pfSense_fan
Member: 247 posts, 21 days won

Everything posted by pfSense_fan

  1. First off, forget about running wi-fi on pfSense. Waste of time and money and it doesn't work well. This is not a primary goal for pfSense and it is not well developed or supported. Just use a router that has access point mode and save the headache. Now to the point of that PC you linked: Will it run it? Yes. Is it a good choice? Absolutely not. http://ark.intel.com/products/27512/intel-pentium-d-processor-820-2m-cache-2_80-ghz-800-mhz-fsb
1. It is a 95 watt TDP older generation chip (from 2005!!!), meaning it has a high idle power because it does not have EIST (Enhanced Intel SpeedStep Technology). If it idles at 70-80 watts just for the CPU, that's probably 95-150 watts of power for the whole system... 24/7, 365 days of the year. The amount you will spend on electricity is MUCH BETTER spent on better equipment. You might spend $100-$200 or more in electricity to run that for one year. A quad core Rangeley board (15 watts TDP) might cost $15-$20 per year. EDIT: Not to mention an aged power supply may only be 50-60% efficient, which could double power consumption. That thing is TEN YEARS OLD. Computer tech has come a LONG LONG way since then. Modern power supplies are 80-90%+ efficient.
2. It does not have AES instructions. You asked what Padlock was. Padlock and AES-NI (NI = New Instructions) are basically very specific functions built into those chips to accelerate encryption functions. OpenVPN and pfSense use these if available, and they greatly assist. YOU SHOULD CONSIDER THIS A NECESSARY FEATURE.
3. Why spend ANY money upgrading a PC from 2005? Upgrade the RAM? Is it even DDR2? Save the money for better equipment. To put this in perspective, my brand new Intel Xeon E3 1270 V3 (Haswell based) has a TDP (think max power) of only 80 watts, and idles at 20, because it has tech that allows it to power down when in low use. This tech was new for the Haswell chips.
When I measure my pfSense energy draw, it takes about 40-50 watts (for the whole system) with 12 gigabit NICs. My processor is probably 40 or more times more powerful than the one you linked to, and uses way less power. You don't need one like mine, you just need something that has proper modern tech in it. Think socket 1150 i3 (NOT socket 1155) and careful motherboard choice, or better yet... one of the quad core (not octo-core) Rangeley (2558) or Avoton (2550) boards. There was a big leap in features and function in the last 6 months, and you won't want to not be on board with that as pfSense gears towards a "strategy" based on AES-NI. Cheap hardware may be out of use in a year, and hence why I said it may be a waste of money. Meanwhile if you instead save your money to the $300-$400 price point, you have a firewall capable of anything you throw at it. Trust me when I say you will want to use features like pfBlocker (which is the same as peerblock) and Snort. You will. And you won't be able to on crap hardware, both require plenty of memory to hold their "tables". Not to mention, what if in a year from now we move to AES 512 or similar? What then? This needs to be considered. Money saved now will soon be money wasted, as I found out. Just answer these two questions: Is security important to me? Is privacy important to me? If you answer yes to both, what is $300 - $400 for an appliance that will provide you that for the next 5-10 years, maybe more? Ultimately no one can tell you what to do, but I have tinkered with builds and wasted money. I wish I knew better to just do it right the first time. And to be blunt, others are selling this old hardware for a reason. It is no longer useful. I would advise just as was suggested. Find places where you can make cutbacks for a bit and save for a while. I by no means am a well off individual, but for me there was no question I was willing to spend $600-$700 on my security and privacy.
Admittedly I went overboard, but you can build a damn powerful machine at half what I spent. I advise you do just that. You will have something useful for years after.
  2. I know the high end Asus routers do (think AC-68U, AC-56U, as they have newer, more powerful processors), and I know OpenVPN gets a boost if you use Merlin's firmware on Asus. I also know the Netgear R7000 Nighthawk supports OpenVPN. I'm sure there are others, but you will want a premium router if you plan to use the VPN, as these high end routers max out at about 20-30 Mb/s through a VPN. Lesser routers can only do 10-15. Or if that's not enough muscle for you, you could build a pfSense box!
  3. To try to diagnose any issue, please change the "verb 3" option in the advanced OpenVPN client settings to "verb 5" and save. Then try to connect to Skype a few times. After failing a few times, go to: http://192.168.1.1/diag_logs_openvpn.php Report to me any errors in those logs. Please note: delete or replace any instances of any IP address with x.x.x.x before sending. Always be careful of that in logs. Also please use the "code" option (that is underneath the emoticon option in the editor) to encapsulate your entry, as I have for the link I posted above. It is best to paste the log to a text editor first to search for and remove any IP addresses and unwanted formatting.
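The post above asks posters to replace every IP address in an OpenVPN log with x.x.x.x before sharing it. The following script is an added example, not code from the original post or from pfSense, that does that step mechanically: it redacts IPv4 and IPv6 addresses, leaves timestamps such as 12:34:56 alone (they are validated with the ipaddress module before being treated as IPv6), and offers a final check that nothing address-like remains. The log lines it runs on are constructed for the demonstration and are not real AirVPN or pfSense output.

```python
"""Redact IP addresses from OpenVPN log text before it is pasted publicly.

Added example (not from the original forum post). The sample log below is
constructed; addresses come from documentation/test ranges.
"""
import ipaddress
import re

PLACEHOLDER = "x.x.x.x"

# Dotted quad. Anything that looks like one is redacted; over-redaction
# (e.g. a version string like 2.1.3.4) is harmless, under-redaction is not.
IPV4_CANDIDATE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Loose IPv6 shape: hex groups joined by at least two colons. Candidates are
# validated with ipaddress so that clock values such as 12:34:56 survive.
IPV6_CANDIDATE = re.compile(
    r"(?<![0-9a-fA-F.])[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}(?![0-9a-fA-F])"
)

# Constructed sample log (not real output).
SAMPLE_LOG = """\
Thu May  1 12:34:56 2014 us=101 UDPv4 link remote: [AF_INET]203.0.113.10:443
Thu May  1 12:34:57 2014 us=102 TLS: Initial packet from [AF_INET]203.0.113.10:443, sid=1a2b3c4d 5e6f7a8b
Thu May  1 12:34:58 2014 us=103 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,ifconfig 10.4.0.22 10.4.0.21'
Thu May  1 12:34:59 2014 us=104 Initialization Sequence Completed
"""


def _is_ipv6(token):
    """True only if the candidate is a syntactically valid IPv6 address."""
    try:
        ipaddress.IPv6Address(token)
    except ValueError:
        return False
    return True


def redact_log(text):
    """Return (redacted_text, number_of_addresses_replaced)."""
    redacted, count = IPV4_CANDIDATE.subn(PLACEHOLDER, text)
    replaced_v6 = 0

    def _v6(match):
        nonlocal replaced_v6
        token = match.group(0)
        if _is_ipv6(token):
            replaced_v6 += 1
            return PLACEHOLDER
        return token  # not an address (e.g. a timestamp): keep as-is

    redacted = IPV6_CANDIDATE.sub(_v6, redacted)
    return redacted, count + replaced_v6


def contains_ip(text):
    """Final check before pasting: does any address still remain?"""
    if IPV4_CANDIDATE.search(text):
        return True
    return any(_is_ipv6(m.group(0)) for m in IPV6_CANDIDATE.finditer(text))


if __name__ == "__main__":
    clean, n = redact_log(SAMPLE_LOG)
    print(clean)
    print(f"{n} address(es) redacted; addresses remaining: {contains_ip(clean)}")
```

Paste the log into a file and run the script over it (or call redact_log on the file contents); check contains_ip on the result before posting, since a log with one surviving address is exactly the case the post warns about.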
  4. There was one day last week when I could not access the website. I entered in the direct IP for airvpn.org and that worked. It may be DNS blocking. Next time try the direct IP and see what happens. https://95.211.138.143/
  5. It needs OpenVPN. From the front page of the airvpn.org:
  6. Correct, running a router in access point mode is the best solution, provided the router has access point mode. I use an Asus router this way.
  7. 10 Mb/s. You might get between 10-20, but either way, if you are doing any downloading through the VPN and hit that 10-20 that CPU would be saturated. You mentioned you didn't want it to affect the rest of the network, but if the CPU is maxed it will have nothing left and that of course will affect it. Just being up front, I have no doubts it will work, just don't be surprised when you run into its limits. Most modern consumer routers are 800 MHz - 1 GHz or even more... and those processors are purpose built for networking. An x86 CPU is not. What I'm saying about the CPU is that it will be running at 100% during pretty much any use. This will require you to tune your buffers and face packet loss as it tries to keep up. Just as the link to the pfSense guidelines states, the encryption is extremely CPU intensive. As those queues build up, those buffers will fill. But you could always set bandwidth limits with traffic shaping to try to mitigate it. As far as memory, you will need to use the NanoBSD builds. I have no experience with those. I would not find that suitable because I consider Snort a necessity. On its highest setting... the only setting that catches intrusions BEFORE (AC-NQ, no queues, it catches in real time) they enter your system, it requires plenty of memory. To each their own. Having started out with a low powered build based off of many discussions on other forums and subsequently realizing I could not do ANY sort of power user type functions, I have my prejudices against these types of builds. Don't let me deter you though. I'm just sharing my experiences. The money I spent on my first build was money wasted. I feel like all the advice I read about was given by old farts who only read the news online. It all depends on your uses though.
  8. It's good that they support Padlock, in fact it's important. But beware, you will be looking at bottlenecks with an 800 MHz processor. I will be surprised if you can get even 10 megs through a 4096 bit VPN. That CPU will be pegged and it WILL interfere with the rest of the traffic in your home. If you get it and need help setting up the VPN, please refer to my guide, and let us know how it goes.
  9. In the wake of the Heartbleed Bug, the OpenBSD Foundation has begun a fork of the OpenSSL source code. Enter LibreSSL. In one week they have removed 90,000 lines of C code and 150,000 lines of content that they say was old or unused. For those not familiar with OpenBSD, they are a non-profit and are security centric in the coding of their software. Part of their culture is to frequently perform group audits of their code. PF, or Packet Filter, was originally designed by them and is the underlying firewall engine of pfSense, which I trust to keep me secure. As pointed out by another user, they also maintain the OpenSSH project, used by many. In short, they have for a long time played a big part in keeping many of us secure. They are implementing the first release of LibreSSL into OpenBSD 5.6 and then working on porting it to other OSes. I personally am excited about this. I think this has good potential for future releases of OpenVPN and ultimately our uses with VPN. This perhaps might be a good candidate for AirVPN's No-Profit Community initiative. While some may consider this sentiment premature, this seems like a probable evolution of the open source SSL library most will end up using. It only makes sense as their team seems to keep up with routine audits. Further reading: http://www.libressl.org/ http://www.openbsdfoundation.org/ http://www.openbsdfoundation.org/donations.html http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/
  10. Or if you are looking at an Intel or AMD processor you want to make sure it has AES instructions. Very important. Also consider you will lose 10% of your speed to the overhead of the VPN tunnel. For a 40-50 Mbit connection through VPN I would be looking at a ~2.0 GHz processor, as I don't like the idea of a processor always running near its max. I like to have a bit of headroom. It would be hard for me to recommend anything in your price range for use with VPN. https://www.pfsense.org/hardware/index.html#sizing EDIT: Also, as far as RAM goes, this all depends on your uses. If you plan to use Snort and other packages, you can easily eat 4-6 gigs of RAM. Without Snort you can get away with 2. I recommend 8, and no less than 4 though. My setup uses up to 9 gigs of RAM, but I run Snort on up to four gateways. Each gateway takes about 2 gigs of RAM to hold all the Snort rules, so if you ran it on your WAN and AirVPN gateway you would easily use 4. Just food for thought.
  11. In the wake of the Heartbleed Bug, the OpenBSD Foundation has begun a fork of the OpenSSL source code. Enter LibreSSL. In one week they have removed 90,000 lines of C code and 150,000 lines of content that they say was old or unused. For those not familiar with OpenBSD, they are a non-profit and are security centric in the coding of their software. Part of their culture is to frequently perform group audits of their code. PF, or Packet Filter, was originally designed by them and is the underlying engine of pfSense, which I trust to keep me secure. They are implementing the first release of LibreSSL into OpenBSD 5.6 and then working on porting it to other OSes. I personally am excited about this. I think this has good potential for future releases of OpenVPN and ultimately our uses with VPN. This perhaps might be a good candidate for AirVPN's No-Profit Community initiative. If it meets the standards for it, I will gladly submit a post for it. Further reading: http://www.libressl.org/ http://www.openbsdfoundation.org/ http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/
  12. I was just reading about the resurfacing of this exploit and recalled this post... came here to post about it. This is exactly why I switched to pfSense. I use an Asus router with Merlin firmware in access point mode only. Soon enough the pfSense guide I have made will have options to harden pfSense/OpenVPN added to it. It is being tested in PMs currently.
  13. Please note!!!! Guide has been amended!!! The default string of options entered into the advanced area of the OpenVPN Client settings has been amended!!! There are no critical changes, however it is highly recommended you update them. They harden the security of the connection by not allowing, under any circumstance, the use of lower encryption and/or security levels than intended by AirVPN. Please note you are already using these options as they are "pushed" by AirVPN when you connect. What these settings do is, in the unlikely event of a man in the middle attack, prevent you from having any other weak/er settings being pushed to you. You may also notice I removed two of the settings included in the AirVPN OpenVPN config file. "persist-tun" and "persist-key" have been removed due to the fact pfSense automatically enters these "in the background". You can verify this yourself by going to Diagnostics > Edit File. Once there, enter the string "/var/etc/openvpn/client1.conf" (without the quotes of course) and click "load" (NOTE: be careful not to edit anything or click save while here. Exit by navigating back to the dashboard or closing the tab). You will then see all of the settings your OpenVPN client is using. If you did not remove "persist-tun" and "persist-key", they will be entered twice. If you did remove them, they will still be there, but only once. The Understanding OpenVPN settings in pfSense and Entering OpenVPN Client Settings pages have been updated. Please review and update your settings. The new OpenVPN client advanced settings string is as follows:
remote-cert-tls server;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;keysize 256;auth SHA1;key-method 2;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;
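The post above gives the advanced-settings string as one semicolon-separated line and then asks readers to open the generated client1.conf to confirm that persist-tun and persist-key are not listed twice. The script below is an added example, not code from the original post, from the guide or from pfSense: it splits the string into one-directive-per-line OpenVPN config, checks that every hardening directive from the post is present with the value the post gives, and scans a client config for directives that appear more than once. The client config text it scans is constructed for the demonstration and is not a real pfSense-generated file.

```python
"""Check a pfSense OpenVPN client 'advanced' options string.

Added example (not from the original forum post). REQUIRED mirrors the
directive values the post lists; SAMPLE_CLIENT_CONF is a constructed stand-in
for /var/etc/openvpn/client1.conf with persist-tun/persist-key entered twice.
"""
from collections import Counter

# The advanced-settings string exactly as given in the post.
ADVANCED = (
    "remote-cert-tls server;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;"
    "keysize 256;auth SHA1;key-method 2;key-direction 1;comp-lzo no;"
    "verb 3;explicit-exit-notify 5;"
)

# Directive -> value the post's string pins. 'verb' is logging only, so it is
# not treated as a hardening directive here.
REQUIRED = {
    "remote-cert-tls": "server",
    "tls-cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
    "keysize": "256",
    "auth": "SHA1",
    "key-method": "2",
    "key-direction": "1",
    "comp-lzo": "no",
    "explicit-exit-notify": "5",
}

# Constructed client config: persist-tun and persist-key appear twice, the
# situation the post tells readers to look for.
SAMPLE_CLIENT_CONF = """\
client
dev tun
proto udp
persist-tun
persist-key
remote vpn.example.invalid 443
persist-tun
persist-key
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 3
"""


def parse_advanced(options):
    """Split 'name value;name value;' into [(name, value), ...]."""
    parsed = []
    for entry in options.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # trailing ';' leaves an empty entry
        name, _, value = entry.partition(" ")
        parsed.append((name, value.strip()))
    return parsed


def to_config_lines(options):
    """Render the string the way it lands in the .conf: one directive per line."""
    return [f"{name} {value}".rstrip() for name, value in parse_advanced(options)]


def check_hardening(options):
    """Return a list of problems; an empty list means all REQUIRED directives match."""
    present = dict(parse_advanced(options))
    problems = []
    for name, want in REQUIRED.items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif present[name] != want:
            problems.append(f"{name} is '{present[name]}', expected '{want}'")
    return problems


def duplicate_directives(config_text):
    """Names of directives that occur more than once in a client config."""
    counts = Counter()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            counts[line.split()[0]] += 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("\n".join(to_config_lines(ADVANCED)))
    print("hardening problems:", check_hardening(ADVANCED) or "none")
    print("duplicated in sample conf:", duplicate_directives(SAMPLE_CLIENT_CONF))
```

To use it against your own box, paste your advanced-settings string into ADVANCED and the contents of client1.conf (opened read-only via Diagnostics > Edit File, as the post describes) into SAMPLE_CLIENT_CONF; a non-empty duplicate list means persist-tun/persist-key (or whatever else is listed) should be removed from the advanced box.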
  14. Good, we are talking about the same replay error. For anyone following, the backtrack warning shown here is likely caused by the latency in the connection. There are potential tweaks that some of us will be testing to avoid this. If we determine a solution it will be added to the advanced options section.
  15. Did you ever get to the bottom of your replay errors? I checked my log today after noticing my Squid filter had stopped blocking adverts on my tablets and found that I had the replay errors you mentioned too. Download speeds are still 110 Mbit+ so they aren't crippling my connection, but there's something there which needs tweaking. I suspect that for some reason my WAN connection dropped which caused the Squid filter to fail too. I'll sort that after I clean up the replay errors. Other than that, the system continues to work very well thanks to your guide. Ian
Before I answer from my end, what replay error did you get? Some are harmless while others are a potential sign of attack; I want to be sure we are comparing apples to apples here. The short answer is yes, I fixed it. Unfortunately I don't REALLY know what actually caused it. I have some ideas based on my observations though. Removing tun-mtu 1500;mssfix 1400; fixed it for me. Odd, considering I needed those settings before for stable operation. I've been researching this bit by bit each day since then, trying to understand what has changed, but it's been a process of elimination considering I have many tweaks. That being said, I believe a combination of the MSS (Maximum Segment Size) of the operating system causing fragmenting and reassembling (PF, the packet filter, reassembles MSS to 1460 if what I have researched is correct, which is too big for the VPN tunnel), the MBUF settings being too low and therefore filling, and the further fragmenting of MSS under OpenVPN (the two MSSes are different due to the overhead in the VPN protocol) causing the network buffers to start dropping some packets, hence the replays. I have my network wide MSS set to 1400, adjusting the default so it will work over the VPN without further processing. This is more efficient than using mssfix, at least from what I have read. I have also tweaked my interface drivers and other system tunables that are related.
If you are interested, I can start a private chat and we can discuss tweaks for you to test. I would hate to post such info at this time as I feel it is a layered issue and I don't want to prematurely post a "fix", if you even want to call it that. A replay on a high bandwidth, high latency connection (as are many servers at distance) is considered normal. That's not to say we can't tweak a bit and get rid of them though!
  16. Glad to hear this! The more people share successes or failures, the more that can know this is successful and the better the guide can get as I amend it. It will be a month or two before I release the server guide, hang in there!
  17. While I did misunderstand what you were trying to do, not to worry, I took no offense. That being said, there is no way to back up any of the OpenVPN settings or the AirVPN_WAN settings as it all disappears even if in the config (the certs and the interface don't exist yet; user Refresh and I tried this in private). Those things have to be done manually, which is why I believe spending just a bit more time understanding this is best! At this point I can do start to finish installs in about 5 minutes, including the basic firewall rules. Soon you will too! Don't misconstrue my belief in the importance of understanding this! It is why I explained so much at the beginning, I believe it is important! Again, not to worry, I took nothing ill away from your post; sometimes the meaning behind text escapes all of us. I did not mean to convey that if I did in my response.
  18. My setup has never been like that though. I would not have a way to back it up. I made the guide as text so not only could it be edited easily, but you can also print it. It should be clear as on most pages I left nothing out, you can even use a pencil to mark the steps off as you go. Unfortunately for you and others I have little to no interest in running a virtual machine at this time, I really have no reason to do so, I would sooner buy another piece of hardware if I needed another platform. That is just a personal preference as I care about performance and to me it is just one more thing to go wrong. That being said, I see no reason to do more than I have. There will be small additions, and updates for when pfSense 2.2 comes out, but I think it is important for anyone using this to take some time to understand it. After all using this is for security and privacy and we should never leave that in the hands of others! Trial and error is a good thing... we learn! It is also my hope that others in the community will chime in and share further knowledge. I am still learning and will continue to share as I do! The same goes for you, I hope you will share what you learn when you get the VM working! Good luck!
  19. Absolutely! Thanks for the feedback and welcome aboard! I remember how alien this all seemed to me just a few months ago. It's not so bad once you know what you're looking at. That's why I wrote this.... and I hope other users will share things they learn with the community as well! About your question, are you referring to the actual config file backed up from pfSense or the guide I made? I'm not sure I follow. It's not safe to post the entire backup because it also backs up certificates. It also messes things up if our interfaces have different names or use different drivers (em, igb, etc.). I can load config files for individual areas such as sysctls and bootloaders, and am looking into doing so after extensive testing. All that being said, my configuration looks nothing like the guide... my setup is very complex. I wouldn't be able to back it up regardless.
  20. I can confirm this, connections to BOTH Chicago servers are throttled. I normally get 54-60 down.... only can manage a rock solid 5 down on UDP 443. Got 50 on TCP SSL. Upload speeds seem unaffected. I first noticed this 6 or more months ago, but thought it was something on my end.
  21. To those that were following it, I figured out the issue. I don't have the technical knowledge to explain it, but the upgrade to the 4096 bit keys somehow broke the Large Receive Offloading feature I had been using up to that point with no issue. I disabled it and it "fixed" the upload issue. Interestingly enough, I lose pretty much exactly 10% of my rated speed to the VPN tunnel now. The loss was barely noticeable before.
  22. Absolutely! I, and everyone else, should thank you as well though. We all learned a lot from your guide! I was just unsettled by a few things my firewall logs showed as well as a few OpenVPN config file settings that were left unset. If you have not done so yet, be sure to go over the two check boxes at the end of Step 5 as well as enter in all of the options into the advanced settings area on the OpenVPN Client page. Being an experienced pfSense user at this point, do you have any tips for the rest of us?
  23. It's not strange, my setup is far more complex than yours. I have 16 NICs installed currently, and many, many tweaks. It's why I can't upload pictures for most steps of the guide... mine looks nothing like others' screens will. Nonetheless, my uploads on speedtest have been abnormally low since the update. I usually get about 12 Mb. The 54 download is normal during most hours of the day.. I'm on a 60 Mb plan currently. But yeah, a close inspection of my OpenVPN logs showed the send and receive buffers being overflowed. Doubled the buffer size using "sndbuf 131072;rcvbuf 131072;" and no replays since. EDIT: Also, I read you were thinking about adding more NICs. If you are adding one quad port, sure, otherwise just get a managed switch. The more I learn about this the more I realize that is what I should have done in the beginning. But hey, I learn by tinkering. If you do buy a quad port, get an i350. My PRO/1000 PT quad port eats 15 watts by itself. Old technology, old and larger silicon dies. Runs hot as hell too, even with a large heat sink. The i210 quad on my board has more offloading and doesn't even need a heat sink. I am likely buying a Rangeley board and selling my quad port PRO/1000s. I might buy an i350 quad but will also be getting a switch and rack mounting it all in the basement along with the NAS.
  24. You will need to change the "verb 3" setting in the advanced line to "verb 4" and save. It will literally say something about replay if you have it. It means packets are arriving out of order. Not a huge deal, but something that can be fixed.
  25. While there is a Stunnel package available for pfSense, I am learning it may not be fully featured. I am not entirely sure it is possible. Your best bet would be to ask over at the pfSense forums and share what you learn here!