pfSense_fan

Since the patched version of OpenSSL was only released today, it's fair to say that everyone using the affected versions is at risk. That being said, from the article you linked to: AirVPN uses perfect forward secrecy, so we have at least that net of safety going for all of us.

Thank you!, I had a lot of fun along the way to making this actually. It's worth it to know it will help others. It does indeed work great and I too could not imagine life without it now! This is the beauty I have found in pfSense, there is almost always more than one way to skin a cat! All i need to do to switch endpoints is disable the client, change the entry IP and re-enable it. Both methods are only two steps! I at first used floating entries but during my research I learned, according to many sites including the pfsense forums, that they should be avoided as much as possible as they slow down the firewall. This is why i have gone the route of a "Block All" rule on each individual interface. With a "Block All" rule, any traffic we do not explicitly allow is not permitted to pass. The only allowed traffic is outbound that originates from the vpn interface and dns request to the AirDNS servers. All other traffic is blocked! Further, with the addition of the two check boxes at the end of the AirVPN_WAN Gateway section, if the vpn drops all states are killed and the connection is severed/blocked. But all the same in the end! Multiple ways to skin a cat!

I agree, I also like the look of those fit PC's, however the NIC's built on them are based on slightly older hardware. I am not sure if they are as full featured as the i354 on the Supermicro, specifically with Large Receive Offloading. The Supermicro's are also quite low power as well, 20 watts for the 8 core and 14 for the 4 core versions if I recall correctly. For the home user there is likely to be no advantage in going with a Xeon. If these were out when I bought my setup I would have went this route myself, The only advantage a Xeon has is in single threaded performance, where they are twice as powerful. You would have to run quite a few packages and do heavy filtering to really require this, so it is doubtful you would "need" it. This is why I listed if price is not an object. I will have a quick look at some more aesthetic cases for the mini-itx boards and will report back what might work best shortly.

pfSense 2.1.1 has the updated drivers to support i210 and i354 nics. I use an ASRock server board with quad Intel i210.

The ideal hardware right now is a group of Intel Atom Motherboards from Supermicro. They have all the most recent encryption instructions and include a quad port Intel server NIC. The Intel code names for the chips are Rangely and Avoton. Rangely is intended for network devices like pfsense with its "Quickassist" instruction on the chip, but the functions it can take advantage of are not yet supported by pfsense. There is no word of it yet, so you might figure support for "Quickassist" is likely as much as two years away. Avoton on the other hand offers a 200mhz turbo boost on it's processor cores. It's up to you if you want to taske advantage of quickassist in the future or turbo boost now. Rangely: Supermicro: 5018A-FTN4 (NOTE: Access panel on front for network appliances. 1U Rackmount only needs Hard Drive and Memory, 2400Mhz 8 Core, Intel i354 Quad GbE, Intel QuickAssist) Supermicro: A1SRi-2758F (Mini-ITX, 2400Mhz 8 Core, Intel i354 Quad GbE) Supermicro: A1SRM-2758F (uATX Motherboard, 2400Mhz 8 Core, Intel i354 Quad GbE) Supermicro: A1SRi-2558F (Mini-ITX, 2400Mhz 4 Core, Intel i354 Quad GbE) Supermicro: A1SRM-2558F (uATX Motherboard, 2400Mhz 4 Core, Intel i354 Quad GbE) Avoton: Supermicro: 5018A-TN4 (1U Rackmount only needs Hard Drive and Memory, C2750 2400Mhz 8 Core, Intel i354 Quad GbE, Turbo Boost 2600Mhz) Supermicro: A1SAi-2750F (Mini-ITX, C2750 2400Mhz 8 Core, Intel i354 Quad GbE, Turbo Boost 2600Mhz) Supermicro: A1SAM-2750F (uATX Motherboard, C2750 2400Mhz 8 Core, Intel i354 Quad GbE, Turbo Boost 2600Mhz) Supermicro: A1SAi-2550F (Mini-ITX, 2400Mhz 4 Core, C2550 Intel i354 Quad GbE, Turbo Boost 2600Mhz) Supermicro: A1SAM-2550F (uATX Motherboard, C2550 2400Mhz 4 Core, Intel i354 Quad GbE, Turbo Boost 2600Mhz) If you pick the 5018A-FTN4 or 5018A-TN4, all you will need is a hard drive and ECC DDR3 1600 memory from the qualified vendor list of memory or from crucial since they guarantee their memory if they list it as compatible for a particular motherboard. It may be easier to order from Crucial than to try to find qualified vendor ECC memory, and it must be qualified. I recommend 8 gigs of memory, more if price is not an issue. Although the firewall itself does not use much memory, If you use packages they can use a substantial amount of memory. I have used up to 9 gigs myself, but I was running a lot of packages including snort on its highest settings. As far as hard drives go, any will do honestly. I choose an enterprise drive that was on sale. It does not have to be very large, however at the time a terabyte drive was cheap so I got that. I do not recomend an SSD however since TRIM support is not built in yet and requires much tweaking, WELL BEYOND the scope of my tutorial. If you need further suggestions on memory or hard drive just ask. It should be noted though, if you go with one of the other motherboards and piece together your own case, power supply, drive and memory, you might save up to $100, even if you buy the same case those two mentioned above come in. If money and a bit more electricity use are no issue you could also step up to a Xeon based board. Hardware price will be slightly more if not the same in the end. Twice as powerful as above mentioned (Not saying much, the above is capable of gigabit speeds) but up to twice as much electricity use as well. Let me know if you want suggestions there. I use a Xeon.

Absolutely! I rather enjoy learning about this and talking about it. Two things to note if you are about to start.: 1. I am about to, after this post, update the airvpn interface firewall rules to shorten it and make it easier. 2. pfSense version 2.1.1 will be out in the next few days. These settings are fully tested for version 2.1.1, in fact I run 2.1.1 currently. There are slight differences in the verbiage, but ultimately it is exactly the same. 2.1.1 is preferred as there are bugfixes for OpenSSL, OpenVPN and Intel NIC drivers. If you start today and get it going, you will be able to update to 2.1.1 without issue though. If you do go through the guide, let me know if the firewall rules sorted themselves or were backwards in order from my guide. I've had them come out both ways and don't know which order to list them. I could easily re-order them for the guide.

I run it in hardware as the host OS. Although there are many people who do, I have never tried running it in a virtualized environment as I have read it slightly degrades performance. I have no doubts it can be done though. Perhaps create an account over at the pfSense forums and ask for assistance there? I'm sure the guide will work, but you would have to use virtual interfaces on some, which is over my head unfortunately. If you do figure it out, report back and share!

Not necessarily. I have Interfaces on my pfSense box dedicated for VOIP, XBOX and clear-net lan. You can route traffic however you please, it's up to you.

You can, as was stated by gigan3rd. You can use a router to accomplish this if you are not a heavy user. Similarly, if you are a heavy user, you can build a pfSense box to accomplish this. I run all of my devices, including mobile (via OpenVPN server), through pfSense and then through my AirVPN account. The option is there if you choose to use either method.

