
Posts posted by go558a83nk


  1. 3 hours ago, Mad_Max said:

    Thank you @go558a83nk for your reply.
    So, the i5-5200u is enough to run full time vpn with 100mbps speed?

     

     

    Yes, even the i3 should be plenty.  Just be sure to enable cryptographic hardware here /system_advanced_misc.php and then select that hardware in your openvpn config you create.  Then AES-NI plus whatever else is on the CPU is in use.


  2. You don't need that much ram or storage for pfsense.  You need a good CPU and good network card(s). The celeron j1900 is out due to lacking AES-NI which is very important for running openvpn.  Both have intel network cards so you're good there.


  3. Air has port forwarding which is what you probably need. (I do know some security systems don't require port forwarding for you to be able to monitor them remotely)

     

    However, you'll need to run VPN on a router so that the devices (blue iris) behind the router go through the VPN.  That means buying another router to sit behind your ISP router.

     

    Further steps can be discussed after you decide what to do.


  4. It's just not resolving your remote address in the openvpn config because your DNS server is a private address in AirVPN's network.  Since you're not connected yet, you can't access that private address to resolve the remote host.

     

    There are 2 solutions.

     

    1) Resolve the remote host separately, then put in the IP address of the remote server, not the domain.  This keeps you to the one server.  It won't be some random European server, which is what you may intend.

     

    2) Use a public DNS in your general dd-wrt settings, then make sure that the openvpn client switches the router to VPN DNS upon connection.  If your version of dd-wrt can't do that, then I suggest you find a firmware that does.
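
An added example, not part of the original post: a Python check for the situation described in post 4, plus a helper for solution 1. The config text, host name, addresses and function names are constructed for illustration, and the check assumes a DNS server is reachable before the tunnel is up only if it is a public address or sits on one of the listed LAN subnets.

```python
import ipaddress

# Constructed sample client config; host name and port are placeholders.
SAMPLE_CONFIG = """client
dev tun
proto udp
remote vpn.example.net 443  # entry point given as a host name
; remote old.example.net 443
"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def remote_hosts(config_text):
    """Host argument of every active `remote` directive (commented lines skipped)."""
    hosts = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            hosts.append(parts[1])
    return hosts

def bootstrap_problems(config_text, router_dns, lan_networks):
    """Remote host names that cannot be resolved before the VPN connects."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    for server in router_dns:
        addr = ipaddress.ip_address(server)
        if addr.is_global or any(addr in lan for lan in lans):
            return []  # at least one resolver answers without the tunnel
    return [h for h in remote_hosts(config_text) if not is_ip(h)]

def pin_remotes(config_text, resolved):
    """Solution 1: swap host names for addresses resolved separately beforehand."""
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote" and parts[1] in resolved:
            parts[1] = resolved[parts[1]]
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(bootstrap_problems(SAMPLE_CONFIG, ["10.8.0.1"], ["192.168.1.0/24"]))
```

Pinning the address ties the client to that one server, as the post notes, so the pinned value has to be refreshed by hand if the provider changes it.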


  5.  

    I got to ask, cause I'm lazy to search, can pfsense be installed on this puppy

     

    Sent from my SM-N960U using Tapatalk

    No idea.

     

    But I am curious, can this thing really do OpenVPN at 300Mbps with that CPU?

     

     

    Where are you getting 300mbps from?  Are you reading the wifi standard speed and confusing that with openvpn speed?


  6. If you can use tls-crypt over UDP that will likely give you better speed than TCP.  What port you use is up to you.

     

    You'll need to use the tls-crypt key from a config for entry IP 3 or 4, be sure to use the correct entry IP address too, change the key usage mode to TLS encryption and authentication, and change the auth digest algorithm to SHA512.


  7.  

     

    While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build.

     

    Refer to these threads.

    https://forum.pfsense.org/index.php?topic=128698.15

    https://forum.pfsense.org/index.php?topic=130350.0

     

    It seems that the AES-NI can be turned off since v2.4. In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

     

     

    I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

     

     

    Since it's a netgate (pfsense) it has built in aes-ni into the arm chip. At 349 USD for the base it better support crypto since 2.5 will require it

     

     

    https://www.netgate.com/solutions/pfsense/sg-3100.html  This says nothing about AES-NI.  Unfortunately, I think a lot of people will either be buying new hardware or won't be updating to 2.5.


  8. SSD isn't necessary.  What is necessary is two ethernet ports.  Yes, I'd certainly recommend pfsense on that laptop over a high end router.

     

    As far as wifi AP you just need coverage and speed that you want.  You'll want something that can run in AP mode and not router mode, so that pfsense can handle your network.


  9.  

    If you use another DNS like 1.1.1.1 you also still have some anonymity since you're one of dozens of people using the VPN server.

     

    Could you elaborate on this in detail ? I feel I'm not fully getting your statement...

     

    So if I use 1.1.1.1 as DNS they will see that and then in turn could inquire with AirVPN who that user was at that point in time... ? 

     

    (1) since AirVPN does not store data, there should be no concern, right ?

    (2) and since there will most likely be multiple users using 1.1.1.1 it would be impossible to identify, right... ?

     

    trying to completely understand whether using DNS of 1.1.1.1 is defeating the purpose of using a VPN at all...

     

    Thanks for the info.

     

     

    You seem to understand things properly.


  10. If you're using the AirVPN (Eddie) app then you certainly do *not* want to enable DMZ on your router.  That's a potential security risk.  DMZ is not needed in this case.  In fact, I can't really think of a case where DMZ is needed in conjunction with openvpn.

     

    As to why port forwarding isn't working we'd need more information on your setup.


  11. Thanks for the replies but I'm a little confused now.

     

    Does this mean if I have a permanent connection to a server, via a pfsense box, with say port 1234 forwarded to it and then use the eddie client on a windows machine to make another connection there is a chance the eddie client will pick the same server to connect to as the pfsense box and thus screw up the port forwarding for it or will the eddie client realize I'm already connected to that server and pick any other server but that one?

     

    The reason I ask is because I DON'T want the eddie client to connect to the same server. I want my pfsense box to connect to server A and the eddie client to connect to any other server but server A automatically to avoid any problems. Is this how the system is set up or is there a chance I'll end up with 2 connections being made to the same server?

     

    The easy thing to do is just blacklist (in eddie) the server you don't want to connect to.
