Jump to content
Not connected, Your IP: 52.15.136.223
pfSense_fan

How To Set Up pfSense 2.3 for AirVPN

Recommended Posts

I'm just checking back in as the only major thing remaining on my "I want to do with pfSense" (I've cracked VPN and traffic shaping - remote access almost done) is setting up a proxy.  Is there definitely no way to use Squid with this setup with leakage?  Maybe it's possible to use squid for non-vital IPs/devices, with other devices going via the VPN?

 

Or, are there other proxies/methods available that do work?

 

 

What are your goals for using squid? I can give you an answer if I know what you are trying to accomplish.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Share this post


Link to post

Okay, I read all 15 pages, however I may have simply overlooked it. 

 

How do I only allow certain IPs to go on the VPN? I do not want all of the traffic to route over the VPN.

 

You make an outbound NAT rule for the range of local ip addresses you want to exit the clear internet, and another for the local IP addresses you want to exit the vpn.

 

Once thatis done, you make outbound firewall rules for those local IP address ranges, and specifying which gateway those ranges will exit.

 

It's only a slight adjustment to what the guide teaches. It is called policy routing, and the guide explains how it is accomplish by setting the VPN WAN for the outbound firwall rules.

 

https://doc.pfsense.org/index.php/What_is_policy_routing


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Share this post


Link to post

 

I'm just checking back in as the only major thing remaining on my "I want to do with pfSense" (I've cracked VPN and traffic shaping - remote access almost done) is setting up a proxy.  Is there definitely no way to use Squid with this setup with leakage?  Maybe it's possible to use squid for non-vital IPs/devices, with other devices going via the VPN?

 

Or, are there other proxies/methods available that do work?

 

 

What are your goals for using squid? I can give you an answer if I know what you are trying to accomplish.

Thanks for the reply. I just want to use the transparent proxy and hopefully the HTTPS functionality as well, with Lightsquid reporting. I use pfblockerng so i don't need squid for that and i don't do any content filtering yet, but i might try that in years to come as my kids get older.

Share this post


Link to post

 

 

Anyway I can get the vpn up doing the CA, Cert, Interface and setting the airvpn wan as the gateway in the default lan rule, thats easy, then I do the rest but when I step 8A-1 DNS server and tick everything under DNSSEC then I loose ability to pull websites, so I don’t tick them and leave it at that.

 

I'm mostly clueless, but over on the pfsense forums I did a search for Resolver DNSSEC and got some hits. Unfortunately, almost all were unanswered.  But, the indication was that there might be issues with DNSSEC if either IPV6 support is on or if DNS Query Forwarding is checked (I kept that option off in my 2.3.3 setup).  Have you got IPV6 off everywhere?  What happens if you turn off Forwarding?  Also, back in "Step 7-A: System / General Setup", the author said to use only AirVPN's DNS Server (10.4.0.1) in the DNS Server slot.  I decided not to do that and have four DNS servers listed there (thour 10.4.0.1 is the first one) with no issues.  What are you using there?  Maybe there's a problem with DNSSEC on whatever DNS Server you're using.

Thanks for your reply,

 

IPv6 is disabled throughout pfsense , not tried disabling forwarding yet. My dns servers are opendns. Oddly enough I was searching for DNSSec and the other setting options, I must have read the same unanswered posts you did.

 

--

 

This might be OBE, but OpenDNS apparently doesn't support DNSSEC:

 

https://support.opendns.com/hc/en-us/community/posts/220028387-OpenDNS-and-DNSSEC

 

Similarly, AirVPN's DNS Server doesn't support DNSSEC:

 

https://airvpn.org/topic/16202-request-dnssec/

 

So, if all you have are OpenDNS and AirVPN DNS servers set, having the DNSSEC (and the hardening option, too) will probably do bad things.

Share this post


Link to post

Just wanted to mention that the Guide's setting for Topology in "Step 3-A: Setting up the OpenVPN Client" might need changing.  According to:

 

https://community.openvpn.net/openvpn/wiki/Topology

 

Subnet topology is the current recommended topology; it is not the default as of OpenVPN 2.3 for reasons of backwards-compatibility with 2.0.9-era configs. It is safe and recommended to use subnet topology when no old/outdated clients exist that are running OpenVPN 2.0.9 under Windows.