NOTE: THIS IS AN ALTERNATE “STEP 7” INTENDED FOR THOSE USING 2 NIC's IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE. Setting Up pfSense for AirVPN Using 2 NIC's Step 7: Setting up the LAN (VPN) Interface A:) Configuring the Interface 1.) Go to: Interfaces > Assign http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php Here you will find your assigned interfaces. If you assigned them during original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier. 2.) Select the LAN interface. Set it as follows: (NOTE: Some of these settings may be set by default, edit as neccesarry.) --General configuration Enable = [✔] (CHECKED) Description = [✎ LAN ] IPv4 Configuration Type = [ Static IPv4 ▼] IPv6 Configuration Type = [ None ▼] MAC address = [✎_____] (empty) MTU = [✎_____] (empty) MSS = [✎_____] (empty) Speed and duplex = Advanced > [ Autoselect ▼] --Static IPv4 configuration IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼] Gateway = [ None ▼] --Private networks Block Private Networks = [_] (UNCHECKED) Block Bogon Networks = [_] (UNCHECKED) 3.) Click [save] 4.) Click [ Apply Changes ] B.) Seting up the DHCP Server for the LAN Interface 1.) Go to: Services > DHCP server http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 2.) Ensure the "LAN" tab is selected 3.) Set as follows: (NOTE: Only options we will change are listed for this section, leave the rest as they were by default) Enable DHCP server on LAN interface = [✔] (CHECKED) Range = [✎ 192.168.1.100 ] to [✎ 192.168.1.199 ] DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!) 4.) Click [sAVE] 5.) Click [ Apply Changes ] C.) Setting up the Outgoing NAT for the LAN Interface. C.) NOTE: The only outbound NAT rule/s there should be are the one/s we create. If there are others that were/are automatically created, DELETE THEM!!! 1.) Go to: Firewall > NAT > Outbound http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.) 3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one. 4.) Set as follows: Do not NAT = [_] (unchecked) Interface = [ AirVPN_WAN ▼] Protocol = [ Any ▼] Source = Type: [ Network ▼] Address: [ 192.168.1.0 ] / [ 24 ▼] Source port: [_____] (empty/blank) Destination: Type = [ Any ▼] Translation: Address = [ Interface Address ] Description = [ LAN -> AirVPN_WAN ] 5.) Click [ SAVE ] 6.) Click [ Apply Changes ] D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks. *NOTE: There are FOUR necessary rules for the LAN interface. If there are any other rules, just delete them. First LAN Firewall Rule: ”ALLOW_AirVPN_DNS” The first LAN Firewall rule will allow DNS requests only to AirVPN DNS. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and[/u][/b] create a rule we will title "ALLOW_AirVPN_DNS" Set as follows: Action = [ Pass ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [ LAN ▼] TCP/IP Version = [ IPv4 ▼] Protocol = [ UDP ▼] Source = [_] Not (UNCHECKED) Type: [ LAN net ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Single host or Alias ▼] Address: [ 10.4.0.1 ] Destination port range = From: [ DNS ▼] To: [ DNS ▼] Log = [_] (UNCHECKED) Description = [✎ ALLOW_AirVPN_DNS] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼] 3.) Click [ Save ] 4.) Click [ Apply Changes ] Second LAN Firewall Rule: "BLOCK_DNS_LEAKS_VPN" The second LAN rule will block all DNS requests that we do not explicitly allow. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN". Set as follows: Action = [ Reject ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [uDP ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination port range = From: [ DNS ▼] To: [ DNS ▼] Log = [✔] (CHECKED) Description = [✎ BLOCK_DNS_LEAKS_VPN] *** For this rule we will NOT set the advanced setting for gateway 3.) Click [ Save ] 4.) Click [ Apply Changes ] Third LAN Firewall Rule: "Allow LAN Outbound" The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule" Set as follows: Action = [ Pass ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ LAN net ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Log = [_] (UNCHECKED) Description = [✎ Allow LAN Outbound] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼] 3.) Click [ Save ] 4.) Click [ Apply Changes ] Fourth LAN Firewall Rule: "BLOCK ALL ELSE LAN" The Fourth and final LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface. 1.) Go to: Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN" Set as follows: Action = [block ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Log = [✔] (checked) Description = [✎ BLOCK ALL ELSE LAN ] *** For this rule we will NOT set the advanced setting for gateway, it should be left as default 3.) Click [ Save ] 4.) Click [ Apply Changes ] E.) Checking That Our Firewall Rules Are In The Correct Order 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.)The order of the rules we just created is important! They should appear in this following order when viewed: ALLOW_AirVPN_DNS BLOCK_DNS_LEAKS_VPN Allow LAN Outbound BLOCK ALL ELSE LAN ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY! 3.) Click [save] 4.) Go to: Diagnostics > Reboot System http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 5.) Click [Yes] to Reboot That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!

Optional Advanced OpenVPN Settings This section is meant to inspire discussion of further openvpn options available to pfSense users. There are quite a few options! This list is extremely long, and I have not listed or tested all of them, but the list is large enough that I felt I should begin to share it. Over time, discussions and testing this list can grow so the community has a reference of what options work and how to use them! Options in bold work or are default (later I will color code this) Options that I have not tested but may work are followed by ???. Options that do not work in testing or in compatibility with the operating system are struck through. Tunnel Options: mode m local host remote host [port] [proto] - * (Can be used for redundant connections.) remote-random-hostname - ??? <connection> - ??? proto-force p remote-random proto p * “proto udp” connect-retry n connect-timeout n connect-retry-max n show-proxy-settings Windows Only http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method] - ??? http-proxy-retry - ??? http-proxy-timeout n - ??? http-proxy-option type [parm] - ??? socks-proxy server [port] - ??? socks-proxy-retry - ??? resolv-retry n - * float ipchange cmd port port lport port - * (“lport 0” Used by default in place of “nobind”) rport port bind nobind dev tunX | tapX | null - * (“dev tun”) dev-type device-type topology mode - ** (“topology net30” pushed by default) tun-ipv6 dev-node node lladdr address iproute cmd ifconfig l rn ifconfig-noexec ifconfig-nowarn - Can stop “false positives” in logs when using multiple clients. route network/IP [netmask] [gateway] [metric] - ??? (This option is in TCP-SSL AirVPN config files. pfSense has a Stunnel package. Requires research.) max-routes n route-gateway gw|'dhcp' route-metric m route-delay [n] [w] route-up cmd route-pre-down cmd route-noexec route-nopull - ??? allow-pull-fqdn client-nat snat|dnat network netmask alias redirect-gateway flags... link-mtu n redirect-private [flags] tun-mtu n tun-mtu-extra n - ??? mtu-disc type mtu-test fragment max mssfix max sndbuf size rcvbuf size mark value socket-flags flags... - (TCP Mode only, “socket-flags TCP_NODELAY”) txqueuelen n shaper n - (Not Compatiple with “fast-io”) inactive n [bytes] ping n - * (“ping 10” pushed by default) ping-exit n ping-restart n * (“ping-restart 60” pushed by default) keepalive n m ping-timer-rem persist-tun - * persist-key - * persist-local-ip - ??? persist-remote-ip - ??? mlock - (Highly recommended) up cmd up-delay - ??? down cmd down-pre up-restart - ??? setenv name value setenv FORWARD_COMPATIBLE 1 setenv-safe name value script-security level - * disable-occ user user group group cd dir chroot dir setcon context daemon [progname] syslog [progname] errors-to-stderr passtos inetd [wait|nowait] [progname] log file - ??? log-append file - ??? suppress-timestamps - ??? writepid file nice n - ??? fast-io (Recomended, Not compatible with “shaper n”) multihome echo [parms...] remap-usr1 signal verb n * (default “verb 3”, recommend “verb 4” status file [n] status-version [n] mute n comp-lzo [mode] * (comp-lzo no) comp-noadapt management IP port [pw-file] management-client management-query-passwords management-query-proxy management-query-remote management-forget-disconnect management-hold management-signal management-log-cache n management-up-down management-client-auth management-client-pf management-client-user u management-client-group g plugin module-pathname [init-string]

