
pfSense_fan

Everything posted by pfSense_fan

  1. The short answer is this: I updated the steps for a reason. Conversely, nothing in this entire guide is "required" except steps 2/3/4. AirVPN will be fully functional on pfSense with those three steps alone. Still, without further steps, many users, if not most, still could not get clients to use the VPN. I was helping so many that I made the guide with the basic steps to further use the VPN on clients. The old guide was simply a guide on how to get started, and also avoid some DNS leaking. I actually consciously made it simple because there are so many different use cases that it is impossible for me to support/help users troubleshoot them. The old guide had zero, and I mean zero, outbound firewall protection aside from DNS. The default allow outbound rule was migrated for use on whichever "LAN" was used in the old guide. This guide has some introductory examples on how to create local and outbound firewall rules. The old guide blocked all local traffic; this guide has examples on how to permit common local services. Since that time my knowledge of this area has grown, and I am now sharing the basic knowledge of a "Deny all, only allow what you need" security policy. While this setup could be considered harder and will require more user interaction, it is the correct way to use the firewall.

     tl;dr = With the old guide your outgoing traffic is slightly more secure than a consumer router, but not much. If you keep the rules, you keep that level of security. At the end of the day, it's a personal preference. My opinion is that everyone who used the old guide should take the time to migrate, but to each their own.
  2. I do not. That is far beyond the scope of what this guide is intended to be. This is just intended to be a point of entry and educational guide for people to gain the confidence to move away from lackluster and insecure consumer products. Nothing more.
  3. Yes, for best results set your router to access point mode. Most new-ish routers have this option. In access point mode, NAT is turned off on your router and it essentially runs as a switch. Plug it in to an interface and DHCP will pass right through it. This is the best way to do this; wireless support in FreeBSD, and hence pfSense, leaves something to be desired, but that really all depends on your personal use case. You could also look into something more professional such as the Unifi access points from Ubiquiti Networks.
  4. Glad to hear it helped you out! All issues should be fixed now. Thank you for pointing them out. It's hard to notice these things in the text editor. It's a giant wall of text.
  5. That's a hugely vague description. Or would it be minimally vague? Dunno, whatever. Main status page for pfSense. Do your WAN and AirVPN_WAN interfaces both have IP addresses? Yes, please check if your gateways have an IP address. If they do, can you verify that on "Step 6-I: Sixth AirVPN_LAN Firewall Rule" you did indeed set the AirVPN_WAN gateway in the advanced area of that rule's settings page?
  6. Pidgin

     Still to this day I get the "403 Forbidden" error when trying to access this. This leads me to have a few questions for Staff:
     1.) Are there any character restrictions for the XMPP usernames? If yes, what are they?
     2.) Are there any restrictions on XMPP username character length limits? If so, what is it?
     3.) Are there any character restrictions for the XMPP passwords? If yes, what are they?
     4.) Are there any restrictions on XMPP password character length limits? If so, what is it?
     I still very much would like to get this working.
  7. Good to know. I had an AMD APU as my first build; Cool'n'Quiet caused it to crash, and powerd did not work. Other users here had the same issue. It ran at full power at all times, something like 110 watts with hard drive and fans, and led me to use Intel. My Rangeley with drive and 120mm fan uses something like 18 watts and maxes at about 30. I keep it in a rack mount 4U case which is bigger than it needs to be, but allows a silent 120mm fan. Power efficiency really does add up, so I didn't mind spending $500 for an all new motherboard, memory, platinum rated PSU and server case. The electricity bill savings will cover the difference over a few years, during which I will certainly still be using it. It actually uses less power than my wireless access point.
  8. Ahh, I see now. You would know right away if it had the bug by entering only one DNS on the general settings page. You would either have no DNS at all, be unable to change DNS (the entry would show as changed, but it would not use it), or have DNS leaks galore (due to reverting to the root.hints file) if it bugged on you. If none of those, you are good. It revolved around having to enter all four DNS forwarding entries instead of just one, which was discussed in the preview/beta guides private thread. I am able to just use one entered DNS, 10.4.0.1, no issues at all. It's nice to hear that powerd is working with the AMD. A few years ago they were not compatible. Care to share the hardware you are using? I would love to know myself what hardware is working well for others.
  9. GRC: DNS Nameserver Spoofability Test - The most accurate I have found in finding leaks. In hundreds of hours of testing, this test found my ISP DNS when others did not. DNS-OARC: Web-based DNS Randomness Test - Similarly good at finding all used DNS, not mentioned before. There are many ip checking websites. Any search engine will bring many up. I fail to see how that cloakfish link applies. It seems like it's just selling something.
  10. > how are you testing for the DNS bugs? problems with system tunables that are important? at this point I'm hesitant to do a clean install.

      I have multiple hardware installs as well as VMs that I test on prior to implementing. I didn't say bugs with tunables, I said oddities - nor did I say they were important. The list of default tunables on 2.2.x is different from those on 2.3. I found that when I upgraded, it kept the list from 2.2.x and did not "update" the tunables list. At first I assumed it was because I have a highly customized group of settings, but that behavior stayed even if I performed a restore to factory defaults prior to upgrading. That being said, the correct upgraded values were there when queried from the command prompt. Nonetheless, it takes little effort to install fresh. I restored the settings that would have taken the most time to re-enter manually, my aliases. The rest took me less than an hour to set back up, including activating TRIM for my SSD.

      Your takeaway of being afraid to upgrade is backwards though. The actual bugs are in the old software and have been addressed. You absolutely should upgrade. I always recommend backing up all settings and doing a fresh install if possible. Not just backing up the whole system setting, but each individual area as well. Then you can try upgrading. If that works out... GREAT! If you see anomalies, you can do a clean install and restore what you need from your settings. Just understand that the issues I am speaking of are on 2.2.x, so even if, and that is only an if because they may not, but even if they carry over, you are still more secure than now due to all the other updates to the base system etc.

      That is not at all what I was referring to. Our short conversation on that tunable was only due to my trying to have a portion of the guide touch base on tunables. I was auditing that list last night prior to releasing and came across that. The oddities I spoke of are not related, at all.
  11. pfBlockerNG worked for me on all of my VMs while testing 2.3. I had some oddities with system tunables when going the upgrade route, but when I did a clean install everything worked well, beyond well. I did not restore all settings. I restored my aliases, but manually programmed everything else. I feel it was worth it. There were some buggy issues on 2.2.6 with the DNS Resolver not taking the settings that were input all of the time; this seems to be fixed in 2.3. That bug carried over on upgrades, but is nonexistent with the clean install. I cannot stress how much I recommend upgrading for all of the security and performance upgrades this offers.
  12. RESERVED FOR FUTURE USE. DISCUSSION IS OPEN!
  13. Setting Up pfSense 2.3 for AirVPN
      Step 8: Setting Up the DNS Resolver

      Step 8-A: Setting the DNS Resolver Options

      1.) Go to: Services: DNS Resolver
          http://192.168.1.1/services_unbound.php -or- https://192.168.1.1/services_unbound.php
          Set as follows:

          General DNS Resolver Options
          - Enable = [✔] Enable DNS Resolver (CHECKED)
          - Listen Port = [______] (Empty/Blank)
          - Network Interfaces = [ All ] (list shows All, WAN, AirVPN_LAN, AirVPN_WAN)
            NOTE: YOU MAY LEAVE THIS SETTING AS IT IS, DEFAULT, WITH "ALL" SELECTED
          - Outgoing Network Interfaces = [ AirVPN_WAN ] (list shows All, WAN, AirVPN_LAN, AirVPN_WAN)
            NOTE: THIS SETTING MUST BE ALTERED. ENSURE ONLY AirVPN_WAN IS SELECTED
          - System Domain Local Zone Type = [ Transparent ▼]
          - DNSSEC = [✔] (CHECKED)
          - DNS Query Forwarding = [✔] (CHECKED)
          - DHCP Registration = [✔] (CHECKED)
          - Static DHCP = [✔] (CHECKED)
          - Display Custom Options = [☼ Display Custom Options ] <-- CLICK TO EXPOSE OPTIONS BOX
          - Custom options = (Copy and Paste)
                server:
                private-address: 127.0.0.0/8
            This setting is for DNS Rebinding protection in the 127.0.0.0/8 localhost zone.

      2.) Click [save]

      Step 8-B: Setting the DNS Resolver Advanced Options

      1.) Go to: Services: DNS Resolver: Advanced
          http://192.168.1.1/services_unbound_advanced.php -or- https://192.168.1.1/services_unbound_advanced.php
          Set as follows:

          Advanced Resolver Options
          - Hide Identity = [✔] (CHECKED)
          - Hide Version = [✔] (CHECKED)
          - Prefetch Support = [✔] (CHECKED)
          - Prefetch DNS Key Support = [✔] (CHECKED)
          - Harden DNSSEC data = [✔] (CHECKED)
          - Message Cache Size = [ 512MB ▼]
          - Outgoing TCP Buffers = [ 10 ▼]
          - Incoming TCP Buffers = [ 10 ▼]
          - EDNS Buffer Size = [ 4096 ▼]
          - Number of Queries per Thread = [ 512 ▼]
          - Jostle Timeout = [ 200 ▼]
          - Maximum TTL for RRsets and Messages = [ 86400 ]
          - Minimum TTL for RRsets and Messages = [ 0 ]
          - TTL for Host Cache Entries = [ 15 Minutes ▼]
          - Number of Hosts to Cache = [ 10,000 ▼]
          - Unwanted Reply Threshold = [ disabled ▼]
          - Log level = [ 1 ▼] (Or whatever you prefer, higher if you want to troubleshoot)
          - Disable Auto-added Access Control = [_] (UNCHECKED)
          - Experimental Bit 0x20 Support = [_] (UNCHECKED)
            NOTE: It is perfectly safe to use this option if you so choose to. Be aware, however, that this option breaks ipleak.net.

      2.) Click [save]
      3.) Click [Apply Changes]
      4.) Go to: Diagnostics > Reboot System
          http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
      5.) Click [Yes] to Reboot

      Step 8-C: Verifying Our DNS Settings (Optional Step)

      Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built-in feature of the firewall.

      1.) Go to: Diagnostics > DNS Lookup
          http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php
          Set as follows:
          - Hostname or IP = [ airvpn.org ]
      2.) Click [ Lookup ]
      3.) Verify the results:
          Hostname or IP = [ airvpn.org ] = 5.196.64.52
          If 5.196.64.52 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.

      That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running!

      I hope this guide helps you! Don't forget to back up the settings you just spent all this time setting up!
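Added example (my own code, not part of pfSense_fan's guide) showing what the `private-address: 127.0.0.0/8` custom option in Step 8-A buys you: a small Python model of Unbound's private-address rebinding filter, applied to constructed DNS answers. Unbound strips A/AAAA records inside any `private-address` range from answers for public names unless the name is listed under `private-domain`; the list of ranges pfSense already emits for its own rebinding protection is an assumption labelled as such in the code, so check it against the `unbound.conf` your box generates.

```python
"""Model of Unbound's private-address rebinding filter (added example)."""
import ipaddress

# Constructed: exactly what Step 8-A has you paste into "Custom options".
GUIDE_CUSTOM_OPTIONS = """\
server:
private-address: 127.0.0.0/8
"""

# ASSUMPTION: the ranges pfSense adds on its own when DNS Rebinding
# protection is enabled (RFC1918, link-local, ULA). Verify on your system.
PFSENSE_DEFAULT_PRIVATE = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
]


def parse_private_addresses(options_text):
    """Collect every `private-address:` value from an Unbound options block."""
    nets = []
    for raw in options_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("private-address:"):
            value = line.split(":", 1)[1].strip()
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def build_private_nets(custom_options=GUIDE_CUSTOM_OPTIONS, include_defaults=True):
    """Combine the assumed pfSense defaults with the user's custom options."""
    nets = [ipaddress.ip_network(n) for n in PFSENSE_DEFAULT_PRIVATE] if include_defaults else []
    return nets + parse_private_addresses(custom_options)


def filter_answers(qname, answers, private_nets, private_domains=()):
    """Return (kept, dropped). Records inside a private range are dropped for
    any name that is not under a `private-domain` entry, which is the
    rebinding defence: a public name may not point at your own hosts."""
    qname = qname.rstrip(".").lower()
    if any(qname == d or qname.endswith("." + d) for d in private_domains):
        return list(answers), []
    kept, dropped = [], []
    for rdata in answers:
        addr = ipaddress.ip_address(rdata)
        # ipaddress already answers False for a v4 address against a v6 net.
        (dropped if any(addr in net for net in private_nets) else kept).append(rdata)
    return kept, dropped


if __name__ == "__main__":
    nets = build_private_nets()
    # The airvpn.org address from Step 8-C passes untouched.
    print(filter_answers("airvpn.org", ["5.196.64.52"], nets))
    # A public name answering with loopback or a LAN address is a rebinding
    # attempt; with the guide's line in place both records are stripped.
    print(filter_answers("rebind.example", ["127.0.0.1", "192.168.1.1"], nets))
    # Without the 127.0.0.0/8 line, the loopback answer would slip through.
    print(filter_answers("rebind.example", ["127.0.0.1"], build_private_nets("")))
```

The third call is the point of the custom option: pfSense's own rebinding protection (as assumed here) covers RFC1918 and link-local space but not loopback, so a public name resolving to 127.0.0.1 would otherwise reach a browser and let it talk to services bound to the firewall's localhost.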
  14. Setting Up pfSense 2.3 for AirVPN
      Step 7: General Settings, Advanced Settings and Other Tweaks

      Step 7-A: System / General Setup

      NOTE: Here we will set a system wide DNS which the Resolver (Unbound) will use in forwarding mode using AirVPN's internal DNS servers. With this method all requests to the built-in DNS in pfSense, including requests from pfSense itself, will go through AirVPN's DNS. To use this method you MUST use direct entry IP addresses in the OpenVPN configuration, as your pfSense appliance will not be capable of resolving a domain name prior to the VPN tunnel being up. This method also means that if the VPN is down, there will be no DNS resolution for any client on the system, even ones not using the VPN, unless an alternate DNS is handed to it via DHCP or manually programmed. Alternate DNS servers, inside or outside of the VPN, can be configured in the DHCP section on a per interface basis or more finely on a static DHCP reservation, with corresponding firewall rules and outbound NAT if needed.

      1.) Go to: System / General Setup
          http://192.168.1.1/system.php -or- https://192.168.1.1/system.php
          and set as follows:

          NOTE 1: You may set the hostname and domain to whatever you like; however, if you do not know what this does, leave it alone.
          NOTE 2: For more information on NTP pools or more accurate servers see: How do I use pool.ntp.org?
          NOTE 3: Settings in the "webConfigurator" section are not covered here because they are purely optional.

          System
          - Hostname = [ pfsense ] (default)
          - Domain = [ localdomain ] (default)

          DNS Server Settings (Address / Gateway)
          - DNS Server 1 = [ 10.4.0.1 ] [ none ▼]
          - DNS Server 2 = [ ] [ none ▼]
          - DNS Server 3 = [ ] [ none ▼]
          - DNS Server 4 = [ ] [ none ▼]
          - DNS Server Override = [_] (UNCHECKED)
          - Disable DNS Forwarder = [_] (UNCHECKED)

          Localization
          - Time zone = [ WHATEVER ZONE IS BEST FOR YOU ▼]
          - Timeservers = [ 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org ] (COPY AND PASTE)
          - Language = [ English ▼] (Or whatever else you want, obviously)

          webConfigurator
          - ... (not covered, see NOTE 3)

      2.) Click [save]

      Step 7-B: System / Advanced / Firewall and NAT

      1.) Go to: System / Advanced / Firewall and NAT
          http://192.168.1.1/system_advanced_firewall.php -or- https://192.168.1.1/system_advanced_firewall.php
          and set as follows:

          Firewall Advanced
          - IP Do-Not-Fragment compatibility = [_] (UNCHECKED)
          - IP Random id generation = [_] (UNCHECKED)
          - Firewall Optimization Options = [ Conservative ▼] (By using a VPN, we add latency. Change this to compensate)
          - Disable Firewall = [_] (UNCHECKED)
          - Disable Firewall Scrub = [_] (UNCHECKED)
          - Firewall Adaptive Timeouts = [______] (BLANK)
          - Firewall Maximum States = [ 2000000 ]
          - Firewall Maximum Table Entries = [ 2000000 ]
          - Firewall Maximum Fragment Entries = [______] (BLANK)
          - Static route filtering = [_] (UNCHECKED)
          - Disable Auto-added VPN rules = [✔] (CHECKED)
          - Disable reply-to = [_] (UNCHECKED)
          - Disable Negate rules = [✔] (CHECKED)
          - Aliases Hostnames Resolve Interval = [ 86400 ] (86400 seconds = 24 hours/1 day)
          - Check certificate of aliases URLs = [✔] (CHECKED)
          NOTE: NO SETTINGS BELOW THIS POINT ON THIS PAGE WERE ALTERED FROM DEFAULT

      2.) Click [save]

      Step 7-C: System / Advanced / Miscellaneous

      1.) Go to: System / Advanced / Miscellaneous
          http://192.168.1.1/system_advanced_misc.php -or- https://192.168.1.1/system_advanced_misc.php
          and set as follows:

          Proxy Support
          - Proxy URL = [____________] (BLANK)
          - Proxy Port = [____________] (BLANK)
          - Proxy Username = [____________] (BLANK)
          - Proxy Password = [____________] (BLANK)

          Load Balancing
          - Load Balancing = [_] Use sticky connections (UNCHECKED)
          - Default gateway switching = [_] Enable default gateway switching (UNCHECKED)

          Power savings
          - PowerD = [✔] Enable PowerD (CHECKED)
          - On AC Power Mode = [ Adaptive ▼] (Or Hiadaptive if preferred)
          - On Battery Power Mode = [ Adaptive ▼] (Or other if preferred)
          - On Unknown Power Mode = [ Adaptive ▼] (Or other if preferred)

          Cryptographic & Thermal Hardware
          - Cryptographic Hardware = [ AES-NI CPU-based Acceleration (aesni) ▼]
          - Thermal Sensors = [ None/ACPI ▼] (Or choose Intel or AMD based on the processor you have)

          Schedules
          - Schedule States = [_] (UNCHECKED)

          Gateway Monitoring
          - State Killing on Gateway Failure = [✔] (CHECKED)
          - Skip rules when gateway is down = [✔] (CHECKED)

          NOTE: RAM DISKS CAUSE AN ISSUE WHEN USED WITH THE PFBLOCKERNG/DNSBL PACKAGE, CAUSING UNBOUND NOT TO START. DO NOT USE RAM DISKS IF YOU PLAN TO USE PFBLOCKERNG.

          RAM Disk Settings (Reboot to Apply Changes)
          - Use RAM Disks = [_] (UNCHECKED)
          - .... (remaining settings not shown)

          Hardware Settings
          - Hard disk standby time = [_] (UNCHECKED)

          Installation Feedback
          - Host UUID = [✔] (CHECKED)

      2.) Click [save]

      Step 7-D: Block & Do Not Log IPv6 Floating Firewall Rule

      1.) Go to: Firewall / Rules
          http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php
          and select the "Floating" tab.
      2.) Click the [↓ Add] button on the bottom right (when moused over it reads "Add rule to the end of the list") and create a rule we will title "BLOCK & DO NOT LOG IPv6". Set as follows:

          Edit Firewall Rule
          - Action = [ Block ▼]
          - Disabled = [_] (UNCHECKED)
          - Quick = [✔] (CHECKED)
          - Interface = [ WAN, AirVPN_LAN, OpenVPN, etc. ] (multi-select)
            NOTE: SELECT ALL INTERFACES ON YOUR SYSTEM UNLESS YOU WANT IPv6. HARDWARE MAY DIFFER SO YOU MAY HAVE MORE INTERFACES THAN SHOWN HERE. REGARDLESS OF HOW MANY, SELECT ALL!!!!
          - Direction = [ any ▼]
          - Address Family = [ IPv6 ▼]
          - Protocol = [ any ▼]

          Source
          - Source = [_] Invert match. [ any ▼] [ ]/[--- ▼]

          Destination
          - Destination = [_] Invert match. [ any ▼] [ ]/[--- ▼]

          Extra Options
          - Log = [_] (UNCHECKED)
          - Description = [ BLOCK & DO NOT LOG IPv6 ]
          - Advanced Options = [☼ Display Advanced ]

      3.) Click [ Save ]
      4.) Click [ Apply Changes ]

          The Floating tab should now show:

          Firewall: Rules | Floating |
          | Proto  | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description             |
          |--------|--------|------|-------------|------|---------|-------|----------|-------------------------|
          | IPv6 * | *      | *    | *           | *    | *       | None  |          | BLOCK & DO NOT LOG IPv6 |
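Added example (my own code, not from pfSense_fan's guide) for the warning in Step 7-A: once the firewall's only DNS server is 10.4.0.1 inside the tunnel, the OpenVPN client must reach its server by IP literal or it can never bootstrap. This Python lint reads a constructed OpenVPN client config and flags every `remote` that would need DNS before the tunnel exists. The sample config and its documentation-range addresses are constructed (not AirVPN servers); pfSense sets the server address in the GUI rather than in an .ovpn file, so the file format here is an illustration of the same check.

```python
"""Flag OpenVPN `remote` entries that need DNS before the tunnel is up
(added example)."""
import ipaddress

# Constructed sample client config; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and vpn.example.net is a placeholder hostname.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote 203.0.113.10 443 udp
# A hostname here needs DNS before the tunnel exists: bootstrap deadlock.
remote vpn.example.net 443 udp
<connection>
remote 198.51.100.7 1194 udp
</connection>
resolv-retry infinite
"""


def remote_hosts(config_text):
    """Return the host part of every `remote` directive, including those
    inside <connection> blocks. Comments and blank lines are ignored."""
    hosts = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            hosts.append(parts[1])
    return hosts


def is_ip_literal(host):
    """True for an IPv4 or IPv6 literal, False for anything DNS must resolve."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_dependent_remotes(config_text):
    """Remotes that would require a DNS lookup at connect time."""
    return [h for h in remote_hosts(config_text) if not is_ip_literal(h)]


def tunnel_can_bootstrap(config_text):
    """True only if there is at least one remote and every remote is an IP
    literal, i.e. the client can connect with no working resolver."""
    hosts = remote_hosts(config_text)
    return bool(hosts) and not dns_dependent_remotes(config_text)


if __name__ == "__main__":
    bad = dns_dependent_remotes(SAMPLE_CONFIG)
    if bad:
        print("DNS-dependent remotes (replace with IP literals):", bad)
    print("can bootstrap without DNS:", tunnel_can_bootstrap(SAMPLE_CONFIG))
```

Run it against a config exported from the client section and fix any entry it lists before pointing the system DNS exclusively at the tunnel; otherwise a reboot while the tunnel is down leaves the firewall unable to resolve the server it needs to bring the tunnel up.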