pfSense_fan

pfBlockerNG worked for me on all of my VM's while testing 2.3.
 
I had some oddities with system tunables when going the upgrade route, but when I did a clean install everything worked well, beyond well. I did not restore all settings. I restored my aliases, but manually programmed everything else. I feel it was worth it.
 
There were some buggy issues on 2.2.6 with the DNS Resolver not taking the settings that were input all of the time, this seems to be fixed in 2.3. That bug carried over on upgrades, but is non existent with the clean install.
 
 
I cannot stress how much I recommend upgrading for all of the security and performance upgrades this offers.

Correct, the update migrates to the DNS Resolver, and the guide will focus on AirVPN DNS. The user can use the DNS of their choice.
 
 
 
 
No joke, I thought about this as I lay in bed last night. Problem is I have never attempted it. I would like to add this but have no timetable for such an addition. Once I'm done with the core parts of the guide I will explore this, but that's not saying much for when that might be.

REQUESTING FEEDBACK AGAIN!

 

 

As I go through and reorganize the guide, there is a need to change the "basic" firewall rules that this has utilized. I intend to be a bit more in depth going forward.

That being said, I have an tweak that I want to use, but want to make sure others agree it is a good idea. This tweak has to do with DNS and NTP.

 

More and more these days, IoT devices, apps and any number of devices are coming hard coded with DNS and NTP servers. Apple devices such as iphones and ipads query hard coded NTP.  Android apps are coded for google DNS. New Netflix apps are hard coded for google DNS as well. The list goes on. For a number of reasons, this can lead to configuration and/or security issues. Many of these devices and apps do not have an option to change these settings.

 

I can make a firewall rule that will redirect all requests for DNS and all requests for NTP to the server of our choosing, best served by pfSense itself since it acts as a DNS caching server and NTP server. In the case of trying to get such devices and apps to use AirVPN's DNS for anti georestriction reasons or other, this is the best fix.

 

I use this method and have for a few years. The question is, do you see the value in it as well? Should i include this as part of the guide? I feel like yes since this is a growing trend in devices and apps, but don't want to force my views on others.

 

Let me know, discuss.

If you are using the DNS Forwarder, change the DNS entries on the General settings page to your DNS of choice and select the gateway you want to make the request on in the drop down box to the right of it.
 
If you are using the Resolver, enter you DNS of choice on the General settings page, select the gateway as "None" in the drop downs. The go to the Resolver settings and select only the VPN gateway from the "Outgoing Network Interfaces".
 
 
If you are allowing clients to query other dns servers, you need to make a policy based firewall rule that tells all traffic destined for your DNS server of choice on port 53 to go out the vpn gateway. do this by selecting the gateway from the advanced otions. this firewall rule needs to be at the top of the list on the interface you are on.

To any users who use, rely on or are thinking about using this guide and pfSense to connect to AirVPN...

 

I AM LOOKING FOR SOME FEEDBACK BEFORE I PUT THE FINAL TOUCHES ON UPDATING THIS GUIDE!

 

In updating this guide to use the DNS Resolver instead of the DNS Forwarder, a number of changes were required. The order of the steps even had to be changed. I have worked out the new order of things, and am in the process of touching up details and the BBCODE I use. As I do that I have an itch to slightly evolve the guide to be a bit more in depth and probably a bit more complicated. With that said, it would also be more secure. I am thinking about adding in a step to create a group of aliases that would in turn assist in creating more in depth firewall rules.These settings have extensive testing by myself and others for over a year now, if not two.

 

So to you, who uses this, does that sound like something you would want to venture into, taking this to the next step?

 

Please let me know! Discuss!

Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.
Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all version prior to pfsense 2.3)
 
 
As always, feedback is welcome and encouraged.

Step 3: Setting up the OpenVPN Client - Has been thoroughly updated to align with the GUI settings of 2.2.6, plus some other tweaks that I believe should be used.
Step 5: Setting the AirVPN Gateway - Has had minor pfSense 2.2.6 GUI appearance tweaks and minor settings tweaks (now recommend to disable gateway monitoring on all version prior to pfsense 2.3)
 
 
As always, feedback is welcome and encouraged.

For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to al all or postpone updating to 2.3.
 
The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up it's sleeve.
 
I am going to offer it up differently than I originally did with the forwarder. Instead of useing clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any Clear-Net interfaces will have to hand out external public DNS if the user desires it.
 
This could cause some confusion, as if the vpn goes down so to will the DNS Resolver. Others will find that fact desirable. I don't find it desireable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and it's DNS block list functionality.
 
In the interim, any and all constructive criticism  is welcomed. As some know, I made this guide in my head to help users get started, my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.

For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to al all or postpone updating to 2.3.
 
The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up it's sleeve.
 
I am going to offer it up differently than I originally did with the forwarder. Instead of useing clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any Clear-Net interfaces will have to hand out external public DNS if the user desires it.
 
This could cause some confusion, as if the vpn goes down so to will the DNS Resolver. Others will find that fact desirable. I don't find it desireable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and it's DNS block list functionality.
 
