pfSense_fan

Reputation Activity

  1. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Understanding Certificates and OpenVPN Config Files
     
    I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here.
     
    First, if you have not done so already, we have to download the OpenVPN Config File (.ovpn) for our preferred AirVPN entry server. You can do this by logging into airvpn.org and then proceeding to https://airvpn.org/generator/ . Choose the entry server of your choice (the air entry server can be changed later whenever you need, we will focus on one for this tutorial) by selecting the corresponding check box, then scroll down and select “Direct, protocol UDP, port 443”. Scroll down again and select both check boxes agreeing to the AirVPN terms of service, then click the “Generate” button. Once you have the config file you can open it with your favorite text editor. What you should see will look very similar to the sample ovpn config I pasted below (this one was downloaded for a Windows client). The config is broken into FIVE main parts that we will need to identify for our uses.
     
    The five parts are as follows:
     
      • Settings and Advanced Settings
      • CA (Certificate Authority, everything between <ca> and </ca>)
      • Cert (Certificate Data, everything between <cert> and </cert>)
      • Key (RSA Private Key, everything between <key> and </key>)
      • tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>)
     

    Sample OpenVPN Config File
    We will need to copy these settings from YOUR config file you downloaded from the AirVPN config generator into pfSense to set up our certificates and OpenVPN. DO NOT USE THESE, they are fictional.
     
     
    # --------------------------------------------------------
    # Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM
    # OpenVPN Client Configuration
    # AirVPN_XXXXXXXXXXX-xxxx
    # --------------------------------------------------------
     
     
    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo no
    verb 3
    explicit-exit-notify 5

    <ca>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END RSA PRIVATE KEY-----
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END OpenVPN Static key V1-----
    </tls-auth>
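    The five parts above can be pulled out of a profile mechanically. As an added example (not code from the guide, AirVPN or pfSense), this Python script splits a .ovpn file into its settings and its <ca>, <cert>, <key> and <tls-auth> bodies, returning exactly the text between the tags that the Cert Manager and TLS Authentication boxes expect, and flags the usual paste mistakes: a tag pasted along with its contents, a <key> block carrying a CERTIFICATE header, or a tls-auth key without its key-direction line. The sample profile is constructed; its PEM bodies are placeholders and 203.0.113.10 is a documentation address.

```python
"""Split an AirVPN .ovpn profile into the five parts the post lists and check
each inline block before it is pasted into pfSense.  Added example, not code
from the guide, AirVPN or pfSense.  SAMPLE_OVPN is constructed: the PEM
bodies are placeholders and 203.0.113.10 is a documentation address."""
import re

# Acceptable PEM labels per inline block.  A <key> block that carries a
# CERTIFICATE header is the kind of mix-up this catches.
EXPECTED_LABELS = {
    "ca": ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key": ("RSA PRIVATE KEY", "PRIVATE KEY"),
    "tls-auth": ("OpenVPN Static key V1",),
}
INLINE_TAG = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.DOTALL)


def _code_lines(text):
    """Non-empty lines with '#' comments dropped (the tls-auth block starts
    with a '# 2048 bit OpenVPN static key' banner that must be ignored)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def split_ovpn(text):
    """Return (settings, blocks): the directive lines outside any tag, and
    tag -> text BETWEEN the tags with the tags excluded, which is exactly
    what the Cert Manager and TLS Authentication boxes want pasted."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE_TAG.finditer(text)}
    return _code_lines(INLINE_TAG.sub("", text)), blocks


def check_ovpn(text):
    """Return a list of problems; empty means all five parts look usable."""
    settings, blocks = split_ovpn(text)
    issues = []
    for tag, labels in EXPECTED_LABELS.items():
        if tag not in blocks:
            issues.append(f"missing <{tag}> block")
            continue
        lines = _code_lines(blocks[tag])
        first, last = (lines[0], lines[-1]) if lines else ("", "")
        if first not in {f"-----BEGIN {lb}-----" for lb in labels}:
            issues.append(f"<{tag}> starts with {first!r}, expected BEGIN {' or '.join(labels)}")
        if last not in {f"-----END {lb}-----" for lb in labels}:
            issues.append(f"<{tag}> does not end with the matching END marker")
        if len(lines) < 3:
            issues.append(f"<{tag}> has no data between the markers")
        if any("<" in ln or ">" in ln for ln in lines):
            issues.append(f"<{tag}> body contains a tag; paste only the text between them")
    if "tls-auth" in blocks and not any(s.startswith("key-direction") for s in settings):
        issues.append("<tls-auth> present but no key-direction line")
    return issues


SAMPLE_OVPN = """\
# Air VPN | https://airvpn.org | constructed sample, not a real profile
client
dev tun
proto udp
remote 203.0.113.10 443
resolv-retry infinite
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
explicit-exit-notify 5
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAbodyNOTaREALcertificate000000000000000000000000==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCLIENTcertBodyNOTaREALcertificate0000000000000000==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderKEYbodyNOTaREALprivateKey000000000000000000000000==
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    print(split_ovpn(SAMPLE_OVPN)[0])
    print(check_ovpn(SAMPLE_OVPN) or "no problems found")
```

Run it against your own downloaded profile and paste `blocks["ca"]`, `blocks["cert"]`, `blocks["key"]` and `blocks["tls-auth"]` into the corresponding pfSense boxes only when `check_ovpn` returns an empty list.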
     
     
     


     
  2. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.1 for AirVPN   ...
    *****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
    pfSense 2.3 WAS RELEASED APRIL 12, 2016
    WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
    THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
    I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
    AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
       




     
     
    pfSense_fan's Guide
    How To Set Up pfSense 2.1 for AirVPN
    Using Three or more NIC's
     Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
     



     
     
     
    Table of Contents:
      • Preface
      • Understanding Certificates and OpenVPN Config Files on pfSense
      • Understanding OpenVPN Settings on pfSense
      • Step 1: Entering our AirVPN CA (Certificate Authority)
      • Step 2: Entering our AirVPN Certificate and Key
      • Step 3: Setting up the OpenVPN Client
      • Step 4: Assigning the OpenVPN Interface
      • Step 5: Setting up the AirVPN Gateway
      • Step 6: Setting up the DNS Forwarder
      • Step 7: Setting up the LAN Interface
      • Step 8: Setting up the AirVPN_LAN Interface
      • Step 9: Setting Misc Advanced Options (Optional)
      • Step 10: Setting Bootloader and System Tunables (Optional)
      • Step 11: Setting Advanced OpenVPN Options (Optional)
      • Alternate Step 6+7 For Dual (Two) NIC installs
     

     



     
  3. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Setting Up pfSense for AirVPN
    Using 3 or more NIC's
     Step 4: Assigning the OpenVPN Interface
      


     
     
    1.) Go to: Interfaces > Assign
    http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php
     
    2.) Find and select the [+] on the lower right for “Add Interface”
    A new interface should appear - [ovpnc1(AirVPN) ▼]
     
    3.) Click [save]
     
    4.) While still on the assign interfaces page, find the link for your newly created “ovpnc1” interface and select it. This will bring you to the configuration page for this interface.
     
    Set as Follows:
    --General configuration
    Enable = [√] (CHECKED)
    Description = [✎ AirVPN_WAN ]
    IPv4 Configuration Type = [None ▼]
    IPv6 Configuration Type = [None ▼]
    MAC Address = [✎_____] (Blank/Empty)
    MTU = [✎_____] (Blank/Empty)
    MSS = [✎_____] (Blank/Empty)
    --Private Networks
    Block Private Networks = [_] (NOT CHECKED!!!)
    Block Bogon Networks = [_] (NOT CHECKED!!!)
     
    5.) Click [save]
     
    6.) Click [Apply Changes]
     


     
  4. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Setting Up pfSense for AirVPN
    Using 3 or more NIC's
     Step 3: Setting up the OpenVPN Client
      


     
     
    1.) Go to: VPN > OpenVPN > Client
    http://192.168.1.1/vpn_openvpn_client.php -or- https://192.168.1.1/vpn_openvpn_client.php
     
    2.) Find and select the [+] on the lower right for “Add Client”
     
    3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK.
     
    Set as follows:
     
    --General information
    Disabled = [_] (NOT CHECKED!!!)
    Server Mode = [Peer to Peer (SSL/TLS) ▼]
    Protocol = [UDP ▼]
    Device Mode = [tun ▼]
    Interface = [WAN ▼]
    Local Port = [✎ _____] (Blank/Empty)
    Server Host or Address = [✎ XXX.XXX.XXX.XXX] IP of your preferred AirVPN Entry (From the "remote" line in the config)
    Server Port = [✎ 443] (From the "remote" line in the config)
    Proxy Host or address = [✎ _____] (Blank/Empty)
    Proxy Port = [✎ _____] (Blank/Empty)
    Proxy Authentication Extra Options = [none ▼]
    Server Host Name Resolution = [√] Infinitely Resolve Server (checked)
    Description = [✎ AirVPN]
     
    --User Authentication Settings
    User name/pass      Leave empty when no user name and/or password are needed.
                                       Username: [✎ _____] (Blank/Empty)
                                       Password: [✎ _____] (Blank/Empty)
     
    --Cryptographic Settings
    TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)
                                     [_] Automatically generate a shared TLS authentication key. (NOT CHECKED)
      ___________________________________
     | #
     | # 2048 bit OpenVPN static key
     | #
     | -----BEGIN OpenVPN Static key V1-----
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | XXXXXXXXXXXXXXXXXXXXXX
     | -----END OpenVPN Static key V1-----
     |____________________________________
    Peer Certificate Authority = [AirVPN_CA ▼]
    Client Certificate = [ AirVPN_CERT ▼]
    Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]
    Auth Digest Algorithm = [ SHA1 (160 bit) ▼]
    Hardware Crypto = SET THIS BASED ON YOUR CPU’s CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RDRAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance.
     
    --Tunnel Settings
    IPv4 Tunnel Network = [✎ _____] (Blank/Empty)
    IPv6 Tunnel Network = [✎ _____] (Blank/Empty)
    IPv4 Remote Networks = [✎ _____] (Blank/Empty)
    IPv6 Remote Networks = [✎ _____] (Blank/Empty)
    Limit Outgoing Bandwidth = [✎ _____] (Blank/Empty)
    Compression = [Disabled - No Compression ▼ ]
    Type-of-Service = [_] (NOT CHECKED!!!)
    Disable IPv6 = [✔] (CHECKED)
    Don't pull routes = [✔] (CHECKED)
    Don't add/remove routes = [✔] (CHECKED)
     
    --Advanced Configuration
    Advanced = (Copy and paste the following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)
     
    ##### CLIENT OPTIONS #####;
    server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###;
    explicit-exit-notify 5;
    ##### TUNNEL OPTIONS #####;
    ### Use Multiple "remote" entries with the according entry IP address of your favorite servers ###;
    ### other than the server entered in the "Server Host or Address" entry above and pfSense ###;
    ### will automatically reconnect in a round robin fashion if the server you are connected to ###;
    ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###;
    ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###;
    ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###;
    ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###;
    ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###;
    ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###;
    rcvbuf 262144;
    sndbuf 262144;
    mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###;
    fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###;
    ###tun-mtu 1500;
    ###mssfix 1450;
    ###keepalive 5 15;
    ##### DATA CHANNEL ENCRYPTION OPTIONS #####;
    key-direction 1;
    keysize 256 ### Size of key from cipher ###;
    prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###;
    ### replay-window n [t] ### Default = replay-window 64 15 ###;
    ### mute-replay-warnings;
    ##### TLS MODE OPTIONS #####;
    tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###;
    key-method 2 ### client generates a random key ###;
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###;
    tls-timeout 2 ### Default = 2 ###;
    ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###;
    remote-cert-tls server ### Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###;
    ### reneg-sec 3600;
     
    Verbosity level = [ 3 (Recommended) ▼ ]
     
    4.) Click [save]
     
    5.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
     
    6.) Click [Yes] to Reboot
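    The advanced box in step 3 above is one long paste in which ";" separates options and "#" starts a comment, so it is easy to lose a setting or leave a weak one behind. As an added example (not the guide's or pfSense's code), this Python script splits such a box into the option lines OpenVPN will actually see and audits them for the hardening the guide adds: a TLS 1.2 minimum, remote-cert-tls server, mlock, AES-256 TLS suites, compression left off and well-formed remote lines. ADVANCED_BOX is a constructed, shortened version of the paste text; 192.0.2.x and 198.51.100.x are documentation addresses, not AirVPN servers.

```python
"""Split a pfSense 2.1 OpenVPN client 'Advanced' box into the option lines
OpenVPN will see (';' separates options, '#' starts a comment, as the guide
says) and audit them for the hardening the guide adds.  Added example, not
code from the guide or pfSense.  ADVANCED_BOX is a constructed, shortened
version of the guide's paste text; 192.0.2.x / 198.51.100.x are documentation
addresses, not AirVPN servers."""


def split_advanced_box(box):
    """Return the effective option lines: split on ';', cut each chunk at its
    first '#', drop blanks and collapse whitespace.  Chunks that begin with
    '###' (the guide's spare 'remote' entries) therefore vanish, which is
    exactly what 'commented out' means here."""
    options = []
    for chunk in box.split(";"):
        words = chunk.split("#", 1)[0].split()
        if words:
            options.append(" ".join(words))
    return options


def parse_options(options):
    """Map directive -> list of argument strings.  A directive may repeat
    (several 'remote' lines for round-robin failover), so keep them all."""
    parsed = {}
    for opt in options:
        name, *args = opt.split()
        parsed.setdefault(name, []).append(" ".join(args))
    return parsed


def audit_advanced(box):
    """Return (severity, message) findings; an empty list means the box keeps
    every hardening setting the guide relies on."""
    p = parse_options(split_advanced_box(box))
    findings = []
    tls_min = p.get("tls-version-min", [""])[-1].split()
    if not tls_min:
        findings.append(("warn", "tls-version-min not set; an older TLS version may be negotiated"))
    elif float(tls_min[0]) < 1.2:
        findings.append(("warn", f"tls-version-min {tls_min[0]} is below 1.2"))
    if "server" not in p.get("remote-cert-tls", []):
        findings.append(("warn", "remote-cert-tls server missing; server certificate key usage is not enforced"))
    if "mlock" not in p:
        findings.append(("info", "mlock not set; key material may be paged to disk"))
    if p.get("comp-lzo", ["no"])[-1] != "no":
        findings.append(("warn", "comp-lzo enabled; the guide disables compression"))
    for suite in p.get("tls-cipher", []):
        if "AES-256" not in suite:
            findings.append(("warn", f"tls-cipher {suite} is not one of the AES-256 suites the guide uses"))
    for r in p.get("remote", []):
        parts = r.split()
        if len(parts) < 2 or not parts[1].isdigit():
            findings.append(("error", f"malformed remote line: {r!r}"))
    return findings


ADVANCED_BOX = """\
##### CLIENT OPTIONS #####;
server-poll-timeout 10 ### spend no more than n seconds per server ###;
explicit-exit-notify 5;
###remote 192.0.2.10 443 ###spare server, commented out###;
remote 198.51.100.20 2018;
rcvbuf 262144; sndbuf 262144;
mlock ### keep key material out of swap ###;
fast-io;
key-direction 1; keysize 256;
tls-version-min 1.2;
key-method 2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
remote-cert-tls server;
"""

if __name__ == "__main__":
    for line in split_advanced_box(ADVANCED_BOX):
        print(line)
    print(audit_advanced(ADVANCED_BOX) or "no findings")
```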
     


     
  5. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Setting Up pfSense for AirVPN
    Using 3 or more NIC's
     Step 2: Entering our AirVPN Certificate and Key
      


     
     
    1.) Go to: System > Cert Manager > Certificate Manager
    http://192.168.1.1/system_certmanager.php -or- https://192.168.1.1/system_certmanager.php
     
    2.) Find and select the [+] on the lower right for “Add or Import Certificate”
     
    3.) Here we will enter a descriptive name and enter our Certificate and Key data.
     
    Set as follows:
    Descriptive name = [✎ AirVPN_CERT ]
    Method = [ Import an Existing Certificate Authority ▼]
    Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config):
     
    <cert>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </cert>
     
    Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config):
     
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END RSA PRIVATE KEY-----
    </key>
     
    4.) Click [save]
     


     
  6. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Setting Up pfSense for AirVPN
    Using 3 or more NIC's
     Step 1: Entering our AirVPN CA (Certificate Authority)
      


     
     
    1.) Go to: System > Cert Manager
    http://192.168.1.1/system_camanager.php -or- https://192.168.1.1/system_camanager.php
     
    2.) Find and select the [+] on the lower right for “Add or Import CA”
     
    3.) Here we will enter a descriptive name and enter our CA certificate data.
     
    Set as follows:
    Descriptive name = [✎ AirVPN_CA ]
    Method = [ Import an Existing Certificate Authority ▼]
    Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>] - (Everything highlighted LIGHT BLUE in the Sample ovpn config):
     
    <ca>
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----
    </ca>
     
    Certificate Private Key (optional) = [_____] (Blank/Empty)
     
    4.) Click [save]
     
     


     
  7. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Understanding OpenVPN Settings on pfSense
       




     
     
    Here is the list of settings given to us in the config files we download for a standard UDP connection. Below are descriptions of what they do and where they are located or how they are entered in pfSense.
     
    They are as follows:
    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo no
    verb 3
    explicit-exit-notify 5
    key-direction 1
     
     
    1.) "client" – This setting denotes whether this configuration is for an OpenVPN client or server. We are connecting to AirVPN as clients. There is no corresponding setting in pfSense as we are denoting this by selecting the client tab.
     
     


     
     
    2.) dev tun = "Device Mode" on the OpenVPN client settings page. This setting selects the virtual network type.
     
    From the OpenVPN manual:
       


     
     
    3.) proto udp = "Protocol" drop down selection on the OpenVPN client settings page.
     
     
    From the OpenVPN manual:
       


     
     
    4.) remote xxx.xxx.xxx.xxx 443 = "Server Host or Address" AND "Server Port" entries on the pfSense client settings page. The host or address is the xxx.xxx.xxx.xxx entry replaced by the IP address or hostname of your preferred AirVPN entry server. The port is the 443 that follows, or could be any of the other optional ports you can choose with the config generator. For the purposes of this tutorial I chose to use the basic config of UDP 443.
     
    From the OpenVPN manual:
       


     
     
    5.) "resolv-retry infinite" = The check box next to the "Server Host Name Resolution" titled "Infinitely Resolve Server". From pfSense: "Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet."
     
    From the OpenVPN manual:
       


     
     
    6.) nobind = “Local Port” on the OpenVPN settings page and is set by leaving the entry BLANK or entering a number “0”.
     
    From pfSense: “Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.”
     
    From the OpenVPN manual:
       


     
     
    7.) persist-key = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-key;" but without the quotes.
     
    From the OpenVPN manual:
       


     
     
    8.) persist-tun = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-tun;" but without the quotes.
     
    From the OpenVPN manual:
       


     
     
    9.) remote-cert-tls server = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "remote-cert-tls server;" but without the quotes.
     
    From the OpenVPN manual:
       


     
     
    10.) cipher = "Encryption Algorithm" in the pfSense client settings page. AirVPN uses "AES-256-CBC" according to the config generator files.
     
    From the OpenVPN manual:
       


     
     
    11.) comp-lzo no = The check box labeled “Compress tunnel packets using the LZO algorithm.” on the OpenVPN Client Settings page.
     
    From the OpenVPN manual:
       


     
     
    12.) verb 3 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "verb 3;" but without the quotes.
     
    From the OpenVPN manual:
       


     
     
    13.) explicit-exit-notify 5 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "explicit-exit-notify 5;" but without the quotes.
     
    From the OpenVPN manual:
       


     
     
     
    14.) key-direction 1 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "key-direction 1;" but without the quotes.
     
    From the OpenVPN manual:
       




     
     
     
    Here is the list of settings that are further “pushed” to us when connecting. By entering them manually we take an additional step to prevent the use of or depreciation to “lower”, less secure settings. Below are descriptions of what they do. All of these following settings are entered into the Advanced box on the OpenVPN Client page.
     
     
    They are as follows:
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    keysize 256
    auth SHA1
    key-method 2
     
     
    1.) tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA = OpenVPN > Client > Advanced: tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
     
    This setting is automatically “pushed” when connecting to the server. That being said, it can also be set manually which has the benefit of preventing the use of/falling back to a lower encryption version.
     
    From the OpenVPN manual:
       


     
     
    2.) keysize 256 = OpenVPN > Client > Advanced: keysize 256;
     
    From the OpenVPN manual:
       


     
     
    3.) auth SHA1 = OpenVPN > Client > Advanced: auth SHA1;
     
    From the OpenVPN manual:
       


     
     
    4.) key-method 2 = OpenVPN > Client > Advanced: key-method 2;
     
    From the OpenVPN manual:
       


     
     
     
     
     




     
  9. Like
    pfSense_fan got a reaction from lydianajihah82 in How To Set Up pfSense 2.1 for AirVPN   ...
    Preface
       




     
     
    Here is a guide on how to set up pfSense 2.1 as a firewall, router and OpenVPN client for connecting to AirVPN and Clear-Net using three or more NIC's.
       


     
     
    Why pfSense?
      pfSense is a firewall distribution based on FreeBSD and forked from m0n0wall. The primary focus of pfSense is security, not features as many consumer products are. It is not prone to the weak security and vulnerabilities that many consumer routers are. Because it is based on PC hardware, it is also far more powerful. Whereas an OpenVPN client on a consumer router might max out at 20-30 Mbit / sec, the newest generation of Xeon E3 12XX V3 could do upwards of 500 Mbit / sec on a properly configured pfSense install. For most of us that is far more than our ISP's even provide us with. Personally I have seen speeds as high as 150 Mbit / sec, and can easily get 60-75 Mbit / sec through the VPN when my use demands it, but I am limited by my ISP. If you have ever wondered how people accomplish the speeds they do on the status page, consider that I have been in that #1 spot more than once and frequently appear in the top 10.
     
    Some other considerations on “Why pfSense”? Your entire network can be protected by a strong firewall and routing all traffic through your AirVPN connection, not just one device, without even a hint of slowing down your connection. For the more advanced user, you can even set up an OpenVPN SERVER and remotely connect your mobile phones, tablets, laptops and any other device you wish to your firewall and then route that traffic out through your AirVPN connection as well. This is exactly what I do. I route my mobile devices through the firewall which allows me to scan that traffic for viruses, firewall it and encrypt it with the VPN. At a later date I will also make a tutorial on how to accomplish this.
     
    pfSense also has a “Packages” system for adding more things such as “pfBlocker” which is similar to PeerBlock. Other packages include Snort (Intrusion Detection), Squid (caching proxy; the newest version has anti-virus and can even scan SSL on your network if you permit it) and DansGuardian (content filter). These can enhance your security if used properly.
     
    There are many more reasons on top of this as well. Simply put; I have yet to find a better solution for connecting with AirVPN.
     
    Why I made this guide.
      After searching for many months on how to correctly accomplish this, I was unable to find proper documentation. After months of piecing together the information I did find combined with tedious testing of settings not documented elsewhere, I started to document what I learned as I was also helping others get set up. I also wanted to document this for my own use, although at this point I know this like the back of my hand. After seeing more and more people have questions on using pfSense on AirVPN I decided to share what I learned and continue to learn. It is my hope that in using this guide, I can help others gain confidence in understanding and using pfSense, both in general and with AirVPN.
     
    Furthermore, I believe strongly in the mission statement of the folks at AirVPN, and this is my thank you to them for offering a great service and an avenue for those that truly need privacy and anonymity. I can only hope this guide will some day help someone communicate important information or avert oppression and censorship.
     
    Things to Consider Before Following This Guide
       
     
    THIS TUTORIAL IS INTENDED TO BE USED ON A FRESH INSTALL OF PFSENSE!!!
      Everything in the following tutorial assumes your settings are as they were, default, after a fresh install. You most certainly can add to it, especially firewall rules, when set correctly. Many people will have many uses requiring additional settings. I consider these variables to be outside the scope of this tutorial as this is aimed at beginners. I cannot guarantee functionality if you attempt to integrate this guide into your previous settings. Therefore, these issues and settings will not be addressed in the tutorial, but are welcome in discussion in replies to the guide.
     
    THIS TUTORIAL IS INTENDED FOR THOSE THAT NEED CONNECTIONS TO BOTH CLEAR NET AND VPN
      Most users will need connections for some of their devices through the clear net just as I do for things such as VOIP and gaming. Setting it up this way also has the added benefit that if the VPN fails you do not need to reconfigure anything to test why it failed. Constantly having to reconfigure things is a quick way to forget something and poor planning with security. This is why I STRONGLY recommend the use of 3 or more network interface cards. This creates a sort of “Air Gap” between the clear-net and VPN configured networks, considering you have to physically move a network cable to access the different networks. In fact, I personally do not condone the use of only two interfaces for beginners for this reason. I have however, as a courtesy, added a basic addendum to the guide for those who choose to go this route. There is no clear-net configured interface in the two interface guide, only VPN. If the VPN goes down, internet connectivity will go down. I do not use this method myself, and made that section “in my head”. If it needs amending, users of it will need to notify me. I will update that section, although not as frequently as the main guide.
     
    THIS TUTORIAL IS INTENDED FOR BEGINNERS AND THOSE WHO ARE OTHERWISE NOT CONFIDENT IN WHAT THEY ARE DOING
      “Tim Toady” - There's more than one way to do it. As the old saying goes, there is more than one way to skin a cat. Well, on pfSense there are quite a few different ways to go about setting it up for using it with AirVPN. I want to make this clear up front that this tutorial is not the only way to set this up. I'm not going to cover them all, in fact I'm not going to cover any other method than the one I believe to be the safest, easiest and most noob proof. I have added in a few steps (Dropping all states and preventing the gateway from re-routing if the VPN drops as well as blocking all other DNS other than the one we intend to use – the AirVPN DNS or otherwise) that go beyond just “getting it to work” because they further secure the setup for VPN uses. I consider these basic security precautions part of a basic guide to using a VPN, not a later addendum. I intended this to be educational to those who don't know or are not quite confident in what they are doing. If this does not suit your uses or you have your own security policies you choose to follow, you are free to play with my settings as you see fit or use a different guide. If you have constructive criticism or insight on further security policies I’d love to hear it. This tutorial was never intended for experienced users who just wanted to get OpenVPN going. It was meant to give someone who has no previous experience with a commercial firewall the tools they need to make the jump away from weak and insecure consumer grade equipment. The focus will continue to be with that in mind.
     
    ON THE SUBJECT OF DNS LEAKS
    NOTE: READ AND UNDERSTAND THIS IN ITS ENTIRETY
      DNS leaks are not an "issue" on pfSense or its core underlying operating system, FreeBSD. DNS leaks are primarily an issue on Windows operating system. If pfSense is set correctly, the OPERATING SYSTEM will not leak a DNS request. If we tell an interface to use a specific DNS server, it will. It (pfSense) will not send a request out of an alternate interface or gateway.
     
    That being said, an uninformed user, foreign hardware (mobile devices etc) or program may try to contact an alternate DNS server from behind the firewall. This can be harmless (an uninformed user contacting an external DNS), or this could be a malicious attack (DNS Hijacking or DNS Rebinding Attack). This is not a fault of pfSense, and the following scenario can happen on ANY platform. A virus, worm, or malicious browser code could hijack and reroute the DNS request to a poisoned or malicious server. This could lead to you seeing an incorrect hijacked web page and could be an attempt to expose you by an adversary. I have added this consideration to the firewall rules that protect against this. IT SHOULD BE NOTED HOWEVER THAT EVEN IF A USER OR PROGRAM SOMEHOW USED AN ALTERNATE EXTERNAL DNS, IT IS NOT A "LEAK" IN THE SAME SENSE THAT IS OFTEN DISCUSSED ON THE AIRVPN.ORG FORUMS. That type of leak requires that a DNS request would leave your network on an interface other than the one you intended (In our case this would mean it would leave an interface other than the AirVPN_LAN or AirVPN_WAN). In the event that a program (malicious or not) sent out a request to an EXTERNAL DNS server other than AirDNS, if all of our settings are set correctly it would still go through the VPN we have set up. While this prevents an outside observer from knowing exactly who is sending the DNS requests, it does not stop this alternate DNS from replying with a poisoned site. The only real way a DNS LEAK would happen is through user error with the DNS Forwarder settings. WE CANNOT SHARE THE DNS FORWARDER BETWEEN CLEAR-NET AND VPN CONFIGURED INTERFACES. Even though we will configure DNS for VPN interfaces through DHCP, at this point (and without further intervention) the DNS forwarder is still ACCESSIBLE from any device behind a VPN configured interface. We need to manually block this availability to prevent devices from unknowingly causing leaks.
     
    If you have a wireless network behind a VPN interface, and a mobile device with a manually configured DNS of 192.168.1.1 entered the network, it would cause a DNS leak unless we create a firewall rule to block such connectivity. THIS COULD POTENTIALLY EXPOSE THE VPN USER WITHOUT SUCH A RULE. The way the DNS forwarder works is it sends queries to and then collects (caches) information from all DNS servers entered on the general settings page. If you were to use VPN and Clear-net DNS, it would send requests potentially inside and outside (or just outside) the VPN tunnel. Avoiding this has been covered in the guide, where I explain two steps to isolate VPN DNS requests from those of clear-net requests - how to set the DNS servers for VPN interfaces through DHCP and firewall rules to block all DNS requests to anything that we do not explicitly allow, including the built in DNS forwarder. These blocks are necessary to prevent accidental or malicious DNS leaks and hijacking.
     
    As a bonus, I have added a section at the end of the “Setting Up the DNS Forwarder” section describing how to verify your DNS settings are working within the firewall. I also added instructions at the very end of the tutorial for Windows and Wine users on how to internally and externally test for DNS leaks.
     
    ON THE SUBJECT OF IP LEAKS
      When using a VPN configured interface according to the steps in this guide, if the VPN fails, all states are cleared and the connection is severed. Even if the connection somehow did not drop, the “Block All” firewall rule which is addressed in this guide will block any attempts for a connection that does not go out the AirVPN_WAN gateway. In this, redundancies are in place to block IP leaks.
     
    Why multiple Network Interface Cards?
    Why use both clear-net and AirVPN?
    Why not force all traffic through the VPN?
      These questions can all be summed up into one answer. I have many devices and many users connected in my residence. I needed a method to divide, isolate, protect and route these devices and users. With the use of multiple subnets on multiple NICs I can achieve this while also maintaining very specific firewall rules for each interface. As an example, one setup I have used was as follows:
     
    WAN
    LAN
    XBOX
    VOIP
    AirVPN_WAN
    AirVPN_LAN_1
    AirVPN_LAN_2
    AirVPN_LAN_3
    AirVPN_LAN_4
     
    I needed a setup that allowed Clear-Net access for the Firewall, LAN (to ensure connectivity even if the VPN goes down), XBOX and VOIP interfaces, while requiring the AirVPN_LAN interfaces to route through my AirVPN OpenVPN client. This also required no leaks, either IP or DNS. This guide accomplishes that by explaining how to set up one interface for clear-net and another for VPN access. This can then be extrapolated for additional interfaces of either sort.
     
    I do not suspect the average user will go the same route as I have (having 8+ NICs), but quad port NICs and motherboards that include quad port NICs and on board low power VGA are becoming common and recommended for this use.
     
    What kind of hardware can run pfSense?
      While the quick answer is “pretty much any PC equipment” there are many considerations for this such as cost of hardware, energy efficiency and how it will be used. Will you use packages such as Snort? How much memory is really required? How “fast” is your internet connection? How long do you intend to use this? At the time of this writing, I personally recommend Rangeley or Avoton (Rangeley is intended for network devices, Avoton has turbo boost) based Intel Atom boards or the newest generation of Xeon E3 12X0 V3 processors (ones without graphics on the chip). There are a number of motherboards from SuperMicro and ASRock that have quad port Intel server class NICs built onto the board as well as having built-on VGA. I cannot stress how much and why I recommend these. Having those on board saves a lot of money and hassle as many cheap motherboard NICs are not supported, whereas the Intel server NICs are well supported. Those processors also have built in encryption “instructions” (AES-NI, RDRAND) that OpenVPN/OpenSSL can take advantage of and they are quite energy efficient. Energy efficiency must be considered, as the cost of electricity to run an older piece of hardware could easily pay itself off in 1-2 years of running. There certainly is nothing wrong with using equipment you have laying around, however I do not advocate seeking for purchase or “upgrading” old hardware in any way. I consider it a waste of money when considering performance and electrical/upgrading costs over that of new hardware. Ultimately you must decide what you want, what you need and how much to spend on the build.
     
    (Eventually I will post links to the hardware I suggest with a more in depth explanation of why)
     
    A general disclaimer about this guide
      I wrote this guide under my own free will and provide it for all to use. I am not in any way affiliated with pfSense, AirVPN or any of the hardware manufacturers mentioned in this article. This guide was formed from research, trial and error and extensive testing. I make no guarantee of this article's accuracy further than to say it works for me. Under no circumstance will myself or any of the previously mentioned entities be responsible for your choice to use this guide, successes or failures in using it, or any further support. Like anything in life, you should research accordingly and use your best judgement.
     
    Last but not least, I want to say thank you to user Refresh for his participation and support in the making of this, which without that support this may not have been possible!
     
    Time to get started!
     
  10. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.1 for AirVPN   ...
    *****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
    pfSense 2.3 WAS RELEASED APRIL 12, 2016
    WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
    THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
    I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
    AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
     
    pfSense_fan's Guide
    How To Set Up pfSense 2.1 for AirVPN
    Using Three or more NICs
    Have only two NICs? Follow the guide through step 5, then go to the alternate step 6+7!!
     
    Table of Contents:
    Preface
    Understanding Certificates and OpenVPN Config Files on pfSense
    Understanding OpenVPN Settings on pfSense
    Step 1: Entering our AirVPN CA (Certificate Authority)
    Step 2: Entering our AirVPN Certificate and Key
    Step 3: Setting up the OpenVPN Client
    Step 4: Assigning the OpenVPN Interface
    Step 5: Setting up the AirVPN Gateway
    Step 6: Setting up the DNS Forwarder
    Step 7: Setting up the LAN Interface
    Step 8: Setting up the AirVPN_LAN Interface
    Step 9: Setting Misc Advanced Options (Optional)
    Step 10: Setting Bootloader and System Tunables (Optional)
    Step 11: Setting Advanced OpenVPN Options (Optional)
    Alternate Step 6+7 For Dual (Two) NIC installs
     
  11. Like
    pfSense_fan got a reaction from johnarcher in How To Set Up pfSense 2.1 for AirVPN   ...
    NOTE: THIS IS AN ALTERNATE “STEP 7”
    INTENDED FOR THOSE USING 2 NICs
     
    IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE.
     
    Setting Up pfSense for AirVPN
    Using 2 NICs
     
    Step 7: Setting up the LAN (VPN) Interface
     
    A.) Configuring the Interface
     
    1.) Go to: Interfaces > Assign
    http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php
    Here you will find your assigned interfaces. If you assigned them during original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier.
     
    2.) Select the LAN interface.
     
    Set it as follows: (NOTE: Some of these settings may be set by default, edit as necessary.)
    --General configuration
    Enable = [✔] (CHECKED)
    Description = [✎  LAN ]
    IPv4 Configuration Type = [ Static IPv4 ▼]
    IPv6 Configuration Type = [ None ▼]
    MAC address = [✎_____] (empty)
    MTU = [✎_____] (empty)
    MSS = [✎_____] (empty)
    Speed and duplex = Advanced > [ Autoselect ▼]
    --Static IPv4 configuration
    IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
    Gateway = [ None ▼]
    --Private networks
    Block Private Networks = [_] (UNCHECKED)
    Block Bogon Networks = [_] (UNCHECKED)
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    B.) Setting up the DHCP Server for the LAN Interface
     
    1.) Go to: Services > DHCP server
    http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php
    2.) Ensure the "LAN" tab is selected
     
    3.) Set as follows:
    (NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
    Enable DHCP server on LAN interface = [✔] (CHECKED)
    Range = [✎  192.168.1.100 ] to [✎  192.168.1.199 ]
    DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!)
     
    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
     
    C.) Setting up the Outgoing NAT for the LAN Interface.
     
    NOTE: The only outbound NAT rule/s there should be are the one/s we create. If there are others that were/are automatically created, DELETE THEM!!!
     
    1.) Go to: Firewall > NAT > Outbound
    http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php
    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)
     
    3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.
     
    4.) Set as follows:
    Do not NAT = [_] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ Any ▼]
    Source = Type: [ Network ▼]
                   Address: [ 192.168.1.0 ] / [ 24 ▼]
                   Source port: [_____] (empty/blank)
    Destination: Type = [  Any ▼]
    Translation: Address = [ Interface Address ]
    Description = [ LAN -> AirVPN_WAN ]
     
    5.) Click [ SAVE ]
     
    6.) Click [ Apply Changes ]
     
    D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.
     
    *NOTE: There are FOUR necessary rules for the LAN interface. If there are any other rules, just delete them.
     
    First LAN Firewall Rule:
    "ALLOW_AirVPN_DNS"
     
    The first LAN Firewall rule will allow DNS requests only to AirVPN DNS.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS".
     
    Set as follows:
    Action = [ Pass ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ UDP ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ LAN net ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Single host or Alias ▼]
                         Address: [ 10.4.0.1 ]
    Destination port range = From: [ DNS ▼]
                                          To: [ DNS ▼]
    Log = [_] (UNCHECKED)
    Description = [✎ ALLOW_AirVPN_DNS]
    *****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Second LAN Firewall Rule:
    "BLOCK_DNS_LEAKS_VPN"
     
    The second LAN rule will block all DNS requests that we do not explicitly allow.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".
     
    Set as follows:
    Action = [ Reject ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ UDP ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ Any ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Destination port range = From: [ DNS ▼]
                                          To: [ DNS ▼]
    Log = [✔] (CHECKED)
    Description = [✎ BLOCK_DNS_LEAKS_VPN]
    *** For this rule we will NOT set the advanced setting for gateway
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Third LAN Firewall Rule:
    "Allow LAN Outbound"
     
    The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule"
     
    Set as follows:
    Action = [ Pass ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ Any ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ LAN net ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Log = [_] (UNCHECKED)
    Description = [✎ Allow LAN Outbound]
    *****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Fourth LAN Firewall Rule:
    "BLOCK ALL ELSE LAN"
     
    The fourth and final LAN firewall rule will block any and all traffic we do not allow by use of other firewall rules on this interface.
     
    1.) Go to: Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
     
    Set as follows:
    Action = [ Block ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ Any ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ Any ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Log = [✔] (checked)
    Description = [✎  BLOCK ALL ELSE LAN ]
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    E.) Checking That Our Firewall Rules Are In The Correct Order
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) The order of the rules we just created is important!
    They should appear in this following order when viewed:
    ALLOW_AirVPN_DNS
    BLOCK_DNS_LEAKS_VPN
    Allow LAN Outbound
    BLOCK ALL ELSE LAN
     
    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!
     
    3.) Click [ Save ]
     
    4.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
    5.) Click [Yes] to Reboot
     
    That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!
     
  13. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.1 for AirVPN   ...
    ATTENTION!
    All those who follow this guide, please be advised...
     
    I just wanted to give everyone who follows this guide a heads up that in the next week or two I will be "ending support" for this guide as it now stands.
     
    Over the next few days I will be making some tweaks to the guide that will require everyone's attention if you want to have the tidiest and most functional setup while using the method I described here.
     
    If anyone has any questions or suggestions, now is the time to speak up. Although I will still be "around" here and there and will gladly help, I am moving on to bigger and better things.
     
    This guide works, but it could be better and I know that now. I don't however have the time to create a new one at this junction. I've spent a portion of each and every free day I've had over the last ten months researching and sharing what I've learned about this stuff.  That is way more time than I ever imagined or intended, way too much time... and now life beckons. I no longer have free time to spare so I leave you all with this guide as it is, which should suffice at least until pfSense 2.2 comes out.
     
    I learned so much all along the way while making this guide. I hope you all did too!
  14. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.1 for AirVPN   ...
    How to get a machine on one subnet to communicate with a machine on another?
     
    If that is what you are asking, you need to make a firewall rule on the interface or each interface that is trying to communicate as a client to allow the communication across subnets. Making a networks alias makes this easier if you list all the local subnets you want to be able to communicate. I also use a ports alias and restrict communication on my local network to services I control. This following firewall rule is basic but should get you going if this is what you are trying to do. I use a rule like this to allow access to a network printer and a local DNS server.
     
    For this we will assume you have a printer on your LAN that you want to access from the AirVPN_LAN:
     
    Set as follows:
    Action = [ Pass ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [AirVPN_LAN ▼]
    TCP/IP Version = [iPv4 ▼]
    Protocol = [Any ▼]  -  TCP/UDP is also a consideration if you don't need pings. Best to only allow what you need.
    Source = [_] Not (UNCHECKED)
                  Type: [ AirVPN_LAN net ▼]  -  (192.168.2.1 /24)
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ LAN net ▼]  -  (192.168.1.1 /24, or a local subnets networks alias)
                         Address: [______] (BLANK)
    Destination port range = From: [Any▼], To: [Any▼]  -  (Or choose [ (other)▼]  and enter a ports alias of ports you intend to use)
    Log = [_]  -  Your choice if you wish to log
    Description = [✎ Allow_Local_Services ] 
     
    (NOTE: DO NOT, repeat DO NOT select a gateway in the advanced options. We don't want to route it out one since it is local traffic.)
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    This rule MUST be placed directly above your allow all rule. Move the rule into place accordingly, save and apply changes. You will need to reboot after to make sure everything loads.
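    The two rule sets described in this thread (the four LAN rules of the 2-NIC Step 7 in the order section E requires, and the Allow_Local_Services rule above placed directly above the allow-all rule with no gateway) both depend on pfSense evaluating interface rules top-down with the first match winning. The Python below is an added example written for this page, not pfSense code and not something from the guide: it models that first-match evaluation with an optional per-rule gateway, uses the addresses the guide uses (192.168.1.0/24, 192.168.2.0/24, 10.4.0.1), and feeds constructed sample packets through both rule sets, including the mis-ordered variants, to show which traffic is passed, which is policy-routed into AirVPN_WAN and which DNS query is rejected as a leak. State tracking, floating rules and reply traffic are deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Addresses as the guide uses them; everything else here is a constructed model.
LAN_NET = ip_network("192.168.1.0/24")         # LAN (VPN side in the 2-NIC setup)
AIRVPN_LAN_NET = ip_network("192.168.2.0/24")  # AirVPN_LAN in the 3-NIC setup
AIRDNS = ip_network("10.4.0.1/32")             # AirVPN DNS handed out via DHCP
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "udp", "tcp" or "icmp"
    dport: Optional[int]    # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "pass", "reject" or "block"
    proto: Optional[str] = None          # None = any protocol
    src: Optional[IPv4Network] = None    # None = any source
    dst: Optional[IPv4Network] = None    # None = any destination
    dport: Optional[int] = None          # None = any destination port
    gateway: Optional[str] = None        # Advanced > Gateway (policy routing)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    action: str
    gateway: Optional[str]   # None = normal routing table (local / clear-net)
    rule: str


def evaluate(rules: List[Rule], p: Packet) -> Verdict:
    """First matching interface rule wins; no match falls to pfSense's default deny."""
    for r in rules:
        if r.matches(p):
            return Verdict(r.action, r.gateway if r.action == "pass" else None, r.name)
    return Verdict("block", None, "implicit default deny")


def lan_rules(correct_order: bool = True) -> List[Rule]:
    """The four LAN rules of the 2-NIC Step 7, in the order section E requires.
    correct_order=False swaps the first two to show why the order matters."""
    allow_dns = Rule("ALLOW_AirVPN_DNS", "pass", "udp", LAN_NET, AIRDNS, DNS_PORT, "AirVPN_WAN")
    block_dns = Rule("BLOCK_DNS_LEAKS_VPN", "reject", "udp", None, None, DNS_PORT)
    allow_out = Rule("Allow LAN Outbound", "pass", None, LAN_NET, None, None, "AirVPN_WAN")
    block_all = Rule("BLOCK ALL ELSE LAN", "block")
    head = [allow_dns, block_dns] if correct_order else [block_dns, allow_dns]
    return head + [allow_out, block_all]


def airvpn_lan_rules(local_services_first: bool = True) -> List[Rule]:
    """Same pattern on AirVPN_LAN plus Allow_Local_Services (printer on the LAN).
    It carries no gateway and must sit directly above the allow-all rule."""
    local = Rule("Allow_Local_Services", "pass", None, AIRVPN_LAN_NET, LAN_NET)
    allow_out = Rule("Allow AirVPN_LAN Outbound", "pass", None, AIRVPN_LAN_NET, None, None, "AirVPN_WAN")
    rules = [
        Rule("ALLOW_AirVPN_DNS", "pass", "udp", AIRVPN_LAN_NET, AIRDNS, DNS_PORT, "AirVPN_WAN"),
        Rule("BLOCK_DNS_LEAKS_VPN", "reject", "udp", None, None, DNS_PORT),
    ]
    rules += [local, allow_out] if local_services_first else [allow_out, local]
    return rules + [Rule("BLOCK ALL ELSE AirVPN_LAN", "block")]


# Constructed sample traffic from hosts behind the VPN-side interfaces.
SAMPLES = {
    "dns_to_airdns": Packet("192.168.1.120", "10.4.0.1", "udp", 53),
    "dns_to_public": Packet("192.168.1.120", "8.8.8.8", "udp", 53),      # hand-set DNS on a device
    "dns_to_forwarder": Packet("192.168.1.120", "192.168.1.1", "udp", 53),  # the leak case in the preface
    "https_out": Packet("192.168.1.120", "203.0.113.10", "tcp", 443),
    "printer": Packet("192.168.2.50", "192.168.1.20", "tcp", 9100),
}


def main() -> None:
    for name, pkt in SAMPLES.items():
        rules = airvpn_lan_rules() if name == "printer" else lan_rules()
        v = evaluate(rules, pkt)
        print(f"{name:18} -> {v.action:6} via {v.gateway or 'routing table'} ({v.rule})")
    bad = evaluate(lan_rules(correct_order=False), SAMPLES["dns_to_airdns"])
    print(f"swapped order      -> {bad.action} ({bad.rule})  <- AirDNS itself is rejected")


if __name__ == "__main__":
    main()
```

    Running it shows the two failure modes the thread warns about: with BLOCK_DNS_LEAKS_VPN above ALLOW_AirVPN_DNS, even queries to 10.4.0.1 are rejected and LAN clients lose name resolution; with Allow_Local_Services below the allow-all rule, printer traffic to the LAN matches the allow-all first and is policy-routed into AirVPN_WAN instead of being delivered locally. The forwarder case (192.168.1.1:53) is rejected by the second rule, which is the block the preface says is needed so a device with a hand-configured DNS cannot reach the shared forwarder.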
  16. Like
    pfSense_fan reacted to stupidcats in Does AirVPN log when it comes to the forums?   ...
    I'm not sure if this is the correct place for this thread but:
     
    I know that AirVPN doesn't log when it comes to the VPN. However, does it log when it comes to the forums?
     
    Do you know what IP I used yesterday (or any other day) to connect to the forums?
  17. Like
    pfSense_fan got a reaction from refresh in How To Set Up pfSense 2.1 for AirVPN   ...
    ATTENTION!
    All those who follow this guide, please be advised...
     
    I just wanted to give everyone who follows this guide a heads up that in the next week or two i will be "ending support" for this guide as it now stands.
     
    Over the next few days I will be making some tweaks to the guide that will require everyone's attention if you want to have the tidiest and most functional setup while using the method I described here.
     
    If anyone has any questions or suggestions, now is the time to speak up. Although I will still be "around" here and there and will gladly help, I am moving on to bigger and better things.
     
    This guide works, but it could be better and I know that now. I don't however have the time to create a new one at this junction. I've spent a portion of each and every free day I've had over the last ten months researching and sharing what I've learned about this stuff.  That is way more time than I ever imagined or intended, way too much time... and now life beckons. I no longer have free time to spare so I leave you all with this guide as it is, which should suffice at least until pfSense 2.2 comes out.
     
    I learned so much all along the way while making this guide. I hope you all did too!
  18. Like
    pfSense_fan reacted to dssguy11 in How To Set Up pfSense 2.1 for AirVPN   ...
    all the best to you buddy, couldn't have done it without you.. can't wait to see and try the new way!!
  20. Like
    pfSense_fan got a reaction from Wolf666 in How To Set Up pfSense 2.1 for AirVPN   ...
    *****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
    pfSense 2.3 WAS RELEASED APRIL 12, 2016
    WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
    THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
    I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
    AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
     
    pfSense_fan's Guide
    How To Set Up pfSense 2.1 for AirVPN
    Using Three or more NIC's
    Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
     
    Table of Contents:
    Preface
    Understanding Certificates and OpenVPN Config Files on pfSense
    Understanding OpenVPN Settings on pfSense
    Step 1: Entering our AirVPN CA (Certificate Authority)
    Step 2: Entering our AirVPN Certificate and Key
    Step 3: Setting up the OpenVPN Client
    Step 4: Assigning the OpenVPN Interface
    Step 5: Setting up the AirVPN Gateway
    Step 6: Setting up the DNS Forwarder
    Step 7: Setting up the LAN Interface
    Step 8: Setting up the AirVPN_LAN Interface
    Step 9: Setting Misc Advanced Options (Optional)
    Step 10: Setting Bootloader and System Tunables (Optional)
    Step 11: Setting Advanced OpenVPN Options (Optional)
    Alternate Step 6+7 For Dual (Two) NIC installs
     
  21. Like
    pfSense_fan got a reaction from Wolf666 in Problems Reaching Full Speed   ...
    "Only router based on fast x86 cpu can do it."  <--- Pretty much this.
     
    Being that you tried multiple ISP's, it's not likely the issue is your being throttled. It is far more likely an issue with the hardware. You don't necessarily need the fastest processor, but you will want one with hardware encryption acceleration, namely AES-NI. Let us know what hardware you are using to see if we can further help.
     
    Many serious users have moved into a platform such as pfSense. If you can afford to build a box, there are no compromises with it if done right. Some users I have helped can max their 150Mb connections out minus the 10% OpenVPN overhead. I am on a 60/12 connection myself.
     
  22. Like
    pfSense_fan got a reaction from johnarcher in How To Set Up pfSense 2.1 for AirVPN   ...
    NOTE: THIS IS AN ALTERNATE “STEP 7”
    INTENDED FOR THOSE USING 2 NIC's
     
    IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE.
     
    Setting Up pfSense for AirVPN
    Using 2 NIC's
     
    Step 7: Setting up the LAN (VPN) Interface
     
    A.) Configuring the Interface
     
    1.) Go to: Interfaces > Assign
    http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php
    Here you will find your assigned interfaces. If you assigned them during the original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier.
     
    2.) Select the LAN interface.
     
    Set it as follows: (NOTE: Some of these settings may be set by default, edit as necessary.)
    --General configuration
    Enable = [✔] (CHECKED)
    Description = [✎  LAN ]
    IPv4 Configuration Type = [ Static IPv4 ▼]
    IPv6 Configuration Type = [ None ▼]
    MAC address = [✎_____] (empty)
    MTU = [✎_____] (empty)
    MSS = [✎_____] (empty)
    Speed and duplex = Advanced > [ Autoselect ▼]
    --Static IPv4 configuration
    IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
    Gateway = [ None ▼]
    --Private networks
    Block Private Networks = [_] (UNCHECKED)
    Block Bogon Networks = [_] (UNCHECKED)
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    B.) Setting up the DHCP Server for the LAN Interface
     
    1.) Go to: Services > DHCP server
    http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php
    2.) Ensure the "LAN" tab is selected
     
    3.) Set as follows:
    (NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
    Enable DHCP server on LAN interface = [✔] (CHECKED)
    Range = [✎  192.168.1.100 ] to [✎  192.168.1.199 ]
    DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!)
     
    4.) Click [ Save ]
     
    5.) Click [ Apply Changes ]
     
    C.) Setting up the Outgoing NAT for the LAN Interface
     
    NOTE: The only outbound NAT rule/s there should be are the one/s we create. If there are others that were/are automatically created, DELETE THEM!!!
     
    1.) Go to: Firewall > NAT > Outbound
    http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php
    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)
     
    3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.
     
    4.) Set as follows:
    Do not NAT = [_] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ Any ▼]
    Source = Type: [ Network ▼]
                   Address: [ 192.168.1.0 ] / [ 24 ▼]
                   Source port: [_____] (empty/blank)
    Destination: Type = [  Any ▼]
    Translation: Address = [ Interface Address ]
    Description = [ LAN -> AirVPN_WAN ]
     
    5.) Click [ Save ]
     
    6.) Click [ Apply Changes ]
     
    D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.
     
    *NOTE: There are FOUR necessary rules for the LAN interface. If there are any other rules, just delete them.
     
    First LAN Firewall Rule: "ALLOW_AirVPN_DNS"
     
    The first LAN Firewall rule will allow DNS requests only to AirVPN DNS.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"
     
    Set as follows:
    Action = [ Pass ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ UDP ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ LAN net ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Single host or Alias ▼]
                         Address: [ 10.4.0.1 ]
    Destination port range = From: [ DNS ▼]
                                          To: [ DNS ▼]
    Log = [_] (UNCHECKED)
    Description = [✎ ALLOW_AirVPN_DNS]
    *****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Second LAN Firewall Rule: "BLOCK_DNS_LEAKS_VPN"
     
    The second LAN rule will block all DNS requests that we do not explicitly allow.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".
     
    Set as follows:
    Action = [ Reject ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [ UDP ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ Any ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Destination port range = From: [ DNS ▼]
                                          To: [ DNS ▼]
    Log = [✔] (CHECKED)
    Description = [✎ BLOCK_DNS_LEAKS_VPN]
    *** For this rule we will NOT set the advanced setting for gateway
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Third LAN Firewall Rule: "Allow LAN Outbound"
     
    The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway.
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN Outbound"
     
    Set as follows:
    Action = [ Pass ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [Any ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ LAN net ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Log = [_] (UNCHECKED)
    Description = [✎ Allow LAN Outbound]
    *****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    Fourth LAN Firewall Rule: "BLOCK ALL ELSE LAN"
     
    The fourth and final LAN firewall rule will block any and all traffic we do not allow by use of other firewall rules on this interface.
     
    1.) Go to: Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
     
    Set as follows:
    Action = [ Block ▼]
    Disabled = [_] Disable this rule (UNCHECKED)
    Interface = [ LAN ▼]
    TCP/IP Version = [ IPv4 ▼]
    Protocol = [Any ▼]
    Source = [_] Not (UNCHECKED)
                  Type: [ Any ▼]
                  Address: [______] (BLANK)
    Destination = [_] Not (UNCHECKED)
                         Type: [ Any ▼]
                         Address: [______] (BLANK)
    Log = [✔] (checked)
    Description = [✎  BLOCK ALL ELSE LAN ]
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default
     
    3.) Click [ Save ]
     
    4.) Click [ Apply Changes ]
     
    E.) Checking That Our Firewall Rules Are In The Correct Order
     
    1.) Go to Firewall > Rules
    http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.php and select your "LAN" interface.
     
    2.) The order of the rules we just created is important!
    They should appear in this following order when viewed:
    ALLOW_AirVPN_DNS
    BLOCK_DNS_LEAKS_VPN
    Allow LAN Outbound
    BLOCK ALL ELSE LAN
     
    ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECESSARY!
     
    3.) Click [ Save ]
     
    4.) Go to: Diagnostics > Reboot System
    http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php
    5.) Click [Yes] to Reboot
     
    That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!
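    The rule-order requirement in Step 7 E above, and the "local rule above the allow-all, with no gateway" point from the printer-access post earlier on this page, as an added example that is not part of the guide or of pfSense: a small Python model of pf's first-match evaluation with per-rule policy routing. The subnets (192.168.1.0/24 LAN, 192.168.2.0/24 AirVPN_LAN, 10.4.0.1 AirDNS) and the names of the four LAN rules are taken from the posts; the AirVPN_LAN rule names, the sample packets and the addresses 192.168.1.20, 192.168.2.50, 8.8.8.8 and 93.184.216.34 are constructed for the example. It shows that with the guide's order a DNS query to anything but 10.4.0.1 is rejected, that swapping the second and third rules lets that query through, and that a gateway'd allow-all placed above the local-services rule sends printer traffic into the tunnel instead of to the printer.

```python
# Added example: model of pfSense first-match rule evaluation with policy routing.
# Not pfSense code. Subnets/rule names from the guide; packets and hosts constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("192.168.1.0/24")          # LAN net (Step 7 A)
AIRVPN_LAN_NET = ip_network("192.168.2.0/24")   # AirVPN_LAN net (printer post)
AIRVPN_DNS = ip_network("10.4.0.1/32")          # AirDNS (Step 7 B)
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "pass", "block" or "reject"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port
    gateway: Optional[str] = None   # Advanced > Gateway on a pass rule

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules, p: Packet) -> Tuple[str, Optional[str], str]:
    """First matching rule decides (pf 'quick' semantics, as pfSense applies to GUI rules).
    Nothing matching hits the implicit default deny. Returns (action, gateway, rule_name);
    the gateway is only meaningful on a pass, where it policy-routes the packet."""
    for r in rules:
        if r.matches(p):
            return r.action, (r.gateway if r.action == "pass" else None), r.name
    return "block", None, "default deny"


# The four LAN rules from Step 7 D, in the order Step 7 E requires.
LAN_RULES = [
    Rule("ALLOW_AirVPN_DNS", "pass", LAN_NET, AIRVPN_DNS, "udp", DNS_PORT, gateway="AirVPN_WAN"),
    Rule("BLOCK_DNS_LEAKS_VPN", "reject", ANY, ANY, "udp", DNS_PORT),
    Rule("Allow LAN Outbound", "pass", LAN_NET, ANY, gateway="AirVPN_WAN"),
    Rule("BLOCK ALL ELSE LAN", "block"),
]
# Same rules with the DNS block moved below the allow-all: the mistake Step 7 E warns about.
LAN_RULES_MISORDERED = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1], LAN_RULES[3]]

# Constructed sample traffic from a LAN client (not real captures).
SAMPLES = {
    "dns_to_airvpn": Packet("192.168.1.100", "10.4.0.1", "udp", DNS_PORT),
    "dns_to_other": Packet("192.168.1.100", "8.8.8.8", "udp", DNS_PORT),
    "https_out": Packet("192.168.1.100", "93.184.216.34", "tcp", 443),
    "wrong_source": Packet("10.0.0.5", "93.184.216.34", "tcp", 443),
}


def leak_check(rules):
    """Map each sample to (action, gateway) under the given rule order."""
    return {name: evaluate(rules, p)[:2] for name, p in SAMPLES.items()}


# Cross-subnet case from the printer post: the pass rule for local destinations has NO
# gateway and must sit above the gateway'd allow-all, or local traffic is policy-routed
# into the tunnel. Rule names here are assumed, not taken from the guide.
AIRVPN_LAN_RULES = [
    Rule("Allow_Local_Services", "pass", AIRVPN_LAN_NET, LAN_NET),   # no gateway: stays local
    Rule("Allow AirVPN_LAN Outbound", "pass", AIRVPN_LAN_NET, ANY, gateway="AirVPN_WAN"),
]
AIRVPN_LAN_RULES_MISORDERED = list(reversed(AIRVPN_LAN_RULES))


def printer_path(rules):
    """(action, gateway) for a raw-print job from AirVPN_LAN to a LAN printer (constructed)."""
    return evaluate(rules, Packet("192.168.2.50", "192.168.1.20", "tcp", 9100))[:2]


if __name__ == "__main__":
    for label, rules in (("correct order", LAN_RULES), ("misordered", LAN_RULES_MISORDERED)):
        print(label, leak_check(rules))
    print("printer, correct order:", printer_path(AIRVPN_LAN_RULES))
    print("printer, misordered:  ", printer_path(AIRVPN_LAN_RULES_MISORDERED))
```

    The model deliberately ignores states, NAT and the reply direction; it only answers the question the guide's ordering instructions are about: which rule is the first to match, and whether that rule carries a gateway. The "wrong_source" sample also shows why the final BLOCK ALL ELSE LAN rule has Source = Any rather than LAN net: a packet arriving on LAN with a non-LAN source address is caught and logged instead of falling through to the default deny silently.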
  23. Like
    pfSense_fan reacted to iwih2gk in How to improve average speed   ...
    Crappy consumer level routers can account for a huge difference if you are using wireless.  Those $100.00 -$200.00 routers really struggle with a heavy encryption load on their "cheap internals".  If you are using wireless try an experiment and go to the router.  From there connect using a good quality ethernet cable.  Even on consumer level routers there is usually one gigabit port to connect to.  Try that.  I went from 6-9 meg to over 40 meg just by eliminating wireless overhead and NOTHING else was changed.  If you experience this then you know what it is and you can decide how to proceed.  Some will use ethernet, some will decide to endure the slower speeds for the portability/convenience of a laptop, and others will trade up to a quality pfsense high end router and have both.  At least you'll know if its the cheaper hardware.
     
    Certainly worth a look just to know.
  24. Like
    pfSense_fan got a reaction from anonym in Feature Request: XMPP Server   ...
    I would formally like to request the addition of an XMPP server as a feature.
     
    Unfortunately, forums in general are not conducive for many of the types and manner of communication that Air and VPN users in general require. Privacy is a concern for many matters and Pidgin + OTR for instance offers a much higher level of security and shrinks the partition of trust during such communication.
     
    Another area the forums fall short is offering an efficient manner for real time conversations, chats and even support from other forum members. For instance, there quite often is a need for personalized support for members who have followed my pfSense setup guide due to the fact that there are so many variables to consider for hardware choices and network environments. This type of support can take days or weeks with back and forth forum conversation.. or can take minutes to hours in real time chat. Posts with such personalized instruction could also potentially confuse the uninitiated, as settings for one setup could be detrimental to another. As such, I feel personal support is a much better option in such instances.
     
    A group of air users and myself currently converse on XMPP using Pidgin + OTR. It has been a great convenience for all of us. However, and this is a big however, some of us have concerns over using an "unknown" XMPP Server. I personally scoured for a few days before choosing one (I will not advertise which server was chosen) based on the required use of SSL on all communications. Most servers required registration over clear http. Even though we found one that was a bit more secure, the service I don't think is meant for or ready for a large influx of users and there are frequent drops of the service. We all agree we need to find another server, but who do you trust?
     
    Which brings me to my request. I believe it would be greatly beneficial to all if there was an Air supported XMPP server with end to end encryption and no logs of any sort.
     
    I believe the ability to create chats will also open up access for individuals to learn more about methods of security, privacy, recommended software and even hardware discussions. Overall I feel it can help build the community, and the more that participate, the more knowledge and experience that gets shared and the community can grow. I personally would love to see that happen, and I think many more would participate if a more private arena existed. This information would trickle its way to the forums I suspect as well, only helping more and more.
     
    This would be one more feature to add to the reasons why AirVPN is the best around.
     
    Staff, can we make this happen?