
Posts posted by pfSense_fan


  1. The easiest way is probably to go back to your AirVPN client page and re-export the UDP-443 keys but tick advanced and click the option to export as individual files in a zip. You'll find all the bits and pieces nicely labelled for you in the zip file which will make things a bit easier to understand, I'm sure. 

     

     

    To each their own, I found it easier having just one file haha. Keep in mind I downloaded the Windows file. The OVPN files for Linux etc. look different and have different options we don't need.

     

    I don't know the issue here though. You still enter everything between the placeholders noted, even though the certs look different now. I just have not got around to editing the guide, probably won't have the time for a month yet.

     

    @anonym, make sure there are no blank lines/spaces etc before/above the cert or at the end of the cert you paste


  2.  

    Why not just add the networking capability to an existing PC?

     

    Is there a defined list of reasons why it's better to use a stand alone unit?

     

    There are countless reasons why it's better. One that hit home for me was last year when the TOR browser was compromised. If you were behind OpenVPN on pfSense, even if it exposed your "IP address" it sent home the 10.4.0.X IP address assigned by the VPN and not your ISP. If you used a consumer router... exposed. TOR + OpenVPN on Windows? Would have been exposed. That's just one reason. There are many security reasons, as it isn't compromised by other software on the system. There are performance reasons, if you care about that too.

     

    That's not even mentioning that it is a REAL firewall, not the false sense of security that consumer routers are.

     

    It really comes down to whether one cares about taking all precautions in security and privacy. If you intend to take it seriously there is no question, you are leaps and bounds better off with a dedicated appliance.

     

    But if one is going to go that route, it needs to be taken seriously. You need good equipment to use it properly. Fast memory, good (Intel) NICs, and a 2+ GHz processor with AES, in that order of importance. I don't care what you read elsewhere, I can take screenshots of how much resources it actually takes to utilize the features you need to be secure and private. I'm using 9 gigs of memory using Snort and pfBlocker. If I set up Snort for another VPN connection I might be up to 13 gigs of memory.

     

    Now if you have an old PC around and all parts required to get started, sure, why not use it and learn. I just will never recommend buying second hand unless it is current generation equipment at a deal.

     

    Just my 2 cents.


  3. I've been reading through this thread though haven't committed to trying to configure AirVPN on my new pfSense box yet. I can't afford the downtime and reinstallation time if it goes wrong... No, not a business, just a family who would go mental at me without wifi access haha I need to wait until I have a spare night when they're all asleep and I can have it all working for sure by morning.

     

    Quick question before I dive in. I have a dual port Intel Pro 1000PT NIC for WAN and LAN (my only ethernet device is a desktop PC right next to the pfSense box). I also have a new 450Mbps wireless N card installed (on pfSense 2.2 alpha, which supports it) and this card acts as a WAP for the family devices.

     

    As far as I know, 2.2 alpha has not been patched for heartbleed. You may want to look into that. I have 2.2 installed on another hard drive... quite buggy still. You have been warned haha.

     

    When I add AirVPN to the router (finally all our devices can share the AirVPN connection!), what steps will I need to take for the wifi opt interface so that it works and shares the VPN also? I'm assuming I can treat it basically like another LAN card as far as your setup guide goes?

    I've never bothered with wifi on the box, I just use a wireless router in AP mode. That being said, you should just set it up as any other interface. Your Intel NICs will show up as em0 and em1, the wifi card will have a different name, that's all.

     

    I also don't care about having WAN access if/when the VPN goes down. I'd rather the net be dead until the connection re-establishes, but that's another question lol.

     

    It will be dead with my method, but pfsense will remain connected so you can at least investigate why. Any VPN connected interface simply gets cut off. The firewall should have clear net access. There are reasons for this... a number of reasons. Functional and security reasons.

     

    But if you still prefer it to altogether disconnect it can be done. I don't recommend it. If Air were to go down for an extended period you would be forced to change settings, and having to change settings is not good policy, this is how mistakes end up happening. Just my opinion! You also can't use any URL based Air entry addresses such as country or continent entry addresses. IP based only.

     

    Thanks in advance.

    Absolutely.

  4. Hi pfsense-fan,

    as a complete newbie, your guide was a life saver! I followed it as written and I am up and running with no problems.

     

    Thank you! The feedback is much appreciated. I'm glad it helped.

     

    As a newb to this, when I downloaded the certificate and opened it in Notepad or Notepad++ the certificate part doesn't look like your example at all so being new I thought I was doing something wrong and downloaded it a few times and opened it with other programs. I believe it's because of the 4096 encryption the cert part is now just about 30 lines of encrypted data, nothing readable like your example.

     

    I noticed this recently too. I downloaded my certs after the 4096 bit upgrade and they still had that chain of data. I then downloaded a new server the other day and it looked different. Checked more and they all looked different. I don't know why, have not asked staff yet, but I will have to just edit that part. It is still everything in between the place setters noted though.

     

     

    My pfsense box is a

     

    Lenovo thinkserver

    70A4001LUX 5U

    ts140

    Xeon E3-1225 v3 3.2 GHz

    4 GB 1600 MHz RAM

    500 GB HD

     

    I installed a 4 port intel NIC

    motherboard ethernet port is WAN

    port 1 of intel card is AirVPN with a four port netgear switch running a PC/Roku/wifi router

    Port 2 gaming pc

    port 3 wifi router through isp

    port 4 voip

     

    Nice setup! I found it very useful to set the VOIP on its own subnet, I have very strict firewall rules on that interface that only allow connections to IP addresses used by the service provider. Very useful as there are malicious attempts to connect through the same ports as used by VOIP. If you use Snort even better, it isolates those specific attempts. You probably need more memory to use Snort though.

    Same with my gaming subnet. Easy to maintain specific firewall rules.

     

    My internet is only 45Mbps down and with this box and AirVPN I notice no slow down in speed whatsoever. Needless to say I am ecstatic!

     

    Welcome to the big leagues! It's nice to have equipment that does what you expect of it, is it not? Be sure to have a proper burial for your old equipment after you take years of frustration out on it!

     

    Once again I am very grateful you took the time to write this guide for the uninitiated. 

     

    Again you are most welcome! It was my hope in writing this that it would empower others to understand their hardware and software so as a community we can all learn together and share what we learn as we all go along! There are additions to the guide coming soon, and for you with such a powerful machine there are many tweaks to do!

     

    First thing you should do is disable hyperthreading in your bios! There are a few reasons for this on a firewall, security the first, latency the second. For the rest stay tuned and keep us informed of your adventures in pfSense!


  5. Yes, it was for bittorrent. It took a bit of time before I realized that the p2p program had to be running for the test to be valid.

    I assume I just have to use the same rules to set up my outside IP camera for cell phone access.

     

     

    Correct, just input the appropriate ports and ip for that device.

     

    As soon as I get a little free time I plan to add this section to the guide. I need to clarify a few things first.


  6. Wow . . . thanks pfSense_fan.

     

    I can confirm that it indeed is working after following your setup instructions.

    By the way, as per my previous post, the confusing part was with the outbound NAT section. I didn't realize the rules weren't needed anymore.

     

    Bravo!

     

     

     

    As per the other guide, I couldn't have said, I never looked at it.

     

    Was this for bittorrent? If so did you use the tool to check your bittorrent address?


  7. Hi,

     

    Still can't get it to work.

    I have a static IP address set for my PC through pfSense.

    I followed the steps here:

     

    https://airvpn.org/topic/10214-how-to-port-forward-pfsense-using-airvpn/?hl=+port++forward

     

    for port forward settings . . .

    I have the interface set to airvpn_wan and I used create new associated filter rule.

    But it's not too clear for the outbound rules . . .

     

    It mentions "redirect target ip section" but I don't see that.

    What are the correct settings for the outbound rules for the interface and destination address? It mentions the router IP address. Does it matter if that's 192.168.1.1 or 192.168.123.1? Or is the destination address that of the PC? I take it that all port entries should be the same?

    Should I be enabling UPnP or does that make a difference?

     

     

    You should not have to do anything to the outbound NAT for a port forward. Our outbound settings were taken care of in the guide. No further mods are necessary unless you are doing some other sorts of selective routing to a different gateway. I whipped together a port forward guide, but have not had anyone test it yet. You can try it if you like.

     

    If you don't see the redirect target ip, you may be in the wrong section. As far as the "router" ip address, those settings are "drop down" menus. Pick the one listed in my guide, EXACTLY. Aside from your redirect to your internal computer, tick for tick exactly as stated.

     

     


    VPN Port Forwarding

     

    The following is a basic guide on how to port forward on your AirVPN connection to a service running on your network. This will work for those of you using bittorrent, as I know how much you all like to download and share your favorite Linux and BSD distributions...

     

    1.) The first thing we need to do is log into airvpn.org and forward our port or ports.

     

    2.) Next we need to navigate to Firewall > NAT > Port Forward

     

    Go To:

    http://192.168.1.1/firewall_nat.php
    -or-
    https://192.168.1.1/firewall_nat.php

     

    3.) Set as follows:

     

    Disabled = [_] (unchecked)

    No RDR (NOT) = [_] (unchecked)

    Interface = [ AirVPN_WAN ▼]

    Protocol = [ TCP/UDP ▼] (TCP, UDP or TCP/UDP depending on your uses)

    Source = [_] not (unchecked)

                  Type: [ any ▼]

                  Address: [______]/[ 31 ▼](Blank/Greyed out)

    Source port Range = from: [ Any ▼]

                                       to: [ Any ▼]

    Destination = [_] Not (UNCHECKED)

                         Type: [ AirVPN_WAN address ▼]

                         Address: [______]/[ 31 ▼](Blank/Greyed out)

    Destination port Range = from: [ (other) ▼] [ NOTE *1]

                                              to: [ (other) ▼] [ NOTE *2 ]

    *1: Port, first port of a range or Alias of ports you forwarded at AirVPN.org

    *2: Same port as above or ending port of a range you forwarded at AirVPN.org

    Redirect target IP = [ NOTE *3 ]

    *3: IP of your target pc/device. This is best if you have your device assigned to a static IP

    Redirect target port = [ (other) ▼] [ NOTE *4 ]

    *4: Same port as “Destination port Range = from:” as entered above (Note 1)

    Description = [✎ WHATEVER NAME YOU CHOOSE ]

    No XMLRPC Sync = [_] (unchecked)

    NAT reflection = [ Use system default ▼]

    Filter rule association = [ Create new associated rule ▼]

     

    4.) Click [ Save ]

     

    5.) Click [ Apply Changes ]

     

    MORE INFO AT PFSENSE DOCS

     


    EDIT: Also, after setting the port forward, go over to your AirVPN_WAN firewall rules and make sure the associated rule is above/on top any other rules you may have, if any.

     

    EDIT 2: Also consider you need to have the ports you forwarded on pfSense also opened on the firewall of the pc you have, if it has a firewall.

     

    Edit 3: You also need to set the external AirVPN IP address (as shown on the overview page when you log into the client area on airvpn.org) in your bittorrent, FTP program etc. or else it does not broadcast the proper return address.


  8. Morning pfsense users,

    I have a LAN and an airvpn_lan, like pfSense_fan has.

    Now I want to install Snort on my dual core D525. For me the question is on which interface(s) I have to bind Snort, because I read somewhere that Snort cannot "look" into the encrypted airvpn_wan stream or can't recognize anything. And that makes sense to me.

     

    I used the dns-benchmark and no leaks,thanks for the tip pfsense_fan.

     

    Tip: Steve Gibson is also doing the podcast Security Now (twit.tv).

     

    Gr,Linze

     

     

    You at the very least want to run it on both your WAN_DHCP and AirVPN_WAN gateways. I don't know where you read that, but it's not true. I run it just fine like that, Snort sees it inside pfSense before/after encryption/decryption. Unfortunately I have no advice further than that, Snort is far too involved for me to get into teaching others.

     

    The only thing I will say is that the AC-NQ setting, from what i have read, is the only setting that actually stops bad connections BEFORE they enter your system. Good luck!

     

    Also, thank you, it's good to know that step has proved useful!


  9.  

     

    Unfortunately I can't seem to find those in the UK? The C2558 only resolves to a car part rather than computer equipment on a cursory Google search and none of my usual suppliers stock anything of the sort. I currently have half a dozen Intel server NICs (Intel Pro 1000PT dual port varieties mostly) so I assume I'd be safe to reuse those regardless of platform chosen rather than rely on onboard equipment?

     

    http://www.supermicro.com/wheretobuy/europe.cfm?rgn=132

    http://www.supermicro.com/products/motherboard/ATOM/

     

    It is harder to find the 2558 based boards, you have to look at places that sell servers etc. The standard consumer circles don't carry these.

     

    You certainly could use those cards provided you have PCI slots for them, however they do not support the same offloading features as the i354 NICs onboard those Atoms. If you have a 150Mb connection, it might be a consideration seeing you will be using a VPN.

     

    OK from what I've found so far it's going to cost in the region of five times more for the Rangeley setup than it would for Kabini/Jaguar re-using my existing Intel Pro NICs. Unfortunately I'm going to have to rule out Rangeley at least for now. Although I appreciate the improved quality and flexibility, C2558 boards would cost me about $450 to $500 equivalent whereas the same in Kabini/Jaguar would be $75 to $80 at most. Looks like I'm going to have to 'make do'.

     

     

    Our prices must differ greatly being across the pond. Can you link me to some of these AMD boards you speak of? I've been piecing info together for my guide as far as hardware and I can find no such hardware as you speak of. The motherboards I find for AMD are ~$100+ (for one worth its salt for running 24 hours a day), the processors ~$150, they don't have compatible NICs (I know you have some spare) and they all are half the MHz and take double the electricity of the Rangeley. Meanwhile, I can find a Rangeley 2558 for ~$220.


  10. hi,

     

    I followed the instructions and was able to get my system with 3 NICs working.

    But my port forwarding now doesn't work. When I do the TCP check it says "not reachable on server ip over the external port xxxx."

     

    Before I came here to comment I went and verified a port forward was working on my end and it was. I'm not sure what has changed from your previous settings.

     

    Also, when I followed the previous instructions to set up the OpenVPN on pfSense I was able to use select routing to have some clients connect through the VPN and others not.

    I just had to leave the default gateway as is and then issue a "route-nopull" instruction instead of a "redirect-gateway def1."

    That way nothing was routed through the VPN except the IP addresses of the ones I wanted with the appropriate firewall rules.

    Unfortunately that doesn't seem to work either now.

     

    Select routing as in a split subnet or specific URLs? You can still do that but you would have to set different rules for outbound NAT and the firewall than my guide. You would also need to create an alias for your URLs. My guide is only one way to set it up, and it has in mind completely separating VPN and clear-net connected devices from each other. At the time of writing I felt this type of setup (selective routing) would cause too much confusion amongst beginners, which this guide is aimed at.

     

    Although I use "route-nopull;" it is for different reasons. All of the settings the server tries to push - the gateway, DNS and route - are set manually by us, and according to my logs those push settings are never successful and cause errors. I have been testing "route-nopull;" for some time now and have considered adding it to the settings I list in the guide for this reason. That is to say; nothing goes through the VPN without the appropriate rules anyway. That's just how it is set up on pfSense.

     

    Any suggestions for either?

     

     

    For your port forward... do you have:

    Interface = AirVPN_WAN

    Filter rule association = Create new associated filter rule?

     

    Do you have the redirect targeted to a static ip for your device?
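    The checklist the port forward guide and the questions above come down to (interface AirVPN_WAN, destination set to that interface's address, an associated filter rule, a static redirect target, matching ports) can be checked mechanically against a pfSense config.xml backup. This is an added example, not pfSense's code or the guide's: the element names it reads (<nat><rule>, <interfaces><opt1><descr>, <dhcpd> staticmap entries) are my reading of the pfSense config layout, and the sample config and its addresses are constructed.

```python
"""Sanity-check pfSense port forwards against the guide's checklist.

Added example. The config.xml element names used here are an assumption
about pfSense's layout; compare against your own backup before relying on it.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml backup.
# opt1 is the OpenVPN client interface renamed AirVPN_WAN, as in the guide.
# The first rule follows the guide; the second breaks several of its points.
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <wan><descr>WAN</descr><if>em0</if></wan>
    <lan><descr>LAN</descr><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>AirVPN_WAN</descr><if>ovpnc2</if></opt1>
  </interfaces>
  <dhcpd>
    <lan>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.50</ipaddr></staticmap>
    </lan>
  </dhcpd>
  <nat>
    <rule>
      <interface>opt1</interface>
      <protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><network>opt1ip</network><port>51413</port></destination>
      <target>192.168.1.50</target>
      <local-port>51413</local-port>
      <descr>torrent</descr>
      <associated-rule-id>nat_example_placeholder</associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>8080</port></destination>
      <target>192.168.1.77</target>
      <local-port>80</local-port>
      <descr>camera</descr>
    </rule>
  </nat>
</pfsense>
"""


def check_port_forwards(config_xml, vpn_iface_name="AirVPN_WAN"):
    """Return {descr: [problems]} for every port forward; an empty list passes."""
    root = ET.fromstring(config_xml)
    ifaces = root.find("interfaces")
    # Map the internal interface id (opt1) to its friendly name (AirVPN_WAN).
    names = {node.tag: (node.findtext("descr") or node.tag).strip() for node in ifaces}
    # Static DHCP mappings: a dynamic lease can move after a reboot and silently
    # break the forward, which is why the guide asks for a static target.
    static_ips = {m.findtext("ipaddr") for m in root.iter("staticmap")}
    # Locally attached subnets, to catch a redirect target that is not ours at all.
    local_nets = []
    for node in ifaces:
        addr, bits = node.findtext("ipaddr"), node.findtext("subnet")
        if addr and bits:
            local_nets.append(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

    report = {}
    for rule in root.find("nat").findall("rule"):
        problems = []
        iface = rule.findtext("interface", "")
        if names.get(iface) != vpn_iface_name:
            problems.append(f"interface is {names.get(iface, iface)}, guide expects {vpn_iface_name}")
        # "AirVPN_WAN address" in the GUI is stored as "<iface>ip" (assumption).
        if rule.findtext("destination/network") != f"{iface}ip":
            problems.append("destination type is not the interface address")
        if rule.find("associated-rule-id") is None:
            problems.append("no associated filter rule, the firewall will still block it")
        target = rule.findtext("target", "")
        if target not in static_ips:
            problems.append(f"redirect target {target} has no static DHCP mapping")
        try:
            on_local = any(ipaddress.ip_address(target) in net for net in local_nets)
        except ValueError:
            on_local = False
        if not on_local:
            problems.append(f"redirect target {target} is not on a local subnet")
        if rule.findtext("local-port") != rule.findtext("destination/port"):
            problems.append("redirect target port differs from destination port")
        report[rule.findtext("descr", "?")] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_port_forwards(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else "; ".join(problems))
```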

  11.  

     

    pfSense 2.1.3 RELEASE Now Available!!!

     

    pfSense release 2.1.3 follows very shortly after pfSense release 2.1.2.

    pfSense 2.1.3 is primarily a security release.

     

    Various other fixes. Of note:

     

    - Fix more potential places for interface looping in OpenVPN and with normal interfaces

     

    Which could very well fix the issue many were having with interface looping (which appears in the OpenVPN logs as "write UDPv4: No buffer space available (code=55)"). It remains to be seen if it does indeed fix it, however it seems promising.

     

    Back up your settings and update ASAP!!!


  12. I will be testing this config option for the next few days to see if it fixes this issue.
     

     

    --route-nopull

    When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.

    When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.


  14.  

     

     

    The AES instruction set is an extension of Intel CPUs with the goal to speed up encryption and decryption (E/D) performance.

     

    OpenSSL, the SSL library used with OpenVPN, is compatible with those instructions. I assume this does have a notable effect on connection speeds as the new instructions increase the throughput. But to "feel" the change you'd need a very fast connection, one which could really challenge your CPU with E/D.

    For example, I have 3500 kbits down, 450 up. I won't notice any interesting change using AES-NI. With simultaneous download and upload my CPU is using barely 4% of CPU time. I have a Core2Quad with sufficient speeds not capable of AES-NI.

     

    So: If you have a really fast internet connection, maybe more than 16 or even 32 mbits download, you could consider buying a CPU capable of AES-NI. Look here for reference on which CPUs do support them, here for a detailed list with search.

    I have a 152Mbps connection and find this interesting. Can anyone please confirm whether the instruction 'AES' in AMD CPUs is the same (or at least, has the same function) as the AES-NI in Intel chips? In other words, can I buy an AMD chip to do this job or is it Intel only? Many thanks in advance.

     

    Wikipedia - Supporting CPUs

     

    Also, if it has "AES" instructions, it is the same thing.

     

    EDIT: ...and then I saw that the post you quoted had the same link I provided. Nonetheless, using an AES enabled chip helps tremendously. This has been discussed in depth amongst those of us using pfSense to connect. For you to get the most of your connection you will want to use an AES chip.

     

    My apologies. I hadn't slept a whole day/night/day when I replied and completely missed that. I appreciate you taking time to reply and confirming I'm OK to buy AMD. I run IPFire myself, rather than pfSense, but I'm considering moving over as although IPFire is decent it's a little glitchy recently. I'm wanting to build a Jaguar (AM1 SoC) router to replace my old IPFire box, and now I know it supports AES also, my mind is made up. Thanks again for the reply.

     

    If you are going to be starting from scratch buying a new board, I don't recommend AMD. Not because the processor is bad, but because most motherboards don't have network cards compatible with pfSense. The current ideal platform is the C2558 or c2578 based Supermicro Intel Atom boards (Rangeley). They have quad Intel Server class network interfaces. For AMD you would need to purchase a separate network card, and the ones you need can be expensive. You'll find the price difference for an AMD build to be similar, but you will be getting much higher end equipment for the same price with a Rangeley board. Just my thoughts!


  15. Hello, just setting-up everything on PfSense with this great guide but there are a few things unclear to me.

     

     

    -Step5:Point2 AirVPN_WAN_VPN4 (IPv4) and AirVPN_WAN_VPN6 (IPv6) I can't delete these 2 options that were automatically created, the remove/delete option is only available for the one that is created manually and not these other 2.

    Any idea?

     

    First, you clicked on the wrong [+]. I know this because it would have automatically deleted the AirVPN_WAN_VPN4. If you want to not see the IPv6 one you have to disable IPv6 entirely out of your system. I don't have the time at this moment to explain that.

     

    -Step6:Point1 DNS Server –- Use gateway

    [✎ 208.67.222.222 ] [ WAN_DHCP ▼]   Where does the option WAN_DHCP come from? Is this not the same as configured in Step5, "AirVPN_WAN"? Because I can't see any WAN_DHCP in my settings.

     

    Again, you clicked on the wrong [+] and it therefore automatically deleted your WAN. You will likely have to start over with a re-install. Pay close attention to exactly which [+] I specify. Mouse over them to see what they are titled. They are different.

     

    You are the second person to do this, I will have to clarify this section.

     

    -Step7-D:Point3 Source = [_] Not (UNCHECKED) Type: [ LAN Subnet ▼]

    I have only the options "LAN net" and "LAN address", I assume that "LAN net" is okay and the same as LAN Subnet?

     

    Subnet and net are the same. I wrote this when the current version was 2.1, for whatever reason they changed this for 2.1.2

     

    -Step7-E The Anti-Lockout Rule is set to port 80 & 443 in my settings, is this okay or how can i fix this?

     

     

    Leave the anti lockout rule alone. It is gray for a reason. Back in 2.1 it did not allow you to modify this, now they linked it to where you can. I also need to clarify this.

     

     

    I suggest you re-install and pay PRECISE attention to everything you click considering what I told you here.


  16. A number of users of pfSense have all shared a single error in our logs ever since the 4096 bit config upgrade.

    write UDPv4: No buffer space available (code=55)

    We have been searching, testing and tweaking trying to figure it out since then. Although we made our systems run better, we never quite got rid of the error. Finally I came across an answer at the pfSense forums and also the same conclusion at a Tunnelblick forum.

    This is what happens when you set up broken routing, where your client gets a route to the server IP where it's connecting, within the VPN, and tries to access the server IP by using the tunnel. It has to be able to reach the server outside the tunnel not within it, and basically loops traffic and causes chaos. Don't push or set up routes on your client inside the tunnel for the IP it has to reach outside the tunnel.

    This is affecting many pfSense users. Staff, is there any option we can add to our configs to prevent this?

    https://forum.pfsense.org/index.php?topic=40405.msg208614#msg208614

    https://code.google.com/p/tunnelblick/issues/detail?id=44#c16

     

    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:36 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 17:15:28 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:57:34 openvpn[.....]: write UDPv4: No buffer space available (code=55)
    Apr 29 16:34:14 openvpn[.....]: Initialization Sequence Completed
    Apr 29 16:34:14 openvpn[.....]: /sbin/route add -net 10.30.0.1 10.30.x.x 255.255.255.255
    Apr 29 16:34:14 openvpn[.....]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    Apr 29 16:34:14 openvpn[.....]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1558 10.30.x.x 10.30.x.x init
    Apr 29 16:34:14 openvpn[.....]: /sbin/ifconfig ovpnc2 10.30.x.x 10.30.x.x mtu 1500 netmask 255.255.255.255 up
    Apr 29 16:34:14 openvpn[.....]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 29 16:34:14 openvpn[.....]: TUN/TAP device /dev/tun2 opened
    Apr 29 16:34:14 openvpn[.....]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Apr 29 16:34:14 openvpn[.....]: ROUTE: default_gateway=UNDEF
    Apr 29 16:34:14 openvpn[.....]: Could not retrieve default gateway from route socket:: No such process (errno=3)
    Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: route options modified
    Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: LZO parms modified
    Apr 29 16:34:14 openvpn[.....]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 29 16:34:14 openvpn[.....]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.30.0.1,comp-lzo no,route 10.30.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.30.x.x 10.30.x.x'
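    To tell whether a pfSense box is in the looped state the quoted forum answer describes (the route to the VPN server's own address selecting the tunnel), and to see what the route-nopull option from post 12 above changes, check which route the kernel would pick for the server endpoint. This is an added example, not from the posts, OpenVPN or pfSense: it parses the text format of FreeBSD's netstat -rn, the routing tables are constructed, and 198.51.100.10 is a made-up server address.

```python
"""Detect the route loop behind "write UDPv4: No buffer space available (code=55)".

Added example. Parses FreeBSD-style `netstat -rn` output (pfSense runs on
FreeBSD) and does a longest-prefix match for the VPN server's address.
"""
import ipaddress

# Constructed: what the table looks like after the server pushed
# "redirect-gateway def1" (0.0.0.0/1 and 128.0.0.0/1 via ovpnc2) but the
# bypass host route for the server itself was never installed, which is the
# failure the "Cannot read current default gateway" log line above points at.
LOOPED_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS        em0
0.0.0.0/1          10.30.0.5          UGS     ovpnc2
10.30.0.1          10.30.0.5          UGHS    ovpnc2
10.30.0.5          link#9             UH      ovpnc2
127.0.0.1          link#5             UH         lo0
128.0.0.0/1        10.30.0.5          UGS     ovpnc2
192.168.1.0/24     link#2             U          em1
203.0.113.0/24     link#1             U          em0
"""

# Constructed: the same box with the host route a working redirect-gateway
# installs, sending the server endpoint (198.51.100.10, made up) out the WAN.
FIXED_TABLE = LOOPED_TABLE + "198.51.100.10      203.0.113.1        UGHS       em0\n"

# Constructed: with route-nopull the pushed 0/1 and 128/1 routes never appear,
# so only the real default route can match the endpoint.
NOPULL_TABLE = "\n".join(
    line for line in LOOPED_TABLE.splitlines()
    if not line.startswith(("0.0.0.0/1", "128.0.0.0/1"))
) + "\n"


def parse_routes(netstat_output):
    """Return [(network, gateway, netif)] for the IPv4 routes in `netstat -rn` text."""
    routes = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Destination", "Routing", "Internet:"):
            continue
        dest, gateway, netif = fields[0], fields[1], fields[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            # Host entries carry no prefix length; ip_network treats them as /32.
            routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
        except ValueError:
            continue  # IPv6 or link-level entries are not relevant here
    return routes


def route_for(routes, addr):
    """Longest-prefix match, the same way the kernel chooses a route."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def endpoint_loops_into_tunnel(netstat_output, server_ip, tunnel_prefix="ovpnc"):
    """True if packets to the VPN server would themselves be sent into the tunnel."""
    chosen = route_for(parse_routes(netstat_output), server_ip)
    return chosen is not None and chosen[2].startswith(tunnel_prefix)


if __name__ == "__main__":
    for name, table in (("looped", LOOPED_TABLE), ("fixed", FIXED_TABLE), ("nopull", NOPULL_TABLE)):
        print(name, "LOOP" if endpoint_loops_into_tunnel(table, "198.51.100.10") else "ok")
```

    On a live box, feed it the output of `netstat -rn` from Diagnostics > Command Prompt and the server address from the OpenVPN client's configured endpoint.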


  17. Hi pfSense_fan

     

    Yes I can see that the firewall rule could stop an attack similar to DNSChanger. However this is not a DNS Leak and isn't really related to the AirVPN VPN tunnel. In the general case it seems rather arbitrary to have a firewall rule that only blocks unknown DNS servers for the VPN tunneled connections and not the Non VPN connections. Forgive me if I have misinterpreted what you are doing (and please correct me).

     

    Considering the nature of how and why people use a VPN, myself and others consider such a simple step a necessity. This guide is meant for those who do not know what they are doing, and that is something they should know. It is simply a matter of perspective. Perhaps you see it as arbitrary, but I simply have not had time to update the entire guide. That rule will be added to the non VPN side too, but is not a priority. I explain in the preface that this is not a "leak" like is so often talked about on these forums. I always have.

     

    My own view is that I prefer guides to be focused on the concern they are addressing, in this case setting up an AirVPN tunnel. 

     

    In time this guide will encompass writing the image to a USB, How to install, thoughts and considerations on hardware selection and a much more in depth look at other settings to set on the operating system as well as other OpenVPN options.

     

    I think it better if other more general views on network security are given separately or are at least flagged as being non-essential so that people can decide if they are required in their own particular circumstances.

     

    We disagree on the necessity of that rule. People who would make such decisions will not need my guide. The same rule is in place on the Comodo guide for windows, and I would posit it should be used by anyone using any method. The addition of that layer, as well as the "Block All" rule was a choice I made to add to the guide because I believe security is part of a guide covering how to use a VPN. I wouldn't set this up for a friend or neighbor without such rules, and I would not teach a newb anything else. The point of a system such as pfSense is to strictly not allow ANY traffic we do no explicitly allow. Just teaching someone how to connect and not teaching them the basics of securing that connection is irresponsible in my opinion.

     

    Please don't see this as a negative comment, I think it is a wonderful guide and wish it had been available when I struggled to figure out how to set up pfSense with AirVPN.

     

    I don't. I just hope it does not cause confusion amongst those who don't know the first thing about security. Those who become more acclimated, like yourself, certainly can choose for themselves later on, how to secure their system best. For beginners though, jumping to pfSense from consumer software and equipment can be a daunting jump.  There is little documentation out there on how to set up the basics, let alone how to set up a VPN. What info I did find never explained why to set things the way they did. I choose to take an educational approach to my guide. I put a disclaimer in the preface that each individual should do their own research and decide if this is for them or not.


  18.  

    The AES instruction set is an extension of Intel CPUs with the goal to speed up encryption and decryption (E/D) performance.

     

    OpenSSL, the SSL library used with OpenVPN, is compatible with those instructions. I assume this does have a notable effect on connection speeds as the new instructions increase the throughput. But to "feel" the change you'd need a very fast connection, one which could really challenge your CPU with E/D.

    For example, I have 3500 kbits down, 450 up.. I won't notice any interesting change using AES-NI. With simultaneous download and upload my CPU is using barely 4% of CPU time. I have a Core2Quad with sufficient speeds not capable of AES-NI.

     

    So: If you have a really fast internet connection, maybe more than 16 or even 32 mbits download, you could consider buying a CPU capable of AES-NI. Look here for reference on which CPUs does support them, here for a detailed list with search.

     

    I have a 152Mbps connection and find this interesting. Can anyone please confirm whether the instruction 'AES' in AMD CPUs is the same (or at least, has the same function) as the AES-NI in Intel chips? In other words, can I buy an AMD chip to do this job or is it Intel only? Many thanks in advance.

     

     

    Wikipedia - Supporting CPU's

     

    Also, if it has "AES" instructions, it is the same thing.

     

    EDIT: ...and then I saw that the post you quoted had the same link I provided. Nonetheless, using an AES-enabled chip helps tremendously. This has been discussed in depth amongst those of us using pfSense to connect. For you to get the most of your connection you will want to use an AES chip.


  19. I think this bit is wrong, it needs to be a single address, not Any

     

    Under Block DNS Leaks VPN

     

    Destination = [✔] Not (CHECKED!!!!!!!!)

                         Type: [ Any ▼] [ Single host or alias ▼]

                         Address: [10.4.0.1]

     

     

    Fixed, thank you for that. Yesterday was a long day. Sorry I missed that important detail.


  20. Perhaps someone would explain why they believe there is a problem.

     

    If a system uses a non AirVPN DNS such as Google over the AirVPN connection the connection is still anonymous. T

     

    AIUI the case we are trying to avoid, referred to as a DNS leak, is where a DNS request from a VPN-protected process goes out over a non-VPN route. This can easily happen if using the pfSense DNS forwarder to a non-AirVPN DNS server.

     

    However I don't see why a VPN protected process making a request to a third party DNS server over the VPN tunnel is any more of a risk than a VPN process making a request to any other port over the VPN tunnel.

     

    As I see it the rule blocking all VPN DNS requests not to AirVPN serves no useful purpose and moreover it actually prevents the case where it is useful to use a hard-coded third-party DNS server such as Google when one wants to sometimes run a computer behind a VPN tunnel and sometimes not VPN without re-configuring DNS servers.

     

     

    You are correct that if a request goes out, it is still going out through the VPN tunnel and is therefore "anonymized".

     

    However.... and it is a big "however".

     

    It does not stop a malicious attack from hijacking your browser.

     

    Imagine for a moment an adversary wants to expose VPN users. They can see that a very popular destination for VPN users is a message board for animated cat gifs. So this adversary posts some pictures at lolcatgifs-com, but with his link he inserts some malicious javascript which directs your browser to his server's DNS. He now serves you up a false version of lolcatgifs-com, and subsequently now has control over what DNS you use. This attacker watches your web browsing and sees you visit AirVPN's web page. He now serves you up a false front page where you enter and submit your username and pass, possibly multiple times trying to get it to work. But for a time period it doesn't allow you to log in. In the coming days you log into your email as well as your bank and credit card to pay your bills. Same thing, it doesn't work for a short period.

     

    Then one day you can't come online because all of your identity has been stolen. Or if you are a whistle-blower a high level adversary has targeted your home. These scenarios may be far fetched in the eyes of some, but they are possible.

     

    EDIT: Had you blocked all other avenues for dns other than the one you intended, it would block the attempt. You would receive errors and pages wouldn't load, and when you investigate your logs you would see why.

     

    Read up on DNS Hijacking and DNS Rebinding attacks. Not just at Wikipedia... search it out.

     

    In the end of all things, if you decide to trust another DNS that is on you, but you should still use the firewall rule, just with your DNS of choice. Most will want to use AirDNS for the anti geo-blocking. You can make an alias if you need to enter more than one address.






  21.  

    PLEASE NOTE: MAIN GUIDE HAS BEEN AMENDED!!!

    NO MAJOR UPDATES TO FUNCTIONALITY WERE MADE

    SOME STEPS CLARIFIED, SOME STEPS HAVE BEEN CONSOLIDATED

    STEP TO INTERNALLY CHECK FOR DNS LEAKS/HIJACKING ADDED (STEP 8)

    PLEASE REVIEW:

    PREFACE - ON THE SUBJECT OF DNS LEAKS

    STEP 6 - DNS FORWARDER

    STEP 8 - AirVPN_LAN (CONSOLIDATED FIREWALL RULES)

    STEP 8 - AirVPN_LAN (ADDED STEP TO TEST DNS LEAKS)





     

     

     

    Functionally everything is the same. I was able to create one less firewall rule on the AirVPN_LAN interface and achieve the exact same function by using the "NOT" inverse feature. There are now three firewall rules instead of four. I also added a small section for novices on how to verify the DNS resolver is working at the end of the DNS Forwarder section. I have not had time to make the same updates to the dual (2) NIC addition, but will soon.

     

    I also added a proof of concept and How-To on internally testing for DNS LEAKS / HIJACKING. Some forum members could not see the point of the firewall rules I listed in my guide for "BLOCKING DNS LEAKS" and went on to poo-poo the idea of using them. The point always was that malware or an adversary could hijack your DNS request and potentially expose a VPN user without such rules in place. So for those of you that indeed want to be as secure as possible, you will want to continue using them or start using them if you are not. I no longer consider this a redundancy. Test for yourself and decide for yourself.

     





     

     

     

    Verifying Our BLOCK_DNS Rule is Functioning

    (Optional - For Windows and WINE Users)

     

    For this step we will need to download a program called “DNSBench”. This step is meant as a proof of concept to show that without the BLOCK_DNS firewall rules, a malicious program could indeed hijack your DNS requests. This program is a safe program, and one that I otherwise find very useful in finding low latency DNS servers. We will not however be using it as it is intended, but it is the best program I have found to simulate a program sending out DNS requests not received from the DHCP settings.

     

    Go to:

    https://www.grc.com/dns/benchmark.htm (click on the picture of the program to download it.)

     



     

     

     

    1.) When you open it it will say:

    • • •

     

    Verifying Internet Access

     

    • • •

     

     



     

     

    2.) Then, if up to this point it is working it will then say:

     

    Internet DNS Access Trouble

     

     



     

     

    3.) Find and click the button toward the top that says [ Ignore Test Failure ]

     

     



     

     

    4.) Then it will show:

     

    DNS Benchmark

    Domain Name System Benchmark Utility

     

     



     

     

    5.) Find and click the "Nameservers" tab toward the top. If the DNS Blocking rules are enabled, entered correctly and functioning you should see this:

     



     




     

     

    Only the 10.4.0.1 entry should be green (signifying it can be contacted). All other entries should be red. If you view your firewall logs on pfSense now, it should have quite a few blocks triggered by destination port 53 on the AirVPN_LAN interface. If any other DNS servers are contacted and show up as Green, review the firewall settings and correct any discrepancies you find. If you find none and otherwise cannot correct the leak, feel free to ask for help by posting to this thread.

     

    For those of you that wish to verify the proof of concept, feel free to temporarily disable the BLOCK_DNS rule and verify this yourself (You have to close and re-open DNSBench, don't worry, testing this is quite safe). You will see that had this been a malicious program it could indeed hijack your browser. Be sure to re-enable the firewall rule after!

     

     





     


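    The DNSBench procedure above only runs on Windows or under WINE. The script below is an added example (not part of the original guide, and not what DNSBench itself does internally) that reproduces the same check from any machine behind the AirVPN_LAN interface: it hand-builds a minimal DNS A query, sends it over UDP port 53 to each resolver in a list, and reports which ones answer. With the BLOCK_DNS rule working, only the intended resolver (10.4.0.1 here, as in the guide) should answer; the other addresses (Google and OpenDNS, used purely as well-known test targets) should time out. The query name and the resolver list are assumptions you can change.

```python
"""Probe a list of resolvers over UDP/53 to verify a DNS-blocking firewall rule.

Added example, not from the original guide. Mirrors the idea of DNSBench's
"Nameservers" tab: a resolver that answers is reachable; one that times out is
blocked (or down). Only the resolver in ALLOWED should answer behind the rule.
"""
import socket
import struct

ALLOWED = {"10.4.0.1"}                       # resolver pushed by the AirVPN tunnel
TEST_SERVERS = ["10.4.0.1", "8.8.8.8", "208.67.222.222"]   # assumed test targets
QUERY_NAME = "airvpn.org"                    # assumed; any name works


def build_query(name, txid=0x1234):
    """Return the wire bytes of a standard recursive A/IN query for `name`."""
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_response(data, txid):
    """Validate a DNS reply header; return its RCODE and answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")      # not a reply to our query
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F, "answers": an}


def probe(servers, name=QUERY_NAME, timeout=1.0):
    """Send one query to each server; map server -> parsed reply or None (no answer)."""
    results = {}
    for i, server in enumerate(servers):
        txid = 0x1000 + i
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _addr = sock.recvfrom(512)
            results[server] = parse_response(data, txid)
        except (socket.timeout, OSError, ValueError):
            results[server] = None    # blocked by the firewall, unreachable, or bogus
        finally:
            sock.close()
    return results


def unexpected_responders(results, allowed=ALLOWED):
    """Servers that answered but are not the intended resolver: the rule is leaking."""
    return sorted(s for s, r in results.items() if r is not None and s not in allowed)


if __name__ == "__main__":
    results = probe(TEST_SERVERS)
    for server in TEST_SERVERS:
        state = "ANSWERED" if results[server] else "no answer (blocked?)"
        print(f"{server:>16}: {state}")
    leaks = unexpected_responders(results)
    print("BLOCK_DNS rule OK" if not leaks else f"DNS reachable outside the rule: {leaks}")
```

Run it from a client on the AirVPN_LAN segment; if anything other than 10.4.0.1 prints ANSWERED, the destination "NOT" rule is missing or misordered. Disabling the rule temporarily and re-running is the same proof of concept the post describes, with the same caveat: re-enable it afterwards.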
  22.  

    Option 2 seems to be most democratic, and IMHO only projects that currently help AirVPN infrastructure should be candidates.

    For example, LibreSSL seems like a very good idea, but unless we see and use it everyday, I don't think it should be a candidate.

     

    I agree that Option 2 is best; it encourages participation and avoids creating a group of 'elite' members. In the light of this report yesterday http://www.securityweek.com/tech-titans-launch-core-infrastructure-initiative-secure-key-open-source-components I'm not sure how useful LibreSSL will be.

     

    I agree with those two gentlemen.

     

    And no, I don't like the people at LibreSSL. Would you change your girlfriend just because she accidentally sprained your leg? Your leg will be okay eventually, and you can't know your new girlfriend's secrets.

    Sure it's important to have a choice and maybe they are doing the right thing with "cleaning OpenSSL's code" (their own words). But let's just sit down, make a camp fire, sing a song and relax. Let's just find out the destiny of LibreSSL. If security researchers and time likewise explicitly say "yes, we recommend everyone preferring LibreSSL over OpenSSL" then we can think about funding it. To me it's a newborn and doesn't deserve much attention for now; at least that's what I say.

     

    I figured many would think my suggestion was premature. Part of me does as well.... however...

     

    To play along with your analogy: Imagine you are a fitness and health guru and you met a lovely young lady that shared your passion for fitness. This girl is everything you have been looking for. Attractive, intelligent and the time you spend together is magic. You share your every bit of being. She's the only one for you.

     

    Now imagine that once she got you hooked, knowing you loved her every bit of being, she no longer had to try. She's "the only show in town" and she knows it. She stops going to the gym with you. She stops jogging with you. She stops the healthy eating lifestyle you once shared. She lets herself go and is no longer the fitness queen you wanted to share your life with. She becomes "bloated". To top it off, now she ignores you, and starts to pay attention to other men.

     

    Do you continue to hope she will get back to the woman you fell in love with? Do you look for alternatives? It's hard because we become invested in our relationships, and want/hope for the best concerning those we care about. But you have to do what is best for you. That is what dating is supposed to be about, finding out who is right for us. Sometimes, after dating the beauty queen who didn't appreciate you, you will give more attention to the nerdy girl who appreciates you back...

     

    Privacy and security are our fitness and health passion, and OpenSSL is that girl that seemed to be everything you were looking for. They were not keeping up with you, and they were taking on code for government compatibility programs and code for systems that 99.9999% of the internet don't use and could potentially open vulnerabilities for you.

     

    Whether or not OpenSSL gets fixed, I do not believe we can continue to put all of our eggs in one basket. A little competition, if anything, will be good to drive change at this time. It will encourage them to keep "fit" knowing they could lose their partners. Whether one "likes" them or not is irrelevant, the code that the OpenBSD Foundation puts out has time and time again stood out as some of the best and most secure out there. Most people use code regularly that the OpenBSD Foundation created, it even appears in some Windows firewall software. PF is regarded as the most secure firewall, and many people rely on OpenSSH. Yet they almost had to shut down a year ago until a billionaire donated a decent sum. They still only brought in about $60,000 to use on hosting fees and fund developers. It would be a huge loss to the well being and security of ALL OF US and the internet as a whole if they had to "close shop".

     

    My suggestion was not just for LibreSSL, it was for the OpenBSD Foundation in general.

     

    I hope you all will take a moment to think about that, and the opportunity that security and privacy minded individuals that we all are have to drive change, rather than sit around and be taken for a ride by the same pretty girl who keeps hurting us.

     

    That all being said, My vote won't count (I don't disagree with it either) if option 2 is a requirement, and I don't expect an exception to be made for me. I am most definitely a premium member, but I do not and would not post to the forums from any account I actually connected to the VPN with - I consider it a layer of "plausible deniability". Call me paranoid, but I doubt I am the only one who thinks that way considering how many lurkers there are each day.

     

    So just some food for thought.


  23. From some research done by myself and another user, this error:

     

     

    write UDPv4: No buffer space available (code=55)

     

    is caused by maxing out the speed capability of a tunnel.

     

     

    That being said, we found this to be caused by the specific server we were connected to. In my case, my ISP was throttling on the server I was connected to.

     

    Try a different server or protocol if it persists.

     

     

    The Control and Data channel messages are normal operation.


  24. SSL Certificate checking with Perspectives Project

    https://addons.mozilla.org/en-US/firefox/addon/perspectives/

    http://perspectives-project.org/

    https://en.wikipedia.org/wiki/Perspectives_project

     

    Personally, I would like to see a perspectives notary added to each AirVPN server. Would add a "trusted" notary for Air users.

     

    Its evolution, Convergence (by Moxie Marlinspike, based on Perspectives Project) seems to have even more promise, but doesn't seem to be continually supported.

     

    http://convergence.io/

    https://en.wikipedia.org/wiki/Convergence_(SSL)

    https://www.youtube.com/watch?v=i9e4g7SV244 (Moxie Marlinspike Speaks Part 1)

    https://www.youtube.com/watch?v=EYv3bTTNF1w (Moxie Marlinspike Speaks Part 2)

     

     

    There is someone trying to update Convergence though, not many users at this point.

    https://addons.mozilla.org/en-us/firefox/addon/convergence-extra/


  25. Ask this question in my tutorial thread. Then, as I answer this question, it is there for anyone asking the same in the future. I will get back to you in the coming days. There has been some other discussion on this topic that you can search for in the main thread, it ended up in PMs though. I will share what info was researched in that thread as I have time in the coming days.