In the interim, any and all constructive criticism  is welcomed. As some know, I made this guide in my head to help users get started, my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.

For anyone who is interested, I am working on some final updates to this guide to bring it up to 2.2.6 (or 2.2.7 if they for some reason have another release before 2.3). I want to leave this guide up to date for the final 2.2.x release for those who choose not to al all or postpone updating to 2.3.
 
The main update will be including how to use the DNS Resolver. The Forwarder (DNSMasq) works fine, but the Resolver (Unbound) has some nice features up it's sleeve.
 
I am going to offer it up differently than I originally did with the forwarder. Instead of useing clear-net DNS for the system and handing out the VPN DNS via DHCP, I intend to reverse that. The system will use the VPN DNS and any Clear-Net interfaces will have to hand out external public DNS if the user desires it.
 
This could cause some confusion, as if the vpn goes down so to will the DNS Resolver. Others will find that fact desirable. I don't find it desireable myself, but to make the most use of the Resolver (Unbound) it needs to be. Unbound supports DNSSEC. This also allows users to make the most of the pfSense package "pfBlockerNG" and it's DNS block list functionality.
 
In the interim, any and all constructive criticism  is welcomed. As some know, I made this guide in my head to help users get started, my own setup is more complex, so I can't just refer to my own install. If anything else causes confusion or needs a tweak, please let me know.

NOTE: THIS IS AN ALTERNATE “STEP 7”



INTENDED FOR THOSE USING 2 NIC's


 

IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE.


 
 






 
 



 
Setting Up pfSense for AirVPN



Using 2 NIC's


 

Step 7: Setting up the LAN (VPN) Interface


 
 




 
A:) Configuring the Interface


 
1.) Go to: Interfaces > Assign

http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php 
Here you will find your assigned interfaces. If you assigned them during original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier.
 
2.) Select the LAN interface.
 
Set it as follows: (NOTE: Some of these settings may be  set by default, edit as neccesarry.)
--General configuration
Enable = [✔] (CHECKED)
Description = [✎  LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)
 
3.) Click [save]
 
4.) Click [ Apply Changes ]
 



 
 
B.) Seting up the DHCP Server for the LAN Interface


 
1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 
2.) Ensure the "LAN" tab is selected
 
3.) Set as follows:
(NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
Enable DHCP server on LAN interface = [✔] (CHECKED)
Range = [✎  192.168.1.100 ] to [✎  192.168.1.199 ]
DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!)
 
4.) Click [sAVE]
 
5.) Click [ Apply Changes ]
 



 
 
C.) Setting up the Outgoing NAT for the LAN Interface.


 

C.) NOTE: The only outbound NAT rule/s there should be are  the one/s we create. If there are others that were/are automatically created, DELETE THEM!!!


 
1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)
 
3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.
 
4.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ Any ▼]
Source = Type: [ Network ▼]
               Address: [ 192.168.1.0 ] / [ 24 ▼]
               Source port: [_____] (empty/blank)
Destination: Type = [  Any ▼]
Translation: Address = [ Interface Address ]
Description = [ LAN -> AirVPN_WAN ]
 
5.) Click [ SAVE ]
 
6.) Click [ Apply Changes ]
 



 
 
D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.


 
*NOTE: There are FOUR necessary rules for the LAN interface.  If there are any other rules, just delete them.
 



 
 
First LAN Firewall Rule:



”ALLOW_AirVPN_DNS”


 
The first LAN Firewall rule will allow DNS requests only to AirVPN DNS.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and[/u][/b] create a rule we will title "ALLOW_AirVPN_DNS"
 
Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [ LAN ▼]
TCP/IP Version = [ IPv4 ▼]
Protocol = [ UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Single host or Alias ▼]
                     Address: [ 10.4.0.1 ]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [_] (UNCHECKED)
Description = [✎ ALLOW_AirVPN_DNS]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Second LAN Firewall Rule:



"BLOCK_DNS_LEAKS_VPN"


 
The second LAN rule will block all DNS requests that we do not explicitly allow.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".
 
Set as follows:
Action = [ Reject ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [uDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_VPN]
*** For this rule we will NOT set the advanced setting for gateway
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Third LAN Firewall Rule:



"Allow LAN Outbound"


 
The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule"
 
Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [_] (UNCHECKED)
Description = [✎ Allow LAN Outbound]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Fourth LAN Firewall Rule:



"BLOCK ALL ELSE LAN"


 
The Fourth and final LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface.
 
1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
 
Set as follows:
Action = [block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [✔] (checked)
Description = [✎  BLOCK ALL ELSE LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 



 
 
E.) Checking That Our Firewall Rules Are In The Correct Order


 
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.)The order of the rules we just created is important!
They should appear in this following order when viewed:
ALLOW_AirVPN_DNS
BLOCK_DNS_LEAKS_VPN
Allow LAN Outbound
BLOCK ALL ELSE LAN
 
ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!
 
3.) Click [save]
 
4.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 
5.) Click [Yes] to Reboot
 



 
 
 
 





 
That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!


 
 

Excellent! Welcome aboard!
 
