pfSense_fan

I would formally like to request the addition of an XMPP server as a feature.
 
Unfortunately, forums in general are not conducive for many of the types and manner of communication that Air and VPN users in general require. Privacy is a concern for many matters and Pidgin + OTR for instance offers a much higher level of security and shrinks the partition of trust during such communication.
 
Another area the forums fall short is offering an efficient manner for real time conversations, chats and even support from other forum members. For instance, there quite often is a need for personalized support for members who have followed my pfSense setup guide due to the fact that there are so many variables to consider for hardware choices and network environments. This type of support can take days or weeks with back and forth forum conversation.. or can take minutes to hours in real time chat. Posts with such personalized instruction could also potentially confuse the uninitiated, as settings for one setup could be detrimental to another. As such, I feel personal support is a much better option in such instances.
 
A group of air users and myself currently converse on XMPP using Pidgin + OTR. It has been a great convenience for all of us. However, and this is a big however, some of us have concerns over using an "unknown" XMPP Server. I personally scoured for a few days before choosing one (I will not advertise which server was chosen) based on the required use of SSL on all communications. Most servers required registration over clear http. Even though we found one that was a bit more secure, the service I don't think is meant for or ready for a large influx of users and there are frequent drops of the service. We all agree we need to find another server, but who do you trust?
 
Which brings me to my request. I believe it would be greatly beneficial to all if there was an Air supported XMPP server with end to end encryption and no logs of any sort.
 
I believe the ability to create chats will also open up access for individuals to learn more about methods of security, privacy, recommended software and even hardware discussions. Overall I feel it can help build the community, and the more that participate, the more knowledge and experience that gets shared and the community can grow. I personally would love to see that happen, and I think many more would participate if a more private arena existed. This information would trickle its way to the forums I suspect as well, only helping more and more.
 
This would be one more feature to add to the reasons why AirVPN is the best around.
 
Staff, can we make this happen?

05/06/2014, Funded with 1000€ (1355 USD). https://airvpn.org/mission/

tested it and the port forwarding is working fine, just remember when you test Air port forwarding here:
 
https://airvpn.org/ports/
 
And click the tcp test check button one has to have the actual p2p program running for it to work, the tcp button should go green if its forwarding the ports.
 
you can also if using ipleak website you can click activate and add the magnet link and it will display your IP and also port number.

Fixed the problem with pfsense_fan doing all the hard work. My MBUF usage was maxed out at 100%. I have the rangely board with 4 nics and apparently the MBUF needs tweaked if running that many integrated nics.  It was keeping me of having a steady connection with the pfsense GUI and keeping my internet connection from working properly. Well seems like the MBUF tweak worked. Now to configure everything else. Thanks pfsense_fan your the man.

NOTE: THIS IS AN ALTERNATE “STEP 7”



INTENDED FOR THOSE USING 2 NIC's


 

IN ADDITION TO THIS, THOSE USERS MUST ALSO MODIFY THE DNS FORWARDER SETTINGS AND ENSURE THAT ONLY LOCALHOST IS SELECTED. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL (CLEAR-NET) AND THE LAN (VPN). THE DNS FOR THE LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING GUIDE.


 
 






 
 



 
Setting Up pfSense for AirVPN



Using 2 NIC's


 

Step 7: Setting up the LAN (VPN) Interface


 
 




 
A:) Configuring the Interface


 
1.) Go to: Interfaces > Assign

http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php 
Here you will find your assigned interfaces. If you assigned them during original install you will have a WAN and LAN. You should also see the AirVPN_WAN interface we created earlier.
 
2.) Select the LAN interface.
 
Set it as follows: (NOTE: Some of these settings may be  set by default, edit as neccesarry.)
--General configuration
Enable = [✔] (CHECKED)
Description = [✎  LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)
 
3.) Click [save]
 
4.) Click [ Apply Changes ]
 



 
 
B.) Seting up the DHCP Server for the LAN Interface


 
1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 
2.) Ensure the "LAN" tab is selected
 
3.) Set as follows:
(NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
Enable DHCP server on LAN interface = [✔] (CHECKED)
Range = [✎  192.168.1.100 ] to [✎  192.168.1.199 ]
DNS Servers = [✎ 10.4.0.1 ] and [✎________] (IMPORTANT FOR AirDNS!!!)
 
4.) Click [sAVE]
 
5.) Click [ Apply Changes ]
 



 
 
C.) Setting up the Outgoing NAT for the LAN Interface.


 

C.) NOTE: The only outbound NAT rule/s there should be are  the one/s we create. If there are others that were/are automatically created, DELETE THEM!!!


 
1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)
 
3.) If there is already a rule for your LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.
 
4.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ Any ▼]
Source = Type: [ Network ▼]
               Address: [ 192.168.1.0 ] / [ 24 ▼]
               Source port: [_____] (empty/blank)
Destination: Type = [  Any ▼]
Translation: Address = [ Interface Address ]
Description = [ LAN -> AirVPN_WAN ]
 
5.) Click [ SAVE ]
 
6.) Click [ Apply Changes ]
 



 
 
D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.


 
*NOTE: There are FOUR necessary rules for the LAN interface.  If there are any other rules, just delete them.
 



 
 
First LAN Firewall Rule:



”ALLOW_AirVPN_DNS”


 
The first LAN Firewall rule will allow DNS requests only to AirVPN DNS.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and[/u][/b] create a rule we will title "ALLOW_AirVPN_DNS"
 
Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [ LAN ▼]
TCP/IP Version = [ IPv4 ▼]
Protocol = [ UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Single host or Alias ▼]
                     Address: [ 10.4.0.1 ]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [_] (UNCHECKED)
Description = [✎ ALLOW_AirVPN_DNS]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Second LAN Firewall Rule:



"BLOCK_DNS_LEAKS_VPN"


 
The second LAN rule will block all DNS requests that we do not explicitly allow.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".
 
Set as follows:
Action = [ Reject ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [uDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_VPN]
*** For this rule we will NOT set the advanced setting for gateway
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Third LAN Firewall Rule:



"Allow LAN Outbound"


 
The third LAN rule we will create will force traffic from the LAN interface to only exit via the AirVPN_WAN Gateway.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule"
 
Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN net ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [_] (UNCHECKED)
Description = [✎ Allow LAN Outbound]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
Fourth LAN Firewall Rule:



"BLOCK ALL ELSE LAN"


 
The Fourth and final LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface.
 
1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
 
Set as follows:
Action = [block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [✔] (checked)
Description = [✎  BLOCK ALL ELSE LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 



 
 
E.) Checking That Our Firewall Rules Are In The Correct Order


 
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.)The order of the rules we just created is important!
They should appear in this following order when viewed:
ALLOW_AirVPN_DNS
BLOCK_DNS_LEAKS_VPN
Allow LAN Outbound
BLOCK ALL ELSE LAN
 
ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!
 
3.) Click [save]
 
4.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 
5.) Click [Yes] to Reboot
 



 
 
 
 





 
That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the LAN port and you are off and running! I hope this guide helps you!


 
 

Setting Misc Advanced Options
  




 
 
Here is a list of other options to consider setting. Some of these are related to OpenVPN while others are just to get the operating system further set up properly for your particular hardware. For the brave there are some tweaks to the network drivers and other boot loader and “system tunables”. All of these are optional, many are highly recommended and some borderline on necessary.
 
 


 
 

General System Tweaks
  
Go to: System > Advanced >Miscellaneous

http://192.168.1.1/system_advanced_misc.php -or- https://192.168.1.1/system_advanced_misc.php 1.) Find the section titled “Power savings”
**NOTE 1: There are some known issues with this setting on AMD motherboards that support “Cool N' Quiet in the Bios. Do not enable PowerD if your AMD Motherboard uses this option, instead just let the motherboard handle this.
 
This options works very well with Intel speedstep though.
 
**NOTE 2: This setting does not affect the VPN setup, but while we are at this page, it is useful to set. It can save on your electrical bill.
 
Set as follows:
PowerD = [√] (checked)
On AC Power Mode: = [Adaptive ▼] (Or Hiadaptive, depending on your preference)
On Battery Power Mode: = [Minimum ▼]
 


 
 
2.) Find the section titled “Cryptographic Hardware Acceleration”
***NOTE : Ths option enables the AES Instruction Set on compatible CPUs. Your CPU may not support this option. If it does, you should set it appropriately. This option will increase the performance of your appliance if supported. Check here for supporting CPU's. If your CPU supports AES instructions, set this option to “AES-NI”. It should be noted that it is highly unlikely you have AMD Geode acceleration unless you purchased embedded equipment.
 
