Attempting to establish TCP connection with [AF_INET]193.148.16.213:443 [nonblock]
Nov 7 14:05:44     openvpn     63938     Socket Buffers: R=[65228->65228] S=[65228->65228]
Nov 7 14:05:44     openvpn     63938     TCP/UDP: Preserving recently used remote address: [AF_INET]193.148.16.213:443
Nov 7 14:05:44     openvpn     63938     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 7 14:04:24     openvpn     63938     Restart pause, 80 second(s)
Nov 7 14:04:24     openvpn     63938     SIGUSR1[connection failed(soft),init_instance] received, process restarting
Nov 7 14:04:24     openvpn     63938     TCP: connect to [AF_INET]193.148.16.213:443 failed: Permission denied
Nov 7 14:04:24     openvpn     63938     Attempting to establish TCP connection with [AF_INET]193.148.16.213:443 [nonblock]
Nov 7 14:04:24     openvpn     63938     Socket Buffers: R=[65228->65228] S=[65228->65228]
Nov 7 14:04:24     openvpn     63938     TCP/UDP: Preserving recently used remote address: [AF_INET]193.148.16.213:443
Nov 7 14:04:24     openvpn     63938     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 7 14:03:44     openvpn     63938     Restart pause, 40 second(s) Edited ... by Polius
typo

[Wolke68 5]

I think this is your problem


TCP: connect to [AF_INET]193.148.16.213:443 failed: Permission denied

why you wanna youse TCP?

[Polius 1]

Ok guys, the problem is resolved. It's my firewall rule blocking the connection...there's nothing wrong with using TCP or UDP, that's not the problem. They both will work.
 

Also, for people who are stuck: DO NOT FOLLOW THIS GUIDE!! If you follow this guide, you will fail, as it's outdated and a lot of settings are not shown and if do follow it, you won't know where the problem is.

Do follow this guide https://nguvu.org/pfsense/pfsense-baseline-setup/ It's updated with the latest settings.

For example, in pfsense 2.4.5, we have "TLS Key Usage Mode:" in OpenVPN Client settings and you have to toggle it to "TLS Encryption and Authentication". If you leave it as "TLS Authentication", which is the default, your connection will fail. (If you follow this guide, you will skip it altogether and your connection will fail)

Hope this helps someone out there and thanks for whoever authors nguvu.org, it's literally saving lives! Edited ... by Polius
typo

[bobsnail 0]

I posted a query yesterday in the problems section, but with hindisght it sits better here.  I followed the latest guidance at nguvu.org (mentioned above), everything simple (if longwinded)

1) my subnets are 'up' on the summary screen, but dont work.  So i can go to my LAN 192.168.1.1 and access the management screens, but if i got to the management subnet 192.168.10.1 etc then the interface just times out.  i can actaully ping the subnets but cant connect to mamangement console.  any ideas please?

2) my vpn connection wont connec, it just says 'inactivity timeout' in the logs
 

Nov 9 20:07:56	openvpn	94791	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 9 20:07:56	openvpn	94791	TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.101.132:443
Nov 9 20:07:56	openvpn	94791	UDPv4 link local (bound): [AF_INET]192.168.0.56:0
Nov 9 20:07:56	openvpn	94791	UDPv4 link remote: [AF_INET]141.98.101.132:443
Nov 9 20:08:26	openvpn	94791	[UNDEF] Inactivity timeout (--ping-restart), restarting
Nov 9 20:08:26	openvpn	94791	SIGUSR1[soft,ping-restart] received, process restarting

3)  In the instructions under 'create VPN connection' it says 
 

• TLS Key = Paste contents of the ta.key/tls-crypt.key downloaded here 


Does that mean I post either/or/both? That was the only step I was unsure of (i tried the contents of both files one at a time but neother made a difference)

I always struggle with the instructions for pfsense/airvpn (since v2.1)  Im often envious of how simple the setup appears to be with other providers, but i do love airVPN..

Any help very much appreciated

[Polius 1]

On 11/9/2020 at 8:13 PM, bobsnail said:

3)  In the instructions under 'create VPN connection' it says 

 

• TLS Key = Paste contents of the ta.key/tls-crypt.key downloaded here 


Does that mean I post either/or/both? That was the only step I was unsure of (i tried the contents of both files one at a time but neother made a difference)

I always struggle with the instructions for pfsense/airvpn (since v2.1)  Im often envious of how simple the setup appears to be with other providers, but i do love airVPN..

Any help very much appreciated

Not sure about the other 2 but I can answer this one
You paste tls-crypt.key there only. I believe "ta.key" (ca.key?) is pasted in the certificate section.

You might have to do some trial and error but when it's connected, it should look like this:


BTW, off topic: a few custom directives needs to be removed if you use the config generator file:
dev tun
route-delay 5

if you follow the guide, you won't need to worry about them. Edited ... by Polius

[Polius 1]

You don't need to follow the whole guide if your network is simple like mine is. You only need to follow the "Create and configure the VPN client" section. And maybe DNS resolver and make your own firewall rules.

A simpler guide if you search "pfsense nordvpn"

I use them both actually; the openvpn client section you have to follow nguvu though, but the above link will save you a lot of time!

I used to use Nord, but of course, now I know that airvpn service is so much better. GL

Edited ... by Polius

[bobsnail 0]

Polius, thanks for taking the time to reply.  ive had AirVPN working over PfSense since i joined in 2016 but its always been a battle with each config change.  Actually the nordVPN  (and the ExpressVPN) instructions  are very similar to each other, so i know getting it working should be much simpler than the AirVPN guide.    know them off by heart lol (apprecaite theres differences like you dont need to provide account details with AirVPN etc)

Ive atually made a bit of progress i changed the config files and that made a difference (no idea why as the server Nashira was up and working in Eddie and i checked the Certs and keys several times but switched to NAOS helped).  Tunnel is now up, but when i go to IPleak.net my DNS is over AirVPN now, but my main traffic isnt lol.  I know its something ive done wrong, im figuring its NAT related, but checked them (and the firewall rules) several times over a coulpe of days now).  Its driving me crazy.

I shall keep plodding along... it will probally work eventually... just bored of this battle every time