 
It's funny really, I wrote the guide in only a few hours, but spent free time over months learning BBCODE and getting it to look good and organized on a forum. I now have blank formatted documents for things like firewall rules and NAT rules etc for quick additions and editing.
 
I'm glad you printed it, it's why I wrote my guide in text rather than pictures. What good are pictures if you don't have internet while setting this up! You made use of it as i pictured it should be, glad it worked out that way.
 
 
I would love to hear any and all feedback! SOme things such as subnet/net are not typos though... some things are simply changes from 2.1 to 2.1.3. Any feedback will help me update such things!
 

Preface
   




 
 
Here is a guide on how to set up pfSense 2.1 as a firewall, router and OpenVPN client for connecting to AirVPN and Clear-Net using three or more NIC's.
   


 
 
Why pfSense?
  PfSense is a firewall distribution based on FreeBSD and forked from m0n0wall. The primary focus of pfSense is security, not features as many consumer products are. It is not prone to the weak security and vulnerabilities that many consumer routers are. Because it is based on PC hardware, it is also far more powerful. As where an OpenVPN client on a consumer router might max out at 20-30 Mbit / sec, The newest generation of Xeon E3 12XX V3 could do upwards of 500 Mbit / sec on a properly configured pfSense install. For most of us that is far more than our ISP's even provide us with. Personally I have seen speeds as high as 150 Mbit / sec, and can easily get 60-75 Mbit / sec through the VPN when my use demands it, but I am limited by my ISP. If you have ever wondered how people accomplish the speeds they do on the status page, consider that I have been in that #1 spot more than once and frequently appear in the top 10.
 
Some other considerations on “Why pfSense”? Your entire network can be protected by a strong firewall and routing all trafic through your AirVPN connection, not just one device, without even a hint of slowing down your connection. For the more advanced user, you can even set up an OpenVPN SERVER and remotely connect your mobile phones, tablets, laptops and any other device you wish to your firewall and then route that traffic out through your AirVPN connection as well. This is exactly what I do. I route my mobile devices though the firewall which allows me to scan that traffic for viruses, firewall it and encrypt it with the VPN. At a later date I will also make a tutorial on how to accomplish this.
 
pfSense also has a “Packages” system for adding more things such as “pfBlocker” which is similar to peerblock. Other packages include Snort (Intrusion Detection), Squid (Caching proxy, the newest version has anti-virus and can even scan SSL on your network if you permit it) and Dansgaurdian (content filter). These can enhance your security if used properly.
 
There are many more reasons on top of this as well. Simply put; I have yet to find a better solution for connecting with AirVPN.
 
 


 
 
Why I made this guide.
  After searching for many months on how to correctly accomplish this, I was unable to find proper documentation. After months of piecing together the information I did find combined with tedious testing of settings not documented elsewhere, I started to document what I learned as I was also helping others get set up. I also wanted to document this for my own use, although at this point I know this like the back of my hand. After seeing more and more people have questions on using pfSense on AirVPN I decided to share what I learned and continue to learn. It is my hope that in using this guide, I can help others gain confidence in understanding and using pfSense, both in general and with AirVPN.
 
Further more, I believe strongly in the mission statement of the folks at AirVPN, and this is my thank you to them for offering a great service and an avenue for those that truly need privacy and anonymity. I can only hope this guide will some day help someone communicate important information or avert oppression and censorship.
 


 
 
Things to Consider Before Following This Guide
   
 
THIS TUTORIAL IS INTENDED TO BE USED ON A FRESH INSTALL OF PFSENSE!!!
  Everything in the following tutorial assumes your settings are as they were, default, after a fresh install. You most certainly can add to it, especially firewall rules, when set correctly. Many people will have many uses requiring additional settings. I consider these variables to be outside the scope of this tutorial as this is aimed at beginners. I cannot guarantee functionality if you attempt to integrate this guide into your previous settings. Therefore, these issues and settings will not be addressed in the tutorial, but are welcome in discussion in replies to the guide.
 

 
 
THIS TUTORIAL IS INTENDED FOR THOSE THAT NEED CONNECTIONS TO BOTH CLEAR NET AND VPN
  Most users will need connections for some of their devices through the clear net just as I do for things such as VOIP and gaming. Setting it up this way also has the added benefit that if the VPN fails you do not need to reconfigure anything to test why it failed. Constantly having to reconfigure things is a quick way to forget something and poor planning with security. This is why I STRONGLY recommend the use of 3 or more network interface cards. This creates a sort of “Air Gap” between the clear-net and VPN configured networks, considering you have to physically move a network cable to access the different networks. In fact, I personally do not condone the use of only two interfaces for beginners for this reason. I have however, as a courtesy, added a basic addendum to the guide for those who choose to go this route. There is no clear-net configured interface in the two interface guide, only VPN. If the VPN goes down, internet connectivity will go down. I do not use this method myself, and made that section “in my head”. If it needs amending, users of it will need to notify me. I will update that section, although not as frequently as the main guide.
 