Setting Up pfSense for AirVPN System Tunables Only one this that everyone should do here: Enable IP fastforwarding. This can GREATLY increase performance, especially on low powered systems. 1.)Go to: System > Advanced > Syatem Tunables http://192.168.1.1/system_advanced_sysctl.php -or- https://192.168.1.1/system_advanced_sysctl.php 2.) Find "net.inet.ip.fastforwarding" (ctrl+F on windows browsers) By default this is disabled and the setting is "0". We want to enable it. Click the [e] edit button next to the setting. Edit the "0" and change it to "1". (Without the quotes!) 3.) Click [save] 4.) Click [Apply Changes]

Setting Misc Advanced Options Here is a list of other options to consider setting. Some of these are related to OpenVPN while others are just to get the operating system further set up properly for your particular hardware. For the brave there are some tweaks to the network drivers and other boot loader and “system tunables”. All of these are optional, many are highly recommended and some borderline on necessary. General System Tweaks Go to: System > Advanced >Miscellaneous http://192.168.1.1/system_advanced_misc.php -or- https://192.168.1.1/system_advanced_misc.php 1.) Find the section titled “Power savings” **NOTE 1: There are some known issues with this setting on AMD motherboards that support “Cool N' Quiet in the Bios. Do not enable PowerD if your AMD Motherboard uses this option, instead just let the motherboard handle this. This options works very well with Intel speedstep though. **NOTE 2: This setting does not affect the VPN setup, but while we are at this page, it is useful to set. It can save on your electrical bill. Set as follows: PowerD = [√] (checked) On AC Power Mode: = [Adaptive ▼] (Or Hiadaptive, depending on your preference) On Battery Power Mode: = [Minimum ▼] 2.) Find the section titled “Cryptographic Hardware Acceleration” ***NOTE : Ths option enables the AES Instruction Set on compatible CPUs. Your CPU may not support this option. If it does, you should set it appropriately. This option will increase the performance of your appliance if supported. Check here for supporting CPU's. If your CPU supports AES instructions, set this option to “AES-NI”. It should be noted that it is highly unlikely you have AMD Geode acceleration unless you purchased embedded equipment. Set as follows: Cryptographic Hardware = [AES-NI CPU-based Acceleration (aesni) ▼] (If supported!!!) 3.) Find the section titled “Thermal Sensors” ***NOTE: This setting does not affect the setup, but while we are at this page, it is useful to set. Your CPU may not support this feature. If it does, it will allow you to monitor the CPU temp from the Dashboard by adding the “Thermal Sensors” widget there. Most somewhat recent Intel and AMD processors should have this. Set as follows: Thermal Sensors = *Set according to your CPU’s capability, None, Intel or AMD* 4.) Click [sAVE]

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 8: Setting up the AirVPN_LAN Interface A:) Configuring the Interface 1.) Go to: Interfaces > Assign http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php Here you will find your assigned interfaces. If you assigned them during original install you will see however many interfaces you have and should likely have a WAN, LAN, opt1 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save. 2.) Select one from the optional Interfaces (likely Opt1). Set it as follows: --General configuration Enable = [✔] (CHECKED) Description = [✎ AirVPN_LAN ] IPv4 Configuration Type = [ Static IPv4 ▼] IPv6 Configuration Type = [ None ▼] MAC address = [✎_____] (empty) MTU = [✎_____] (empty) MSS = [✎_____] (empty) Speed and duplex = Advanced > [ Autoselect ▼] --Static IPv4 configuration IPv4 address = [✎ 192.168.123.1 ] / [ 24 ▼] Gateway = [ None ▼] --Private networks Block Private Networks = [_] (UNCHECKED) Block Bogon Networks = [_] (UNCHECKED) 3.) Click [save] 4.) Click [ Apply Changes ] B.) Seting up the DHCP Server for the AirVPN_LAN Interface 1.) Go to: Services > DHCP server http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 2.) Ensure the "AirVPN_LAN" tab is selected 3.) Set as follows: (NOTE: Only options we will change are listed for this section, leave the rest as they were by default) Enable DHCP server on AirVPN_LAN interface = [✔] (CHECKED) Range = [✎ 192.168.123.100 ] to [✎ 192.168.123.199 ] DNS Servers = [✎ 10.4.0.1 ] and [✎________] 4.) Click [sAVE] 5.) Click [ Apply Changes ] C.) Setting up the Outgoing NAT for the AirVPN_LAN Interface. 1.) Go to: Firewall > NAT > Outbound http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.) 3.) If there is already a rule for your AirVPN_LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your AirVPN_LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one. 4.) Set as follows: Do not NAT = [_] (unchecked) Interface = [ AirVPN_WAN ▼] Protocol = [ Any ▼] Source = Type: [ Network ▼] Address: [ 192.168.123.0 ] / [ 24 ▼] Source port: [_____] (empty/blank) Destination: Type = [ Any ▼] Translation: Address = [ Interface Address ] Description = [ AirVPN_LAN -> AirVPN_WAN ] 5.) Click [ SAVE ] 6.) Click [ Apply Changes ] D.) Setting Basic Firewall Rules for the AirVPN_LAN Interface to enforce the policy based routing and block DNS Hijacking *NOTE: There are THREE necessary rules for the AirVPN_LAN interface. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them. First AirVPN_LAN Firewall Rule: "BLOCK_DNS_LEAKS_VPN" The first AirVPN_LAN rule will block all DNS requests that we do not explicitly allow. Pay close attention to this one. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN". Set as follows: Action = [ Block ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [AirVPN_LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [TCP/UDP ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [✔] Not (CHECKED!!!!!!!!) Type: [ Single host or alias ▼] Address: [10.4.0.1] Destination port range = From: [ DNS ▼] To: [ DNS ▼] Log = [✔] (CHECKED) Description = [✎ BLOCK_DNS_LEAKS_VPN] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼] 3.) Click [ Save ] 4.) Click [ Apply Changes ] Second AirVPN_LAN Firewall Rule: "Allow AirVPN_LAN Outbound" The second AirVPN_LAN rule we will create will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN Gateway. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule" Set as follows: Action = [ Pass ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [AirVPN_LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ AirVPN_LAN Subnet ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Log = [_] (UNCHECKED) Description = [✎ Allow AirVPN_LAN Outbound] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼] 3.) Click [ Save ] 4.) Click [ Apply Changes ] Third AirVPN_LAN Firewall Rule: "BLOCK ALL ELSE AirVPN_LAN" The third and final AirVPN_LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface. 1.) Go to: Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "AirVPN_LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN" Set as follows: Action = [block ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [AirVPN_LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Log = [✔] (checked) Description = [✎ BLOCK ALL ELSE AirVPN_LAN ] *** For this rule we will NOT set the advanced setting for gateway, it should be left as default 3.) Click [ Save ] 4.) Click [ Apply Changes ] E.) Checking That Our Firewall Rules Are In The Correct Order 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 2.)The order of the rules we just created is important! They should appear in this following order when viewed: BLOCK_DNS_LEAKS_VPN Allow AirVPN_LAN Outbound BLOCK ALL ELSE AirVPN_LAN ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY! 3.) Click [save] 4.) Go to: Diagnostics > Reboot System http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 5.) Click [Yes] to Reboot Verifying Our BLOCK_DNS Rule is Functioning (Optional - For Windows and WINE Users) For this step we will need to download a program called “DNSBench”. This step is meant as a proof of concept to show that without the BLOCK_DNS firewall rules, a malicious program could indeed hijack your DNS requests. This program is a safe program, and one that I otherwise find very useful in finding low latency DNS servers. We will not however be using it as it is intended, but it is the best program I have found to simulate a program sending out DNS requests not received from the DHCP settings. Go to: https://www.grc.com/dns/benchmark.htm (click on the picture of the program to download it.) 1.) When you open it it will say: • • • Verifying Internet Access • • • 2.) Then, if up to this point it is working it will then say: Internet DNS Access Trouble 3.) Find and click the button toward the top that says [ Ignore Test Failure ] 4.) Then it will show: DNS Benchmark Domain Name System Benchmark Utility 5.) Find and click the "Nameservers" tab toward the top. If the DNS Blocking rules are enabled, entered correctly and functioning you should see this: Only the 10.4.0.1 entry should be green (signifying it can be contacted). All other entries should be red. If you view your firewall logs on pfSense now, it should have quite a few blocks triggered by destination port 53 on the AirVPN_LAN interface. If any other DNS servers are contacted and show up as Green, review the firewall settings and correct any discrepancies you find. If you find none and otherwise cannot correct the leak, feel free to ask for help by posting to this thread. For those of you that wish to verify the proof of concept, feel free to temporarily disable the BLOCK_DNS rule and verify this yourself (You have to close and re-open DNSBench, don't worry, testing this is quite safe). You will see that had this been a malicious program it could indeed hijack your browser. Be sure to re-enable the firewall rule after! That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running! I hope this guide helps you! Don't forget to back up your settings you just spent all this time setting up!

