Air4141841 25 Posted ...
Make sure you assign a DNS server to WAN, and change 10.4.0.1 to the AirVPN tunnel on the system general page. Have you configured Firewall > NAT > Outbound correctly?

cr00 1 Posted ...
AirVPN was set up with the pfsense-Tutorial here in the forum. Hi everyone, Here's what happened. I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides. It worked flawlessly until last Thursday. Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you name DNSs and was back online. (..)

Same problem here last week. The unbound DNS-Resolver-Log in pfsense showed this error: "info: failed to prime trust anchor -- could not fetch DNSKEY rrset". After disabling DNSSEC in the DNS-Resolver config of pfsense the DNS-Resolving-issue disappeared. Until today DNS-resolving doesn't work with DNSSEC enabled on 10.4.0.1.

Air4141841 25 Posted ...
Interesting. I just confirmed that with my pfsense box and restarting the resolver.

hbs 1 Posted ...
I did (I think) what you told me. I have an internet connection again on my LAN. But it is leaking DNS. Here's the ipleak.net page. (AFAIK only one DNS server should appear there.) Following are two more screenshots of the changes I made.

PS: I rebooted. Now it is leaking IPs from my country.

Air4141841 25 Posted ...
I don't know the best solution, but I do have a solution that works for me.... and it's not fun.

Under DHCP Static Mappings for this Interface: I created static entries for each of my devices, then clicked edit and under DNS servers put in 10.4.0.1.

I would remove the one you added before. I would have thought it would have worked... but I guess not.

hbs 1 Posted ...
Air4141841 On ipleak.net using this configuration, how many DNS servers do you see?

hbs 1 Posted ...
AirVPN was set up with the pfsense-Tutorial here in the forum. Hi everyone, Here's what happened. I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides. It worked flawlessly until last Thursday. Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you name DNSs and was back online. (..)

Same problem here last week. The unbound DNS-Resolver-Log in pfsense showed this error: "info: failed to prime trust anchor -- could not fetch DNSKEY rrset". After disabling DNSSEC in the DNS-Resolver config of pfsense the DNS-Resolving-issue disappeared. Until today DNS-resolving doesn't work with DNSSEC enabled on 10.4.0.1.

This is very interesting. You had the issue about the same time I started to have. Could you please take a screenshot or paste the configuration of your VPN client? Thanks

cr00 1 Posted ...
This is very interesting. You had the issue about the same time I started to have. Could you please take a screenshot or paste the configuration of your VPN client? Thanks

The config under "Services > DNS Resolver" is exactly the same as the one in step 8 of pfsense_fan's tutorial: https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

I unchecked DNSSEC and pfsense turned again to resolve DNS with 10.4.0.1 (set up in "System > General Setup: DNS-Servers").

For viewing the DNS Resolver log in pfsense go to: Status > System Logs > DNS Resolver

The support informed me that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN-DNS-Servers.

hbs 1 Posted ...
See. I understand. Looks promising. But I have to restore my configuration to make sure I will be the closest to my settings of last week. I will keep you guys posted.

Wolke68 5 Posted ...
Please read the how to for pfsense

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255
Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0
Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up

For pfsense it isn't correct don't get routes etc.
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

The only way I get airvpn DNS to work is in the DNS resolver
Option (incl. DNSSEC) no forwarding
Advanced Option Box: forward-addr: 10.4.0.1
System DNS as an Example OpenDNS with no Gateway

Air4141841 25 Posted ...
Air4141841 On ipleak.net using this configuration, how many DNS servers do you see?

It shows me connected to AirVPN IP, which says Exit, Volans. ONE DNS server, which says Volans.

Wolke68 5 Posted ...
And I see

DNS Addresses - 2 servers
178.162.209.171 Germany AirVPN Server (Exit, Serpens)
185.189.112.27 Germany AirVPN Server (Exit, Cervantes)

Dnsleaktest
178.162.209.171 27.112.189.185.in-addr.arpa Leaseweb Deutschland GmbH Germany
185.189.112.27 none UK Web.Solutions Direct Ltd Germany

hbs 1 Posted ...
This is very interesting. You had the issue about the same time I started to have. Could you please take a screenshot or paste the configuration of your VPN client? Thanks

The config under "Services > DNS Resolver" is exactly the same as the one in step 8 of pfsense_fan's tutorial: https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

I unchecked DNSSEC and pfsense turned again to resolve DNS with 10.4.0.1 (set up in "System > General Setup: DNS-Servers").

For viewing the DNS Resolver log in pfsense go to: Status > System Logs > DNS Resolver

The support informed me that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN-DNS-Servers.

After reinstalling my old config I followed these steps. It worked. But there is a catch. If I reboot, my internet connection is lost. Did you reboot after you found this workaround? I had to reinstall the configuration with this workaround to make it work again.

hbs 1 Posted ...
Please read the how to for pfsense

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0
Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255
Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init
Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0
Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up

For pfsense it isn't correct don't get routes etc.
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

The only way I get airvpn DNS to work is in the DNS resolver
Option (incl. DNSSEC) no forwarding
Advanced Option Box: forward-addr: 10.4.0.1
System DNS as an Example OpenDNS with no Gateway

What do you mean by that?
Disabling DNS Query Forwarding
Enable Forwarding Mode

Wolke68 5 Posted ...
In the how to https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144
DNS Query Forwarding = [ ] (CHECKED)

WITH this it works for me
Advanced Option Box:
forward-zone:
name: "."
forward-addr: 10.4.0.1

cr00 1 Posted ...
After reinstalling my old config I followed these steps. It worked. But there is a catch. If I reboot, my internet connection is lost. Did you reboot after you found this workaround? I had to reinstall the configuration with this workaround to make it work again.

DNS-Forwarder is disabled: Enable [ ] Enable DNS forwarder is unchecked.
DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you have to restart the DNS-Resolver.
Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

Wolke68 5 Posted ...
Sure, I rebooted a few times after that and it worked with dnssec.

What are your Main DNS in System? With or without a Gateway?

Don't use 10.4.0.1 for Gateway monitoring!

hbs 1 Posted ...
After reinstalling my old config I followed these steps. It worked. But there is a catch. If I reboot, my internet connection is lost. Did you reboot after you found this workaround? I had to reinstall the configuration with this workaround to make it work again.

DNS-Forwarder is disabled: Enable [ ] Enable DNS forwarder is unchecked.
DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you have to restart the DNS-Resolver.
Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

This is my configuration (DNS Resolver) as of the moment it is working. The only thing I did to make this work was unchecking DNSSEC and saving it. And Apply settings.

Do you want me to disable DNS resolver, then enable DNS Forwarder? Didn't get that part.

hbs 1 Posted ...
Sure, I rebooted a few times after that and it worked with dnssec.

What are your Main DNS in System? With or without a Gateway?

Don't use 10.4.0.1 for Gateway monitoring!

Wolke68 5 Posted ...
DNS resolver is ok.
If it works for you it's your choice.

I have no DNS Query Forwarding and I have in the Advanced Box some other Option, not 127.0.0.1.

Sorry, and you don't read my messages.

Main DNS: not 10.4.0.1. Mine are
208.67.222.222
208.67.220.220

hbs 1 Posted ...
these are my options

Thanks for replying. I tried to use your DNS Resolver custom options for my DNS Resolver but they are ending in error. Could you please copy and paste it here?

Air4141841 25 Posted ...
This thread has made my head hurt bad. I have tried to set mine up the way others are explaining and I can not get it to work. I guess I am working with a broken pfSense box as well.

hbs 1 Posted ...
Air4141841 sorry to hear that. But I assure you. If you follow the pfsense Tutorial from AirVPN it will work. For that to work, you only need to disable DNSSEC like mentioned above. Only that. But you will end up like me. Without the possibility to reboot. I'm waiting to hear what else cr00 can tell us.

cr00 1 Posted ...
DNS-Forwarder is disabled: Enable [ ] Enable DNS forwarder is unchecked.
DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you have to restart the DNS-Resolver.
Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

This is my configuration (DNS Resolver) as of the moment it is working.
screencapture-192-168-0-1-services_unbound-php-2018-12-28-17_30_15.png
The only thing I did to make this work was unchecking DNSSEC and saving it. And Apply settings.

Do you want me to disable DNS resolver, then enable DNS Forwarder? Didn't get that part.

Hi hbs,
maybe I have not expressed myself clearly. Sorry for that. My current settings for the DNS-Resolver (DNS-Resolver activated, DNSSEC disabled) and the DNS-Forwarder (disabled) are identical to pfsense_fan's tutorial, except the DNSSEC, which in the tutorial is wrongly enabled. AirVPN support informed me that there is no need of DNSSEC in case you use the AirVPN-DNS-Servers (e.g. 10.4.0.1).
Under this configuration I have no DNS-Resolving issues.

Indeed it is strange that the enabled DNSSEC option was working until last week, although the AirVPN DNS-servers are not configured for DNSSEC.
The support couldn't explain this yet, the tech-support will investigate further.

I hope your config is working with these settings now, like my pfsense-box does.

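The failure reported in this thread (unbound with DNSSEC enabled cannot fetch the DNSKEY rrset through an upstream that does not serve DNSSEC data) can be checked against any upstream directly. The following is an added example, not code from the thread, pfSense or unbound: it builds the ". IN DNSKEY" query with the EDNS0 DO bit set and classifies the reply; the function names, result labels and constructed sample replies are this example's own assumptions.

```python
import socket
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41

def build_query(txid=0x1234):
    # ". IN DNSKEY" with EDNS0 and the DO bit set: the query a validating
    # resolver sends upstream when it primes the root trust anchor.
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 OPT
    question = b"\x00" + struct.pack("!HH", DNSKEY, 1)      # root name, class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)  # DO flag = 0x8000
    return header + question + opt

def skip_name(msg, off):
    # Step over an uncompressed or pointer-compressed domain name.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def classify(msg):
    # Result labels are this example's own, not unbound's.
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x000F:
        return "error-rcode-%d" % (flags & 0x000F)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    if DNSKEY not in types:
        return "no-dnskey"  # nothing a validator could prime from
    return "signed-dnskey" if RRSIG in types else "unsigned-dnskey"

def make_reply(rr_types, rcode=0):
    # Constructed sample reply (dummy 4-byte rdata), for offline use only.
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(rr_types), 0, 0)
    msg += b"\x00" + struct.pack("!HH", DNSKEY, 1)
    for t in rr_types:
        msg += b"\x00" + struct.pack("!HHIH", t, 1, 3600, 4) + b"\x00" * 4
    return msg

def probe(server, timeout=3.0):
    # Live check against an upstream resolver, e.g. probe("10.4.0.1").
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return classify(s.recvfrom(4096)[0])
```

Calling `probe()` with the upstream's address from a host behind the tunnel shows what a validating resolver would receive from it; only a "signed-dnskey" result gives the validator both the keys and the signatures it needs.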