In subnet topology, the tun device is configured with an IP and netmask like a "traditional" broadcast-based network. The traditional network and broadcast IPs should not be used; while tun has no concept of broadcasts, Windows clients will be unable to properly use these addresses. All remaining IPs in the network are available for use.

Since every IP can be used, subnet topology allows the better utilization of IP space and easier to understand network layout.

 

Going to Diagnostics / Command Prompt on my pfSense 2.3.3 box and entering:

 

openvpn --version

gives me:

 

OpenVPN 2.3.14

 

So, it looks like a subnet topology would be a better choice than the current net30 topology.

Share this post


Link to post

 

 

 

Anyway I can get the vpn up doing the CA, Cert, Interface and setting the airvpn wan as the gateway in the default lan rule, thats easy, then I do the rest but when I step 8A-1 DNS server and tick everything under DNSSEC then I loose ability to pull websites, so I don’t tick them and leave it at that.

 

I'm mostly clueless, but over on the pfsense forums I did a search for Resolver DNSSEC and got some hits. Unfortunately, almost all were unanswered.  But, the indication was that there might be issues with DNSSEC if either IPV6 support is on or if DNS Query Forwarding is checked (I kept that option off in my 2.3.3 setup).  Have you got IPV6 off everywhere?  What happens if you turn off Forwarding?  Also, back in "Step 7-A: System / General Setup", the author said to use only AirVPN's DNS Server (10.4.0.1) in the DNS Server slot.  I decided not to do that and have four DNS servers listed there (thour 10.4.0.1 is the first one) with no issues.  What are you using there?  Maybe there's a problem with DNSSEC on whatever DNS Server you're using.

Thanks for your reply,

 

IPv6 is disabled throughout pfsense , not tried disabling forwarding yet. My dns servers are opendns. Oddly enough I was searching for DNSSec and the other setting options, I must have read the same unanswered posts you did.

 

--

 

This might be OBE, but OpenDNS apparently doesn't support DNSSEC:

 

https://support.opendns.com/hc/en-us/community/posts/220028387-OpenDNS-and-DNSSEC

 

Similarly, AirVPN's DNS Server doesn't support DNSSEC:

 

https://airvpn.org/topic/16202-request-dnssec/

 

So, if all you have are OpenDNS and AirVPN DNS servers set, having the DNSSEC (and the hardening option, too) will probably do bad things.

Thats interesting, thanks for digging into it :-)  I changed from opendns to airvpn dns just to do some tests. Il try and find some DNSSEC compliant servers to test with.

Share this post


Link to post

 

Just wanted to mention that the Guide's setting for Topology in "Step 3-A: Setting up the OpenVPN Client" might need changing.  According to:

 

https://community.openvpn.net/openvpn/wiki/Topology

 

 

Subnet topology is the current recommended topology; it is not the default as of OpenVPN 2.3 for reasons of backwards-compatibility with 2.0.9-era configs. It is safe and recommended to use subnet topology when no old/outdated clients exist that are running OpenVPN 2.0.9 under Windows.

In subnet topology, the tun device is configured with an IP and netmask like a "traditional" broadcast-based network. The traditional network and broadcast IPs should not be used; while tun has no concept of broadcasts, Windows clients will be unable to properly use these addresses. All remaining IPs in the network are available for use.

Since every IP can be used, subnet topology allows the better utilization of IP space and easier to understand network layout.

Going to Diagnostics / Command Prompt on my pfSense 2.3.3 box and entering:

 

openvpn --version

gives me:

 

OpenVPN 2.3.14

 

So, it looks like a subnet topology would be a better choice than the current net30 topology.''

 

 

I'm testing a fresh pfsense install today, after reading your post I changed to the subnet topology, I dont have any need for backward compatibility, though some people will have. If I find any glitches then I will post back, may take some time as I go through all the logs for this and other stuff.

 

One odd thing I did discover after setting the airvpn guide for pfsense, I have mostly linux computers, each has firejail installed and I use a set of custom commands to launch firejailed browsers in private mode, one of those options forces the browser to use a forced dns, in my case the dns servers are opendns, this worked ok, however using the airvpn dns guide I set up opendns.