Set as follows:
Cryptographic Hardware = [AES-NI CPU-based Acceleration (aesni) ▼] (If supported!!!)
 
 


 
 
3.) Find the section titled “Thermal Sensors”
***NOTE: This setting does not affect the setup, but while we are at this page, it is useful to set. Your CPU may not support this feature. If it does, it will allow you to monitor the CPU temp from the Dashboard by adding the “Thermal Sensors” widget there. Most somewhat recent Intel and AMD processors should have this.
 
Set as follows:
Thermal Sensors = *Set according to your CPU’s capability, None, Intel or AMD*
 
4.) Click [sAVE]
 




 

 




 
 
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 8: Setting up the AirVPN_LAN Interface
  


 
 
A:) Configuring the Interface
 1.) Go to: Interfaces > Assign
http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php Here you will find your assigned interfaces. If you assigned them during original install you will see however many interfaces you have and should likely have a WAN, LAN, opt1 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.
 
2.) Select one from the optional Interfaces (likely Opt1).
 
Set it as follows:
--General configuration
Enable = [✔] (CHECKED)
Description = [✎ AirVPN_LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.123.1 ] / [ 24 ▼]
Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)
 
3.) Click [save]
 
4.) Click [ Apply Changes ]
 


 
 
 
B.) Seting up the DHCP Server for the AirVPN_LAN Interface
 1.) Go to: Services > DHCP server
http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 2.) Ensure the "AirVPN_LAN" tab is selected
 
3.) Set as follows:
(NOTE: Only options we will change are listed for this section, leave the rest as they were by default)
Enable DHCP server on AirVPN_LAN interface = [✔] (CHECKED)
Range = [✎ 192.168.123.100 ] to [✎ 192.168.123.199 ]
DNS Servers = [✎ 10.4.0.1 ] and [✎________]
 
4.) Click [sAVE]
 
5.) Click [ Apply Changes ]
 


 
 
 
C.) Setting up the Outgoing NAT for the AirVPN_LAN Interface.
 1.) Go to: Firewall > NAT > Outbound
http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (If it is not selected, select it, click save and apply changes.)
 
3.) If there is already a rule for your AirVPN_LAN interface, select the [e] button to the right of it to edit it. If there is not a rule for your AirVPN_LAN interface, you will need to create one by selecting the [+] at the top right and creating a new one.
 
4.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ Any ▼]
Source = Type: [ Network ▼]
               Address: [ 192.168.123.0 ] / [ 24 ▼]
               Source port: [_____] (empty/blank)
Destination: Type = [ Any ▼]
Translation: Address = [ Interface Address ]
Description = [ AirVPN_LAN -> AirVPN_WAN ]
 
5.) Click [ SAVE ]
 
6.) Click [ Apply Changes ]
 




 

 




 
 
 


 
 
 
D.) Setting Basic Firewall Rules for the AirVPN_LAN Interface to enforce the policy based routing and block DNS Hijacking
 *NOTE: There are THREE necessary rules for the AirVPN_LAN interface. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them.
 

 
 
First AirVPN_LAN Firewall Rule:
"BLOCK_DNS_LEAKS_VPN"
 The first AirVPN_LAN rule will block all DNS requests that we do not explicitly allow. Pay close attention to this one.
 
1.) Go to Firewall > Rules
http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_VPN".
 
Set as follows:
Action = [ Block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [AirVPN_LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [TCP/UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [✔] Not (CHECKED!!!!!!!!)
                     Type: [ Single host or alias ▼]
                     Address: [10.4.0.1]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_VPN]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 

 
 
 
Second AirVPN_LAN Firewall Rule:
"Allow AirVPN_LAN Outbound"
 The second AirVPN_LAN rule we will create will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN Gateway.
 
1.) Go to Firewall > Rules
http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 
2.)Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"
 
Set as follows:
Action = [ Pass ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [AirVPN_LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ AirVPN_LAN Subnet ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [_] (UNCHECKED)
Description = [✎ Allow AirVPN_LAN Outbound]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 

 
 
 
Third AirVPN_LAN Firewall Rule:
"BLOCK ALL ELSE AirVPN_LAN"
 The third and final AirVPN_LAN firewall rule will block any and all traffic we do not alllow by use of other firewall rules on this interface.
 
1.) Go to: Firewall > Rules
http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "AirVPN_LAN" interface. 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"
 
Set as follows:
Action = [block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [AirVPN_LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log = [✔] (checked)
Description = [✎ BLOCK ALL ELSE AirVPN_LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 


 
 
 
E.) Checking That Our Firewall Rules Are In The Correct Order
  
1.) Go to Firewall > Rules
http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "AirVPN_LAN" interface. 
2.)The order of the rules we just created is important!
They should appear in this following order when viewed:
BLOCK_DNS_LEAKS_VPN
Allow AirVPN_LAN Outbound
BLOCK ALL ELSE AirVPN_LAN
 
ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!
 




 

 




 
 
 
3.) Click [save]
 
4.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 5.) Click [Yes] to Reboot
 




 
 
 
Verifying Our BLOCK_DNS Rule is Functioning
(Optional - For Windows and WINE Users)
 For this step we will need to download a program called “DNSBench”. This step is meant as a proof of concept to show that without the BLOCK_DNS firewall rules, a malicious program could indeed hijack your DNS requests. This program is a safe program, and one that I otherwise find very useful in finding low latency DNS servers. We will not however be using it as it is intended, but it is the best program I have found to simulate a program sending out DNS requests not received from the DHCP settings.
 
Go to:
https://www.grc.com/dns/benchmark.htm (click on the picture of the program to download it.)
 


 
 
 
1.) When you open it it will say:
• • •
 Verifying Internet Access
 • • •
  


 
 
2.) Then, if up to this point it is working it will then say:
 
Internet DNS Access Trouble
  


 
 
3.) Find and click the button toward the top that says [ Ignore Test Failure ]
 
 


 
 
4.) Then it will show:
 
DNS Benchmark
Domain Name System Benchmark Utility
  


 
 
5.) Find and click the "Nameservers" tab toward the top. If the DNS Blocking rules are enabled, entered correctly and functioning you should see this:
 


 



 
 
Only the 10.4.0.1 entry should be green (signifying it can be contacted). All other entries should be red. If you view your firewall logs on pfSense now, it should have quite a few blocks triggered by destination port 53 on the AirVPN_LAN interface. If any other DNS servers are contacted and show up as Green, review the firewall settings and correct any discrepancies you find. If you find none and otherwise cannot correct the leak, feel free to ask for help by posting to this thread.
 
For those of you that wish to verify the proof of concept, feel free to temporarily disable the BLOCK_DNS rule and verify this yourself (You have to close and re-open DNSBench, don't worry, testing this is quite safe). You will see that had this been a malicious program it could indeed hijack your browser. Be sure to re-enable the firewall rule after!
 
 




 
 
That's it! You should now have a functional connection to AirVPN! Just plug your ethernet cord, switch or wireless access point into the AirVPN_LAN port and you are off and running! I hope this guide helps you! Don't forget to back up your settings you just spent all this time setting up!
  






 

Setting Up pfSense for AirVPN



Using 3 or more NIC's


 

Step 7: Setting up the LAN Interface


 
 




 
A:) Configuring the Interface


 
1.) Go to Interfaces > LAN

http://192.168.1.1/interfaces.php?if=lan -or- https://192.168.1.1/interfaces.php?if=lan 
Set it as follows:
 
--General configuration
Enable = [✔] (CHECKED)
Description = [✎  LAN ]
IPv4 Configuration Type = [ Static IPv4 ▼]
IPv6 Configuration Type = [ None ▼]
MAC address = [✎_____] (empty)
MTU = [✎_____] (empty)
MSS = [✎_____] (empty)
Speed and duplex = Advanced > [ Autoselect ▼]
--Static IPv4 configuration
IPv4 address = [✎ 192.168.1.1 ] / [ 24 ▼]
IPv4 Upstream Gateway = [ None ▼]
--Private networks
Block Private Networks = [_] (UNCHECKED)
Block Bogon Networks = [_] (UNCHECKED)
 
2.) Click [save]
 
3.) Click [ Apply Changes ]
 
 



 
B.) Setting up the DHCP Server for the LAN Interface


 
1.) Go to: Services > DHCP server

http://192.168.1.1/services_dhcp.php -or- https://192.168.1.1/services_dhcp.php 
2.) Ensure the "LAN" tab is selected
 
3.) Set as follows: (NOTE: These options may already be set by default, change as needed.)
Enable DHCP server on LAN interface = [✔] (CHECKED)
Range = [✎  192.168.1.100 ] to [✎  192.168.1.199 ]
 
4.) Click [sAVE]
 
5.) Click [ Apply Changes ]
 
 



 
C.) Setting up the Outgoing NAT for the LAN Interface AND Localhost


 
1.) Go to: Firewall > NAT > Outbound

http://192.168.1.1/firewall_nat_out.php -or- https://192.168.1.1/firewall_nat_out.php 
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.
 
