
pfSense_fan

Members2
  • Content Count

    247
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    21

Everything posted by pfSense_fan

  1. I have always had this issue. I always assumed it was my use of so many add-ons... but even if I whitelist the cookies from here it happens. It was the bane of my existence when I was making my tutorial. It's random and it can be frequent or can be hours in between. I later found when I started using a different server and port the issue got much, much better. It coincided with the gateway monitoring results I was able to see using pfSense. Connections that had packet loss suffered the issue more. It could be worth trying other servers and ports for connecting if you are unable to monitor the connection.
  2. You need to set the outbound NAT rules to correspond to the split subnet AND set an allow-out firewall rule for each split of the subnet with the assigned gateway on the firewall rules page for that NIC... but yes, you can do this. Delete the allow-out rule that allows the entire subnet. When I first started this guide I had a section for this, but it caused me too much grief because the average person using my guide is completely new to this... and I choose not to support it, as there is too much room for error if one does not know what they are doing. Mind you... you now cannot use the DNS forwarder at all unless you want to lose ALL connectivity when the VPN is down. You will need to have DNS served by DHCP to the clear-net side, or use the forwarder for both but set the DNS on the general page to 10.4.0.1 only, with the gateway set to AirVPN. There may be other steps, but I too am a bit worn out at the moment. Good luck.
  3. I tried it, too, it works quite well. Playing games like League of Legends over a VPN connection results in a 35 ms ping instead of 30 ms for me if played over the "naked" network. As I said in the very next sentence: "Not for competitive gaming anyway."
  4. 1. This all depends on a number of variables and in the end it is entirely an opinion of anyone who answers. Some things to question are: What level of gaming are you at? Casual? Competitive? Professional (legit professional)? There is always a chance for vengeful players (griefers), although legitimate "threats" are few and far between... UNLESS YOU ARE A LEGITIMATE PROFESSIONAL PLAYER. Professional players face a myriad of threats and grief from other players, but this stems from their names being publicly known. You then become targeted. People try to hack your network. People try to steal your identity, whether it be gamer names or real-life info. Social engineering is the biggest thing to fear in online gaming. Never give out your name to other gamers... EVER. Not even just your first name. That's how social engineering starts. You said you didn't know how people got the info; they get it because Xbox does not use dedicated servers. Games choose a "host" from the pool of players in the lobby. The rest of you are clients. With the proper knowledge, software and equipment, you can see the IP address of everyone in the lobby. The stories of the DoS attacks... well... they are real. At the same time they are highly unlikely unless you play at the utmost highest level where people will do anything to gain an advantage. I've been the victim of such an attack. 2. No... gaming through a VPN will always add latency. I tried it... it does not work well. Not for competitive gaming anyway. I game on the clear net, regardless of my experiences. I rely on a powerful firewall (pfSense) to protect me from any attacks. 3. For a few seconds, yes. Router processors are not equipped with encryption acceleration and thus are not very efficient at it. 4. Whichever server is closest to you that is stable for you. Latency matters in gaming.
  5. First I would like to thank you for your expeditious reply; it is greatly appreciated. I will be the first to admit there needs to be some discussion on how it would work. Some initial thoughts are that perhaps only users connected to Air could use it, to keep abuse and load to a minimum. It would be best though if it could be tied to forum user names, so we could know we are chatting with the same people from the forum indeed. Any help you need, I volunteer in any way I am capable of helping. I'm sure a few others that currently join me would also be happy to beta test. I'm not sure it needs any integration into a web frontend, however. Very easily a tutorial could be posted on the forums on how to get started with XMPP. A set of default conference rooms can be available on the server, and users can create their own chats. Thank you, I was not aware of them. I will have to research them now. Perhaps, but this is beyond the point of what we are trying to accomplish. I somehow do not think it would be good form to suggest the entire user base sign up there either. While I am not against chats/group chat in any way, it's only a benefit that XMPP also has this ability. The real focus here is Off The Record communication with the OTR plugin. It is precisely the need for this ability in some circumstances that prompted this request. To be fair, I heavily weighed the pros and cons of this request for weeks before asking. While it is unprecedented in the scope of the current service compared to the competition, it is not outside the scope of their mission statement. To compare the need for secure communication with BitTorrent and game servers is a bit of a reach... and possibly an assumption. While I do not pass judgement on one's reasons for using this service, I can assure you my motivations are privacy and advocacy. 
I will end by giving a few examples of issues I've run into in helping a number of users learn about security/piracy/networking and why I feel it would be best if there was an "in-house" solution. 1.) In helping people set up pfSense and other networking equipment, it is quite often that logs require reviewing. This sometimes can be as many as 2000 lines of logs. For those that don't know, many times OpenVPN and other network logs can give away a user's clearnet IP address. Ask anyone I have helped (and I hope some may chime in): I ask them to search these logs and remove identifying info before sending them to me. Unfortunately these people are seeking help because they don't understand it as it is, and 9 times out of ten they overlook info that absolutely would not belong on a forum, even in a private message. I should have no knowledge of those bits honestly, but at least with OTR these users can shrink their partition of trust. 2.) Another common form of troubleshooting is viewing screen captures. This has the same concerns as above and a few others. A screenshot may include bits of info on a user they may not realize is potentially exposing. Weather apps/widgets that show a city is one example. The dashboard of pfSense gives away all IP addresses of the system. Again, uninformed users don't know better and this info DOES NOT belong on a forum. Without the assistance, however, these folks may not get up and running securely. This does not even get into the further potential for exposure with EXIF data on pictures. 3.) I have spent many, many hours teaching users about hardware choices and why some choices are better than others or even "must have" if certain levels of security and privacy are to be attained. Some of this equipment is not common consumer equipment. Public discussion of these hardware choices could potentially put a user at risk of being correlated. 
With the revelations that equipment can be intercepted and bugged, the need for off-the-record discussion of such matters cannot be overlooked for those who require privacy or may be oppressed. In private, I can share with a user what best practices I know of for how they can best attain the equipment... from methods of payment right down to where and how to purchase it. And for anyone who thinks this is a far-fetched scenario... the need has been very real for some already. 4.) I very much enjoy sharing what I know with others and helping where I can, but I also work for a living. I work long hours in fact, very long indeed some days. There have been a few times already where it was exceedingly hard to help some users because we simply were not on the forums at the same time. So much time would pass between communication that I would forget where we had left off. Moving the conversation over to XMPP expedited the whole process because as soon as we were both on we chugged away at the setups. It made my helping others more convenient for me. I'm not sure many people realize just how many hours of my own time I've dedicated to helping the community. I am not looking for thanks.... what I am looking for is a way to "help me help you". So to reiterate, chats/conference rooms are great and all, and I do and would use them, but let's not overlook that they do not offer OTR in conference rooms. What myself and others are looking for/asking for is the ability to use OTR if and when it is needed. While it is great that there are other services out there, we would not be shrinking our partition of trust but expanding it. That's not to add we would all need to register there, increasing our web footprint (I try not to use an identity at more than one site ever). There is also nothing to prevent someone from impersonating another forum member on another service, while an Air server would be tied to forum usernames. 
So this is just a few of the examples I can think of right now (and there are more) that warranted the use of OTR. That's not even considering the many others who may wish to learn how to speak out against an employer or oppressive government but don't know how. This could be a good step in spreading this knowledge and growing the community. It's hard to know who to trust as far as using other services. Anyone who hosts a server has the potential to spy, especially in conference rooms. Heck, I could host a server quite easily with the equipment I have and it could handle the entire userbase... and it would be quite secure behind a very powerful firewall, Snort/Suricata and various blacklists for bots and attacks... but I do not have the bandwidth... and nothing would prevent me from logging. Air (I assume) would be obligated not to spy or log in the same way they are obligated not to on the VPN servers. They can not be forced to divulge what they do not know. This is why it seems a good fit, in my humble opinion, considering the mission statement. While I would understand if this was ultimately determined to be outside the scope of the project, I look forward to hearing ideas on how to make this a reality!
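Point 1.) above (users sending OpenVPN logs that still contain their clearnet address) is something that can be handled mechanically before a log ever leaves the machine. The following is an added example by the editor, not code from the post, the pfSense guide or AirVPN: a small scrubber that replaces every public IPv4 address in a log with a stable placeholder while leaving RFC 1918, loopback, link-local and netmask values intact, so the helper can still follow the connection sequence without learning the poster's address. The sample log lines are constructed in the style of a pfSense OpenVPN client log; 203.0.113.42 stands in for the poster's real WAN address, and 95.211.138.143 is the airvpn.org address quoted elsewhere on this page. Hostnames, IPv6 addresses and screenshots are out of scope for it.

```python
import ipaddress
import re

# Ranges that may stay in a log because they do not identify the poster:
# RFC 1918, loopback, link-local, CGNAT, plus 0.0.0.0/8 and 255.0.0.0/8 so
# wildcard addresses and netmasks such as 255.255.0.0 are not "redacted".
# The tunnel range 10.4.0.0/16 mentioned in the posts sits inside 10.0.0.0/8.
# ipaddress.is_private is deliberately not used: it also treats documentation
# ranges such as 203.0.113.0/24 as private, and we use exactly those below as
# stand-ins for real public addresses.
KEEP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "0.0.0.0/8", "255.0.0.0/8",
)]

# Dotted-quad candidates; the look-arounds stop us matching four octets out of
# a longer dotted run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_safe(ip_text: str) -> bool:
    """True if the address may stay in the log verbatim."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # not a real IPv4 address (e.g. 300.1.1.1); leave it alone
    return any(ip in net for net in KEEP_NETWORKS)


def scrub(lines, mapping=None):
    """Return (redacted_lines, mapping).

    Every public address becomes a stable placeholder, so the helper can still
    tell "the VPN server" apart from "the client's WAN address" across the whole
    log without learning either value. The mapping stays with the poster.
    """
    if mapping is None:
        mapping = {}

    def replace(match):
        ip = match.group(1)
        if is_safe(ip):
            return ip
        if ip not in mapping:
            mapping[ip] = f"[PUBLIC-IP-{len(mapping) + 1}]"
        return mapping[ip]

    return [IPV4_RE.sub(replace, line) for line in lines], mapping


def remaining_public(lines):
    """Public addresses still present in the lines (should be empty after scrub)."""
    return sorted({m.group(1) for line in lines for m in IPV4_RE.finditer(line)
                   if not is_safe(m.group(1))})


# Constructed sample (not a real capture) in the style of a pfSense OpenVPN log.
SAMPLE_LOG = [
    "Jun 12 10:03:55 openvpn[45231]: UDPv4 link local (bound): [AF_INET]203.0.113.42:0",
    "Jun 12 10:03:55 openvpn[45231]: UDPv4 link remote: [AF_INET]95.211.138.143:443",
    "Jun 12 10:03:56 openvpn[45231]: [server] Peer Connection Initiated with [AF_INET]95.211.138.143:443",
    # one log line, split here only for width
    "Jun 12 10:03:57 openvpn[45231]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
    "dhcp-option DNS 10.4.0.1,route-gateway 10.4.0.1,ifconfig 10.4.0.7 255.255.0.0'",
    "Jun 12 10:03:57 openvpn[45231]: /sbin/ifconfig ovpnc1 10.4.0.7 10.4.0.1 mtu 1500 netmask 255.255.0.0 up",
]

if __name__ == "__main__":
    redacted, seen = scrub(SAMPLE_LOG)
    print("\n".join(redacted))
    print("kept locally, do not post:", seen)
```

Run it over the saved log and post only the redacted output; `remaining_public` is the check to run before pasting anything, and the printed mapping is the part that must stay on the poster's own machine.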
  6. Provided the ipleak and DNS leak tests return okay results, it is not likely that you are leaking. Even though you are connected to the VPN, you must remember you are connecting THROUGH your carrier, so you are still connected and must carry an IP from them as well. That is the connection you are then tunneling through. It is scary, I know, seeing that IP there in certain apps... but don't lose sleep as long as other tests come back saying you are indeed connected to the VPN. Cheers.
  7. I would formally like to request the addition of an XMPP server as a feature. Unfortunately, forums in general are not conducive to many of the types and manner of communication that Air and VPN users in general require. Privacy is a concern for many matters, and Pidgin + OTR for instance offers a much higher level of security and shrinks the partition of trust during such communication. Another area the forums fall short is offering an efficient manner for real-time conversations, chats and even support from other forum members. For instance, there quite often is a need for personalized support for members who have followed my pfSense setup guide due to the fact that there are so many variables to consider for hardware choices and network environments. This type of support can take days or weeks with back-and-forth forum conversation... or can take minutes to hours in real-time chat. Posts with such personalized instruction could also potentially confuse the uninitiated, as settings for one setup could be detrimental to another. As such, I feel personal support is a much better option in such instances. A group of Air users and myself currently converse on XMPP using Pidgin + OTR. It has been a great convenience for all of us. However, and this is a big however, some of us have concerns over using an "unknown" XMPP server. I personally scoured for a few days before choosing one (I will not advertise which server was chosen) based on the required use of SSL on all communications. Most servers required registration over clear HTTP. Even though we found one that was a bit more secure, the service I don't think is meant for or ready for a large influx of users and there are frequent drops of the service. We all agree we need to find another server, but who do you trust? Which brings me to my request. I believe it would be greatly beneficial to all if there was an Air-supported XMPP server with end-to-end encryption and no logs of any sort. 
I believe the ability to create chats will also open up access for individuals to learn more about methods of security, privacy, recommended software and even hardware discussions. Overall I feel it can help build the community, and the more that participate, the more knowledge and experience gets shared and the community can grow. I personally would love to see that happen, and I think many more would participate if a more private arena existed. This information would trickle its way to the forums I suspect as well, only helping more and more. This would be one more feature to add to the reasons why AirVPN is the best around. Staff, can we make this happen?
  8. Just wanted to chime in saying I wouldn't want everyone to think you can't accomplish network-wide ad blocking, though. I use a Debian-based filtering OS called Untangle to filter ads network-wide. It has an adblock package that uses EasyList as well as makes it easy to create your own rules. I run it on an Intel Atom motherboard. Your issue was the use of a proxy, which redirected the connection. The way I have it done there is no proxy; it is transparent and network-wide.
  9. No issues with lowes here. Are you using a US Air server? Are you using 10.4.0.1 as your DNS? If you are, perhaps try a different server? Have you done DNS leak tests?
  10. I'm not really sure how that happened, to be honest. Many others at this point have followed the guide and had no issues of this sort to date. WebGUI access from WAN is disabled by default upon install. How did you diagnose this issue? As for the NAS, one thing to remember with pfSense the way it is set up in the guide is that on each interface we have created a "BLOCK ALL" rule. This means you must create rules on the affected interface, as all traffic which we do not explicitly allow is blocked. This is how a true firewall behaves... so whichever interface the NAS is tied to needs rules allowing connections to it. I would create an alias that defines your local subnets (192.168.1.1/24, 192.168.123.1/24 etc.) and create a firewall rule to allow connections from that alias as the source to the IP address of the NAS. Place the firewall rule below the block DNS rule. You will also need to create a static DHCP mapping for the NAS. Aliases - doc.pfsense.org
  11. Because it takes both client AND server being vulnerable to actually be vulnerable, it's not much of an issue. As refresh stated, Air updated so we are covered. As for when 2.1.4 will be out to correct it, expect about a week. https://forum.pfsense.org/index.php?topic=77876.msg424785#msg424785
  12. Already knowing your official answer will be something along the lines of "Absolutely not", I will offer my opinion on your issue: I find it offensive that you would propose such a proposition as this, potentially asking to weaken the security for the rest of us, because you are having hardware issues. Blow the dust out of your computer, making sure to get the heat sink. Buy a new and better CPU fan or even cooler. Buy a better case fan... or even just buy better equipment going forward. In our chats about pfSense you seem determined to buy cheap equipment, and multiple times I have told you why it is a bad idea. You persist in trying to bend physics and technical specifications to try to fit your agenda. The proper course here is to save your pocket change up until you can afford equipment that does what you require it to, not ask a service to lower its level of security to suit what your hardware is capable of. Your persistence with such comments can be and is being taken by some as trolling.
  13. On the openvpn client settings page, select TCP instead of UDP and also enter the port you are using if it is not 443.
  14. Correct. tun-mtu 1500 (glad you caught the dash, I was in a rush) is the default and is also what is pushed by the Air servers; however, it does not hurt to manually specify it when using mssfix. I have seen odd issues in my logs with tun-mtu when not also manually specified. At the very least it hurts nothing, but could help to manually specify it.
  15. Many pfSense users use mssfix 1400. After normal IP overhead and OpenVPN overhead, if memory serves me well, that would allow a TCP packet of I believe 1412 or something. That means an MSS clamped to 1400 should never go above that threshold. The reason you can ping 1460 is because of compression. Some of us have found it is better at high bandwidth speeds to avoid the CPU cost that causes. Manually changing your NIC MTU or specifying linkmtu in OpenVPN is not recommended. You want to use whatever MTU is supported by your ISP on your NIC; this is most often 1500 (if it is not, then use whatever it is). What you will want to do is specify (wherever you can add OpenVPN config options, sorry I don't use that program) tunmtu 1500 (don't confuse this with actual MTU) and mssfix 1400. This will direct OpenVPN not to pass TCP packets larger than 1400. If that does not work, try mssfix 1380 or 1360 etc. Don't confuse yourself trying to understand it; give it a try and see if it helps. As I said, this has been discussed in depth among pfSense users.
  16. There is a setting that causes automatic detection of private networks. You need to disable it. It's located on the Firewall Settings tab of Advanced Settings. There is a tick box for "Enable automatic detection of private networks". Make sure it is not selected. EDIT: If you only intend to use AirVPN DNS, you should also have a DNS blocking rule located at the top of your rules that only allows DNS requests to Air:
      Action = Block (log if you so choose to, I do)
      Protocol = TCP/UDP
      Direction = In/Out
      Source address = Any
      Destination address = 10.4.0.1 (You also NEED to tick the "Exclude" box)
      Source Port = Any
      Destination port = 53
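Posts 14 and 15 talk about mssfix as a knob to turn; what it actually does is rewrite the MSS option in TCP SYN segments passing through the tunnel so the peers never send a segment that, once encapsulated, exceeds the path MTU. The block below is an added example by the editor, not code from the posts, the pfSense guide or OpenVPN itself: it builds a constructed IPv4 TCP SYN advertising the usual Ethernet MSS of 1460, walks the TCP option list, lowers the MSS and recomputes the TCP checksum, which is the step people forget when they try to do this by hand. The 1400 passed to `clamp_mss` is only the illustrative figure from the post; in OpenVPN the mssfix argument bounds the size of the encapsulated packet, so the MSS OpenVPN writes into the SYN is smaller than that by its own overhead, and the addresses and ports are assumptions.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus a segment whose checksum field is zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def _split(packet: bytes):
    """(ip header length, src addr, dst addr, tcp segment) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return ihl, packet[12:16], packet[16:20], packet[ihl:]


def _option_offsets(segment: bytes):
    """Yield (kind, offset) for every multi-byte TCP option in the header."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2:
            return  # truncated or malformed option list: stop rather than loop forever
        yield kind, i
        i += segment[i + 1]


def tcp_mss(packet: bytes):
    """The MSS option value advertised in the segment, or None if it carries none."""
    _, _, _, seg = _split(packet)
    for kind, i in _option_offsets(seg):
        if kind == TCP_OPT_MSS and seg[i + 1] == 4:
            return struct.unpack_from("!H", seg, i + 2)[0]
    return None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option of a SYN so it never exceeds max_mss (what mssfix does)."""
    ihl, src, dst, seg = _split(packet)
    seg = bytearray(seg)
    if not seg[13] & FLAG_SYN:
        return packet  # MSS is only negotiated on SYN / SYN-ACK
    changed = False
    for kind, i in _option_offsets(bytes(seg)):
        if kind == TCP_OPT_MSS and seg[i + 1] == 4 and struct.unpack_from("!H", seg, i + 2)[0] > max_mss:
            struct.pack_into("!H", seg, i + 2, max_mss)
            changed = True
    if not changed:
        return packet
    struct.pack_into("!H", seg, 16, 0)  # zero the checksum field, then recompute it
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return packet[:ihl] + bytes(seg)  # IP header untouched, so its checksum still holds


def tcp_checksum_ok(packet: bytes) -> bool:
    _, src, dst, seg = _split(packet)
    stored = struct.unpack_from("!H", seg, 16)[0]
    return tcp_checksum(src, dst, seg[:16] + b"\x00\x00" + seg[18:]) == stored


def build_syn(src_ip: str, dst_ip: str, mss: int, sport: int = 51234, dport: int = 443) -> bytes:
    """Constructed IPv4 + TCP SYN with a single MSS option (test input, not a capture)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, data_offset << 4, FLAG_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "95.211.138.143", 1460)  # what a LAN host advertises by default
    clamped = clamp_mss(syn, 1400)
    print("MSS before:", tcp_mss(syn), "after:", tcp_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The SYN flag check matters: the option is only meaningful on SYN and SYN-ACK, and a clamp that rewrote every segment carrying a stray kind-2 option would corrupt nothing but would waste checksum work on every packet. Lowering the MSS never changes packet length, which is why the IP header and its checksum can be left alone.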
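The two rule recipes in posts 10 and 16 (a "BLOCK ALL" default with an alias-based allow to the NAS, and a DNS block with the "Exclude" box ticked placed at the top of the list) depend on two things pfSense newcomers often get wrong: rules are evaluated first match wins, and "Exclude" inverts the destination match. This is an added example by the editor, not the guide's rules or pf itself: a small evaluator modelling those two semantics, with the rules from the posts as constructed data and a deliberately misordered copy to show the DNS leak that results when the guard is not at the top. The alias names, the NAS address 192.168.1.50 and the second subnet are assumptions; 10.4.0.1 is the AirVPN DNS address from the posts. It models a single interface's rule tab and ignores states, gateways and floating rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed aliases in the style of Firewall > Aliases (NAS address and second LAN assumed).
ALIASES = {
    "LANnet": ["192.168.1.0/24"],
    "LocalNets": ["192.168.1.0/24", "192.168.123.0/24"],
    "AirDNS": ["10.4.0.1"],
    "NAS": ["192.168.1.50"],
}


def nets(spec: Optional[str]):
    """Expand a rule address field (None = any, alias name, or CIDR/host) into networks."""
    if spec is None:
        return None
    return [ipaddress.ip_network(a, strict=False) for a in ALIASES.get(spec, [spec])]


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # "tcp", "udp", "tcp/udp", or None for any
    src: Optional[str] = None     # alias name, CIDR, or None for any
    dst: Optional[str] = None
    dport: Optional[int] = None
    dst_not: bool = False         # the post's "Exclude" box: match everything EXCEPT dst
    note: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto and proto not in self.proto.split("/"):
            return False
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        s, d = nets(self.src), nets(self.dst)
        if s is not None and not any(src_ip in n for n in s):
            return False
        if d is not None:
            in_dst = any(dst_ip in n for n in d)
            if in_dst == self.dst_not:   # plain rule needs True, inverted rule needs False
                return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int]):
    """First matching rule wins, as on a pfSense interface tab. No match falls through
    to the implicit deny, i.e. the guide's BLOCK ALL on every interface."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action, r.note
    return "block", "default deny"


# Order from the posts: DNS guard first, then the alias-based NAS allow, then the
# interface's general allow-out (which in the guide is tied to the AirVPN gateway).
GUIDE_RULES = [
    Rule("block", "tcp/udp", None, "AirDNS", 53, dst_not=True, note="DNS only to AirVPN"),
    Rule("pass", None, "LocalNets", "NAS", None, note="local subnets to NAS"),
    Rule("pass", None, "LANnet", None, None, note="allow out via AirVPN gateway"),
]

# Same three rules with the guard below the allow-out: a client that ignores the
# DHCP-supplied resolver and asks 8.8.8.8 directly now leaks DNS in the clear.
MISORDERED = [GUIDE_RULES[2], GUIDE_RULES[0], GUIDE_RULES[1]]

if __name__ == "__main__":
    probes = [("udp", "192.168.1.20", "8.8.8.8", 53), ("udp", "192.168.1.20", "10.4.0.1", 53),
              ("tcp", "192.168.123.5", "192.168.1.50", 445), ("tcp", "192.168.123.5", "1.1.1.1", 443),
              ("tcp", "192.168.1.20", "1.1.1.1", 443)]
    for p in probes:
        print(p, "guide:", evaluate(GUIDE_RULES, *p), "misordered:", evaluate(MISORDERED, *p))
```

Note the last probe pair: with the guide order the query to 8.8.8.8:53 is dropped by the guard and only 10.4.0.1 is reachable on port 53, while in the misordered set the general allow-out matches first and the guard never runs. The same evaluator shows why the NAS rule is needed at all: 192.168.123.5 is not in LANnet, so without the alias rule it hits the default deny.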
  17. Glad that worked out! There's still many tweaks to do!
  18. Mind you, I don't use VMs, but it is my understanding that this is a compatibility thing with VMs, since most physical NICs cannot directly communicate with the VM. For instance, when I have run VirtualBox with a guest OS, it creates virtual Intel NICs that use the em driver. So if it uses the same method, pfSense would see them as Intel NICs. You either generated your certs incorrectly or some other misunderstanding. Just download a cert for Windows. You will see the key in that config file. If not, you need to open a ticket with Air. You need that key. Do not generate your own. You need to be on the LAN port during setup, or else you can create a static mapping for your computer on the AirVPN_LAN DHCP server page. You could also create a GUI anti-lockout firewall rule for your AirVPN_LAN interface. It's a FIREWALL, mate! Why on earth would you be able to see into it from the WAN port?!?! It's doing its job! Here's also a secret: I'm not an expert either. This guide is a learning experience for me as well! I have just been sharing what I learn as I go. You lose me at virtual machines. I would never put pfSense in a VM as a personal preference, so I won't be much more help, unfortunately. No idea here, mate. You should head on over to the pfSense forums and ask the community there.
  19. Well explained, mate. Better words than I mustered up when writing my pfSense guide, that is for sure. It is the primary reason why I heavily, HEAVILY push pfSense users to use more than two NICs. VoIP and other services are just not suited for VPN use. My VoIP requires ports 4000 - 65535 be available and open for RTP. Air gives us a number of ports to open, but not nearly enough for that.
  20. I will look into it next time I update the guide, which will likely be in June; this is a busy time of the year for me. I fixed one section already, will fix the other soon ... will look into it Agreed, as long as it is not locked! First step, hop on a computer connected to the LAN and see if you can access a website by direct IP, such as airvpn.org https://95.211.138.143/ If not that (a DNS issue), we will need to dig into it.
  21. It is! https://airvpn.org/pfsense/ The old guide was Knickers, which I expanded upon. As you should! pfSense is quite powerful and capable, it is worth researching to secure yourself. Remain active here and join us as we all learn more about methods to do so! A group of us are looking into how to create a secure and reliable means of chat/communication so we can have open discussions on such topics.
  22. Excellent! Welcome aboard! It's funny really, I wrote the guide in only a few hours, but spent free time over months learning BBCode and getting it to look good and organized on a forum. I now have blank formatted documents for things like firewall rules and NAT rules etc. for quick additions and editing. I'm glad you printed it; it's why I wrote my guide in text rather than pictures. What good are pictures if you don't have internet while setting this up! You made use of it as I pictured it should be; glad it worked out that way. I would love to hear any and all feedback! Some things such as subnet/net are not typos though... some things are simply changes from 2.1 to 2.1.3. Any feedback will help me update such things!
  23. Ideal is in the eye of the beholder. Do you use VoIP, gaming, do heavy downloading? How willing are you to learn about serious security? Do you want to be as secure as possible? If you read any post where this comes up, the first thing I say is get a Rangeley board. Preferably the octo-core, but the quad-core will suffice for most users. Those boards have top-of-the-line Intel NICs, AES, low power and a feature called QuickAssist which things like Snort will use in the near future. They simply are the ideal build right now. If you wanted some more single-thread horsepower, you could use a Haswell Xeon for about $100 more. It's really up to what you want to be able to do with it. My choice came down to I didn't want to find out I couldn't do something.
  24. At the time of this screenshot it was using just shy of 8 gigs of RAM. A far cry from what you read around the net. I wasted money on a previous build because of such info. Some people define anything that turns on as "working". It's a far cry from working well though.