
Posts posted by go558a83nk
-
-
Have you tried just changing servers to see if that fixes it? I was having problems and changed server and it worked. Then I switched back to the location I liked, and it worked.
-
Yeah, I think all that "management" stuff is normal. It's just the router making a note that it checked on itself basically.
-
Hash is not SHA256. It's SHA1 unless you're using tls-crypt configs, where it's SHA512.
-
These are my firewall rules after all was done.
On the tutorial, it shows only one rule, the anti-lockout rule before the starting of the new firewall rules. (the first one on the image)
On the image, as you see there are two more default rules that the this part of the AirVPN tutorial.
Those two default rules need to be deleted and it looks like you have a duplicate rule for "airvpn_lan allow outbound".
-
I was able now to make AirVPN go UP.
But I am not able to access the internet from my laptop.
can anyone here help me?
I have never been so close to making AirVPN work (although without firewall rules yet)
These are my NAT outbound rules.
What am I missing?
You need to follow the guide. Firewall rules are required. This note is under the "i" at the bottom of the firewall rules pages - "Everything that isn't explicitly passed is blocked by default."
Therefore, if you don't create rules to pass traffic out the AirVPN gateway (or wherever you want it) it'll be blocked!
-
Thanks for the response
So I think I will invest in a good router that is not too hard to configure. The Asus RT-AC86U Dual Band Wireless Router AC2900 looks very promising.
I also saw the Asus RT-AC88U as a suggested alternative
and
Linksys WRT3200ACM AC3200 MU-MIMO Gigabit Wi-Fi-router
TP-Link Archer C3200 - Tri-Band Gigabit Router
and
Netgear R7800 Nighthawk X4S - AC2600 Router
Which one would give the best performance?
The AC86U has an AES-NI CPU so it should be the best that I know of.
-
I am a noob about this matter.
As I have followed this tutorial, as I did the ones from PIA, ExpressVPN, NordVPN.
But I am not able to UP AirVPN using Pfsense on my AP2C2
I did thrice. Always ending with a network without internet.
To be clear, I followed until step 6. That should be enough.
I am using the latest Pfsense firmware 2.4.4
This is OpenVPN log
Nov 5 19:29:35 openvpn 36189 ifconfig_pool_start = 0.0.0.0
Nov 5 19:29:35 openvpn 36189 ifconfig_pool_end = 0.0.0.0
Nov 5 19:29:35 openvpn 36189 ifconfig_pool_netmask = 0.0.0.0
Nov 5 19:29:35 openvpn 36189 ifconfig_pool_persist_filename = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 ifconfig_pool_persist_refresh_freq = 600
Nov 5 19:29:35 openvpn 36189 ifconfig_ipv6_pool_defined = DISABLED
Nov 5 19:29:35 openvpn 36189 ifconfig_ipv6_pool_base = ::
Nov 5 19:29:35 openvpn 36189 ifconfig_ipv6_pool_netbits = 0
Nov 5 19:29:35 openvpn 36189 n_bcast_buf = 256
Nov 5 19:29:35 openvpn 36189 tcp_queue_limit = 64
Nov 5 19:29:35 openvpn 36189 real_hash_size = 256
Nov 5 19:29:35 openvpn 36189 virtual_hash_size = 256
Nov 5 19:29:35 openvpn 36189 client_connect_script = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 learn_address_script = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 client_disconnect_script = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 client_config_dir = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 ccd_exclusive = DISABLED
Nov 5 19:29:35 openvpn 36189 tmp_dir = '/tmp'
Nov 5 19:29:35 openvpn 36189 push_ifconfig_defined = DISABLED
Nov 5 19:29:35 openvpn 36189 push_ifconfig_local = 0.0.0.0
Nov 5 19:29:35 openvpn 36189 push_ifconfig_remote_netmask = 0.0.0.0
Nov 5 19:29:35 openvpn 36189 push_ifconfig_ipv6_defined = DISABLED
Nov 5 19:29:35 openvpn 36189 push_ifconfig_ipv6_local = ::/0
Nov 5 19:29:35 openvpn 36189 push_ifconfig_ipv6_remote = ::
Nov 5 19:29:35 openvpn 36189 enable_c2c = DISABLED
Nov 5 19:29:35 openvpn 36189 duplicate_cn = DISABLED
Nov 5 19:29:35 openvpn 36189 cf_max = 0
Nov 5 19:29:35 openvpn 36189 cf_per = 0
Nov 5 19:29:35 openvpn 36189 max_clients = 1024
Nov 5 19:29:35 openvpn 36189 max_routes_per_client = 256
Nov 5 19:29:35 openvpn 36189 auth_user_pass_verify_script = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 auth_user_pass_verify_script_via_file = DISABLED
Nov 5 19:29:35 openvpn 36189 auth_token_generate = DISABLED
Nov 5 19:29:35 openvpn 36189 auth_token_lifetime = 0
Nov 5 19:29:35 openvpn 36189 port_share_host = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 port_share_port = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 client = ENABLED
Nov 5 19:29:35 openvpn 36189 pull = ENABLED
Nov 5 19:29:35 openvpn 36189 auth_user_pass_file = '[UNDEF]'
Nov 5 19:29:35 openvpn 36189 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
Nov 5 19:29:35 openvpn 36189 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Nov 5 19:29:35 openvpn 36437 PO_INIT maxevents=1 flags=0x00000002
Nov 5 19:29:35 openvpn 36437 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Nov 5 19:29:35 openvpn 36437 mlockall call succeeded
Nov 5 19:29:35 openvpn 36437 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Nov 5 19:29:35 openvpn 36437 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 5 19:29:35 openvpn 36437 PO_INIT maxevents=4 flags=0x00000002
Nov 5 19:29:35 openvpn 36437 PRNG init md=SHA512 size=128
Nov 5 19:29:35 openvpn 36437 Insufficient key material or header text not found in file '/var/etc/openvpn/client1.tls-auth' (0/128/256 bytes found/min/max)
Nov 5 19:29:35 openvpn 36437 Exiting due to fatal error
Everything was running fine up to the point I had to create the NAT Outbound rules. After this first reboot, my internet went down. I am not able to access it from my laptop anymore. But from pfsense it is still connected.
These are my rules. It is a simple setup. I never imagined AirVPN would be so hard to set up.
I don't wanna start all over again. If anyone can help please, let me know.
Thanks.
Looks like you did something wrong around the TLS key.
Also, is your local network really 192.168.0.0? What is your DHCP server subnet?
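The fatal line in the log above reports "0/128/256 bytes found/min/max" for the tls-auth file. The following check is an added example, not part of the original posts and not OpenVPN's own parser: a simplified validator for the OpenVPN static key text format that reports the same byte count. The sample keys are constructed patterns, not real key material.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
MIN_BYTES, MAX_BYTES = 128, 256  # the min/max printed in the log line above


def check_static_key(text):
    """Return (bytes_found, problem); problem is None if the key looks usable."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines:
        # Typical paste mistake: only the hex block, or a certificate instead.
        return 0, "header line not found"
    start = lines.index(BEGIN) + 1
    end = lines.index(END, start) if END in lines[start:] else None
    hexdata = "".join(lines[start:end])
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexdata):
        return 0, "non-hex characters in key body"
    found = len(hexdata) // 2
    if end is None:
        return found, "footer line not found"
    if found < MIN_BYTES:
        return found, "key body too short"
    if found > MAX_BYTES:
        return found, "key body too long"
    return found, None


# Constructed sample data: a repeating pattern, not a real key.
HEX_LINES = ["0123456789abcdef0123456789abcdef"] * 16    # 16 x 16 bytes = 256
GOOD = "\n".join(["# constructed sample", BEGIN, *HEX_LINES, END])
NO_HEADER = "\n".join(HEX_LINES)                   # hex pasted without BEGIN/END
TRUNCATED = "\n".join([BEGIN, *HEX_LINES[:4], END])      # only 64 bytes

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("no header", NO_HEADER),
                         ("truncated", TRUNCATED)]:
        found, problem = check_static_key(sample)
        print(f"{name}: {found}/{MIN_BYTES}/{MAX_BYTES} bytes found/min/max,",
              problem or "ok")
```

Run it against the text pasted into the TLS key field; a result of 0 bytes found matches the log above and points at a missing header line or the wrong blob in that field.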
-
That CPU has AES-NI and can go up to 2.8ghz. I don't think it's your CPU keeping your speed down.
-
I can't say much about most of your problems but I will say that trackers block VPN IPs. Air is not blocking your access to trackers.
RARBG wouldn't.. In fact they're one of the ones like Pirate Bay and Demonoid that have warnings all over the place about how you SHOULD be using a VPN. Some providers however, have been flagged. I get a message when I go to RARBG that my IP range has caused suspicious activity in the past, but the site still works fine (I get one at ETTV as well). I can't recall running into trouble with any of the Nor Cal servers, but I spend most of my time on the LA ones and they're all fine with RARBG. Been using the new Arizona ones the last few weeks, and believe it or not, they're faster and seem to be running even better than the ones here at home in LA.. Shorter ping times too.
RARBG trackers *do* block many of Air servers. I use them too and usually have to rely on DHT only as the RARBG trackers don't respond. On a few servers I've tried their trackers respond normally. Again, it's not AirVPN doing the blocking, so it must be RARBG.
I understand it seems ironic for them to suggest you use a VPN but then block some VPN IP but it's the truth.
-
Sounds like sometimes your torrent client doesn't bootstrap DHT - maybe those DHT bootstrap servers are overloaded or blocking some VPN servers?
The one remedy I know of is to just keep everything connected. If your torrent client continues to have an internet connection (through the VPN) it'll gather up many DHT nodes and won't lose them.
Hopping around or disconnecting causes your torrent client to lose DHT nodes and then it has to bootstrap again.
-
I can't say much about most of your problems but I will say that trackers block VPN IPs. Air is not blocking your access to trackers.
-
Well. I followed this guide.
And all I got was this:
Oct 27 03:18:01 openvpn 68284 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 27 03:18:01 openvpn 68284 MANAGEMENT: CMD 'state 1'
Oct 27 03:18:01 openvpn 68284 MANAGEMENT: Client disconnected
Oct 27 03:18:21 openvpn 68284 SIGTERM[hard,init_instance] received, process exiting
Oct 27 03:18:22 openvpn 45695 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Oct 27 03:18:22 openvpn 45695 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [sSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
Oct 27 03:18:22 openvpn 45695 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Oct 27 03:18:22 openvpn 45966 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 27 03:18:22 openvpn 45966 mlockall call succeeded
Oct 27 03:18:22 openvpn 45966 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 27 03:18:22 openvpn 45966 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA' for HMAC authentication
Oct 27 03:18:22 openvpn 45966 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA' for HMAC authentication
Oct 27 03:18:22 openvpn 45966 TCP/UDP: Preserving recently used remote address: [AF_INET]199.249.230.31:443
Oct 27 03:18:22 openvpn 45966 Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 27 03:18:22 openvpn 45966 UDPv4 link local (bound): [AF_INET]192.168.1.232:0
Oct 27 03:18:22 openvpn 45966 UDPv4 link remote: [AF_INET]199.249.230.31:443
Oct 27 03:18:27 openvpn 45966 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 27 03:18:27 openvpn 45966 MANAGEMENT: CMD 'state 1'
Oct 27 03:18:27 openvpn 45966 MANAGEMENT: Client disconnected
Can anyone help me?
Hash algorithm is SHA1 (not SHA) for tls-auth configs.
-
I am currently playing with both. My initial idea was to use port forward on my home router not via Client Area. Preferred would be with Eddie client, but I have no idea how to configure it, because routes are created automatically and if I use settings from my previous post routes will be removed and no traffic will go over VPN.
OK, either way (router, or eddie) you must create a port forward rule in the client area on this web site. The servers must know to forward a port to you.
If you use your raspi as openvpn client then you must create some iptables rules I imagine, much like other routers. Though I'm not sure as I've never used one. Anyway, the iptables rules basically tell the OS to forward traffic from the openvpn interface to whatever LAN device. Your ISP router can remain untouched, as the VPN tunnel (between raspi and VPN server) contains all traffic and can't be manipulated by the ISP router anyway.
If using eddie it's easier. Once a rule is created in client area on this web site it should just work for any server listening on the same device that's running eddie. Again, do not touch the ISP router.
Oh, and make sure your server is listening on the port that is setup in the rule you create in client area.
-
Give some more details on what ports you've opened, including if you specified a local port, and what port your game is listening on.
My guess is that you haven't told the game to listen on the port that AirVPN has opened for you.
Furthermore, unless your game can tell your buddies what internet facing port (that of the VPN server) to connect to, it still won't work.
-
I'm confused about your setup. Are you using your RasPi as openvpn client, or Eddie?
-
Much needed for it seems those northeast USA servers are often quite loaded. Thanks!
-
If you connect to a regional domain (e.g. ca.vpn.airdns.org) your IP address may change because you may connect to a different server.
If you specify a single server (e.g. alhena.airservers.org) you'll always get the same internet facing IP address.
The problem is that you now connect to the load balancer. And the load balancer assigns you to a server. The IP address depends on which server it assigns you to. So you cannot control this any more. Unless AirVPN has relented from doing this load balancing? They were (justifiably) pleased about this. So I doubt they have removed it.
https://airvpn.org/topic/28494-tunnel-private-subnet-changed/?p=75305
>... and you can't say in advance which subnet your system will enter because of the load balancing system which "welcomes" the clients and "assigns" them to the OpenVPN daemon running in the less loaded core (at the moment of connection).
The huge convenience of this implementation is that now we can break the previous throughput limits caused by the lack of "parallelization" of OpenVPN.
The Moore's law is being infringed and we can't expect significantly more powerful CPUs (at one core level) for a long time; in computing power advancements we will probably never experience again (at least in our life) the peaks of 1996-1998; it's time to fight the software bloat, but a fully scalable multi-core OpenVPN release is probably not coming out soon; therefore the load balancing we have implemented is an immediate break through.
Kind regards
I added the underline.
I think that's internally a load balancing across CPU cores, not servers. My external IP is consistently what I expect it to be depending on the server I use.
-
If you connect to a regional domain (e.g. ca.vpn.airdns.org) your IP address may change because you may connect to a different server.
If you specify a single server (e.g. alhena.airservers.org) you'll always get the same internet facing IP address.
-
Is this aimed at me??
I’ve been saying this exact stuff re pfsense and tls-crypt since the first gen 2 test server (castor) came online many months ago.
Please don’t act like you discovered something new.
Sent from my BND-L34 using Tapatalk
No. At the OP.
-
I’ve been saying this exact stuff re pfsense and tls-crypt since the first gen 2 test server (castor) came online many months ago.
Please don’t act like you discovered something new.
-
I'm having some trouble getting port forwarding to work for my torrent client (I tried both Deluge on a Raspberry Pi and Transmission on the router). I have set up the incoming port in my torrent client to the same port as I've set in the client area on this website.
While running airVPN on my openWrt router:
- If port forwarding on router is off: port closed according to torrent client
- If port forwarding on router is on: port open according to client
However, on: https://airvpn.org/faq/p2p/ it says:
IMPORTANT: do NOT forward on your router the same ports you use on your Bittorrent or eMule client (or any other listening service) while connected to the VPN. Doing so exposes your system to correlation attacks and potentially causes unencrypted packets to be sent outside the tunnel from your client.
So my understanding is that I should not open the port on the router, so how can I get this to work?
Thanks!
When running the openvpn client from the router you do forward ports on it. See https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/?hl=%2Bdd-wrt+%2Btomato+%2Bport+%2Bforward for details.
-
I have followed the guide and I was able to have my Pfsense box and airvpn always on until this morning when by itself the connection stopped working.
From the Client Area in air vpn I can see the pfsense router is connected with the air server but I have no Air-WAN traffic...
It seems there are issues in the rules but I am unable to find which one might be and what's wrong as I haven't made any change and the problem suddenly appeared.
If anyone might help, it would be great
Have you rebooted your pfsense box? Is there something wrong with the AirVPN server you're trying to connect to?
-
You'll need to post logs for us to help.
-
Fafnir is still here according to status page but Pictor left when this announcement was made. Of course, the other 3 didn't even survive the temporary time.
Is Fafnir going to become permanent?
How To Set Up pfSense 2.3 for AirVPN
in General & Suggestions
Posted ...
It's connected
There's no problem here. That's just pfsense disconnecting from monitoring itself. I get hundreds of those notices. The "initialization sequence completed" is what matters.
If you can't get any traffic through the VPN tunnel then your NAT and/or firewall rules are incorrect.
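The triage described in the post above (management notices are noise, the completion message is what matters), as an added example that is not part of the original post: a small parser for pfSense-style OpenVPN log lines that reports tunnel state and the line preceding a fatal exit. The sample logs are constructed excerpts modelled on the logs quoted on this page.

```python
import re

# pfSense-style line: "<Mon> <day> <hh:mm:ss> openvpn <pid> <message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+openvpn\s+(\d+)\s+(.*)$")


def triage(log_text):
    """Summarise an OpenVPN client log: tunnel state, fatal cause, noise count."""
    state, cause, noise, last_msg = "connecting", None, 0, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("MANAGEMENT:"):
            noise += 1                      # status polling, not a tunnel event
            continue
        if msg.startswith("OpenVPN ") and "built on" in msg:
            state, cause = "connecting", None   # banner: a new process started
        elif "initialization sequence completed" in msg.lower():
            state = "up"
        elif msg.startswith("Exiting due to fatal error"):
            state, cause = "failed", last_msg   # the line before names the cause
        last_msg = msg
    return {"state": state, "cause": cause, "management_noise": noise}


# Constructed sample logs (timestamps and PIDs are illustrative).
BANNER = "openvpn 45966 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 built on Sep 4 2018"
POLL = ["openvpn 45966 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock",
        "openvpn 45966 MANAGEMENT: CMD 'state 1'",
        "openvpn 45966 MANAGEMENT: Client disconnected"]
UP_LOG = "\n".join("Oct 27 03:18:22 " + m for m in
                   [BANNER, "openvpn 45966 Initialization Sequence Completed"] + POLL)
FAILED_LOG = "\n".join("Nov 5 19:29:35 " + m for m in [
    BANNER,
    "openvpn 45966 Insufficient key material or header text not found in file "
    "'/var/etc/openvpn/client1.tls-auth' (0/128/256 bytes found/min/max)",
    "openvpn 45966 Exiting due to fatal error"])
STALLED_LOG = "\n".join("Oct 27 03:18:22 " + m for m in [
    BANNER, "openvpn 45966 UDPv4 link remote: [AF_INET]199.249.230.31:443"] + POLL)

if __name__ == "__main__":
    for name, log in [("up", UP_LOG), ("failed", FAILED_LOG), ("stalled", STALLED_LOG)]:
        print(name, triage(log))
```

A log that ends in the "connecting" state with only management polling after it never completed the handshake, which is a different problem from an "up" tunnel that passes no traffic because of NAT or firewall rules.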