Jump to content
Not connected, Your IP: 100.24.122.228
pfSense_fan

How To Set Up pfSense 2.3 for AirVPN

Recommended Posts

Yes, he guide is awesome and I would not hesitate buying him a couple of beers. But I bought a 4 port nic for segmentation so I want to be able to

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

Share this post


Link to post

The box is not hosed, I did not do a back up. What's happening is the block-all-dns rule is blocking the devices on that lan segment. If I disabled that rule devices get Internet but I leak dns.

 

I also have a 3 nic setup and I believe the guide is made for a 2 nic. I will check out the other guide and report back.

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

Crazy, crazy, so i left the rule on and was going to deal it later. Went to bed and later today I happen to notice that my device is online. Checked it and with the rule i get traffic and im not leaking. not sure what happened. 

Share this post


Link to post

Strange stuff, oh yeah I have bought him many beers ! Let us know how that p2p forwarding guide if it was any good may have to try it eventually once I am fixed.

Share this post


Link to post

I've not tried port forwarding with pfsense.  for p2p I run a linux VM and use Eddie.  The linux VM is routed to the WAN, not the openvpn interface.

Share this post


Link to post

 

 

Worth going over the guide setting by setting, its so easy to make a mistake or one wrong check box or tick ! in fact I have yet to get it fully working myself. I had no websites when I first did the new updated 2.3 guide but then forgot I have 10.4.0.1 under my network adaptor DNS server settings under TCP/ipv4.

 

Hi,

 

Thanks for the reply. Although it's not really helpful. I redid the settings 3 times (one time with a complete fresh install of pfsense). Our router and server are my responsilbility, but my girlfriend is actually much better with computers, so I put aside my pride and asked her to check the configuration. She also didn't find a wrong setting. I then decided to (temporarily) move back to the 2.1 settings, but this guide got updated ever since I first used it. So even with the less secure settings, we had the same problems.

 

I then googled for an alternative guide and found one by nvugu

I roughly followed the guide; I don't need vlans, so I combined the applicable firewall and nat rules from the VPN and MGNT (anti lockout) vlan. I also disabled ipv6 as mentioned in the beginning of this topics guide. We now have smooth internet browsing and all ports seem to be closed, unless I specify them in the port alias. I don't know a lot about firewalls, so I don't know what the exact differences between the guides are. What I did notice though was nvugu doesn't use 'DNSSEC' and the "Experimental Bit 0x20 Support" and the DNS firewall rules are different.

 

 

After setting it up, how long did you let the DNS Resolver (Unbound) run before attempting to change a setting? DNSSEC requires a bit of time to negotiate. Another possibility is that DNSSEC is not available on all air servers, I can't be sure of that. I do use these settings so I know they work.

 

That being said the only appreciable difference between that guide and mine is DNSSEC. I am considering removing DNSSEC from the basic guide and moving the option to an additional/optional step.

 

Hi,

 

So I still have configured my router using the nvugu guide. I turned DNSSEC back on and nothing changed. I "hoped" websites would stop loading, but all of them still work (directly after switching it on and even now after a week or so). So DNSSEC is not the (only) problem when I used your guide. It has to be in the NAT rules or a combination of several settings. Maybe a plugin is interfering or something in my hardware, who knows. For me it is too much of a hassle to figure it out (no time and too little firewall knowledge).

 

Thanks for all the help so far.

Share this post


Link to post

Been tinkering it a bit more and unchecked "Experimental Bit 0x20 Support" under DNS resolver here:

https://192.168.1.1/services_unbound_advanced.php

 

I now have ipleak loading successfully with detected dns working fine, also dnsleak site works fine with both standard and extended test working ok. All websites appear to load nice and fast especially ipleak, but I will see if its stable and reliable that I have to test over the next day or 2.

 

This is with ;

 

DNS set to 10.4.0.1-under general settings

DNSSEC -unchecked under resolver settings

Experimental bit 0x20- unchecked under resolver settings

 

Doubt its a fix for you guys but not sure maybe give it a try and disable Experimental Bit 0x20 Support ?

Share this post


Link to post

Hello,

 

I have an atom n270 powered nettop w/2gb ram, 120gb hdd. It works great with the old pfsense guide over my 5mbit connection.

 

Now I have a 200/12mbit connection too and I was thinking of setting up pfsense+vpn for it.

 

Will my atom n270 nettop cope with my 200/12mbit line? What sort of speeds am I looking at via VPN?

Share this post


Link to post

This model is almost a decade old, and even then it was an Atom.

You would probably have the same speeds as a home router.

You're right, it's definitely ancient. I just finished installing pfsense 2.3.1 on the atom-powered nettop and a test on speedtest.net comes up at 93.35/12.44. It's less than half of the full 211mbit speed I can get and I have not setup the VPN yet.

 

What kit would you recommend for a 211mbit connection? My budget is $500.

 

Thanks in advance.