 
 
THIS TUTORIAL IS INTENDED FOR BEGINNERS AND THOSE WHO ARE OTHERWISE NOT CONFIDENT IN WHAT THEY ARE DOING
  “Tim Toady” - There's more than one way to do it. As the old saying goes, there is more than one way to skin a cat. Well, on pfSense there are quite a few different ways to go about setting it up for using it with AirVPN. I want to make this clear up front that this tutorial is not the only way to set this up. I'm not going to cover them all, in fact I'm not going to cover any other method than the one I believe to be the safest, easiest and most noob proof. I have added in a few steps (Dropping all states and preventing the gateway from re-routing if the VPN drops as well as blocking all other DNS other than the one we intend to use – the AirVPN DNS or otherwise) that go beyond just “getting it to work” because they further secure the setup for VPN uses. I consider these basic security precautions part of a basic guide to using a VPN, not a later addendum. I intended this to be educational to those who don't know or are not quite confident in what they are doing. If this does not suit your uses or you have your own security policies you choose to follow, you are free to play with my settings as you see fit or use a different guide. If you have constructive criticism or insight on further security policies I’d love to hear it. This tutorial was never intended for experienced users who just wanted to get OpenVPN going. It was meant to give someone who has no previous experience with a commercial firewall the tools they need to make the jump away from weak and insecure consumer grade equipment. The focus will continue to be with that in mind.
 

 
 
ON THE SUBJECT OF DNS LEAKS
NOTE: READ AND UNDERSTAND THIS IN IT'S ENTIRETY
  DNS leaks are not an "issue" on pfSense or its core underlying operating system, FreeBSD. DNS leaks are primarily an issue on Windows operating system. If pfSense is set correctly, the OPERATING SYSTEM will not leak a DNS request. If we tell an interface to use a specific DNS server, it will. It (pfSense) will not send a request out of an alternate interface or gateway.
 
That being said, an uninformed user, foreign hardware (mobile devices etc) or program may try to contact an alternate DNS server from behind the firewall. This can be harmless (an uninformed user contacting an external DNS), or this could be a malicious attack (DNS Hijacking or DNS Rebinding Attack). This is not a fault of pfSense, and the following scenario can happen on ANY platform. A virus, worm, or malicious browser code could hijack and reroute the DNS request to a poisoned or malicious server. This could lead to you seeing an incorrect hijacked web page and could be an attempt to expose you by an adversary. I have added this consideration to the firewall rules that protect against this. IT SHOULD BE NOTED HOWEVER THAT EVEN IF A USER OR PROGRAM SOMEHOW USED AN ALTERNATE EXTERNAL DNS, IT IS NOT A "LEAK" IN THE SAME SENSE THAT IS OFTEN DISCUSSED ON THE AIRVPN.ORG FORUMS. That type of leak requires that a DNS request would leave your network on an interface other than the one you intended (In our case this would mean it would leave an interface other than the AirVPN_LAN or AirVPN_WAN). In the event that a program (malicious or not) sent out a request to an EXTERNAL DNS server other than AirDNS, if all of our settings are set correctly it would still go through the VPN we have set up. While this prevents an outside observer from knowing exactly who is sending the DNS requests, it does not stop this alternate DNS from replying with a poisoned site. The only real way a DNS LEAK would happen is through user error with the DNS Forwarder settings. WE CANNOT SHARE THE DNS FORWARDER BETWEEN CLEAR-NET AND VPN CONFIGURED INTERFACES. Even though we will configure DNS for VPN interfaces through DHCP, at this point (and without further intervention) the DNS forwarder is still ACCESSIBLE from any device behind a VPN configured interface. We need to manually block this availability to prevent devices from unknowingly causing leaks. If you have a wireless network behind a VPN interface, and a mobile device with a manually configured DNS of 192.168.1.1 entered the network, it would cause a DNS leak unless we create a firewall rule to block such connectivity. THIS COULD POTENTIALLY EXPOSE THE VPN USER WITHOUT SUCH A RULE. The way the DNS forwarder works is it sends queries to and then collects (caches) information from all DNS servers entered on the general settings page. If you were to use VPN and Clear-net DNS, it would send requests potentially inside and outside (or just outside) the VPN tunnel. Avoiding this has been covered in the guide, where I explain two steps to isolate VPN DNS requests from those of clear-net requests - how to set the DNS servers for VPN interfaces through DHCP and firewall rules to block all DNS requests to anything that we do not explicitly allow, including the built in DNS forwarder. These blocks are necessary to prevent accidental or malicious DNS leaks and hijacking.
 
As a bonus, I have added a section at the end of the “Setting Up the DNS Forwarder” section describing how to verify your DNS settings are working within the firewall. I also added instructions at the very end of the tutorial for Windows and Wine users on how to internally and externally test for DNS leaks.
 

 
 

 
ON THE SUBJECT OF IP LEAKS
  When using a VPN configured interface according to the steps in this guide, If the VPN fails, all states are cleared and the connection is severed. Even if the connection somehow did not drop, the “Block All” firewall rule which is addressed in this guide will block any attempts for a connection that does not go out the AirVPN_WAN gateway. In this, redundancies are in place to block IP leaks.
 