3.) Click [ SAVE ]
 
4.) Click [ Apply Changes ]
 
This will likely spawn a number of automatically created outbound NAT rules. At this point you can check the box next to all of the ones directed to port 500 and delete them, we don't want them. This should leave you with a few default rules titled similarly to “Default LAN to WAN” and “Default Localhost to WAN”. Any other rules than these two should be deleted. Each of the default rules can just be edited by clicking the [e] button to the right of it. If there is not a rule for your LAN or Localhost, you will need to create one by selecting the [+] at the top right and creating a new one.
 


 
First we will set the LAN outbound NAT.


 
5.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ WAN ▼]
Protocol = [ any ▼]
Source = [_] Not (unchecked)
               Type: [ Network ▼]
               Address: [ 192.168.1.0 ] / [ 24 ▼]
               Source port: [_____] (empty/blank)
Destination = [_] Not (unchecked)
               Type = [ Any ▼]
               Address: [_____] / [ 24 ▼](empty/blank)
               Destination Port: [_____] (empty/blank)
Translation: Address = [ Interface Address ]
Description = [ LAN to WAN ]
 
6.) Click [ SAVE ]
 



 
Second we will set the Localhost outbound NAT.


 
7.) Set as follows:
Do not NAT = [_] (unchecked)
Interface = [ WAN ▼]
Protocol = [ any ▼]
Source = [_] Not (unchecked)
               Type: [ Network ▼]
               Address: [ 127.0.0.1 ] / [ 8 ▼]
               Source port: [_____] (empty/blank)
Destination = [_] Not (unchecked)
               Type = [ Any ▼]
               Address: [_____] / [ 24 ▼](empty/blank)
               Destination Port: [ 1024:65535 ]
Translation: Address = [ Interface Address ]
Description = [ Localhost to WAN ]
 
8.) Click [ SAVE ]
 
8.) Click [ Apply Changes ]
 
 






 
 



 
D.) Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.


 
*NOTE: There are THREE necessary rules for the LAN interface. You should have two firewall rules here by default. The “anti-lockout rule” and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule, it is up to you.
 



 
First LAN Firewall Rule:



"BLOCK_DNS_LEAKS_LAN"


 
The first LAN firewall rule will block all DNS requests that we do not explicitly allow. This rule will force all users on this interface to use the DNS forwarder and hence the servers we entered on the general settings page. Pay close attention to this one.
 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_LAN".
 
Set as follows:
Action = [ Block ▼]
Disabled = [_] Disable this rule (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [TCP/UDP ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [✔] Not (CHECKED!!!!!!!!)
                     Type: [ LAN address ▼]
                     Address: [________]
Destination port range = From: [ DNS ▼]
                                      To: [ DNS ▼]
Log = [✔] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_LAN]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ WAN_DHCP ▼]
 
3.) Click [ Save ]
 
4.) Click [ Apply Changes ]
 
 


 
Second LAN Firewall Rule:



"ALLOW LAN OUTBOUND"


 
1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW LAN OUTBOUND" (Note: There may already be a rule titled " Default Allow LAN Outbound" or similar. You certainly can just edit that entry to these settings, or delete and create this.)
 
3.) Set as follows:
Action = [ Pass ▼]
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ LAN Subnet ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Description = [✎ ALLOW LAN OUTBOUND]
*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ WAN_DHCP ▼]
 
4.) Click [ SAVE ]
 
5.) Click [ Apply Changes ]
 
 


 
Third LAN Firewall Rule:



"BLOCK ALL ELSE LAN"


 
1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand select your "LAN" interface.
 
2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
 
3.) Set as follows:
Action = [block ▼]
Disabled = [_] (UNCHECKED)
Interface = [LAN ▼]
TCP/IP Version = [iPv4 ▼]
Protocol = [Any ▼]
Source = [_] Not (UNCHECKED)
              Type: [ Any ▼]
              Address: [______] (BLANK)
Destination = [_] Not (UNCHECKED)
                     Type: [ Any ▼]
                     Address: [______] (BLANK)
Log packets that are handled by this rule = [✔] (checked)
Description = [✎  BLOCK ALL ELSE LAN ]
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default
 
4.) Click [ SAVE ]
 
5.) Click [ Apply Changes ]
 



 
 
E.) Checking That Our Firewall Rules Are In The Correct Order


 
1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php -or- https://192.168.1.1/firewall_rules.phpand Select your "LAN" interface.
 
2.) The order of the rules we just created is important!
They should appear in this following order when viewed:
BLOCK DNS LEAKS LAN
ALLOW LAN OUTBOUND
BLOCK ALL ELSE LAN
 
ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!
 





 
 

Had the exact same issue on a Fritz!Box router. Here's what I found out.
 
SIP didn't work when all traffic was routed through the tunnel. My internet telephony number could not be registered. I changed the routing of Fritz!Box and it worked partially: I added a few routes to route traffic to possible VoIP servers (SIP, STUN, etc.) - the part that worked - but encountered a very big problem which you cannot circumvent.
To transfer voice, VoIP uses RTP (Real-time Transport Protocol) which is coupled with RTCP (Real-time Transport Control Protocol). According to the specification, RTP uses an even port number while RTCP will use the next higher odd port. The problem here is that they're not bound to specific ports. They can use 1024 and 1025, 4444 and 4445 or even 65534 and 65535.
 
You cannot remote forward ports on the fly. That's why VoIP with any proxy service will not work.

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016
WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
   




 
 
pfSense_fan's Guide
How To Set Up pfSense 2.1 for AirVPN
Using Three or more NIC's
 Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
 



 
 
 
Table of Contents:
Preface Understanding Certificates and OpenVPN Config Files on pfSense Understanding OpenVPN Settings on pfSense Step 1: Entering our AirVPN CA (Certificate Authority) Step 2: Entering our AirVPN Certificate and Key Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface Step 5: Setting up the AirVPN Gateway Step 6: Setting up the DNS Forwarder Step 7: Setting up the LAN Interface Step 8: Setting up the AirVPN_LAN Interface Step 9: Setting Misc Advanced Options (Optional) Step 10: Setting Bootloader and System Tunables (Optional) Step 11: Setting Advanced OpenVPN Options (Optional) Alternate Step 6+7 For Dual (Two) NIC installs
 

 



 

Guide: How to setup a pfSense VPN Gateway
In a Windows Domain Network
Also using a single subnet for the LAN
(WAN uses a different subnet just for pfSense-router comms)



 
 
This Guide will allow you to have devices on the AirVPN or Normal internet while maintaining a single lan subnet and windows domain.
 
Prerequisites:
1. You must have a sound understanding of configuring windows server 2008/2012 DNS and DHCP Roles. 2. Your Router (ADSL Modem, Cable Modem etc..) must be able to live on 2 IP's, the reason is that we want to use the modem as usual for normal internet and the Alias is the upstream gateway in pfSense as we cannot or should not attempt to have the pfSense LAN and WAN interfaces on the same sub-net. (For example Billion ADSL Modems can have a LAN IP and an Alias IP configured) 3. If you have an exchange server installed on your domain controller firstly Shame on You! that's seriously bad practice and secondly when you set your DC to gateway via the pfSense issues will occur with exchange. You should still be able to send email but receiving it can be a problem as incoming connections from one gateway hit a server that has its default gateway set to a different gateway.

Step1 - Configure pfSense

 
 
My step 1 is to actually configure pfSense first, no need to reinvent the wheel here so follow pfSense_fan's guide to configure the AIRVPN setup in pfSense
(Hope you don't mind pfSense_fan !)
 
Tho not compulsory it is best practice to use windows DHCP in a windows domain environment, for the purposes of this guide i will assume that you are.
 
Now would also be a good time to configure your routers alias IP, for example give it 192.168.1.254, then your router serves as a gateway on for example 192.168.0.254 and the alias.
 
Follow this guide for steps 1 through 5, then use alternate steps 6 and 7 for 2 nics.
 
