pfSense_fan

Members
  • Content Count: 247
  • Joined: ...
  • Last visited: ...
  • Days Won: 21

Everything posted by pfSense_fan

  1. Revised guide is fine, am back up and running, but yeah, tried the "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;verb 3;explicit-exit-notify 5;" line and it broke my stability of downloads again, so tried "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;". It's stable and fine so far in downloads, and no replay errors in the OpenVPN logs, was it? Everything is fine in those logs my end so far!

     Oddly enough, the tun-mtu and mssfix were causing errors on my end. Removing them fixed part of it but exposed another error. I had to increase the send and receive buffers for OpenVPN. Since then, no replay errors. I am however seeing odd results when trying to use speedtest. Everything else seems fine.
  2. Follow my guide. This guide was never complete. It left out two security checks, it didn't even have entries in the advanced box on the client page. Follow mine closely.
  3. I on the other hand have run into a replay error in my logs. I have removed the tun-mtu and mssfix from my settings while I test.
  4. New recommended advanced options are "persist-key;persist-tun;remote-cert-tls server;key-direction 1;comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;"
  5. Guide has been updated to the best of my understanding. I am seeing no errors in logs. Please review the "Understanding Certificates and OpenVPN Config Files", delete old certs and keys and re-enter steps 1, 2 and 3 from scratch. Of note on the client page, the Advanced settings are new, compression is no longer checked (but handled in the advanced section) and we must enter our tls-auth key. Please inform me of any issues.
  6. Don't forget when you log in to download new certs and keys to use airvpn.org's direct IP address to be sure you are not a victim of DNS hijacking. https://95.211.138.143/client/ I also recommend the use of the Firefox add-on "Perspectives" to verify the SSL cert. It likely will fail, but viewing the results will show the notaries in agreement for the last 3-4 days since the renewal of certs after the Heartbleed fiasco.
  7. Are you running Snort on the AC-NQ setting? It's the only one that truly works in real time, and will make use of your memory, especially if you run it on both your WAN and AirVPN_WAN. There are other tweaks you will need if you are using em4 driver NICs as well, which will use a tad more memory. I've used 9 gigs of RAM running Snort, pfBlocker, Squid3 with antivirus etc. There are ways to make use of good hardware if you are serious about privacy and security. I found this out the hard way since there are so many people who preach low power equipment on the pfSense forums. My first build flat out was weak... too weak to use multiple instances of OpenVPN, Snort, have extremely large firewall tables and still get full ISP speeds through the VPN. This is when I learned most people over there do not care about the levels of privacy I do or ensuring full speeds over a VPN. For most it seems if it works it is enough... but not for me. Overkill is just enough in my opinion. I want my equipment to still work in 5 years and not be underpowered. And now with 4096 bit encryption... don't regret it at all.
  8. This is only an issue on AMD processors. Their BIOS is not compatible with PowerD, so best to leave this off for AMD. It works brilliantly with Intel Speedstep however.
  9. If they show up as amazonaws DNS servers it is the AirVPN backup. No worries there, it is normal. It should only be a few different settings honestly. I will test, view my logs for errors and post when I feel good about the updated guide. We will have to reload our certs with the new ones though. I don't at this time. I've only been using pfSense 4 months now. Still working on those things. I've learned Snort at this point, but it is difficult to learn though. Have not got ad blocking working correctly yet. In time.
  10. Glad to hear it worked! I just used a find and replace feature to change AirVPN_LAN to LAN, then added a few sentences. Didn't take long at all! If you have not done so yet, please check for IP and DNS leaks and report back your findings! http://ipleak.net/ http://www.dnsleaktest.com/ https://www.grc.com/dns/dns.htm
  11. PLEASE NOTE: I HAVE ADDED A SECTION FOR THOSE WHO ARE USING ONLY TWO NETWORK INTERFACE CARDS (NICs). This section covers an alternate steps 6 and 7 (there will be no section 8 since you do not have more network ports). These are the only differences. I made this quickly using find and replace text editing, so please report any errors to me!
  12. If it stopped working it tells me you did not set up the 10.4.0.1 DNS on the DHCP server page for the LAN interface. You cannot share the DNS forwarder between the firewall (localhost), which faces the clear-net, and your LAN, which will be your VPN facing interface on your setup. They must use separate DNS or else there is the possibility of leaks. If you were to use AirVPN DNS on the general page, you cannot connect to AirVPN unless you use the direct IP address of the entry servers.
  13. Yes you can. I do this. All you have to do is assign the "ovpns1" or equivalent as an interface, create a manual outbound NAT rule for the subnet of that interface that points towards your AirVPN gateway and create firewall rules to enforce the policy routing. Have you set up pfSense to connect to AirVPN yet?
  14. If you only have two NIC ports there are some slight differences in how to set it up that I have not had the chance to address yet. First, in the DNS forwarder section, you will ONLY HIGHLIGHT LOCALHOST. This allows the firewall to connect to airdns if using URL based entry servers. Second, your "LAN" will be set up in the manner the "AirVPN_LAN" in my guide is. There is no need for you to make a VLAN to accomplish this. You do not need to rename it, change the IP address of the port or the DHCP settings to 192.168.123.1 etc., but all other settings will be as the AirVPN_LAN. If there are more steps to it I apologize, I am running out and wanted to post this quickly; I plan on making a guide for two interfaces separately soon. It would take only minimal effort for me to edit the documents I have saved. The issue is finding time. I am a few weeks away from having any of that. I also have noticed that it now inputs the correct order for the firewall rules and will be editing that soon. EDIT: Also consider that after tomorrow, this guide will not work until updated with the new settings that are coming our way. I have already started on the edits and should have them up soon after I get reconnected and verify all settings.
  15. This depends on many factors, including the speeds you get now, what type of network interface card is on the laptop and what it is capable of, and the fact you would need a VLAN capable switch since a laptop only has one network card. For many people buying new equipment will be best. Old hardware can use as much electricity in a year as the cost of new energy efficient hardware, so it can easily pay for itself. That being said, an old PC would be better than an old laptop. You need good network cards (preferably PCI-e) for pfSense, and by good I mean legitimate Intel PRO/1000 or preferably the newer, more energy efficient and cooler running i210/i350/i354. Not all network cards work on FreeBSD but Intel supports their drivers well. PRO/1000 cards can be had cheap at this point either used or new old stock on eBay. I bought quad port PRO/1000 PT cards for $65 each. Dual ports can be had for $30. You need at the very least two ports if you don't have a VLAN capable switch. Did I mention the network cards need to be Intel? They need to be Intel. You are asking for troubleshooting if not. Many Realtek cards won't even read. EDIT: It also needs to be considered that after this Sunday, AirVPN will be using 4096 bit encryption, which if I understand, is an order of magnitude more intensive on a CPU than the already intensive 2048. It may just not be worth the effort for the slight gains you may get. But that is just my opinion.
  16. Thank you! It did take some amount of time! You should see the private messages back and forth with user Refresh as we ironed out both the guide I was writing and helping solve the issues he was having. I enjoy learning and helping others though, so the reward is mine! As user Refresh can confirm, we are using that tweak as well as a few other key tunables, and an addition to the optional advanced section is coming for sysctls and bootloaders (tweaks for BitTorrent, tweaks to protect against DoS, setting the MBUFS, NIC driver tweaks etc.). I didn't add anything beyond what is in the AirVPN/OpenVPN config files for the basic guide though, as it is intended for beginners... no need to jump into tweaks until after a stable install. You will notice though that I reserved additional posts at the end to add sections. After finishing the advanced options, a section for how to install from USB is coming, and then a section on things to consider in hardware selection. I just have not found the time unfortunately to get it out quickly. I have documents I add to little by little when I have spare time. I didn't want to hold back the entire guide for those sections though. You are right though, fastforwarding makes a huge difference, as long as you are not using IPsec (it breaks IPsec). Most won't be since we are using OpenVPN. If you have any other suggestions, please share!
  17. Excellent, excellent news! Will we only be able to generate the new config files and keys after the disconnect?
  18. I'm running pfSense 2.1 and I just checked the OpenSSL version and it's 0.9.8y.

      You are mistaken. The core operating system used 0.9.8y, but each package used its own packaged version of OpenSSL. The webConfigurator, OpenVPN and other packages were all vulnerable. They have issued an update, and 2.1.2 has come out less than a week after the release of 2.1.1. Please update!
  19. It is not just pfSense, but any OpenVPN client that does not have the updated OpenSSL in it. This includes any consumer grade router with pre-installed OpenVPN, which would require firmware updates. It would also be the case for any software based client that is not yet updated. The question is, does this vulnerability affect only the server, or can a client cause this heartbeat issue even if the server does not have it? At any rate pfSense looks to be fast-tracking a 2.1.2 release, with a note there will be no pre-release. I agree, but that is for another post.
  20. Thank you Staff, this is the reply some, if not many of us, were looking for. This is what needed to be done.
  21. It looks like your CPU does not support AES instructions. This is very intensive for a CPU, so yes, you are likely bottlenecked.
  22. Here are just a few examples of what you could get to go with the mini-ITX boards:
      • Antec: ISK110 VESA (I like this one, includes 90 watt PSU. On YouTube)
      • Supermicro: CSE-101i / SuperChassis 101i (Nice and small, comes with 80 watt PSU)
      • In-Win: H-Frame Mini (Very aesthetically pleasing, includes 180 watt PSU, a bit pricier though. If my firewall were to be displayed I think I would go with this one. On YouTube, smaller than it looks, that girl is tiny haha)
      • Silverstone: SST-ML06B (My favorite of the Silverstones. Requires SFX power supply)
      • Silverstone: SST-RVZ01B (Requires SFX power supply)
      • Silverstone: SST-ML05B (Requires SFX power supply)

      There are many other options including nice ones that require a TFX power supply. Look around In-Win's website, check out Lian-Li as well. Wish I had more time today. Search YouTube for any one you find that you like. Something to consider about power supplies: they are most efficient at roughly 50% load. These computers would only peak at about 30 watts under load. A smaller power supply is better. The Antec or Supermicro may be best here. There is nothing to fear in building a PC, just have patience and read all instructions before starting. I will also be happy to answer questions.

      Edit: Here is a link to Crucial's compatible dual channel 8 gig (2x4 gig) ECC (Error Checking & Correction) Memory
  23. What type of processor does your computer use? This can be a big factor, not to mention the CPU is doing double duty with encrypting everything as well as you using that computer. What kind of network interface card are you using? The on-motherboard one? Most onboard NICs have little or no offload computing power or capabilities and so the CPU must again play double duty. To give my experience, I have a high end computer and I maxed out at about 30 megs when using Windows and OpenVPN. With pfSense I can max out my speed provided by my ISP. I have seen speeds as high as 150 megs. That being said, you will likely see some improvement at the very least, it will be more reliable, you can share the connection to multiple devices and it is very secure. It is a quite powerful firewall.
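Posts 1, 4 and 5 above settle on a semicolon-separated string for the pfSense OpenVPN client "Advanced" box and mention that the earlier guide omitted security checks. As an added example (not code from the posts, the pfSense project or AirVPN), the Python helper below parses such a string into directives, renders them as OpenVPN config lines, checks a small hardening set (`remote-cert-tls server`, `key-direction 1`, `comp-lzo no`) is present, and diffs two versions so the MTU-related changes post 1 discusses stand out. The two option strings are copied from posts 1 and 4; the `REQUIRED` checklist and the `proto` argument are assumptions for illustration.

```python
"""Parse and audit a pfSense OpenVPN client 'Advanced' options string.

pfSense stores the client's extra OpenVPN directives as one semicolon-
separated string. This added helper splits that string into directives,
renders them as config lines, checks that a small hardening set is present,
and diffs two versions of the string.
"""

# Constructed copies of the two option strings quoted in posts 1 and 4.
OPTIONS_V1 = ("persist-key;persist-tun;remote-cert-tls server;key-direction 1;"
              "comp-lzo no;verb 3;explicit-exit-notify 5;")
OPTIONS_V2 = ("persist-key;persist-tun;remote-cert-tls server;key-direction 1;"
              "comp-lzo no;tun-mtu 1500;mssfix 1400;verb 4;explicit-exit-notify 5;")

# Directives the posts rely on, with the argument each must carry.
# Assumed checklist for illustration, not a pfSense or AirVPN requirement list.
REQUIRED = {
    "remote-cert-tls": "server",  # refuse a peer cert not marked as a server cert
    "key-direction": "1",         # client side of the tls-auth HMAC key
    "comp-lzo": "no",             # keep compression off
}


def parse_advanced(options: str) -> dict:
    """Split 'a;b arg;c arg;' into an ordered {directive: argument} mapping.

    A directive without an argument maps to the empty string; a later
    repeat of the same directive overrides the earlier one.
    """
    parsed = {}
    for raw in options.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate the trailing ';' and stray blanks
        name, _, arg = item.partition(" ")
        parsed[name] = arg.strip()
    return parsed


def to_config_lines(parsed: dict) -> list:
    """Render the mapping as lines suitable for an OpenVPN client config."""
    return [f"{name} {arg}".rstrip() for name, arg in parsed.items()]


def audit(parsed: dict, proto: str = "udp") -> list:
    """Return human-readable findings; an empty list means the checklist passed."""
    findings = []
    for directive, expected in REQUIRED.items():
        got = parsed.get(directive)
        if got is None:
            findings.append(f"missing: {directive} {expected}")
        elif got != expected:
            findings.append(f"unexpected: {directive} {got} (expected {expected})")
    # explicit-exit-notify is only honoured on UDP transports.
    if "explicit-exit-notify" in parsed and proto.lower().startswith("tcp"):
        findings.append("explicit-exit-notify has no effect over TCP; drop it")
    return findings


def diff_options(old: dict, new: dict) -> dict:
    """Map each directive whose argument changed to (old_value, new_value)."""
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


if __name__ == "__main__":
    v1, v2 = parse_advanced(OPTIONS_V1), parse_advanced(OPTIONS_V2)
    print("\n".join(to_config_lines(v2)))
    print("audit:", audit(v2) or "ok")
    print("changed between v1 and v2:", diff_options(v1, v2))
```

Running it against the two posted strings reports no findings for either and shows that the only differences are `tun-mtu`, `mssfix` and the `verb` level, which matches what post 1 ended up removing while chasing the replay errors.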