 
 
Why multiple Network Interface Cards?
Why use both clear-net and AirVPN?
Why not force all traffic through the VPN?
  These questions can all be summed up into one answer. I have many devices and many users connected in my residence. I needed a method to divide, isolate, protect and route these devices and users. With the use of multiple subnets on multiple NIC's I can achieve this while also maintaining very specific firewall rules for each interface. As an example, one setup I have used was as follows:
 
WAN
LAN
XBOX
VOIP
AirVPN_WAN
AirVPN_LAN_1
AirVPN_LAN_2
AirVPN_LAN_3
AirVPN_LAN_4
 
I needed a setup that allowed Clear-Net access for the Firewall, LAN (to ensure connectivity even if the VPN goes down), XBOX and VOIP interfaces, while requiring the AirVPN_LAN interfaces to route through my AirVPN OpenVPN client. This also required no leaks, either IP or DNS. This guide accomplishes that by explaining how to set up one interface for clear-net and another for VPN access. This can then be extrapolated for additional interfaces of either sort.
 
I do not suspect the average user will go the same route as I have (having 8+ NIC's), but quad port NIC's and motherboards that include quad port NIC's and on board low power VGA are becoming common and recommended for this use.
 


 
 
What kind of hardware can run pfSense?
  While the quick answer is “pretty much any pc equipment” there are many considerations for this such as cost of hardware, energy efficiency and how it will be used. Will you use packages such as Snort? How much memory is really required? How “fast” is your internet connection? How long do you intend to use this? At the time of this writing, I personally recommend Rangely or Avoton (Rangely is intended for network devices, Avoton has turbo boost) based Intel Atom boards or the newest generation of Xeon E3 12X0 V3 processors(Ones without graphics on the chip). There is a number of motherboards from SuperMicro and ASRock that have Quad Port Intel Server Class NIC's built onto the board as well as having built on VGA. I cannot stress how much and why I recommend these. Having those on board saves a lot of money and hassle as many cheap motherbord NIC's are not supported as where the Intel Server NIC's are well supported. Those processors also have built in encryption “instructions” (AES-NI, RDRAND) that OpenVPN/OpenSSL can take advantage of and they are quite energy efficient. Energy efficiency must be considered, as the cost of electricity to run an older piece of hardware could easily pay itself off in 1-2 years of running. There certainly is nothing wrong with using equipment you have laying around, however I do not advocate seeking for purchase or “upgrading” old hardware in any way. I consider it a waste of money when considering performance and electrical/upgrading costs over that of new hardware. Ultimately you must decide what you want, what you need and how much to spend on the build.
 
(Eventually I will post links to the hardware I suggest with a more in depth explanation of why)
 
 




 
 
A general disclaimer about this guide
  I wrote this guide under my own free will and provide it for all to use. I am not in any way affiliated with pfSense, AirVPN or any of the hardware manufacturers mentioned in this article. This guide was formed from research, trial and error and extensive testing. I make no guarantee of this article's accuracy further than to say it works for me. Under no circumstance will myself or any of the previously mentioned entities be responsible for your choice to use this guide, successes or failures in using it, or any further support. Like anything in life, you should research accordingly and use your best judgement.
 
 




 
 
Last but not least, I want to say thank you to user Refresh for his participation and support in the making of this, which without that support this may not have been possible!
   




 
 
Time to get started!
   




 

ATTENTION!
All those who follow this guide, please be advised...
 
 





 
 
I just wanted to give everyone who follows this guide a heads up that in the next week or two i will be "ending support" for this guide as it now stands.
 
Over the next few days I will be making some tweaks to the guide that will require everyone's attention if you want to have the tidiest and most functional setup while using the method I described here.
 
If anyone has any questions or suggestions, now is the time to speak up. Although I will still be "around" here and there and will gladly help, I am moving on to bigger and better things.
 
This guide works, but it could be better and I know that now. I don't however have the time to create a new one at this junction. I've spent a portion of each and every free day I've had over the last ten months researching and sharing what I've learned about this stuff.  That is way more time than I ever imagined or intended, way too much time... and now life beckons. I no longer have free time to spare so I leave you all with this guide as it is, which should suffice at least until pfSense 2.2 comes out.
 
I learned so much all along the way while making this guide. I hope you all did too!

In the wake of the Heartbleed Bug, the OpenBSD Foundation has begun a fork of the OpenSSL source code. Enter LibreSSL.
 
In one week they have removed 90,000 lines of C code and 150,000 lines of content that they say was old or unused.
 
For those not familiar with OpenBSD, they are a non-profit and are security centric in the coding of their software. Part of their culture is to frequently perform group audits of their code. PF, or Packet Filter, was originally designed by them and is the underlying firewall engine of pfSense, which I trust to keep me secure. As Pointed out by another user, they also maintain the OpenSSH project, used by many. In short they for a long time have played a big part in keeping many of us secure.
 
They are implementing the first release of LibreSSL into OpenBSD 5.6 and then working on porting it to other OS's
 
I personally am excited about this. I think this has good potential for future releases of OpenVPN and ultimately our uses with VPN. 
This perhaps might be a good candidate for AirVPN's No-Profit Community initiative. While some may consider this sentiment premature, this seems like a probable evolution of the Open Source SSL Library most will end up using. It only makes sense as their team seems to keep up with routine audits.
 