Share this post


Link to post

 

This model is almost a decade old, and even then it was an Atom.

You would probably have the same speeds as a home router.

You're right, it's definitely ancient. I just finished installing pfsense 2.3.1 on the atom-powered nettop and a test on speedtest.net comes up at 93.35/12.44. It's less than half of the full 211mbit speed I can get and I have not setup the VPN yet.

 

What kit would you recommend for a 211mbit connection? My budget is $500.

 

Thanks in advance.

 

I would go with this: http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-2558F.cfm

 

regards

Share this post


Link to post

I decided to go with a full i5 computer instead of the Supermicro route.  that way if I decided to get out of PFsense one day, i could repurpose the computer for a server or HTPC.  This is what I bought and it could do 1gb internet connection easily.  

 

If you want a prebuilt machine, look at Netgate here http://store.netgate.com/Routers-C178.aspx

 

1 Antec ISK 310-150 Black / Silver 0.8mm cold rolled steel Mini-ITX Desktop Computer Case 150W Power Supply $74.99

1 Intel Core i5-6400 6 MB Skylake Quad-Core 2.7 GHz LGA 1151 65W BX80662I56400 Desktop Processor Intel HD Graphics 530  $189.99

1 GIGABYTE GA-H170N-WIFI (rev. 1.0) LGA 1151 Intel H170 HDMI SATA 6Gb/s USB 3.0 Mini ITX Intel Motherboard $114.99

G.SKILL Ripjaws V Series 16GB (2 x 8GB) 288-Pin DDR4 SDRAM DDR4 2133 (PC4 17000) Intel Z170 Platform / Intel X99 Platform ... $61.99

 

Subtotal $441.96 Tax $0.00 Super Eggsaver (4-7 bus. days) $9.89 Order Total $451.85

Share this post


Link to post

I have set up three WAN/LANs  -one clearnet using my ISP DNS servers which I set in the DHCP server settings, one VPN to Europe and one VPN to the US.  I have the two VPN LAN's using the DNS resolver and have set the DNS servers on the general setup page to 10.4.0.1 for VPN1-WAN and 10.5.0.1 for VPN2-WAN.  Everything seems to be working fine, but when I check for any DNS leaks on the VPN's I can detect the AirVPN DNS server in both Europe and USA from each VPN... Is this normal or is there a way to limit the DNS server to just the country the VPN is connected to?

 

Thanks

Share this post


Link to post

While configuring pfsense I keep getting error "502 Bad Gateway". I can't seem to find any solution for it. I even wiped and installed a developmental copy of pfsense, cleared browser cache etc and it has the same problem too.

 

I'm really stuck.

Share this post


Link to post

I have set up three WAN/LANs  -one clearnet using my ISP DNS servers which I set in the DHCP server settings, one VPN to Europe and one VPN to the US.  I have the two VPN LAN's using the DNS resolver and have set the DNS servers on the general setup page to 10.4.0.1 for VPN1-WAN and 10.5.0.1 for VPN2-WAN.  Everything seems to be working fine, but when I check for any DNS leaks on the VPN's I can detect the AirVPN DNS server in both Europe and USA from each VPN... Is this normal or is there a way to limit the DNS server to just the country the VPN is connected to?

 

Thanks

 

I briefly tried to setup a similar configuration, and got the same results that you did - both AirVPN DNS servers were visible to both VPN VLANs.  I didn't have time to figure out a working configuration, but I'm interested if you figure it out.

Share this post


Link to post

 

I have set up three WAN/LANs  -one clearnet using my ISP DNS servers which I set in the DHCP server settings, one VPN to Europe and one VPN to the US.  I have the two VPN LAN's using the DNS resolver and have set the DNS servers on the general setup page to 10.4.0.1 for VPN1-WAN and 10.5.0.1 for VPN2-WAN.  Everything seems to be working fine, but when I check for any DNS leaks on the VPN's I can detect the AirVPN DNS server in both Europe and USA from each VPN... Is this normal or is there a way to limit the DNS server to just the country the VPN is connected to?

 

Thanks

I briefly tried to setup a similar configuration, and got the same results that you did - both AirVPN DNS servers were visible to both VPN VLANs.  I didn't have time to figure out a working configuration, but I'm interested if you figure it out.

 

I think I may have a partial solution to the DNS question while using multiple VPNs with pfSense.  I found how to restrict DNS to only one server, but all queries will go there.

 

Go Services -> DNS Resolver -> General Settings.  Change the "Outgoing Network Interface" to only one of your VPN WANs.  I initially set it up with both VPN WANS selected here, but just found this pfSense document related to the DNS Resolver:  https://doc.pfsense.org/index.php/Unbound_DNS_Resolver).  The relevant section is quoted below:

 

Outgoing Network Interfaces: Specific interface(s) to use for sourcing outbound queries. By default any interface may be used. Can be useful for selecting a specific WAN or local interface for VPN queries.

