pfSense_fan

How To Set Up pfSense 2.3 for AirVPN


pfsense_fan, how would you set up DNS if you had some devices routed to WAN, other devices through VPN?

 

My setup:

 

1) all regular devices on my network have static leases

2) I have some devices routed to WAN

3) I changed the DNS forwarding rule that prevents alternate DNS to allow those WAN routed devices to use whatever DNS

4) Unbound was still allowed only the VPN interface for outgoing requests.

 

There wasn't a problem until recently.  Now my streaming TV service (Vue) is really picky about things it seems.  It won't work unless I allow Unbound outgoing WAN as well. I assume the IP address querying DNS must match my WAN address?

 

This poses a problem for me because I want my VPN devices to also use public DNS but make sure the requests go through the VPN tunnel.  I like public DNS because I get geo-optimized content and they are faster.  But if I went with these settings my VPN devices would be doing DNS requests out the WAN and VPN.

 

So, I've had to resort to using Air DNS to get things working properly.

 

I use AirDNS in the general settings page, and put in public DNS in the static lease settings of the WAN routed devices. 

 

Things work, but I'd like to be able to use public DNS for everything, just out the respective interfaces.

 

I've tried using resolver mode (unticking forwarding mode in unbound settings) but this seems to force the use of the VPN DNS and ISP DNS and ignores my settings on the general setup page.

 

I've tried using the forwarder (dnsmasq).  It obeys my DNS settings on the general settings page but other problems cropped up for some reason - Vue stopped working again.


Not sure if I am following you, but you can use a public DNS through the VPN. Just change the 10.4.0.1 on the general page to whatever you choose, just have it use the AirVPN_WAN as the outgoing interface.

 

If you really want to get into it, set up a second openvpn client/interface and have that client connect to the AirVPN server closest to you, and use that for DNS only.




Sorry, I forgot to mention that I've tried specifying the outgoing gateway on the general setup page and it's ignored when using Unbound in forwarding mode.  I can test by connecting to a far away VPN server and testing for DNS "leaks".  The servers that are shown are both local and near the VPN server.  This is due to me having to allow Unbound to use the WAN for outgoing in the Unbound settings.  From what I've read the outgoing gateway is only obeyed when not in forwarding mode.  But, as I wrote previously, that presents other problems.


I think he needs to set up custom routes for each DNS server address, for example Google DNS via the VPN interface and others via WAN.

Done via /system_routes.php.

 

I'll look into this.  Thanks!

 

Edit: tested and doesn't work.  Rebooted just to make sure.  But, getting DNS requests out the WAN still.

Edit #2: since I'm looking at routes I realize now that specifying a gateway on the general settings page adds a static route, same as the system_routes page.

 

But, it seems that Unbound ignores it.

 

I have made sure that my NAT settings allow 127.0.0.0/8 to access the VPN tunnel.  But, still, no luck.


OK, fixed the problem!

 

Specifying the outgoing gateway on the general settings page now works. What I had to do was change the NAT rules for localhost outgoing to VPN and WAN to use "This Firewall", not 127.0.0.0/8.

 

Will this cause an additional problem somehow?


First, this is an amazing tutorial.  LOVE IT!!!

 

One minor thing I found while going through it.  At some point recently, pfSense changed the reboot page from https://192.168.1.1/reboot.php to https://192.168.1.1/diag_reboot.php.  Not a huge deal, and I'm not sure if you can even edit the prior posts.  Otherwise, this tutorial simply rocks.  I've designed commercial products for Fortune 500 software companies that don't have documentation this well written and clear.


Recently updated my pfsense installation to 2.3.

 

Did a clean install and followed all the steps in this guide to the letter.

Thank you for your efforts

 

My VPN is working and so is my Clearnet.

 

Only problem I am having is that my Clearnet and VPNnet cannot talk to/see each other on the network.

They could previously.

I don't know what I should add to the rules, but I am lost. Not very network savvy, I'm afraid.

 

Did get the port forwarding to work.

 

Clients behind the VPN can ping vpn/clearnet pfsense gateway and vice-versa, but I cannot ping individual clients.

VPN is 192.168.1.1  and Clearnet is 192.168.2.1

 

Any ideas to the rules I should add?

Just want 1 client (192.168.2.10) to be able to access server stuff (192.168.1.11)


@pfSense_fan

 

Just wanted to say your tutorial is so easy to follow, it worked just perfect. Thank you so much.

 

Also, could you perhaps do an additional but optional tutorial for adding Squid and pfblockerNG support to this setup?

 

Many thanks.


I'm a newbie to pfSense; this setup is the first I've done. For the most part it works as intended, except that unencrypted HTTP traffic does not go through the tunnel.

 

Visiting airvpn.org tells me I'm connected through the proper server. Checking http://myip.is reveals my real IP and LAN IP, while checking https://www.whatismyip.com/ reveals the IP of my VPN server. I stumbled upon it by accident, investigating the non-working DynDNS confirmation, which queries http://checkip.dyndns.org, which in turn returns the LAN address of my computer.

 

I should add that my pfSense box is sitting behind another NAT with a 10.0.0.0/24 range. I can't get rid of it...

 

Did I miss something fundamental, or does the NAT on the WAN side of the box interfere with my routing?

 

Help would be much appreciated!


If you followed the guide exactly, it should not even be possible for your LAN devices to reach the WAN gateway.


 


Well, I thought so too, and I think that I followed the guide to the point. Any suggestion on where I could have missed something? My first thought was that the PRIVATE NETWORKS could apply and might route my 192 /24 network through to the 10 /24 network. After removing the RFC1918 rules there was no change.

A few days ago I had to add the SMTP port to the WAN PORTS, so I could send mail. The connection attempts to the SMTP got caught, but why do the http attempts not get caught or routed properly?


 

 


Sorry, I won't be much help. My setup never followed the guide exactly and has strayed even further from it over time.


 

 

 


I've found the culprit. The firewall rules are not the problem. After disabling the transparent squid proxy, behaviour is back to normal. Would I need extra rules if I wanted to run the proxy?


Hi.

 

OK, first, I thank you pfsense_fan for your guide, very detailed and precise. And I feel safe, and everything seems to show that I am secured with a tunnel to the AirVPN servers.

 

Now I have a big problem, and it has to do with pfSense. Everything works so far, except my email clients will not send mails at all. Neither port 465 nor port 587.
I know that it is a pfSense problem and not an issue on the provider's side. I tested it on a free WiFi connection with the AirVPN Windows client and there it worked with sending. Also I am using 2 completely different email providers. Both will not work with pfSense for some reason. I have 2 main computers I use, and on both, over pfSense, I can't get emails out...

 

So I am suspecting I have to add some rule in the firewall to make it work. But since I am not an expert in pfSense, I would love it if somebody could help me with my SMTP problem here.

I already tried a port forwarding; it did not fix it. Which is strange, because other port forwarding works (maybe because in my AirVPN user panel I have a port forwarded for torrent...), but SMTP will just not work. Also it can't be a solution, because I would need the port open on my whole network (multiple PCs etc.) and not just for one computer.



Which email provider are you using?  Many email clients use IMAP instead of SMTP.  Try adding port 143 (IMAP) and 993 (IMAPS) to your firewall rule and see if it starts working.



I thought this would be very clear...

To make it more clear: I take the email clients and tested them over a WiFi connection with the AirVPN Windows software. It works. In the meantime I changed absolutely nothing on the email clients at all. That means the email providers take the SSL ports (tested 993, 465 and 587). When I switch to pfSense I can't send any emails.

That makes it, without a doubt, a problem of pfSense and not the email providers.


I agree that it sounds like the issue is in your pfSense configuration.  I assumed your pfSense rule was passing only SMTP, that's why I suggested adding IMAP also.

 

What ports are included in your pass rule in pfSense?  What does the pfSense log show?



IMAP is incoming; I am talking the whole time about outgoing mails...

The problem is, I can NOT SEND mails. Receiving emails is no issue; that works fine.

IMAP = incoming

SMTP = outgoing

I don't want to sound like a jerk, but really, I explained that already.

I only added an individual NAT rule for a NAS/server in my home network for torrent. Besides that I did nothing else and followed the guide.

 

So it still leaves me with the problem that my SMTP connection on pfSense does not work and I can't send emails on any computer over a client.

It would help me to know what I have to do to make SMTP work in my whole network.



A good start would be to explain your setup in more detail.  Do you have your own mail server behind pfSense, or are you connecting to commercial email provider like gmail?  What firewall rules do you have configured in pfSense?  Do you still have the default ANY/ANY rule on LAN, or have you changed it?  Are you logging blocked/rejected traffic on LAN?  If not, add logging to your LAN block/reject rules and look for your mail traffic getting blocked/rejected.  Without more details, there isn't much more we can do to help you.


A good start would be to explain your setup in more detail.

I did. The setup is the guide explained here, followed entirely...

What more detail could I give than this enormously detailed guide?

 

Do you have your own mail server behind pfSense, or are you connecting to commercial email provider like gmail?

I don't see how that makes any difference at all, because it is clearly a problem in this pfSense configuration and a port problem.
It is not like gmail would use, let's say, port 465, but Google port 465... it is the same technology behind it. SMTP...

But to answer a question which does not really help to solve it, I use my own domain/email provider.

More so, the question is obsolete if we see that my client works over the AirVPN Windows software with an open WiFi connection. You know what I mean?

In general you keep on asking questions which have already been answered in a different way.

 

What firewall rules do you have configured in pfSense?  Do you still have the default ANY/ANY rule on LAN, or have you changed it?

I followed the guide by pfsense_fan. And as far as I remember, it said to delete any other leftover rule or so.

I'll make some screenshots.

 

Are you logging blocked/rejected traffic on LAN?

Not that I am aware of. Where exactly would I see that?

 

If not, add logging to your LAN block/reject rules and look for your mail traffic getting blocked/rejected.

How do I enable and observe that? Where?

 


Going on the understanding that your setup is exactly as given in the guide, your firewall is blocking all SMTP traffic.  The setup given in the guide only allows WAN traffic on the following ports:

 

Port          Description
21            FTP control (command)
43            WHOIS protocol (if you use a WHOIS program to attain host records)
80            Hypertext Transfer Protocol (HTTP)
143           Internet Message Access Protocol (IMAP), management of email messages
443           Hypertext Transfer Protocol over TLS/SSL (HTTPS)
990           FTPS Protocol (control), FTP over TLS/SSL
993           Internet Message Access Protocol over TLS/SSL (IMAPS), i.e. secure email
1024:65535    Registered and Ephemeral Ports

 

Go to the Firewall -> Aliases -> Ports menu and add ports 465 and 587 to the WAN_SERVICE_PORTS alias.  That will allow SMTP traffic. 
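A way to confirm the same diagnosis from the log side, added here as an example; it is not code from the guide, from pfSense, or from anyone in this thread. It models the WAN_SERVICE_PORTS alias exactly as listed above, then scans a few constructed firewall-log lines (written in the pfSense 2.x filterlog CSV layout as I understand it; the field offsets are an assumption to verify against your own Status -> System Logs -> Firewall output) for blocked connections whose destination port is not covered by the alias. On the sample it reports 465 and 587 before the fix and nothing after adding them, which is the conclusion the reply above reaches.

```python
"""Check a pfSense-style port alias against blocked connections in the firewall log.

Added example (not code from the guide or from pfSense). The alias contents are
the ones listed in the thread; the log lines are constructed, and the filterlog
field order below is an assumption about the pfSense 2.x CSV layout.
"""

import re

# WAN_SERVICE_PORTS as listed in the guide (before the fix).
WAN_SERVICE_PORTS = ["21", "43", "80", "143", "443", "990", "993", "1024:65535"]

# The same alias with the SMTP submission ports the reply says to add.
WAN_SERVICE_PORTS_FIXED = WAN_SERVICE_PORTS + ["465", "587"]


def parse_alias(entries):
    """Turn alias entries ('80' or '1024:65535') into (low, high) tuples."""
    ranges = []
    for entry in entries:
        if ":" in entry:
            low, high = (int(p) for p in entry.split(":", 1))
        else:
            low = high = int(entry)
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port entry: {entry!r}")
        ranges.append((low, high))
    return ranges


def port_allowed(port, entries):
    """True if `port` falls inside any entry of the alias."""
    return any(low <= port <= high for low, high in parse_alias(entries))


# Constructed filterlog lines: syslog prefix, then the CSV body.
# Assumed field order (0-based): 0 rule, 1 subrule, 2 anchor, 3 tracker,
# 4 iface, 5 reason, 6 action, 7 dir, 8 ipver, 9 tos, 10 ecn, 11 ttl, 12 id,
# 13 offset, 14 flags, 15 proto-id, 16 proto, 17 length, 18 src, 19 dst,
# 20 sport, 21 dport, ... (TCP/UDP details follow).
SAMPLE_LOG = """\
Jan 10 12:00:01 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,51000,465,0,S,1,,65535,,mss
Jan 10 12:00:02 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,51001,587,0,S,2,,65535,,mss
Jan 10 12:00:03 pfSense filterlog: 9,,,1000000110,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.25,51002,993,0,S,3,,65535,,mss
Jan 10 12:00:04 pfSense filterlog: 9,,,1000000110,em1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.1.50,10.4.0.1,51003,53,56
"""

LINE_RE = re.compile(r"filterlog: (?P<csv>.+)$")


def parse_filterlog(text):
    """Yield one dict per IPv4 TCP/UDP record in filterlog output."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        # Only IPv4 TCP/UDP records carry the ports at the offsets assumed above.
        if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        yield {
            "action": f[6],
            "iface": f[4],
            "proto": f[16],
            "src": f[18],
            "dst": f[19],
            "dport": int(f[21]),
        }


def blocked_ports_missing_from_alias(text, entries):
    """Destination ports that were blocked and are not covered by the alias."""
    missing = set()
    for rec in parse_filterlog(text):
        if rec["action"] == "block" and not port_allowed(rec["dport"], entries):
            missing.add(rec["dport"])
    return sorted(missing)


if __name__ == "__main__":
    before = blocked_ports_missing_from_alias(SAMPLE_LOG, WAN_SERVICE_PORTS)
    after = blocked_ports_missing_from_alias(SAMPLE_LOG, WAN_SERVICE_PORTS_FIXED)
    print("blocked ports not in alias (before fix):", before)
    print("blocked ports not in alias (after fix): ", after)
```

The useful habit here is the one the earlier reply suggests: turn on logging for the LAN block/reject rules, then read the destination ports of the blocked entries rather than guessing; the port list the alias must cover falls out of the log directly, and re-running the check after editing the alias shows whether anything is still missing.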