Further reading:
http://www.libressl.org/
http://www.openbsdfoundation.org/
http://www.openbsdfoundation.org/donations.html
http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016
WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
   




 
 
pfSense_fan's Guide
How To Set Up pfSense 2.1 for AirVPN
Using Three or more NIC's
 Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
 



 
 
 
Table of Contents:
Preface Understanding Certificates and OpenVPN Config Files on pfSense Understanding OpenVPN Settings on pfSense Step 1: Entering our AirVPN CA (Certificate Authority) Step 2: Entering our AirVPN Certificate and Key Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface Step 5: Setting up the AirVPN Gateway Step 6: Setting up the DNS Forwarder Step 7: Setting up the LAN Interface Step 8: Setting up the AirVPN_LAN Interface Step 9: Setting Misc Advanced Options (Optional) Step 10: Setting Bootloader and System Tunables (Optional) Step 11: Setting Advanced OpenVPN Options (Optional) Alternate Step 6+7 For Dual (Two) NIC installs
 

 



 

I recalled someone posting to say they worked it out and I knew I bookmarked it. I have not tried this myself but here is the post.
 
Edit: Just had to ask... have you tried the alternate entry and or ports? My isp throttles most, but a few slipped by them and it works fine without.

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016
WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
   




 
 
pfSense_fan's Guide
How To Set Up pfSense 2.1 for AirVPN
Using Three or more NIC's
 Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
 



 
 
 
Table of Contents:
Preface Understanding Certificates and OpenVPN Config Files on pfSense Understanding OpenVPN Settings on pfSense Step 1: Entering our AirVPN CA (Certificate Authority) Step 2: Entering our AirVPN Certificate and Key Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface Step 5: Setting up the AirVPN Gateway Step 6: Setting up the DNS Forwarder Step 7: Setting up the LAN Interface Step 8: Setting up the AirVPN_LAN Interface Step 9: Setting Misc Advanced Options (Optional) Step 10: Setting Bootloader and System Tunables (Optional) Step 11: Setting Advanced OpenVPN Options (Optional) Alternate Step 6+7 For Dual (Two) NIC installs
 

 



 

Overview

We host a XMPP (Jabber) server, with A-A security rating. We recommend to use only OTR compatible client.

It's available for free to every member of this website.

This forum is open to already available or new guides, tutorials or discussions (even about XEP).


Recommended client

OS X: Adium
Windows, Linux: Pidgin
Android: Xabber

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 6: Setting Up the DNS Forwarder
  


 
 
NOTE: Here we are going to disable the DNS Forwarder for VPN interfaces (DNS for VPN will be set through DHCP on a PER-INTERFACE BASIS), while leaving the Forwarder enabled for the LAN interface as well as the Firewall (Localhost) itself. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL/LAN (CLEAR-NET) AND THE AirVPN_LAN (VPN). THE DNS FOR THE AirVPN_LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING STEP 8 GUIDE. Please also note that if done correctly there is no chance of DNS “leaks” (As explained in the Preface), and further, we will be creating firewall rules to prevent DNS hijacking.
 
Pay extra attention to this section. This seems to be a troublesome area for many, and is easily the biggest concern for a “leak” (we cannot share the DNS Forwarder) if a setting were to be configured incorrectly. That being said, we need to enter DNS servers on the General Setup page for the firewall to use and for initial connection to AirVPN when using URL's such as the entry address for the whole Earth or individual countries. This method also makes the firewall run more reliably as it does not require re-configuring if the VPN fails. In the event the VPN does fail, all states are dropped and the connection is severed provided you followed the instructions on setting up the gateway correctly. I suggest using OpenNIC DNS servers, however I will use OpenDNS since I cannot look up the appropriate OpenNIC servers for you. You may use the public DNS servers of your choice or ones your ISP provides (not recommended) if you wish.
 Setting DNS Options Under the General Setup Page
 1.) Go to: System > General Setup: DNS servers
http://192.168.1.1/system.php -or- https://192.168.1.1/system.php Set as Follows:
 
DNS Server –- Use gateway
[✎ 208.67.222.222 ] [ WAN_DHCP ▼]
[✎ 208.67.220.220 ] [ WAN_DHCP ▼]
[✎ (empty) ] [=== None === ▼]
[✎ (empty) ] [=== None === ▼]
 
[_] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED
[_] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED
 
2.) Click [save]
 


 
 
 
Setting the DNS Forwarder Options
 1.) Go to: Services > DNS Forwarder
http://192.168.1.1/services_dnsmasq.php -or- https://192.168.1.1/services_dnsmasq.php Set as Follows:
 
--General DNS Forwarder Options
Enable = [✔] Enable DNS forwarder (CHECKED)
DHCP Registration = [_] Register DHCP leases in DNS forwarder (UNCHECKED)
Static DHCP = [_] Register DHCP static mappings in DNS forwarder (UNCHECKED)
Prefer DHCP = [_] Resolve DHCP mappings first (UNCHECKED)
DNS Query Forwarding = [_] Query DNS servers sequentially (UNCHECKED)
                                     [_] Require domain (UNCHECKED)
                                     [✔] Do not forward private reverse lookups (CHECKED)
Listen Port = [______] (Empty/Blank)
Interfaces = ***SEE STEPS BELOW
By default all interfaces are selected. This may show up as “All” being highlighted, or each individual interface being highlighted. Using the Ctrl key, DESELECT AS NEEDED, AND ENSURE ONLY LAN AND LOCALHOST ARE SELECTED/HIGHLIGHTED. IT IS CRITICAL YOU GET THIS SECTION CORRECT.
 
