Jump to content
Not connected, Your IP: 18.220.134.161
NoMAD2022

My Pfsense AirVPN setup and its complications

Recommended Posts

Hi all,

 

I tried to fix my problems by reading the internet and not writing in it but here I am writing in a Forum after years!

 

My story (ofc your can skip this): when worldcup 2018 started, i couldn't get any broadcaster in Sweden to stream the game is 4K and the only feasible option i could find was BBC  iPlayer on selected smart TV (Samsung) (not the same app on Android TV /SHIELD) which were streaming selected games in 4K. till this date i was not using a VPN connection and most of the stream service were working with smart DNS proxy (even BBC iplayer) but not the 4K stream, i came to conclusion that an english IP on a proper VPN channel should make me able to open 4K streams and it did but it needed a 40mbps line to work and getting a VPN connection working on my router with that speed was not possible. so macbook and PC host spots were my solution to saturate over 40mbps over openvpn. as it sounds it's not a permanent solution and this is were i bought my Pfsense box from Aliexpress. with 4 ethernet, i used WAN, LAN, LAN2 and LAN3. my home connection is 100/100 mbps Fiber.

 

LAN = connected to my AP and switch so all PC, laptops, phones,ect are here (my real ISP IP)

LAN2= directly connected to nvidia SHIELD (accessing youtube TV, FuboTV, HULU TV) 

LAN3= directly connected to samsung TV (accessing BBC iPlayer, iTV HUB)

 

Lan2 and Lan3 are were connected to VPN server with their own local subnet one to US server and other to UK servers and more or less everything worked, since it was my first pfsense box i felt some stability after few days which led to reboot the box and since i went try and error on my first box, i was kind of sure that a clean setup from scratch will yield desired result. i must say that my US and UK VPN servers were setup by myself (openvpn docker on ubuntu) after examining different VPS providers to get best Ping and Speed. more or less these were the best machines i could find, hence the connection and servers were fine i was not confident of all my setups and securities and that's when i started everything from scratch.

 

This time things changes and i bought a switch with VLAN support and added a Unifi AP instead of my ASUS AC87U router in hope to take everything to next level

 

I followed this guide here which is good one for my setup https://nguvu.org/pfsense/pfsense-baseline-setup/

and there i came to know AirVPN, after studying about AirVPN, i thought it's better than managing my own VPN server by getting proper maintenance and support without worrying about server side of the issue. it was giving me an IP with right Geo data (was missing it with my own VPN servers) and also had AirDNS so i won't need smart DNS proxy anymore ,tho still i couldn't match my own VPN servers speed yet on AirVPN and didnt get Netflix working

 

 

what i need to figure out now is the best possible setup for my needs. so if we say picture below shows my setup, what do you think i should do the get below result. (i only have VLAN 10.20.30.40.50) 

 

I use vlan 20 and 50 for VPN connection to US and UK and each VLAN goes directly with Ethernet to shield and TV. VLAN 30 is were all my home pc and clients are located. ( plusMy unraid NAS machine which hosts deluge and a LAMP VM)

 

Goals:

 

1. create a VPN connection pool according to https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ for VLAN 20

2. connect all my PC, Laptops, NAS to vlan 20 secure instead of vlan 30 (Open network) since everything is connected here i need a good VPN connection to not lose over 10-20% of my line speed (NL or SWE or DE servers perhaps)

3. Route My gaming PC and LAMP VM through ISP gateway and not VPN pool without AirDNS (selective routing ins  pfsense)

4. Route SHIELD traffic only through US VPN with use of AirDNS.

5. Router SAMSUNG traffic trough UK VPN only.

6. Deluge traffic from NAS machine should go through VPN while LAMP one goes directly to internet

 

 

should i make a pool of close servers in EU for VLAN20 and load balance traffic on VPN gateways, and add 2 not in the pool VPN gateways for my SHIELD and SAMSUNG TV? or put everything in the same pool and use selective routing?

is my vlan setup good enough to support this needs? or i need to add more?

what is the use of DMZ, in original guide it seems that his KODI, Mediplayer and smart TV are in DMZ zones? does anyone know about this? what's the befit?

what similar setups you have ? 