During the guide change the following instructions
1. During pfsense installation say no to VLANS and assign em1 to WAN and em0 to LAN
2. now select menu item 2 and change interface IP address's, assign your desired LAN interface IP then say no to enable DHCP and then repeat this step for WAN, remember to specify your routers alias IP as gateway on the WAN interface.
During the guide skip the steps to configure LAN, in the WAN interface uncheck to block local private and bogon and finally skip the steps to configure DHCP.
 
Example
 
WAN (wan) -> em1 -> v4: 192.168.1.253/24
LAN (lan) -> em0 -> v4: 192.168.0.137/24
 
Proceed to pfSense_fan's guide
 
https://airvpn.org/pfsense/
 



Step2 - Testing and windows server DNS

 
 
Welcome Back!
 
Ok its time to test your new pfSense gateway. change the network IPv4 settings on a computer to static IP, configure it so you use the pfSense LAN address as gateway and DNS server 10.4.0.1 then run your browser and navigate to ipleak.net to make sure your IP and DNS IP are of AirVPN. Change the computer back to DHCP.
 
Logon to your windows server and do the following
1. change the default gateway of the server NIC to the pfSense LAN address
2. make sure the DNS server configured in the NIC are ONLY 127.0.0.1 or the IP of the server itself
 
Open the DNS management tool
1. Configure windows DNS server so that the only DNS forwarder is 10.4.0.1
2. untick "Use Root Hints if no forwarders are available"
3. Click Apply / OK
 
Step3 - DHCP
 
Open the DHCP management tool and Check to ensure that the only DNS server IP's in the scope options is that of your windows DC.
Now here is a multiple choice, you can either set DHCP scope option "Router" to point to the standard router or the pfSense router. It depends because do you want all traffic to use the VPN by default or the normal net by default ?
 
Then to decide if a device is to use the other instead of the default assign that device a reservation and set that reservations router option to the other gateway.
Finally it doesn't matter if a device uses normal or VPN "ALL" DNS queries flow through the VPN.
I haven't had any issues at all with this personally and it has to be this way because all computers joined to the domain must use the DC DNS.
 
Thats it CONGRATULATIONS!
Formatting by pfSense_fan



 

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016
WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
   




 
 
pfSense_fan's Guide
How To Set Up pfSense 2.1 for AirVPN
Using Three or more NIC's
 Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
 



 
 
 
Table of Contents:
Preface Understanding Certificates and OpenVPN Config Files on pfSense Understanding OpenVPN Settings on pfSense Step 1: Entering our AirVPN CA (Certificate Authority) Step 2: Entering our AirVPN Certificate and Key Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface Step 5: Setting up the AirVPN Gateway Step 6: Setting up the DNS Forwarder Step 7: Setting up the LAN Interface Step 8: Setting up the AirVPN_LAN Interface Step 9: Setting Misc Advanced Options (Optional) Step 10: Setting Bootloader and System Tunables (Optional) Step 11: Setting Advanced OpenVPN Options (Optional) Alternate Step 6+7 For Dual (Two) NIC installs
 

 



 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 6: Setting Up the DNS Forwarder
  


 
 
NOTE: Here we are going to disable the DNS Forwarder for VPN interfaces (DNS for VPN will be set through DHCP on a PER-INTERFACE BASIS), while leaving the Forwarder enabled for the LAN interface as well as the Firewall (Localhost) itself. THE DNS FORWARDER CANNOT BE SHARED BETWEEN THE FIREWALL/LAN (CLEAR-NET) AND THE AirVPN_LAN (VPN). THE DNS FOR THE AirVPN_LAN IS SET ON THE DHCP SERVER SETTINGS PAGE, AS EXPLAINED IN THE FOLLOWING STEP 8 GUIDE. Please also note that if done correctly there is no chance of DNS “leaks” (As explained in the Preface), and further, we will be creating firewall rules to prevent DNS hijacking.
 
Pay extra attention to this section. This seems to be a troublesome area for many, and is easily the biggest concern for a “leak” (we cannot share the DNS Forwarder) if a setting were to be configured incorrectly. That being said, we need to enter DNS servers on the General Setup page for the firewall to use and for initial connection to AirVPN when using URL's such as the entry address for the whole Earth or individual countries. This method also makes the firewall run more reliably as it does not require re-configuring if the VPN fails. In the event the VPN does fail, all states are dropped and the connection is severed provided you followed the instructions on setting up the gateway correctly. I suggest using OpenNIC DNS servers, however I will use OpenDNS since I cannot look up the appropriate OpenNIC servers for you. You may use the public DNS servers of your choice or ones your ISP provides (not recommended) if you wish.
 Setting DNS Options Under the General Setup Page
 1.) Go to: System > General Setup: DNS servers
http://192.168.1.1/system.php -or- https://192.168.1.1/system.php Set as Follows:
 
DNS Server –- Use gateway
[✎ 208.67.222.222 ] [ WAN_DHCP ▼]
[✎ 208.67.220.220 ] [ WAN_DHCP ▼]
[✎ (empty) ] [=== None === ▼]
[✎ (empty) ] [=== None === ▼]
 
[_] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED
[_] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED
 
2.) Click [save]
 


 
 
 
Setting the DNS Forwarder Options
 1.) Go to: Services > DNS Forwarder
http://192.168.1.1/services_dnsmasq.php -or- https://192.168.1.1/services_dnsmasq.php Set as Follows:
 
--General DNS Forwarder Options
Enable = [✔] Enable DNS forwarder (CHECKED)
DHCP Registration = [_] Register DHCP leases in DNS forwarder (UNCHECKED)
Static DHCP = [_] Register DHCP static mappings in DNS forwarder (UNCHECKED)
Prefer DHCP = [_] Resolve DHCP mappings first (UNCHECKED)
DNS Query Forwarding = [_] Query DNS servers sequentially (UNCHECKED)
                                     [_] Require domain (UNCHECKED)
                                     [✔] Do not forward private reverse lookups (CHECKED)
Listen Port = [______] (Empty/Blank)
Interfaces = ***SEE STEPS BELOW
By default all interfaces are selected. This may show up as “All” being highlighted, or each individual interface being highlighted. Using the Ctrl key, DESELECT AS NEEDED, AND ENSURE ONLY LAN AND LOCALHOST ARE SELECTED/HIGHLIGHTED. IT IS CRITICAL YOU GET THIS SECTION CORRECT.
 
[✔] Strict Interface Binding
 
Advanced = [Advanced] - Show advanced options (UNCHANGED)
 
2.) Click [save]
 
3.) Click [ Apply Changes ]
 


 
 
 
Verifying Our DNS Settings (Optional Step)
 Here we will test to see if domain names are resolving from the DNS servers we entered on the General Setup page. We will do this using the built in feature of the firewall.
 
1.) Go to: Dianostics > DNS Lookup
http://192.168.1.1/diag_dns.php -or- https://192.168.1.1/diag_dns.php Set as Follows:
Hostname or IP = [ airvpn.org ]
 
2.) Click [ DNS Lookup ]
 
3.) Verify the results:
Hostname or IP = [ airvpn.org ] = 95.211.138.143
If 95.211.138.143 was returned it is resolving correctly. Feel free to resolve as many sites as you wish! This is a useful tool to keep in mind as well.
 

 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 5: Setting the AirVPN Gateway
  


 
 
1.) Go to: System > Routing
http://192.168.1.1/system_gateways.php  -or-  https://192.168.1.1/system_gateways.php 2.) Find and select the [+] on the same line asAirVPN_WAN_VPN4
***** NOTE: BE VERY CAREFUL OF WHICH [+] YOU SELECT HERE. “MOUSING OVER” THE [+] BUTTONS WILL REVEAL THEIR TITLE. DO NOT SELECT THE ONE FOR WAN DHCP! What you will see here may vary. When I got to this point in my setup I had two gateways that were added but not yet enabled, You may only see your default/WAN gateway until you add a new one. I had AirVPN_WAN_VPN4 (IPv4) and AirVPN_WAN_VPN6 (IPv6, if you have IPv6 disabled you will not see this). You are not able to edit the names of these gateways. What I did to get around this was to create a new IPv4 gateway (by clicking the [+] on the same line as AirVPN_WAN_VPN4) and give it the name I wanted (AirVPN_WAN). Then, after saving this new interface, the old AirVPN_WAN_VPN4 Gateway will have automatically have been deleted. If IPv6 is not disable on your system, ignore the “grayed out”/disabled AirVPN_WAN_VPN6. It cannot be deleted, only made to disappear if you disable IPv6. I will not go into how to do that at this time.
 
3.) This will bring you to the edit gateway page for your OpenVPN IPv4 interface. Here we will enter a Name, Settings and description for it.
 