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 7: Setting up the LAN Interface A:) Configuring the Interface 1.) Go to Interfaces > LAN http://192.168.1.1/interfaces.php?if=lan -or- https://192.168.1.1/interfaces.php?if=lan Set it as follows: --General configuration Enable = [✔] (CHECKED) Description = [✎ LAN ] IPv4 Configuration Type = [ Static IPv4 ▼] IPv6 Configuration Type = [ None ▼] MAC address = [✎_____] (empty) MTU = [✎_____] (empty) MSS = [✎_____] (empty) Speed and duplex = Advanced > [ Autoselect ▼] --Static IPv4 configuration IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼] IPv4 Upstream Gateway = [ None ▼] --Private networks Block Private Networks = [_] (UNCHECKED) Block Bogon Networks = [_] (UNCHECKED) 2.) Click [save] 3.) Click [ Apply Changes ] B.) Setting up the DHCP Server for the LAN Interface 1.) Go to: Services > DHCP server http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 2.) Ensure the "LAN" tab is selected 3.) Set as follows: (NOTE: These options may already be set by default, change as needed.) Enable DHCP server on LAN interface = [✔] (CHECKED) Range = [✎ 192.168.1.100 ] to [✎ 192.168.1.199 ] 4.) Click [sAVE] 5.) Click [ Apply Changes ] C.) Setting up the Outgoing NAT for the LAN Interface AND Localhost 1.) Go to: Firewall > NAT > Outbound http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. 3.) Click [ SAVE ] 4.) Click [ Apply Changes ] This will likely spawn a number of automatically created outbound NAT rules. At this point you can check the box next to all of the ones directed to port 500 and delete them, we don't want them. This should leave you with a few default rules titled similarly to “Default LAN to WAN” and “Default Localhost to WAN”. Any other rules than these two should be deleted. Each of the default rules can just be edited by clicking the [e] button to the right of it. If there is not a rule for your LAN or Localhost, you will need to create one by selecting the [+] at the top right and creating a new one. First we will set the LAN outbound NAT. 5.) Set as follows: Do not NAT = [_] (unchecked) Interface = [ WAN ▼] Protocol = [ any ▼] Source = [_] Not (unchecked) Type: [ Network ▼] Address: [ 192.168.1.0 ] / [ 24 ▼] Source port: [_____] (empty/blank) Destination = [_] Not (unchecked) Type = [ Any ▼] Address: [_____] / [ 24 ▼](empty/blank) Destination Port: [_____] (empty/blank) Translation: Address = [ Interface Address ] Description = [ LAN to WAN ] 6.) Click [ SAVE ] Second we will set the Localhost outbound NAT. 7.) Set as follows: Do not NAT = [_] (unchecked) Interface = [ WAN ▼] Protocol = [ any ▼] Source = [_] Not (unchecked) Type: [ Network ▼] Address: [ 127.0.0.1 ] / [ 8 ▼] Source port: [_____] (empty/blank) Destination = [_] Not (unchecked) Type = [ Any ▼] Address: [_____] / [ 24 ▼](empty/blank) Destination Port: [ 1024:65535 ] Translation: Address = [ Interface Address ] Description = [ Localhost to WAN ] 8.) Click [ SAVE ] 8.) Click [ Apply Changes ] D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks. *NOTE: There are THREE necessary rules for the LAN interface. You should have two firewall rules here by default. The “anti-lockout rule” and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule, it is up to you. First LAN Firewall Rule: "BLOCK_DNS_LEAKS_LAN" The first LAN firewall rule will block all DNS requests that we do not explicitly allow. This rule will force all users on this interface to use the DNS forwarder and hence the servers we entered on the general settings page. Pay close attention to this one. 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_LAN". Set as follows: Action = [ Block ▼] Disabled = [_] Disable this rule (UNCHECKED) Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [TCP/UDP ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [✔] Not (CHECKED!!!!!!!!) Type: [ LAN address ▼] Address: [________] Destination port range = From: [ DNS ▼] To: [ DNS ▼] Log = [✔] (CHECKED) Description = [✎ BLOCK_DNS_LEAKS_LAN] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ WAN_DHCP ▼] 3.) Click [ Save ] 4.) Click [ Apply Changes ] Second LAN Firewall Rule: "ALLOW LAN OUTBOUND" 1.) Go to: Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW LAN OUTBOUND" (Note: There may already be a rule titled " Default Allow LAN Outbound" or similar. You certainly can just edit that entry to these settings, or delete and create this.) 3.) Set as follows: Action = [ Pass ▼] Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ LAN Subnet ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Description = [✎ ALLOW LAN OUTBOUND] *****IMPORTANT STEP: [ADVANCED FEATURES] > GATEWAY = [ WAN_DHCP ▼] 4.) Click [ SAVE ] 5.) Click [ Apply Changes ] Third LAN Firewall Rule: "BLOCK ALL ELSE LAN" 1.) Go to: Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface. 2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN" 3.) Set as follows: Action = [block ▼] Disabled = [_] (UNCHECKED) Interface = [LAN ▼] TCP/IP Version = [iPv4 ▼] Protocol = [Any ▼] Source = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Destination = [_] Not (UNCHECKED) Type: [ Any ▼] Address: [______] (BLANK) Log packets that are handled by this rule = [✔] (checked) Description = [✎ BLOCK ALL ELSE LAN ] *** For this rule we will NOT set the advanced setting for gateway, it should be left as default 4.) Click [ SAVE ] 5.) Click [ Apply Changes ] E.) Checking That Our Firewall Rules Are In The Correct Order 1.) Go to Firewall > Rules http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface. 2.) The order of the rules we just created is important! They should appear in this following order when viewed: BLOCK DNS LEAKS LAN ALLOW LAN OUTBOUND BLOCK ALL ELSE LAN ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 6: Setting Up the DNS Forwarder NOTE: Here we are going to disable the DNS Forwarder for VPN interfaces (DNS for VPN will be set through DHCP on a PER-INTERFACE BASIS), while leaving the Forwarder enabled for the LAN interface as well as the Firewall (Localhost) itself. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL/LAN (CLEAR-NET) AND THE AirVPN_LAN (VPN). THE DNS FOR THE AirVPN_LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING STEP 8 GUIDE. Please also note that if done correctly there is no chance of DNS “leaks” (As explained in the Preface), and further, we will be creating firewall rules to prevent DNS hijacking. Pay extra attention to this section. This seems to be a troublesome area for many, and is easily the biggest concern for a “leak” (we cannot share the DNS Forwarder) if a setting were to be configured incorrectly. That being said, we need to enter DNS servers on the General Setup page for the firewall to use and for initial connection to AirVPN when using URL's such as the entry address for the whole Earth or individual countries. This method also makes the firewall run more reliably as it does not require re-configuring if the VPN fails. In the event the VPN does fail, all states are dropped and the connection is severed provided you followed the instructions on setting up the gateway correctly. I suggest using OpenNIC DNS servers, however I will use OpenDNS since I cannot look up the appropriate OpenNIC servers for you. You may use the public DNS servers of your choice or ones your ISP provides (not recommended) if you wish. Setting DNS Options Under the General Setup Page 1.) Go to: System > General Setup: DNS servers http://192.168.1.1/system.php -or- https://192.168.1.1/system.php Set as Follows: DNS Server –- Use gateway [✎ 208.67.222.222 ] [ WAN_DHCP ▼] [✎ 208.67.220.220 ] [ WAN_DHCP ▼] [✎ (empty) ] [=== None === ▼] [✎ (empty) ] [=== None === ▼] [_] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED [_] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED 2.) Click [save] Setting the DNS Forwarder Options 1.) Go to: Services > DNS Forwarder http://192.168.1.1/services_dnsmasq.php -or- https://192.168.1.1/services_dnsmasq.php Set as Follows: --General DNS Forwarder Options Enable = [✔] Enable DNS forwarder (CHECKED) DHCP Registration = [_] Register DHCP leases in DNS forwarder (UNCHECKED) Static DHCP = [_] Register DHCP static mappings in DNS forwarder (UNCHECKED) Prefer DHCP = [_] Resolve DHCP mappings first (UNCHECKED) DNS Query Forwarding = [_] Query DNS servers sequentially (UNCHECKED) [_] Require domain (UNCHECKED) [✔] Do not forward private reverse lookups (CHECKED) Listen Port = [______] (Empty/Blank) Interfaces = ***SEE STEPS BELOW By default all interfaces are selected. This may show up as “All” being highlighted, or each individual interface being highlighted. Using the Ctrl key, DESELECT AS NEEDED, AND ENSURE ONLY LAN AND LOCALHOST ARE SELECTED/HIGHLIGHTED. IT IS CRITICAL YOU GET THIS SECTION CORRECT. [✔] Strict Interface Binding Advanced = [Advanced] - Show advanced options (UNCHANGED) 2.) Click [save] 3.) Click [ Apply Changes ] Verifying Our DNS Settings (Optional Step) Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built in feature of the firewall. 1.) Go to: Dianostics > DNS Lookup http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php Set as Follows: Hostname or IP = [ airvpn.org ] 2.) Click [ DNS Lookup ] 3.) Verify the results: Hostname or IP = [ airvpn.org ] = 95.211.138.143 If 95.211.138.143 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 5: Setting the AirVPN Gateway 1.) Go to: System > Routing http://192.168.1.1/system_gateways.php -or- https://192.168.1.1/system_gateways.php 2.) Find and select the [+] on the same line asAirVPN_WAN_VPN4 ***** NOTE: BE VERY CAREFUL OF WHICH [+] YOU SELECT HERE. “MOUSING OVER” THE [+] BUTTONS WILL REVEAL THEIR TITLE. DO NOT SELECT THE ONE FOR WAN DHCP! What you will see here may vary. When I got to this point in my setup I had two gateways that were added but not yet enabled, You may only see your default/WAN gateway until you add a new one. I had AirVPN_WAN_VPN4 (IPv4) and AirVPN_WAN_VPN6 (IPv6, if you have IPv6 disabled you will not see this). You are not able to edit the names of these gateways. What I did to get around this was to create a new IPv4 gateway (by clicking the [+] on the same line as AirVPN_WAN_VPN4) and give it the name I wanted (AirVPN_WAN). Then, after saving this new interface, the old AirVPN_WAN_VPN4 Gateway will have automatically have been deleted. If IPv6 is not disable on your system, ignore the “grayed out”/disabled AirVPN_WAN_VPN6. It cannot be deleted, only made to disappear if you disable IPv6. I will not go into how to do that at this time. 3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it. Set as follows: Disabled = [_] (UNCHECKED) Interface = [AirVPN_WAN ▼] Address Family = [iPv4 ▼] Name = [✎ AirVPN_WAN] Gateway = [dynamic] Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW) Disable Gateway Monitoring = [√] (CHECKED) The monitoring servicve has caused more issues then it has corrected as of late, so we will disable it. Monitor IP = [______] (Blank) If you do decide to enable this, set it to 10.4.0.1 Mark Gateway as Down = [_] (UNCHECKED) Advanced = **Unchanged** Description = [✎ AirVPN_WAN] ***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as: write UDPv4: No buffer space available (code=55)The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct! 4.) Click [save] 5.) Click [Apply Changes] 6.) Go to: System > Advanced >Miscellaneous http://192.168.1.1/system_advanced_misc.php -or- https://192.168.1.1/system_advanced_misc.php 7.) Find the section titled “Gateway Monitoring” *****NOTE***** The following settings are important!!! Set as follows: State Killing on Gateway Failure = [_] (NOT CHECKED!!!) Skip rules when gateway is down = [√] (CHECKED) 8.) Click [sAVE] 9.) Go to: Diagnostics > Reboot System http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 10.) Click [Yes] to Reboot