 

For some odd reason if firejail also uses opendns then the browser fails to pull webpages, change the firejail dns and no problem. I then changed an androids dns to opendns and the same thing, it fails to pull webpages. It seems to be that if a device has the same dns server as the one used in pfsense using the airvpn guide, then it wont pull webpages, I am unsure if this effects just me but I thought I would mention this in case anyone finds a phone or tablet wont connect, some people change the devices dns and may inadvertently hit this problem. 

 

From my point of view this is a trivial issue compared to the extra security the dns setting in this guide offer :-)

Share this post


Link to post

 

 

I'm just checking back in as the only major thing remaining on my "I want to do with pfSense" (I've cracked VPN and traffic shaping - remote access almost done) is setting up a proxy.  Is there definitely no way to use Squid with this setup with leakage?  Maybe it's possible to use squid for non-vital IPs/devices, with other devices going via the VPN?

 

Or, are there other proxies/methods available that do work?

 

 

What are your goals for using squid? I can give you an answer if I know what you are trying to accomplish.

Thanks for the reply. I just want to use the transparent proxy and hopefully the HTTPS functionality as well, with Lightsquid reporting. I use pfblockerng so i don't need squid for that and i don't do any content filtering yet, but i might try that in years to come as my kids get older.

What I've just done as a halfway house is exclude the IPs that I need 100% VPN coverage by entering their IP addresses in the "Bypass Proxy for These Destination IPs" section of Squid.  It'd be good if I could get Squid working for my whole network, but this is an ok compromise for now.

Share this post


Link to post

 

 

I'm just checking back in as the only major thing remaining on my "I want to do with pfSense" (I've cracked VPN and traffic shaping - remote access almost done) is setting up a proxy.  Is there definitely no way to use Squid with this setup with leakage?  Maybe it's possible to use squid for non-vital IPs/devices, with other devices going via the VPN?

 

Or, are there other proxies/methods available that do work?

 

 

What are your goals for using squid? I can give you an answer if I know what you are trying to accomplish.

Thanks for the reply. I just want to use the transparent proxy and hopefully the HTTPS functionality as well, with Lightsquid reporting. I use pfblockerng so i don't need squid for that and i don't do any content filtering yet, but i might try that in years to come as my kids get older.

@pfSense_fan did you see my reply?

Share this post


Link to post

Hopefully I  followed the guide but now I see....

 

Untitled.pngfr

 

the ! mark against the Dest.Address.

 

Is that an indication that I have somehow messed up and if so any ideas how....?

 

 

Thanks 

Share this post


Link to post

 

Okay, I read all 15 pages, however I may have simply overlooked it. 

 

How do I only allow certain IPs to go on the VPN? I do not want all of the traffic to route over the VPN.

You make an outbound NAT rule for the range of local ip addresses you want to exit the clear internet, and another for the local IP addresses you want to exit the vpn.

 

Once thatis done, you make outbound firewall rules for those local IP address ranges, and specifying which gateway those ranges will exit.

 

It's only a slight adjustment to what the guide teaches. It is called policy routing, and the guide explains how it is accomplish by setting the VPN WAN for the outbound firwall rules.

 

https://doc.pfsense.org/index.php/What_is_policy_routing

Awesome, thanks! It's working, however I did turn off DNSSEC and added 2 additional DNS Servers (the OpenDNS ones). 

 

Now, I attempted to create rules as you suggested to route some of my traffic outside of the VPN, however, I cannot get it working. I attempted so many different config/options and nothing was a go. 

Share this post


Link to post

By the end of this guide, the firewall rules look like:

 

