nguvu

pfSense 2.3 multi VPN WAN.

Published 5 March 2016.

Introduction

AirVPN recently introduced the ability to have up to three connections active at any one time. This essentially gives us failover protection should an AirVPN server suffer an outage or experience high latency or packet loss. You don't have to use all three connections in your group; some users, for example, like to keep one AirVPN connection free for mobile devices to connect to.

[Diagram: 3 x VPN WAN connections]

Identify suitable servers

The first thing to do is to select the servers with the lowest latency from your location. You can use ping to establish round-trip times, for example:

$ ping sabik.airvpn.org
PING sabik.airvpn.org (199.241.147.34): 56 data bytes
64 bytes from 199.241.147.34: icmp_seq=0 ttl=55 time=71.383 ms
64 bytes from 199.241.147.34: icmp_seq=1 ttl=55 time=65.201 ms
64 bytes from 199.241.147.34: icmp_seq=2 ttl=55 time=65.332 ms

This technique generated the following table for the USA servers. Don't use my values to select your servers: unless you are in the same location as me they won't be the same and you'll end up with a suboptimal setup.

| Server | Location | IP address | Ping (ms) |
|---|---|---|---|
| Metallah | Pennsylvania | 104.243.24.235 | 15.68 |
| Kaus | Atlanta | 23.82.53.90 | 16.73 |
| Zosma | New York | 23.105.129.218 | 20.66 |
| Pavonis | Chicago | 149.255.33.154 | 21.96 |
| Acamar | Miami | 173.44.55.154 | 27.16 |
| Pollux | Jacksonville | 198.203.28.42 | 28.44 |
| Yildun | Miami | 173.44.55.178 | 29.30 |
| Cursa | Miami | 96.47.229.58 | 30.76 |
| Alkaid | Chicago | 46.21.154.82 | 33.56 |
| Sabik | Los Angeles | 199.241.147.34 | 65.20 |
| Alkes | Los Angeles | 199.241.146.178 | 66.63 |
| Merope | Los Angeles | 199.241.146.162 | 66.75 |
| Heze | Fremont | 46.21.151.106 | 74.77 |
| Persei | Fremont | 94.100.23.162 | 81.44 |
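As an added example (not part of the original post), the following script automates the ping survey used to build the table above: it parses each ping run for average RTT and packet loss, drops any server that lost packets, and ranks the rest by latency. It assumes a POSIX sh with awk and a BSD/macOS or GNU/Linux ping that accepts -c; the hostnames are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: rank candidate VPN servers by
# ping latency. Assumes POSIX sh, awk, and a ping that accepts -c.

# parse_ping: read one ping run on stdin, print "<avg_rtt_ms> <loss_pct>".
# Handles both the BSD/macOS summary ("round-trip min/avg/max/stddev = ...")
# and the GNU/Linux one ("rtt min/avg/max/mdev = ..."). A run with no
# summary line (unresolvable host, ping killed) is reported as unreachable
# with 100% loss.
parse_ping() {
    awk '
        BEGIN { loss = 100 }
        /packet loss/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) }
        }
        /min\/avg\/max/ { split($4, f, "/"); avg = f[2] }
        END {
            if (avg == "") avg = "unreachable"
            print avg, loss + 0
        }
    '
}

# rank_servers: ping every hostname given as an argument PING_COUNT times
# (default 5) and print the reachable, loss-free ones sorted by average RTT.
# Servers that dropped packets are reported on stderr and left out, since a
# lossy path is a poor choice even when its average RTT looks good.
rank_servers() {
    count=${PING_COUNT:-5}
    for host in "$@"; do
        ping -c "$count" "$host" 2>/dev/null | parse_ping |
        while read -r avg loss; do
            if [ "$avg" = "unreachable" ] || [ "$loss" != "0" ]; then
                printf '%s: skipped (loss %s%%)\n' "$host" "$loss" >&2
            else
                printf '%s %s\n' "$avg" "$host"
            fi
        done
    done | sort -n | awk '{ printf "%-28s %8.2f ms\n", $2, $1 }'
}

# Usage: rank_servers metallah.airvpn.org kaus.airvpn.org zosma.airvpn.org
```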

Create VPN connections

The first stage is to create three individual VPN connections to different AirVPN servers. To avoid routing complications each will use a different connection method (port). We'll stick to UDP connections as these offer better performance than TCP connections.

| Connection | Server | Server IP | Port & Protocol | Tunnel IP | DNS |
|---|---|---|---|---|---|
| 1 | Metallah | 104.243.24.235 | 443, UDP | 10.4.x.x | 10.4.0.1 |
| 2 | Kaus | 23.82.53.90 | 80, UDP | 10.6.x.x | 10.6.0.1 |
| 3 | Zosma | 23.105.129.218 | 53, UDP | 10.8.x.x | 10.8.0.1 |

Create the first OpenVPN connection

If you followed my pfSense foundation guide and already have a working system with a single OpenVPN connection, skip this step and head on to creating the second connection; otherwise:

Navigate to VPN > OpenVPN > Client

[Screenshots: General Information, User Authentication Settings, Cryptographic settings and Tunnel Settings sections]

Advanced Configuration

Paste the following into the advanced box

client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;bcast-buffers 4096;fast-io;mlock;keepalive 5 30;prng sha512 64;

Create the second OpenVPN connection

Navigate to VPN > OpenVPN > Client

[Screenshots: User Authentication Settings, Cryptographic settings and Tunnel Settings sections]

Advanced Configuration

Paste the following into the advanced box

client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;bcast-buffers 4096;fast-io;mlock;keepalive 5 30;prng sha512 64;

Create the third OpenVPN connection

Navigate to VPN > OpenVPN > Client

[Screenshots: User Authentication Settings, Cryptographic settings and Tunnel Settings sections]

Advanced Configuration

Paste the following into the advanced box

client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;bcast-buffers 4096;fast-io;mlock;keepalive 5 30;prng sha512 64;

Your OpenVPN client page should look like this when you have finished:

[Screenshot: VPN Connections]

Create VPN interfaces

Navigate to Interfaces > Assign

Under Available network ports, highlight the second OpenVPN interface, ovpnc2 (AirVPN client), and click Add.

Click the OPTx label to edit this interface and set it up as follows:

Navigate to Interfaces > Assign again

Under Available network ports, highlight the third OpenVPN interface, ovpnc3 (AirVPN client), and click Add.

Click the OPTx label to edit this interface and set it up as follows:

Navigate back to Interfaces > Assign and verify your settings look something like those highlighted below.

[Screenshot: VPN Connections]

Create Gateways

Now that we've got interfaces created for our VPN connections, we can create the associated WAN gateways.

Create second VPN connection gateway

Navigate to System > Routing

Click the 'Copy Gateway' icon next to the VPN2_WAN_VPNV4 gateway and edit the parameters to those below:

Name = VPN2_WAN
Monitor IP = 10.6.0.1
Description = Interface VPN2_WAN Gateway
Save & Apply

Create third VPN connection gateway

Navigate to System > Routing

Click the 'Copy Gateway' icon next to the VPN3_WAN_VPNV4 gateway and edit the parameters to those below:

Name = VPN3_WAN
Monitor IP = 10.8.0.1
Description = Interface VPN3_WAN Gateway
Save & Apply

Verify that you have three VPN_WAN gateways and that the default gateway is still WAN_DHCP, as below.

[Screenshot: VPN Gateways]

Create NAT rules

We'll now create the rules which enable traffic on the second and third OpenVPN interfaces to reach the internet's public address space. If you followed my previous foundation guide you will already have a VL20_VPN to VPN_WAN rule. We'll build on this to create the NAT rules for the second and third interfaces.

Create the VPN2_WAN NAT rule

Navigate to Firewall > NAT

Click 'Add↴' and set up the new NAT rule as follows:

[Screenshot: Advanced Outbound NAT entry, Translation and Misc sections]

Create the VPN3_WAN NAT rule

Click 'Add↴' and set up the new NAT rule as follows:

[Screenshot: Advanced Outbound NAT entry, Translation and Misc sections]

[Screenshot: VPN NAT rules]

Create Firewall rules

We’ll now create the rules which block and log unauthorised inbound traffic. If you followed my previous foundation guide you will already have a set of rules associated with the VPN_WAN interface. We’ll duplicate these for the second and third VPN interfaces.

VPN2_WAN rules

Navigate to Firewall > Rules > VPN2_WAN and create the following rules:

A rule to block and log IPv4 traffic

and a rule to block IPv6 traffic

VPN3_WAN rules

Navigate to Firewall > Rules > VPN3_WAN and create the following rules:

A rule to block and log IPv4 traffic

and a rule to block IPv6 traffic

Your VPN2_WAN and VPN3_WAN interfaces should look something like this when done.

[Screenshot: VPN2_WAN FW Rules]

Update DNS servers

Besides the DNS server for the UDP port 443 connection (10.4.0.1), we now need to add the associated servers for the other gateways, i.e. 10.6.0.1 for the UDP 80 connection and 10.8.0.1 for the UDP 53 connection.

Navigate to System > General Setup

Add the following servers to the DNS Server list:

Your DNS Server settings should now look like this:

[Screenshot: VPN DNS Server]

Now navigate to Services > DNS Resolver.

In the Outgoing Network Interfaces selection, ensure VPN_WAN, VPN2_WAN and VPN3_WAN are selected.

[Screenshot: VPN DNS Resolver]

Create Routing group

We now need to bundle the three individual OpenVPN connections into one gateway group that pfSense can load balance across, and from which it can drop a member if there are any problems.

Navigate to System > Routing > Gateway Groups

Verify your gateway group looks like this when complete:

[Screenshot: VPN Gateway group]

Update VL20_VPN firewall rule

We now need to update the VL20_VPN firewall rule to route VPN traffic out of the gateway group rather than the previous single VPN_WAN gateway.

Navigate to Firewall > Rules > VL20_VPN

Verify your revised rule looks like this when complete:

[Screenshot: VL20 Firewall rule]

Verify functionality and performance

First of all, let's check that all of the DNS servers are working correctly.

Navigate to Diagnostics > DNS

You should observe results from each of the three DNS servers we configured.

[Screenshot: Multi-wan DNS lookup]

You can also view the statistics of the three VPN gateways by navigating to Status > Gateways; this displays ping times and packet loss statistics. If a gateway's packet loss rises above 20% it will be dropped from the group.

[Screenshot: Status > Gateways]

It's also useful to add a dashboard widget to summarise this information on the pfSense homepage, using the Add Widget icon.

[Screenshot: gateways dashboard widget]

And here's the traffic being distributed across all three VPN connections.

[Screenshot: Multi-wan traffic]