How To Set Up pfSense 2.3 for AirVPN

[mcaid 0]

Fantastic guide. Thank you! It works! :-)

 

Any advice on how I can have PFSense send Netflix/Hulu/etc traffic out NOT through the VPN? I'm in the US, and trying to reach the US Netflix/Hulu services, but they block VPNs now. I would like any traffic from my home to Netflix/Hulu to just use my "regular" connection. Is that doable here?

[go558a83nk 362]

Fantastic guide. Thank you! It works! :-)

 

Any advice on how I can have PFSense send Netflix/Hulu/etc traffic out NOT through the VPN? I'm in the US, and trying to reach the US Netflix/Hulu services, but they block VPNs now. I would like any traffic from my home to Netflix/Hulu to just use my "regular" connection. Is that doable here?

 

pretty much can't isolate netflix traffic.  I don't know about hulu but netflix uses an endless variety of amazon servers which would mean you need to also put all amazon servers outside the VPN.

 

you may as well just route a device outside the VPN for those services. 

[dssguy11 4]

yup, I think that is right. Netflix sucks for doing that.

[juniormaxx 0]

i'm new and trying to figure things out with pFsense, I've got access to 1 AirVPN port on a 4 port nic, but I can't get the others working.  I want to set up all 4 ports 2 AirVPN ports, 1 in USA and 1 in Europe. I also want to have direct access to my ISP on the other 2 ports. is there a thread or instructions on how to set these up.  i'd really appreciate anyone's help.  this is headed in the right direction I just need to go the extra to make it perfect.

 

thanks for taking the time to read this.  

[Peen 0]

Hi, awesome guide! Worked great, except for a problem with my local Cox IP being shown in dnsleak.com, and a few other leak tests. This issue was only happening with Squid Proxy running. Trying a ton of peoples recommendations, nothing was working including deleting X-Forwarded head mode, and disabling VIA Header.

 

This is what I found to work with Squid, even though it was frowned upon in guide...I checked default gateway and problem was solved. So if someone else is having this issue, hopefully this will save them some time. CHECK DEFAULT GATEWAY!

 

Set as follows: 
------------------------------------------------------------------------------------
Edit Gateway
------------------------------------------------------------------------------------
Disabled = [_] (UNCHECKED)
------------------------------------------------------------------------------------
Interface = [AirVPN_WAN ▼]
------------------------------------------------------------------------------------
Address Family = [IPv4 ▼]
------------------------------------------------------------------------------------
Name = [ AirVPN_WAN ]
------------------------------------------------------------------------------------
Gateway = [ dynamic ]
------------------------------------------------------------------------------------
Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)
------------------------------------------------------------------------------------
Gateway Monitoring = [√] Disable Gateway Monitoring(CHECKED)
NOTE: The monitoring service has caused more issues then it has
corrected as of late, so we will disable it.
------------------------------------------------------------------------------------
Force state = [_] Mark Gateway as Down (UNCHECKED)
------------------------------------------------------------------------------------
Description = [ AirVPN_WAN ]
------------------------------------------------------------------------------------
[☼ Display Advanced ] = ( Unchanged )
------------------------------------------------------------------------------------
  
***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as:write UDPv4: No buffer space available (code=55)The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct!

 

 

 

 

 

 

 

 

 

[farquaad 14]

Just wanted to say thanks.

 

This is a fantastic getting started guide and it's fool proof. I got to learn a lot about pfSense and firewalls in general.

[farquaad 14]

I have a problem with your setup. I fixed it the easy way but I wanted to know what you would recommend I do...

 

I had a AVPN setup pointing to several connections under one name ca.vpn.airdns.org. I also setup the DNS as mentioned under "System/General Setup" so that all DNS queries go through the VPN connection.

 

The problem I have is that once the line falls (whatever the reason), I am unable to reconnect because the only DNS configured is the one from AirVPN. Seeing as I cannot resolve ca.vpn.airdns.org => No VPN.

 

RESOLVE: Cannot resolve host address: ch.vpn.airdns.org: hostname nor servname provided, or not known

 

What would you do to fix this?

 

1) Another VPN setting with an IP rather than a domain name?

2) An external DNS for the WAN just so that the VPN can come up?

3) ...

 

What are your thoughts on this?

[go558a83nk 362]

just resolve ch.vpn.airdns.org and put that IP address in the server host or address field. 

[bama 0]

Hello joe_g I'm no expert but here is what I do understand about your issue,first your non-pfsense router whatever brand it is netgear linksy whatever it maybe the first thing you need to do before trying to connect a pfsense router/firewall is to go into that router and either manually set it up as an access point or look at the gui of that router it may have an option to put that router into wireless access point mode for you,and always make the ip of the access point is static because if your ISP provides you with a dynamic ip you will have problems getting back into that access point,and remember the whole idea of using pfsense is to try to give your network more capabilities than commercial brand routers,so that pfsense once set up properly should be both your router and firewall giving IP address assignments to your local network (lan) I didn't read read your entire post but as soon as I saw double nat instatly knew that's a Nono for your network and whatever brand that router is look up on the company's website about steps required to switch to WAP mode or try YouTube or a simple search on DuckDuckGo or whatever browser you use I know I'm not being very technical but once you do this then do a fresh setup of your pfsense box and you should be ok as long as you don't make any missteps following the guide and I hope I helped and good luck to you.