 ____________________________________________________________________________________________________________________________________________
| Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| *         | *                    | *     | AirVPN_LAN Address | 443                | *            | *     |          | Anti_lockout Rule  |
|           |                      |       |                    | 80                 |              |       |          |                    |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | *     | 192.168.1.1        | 53 (DNS)           | *            | None  |          | NAT AirVPN LAN     |
| TCP/UDP   |                      |       |                    |                    |              |       |          | DNS REDIRECT       |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4 UDP  | AIRVPN_LAN net       | *     | 192.168.1.1        | 123 (NTP)          | *            | None  |          | NAT AirVPN LAN     |
|           |                      |       |                    |                    |              |       |          | NTP REDIRECT       |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | ALLOW LOCAL        |
| ICMP      |                      |       |                    |                    |              |       |          | ICMP               |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4*     | AIRVPN_LAN net       | *     | LOCAL_IP_MULTICAST | *                  | *            | None  |          | AirVPN_LAN IP      |
|           |                      |       |                    |                    |              |       |          | MULTICAST          |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | 1024  | PRIVATE_NETWORKS   | LAN_SERVICE_PORTS  | *            | None  |          | ALLOW LOCAL        |
| TCP/UDP   |                      | -     |                    |                    |              |       |          | SERVICES           |
|           |                      | 65535 |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | 1024  | *                  | WAN_SERVICE_PORTS  | AirVPN_WAN   | None  |          | AirVPN_LAN         |
| TCP/UDP   |                      | -     |                    |                    |              |       |          | ALLOW              |
|           |                      | 65535 |                    |                    |              |       |          | OUTBOUND           |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4*     | AirVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | REJECT LOCAL       |
|           |                      |       |                    |                    |              |       |          |                    |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________| 

The two lines above the final line are allowing local and outbound traffic on approved ports.  But, looking at those lists of approved ports:

 

LAN_Service_Ports:
[ 21           ] [ -- ▼] [ FTP control (command)							]
[ 22           ] [ -- ▼] [ Secure Shell (SSH), file transfers (scp, sftp)	]
[ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)				]
[ 161          ] [ -- ▼] [ Simple Network Management Protocol (SNMP)		]
[ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)	]
[ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL		]
[ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports					]
WAN_Service_Ports:
[ 21           ] [ -- ▼] [ FTP control (command)                                                    ]
[ 43           ] [ -- ▼] [ WHOIS protocol (If you use a WHOIS program to attain host records)       ]
[ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)                                       ]
[ 143          ] [ -- ▼] [ Internet Message Access Protocol (IMAP), management of email messages    ]
[ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)                         ]
[ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL                                ]
[ 993          ] [ -- ▼] [ Internet Message Access Protocol over TLS/SSL (IMAPS), I.E. Secure email ]
[ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports                                           ]

I've got to ask:  since the approved ports both contain the range of all Registered and Ephemeral Ports [1024:65535] (which works out to 64,511 ports), why bother with being specific with the remaining 6 or 7 named ports below 1024?  Why not just leave the port Aliases off those rules entirely and just allow all internal and outgoing traffic (which, I believe, is the default firewall behavior).  Especially for a home network (though, not everyone reading this will be on a home network).

 

EDIT:  And while I'm questioning those rules and aliases, why are the source ports in those two rules restricted to 1024:65535 while the destination ports are restricted by those aliases to that range plus those 6 or 7 named ports?  Why not leave the source ports blank?  Plus, if we remove the aliases from the rules, the two rules could be combined into one "allow all outbound traffic" rule.

Share this post


Link to post

Hi,

 

I have vpn up and running.

I just like to add 2 nics to the airvpnlan connection. Working all 3 in the same ip range.

Is this possible?

Share this post


Link to post

 I use pfblockerng so i don't need squid for that and i don't do any content filtering yet, but i might try that in years to come as my kids get older.

 

Could you (or @pfSense_fan or anyone) tell me how to setup pfblockerng with openvpn (especially this guide)? I've tried a few things but it's not working properly.

Share this post


Link to post

Greetings.

 

I just want to say thanks again for the guide as it has helped a great deal.  

 

I'm here, however, because of one slight issue.  The airvpn gateway is down and not sure why.  My openvpn nic shows no IP address.

 

I think I had everything working up until I changed from DNS forwarding to DNS resolving and will likely try to replicate that momentarily.

 

What would you advise I look at?

 

Thanks.

 

UPDATE: I resolved my issues by removing airvpn's dns and putting opendns servers in their place.  Is this okay to do privacy/security wise?

Share this post


Link to post

I've been finagling with my DNS Server settings recently, too.  So, I'll pass along some of what I'm finding.