Set as follows:
Disabled = [_] (UNCHECKED)
Interface = [AirVPN_WAN ▼]
Address Family = [iPv4 ▼]
Name = [✎ AirVPN_WAN]
Gateway = [dynamic]
Default Gateway = [_] (*****UNCHECKED, SEE NOTES BELOW)
Disable Gateway Monitoring = [√] (CHECKED) The monitoring servicve has caused more issues then it has corrected as of late, so we will disable it.
Monitor IP = [______] (Blank) If you do decide to enable this, set it to 10.4.0.1
Mark Gateway as Down = [_] (UNCHECKED)
Advanced = **Unchanged**
Description = [✎ AirVPN_WAN]
 
***** NOTE: In the past, the default gateway setting was advised to be checked. This was to act as a fail-safe in the event something went wrong, all traffic would attempt to route through the VPN and have no chance of being re-routed to the clear_net. While this "works", THIS IS NOT CORRECT FROM A ROUTING STAND POINT. Trying to use it this way causes what is known as a routing loop and can quickly exhaust network buffers. This can be seen in the OpenVPN Logs when using the "verb 4" setting. It shows up as:
write UDPv4: No buffer space available (code=55)The idea of having the VPN as the default gateway is nice on paper, but should not be used. If all other settings are correct, this is not an issue and should not be worried about. Focus instead on having all settings correct! 
4.) Click [save]
 
5.) Click [Apply Changes]
 


 
 
 
6.) Go to: System > Advanced >Miscellaneous
http://192.168.1.1/system_advanced_misc.php  -or-  https://192.168.1.1/system_advanced_misc.php 7.) Find the section titled “Gateway Monitoring”
*****NOTE***** The following settings are important!!!
 
Set as follows:
State Killing on Gateway Failure = [_] (NOT CHECKED!!!)
Skip rules when gateway is down = [√] (CHECKED)
 
8.) Click [sAVE]
 
 


 
 
9.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php  -or-  https://192.168.1.1/reboot.php 10.) Click [Yes] to Reboot
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 4: Assigning the OpenVPN Interface
  


 
 
1.) Go to: Interfaces > Assign
http://192.168.1.1/interfaces_assign.php -or- https://192.168.1.1/interfaces_assign.php 2.) Find and select the [+] on the lower right for “Add Interface”
A new interface should appear - [ovpnc1(AirVPN) ▼]
 
3.) Click [save]
 
4.) While still on the assign interfaces page, find the link for your newly created “ovpnc1” interface and select it. This will bring you to the configuration page for this interface.
 
Set as Follows:
--General configuration
Enable = [√] (CHECKED)
Description = [✎ AirVPN_WAN ]
IPv4 Configuration Type = [None ▼]
IPv6 Configuration Type = [None ▼]
MAC Address = [✎_____] (Blank/Empty)
MTU = [✎_____] (Blank/Empty)
MSS = [✎_____] (Blank/Empty)
--Private Networks
Block Private Networks = [_] (NOT CHECKED!!!)
Blocks Bogon Networks = [_] (NOT CHECKED!!!)
 
5.) Click [save]
 
6.) Click [Apply Changes]
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 3: Setting up the OpenVPN Client
  


 
 
1.) Go to: VPN > OpenVPN > Client
http://192.168.1.1/vpn_openvpn_client.php -or- https://192.168.1.1/vpn_openvpn_client.php 2.) Find and select the [+] on the lower right for “Add Client”
 
3.) Here we will enter our settings, a descriptive name and advanced settings. Settings that go here are taken from our OpenVPN Config file, from the section highlighted YELLOW, as well as our tls-auth cert, highlighted PINK
 
Set as follows:
 
--General information
Disabled = [_] (NOT CHECKED!!!)
Server Mode = [Peer to Peer (SSL/TLS) ▼]
Protocol = [uDP ▼]
Device Mode = [tun ▼]
Interface = [WAN ▼]
Local Port = [✎ _____] (Blank/Empty)
Server Host or Address = [✎ XXX.XXX.XXX.XXX] IP of your preferred AirVPN Entry (From the "remote" line in the config)
Server Port = [✎ 443] (From the "remote" line in the config)
Proxy Host or address = [✎ _____] (Blank/Empty)
Proxy Port = [✎ _____] (Blank/Empty)
Proxy Authentication Extra Options = [none ▼}
Server Host Name Resolution = [√] Infinitely Resolve Server (checked)
Description = [✎ AirVPN]
 
--User Authentication Settings
User name/pass      Leave empty when no user name and/or password are needed.
                                   Username: [✎ _____] (Blank/Empty)
                                   Password: [✎ _____] (Blank/Empty)
 
--Cryptographic Settings
TLS Authentication = [√ ] Enable authentication of TLS packets. (CHECKED)
                                 [_] Automatically generate a shared TLS authentication key. (NOT CHECKED)
  ___________________________________
 | #
 | # 2048 bit OpenVPN static key
 | #
 | -----BEGIN OpenVPN Static key V1-----
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | XXXXXXXXXXXXXXXXXXXXXX
 | -----END OpenVPN Static key V1-----
 |____________________________________
Peer Certificate Authority = [AirVPN_CA ▼]
Cient Certificate = [ AirVPN_CERT ▼]
Encryption Algorithm = [ AES-256-CBC (256 bit) ▼]
Auth Digest Algorithm = [ SHA1 (160 bit) ▼]
Hardware Crypto = SET THIS BASED ON YOUR CPU’s CAPABILITY!!! NOTE: Ivy Bridge, Haswell and newer Intel Processors support RD-RAND. If you have a different CPU you will have to research if BSD Cryptodev is compatible with your processor. If you are unsure, set this to BSD Cryptodev, it should not harm anything even if not supported. If supported, this setting can (will) increase performance of your pfSense appliance.
 
--Tunnel Settings
IPv4 Tunnel Network = [✎ _____] (Blank/Empty)
IPv6 Tunnel Network = [✎ _____] (Blank/Empty)
IPv4 Remote Networks = [✎ _____] (Blank/Empty)
IPv6 Remote Networks = [✎ _____] (Blank/Empty)
Limit Outgoing Bandwidth = [✎ _____] (Blank/Empty)
Compression = [Disabled - No Compression ▼ ]
Type-of-Service = [_] (NOT CHECKED!!!)
Disable IPv6 = [✔] (CHECKED)
Don't pull routes = [✔] (CHECKED)
Don't add/remove routes = [✔] (CHECKED)
 
--Advanced Configuration
Advanced = (Copy and Paste The following text directly into the advanced box. Anything to the right of a # symbol is "commented out" and has no effect. I have added a few settings that make the use of pfSense and tighten up security, and have left comments with descriptions of many. Some options I have left in but commented out from use for users to have handy in the event of troubleshooting and can be ignored or deleted if not desired.)
##### CLIENT OPTIONS #####; server-poll-timeout 10 ### When polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. ###; explicit-exit-notify 5; ##### TUNNEL OPTIONS #####; ### Use Multple "remote" entries with the according entry IP address of your favorite servers ###; ### other than the server entered in the "Server Host or Address" entry above and pfSense ###; ### will automatically recconnect in a round robin fashion if the server you are connected to ###; ### goes down or is having quality issues. Edit and uncomment the fake lines below or add your own. ###; ###remote XX.XX.XX.XX 443 ###AirVPN_US-Atlanta-Georgia_Kaus_UDP-443###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Acamar_UDP-2018###; ###remote XXX.XX.XX.XXX 2018 ###AirVPN_US-Miami_Yildun_UDP-2018###; ###remote XX.XX.XX.XX 53 ###AirVPN_US-Miami_Cursa_UDP-53###; ###remote XXX.XX.XX.XX 443 ###AirVPN_CA-Dheneb_UDP-443###; ###remote XXX.XX.XXX.XXX 443 ###AirVPN_CA-Saiph_UDP-443###; rcvbuf 262144; sndbuf 262144; mlock ### Using this option ensures that key material and tunnel data are never written to disk due to virtual memory paging operations which occur under most modern operating systems. ###; fast-io ### Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. ###; ###tun-mtu 1500; ###mssfix 1450; ###keepalive 5 15; ##### DATA CHANNEL ENCRYPTION OPTIONS #####; key-direction 1; keysize 256 ### Size of key from cipher ###; prng SHA512 64 ### (Pseudo-random number generator) ALG = SHA1,SHA256,SHA384,SHA512 | NONCE = 16-64 ###; ### replay-window n [t] ### Default = replay-window 64 15 ###; ### mute-replay-warnings; ##### TLS MODE OPTIONS #####; tls-version-min 1.2 ### set the minimum TLS version we will accept from the peer ###; key-method 2 ### client generates a random key ###; tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ### Use TLS-DHE-RSA-WITH-AES-256-CBC-SHA if GCM fails. ###; tls-timeout 2 ### Default = 2 ###; ns-cert-type server ### Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server". ###; remote-cert-tls server ###Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. ###; ### reneg-sec 3600;  Verbosity level = [ 3 (Recommended) ▼ ]
 
4.) Click [save]
 
5.) Go to: Diagnostics > Reboot System
http://192.168.1.1/reboot.php -or- https://192.168.1.1/reboot.php 6.) Click [Yes] to Reboot
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 2: Entering our AirVPN Certificate and Key
  


 
 
1.) Go to: System > Cert Manager > Certificate Manager
http://192.168.1.1/system_certmanager.php -or- https://192.168.1.1/system_certmanager.php 2.) Find and select the [+] on the lower right for “Add or Import Certificate”
 
3.) Here we will enter a descriptive name and enter our Certificate and Key data.
 
