pfSense_fan

How To Set Up pfSense 2.3 for AirVPN


9 minutes ago, Mad_Max said:
My WAN is 192.168.1.11 because it's a cable from my router (which has 10 clients connected to it and the pfSense is the 11th).

I got a screenshot of the OpenVPN config, but what's the gateway xD?

Gateways are under

SYSTEM - - Routing
Step 4 in the guide.

About your VPN Client settings... At the bottom of the configuration, set as shown below.

Screenshot_20190501-004048.png


Move your modem into bridged mode so it passes the connection through to pfSense.
Alternatively, allow RFC1918 addresses on the WAN interface, which might get stuff working for you. You'll be behind a double-NAT config like this and your life is going to be painful, especially if you try port forwarding.


I did the OpenVPN config like you said @zapoteknico and here is a photo of the gateway.

Thanks @dlecbasC, I'm sorry for using these newbie terms, but the router was provided by my ISP. It switches the net from fiber to Wireless + LAN. For pfSense, is it better to keep using this router, or should I get a small fiber-to-LAN media converter?

12.jpg


I am quite sure your issue is related to the IP addresses of your interfaces (WAN and LAN) and/or the DHCP server assignment settings and/or the NAT outbound rules.
If I get it right, you have the ISP router that gives IP 192.168.1.11 to your WAN via DHCP.
Then you have pfSense giving address 192.168.1.1 to your LAN network via DHCP....
Out of curiosity... what is the IP address of your ISP router?


Here is a screenshot of the AirVPN Gateway and the Interfaces.

Well, my setup is: in my neighbor's house the main router's IPs start from 192.168.1.1 ... and I got a cable from his house to my access point, but now I removed the access point and installed a pfSense instead.

air gateway.png

interfaces.png


Your pfSense LAN 192.168.1.1 has the same IP as your ISP router, 192.168.1.1.
It will never get connected...
The easier solution from my point of view is to change the IP of the ISP router...

The guide you have followed starts by assuming that you have a pfSense box with a WAN configured to receive an IP from the ISP router via DHCP (i.e. 192.168.0.x) and then a LAN that will be set to have addresses starting from 192.168.1.1.

Because of your starting situation (ISP router with IP 192.168.1.1), you should change all the IP addresses in the guide to something like 192.168.2.1.

If you only have devices connected to the ISP router via LAN or wireless and no port forwarding on the ISP router, then just change the ISP router address to 192.168.0.1.
The ISP router will reboot... All the devices will get a new IP address and the pfSense router will connect (unless there are other mistakes in how you followed the guide).


I think this picture will explain better what I mean.
The ISP router has IP 192.168.1.1 (like your ISP router).
It gives connections to clients (host machine) with IP 192.168.1.103 and to the pfSense box with IP 192.168.1.106 (192.168.1.11 in your case).

Then the pfSense box below has LAN IP 10.0.0.1 and gives IPs in the same range to other devices, 10.0.0.5 - 10.0.0.7.

Your pfSense LAN instead has IP 192.168.1.1, making any connection impossible due to a duplicate IP on the network.

I think this also explains why your WAN_DHCP Gateway is not showing any Gateway or Monitor IP address.
In my working setup, it shows the ISP router IP address.

IMG_20190501_015122_977.jpg


It is 2:30 am where I am.
Please review steps 2, 3, 4 of the guide.
When you copy/paste the text for the certificates, ensure there are no spaces at the end.

16 hours ago, Mad_Max said:

Thank you so much for your replies. But I have changed the ISP IP and still no connection :(

stats.png

Hello, I am available if you still need help.
You can also try to contact me privately.

On 4/30/2019 at 7:37 PM, Mad_Max said:

Here is the OpenVPN config:
https://imgur.com/a/BU60kUE

Sorry, it's a screenshot from a mobile and uploaded to imgur and not here 😕

I assume this still isn't working.

I can see about 5 options to change:
1. under NCP add AES-256-GCM
2. auth digest algorithm needs to be set to SHA512
3. topology needs to be changed to subnet
4. TOS service: need to uncheck "don't pull routes"
5. please change verb to 4 so we can actually read issues in the log


I'm picking up the thread from the last page, so I apologize if this has already been addressed. Can you ping ANY outside sites, from the pfSense box itself? Diagnostics > Ping. Select the WAN as the source address and attempt to ping an Air server (i.e. ran.airvpn.org) and see what happens. If not, then there's another issue, likely NAT related that's preventing it from getting a connection to the VPN.

If it works, then please try the following: VPN > OpenVPN > Clients. You have 4 buttons along the top: Settings, Related Status, Related Log Entries, Help. Click "Related Log Entries" and THAT will tell you what occurs when trying to connect to AirVPN.


Hello All,

My pfSense (ver 2.4.4) firewall is set up exactly as in the original poster pfSense fan's guide (which, by the way, pfSense fan, You Rock!) with the exception that I also added Snort to my pfSense. Thing is that I have never been able to send outgoing mail from my main desktop machine and I was hoping someone here can point me in the proper direction.

I have added 465 and 587 to my WAN service ports but still no go. I have pored over my pfSense firewall logs, but even filtering on my source IP has not let me see where the packets are being blocked.

thunderbird.png.67e7094df13937d6c280d66b39b8b9f7.png

pfsense.thumb.png.3592e3001f1fb5ad817d655b58734a9d.png

wireshark.thumb.png.236c3f954fff50b3eeca5ba04145a9bd.png

So I started up Wireshark and sent a test email to see what is going on. (BTW, I am using Thunderbird for my email client and Ubuntu for my OS.) The initial SYN packet sent uses a random port between 1024:65535, in this case 58294, with a destination of 465 at 74.125.141.109, which obviously does not make it to its destination (or I would see the ACK from 74.125.141.109) but instead re-transmits that packet again, and again, until it fails.

My question is WHY? Registered and ephemeral ports should be open on the outgoing WAN. Am I missing something here?

BTW, thank you to all who take time from your day to respond!

If anyone wants to set up Snort on their 2.4.4 pfSense firewall, this is the tutorial I followed - https://vorkbaard.nl/installing-snort-for-idsips-on-pfsense-2-4/


Status -> System Logs -> Firewall - Now attempt to send the mail and then look at the log to see if pfSense is actually blocking the outgoing or incoming connection AND on what interface. You say you have holes punched in the WAN for allowable ports, but what LAN is your PC operating off of and what gateway does that LAN use? If you set it up like the original guide and your PC is operating off of the AirVPN_LAN, which sends traffic out of the AirVPN_WAN, then you've punched holes in the wrong place. If I'm wrong here, check the settings in Thunderbird to see if you can use a fixed port, rather than a random one, for the initial packet. Sorry, but I haven't used TB in some years and can't give more info.


Thanks for taking the time to look. I thought the exact same as you but I've verified that on both the AirVPN_LAN and the AirVPN_WAN those ports are open. Initially I wasn't logging those packets but I've turned logging on and I can see the packet match the rule and pass. So it is definitely being blocked after being passed at the LAN.

1708159660_Screenshotat2019-07-2217-24-40.thumb.png.2ddf591d390fa101f3cfb946319410ec.png

As far as ports that are open, they are for the most part mirrored on both the WAN and LAN side so I'm wondering if it is a firewall rule.

632586495_Screenshotat2019-07-2217-38-53.thumb.png.5cb8247d9e8b81820c76340dc987e9d3.png

Thunderbird is using a fixed port as far as I can see but it obviously is randomizing the initial port internally unless 465 is just the stated destination.

284907936_Screenshotat2019-07-2217-08-57.png.2f6d65164a5b48889e1cd634b95a23db.png

Aside from the first 3 rules (Anti-lock out, NAT-AirVPN DNS REDIRECT and AirVPN LAN NTP REDIRECT) here are the rest. As a test I paused the REJECT LOCAL just to see if that was the issue but it still blocked. So it must be blocking at the outbound WAN.

535056754_Screenshotat2019-07-2217-44-50.thumb.png.59779b5f02afbe03d64ed93b805c01da.png

Obviously I'm missing something but I can't figure out what.

On 7/22/2019 at 5:59 PM, mcana77 said:

Thanks for taking the time to look. I thought the exact same as you but I've verified that on both the AirVPN_LAN and the AirVPN_WAN those ports are open. Initially I wasn't logging those packets but I've turned logging on and I can see the packet match the rule and pass. So it is definitely being blocked after being passed at the LAN.

1708159660_Screenshotat2019-07-2217-24-40.thumb.png.2ddf591d390fa101f3cfb946319410ec.png

As far as ports that are open, they are for the most part mirrored on both the WAN and LAN side so I'm wondering if it is a firewall rule.

632586495_Screenshotat2019-07-2217-38-53.thumb.png.5cb8247d9e8b81820c76340dc987e9d3.png

Thunderbird is using a fixed port as far as I can see but it obviously is randomizing the initial port internally unless 465 is just the stated destination.

284907936_Screenshotat2019-07-2217-08-57.png.2f6d65164a5b48889e1cd634b95a23db.png

Aside from the first 3 rules (Anti-lock out, NAT-AirVPN DNS REDIRECT and AirVPN LAN NTP REDIRECT) here are the rest. As a test I paused the REJECT LOCAL just to see if that was the issue but it still blocked. So it must be blocking at the outbound WAN.

535056754_Screenshotat2019-07-2217-44-50.thumb.png.59779b5f02afbe03d64ed93b805c01da.png

Obviously I'm missing something but I can't figure out what.

Ok, I think I see the error here now. Under your firewall rule for your LAN to LAN communication (3rd from the bottom), remove the 1024-65535 and change it to any under the source. Your LAN to LAN chatter is usually going to run in the lower ranges, generally speaking. You can of course add additional ports for various services (i.e. Plex I believe uses 32400), but add them to the LAN_SERVICE_PORTS alias. You're effectively saying that if the traffic on your LAN originates from a port between 1024-65535 and is going to a private address with one of those ports in the alias, then allow it. Otherwise, pfSense will enact its default behavior, which is, "If it's not explicitly allowed, block it".
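To illustrate the source-port point in the reply above, here is an added example (not code from the guide or from anyone in this thread) that models first-match rule evaluation with pfSense's implicit default deny; the alias contents, addresses and ports are constructed for illustration, and LAN_SERVICE_PORTS here is only a stand-in for the alias mentioned in the thread.

```python
# Added example: a minimal model of how a pfSense LAN rule that restricts the
# SOURCE port (1024-65535) behaves versus the same rule with source "any".
# Anything no rule matches falls through to the default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for the LAN_SERVICE_PORTS alias (assumption).
LAN_SERVICE_PORTS = frozenset({53, 123, 443, 445, 465, 587})
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    src_ports: Optional[Tuple[int, int]]     # inclusive range, None = any
    dst_private: bool                        # destination must be RFC1918
    dst_ports: Optional[FrozenSet[int]]      # alias contents, None = any

    def matches(self, p: Packet) -> bool:
        if self.src_ports and not (self.src_ports[0] <= p.src_port <= self.src_ports[1]):
            return False
        if self.dst_private and not any(ip_address(p.dst_ip) in n for n in RFC1918):
            return False
        if self.dst_ports is not None and p.dst_port not in self.dst_ports:
            return False
        return True

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins (interface rules in pfSense are 'quick');
    a packet no rule matches hits the implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block (default deny)"

RESTRICTED = [Rule("pass", (1024, 65535), True, LAN_SERVICE_PORTS)]  # rule as posted
CORRECTED = [Rule("pass", None, True, LAN_SERVICE_PORTS)]            # source: any

if __name__ == "__main__":
    smb = Packet("tcp", "192.168.2.10", 58294, "192.168.2.20", 445)  # ephemeral source port
    ntp = Packet("udp", "192.168.2.10", 123, "192.168.2.1", 123)     # low source port (ntpd style)
    for name, p in (("smb", smb), ("ntp", ntp)):
        print(name, "restricted:", evaluate(RESTRICTED, p), "| corrected:", evaluate(CORRECTED, p))
```

Note that neither rule covers the poster's mail flow to 74.125.141.109:465, since that destination is not RFC1918; a separate LAN rule to non-private destinations has to pass it.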


Thanks for the guide, I now have pfSense and AirVPN set up and working :)

One little niggle that I have is that on reboot the OpenVPN client claims to be up when it is actually not passing through any traffic. A quick restart of the OpenVPN client solves this and it works great until the next reboot.

Is anyone else seeing similar?

Edit: This is fixed in the 2.5.0 experimental build :)


Followed the guide, and the VPN isn't coming up.

The status page shows reconnecting; process-push-msg-failed

Below I've pasted the logs.  I had to remove the custom options the guide had listed because it was freaking out about them.

image.thumb.png.62bfbe26cf78a494f1452b26df9d9b4e.png

57 minutes ago, joebywan said:

Followed the guide, and the VPN isn't coming up.

The status page shows reconnecting; process-push-msg-failed

Below I've pasted the logs.  I had to remove the custom options the guide had listed because it was freaking out about them.

image.thumb.png.62bfbe26cf78a494f1452b26df9d9b4e.png
You just need to add AES-256-GCM to your list of allowed ciphers in the NCP algorithms section.

On 9/16/2019 at 9:38 AM, go558a83nk said:

You just need to add AES-256-GCM to your list of allowed ciphers in the NCP algorithms section.

Thanks for that, worked.

What's the DNS server we're supposed to be using? Status>OpenVPN says it's up, but I can't do the dnslookup to airvpn.org