 

- First, I think a lot of the DNS Resolver settings in the guide are carry-overs from previous versions of pfSense.  Specifically, before version 2.2.  The settings seem to treat Resolver similarly to Forwarder.  For instance, Forwarder (and what Resolver does if you put it in Forwarding mode under Services / DNS Resolver / General Settings) starts with a DNS Server you give it and goes up the chain of DNS Servers until it finds the address it's looking for.  Resolver works the opposite way.  With it set to it's default, non-forwarding mode, it starts with the 13 root DNS Servers:

 

https://www.iana.org/domains/root/servers

 

(which it knows about automatically) and works its way down the hierarchy until it finds the address it's looking for.  So, with Resolver set up that way (Services / DNS Resolver / General Settings / DNS Query Forwarding = UNCHECKED), we do not put any DNS Servers on the System / General Setup page.  So, the DNS Server Settings section of that page should be entirely empty and unchecked.  I've been running this way today, and www.ipleak.net continues to show the correct AirVPN DNS servers and I've had no issues resolving names.

 

- Second, since there's currently nothing in my pfSense setup specifying AirVPN's DNS Servers and ipleak is showing the correct ones (I've got two servers running at once), it looks like Resolver (or something) is querying the VPN server for the correct DNS Server IP or just using the default x.x.0.1 for it.  So, again, it looks like with Resolver running without forwarding, we don't need to specify a DNS Server anywhere.  There appears to be no DNS leakage.

 

- Third, if you've got Resolver in forwarding mode and are telling it to use OpenDNS' servers, be aware that OpenDNS does NOT support DNSSEC.  So, if you've got the DNSSEC and "DNSSEC Hardening" options on, the system will stop resolving names since NONE of the resolved names will have DNSSEC data attached.  Ditto for AirVPN's DNS Servers.  With Resolver on without forwarding, it starts from the root and ends up using the highest (and likely most correct) DNS Server for resolving names.  That server can change depending on the address it's looking up.  So, even if a particular hit doesn't have DNSSEC information, it will most likely be a one-off thing.  In general, we'll most likely get good answers.

 

YMMV:  I'm still a newb, but that's what I've found so far.

Share this post


Link to post

Hmm.. I'm not sure what I'm doing wrong.  I just tried it without any DNS servers in general setup and with dns forwarding disabled, my openvpn connection goes down.  

 

I wonder how our setups are different?

Share this post


Link to post

As dIecbasC said, under Services / DNS Resolver / General Settings, make sure you've got all (and just) your local interfaces selected for Network Interfaces and that you've got all (and just) your non-local interfaces selected for Outgoing Network Interfaces.  Also, make sure you've got Services / DNS Forwarder disabled and Service / DNS Resolver enabled.  There's also a race condition that exists upon reloading a pfSense backup or rebooting the box.  So, if you do that, restart first your VPN Client(s) and after it's back up and running, do the same for DNS Resolver (I have the Services Status widget on my Dashboard where I do that).  I've also included the relevant parts of my DNS setup:

170a0255ef.png

 

17124e951e.png

 

170eec55e3.png

Share this post


Link to post

By the end of this guide, the firewall rules look like:

 

 ____________________________________________________________________________________________________________________________________________
| Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| *         | *                    | *     | AirVPN_LAN Address | 443                | *            | *     |          | Anti_lockout Rule  |
|           |                      |       |                    | 80                 |              |       |          |                    |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | *     | 192.168.1.1        | 53 (DNS)           | *            | None  |          | NAT AirVPN LAN     |
| TCP/UDP   |                      |       |                    |                    |              |       |          | DNS REDIRECT       |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4 UDP  | AIRVPN_LAN net       | *     | 192.168.1.1        | 123 (NTP)          | *            | None  |          | NAT AirVPN LAN     |
|           |                      |       |                    |                    |              |       |          | NTP REDIRECT       |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | ALLOW LOCAL        |
| ICMP      |                      |       |                    |                    |              |       |          | ICMP               |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4*     | AIRVPN_LAN net       | *     | LOCAL_IP_MULTICAST | *                  | *            | None  |          | AirVPN_LAN IP      |
|           |                      |       |                    |                    |              |       |          | MULTICAST          |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | 1024  | PRIVATE_NETWORKS   | LAN_SERVICE_PORTS  | *            | None  |          | ALLOW LOCAL        |
| TCP/UDP   |                      | -     |                    |                    |              |       |          | SERVICES           |
|           |                      | 65535 |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4      | AIRVPN_LAN net       | 1024  | *                  | WAN_SERVICE_PORTS  | AirVPN_WAN   | None  |          | AirVPN_LAN         |
| TCP/UDP   |                      | -     |                    |                    |              |       |          | ALLOW              |
|           |                      | 65535 |                    |                    |              |       |          | OUTBOUND           |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
| IPv4*     | AirVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | REJECT LOCAL       |
|           |                      |       |                    |                    |              |       |          |                    |
|           |                      |       |                    |                    |              |       |          |                    |
|___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________| 