Set as follows:
Descriptive name = [✎ AirVPN_CERT ]
Method = [ Import an Existing Certificate Authority ▼]
Certificate Data = [Everything BETWEEN <cert> and </cert> but NOT INCLUDING <cert> and </cert>] - (Everything highlighted ORANGE in the Sample ovpn config):
 
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
 
Private key data = [Everything BETWEEN <key> and </key> but NOT INCLUDING <key> and </key>] - (Everything highlighted GREEN in the Sample ovpn config):
 
<key>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</key>
 
4.) Click [save]
 


 

Setting Up pfSense for AirVPN
Using 3 or more NIC's
 Step 1: Entering our AirVPN CA (Certificate Authority)
  


 
 
1.) Go to: System > Cert Manager
http://192.168.1.1/system_camanager.php -or- https://192.168.1.1/system_camanager.php 2.) Find and select the [+] on the lower right for “Add or Import CA”
 
3.) Here we will enter a descriptive name and enter our CA certificate data.
 
Set as follows:
Descriptive name = [✎ AirVPN_CA ]
Method = [ Import an Existing Certificate Authority ▼]
Certificate Data = [Everything BETWEEN <ca> and </ca> but NOT INCLUDING <ca> and </ca>)] - (Everything highlighted LIGHT BLUE in the Sample ovpn config):
 
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
 
Certificate Private Key(optional) = [_____] (Blank/Empty)
 
4.) Click [save]
 
 


 

Understanding OpenVPN Settings on pfSense
   




 
 
Here is the list of settings given to us in the config files we download for a standard UDP connection. Below are descriptions of what they do and where they are located or how they are entered in pfSense.
 
They are as follows:
client dev tun proto udp remote xxx.xxx.xxx.xxx 443 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-CBC comp-lzo no verb 3 explicit-exit-notify 5 key-direction 1
 
 
1.) "client" – This setting denotes whether this configuration is for a OpenVPN client or server. We are connecting to AirVPN as clients. There is no corresponding setting in pfSense as we are denoting this by selecting the client tab.
 
 


 
 
2.) dev tun = "Device Mode" on the OpenVPN client settings page. This setting selects the virtual network type.
 
From the OpenVPN manual:
   


 
 
3.) proto udp = "Protocol" drop down selection on the OpenVPN client settings page.
 
 
From the OpenVPN manual:
   


 
 
4.) remote xxx.xxx.xxx.xxx 443 = "Server Host or Address" AND "Server Port" entries on the pfSense client settings page. The host or address is the xxx.xxx.xxx.xxx entry replaced by the IP address or hostname of your preferred AirVPN entry server. The port is the 443 that follows, or could be any of the other optional ports you can choose with the config generator. For the purposes of this tutorial I chose to use the basic config of UDP 443.
 
From the OpenVPN manual:
   


 
 
5.) "resolv-retry infinite" = The check box next to the "Server Host Name Resolution" titled "Infinitely Resolve Server". From pfSense: "Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet."
 
From the OpenVPN manual:
   


 
 
6.) nobind = “Local Port” on the OpenVPN settings page and is set by leaving the entry BLANK or entering a number “0”.
 
From psSense: “Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port “
 
From the OpenVPN manual:
   


 
 
7.) persist-key = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-key;" but without the quotes.
 
From the OpenVPN manual:
   


 
 
8.) persist-tun = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "persist-tun;" but without the quotes.
 
From the OpenVPN manual:
   


 
 
9.) remote-cert-tls server = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "remote-cert-tls server;" but without the quotes.
 
From the OpenVPN manual:
   


 
 
10.) cipher = "Encryption Algorythm" in the pfSense client settings page. AirVPN uses "AES-256-CBC" according to the config generator files.
 
From the OpenVPN manual:
   


 
 
11.) comp-lzo no = The check box labled “Compress tunnel packets using the LZO algorithm.” on the OpenVPN Client Settings page.
 
From the OpenVPN manual:
   


 
 
12.) verb 3 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "verb 3;" but without the quotes.
 
From the OpenVPN manual:
   


 
 
13.) Explicit-exit-notify 5 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "explicit-exit-notify 5;" but without the quotes.
 
From the OpenVPN manual:
   


 
 
 
14.) key-direction 1 = This setting must be entered into the advanced options box on the OpenVPN client settings page. It is entered as "key-direction 1;" but without the quotes.
 
From the OpenVPN manual:
   




 
 
 
Here is the list of settings that are further “pushed” to us when connecting. By entering them manually we take an additional step to prevent the use of or depreciation to “lower”, less secure settings. Below are descriptions of what they do. All of these following settings are entered into the Advanced box on the OpenVPN Client page.
 
 
They are as follows:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA keysize 256 auth SHA1 key-method 2
 
 
1.) tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA = OpenVPN > Client > Advanced: tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
 
This setting is automatically “pushed” when connecting to the server. That being said, it can also be set manually which has the benefit of preventing the use of/falling back to a lower encryption version.
 
From the OpenVPN manual:
   


 
 
2.) keysize 256 = OpenVPN > Client > Advanced: keysize 256;
 
From the OpenVPN manual:
   


 
 
3.) auth SHA1 = OpenVPN > Client > Advanced: auth SHA1;
 
From the OpenVPN manual:
   


 
 
4.) key-method 2 = OpenVPN > Client > Advanced: key-method 2;
 
From the OpenVPN manual:
   


 
 
 
 
 




 

Understanding Certificates and OpenVPN Config Files
   


 
 
I noticed on the forums that many people trying to set up pfSense struggle with entering their certificates properly. I will try to be as detailed as possible here.
 
First, if you have not done so already, we have to download the OpenVPN Config File (.ovpn) for our preferred AirVPN entry server. You can do this by logging into airvpn.org and then proceeding to https://airvpn.org/generator/ . Choose the entry server of your choice (the air entry server can be changed later whenever you need, we will focus on one for this tutorial) by selecting the corrisponding check box the scroll down and select the “Direct, protocol UDP, port 443”. Scroll down again and select both check boxes agreeing to the AirVPN terms of service, then click the “Generate” button. Once you have the config file you can open it with your favorite text editor. What you should see will look very similar as the sample ovpn config I pasted below (this one was downloaded for a windows client). The config is broken into FIVE main parts that we will need to identify for our uses.
 
The five parts are as follows:

 
 

 
 

 
 

 
 

 
 
Settings and Advanced Settings CA (Certificate Authority, everything between <ca> and </ca>) Cert (Certificate Data, everything between <cert> and </cert>) Key (RSA Private Key, everything between <key> and </key>) tls-auth (2048 bit OpenVPN static key, everything between <tls-auth> and </tls-auth>)

 
 

Sample OpenVPN Config File
We will need to copy these settings from YOUR config file you downloaded from the AirVPN config generator into pfSense to set up our certificates and OpenVPN. DO NOT USE THESE, they are fictional.
 
 
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday xxx of xxx 2014 xx:xx:xx AM
# OpenVPN Client Configuration
# AirVPN_XXXXXXXXXXX-xxxx
# --------------------------------------------------------
 
 
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
 
 
 


 

Preface
   




 
 
Here is a guide on how to set up pfSense 2.1 as a firewall, router and OpenVPN client for connecting to AirVPN and Clear-Net using three or more NIC's.
   