 

The only catch to this setup is that all DNS requests (regardless of which VPN WAN the traffic originates on) goes to the same DNS server.  In my case I am connected to one server in Canada and another in the US.  I have the DNS set to us the US server so I can use sites that are geo-restricted to the US.  All of my other traffic goes to the server in Canada, but the DNS requests still go back to the US.  Since it is still an AirVPN DNS server, I'm satisfied with this arrangement.

Share this post


Link to post

For anyone else still having issues loading ipleak or running dnsleaks standard or extended test can you try switching off:

 

Experimental Bit 0x20 Support

 

https://192.168.1.1/services_unbound_advanced.php

 

un-tick it and save and give ipleak or dnsleak a shot, let me know if it fixes the issue it did for me and I have dnssec and dnssec hardened options left on as per the new 2.3 guide.

Share this post


Link to post

For anyone else still having issues loading ipleak or running dnsleaks standard or extended test can you try switching off:

 

Experimental Bit 0x20 Support

 

https://192.168.1.1/services_unbound_advanced.php

 

un-tick it and save and give ipleak or dnsleak a shot, let me know if it fixes the issue it did for me and I have dnssec and dnssec hardened options left on as per the new 2.3 guide.

 

when you test at GRC the 0x20 support adds additional randomness in the alphabetic case, mixing up lower and upper case.  without 0x20 turned on GRC reports things are all lower case.

 

Since https://www.grc.com/dns/dns.htm and https://www.dns-oarc.net/oarc/services/dnsentropy both work with all the options turned ON, I'll just use them.  They work fine at showing any leaks and much more.

Share this post


Link to post

Yeah bit strange some had issues I actually thought it was 0x20 support that was messing up my sites but nope dnssec enabled worked fine for almost 2 days but just now gave me 2 sites not loading correctly.

 

I have unticked dnssec and dnssec hardened and 02x20 support so all 3 options are off and now the problematic sites load fine again, I think ill just leave them switched off for now, otherwise guide is fine just needs a bit of fine tuning.

Share this post


Link to post

Hello, I have followed this to the T and routing traffic to the outside network works great! I can hit google and everything appears to be working. Before running through this guide i had 2 lan interfaces. One for Lan and the other for WLan. I can no longer reach devices on the other networks. I have:

 

10.0.0.0 /24

10.0.1.0 /24

 

from 10.0.0.50 i can ping 10.0.1.1 (default gateway), but can't reach 10.0.1.50 (device on network)

 

Am i missing something obvious? I even tried doing a * * on all interfaces under Firewall/Rules and still get nothing.

Share this post


Link to post

Hello,

 

@pfSense_fan or anyone else who might be able to answer:

 

I'm quite new to pfSense and I'm still trying to understand some of the basics. I have a question about the NTP and DNS redirect rules that you propose. As far as I understand they will redirect any NTP or DNS requests coming from the airvpn lan to the pfsense server? My question is:

 

Why are they port forward rules and are we actually opening up any ports on the firewall by setting these rules?

 

Thank you for your great guide!

Share this post


Link to post

Hello, thank you for the guide I would never have succeeded  without it. Following your instructions to the letter I now have a working setup. Before moving to  pfSense I used the software AirVPN made available for Linux  which allowed me to connect using ssh or ssl in order to avoid my connection to AirVPN being identified. I am unsure that when using pfSense I still have this protection or perhaps I need to modify my setup to enable this facility. Your advice would be much appreciated.

Regards.

Share this post


Link to post

Hello, thank you for the guide I would never have succeeded  without it. Following your instructions to the letter I now have a working setup. Before moving to  pfSense I used the software AirVPN made available for Linux  which allowed me to connect using ssh or ssl in order to avoid my connection to AirVPN being identified. I am unsure that when using pfSense I still have this protection or perhaps I need to modify my setup to enable this facility. Your advice would be much appreciated.

Regards.

 

Yes, you can run stunnel so that you can do openvpn within SSL tunnel.  I would imagine SSH is also available but I've not tried it.

 

There was a post in pfsense forums regarding installing stunnel from the freebsd repo.

Share this post


Link to post

Hi,

 

thanks for your guide: I will use it for my opnsense (pfsense's fork) setup.

 

Just a question: how to choose dynamically  the server to connect to? 

 

I think to use NL servers but how can I choose the best NL server each time (for example the server with more bandwidth available)?

 

Thanks in advance 

Share this post


Link to post

Hi

 

First a big thanks to pfsense_fan for this updated guide.
I did a new install with opnsense today and it is working perfect.
I use a multi VPNWAN setup, so some changes have to be made.

Maybe someone can answer this:

can I use a interface group in the firewall rules rather than repeating the rules for every VPN_gateway?
Is there any disadvantage in doing so?

framura as to your question:

you can use nl.vpn.airdns.org -> you will get this in the config file if you don't check "resolved hosts in .ovpn file" or you can use the advanced configuration settings described in the guide ->look at the comments!

 

Regards
Sebastian

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...