pfSense_fan

How To Set Up pfSense 2.3 for AirVPN


Thanks Free_Norway,

I will try as you suggested.

Before that, I need another piece of information: is it possible to configure a "hole" in the VPN setup? With this guide every host in the LAN net (in my case 192.168.2.0) will be routed to the VPN, but I need some specific hosts in this subnet to use the WAN directly and not the VPN.

Thanks in advance

 

 


Hi framura

I'm not the right guy to answer this, but I know pfsense_fan had a "clear net" interface in his previous guide: another interface with a different IP range, with traffic going directly through the WAN.

Have a look at this guide, maybe it can help you: https://nguvu.org/pfsense/pfsense-2.3-setup/

If it's not working, ask pfsense_fan for help.

Sebastian


Hi guys

My new install is working quite well, but there are some issues that I can't figure out.

I use a multi-VPN WAN (3) setup and have just copied the configs/setups/rules for every VPN interface.

After I completed the setup I remembered that you can create an interface group that can be used in the firewall settings.

The issues now are DNS related:

In System -> Settings -> General -> DNS Servers I use the AirVPN DNS servers 10.4.0.1/10.6.0.1/10.8.0.1, each using a different VPN gateway.

The issue is now that if I do a DNS leak test I see 2/3 of the server locations that I use.

Has somebody an idea of the reason?

Sebastian



assigning a gateway for the DNS in the general settings is not how this guide does it.


Hi go558a83nk

If you look at step 7 -> 1.) there you assign gateway AirVPN_WAN to the DNS server 10.4.0.1.

Wow, it sure does. Call me confused. I'm 100% sure I followed directions for using Unbound that said not to assign a gateway there. Did the guide change? Anyway, I don't assign a gateway there but just use firewall rules to control traffic flow.


Hi again

Could you explain how to do this?

Do you use the DNS Server section in General settings at all?

For each DNS server the gateway is set to none. But neither do I use VPN DNS.

One reason for this is that it allows the pfSense box itself to resolve DNS without relying on the VPN tunnel being "up". Another reason is that I prefer the CDN servers I get using public DNS over those from VPN DNS.

I still have NAT and firewall rules that redirect all LAN DNS requests to the pfSense box (so no rogue DNS servers like Google's are used).

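As an added example, not taken from the guide or from any post in this thread, here is what the GUI steps discussed above come down to in pf rules: the LAN DNS redirect go558a83nk describes, the per-host "clearnet" exception framura asked about, and the ordering that makes them coexist with the catch-all route into the tunnel. Interface names igb0 (WAN), igb1 (LAN), ovpnc1 (the OpenVPN client the guide calls AirVPN_WAN), the WAN gateway 198.51.100.1 and the two clearnet host addresses are assumptions; 192.168.2.0/24, 10.4.0.1 and port 53 come from the thread. It is also an assumption that 10.4.0.1 is the tunnel's far-side gateway as well as its DNS server.

```pf
# Added example: pf rules equivalent to the GUI steps discussed in this thread.
# Assumed names: igb0 = WAN, igb1 = LAN (192.168.2.1/24), ovpnc1 = the OpenVPN
# client interface the guide calls AirVPN_WAN, WAN gateway 198.51.100.1.
# From the thread: LAN 192.168.2.0/24, AirVPN gateway/DNS 10.4.0.1, port 53.

# Hosts that should bypass the tunnel (the "clearnet" hole). Addresses are
# assumed; give these hosts static DHCP mappings so the table stays accurate.
table <clearnet_hosts> { 192.168.2.10, 192.168.2.11 }

# Outbound NAT: one entry per exit interface. A host that is policy-routed out
# of an interface with no NAT entry for it sends packets with a private source
# address and gets no replies (the "outbound NAT for every segment" point made
# later in the thread).
nat on igb0   inet from 192.168.2.0/24 to any -> (igb0)
nat on ovpnc1 inet from 192.168.2.0/24 to any -> (ovpnc1)

# Port forward: any DNS query from the LAN that is NOT already aimed at pfSense
# is redirected to the local resolver. "! 192.168.2.1" is the inverted
# destination that appears in the GUI as the easy-to-miss "invert" checkbox.
rdr on igb1 inet proto { tcp, udp } from any to ! 192.168.2.1 port 53 -> 192.168.2.1 port 53

# Filter rules. pfSense puts "quick" on every GUI rule, so the FIRST match wins
# and the order of the rules is everything.

# 1) Traffic that must never be policy-routed: the LAN talking to pfSense
#    itself (the resolver, the web GUI) and to other LAN hosts. Without this,
#    the route-to rules below would push local traffic into the tunnel.
pass in quick on igb1 inet from 192.168.2.0/24 to 192.168.2.0/24 keep state

# 2) The clearnet exception: these hosts leave via the ISP gateway.
pass in quick on igb1 route-to ( igb0 198.51.100.1 ) inet from <clearnet_hosts> to any keep state

# 3) Everyone else is forced into the tunnel.
pass in quick on igb1 route-to ( ovpnc1 10.4.0.1 ) inet from 192.168.2.0/24 to any keep state

# 4) Kill switch. If the tunnel is down, rule 3 must be skipped rather than
#    rewritten without its route-to (System > Advanced > Miscellaneous,
#    "Skip rules when gateway is down"); this block then stops the VPN hosts
#    from falling through to the default WAN route.
block in quick on igb1 inet from 192.168.2.0/24 to any
```

On pfSense these rules are generated from the GUI, so they are not edited in /etc/pf.conf by hand; what the box actually loaded can be checked from a shell with `pfctl -sr` (filter rules), `pfctl -sn` (NAT and rdr rules) and `pfctl -t clearnet_hosts -T show` (table contents). A quick leak check is a DNS lookup from a VPN host and from a clearnet host: with the rdr in place both land on 192.168.2.1, so the only thing that decides which exit the recursive query takes is the gateway setting on the resolver itself, not anything the client chose.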

Unfortunately it does not work for me.

I did everything like he did, but I can't get a connection. It seems to me like my "AirVPN_WAN" is just sitting there, doing nothing, while my regular WAN gets an address.


Hi Xpcn13

What happens when you try the DNS lookup from the GUI?

If you get a result there, then one of your NAT settings or firewall rules is wrong.

I had something like that the first time I tried as well.

Pay special attention to the "invert" mark that is in some rules, easy to miss.

I did a refresh of my install this weekend, using the guide.

Everything worked after some tinkering. ;-)


Hi,

I have a problem with (remote) port forwarding.

I use nl.vpn.airdns.org as server (to get a different server on each connection, hopefully a server with fewer users and more bandwidth available).

But in this case pfSense gets as public IP not the real public IP address but always one less on the last octet: for example, if

nl.vpn.airdns.org = 213.152.161.19

the real IP address is 213.152.161.20.

In this case port forwarding doesn't work: what do you think?

TIA



Port forwarding does not rely on the server you connect to. The rules and ports will "follow" you to each server you connect to, since those ports are reserved to your internal IP, the one that starts with 10.x.

If you follow the port forwarding section correctly, you will see that server changes do not affect the rules.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


I am stuck on DSL. How do I get pfSense to work with PPPoE? I followed the guide perfectly. Then I did something stupid and gave the interfaces IPs (not in the web configurator). I don't know how to get back to the way it was before I assigned the IPs. I tried #15 restore recent config and the interfaces still have IPs assigned to them.

How do I get them back? And after that, how do I set up my DSL modem? Please be verbose.

Thank you


Great guide, I was able to get it working on the first try (aside from the experimental DNS bit).

One question though about step 8-C 'Verifying Our DNS Settings':

Did the IP of the airvpn.org server change or is something wrong with my setup? When I do a DNS lookup from pfSense (or anywhere) it returns 5.196.64.52 instead of the listed [213.152.180.16|95.211.138.143].

It wasn't clear to me if there's supposed to be a different result when using the internal AirVPN DNS server or not.



Yes, the airvpn.org IP address has changed since that guide was written. Now they have 2 or 3 different servers they use from time to time.


Hi, thanks for a very thorough tutorial. I've been trying to get this to work for a couple of days and I can't get it working.

First time by exactly following the whole tutorial, second time only doing steps 2/3/4. Then trying to redo various parts.

Some observations:

- As soon as I complete step 4, my internet connection stops working.

- The pfSense router (192.168.2.1) is behind the main router (192.168.1.1). I think that means double NAT.

- I've tried to replace 192.168.1.1 with 192.168.2.1 wherever it's appropriate, but it's very possible I got this wrong somewhere.

- I can't put the main router in bridge mode, but I have the possibility to put the pfSense router in the DMZ. But with DMZ I can't get the pfSense router to connect to the internet, even in the default config. But I kind of like the idea of double NAT until I'm sure I understand pfSense better, so I don't create security holes by accident.

- Both the main router and the pfSense router have DHCP servers, but different ranges (is this OK?): 192.168.2.100-200 vs 192.168.1.100-200.

- All interfaces have IPs (LAN, WAN, AirVPN_WAN), looking good in the web interface.

- OpenVPN status is "UP", all in order, with some KB transferred.

- In other words, as soon as I add the NAT-out rule "localhost to AirVPN_WAN" I can't connect to anything.

- DNS seems to work (still using 8.8.8.8 for the moment), any ping gives an external IP, but no data transfer.

- I read that steps 2/3/4 should be enough for a working VPN connection, but is that true? It feels like I need to add a NAT-out rule "LAN to AirVPN_WAN". Anyway, if I try that it's still no dice.

- Step 1-a, to check "Block private networks and loopback addresses", seems to kill my connection. I guess because of the double NAT?

I'm not sure how to proceed from here, and how to start to "debug" this.

Is there a mini-minimal AirVPN-pfSense setup I could try to have something to work from?

Thank you in advance for any input

J


Unfortunately the pfSense expert and creator of this guide hasn't posted in this forum at all since 15 May 2016.

My question would be: why the double NAT? I don't know if it's your problem or not, but it's probably better to do without it.


Running a double NAT is never a good idea; it just complicates things. pfSense blocks everything by default, so no worries there. I would first make sure that the WAN gets an IP from the router, then put that IP in the DMZ. Also make sure you uncheck "Block private networks" on the pfSense WAN.


Thanks for getting back,

After reading your comments I've tried to get the DMZ working; I'm aware double NAT isn't the best. The reason I was using it is that it was the only configuration I could get working with a functioning connection to start with.

@dssguy11: Sorry for going off-topic, but what do you mean with "then put that IP in the DMZ"? Is there something I need to do on the pfSense box in order to make it part of the DMZ? I can choose to assign the public IP to the pfSense router (= DMZ, I think). Do I need to make another interface of some sort to match the main router somehow? pfSense gets the public IP, but I can't connect to anything (no internet, no DNS). I did allow "private networks".

In general: is there any reason I can't make a connection to AirVPN from inside a double NAT? Having an isolated network inside my regular network would allow me to have a separate "clearnet" network, which could be handy. The goal is to have two separate wireless networks eventually, one for VPN, one regular connection.

j


Joe,

When we were living at my parents' house temporarily while our house was being built, I put my pfSense box behind their router in a double NAT situation. I did this because I like to play around with my network and I didn't want to take theirs down at the same time. Mine was completely independent of theirs, other than needing theirs to be up so I could get an IP. It worked perfectly, but even in the DMZ, I had a few issues with port forwards. I have since moved my own internet account to their house and I have my cable modem in bridge mode going right to my pfSense WAN port.

What I did was plug my WAN interface into a port on their router, see what IP it got, then I would go into their router's DMZ section and put that IP into the DMZ section. That way it would pretty much bypass most of their router's interference.

You also need to go into your pfSense WAN properties and untick "Block private networks". If you are getting a public IP, then don't bother doing that. Not sure if your router has some sort of pass-through to pass a public IP onto the pfSense box. Not sure how that would work if both routers share the same public IP. I would go the private route myself as I know 100% that it works.

How I set mine up (and it's been a work in progress) is I have a clearnet wired LAN as well as a full-time wired AirVPN tunnel. I also have a couple of switches and UniFi APs that support VLANs. So I have a wireless network that goes to the clearnet as well as a VLAN for a guest network (clearnet) and a wireless VLAN that goes to AirVPN. So if I am sitting on the couch, I can connect to Homenet, which will go out my ISP, or I can connect to HomenetVPN and I will go through the VPN tunnel wirelessly.

I will upload a photo of my network setup to give you an idea. Just remember that one click or tick in the wrong spot will make it NOT WORK.

https://drive.google.com/open?id=0B4IAV3fk9yIYbzJtMzY2S3RKMEk

Also you need to make sure your rules are right and you have an outbound NAT for every segment of your network.


Putting pfSense behind another router is beyond this guide, but out of curiosity, why are you putting pfSense behind another router and what is it? It's not a modem/router from a service provider, is it? Because if so, there's a better way to solve your problem.


Here are a couple of images from my pfSense:

https://drive.google.com/open?id=0B4IAV3fk9yIYS1dJRjBCenB3aFU

https://drive.google.com/open?id=0B4IAV3fk9yIYUXRqcjJNUlVsbEE

https://drive.google.com/open?id=0B4IAV3fk9yIYU2tVbU82TUVwUDA

Another thing I was going to add is that when I set this up, I started with a clearnet LAN and I left it like that. I didn't make it the VPN LAN like the guide suggested. I kept my standard LAN and added a NEW AirVPN LAN so I didn't mess with my standard network. AirVPN is in addition to, not a replacement of, my original LAN network.


Thank you both,

I've been wrestling with this and I've got a bit further. I think I've got some dyslexia since on the fifth attempt it works (sort of); I must have missed some detail all along before.

The main router is a MediaAccess TG789bvn provided by the ISP (modem/router combo). It cannot be set in bridge mode. It can forward the public IP to a specific device (DMZ). I can't get that mode to work in pfSense (no connection) no matter how hard I try. So I've been following the guide with my double-NAT setup. I've run into one problem that might have something to do with it:

If I enable the DNS Resolver to go through AirVPN_WAN, the VPN connection dies after a while, loses its IP and everything. I can imagine this has to do with the double NAT situation. But perhaps this warrants its own forum post?

I'll have a look at your screenshots in depth to see if I can learn something from them. Much appreciated.


Here is a screenshot of my DNS Resolver settings:

https://drive.google.com/open?id=0B4IAV3fk9yIYQ0EzVGQ2U19ya1k

Also, remember to choose an actual individual server to connect to by IP; I had a bunch of problems when I would just connect to "the Americas", etc.

Don't worry about the double NAT, it isn't ideal but I know for a fact that it works. I would just let it get a private IP from the main router, uncheck "Block private IPs", and take that IP and put it in the first router's DMZ section.


Hi dssguy11,

I recently jumped on the VPN wagon, discovered the CPU limitations of commercial routers and bought a Zotac CI 323 mini PC with 8GB memory and a 120GB SSD plus a Ubiquiti AC-LR AP.

I set up XenServer (after a failed ESXi attempt) on the CI 323, created a Debian VM with the UniFi Controller for the Ubiquiti AP and yesterday created a pfSense VM which I configured with your guide.

Having zero Linux experience, all the internet guides and forums have been a lifesaver, and especially your guide has made it possible for me to create my own home router with very limited knowledge and within a short timeframe. So thank you very much for all the hours you put into this!

I'm in the process of trying to understand what all the configuration steps actually do, because I need to change the configuration to not route everything through the VPN but only a small selection of devices. I read your 'clearnet' remark and I think this is what I am looking for. An additional hurdle is making IP reservations while keeping the device on DHCP (phone and iPad switch home/work/friends/restaurant network on a daily basis, so I want to keep them on DHCP but through the VPN when at home). My wife's work laptop creates an IPsec VPN when working from home, which is no longer working, so I either need to figure out how to re-enable IPsec throughput or keep her off the VPN selection. My 2 TVs and the kids' iPads are used to watch Netflix, and since this morning they all say "you're behind a proxy so no video for you", so I want to keep them off the VPN selection. Should I put the pfSense VM in the VPN selection? Should I put the ESXi host in the VPN selection? Should I give the Ubiquiti AC-LR AP a static IP, and should I put it in the VPN selection? Loads of best practice questions.

Any help in overcoming one or more of the above stated hurdles would be much appreciated.