[✔] Strict Interface Binding
 
Advanced = [Advanced] - Show advanced options (UNCHANGED)
 
2.) Click [save]
 
3.) Click [ Apply Changes ]
 


 
 
 
Verifying Our DNS Settings (Optional Step)
 Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built in feature of the firewall.
 
1.) Go to: Dianostics > DNS Lookup
http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php Set as Follows:
Hostname or IP = [ airvpn.org ]
 
2.) Click [ DNS Lookup ]
 
3.) Verify the results:
Hostname or IP = [ airvpn.org ] = 95.211.138.143
If 95.211.138.143 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.
 

 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 5: Setting the AirVPN Gateway
  


 
 
1.) Go to: System > Routing
http://192.168.1.1/system_gateways.php  -or-  https://192.168.1.1/system_gateways.php 2.) Find and select the [+] on the same line asAirVPN_WAN_VPN4
***** NOTE: BE VERY CAREFUL OF WHICH [+] YOU SELECT HERE. “MOUSING OVER” THE [+] BUTTONS WILL REVEAL THEIR TITLE. DO NOT SELECT THE ONE FOR WAN DHCP! What you will see here may vary. When I got to this point in my setup I had two gateways that were added but not yet enabled, You may only see your default/WAN gateway until you add a new one. I had AirVPN_WAN_VPN4 (IPv4) and AirVPN_WAN_VPN6 (IPv6, if you have IPv6 disabled you will not see this). You are not able to edit the names of these gateways. What I did to get around this was to create a new IPv4 gateway (by clicking the [+] on the same line as AirVPN_WAN_VPN4) and give it the name I wanted (AirVPN_WAN). Then, after saving this new interface, the old AirVPN_WAN_VPN4 Gateway will have automatically have been deleted. If IPv6 is not disable on your system, ignore the “grayed out”/disabled AirVPN_WAN_VPN6. It cannot be deleted, only made to disappear if you disable IPv6. I will not go into how to do that at this time.
 
3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it.
 
Set as follows:
Disabled = [_] (UNCHECKED)
Interface = [AirVPN_WAN ▼]
Address Family = [iPv4 ▼]
Name = [✎ AirVPN_WAN]
Gateway = [dynamic]
Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)
Disable Gateway Monitoring = [√] (CHECKED) The monitoring servicve has caused more issues then it has corrected as of late, so we will disable it.
Monitor IP = [______] (Blank) If you do decide to enable this, set it to 10.4.0.1
Mark Gateway as Down = [_] (UNCHECKED)
Advanced = **Unchanged**
Description = [✎ AirVPN_WAN]
 
***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as:
write UDPv4: No buffer space available (code=55)The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct! 
4.) Click [save]
 
5.) Click [Apply Changes]
 


 
 
 
6.) Go to: System > Advanced >Miscellaneous
http://192.168.1.1/system_advanced_misc.php  -or-  https://192.168.1.1/system_advanced_misc.php 7.) Find the section titled “Gateway Monitoring”
*****NOTE***** The following settings are important!!!
 
Set as follows:
State Killing on Gateway Failure = [_] (NOT CHECKED!!!)
Skip rules when gateway is down = [√] (CHECKED)
 
8.) Click [sAVE]
 
 


 
 
9.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php  -or-  https://192.168.1.1/reboot.php 10.) Click [Yes] to Reboot
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 4: Assigning the OpenVPN Interface
  


 
 
1.) Go to: Interfaces > Assign
http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php 2.) Find and select the [+] on the lower right for “Add Interface”
A new interface should appear - [ovpnc1(AirVPN) ▼]
 
3.) Click [save]
 
4.) While still on the assign interfaces page, find the link for your newly created “ovpnc1” interface and select it. This will bring you to the configuration page for this interface.
 
Set as Follows:
--General configuration
Enable = [√] (CHECKED)
Description = [✎ AirVPN_WAN ]
IPv4 Configuration Type = [None ▼]
IPv6 Configuration Type = [None ▼]
MAC Address = [✎_____] (Blank/Empty)
MTU = [✎_____] (Blank/Empty)
MSS = [✎_____] (Blank/Empty)
--Private Networks
Block Private Networks = [_] (NOT CHECKED!!!)
Blocks Bogon Networks = [_] (NOT CHECKED!!!)
 