The two lines above the final line are allowing local and outbound traffic on approved ports.  But, looking at those lists of approved ports:

 

LAN_Service_Ports:
[ 21           ] [ -- ▼] [ FTP control (command)							]
[ 22           ] [ -- ▼] [ Secure Shell (SSH), file transfers (scp, sftp)	]
[ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)				]
[ 161          ] [ -- ▼] [ Simple Network Management Protocol (SNMP)		]
[ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)	]
[ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL		]
[ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports					]
WAN_Service_Ports:
[ 21           ] [ -- ▼] [ FTP control (command)                                                    ]
[ 43           ] [ -- ▼] [ WHOIS protocol (If you use a WHOIS program to attain host records)       ]
[ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)                                       ]
[ 143          ] [ -- ▼] [ Internet Message Access Protocol (IMAP), management of email messages    ]
[ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)                         ]
[ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL                                ]
[ 993          ] [ -- ▼] [ Internet Message Access Protocol over TLS/SSL (IMAPS), I.E. Secure email ]
[ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports                                           ]

I've got to ask:  since the approved ports both contain the range of all Registered and Ephemeral Ports [1024:65535] (which works out to 64,511 ports), why bother with being specific with the remaining 6 or 7 named ports below 1024?  Why not just leave the port Aliases off those rules entirely and just allow all internal and outgoing traffic (which, I believe, is the default firewall behavior).  Especially for a home network (though, not everyone reading this will be on a home network).

 

EDIT:  And while I'm questioning those rules and aliases, why are the source ports in those two rules restricted to 1024:65535 while the destination ports are restricted by those aliases to that range plus those 6 or 7 named ports?  Why not leave the source ports blank?  Plus, if we remove the aliases from the rules, the two rules could be combined into one "allow all outbound traffic" rule.

 

 

Then you did not follow and read the links to more info I left on the step in the guide that deals with this. There is every reason in the world to limit them in that port range.

 

From Wikipedia:

The port numbers in the range from 0 to 1023 are the well-known ports or system ports.[6] They are used by system processes that provide widely used types of network services. On Unix-like operating systems, a process must execute with superuser privileges to be able to bind a network socket to an IP address using one of the well-known ports.

 

Those ports should never be in use without explicit permission. Not allowing ones that are not in use stops any malicious activity on those ports without intervention. As far as the outgoing NAT excluding them? Those are service (server) ports and traffic should never originate from those ports, hence not allowing outgoing NAT from that port range should have ZERO effect on users.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Share this post


Link to post

This my first post since I joined AirVPN. I have an APU2C4 with Pfsense 2.3.3. The setup as suggested with the guide was wonderful. The only drawback is the speed. I'm getting 80MB with the non protected LAN and max 10MB with the one with openvpn. Any idea?

Share this post


Link to post
Posted ... (edited)

Thanks for this very detailed and comprehensive guide! I have everything setup and working. I have so far only discovered one anomaly and it is with regards to Minecraft. I can not authenticate to Minecraft (not a home server, but Mojang). Confirmed that this is a setup issue as running local vpn on the client where Minecraft is installed allows me to login. Some relevant packet capture info below:

0:15:07.178278 IP (tos 0x0, ttl 64, id 15580, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.107.41278 > 52.72.218.212.80: Flags [.], cksum 0x8743 (correct), ack 5412, win 348, options [nop,nop,TS val 3632200741 ecr 825028318], length 0
20:15:07.202733 IP (tos 0x0, ttl 64, id 15581, offset 0, flags [DF], proto TCP (6), length 111)
    192.168.1.107.41278 > 52.72.218.212.80: Flags [P.], cksum 0x7c56 (correct), seq 1030:1089, ack 5412, win 348, options [nop,nop,TS val 3632200765 ecr 825028318], length 59
20:15:07.416672 IP (tos 0x48, ttl 231, id 47099, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->a50)!)
    52.72.218.212.80 > 192.168.1.107.41278: Flags [.], cksum 0x8794 (correct), ack 1089, win 123, options [nop,nop,TS val 825028379 ecr 3632200765], length 0
20:15:07.530548 IP (tos 0x28, ttl 44, id 31089, offset 0, flags [DF], proto TCP (6), length 1062, bad cksum 0 (->a47e)!)
    209.58.153.108.443 > 192.168.1.107.59656: Flags [P.], cksum 0xad24 (correct), seq 695:1705, ack 1, win 125, options [nop,nop,TS val 917355306 ecr 4217794678], length 1010
20:15:07.531245 IP (tos 0x0, ttl 64, id 47648, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.107.59656 > 209.58.153.108.443: Flags [.], cksum 0x472b (correct), ack 1705, win 1436, options [nop,nop,TS val 4217796203 ecr 917355306], length 0
20:15:07.561459 IP (tos 0x0, ttl 64, id 55350, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.107.54904 > 5.196.64.52.443: Flags [.], cksum 0x3c06 (correct), ack 1242690239, win 254, options [nop,nop,TS val 2038206200 ecr 2452324353], length 0
20:15:07.669116 IP (tos 0x18, ttl 53, id 41981, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->99a3)!)
    5.196.64.52.443 > 192.168.1.107.54904: Flags [.], cksum 0xfa4f (correct), ack 1, win 280, options [nop,nop,TS val 2452326913 ecr 2038154900], length 0
20:15:07.905864 IP (tos 0x28, ttl 44, id 31090, offset 0, flags [DF], proto TCP (6), length 1102, bad cksum 0 (->a455)!)
    209.58.153.108.443 > 192.168.1.107.59656: Flags [P.], cksum 0xfca3 (correct), seq 1705:2755, ack 1, win 125, options [nop,nop,TS val 917355396 ecr 4217796203], length 1050
20:15:07.906658 IP (tos 0x0, ttl 64, id 47649, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.107.59656 > 209.58.153.108.443: Flags [.], cksum 0x413f (correct), ack 2755, win 1436, options [nop,nop,TS val 4217796579 ecr 917355396], length 0
20:15:08.339775 IP (tos 0x28, ttl 44, id 31091, offset 0, flags [DF], proto TCP (6), length 751, bad cksum 0 (->a5b3)!)
    209.58.153.108.443 > 192.168.1.107.59656: Flags [P.], cksum 0x2017 (correct), seq 2755:3454, ack 1, win 125, options [nop,nop,TS val 917355505 ecr 4217796579], length 699

My firewall rules are set almost identically to the guide (specific privileged ports for things like http/https with 1025:65535). Any ideas? Clients are running Minecraft on linux using Java 1.8.0x

 

**Update** Fixed

Seems like some of AirVPN IP's are blacklisted by Mojang authentication server. Switched to different server on PFSense and now I can login

Edited ... by lordlukan

Share this post


Link to post

 

 I use pfblockerng so i don't need squid for that and i don't do any content filtering yet, but i might try that in years to come as my kids get older.

 

Could you (or @pfSense_fan or anyone) tell me how to setup pfblockerng with openvpn (especially this guide)? I've tried a few things but it's not working properly.

I can't remember which, but I used one or both of these guides:

 

https://www.fredmerc.com/2016/07/pfsense-adblock-using-pfblockerng-guide/

http://benoliver999.com/technology/2016/02/27/howtoblockadswithpfblocker/

Share this post


Link to post

Thank you for the guide, but cannot get it to work.

 

openvpn     12068     Server poll timeout, restarting
openvpn     12068     SIGUSR1[soft,server_poll] received, process restarting
openvpn     12068     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn     12068     Socket Buffers: R=[42080->42080] S=[57344->57344]
openvpn     12068     UDPv4 link local: [undef]
openvpn     12068     UDPv4 link remote: [AF_INET]94.***.**.**:443
openvpn     12068     write UDPv4: Network is unreachable (code=51)
openvpn     12068     write UDPv4: Network is unreachable (code=51)
openvpn     12068     write UDPv4: Network is unreachable (code=51)
openvpn     12068     Server poll timeout, restarting

 

Share this post


Link to post

Just wanted to say thank you. 

 

With 6 short months working with Linux, it took me more than a few tries working (within Virtualbox), but I've finally succeeded!

 

This will go down as both the longest and most rewarding checklist I've ever completed.  

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...