spookygoy Posted ...
Hi, I'm pretty green to pfSense as a whole, and I know there are a few good guides out there, but I'm wondering if one has been written in particular to address setting pfSense up with AirVPN using SSL tunneling (and also how crypto hardware acceleration works with regard to that). I need this to get around my ISP's traffic shaping, and will undoubtedly need my hand held while sorting it out. I'm hoping to come back to using AirVPN if I can get it all working. Ideally the guide would go through everything step by step, including any kill switches or other scripts/steps that need to be set up to recover from broken connections, power cycles, etc., so everything comes back up on its own.
go558a83nk Posted ...
Before you go the stunnel route, have you tried using tls-crypt configs?
spookygoy Posted ...
Yes, I did extensive testing a while back (although I will probably retest again), but from what I remember everything except SSL tunneling showed evidence of bandwidth shaping. Usually the best I can hope for is around 200 Mbps downstream, but that's roughly half of the max pipe we pay for (verified on a standard connection).

Also, can a mod please set me to not need approval? I've got 7 rep and 35 posts on an established account; it's pretty clear I'm not a spammer.
go558a83nk Posted ...
Well, I'd try UDP entry IP 3 or 4 first. If that doesn't work like it should, then try TCP entry IP 3 or 4. If that doesn't either, then resort to stunnel. I'll be glad to try to help should it come to that, but it's a last resort because it's just not going to have much speed either. I'm really surprised you saw more than 200 Mbps with the SSL tunnel. What OS was doing the testing back then?
spookygoy Posted ...
When I did my testing I was using Windows 10 on an i7 6800K with the Eddie client. I have an ASUS AC86U which I bought since it could easily do 200 Mbps with OpenVPN, and by and large I was quite happy with that. But my current VPN provider lost the server closest to me with the best performance, and I was getting frustrated not being able to break 150 Mb/s on a good day, for whatever reason (as well as other sporadic performance issues). So at that point I grabbed their client software, and also a 3 day trial on Air and the Eddie client, to go through a lot of tests. I did TLS / non-TLS tests on both services, UDP/TCP on various ports and entry IPs, but nothing really seemed consistent. But I have a distinct memory of seeing over 300 Mbps using the SSL tunnel (oddly, I don't think I saw that with SSH).

At that point I decided to repurpose old hardware and build a pfSense box. I picked up two dual port gigabit Intel NICs and threw them into an FX8320 I have owned for years and not done much with. At first I was seeing similar performance, but there have recently been a few ISP outages, and I also enabled both the BSD drivers and AES-NI on pfSense (I had only enabled AES-NI at first), so I'm not sure if any of that helped change things, but doing some more testing in the past 24 hours with my current VPN provider I'm now seeing 400 Mbit+ speeds. Honestly confused as to what caused this change. It's standard UDP port 1301. Granted, performance does go up and down depending on line conditions, but this is from a server all the way in Texas, which is at the other end of the country for me.

This request may be moot anyway. I thought I had figured out a way to continuously purchase AirVPN anonymously that didn't involve acquiring bitcoins, but now it seems that method is being blocked from working, inexplicably (the same prepaid VISA card I used to grab a 3 day trial 18 days ago has enough funds for another, but won't run. A different card, probably from the same production lot, also refuses to run, so I wonder if they notice "that shouldn't happen" and then clamp down on future purchases). If I do manage to get some services purchased at some point I may still ask for your guidance, purely for the educational experience tbh.
austeretecky Posted ...
Following this post closely. I too have ISP shaping with anything less than SSL tunneling. I installed the Stunnel package on pfSense but am unable to import the SSL cert into the certificate manager due to lack of private key information. Looking for the location of the private key information, or other ways to implement stunnel at the pfSense level.
go558a83nk Posted ...
You don't need to import any cert for stunnel to work.

1) Install the stunnel package from the package manager.

2) Create the stunnel tunnel here in Services > Stunnel (/pkg.php?xml=stunnel.xml):
   - select client mode
   - use 127.0.0.1 as the listening IP
   - the "listen on" port doesn't matter, but you'll use whatever you put here in the OpenVPN client setup
   - certificate is default
   - redirect IP is found in the .ssl file that you can download for stunnel in the config generator
   - redirect port is also found in that .ssl file (in the name of the file too)
   - save the stunnel tunnel
   - your status_logs.php should show stunnel activity to let you know it's running

3) Create or edit an OpenVPN config for AirVPN, keeping everything the same as usual but changing the following:
   - protocol is TCP only
   - interface is any
   - server address is 127.0.0.1
   - server port is what you set up as the listening port for the stunnel tunnel
   - in the custom options box, input: route <server IP address> 255.255.255.255 net_gateway; where <server IP address> is the same as in point 5 above

Now in my experience it'll connect then disconnect, perhaps a few times, before finally staying connected. Just be patient.
Air4141841 Posted ...
On 12/4/2019 at 10:44 AM, go558a83nk said: "You don't need to import any cert for stunnel to work. [...]"

I've tried this. You're saying create the tunnel using the OpenVPN clients page, but use the stunnel data? I've tried under Services > Stunnel and nothing happens. It's unfortunate there is nowhere to find logs either.
go558a83nk Posted ...
3 minutes ago, Air4141841 said: "I've tried this. You're saying create the tunnel using the OpenVPN clients page, but use the stunnel data? I've tried under Services > Stunnel and nothing happens."

I edited my post to confirm that you create a stunnel tunnel in Services > Stunnel. Once that's running you can edit your OpenVPN config to connect to the listening stunnel daemon, which is step 3.
Air4141841 Posted ...
Stunnel will not start for anything. I've stopped/disabled any current tunnels. I've reinstalled the package. I've rebooted the pfSense box. I have NO other packages that could be conflicting. Stunnel will not start for anything.
go558a83nk Posted ...
3 minutes ago, Air4141841 said: "Stunnel will not start for anything. I've stopped/disabled any current tunnels. I've reinstalled the package. I've rebooted the pfSense box. I have NO other packages that could be conflicting."

I said in step 2, point 8 how to see logs for stunnel. But you said above "there is nowhere to find logs either". But there is. Please make sure stunnel is or is not running. Then you must edit your OpenVPN config to suit. It's all in the steps I outlined above.
Air4141841 Posted ...
This is the only thing I see created:

Dec 5 17:13:28 php-fpm 4612 /pkg_edit.php: The command '/usr/local/etc/rc.d/stunnel.sh stop' returned exit code '1', the output was 'killall: warning: kill -TERM 15768: No such process'

EDIT: protocol HAS TO BE BLANK. I had TCP in it. The service actually started now. I'm on to the next step.
Bogdan1234 Posted ...
Did anyone manage to get this running? I'm able to run OpenVPN and stunnel separately, however they won't work together. Here is the log:

Oct 17 17:53:23 openvpn 74380 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
Oct 17 17:53:23 openvpn 74380 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Oct 17 17:53:23 openvpn 74677 mlockall call succeeded
Oct 17 17:53:23 openvpn 74677 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 17 17:53:23 openvpn 74677 Initializing OpenSSL support for engine 'rdrand'
Oct 17 17:53:23 openvpn 74677 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:33333
Oct 17 17:53:23 openvpn 74677 UDPv4 link local (bound): [AF_INET]78.31.74.9:0
Oct 17 17:53:23 openvpn 74677 UDPv4 link remote: [AF_INET]127.0.0.1:33333
Oct 17 17:53:53 openvpn 74677 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 17 17:53:53 openvpn 74677 SIGUSR1[soft,ping-restart] received, process restarting
Oct 17 17:53:58 openvpn 74677 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 17 17:53:58 openvpn 74677 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:33333
Oct 17 17:53:58 openvpn 74677 UDPv4 link local (bound): [AF_INET]78.31.74.9:0
Oct 17 17:53:58 openvpn 74677 UDPv4 link remote: [AF_INET]127.0.0.1:33333
Oct 17 17:53:59 openvpn 74677 event_wait : Interrupted system call (code=4)
Oct 17 17:53:59 openvpn 74677 SIGTERM[hard,] received, process exiting
go558a83nk Posted ...
I'd say that your stunnel isn't actually running, or your OpenVPN setup is not pointing to the port at which stunnel is listening.
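An added example (written for this edit, not code from any poster in the thread, from pfSense or from AirVPN) that ties together go558a83nk's three steps and Bogdan1234's failing log. It is a POSIX shell script that pulls the redirect IP and port out of the stunnel .ssl file from the config generator, prints the custom option needed in step 3, and lints an OpenVPN client config for the three settings that must change when the tunnel is carried over stunnel. Assumptions: the .ssl file uses stunnel's own config syntax with a "connect = IP:PORT" line (the sample file below is constructed, with 203.0.113.10:443 as a documentation-range placeholder rather than a real AirVPN server), and 1413 stands in for whatever "listen on" port you chose in Services > Stunnel.

```shell
#!/bin/sh
# Added example: sanity checks for chaining OpenVPN through a local stunnel
# client as described in the thread. Not pfSense, AirVPN or forum code.

# Constructed sample of a config-generator ".ssl" file. ASSUMPTION: the real
# file is plain stunnel syntax with a "connect = IP:PORT" line. The address is
# a documentation-range placeholder, not an actual server.
SSL_FILE_SAMPLE='client = yes
[openvpn]
accept = 127.0.0.1:1413
connect = 203.0.113.10:443
TIMEOUTclose = 0
'

# stunnel_connect_target FILE -> "IP:PORT" from the first connect line.
# This is the "redirect IP" and "redirect port" of step 2.
stunnel_connect_target() {
    sed -n 's/^[[:space:]]*connect[[:space:]]*=[[:space:]]*\([0-9.]*:[0-9]*\).*/\1/p' "$1" | head -n 1
}
stunnel_connect_ip()   { stunnel_connect_target "$1" | cut -d: -f1; }
stunnel_connect_port() { stunnel_connect_target "$1" | cut -d: -f2; }

# openvpn_custom_options SERVER_IP -> the line for the custom options box in
# step 3. OpenVPN normally pins a host route to its "remote" via the original
# gateway before redirect-gateway takes over, but here "remote" is 127.0.0.1,
# so without this line stunnel's own TCP session to the server would be routed
# into the tunnel it is carrying and the link collapses.
openvpn_custom_options() {
    printf 'route %s 255.255.255.255 net_gateway\n' "$1"
}

# lint_openvpn_config FILE LISTEN_PORT SERVER_IP -> one line per problem on
# stdout; returns 0 when the config matches step 3, 1 otherwise.
lint_openvpn_config() {
    cfg=$1; port=$2; ip_re=$(printf '%s' "$3" | sed 's/\./\\./g'); rc=0
    # stunnel carries TCP only; "UDPv4 link remote: 127.0.0.1" in the log means this is wrong.
    # The pattern accepts proto tcp, tcp-client, tcp4-client and similar variants.
    grep -Eq '^[[:space:]]*proto[[:space:]]+tcp' "$cfg" \
        || { echo "proto must be TCP (stunnel carries TCP only)"; rc=1; }
    # The client must talk to the local stunnel listener, not to the AirVPN server.
    grep -Eq "^[[:space:]]*remote[[:space:]]+127\.0\.0\.1[[:space:]]+$port([[:space:]]|\$)" "$cfg" \
        || { echo "remote must be 127.0.0.1 $port (the stunnel listening port)"; rc=1; }
    # The real server must stay reachable through the ISP gateway after redirect-gateway.
    grep -Eq "^[[:space:]]*route[[:space:]]+$ip_re[[:space:]]+255\.255\.255\.255[[:space:]]+net_gateway" "$cfg" \
        || { echo "missing: $(openvpn_custom_options "$3")"; rc=1; }
    return $rc
}

# --- Demonstration on constructed input. On pfSense you would point these at
#     the real .ssl file and an exported copy of the OpenVPN client config. ---
TMP=$(mktemp -d)
SSL_FILE="$TMP/AirVPN_SSL-443.ssl"   # the thread notes the port also appears in the file name
printf '%s' "$SSL_FILE_SAMPLE" > "$SSL_FILE"
SERVER_IP=$(stunnel_connect_ip "$SSL_FILE")
LISTEN_PORT=1413                     # ASSUMPTION: the "listen on" port chosen in step 2

# Mirrors Bogdan1234's log: still UDP, aimed at 127.0.0.1:33333, no host route.
printf 'proto udp\nremote 127.0.0.1 33333\n' > "$TMP/bad.ovpn"
# What step 3 should produce.
{
    printf 'proto tcp-client\nremote 127.0.0.1 %s\n' "$LISTEN_PORT"
    openvpn_custom_options "$SERVER_IP"
} > "$TMP/good.ovpn"

echo "stunnel redirect target: $SERVER_IP:$(stunnel_connect_port "$SSL_FILE")"
echo "custom options for step 3: $(openvpn_custom_options "$SERVER_IP")"
for f in bad good; do
    if lint_openvpn_config "$TMP/$f.ovpn" "$LISTEN_PORT" "$SERVER_IP"; then
        echo "$f.ovpn: OK"
    else
        echo "$f.ovpn: fix the above before expecting a connection"
    fi
done
```

On the pfSense box itself, sockstat -4l piped through grep for the listen port confirms that stunnel is actually bound before you point OpenVPN at it, which is the first thing go558a83nk's last reply asks about. A "UDPv4 link remote: 127.0.0.1:..." line like the one in Bogdan1234's log is the other failure the lint catches: the OpenVPN side is still UDP, and a TCP-only stunnel listener will never answer it, so OpenVPN sits in ping-restart until it gives up.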