5.) Click [save]
 
6.) Click [Apply Changes]
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 3: Setting up the OpenVPN Client
  


 
 
1.) Go to: VPN > OpenVPN > Client
http://192.168.1.1/vpn_openvpn_client.php -or- https://192.168.1.1/vpn_openvpn_client.php 2.) Find and select the [+] on the lower right for “Add Client”
 
3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK
 
Set as follows:
 
--General information
Disabled = [_] (NOT CHECKED!!!)
Server Mode = [Peer to Peer (SSL/TLS) ▼]
Protocol = [uDP ▼]
Device Mode = [tun ▼]
Interface = [WAN ▼]
Local Port = [✎ _____] (Blank/Empty)
Server Host or Address = [✎ XXX.XXX.XXX.XXX] IP of your preferred AirVPN Entry (From the "remote" line in the config)
Server Port = [✎ 443] (From the "remote" line in the config)
Proxy Host or address = [✎ _____] (Blank/Empty)
Proxy Port = [✎ _____] (Blank/Empty)
Proxy Authentication Extra Options = [none ▼}
Server Host Name Resolution = [√] Infinitely Resolve Server (checked)
Description = [✎ AirVPN]
 
--User Authentication Settings
User name/pass      Leave empty when no user name and/or password are needed.
                                   Username: [✎ _____] (Blank/Empty)
                                   Password: [✎ _____] (Blank/Empty)
 
--Cryptographic Settings
TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)
                                 [_] Automatically generate a shared TLS authentication key. (NOT CHECKED)
  ___________________________________
 | #
 | # 2048 bit OpenVPN static key
 | #
 | -----BEGIN OpenVPN Static key V1-----
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | -----END OpenVPN Static key V1-----
 |____________________________________
Peer Certificate Authority = [AirVPN_CA ▼]
Cient Certificate = [ AirVPN_CERT ▼]
Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]
Auth Digest Algorithm = [ SHA1 (160 bit) ▼]
Hardware Crypto = SET THIS BASED ON YOUR CPU’s CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RD-RAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance.
 
--Tunnel Settings
IPv4 Tunnel Network = [✎ _____] (Blank/Empty)
IPv6 Tunnel Network = [✎ _____] (Blank/Empty)
IPv4 Remote Networks = [✎ _____] (Blank/Empty)
IPv6 Remote Networks = [✎ _____] (Blank/Empty)
Limit Outgoing Bandwidth = [✎ _____] (Blank/Empty)
Compression = [Disabled - No Compression ▼ ]
Type-of-Service = [_] (NOT CHECKED!!!)
Disable IPv6 = [✔] (CHECKED)
Don't pull routes = [✔] (CHECKED)
Don't add/remove routes = [✔] (CHECKED)
 
--Advanced Configuration
Advanced = (Copy and Paste The following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)
##### CLIENT OPTIONS #####; server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###; explicit-exit-notify 5; ##### TUNNEL OPTIONS #####; ### Use Multple "remote" entries with the according entry IP address of your favorite servers ###; ### other than the server entered in the "Server Host or Address" entry above and pfSense ###; ### will automatically recconnect in a round robin fashion if the server you are connected to ###; ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###; ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###; ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###; ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###; ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###; rcvbuf 262144; sndbuf 262144; mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###; fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###; ###tun-mtu 1500; ###mssfix 1450; ###keepalive 5 15; ##### DATA CHANNEL ENCRYPTION OPTIONS #####; key-direction 1; keysize 256 ### Size of key from cipher ###; prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###; ### replay-window n [t] ### Default = replay-window 64 15 ###; ### mute-replay-warnings; ##### TLS MODE OPTIONS #####; tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###; key-method 2 ### client generates a random key ###; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###; tls-timeout 2 ### Default = 2 ###; ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###; remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###; ### reneg-sec 3600;  Verbosity level = [ 3 (Recommended) ▼ ]
 
4.) Click [save]
 
5.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 6.) Click [Yes] to Reboot
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 2: Entering our AirVPN Certificate and Key
  


 
 
1.) Go to: System > Cert Manager > Certificate Manager
http://192.168.1.1/system_certmanager.php -or- https://192.168.1.1/system_certmanager.php 2.) Find and select the [+] on the lower right for “Add or Import Certificate”
 
3.) Here we will enter a descriptive name and enter our Certificate and Key data.
 
Set as follows:
Descriptive name = [✎ AirVPN_CERT ]
Method = [ Import an Existing Certificate Authority ▼]
Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config):
 
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
 
Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config):
 
<key>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</key>
 
4.) Click [save]
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 1: Entering our AirVPN CA (Certificate Authority)
  


 
 
1.) Go to: System > Cert Manager
http://192.168.1.1/system_camanager.php -or- https://192.168.1.1/system_camanager.php 2.) Find and select the [+] on the lower right for “Add or Import CA”
 
3.) Here we will enter a descriptive name and enter our CA certificate data.
 
Set as follows:
Descriptive name = [✎ AirVPN_CA ]
Method = [ Import an Existing Certificate Authority ▼]
Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>)] - (Everything highlighted LIGHT BLUE in the Sample ovpn config):
 
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
 
Certificate Private Key(optional) = [_____] (Blank/Empty)
 
4.) Click [save]