pfSense_fan
Reputation Activity

  1. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    pfSense_fan's Guide
    How To Set Up pfSense 2.3 for AirVPN
    Guide is updated to pfSense Version 2.3
    This guide will work on 2 or more interfaces.
    Please inform me of any and all errors found!
     Feedback is appreciated! Please rate this post or leave a comment to share if this worked for you!
    Table of Contents:
    Step 1: Disable IPv6 System Wide
    Step 2: Entering our AirVPN CA, Certificate and Key
    General Settings and Preparation
    Step 3: Setting up the OpenVPN Client
    Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway
    Step 5: IP and Port Alias Creation to Aid Interface Setup
    Step 6: Setting up an AirVPN Routed Interface
    Step 7: General Settings, Advanced Settings and Other Tweaks
    Step 8: Setting up the DNS Resolver
  2. Like
    pfSense_fan got a reaction from refresh in VPN DNS and pfSense issue   ...
    The "EEE" or Energy Efficient Ethernet tweak has nothing to do with DNS. It can cause issues with DHCP though.
     
    I too have had intermittent access to ipleak.net. I have chalked it down to using DNSSEC in combination with Air's DNS servers.
     
    Turning DNSSEC completely off and letting the system DNS cache enough time to clear fixes it, as does using another DNS Server.
  3. Like
    pfSense_fan got a reaction from Casper31 in How To Set Up pfSense 2.3 for AirVPN   ...
    After setting it up, how long did you let the DNS Resolver (Unbound) run before attempting to change a setting? DNSSEC requires a bit of time to negotiate. Another possibility is that DNSSEC is not available on all air servers, I can't be sure of that. I do use these settings so I know they work.
     
    That being said the only appreciable difference between that guide and mine is DNSSEC. I am considering removing DNSSEC from the basic guide and moving the option to an additional/optional step.
  5. Like
    pfSense_fan got a reaction from onebarrell in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 8: Setting Up the DNS Resolver
    Step 8-A: Setting the DNS Resolver Options
    1.) Go to: Services: DNS Resolver
    http://192.168.1.1/services_unbound.php -or- https://192.168.1.1/services_unbound.php Set as Follows:
     
    General DNS Resolver Options
      Enable = [✔] Enable DNS Resolver (CHECKED)
      Listen Port = [______] (Empty/Blank)
      Network Interfaces = [ All ] (WAN, AirVPN_LAN, AirVPN_WAN)  NOTE: YOU MAY LEAVE THIS SETTING AS IT IS, DEFAULT, WITH "ALL" SELECTED
      Outgoing Network Interfaces = [ AirVPN_WAN ]  NOTE: THIS SETTING MUST BE ALTERED. ENSURE ONLY AirVPN_WAN IS SELECTED
      System Domain Local Zone Type = [ Transparent ▼]
      DNSSEC = [✔] (CHECKED)
      DNS Query Forwarding = [✔] (CHECKED)
      DHCP Registration = [✔] (CHECKED)
      Static DHCP = [✔] (CHECKED)
      Display Custom Options = [☼ Display Custom Options ] <-- CLICK TO EXPOSE OPTIONS BOX
      Custom options = (Copy and Paste)
          server:
          private-address: 127.0.0.0/8
        This setting is for DNS Rebinding protection in the 127.0.0.0/8 localhost zone.

    2.) Click [save]
    Step 8-B: Setting the DNS Resolver Advanced Options
    1.) Go to: Services: DNS Resolver: Advanced
    http://192.168.1.1/services_unbound_advanced.php -or- https://192.168.1.1/services_unbound_advanced.php Set as Follows:
     
    Advanced Resolver Options
      Hide Identity = [✔] (CHECKED)
      Hide Version = [✔] (CHECKED)
      Prefetch Support = [✔] (CHECKED)
      Prefetch DNS Key Support = [✔] (CHECKED)
      Harden DNSSEC data = [✔] (CHECKED)
      Message Cache Size = [ 512MB ▼]
      Outgoing TCP Buffers = [ 10 ▼]
      Incoming TCP Buffers = [ 10 ▼]
      EDNS Buffer Size = [ 4096 ▼]
      Number of Queries per Thread = [ 512 ▼]
      Jostle Timeout = [ 200 ▼]
      Maximum TTL for RRsets and Messages = [ 86400 ]
      Minimum TTL for RRsets and Messages = [ 0 ]
      TTL for Host Cache Entries = [15 Minutes ▼]
      Number of Hosts to Cache = [ 10,000 ▼]
      Unwanted Reply Threshold = [ disabled ▼]
      Log level = [ 1 ▼] (Or whatever you prefer, higher if you want to troubleshoot)
      Disable Auto-added Access Control = [_] (UNCHECKED)
      Experimental Bit 0x20 Support = [_] (UNCHECKED)  NOTE: It is perfectly safe to use this option if you so choose to. Be aware, however, that this option breaks ipleak.net.

    2.) Click [save]
     
    3.) Click [Apply Changes]
     
    4.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php

    5.) Click [Yes] to Reboot
    Step 8-C: Verifying Our DNS Settings (Optional Step)
     Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built in feature of the firewall.
     
    1.) Go to: Diagnostics > DNS Lookup
    http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php Set as Follows:
    Hostname or IP = [ airvpn.org ]
     
    2.) Click [ Lookup ]
     
    3.) Verify the results:
    Hostname or IP = [ airvpn.org ] = 5.196.64.52
    If 5.196.64.52 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.
    That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running! I hope this guide helps you! Don't forget to back up your settings you just spent all this time setting up!
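    As an added example (not part of pfSense_fan's guide), here is a small Python audit script that reads an Unbound configuration of the kind pfSense renders from the Step 8 pages and reports anything that would let DNS traffic leave outside the tunnel or weaken the settings above: outgoing interfaces other than AirVPN_WAN, DNSSEC or the hide/harden options off, Bit 0x20 on, the custom private-address line missing, or forwarding to a server other than AirVPN's 10.4.0.1. The two sample configs are constructed, and the tunnel address 10.4.12.34 is an assumed placeholder.

```python
"""Audit an Unbound config against the Step 8 leak-resistant settings.
Added example, not part of pfSense_fan's guide. Both config samples are
constructed to resemble what pfSense renders from the DNS Resolver pages;
10.4.12.34 is an assumed AirVPN_WAN tunnel address and 10.4.0.1 is the
AirVPN DNS server entered in Step 7-A."""
from collections import defaultdict

VPN_DNS = "10.4.0.1"  # DNS Server 1 from Step 7-A (General Setup)

# Constructed: Outgoing Network Interfaces left on "All", DNSSEC off,
# public forwarder. Queries can leave via the WAN address 203.0.113.10.
LEAKY_CONF = """\
server:
  outgoing-interface: 203.0.113.10
  outgoing-interface: 10.4.12.34
  hide-identity: no
  hide-version: no
  harden-dnssec-stripped: no
  use-caps-for-id: yes
  module-config: "iterator"
forward-zone:
  name: "."
  forward-addr: 8.8.8.8
"""

# Constructed: what Steps 8-A/8-B produce (outgoing only via AirVPN_WAN,
# DNSSEC on, hide identity/version, Bit 0x20 off, the custom
# private-address line, forwarding to AirVPN DNS).
HARDENED_CONF = """\
server:
  outgoing-interface: 10.4.12.34
  hide-identity: yes
  hide-version: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: no
  module-config: "validator iterator"
  private-address: 127.0.0.0/8
forward-zone:
  name: "."
  forward-addr: 10.4.0.1
"""


def parse_unbound(text):
    """Parse unbound.conf into {section: [block, ...]}, each block a
    {key: [values]} dict; forward-zone: may repeat, hence the list."""
    sections = defaultdict(list)
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # e.g. "server:"
            block = defaultdict(list)
            sections[line[:-1]].append(block)
        elif block is not None and ":" in line:
            key, value = line.split(":", 1)
            block[key.strip()].append(value.strip().strip('"'))
    return sections


def audit(conf, vpn_addrs, vpn_dns=VPN_DNS):
    """Return findings (empty list = matches Step 8). vpn_addrs are the
    AirVPN_WAN addresses, the only ones allowed as outgoing-interface."""
    server = defaultdict(list)
    for blk in conf.get("server", []):
        for key, vals in blk.items():
            server[key].extend(vals)
    last = lambda key, default: server[key][-1] if server[key] else default
    findings = []
    outgoing = set(server["outgoing-interface"])
    if not outgoing:
        findings.append("no outgoing-interface: queries may leave via WAN")
    elif not outgoing <= set(vpn_addrs):
        findings.append("outgoing-interface includes non-VPN address(es): %s"
                        % sorted(outgoing - set(vpn_addrs)))
    for key in ("hide-identity", "hide-version", "harden-dnssec-stripped"):
        if last(key, "no") != "yes":
            findings.append("%s should be yes" % key)
    if "validator" not in last("module-config", ""):
        findings.append("DNSSEC validator module not enabled")
    if last("use-caps-for-id", "no") == "yes":
        findings.append("use-caps-for-id (Bit 0x20) on; the guide notes it breaks ipleak.net")
    if "127.0.0.0/8" not in server["private-address"]:
        findings.append("private-address 127.0.0.0/8 missing (custom option from 8-A)")
    roots = [b for b in conf.get("forward-zone", []) if b["name"][:1] == ["."]]
    if not roots:
        findings.append("no forward-zone for '.': not forwarding to AirVPN DNS")
    else:
        bad = [a for b in roots for a in b["forward-addr"]
               if a.split("@")[0] != vpn_dns]
        if bad:
            findings.append("forward-addr outside AirVPN DNS: %s" % bad)
    return findings
```

    Run it against the rendered config with `audit(parse_unbound(open(path).read()), {"<AirVPN_WAN address>"})`; an empty list means the resolver only talks to AirVPN's DNS through the tunnel.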
  6. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 7: General Settings, Advanced settings and Other Tweaks
    Step 7-A: System / General Setup
    NOTE: Here we will set a system wide DNS which the Resolver (Unbound) will use in forwarding mode using AirVPN’s internal DNS servers.
    With this method all requests to the built-in DNS in pfSense, including requests from pfSense itself, will go through AirVPN’s DNS. To use this method you MUST use direct entry IP addresses in the OpenVPN configuration, as your pfSense appliance will not be capable of resolving a domain name prior to the VPN tunnel being up. This method also means that if the VPN is down, there will be no DNS resolution for any client on the system, even ones not using the VPN, unless an alternate DNS is handed to it via DHCP or manually programmed. Alternate DNS servers, inside or outside of the VPN, can be configured in the DHCP section on a per-interface basis, or more finely on a static DHCP reservation, with corresponding firewall rules and outbound NAT if needed.
     
    1.) Go to: System / General Setup
    http://192.168.1.1/system.php -or- https://192.168.1.1/system.php and set as follows:
    NOTE 1: You may set the hostname and domain to whatever you like, however if you do not know what this does, leave it alone
    NOTE 2: For more information on NTP pools or more accurate servers see: How do I use pool.ntp.org?
    NOTE 3: Settings in the "webConfigurator" section are not covered here because they are purely optional
    System
      Hostname = [ pfsense ] (default)
      Domain = [ localdomain ] (default)
    DNS Servers Settings
      DNS Server 1 = [ 10.4.0.1 ] (Address)  [ none ▼] (Gateway)
      DNS Server 2 = [ ]  [ none ▼]
      DNS Server 3 = [ ]  [ none ▼]
      DNS Server 4 = [ ]  [ none ▼]
      DNS Server Override = [_] (UNCHECKED)
      Disable DNS Forwarder = [_] (UNCHECKED)
    Localization
      Time zone = [ WHATEVER ZONE IS BEST FOR YOU ▼]
      Timeservers = [ 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org ] (COPY AND PASTE)
      Language = [ English ▼] (Or whatever else you want, obviously)
    webConfigurator
      ...
      ...

    2.) Click [save]
    Step 7-B: System / Advanced / Firewall and NAT
    1.) Go to: System / Advanced / Firewall and NAT
    http://192.168.1.1/system_advanced_firewall.php -or- https://192.168.1.1/system_advanced_firewall.php and set as follows: 
    Firewall Advanced
      IP Do-Not-Fragment compatibility = [_] (UNCHECKED)
      IP Random id generation = [_] (UNCHECKED)
      Firewall Optimization Options = [ Conservative ▼] (By using a VPN, we add latency. Change this to compensate)
      Disable Firewall = [_] (UNCHECKED)
      Disable Firewall Scrub = [_] (UNCHECKED)
      Firewall Adaptive Timeouts = [______] (BLANK)
      Firewall Maximum States = [ 2000000 ]
      Firewall Maximum Table Entries = [ 2000000 ]
      Firewall Maximum Fragment Entries = [______] (BLANK)
      Static route filtering = [_] (UNCHECKED)
      Disable Auto-added VPN rules = [✔] (CHECKED)
      Disable reply-to = [_] (UNCHECKED)
      Disable Negate rules = [✔] (CHECKED)
      Aliases Hostnames Resolve Interval = [ 86400 ] (86400 seconds = 24 hours/1 day)
      Check certificate of aliases URLs = [✔] (CHECKED)
    NOTE: NO SETTINGS BELOW THIS POINT ON THIS PAGE WERE ALTERED FROM DEFAULT

    2.) Click [save]
    Step 7-C: System / Advanced / Miscellaneous
    1.) Go to: System / Advanced / Miscellaneous
    http://192.168.1.1/system_advanced_misc.php -or- https://192.168.1.1/system_advanced_misc.php and set as follows:
     
    Proxy Support
      Proxy URL = [____________] (BLANK)
      Proxy Port = [____________] (BLANK)
      Proxy Username = [____________] (BLANK)
      Proxy Password = [____________] (BLANK)
    Load Balancing
      Load Balancing = [_] Use sticky connections (UNCHECKED)
      Default gateway switching = [_] Enable default gateway switching (UNCHECKED)
    Power savings
      PowerD = [✔] Enable PowerD (CHECKED)
      On AC Power Mode = [ Adaptive ▼] (Or Hiadaptive if preferred)
      On Battery Power Mode = [ Adaptive ▼] (Or other if preferred)
      On Unknown Power Mode = [ Adaptive ▼] (Or other if preferred)
    Cryptographic & Thermal Hardware
      Cryptographic Hardware = [ AES-NI CPU-based Acceleration (aesni) ▼]
      Thermal Sensors = [ None/ACPI ▼] (Or choose Intel or AMD based on the processor you have)
    Schedules
      Schedule States = [_] (UNCHECKED)
    Gateway Monitoring
      State Killing on Gateway Failure = [✔] (CHECKED)
      Skip rules when gateway is down = [✔] (CHECKED)
    RAM Disk Settings (Reboot to Apply Changes)
      NOTE: RAM DISKS CAUSE AN ISSUE WHEN USED WITH PFBLOCKER/DNSBL PACKAGE CAUSING UNBOUND NOT TO START. DO NOT USE RAM DISKS IF YOU PLAN TO USE PFBLOCKERNG
      Use RAM Disks = [_] (UNCHECKED)
      ....
      ....
    Hardware Settings
      Hard disk standby time = [_] (UNCHECKED)
    Installation Feedback
      Host UUID = [✔] (CHECKED)

    2.) Click [save]
    Step 7-D: Block & Do Not Log
    IPv6 Floating Firewall Rule
    1.) Go to: Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select the "Floating" tab.
    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "BLOCK & DO NOT LOG IPv6".
     
    Set as follows:
    Edit Firewall Rule
      Action = [ Block ▼]
      Disabled = [_] (UNCHECKED)
      Quick = [✔] (CHECKED)
      Interface = [ WAN, AirVPN_LAN, OpenVPN, etc. ]  NOTE: SELECT ALL INTERFACES ON YOUR SYSTEM UNLESS YOU WANT IPv6. HARDWARE MAY DIFFER SO YOU MAY HAVE MORE INTERFACES THAN SHOWN HERE. REGARDLESS OF HOW MANY, SELECT ALL!!!!
      Direction = [ any ▼]
      Address Family = [ IPv6 ▼]
      Protocol = [ any ▼]
    Source
      Source = [_] Invert match.  [ any ▼]  [ ]/[--- ▼]
    Destination
      Destination = [_] Invert match.  [ any ▼]  [ ]/[--- ▼]
    Extra Options
      Log = [_] (UNCHECKED)
      Description = [ BLOCK & DO NOT LOG IPv6 ]
      Advanced Options = [☼ Display Advanced ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Firewall: Rules | Floating |
      Proto  | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
      IPv6 * | *      | *    | *           | *    | *       | None  |          | BLOCK & DO NOT LOG IPv6
  7. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 6: Setting up an AirVPN Routed Interface
    Step 6-A: Configuring the AirVPN_LAN Interface
    1.) Go to Interfaces / LAN
    http://192.168.1.1/interfaces.php?if=lan -or- https://192.168.1.1/interfaces.php?if=lan Set as follows:
    NOTE: Interface is renamed due to its use only through AirVPN and to avoid later confusion.
    General configuration
      Enable = [√] (CHECKED)
      Description = [ AirVPN_LAN ]
      IPv4 Configuration Type = [ Static IPv4 ▼]
      IPv6 Configuration Type = [ None ▼]
      MAC Address = [______________] (Blank/Empty)
      MTU = [______________] (Blank/Empty)
      MSS = [______________] (Blank/Empty)
      Speed and Duplex = [ autoselect ▼]
    Static IPv4 Configuration
      IPv4 Address = [ 192.168.1.1 ] / [ 24 ▼]
      IPv4 Upstream gateway = [ none ▼]
    Reserved Networks
      Block Private Networks = [_] (UNCHECKED!!!)
      Block Bogon Networks = [_] (UNCHECKED!!!)

    2.) Click [ Save ]
     
    3.) Click [Apply Changes]
     
    Step 6-B: Setting up the DHCP Server for the AirVPN_LAN Interface
    1.) Go to: Services / DHCP server
    http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php

    2.) Ensure the "AirVPN_LAN" tab is selected
     
    3.) Set as follows: (NOTE: Some of these options may already be set by default, change as needed.)
    General Options
    Enable = [✔] (CHECKED)
    Deny unknown clients = [_] (UNCHECKED)
    Ignore denied clients = [_] (UNCHECKED)
    Subnet = 192.168.1.0
    Subnet mask = 255.255.255.0
    Available range = 192.168.1.1 - 192.168.1.254
    Range = From [ 192.168.1.100 ]  To [ 192.168.1.199 ]

    Additional Pools <----- NOTHING CHANGED HERE
    Add = [+ Add pool ]
    (Pool Start / Pool End / Description / Actions list stays empty)

    Servers
    WINS servers = [______________________]
                   [______________________]
    DNS servers = [ 192.168.1.1 ]
                  [______________________]
                  [______________________]
                  [______________________]

    Other Options
    Gateway = [______________________]
    Domain name = [______________________]
    Domain search list = [______________________]
    Default lease time = [______________________]
    Maximum lease time = [______________________]
    Failover peer IP = [______________________]
    Static ARP = [_] (UNCHECKED)
    Time format change = [_] (UNCHECKED)
    Statistics graphs = [_] (UNCHECKED)
    Dynamic DNS = [☼ Display Advanced ]
    MAC address control = [☼ Display Advanced ]
    NTP = [☼ Display Advanced ] <--CLICK THIS, IT CHANGES TO --> [☼ Hide Advanced ]
        NTP Server 1 = [ 192.168.1.1 ]
        NTP Server 2 = [ ]
    TFTP = [☼ Display Advanced ]
    LDAP = [☼ Display Advanced ]
    Additional BOOTP/DHCP Options = [☼ Display Advanced ]

    Network Booting <---- (Nothing changed here, do not expand)

    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
     
    Step 6-C: Setting up the Outgoing NAT for the AirVPN_LAN Interface
      
    NOTE: THIS STEP REQUIRES THAT YOU HAVE ALREADY FOLLOWED THE OUTBOUND NAT INSTRUCTIONS FOUND IN "Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway".
     
    1.) Go to: Firewall / NAT / Outbound
    http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php  
    2.) Click the [ ↑ Add ] button to the bottom right that has an upward facing arrow for "Add new mapping to the top of the list".
     
    3.) Set as follows:
    Edit Advanced Outbound NAT Entry
    Disabled = [_] (unchecked)
    Do not NAT = [_] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ any ▼]
    Source = [ Network ▼] [ 192.168.1.0 ]/[ 24 ▼]  Source port = [__________]
    Destination = [ Any ▼] [___________________________________]/[--- ▼]  Destination port = [__________]
    [_] Not (unchecked)

    Translation
    Address = [ Interface Address ▼]
    Port = [______________________________]  [_] Static-port (empty/unchecked)

    Misc
    No XMLRPC Sync = [_] (unchecked)
    Description = [ AirVPN_LAN to AirVPN_WAN ]

    4.) Click [ SAVE ]
     
    5.) Click [ Apply Changes ]
    Your Outbound NAT should look like this at this point. Order is important! Your rules should appear EXACTLY like this, in this order.

    Mappings:
    | Interface  | Source         | Source Port | Destination | Destination Port | NAT Address        | NAT Port | Static Port | Description                          |
    |------------|----------------|-------------|-------------|------------------|--------------------|----------|-------------|--------------------------------------|
    | AirVPN_WAN | 192.168.1.0/24 | *           | *           | *                | AirVPN_WAN Address | *        | ><          | AirVPN_LAN to AirVPN_WAN             |
    | AirVPN_WAN | 127.0.0.0/8    | *           | *           | *                | AirVPN_WAN Address | *        | ><          | localhost to AirVPN_WAN              |
    | WAN        | 127.0.0.0/8    | *           | *           | *                | WAN Address        | *        | ><          | Auto created rule - localhost to WAN |

    Step 6: Setting Basic Firewall Rules for the AirVPN_LAN Interface
    The following steps control/redirect ALL DNS and NTP requests,
    define allowed local networks and services/ports,
    enforce the policy based routing (tell outbound traffic to go through the VPN)
    and define allowed outgoing networks and services/ports.
      
    To redirect all DNS and NTP requests on the interface, we actually have to create two port forwarding rules. Those rules have an option to automatically create an associated firewall rule with them, which we will take advantage of. We will start with the port forward rules, then create the rest of the firewall rules manually.
     
    Step 6-D: First AirVPN_LAN Firewall Rule
    "AirVPN LAN DNS REDIRECT"
      
    The first AirVPN_LAN firewall rule is actually a port forward + associated firewall rule that will redirect all DNS requests on this interface to the DNS server of our choice. In the interests of the majority of AirVPN users and for the purposes of this guide, this rule will force all users on this interface to use the DNS Resolver, and hence the servers we entered on the General Settings page (AirVPN's DNS), even if they have a manually configured or hard-coded DNS.
     
    1.) Go to Firewall / NAT / Port Forward
    http://192.168.1.1/firewall_nat.php -or- https://192.168.1.1/firewall_nat.php
    2.) Click the [ ↓ Add ] button on the bottom right (when moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN LAN DNS REDIRECT".
     
    Set as follows:
    Edit Redirect Entry
    Disabled = [_] (UNCHECKED)
    No RDR (NOT) = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Protocol = [ TCP/UDP ▼]
    Source = [☼ Display Advanced ] (CLICK TO SHOW ADVANCED OPTIONS)
    Source = [_] Invert match. (UNCHECKED)  [ AirVPN_LAN net ▼] [----------]/[--▼]
    Source port range = From port [ Any ▼] [----------]  To port [ Any ▼] [----------]
    Destination = [✔] Invert match. (CHECKED)  [ AirVPN_LAN address ▼] [----------]/[--▼]
    Destination port range = From port [ DNS ▼] [----------]  To port [ DNS ▼] [----------]
    Redirect target IP = [ 192.168.1.1 ]
    Redirect target port = [ DNS ▼] [------------------]
    Description = [ AirVPN LAN DNS REDIRECT ]
    No XMLRPC Sync = [_] (UNCHECKED)
    NAT reflection = [ Use System Default ▼]
    Filter rule association = [ Add a new associated filter rule ▼]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Step 6-E: Second AirVPN_LAN Firewall Rule
    "AirVPN LAN NTP REDIRECT"
      
    The Second AirVPN_LAN firewall rule is actually a port forward + associated firewall rule that will redirect all NTP requests on this interface to the NTP server of our choice. This rule will redirect all NTP requests to pfSense even if the client/device has a hard coded NTP server programmed.
     
    1.) Go to Firewall / NAT / Port Forward
    http://192.168.1.1/firewall_nat.php -or- https://192.168.1.1/firewall_nat.php
    2.) Click the [ ↓ Add ] button on the bottom right (when moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN LAN NTP REDIRECT".
     
    Set as follows:
    Edit Redirect Entry
    Disabled = [_] (UNCHECKED)
    No RDR (NOT) = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Protocol = [ UDP ▼]
    Source = [☼ Display Advanced ] (CLICK TO SHOW ADVANCED OPTIONS)
    Source = [_] Invert match. (UNCHECKED)  [ AirVPN_LAN net ▼] [----------]/[--▼]
    Source port range = From port [ Any ▼] [----------]  To port [ Any ▼] [----------]
    Destination = [✔] Invert match. (CHECKED)  [ AirVPN_LAN address ▼] [----------]/[--▼]
    Destination port range = From port [ NTP ▼] [----------]  To port [ NTP ▼] [----------]
    Redirect target IP = [ 192.168.1.1 ]
    Redirect target port = [ NTP ▼] [------------------]
    Description = [ AirVPN LAN NTP REDIRECT ]
    No XMLRPC Sync = [_] (UNCHECKED)
    NAT reflection = [ Use System Default ▼]
    Filter rule association = [ Add a new associated filter rule ▼]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Step 6-F: Third AirVPN_LAN Firewall Rule
    "ALLOW_LOCAL_ICMP"
      
    *NOTE: You should have two default firewall rules already set, as well as the two associated firewall rules created by our DNS and NTP redirect port forwards. The two default rules are the “anti-lockout” rule and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. DELETE THE "DEFAULT ALLOW LAN TO ANY" RULE AT THIS TIME.
     
    1.) Go to Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "ALLOW LOCAL ICMP".
     
    3.) Set as follows:
    Edit Firewall Rule
    Action = [ Pass ▼]
    Disabled = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Address Family = [ IPv4 ▼]
    Protocol = [ ICMP ▼]
    ICMP type = [ any ▼]

    Source
    Source = [_] Invert match.  [ AirVPN_LAN net ▼] [ ]/[--- ▼]

    Destination
    Destination = [_] Invert match.  [ Single host or alias ▼] [ PRIVATE_NETWORKS ]/[--- ▼]

    Extra Options
    Log = [_] (UNCHECKED)
    Description = [ ALLOW LOCAL ICMP ]
    Advanced Options = [☼ Display Advanced ] ( --NO ADVANCED OPTIONS ARE SET ON THIS RULE-- )

    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
    Firewall Rule #3 - ALLOW LOCAL ICMP   | AirVPN_LAN |
    | Proto     | Source         | Port | Destination      | Port | Gateway | Queue | Schedule | Description      |
    |-----------|----------------|------|------------------|------|---------|-------|----------|------------------|
    | IPv4 ICMP | AIRVPN_LAN net | *    | PRIVATE_NETWORKS | *    | *       | None  |          | ALLOW LOCAL ICMP |

    Step 6-G: Fourth AirVPN_LAN Firewall Rule
    "AirVPN_LAN_LOCAL_IP_MULTICAST"
      
    1.) Go to: Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN_LAN IP MULTICAST".
     
    3.) Set as follows:
    Edit Firewall Rule
    Action = [ Pass ▼]
    Disabled = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Address Family = [ IPv4 ▼]
    Protocol = [ any ▼]

    Source
    Source = [_] Invert match.  [ AirVPN_LAN net ▼] [ ]/[--- ▼]

    Destination
    Destination = [_] Invert match.  [ Single host or alias ▼] [ LOCAL_IP_MULTICAST ]/[--- ▼]

    Extra Options
    Log = [_] (UNCHECKED)
    Description = [ AirVPN_LAN IP MULTICAST ]
    Advanced Options = [☼ Display Advanced ]

    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
    Firewall Rule #4 - AirVPN_LAN IP MULTICAST   | AirVPN_LAN |
    | Proto | Source         | Port | Destination        | Port | Gateway | Queue | Schedule | Description             |
    |-------|----------------|------|--------------------|------|---------|-------|----------|-------------------------|
    | IPv4* | AIRVPN_LAN net | *    | LOCAL_IP_MULTICAST | *    | *       | None  |          | AirVPN_LAN IP MULTICAST |

    Step 6-H: Fifth AirVPN_LAN Firewall Rule
    "ALLOW_LOCAL_SERVICES"
      
    *NOTE: You should have two default firewall rules already set: the “anti-lockout” rule and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule, it is up to you. If you are unsure of what you are doing, just delete it and create new rules from scratch.
     
    1.) Go to Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) Click the [↓ Add] on the right to "Add New Rule" and create a rule we will title "ALLOW LOCAL SERVICES".
     
    3.) Set as follows:
    Edit Firewall Rule
    Action = [ Pass ▼]
    Disabled = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Address Family = [ IPv4 ▼]
    Protocol = [ TCP/UDP ▼]

    Source
    Source = [_] Invert match.  [ AirVPN_LAN net ▼] [ ]/[--- ▼]
    Display Advanced = [☼ Display Advanced ] <--CLICK, WILL TURN INTO--> [☼ Hide Advanced ] and expose next steps
    Source port range = From [ (other) ▼] [ 1024 ]  To [ (other) ▼] [ 65535 ]

    Destination
    Destination = [_] Invert match.  [ Single host or alias ▼] [ PRIVATE_NETWORKS ]/[--- ▼]
    Destination port range = From [ (other) ▼] [ LAN_SERVICE_PORTS ]  To [ (other) ▼] [ LAN_SERVICE_PORTS ]

    Extra Options
    Log = [_] (UNCHECKED)
    Description = [ ALLOW LOCAL SERVICES ]
    Advanced Options = [☼ Display Advanced ]

    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
    Firewall Rule #5 - ALLOW LOCAL SERVICES   | AirVPN_LAN |
    | Proto        | Source         | Port         | Destination      | Port              | Gateway | Queue | Schedule | Description          |
    |--------------|----------------|--------------|------------------|-------------------|---------|-------|----------|----------------------|
    | IPv4 TCP/UDP | AIRVPN_LAN net | 1024 - 65535 | PRIVATE_NETWORKS | LAN_SERVICE_PORTS | *       | None  |          | ALLOW LOCAL SERVICES |

    Step 6-I: Sixth AirVPN_LAN Firewall Rule:
    "AirVPN_LAN ALLOW OUTBOUND"
      
    1.) Go to: Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "AirVPN_LAN ALLOW OUTBOUND".
     
    3.) Set as follows:
    Edit Firewall Rule
    Action = [ Pass ▼]
    Disabled = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Address Family = [ IPv4 ▼]
    Protocol = [ TCP/UDP ▼]

    Source
    Source = [_] Invert match.  [ AirVPN_LAN net ▼] [------------------]/[--- ▼]
    Display Advanced = [☼ Display Advanced ] <--CLICK, WILL TURN INTO--> [☼ Hide Advanced ] and expose next steps
    Source port range = From [ (other) ▼] [ 1024 ]  To [ (other) ▼] [ 65535 ]

    Destination
    Destination = [_] Invert match.  [ Any ▼] [------------------]/[--- ▼]
    Destination port range = From [ (other) ▼] [ WAN_SERVICE_PORTS ]  To [ (other) ▼] [ WAN_SERVICE_PORTS ]

    Extra Options
    Log = [_] (UNCHECKED)
    Description = [ AirVPN_LAN ALLOW OUTBOUND ]
    Advanced Options = [☼ Display Advanced ] <-- CLICK THIS TO EXPOSE ADVANCED OPTIONS, SEE NOTE BELOW!!!!!!

    NOTE: THERE ARE TOO MANY ADVANCED OPTIONS FOR ME TO ILLUSTRATE. WE ONLY NEED ONE SETTING IN THIS ADVANCED AREA, THE "GATEWAY" SETTING. THIS IS AN EXTREMELY IMPORTANT STEP, AS THIS OPTION DIRECTS OUR TRAFFIC THROUGH AIRVPN. FIND AND EDIT THIS OPTION TO THE FOLLOWING:

    Advanced Options
    Gateway = [ AirVPN_WAN ▼]

    4.) Click [ Save ]

    5.) Click [ Apply Changes ]
    Firewall Rule #6 - AirVPN_LAN ALLOW OUTBOUND | AirVPN_LAN |
    | Proto        | Source         | Port       | Destination | Port              | Gateway    | Queue | Schedule | Description               |
    |--------------|----------------|------------|-------------|-------------------|------------|-------|----------|---------------------------|
    | IPv4 TCP/UDP | AIRVPN_LAN net | 1024-65535 | *           | WAN_SERVICE_PORTS | AirVPN_WAN | None  |          | AirVPN_LAN ALLOW OUTBOUND |
    Step 6-J: Seventh AirVPN_LAN Firewall Rule
    "REJECT LOCAL"
    1.) Go to: Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) Click the [↓ Add] button on the bottom right (When moused over it reads "Add rule to the end of the list") and create a rule we will title "REJECT LOCAL"
     
    3.) Set as follows:
    Edit Firewall Rule
    Action = [ Reject ▼]
    Disabled = [_] (UNCHECKED)
    Interface = [ AirVPN_LAN ▼]
    Address Family = [ IPv4 ▼]
    Protocol = [ any ▼]

    Source
    Source = [_] Invert match. [ AirVPN_LAN net ▼] [ ]/[--- ▼]

    Destination
    Destination = [_] Invert match. [ Single host or alias ▼] [ PRIVATE_NETWORKS ]/[--- ▼]

    Extra Options
    Log = [✔] (CHECKED)
    Description = [ REJECT LOCAL ]
    Advanced Options = [☼ Display Advanced ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
    Firewall Rule #7 - REJECT_LOCAL | AirVPN_LAN |
    | Proto | Source         | Port | Destination      | Port | Gateway | Queue | Schedule | Description  |
    |-------|----------------|------|------------------|------|---------|-------|----------|--------------|
    | IPv4* | AirVPN_LAN net | *    | PRIVATE_NETWORKS | *    | *       | None  |          | REJECT LOCAL |
    Step 6-K: Checking That Our Firewall Rules Are In The Correct Order
    1.) Go to Firewall / Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "AirVPN_LAN" interface.
    2.) The order of the rules we just created is important!
    They should appear in this following order when viewed:
    | AirVPN_LAN |
    | Proto        | Source         | Port       | Destination        | Port              | Gateway    | Queue | Schedule | Description                 |
    |--------------|----------------|------------|--------------------|-------------------|------------|-------|----------|-----------------------------|
    | *            | *              | *          | AirVPN_LAN Address | 443, 80           | *          | *     |          | Anti_lockout Rule           |
    | IPv4 TCP/UDP | AIRVPN_LAN net | *          | 192.168.1.1        | 53 (DNS)          | *          | None  |          | NAT AirVPN LAN DNS REDIRECT |
    | IPv4 UDP     | AIRVPN_LAN net | *          | 192.168.1.1        | 123 (NTP)         | *          | None  |          | NAT AirVPN LAN NTP REDIRECT |
    | IPv4 ICMP    | AIRVPN_LAN net | *          | PRIVATE_NETWORKS   | *                 | *          | None  |          | ALLOW LOCAL ICMP            |
    | IPv4*        | AIRVPN_LAN net | *          | LOCAL_IP_MULTICAST | *                 | *          | None  |          | AirVPN_LAN IP MULTICAST     |
    | IPv4 TCP/UDP | AIRVPN_LAN net | 1024-65535 | PRIVATE_NETWORKS   | LAN_SERVICE_PORTS | *          | None  |          | ALLOW LOCAL SERVICES        |
    | IPv4 TCP/UDP | AIRVPN_LAN net | 1024-65535 | *                  | WAN_SERVICE_PORTS | AirVPN_WAN | None  |          | AirVPN_LAN ALLOW OUTBOUND   |
    | IPv4*        | AirVPN_LAN net | *          | PRIVATE_NETWORKS   | *                 | *          | None  |          | REJECT LOCAL                |

    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!
    IF YOU STILL HAVE THE DEFAULT ALLOW LAN RULE, DELETE IT!
     



     
  8. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 5: IP Network and Basic Port Alias Creation to Aid Interface Setup
    Step 5, Part 1:
    Network Aliases
    Step 5, Part 1 - A: "PRIVATE_NETWORKS" Alias (RFC 1918)
    1.) Go to: Firewall / Aliases / IP
    http://192.168.1.1/firewall_aliases.php?tab=ip -or- https://192.168.1.1/firewall_aliases.php?tab=ip
    2.) Click the [ + Add ] button for "Add a new Alias"
     
    Set as Follows:
     
    Properties
    Name = [ PRIVATE_NETWORKS ]
    Description = [ PRIVATE_NETWORKS ]
    Type = [ Network(s) ▼]

    Under the "Network(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create three entries here.
     
    Network(s)
    Network or FQDN = [ 10.0.0.0 ]/[ 8 ▼]    Description = [ https://tools.ietf.org/html/rfc1918 ]
    Network or FQDN = [ 172.16.0.0 ]/[ 12 ▼] Description = [ https://tools.ietf.org/html/rfc1918 ]
    Network or FQDN = [ 192.168.0.0 ]/[ 16 ▼] Description = [ https://tools.ietf.org/html/rfc1918 ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Step 5, Part 1 - B: "LOCAL_IP_MULTICAST" Alias (RFC 2365)
    1.) Go to: Firewall: Aliases: IP
    http://192.168.1.1/firewall_aliases.php?tab=ip -or- https://192.168.1.1/firewall_aliases.php?tab=ip
    2.) Click the [ + Add ] button for "Add a new Alias"
     
    Set as Follows:
     
    Properties
    Name = [ LOCAL_IP_MULTICAST ]
    Description = [ LOCAL_IP_MULTICAST ]
    Type = [ Network(s) ▼]

    Under the "Network(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create two entries here.
     
    Network(s)
    Network or FQDN = [ 224.0.0.0 ]/[ 24 ▼]   Description = [ https://tools.ietf.org/html/rfc2365 ]
    Network or FQDN = [ 239.255.0.0 ]/[ 16 ▼] Description = [ https://tools.ietf.org/html/rfc2365 ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
    Step 5, Part 2:
    Basic Port Aliases
    To admin our firewalls to be as secure as possible, you have to take the mindset that it is going to take a bit of effort. It starts with learning how the protocols are intended to work. In short, only ports (services) that we intend to be running should be allowed. Thankfully, pfSense makes this somewhat easy in the fact that by default EVERYTHING is blocked by pfSense unless we create a rule to allow it. I have gone out of my way to offer basic ports to enter for an "entry level" port alias that will allow you to take first steps at becoming your own personal network security admin. These ports will cover the ports (services) that clients on your networks should be allowed to use. To start off and to make this as beginner friendly as possible, the basic rules will only cover the "Well Known Ports" range of 0-1023.
     
    That being said, this step is going to require some user interaction as not everyone will have the same needs. Some people won't need an FTP port allowed on the local network, and some people might need IMAPS open on a local network if they have their own email server. Add or remove ports to these rules as needed. I fully encourage discussion in the forums so common services can be brought to everyone's attention and added to the list.
     
    With or without that discussion, here is some basic info on ports and their assignments. I encourage anyone not already familiar to read up on the subjects of:
     
    Well Known Ports: 0 through 1023
    Registered Ports: 1024 through 49151
    Dynamic/Private or Ephemeral Ports: 49152 through 65535
     
    Some quick links for further reading on the subject:
    List of TCP and UDP port numbers - Wikipedia
    Service Name and Transport Protocol Port Number Registry - iana.org
     
    THIS WILL BE THE MOST CHALLENGING PART OF THIS GUIDE, YET THIS IS ONLY A BASIC SECURITY PRECAUTION! I will offer an advanced port alias section soon that will also cover controlling the "Registered Ports" port range of 1024 - 49151.
    Step 5, Part 2 - A: "LAN_SERVICE_PORTS" Alias
    LAN Service ports are ports that clients on our network will be allowed to connect to on the local network. These connections DO NOT leave the firewall to the outside internet.
    You will need to include ports for any service you have on your LAN (Local Area Network) that falls within the "Well Known Ports" range of 0-1023.
     1.) Go to: Firewall: Aliases: IP
    http://192.168.1.1/firewall_aliases.php?tab=port -or- https://192.168.1.1/firewall_aliases.php?tab=port
    2.) Click the [ + Add ] button to "Add a new Alias"
     
    Set as Follows:
     
    Properties
    Name = [ LAN_SERVICE_PORTS ]
    Description = [ LAN_SERVICE_PORTS ]
    Type = [ Port(s) ▼]

    Under the "Port(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create multiple entries.
    PLEASE NOTE: THE SUBNET MASK DROPDOWN SELECTION DOES NOT APPLY TO PORTS ALIASES AND AS SUCH CANNOT BE SELECTED/CHANGED. IGNORE IT.
    Port(s)
    Port = [ 21 ]         [ -- ▼] Description = [ FTP control (command) ]
    Port = [ 22 ]         [ -- ▼] Description = [ Secure Shell (SSH), file transfers (scp, sftp) ]
    Port = [ 80 ]         [ -- ▼] Description = [ Hypertext Transfer Protocol (HTTP) ]
    Port = [ 161 ]        [ -- ▼] Description = [ Simple Network Management Protocol (SNMP) ]
    Port = [ 443 ]        [ -- ▼] Description = [ Hypertext Transfer Protocol over TLS/SSL (HTTPS) ]
    Port = [ 990 ]        [ -- ▼] Description = [ FTPS Protocol (control), FTP over TLS/SSL ]
    Port = [ 1024:65535 ] [ -- ▼] Description = [ Registered and Ephemeral Ports ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
    Step 5, Part 2 - B: "WAN_SERVICE_PORTS" Alias
    WAN Service ports are ports that clients on our network will be allowed to connect to on the Wide Area Network (WAN).
    These connections DO leave the firewall to the outside internet. You will need to include ports for any service
    that YOU have a need to connect to that falls within the "Well Known Ports" range of 0-1023.
    1.) Go to: Firewall > Aliases: IP
    http://192.168.1.1/firewall_aliases.php?tab=port -or- https://192.168.1.1/firewall_aliases.php?tab=port
    2.) Click the [ + Add ] button to "Add a new Alias"
     
    Set as Follows:
     
    Properties
    Name = [ WAN_SERVICE_PORTS ]
    Description = [ WAN_SERVICE_PORTS ]
    Type = [ Port(s) ▼]

    Under the "Port(s)" section, click the [+ Add Network] button near the bottom to create new entries. You will need to create multiple entries.
    PLEASE NOTE: THE SUBNET MASK DROPDOWN SELECTION DOES NOT APPLY TO PORTS ALIASES AND AS SUCH CANNOT BE SELECTED/CHANGED. IGNORE IT.
    Port(s)
    Port = [ 21 ]         [ -- ▼] Description = [ FTP control (command) ]
    Port = [ 43 ]         [ -- ▼] Description = [ WHOIS protocol (If you use a WHOIS program to attain host records) ]
    Port = [ 80 ]         [ -- ▼] Description = [ Hypertext Transfer Protocol (HTTP) ]
    Port = [ 143 ]        [ -- ▼] Description = [ Internet Message Access Protocol (IMAP), management of email messages ]
    Port = [ 443 ]        [ -- ▼] Description = [ Hypertext Transfer Protocol over TLS/SSL (HTTPS) ]
    Port = [ 990 ]        [ -- ▼] Description = [ FTPS Protocol (control), FTP over TLS/SSL ]
    Port = [ 993 ]        [ -- ▼] Description = [ Internet Message Access Protocol over TLS/SSL (IMAPS), I.E. Secure email ]
    Port = [ 1024:65535 ] [ -- ▼] Description = [ Registered and Ephemeral Ports ]

    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
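    The Step 5 aliases above and the AirVPN_LAN rule order checked in Step 6-K (shown earlier on this page) can be sanity-checked with a small first-match model. This is an added example written for this page, not code from the guide, from pfSense, or from AirVPN. It assumes AirVPN_LAN is 192.168.1.0/24 with the firewall at 192.168.1.1 (the addresses the guide displays), and the sample packets are constructed. pfSense evaluates rules top-down with the first match winning, which is what the model reproduces; it does not model pfSense's automatic handling of directly connected networks on policy-routed rules, only the rule table as the guide lists it.

```python
"""First-match model of the guide's AirVPN_LAN rule set (added example,
not part of the guide or of pfSense)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_ports(entries: List[str]) -> List[PortRange]:
    """pfSense port-alias entries: '22' is a single port, '1024:65535' a range."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def in_ports(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


# Step 5 aliases, with the values the guide enters.
PRIVATE_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_IP_MULTICAST = [ip_network(n) for n in ("224.0.0.0/24", "239.255.0.0/16")]
LAN_SERVICE_PORTS = parse_ports(["21", "22", "80", "161", "443", "990", "1024:65535"])
WAN_SERVICE_PORTS = parse_ports(["21", "43", "80", "143", "443", "990", "993", "1024:65535"])
EPHEMERAL_SOURCE = parse_ports(["1024:65535"])  # the 1024-65535 source port range

# Assumption: AirVPN_LAN is 192.168.1.0/24 and the firewall is 192.168.1.1.
AIRVPN_LAN_NET = ip_network("192.168.1.0/24")
AIRVPN_LAN_ADDRESS = [ip_network("192.168.1.1/32")]


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str  # "pass" or "reject"
    description: str
    protos: Optional[Tuple[str, ...]] = None  # None = any protocol
    dst: Optional[list] = None                # list of networks, None = any ("*")
    dport: Optional[List[PortRange]] = None   # None = any
    sport: Optional[List[PortRange]] = None
    gateway: str = "*"                        # "*" = system routing table

    def matches(self, p: Packet) -> bool:
        """Every field set on the rule must match; unset fields mean 'any'."""
        if ip_address(p.src) not in AIRVPN_LAN_NET:  # Source = AirVPN_LAN net
            return False
        if self.protos is not None and p.proto not in self.protos:
            return False
        if self.dst is not None and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        if self.dport is not None and not in_ports(p.dport, self.dport):
            return False
        if self.sport is not None and not in_ports(p.sport, self.sport):
            return False
        return True


# The eight rules in the order Step 6-K requires.
AIRVPN_LAN_RULES = [
    Rule("pass", "Anti_lockout Rule", dst=AIRVPN_LAN_ADDRESS, dport=parse_ports(["443", "80"])),
    Rule("pass", "NAT AirVPN LAN DNS REDIRECT", ("tcp", "udp"), AIRVPN_LAN_ADDRESS, parse_ports(["53"])),
    Rule("pass", "NAT AirVPN LAN NTP REDIRECT", ("udp",), AIRVPN_LAN_ADDRESS, parse_ports(["123"])),
    Rule("pass", "ALLOW LOCAL ICMP", ("icmp",), PRIVATE_NETWORKS),
    Rule("pass", "AirVPN_LAN IP MULTICAST", dst=LOCAL_IP_MULTICAST),
    Rule("pass", "ALLOW LOCAL SERVICES", ("tcp", "udp"), PRIVATE_NETWORKS, LAN_SERVICE_PORTS, EPHEMERAL_SOURCE),
    Rule("pass", "AirVPN_LAN ALLOW OUTBOUND", ("tcp", "udp"), None, WAN_SERVICE_PORTS, EPHEMERAL_SOURCE, "AirVPN_WAN"),
    Rule("reject", "REJECT LOCAL", dst=PRIVATE_NETWORKS),
]


def evaluate(p: Packet, rules: List[Rule] = AIRVPN_LAN_RULES) -> Tuple[str, str, str]:
    """First matching rule wins; nothing matching falls to pfSense's implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.description, rule.gateway
    return "block", "default deny", "*"


def reject_local_first(rules: List[Rule]) -> List[Rule]:
    """The wrong order: REJECT LOCAL moved above the allow rules."""
    rejects = [r for r in rules if r.description == "REJECT LOCAL"]
    return rejects + [r for r in rules if r.description != "REJECT LOCAL"]


if __name__ == "__main__":
    # Constructed sample traffic from a LAN client at 192.168.1.50.
    samples = [
        Packet("udp", "192.168.1.50", 51000, "192.168.1.1", 53),    # DNS to the firewall
        Packet("tcp", "192.168.1.50", 51001, "192.168.1.20", 22),   # SSH to a LAN host
        Packet("tcp", "192.168.1.50", 51002, "192.168.1.20", 25),   # SMTP to a LAN host: 25 is in no alias
        Packet("tcp", "192.168.1.50", 51003, "203.0.113.10", 443),  # HTTPS to the internet (TEST-NET-3)
        Packet("tcp", "192.168.1.50", 80, "203.0.113.10", 443),     # source port below 1024
    ]
    for p in samples:
        print(p.dst, p.dport, "->", evaluate(p))
    # The same SSH packet with REJECT LOCAL at the top of the list.
    print("reject-first order:", evaluate(samples[1], reject_local_first(AIRVPN_LAN_RULES)))
```

    Running it shows why the order in Step 6-K matters: with REJECT LOCAL last, SSH to a LAN host is passed by ALLOW LOCAL SERVICES and only traffic to local ports that neither alias lists (SMTP here) reaches the reject; with REJECT LOCAL moved to the top, every local connection is rejected before an allow rule can see it. It also shows the effect of the 1024-65535 source port range on the two TCP/UDP rules: a client using a source port below 1024 falls through to the default deny.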
  9. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway
    Step 4-A: Assigning the OpenVPN Interface
    1.) Go to: Interfaces / Interface assignments
    http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php
    2.) Find the line "Available network ports:" and set as follows:
    Available network ports: = [ ovpnc1(AirVPN) ▼]
     
    3.)Click the [ + Add ] button on the lower right for "Add selected interface"
     
    4.) Click [ Save ]
     
    5.) While still on the assign interfaces page, find the link for your newly created "ovpnc1" interface by "mousing over" its name and select it. This will bring you to the configuration page for this interface.
     
    Set as Follows:
    General configuration
    Enable = [√] (CHECKED)
    Description = [ AirVPN_WAN ]
    IPv4 Configuration Type = [ None ▼]
    IPv6 Configuration Type = [ None ▼]
    MAC Address = [______] (Blank/Empty)
    MTU = [______] (Blank/Empty)
    MSS = [______] (Blank/Empty)

    Reserved Networks
    Block Private Networks = [_] (UNCHECKED!!!)
    Blocks Bogon Networks = [_] (UNCHECKED!!!)

    6.) Click [ Save ]
     
    7.) Click [Apply Changes]
    Step 4-B: Setting the AirVPN Gateway
    1.) Go to: System / Routing
    http://192.168.1.1/system_gateways.php -or- https://192.168.1.1/system_gateways.php
    2.) Find the button under the actions section on the same line as AirVPN_WAN_VPN4 that looks like overlapping sheets of paper (shown here as ☐) and select it.
    ***** NOTE: THE APPEARANCE OF THE FOLLOWING IS BASED ON A FRESH INSTALL AND ASSUMES YOU HAVE FOLLOWED THE PREVIOUS STEPS IN THIS GUIDE!
     
    Default Gateways - System: Gateways | Gateways |
    | Name                | Interface  | Gateway     | Monitor IP  | Description                       | Actions             |
    |---------------------|------------|-------------|-------------|-----------------------------------|---------------------|
    | WAN_DHCP (default)  | WAN        | 192.168.1.1 | 192.168.1.1 | Interface WAN_DHCP Gateway        | ✐ ☐ Ø π             |
    | AirVPN_WAN_VPN4     | AirVPN_WAN |             |             | Interface AirVPN_WAN_VPN4 Gateway | ✐ ☐ Ø π <-- CLICK ☐ |
    [ + Add ]

    3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it.
     
    Set as follows:
    Edit Gateway
    Disabled = [_] (UNCHECKED)
    Interface = [AirVPN_WAN ▼]
    Address Family = [IPv4 ▼]
    Name = [ AirVPN_WAN ]
    Gateway = [ dynamic ]
    Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)
    Gateway Monitoring = [√] Disable Gateway Monitoring (CHECKED)
        NOTE: The monitoring service has caused more issues than it has corrected as of late, so we will disable it.
    Force state = [_] Mark Gateway as Down (UNCHECKED)
    Description = [ AirVPN_WAN ]
    [☼ Display Advanced ] = ( Unchanged )

    ***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong: all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers.
    This can be seen in the OpenVPN logs when using the "verb 4" setting. It shows up as:
    write UDPv4: No buffer space available (code=55)
    The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct!
    4.) Click [save]
     
    5.) Click [Apply Changes]
     
     
    Gateways After Editing AirVPN_WAN - System: Gateways | Gateways |
    | Name                | Interface  | Gateway     | Monitor IP  | Description                | Actions |
    |---------------------|------------|-------------|-------------|----------------------------|---------|
    | WAN_DHCP (default)  | WAN        | 192.168.1.1 | 192.168.1.1 | Interface WAN_DHCP Gateway | ✐ ☐ Ø π |
    | AirVPN_WAN          | AirVPN_WAN |             |             | AirVPN_WAN                 | ✐ ☐ Ø π |
    Step 4-C: Setting the Localhost Outbound NAT to Include the AirVPN_WAN
    Now that we have added a new Gateway, we need to add outbound NAT rules to allow the firewall (pfSense itself) to use that gateway.
     
    1.) Go to: Firewall / NAT / Outbound
    http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php
    NOTE: By default the "Mode:" selected is "Automatic outbound NAT rule generation (IPsec passthrough included)". Below this you will see a short list of rules that are not accessible. We need to change the "Mode:" to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" so that we may edit these and create new rules as needed throughout setup.
     
    2.) Set as follows:
    Mode: = Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)
     
    3.) Click [save]
     
    4.) Click [Apply Changes]
     
    A now accessible list of rules should appear. We will delete the "Auto created rule - LAN to WAN" since our "LAN" interface will become our "AirVPN_LAN" interface. Further, outbound NAT setup will be addressed per interface in that step's instructions.
     
    Default Outbound NAT Mappings:
    | Interface | Source         | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description                                       |
    |-----------|----------------|-------------|-------------|------------------|-------------|----------|-------------|---------------------------------------------------|
    | WAN       | 127.0.0.0/8    | *           | *           | *                | WAN Address | *        | ✔           | Auto created rule for ISAKMP - localhost to WAN   |
    | WAN       | 127.0.0.0/8    | *           | *           | *                | WAN Address | *        | ><          | Auto created rule - localhost to WAN              |
    | WAN       | 192.168.1.0/24 | *           | *           | *                | WAN Address | *        | ✔           | Auto created rule for ISAKMP - LAN to WAN         |
    | WAN       | 192.168.1.0/24 | *           | *           | *                | WAN Address | *        | ><          | Auto created rule - LAN to WAN                    |

    The two rules that use "STATIC PORT: ✔" and with "ISAKMP" in their respective descriptions are the default rules for IPSEC passthrough. If you do not use IPSEC, those two rules can safely be deleted by clicking the trash/rubbish button to the right of that rule. Most people will not need these rules since we are using OpenVPN, so going forward in this guide further instructions will have those rules omitted as if they were deleted. If you do need them you can keep them, it will not hurt the setup.
     
    5.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule for ISAKMP - localhost to WAN" rule to delete it.
     
    6.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule for ISAKMP - LAN to WAN" rule to delete it.
     
    7.) Click the button shaped like a trash/rubbish can to the right of the "Auto created rule - LAN to WAN" rule to delete it.
     
    Now we are left with:
     
    Outbound NAT after deleting unnecessary default rules. Mappings:
    | Interface | Source      | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description                          |
    |-----------|-------------|-------------|-------------|------------------|-------------|----------|-------------|--------------------------------------|
    | WAN       | 127.0.0.0/8 | *           | *           | *                | WAN Address | *        | ><          | Auto created rule - localhost to WAN |

    Now we need to make another rule for "localhost to AirVPN_WAN"
     
    8.) Click the [ ↑ Add ] button to the bottom right that has an upward facing arrow for "Add new mapping to the top of the list".
     
    9.) Set as follows:
    ----------------------------------------------------------------------------------------------------
    Edit Advanced Outbound NAT Entry
    ----------------------------------------------------------------------------------------------------
    Disabled = [_] (unchecked)
    Do not NAT = [_] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ any ▼]
    Source = [ Network ▼] [ 127.0.0.1 ]/[ 8 ▼]   Port = [__________] (Type: Source network for the outbound NAT mapping.)
    Destination = [ Any ▼] [___________________________________]/[---▼]   Port = [__________]
                  [_] Not (unchecked)
    ----------------------------------------------------------------------------------------------------
    Translation
    ----------------------------------------------------------------------------------------------------
    Address = [ Interface Address ▼]
    Port = [______________________________]
    [_] Static-port (empty/unchecked)
    ----------------------------------------------------------------------------------------------------
    Misc
    ----------------------------------------------------------------------------------------------------
    No XMLRPC Sync = [_] (unchecked)
    Description = [ localhost to AirVPN_WAN ]
    ----------------------------------------------------------------------------------------------------
    10.) Click [save]
     
    11.) Click [Apply Changes]
     
     
    Mappings:
     ___________________________________________________________________________________________________________________________________________________________
    | Interface  | Source      | Source Port | Destination | Destination Port | NAT Address        | NAT Port | Static Port | Description                          |
    |____________|_____________|_____________|_____________|__________________|____________________|__________|_____________|______________________________________|
    | AirVPN_WAN | 127.0.0.0/8 | *           | *           | *                | AirVPN_WAN Address | *        | ><          | localhost to AirVPN_WAN              |
    | WAN        | 127.0.0.0/8 | *           | *           | *                | WAN Address        | *        | ><          | Auto created rule - localhost to WAN |
    |____________|_____________|_____________|_____________|__________________|____________________|__________|_____________|______________________________________|
    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!
     
    12.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php  -or-  https://192.168.1.1/reboot.php
     
    13.) Click [ Yes ] to Reboot
  10. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 3: Setting up the OpenVPN Client
      
    Step 3-A: Setting up the OpenVPN Client
    1.) Go to: VPN > OpenVPN > Client
    http://192.168.1.1/vpn_openvpn_client.php -or- https://192.168.1.1/vpn_openvpn_client.php
     
    2.) Find and select the [ + Add ] on the lower right for "Add Client"
     
    3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK
     
    Set as follows:
     
    --General information
    Disabled = [_] (UNCHECKED!!!)
    Server Mode = [ Peer to Peer (SSL/TLS) ▼]
    Protocol = [ UDP ▼]
    Device Mode = [ tun ▼]
    Interface = [ WAN ▼]
    Local Port = [ 0 ] ( Zero )
    Server Host or Address = [ XXX.XXX.XXX.XXX ] IP of your preferred AirVPN Entry (From the "remote" line in the config)
    Server Port = [ 443 ] (From the "remote" line in the config)
    Proxy Host or address = [_______] (Blank/Empty)
    Proxy Port = [_______] (Blank/Empty)
    Proxy Authentication Extra Options = [none ▼}
    Server Host Name Resolution = [√] Infinitely Resolve Server (checked)
    Description = [ AirVPN ]
     
    --User Authentication Settings
    User name/pass      Leave empty when no user name and/or password are needed.
                                       Username: [_______] (Blank/Empty)
                                       Password: [_______] (Blank/Empty)
     
    --Cryptographic Settings
    TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)
                                       [_] Automatically generate a shared TLS authentication key. (UNCHECKED)
      ___________________________________
     | #
     | # 2048 bit OpenVPN static key
     | #
     | -----BEGIN OpenVPN Static key V1-----
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | -----END OpenVPN Static key V1-----
     |____________________________________
    Peer Certificate Authority = [AirVPN_CA ▼]
    Client Certificate = [ AirVPN_CERT ▼]
    Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]
    Auth Digest Algorithm = [ SHA1 (160 bit) ▼]
    Hardware Crypto = SET THIS BASED ON YOUR CPU's CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RDRAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance.
     
    --Tunnel Settings
    IPv4 Tunnel Network = [_______] (Blank/Empty)
    IPv6 Tunnel Network = [______] (Blank/Empty)
    IPv4 Remote Networks = [_______] (Blank/Empty)
    IPv6 Remote Networks = [_______] (Blank/Empty)
    Limit Outgoing Bandwidth = [_______] (Blank/Empty)
    Compression = [Disabled - No Compression ▼ ]
    Topology = [ net30 - isolated /30 network per client ▼ ]
    Type-of-Service = [_] (UNCHECKED!!!)
    Disable IPv6 = [✔] (CHECKED)
    Don't pull routes = [✔] (CHECKED)
    Don't add/remove routes = [_] (UNCHECKED)
     
    --Advanced Configuration
    Advanced = (Copy and paste the following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)
    ##### CLIENT OPTIONS #####;
    server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
    explicit-exit-notify 5;
    ##### TUNNEL OPTIONS #####;
    ### Use Multiple "remote" entries with the according entry IP address of your favorite servers ###;
    ### other than the server entered in the "Server Host or Address" entry above and pfSense ###;
    ### will automatically reconnect in a round robin fashion if the server you are connected to ###;
    ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
    ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###;
    ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###;
    ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###;
    ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###;
    ###rcvbuf 262144;
    ###sndbuf 262144;
    mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
    fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
    ###tun-mtu 1500;
    ###mssfix 1450;
    ###keepalive 5 15;
    ##### DATA CHANNEL ENCRYPTION OPTIONS #####;
    key-direction 1;
    keysize 256 ### Size of key from cipher ###;
    prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
    ### replay-window n [t] ### Default = replay-window 64 15 ###;
    ### mute-replay-warnings;
    ##### TLS MODE OPTIONS #####;
    tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###;
    key-method 2 ### client generates a random key ###;
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
    tls-timeout 2 ### Default = 2 ###;
    ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
    remote-cert-tls server ### Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
    ### reneg-sec 3600;
     
    Verbosity level = [ 3 (Recommended) ▼ ]
     
    4.) Click [save]
     
    5.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
     
    6.) Click [Yes] to Reboot
     
  11. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 2: Understanding and Entering our AirVPN CA, Certificate and Key
    Step 2-A: Understanding Certificates and OpenVPN Config Files
    I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here.
     
    First, if you have not done so already, we have to download the OpenVPN Config File (.ovpn) for our preferred AirVPN entry server (We will need the direct IP address of the server as DNS will not function until the VPN is up.). You can do this by logging into airvpn.org and then proceeding to https://airvpn.org/generator/ . Choose the entry server of your choice (the air entry server can be changed later whenever you need, we will focus on one for this tutorial) by selecting the corresponding check box, then scroll down and select the Direct, protocol UDP, port 443. Scroll down again and select both check boxes agreeing to the AirVPN terms of service, then click the Generate button. Once you have the config file you can open it with your favorite text editor. What you should see will look very similar to the sample ovpn config I pasted below (this one was downloaded for a windows client). The config is broken into FIVE main parts that we will need to identify for our uses.
     
    The five parts are as follows:
     - Settings and Advanced Settings
     - CA (Certificate Authority, everything between <ca> and </ca>)
     - Cert (Certificate Data, everything between <cert> and </cert>)
     - Key (RSA Private Key, everything between <key> and </key>)
     - tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>)
     
     
     
    Sample OpenVPN Config File
     We will need to copy these settings, from YOUR own config file that you downloaded from the AirVPN config generator, into pfSense to set up our certificates and OpenVPN.
     
    DO NOT USE THESE, THEY ARE FICTIONAL.
     
     
    # --------------------------------------------------------
    # Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM
    # OpenVPN Client Configuration
    # AirVPN_XXXXXXXXXXX-xxxx
    # --------------------------------------------------------
     
    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo no
    verb 3
    explicit-exit-notify 5
    <ca>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END OpenVPN Static key V1-----
    </tls-auth>
     
    Step 2-B: Entering our AirVPN CA (Certificate Authority)
    1.) Go to: System / Cert Manager / CAs
    http://192.168.1.1/system_camanager.php -or- https://192.168.1.1/system_camanager.php
     
    2.) Find and select the [ + Add ] on the lower right for "Add or Import CA"
     
    3.) Here we will enter a descriptive name and enter our CA certificate data.
     
    Set as follows:
    Descriptive name = [✎ AirVPN_CA ]
    Method = [ Import an Existing Certificate Authority ▼]
    Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>] - (Everything highlighted LIGHT BLUE in the Sample ovpn config):
     
    <ca>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </ca>
     
    Certificate Private Key(optional) = [_______________________] (Blank/Empty)
     
    Serial for next certificate = [_______________________] (Blank/Empty)
     
    4.) Click [save]
     
    Step 2-C: Entering our AirVPN Certificate and Key
    1.) Go to: System > Cert Manager > Certificate Manager
    http://192.168.1.1/system_certmanager.php -or- https://192.168.1.1/system_certmanager.php
     
    2.) Find and select the [ + Add ] on the lower right for "Add or Import Certificate"
     
    3.) Here we will enter a descriptive name and enter our Certificate and Key data.
     
    Set as follows:
    Method = [ Import an Existing Certificate Authority ▼]
    Descriptive name = [✎ AirVPN_CERT ]
    Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config):
     
    <cert>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </cert>
     
    Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config):
     
    <key>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </key>
     
    4.) Click [save]
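    Added example (not code from the guide or from pfSense): a small Python parser that splits an .ovpn file into the five parts listed in Step 2-A, checks that each inline block carries its BEGIN/END framing and that tls-auth comes with a key-direction, and maps the plain settings onto the Step 3 client fields. SAMPLE_OVPN is constructed with placeholder bodies, like the guide's own fictional sample; every function and field name here is my own.

```python
"""Split an AirVPN .ovpn file into the parts the guide lists (plain settings,
<ca>, <cert>, <key>, <tls-auth>) and map the settings onto the pfSense OpenVPN
client fields.  Added example, not code from the guide or pfSense; SAMPLE_OVPN
is a constructed sample with placeholder bodies and all names are my own."""
import re
from dataclasses import dataclass, field

# Inline block tag -> the pfSense field it is pasted into (tags excluded).
INLINE_BLOCKS = {
    "ca": "Cert Manager > CAs > Certificate Data (AirVPN_CA)",
    "cert": "Cert Manager > Certificates > Certificate Data (AirVPN_CERT)",
    "key": "Cert Manager > Certificates > Private key data (AirVPN_CERT)",
    "tls-auth": "OpenVPN Client > TLS Authentication key",
}

# Constructed sample: 203.0.113.10 is a documentation address, bodies are x's.
SAMPLE_OVPN = """\
# Air VPN | https://airvpn.org | constructed sample, placeholder bodies
client
dev tun
proto udp
remote 203.0.113.10 443
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
"""

@dataclass
class OvpnParts:
    settings: dict = field(default_factory=dict)  # "cipher" -> "AES-256-CBC"
    remotes: list = field(default_factory=list)   # [(host, port), ...]
    blocks: dict = field(default_factory=dict)    # "ca" -> PEM text, tags stripped
    problems: list = field(default_factory=list)  # things to fix before pasting

BLOCK_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)

def parse_ovpn(text):
    text = text.replace("\r\n", "\n")
    parts = OvpnParts()
    for m in BLOCK_RE.finditer(text):
        tag, body = m.group(1), m.group(2).strip()
        parts.blocks[tag] = body                  # exactly what gets pasted
        pem = [l for l in body.splitlines() if not l.startswith("#")]
        if not (pem and pem[0].startswith("-----BEGIN ") and pem[-1].startswith("-----END ")):
            parts.problems.append(f"<{tag}> block lacks BEGIN/END framing")
    # Plain "option args" lines, with comments and the inline blocks removed.
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        option, *args = line.split()
        if option == "remote":                    # may appear several times
            port = int(args[1]) if len(args) > 1 else 1194
            parts.remotes.append((args[0], port))
        else:
            parts.settings[option] = " ".join(args)
    for tag in INLINE_BLOCKS:
        if tag not in parts.blocks:
            parts.problems.append(f"missing <{tag}> block")
    if "tls-auth" in parts.blocks and "key-direction" not in parts.settings:
        parts.problems.append("tls-auth present but key-direction not set")
    if not parts.remotes:
        parts.problems.append("no remote line: server host/port unknown")
    return parts

def pfsense_client_fields(parts):
    """Values for the Step 3 client form, taken from the parsed settings."""
    host, port = parts.remotes[0]
    comp = parts.settings.get("comp-lzo", "no")
    return {
        "Protocol": parts.settings.get("proto", "udp").upper(),
        "Device Mode": parts.settings.get("dev", "tun"),
        "Server Host or Address": host,
        "Server Port": port,
        "Encryption Algorithm": parts.settings.get("cipher", ""),
        "Compression": "Disabled - No Compression" if comp == "no" else f"comp-lzo {comp}",
        "TLS key-direction": parts.settings.get("key-direction", ""),
        "remote-cert-tls": parts.settings.get("remote-cert-tls", "(not set)"),
    }
```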
     
     
  12. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 1: Disable IPv6 System Wide
    Step 1-A: Disable DHCPv6 on WAN Interface
    By default, the DHCPv6 client is enabled on the WAN interface. The following steps detail how to turn it off.
     
    1.) Go to: Interfaces / WAN
    http://192.168.1.1/interfaces.php?if=wan -or- https://192.168.1.1/interfaces.php?if=wan  
    Set as Follows:
    --General configuration
    Enable = [√] (CHECKED)
    Description = [ WAN_dhcp ]
    IPv4 Configuration Type = [ DHCP ▼]
    IPv6 Configuration Type = [ None ▼] <----- (CHANGE THIS TO "NONE"!!!)
    MAC Address = [______] (Blank/Empty)
    MTU = [______] (Blank/Empty)
    MSS = [______] (Blank/Empty)
     
    --Private Networks
    Block private networks and loopback addresses = [√] (CHECKED)
    Block bogon networks = [√] (CHECKED)
     
    2.) Click [save]
     
    3.) Click [Apply Changes]
     
    Step 1-B: Disable DHCPv6 Server on LAN Interface
    By default, the DHCPv6 server is enabled on the LAN interface. Check here to see if it is enabled. My apologies for this being a somewhat incomplete step, but it is disabled on my system and I am unable to see what the user interface looks like here. I hope to update this eventually.
     
    1.) Go to: Services / DHCPv6 Server & RA
    http://192.168.1.1/services_dhcpv6.php -or- https://192.168.1.1/services_dhcpv6.php
     
    2.) If you can see your LAN interface here, adjust the setting to disable it. Also save and apply settings if necessary.
     
    Step 1-C: Disable IPv6 Configuration Type Setting on LAN Interface
    By default, an IPv6 configuration type is enabled on the LAN interface. The following steps detail how to turn it off.
     
    1.) Go to: Interfaces / LAN
    http://192.168.1.1/interfaces.php?if=lan -or- https://192.168.1.1/interfaces.php?if=lan  
    Set as Follows:
    --General configuration
    Enable = [√] (CHECKED)
    Description = [ LAN ]
    IPv4 Configuration Type = [ Static IPv4 ▼]
    IPv6 Configuration Type = [ None ▼] <----- (CHANGE THIS TO "NONE"!!!)
    MAC Address = [______________] (Blank/Empty)
    MTU = [______________] (Blank/Empty)
    MSS = [______________] (Blank/Empty)
     
    --Private Networks
    Block private networks and loopback addresses = [_] (UNCHECKED)
    Block bogon networks = [_] (UNCHECKED)
     
    2.) Click [save]
     
    3.) Click [Apply Changes]
     
    Step 1-D: "Disable" IPv6
    1.) Go to: System / Advanced / Networking
    http://192.168.1.1/system_advanced_network.php -or- https://192.168.1.1/system_advanced_network.php  
    IPv6 Options
    Allow IPv6 = [_] (UNCHECKED)
    From pfSense:
    All IPv6 traffic will be blocked by the firewall unless this box is checked. NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic. NOTE: No other settings on this page were altered from default.
     
    2.) Click [save]
     
  14. Like
    pfSense_fan got a reaction from cliff.peeples in How To Set Up pfSense 2.3 for AirVPN   ...
    It does work.
     
    Unlike the old guide, the 2.3 guide is very close to how I actually use my appliance.  It works for me and is tested and working for others.  There is no hidden magic to adding a clear interface.... you create a new interface and through all of the SAME STEPS, tell the traffic to route out WAN instead of AirVPN_WAN.
     
    If you tried and it failed you missed something. It's normal, there are a lot of steps/settings and it is easy to overlook one or more. The most common mistake is the outbound NAT settings and not defining the correct gateway on the outbound firewall rule.
     
    I changed this guide to create the AirVPN_LAN interface first due to the high demand. Adding a second interface for clearnet works the same way in principle as the old guide.... but the old guide should not be used. There are too many settings that have changed.
  15. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.3 for AirVPN   ...
    For those asking about the clearnet interface, I don't have a timetable other than to say eventually.
     
    If you used the original guide, you should be able to extrapolate how to accomplish this.
     
    First create and name a new interface. All settings on the interface page are the same as the AirVPN_LAN interface EXCEPT the name and IP address of the subnet you choose.
     
    Under dhcp server for the new interface, replace the 192.168.1.100 - 192.168.1.199 with 192.168.123.100 - 192.168.123.199 (or whatever subnet you chose)
     
    For the rest of the interface settings, simply replace AirVPN_LAN in the rules for Clear_LAN (or whatever you name it) and AirVPN_WAN with WAN.
     
    On the outbound rule, select WAN for the gateway.
     
    There is not much different, you are just telling the traffic where to go. I highly encourage you all to take the time to understand how this works, the information is there in the guide. If not, I will eventually open up the text editor and add it, right now I am backed up with work and cannot.
  16. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.3 for AirVPN   ...
    Thank you, it means a lot to read such a wonderful compliment. I am so glad it has helped you. For anyone interested, updating the guide from the original to the new 2.3 took over 100 hours of research and editing. The original guide took well over a few thousand hours including learning/upgrading it between iterations. I rushed this one out to have it ready for 2.3. There will be small edits over time to explain in more detail what and why settings are recommended the way they are. For now I need a break from it. There will also be some additional optional steps added.
     
    I hope it lasts as long too, and I really hope, as I always have, that discussion will pick up in this thread among users and together we can evolve the discussion to make this better for everyone.
  17. Like
    pfSense_fan got a reaction from Wolf666 in Is it possible to route the traffic from my Xbox One through AirVpn?   ...
    You would need to use a router that routes all traffic through the VPN such as pfSense, Asus, Netgear etc that have OpenVPN.
     
    That being said you cannot port forward all the required ports for XBOX Live to function entirely and will have a strict NAT and have some services be unavailable at times, including chat.
     
    I use pfSense of course, but I do not run my consoles through the VPN, instead I employ a true isolated DMZ for them and allow UPNP only on that interface and only for those devices. This allows me to enjoy full functionality as well as top level security. I even have ad and tracking servers blocked on the DNS level for a bit of extra privacy. Keep in mind if you use XBOX Live this is generally attached to your true identity through your account, so there is little value in having the gaming traffic go through the VPN, unless you are trying to hide gaming use from your ISP.
  18. Like
    pfSense_fan got a reaction from cliff.peeples in How To Set Up pfSense 2.3 for AirVPN   ...
    It does work.
     
    Unlike the old guide, the 2.3 guide is very close to how I actually use my appliance.  It works for me and is tested and working for others.  There is no hidden magic to adding a clear interface.... you create a new interface and through all of the SAME STEPS, tell the traffic to route out WAN instead of AirVPN_WAN.
     
    If you tried and it failed you missed something. It's normal, there are a lot of steps/settings and it is easy to overlook one or more. The most common mistake is the outbound NAT settings and not defining the correct gateway on the outbound firewall rule.
     
    I changed this guide to create the AirVPN_LAN interface first due to the high demand. Adding a second interface for clearnet works the same way in principal as the old guide.... but the old guide should not be used. here are too many settings that have changed.
  19. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.3 for AirVPN   ...
    For those asking about the clearnet interface, I don't have a timetable other than to say eventually.
     
    If you used the original guide, you should be able to extrapolate how to accomplish this.
     
    First create and name a new interface. All settings on the interface page are the same as the AirVPN_LAN interface EXCEPT the name and the IP address of the subnet you choose.
     
    Under DHCP Server for the new interface, replace 192.168.1.100 - 192.168.1.199 with 192.168.123.100 - 192.168.123.199 (or whatever subnet you chose).
     
    For the rest of the interface settings, simply replace AirVPN_LAN in the rules with Clear_LAN (or whatever you name it) and AirVPN_WAN with WAN.
     
    On the outbound rule, select WAN for the gateway.
     
    There is not much difference; you are just telling the traffic where to go. I highly encourage you all to take the time to understand how this works; the information is there in the guide. If not, I will eventually open up the text editor and add it; right now I am backed up with work and cannot.
  21. Like
    pfSense_fan got a reaction from onebarrell in How To Set Up pfSense 2.3 for AirVPN   ...
    Setting Up pfSense 2.3 for AirVPN
     Step 8: Setting Up the DNS Resolver
      
    Step 8-A: Setting the DNS Resolver Options
      
    1.) Go to: Services: DNS Resolver
    http://192.168.1.1/services_unbound.php -or- https://192.168.1.1/services_unbound.php
    Set as Follows:
     
    ----------------------------------------------------------------------------------------------------------------------- 
    General DNS Resolver Options
    ----------------------------------------------------------------------------------------------------------------------- 
    Enable = [✔] Enable DNS Resolver (CHECKED)
    Listen Port = [______] (Empty/Blank)
    Network Interfaces = All (default)    NOTE: YOU MAY LEAVE THIS SETTING AS IT IS, DEFAULT, WITH "ALL" SELECTED
        |-All------------------|
        | WAN                  |
        | AirVPN_LAN           |
        | AirVPN_WAN           |
    Outgoing Network Interfaces = AirVPN_WAN only    NOTE: THIS SETTING MUST BE ALTERED. ENSURE ONLY AirVPN_WAN IS SELECTED
        | All                  |
        | WAN                  |
        | AirVPN_LAN           |
        |-AirVPN_WAN-----------|
    System Domain Local Zone Type = [ Transparent ▼]
    DNSSEC = [✔] (CHECKED)
    DNS Query Forwarding = [✔] (CHECKED)
    DHCP Registration = [✔] (CHECKED)
    Static DHCP = [✔] (CHECKED)
    Display Custom Options = [☼ Display Custom Options ] <-- CLICK TO EXPOSE OPTIONS BOX
    Custom options = (Copy and Paste)
        | server:                              |
        | private-address: 127.0.0.0/8         |
      This setting is for DNS Rebinding protection in the 127.0.0.0/8 localhost zone.
    ----------------------------------------------------------------------------------------------------------------------- 
     
    2.) Click [save]
     
    Step 8-B: Setting the DNS Resolver Advanced Options
      
    1.) Go to: Services: DNS Resolver: Advanced
    http://192.168.1.1/services_unbound_advanced.php -or- https://192.168.1.1/services_unbound_advanced.php
    Set as Follows:
     
    ----------------------------------------------------------------------------------------------------------------------- 
    Advanced Resolver Options
    ----------------------------------------------------------------------------------------------------------------------- 
    Hide Identity = [✔] (CHECKED)
    Hide Version = [✔] (CHECKED)
    Prefetch Support = [✔] (CHECKED)
    Prefetch DNS Key Support = [✔] (CHECKED)
    Harden DNSSEC data = [✔] (CHECKED)
    Message Cache Size = [ 512MB ▼]
    Outgoing TCP Buffers = [ 10 ▼]
    Incoming TCP Buffers = [ 10 ▼]
    EDNS Buffer Size = [ 4096 ▼]
    Number of Queries per Thread = [ 512 ▼]
    Jostle Timeout = [ 200 ▼]
    Maximum TTL for RRsets and Messages = [ 86400 ]
    Minimum TTL for RRsets and Messages = [ 0 ]
    TTL for Host Cache Entries = [15 Minutes ▼]
    Number of Hosts to Cache = [ 10,000 ▼]
    Unwanted Reply Threshold = [ disabled ▼]
    Log level = [ 1 ▼] (Or whatever you prefer, higher if you want to troubleshoot)
    Disable Auto-added Access Control = [_] (UNCHECKED)
    Experimental Bit 0x20 Support = [_] (UNCHECKED)    NOTE: It is perfectly safe to use this option if you so choose to. Be aware, however, that this option breaks ipleak.net.
    ----------------------------------------------------------------------------------------------------------------------- 
     
    2.) Click [save]
     
    3.) Click [Apply Changes]
     
    4.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
     
    5.) Click [Yes] to Reboot
     
    Step 8-C: Verifying Our DNS Settings (Optional Step)
     Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built-in feature of the firewall.
     
    1.) Go to: Diagnostics > DNS Lookup
    http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php
    Set as Follows:
    Hostname or IP = [ airvpn.org ]
     
    2.) Click [ Lookup ]
     
    3.) Verify the results:
    Hostname or IP = [ airvpn.org ] = 5.196.64.52
    If 5.196.64.52 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.
     
    That's it! You should now have a functional connection to AirVPN! Just plug your Ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running! I hope this guide helps you! Don't forget to back up the settings you just spent all this time setting up!
      
     
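    A way to check the resolver settings above once pfSense has generated its Unbound configuration, as an added example that is not part of the guide and not pfSense code: the script parses the server: clause of an unbound.conf and reports anything that differs from what Step 8-A and 8-B select, in particular the two leak-relevant items (queries pinned to AirVPN_WAN via outgoing-interface, and the 127.0.0.0/8 private-address rebinding protection from the custom options box). The directive names are my mapping of the GUI labels, the file path /var/unbound/unbound.conf is an assumption, and the sample configuration with its 10.x addresses is constructed for illustration.

```python
"""Audit an Unbound configuration for the settings chosen in Step 8.

Added example for this page; it is not part of the guide and not pfSense
code. It parses the `server:` clause of an unbound.conf (the file pfSense
generates from the DNS Resolver pages, assumed to live at
/var/unbound/unbound.conf) and lists settings that differ from the guide.
The directive names below are the editor's mapping of the GUI labels; the
sample configuration and its 10.x.y.z addresses are constructed placeholders.
"""
import re

# GUI option (Step 8-A / 8-B) -> unbound.conf directive and expected value
EXPECTED = {
    "hide-identity": "yes",           # Hide Identity
    "hide-version": "yes",            # Hide Version
    "prefetch": "yes",                # Prefetch Support
    "prefetch-key": "yes",            # Prefetch DNS Key Support
    "harden-dnssec-stripped": "yes",  # Harden DNSSEC data
    "use-caps-for-id": "no",          # Experimental Bit 0x20 Support (unchecked)
    "msg-cache-size": "512m",         # Message Cache Size
    "edns-buffer-size": "4096",       # EDNS Buffer Size
    "cache-max-ttl": "86400",         # Maximum TTL for RRsets and Messages
    "cache-min-ttl": "0",             # Minimum TTL for RRsets and Messages
}

# Constructed sample of what the guide's settings look like once generated.
SAMPLE_CONF = """\
server:
  verbosity: 1
  interface: 0.0.0.0
  outgoing-interface: 10.4.0.2     # placeholder: tunnel address of AirVPN_WAN
  hide-identity: yes
  hide-version: yes
  prefetch: yes
  prefetch-key: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: no
  msg-cache-size: 512m
  edns-buffer-size: 4096
  cache-max-ttl: 86400
  cache-min-ttl: 0
  auto-trust-anchor-file: /var/unbound/root.key
  private-address: 127.0.0.0/8
  private-address: 192.168.0.0/16

forward-zone:
  name: "."
  forward-addr: 10.4.0.1           # placeholder: AirVPN DNS reached via the tunnel
"""

# Same file with two leak-relevant settings undone, for comparison.
WEAK_CONF = "\n".join(
    line
    for line in SAMPLE_CONF.replace("use-caps-for-id: no", "use-caps-for-id: yes").splitlines()
    if not line.lstrip().startswith("outgoing-interface:")
) + "\n"

DIRECTIVE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


def parse_server_section(conf):
    """Return {directive: [values]} for the server: clause; repeated keys accumulate."""
    section, settings = None, {}
    for line in conf.splitlines():
        body = line.split("#", 1)[0].rstrip()        # drop trailing comments
        if not body.strip():
            continue
        if not body[0].isspace() and body.endswith(":"):
            section = body[:-1]                       # clause header, e.g. server:
            continue
        m = DIRECTIVE.match(body.strip())
        if m and section == "server":
            settings.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return settings


def audit(conf):
    """Return findings as strings; an empty list means the file matches the guide."""
    s = parse_server_section(conf)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key, [None])[-1]                  # last occurrence wins in Unbound
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    # Outgoing Network Interfaces = AirVPN_WAN only. Assumption: pfSense emits one
    # outgoing-interface line per selected interface and none for "All"; without
    # it resolver traffic may leave via WAN, outside the tunnel.
    if "outgoing-interface" not in s:
        findings.append("outgoing-interface: absent, queries not pinned to AirVPN_WAN")
    # The guide's custom option: rebinding protection for the localhost range.
    if "127.0.0.0/8" not in s.get("private-address", []):
        findings.append("private-address: 127.0.0.0/8 missing")
    # DNSSEC checked implies a configured trust anchor.
    if not any(k in s for k in ("auto-trust-anchor-file", "trust-anchor-file")):
        findings.append("DNSSEC: no trust anchor configured")
    return findings


if __name__ == "__main__":
    for name, conf in (("guide settings", SAMPLE_CONF), ("weakened", WEAK_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
```

    Run it against the real file with the constants swapped for its contents; an empty result means the generated configuration carries the settings from Step 8, and any line it prints names the GUI option to revisit before trusting a DNS leak test.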
  22. Like
    pfSense_fan got a reaction from go558a83nk in How To Set Up pfSense 2.3 for AirVPN   ...
    Good to know. I had an AMD APU as my first build; Cool'n'Quiet caused it to crash, and powerd did not work. Other users here had the same issue. It ran at full power at all times, something like 110 watts with hard drive and fans, and led me to use Intel.
     
    My Rangeley with drive and 120mm fan uses something like 18 watts and maxes at about 30. I keep it in a rack-mount 4U case, which is bigger than it needs to be, but allows a silent 120mm fan. Power efficiency really does add up, so I didn't mind spending $500 for an all-new motherboard, memory, platinum-rated PSU and server case. The electricity bill savings will cover the difference over a few years, during which I will certainly still be using it.
     
    It actually uses less power than my wireless access point.
     
     
  23. Like
    pfSense_fan reacted to hammerman in How To Set Up pfSense 2.3 for AirVPN   ...
    All is good now.
    Followed the guide to a "t" and it worked without a hitch.
     
    thanks !
  24. Like
    pfSense_fan reacted to go558a83nk in How To Set Up pfSense 2.3 for AirVPN   ...
    Just want to thank you again and say that more people should take advantage of your guide here and begin using a pfsense machine with a decent CPU. I can now run my AMD APU at 1400MHz (minimum state in powerd) and still max out my ISP line through the OpenVPN tunnel to Air (120mbit/s). That's only 200MHz faster than my router, which struggled to do 50mbit/s, and it runs nice and cool. And my build was only $127, cheaper than a nice router.
  25. Like
    pfSense_fan got a reaction from zhang888 in How To Set Up pfSense 2.3 for AirVPN   ...
    pfBlockerNG worked for me on all of my VMs while testing 2.3.
     
    I had some oddities with system tunables when going the upgrade route, but when I did a clean install everything worked well, beyond well. I did not restore all settings. I restored my aliases, but manually programmed everything else. I feel it was worth it.
     
    There were some buggy issues on 2.2.6 with the DNS Resolver not taking the settings that were input all of the time; this seems to be fixed in 2.3. That bug carried over on upgrades, but is non-existent with the clean install.
     
     
    I cannot stress how much I recommend upgrading for all of the security and performance upgrades this offers.