 
 
Why pfSense?
  PfSense is a firewall distribution based on FreeBSD and forked from m0n0wall. The primary focus of pfSense is security, not features as many consumer products are. It is not prone to the weak security and vulnerabilities that many consumer routers are. Because it is based on PC hardware, it is also far more powerful. As where an OpenVPN client on a consumer router might max out at 20-30 Mbit / sec, The newest generation of Xeon E3 12XX V3 could do upwards of 500 Mbit / sec on a properly configured pfSense install. For most of us that is far more than our ISP's even provide us with. Personally I have seen speeds as high as 150 Mbit / sec, and can easily get 60-75 Mbit / sec through the VPN when my use demands it, but I am limited by my ISP. If you have ever wondered how people accomplish the speeds they do on the status page, consider that I have been in that #1 spot more than once and frequently appear in the top 10.
 
Some other considerations on “Why pfSense”? Your entire network can be protected by a strong firewall and routing all trafic through your AirVPN connection, not just one device, without even a hint of slowing down your connection. For the more advanced user, you can even set up an OpenVPN SERVER and remotely connect your mobile phones, tablets, laptops and any other device you wish to your firewall and then route that traffic out through your AirVPN connection as well. This is exactly what I do. I route my mobile devices though the firewall which allows me to scan that traffic for viruses, firewall it and encrypt it with the VPN. At a later date I will also make a tutorial on how to accomplish this.
 
pfSense also has a “Packages” system for adding more things such as “pfBlocker” which is similar to peerblock. Other packages include Snort (Intrusion Detection), Squid (Caching proxy, the newest version has anti-virus and can even scan SSL on your network if you permit it) and Dansgaurdian (content filter). These can enhance your security if used properly.
 
There are many more reasons on top of this as well. Simply put; I have yet to find a better solution for connecting with AirVPN.
 
 


 
 
Why I made this guide.
  After searching for many months on how to correctly accomplish this, I was unable to find proper documentation. After months of piecing together the information I did find combined with tedious testing of settings not documented elsewhere, I started to document what I learned as I was also helping others get set up. I also wanted to document this for my own use, although at this point I know this like the back of my hand. After seeing more and more people have questions on using pfSense on AirVPN I decided to share what I learned and continue to learn. It is my hope that in using this guide, I can help others gain confidence in understanding and using pfSense, both in general and with AirVPN.
 
Further more, I believe strongly in the mission statement of the folks at AirVPN, and this is my thank you to them for offering a great service and an avenue for those that truly need privacy and anonymity. I can only hope this guide will some day help someone communicate important information or avert oppression and censorship.
 


 
 
Things to Consider Before Following This Guide
   
 
THIS TUTORIAL IS INTENDED TO BE USED ON A FRESH INSTALL OF PFSENSE!!!
  Everything in the following tutorial assumes your settings are as they were, default, after a fresh install. You most certainly can add to it, especially firewall rules, when set correctly. Many people will have many uses requiring additional settings. I consider these variables to be outside the scope of this tutorial as this is aimed at beginners. I cannot guarantee functionality if you attempt to integrate this guide into your previous settings. Therefore, these issues and settings will not be addressed in the tutorial, but are welcome in discussion in replies to the guide.
 

 
 
THIS TUTORIAL IS INTENDED FOR THOSE THAT NEED CONNECTIONS TO BOTH CLEAR NET AND VPN
  Most users will need connections for some of their devices through the clear net just as I do for things such as VOIP and gaming. Setting it up this way also has the added benefit that if the VPN fails you do not need to reconfigure anything to test why it failed. Constantly having to reconfigure things is a quick way to forget something and poor planning with security. This is why I STRONGLY recommend the use of 3 or more network interface cards. This creates a sort of “Air Gap” between the clear-net and VPN configured networks, considering you have to physically move a network cable to access the different networks. In fact, I personally do not condone the use of only two interfaces for beginners for this reason. I have however, as a courtesy, added a basic addendum to the guide for those who choose to go this route. There is no clear-net configured interface in the two interface guide, only VPN. If the VPN goes down, internet connectivity will go down. I do not use this method myself, and made that section “in my head”. If it needs amending, users of it will need to notify me. I will update that section, although not as frequently as the main guide.
 

 
 
THIS TUTORIAL IS INTENDED FOR BEGINNERS AND THOSE WHO ARE OTHERWISE NOT CONFIDENT IN WHAT THEY ARE DOING
  “Tim Toady” - There's more than one way to do it. As the old saying goes, there is more than one way to skin a cat. Well, on pfSense there are quite a few different ways to go about setting it up for using it with AirVPN. I want to make this clear up front that this tutorial is not the only way to set this up. I'm not going to cover them all, in fact I'm not going to cover any other method than the one I believe to be the safest, easiest and most noob proof. I have added in a few steps (Dropping all states and preventing the gateway from re-routing if the VPN drops as well as blocking all other DNS other than the one we intend to use – the AirVPN DNS or otherwise) that go beyond just “getting it to work” because they further secure the setup for VPN uses. I consider these basic security precautions part of a basic guide to using a VPN, not a later addendum. I intended this to be educational to those who don't know or are not quite confident in what they are doing. If this does not suit your uses or you have your own security policies you choose to follow, you are free to play with my settings as you see fit or use a different guide. If you have constructive criticism or insight on further security policies I’d love to hear it. This tutorial was never intended for experienced users who just wanted to get OpenVPN going. It was meant to give someone who has no previous experience with a commercial firewall the tools they need to make the jump away from weak and insecure consumer grade equipment. The focus will continue to be with that in mind.
 

 
 
ON THE SUBJECT OF DNS LEAKS
NOTE: READ AND UNDERSTAND THIS IN IT'S ENTIRETY
  DNS leaks are not an "issue" on pfSense or its core underlying operating system, FreeBSD. DNS leaks are primarily an issue on Windows operating system. If pfSense is set correctly, the OPERATING SYSTEM will not leak a DNS request. If we tell an interface to use a specific DNS server, it will. It (pfSense) will not send a request out of an alternate interface or gateway.
 
That being said, an uninformed user, foreign hardware (mobile devices etc) or program may try to contact an alternate DNS server from behind the firewall. This can be harmless (an uninformed user contacting an external DNS), or this could be a malicious attack (DNS Hijacking or DNS Rebinding Attack). This is not a fault of pfSense, and the following scenario can happen on ANY platform. A virus, worm, or malicious browser code could hijack and reroute the DNS request to a poisoned or malicious server. This could lead to you seeing an incorrect hijacked web page and could be an attempt to expose you by an adversary. I have added this consideration to the firewall rules that protect against this. IT SHOULD BE NOTED HOWEVER THAT EVEN IF A USER OR PROGRAM SOMEHOW USED AN ALTERNATE EXTERNAL DNS, IT IS NOT A "LEAK" IN THE SAME SENSE THAT IS OFTEN DISCUSSED ON THE AIRVPN.ORG FORUMS. That type of leak requires that a DNS request would leave your network on an interface other than the one you intended (In our case this would mean it would leave an interface other than the AirVPN_LAN or AirVPN_WAN). In the event that a program (malicious or not) sent out a request to an EXTERNAL DNS server other than AirDNS, if all of our settings are set correctly it would still go through the VPN we have set up. While this prevents an outside observer from knowing exactly who is sending the DNS requests, it does not stop this alternate DNS from replying with a poisoned site. The only real way a DNS LEAK would happen is through user error with the DNS Forwarder settings. WE CANNOT SHARE THE DNS FORWARDER BETWEEN CLEAR-NET AND VPN CONFIGURED INTERFACES. Even though we will configure DNS for VPN interfaces through DHCP, at this point (and without further intervention) the DNS forwarder is still ACCESSIBLE from any device behind a VPN configured interface. We need to manually block this availability to prevent devices from unknowingly causing leaks. If you have a wireless network behind a VPN interface, and a mobile device with a manually configured DNS of 192.168.1.1 entered the network, it would cause a DNS leak unless we create a firewall rule to block such connectivity. THIS COULD POTENTIALLY EXPOSE THE VPN USER WITHOUT SUCH A RULE. The way the DNS forwarder works is it sends queries to and then collects (caches) information from all DNS servers entered on the general settings page. If you were to use VPN and Clear-net DNS, it would send requests potentially inside and outside (or just outside) the VPN tunnel. Avoiding this has been covered in the guide, where I explain two steps to isolate VPN DNS requests from those of clear-net requests - how to set the DNS servers for VPN interfaces through DHCP and firewall rules to block all DNS requests to anything that we do not explicitly allow, including the built in DNS forwarder. These blocks are necessary to prevent accidental or malicious DNS leaks and hijacking.
 
As a bonus, I have added a section at the end of the “Setting Up the DNS Forwarder” section describing how to verify your DNS settings are working within the firewall. I also added instructions at the very end of the tutorial for Windows and Wine users on how to internally and externally test for DNS leaks.
 