[farquaad 14]

just resolve ch.vpn.airdns.org and put that IP address in the server host or address field. 

Hi,

 

Sorry for the late reply. I get what you propose but the advantage of using the domain name is that it points to multiple servers, so if one goes down, it will still point to another that is up.

 

I had a look at editing the hosts file but that feels like a hack that might not last the next update.

 

Any other ideas?

[farquaad 14]

 

just resolve ch.vpn.airdns.org and put that IP address in the server host or address field. 

Hi,

 

Sorry for the late reply. I get what you propose but the advantage of using the domain name is that it points to multiple servers, so if one goes down, it will still point to another that is up.

 

I had a look at editing the hosts file but that feels like a hack that might not last the next update.

 

Any other ideas?

 

I will reply to my question!

 

I added a "Host override" in the "DNS resolver".

[panicmode 0]

So I setup pfsense as described with one difference. For the WAN_SERVICE_PORTS alias, i only allowed 443 and 80, with the assumption that when they were used in the AirVPN_LAN ALLOW OUTBOUND rule, it would only allow outbound http and https traffic and the rest would get blocked by the default deny rule. However that doesn't appear to be the case. The rule doesn't trigger on connections from the AirVPN_LAN to port 80 and 443 destinations and instead gets dropped by the default deny rule. 

 

If i add 1024:65535 to the WAN_SERVICE_PORTS alias, it starts working.

 

What gives? Am i thinking about this incorrectly?

[cford1905 0]

Hello:

 

I've been using this setup for a while and everything works great.  The only thing that I would like to be able to do is have my clearnet be able to access my NAS which is located on the VPN network.  I would like that the clearnet bet able to access ONLY the NAS.  Do I need to make an exception to one of the firewall rules?  Any advice would be greatly appreciated.

[anddan 0]

Kudos to the author of this guide   worked perfectly - awesome job!

[sparkster666 0]

Thanks for this guide It works great. I would really appreciate it if someone could help me out. I would like all traffic on my lan except for 3 ip's to not use the vpn. I only have 3 ip's I would like to protect with a vpn. Any help would be greatly appreciated.   

[go558a83nk 362]

IPs you want outside the VPN make an outbound NAT rule that allows those IPs out the WAN interface.  The rule must be above the rule that forces all else through the VPN.

 

Make corresponding LAN firewall rules that allow those IPs out the WAN gateway (advanced options > gateway in the rule settings), again placed above the rule that routes the rest through the VPN.

[pPN 0]

Thank you for your fine effort in documenting a pfSense configuration for AirVPN so thoroughly.

 

I have one minor issue (but a major pain) with my configuration. On booting pfSense, OpenVPN comes up correctly, but the pf rule for AIRVPN_LAN ALLOW OUTBOUND (your Step 6-I) does not get applied until manually restarting OpenVPN.

 

Checking "pfctl -s rules" at the console clearly shows that "AIRVPN_LAN ALLOW OUTBOUND" does not exist on first boot. (Even though "ifconfig" shows a configured interface with IP address for ovpnc1, and the peer address can be pinged).

 

Restarting the OpenVPN service manually works around the issue (until next boot).

 

I just upgraded from 2.3.2 to 2.3.2-p1 hoping to resolve the problem.

 

Do you have any thoughts on this ?

 

Is anybody else experiencing this issue ?

[go558a83nk 362]

Thank you for your fine effort in documenting a pfSense configuration for AirVPN so thoroughly.

 

I have one minor issue (but a major pain) with my configuration. On booting pfSense, OpenVPN comes up correctly, but the pf rule for AIRVPN_LAN ALLOW OUTBOUND (your Step 6-I) does not get applied until manually restarting OpenVPN.

 

Checking "pfctl -s rules" at the console clearly shows that "AIRVPN_LAN ALLOW OUTBOUND" does not exist on first boot. (Even though "ifconfig" shows a configured interface with IP address for ovpnc1, and the peer address can be pinged).

 

Restarting the OpenVPN service manually works around the issue (until next boot).

 

I just upgraded from 2.3.2 to 2.3.2-p1 hoping to resolve the problem.

 

Do you have any thoughts on this ?

 

Is anybody else experiencing this issue ?

 

so if the rule doesn't get set upon boot that means traffic isn't flowing through the tunnel until you restart the openvpn service?

 

I haven't had anything like that.

[pPN 0]

so if the rule doesn't get set upon boot that means traffic isn't flowing through the tunnel until you restart the openvpn service?