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 4: Assigning the OpenVPN Interface 1.) Go to: Interfaces > Assign http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php 2.) Find and select the [+] on the lower right for “Add Interface” A new interface should appear - [ovpnc1(AirVPN) ▼] 3.) Click [save] 4.) While still on the assign interfaces page, find the link for your newly created “ovpnc1” interface and select it. This will bring you to the configuration page for this interface. Set as Follows: --General configuration Enable = [√] (CHECKED) Description = [✎ AirVPN_WAN ] IPv4 Configuration Type = [None ▼] IPv6 Configuration Type = [None ▼] MAC Address = [✎_____] (Blank/Empty) MTU = [✎_____] (Blank/Empty) MSS = [✎_____] (Blank/Empty) --Private Networks Block Private Networks = [_] (NOT CHECKED!!!) Blocks Bogon Networks = [_] (NOT CHECKED!!!) 5.) Click [save] 6.) Click [Apply Changes]

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 3: Setting up the OpenVPN Client 1.) Go to: VPN > OpenVPN > Client http://192.168.1.1/vpn_openvpn_client.php -or- https://192.168.1.1/vpn_openvpn_client.php 2.) Find and select the [+] on the lower right for “Add Client” 3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK Set as follows: --General information Disabled = [_] (NOT CHECKED!!!) Server Mode = [Peer to Peer (SSL/TLS) ▼] Protocol = [uDP ▼] Device Mode = [tun ▼] Interface = [WAN ▼] Local Port = [✎ _____] (Blank/Empty) Server Host or Address = [✎ XXX.XXX.XXX.XXX] IP of your preferred AirVPN Entry (From the "remote" line in the config) Server Port = [✎ 443] (From the "remote" line in the config) Proxy Host or address = [✎ _____] (Blank/Empty) Proxy Port = [✎ _____] (Blank/Empty) Proxy Authentication Extra Options = [none ▼} Server Host Name Resolution = [√] Infinitely Resolve Server (checked) Description = [✎ AirVPN] --User Authentication Settings User name/pass Leave empty when no user name and/or password are needed. Username: [✎ _____] (Blank/Empty) Password: [✎ _____] (Blank/Empty) --Cryptographic Settings TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED) [_] Automatically generate a shared TLS authentication key. (NOT CHECKED) ___________________________________ | # | # 2048 bit OpenVPN static key | # | -----BEGIN OpenVPN Static key V1----- | XXXXXXXXXXXXXXXXXXXXXX | XXXXXXXXXXXXXXXXXXXXXX | XXXXXXXXXXXXXXXXXXXXXX | XXXXXXXXXXXXXXXXXXXXXX | XXXXXXXXXXXXXXXXXXXXXX | -----END OpenVPN Static key V1----- |____________________________________ Peer Certificate Authority = [AirVPN_CA ▼] Cient Certificate = [ AirVPN_CERT ▼] Encryption Algorithm = [ AES-256-CBC (256 bit) ▼] Auth Digest Algorithm = [ SHA1 (160 bit) ▼] Hardware Crypto = SET THIS BASED ON YOUR CPU’s CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RD-RAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance. --Tunnel Settings IPv4 Tunnel Network = [✎ _____] (Blank/Empty) IPv6 Tunnel Network = [✎ _____] (Blank/Empty) IPv4 Remote Networks = [✎ _____] (Blank/Empty) IPv6 Remote Networks = [✎ _____] (Blank/Empty) Limit Outgoing Bandwidth = [✎ _____] (Blank/Empty) Compression = [Disabled - No Compression ▼ ] Type-of-Service = [_] (NOT CHECKED!!!) Disable IPv6 = [✔] (CHECKED) Don't pull routes = [✔] (CHECKED) Don't add/remove routes = [✔] (CHECKED) --Advanced Configuration Advanced = (Copy and Paste The following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.) ##### CLIENT OPTIONS #####; server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###; explicit-exit-notify 5; ##### TUNNEL OPTIONS #####; ### Use Multple "remote" entries with the according entry IP address of your favorite servers ###; ### other than the server entered in the "Server Host or Address" entry above and pfSense ###; ### will automatically recconnect in a round robin fashion if the server you are connected to ###; ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###; ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###; ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###; ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###; ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###; rcvbuf 262144; sndbuf 262144; mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###; fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###; ###tun-mtu 1500; ###mssfix 1450; ###keepalive 5 15; ##### DATA CHANNEL ENCRYPTION OPTIONS #####; key-direction 1; keysize 256 ### Size of key from cipher ###; prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###; ### replay-window n [t] ### Default = replay-window 64 15 ###; ### mute-replay-warnings; ##### TLS MODE OPTIONS #####; tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###; key-method 2 ### client generates a random key ###; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###; tls-timeout 2 ### Default = 2 ###; ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###; remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###; ### reneg-sec 3600; Verbosity level = [ 3 (Recommended) ▼ ] 4.) Click [save] 5.) Go to: Diagnostics > Reboot System http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 6.) Click [Yes] to Reboot

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 2: Entering our AirVPN Certificate and Key 1.) Go to: System > Cert Manager > Certificate Manager http://192.168.1.1/system_certmanager.php -or- https://192.168.1.1/system_certmanager.php 2.) Find and select the [+] on the lower right for “Add or Import Certificate” 3.) Here we will enter a descriptive name and enter our Certificate and Key data. Set as follows: Descriptive name = [✎ AirVPN_CERT ] Method = [ Import an Existing Certificate Authority ▼] Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config): <cert> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </cert> Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config): <key> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </key> 4.) Click [save]

Setting Up pfSense for AirVPN Using 3 or more NIC's Step 1: Entering our AirVPN CA (Certificate Authority) 1.) Go to: System > Cert Manager http://192.168.1.1/system_camanager.php -or- https://192.168.1.1/system_camanager.php 2.) Find and select the [+] on the lower right for “Add or Import CA” 3.) Here we will enter a descriptive name and enter our CA certificate data. Set as follows: Descriptive name = [✎ AirVPN_CA ] Method = [ Import an Existing Certificate Authority ▼] Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>)] - (Everything highlighted LIGHT BLUE in the Sample ovpn config): <ca> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </ca> Certificate Private Key(optional) = [_____] (Blank/Empty) 4.) Click [save]

Understanding OpenVPN Settings on pfSense Here is the list of settings given to us in the config files we download for a standard UDP connection. Below are descriptions of what they do and where they are located or how they are entered in pfSense. They are as follows: clientdev tunproto udpremote xxx.xxx.xxx.xxx 443resolv-retry infinitenobindpersist-keypersist-tunremote-cert-tls servercipher AES-256-CBCcomp-lzo noverb 3explicit-exit-notify 5key-direction 1 1.) "client" – This setting denotes whether this configuration is for a OpenVPN client or server. We are connecting to AirVPN as clients. There is no corresponding setting in pfSense as we are denoting this by selecting the client tab. 2.) dev tun = "Device Mode" on the OpenVPN client settings page. This setting selects the virtual network type. From the OpenVPN manual: 3.) proto udp = "Protocol" drop down selection on the OpenVPN client settings page. From the OpenVPN manual: 4.) remote xxx.xxx.xxx.xxx 443 = "Server Host or Address" AND "Server Port" entries on the pfSense client settings page. The host or address is the xxx.xxx.xxx.xxx entry replaced by the IP address or hostname of your preferred AirVPN entry server. The port is the 443 that follows, or could be any of the other optional ports you can choose with the config generator. For the purposes of this tutorial I chose to use the basic config of UDP 443. From the OpenVPN manual: 5.) "resolv-retry infinite" = The check box next to the "Server Host Name Resolution" titled "Infinitely Resolve Server". From pfSense: "Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet." From the OpenVPN manual: 6.) nobind = “Local Port” on the OpenVPN settings page and is set by leaving the entry BLANK or entering a number “0”. From psSense: “Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port “ From the OpenVPN manual: 7.) persist-key = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-key;" but without the quotes. From the OpenVPN manual: 8.) persist-tun = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-tun;" but without the quotes. From the OpenVPN manual: 9.) remote-cert-tls server = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "remote-cert-tls server;" but without the quotes. From the OpenVPN manual: 10.) cipher = "Encryption Algorythm" in the pfSense client settings page. AirVPN uses "AES-256-CBC" according to the config generator files. From the OpenVPN manual: 11.) comp-lzo no = The check box labled “Compress tunnel packets using the LZO algorithm.” on the OpenVPN Client Settings page. From the OpenVPN manual: 12.) verb 3 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "verb 3;" but without the quotes. From the OpenVPN manual: 13.) Explicit-exit-notify 5 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "explicit-exit-notify 5;" but without the quotes. From the OpenVPN manual: 14.) key-direction 1 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "key-direction 1;" but without the quotes. From the OpenVPN manual: Here is the list of settings that are further “pushed” to us when connecting. By entering them manually we take an additional step to prevent the use of or depreciation to “lower”, less secure settings. Below are descriptions of what they do. All of these following settings are entered into the Advanced box on the OpenVPN Client page. They are as follows: tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHAkeysize 256auth SHA1key-method 2 1.) tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA = OpenVPN > Client > Advanced: tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA; This setting is automatically “pushed” when connecting to the server. That being said, it can also be set manually which has the benefit of preventing the use of/falling back to a lower encryption version. From the OpenVPN manual: 2.) keysize 256 = OpenVPN > Client > Advanced: keysize 256; From the OpenVPN manual: 3.) auth SHA1 = OpenVPN > Client > Advanced: auth SHA1; From the OpenVPN manual: 4.) key-method 2 = OpenVPN > Client > Advanced: key-method 2; From the OpenVPN manual:

Understanding Certificates and OpenVPN Config Files I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here. First, if you have not done so already, we have to download the OpenVPN Config File (.ovpn) for our preferred AirVPN entry server. You can do this by logging into airvpn.org and then proceeding to https://airvpn.org/generator/ . Choose the entry server of your choice (the air entry server can be changed later whenever you need, we will focus on one for this tutorial) by selecting the corrisponding check box the scroll down and select the “Direct, protocol UDP, port 443”. Scroll down again and select both check boxes agreeing to the AirVPN terms of service, then click the “Generate” button. Once you have the config file you can open it with your favorite text editor. What you should see will look very similar as the sample ovpn config I pasted below (this one was downloaded for a windows client). The config is broken into FIVE main parts that we will need to identify for our uses. The five parts are as follows: Settings and Advanced SettingsCA (Certificate Authority, everything between <ca> and </ca>)Cert (Certificate Data, everything between <cert> and </cert>)Key (RSA Private Key, everything between <key> and </key>)tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>) Sample OpenVPN Config File We will need to copy these settings from YOUR config file you downloaded from the AirVPN config generator into pfSense to set up our certificates and OpenVPN. DO NOT USE THESE, they are fictional. # -------------------------------------------------------- # Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM # OpenVPN Client Configuration # AirVPN_XXXXXXXXXXX-xxxx # -------------------------------------------------------- client dev tun proto udp remote xxx.xxx.xxx.xxx 443 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-CBC comp-lzo no verb 3 explicit-exit-notify 5 <ca> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </cert> <key> -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- </key> key-direction 1 <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END OpenVPN Static key V1----- </tls-auth>

