If you are looking for how to configure AirVPN on pfSense, please follow this great post.

The following are just a few changes I made that worked for me and that might help someone with the same problems I had. Mostly, avoiding a DNS leak.

Note that I am not an expert so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patch of multiple ideas on the net that led me to a working solution.

1. Create the VPN Certificates you need

Go to AirVPN and download a config file (.ovpn)

Now go to pfSense and create a CA for AirVPN

Descriptive name: [AirVPN CA]
Method: [import an existing Certificate Authority]
Certificate data: [Open .ovpn file and insert data found between <ca> and </ca>]

Now open the Certificates tab and create a new certificate

Method: [import an existing certificate]
Descriptive name: [AirVPN Client]
Certificate data: [Open .ovpn file and insert data found between <cert> and </cert>]
Private key data: [Open .ovpn file and insert data found between <key> and </key>]

2. Create an OpenVPN connection

Follow the document mentioned above and make the following modifications to it:

Go to the Clients tab and make sure that:

- You use an IP as the Server host to make sure you can re-connect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can access it...

- Add the following options:


server-poll-timeout 10;
explicit-exit-notify 5;
key-direction 1;
prng SHA512 64;
tls-version-min 1.2;
key-method 2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
tls-timeout 2;
remote-cert-tls server;

remote 443  # no.vpn.airdns.org
remote 443  # no.vpn.airdns.org
remote 443  # ro.vpn.airdns.org
remote 443  # ro.vpn.airdns.org

The "remote" entries allow your VPN to connect to another server if the VPN connection drops.

3. The resolver settings I have

General Settings


Enable: [X]
Listen Port: [Blank]
Network Interfaces: [LAN] + any other local network you may have
Outgoing Network Interfaces: [Your VPN Interface]
System Domain Local Zone Type: [Transparent]
DNS Query Forwarding: [ ]
DHCP Registration: [ ]
Static DHCP: [X]
OpenVPN Clients: [ ]
Custom options:
   name: "."


Note that the Custom settings forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change, so check or it will fail.

Advanced Settings


Hide Identity: [x]
Hide Version: [X]
Prefetch Support: [X]
Prefetch DNS Key Support: [X]
Harden DNSSEC Data: [X]
Serve Expired: [ ]



The rest I have left as default.

Now go to DNSLeakTest and test!


I hope this helped someone.

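For step 1 of the guide above, one way to pull the `<ca>`, `<cert>` and `<key>` blocks out of the downloaded .ovpn before pasting them into pfSense, and to catch a block that would end up in the wrong field. This is an added example, not part of the original post; the sample config is constructed and the function name is hypothetical.

```python
import re

# PEM label each pfSense import field from step 1 should receive.
EXPECTED = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}

# Constructed sample: real files carry full PEM bodies, these are dummy bytes.
SAMPLE_OVPN = """\
client
dev tun
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
</key>
"""

def extract_inline_blocks(text):
    """Return {tag: PEM text} for the <ca>, <cert> and <key> blocks."""
    blocks = {}
    for tag, label in EXPECTED.items():
        m = re.search(rf"^<{tag}>[ \t\r]*\n(.*?)\n</{tag}>[ \t\r]*$", text, re.S | re.M)
        if m is None:
            raise ValueError(f"no <{tag}> block in config")
        lines = [ln.strip() for ln in m.group(1).strip().splitlines()] or [""]
        begin = re.fullmatch(r"-----BEGIN (.+)-----", lines[0])
        # Accept "RSA PRIVATE KEY" etc., but refuse a cert where a key belongs.
        if begin is None or not begin.group(1).endswith(label):
            raise ValueError(f"<{tag}> does not hold a {label}")
        if lines[-1] != f"-----END {begin.group(1)}-----":
            raise ValueError(f"<{tag}> block is truncated")
        blocks[tag] = "\n".join(lines) + "\n"
    return blocks

if __name__ == "__main__":
    # Print only the PEM header per block, never the key body itself.
    for tag, pem in extract_inline_blocks(SAMPLE_OVPN).items():
        print(f"<{tag}> -> {pem.splitlines()[0]}")
```
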

I had some sudden leaks I couldn't figure out, but changing a few settings that you mentioned in the DNS resolver helped. Thanks!


that's a box i'd like to build myself and test on for a while

need to put a pfsense box on the local maybe go from the cable modem to the ddwrt then to the pfsense box

add some nics or extend with another router in switch mode basically see what i can come up with

Edited ... by tokzco


According to ipleak, I had no leaks..., but with your DNS settings, it works completely. No need for Eddie anymore for "some" US sites.

Thanks for sharing this info.



I am using the DHCP server and specifying the AirVPN DNS IPs in there to pass on to the clients. I removed that and tried your DNS resolver settings (with DNS forwarder disabled) and got no internet connectivity (cannot resolve a web address). What am I missing here?

What I actually want to do is pass on Family OpenDNS to clients for added safety. The problem is that when I enter those DNS IPs (or any others besides AirVPN's) I get no connectivity.



I am very interested in trying your suggestion, but it looks like the link to the OpenVPN document mentioned in point 2 is not working!

At least it is not working for me anyway.

