pfSense_fan

How To Set Up pfSense 2.3 for AirVPN


 

pfBlockerNG worked for me on all of my VM's while testing 2.3.

 

I had some oddities with system tunables when going the upgrade route, but when I did a clean install everything worked well, beyond well. I did not restore all settings. I restored my aliases, but manually programmed everything else. I feel it was worth it.

 

There were some buggy issues on 2.2.6 with the DNS Resolver not taking the settings that were input all of the time, this seems to be fixed in 2.3. That bug carried over on upgrades, but is nonexistent with the clean install.

 

 

I cannot stress how much I recommend upgrading for all of the security and performance upgrades this offers.

 

how are you testing for the DNS bugs?  problems with system tunables that are important?  at this point I'm hesitant to do a clean install. 

 

I have multiple hardware installs as well as VM's that I test on prior to implementing. 

I didn't say bugs with tunables, I said oddities - nor did I say they were important. The list of default tunables on 2.2.x are different from those on 2.3. I found that when I upgraded, it kept the list from 2.2.x and did not "update" the tunables list. At first I assumed it was because I have a highly customized group of settings, but that behavior stayed even if I performed a restore to factory defaults prior to upgrading. That being said, the correct upgraded values were there when queried from the command prompt. Nonetheless it takes little effort to install fresh. I restored the settings that would have taken the most time to re-enter manually, my aliases. The rest took me less than an hour to set back up, including activating TRIM for my SSD.

 

Your takeaway of being afraid to upgrade is backwards though. The actual bugs are in the old software and have been addressed. You absolutely should upgrade. I always recommend backing up all settings and doing a fresh install if possible. Not just backing up the whole system setting, but each individual area as well. Then you can try upgrading. If that works out... GREAT! If you see anomalies, you can do a clean install and restore what you need from your settings.

 

Just understand that the issues I am speaking of are on 2.2.x, so even if, and that is only an if because they may not, but even if they carry over, you are still more secure than now due to all the other updates to the base system etc.

 

 

Actually the only system tunable that was removed from upstream FreeBSD 10.3 is

net.inet.ip.fastforwarding.

The reason why it was removed, and why a better approach was required, can be

found in this post: https://blog.pfsense.org/?p=1866

 

That is not at all what I was referring to. Our short conversation on that tunable was only due to my trying to have a portion of the guide touch base on tunables. I was auditing that list last night prior to releasing and came across that. The oddities I spoke of are not related, at all.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


I'm already on 2.3 Release via upgrade from 2.2.6.  I'm just hesitant to do a clean install because everything seems to be working.  That's why I asked how you're testing DNS and if the tunables problem was important.


just want to thank you again and say that more people should take advantage of your guide here and begin using a pfsense machine with decent CPU.  I can now run my AMD APU at 1400MHz (minimum state in powerd) and still max out my ISP line through openvpn tunnel to Air (120mbit/s).  that's only 200MHz faster than my router which struggled to do 50mbit/s and it runs nice and cool.  and my build was only $127, cheaper than a nice router.


I'm already on 2.3 Release via upgrade from 2.2.6. I'm just hesitant to do a clean install because everything seems to be working. That's why I asked how you're testing DNS and if the tunables problem was important.

 

Ahh, I see now.

 

You would know right away if it had the bug by entering only one DNS on the general settings page. You would either have no DNS at all, be unable to change DNS (the entry would show as changed, but it would not use it), or have DNS leaks galore (due to reverting to the root.hints file) if it bugged on you. If none of those, you are good. It revolved around having to enter all four DNS forwarding entries instead of just one, which was discussed in the preview/beta guides private thread.

 

I am able to just use one entered DNS, 10.4.0.1, no issues at all.

 

just want to thank you again and say that more people should take advantage of your guide here and begin using a pfsense machine with decent CPU. I can now run my AMD APU at 1400MHz (minimum state in powerd) and still max out my ISP line through openvpn tunnel to Air (120mbit/s). that's only 200MHz faster than my router which struggled to do 50mbit/s and it runs nice and cool. and my build was only $127, cheaper than a nice router.

 

It's nice to hear that powerd is working with the AMD. A few years ago they were not compatible.

 

 

Care to share the hardware you are using? I would love to know myself what hardware is working well for others.



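The DNS check described in the post above can also be run against the resolver's generated configuration. This is an added example, not from the thread or the guide: it assumes the DNS Resolver is unbound, that forwarding mode is written as a `forward-zone` for `"."`, and that on pfSense the file to inspect is `/var/unbound/unbound.conf`; the function names, verdict labels and sample configs are constructed, and 192.0.2.53 is a documentation address standing in for a stale upstream.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the DNS Resolver is unbound
# and forwarding mode appears in its config as a forward-zone for "." (root).

# dns_verdict CONF EXPECTED_IP  ->  prints one of:
#   OK              every upstream of the root forward-zone is EXPECTED_IP
#   ROOT_HINTS      no root forward-zone with an upstream: unbound would
#                   recurse from the root servers (the leak case in the post)
#   WRONG_UPSTREAM  a forward-addr differs from EXPECTED_IP (the setting
#                   shows as changed but is not what the resolver uses)
dns_verdict() {
    awk -v want="$2" '
        # Fold the clause that just ended into the totals.
        function close_clause() {
            if (in_fz && is_root) { n += cnt; bad += cbad }
            cnt = 0; cbad = 0; is_root = 0
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        # A bare "word:" line starts a new clause (server:, forward-zone:, ...).
        /^[a-z-]+:$/ { close_clause(); in_fz = ($0 == "forward-zone:"); next }
        in_fz && $1 == "name:" { v = $2; gsub(/"/, "", v); is_root = (v == "."); next }
        in_fz && $1 == "forward-addr:" {
            a = $2; sub(/@.*/, "", a)                      # ignore optional @port
            cnt++; if (a != want) cbad++
        }
        END {
            close_clause()
            if (n == 0)       print "ROOT_HINTS"
            else if (bad > 0) print "WRONG_UPSTREAM"
            else              print "OK"
        }' "$1"
}

# Constructed sample configs (not captured from a real firewall).
make_samples() {
    printf 'server:\n\tinterface: 192.168.1.1\nforward-zone:\n\tname: "."\n\tforward-addr: 10.4.0.1\n' \
        > "$1/good.conf"
    printf 'server:\n\tinterface: 192.168.1.1\n\troot-hints: "/var/unbound/root.hints"\n' \
        > "$1/hints.conf"
    printf 'server:\n\tinterface: 192.168.1.1\nforward-zone:\n\tname: "."\n\tforward-addr: 192.0.2.53@53  # stale\n' \
        > "$1/stale.conf"
}

# Demo: expect the VPN resolver 10.4.0.1 mentioned in the post.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in good hints stale; do
    printf '%-6s %s\n' "$f" "$(dns_verdict "$tmp/$f.conf" 10.4.0.1)"
done
rm -rf "$tmp"
```

On a live firewall the call would be `dns_verdict /var/unbound/unbound.conf 10.4.0.1`, with the path being the assumption stated above.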
Went to a local store and purchased the parts.  With manufacturer rebate bundles the price was cheap.

 

Got an AMD A6-7400K with an MSI A68HM-E33 V2 motherboard.  Unfortunately this comes with a realtek NIC (gigabit) but it was basically free after rebates.  my other NIC is a D-Link DGE-560T that I've had for a while.  Since this is my first try I didn't want to go all out and get Intel.  so far I haven't noticed a problem.

 

got a cheap used hdd for only $4 also, and a cheap 2GB stick of RAM.

 

It's not small form factor so if space is important to you this isn't the way to go.

 

Regarding temperatures and powerd. Somewhere in all the builds released leading up to 2.3 thermal sensors started to work. However, it seems pfsense reads temperatures wrong. I'm wondering if some part thinks the readout is in Fahrenheit and is converting to Celsius. Most of the time it reads temps 6-8C, which is impossible.

 

Powerd definitely works.  I can see the frequency change (in dashboard info) if in adaptive mode and also watch the temperature rise so I'm pretty sure the frequency readout is true.  One thing to note is that for this hardware it seems that "cool n quiet" has to be turned on in the BIOS for powerd to work.


Powerd definitely works.  I can see the frequency change (in dashboard info) if in adaptive mode and also watch the temperature rise so I'm pretty sure the frequency readout is true.  One thing to note is that for this hardware it seems that "cool n quiet" has to be turned on in the BIOS for powerd to work.

 

Good to know. I had an AMD APU as my first build, cool n quiet caused it to crash, and powerd did not work. Other users here had the same issue. It ran at full power at all times, something like 110 watts with hard drive and fans, and led me to use Intel.

 

My Rangeley with drive and 120mm fan uses something like 18 watts and maxes at about 30. I keep it in a rack mount 4u case which is bigger than it needs, but allows a silent 120mm fan. Power efficiency really does add up, so I didn't mind spending $500 for all new motherboard, memory, platinum rated PSU and server case. The electricity bill savings will cover the difference over a few years, which I will certainly still be using it.

 

It actually uses less power than my wireless access point.

 

 



Hi! I setup pfsense 2.3 with this manual, but no internet. I think the problem is in the firewall configuration.

 

That's a hugely vague description. Or would it be minimally vague? Dunno, whatever.

 

Main status page for pfSense. Do your WAN and AirVPN_WAN interfaces both have IP addresses?


 

Hi! I setup pfsense 2.3 with this manual, but no internet. I think the problem is in the firewall configuration.

 

That's a hugely vague description. Or would it be minimally vague? Dunno, whatever.

 

Main status page for pfSense. Do your WAN and AirVPN_WAN interfaces both have IP addresses?

 

 

Yes, please check if your gateways have an IP address.

 

If they do, can you verify that on "Step 6-I: Sixth AirVPN_LAN Firewall Rule" that you did indeed set the AirVPN_WAN gateway in the advanced area of that rule's settings page?



I had never worked with pfSense or any other advanced routing software before, but with this guide I was able to get pfSense, running in a VM, 100% functional on my first try!

Thanks a lot for taking the time to write such an elaborate and detailed guide.

 

I was able to spot some very minor errors however. You might want to change these in order to prevent some confusion for people who know even less about networking than I do:

1. In step 6-H.3, The destination fields are empty, I believe these should be "Single host or alias" and "PRIVATE_NETWORKS".

2. Same thing as 6-H.3 in step 6-I.3, where the first destination field should be "any".

3. In step 6-K.2, the rules that were generated for DNS & NTP redirect had "AirVPN_LAN net" as source for me, while the guide said it should be "*". Not sure if I did something wrong that caused this or if the source was simply missing from the example in the guide. Also, the description of "REJECT LOCAL" featured an underscore in step 6-K.2, but a space in step 6-J.3.

4. In Step 7-D.2, the "Direction" setting is missing from the guide example.

 

These errors probably won't cause any problems, since most people will be able to determine what the settings should be, like I did, but I thought you would want to know anyway.

Again, thanks a lot for writing this guide, it would have taken me ages to setup my network without it.


I had never worked with pfSense or any other advanced routing software before, but with this guide I was able to get pfSense, running in a VM, 100% functional on my first try!

Thanks a lot for taking the time to write such an elaborate and detailed guide.

 

I was able to spot some very minor errors however. You might want to change these in order to prevent some confusion for people who know even less about networking than I do:

1. In step 6-H.3, The destination fields are empty, I believe these should be "Single host or alias" and "PRIVATE_NETWORKS".

2. Same thing as 6-H.3 in step 6-I.3, where the first destination field should be "any".

3. In step 6-K.2, the rules that were generated for DNS & NTP redirect had "AirVPN_LAN net" as source for me, while the guide said it should be "*". Not sure if I did something wrong that caused this or if the source was simply missing from the example in the guide. Also, the description of "REJECT LOCAL" featured an underscore in step 6-K.2, but a space in step 6-J.3.

4. In Step 7-D.2, the "Direction" setting is missing from the guide example.

 

These errors probably won't cause any problems, since most people will be able to determine what the settings should be, like I did, but I thought you would want to know anyway.

Again, thanks a lot for writing this guide, it would have taken me ages to setup my network without it.

Glad to hear it helped you out!

 

All issues should be fixed now. Thank you for pointing them out. It's hard to notice these things in the text editor. It's a giant wall of text.



Planning on trying this out soon, but my mini PC wireless isn't supported by pf-sense apparently. How can I setup PF-sense without wireless then run it into my router to broadcast? With DHCP turned on? Is that how I would even do it?


Yes, for best results set your router to access point mode. Most new-ish routers have this option. In access point mode, NAT is turned off on your router and it essentially runs as a switch. Plug it in to an interface and DHCP will pass right through it. This is the best way to do this, wireless support in FreeBSD and hence pfSense leaves something to be desired, but that really all depends on your personal use case.

 

You could also look into something more professional such as the Unifi access points from Ubiquiti Networks.



Great work!

 

Do you have experience/knowledge about setting up TOR on pfSense and configure AirVPN over TOR directly on the pfSense?

 

 

I do not.

 

That is far beyond the scope of what this guide is intended to be. This is just intended to be a point of entry and educational guide for people to gain the confidence to move away from lackluster and insecure consumer products. Nothing more.



Hello Pfsense fan, great guides, I just have this question I originally setup all the pfsense rules and openvpn while still in 2.2.x versions so I updated to 2.3 but don't have time right now to setup all rules, are my previous version settings ok until I get all the other rules setup or am I in a security risk, I did have to make a couple of changes to my old settings so the openvpn would communicate with air remote server but everything else seems to be running just fine. And thanks again.


Hello Pfsense fan, great guides, I just have this question I originally setup all the pfsense rules and openvpn while still in 2.2.x versions so I updated to 2.3 but don't have time right now to setup all rules, are my previous version settings ok until I get all the other rules setup or am I in a security risk, I did have to make a couple of changes to my old settings so the openvpn would communicate with air remote server but everything else seems to be running just fine. And thanks again.

 

 

The short answer is this: I updated the steps for a reason.

 

Conversely, nothing in this entire guide is "required" except steps 2/3/4. AirVPN will be fully functional on pfSense with those three steps alone.

 

Still, without further steps, many users, if not most still could not get clients to use the VPN. I was helping so many, I made the guide with the basic steps to further use the VPN on clients. The old guide was simply a guide on how to get started, and also avoid some DNS leaking. I actually consciously made it simple because there are so many different use cases that it is impossible for me to support/help users troubleshoot them. The old guide had zero, and I mean zero outbound firewall protection aside from DNS. The default allow outbound rule was migrated for use on whichever "LAN" was used in the old guide. This guide has some introductory examples on how to create local and outbound firewall rules. The old guide blocked all local traffic, this guide has examples on how to permit common local services.

 

Since that time my knowledge of this area has grown, and I am now sharing the basic knowledge of a "Deny all, only allow what you need" security policy. While this setup could be considered harder and will require more user interaction, it is the correct way to use the firewall.

tl;dr = With the old guide your outgoing traffic is slightly more secure than a consumer router, but not much. If you keep the rules, you keep that level of security. At the end of the day, it's a personal preference. My opinion is that everyone who used the old guide should take the time to migrate, but to each their own.

 



Hey all,

 

Thank you very much for this new tutorial worked like a charm to me, did several attempts with the 'old' one with no success.

This one worked very well and I find it clearer also.

 

I have a couple of questions tho:

 

1) If I generate a TCP 443 certificate does it change something in particular besides the OpenVPN Client configuration ?

 

2) Is there any way to change 'easily' (with a minimum of steps) the AirVPN Server I connect to ?

 

 

Thank you very much for your time.

 

 

n.


Hey all,

 

Thank you very much for this new tutorial worked like a charm to me, did several attempts with the 'old' one with no success.

This one worked very well and I find it clearer also.

 

I have a couple of questions tho:

 

1) If I generate a TCP 443 certificate does it change something in particular besides the OpenVPN Client configuration ?

 

2) Is there any way to change 'easily' (with a minimum of steps) the AirVPN Server I connect to ?

 

 

Thank you very much for your time.

 

 

n.

 

You are welcome and I am glad to hear it went so well. Please take a moment to rate/like the post so other users may know the guide has been tested and works for those who have tried it!

1) Any setting that is changed from the OVPN config you download compared to the "standard" OVPN config I used as an example would need to be adjusted accordingly. The guide shows where the settings go, just adjust as needed.

2) All you need to do is change the entry IP on the "Server host or address" line in the OpenVPN client page on pfsense, then save. You may also need to reset states after saving:

https://192.168.1.1/diag_resetstate.php


Yes, for best results set your router to access point mode. Most new-ish routers have this option. In access point mode, NAT is turned off on your router and it essentially runs as a switch. Plug it in to an interface and DHCP will pass right through it. This is the best way to do this, wireless support in FreeBSD and hence pfSense leaves something to be desired, but that really all depends on your personal use case.

 

You could also look into something more professional such as the Unifi access points from Ubiquiti Networks.

 

Thanks I appreciate the response!


Ugh I keep having problems with pfSense. I'm about to quit.  

 

When I try and boot up 2.3 it gets hung on "Trying to mount root from ufs:/dev/ufs/pfSense [ro]". It won't do anything after displaying that message.

 

When I boot up 2.2.6 I can install until it comes time to detect the WAN and I don't have one on that machine and I don't know how to skip it so I can't even get past that part. It just keeps asking me to detect the WAN. FML. 


Download again and reflash to usb stick if that is what you are doing. I had this happen to me as well. Downloaded again, reflashed using rufus and off I went. It does sit on that screen for a minute though.



Hello, pfSense_fan,

I want to thank you for your guide on how to setup PFSense 2.3 for use with AirVPN. I have my PFSense box setup following your detailed instructions, and it is working great. I appreciate the effort that you went to, providing myself and others with your guide. I know it was a lot of work that took many hours and days to compile.

 

I had been using your previous PFSense guide for AirVPN for the last couple of years without any problems. It still works perfectly by the way. It has always updated and continued working fine whenever a newer version of PFSense was released. I hope this guide will last as long as your previous one has.

 

Thanks again.

