pfSense_fan

ANSWERED How To Set Up pfSense 2.3 for AirVPN


I think you're right.  Right now, the SB8200 is off the router's WAN port, which means it's between the two end-points of the VPN tunnel. So, everything it sees is encrypted (including the address, so it doesn't know to respond).  And, since it's on a private address (192.168.100.1), it can't be addressed from the far end of the tunnel back across the internet.  IOW, AFAIK, I can't get there from here (behind the VPN).  I'll have to see about connecting something directly to the SB8200's other Ethernet port.  Thanks.

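As an added illustration, not from the thread or the guide, the Python below models pfSense's top-down, first-match rule evaluation on the LAN interface with the two rules the thread describes: REJECT LOCAL and the catch-all LAN rule whose gateway is the AirVPN interface. The alias contents, the LAN subnet and the gateway name are assumptions. It shows that a packet for the modem at 192.168.100.1 is rejected while REJECT LOCAL is enabled and is policy-routed into the tunnel once it is disabled, so the modem is unreachable either way.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Alias contents are assumed: the thread only shows the alias names.
ALIASES = {
    "PRIVATE_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AIRVPN_LAN net": ["192.168.1.0/24"],  # assumed LAN subnet
}

@dataclass
class Rule:
    action: str                    # "pass" or "reject"
    src: str                       # alias name, CIDR, or "*"
    dst: str
    gateway: Optional[str] = None  # None = follow the system routing table
    description: str = ""
    disabled: bool = False

def matches(ip: str, spec: str) -> bool:
    """True when ip falls inside the alias or CIDR named by spec."""
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))

def evaluate(rules, src_ip: str, dst_ip: str):
    """pfSense semantics: rules on an interface are checked top-down and the
    first enabled match wins; no match means the implicit default deny."""
    for r in rules:
        if r.disabled:
            continue
        if matches(src_ip, r.src) and matches(dst_ip, r.dst):
            return r.action, r.gateway, r.description
    return "block", None, "implicit default deny"

def lan_rules(reject_local_enabled: bool):
    return [
        Rule("reject", "AIRVPN_LAN net", "PRIVATE_NETWORKS",
             description="REJECT LOCAL", disabled=not reject_local_enabled),
        # Catch-all LAN rule with the AirVPN gateway set, as the thread
        # describes; the gateway name is assumed.
        Rule("pass", "AIRVPN_LAN net", "*", gateway="AIRVPN_WAN_VPNV4",
             description="Default allow LAN to any"),
    ]

def modem_reachable(reject_local_enabled: bool) -> bool:
    """The modem (192.168.100.1) hangs off the physical WAN, outside the tunnel,
    so it is reachable only if the packet is passed AND not sent to the VPN gateway."""
    action, gateway, _ = evaluate(lan_rules(reject_local_enabled),
                                  "192.168.1.10", "192.168.100.1")
    return action == "pass" and gateway is None

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"REJECT LOCAL enabled={enabled}:",
              evaluate(lan_rules(enabled), "192.168.1.10", "192.168.100.1"),
              "modem reachable:", modem_reachable(enabled))
```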

 

The only problem I'm having is that I can no longer access the status page for my SB8200 cable modem (192.168.100.1).  It's off of the pfSense's WAN port (of course), so I'm assuming it's one of the firewall rules blocking it.  I assumed it was the Reject Local one:

 

Proto    Source           Port  Destination       Port  Gateway  Queue  Schedule  Description
IPv4 *   AIRPVN_LAN net   *     PRIVATE NETWORKS  *     *        none             REJECT LOCAL

But, when I disable it, I still can't get there.  Any ideas?

 

EDIT:  Looking that rule over, isn't it blocking everything coming from the LAN side of things going to private addresses?  Shouldn't it be blocking everything from private address arriving on the WAN port?

 

-----------------------------------------------------------------------------------------------------------------------

Edit Firewall Rule

-----------------------------------------------------------------------------------------------------------------------

Action = [ Reject ▼]

-----------------------------------------------------------------------------------------------------------------------

Disabled = [_] (UNCHECKED)

-----------------------------------------------------------------------------------------------------------------------

Interface = [ AirVPN_LAN ▼]

-----------------------------------------------------------------------------------------------------------------------

Address Family = [ IPv4 ▼]

-----------------------------------------------------------------------------------------------------------------------

Protocol = [ any ▼]

-----------------------------------------------------------------------------------------------------------------------

 

 

-----------------------------------------------------------------------------------------------------------------------

Source

-----------------------------------------------------------------------------------------------------------------------

Source = [_] Invert match. [ AirVPN_LAN net ▼] [ ]/[--- ▼]

-----------------------------------------------------------------------------------------------------------------------

 

 

-----------------------------------------------------------------------------------------------------------------------

Destination

-----------------------------------------------------------------------------------------------------------------------

Destination = [_] Invert match. [ Single host or alias ▼] [ PRIVATE_NETWORKS ]/[--- ▼]

-----------------------------------------------------------------------------------------------------------------------

 

 

-----------------------------------------------------------------------------------------------------------------------

Extra Options

-----------------------------------------------------------------------------------------------------------------------

Log = [✔] (CHECKED)

-----------------------------------------------------------------------------------------------------------------------

Description = [ REJECT LOCAL ]

-----------------------------------------------------------------------------------------------------------------------

Advanced Options = [☼ Display Advanced ]

-----------------------------------------------------------------------------------------------------------------------

check you've done stage 6H correct as this is what should allow you to connect to your router.


My latest mapping....

 


 

I did complete the entire process and this time it works......!!!!!!

 

So for me getting to the end of point 4 does not give me a working connection BUT going somewhere to the end will allow it to start to work.

 

But, and this is a biggy for me, both of my Usenet clients can no longer connect to my provider. They both use either port 119 or 563 and I'm not sure how to allow for that within the Firewall...?

You have to add 119 and 563 to your LAN and WAN service ports.  The author has listed the minimum ports users need to use most services - you have to add others you need.


Thanks to you both for the idea of adding the ports.

 

I found that by just adding ports 119 and 563 to the WAN service ports allowed access to them from my Usenet client.

 

All good so far.

 

Thankfully I have now remembered to make a backup of a working, so far, configuration.


 

The only problem I'm having is that I can no longer access the status page for my SB8200 cable modem (192.168.100.1).  It's off of the pfSense's WAN port (of course), so I'm assuming it's one of the firewall rules blocking it.  I assumed it was the Reject Local one:

 

check you've done stage 6H correct as this is what should allow you to connect to your router.

 

6H (Allow Local Services) looks fine to me.  But, I'm not having trouble connecting to the router.  I just can't get to the cable modem's Status page at 192.168.100.1.  And, that's outside my WAN port before the tunnel ends at AirVPN's servers.  It's not a big deal, though.  I can live with it.


Under Step 7-B: System / Advanced / Firewall and NAT, it says to check the "Disable Auto-added VPN rules" option ("Disable all auto-added VPN rules.  Note: This disables automatically added rules for IPsec").  Doing so shuts down all internet access on my system.  Where are these auto-added VPN rules listed that it's shutting down?  The only rule I can find on the router saying "auto created" is the localhost to WAN rule at Firewall / NAT / Outbound.  And, that wasn't created when the VPN was set up -- it was created at system setup:

 
Interface  Source       Source Port  Destination  Dest. Port  NAT Address  NAT Port  Static Port  Description
WAN        127.0.0.0/8  *            *            *           WAN address  *                      Auto created rule - localhost to WAN

 


This is probably just an irrelevant typo, but I thought I'd ask to be sure.  In the instructions at "Step 1-A: Disable DHCPv6 on WAN Interface", it implies we should rename the WAN interface "Wan_dhcp."

 

"1.) Go to: Interfaces / WAN...
 
Set as Follows:
--------------------------------------------------------------------------------------------
 General configuration
--------------------------------------------------------------------------------------------
                Enable = [√] (CHECKED)
--------------------------------------------------------------------------------------------
           Description = [ WAN_dhcp ]"
 
I just double-checked and the only other place in the instructions where "WAN_dhcp" shows up is in the tables of what our Gateways should look like in "Step 4-B: Setting the AirVPN Gateway" (System / Routing).  The originally named "WAN" is referenced everywhere else.  I've used "WAN_dhcp" everywhere.  Is this OK?


I have my pfSense AirVPN working, I'm on 2.3.3 and I am pretty sure some things are a bit odd with this version because no matter how many times I follow the guide I end up with no DNS! I did try with Ver 2.3.2 and it works, but 2.3.3, nope. (I test things like this because I'm a nut)

 

I do part of my setup after install on a monitor connected to the pfSense box. I have a PPPoE to a bridge modem, so I set that up along with the LAN address and range / subnet, then go to a PC and access the admin page and carry on from there. It gets interesting because my set up throws the guide out of step.

 

Anyway, I can get the VPN up doing the CA, Cert, Interface and setting the AirVPN WAN as the gateway in the default LAN rule, that's easy, then I do the rest, but when I do step 8A-1 DNS server and tick everything under DNSSEC then I lose the ability to pull websites, so I don't tick them and leave it at that.

 

Another issue to compound an already confused pfSense user: using the guide's rule for DNS server redirect seems to stop pfBlocker running the DNSBL. Everything works fine but that doesn't run, it won't even load a rule. Five installs using different images and USB sticks to a SSD and I can't get it going. However, leave the rules out, including the aliases, and use the default LAN rule and DNSSEC runs fine. This may just affect me for some reason, I dunno.

 

Of course, given my limited understanding, I would rather have DNS locked down and use the firewall rules in the guide, just have pfBlockerNG do the IPv4 filtering, leaving the privacy and easy list stuff to plugins in the browser until I can find or work out a fix.


 

This is probably just an irrelevant typo, but I thought I'd ask to be sure.  In the instructions at "Step 1-A: Disable DHCPv6 on WAN Interface", it implies we should rename the WAN interface "Wan_dhcp."

 

"1.) Go to: Interfaces / WAN...
 
Set as Follows:
--------------------------------------------------------------------------------------------
 General configuration
--------------------------------------------------------------------------------------------
                Enable = [√] (CHECKED)
--------------------------------------------------------------------------------------------
           Description = [ WAN_dhcp ]"
 
I just double-checked and the only other place in the instructions where "WAN_dhcp" shows up is in the tables of what our Gateways should look like in "Step 4-B: Setting the AirVPN Gateway" (System / Routing).  The originally named "WAN" is referenced everywhere else.  I've used "WAN_dhcp" everywhere.  Is this OK?

 

I think that name came from the set up the guide was based on; mine's just called WAN.


Anyway, I can get the VPN up doing the CA, Cert, Interface and setting the AirVPN WAN as the gateway in the default LAN rule, that's easy, then I do the rest, but when I do step 8A-1 DNS server and tick everything under DNSSEC then I lose the ability to pull websites, so I don't tick them and leave it at that.

 

I'm mostly clueless, but over on the pfSense forums I did a search for Resolver DNSSEC and got some hits. Unfortunately, almost all were unanswered.  But, the indication was that there might be issues with DNSSEC if either IPv6 support is on or if DNS Query Forwarding is checked (I kept that option off in my 2.3.3 setup).  Have you got IPv6 off everywhere?  What happens if you turn off Forwarding?  Also, back in "Step 7-A: System / General Setup", the author said to use only AirVPN's DNS Server (10.4.0.1) in the DNS Server slot.  I decided not to do that and have four DNS servers listed there (though 10.4.0.1 is the first one) with no issues.  What are you using there?  Maybe there's a problem with DNSSEC on whatever DNS Server you're using.


Two main issues with DNS I had

 

1) Air DNS can be slow to respond and doesn't always point me to the nearest option available.

 

2) With some devices not using the VPN I had to create a solution for them.

 

So, I switched off the resolver and forwarder (of pfsense), push DNS to my devices via DHCP, and control access to the DNS I want via firewall rules.

 

The only problems I've run into with this method are that my iftop (monitoring program I use through SSH) doesn't list hostnames but only IP addresses, and to get the Plex web app to work I had to enable Pure NAT in System > Advanced > Firewall & NAT.


 

Anyway, I can get the VPN up doing the CA, Cert, Interface and setting the AirVPN WAN as the gateway in the default LAN rule, that's easy, then I do the rest, but when I do step 8A-1 DNS server and tick everything under DNSSEC then I lose the ability to pull websites, so I don't tick them and leave it at that.

 

I'm mostly clueless, but over on the pfSense forums I did a search for Resolver DNSSEC and got some hits. Unfortunately, almost all were unanswered.  But, the indication was that there might be issues with DNSSEC if either IPv6 support is on or if DNS Query Forwarding is checked (I kept that option off in my 2.3.3 setup).  Have you got IPv6 off everywhere?  What happens if you turn off Forwarding?  Also, back in "Step 7-A: System / General Setup", the author said to use only AirVPN's DNS Server (10.4.0.1) in the DNS Server slot.  I decided not to do that and have four DNS servers listed there (though 10.4.0.1 is the first one) with no issues.  What are you using there?  Maybe there's a problem with DNSSEC on whatever DNS Server you're using.

Thanks for your reply,

 

IPv6 is disabled throughout pfSense, not tried disabling forwarding yet. My DNS servers are OpenDNS. Oddly enough I was searching for DNSSEC and the other setting options; I must have read the same unanswered posts you did.

 



 

This is probably just an irrelevant typo, but I thought I'd ask to be sure.  In the instructions at "Step 1-A: Disable DHCPv6 on WAN Interface", it implies we should rename the WAN interface "Wan_dhcp."

 

"1.) Go to: Interfaces / WAN...
 
Set as Follows:
--------------------------------------------------------------------------------------------
 General configuration
--------------------------------------------------------------------------------------------
                Enable = [√] (CHECKED)
--------------------------------------------------------------------------------------------
           Description = [ WAN_dhcp ]"
 
I just double-checked and the only other place in the instructions where "WAN_dhcp" shows up is in the tables of what our Gateways should look like in "Step 4-B: Setting the AirVPN Gateway" (System / Routing).  The originally named "WAN" is referenced everywhere else.  I've used "WAN_dhcp" everywhere.  Is this OK?

 

 

You need to understand that with each incremental update, the pfSense team makes minor GUI updates. They frequently change the way "buttons" look and the wording on them.  I worked on this guide over the course of 6 or more months, so some minor changes in the GUI show because of it.


Have my guides helped you? Help me keep helping you, use my referral.

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!


That's pretty much what I thought (bits and pieces of the guide done at different times).  I assume that since my naming is consistent, I'm ok.  Thanks.


If anyone reading this uses Cox Communications ( www.cox.com ), can you actually login to their site?  So far, that's the only thing I haven't been able to do.  I can browse their site just fine.  But, can't login.  They claim they don't block access via VPN, but I can login with my phone via the phone network.  I don't know if it's something I did wrong with running through this guide (my setup still looks good to me) or if Cox is lying to me and blocking logins via VPNs.

 

EDIT:  After fighting with this for a while, I decided to flush my DNS caches in case they were bad. So, in my pfSense router, I restarted the DNS Resolver. But, probably more importantly, I did an "ipconfig /flushdns" in Windows. Then I could log in. My face is red.


If anyone reading this uses Cox Communications ( www.cox.com ), can you actually login to their site?  So far, that's the only thing I haven't been able to do.  I can browse their site just fine.  But, can't login.  They claim they don't block access via VPN, but I can login with my phone via the phone network.  I don't know if it's something I did wrong with running through this guide (my setup still looks good to me) or if Cox is lying to me and blocking logins via VPNs.

 

They probably aren't blocking VPNs specifically, but I bet they use some database (like projecthoneypot) to block known offending IP addresses.  Have you tried from different servers?


 

 

 

If anyone reading this uses Cox Communications ( www.cox.com ), can you actually login to their site?  So far, that's the only thing I haven't been able to do.  I can browse their site just fine.  But, can't login.  They claim they don't block access via VPN, but I can login with my phone via the phone network.  I don't know if it's something I did wrong with running through this guide (my setup still looks good to me) or if Cox is lying to me and blocking logins via VPNs.

They probably aren't blocking VPNs specifically, but I bet they use some database (like projecthoneypot) to block known offending IP addresses.  Have you tried from different servers?

 

Not yet.  I checked AirVPN's "Checking Routes" page:

 

https://airvpn.org/routes/

 

two ways.  For www.cox.com, all the servers trying to get to www.cox.com are green (Direct) for Routed To, red (Fail) for Ping, and green (302) for HTTP.  But, for their separate login page:

 

https://www.cox.com/resaccount/sign-in.cox?onfailure=http%3A%2F%2Fwww.cox.com%2Fresaccount%2Flasvegas%2Fsign-in.cox&onsuccess=https%3A%2F%2Fwww.cox.com%2Fresaccount%2Fhome.cox%3Fautherror%3D3%26flr%3D0

 

all the HTTPs are red (Fail).  Of course, the issue isn't browsing to Cox.  It's signing in.  Once I get a chance to change the configuration to log into another server, I'll try it.

 

I don't want to hijack this thread, though.  I just wanted a quick "anyone else" to see if I might have messed up the setup from the guide.  If no one is seeing anything similar, I'll have to start my own thread.  Thanks.

 

EDIT:  After fighting with this for a while, I decided to flush my DNS caches in case they were bad. So, in my pfSense router, I restarted the DNS Resolver. But, probably more importantly, I did an "ipconfig /flushdns" in Windows. Then I could log in. My face is red.


This time, I'm more on topic.  In "Step 3-A: Setting up the OpenVPN Client," it says:

 

--User Authentication Settings
User name/pass      Leave empty when no user name and/or password are needed.
                                   Username: [_______] (Blank/Empty)
                                   Password: [_______] (Blank/Empty)
 

 

With the connection happening through the pfSense box, how DOES the AirVPN server know we're authorized?  I've only logged onto the site via my browser.  I don't have anything in those fields on the pfSense box.  Yet the site knows all about my connection.  Is the login information part of the certificate?


This time, I'm more on topic. In "Step 3-A: Setting up the OpenVPN Client," it says:

--User Authentication Settings

User name/pass      Leave empty when no user name and/or password are needed.

Username: [_______] (Blank/Empty)

Password: [_______] (Blank/Empty)

With the connection happening through the pfSense box, how DOES the AirVPN server know we're authorized? I've only logged onto the site via my browser. I don't have anything in those fields on the pfSense box. Yet the site knows all about my connection. Is the login information part of the certificate?

I assumed that the user information is stored within the generated key once obtained when you have logged into the site and downloaded the file with the data in.

I'm sure that someone better informed could confirm that.


 

 

This is probably just an irrelevant typo, but I thought I'd ask to be sure.  In the instructions at "Step 1-A: Disable DHCPv6 on WAN Interface", it implies we should rename the WAN interface "Wan_dhcp."

 

"1.) Go to: Interfaces / WAN...
 
Set as Follows:
--------------------------------------------------------------------------------------------
 General configuration
--------------------------------------------------------------------------------------------
                Enable = [√] (CHECKED)
--------------------------------------------------------------------------------------------
           Description = [ WAN_dhcp ]"
 
I just double-checked and the only other place in the instructions where "WAN_dhcp" shows up is in the tables of what our Gateways should look like in "Step 4-B: Setting the AirVPN Gateway" (System / Routing).  The originally named "WAN" is referenced everywhere else.  I've used "WAN_dhcp" everywhere.  Is this OK?

 

You need to understand that with each incremental update, the pfSense team makes minor GUI updates. They frequently change the way "buttons" look and the wording on them.  I worked on this guide over the course of 6 or more months, so some minor changes in the GUI show because of it.

This happens with some other 'updates' for various things; the developers often say it's improvements but I believe they do it to keep our lives interesting :-)


 

With the connection happening through the pfSense box, how DOES the AirVPN server know we're authorized? I've only logged onto the site via my browser. I don't have anything in those fields on the pfSense box. Yet the site knows all about my connection. Is the login information part of the certificate?

I assumed that the user information is stored within the generated key once obtained when you have logged into the site and downloaded the file with the data in.

I'm sure that someone better informed could confirm that.

I think the key is unique to each user; it replaces the need for plain text user details. That's my understanding of it.

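The question above (empty Username/Password fields in Step 3-A) and the two replies come down to what authentication material the client config carries. As an added example, not from the thread, the guide or AirVPN, the Python below parses an OpenVPN client config in the shape pfSense generates and reports whether the client identifies itself by certificate, by username/password, or both, and whether it verifies the server's certificate. The sample config is constructed with placeholder PEM bodies and a reserved example hostname.

```python
import re

# Constructed sample of a certificate-authenticated client config: no
# auth-user-pass line, identity comes from the <cert>/<key> pair. The PEM
# bodies are placeholders, not real key material.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER CLIENT CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER CLIENT KEY
-----END PRIVATE KEY-----
</key>
"""

def parse_ovpn(text: str):
    """Split a .ovpn into directives [(name, args)] and inline <tag>...</tag>
    blocks. OpenVPN accepts either 'cert client.crt' or an inline <cert> block."""
    directives, blocks = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            tag, body = m.group(1), []
            for inner in lines:          # consume until the matching close tag
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            blocks[tag] = "\n".join(body)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks

def auth_material(text: str) -> dict:
    """Report how the client identifies itself and whether it checks the server."""
    directives, blocks = parse_ovpn(text)
    names = {name for name, _ in directives}

    def present(item: str) -> bool:      # file directive or inline block
        return item in names or item in blocks

    has_cert = present("cert") and present("key")
    has_userpass = "auth-user-pass" in names
    if has_cert and has_userpass:
        mode = "certificate+user-pass"
    elif has_cert:
        mode = "certificate"   # the cert's subject is the identity; no username needed
    elif has_userpass:
        mode = "user-pass"
    else:
        mode = "none"
    # A CA plus 'remote-cert-tls server' makes the client reject any peer whose
    # cert is not a server cert issued by that CA (another client's cert included).
    return {"mode": mode,
            "verifies_server": present("ca") and "remote-cert-tls" in names}

if __name__ == "__main__":
    print(auth_material(SAMPLE_CONFIG))
```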

Perhaps related to the Authorization question I raised a few posts back:  does the VPN need to be "logged off" after some period of time?  Last night, I lost all internet access (though I could still ping sites and resolve addresses via pfSense).  This morning, I finally tried restarting the "OpenVPN Client: AirVPN" in pfSense and everything came back up.  I've got "Services Status" sitting on my pfSense Dashboard and there was no indication that something was wrong.

 

I had restored a Configuration some time in there.  Maybe it's a good thing to restart the OpenVPN client when I do that.


I'm just checking back in as the only major thing remaining on my "I want to do with pfSense" (I've cracked VPN and traffic shaping - remote access almost done) is setting up a proxy.  Is there definitely no way to use Squid with this setup with leakage?  Maybe it's possible to use squid for non-vital IPs/devices, with other devices going via the VPN?

 

Or, are there other proxies/methods available that do work?


Perhaps related to the Authorization question I raised a few posts back:  does the VPN need to be "logged off" after some period of time?  Last night, I lost all internet access (though I could still ping sites and resolve addresses via pfSense).  This morning, I finally tried restarting the "OpenVPN Client: AirVPN" in pfSense and everything came back up.  I've got "Services Status" sitting on my pfSense Dashboard and there was no indication that something was wrong.

 

I had restored a Configuration some time in there.  Maybe it's a good thing to restart the OpenVPN client when I do that.

In the 18 months I have used a VPN with pfSense I have never had to log off the VPN; it's kept running until it fails of its own accord. I'm new to AirVPN but I expect to have the connection always on in the same way.

 

One thing I have learnt is if you import a config file then restarting the vpn is sometimes needed, after the restore pfsense reboots but sometimes the vpn goes off on a tangent and needs a restart.


Okay, I read all 15 pages, however I may have simply overlooked it. 

 

How do I only allow certain IPs to go on the VPN? I do not want all of the traffic to route over the VPN.

