kalenjin 0 Posted ...
Noob pfsense question. Connecting from Ubuntu to a Watchguard Firebox flashed w/ 2.3 using minicom. I get the usual terminal table (see attached). However, the tutorial seems to have a different GUI/interface. https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ How to proceed? Thanx

go558a83nk 362 Posted ...
just connect with your web browser to the LAN IP address of the device running pfsense. e.g. 192.168.1.1

kalenjin 0 Posted ...
Connecting w/ serial cable. Hence, minicom (or putty, SSH etc). Not on LAN

go558a83nk 362 Posted ...
I don't know what to tell you. The guide here uses the web GUI.

kalenjin 0 Posted ...
Figured it out. In the terminal interface, you assign an IP range to a LAN port. Now having the problem on OpenVPN of "An IPv4 protocol was selected, but the selected interface has no IPv4 address." Google suggests it is a problem w/ OpenVPN on pfsense

simpty 0 Posted ...
Hey pfSense_fan, just wanted to say thank you a lot for writing this comprehensive tutorial! I (as a beginner) followed all your steps meticulously and it worked perfectly! Just a question: When I want to switch the VPN server, should I only edit the OpenVPN client settings?

Edit / Update (18.06.17): So I just figured it out by myself. It actually is soooo easy. I didn't know that, I thought like every time you generate new OpenVPN configs for the new server you want to connect to you also get new key and certificate files with changed "content". But, everything stays the same, I compared the data inside the files with the one in pfSense, nothing changed. So the only thing you need to do is stop the OpenVPN client, change the IP of the VPN server and start the client again. Boom! Easy. Made my day <3

JacksonLee 3 Posted ...
Setting Up pfSense 2.3 for AirVPN
Step 3: Setting up the OpenVPN Client
Step 3-A: Setting up the OpenVPN Client

```
##### CLIENT OPTIONS #####;
server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
explicit-exit-notify 5;
##### TUNNEL OPTIONS #####;
### Use Multiple "remote" entries with the according entry IP address of your favorite servers ###;
### other than the server entered in the "Server Host or Address" entry above and pfSense ###;
### will automatically reconnect in a round robin fashion if the server you are connected to ###;
### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###;
###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###;
###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###;
###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###;
###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###;
###rcvbuf 262144;
###sndbuf 262144;
mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
###tun-mtu 1500;
###mssfix 1450;
###keepalive 5 15;
##### DATA CHANNEL ENCRYPTION OPTIONS #####;
key-direction 1;
keysize 256 ### Size of key from cipher ###;
prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
### replay-window n [t] ### Default = replay-window 64 15 ###;
### mute-replay-warnings;
##### TLS MODE OPTIONS #####;
tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###;
key-method 2 ### client generates a random key ###;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
tls-timeout 2 ### Default = 2 ###;
ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
### reneg-sec 3600;
```

Is this the latest Version ? (taken from the Page 1 Post)

dIecbasC 38 Posted ...
I'm pretty sure the latest version is the last one posted in this thread.

h3nchman24 0 Posted ...
For the life of me, I can not get this to open a port for my OpenVPN server. I am missing something; I can either get local access or the internet over the VPN, not both. I am at a loss how to get this to work with the server part.

clevoir 3 Posted ...
How do I configure the WAN interface as PPPoE? I have followed the guide OK, when I try and change to WAN settings, it says that there is a DHCP server in place?

4Qman 0 Posted ...
I have an APU2C4. I am playing around at the moment but need to see if this will work.

MODEM - APU2C4 WAN
LAN1 - SWITCH - Unifi AP (using public IP)
OPT1 - SWITCH (Configured to use AirVPN Provider IP)

That way all wireless devices are via my ISP IP address and whatever is plugged into the OPT1 switch will be under the VPN provider's IP. Is this possible using this guide?

wer 14 Posted ...
Yes, of course. This guide is working very well for firewall appliances like ALIX or APU. You shouldn't run into major problems by following this guide closely. By the way, I think the APU is a nice choice since it's open source and runs coreboot firmware.

4Qman 0 Posted ...
Thank you for the reply. I have my LAN working fine, when I set up VPN on OPT1 following this guide I get a connection to the VPN but when I plug a computer into the switch (OPT1) I get invalid IP configuration. Is this guide OK to follow if you have LAN (using default gateway) and OPT1 as (VPN gateway), if yes what needs to be changed to allow it to work?

clevoir 3 Posted ...
I have got it all working OK but sometimes the LAN address 192.168.1.1 is not recognised on startup, when this happens I can't access the GUI or access the internet. I have pfsense running on a dedicated PC with a X7SPA-HF motherboard. When this happens I have to reboot the PC, and then it works OK?

Also at the moment I only have 1 VPN server set up, if I add a number of servers will pfsense try to connect to a random one or in the order that they are listed? I would like to use the nl.vpn.airdns.org address but note in the instructions that this can't be resolved and server IP addresses have to be used instead. So can I add all NL servers with pfsense randomly choosing between them?

go558a83nk 362 Posted ...
You can add many VPN client setups and it will connect to all that are enabled. That is not the way to get a random server. Getting a random server isn't the same as using nl.vpn.airdns.org. That address gets you the least busy NL server at the time.

clevoir 3 Posted ...
I have now found the IP address for nl.vpn.airdns.org and understand the pfsense will select one of the NL servers in connection. My main issue is as per my original post, sometimes on starting pfsense my LAN port is not being recognised at 19.168.1.1 and then have no internet access?

go558a83nk 362 Posted ...
I don't know about your other problem. nl.vpn.airdns.org resolves to one of the NL servers, the "best" at the time. So, you wouldn't want to keep using that IP because it'll always point to the same server. You need to research how to do "remote random" within pfsense.

DZMM 2 Posted ...
I've been using this method to successfully filter my whole connection. Is there an easy way to amend the setup so that only certain IP addresses go through the VPN and other IPs just go the normal WAN? Thanks in advance

go558a83nk 362 Posted ...
Of course. This, policy routing, has been discussed plenty in this forum and in this thread in particular. Just read the previous several pages of this thread.

DZMM 2 Posted ...
Thanks - to save others time, check out post 71

DZMM 2 Posted ...
Sorry, it wasn't as easy as I'd hoped. I went to interfaces but I couldn't see how to create another LAN interface - is this because I've only got 2 NICs? Is there a way to route non-VPN traffic with only 2 NICs? Thanks

go558a83nk 362 Posted ...
No, you don't create another interface. See this post. https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?p=61027

DZMM 2 Posted ...
I was just about to post how I'd managed to work it out myself.. I did something similar:

1. created an alias with the IP addresses I wanted to bypass the VPN
2. created outbound rules so those IPs could use the WAN (put at the bottom of the list)
3. created a firewall rule on AIRVPN_LAN where for my alias to use the WAN gateway (under advanced) not the AIRVPN_WAN gateway

Ideally for 3 I would have preferred to use floating rules so I can traffic shape, but I couldn't get it to work with floating rules. One for the future

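The rule-order logic behind step 3 of the post above, as an added example (not part of the original post and not pfSense code): a small Python model of first-match evaluation on the LAN interface, useful for checking which hosts leave through the WAN instead of the VPN. The addresses and rule descriptions are constructed sample values, and the model matches on source address only; the outbound NAT rules of step 2 are not modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    description: str
    sources: tuple   # CIDR strings; an alias expands to a list of these
    gateway: str     # gateway chosen in the rule's advanced options

    def nets(self):
        return [ipaddress.ip_network(s) for s in self.sources]

    def matches(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.nets())


def egress_gateway(rules, src_ip):
    """First matching rule wins; no match means the packet is not passed."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule.gateway
    return None


def shadowed(rules):
    """Descriptions of rules whose sources are fully covered by earlier rules."""
    hidden = []
    for i, rule in enumerate(rules):
        earlier = [n for r in rules[:i] for n in r.nets()]
        if all(any(n.subnet_of(e) for e in earlier) for n in rule.nets()):
            hidden.append(rule.description)
    return hidden


def audit(rules, hosts):
    """Map each host to its egress gateway so unintended bypasses stand out."""
    return {h: egress_gateway(rules, h) for h in hosts}


# Constructed sample values: one bypass host inside a /24 LAN.
BYPASS = Rule("bypass alias -> WAN", ("172.30.12.30/32",), "WAN")
VPN = Rule("LAN net -> AIRVPN_WAN", ("172.30.12.0/24",), "AIRVPN_WAN")

GOOD_ORDER = [BYPASS, VPN]   # specific rule above the catch-all
BAD_ORDER = [VPN, BYPASS]    # catch-all first: the bypass rule never matches

if __name__ == "__main__":
    hosts = ["172.30.12.30", "172.30.12.2"]
    print(audit(GOOD_ORDER, hosts))
    print(shadowed(BAD_ORDER))
```

Running `audit` over every address you expect to stay on the VPN shows at a glance whether an over-broad alias entry is sending any of them out of the WAN gateway.
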
go558a83nk 362 Posted ...
Yep, Alias is the way to do it. Glad you figured it out. It's good for understanding how it all works.

DZMM 2 Posted ...
Where I'm stumped with though, is how to change my firewall rules to allow access to local services. Here's an example of the problem I'm having: I have plex running at 172.30.12.30 on port 32400. I put this IP on the VPN passthrough to solve problems with remote access and all is good with remote access using the method above and a simple port forward. However, when I want an internal service e.g. sonarr running on 172.30.12.2 (i.e. over the VPN) to connect to Plex it can't via 172.30.12.30:32400 but it can via the external address 31.54.xx.xx:32400. Anyone help?