Preface Here is a guide on how to set up pfSense 2.1 as a firewall, router and OpenVPN client for connecting to AirVPN and Clear-Net using three or more NIC's. Why pfSense? PfSense is a firewall distribution based on FreeBSD and forked from m0n0wall. The primary focus of pfSense is security, not features as many consumer products are. It is not prone to the weak security and vulnerabilities that many consumer routers are. Because it is based on PC hardware, it is also far more powerful. As where an OpenVPN client on a consumer router might max out at 20-30 Mbit / sec, The newest generation of Xeon E3 12XX V3 could do upwards of 500 Mbit / sec on a properly configured pfSense install. For most of us that is far more than our ISP's even provide us with. Personally I have seen speeds as high as 150 Mbit / sec, and can easily get 60-75 Mbit / sec through the VPN when my use demands it, but I am limited by my ISP. If you have ever wondered how people accomplish the speeds they do on the status page, consider that I have been in that #1 spot more than once and frequently appear in the top 10. Some other considerations on “Why pfSense”? Your entire network can be protected by a strong firewall and routing all trafic through your AirVPN connection, not just one device, without even a hint of slowing down your connection. For the more advanced user, you can even set up an OpenVPN SERVER and remotely connect your mobile phones, tablets, laptops and any other device you wish to your firewall and then route that traffic out through your AirVPN connection as well. This is exactly what I do. I route my mobile devices though the firewall which allows me to scan that traffic for viruses, firewall it and encrypt it with the VPN. At a later date I will also make a tutorial on how to accomplish this. pfSense also has a “Packages” system for adding more things such as “pfBlocker” which is similar to peerblock. Other packages include Snort (Intrusion Detection), Squid (Caching proxy, the newest version has anti-virus and can even scan SSL on your network if you permit it) and Dansgaurdian (content filter). These can enhance your security if used properly. There are many more reasons on top of this as well. Simply put; I have yet to find a better solution for connecting with AirVPN. Why I made this guide. After searching for many months on how to correctly accomplish this, I was unable to find proper documentation. After months of piecing together the information I did find combined with tedious testing of settings not documented elsewhere, I started to document what I learned as I was also helping others get set up. I also wanted to document this for my own use, although at this point I know this like the back of my hand. After seeing more and more people have questions on using pfSense on AirVPN I decided to share what I learned and continue to learn. It is my hope that in using this guide, I can help others gain confidence in understanding and using pfSense, both in general and with AirVPN. Further more, I believe strongly in the mission statement of the folks at AirVPN, and this is my thank you to them for offering a great service and an avenue for those that truly need privacy and anonymity. I can only hope this guide will some day help someone communicate important information or avert oppression and censorship. Things to Consider Before Following This Guide THIS TUTORIAL IS INTENDED TO BE USED ON A FRESH INSTALL OF PFSENSE!!! Everything in the following tutorial assumes your settings are as they were, default, after a fresh install. You most certainly can add to it, especially firewall rules, when set correctly. Many people will have many uses requiring additional settings. I consider these variables to be outside the scope of this tutorial as this is aimed at beginners. I cannot guarantee functionality if you attempt to integrate this guide into your previous settings. Therefore, these issues and settings will not be addressed in the tutorial, but are welcome in discussion in replies to the guide. THIS TUTORIAL IS INTENDED FOR THOSE THAT NEED CONNECTIONS TO BOTH CLEAR NET AND VPN Most users will need connections for some of their devices through the clear net just as I do for things such as VOIP and gaming. Setting it up this way also has the added benefit that if the VPN fails you do not need to reconfigure anything to test why it failed. Constantly having to reconfigure things is a quick way to forget something and poor planning with security. This is why I STRONGLY recommend the use of 3 or more network interface cards. This creates a sort of “Air Gap” between the clear-net and VPN configured networks, considering you have to physically move a network cable to access the different networks. In fact, I personally do not condone the use of only two interfaces for beginners for this reason. I have however, as a courtesy, added a basic addendum to the guide for those who choose to go this route. There is no clear-net configured interface in the two interface guide, only VPN. If the VPN goes down, internet connectivity will go down. I do not use this method myself, and made that section “in my head”. If it needs amending, users of it will need to notify me. I will update that section, although not as frequently as the main guide. THIS TUTORIAL IS INTENDED FOR BEGINNERS AND THOSE WHO ARE OTHERWISE NOT CONFIDENT IN WHAT THEY ARE DOING “Tim Toady” - There's more than one way to do it. As the old saying goes, there is more than one way to skin a cat. Well, on pfSense there are quite a few different ways to go about setting it up for using it with AirVPN. I want to make this clear up front that this tutorial is not the only way to set this up. I'm not going to cover them all, in fact I'm not going to cover any other method than the one I believe to be the safest, easiest and most noob proof. I have added in a few steps (Dropping all states and preventing the gateway from re-routing if the VPN drops as well as blocking all other DNS other than the one we intend to use – the AirVPN DNS or otherwise) that go beyond just “getting it to work” because they further secure the setup for VPN uses. I consider these basic security precautions part of a basic guide to using a VPN, not a later addendum. I intended this to be educational to those who don't know or are not quite confident in what they are doing. If this does not suit your uses or you have your own security policies you choose to follow, you are free to play with my settings as you see fit or use a different guide. If you have constructive criticism or insight on further security policies I’d love to hear it. This tutorial was never intended for experienced users who just wanted to get OpenVPN going. It was meant to give someone who has no previous experience with a commercial firewall the tools they need to make the jump away from weak and insecure consumer grade equipment. The focus will continue to be with that in mind. ON THE SUBJECT OF DNS LEAKS NOTE: READ AND UNDERSTAND THIS IN IT'S ENTIRETY DNS leaks are not an "issue" on pfSense or its core underlying operating system, FreeBSD. DNS leaks are primarily an issue on Windows operating system. If pfSense is set correctly, the OPERATING SYSTEM will not leak a DNS request. If we tell an interface to use a specific DNS server, it will. It (pfSense) will not send a request out of an alternate interface or gateway. That being said, an uninformed user, foreign hardware (mobile devices etc) or program may try to contact an alternate DNS server from behind the firewall. This can be harmless (an uninformed user contacting an external DNS), or this could be a malicious attack (DNS Hijacking or DNS Rebinding Attack). This is not a fault of pfSense, and the following scenario can happen on ANY platform. A virus, worm, or malicious browser code could hijack and reroute the DNS request to a poisoned or malicious server. This could lead to you seeing an incorrect hijacked web page and