 
 

 
ON THE SUBJECT OF IP LEAKS
  When using a VPN configured interface according to the steps in this guide, If the VPN fails, all states are cleared and the connection is severed. Even if the connection somehow did not drop, the “Block All” firewall rule which is addressed in this guide will block any attempts for a connection that does not go out the AirVPN_WAN gateway. In this, redundancies are in place to block IP leaks.
 


 
 
Why multiple Network Interface Cards?
Why use both clear-net and AirVPN?
Why not force all traffic through the VPN?
  These questions can all be summed up into one answer. I have many devices and many users connected in my residence. I needed a method to divide, isolate, protect and route these devices and users. With the use of multiple subnets on multiple NIC's I can achieve this while also maintaining very specific firewall rules for each interface. As an example, one setup I have used was as follows:
 
WAN
LAN
XBOX
VOIP
AirVPN_WAN
AirVPN_LAN_1
AirVPN_LAN_2
AirVPN_LAN_3
AirVPN_LAN_4
 
I needed a setup that allowed Clear-Net access for the Firewall, LAN (to ensure connectivity even if the VPN goes down), XBOX and VOIP interfaces, while requiring the AirVPN_LAN interfaces to route through my AirVPN OpenVPN client. This also required no leaks, either IP or DNS. This guide accomplishes that by explaining how to set up one interface for clear-net and another for VPN access. This can then be extrapolated for additional interfaces of either sort.
 
I do not suspect the average user will go the same route as I have (having 8+ NIC's), but quad port NIC's and motherboards that include quad port NIC's and on board low power VGA are becoming common and recommended for this use.
 


 
 
What kind of hardware can run pfSense?
  While the quick answer is “pretty much any pc equipment” there are many considerations for this such as cost of hardware, energy efficiency and how it will be used. Will you use packages such as Snort? How much memory is really required? How “fast” is your internet connection? How long do you intend to use this? At the time of this writing, I personally recommend Rangely or Avoton (Rangely is intended for network devices, Avoton has turbo boost) based Intel Atom boards or the newest generation of Xeon E3 12X0 V3 processors(Ones without graphics on the chip). There is a number of motherboards from SuperMicro and ASRock that have Quad Port Intel Server Class NIC's built onto the board as well as having built on VGA. I cannot stress how much and why I recommend these. Having those on board saves a lot of money and hassle as many cheap motherbord NIC's are not supported as where the Intel Server NIC's are well supported. Those processors also have built in encryption “instructions” (AES-NI, RDRAND) that OpenVPN/OpenSSL can take advantage of and they are quite energy efficient. Energy efficiency must be considered, as the cost of electricity to run an older piece of hardware could easily pay itself off in 1-2 years of running. There certainly is nothing wrong with using equipment you have laying around, however I do not advocate seeking for purchase or “upgrading” old hardware in any way. I consider it a waste of money when considering performance and electrical/upgrading costs over that of new hardware. Ultimately you must decide what you want, what you need and how much to spend on the build.
 
(Eventually I will post links to the hardware I suggest with a more in depth explanation of why)
 
 




 
 
A general disclaimer about this guide
  I wrote this guide under my own free will and provide it for all to use. I am not in any way affiliated with pfSense, AirVPN or any of the hardware manufacturers mentioned in this article. This guide was formed from research, trial and error and extensive testing. I make no guarantee of this article's accuracy further than to say it works for me. Under no circumstance will myself or any of the previously mentioned entities be responsible for your choice to use this guide, successes or failures in using it, or any further support. Like anything in life, you should research accordingly and use your best judgement.
 
 




 
 
Last but not least, I want to say thank you to user Refresh for his participation and support in the making of this, which without that support this may not have been possible!
   




 
 
Time to get started!
   




 

*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016
WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3
THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA
AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST
   




 
 
pfSense_fan's Guide
How To Set Up pfSense 2.1 for AirVPN
Using Three or more NIC's
 Have only two NIC's? Follow the guide through step 5, then go to the alternate step 6+7!!
 



 
 
 
Table of Contents:
Preface Understanding Certificates and OpenVPN Config Files on pfSense Understanding OpenVPN Settings on pfSense Step 1: Entering our AirVPN CA (Certificate Authority) Step 2: Entering our AirVPN Certificate and Key Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface Step 5: Setting up the AirVPN Gateway Step 6: Setting up the DNS Forwarder Step 7: Setting up the LAN Interface Step 8: Setting up the AirVPN_LAN Interface Step 9: Setting Misc Advanced Options (Optional) Step 10: Setting Bootloader and System Tunables (Optional) Step 11: Setting Advanced OpenVPN Options (Optional) Alternate Step 6+7 For Dual (Two) NIC installs
 

 



 

Hi pfsense-fan,
as a complete newbie, your guide was a life saver! I followed it as written and I am up and running with no problems.
 
As a newb to this, when I downloaded the certificate and opened it in Notepad or Notepad++ the certificate part doesn't look like your example at all so being new I thought I was doing something wrong and downloaded it a few times and opened it with other programs. I believe it's because of the 4096 encryption the cert part is now just about 30 lines of encrypted data, nothing readable like your example.
 
The other part I am wondering about is this;
 
 
2.) The order of the rules we just created is important!
They should appear in this following order when viewed:
BLOCK DNS LEAKS LAN
ALLOW LAN OUTBOUND
BLOCK ALL ELSE LAN
 
ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!
 
    

 
    
 You have the three rules listed that we created but in the screen shot the first rule isn't in your list and I don't have that.
 
My pfsense box is a
 
Lenovo thinkserver
70A4001LUX 5Uts140
Xeon E3-1225 v3 3.2 ghz
4gb 1600mhz ram
500gb hd
 
I installed a 4 port intel NIC
motherboard ethernet port is WAN
port 1 of intel card is AirVPN with a four port netgear switch running a PC/Roku/wifi router
Port 2 gaming pc
port 3 wifi router through isp
port 4 voip
 
My internet is only 45Mbps down and with this box and AirVPN I notice no slow down in speed what so ever. Needless to say I am ecstatic!
 
Once again I am very grateful you took the time to write this guide for the uninitiated. 

I have not seen much discussion here about the struggles going on between ISP-s (especially in the U.S.) and backbone providers. And the effect it is having on customers. Including (I think) AirVPN users. So I thought I would post a link to a recent blog post on the Level 3 web site:
 
http://blog.level3.com/global-connectivity/observations-internet-middleman/
 
A note worthy bit:
 
"That leaves the remaining six peers with congestion on almost all of the interconnect ports between us. Congestion that is permanent, has been in place for well over a year and where our peer refuses to augment capacity. They are deliberately harming the service they deliver to their paying customers. They are not allowing us to fulfill the requests their customers make for content.
 
Five of those congested peers are in the United States and one is in Europe. There are none in any other part of the world. All six are large Broadband consumer networks with a dominant or exclusive market share in their local market. In countries or markets where consumers have multiple Broadband choices (like the UK) there are no congested peers."
 
While Level 3 and other backbone providers (e.g. Cogent) are refusing to give in, some service providers (e.g. Netflix) have caved in and made private agreements with ISP-s to let their traffic through the blockade:
 
http://www.forbes.com/sites/halsinger/2014/03/30/connections-between-communications-networks-should-the-fcc-breathe-life-into-internet-middlemen/
 
I know that people here are worried about the effect surveillance can have on the internet, but I think this should also very much be on people's minds.
 
UPDATE:
 
I changed the topic name to include "Net Neutrality", because it may not have been obvious that this falls into that general topic. See also this earlier post here by anonym:
 
/topic/11519-united-states-fcc-now-accepting-public-comments-on-net-neutrality/
 
 
Hopefully my post will help people understand that Net Neutrality is not just about lofty ideals. It can have a very real effect on the quality of your internet experience, even if you are not an idealist.

Hello everyone,
 
I know Air and its customers (myself included) take a strong stance for Net Neutrality.
I just want to make sure Air's United States customers know, the FCC is now accepting public comments on its proposed Net Neutrality (they refer to it as Open Internet) regulations. In their current state, they would enable US broadband companies to charge customers more for faster access to some sites sites, while providing access to other sites (whose operators pay the US telecoms fees) at a higher speed with no additional cost.
It's critical we stand up against this!
If you want to make a difference for the future of the open and free Internet, at least in the US, see the links below.
 
Open Internet Info
FCC Establishes New Inbox For Open Internet Comments
Public Notice of Comment Period
File Your Public Comments in the Docket
 
If you have any additional info on this issue, feel free to post links.
 
Best regards,
 
anonym