 

I haven't had anything like that.

 

Right. No traffic flow at all (until manual intervention). Thanks for picking up on that part, because I neglected to explicitly state it!

[pPN 0]

A bit more investigation reveals that there must be a race condition between OpenVPN starting and the firewall filters. The failure is intermittent, and moving the OpenVPN startup further down in /etc/bootup stops the problem from occurring. I will create a bug report for pfSense. (I have no idea why nobody else is seeing this though).

[zhang888 1066]

Not sure it's actually a bug - it depends on where your rule was set. If it was set per interface,

and the interface is not up before OpenVPN is up, naturally it will fail on boot and then after you restart

OpenVPN and the interface is up again the rule will become active.

 

Did you try setting a floating rule instead?

https://doc.pfsense.org/index.php/What_are_Floating_Rules

[pPN 0]

Thanks for taking the time to consider this problem, it's certainly interesting!

 

Not sure it's actually a bug - it depends on where your rule was set. If it was set per interface,

and the interface is not up before OpenVPN is up, naturally it will fail on boot and then after you restart

OpenVPN and the interface is up again the rule will become active.

 

The rule in question is as per instruction: Step 6-I: Sixth AirVPN_LAN Firewall Rule: "AirVPN_LAN ALLOW OUTBOUND"

 

So this rule depends on the LAN interface, and the AirVPN gateway (AirVPN_WAN)

 

It seems highly unlikely that the LAN interface is down at the point in time that the OpenVPN service successfully establishes a connection via the WAN interface. One would expect that both LAN and WAN interfaces would come up at approximately the same time (both configured with static IP addresses in my case).

 

Did you try setting a floating rule instead?

https://doc.pfsense.org/index.php/What_are_Floating_Rules

 

Thanks for the idea, but unfortunately the same issue exists. Any dependency on AirVPN_WAN means that the rule is not added to BSD-pf until OpenVPN announces a successful connection (and it is acted upon).

 

Following through the OpenVPN startup (and the filter has failed to be applied), does not show anything odd. OpenVPN log shows:

/usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.XX.XX.XX 255.255.0.0 init

Inspecting /usr/local/sbin/ovpn-linkup shows that /usr/local/sbin/pfSctl is called to announce the interface, which I expect then leads to the following System log:

/rc.newwanip:rc.newwanip:on (IP address:10.XX.XX.XX)(interface: AIRVPN_WAN[opt2])(real interface:ovpnc1).

So whatever needs to respond to this notification is not acting on it (more than 50% of the time in my case). This still appears to be a boot-time race condition, whether some other dependency is not yet available, or the engine that acts on the new interface announcement is not ready itself.

[burgercity 0]

Thank you so much for creating this guide. I would never have been able to set-up this project without your guidance. You are a hero. This guide worked flawlessly for me. When my AirVPN subscription requires renewal I will be using your referral. Thank you, sir.

[JustKuz 2]

This post here by the OP is the reason I will be signing up for AirVPN very soon. Struggling with vpn client setups on pfsense with different providers (ExpressVPN & Nord). Will be cancelling those soon and heading over this way because of  some GREAT pfsense documentation. 

 

THANK YOU!

[JacksonLee 3]

--Advanced Configuration

Advanced = (Copy and paste the following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)

##### CLIENT OPTIONS #####;
server-poll-timeout 10   ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
explicit-exit-notify 5;

##### TUNNEL OPTIONS #####;
### Use Multple "remote" entries with the according entry IP address of your favorite servers       ###;
### other than the server entered in the "Server Host or Address" entry above and pfSense           ###;
### will automatically recconnect in a round robin fashion if the server you are connected to       ###;
### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
###remote XX.XX.XX.XX 443   ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Acamar_UDP-2018###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Yildun_UDP-2018###;
###remote XX.XX.XX.XX 53   ###AirVPN_US-Miami_Cursa_UDP-53###;
###remote XXX.XX.XX.XX 443   ###AirVPN_CA-Dheneb_UDP-443###;
###remote XXX.XX.XXX.XXX 443  ###AirVPN_CA-Saiph_UDP-443###;
###rcvbuf 262144;
###sndbuf 262144;
mlock   ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
fast-io   ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
###tun-mtu 1500;
###mssfix 1450;
###keepalive 5 15;

##### DATA CHANNEL ENCRYPTION OPTIONS #####;
key-direction 1;
keysize 256   ### Size of key from cipher ###;
prng SHA512 64  ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
### replay-window n [t]   ### Default = replay-window 64 15 ###;
### mute-replay-warnings;

##### TLS MODE OPTIONS #####;
tls-version-min 1.2   ### set the minimum TLS version we will accept from the peer ###;
key-method 2   ### client generates a random key ###;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384   ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
tls-timeout 2   ### Default = 2 ###;
ns-cert-type server   ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
remote-cert-tls server   ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
### reneg-sec 3600;

 

 

Is this still the Latest Setting I should use ?