 

 

160319-net-vlans.png

Share this post


Link to post

Hi all,

 

I tried to fix my problems by reading the internet and not writing in it but here I am writing in a Forum after years!

 

My story (ofc your can skip this): when worldcup 2018 started, i couldn't get any broadcaster in Sweden to stream the game is 4K and the only feasible option i could find was BBC  iPlayer on selected smart TV (Samsung) (not the same app on Android TV /SHIELD) which were streaming selected games in 4K. till this date i was not using a VPN connection and most of the stream service were working with smart DNS proxy (even BBC iplayer) but not the 4K stream, i came to conclusion that an english IP on a proper VPN channel should make me able to open 4K streams and it did but it needed a 40mbps line to work and getting a VPN connection working on my router with that speed was not possible. so macbook and PC host spots were my solution to saturate over 40mbps over openvpn. as it sounds it's not a permanent solution and this is were i bought my Pfsense box from Aliexpress. with 4 ethernet, i used WAN, LAN, LAN2 and LAN3. my home connection is 100/100 mbps Fiber.

 

LAN = connected to my AP and switch so all PC, laptops, phones,ect are here (my real ISP IP)

LAN2= directly connected to nvidia SHIELD (accessing youtube TV, FuboTV, HULU TV) 

LAN3= directly connected to samsung TV (accessing BBC iPlayer, iTV HUB)

 

Lan2 and Lan3 are were connected to VPN server with their own local subnet one to US server and other to UK servers and more or less everything worked, since it was my first pfsense box i felt some stability after few days which led to reboot the box and since i went try and error on my first box, i was kind of sure that a clean setup from scratch will yield desired result. i must say that my US and UK VPN servers were setup by myself (openvpn docker on ubuntu) after examining different VPS providers to get best Ping and Speed. more or less these were the best machines i could find, hence the connection and servers were fine i was not confident of all my setups and securities and that's when i started everything from scratch.

 

This time things changes and i bought a switch with VLAN support and added a Unifi AP instead of my ASUS AC87U router in hope to take everything to next level

 

I followed this guide here which is good one for my setup https://nguvu.org/pfsense/pfsense-baseline-setup/

and there i came to know AirVPN, after studying about AirVPN, i thought it's better than managing my own VPN server by getting proper maintenance and support without worrying about server side of the issue. it was giving me an IP with right Geo data (was missing it with my own VPN servers) and also had AirDNS so i won't need smart DNS proxy anymore ,tho still i couldn't match my own VPN servers speed yet on AirVPN and didnt get Netflix working

 

 

what i need to figure out now is the best possible setup for my needs. so if we say picture below shows my setup, what do you think i should do the get below result. (i only have VLAN 10.20.30.40.50) 

 

I use vlan 20 and 50 for VPN connection to US and UK and each VLAN goes directly with Ethernet to shield and TV. VLAN 30 is were all my home pc and clients are located. ( plusMy unraid NAS machine which hosts deluge and a LAMP VM)

 

Goals:

 

1. create a VPN connection pool according to https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ for VLAN 20

2. connect all my PC, Laptops, NAS to vlan 20 secure instead of vlan 30 (Open network) since everything is connected here i need a good VPN connection to not lose over 10-20% of my line speed (NL or SWE or DE servers perhaps)

3. Route My gaming PC and LAMP VM through ISP gateway and not VPN pool without AirDNS (selective routing ins  pfsense)

4. Route SHIELD traffic only through US VPN with use of AirDNS.

5. Router SAMSUNG traffic trough UK VPN only.

6. Deluge traffic from NAS machine should go through VPN while LAMP one goes directly to internet

 

 

should i make a pool of close servers in EU for VLAN20 and load balance traffic on VPN gateways, and add 2 not in the pool VPN gateways for my SHIELD and SAMSUNG TV? or put everything in the same pool and use selective routing?

is my vlan setup good enough to support this needs? or i need to add more?

what is the use of DMZ, in original guide it seems that his KODI, Mediplayer and smart TV are in DMZ zones? does anyone know about this? what's the befit?

what similar setups you have ? 

