pfSense_fan

Posts posted by pfSense_fan

    Setting Up pfSense 2.3 for AirVPN

    Step 6: Setting up an AirVPN Routed Interface

    Step 6-A: Configuring the AirVPN_LAN Interface

    1.) Go to Interfaces / LAN

    http://192.168.1.1/interfaces.php?if=lan
    -or-
    https://192.168.1.1/interfaces.php?if=lan
     

    Set as follows:

    NOTE: Interface is renamed due to its use only through AirVPN and to avoid later confusion.

    --------------------------------------------------------------------------
      General configuration  
    --------------------------------------------------------------------------
                     Enable = [√] (CHECKED)
    --------------------------------------------------------------------------
                Description = [ AirVPN_LAN   ]
    --------------------------------------------------------------------------
    IPv4 Configuration Type = [ Static IPv4 ▼]
    --------------------------------------------------------------------------
    IPv6 Configuration Type = [ None        ▼]
    --------------------------------------------------------------------------
                MAC Address = [______________] (Blank/Empty)
    --------------------------------------------------------------------------
                        MTU = [______________] (Blank/Empty)
    --------------------------------------------------------------------------
                        MSS = [______________] (Blank/Empty)
    --------------------------------------------------------------------------
           Speed and Duplex = [ autoselect  ▼]
    --------------------------------------------------------------------------
     
     
    --------------------------------------------------------------------------
      Static IPv4 Configuration
    --------------------------------------------------------------------------
               IPv4 Address = [ 192.168.1.1 ] / [ 24  ▼]
    --------------------------------------------------------------------------
     IPv4 Upstream gateway  = [ none       ▼] 
    --------------------------------------------------------------------------
     
     
    --------------------------------------------------------------------------
      Reserved Networks
    --------------------------------------------------------------------------
     Block Private Networks = [_] (UNCHECKED!!!)
    --------------------------------------------------------------------------
       Block bogon networks = [_] (UNCHECKED!!!)
    --------------------------------------------------------------------------
    
     

    2.) Click [ Save ]

    3.) Click [ Apply Changes ]

    Step 6-B: Setting up the DHCP Server for the AirVPN_LAN Interface

    1.) Go to: Services / DHCP server

    http://192.168.1.1/services_dhcp.php
    -or-
    https://192.168.1.1/services_dhcp.php
     

    2.) Ensure the "AirVPN_LAN" tab is selected

     

    3.) Set as follows: (NOTE: Some of these options may already be set by default, change as needed.)

    -------------------------------------------------------------------------------------------------------------
      General Options
    -------------------------------------------------------------------------------------------------------------
                   Enable = [✔] (CHECKED)
    -------------------------------------------------------------------------------------------------------------
     Deny unknown clients = [_] (UNCHECKED)
    -------------------------------------------------------------------------------------------------------------
    Ignore denied clients = [_] (UNCHECKED)
    -------------------------------------------------------------------------------------------------------------
                   Subnet = 192.168.1.0
    -------------------------------------------------------------------------------------------------------------
              Subnet mask = 255.255.255.0
    -------------------------------------------------------------------------------------------------------------
          Available range = 192.168.1.1 - 192.168.1.254 
    -------------------------------------------------------------------------------------------------------------
                    Range = [ 192.168.1.100        ]      [ 192.168.1.199        ]                               
                             From                          To
    -------------------------------------------------------------------------------------------------------------
    
    
    
    -------------------------------------------------------------------------------------------------------------
     Additional Pools            <----- NOTHING CHANGED HERE
    -------------------------------------------------------------------------------------------------------------
                      Add = [+ Add pool ]     
    -------------------------------------------------------------------------------------------------------------
                            Pool Start          Pool End          Description          Actions
    -------------------------------------------------------------------------------------------------------------
    
    
    -------------------------------------------------------------------------------------------------------------
      Servers                    
    -------------------------------------------------------------------------------------------------------------
             WINS servers = [______________________]
    -------------------------------------------------------------------------------------------------------------
                            [______________________]
    -------------------------------------------------------------------------------------------------------------
              DNS servers = [ 192.168.1.1          ]
    -------------------------------------------------------------------------------------------------------------
                            [______________________]
    -------------------------------------------------------------------------------------------------------------
                            [______________________]
    -------------------------------------------------------------------------------------------------------------
                            [______________________]
    -------------------------------------------------------------------------------------------------------------
    
    
    -------------------------------------------------------------------------------------------------------------
      Other Options
    -------------------------------------------------------------------------------------------------------------
                  Gateway = [______________________]
    -------------------------------------------------------------------------------------------------------------
              Domain name = [______________________]
    -------------------------------------------------------------------------------------------------------------
       Domain search list = [______________________]
    -------------------------------------------------------------------------------------------------------------
       Default lease time = [______________________]
    -------------------------------------------------------------------------------------------------------------
       Maximum lease time = [______________________]
    -------------------------------------------------------------------------------------------------------------
         Failover peer IP = [______________________]
    -------------------------------------------------------------------------------------------------------------
               Static ARP = [_] (UNCHECKED)
    -------------------------------------------------------------------------------------------------------------
       Time format change = [_] (UNCHECKED)
    -------------------------------------------------------------------------------------------------------------
        Statistics graphs = [_] (UNCHECKED)
    -------------------------------------------------------------------------------------------------------------
              Dynamic DNS = [☼ Display Advanced ]
    -------------------------------------------------------------------------------------------------------------
      MAC address control = [☼ Display Advanced ]
    -------------------------------------------------------------------------------------------------------------
                      NTP = [☼ Display Advanced ] <--CLICK THIS, IT CHANGES TO --> [☼ Hide Advanced ]
    -------------------------------------------------------------------------------------------------------------
             NTP Server 1 = [ 192.168.1.1       ]
    -------------------------------------------------------------------------------------------------------------
             NTP Server 2 = [                   ]
    -------------------------------------------------------------------------------------------------------------
                     TFTP = [☼ Display Advanced ]
    -------------------------------------------------------------------------------------------------------------
                     LDAP = [☼ Display Advanced ]
    -------------------------------------------------------------------------------------------------------------
               Additional = [☼ Display Advanced ]
       BOOTP/DHCP Options 
    -------------------------------------------------------------------------------------------------------------
    
    
    -------------------------------------------------------------------------------------------------------------
      Network Booting      <---- (Nothing changed here, do not expand)
    -------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

    Step 6-C: Setting up the Outgoing NAT for the AirVPN_LAN Interface

    NOTE: THIS STEP REQUIRES THAT YOU HAVE ALREADY FOLLOWED THE OUTBOUND NAT INSTRUCTIONS FOUND IN "Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway".

    1.) Go to: Firewall / NAT / Outbound

    http://192.168.1.1/firewall_nat_out.php
    -or-
    https://192.168.1.1/firewall_nat_out.php
     

     

    2.) Click the [ ↑ Add ] button at the bottom right (the one with an upward facing arrow, "Add new mapping to the top of the list").

     

    3.) Set as follows:

    -------------------------------------------------------------------------------------------------------------
      Edit Advanced Outbound NAT Entry
    -------------------------------------------------------------------------------------------------------------
          Disabled = [_] (unchecked)
    -------------------------------------------------------------------------------------------------------------
        Do not NAT = [_] (unchecked)
    -------------------------------------------------------------------------------------------------------------
         Interface = [ AirVPN_WAN ▼]
    -------------------------------------------------------------------------------------------------------------
          Protocol = [ any        ▼]
    -------------------------------------------------------------------------------------------------------------
            Source = [ Network          ▼]  [ 192.168.1.0                       ]/[ 24 ▼]  [__________]
                      Type                     Source network for the outbound NAT mapping.   Port         
    -------------------------------------------------------------------------------------------------------------
       Destination = [ Any              ▼]  [___________________________________]/[--- ▼]  [__________]
                      Type                     Destination network for the outbound NAT mapping.   Port         
    -------------------------------------------------------------------------------------------------------------
                    [_] Not (unchecked)
    -------------------------------------------------------------------------------------------------------------
    
    
    -------------------------------------------------------------------------------------------------------------
      Translation
    -------------------------------------------------------------------------------------------------------------
           Address = [ Interface Address           ▼]
    -------------------------------------------------------------------------------------------------------------
              Port = [______________________________] [_] Static-port ( empty/unchecked )
    -------------------------------------------------------------------------------------------------------------
    
    
    -------------------------------------------------------------------------------------------------------------
      Misc
    -------------------------------------------------------------------------------------------------------------
    No XMLRPC Sync = [_] (unchecked)
    -------------------------------------------------------------------------------------------------------------
       Description = [ AirVPN_LAN to AirVPN_WAN     ]
    -------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ SAVE ]

     

    5.) Click [ Apply Changes ]

     
     
    Your outbound NAT mappings should now look like this. Order is important! Your rules should appear EXACTLY like this, in this order.
    
         Mappings: 
    ______________________________________________________________________________________________________________________
    | Interface  | Source         | Source | Destination | Destination | NAT Address | NAT  | Static| Description        |
    |            |                | Port   |             | Port        |             | Port | Port  |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | AirVPN_WAN | 192.168.1.0/24 | *      | *           | *           | AirVPN_WAN  | *    | ><    | AirVPN_LAN to      |
    |            |                |        |             |             | Address     |      |       | AirVPN_WAN         |
    |            |                |        |             |             |             |      |       |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | AirVPN_WAN | 127.0.0.0/8    | *      | *           | *           | AirVPN_WAN  | *    | ><    | localhost to       |
    |            |                |        |             |             | Address     |      |       | AirVPN_WAN         |
    |            |                |        |             |             |             |      |       |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN        | 127.0.0.0/8    | *      | *           | *           | WAN Address | *    | ><    | Auto created rule  |
    |            |                |        |             |             |             |      |       | - localhost to WAN |
    |            |                |        |             |             |             |      |       |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|

    Step 6: Setting Basic Firewall Rules for the AirVPN_LAN Interface

    The following steps control/redirect ALL DNS and NTP requests, define the allowed local networks and services/ports, enforce the policy-based routing (tell outbound traffic to go through the VPN) and define the allowed outgoing networks and services/ports.

    To redirect all DNS and NTP requests on the interface, we actually have to create two port forwarding rules. Those rules have an option to automatically create an associated firewall rule with them, which we will take advantage of. We will start with the port forward rules, then create the rest of the firewall rules manually.

    Step 6-D: First AirVPN_LAN Firewall Rule

    "AirVPN LAN DNS REDIRECT"

    The first AirVPN_LAN firewall rule is actually a port forward + associated firewall rule that will redirect all DNS requests on this interface to the DNS server of our choice. In the interests of the majority of AirVPN users and for the purposes of this guide, this rule will force all users on this interface to use the DNS Resolver, and hence the servers we entered on the general settings page (AirVPN's DNS), even if they have a manually configured or hard-coded DNS server.

     

    1.) Go to Firewall / NAT / Port Forward

    http://192.168.1.1/firewall_nat.php
    -or-
    https://192.168.1.1/firewall_nat.php
     

    2.) Click the [ ↓ Add ] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN LAN DNS REDIRECT".

     

    Set as follows:

    --------------------------------------------------------------------------------------------------------------
      Edit Redirect Entry
    --------------------------------------------------------------------------------------------------------------
                   Disabled = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
               No RDR (NOT) = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
                  Interface = [ AirVPN_LAN    ▼]
    --------------------------------------------------------------------------------------------------------------
                   Protocol = [ TCP/UDP       ▼]
    --------------------------------------------------------------------------------------------------------------
                     Source = [☼ Display Advanced ] (CLICK TO SHOW ADVANCED OPTIONS)
    --------------------------------------------------------------------------------------------------------------
                     Source = [_] Invert match. [ AirVPN_LAN net            ▼]  [----------]/[--▼]
                             (UNCHECKED)        Type                           Address/mask
    --------------------------------------------------------------------------------------------------------------
          Source port range = [ Any       ▼]  [----------]  [ Any       ▼]  [----------]
    	                    From port       Custom        To port         Custom
    --------------------------------------------------------------------------------------------------------------
                Destination = [✔] Invert match.  [ AirVPN_LAN address       ▼]  [----------]/[--▼]
                                                  Type                           Address/mask
    --------------------------------------------------------------------------------------------------------------
     Destination port range = [ DNS       ▼]  [----------]  [ DNS       ▼]  [----------]
    	                    From port       Custom        To port         Custom
    --------------------------------------------------------------------------------------------------------------
         Redirect target IP = [ 192.168.1.1      ]
    --------------------------------------------------------------------------------------------------------------
       Redirect target port = [ DNS             ▼]       [------------------]
                               Port                       Custom
    --------------------------------------------------------------------------------------------------------------
                Description = [ AirVPN LAN DNS REDIRECT ]
    --------------------------------------------------------------------------------------------------------------
             No XMLRPC Sync = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
             NAT reflection = [ Use System Default ▼]
    --------------------------------------------------------------------------------------------------------------
    Filter rule association = [ Add a new associated filter rule ▼]
    --------------------------------------------------------------------------------------------------------------
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]

    Step 6-E: Second AirVPN_LAN Firewall Rule

    "AirVPN LAN NTP REDIRECT"

    The second AirVPN_LAN firewall rule is actually a port forward + associated firewall rule that will redirect all NTP requests on this interface to the NTP server of our choice. This rule will redirect all NTP requests to pfSense even if the client/device has a hard-coded NTP server programmed.

    1.) Go to Firewall / NAT / Port Forward

    http://192.168.1.1/firewall_nat.php
    -or-
    https://192.168.1.1/firewall_nat.php
     

    2.) Click the [ ↓ Add ] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN LAN NTP REDIRECT".

     

    Set as follows:

    --------------------------------------------------------------------------------------------------------------
     Edit Redirect Entry
    --------------------------------------------------------------------------------------------------------------
                   Disabled = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
               No RDR (NOT) = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
                  Interface = [ AirVPN_LAN    ▼]
    --------------------------------------------------------------------------------------------------------------
                   Protocol = [ UDP           ▼]
    --------------------------------------------------------------------------------------------------------------
                     Source = [☼ Display Advanced] (CLICK TO SHOW ADVANCED OPTIONS)
    --------------------------------------------------------------------------------------------------------------
                     Source = [_] Invert match. [ AirVPN_LAN net            ▼]  [----------]/[--▼]
                             (UNCHECKED)        Type                           Address/mask
    --------------------------------------------------------------------------------------------------------------
          Source port range = [ Any       ▼]  [----------]  [ Any       ▼]  [----------]
    	                    From port       Custom        To port         Custom
    --------------------------------------------------------------------------------------------------------------
                Destination = [✔] Invert match.  [ AirVPN_LAN address       ▼]  [----------]/[--▼]
                                                  Type                           Address/mask
    --------------------------------------------------------------------------------------------------------------
     Destination port range = [ NTP       ▼]  [----------]  [ NTP       ▼]  [----------]
    	                    From port       Custom        To port         Custom
    --------------------------------------------------------------------------------------------------------------
         Redirect target IP = [ 192.168.1.1      ]
    --------------------------------------------------------------------------------------------------------------
       Redirect target port = [ NTP             ▼]       [------------------]
                               Port                       Custom
    --------------------------------------------------------------------------------------------------------------
                Description = [ AirVPN LAN NTP REDIRECT ]
    --------------------------------------------------------------------------------------------------------------
             No XMLRPC Sync = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------------------------
             NAT reflection = [ Use System Default ▼]
    --------------------------------------------------------------------------------------------------------------
    Filter rule association = [ Add a new associated filter rule ▼]
    --------------------------------------------------------------------------------------------------------------
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]
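    Before trusting the two redirects above and the outbound NAT order from Step 6-C, it helps to see what pf actually does with a client packet. The following is an added example (my own code, not pfSense's and not part of the original post): a toy model of pf's first-match evaluation of rdr (port forward) and nat (outbound NAT) rules, loaded with the rules this guide builds, and run against a few constructed packets. Interface names, the TEST-NET (203.0.113.0/24) server addresses and the "… address" NAT target labels are assumptions made for the example.

```python
"""Toy first-match model of the translation rules built in Steps 6-C, 6-D and 6-E.

Added example, not pfSense code and not from the original post. It mimics how pf
walks rdr (port forward) and nat (outbound NAT) rules top to bottom and stops at the
first match. Interface names, the TEST-NET sample addresses and the NAT target
labels are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str              # rdr: interface the packet arrives on; nat: interface it leaves on
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str              # "tcp", "udp", "tcp/udp" or "any"
    src_net: str
    dst_net: str            # a network, or a /32 for "AirVPN_LAN address"
    dst_invert: bool = False   # the "Invert match" checkbox on Destination
    dport: Optional[int] = None
    target: str = ""        # rdr: new destination; nat: new source address
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto != "any" and pkt.proto not in self.proto.split("/"):
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        dst_hit = ip_address(pkt.dst) in ip_network(self.dst_net)
        if dst_hit == self.dst_invert:      # invert flips the sense of the destination test
            return False
        return self.dport is None or pkt.dport == self.dport


def first_match(rules, pkt):
    """pf semantics for translation rules: the first matching rule wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


LAN_IF, VPN_IF, WAN_IF = "AirVPN_LAN", "AirVPN_WAN", "WAN"
LAN_NET, LAN_ADDR = "192.168.1.0/24", "192.168.1.1/32"     # Step 6-A addressing

# Port forwards from Steps 6-D and 6-E. Destination is "! AirVPN_LAN address", so
# queries already aimed at pfSense pass untouched; everything else on 53 (tcp/udp)
# or 123 (udp only) is rewritten to 192.168.1.1.
RDR_RULES = [
    Rule(LAN_IF, "tcp/udp", LAN_NET, LAN_ADDR, dst_invert=True, dport=53,
         target="192.168.1.1", description="AirVPN LAN DNS REDIRECT"),
    Rule(LAN_IF, "udp", LAN_NET, LAN_ADDR, dst_invert=True, dport=123,
         target="192.168.1.1", description="AirVPN LAN NTP REDIRECT"),
]

# Outbound NAT mappings in the order shown at the end of Step 6-C.
NAT_RULES = [
    Rule(VPN_IF, "any", LAN_NET, "0.0.0.0/0", target="AirVPN_WAN address",
         description="AirVPN_LAN to AirVPN_WAN"),
    Rule(VPN_IF, "any", "127.0.0.0/8", "0.0.0.0/0", target="AirVPN_WAN address",
         description="localhost to AirVPN_WAN"),
    Rule(WAN_IF, "any", "127.0.0.0/8", "0.0.0.0/0", target="WAN address",
         description="Auto created rule - localhost to WAN"),
]


def redirect_destination(pkt: Packet) -> str:
    """Destination after the port-forward (rdr) table; unchanged when nothing matches."""
    rule = first_match(RDR_RULES, pkt)
    return rule.target if rule else pkt.dst


def translated_source(pkt: Packet) -> str:
    """Source after outbound NAT; unchanged (private address kept) when nothing matches."""
    rule = first_match(NAT_RULES, pkt)
    return rule.target if rule else pkt.src


# Constructed sample packets from one client on AirVPN_LAN; TEST-NET addresses stand in
# for real DNS/NTP/web servers.
SAMPLES = {
    "dns_hardcoded":  Packet(LAN_IF, "udp", "192.168.1.100", "203.0.113.53", 53),
    "dns_to_pfsense": Packet(LAN_IF, "udp", "192.168.1.100", "192.168.1.1", 53),
    "ntp_udp":        Packet(LAN_IF, "udp", "192.168.1.100", "203.0.113.123", 123),
    "ntp_tcp":        Packet(LAN_IF, "tcp", "192.168.1.100", "203.0.113.123", 123),
    "dns_over_tls":   Packet(LAN_IF, "tcp", "192.168.1.100", "203.0.113.53", 853),
    "https_via_vpn":  Packet(VPN_IF, "tcp", "192.168.1.100", "203.0.113.9", 443),
    "https_via_wan":  Packet(WAN_IF, "tcp", "192.168.1.100", "203.0.113.9", 443),
}


def report() -> dict:
    """Map each sample name to (rdr rule description, nat rule description), None when no hit."""
    out = {}
    for name, pkt in SAMPLES.items():
        rdr = first_match(RDR_RULES, pkt)
        nat = first_match(NAT_RULES, pkt)
        out[name] = (rdr.description if rdr else None, nat.description if nat else None)
    return out


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:16s} rdr={hits[0]!s:26s} nat={hits[1]}")
```

    Running it shows three things worth knowing before you rely on these rules. The inverted destination match is what keeps pfSense's own resolver and NTP service reachable: a query sent to 192.168.1.1 is left alone, while a hard-coded 203.0.113.53 is rewritten to 192.168.1.1. The redirect only catches plain port 53 and UDP 123, so a client that speaks DNS over TLS (853) or DNS over HTTPS (443) is not caught by it and needs a separate block rule if you care. And because the mapping table has no WAN entry for 192.168.1.0/24, a LAN packet that somehow reaches the WAN interface is not translated to the WAN address; it leaves with its private source and cannot get a reply, which is the fail-closed behaviour you want from manual outbound NAT.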

     





     

     



     

     

    Step 6-F: Third AirVPN_LAN Firewall Rule

    "ALLOW_LOCAL_ICMP"

    *NOTE: You should have two default firewall rules as well as the two associated NAT rules from our DNS and NTP redirection rules already set. The two default rules are the “anti-lockout rule” and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. DELETE THE "DEFAULT ALLOW LAN TO ANY" RULE AT THIS TIME.

    1.) Go to Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and Select your "AirVPN_LAN" interface.

     

    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "ALLOW LOCAL ICMP".

     

    3.) Set as follows:

    -----------------------------------------------------------------------------------------------------------------------
      Edit Firewall Rule
    -----------------------------------------------------------------------------------------------------------------------
                    Action = [ Pass                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Disabled = [_] (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
                 Interface = [ AirVPN_LAN          ▼]
    -----------------------------------------------------------------------------------------------------------------------
            Address Family = [ IPv4                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Protocol = [ ICMP                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                 ICMP type = [ any                 ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Source
    -----------------------------------------------------------------------------------------------------------------------
                    Source = [_] Invert match.    [ AirVPN_LAN net         ▼]    [                    ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Destination
    -----------------------------------------------------------------------------------------------------------------------
               Destination = [_] Invert match.    [ Single host or alias   ▼]    [ PRIVATE_NETWORKS   ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Extra Options
    -----------------------------------------------------------------------------------------------------------------------
                       Log = [_]  (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
               Description = [ ALLOW LOCAL ICMP           ]
    -----------------------------------------------------------------------------------------------------------------------
          Advanced Options = [☼ Display Advanced ]  ( --NO ADVANCED OPTIONS ARE SET ON THIS RULE-- )
    -----------------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

                                                 Firewall Rule #3 - ALLOW LOCAL ICMP
                         | AirVPN_LAN |
     ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | ALLOW LOCAL        |
    | ICMP      |                      |       |                    |                    |              |       |          | ICMP               |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|

    Step 6-G: Fourth AirVPN_LAN Firewall Rule

    "AirVPN_LAN_LOCAL_IP_MULTICAST"

    1.) Go to: Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and select your "AirVPN_LAN" interface.

     

    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN_LAN IP MULTICAST".

     

    3.) Set as follows:

    -----------------------------------------------------------------------------------------------------------------------
      Edit Firewall Rule
    -----------------------------------------------------------------------------------------------------------------------
                    Action = [ Pass                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Disabled = [_] (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
                 Interface = [ AirVPN_LAN          ▼]
    -----------------------------------------------------------------------------------------------------------------------
            Address Family = [ IPv4                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Protocol = [ any                 ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Source
    -----------------------------------------------------------------------------------------------------------------------
                    Source = [_] Invert match.    [ AirVPN_LAN net         ▼]    [                    ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Destination
    -----------------------------------------------------------------------------------------------------------------------
               Destination = [_] Invert match.    [ Single host or alias   ▼]    [ LOCAL_IP_MULTICAST ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Extra Options
    -----------------------------------------------------------------------------------------------------------------------
                       Log = [_]  (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
               Description = [ AirVPN_LAN IP MULTICAST      ]
    -----------------------------------------------------------------------------------------------------------------------
          Advanced Options = [☼ Display Advanced ]
    -----------------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

                                                  Firewall Rule #4 - AirVPN_LAN IP MULTICAST
                         | AirVPN_LAN |
     ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4*     | AIRVPN_LAN net       | *     | LOCAL_IP_MULTICAST | *                  | *            | None  |          | AirVPN_LAN IP      |
    |           |                      |       |                    |                    |              |       |          | MULTICAST          |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    
    Step 6-H: Fifth AirVPN_LAN Firewall Rule

    "ALLOW_LOCAL_SERVICES"

    *NOTE: You should already have two default firewall rules on this interface: the "anti-lockout rule" and a "default allow LAN to any" rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule; it is up to you. If you are unsure of what you are doing, just delete it and create new rules from scratch.

     

    1.) Go to Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and Select your "AirVPN_LAN" interface.

     

    2.) Click the [↓ Add] on the right to "Add New Rule" and create a rule we will title "ALLOW LOCAL SERVICES".

     

    3.) Set as follows:

    -----------------------------------------------------------------------------------------------------------------------
      Edit Firewall Rule
    -----------------------------------------------------------------------------------------------------------------------
                    Action = [ Pass                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Disabled = [_] (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
                 Interface = [ AirVPN_LAN          ▼]
    -----------------------------------------------------------------------------------------------------------------------
            Address Family = [ IPv4                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Protocol = [ TCP/UDP             ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Source
    -----------------------------------------------------------------------------------------------------------------------
                    Source = [_] Invert match.    [ AirVPN_LAN net         ▼]    [                  ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
          Display Advanced = [☼ Display Advanced ] <--CLICK, WILL TURN INTO--> [☼ Hide Advanced ] and expose next steps
    -----------------------------------------------------------------------------------------------------------------------
         Source port range = [ (other)               ▼] [ 1024          ] [ (other)               ▼] [ 65535         ]
                              From                       Custom            To                         Custom
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Destination
    -----------------------------------------------------------------------------------------------------------------------
               Destination = [_] Invert match.    [ Single host or alias   ▼]    [ PRIVATE_NETWORKS ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    Destination port range = [ (other)       ▼] [ LAN_SERVICE_PORTS ] [ (other)       ▼] [ LAN_SERVICE_PORTS ]
                              From               Custom                To                 Custom
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Extra Options
    -----------------------------------------------------------------------------------------------------------------------
                       Log = [_]  (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
               Description = [ ALLOW LOCAL SERVICES  ]
    -----------------------------------------------------------------------------------------------------------------------
          Advanced Options = [☼ Display Advanced ]
    -----------------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

                                                 Firewall Rule #5 - ALLOW LOCAL SERVICES
                         | AirVPN_LAN |
    ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | 1024  | PRIVATE_NETWORKS   | LAN_SERVICE_PORTS  | *            | None  |          | ALLOW LOCAL        |
    | TCP/UDP   |                      | -     |                    |                    |              |       |          | SERVICES           |
    |           |                      | 65535 |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
                                                                                                                                                            
    Step 6-I: Sixth AirVPN_LAN Firewall Rule

    "AirVPN_LAN ALLOW OUTBOUND"

    1.) Go to: Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and select your "AirVPN_LAN" interface.

     

    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN_LAN ALLOW OUTBOUND".

     

    3.) Set as follows:

     
    -----------------------------------------------------------------------------------------------------------------------
      Edit Firewall Rule
    -----------------------------------------------------------------------------------------------------------------------
                    Action = [ Pass                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Disabled = [_] (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
                 Interface = [ AirVPN_LAN          ▼]
    -----------------------------------------------------------------------------------------------------------------------
            Address Family = [ IPv4                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Protocol = [ TCP/UDP             ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Source
    -----------------------------------------------------------------------------------------------------------------------
                    Source = [_] Invert match.    [ AirVPN_LAN net         ▼]    [------------------]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
          Display Advanced = [☼ Display Advanced ] <--CLICK, WILL TURN INTO--> [☼ Hide Advanced ] and expose next steps
    -----------------------------------------------------------------------------------------------------------------------
         Source port range = [ (other)               ▼] [ 1024          ] [ (other)               ▼] [ 65535         ]
                              From                       Custom            To                         Custom
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Destination
    -----------------------------------------------------------------------------------------------------------------------
               Destination = [_] Invert match.    [ Any                    ▼]    [------------------]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    Destination port range = [ (other)       ▼] [ WAN_SERVICE_PORTS ] [ (other)       ▼] [ WAN_SERVICE_PORTS ]
                              From               Custom                To                 Custom
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Extra Options
    -----------------------------------------------------------------------------------------------------------------------
                       Log = [_]  (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
               Description = [ AirVPN_LAN ALLOW OUTBOUND       ]
    -----------------------------------------------------------------------------------------------------------------------
          Advanced Options = [☼ Display Advanced ] <-- CLICK THIS TO EXPOSE ADVANCED OPTIONS, SEE NOTE BELOW!!!!!!
    -----------------------------------------------------------------------------------------------------------------------
    
    NOTE: THERE ARE TOO MANY ADVANCED OPTIONS FOR ME TO ILLUSTRATE. 
          WE ONLY NEED ONE SETTING IN THIS ADVANCED AREA, THE "GATEWAY" SETTING. 
          THIS IS AN EXTREMELY IMPORTANT STEP, AS THIS OPTION DIRECTS OUR TRAFFIC THROUGH AIRVPN. 
          FIND AND EDIT THIS OPTION TO THE FOLLOWING:
    
    -----------------------------------------------------------------------------------------------------------------------
      Advanced Options
    -----------------------------------------------------------------------------------------------------------------------
                   Gateway = [ AirVPN_WAN        ▼]
    -----------------------------------------------------------------------------------------------------------------------
     
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

                                               Firewall Rule #6 - AirVPN_LAN ALLOW OUTBOUND
                         | AirVPN_LAN |
    ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | 1024  | *                  | WAN_SERVICE_PORTS  | AirVPN_WAN   | None  |          | AirVPN_LAN         |
    | TCP/UDP   |                      | -     |                    |                    |              |       |          | ALLOW              |
    |           |                      | 65535 |                    |                    |              |       |          | OUTBOUND           |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    
    Step 6-J: Seventh AirVPN_LAN Firewall Rule

    "REJECT LOCAL"

    1.) Go to: Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and select your "AirVPN_LAN" interface.

     

    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "REJECT LOCAL"

     

    3.) Set as follows:

    -----------------------------------------------------------------------------------------------------------------------
      Edit Firewall Rule
    -----------------------------------------------------------------------------------------------------------------------
                    Action = [ Reject              ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Disabled = [_] (UNCHECKED)
    -----------------------------------------------------------------------------------------------------------------------
                 Interface = [ AirVPN_LAN          ▼]
    -----------------------------------------------------------------------------------------------------------------------
            Address Family = [ IPv4                ▼]
    -----------------------------------------------------------------------------------------------------------------------
                  Protocol = [ any                 ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Source
    -----------------------------------------------------------------------------------------------------------------------
                    Source = [_] Invert match.    [ AirVPN_LAN net         ▼]    [                    ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Destination
    -----------------------------------------------------------------------------------------------------------------------
               Destination = [_] Invert match.    [ Single host or alias   ▼]    [ PRIVATE_NETWORKS   ]/[--- ▼]
    -----------------------------------------------------------------------------------------------------------------------
    
    
    -----------------------------------------------------------------------------------------------------------------------
      Extra Options
    -----------------------------------------------------------------------------------------------------------------------
                       Log = [✔]  (CHECKED)
    -----------------------------------------------------------------------------------------------------------------------
               Description = [ REJECT LOCAL                 ]
    -----------------------------------------------------------------------------------------------------------------------
          Advanced Options = [☼ Display Advanced ]
    -----------------------------------------------------------------------------------------------------------------------
    
     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

                                                   Firewall Rule #7 - REJECT LOCAL
                         | AirVPN_LAN |
     ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4*     | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | REJECT LOCAL       |
    |           |                      |       |                    |                    |              |       |          |                    |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    
    Step 6-K: Checking That Our Firewall Rules Are In The Correct Order

    1.) Go to Firewall / Rules

    http://192.168.1.1/firewall_rules.php
    -or-
    https://192.168.1.1/firewall_rules.php
    and Select your "AirVPN_LAN" interface.

     

    2.) The order of the rules we just created is important!

    They should appear in this following order when viewed:

                         | AirVPN_LAN |
     ____________________________________________________________________________________________________________________________________________
    | Proto     | Source               | Port  | Destination        | Port               | Gateway      | Queue | Schedule | Description        |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | *         | *                    | *     | AirVPN_LAN Address | 443                | *            | *     |          | Anti_lockout Rule  |
    |           |                      |       |                    | 80                 |              |       |          |                    |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | *     | 192.168.1.1        | 53 (DNS)           | *            | None  |          | NAT AirVPN LAN     |
    | TCP/UDP   |                      |       |                    |                    |              |       |          | DNS REDIRECT       |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4 UDP  | AIRVPN_LAN net       | *     | 192.168.1.1        | 123 (NTP)          | *            | None  |          | NAT AirVPN LAN     |
    |           |                      |       |                    |                    |              |       |          | NTP REDIRECT       |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | ALLOW LOCAL        |
    | ICMP      |                      |       |                    |                    |              |       |          | ICMP               |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4*     | AIRVPN_LAN net       | *     | LOCAL_IP_MULTICAST | *                  | *            | None  |          | AirVPN_LAN IP      |
    |           |                      |       |                    |                    |              |       |          | MULTICAST          |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | 1024  | PRIVATE_NETWORKS   | LAN_SERVICE_PORTS  | *            | None  |          | ALLOW LOCAL        |
    | TCP/UDP   |                      | -     |                    |                    |              |       |          | SERVICES           |
    |           |                      | 65535 |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4      | AIRVPN_LAN net       | 1024  | *                  | WAN_SERVICE_PORTS  | AirVPN_WAN   | None  |          | AirVPN_LAN         |
    | TCP/UDP   |                      | -     |                    |                    |              |       |          | ALLOW              |
    |           |                      | 65535 |                    |                    |              |       |          | OUTBOUND           |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    | IPv4*     | AIRVPN_LAN net       | *     | PRIVATE_NETWORKS   | *                  | *            | None  |          | REJECT LOCAL       |
    |           |                      |       |                    |                    |              |       |          |                    |
    |           |                      |       |                    |                    |              |       |          |                    |
    |___________|______________________|_______|____________________|____________________|______________|_______|__________|____________________|
    
     

    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!

    IF YOU STILL HAVE THE DEFAULT ALLOW LAN RULE, DELETE IT!
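    As an added check that is not part of the original guide or of pfSense itself, here is a small Python model of the Step 6-K rule table: it applies pfSense's top-down, first-match evaluation to a packet and reports which rule it hits and which gateway it would be sent to. The PRIVATE_NETWORKS and LOCAL_IP_MULTICAST aliases are the ones from Step 5; the AirVPN_LAN subnet (192.168.1.0/24), the client and server addresses, and the contents of LAN_SERVICE_PORTS / WAN_SERVICE_PORTS are constructed placeholders, and the DNS/NTP NAT redirects appear only as their associated pass rules (the address rewrite itself is not simulated).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network aliases. PRIVATE_NETWORKS and LOCAL_IP_MULTICAST are the Step 5 aliases;
# the AirVPN_LAN subnet is an assumption (the guide's router address is 192.168.1.1).
NET_ALIASES = {
    name: [ipaddress.ip_network(n) for n in nets]
    for name, nets in {
        "PRIVATE_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        "LOCAL_IP_MULTICAST": ["224.0.0.0/24", "239.255.0.0/16"],
        "AirVPN_LAN net": ["192.168.1.0/24"],
        "AirVPN_LAN Address": ["192.168.1.1/32"],
        "192.168.1.1": ["192.168.1.1/32"],
    }.items()
}
# Port aliases are filled in later in the guide; these sets are constructed placeholders.
PORT_ALIASES = {"LAN_SERVICE_PORTS": {53, 80, 443}, "WAN_SERVICE_PORTS": {80, 443}}

TCP_UDP = frozenset({"tcp", "udp"})
HIGH_PORTS = range(1024, 65536)        # the "1024 - 65535" source port range

@dataclass
class Rule:
    description: str
    action: str                        # "pass" or "reject"
    proto: Optional[frozenset]         # None = any protocol ("*" in the GUI)
    src: str                           # network alias name or "*"
    sport: object                      # None = any, else a range/set of ports
    dst: str                           # network alias name or "*"
    dport: object                      # None = any, a set of ports, or a port alias name
    gateway: Optional[str] = None      # policy-routing gateway; None = default route

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# The Step 6-K table, top to bottom.
AIRVPN_LAN_RULES = [
    Rule("Anti_lockout Rule", "pass", None, "*", None, "AirVPN_LAN Address", {80, 443}),
    Rule("NAT AirVPN LAN DNS REDIRECT", "pass", TCP_UDP, "AirVPN_LAN net", None, "192.168.1.1", {53}),
    Rule("NAT AirVPN LAN NTP REDIRECT", "pass", frozenset({"udp"}), "AirVPN_LAN net", None, "192.168.1.1", {123}),
    Rule("ALLOW LOCAL ICMP", "pass", frozenset({"icmp"}), "AirVPN_LAN net", None, "PRIVATE_NETWORKS", None),
    Rule("AirVPN_LAN IP MULTICAST", "pass", None, "AirVPN_LAN net", None, "LOCAL_IP_MULTICAST", None),
    Rule("ALLOW LOCAL SERVICES", "pass", TCP_UDP, "AirVPN_LAN net", HIGH_PORTS, "PRIVATE_NETWORKS", "LAN_SERVICE_PORTS"),
    Rule("AirVPN_LAN ALLOW OUTBOUND", "pass", TCP_UDP, "AirVPN_LAN net", HIGH_PORTS, "*", "WAN_SERVICE_PORTS", "AirVPN_WAN"),
    Rule("REJECT LOCAL", "reject", None, "AirVPN_LAN net", None, "PRIVATE_NETWORKS", None),
]

def _addr_ok(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NET_ALIASES[spec])

def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, str):
        return port in PORT_ALIASES[spec]
    return port in spec

def first_match(rules, pkt: Packet):
    """Return (description, action, gateway) of the first rule matching pkt.
    pfSense evaluates interface rules top-down, first match wins; no match = default deny."""
    for r in rules:
        if r.proto is not None and pkt.proto not in r.proto:
            continue
        if not (_addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)):
            continue
        if not (_port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            continue
        return (r.description, r.action, r.gateway)
    return ("default deny", "block", None)

def swapped(rules, a: str, b: str):
    """Copy of rules with the two named rules exchanged, to show why order matters."""
    out = list(rules)
    i, j = [next(k for k, r in enumerate(out) if r.description == n) for n in (a, b)]
    out[i], out[j] = out[j], out[i]
    return out

if __name__ == "__main__":
    client = "192.168.1.50"                                          # constructed LAN host
    to_internet = Packet("tcp", client, 50000, "203.0.113.10", 443)  # TEST-NET-3 address
    to_lan_https = Packet("tcp", client, 50000, "192.168.1.20", 443)
    to_lan_smb = Packet("tcp", client, 50000, "192.168.1.20", 445)
    for p in (to_internet, to_lan_https, to_lan_smb):
        print(p.dst, p.dport, "->", first_match(AIRVPN_LAN_RULES, p))
    # Misordered: ALLOW OUTBOUND above ALLOW LOCAL SERVICES policy-routes local HTTPS out the VPN.
    bad = swapped(AIRVPN_LAN_RULES, "ALLOW LOCAL SERVICES", "AirVPN_LAN ALLOW OUTBOUND")
    print("misordered ->", first_match(bad, to_lan_https))
```

With the table order, local HTTPS hits ALLOW LOCAL SERVICES and stays on the LAN, while the swapped order sends the same packet to the AirVPN_WAN gateway, which is exactly why the rule positions above matter.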

  2.  

     

    Setting Up pfSense 2.3 for AirVPN

     

    Step 5: IP Network and Basic Port Alias Creation to Aid Interface Setup

    Step 5, Part 1:

    Network Aliases

    Step 5, Part 1 - A: "PRIVATE_NETWORKS" Alias (RFC 1918)

    1.) Go to: Firewall / Aliases / IP

    http://192.168.1.1/firewall_aliases.php?tab=ip
    -or-
    https://192.168.1.1/firewall_aliases.php?tab=ip
     

    2.) Click the [ + Add ] button for "Add a new Alias"

     

    Set as Follows:

     

                                                                                                
      Properties                                                                                
    --------------------------------------------------------------------------------------------
                  Name = [ PRIVATE_NETWORKS ]                                                   
    --------------------------------------------------------------------------------------------
           Description = [ PRIVATE_NETWORKS ]                                                   
    --------------------------------------------------------------------------------------------
                  Type = [ Network(s) ▼]                                                        
    --------------------------------------------------------------------------------------------
     
    
     

    Under the "Network(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create three entries here.

     

                                                                                                
      Network(s)                                                                                
    --------------------------------------------------------------------------------------------
                Hint  = .........                                                              
    --------------------------------------------------------------------------------------------
      Network or FQDN = [ 10.0.0.0       ]/[  8 ▼] [ https://tools.ietf.org/html/rfc1918 ]     
    --------------------------------------------------------------------------------------------
                        [ 172.16.0.0     ]/[ 12 ▼] [ https://tools.ietf.org/html/rfc1918 ]     
    --------------------------------------------------------------------------------------------
                        [ 192.168.0.0    ]/[ 16 ▼] [ https://tools.ietf.org/html/rfc1918 ]     
    --------------------------------------------------------------------------------------------
     
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]

    Step 5, Part 1 - B: "LOCAL_IP_MULTICAST" Alias (RFC 2365)

    1.) Go to: Firewall / Aliases / IP

    http://192.168.1.1/firewall_aliases.php?tab=ip
    -or-
    https://192.168.1.1/firewall_aliases.php?tab=ip
     

    2.) Click the [ + Add ] button for "Add a new Alias"

     

    Set as Follows:

     

     
      Properties
    --------------------------------------------------------------------------------------------
                  Name = [ LOCAL_IP_MULTICAST ]
    --------------------------------------------------------------------------------------------
           Description = [ LOCAL_IP_MULTICAST ]
    --------------------------------------------------------------------------------------------
                  Type = [ Network(s) ▼]
    --------------------------------------------------------------------------------------------
     
    
     

    Under the "Network(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create two entries here.

     

     
      Network(s)
    --------------------------------------------------------------------------------------------
                 Hint  = ......... 
    --------------------------------------------------------------------------------------------
      Network or FQDN = [ 224.0.0.0      ]/[ 24 ▼] [ https://tools.ietf.org/html/rfc2365 ]
    --------------------------------------------------------------------------------------------
                        [ 239.255.0.0    ]/[ 16 ▼] [ https://tools.ietf.org/html/rfc2365 ]
    --------------------------------------------------------------------------------------------
     
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]

     





     

     

     




     

     

    Step 5, Part 2:

    Basic Port Aliases

     

     




     

     

    To administer our firewalls so they are as secure as possible, you have to take the mindset that it is going to take a bit of effort. It starts with learning how the protocols are intended to work. Put simply, only ports (services) that we intend to be running should be allowed. Thankfully, pfSense makes this somewhat easy in that by default EVERYTHING is blocked by pfSense unless we create a rule to allow it. I have gone out of my way to offer basic ports to enter for an "entry level" port alias that will allow you to take first steps at becoming your own personal network security admin. These ports will cover the ports (services) that clients on your networks should be allowed to use. To start off and to make this as beginner friendly as possible, the basic rules will only cover the "Well Known Ports" range of 0-1023.

     

    That being said, this step is going to require some user interaction as not everyone will have the same needs. Some people won't need an FTP port allowed on the local network, and some people might need IMAPS open on a local network if they have their own email server. Add or remove ports to these rules as needed. I fully encourage discussion in the forums so common services can be brought to everyone's attention and added to the list.

     

    With or without that discussion, here is some basic info on ports and their assignments. I encourage anyone not already familiar to read up on the subjects of:

     

    Well Known Ports: 0 through 1023

    Registered Ports: 1024 through 49151

    Dynamic/Private or Ephemeral Ports : 49152 through 65535

     

    Some quick links for further reading on the subject:

    List of TCP and UDP port numbers - Wikipedia

    Service Name and Transport Protocol Port Number Registry - iana.org

     

    THIS WILL BE THE MOST CHALLENGING PART OF THIS GUIDE, YET THIS IS ONLY A BASIC SECURITY PRECAUTION! I will offer an advanced port alias section soon that will also cover controlling the "Registered Ports" port range of 1024 - 49151.

     



     

     

    Step 5, Part 2 - A: "LAN_SERVICE_PORTS" Alias

     

     



     

     

    LAN Service ports are ports that clients on our network will be allowed to connect to on the local network. These connections DO NOT leave the firewall to the outside internet.

    You will need to include ports for any service you have on your LAN (Local Area Network) that falls within the "Well Known Ports" range of 0-1023.

     

    1.) Go to: Firewall: Aliases: Ports

    http://192.168.1.1/firewall_aliases.php?tab=port
    -or-
    https://192.168.1.1/firewall_aliases.php?tab=port
     

    2.) Click the [ + Add ] button to "Add a new Alias"

     

    Set as Follows:

     

     
      Properties
    --------------------------------------------------------------------------------------------------------------------
           Name = [ LAN_SERVICE_PORTS ]
    --------------------------------------------------------------------------------------------------------------------
    Description = [ LAN_SERVICE_PORTS ]
    --------------------------------------------------------------------------------------------------------------------
           Type = [ Port(s) ▼]
    --------------------------------------------------------------------------------------------------------------------
     
    
     

    Under the "Port(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create multiple entries.

    PLEASE NOTE: THE SUBNET MASK DROPDOWN SELECTION DOES NOT APPLY TO PORTS ALIASES AND AS SUCH CANNOT BE SELECTED/CHANGED. IGNORE IT.

     
     
      Port(s)
    --------------------------------------------------------------------------------------------------------------------
          Hint  = ......... 
    --------------------------------------------------------------------------------------------------------------------
           Port = [ 21           ] [ -- ▼] [ FTP control (command)                                                    ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 22           ] [ -- ▼] [ Secure Shell (SSH), file transfers (scp, sftp)                           ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)                                       ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 161          ] [ -- ▼] [ Simple Network Management Protocol (SNMP)                                ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)                         ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL                                ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports                                           ]
    --------------------------------------------------------------------------------------------------------------------
     
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]

     





     

     

     



     

     

    Step 5, Part 2 - B: "WAN_SERVICE_PORTS" Alias

     

     



     

     

    WAN Service ports are ports that clients on our network will be allowed to connect to on the Wide Area Network (WAN). These connections DO leave the firewall to the outside internet. You will need to include ports for any service that YOU have a need to connect to that falls within the "Well Known Ports" range of 0-1023.

    1.) Go to: Firewall > Aliases: Ports
    http://192.168.1.1/firewall_aliases.php?tab=port
    -or-
    https://192.168.1.1/firewall_aliases.php?tab=port
     

    2.) Click the [ + Add ] button to "Add a new Alias"

     

    Set as Follows:

     

     
      Properties
    --------------------------------------------------------------------------------------------------------------------
           Name = [ WAN_SERVICE_PORTS ]
    --------------------------------------------------------------------------------------------------------------------
    Description = [ WAN_SERVICE_PORTS ]
    --------------------------------------------------------------------------------------------------------------------
           Type = [ Port(s) ▼]
    --------------------------------------------------------------------------------------------------------------------
     
    
     

    Under the "Port(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create multiple entries.

    PLEASE NOTE: THE SUBNET MASK DROPDOWN SELECTION DOES NOT APPLY TO PORTS ALIASES AND AS SUCH CANNOT BE SELECTED/CHANGED. IGNORE IT.

     
     
      Port(s)
    --------------------------------------------------------------------------------------------------------------------
          Hint  = ......... 
    --------------------------------------------------------------------------------------------------------------------
           Port = [ 21           ] [ -- ▼] [ FTP control (command)                                                    ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 43           ] [ -- ▼] [ WHOIS protocol (If you use a WHOIS program to attain host records)       ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 80           ] [ -- ▼] [ Hypertext Transfer Protocol (HTTP)                                       ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 143          ] [ -- ▼] [ Internet Message Access Protocol (IMAP), management of email messages    ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 443          ] [ -- ▼] [ Hypertext Transfer Protocol over TLS/SSL (HTTPS)                         ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 990          ] [ -- ▼] [ FTPS Protocol (control), FTP over TLS/SSL                                ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 993          ] [ -- ▼] [ Internet Message Access Protocol over TLS/SSL (IMAPS), I.E. Secure email ]
    --------------------------------------------------------------------------------------------------------------------
                  [ 1024:65535   ] [ -- ▼] [ Registered and Ephemeral Ports                                           ]
    --------------------------------------------------------------------------------------------------------------------
     
    
     

    3.) Click [ Save ]

     

    4.) Click [ Apply Changes ]

     





     






  3.  

     

    Setting Up pfSense 2.3 for AirVPN

     

    Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway

     

     





     

     



     

     

    Step 4-A: Assigning the OpenVPN Interface

     

     



     

     

    1.) Go to: Interfaces / Interface assignments

    http://192.168.1.1/interfaces_assign.php
    -or-
    https://192.168.1.1/interfaces_assign.php
     

    2.) Find the line "Available network ports:" and set as follows:

    Available network ports: = [ ovpnc1(AirVPN) ▼]

     

    3.) Click the [ + Add ] button on the lower right for "Add selected interface"

     

    4.) Click [ Save ]

     

    5.) While still on the assign interfaces page, find the link for your newly created "ovpnc1" interface by "mousing over" its name and select it. This will bring you to the configuration page for this interface.

     

    Set as Follows:

    
    --------------------------------------------------------------------------
      General configuration
    --------------------------------------------------------------------------
                     Enable = [√] (CHECKED)
    --------------------------------------------------------------------------
                Description = [ AirVPN_WAN ]
    --------------------------------------------------------------------------
    IPv4 Configuration Type = [ None ▼]
    --------------------------------------------------------------------------
    IPv6 Configuration Type = [ None ▼]
    --------------------------------------------------------------------------
                MAC Address = [______] (Blank/Empty)
    --------------------------------------------------------------------------
                        MTU = [______] (Blank/Empty)
    --------------------------------------------------------------------------
                        MSS = [______] (Blank/Empty)
    --------------------------------------------------------------------------
      Reserved Networks
    --------------------------------------------------------------------------
     Block Private Networks = [_] (UNCHECKED!!!)
    --------------------------------------------------------------------------
      Blocks Bogon Networks = [_] (UNCHECKED!!!)
    --------------------------------------------------------------------------
     
    
     

    6.) Click [ Save ]

     

    7.) Click [Apply Changes]

     





     

     



     

     

    Step 4-B: Setting the AirVPN Gateway

     

     



     

     

    1.) Go to: System / Routing

    http://192.168.1.1/system_gateways.php
     -or- 
    https://192.168.1.1/system_gateways.php
     

    2.) Find the button under the actions section on the same line as AirVPN_WAN_VPN4 that looks like overlapping sheets of paper (shown here as ☐) and select it.

    ***** NOTE: THE APPEARANCE OF THE FOLLOWING IS BASED ON A FRESH INSTALL AND ASSUMES YOU HAVE FOLLOWED THE PREVIOUS STEPS IN THIS GUIDE!

     

     
     
                                                            Default Gateways
    
       System: Gateways
    
       | Gateways | 
             ______________________________________________________________________________________________________________________________________________
             | Name                | Interface      | Gateway                   | Monitor IP                | Description                    | Actions    |
             |                     |                |                           |                           |                                |            |
             |_____________________|________________|___________________________|___________________________|________________________________|____________|
             | WAN_DHCP            | WAN            | 192.168.1.1               | 192.168.1.1               | Interface WAN_DHCP Gateway     |            |
             | (default)           |                |                           |                           |                                | ✐ ☐ Ø π   |
             |_____________________|________________|___________________________|___________________________|________________________________|____________|
             | AirVPN_WAN_VPN4     | AirVPN_WAN     |                           |                           | Interface AirVPN_WAN_VPN4      |    ┌------ CLICK ME!
             |                     |                |                           |                           | Gateway                        | ✐ ☐ Ø π   |
             |_____________________|________________|___________________________|___________________________|________________________________|____________|      
                                                                                                                                                      
                                                                                                                                                  [ + Add ]
                                                                                                                                               
     
     

    3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it.

     

    Set as follows:

     
    ------------------------------------------------------------------------------------
      Edit Gateway
    ------------------------------------------------------------------------------------
              Disabled = [_] (UNCHECKED)
    ------------------------------------------------------------------------------------
             Interface = [AirVPN_WAN ▼]
    ------------------------------------------------------------------------------------
        Address Family = [IPv4 ▼]
    ------------------------------------------------------------------------------------
                  Name = [ AirVPN_WAN ]
    ------------------------------------------------------------------------------------
               Gateway = [ dynamic ]
    ------------------------------------------------------------------------------------
       Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)
    ------------------------------------------------------------------------------------
    Gateway Monitoring = [√] Disable Gateway Monitoring (CHECKED)
    NOTE: The monitoring service has caused more issues than it has
    corrected as of late, so we will disable it.
    ------------------------------------------------------------------------------------
           Force state = [_] Mark Gateway as Down (UNCHECKED)
    ------------------------------------------------------------------------------------
           Description = [ AirVPN_WAN ]
    ------------------------------------------------------------------------------------
                         [☼ Display Advanced ] = ( Unchanged )
    ------------------------------------------------------------------------------------
     
    
     

    ***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe: in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STANDPOINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as:

    write UDPv4: No buffer space available (code=55)

    The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct!

     

    4.) Click [save]

     

    5.) Click [Apply Changes]

     

     

     
     
                                                         Gateways After Editing AirVPN_WAN
       System: Gateways
    
       | Gateways | 
    ______________________________________________________________________________________________________________________________________________
    | Name                | Interface      | Gateway                   | Monitor IP                | Description                    | Actions    |
    |                     |                |                           |                           |                                |            |
    |_____________________|________________|___________________________|___________________________|________________________________|____________|
    | WAN_DHCP            | WAN            | 192.168.1.1               | 192.168.1.1               | Interface WAN_DHCP Gateway     |            |
    | (default)           |                |                           |                           |                                | ✐ ☐ Ø π   |
    |_____________________|________________|___________________________|___________________________|________________________________|____________|
    | AirVPN_WAN          | AirVPN_WAN     |                           |                           | AirVPN_WAN                     |            |
    |                     |                |                           |                           |                                | ✐ ☐ Ø π   |
    |_____________________|________________|___________________________|___________________________|________________________________|____________|      
      
    
     





     

     

     



     

     

    Step 4-C: Setting the Localhost Outbound NAT to Include the AirVPN_WAN

     

     



     

     

     

    Now that we have added a new Gateway, we need to add outbound NAT rules to allow the firewall (pfSense itself) to use that gateway.

     

    1.) Go to: Firewall / NAT / Outbound

    http://192.168.1.1/firewall_nat_out.php
     -or- 
    https://192.168.1.1/firewall_nat_out.php
     

    NOTE: By default the "Mode:" selected is "Automatic outbound NAT rule generation (IPsec passthrough included)". Below this you will see a short list of rules that are not accessible. We need to change the "Mode:" to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" so that we may edit these and create new rules as needed throughout setup.

     

    2.) Set as follows:

    Mode: = Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)

     

    3.) Click [save]

     

    4.) Click [Apply Changes]

     

    A now accessible list of rules should appear. We will delete the "Auto created rule - LAN to WAN" since our "LAN" interface will become our "AirVPN_LAN" interface. Further, outbound NAT setup will be addressed per interface in that step's instructions.

     

     
     
                                                         Default Outbound NAT
    
          Mappings: 
    _____________________________________________________________________________________________________________________
    | Interface | Source         | Source | Destination | Destination | NAT Address | NAT  | Static| Description        |
    |           |                | Port   |             | Port        |             | Port | Port  |                    |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN       | 127.0.0.0/8    | *      | *           | *           | WAN Address | *    | ✔     | Auto created rule  |
    |           |                |        |             |             |             |      |       | for ISAKMP -       |
    |           |                |        |             |             |             |      |       | localhost to WAN   |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN       | 127.0.0.0/8    | *      | *           | *           | WAN Address | *    | ><    | Auto created rule  |
    |           |                |        |             |             |             |      |       | - localhost to WAN |
    |           |                |        |             |             |             |      |       |                    |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN       | 192.168.1.0/24 | *      | *           | *           | WAN Address | *    | ✔     | Auto created rule  |
    |           |                |        |             |             |             |      |       | for ISAKMP -       |
    |           |                |        |             |             |             |      |       | LAN to WAN         |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN       | 192.168.1.0/24 | *      | *           | *           | WAN Address | *    | ><    | Auto created rule  |
    |           |                |        |             |             |             |      |       | - LAN to WAN       |
    |           |                |        |             |             |             |      |       |                    |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    
    
     

    The two rules that use "STATIC PORT: ✔" and with "ISAKMP" in their respective descriptions are the default rules for IPSEC passthrough. If you do not use IPSEC, those two rules can safely be deleted by clicking the trash/rubbish button to the right of that rule. Most people will not need these rules since we are using OpenVPN, so going forward in this guide further instructions will have those rules omitted as if they were deleted. If you do need them you can keep them; it will not hurt the setup.

     

    5.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule for ISAKMP - localhost to WAN" rule to delete it.

     

    6.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule for ISAKMP - LAN to WAN" rule to delete it.

     

    7.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule - LAN to WAN" rule to delete it.

     

    Now we are left with:

     

     
     
                                            Outbound NAT after deleting unnecessary default rules.
    
          Mappings: 
    _____________________________________________________________________________________________________________________
    | Interface | Source         | Source | Destination | Destination | NAT Address | NAT  | Static| Description        |
    |           |                | Port   |             | Port        |             | Port | Port  |                    |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN       | 127.0.0.0/8    | *      | *           | *           | WAN Address | *    | ><    | Auto created rule  |
    |           |                |        |             |             |             |      |       | - localhost to WAN |
    |           |                |        |             |             |             |      |       |                    |
    |___________|________________|________|_____________|_____________|_____________|______|_______|____________________|
     
     
     

    Now we need to make another rule for "localhost to AirVPN_WAN"

     

    8.) Click the [ ↑ Add ] button to the bottom right that has an upward facing arrow for "Add new mapping to the top of the list".

     

    9.) Set as follows:

     
    ----------------------------------------------------------------------------------------------------
      Edit Advanced Outbound NAT Entry
    ----------------------------------------------------------------------------------------------------
          Disabled = [_] (unchecked)
    ----------------------------------------------------------------------------------------------------
        Do not NAT = [_] (unchecked)
    ----------------------------------------------------------------------------------------------------
         Interface = [ AirVPN_WAN ▼]
    ----------------------------------------------------------------------------------------------------
          Protocol = [ any        ▼]
    ----------------------------------------------------------------------------------------------------
            Source = [ Network          ▼]  [ 127.0.0.1                         ]/[ 8 ▼]  [__________]
                      Type                     Source network for the outbound NAT mapping.   Port         
    ----------------------------------------------------------------------------------------------------
       Destination = [ Any              ▼]  [___________________________________]/[---▼]  [__________]
                          Type                     Destination network for the outbound NAT mapping.   Port         
    ----------------------------------------------------------------------------------------------------
                    [_] Not (unchecked)
    ----------------------------------------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------------------------------
      Translation
    ----------------------------------------------------------------------------------------------------
           Address = [ Interface Address           ▼]
    ----------------------------------------------------------------------------------------------------
              Port = [______________________________] [_] Static-port ( empty/unchecked )
    ----------------------------------------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------------------------------
      Misc
    ----------------------------------------------------------------------------------------------------
    No XMLRPC Sync = [_] (unchecked)
    ----------------------------------------------------------------------------------------------------
       Description = [ localhost to AirVPN_WAN ]
    ----------------------------------------------------------------------------------------------------
     
    
     

     

    10.) Click [save]

     

    11.) Click [Apply Changes]

     

     

     
     
          Mappings: 
    ______________________________________________________________________________________________________________________
    | Interface | Source          | Source | Destination | Destination | NAT Address | NAT  | Static| Description        |
    |           |                 | Port   |             | Port        |             | Port | Port  |                    |
    |___________|_________________|________|_____________|_____________|_____________|______|_______|____________________|
    | AirVPN_WAN | 127.0.0.0/8    | *      | *           | *           | AirVPN_WAN  | *    | ><    | localhost to       |
    |            |                |        |             |             | Address     |      |       | AirVPN_WAN         |
    |            |                |        |             |             |             |      |       |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|
    | WAN        | 127.0.0.0/8    | *      | *           | *           | WAN Address | *    | ><    | Auto created rule  |
    |            |                |        |             |             |             |      |       | - localhost to WAN |
    |            |                |        |             |             |             |      |       |                    |
    |____________|________________|________|_____________|_____________|_____________|______|_______|____________________|
     
    
     

     

    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!

     



     

     

     

    12.) Go to: Diagnostics > Reboot System

    http://192.168.1.1/reboot.php
     -or- 
    https://192.168.1.1/reboot.php
     

    13.) Click [ Yes ] to Reboot
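    Step 4-B warns that marking the AirVPN gateway as the default gateway creates a routing loop whose tell-tale sign in the OpenVPN log (at "verb 4") is "write UDPv4: No buffer space available (code=55)". The following is an added example, not code from this guide or from pfSense: it checks a gateway list for that misconfiguration and scans OpenVPN log lines for bursts of the symptom. The syslog lines, host name and gateway records are constructed samples, not captured from a real system.

```python
"""Detect the default-gateway routing loop described in Step 4-B (added example)."""
import re
from collections import Counter

# Constructed sample of pfSense syslog lines from the OpenVPN client (hostname is made up).
SAMPLE_LOG = """\
Jun  5 12:00:01 pfsense openvpn[4211]: Initialization Sequence Completed
Jun  5 12:00:09 pfsense openvpn[4211]: write UDPv4: No buffer space available (code=55)
Jun  5 12:00:09 pfsense openvpn[4211]: write UDPv4: No buffer space available (code=55)
Jun  5 12:00:10 pfsense openvpn[4211]: write UDPv4: No buffer space available (code=55)
Jun  5 12:00:11 pfsense openvpn[4211]: TLS: soft reset sec=0 bytes=...
"""

# The exact message the guide says appears when the loop exhausts network buffers.
BUFFER_ERR = re.compile(r"write UDPv4: No buffer space available \(code=55\)")

# Constructed gateway records mirroring the 'Gateways After Editing' table in Step 4-B.
GATEWAYS = [
    {"name": "WAN_DHCP", "interface": "WAN", "default": True},
    {"name": "AirVPN_WAN", "interface": "AirVPN_WAN", "default": False},
]


def buffer_errors_per_second(log_text):
    """Count the buffer-space error per syslog timestamp ('Mon DD HH:MM:SS' prefix)."""
    hits = Counter()
    for line in log_text.splitlines():
        if BUFFER_ERR.search(line):
            hits[line[:15]] += 1
    return hits


def vpn_gateway_is_default(gateways, vpn_interface="AirVPN_WAN"):
    """True if the gateway on the VPN interface carries the default flag the guide says to leave off."""
    return any(g["interface"] == vpn_interface and g["default"] for g in gateways)


def assess(log_text, gateways, burst_threshold=2):
    """Return a list of findings; an empty list means neither the misconfiguration nor the symptom was seen."""
    findings = []
    if vpn_gateway_is_default(gateways):
        findings.append("AirVPN_WAN gateway is marked as default gateway; Step 4-B says leave it unchecked")
    bursts = {ts: n for ts, n in buffer_errors_per_second(log_text).items() if n >= burst_threshold}
    if bursts:
        first = min(bursts)
        findings.append(f"{sum(bursts.values())} buffer-space errors in bursts, first at {first}; "
                        "check for a routing loop (see Step 4-B note)")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG, GATEWAYS) or ["no findings"]:
        print(finding)
```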

     





     






  4.  

     

    Setting Up pfSense 2.3 for AirVPN

     

    Step 3: Setting up the OpenVPN Client

     

     





     

     

     



     

     

    Step 3-A: Setting up the OpenVPN Client

     

     



     

     

    1.) Go to: VPN > OpenVPN > Client

    http://192.168.1.1/vpn_openvpn_client.php
    -or-
    https://192.168.1.1/vpn_openvpn_client.php
     

    2.) Find and select the [ + Add ] on the lower right for “Add Client”

     

    3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN config file, from the section highlighted YELLOW, as well as our tls-auth key, highlighted PINK.

     

    Set as follows:

     

    --General information

    Disabled = [_] (UNCHECKED!!!)

    Server Mode = [ Peer to Peer (SSL/TLS) ▼]

    Protocol = [ UDP ▼]

    Device Mode = [ tun ▼]

    Interface = [ WAN ▼]

    Local Port = [ 0 ] ( Zero )

    Server Host or Address = [ XXX.XXX.XXX.XXX ] IP of your preferred AirVPN Entry (From the "remote" line in the config)

    Server Port = [ 443 ] (From the "remote" line in the config)

    Proxy Host or address = [_______] (Blank/Empty)

    Proxy Port = [_______] (Blank/Empty)

    Proxy Authentication Extra Options = [none ▼]

    Server Host Name Resolution = [√] Infinitely Resolve Server (checked)

    Description = [ AirVPN ]

     

    --User Authentication Settings

    User name/pass      Leave empty when no user name and/or password are needed.

                                       Username: [_______] (Blank/Empty)

                                       Password: [_______] (Blank/Empty)

     

    --Cryptographic Settings

    TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)

                                       [_] Automatically generate a shared TLS authentication key. (UNCHECKED)

      ___________________________________

     | #

     | # 2048 bit OpenVPN static key

     | #

     | -----BEGIN OpenVPN Static key V1-----

     | XXXXXXXXXXXXXXXXXXXXXX

     | XXXXXXXXXXXXXXXXXXXXXX

     | XXXXXXXXXXXXXXXXXXXXXX

     | XXXXXXXXXXXXXXXXXXXXXX

     | XXXXXXXXXXXXXXXXXXXXXX

     | -----END OpenVPN Static key V1-----

     |____________________________________

    Peer Certificate Authority = [AirVPN_CA ▼]

    Client Certificate = [ AirVPN_CERT ▼]

    Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]

    Auth Digest Algorithm = [ SHA1 (160 bit) ▼]

Hardware Crypto = SET THIS BASED ON YOUR CPU'S CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel processors support RDRAND, but the "Intel RDRAND engine" only accelerates random number generation. What actually speeds up the AES-256-CBC data channel is AES-NI: enable it under System > Advanced > Miscellaneous (Cryptographic Hardware) and then select "BSD cryptodev engine" here. If you have a different CPU you will have to research whether BSD cryptodev is compatible with your processor. If you are unsure, set this to BSD cryptodev; it should not harm anything even if not supported. Where supported, this setting will noticeably increase the throughput of your pfSense appliance.

     

    --Tunnel Settings

    IPv4 Tunnel Network = [_______] (Blank/Empty)

    IPv6 Tunnel Network = [______] (Blank/Empty)

    IPv4 Remote Networks = [_______] (Blank/Empty)

    IPv6 Remote Networks = [_______] (Blank/Empty)

    Limit Outgoing Bandwidth = [_______] (Blank/Empty)

    Compression = [Disabled - No Compression ▼ ]

    Topology = [ net30 - isolated /30 network per client ▼ ]

    Type-of-Service = [_] (UNCHECKED!!!)

    Disable IPv6 = [✔] (CHECKED)

    Don't pull routes = [✔] (CHECKED)

    Don't add/remove routes = [_] (UNCHECKED)

     

    --Advanced Configuration

Advanced = (Copy and paste the following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect; a ";" is turned into a line break when pfSense writes the OpenVPN config. I have added a few settings that improve how OpenVPN runs under pfSense and tighten up security, with comments describing many of them. Some options are left in but commented out so they are handy for troubleshooting; they can be ignored or deleted if not desired. Keep each ";"-terminated entry under 255 characters, or pfSense will reject the field.)

##### CLIENT OPTIONS #####;
server-poll-timeout 10   ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
explicit-exit-notify 5;

##### TUNNEL OPTIONS #####;
### Use multiple "remote" entries with the corresponding entry IP address of your favorite servers  ###;
### other than the server entered in the "Server Host or Address" entry above, and pfSense          ###;
### will automatically reconnect in a round-robin fashion if the server you are connected to        ###;
### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
###remote XX.XX.XX.XX 443   ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Acamar_UDP-2018###;
###remote XXX.XX.XX.XXX 2018   ###AirVPN_US-Miami_Yildun_UDP-2018###;
###remote XX.XX.XX.XX 53   ###AirVPN_US-Miami_Cursa_UDP-53###;
###remote XXX.XX.XX.XX 443   ###AirVPN_CA-Dheneb_UDP-443###;
###remote XXX.XX.XXX.XXX 443  ###AirVPN_CA-Saiph_UDP-443###;
###rcvbuf 262144;
###sndbuf 262144;
mlock   ### Ensures that key material and tunnel data are never written to disk by virtual memory paging, which occurs under most modern operating systems. ###;
fast-io   ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
###tun-mtu 1500;
###mssfix 1450;
###keepalive 5 15;

##### DATA CHANNEL ENCRYPTION OPTIONS #####;
key-direction 1   ### Must match the key-direction line in the downloaded config; 1 is the client side of the tls-auth key. ###;
keysize 256   ### Size of key from cipher ###;
prng SHA512 64  ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
### replay-window n [t]   ### Default = replay-window 64 15 ###;
### mute-replay-warnings;

##### TLS MODE OPTIONS #####;
tls-version-min 1.2   ### Set the minimum TLS version we will accept from the peer. ###;
key-method 2   ### TLS key negotiation method; 2 is the OpenVPN 2.x default and 1 is obsolete. ###;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384   ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
tls-timeout 2   ### Default = 2 ###;
ns-cert-type server   ### Legacy check for the Netscape nsCertType "server" extension; superseded by remote-cert-tls and removed in OpenVPN 2.5. ###;
remote-cert-tls server   ### Require that the peer certificate carries the explicit key usage and extended key usage of a server per RFC 3280 TLS rules, so a client certificate cannot impersonate the server. ###;
### reneg-sec 3600;
    
     

    Verbosity level = [ 3 (Recommended) ▼ ]

     

    4.) Click [save]

     

    5.) Go to: Diagnostics > Reboot System

    http://192.168.1.1/reboot.php
    -or-
    https://192.168.1.1/reboot.php
     

    6.) Click [Yes] to Reboot
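Previewing what the Advanced box turns into, as an added example that is not part of the original guide or of pfSense: pfSense writes each ";"-terminated entry of that box as one line of /var/etc/openvpn/client1.conf, and OpenVPN ignores everything after a "#". The Python below expands a constructed excerpt of the block above the same way, lists the directives OpenVPN will actually act on, and flags entries longer than the 255-character limit users of this guide ran into, directives that duplicate what the form fields already set (cipher, dev, proto and so on), and accidental repeats (several remote lines are the round-robin feature and are allowed). The GUI_MANAGED list and the function names are assumptions of this example, not pfSense's own.

```python
"""Expand and lint the text destined for the OpenVPN client "Advanced" box."""

# Constructed excerpt in the same form as the block in Step 3: ';' ends an
# entry and anything after '#' is a comment. The trailing cipher entry is a
# deliberate mistake the linter should catch.
ADVANCED = (
    "##### CLIENT OPTIONS #####;"
    "server-poll-timeout 10   ### spend no more than n seconds per server ###;"
    "explicit-exit-notify 5;"
    "###remote 203.0.113.20 443   ###AirVPN_second_entry_UDP-443###;"
    "mlock;"
    "fast-io;"
    "key-direction 1;"
    "tls-version-min 1.2;"
    "remote-cert-tls server;"
    "cipher AES-256-CBC;"
)

# Directives pfSense 2.3 writes from its own form fields (assumed list for this
# example); repeating them here puts two copies into client1.conf.
GUI_MANAGED = {"client", "dev", "proto", "cipher", "auth", "ca", "cert", "key",
               "tls-auth", "lport", "resolv-retry", "persist-key", "persist-tun",
               "verb", "comp-lzo", "topology"}
REPEATABLE = {"remote"}     # multiple remote lines are the round-robin feature
MAX_LINE = 255              # per-entry limit users of this guide ran into


def expand(advanced):
    """One entry per ';', as pfSense lays them out in client1.conf."""
    return [seg.strip() for seg in advanced.split(";") if seg.strip()]


def effective_directives(lines):
    """Strip comments; return (name, arguments) pairs OpenVPN will act on."""
    out = []
    for line in lines:
        code = line.split("#", 1)[0].strip()
        if code:
            name, _, args = code.partition(" ")
            out.append((name, args.strip()))
    return out


def lint(advanced):
    """Return human-readable findings; an empty list means the text is clean."""
    lines = expand(advanced)
    findings = [f"entry over {MAX_LINE} chars: {line[:30]}..."
                for line in lines if len(line) > MAX_LINE]
    seen = set()
    for name, _ in effective_directives(lines):
        if name in GUI_MANAGED:
            findings.append(f"'{name}' is already set by the pfSense form; remove it here")
        if name in seen and name not in REPEATABLE:
            findings.append(f"'{name}' appears more than once")
        seen.add(name)
    return findings


if __name__ == "__main__":
    for line in expand(ADVANCED):
        print(line)
    print("findings:", lint(ADVANCED) or "none")
```

Run it on your own pasted text before saving the client; a ";" inside a comment will be split into a new entry just as pfSense splits it, so keep comments free of semicolons. The expanded output should match what you see when loading /var/etc/openvpn/client1.conf in Diagnostics > Edit File.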

     





     






  5.  

     

     

    Setting Up pfSense 2.3 for AirVPN

     

    Step 2: Understanding and Entering our AirVPN CA, Certificate and Key

     

     





     

     

     



     

     

    Step 2-A: Understanding Certificates and OpenVPN Config Files

     

     



     

     

    I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here.

     

First, if you have not done so already, download the OpenVPN config file (.ovpn) for your preferred AirVPN entry server. We need the direct IP address of the server because DNS will not function until the VPN is up. Log in to airvpn.org and go to https://airvpn.org/generator/ . Choose the entry server of your choice by selecting its check box (the entry server can be changed later whenever you need; we will focus on one for this tutorial), then scroll down and select Direct, protocol UDP, port 443. Scroll down again, tick both check boxes agreeing to the AirVPN terms of service, then click the Generate button. Once you have the config file, open it with your favorite text editor. What you see should look very similar to the sample .ovpn config pasted below (this one was downloaded for a Windows client). The config is broken into FIVE main parts that we will need to identify for our uses.

     

    The five parts are as follows:

     

     

     

     

     

     

     

     

     

     

    • Settings and Advanced Settings
    • CA (Certificate Authority, everything between <ca> and </ca>)
    • Cert (Certificate Data, everything between <cert> and </cert>)
    • Key (RSA Private Key, everything between <key> and </key>)
    • tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>)


     

     

     

    Sample OpenVPN Config File

     

    We will need to copy these settings, from YOUR own config file that you downloaded from the AirVPN config generator, into pfSense to set up our certificates and OpenVPN.

     

    DO NOT USE THESE, THEY ARE FICTIONAL.

     

     

    # --------------------------------------------------------

    # Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM

    # OpenVPN Client Configuration

    # AirVPN_XXXXXXXXXXX-xxxx

    # --------------------------------------------------------

     

    client

    dev tun

    proto udp

    remote xxx.xxx.xxx.xxx 443

    resolv-retry infinite

    nobind

    persist-key

    persist-tun

    remote-cert-tls server

    cipher AES-256-CBC

    comp-lzo no

    verb 3

    explicit-exit-notify 5

    <ca>

    -----BEGIN CERTIFICATE-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -----END CERTIFICATE-----

    </ca>

    <cert>

    -----BEGIN CERTIFICATE-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -----END CERTIFICATE-----

    </cert>

    <key>

-----BEGIN RSA PRIVATE KEY-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END RSA PRIVATE KEY-----

    </key>

    key-direction 1

    <tls-auth>

    #

    # 2048 bit OpenVPN static key

    #

    -----BEGIN OpenVPN Static key V1-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -----END OpenVPN Static key V1-----

    </tls-auth>

     





     

     

     



     

     

    Step 2-B: Entering our AirVPN CA (Certificate Authority)

     

     



     

     

    1.) Go to: System / Cert Manager / CAs

    http://192.168.1.1/system_camanager.php
    -or-
    https://192.168.1.1/system_camanager.php
     

    2.) Find and select the [ + Add ] on the lower right for "Add or Import CA"

     

    3.) Here we will enter a descriptive name and enter our CA certificate data.

     

    Set as follows:

    Descriptive name = [✎ AirVPN_CA ]

    Method = [ Import an Existing Certificate Authority ▼]

Certificate Data = [ Everything BETWEEN <ca> and </ca>, but NOT INCLUDING the <ca> and </ca> tags themselves ] - (the <ca> section of the sample ovpn config, including the BEGIN CERTIFICATE and END CERTIFICATE lines):

     

    <ca>

    -----BEGIN CERTIFICATE-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -----END CERTIFICATE-----

    </ca>

     

    Certificate Private Key(optional) = [_______________________] (Blank/Empty)

     

    Serial for next certificate = [_______________________] (Blank/Empty)

     

    4.) Click [save]

     





     

     

     



     

     

    Step 2-C: Entering our AirVPN Certificate and Key

     

     



     

     

    1.) Go to: System > Cert Manager > Certificate Manager

    http://192.168.1.1/system_certmanager.php
    -or-
    https://192.168.1.1/system_certmanager.php
     

    2.) Find and select the [ + Add ] on the lower right for "Add or Import Certificate"

     

    3.) Here we will enter a descriptive name and enter our Certificate and Key data.

     

    Set as follows:

Method = [ Import an existing Certificate ▼]

    Descriptive name = [✎ AirVPN_CERT ]

Certificate Data = [ Everything BETWEEN <cert> and </cert>, but NOT INCLUDING the <cert> and </cert> tags themselves ] - (the <cert> section of the sample ovpn config, including the BEGIN CERTIFICATE and END CERTIFICATE lines):

     

    <cert>

    -----BEGIN CERTIFICATE-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -----END CERTIFICATE-----

    </cert>

     

Private key data = [ Everything BETWEEN <key> and </key>, but NOT INCLUDING the <key> and </key> tags themselves ] - (the <key> section of the sample ovpn config, including the BEGIN and END lines). In a real config these lines read PRIVATE KEY, not CERTIFICATE; pfSense rejects the import if the pasted block is not a private key or does not match the certificate above:

     

    <key>

-----BEGIN RSA PRIVATE KEY-----

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END RSA PRIVATE KEY-----

    </key>

     

    4.) Click [save]
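Splitting the .ovpn file mechanically, as an added example that is not part of the original guide or of AirVPN's tooling: the Python script below takes a constructed .ovpn in the same layout as the sample in Step 2-A (placeholder bodies, not real key material), separates the top-level settings from the <ca>, <cert>, <key> and <tls-auth> blocks, and checks that each block carries the PEM label the pfSense Cert Manager and OpenVPN client fields expect. That catches the most common paste mistake in Steps 2-B and 2-C: pasting the wrong block, or a key whose header does not say PRIVATE KEY. The names split_ovpn and check_pem_labels, the accepted-label table and the default port of 1194 for a remote line without a port are this example's own choices.

```python
"""Split an AirVPN-style .ovpn into the five parts described in Step 2-A
and sanity-check the PEM labels before pasting them into pfSense."""
import re

# Constructed sample in the same layout as the AirVPN generator output.
# The base64 bodies are placeholders, not real certificates or keys.
SAMPLE_OVPN = """\
# Air VPN | https://airvpn.org | sample
client
dev tun
proto udp
remote 203.0.113.10 443
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIICAAAAplaceholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICBBBBplaceholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIECCCCplaceholder
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123abcdplaceholder
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# PEM labels the pfSense Cert Manager / OpenVPN client fields accept for each block
# (table assumed for this example).
EXPECTED_LABELS = {
    "ca": ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key": ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"),
    "tls-auth": ("OpenVPN Static key V1",),
}

BLOCK_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def split_ovpn(text):
    """Return (settings, blocks): top-level directives and the inline <tag> bodies."""
    blocks = {m.group("tag"): m.group("body").strip() for m in BLOCK_RE.finditer(text)}
    settings, remotes = {}, []
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":        # comments and blank lines
            continue
        parts = line.split()
        if parts[0] == "remote":               # may appear more than once
            port = int(parts[2]) if len(parts) > 2 else 1194   # assumed default
            remotes.append((parts[1], port))
        else:
            settings[parts[0]] = " ".join(parts[1:])
    settings["remote"] = remotes
    return settings, blocks


def check_pem_labels(blocks):
    """List blocks that are missing or whose BEGIN/END lines are not what pfSense expects."""
    problems = []
    for tag, labels in EXPECTED_LABELS.items():
        body = blocks.get(tag)
        if body is None:
            problems.append(f"missing <{tag}> block")
            continue
        lines = [l for l in body.splitlines() if l and not l.startswith("#")]
        ok = bool(lines) and any(
            lines[0] == f"-----BEGIN {lab}-----" and lines[-1] == f"-----END {lab}-----"
            for lab in labels)
        if not ok:
            problems.append(f"<{tag}> block does not carry one of {', '.join(labels)}")
    return problems


if __name__ == "__main__":
    settings, blocks = split_ovpn(SAMPLE_OVPN)
    print("remote entries:", settings["remote"])
    print("problems:", check_pem_labels(blocks) or "none")
```

Point it at your own downloaded file instead of SAMPLE_OVPN and paste each value of blocks into the matching pfSense field; settings["remote"] gives the host and port for the "Server Host or Address" and "Server Port" fields of Step 3, and any extra tuples are candidates for the round-robin remote lines.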

     





     






  6.  

     

    Setting Up pfSense 2.3 for AirVPN

     

    Step 1: Disable IPv6 System Wide

     

     





     

     



     

     

    Step 1-A: Disable DHCPv6 on WAN Interface

     

     



     

     

     

    By default, the DHCPv6 client is enabled on the WAN interface. The following steps detail how to turn it off.

     

    1.) Go to: Interfaces / WAN

    http://192.168.1.1/interfaces.php?if=wan
    -or-
    https://192.168.1.1/interfaces.php?if=wan
     

     

    Set as Follows:

    --------------------------------------------------------------------------------------------
     General configuration
    --------------------------------------------------------------------------------------------
                    Enable = [√] (CHECKED)
    --------------------------------------------------------------------------------------------
               Description = [ WAN_dhcp ]
    --------------------------------------------------------------------------------------------
        IPv4 Configuration = [ DHCP ▼]
                      Type
    --------------------------------------------------------------------------------------------
        IPv6 Configuration = [ None ▼] <----- (CHANGE THIS TO "NONE"!!!)
                      Type
    --------------------------------------------------------------------------------------------
               MAC Address = [______] (Blank/Empty)
    --------------------------------------------------------------------------------------------
                       MTU = [______] (Blank/Empty)
    --------------------------------------------------------------------------------------------
                       MSS = [______] (Blank/Empty)
    --------------------------------------------------------------------------------------------
     Private Networks
    --------------------------------------------------------------------------------------------
    Block private networks = [√] (CHECKED)
              and loopback 
                 addresses
    --------------------------------------------------------------------------------------------
      Block bogon networks = [√] (CHECKED)
    --------------------------------------------------------------------------------------------
    
     

    2.) Click [save]

     

    3.) Click [Apply Changes]

     





     

     



     

     

    Step 1-B: Disable DHCPv6 Server on LAN Interface

     

     



     

     

     

By default, the DHCPv6 server is enabled on the LAN interface. Check here to see if it is enabled. My apologies for this being a somewhat incomplete step, but it is disabled on my system and I am unable to see what the user interface looks like here. I hope to update this eventually.

     

    1.) Go to: Services / DHCPv6 Server & RA

    http://192.168.1.1/services_dhcpv6.php
    -or-
    https://192.168.1.1/services_dhcpv6.php
     

    2.) If you can see your LAN interface here, adjust the setting to disable it. Also save and apply settings if necessary.

     





     

     



     

     

    Step 1-C: Disable IPv6 Configuration Type Setting on LAN Interface

     

     



     

     

     

    By default, an IPv6 configuration type is enabled on the LAN interface. The following steps detail how to turn it off.

     

    1.) Go to: Interfaces / LAN

    http://192.168.1.1/interfaces.php?if=lan
    -or-
    https://192.168.1.1/interfaces.php?if=lan
     

     

    Set as Follows:

    --------------------------------------------------------------------------------------------
     General configuration
    --------------------------------------------------------------------------------------------
                    Enable = [√] (CHECKED)
    --------------------------------------------------------------------------------------------
               Description = [ LAN   ]
    --------------------------------------------------------------------------------------------
        IPv4 Configuration = [ Static IPv4 ▼]
                      Type
    --------------------------------------------------------------------------------------------
        IPv6 Configuration = [ None        ▼] <----- (CHANGE THIS TO "NONE"!!!) 
                      Type
    --------------------------------------------------------------------------------------------
               MAC Address = [______________] (Blank/Empty)
    --------------------------------------------------------------------------------------------
                       MTU = [______________] (Blank/Empty)
    --------------------------------------------------------------------------------------------
                       MSS = [______________] (Blank/Empty)
    --------------------------------------------------------------------------------------------
     Private Networks
    --------------------------------------------------------------------------------------------
    Block private networks = [_] (UNCHECKED)
              and loopback 
                 addresses
    --------------------------------------------------------------------------------------------
      Block bogon networks = [_] (UNCHECKED)
    --------------------------------------------------------------------------------------------
    
     

    2.) Click [save]

     

    3.) Click [Apply Changes]

     





     



     

     

    Step 1-D: "Disable" IPv6

     

     



     

     

     

    1.) Go to: System / Advanced / Networking

    http://192.168.1.1/system_advanced_network.php
    -or-
    https://192.168.1.1/system_advanced_network.php
     

     

    IPv6 Options

    Allow IPv6 = [_] (UNCHECKED)

    From pfSense:

    All IPv6 traffic will be blocked by the firewall unless this box is checked.
    NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
     

    NOTE: No other settings on this page were altered from default.

     

    2.) Click [save]

     





     


  7. Please see also here for an updated baseline guide for systems newer than 2.3 (updated 2021/02/20):
    https://nguvu.org/pfsense/pfsense-baseline-setup/


     




     

     

    pfSense_fan's Guide

    How To Set Up pfSense 2.3 for AirVPN

     

     





     

     

    Guide is updated to pfSense Version 2.3

    This guide will work on 2 or more interfaces.

    Please inform me of any and all errors found!

     

    Feedback is appreciated! Please rate this post or leave a comment to share if this worked for you!

     

     





     

     

     

    Table of Contents:

    -----

     

     





     


  8. Hi all,

     

    What NAT rules should I have in order to get DHCP working for the AirVPN_LAN ?

     

    Thank you for your time and answers.

     

    N.

     

     

    Do yourself a favor and wait a week or two.

     

    This guide will be completely outdated in the coming days as the release of pfSense 2.3 is very near.

     

    I am working on a new guide that is far more in depth than the current one, but it will take some time to edit my BBCODE and have some users test it before releasing it.

     

    I wouldn't waste your time right now.


  9. So, just as expected:

    https://blog.pfsense.org/?p=1997

     

Prepare a good bottle of your favorite liqueur, the release is very near if nothing critical is found in the RC.

    All the same, the update I'm making should work for 2.3 as well. If not I can add the steps to the thread and add links in the index as the main guide goes to 2.3.

     

That being said, I came on here to see if there are any other takers that want to help me audit/preview the new guide before posting. Any takers? I can invite to a private thread.


  10.  

    I had a problem with doing a straight copy and paste as well. The issue was that the commented out portions tend to overrun the 255 character per line limit. Delete any of the comments you absolutely don't need. Specifically the explanation for the server round-robin as it is quite long. Once I did that, I was golden and my client would start up.

     

     

    >It should be fixed now. That's what feedback is for.

     

    I didn't know there was a line limit. Thanks for the heads up.

     

    The comments are fine left in otherwise, they are there and have been in my setup, except the explanation for using remote.

     

    Thanks guys. I'm still so new that I have to wait for moderator clearance, and so my post came in after you replied. I assumed there was some kind of string shenanigans going on.   Glad it was something simple.

     

    And pfSense_fan, as soon as I'm clear of this low post count censorship, I'll try to get you more feedback. Your guide single-handedly kept me using AirVPN. Without it I would have been lost in the sea of pfsense generic documentation.

     

     

    Thank you, that's a very nice compliment. I remember feeling that way, it's what lead me to make this. Everywhere I looked, every "guide" seemed like it was written for people who already knew how to do it. It's almost as if it is an inside joke with open source software, "Here's how to do XYZ, assuming you already know how to do ABCDEFG...". It was maddening.

     

    That being said, I am working on a major update to the guide. Any interest in previewing it to help me spot any errors and possibly beta test it? I can invite one more person into the private thread. Let me know.


  11.  

     

    REQUESTING FEEDBACK AGAIN!

     

     

     

    I can make a firewall rule that will redirect all requests for DNS and all requests for NTP to the server of our choosing, best served by pfSense itself since it acts as a DNS caching server and NTP server. In the case of trying to get such devices and apps to use AirVPN's DNS for anti georestriction reasons or other, this is the best fix.

    Let me know, discuss.

     

I like this too. To keep Google out of the loop is always a good idea.

    If I understand this right, you want to use the Resolver in combination with Airvpn dns?

    Have a good day.

     

    Gr,casper.

     

    Correct, the update migrates to the DNS Resolver, and the guide will focus on AirVPN DNS. The user can use the DNS of their choice.

     

     

pfsense_fan, any chance you can add to the tutorial, as an optional part, a guide to setting up an SSL tunnel on pfSense? Unfortunately ISPs are traffic shaping users using OpenVPN..... for those that are getting throttled (me), the optional guide will be a God send!

     

     

    No joke, I thought about this as I lay in bed last night. Problem is I have never attempted it. I would like to add this but have no timetable for such an addition. Once I'm done with the core parts of the guide I will explore this, but that's not saying much for when that might be.


  12. REQUESTING FEEDBACK AGAIN!


     


     


    As I go through and reorganize the guide, there is a need to change the "basic" firewall rules that this has utilized. I intend to be a bit more in depth going forward.


    That being said, I have an tweak that I want to use, but want to make sure others agree it is a good idea. This tweak has to do with DNS and NTP.


     


    More and more these days, IoT devices, apps and any number of devices are coming hard coded with DNS and NTP servers. Apple devices such as iphones and ipads query hard coded NTP.  Android apps are coded for google DNS. New Netflix apps are hard coded for google DNS as well. The list goes on. For a number of reasons, this can lead to configuration and/or security issues. Many of these devices and apps do not have an option to change these settings.


     


    I can make a firewall rule that will redirect all requests for DNS and all requests for NTP to the server of our choosing, best served by pfSense itself since it acts as a DNS caching server and NTP server. In the case of trying to get such devices and apps to use AirVPN's DNS for anti georestriction reasons or other, this is the best fix.


     


I use this method and have for a few years. The question is, do you see the value in it as well? Should I include this as part of the guide? I feel like yes since this is a growing trend in devices and apps, but don't want to force my views on others.


     


    Let me know, discuss.



  13. Just built a box for pfsense and used your guide on the first page of this thread to get things more or less working.

     

    My setup is just cheap "desktop" parts but it's fast.  I'm using just 2 NICs.

     

    I'd love some help/ideas on how to do the following

     

    1) easiest setup for switching between various VPN providers.  This is a problem if I intend to use VPN provider DNS.

    2) I actually would rather use public DNS as long as I can verify DNS requests from VPN tunneled clients are actually going through the tunnel.  Prior to this new pfsense box my router, unless I created policy rules, would send DNS requests out the WAN even for clients routed through the VPN.

    3) Finally, how do I route certain LAN clients through through WAN and not VPN?

     

    BTW, got a cheap AMD A6 7400K CPU, turned on AES-NI, and selected the engine in the openvpn client setup.  I was able to max out my line, 120mbit/s.  Nice!

     

    Edit: I think I've figured out a couple of the questions above.  Still tinkering with the idea of using different DNS.  The reason is that often AirDNS points me to a server far away, not the nearest in a given network.

     

    If you are using the DNS Forwarder, change the DNS entries on the General settings page to your DNS of choice and select the gateway you want to make the request on in the drop down box to the right of it.

     

If you are using the Resolver, enter your DNS of choice on the General settings page, select the gateway as "None" in the drop downs. Then go to the Resolver settings and select only the VPN gateway from the "Outgoing Network Interfaces".

     

     

If you are allowing clients to query other DNS servers, you need to make a policy based firewall rule that tells all traffic destined for your DNS server of choice on port 53 to go out the VPN gateway. Do this by selecting the gateway from the advanced options. This firewall rule needs to be at the top of the list on the interface you are on.


  14.  

    Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.

    Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all version prior to pfsense 2.3)

     

     

    As always, feedback is welcome and encouraged.

Step 3, under the advanced options, adding the round robin so that when your connection goes down it goes to a different server: do you need just IPs? Certs and all that info are not needed?

     

    i would like to see the more secure settings also not to only improve my setup but knowledge.

     

     

Correct, just need to add the IP addresses and commented out descriptions (if desired). Your certs do not change per server; you have one certificate tied to your account that lets you connect to any Air server. The only thing that changes in the configs you download is the individual server details such as IP and port.

     

     

     

     

     

    To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN...

     

    I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE!

     

    .....

     

    So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step?

     

    Please let me know! Discuss!

     

     

1. I am interested too! And have test hardware.

    2.in step3

    ##### CLIENT OPTIONS #####;

    server-poll-timeout 10  ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;

    explicit-exit-notify 5;

     

    I am almost sure that you forgot the ";" after "-timeout 10".

    Can you confirm this?

     

    Gr, Casper

     

     

    1. Perfect, glad to have another tester. That being said, our testing last night exposed some details I have to change in other steps. Once I have those done, I will PM you the new bits. Forewarned, it may be a number of days. There is a lot to consider.

     

    2. Nope, did not forget... it is at the end of the line. The ";" signifies a line break; it has no other function. If you wish to see what it does when you submit these entries, you can go to:

     
    https://192.168.1.1/edit.php
    
    On the line toward the top that says "Save / Load from path:" Enter:
    /var/etc/openvpn/client1.conf
    
    Then click Load. You should see all the entries pfSense adds through the GUI settings and all of our settings, each on its own line.
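    To show what the reply above describes, here is an added Python example (not code from the thread, from pfSense, or from OpenVPN) that mimics how pfSense renders the custom-options box: it splits the text on ";" and emits each piece as its own config line, so ";" is a line separator and a forgotten one simply runs two entries together on one line. The sample input is Casper's snippet as quoted above; the trimming and dropping of empty pieces is my assumption on top of the split (the real output may keep a blank line, which OpenVPN ignores), and the inline "### ... ###" notes are treated as comments.

```python
"""Model of how pfSense renders the OpenVPN "Custom options" box (added example).

pfSense splits the box's text on ';' and writes each piece on its own line of
/var/etc/openvpn/clientN.conf, so ';' acts as a line break. This model mirrors
that behaviour; trimming and dropping empty pieces are assumptions on top of it.
"""
from typing import List, Optional, Set


def custom_options_to_lines(custom_options: str) -> List[str]:
    """Split the custom-options text into the config lines pfSense would write."""
    return [part.strip() for part in custom_options.split(";") if part.strip()]


def directive_of(line: str) -> Optional[str]:
    """Directive name of a rendered line; None for comment-only or blank lines."""
    code = line.split("#", 1)[0].strip()   # drop the inline "### ... ###" notes
    return code.split()[0] if code else None


def rendered_directives(custom_options: str) -> List[str]:
    """Directive names in render order (comment-only lines skipped)."""
    names = (directive_of(line) for line in custom_options_to_lines(custom_options))
    return [name for name in names if name is not None]


def unknown_directives(custom_options: str, known: Set[str]) -> List[str]:
    """Directives that would reach OpenVPN but are not in the expected set.

    A typo in a directive name shows up here as an unknown name; a forgotten
    ';' does not, because the second entry is either swallowed by a trailing
    comment or becomes an extra argument of the first entry. Compare the
    output of rendered_directives() against the expected set for that case.
    """
    return [name for name in rendered_directives(custom_options) if name not in known]


# Casper's snippet from the thread, exactly as typed into the box.
SAMPLE = (
    "##### CLIENT OPTIONS #####;"
    "server-poll-timeout 10  ### When polling possible remote servers to connect "
    "to in a round-robin fashion, spend no more than n seconds waiting for a "
    "response before trying the next server. ###;"
    "explicit-exit-notify 5;"
)

# Constructed variant: the ';' after the server-poll-timeout entry is missing,
# so "explicit-exit-notify 5" lands inside that entry's trailing comment.
MISSING_SEMICOLON = (
    "##### CLIENT OPTIONS #####;"
    "server-poll-timeout 10  ### note ###"
    "explicit-exit-notify 5;"
)

EXPECTED = {"server-poll-timeout", "explicit-exit-notify"}

if __name__ == "__main__":
    for line in custom_options_to_lines(SAMPLE):
        print(line)
    print("directives:", rendered_directives(SAMPLE))
    print("with missing ';':", rendered_directives(MISSING_SEMICOLON))
```

    Running it prints the three lines as they would appear in client1.conf. The missing-semicolon variant is the case worth checking for: because the split happens in pfSense before OpenVPN ever sees the text, the entry that follows a trailing "### ... ###" note is silently absorbed into that comment, and any ";" inside a comment would likewise be turned into a line break.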

     

     

    Tested the new DNS Resolver settings and 18 hours later, everything is up and running fine. Huge thanks to pfSense_fan for walking me through a few hiccups as I'm currently only using the 2 NIC setup and for helping me figure out my internal DNS issue. Cannot wait to do the full 2.3 setup.

    Glad to hear!

  15.  

    That guide you looked at is based off of the same alias and port sets that I am referring to. Only required outbound ports should be allowed on outbound rules, only required local ports should be allowed on local rules. The changes I am proposing would be near identical except this guide focuses on physical ports instead of VLANS.

     

    No issues for me here. I only have a few hardwired connections. The vast majority are through a wireless AP, so I just don't feel I need all the VLANs in that setup. So I would be very interested in your updated perspective. I have learned a lot about pfSense since following your initial guide. Ultimately, I'd like to have it running your 3 NIC setup (when I get my C2758 board) connected to Air constantly, internal DNS resolution (via hostname) and Suricata for that extra security.

     

    Glad to hear that. It's nice to know people are still learning, just as I had a few years ago.

     

    I just finished the bbcode for the DNS resolver. Care to beta test it with my guidance? I can PM you instructions.

     

    Edit: I PM'd you in case you do.


  16. Just for the hell of it, I was browsing this guide and it is fairly in-depth as far as I can tell with the use of multiple VLANs. Beyond the scope of my need honestly. However, I have no issues with more security and I would like to utilize the DNS resolver as I still have never been able to get internal DNS resolution working using the initial guide. I cannot ping via host names. I have a new C2758 board on the way that I plan to use as a dedicated pfSense box and replace the Core2-Duo I'm using at the moment.

    That guide you looked at is based off of the same alias and port sets that I am referring to. Only required outbound ports should be allowed on outbound rules, only required local ports should be allowed on local rules. The changes I am proposing would be near identical except this guide focuses on physical ports instead of VLANS.

  17. To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN...


     


    I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE!


     


    In updating this guide to use the DNS Resolver instead of the DNS Forwarder, a number of changes were required. The order of the steps even had to be changed. I have worked out the new order of things, and am in the process of touching up details and the BBCODE I use. As I do that I have an itch to slightly evolve the guide to be a bit more in depth and probably a bit more complicated. With that said, it would also be more secure. I am thinking about adding in a step to create a group of aliases that would in turn assist in creating more in-depth firewall rules. These settings have had extensive testing by myself and others for over a year now, if not two.


     


    So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step?


     


    Please let me know! Discuss!


  18. This is a very good thread and I think a lot of posters here are very good at pfSense.

     

    I have one question.

     

    What kind of data does the pfSense company collect from pfSense boxes?

     

    https://forum.pfsense.org/index.php?topic=108589.0

     

    Many thanks in advance!

     

     

    That would be hard to say for sure, but pfSense does not send out crash reports without you submitting them. When you get a crash report it asks you what you would like to do next.


  19. Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.

    Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all versions prior to pfSense 2.3)

     

     

    As always, feedback is welcome and encouraged.


  20. For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to update at all or to postpone updating to 2.3.

     

    The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up its sleeve.

     

    I am going to offer it up differently than I originally did with the forwarder. Instead of using clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any clear-net interfaces will have to hand out external public DNS if the user desires it.

     

    This could cause some confusion, as if the VPN goes down so too will the DNS Resolver. Others will find that fact desirable. I don't find it desirable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and its DNS block list functionality.

     

    In the interim, any and all constructive criticism is welcomed. As some know, I made this guide in my head to help users get started; my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.