could be an attempt to expose you by an adversary. I have added this consideration to the firewall rules that protect against this. IT SHOULD BE NOTED HOWEVER THAT EVEN IF A USER OR PROGRAM SOMEHOW USED AN ALTERNATE EXTERNAL DNS, IT IS NOT A "LEAK" IN THE SAME SENSE THAT IS OFTEN DISCUSSED ON THE AIRVPN.ORG FORUMS. That type of leak requires that a DNS request would leave your network on an interface other than the one you intended (In our case this would mean it would leave an interface other than the AirVPN_LAN or AirVPN_WAN). In the event that a program (malicious or not) sent out a request to an EXTERNAL DNS server other than AirDNS, if all of our settings are set correctly it would still go through the VPN we have set up. While this prevents an outside observer from knowing exactly who is sending the DNS requests, it does not stop this alternate DNS from replying with a poisoned site. The only real way a DNS LEAK would happen is through user error with the DNS Forwarder settings. WE CANNOT SHARE THE DNS FORWARDER BETWEEN CLEAR-NET AND VPN CONFIGURED INTERFACES. Even though we will configure DNS for VPN interfaces through DHCP, at this point (and without further intervention) the DNS forwarder is still ACCESSIBLE from any device behind a VPN configured interface. We need to manually block this availability to prevent devices from unknowingly causing leaks. If you have a wireless network behind a VPN interface, and a mobile device with a manually configured DNS of 192.168.1.1 entered the network, it would cause a DNS leak unless we create a firewall rule to block such connectivity. THIS COULD POTENTIALLY EXPOSE THE VPN USER WITHOUT SUCH A RULE. The way the DNS forwarder works is it sends queries to and then collects (caches) information from all DNS servers entered on the general settings page. If you were to use VPN and Clear-net DNS, it would send requests potentially inside and outside (or just outside) the VPN tunnel. Avoiding this has been covered in the guide, where I explain two steps to isolate VPN DNS requests from those of clear-net requests - how to set the DNS servers for VPN interfaces through DHCP and firewall rules to block all DNS requests to anything that we do not explicitly allow, including the built in DNS forwarder. These blocks are necessary to prevent accidental or malicious DNS leaks and hijacking. As a bonus, I have added a section at the end of the “Setting Up the DNS Forwarder” section describing how to verify your DNS settings are working within the firewall. I also added instructions at the very end of the tutorial for Windows and Wine users on how to internally and externally test for DNS leaks. ON THE SUBJECT OF IP LEAKS When using a VPN configured interface according to the steps in this guide, If the VPN fails, all states are cleared and the connection is severed. Even if the connection somehow did not drop, the “Block All” firewall rule which is addressed in this guide will block any attempts for a connection that does not go out the AirVPN_WAN gateway. In this, redundancies are in place to block IP leaks. Why multiple Network Interface Cards? Why use both clear-net and AirVPN? Why not force all traffic through the VPN? These questions can all be summed up into one answer. I have many devices and many users connected in my residence. I needed a method to divide, isolate, protect and route these devices and users. With the use of multiple subnets on multiple NIC's I can achieve this while also maintaining very specific firewall rules for each interface. As an example, one setup I have used was as follows: WAN LAN XBOX VOIP AirVPN_WAN AirVPN_LAN_1 AirVPN_LAN_2 AirVPN_LAN_3 AirVPN_LAN_4 I needed a setup that allowed Clear-Net access for the Firewall, LAN (to ensure connectivity even if the VPN goes down), XBOX and VOIP interfaces, while requiring the AirVPN_LAN interfaces to route through my AirVPN OpenVPN client. This also required no leaks, either IP or DNS. This guide accomplishes that by explaining how to set up one interface for clear-net and another for VPN access. This can then be extrapolated for additional interfaces of either sort. I do not suspect the average user will go the same route as I have (having 8+ NIC's), but quad port NIC's and motherboards that include quad port NIC's and on board low power VGA are becoming common and recommended for this use. What kind of hardware can run pfSense? While the quick answer is “pretty much any pc equipment” there are many considerations for this such as cost of hardware, energy efficiency and how it will be used. Will you use packages such as Snort? How much memory is really required? How “fast” is your internet connection? How long do you intend to use this? At the time of this writing, I personally recommend Rangely or Avoton (Rangely is intended for network devices, Avoton has turbo boost) based Intel Atom boards or the newest generation of Xeon E3 12X0 V3 processors(Ones without graphics on the chip). There is a number of motherboards from SuperMicro and ASRock that have Quad Port Intel Server Class NIC's built onto the board as well as having built on VGA. I cannot stress how much and why I recommend these. Having those on board saves a lot of money and hassle as many cheap motherbord NIC's are not supported as where the Intel Server NIC's are well supported. Those processors also have built in encryption “instructions” (AES-NI, RDRAND) that OpenVPN/OpenSSL can take advantage of and they are quite energy efficient. Energy efficiency must be considered, as the cost of electricity to run an older piece of hardware could easily pay itself off in 1-2 years of running. There certainly is nothing wrong with using equipment you have laying around, however I do not advocate seeking for purchase or “upgrading” old hardware in any way. I consider it a waste of money when considering performance and electrical/upgrading costs over that of new hardware. Ultimately you must decide what you want, what you need and how much to spend on the build. (Eventually I will post links to the hardware I suggest with a more in depth explanation of why) A general disclaimer about this guide I wrote this guide under my own free will and provide it for all to use. I am not in any way affiliated with pfSense, AirVPN or any of the hardware manufacturers mentioned in this article. This guide was formed from research, trial and error and extensive testing. I make no guarantee of this article's accuracy further than to say it works for me. Under no circumstance will myself or any of the previously mentioned entities be responsible for your choice to use this guide, successes or failures in using it, or any further support. Like anything in life, you should research accordingly and use your best judgement. Last but not least, I want to say thank you to user Refresh for his participation and support in the making of this, which without that support this may not have been possible! Time to get started!

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE***** pfSense 2.3 WAS RELEASED APRIL 12, 2016 WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3 THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST pfSense_fan's Guide How To Set Up pfSense 2.1 for AirVPN Using Three or more NIC's Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!! Table of Contents: PrefaceUnderstanding Certificates and OpenVPN Config Files on pfSenseUnderstanding OpenVPN Settings on pfSenseStep 1: Entering our AirVPN CA (Certificate Authority)Step 2: Entering our AirVPN Certificate and KeyStep 3: Setting up the OpenVPN ClientStep 4: Assigning the OpenVPN InterfaceStep 5: Setting up the AirVPN GatewayStep 6: Setting up the DNS ForwarderStep 7: Setting up the LAN InterfaceStep 8: Setting up the AirVPN_LAN InterfaceStep 9: Setting Misc Advanced Options (Optional)Step 10: Setting Bootloader and System Tunables (Optional)Step 11: Setting Advanced OpenVPN Options (Optional)Alternate Step 6+7 For Dual (Two) NIC installs