 

 

160319-net-vlans.png

I use the same config from the website https://nguvu.org/ .

 

There is a lot of potential in this configuration. Much more than I use.

I have vlan 20 ,vlan 30 plus a isolated vlan.

V-lan 20 is connected to air and going to two servers parallel in the eu. Kind of fallover and described on his website.

V-lan 30 is clearnet in combi with airdns .

Server in the islolated v-lan .

I also use pfblocker with DNSBL+Blocklists, I can recomment this. It took me some time to have everything working in the right order and have the right dnsbl-lists!

 

Question:why not use german or norg server insteat of the one in the uk? I think you have almost the same speed.

 

Greetings,Casper

Share this post


Link to post

Good to hear from someone

I have almost finished the setup and it performs as i wanted.

 

vl20 for nvidia shield and US VPN. (fuboTV and Netflix) + AirDNS

vl30, clrnet, almost all my devices are here, PC, Laptop, NAS (includes a LAMP server) , phones + OpenDNS

vl40 Guests + ISP DNS

vl50 for Smart TV with UK VPN, BBC iplayer, iTV HUB + AirDNS 

these are the vlans on unifi as well.

 

I use UK connection to access BBC and iTV maybe BTsport and Sky in future not sure if it works with German or Norg IP but since my UK and US connection are for streaming devices mainly/only, the speed is almost always good enough for HD streaming. (haven't checked 4K yet)

on my NAS machine, Deluge is directly connected to an NL server which i think give me best speed more or less.

 

I use pfblocker but not with DNSBL, what's the use of it? does it put a public interface on internet?

and what are the specifications and use of your isolated v-lan for server?

and last but not least, did you get your Avahi working with this setup? do you use it at all? is it needed nowadays?

interestingly when I'm on vl20 (US) wifi i can see both my ChromeCast in vl20 and vl30 but while on vl30 (clrnet) i only see the chromecast in that vlan.

 

Cheers,

Share this post


Link to post

Hi everyone again.

 

from FW logs i can see that my shield box is trying to connect Google DNS at 8.8.8.8 and this particularly happens happens when Netflix app is running.

tho it's being blocked by pfsense, after few days this many failed responses builds up and streaming become problematic, a reboot would fix it fro 2 more days

If i set Airdns manually in the shield box it won't work as it makes request to port 53 UDP and not 443 TCP on 10.4.0.1 so i lose internet connection.

can i set NAT rule to 8.8.8.8:53 UDP to 10.4.0.1:443 TCP? does it make sense? 

can i fake the google DNS machine locally and answer to shield box request instead of google itself?

If i let this traffic through then Netflix would know my real location from DNS leak.

 

any idea?

Share this post


Link to post

Hi everyone again.

 

from FW logs i can see that my shield box is trying to connect Google DNS at 8.8.8.8 and this particularly happens happens when Netflix app is running.

tho it's being blocked by pfsense, after few days this many failed responses builds up and streaming become problematic, a reboot would fix it fro 2 more days

If i set Airdns manually in the shield box it won't work as it makes request to port 53 UDP and not 443 TCP on 10.4.0.1 so i lose internet connection.

can i set NAT rule to 8.8.8.8:53 UDP to 10.4.0.1:443 TCP? does it make sense? 

can i fake the google DNS machine locally and answer to shield box request instead of google itself?

If i let this traffic through then Netflix would know my real location from DNS leak.

 

any idea?

 

 

DNS requests are to UDP 53 at 10.4.0.1.   It seems you're confused thinking the DNS port changes to the same as the openvpn port you're using.

Share this post


Link to post

well i thought I've read that somewhere but can't find it now! however I have a NAT rule to 8.8.8.8:53 UDP to 10.4.0.1:443 TCP and everything is working so far!

maybe i should change that to 10.4.0.1:54 UDP ? 

--------------------------------------

EDIT: changed  port forward to 10.4.0.1:54 UDP . so far so good.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...