pfSense_fan

ANSWERED How To Set Up pfSense 2.3 for AirVPN

It all depends on what you want to achieve. If you just want to either use the VPN WAN or the regular ISP WAN (i.e. only one at a time for all clients in the home) then what you are proposing is possible without a VLAN capable switch or Wireless Access Point. One of the physical router ports is then used for the VPN subnet, another for the Clearnet subnet. Switching the cable from the switch (or WAP) to the router from one router port to the other will then allow you to use either one or the other. This is then the subnet that all clients behind the switch / WAP will use. If you want a more sophisticated setup, with some clients in one subnet and others in the other subnet and also routing between the two subnets, you either need a smart switch (like in my drawing) or a WAP that supports multiple SSIDs, each mapping to a different VLAN ID. If there is no need for routing between the two subnets you could use two switches (one each behind the two router ports), but that is a very contrived setup imho.


Hello,

I have tried to get AirVPN running under pfSense 2.4.5 following several guides, including this one.
Unfortunately, always with the same result.

I have taken great care to configure the parameters according to the tutorial and my config file, but it seems that the client never receives a response from the server:

Apr 10 23:27:28 openvpn 7197 TCP/UDP: Preserving recently used remote address: [AF_INET]178.162.204.219:443
Apr 10 23:27:28 openvpn 7197 Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 10 23:27:28 openvpn 7197 UDPv4 link local (bound): [AF_INET]192.168.1.100:0
Apr 10 23:27:28 openvpn 7197 UDPv4 link remote: [AF_INET]178.162.204.219:443

(no log entry after that, VPN status stays pending)

With my own VPN server, the connection could be established without problems. I immediately saw the complete connection setup in the log here.

What could I miss in this case? 

18 hours ago, dIecbasC said:

increase your log verbosity and post a full connection log for us. 

Apr 11 18:25:18 	openvpn 	2887 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 11 18:25:18 	openvpn 	2887 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 11 18:25:18 	openvpn 	2887 	TCP/UDP: Preserving recently used remote address: [AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 link local (bound): [AF_INET]192.168.1.100:0
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 link remote: [AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Apr 11 18:25:18 	openvpn 	2887 	SENT PING
Apr 11 18:25:18 	openvpn 	2887 	TIMER: coarse timer wakeup 1 seconds
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:18 	openvpn 	2887 	ACK mark active outgoing ID 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: Initial Handshake, sid=40b6e54b 69557143
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_can_send active=1 current=1 : [1] 0
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send ID 0 (size=4 to=2)
Apr 11 18:25:18 	openvpn 	2887 	ENCRYPT HMAC: 000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe[more...]
Apr 11 18:25:18 	openvpn 	2887 	ENCRYPT TO: 000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe[more...]
Apr 11 18:25:18 	openvpn 	2887 	Reliable -> TCP/UDP
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send_timeout 2 [1] 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: timeout set to 2
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	RANDOM USEC=183806
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 WRITE [86] to [AF_INET]178.162.204.219:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=40b6e54b 69557143 tls_hmac=000968ce 031eb632 9a9d85ac 4af7b91c c5d279eb 93c60a34 73843421 af95cfe7 6437d462 b78b019b 5cb6ac8b ef2b2fcb 25e16404 dd370152 ef0821ba 8f1bd43e pid=[ #1 / time = (1586622318) Sat Apr 11 1
Apr 11 18:25:18 	openvpn 	2887 	UDPv4 write returned 86
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_can_send active=1 current=0 : [1] 0
Apr 11 18:25:18 	openvpn 	2887 	SSL state (connect): before/connect initialization
Apr 11 18:25:18 	openvpn 	2887 	SSL state (connect): SSLv2/v3 write client hello A
Apr 11 18:25:18 	openvpn 	2887 	ACK reliable_send_timeout 2 [1] 0
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_process: timeout set to 2
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:18 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=5 arg=0x006a6f90
Apr 11 18:25:18 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=4 arg=0x006a5de8
Apr 11 18:25:18 	openvpn 	2887 	I/O WAIT T?|T?|SR|Sw [1/183806]
Apr 11 18:25:19 	openvpn 	2887 	event_wait returned 0
Apr 11 18:25:19 	openvpn 	2887 	I/O WAIT status=0x0020
Apr 11 18:25:19 	openvpn 	2887 	TIMER: coarse timer wakeup 1 seconds
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=40b6e54b 69557143, stored-sid=00000000 00000000, stored-ip=[AF_INET]178.162.204.219:443
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Apr 11 18:25:19 	openvpn 	2887 	ACK reliable_can_send active=1 current=0 : [1] 0
Apr 11 18:25:19 	openvpn 	2887 	ACK reliable_send_timeout 1 [1] 0
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_process: timeout set to 1
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=8a2cbff4 e4dabc19, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:19 	openvpn 	2887 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Apr 11 18:25:19 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=5 arg=0x006a6f90
Apr 11 18:25:19 	openvpn 	2887 	PO_CTL rwflags=0x0001 ev=4 arg=0x006a5de8
Apr 11 18:25:19 	openvpn 	2887 	I/O WAIT T?|T?|SR|Sw [1/183806] 


Check your TLS key config and cipher settings. This doesn't look too clever. 

TLS Warning: no data channel send key available
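As an added example (not from this thread, AirVPN or pfSense), a small Python checker for the kind of verbose OpenVPN client log posted above: it confirms that the 'Local' and 'Expected Remote' options strings are complementary (only keydir and the tls-client/tls-server role may differ) and counts UDPv4 WRITE against READ events, so a handshake that goes out and is never answered is reported as such. The embedded log excerpt is constructed from the lines posted above, and the regexes assume OpenVPN's standard verbose client log format.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the verbose client log posted above (not the full log).
SAMPLE_LOG = """\
Apr 11 18:25:18 openvpn 2887 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 11 18:25:18 openvpn 2887 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 11 18:25:18 openvpn 2887 UDPv4 WRITE [86] to [AF_INET]178.162.204.219:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=40b6e54b 69557143
Apr 11 18:25:18 openvpn 2887 UDPv4 write returned 86
Apr 11 18:25:19 openvpn 2887 I/O WAIT T?|T?|SR|Sw [1/183806]
"""

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String \(VER=V4\): '([^']*)'")
IO_RE = re.compile(r"UDPv4 (WRITE|READ) \[\d+\] (?:to|from) \[AF_INET\]([\d.]+:\d+)")

def parse_options(s):
    """'V4,dev-type tun,keydir 1,tls-auth,...' -> {'dev-type': 'tun', 'keydir': '1', 'tls-auth': '', ...}"""
    opts = {}
    for item in s.split(',')[1:]:            # drop the leading 'V4' version tag
        key, _, value = item.partition(' ')
        opts[key] = value
    return opts

def options_mismatches(local, remote):
    """Option names that differ beyond the two legitimate client/server complements."""
    diffs = []
    for key in sorted(set(local) | set(remote)):
        if key in ('tls-client', 'tls-server'):  # role flag: one side carries each
            continue
        if key == 'keydir':                      # tls-auth key direction must be 1 vs 0
            if {local.get(key), remote.get(key)} != {'0', '1'}:
                diffs.append(key)
        elif local.get(key) != remote.get(key):  # everything else must agree exactly
            diffs.append(key)
    return diffs

def analyse(log):
    """Summarise a client log: option consistency plus whether the peer ever answered."""
    strings = dict(OPTS_RE.findall(log))
    io, peers = Counter(), set()
    for direction, peer in IO_RE.findall(log):
        io[direction] += 1
        peers.add(peer)
    local = parse_options(strings.get('Local', 'V4'))
    remote = parse_options(strings.get('Expected Remote', 'V4'))
    # WRITE with no READ: the handshake left the box and nothing came back. A tls-auth key or
    # key-direction mismatch makes the server drop it silently, as would a wrong entry IP/port.
    return {'option_mismatches': options_mismatches(local, remote),
            'writes': io['WRITE'], 'reads': io['READ'], 'peers': sorted(peers),
            'no_reply': io['WRITE'] > 0 and io['READ'] == 0}
```

Run `analyse()` over the full log; a non-empty `option_mismatches` list points at the pfSense client settings, while `no_reply` with an empty list points at the key file, the entry IP/port or the path to the server.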


The other thing I've seen trip folks up is making sure you connect to the right endpoint on the AirVPN server; there's a TLS connection when you generate your certificate etc.

 

[attached image: airvpn.jpg]


The guide posted at https://nguvu.org/pfsense/pfsense-baseline-setup/ has been updated for 2.4.5, and the person who runs the site does a brilliant job explaining the steps. A massive amount has not changed in the pfSense configuration, but there are a few performance tweaks and settings dealing with encryption/ciphers. Also, while the guide is set up for a multi-LAN/multi-WAN (redundancy) configuration, those not needing that can skip those steps easily without mucking up the setup.


Hello AirVPN Community!

I've been using AirVPN for years now but I'm really stuck and would appreciate your valuable input in helping resolve an issue that I have had for the past few weeks. Troubleshooting using some of the recommendations in various threads on here unfortunately has not resolved the issue for me.
I have been running OpenVPN on pfSense for a few years following the setup guide here. However, over the past few weeks I noticed that my download speeds seemed to have dropped from 200mb to around 60mb. I suspected that it was down to all the people now working remotely and "clogging up the pipes", but this seemed to have dropped further to around 30mb. I can connect directly to my router to bypass the VPN and can achieve over 200mb throughput on my 200mb line.

I got researching and it seemed that there was another setup guide to complement this one with a few updated sections: https://nguvu.org/pfsense/pfsense-baseline-setup/ so off I went and updated my OpenVPN settings to match the settings in the guide. This is where I get the Doh! moment: I now achieve download speeds of around 10mb, sometimes less!😭

CPU
Intel(R) Celeron(R) CPU N3160 @ 1.60GHz

4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
usage seems to sit between 10 and 20%

and memory usage at around 17%

The things I've tried:
Changing "Auth digest algorithm" from SHA512 to SHA256
Adding AES-256-CBC to the existing AES-256-GCM NCP Algorithms
Hardware crypto options changed as per:
I currently have the same "Custom options" from the updated guide:
client; persist-key; persist-tun; remote-cert-tls server; prng sha256 64; mlock; auth-nocache;

I have also tried:

sndbuf 524288;rcvbuf 524288;client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

and

socket-flags TCP_NODELAY;
auth-nocache;
mlock;
key-direction 1;
tls-version-min 1.2;
key-method 2;
tls-timeout 2;
remote-cert-tls server;
mssfix 0;
tun-mtu 20000;
explicit-exit-notify 5;
persist-key;
persist-tun;
prng sha256 64;


Each time I change the settings I test the speed to see if there is any difference but overall not much.
I'm using Speedtest.net and https://sourceforge.net/speedtest/ to test speeds.

I've also got Snort, Service Watchdog and pfBlockerNG-devel running.
The Gateway status shows Online with 0.0% loss.
All interfaces are up.

Any help or guidance would be greatly appreciated!

On 4/29/2020 at 1:33 PM, BuiltOnSelfSuccess said:

(quotes the post above in full)

I've now also tried the recommendations here: https://docs.netgate.com/pfsense/en/latest/interfaces/low-throughput-troubleshooting.html#vpn-mtu-issues

I disabled pfBlockerNG

I disabled Snort

Still I'm stuck with 10mb download speed and 20mb upload on a 200/20 line.....

23 hours ago, BuiltOnSelfSuccess said:

(quotes the previous post)

In the end all I did was change to a different server with a different entry IP, I get over 200mb throughput now.

Thank you for the replies.


I did a new install of pfSense 2.4.5 following this guide. Everything looks good, but I can't seem to get an IP from the DHCP server on VLAN20 (VPN).
This is from the log:

Jul 4 14:22:09 dhcpd   DHCPOFFER on 10.0.20.100 to 94:de:80:f8:59:d4 (VPN-PC) via igb2.20
Jul 4 14:22:09 dhcpd   DHCPDISCOVER from 94:de:80:f8:59:d4 (VPN-PC) via igb2.20
So it seems like the DHCP server sees the client and offers an IP in the correct subnet, but there is no DHCPACK from the client afterwards. I tried with different machines also.
Other VLANs work fine. Clients get IPs.
Something I forgot for VLAN20? Some firewall rule?


Is your computer/machine directly plugged into the pfSense firewall?
Did you try restarting the DHCP server?
It is my understanding that firewall rules have no impact on the DHCP server and IP assignment.


Correct, I followed the guide on nguvu.org.

I found the error with the VLAN - turns out I forgot about an old ACL on this interface on the switch. When I deleted it all worked as intended! 😁
