pfSense_fan

ANSWERED How To Set Up pfSense 2.3 for AirVPN

Hello pfSense_fan.

 

Thank you very much for creating and maintaining this guide. I have just renewed my AirVPN subscription for another year, and I used your referral link to do so. Please let me know if you do not receive credit for the referral and my purchase.

 

Thank you again for this wonderful guide.


Hey thanks again for your guides.

 

I am on pfSense 2.4 and this option on the OpenVPN config page no longer exists:

 

Server Host Name Resolution = [√] Infinitely Resolve Server

 

So I am wondering: this setting is supposed to make sure that when using a pool of servers, i.e. de.vpn.airdns.org, when their DNS changes to a new DE server, pfSense picks it up and switches.

 

I'm not sure, but I don't think 2.4 is doing that. But maybe that setting isn't doing what I think it's doing. Is there a way to get pfSense to do what I want? (i.e., resolve the pool DNS name and switch the VPN over to a new IP if it changes?)

 

Thanks!

 

Edit: Never mind, I found it in the ovpn file,

 

resolv-retry infinite;

 

can be placed in the advanced box.


Hey guys, 

 

I don't know if this was already discussed (if yes, please point me to that post, it saves me time reading through all the pages)

 

After using the instructions in the tutorial, my whole traffic is being routed through the VPN, which is exactly what I wanted.

But I have a question: how can I bypass the VPN for just 2-3 domains, for example www.google.com? These shouldn't use the VPN. I guess I need an extra outgoing / outbound rule for LAN, right?

 

 

Best regards,

simpty

 



I would create an alias for the domains I want outside VPN.  You could also make an alias for the devices you want to be able to access those domains in case you don't want all devices to access those domains via the WAN.

 

Then create outgoing NAT rule to allow your network, or your device alias, to access the allowed domains alias.  Make sure the interface used for that NAT outgoing rule is your WAN.

 

Then create LAN firewall rule(s) to allow the traffic using the aliases as well, making sure (in advanced) that the interface used is WAN.

 

The order of your rules matters so if the same devices access VPN and WAN depending on domain you'll need to put the new rule above the rule allowing access to VPN tunnel.


I am going to use multiple WAN connections. I already set up AirVPN with pfsense 2.3.4_1.

Is there any step-by-step guide on how to do it? I am not an expert with VPNs.

 

Thank you


I've managed to set up a way to route some IPs via the VPN and some not via the VPN by creating a new non-VPN gateway and then an alias for the URLs I want to go via the non-VPN.

 

However, the problem I have now is I want some of the IPs on the VPN to be able to talk on the LAN to IPs not on the LAN, e.g. IP1 on the VPN to be able to talk to Plex on the clearnet on port 32400.

 

Has anyone solved this problem or can tell me how to please.



I'm not sure if I understand what you've done. I have my network with some devices using VPN, some not, but they can all see each other on the local network. I didn't create any new gateway. I do use aliases and create NAT outgoing and firewall rules to control what interface aliases can use.


For Step 4B part 3, should 'Gateway Action' also be ticked?  It looks similar to 'Gateway Monitoring' and I think it's a new option in pfSense.

 

Thanks


Thank you go558a83nk for explaining that! But... I'm just a beginner and don't know how to do all this. The only thing I can do is follow tutorials.



If gateway monitoring is disabled, there's no reason to check the option to disable gateway action, as it's not monitored anyway.


I have pfsense running with WAN + 3 VPN connections and set up policy-based routing. Certain destination IP ranges are accessed via different VPN connections (= locations). That worked well for a few years, but recently share-online stopped working, telling me that I am trying to use the account with different IPs or that my IP is already loading. Do they simply block VPN now, or can they somehow detect that I have multiple WAN connections?



They can see you are accessing from 3 different addresses, as each one has a different IP address. For some services I use a selective routing rule to force traffic out of a specific gateway rather than a gateway group, which gets round this.


Can you explain in detail, please? Under "Firewall / Rules / LAN" I have the following rule:

[Screenshot: airvpn_eu3as2h.jpg]

Under the EU alias are all the destination IP ranges of the share-online servers. Worked well but suddenly stopped, and they seem to detect that I have a multiple WAN setup.


Need a little help: got the OpenVPN server working and it connects from outside fine, but the kicker is it has no network or internet access once I connect. I know it is a rule, but I cannot figure out the rule that I need to add to make traffic pass.

Also, I had to disable any rule for the OpenVPN server... to make sure it worked; it did connect, but that is all it does. Any help with a rule for the way it is set up would be great.


I upgraded to PFSense 2.4 today. It broke my PFSense connectivity completely. I have my PFSense configured as instructed in this thread by pfSense_fan. I do, however, use a 4-port NIC and utilize all 4 ports. I have a WAN, LAN (open Internet), AIRVPN 1 LAN, and AirVPN 2 LAN. Everything has been working and updating fine since PFSense 2.3. After the update today to 2.4, I have lost all internet connectivity, including the open internet LAN port. The internet icon on my Windows 7 taskbar shows that I do have internet, but no web pages will load. I backed up my PFSense configuration before upgrading and have now reloaded PFSense 2.3.4 along with my saved configuration file. Everything works again with PFSense 2.3.4. I have tried to upgrade to 2.4 a couple of times in the last couple of hours; it just does not work for me. If anyone has had the same problem and found a solution, please post it in this thread.

 

EDIT: I finally got it working. It seems that if OpenVPN is configured to use port 1194 no connection will occur. If I use ports 53, 80, 443, or 2018, I can connect without any problem. I was using port 1194 without issue with PFSense 2.3.4.

 

EDIT 2: Now the only port that I can use to connect is 443. I can't get internet access using any other port. My speeds are also somewhat slower using PFSense 2.4. I'm going back to 2.3.4. It is stable and I can connect using any port that AirVpn allows. I think PFSense 2.4 may have been released before it was ready.

 

EDIT 3: This will be my final edit.

 

I want to now post that apparently there was something wrong with my previous PFSense 2.3.4 configuration which prevented PFSense 2.4 from updating properly. After trying to use my saved 2.3.4 configuration files on both upgrades and fresh installs, I was never able to avoid problems.

 

Over the weekend, I did a fresh install of PFSense 2.4 and manually configured it using pfSense_fan's 2.3 guide, which I slightly modified only to use two AIRVPN interfaces as well as an open LAN interface, as described in his PFSense 2.1 guide. PFSense is again working as it should for me. It will now connect using any of the ports that AIRVPN allows. I don't know what was wrong with my previous configuration, since it worked perfectly and upgraded from Pfsense 2.3 to 2.3.4 without any problems or DNS leaks, but I am pleased to say that Pfsense 2.4 is indeed working perfectly with AIRVPN after the fresh install and manual configuration. Thanks again to pfSense_fan for providing this GREAT and detailed guide.



It is difficult to suggest a solution without seeing your 2.3.4 configuration. Perhaps posting screenshots would be beneficial.

 

IIRC there were issues with DNS Forwarder and DNS Resolver when upgrading from 2.3.4 (with pfBlockerNG and Suricata) to 2.4-RC. Neither pfBlockerNG nor Suricata functioned properly in 2.4-RC. I installed 2.4-RC without packages, configured AirVPN, and installed updates when released. No issues upgrading from 2.4-RC to 2.4.0-RELEASE. I have not yet installed any packages.


Using PfSense 2.4.2... Airvpn works great and I didn't change my config.

Sent from my iPad using Tapatalk


- Router/Firewall pfSense 2.3.2 (Supermicro A1SRi-2558, SSD Intel S3500, 8GB RAM ECC)

- Switch Cisco SG350-10

- AP Netgear R7000 (Stock FW)

- HTPC Intel NUC5i3RYH

- NAS Synology DS1515+ (5 x 5TB WD Red)

- NAS Synology DS213+ (2 x ST3000DM001)


Great guide.

 

Given the recent WPA2 WiFi vulnerabilities, I think it would be prudent to add firewall rules to the guide as an optional section to restrict access to the management interface. The default configuration of pfSense allows management access from any machine on the LAN and denies it to anything outside of the local network (WAN). There is also the anti-lockout rule, enabled by default, that prevents firewall rules from being configured in a way that will lock the user out of the web interface. Given that a lot of users connect a wireless AP to pfSense, compromising the AP will give access to the pfSense GUI, thus hardening access to the GUI would be prudent.

 

I was thinking a good way to restrict access for most users would be to allow admin user(s) to join the PfSense control panel via an approved static IP on their desktop and ban all other users. So I guess you would need two rules on the firewall: one for the approved IP and the other to block the rest.

 

How would you go about writing something like that and add it to the guide?

 

Cheers,


I am pretty new to all this stuff and I have everything up and running and am slowly learning the ins and outs.

I have spent the last couple of days trying to get certain IPs / ranges to bypass the VPN. After much trial and reading I have yet to find a solution. I presume this is because of settings that are unique to this guide. I found this below and I think it's the answer to my problems, but I am unsure where to implement these rules.

 

  "I just finished figuring out how to split my subnet so IPs in the range of 192.168.1.2 to 192.168.1.127 go through the VPN while IPs 192.168.1.128 to 192.168.1.254 bypass the VPN.  As you stated, it does require NAT rules to be left in place when you switch to manual.

 

The trick is to duplicate each of the manually generated ones and simply change the interface to the VPN connection interface.  When finished, you should have pairs for:

  • Source: subnet, Destination port 500
  • Source: subnet, Destination port *
  • Source 127.0.0.0/8, Destination port *

The only difference between each entry in each pair is the interface.  They should appear in that order, with each interface being covered by each source/destination port:

  • Source: subnet, Destination port 500, Interface WAN
  • Source: subnet, Destination port 500, Interface VPN
  • Source: subnet, Destination port *, Interface WAN
  • Source: subnet, Destination port *, Interface VPN
  • Source 127.0.0.0/8, Destination port *, Interface WAN
  • Source 127.0.0.0/8, Destination port *, Interface VPN

I then use firewall rules to guide each half of the subnet through either the VPN or through the WAN interface gateway.  I think this is very useful for folks who want to send their media players (Apple TV, etc) through the VPN while leaving their computers passing through the regular interface.

 

That being said, each person's setup is going to be unique.  I did have to refer to the guide that worked for a previous VPN to figure out why my desired setup wouldn't work given the instructions here.  That's when I realized I was missing the six NAT rules." 

 

 

tl;dr can someone tell me how to do this in more detail ^

I understand the post, but under NAT in the guide there are only 2 entries instead of 3.
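Added example, not from this thread or from pfSense_fan's guide: a small Python model of pfSense's first-match LAN rule evaluation, using constructed aliases and addresses, to show the ordering points raised in the bypass, split-subnet and GUI-restriction posts above. The WAN-gateway rule must sit above the catch-all rule that points at the AirVPN gateway, the /25 split works the same way, and a block rule for the web GUI is shadowed by the anti-lockout rule until that rule is disabled. Note that pfSense matches on the IPs a hostname alias resolves to, not on domain names.

```python
import ipaddress

# Constructed aliases for illustration; none of these addresses are from the thread.
ALIASES = {
    "BYPASS_HOSTS": ["203.0.113.10", "203.0.113.11"],  # IPs the bypass alias resolves to
    "ADMIN_PC": ["192.168.1.10"],                       # the admin's approved static IP
    "THIS_FIREWALL": ["192.168.1.1"],                   # pfSense's LAN address
}

def _addr_ok(spec, addr):
    """spec is 'any', an alias name, or a literal host/CIDR."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)

def evaluate(rules, pkt):
    """pfSense rules are 'quick': the first matching rule, top to bottom, wins.
    Returns (action, gateway); no match falls through to the implicit default deny."""
    for r in rules:
        if (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
                and r["dport"] in ("any", pkt["dport"])):
            return r["action"], r.get("gateway", "default")
    return "block", None

def gateway_for(rules, src, dst, dport=443):
    return evaluate(rules, {"src": src, "dst": dst, "dport": dport})[1]

# Bypassing a few destinations (go558a83nk's advice): the WAN rule must sit ABOVE
# the catch-all rule whose gateway is the AirVPN interface, or it never fires.
BYPASS_RULES = [
    {"action": "pass", "src": "192.168.1.0/24", "dst": "BYPASS_HOSTS", "dport": "any", "gateway": "WAN_DHCP"},
    {"action": "pass", "src": "192.168.1.0/24", "dst": "any", "dport": "any", "gateway": "AIRVPN_GW"},
]
# Split subnet from the quoted post: .128-.254 out the WAN, everything else via the VPN.
SPLIT_RULES = [
    {"action": "pass", "src": "192.168.1.128/25", "dst": "any", "dport": "any", "gateway": "WAN_DHCP"},
    {"action": "pass", "src": "192.168.1.0/24", "dst": "any", "dport": "any", "gateway": "AIRVPN_GW"},
]

# Restricting the web GUI: pfSense's anti-lockout rule is evaluated before the LAN
# tab's user rules and passes LAN -> GUI port, so a block rule under it is dead
# until the anti-lockout rule is disabled under System > Advanced > Admin Access.
def gui_access(src, anti_lockout_enabled):
    anti_lockout = [{"action": "pass", "src": "any", "dst": "THIS_FIREWALL", "dport": 443}]
    user_rules = [
        {"action": "pass", "src": "ADMIN_PC", "dst": "THIS_FIREWALL", "dport": 443},
        {"action": "block", "src": "any", "dst": "THIS_FIREWALL", "dport": 443},
    ]
    rules = (anti_lockout if anti_lockout_enabled else []) + user_rules
    return evaluate(rules, {"src": src, "dst": "192.168.1.1", "dport": 443})[0]
```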


OK I solved the issue!

All I had to do was create a rule under Firewall > NAT > Outbound with the interface set as WAN_DHCP and the source set to any, and put this rule at the bottom of the list. After that my firewall redirect rule under the LAN tab worked just fine. I guess the guide had me deleting the default entry and that is what caused the issue.


I searched this thread and I couldn't find much, but:

  1. VPN
  2. OpenVPN
  3. Clients
  4. Edit

    america.vpn.airdns.org sometimes doesn't work. I had this problem before and had to put in the server manually, but I want it to be able to reconnect.

    What is the correct host name now?

 

