nguvu

pfSense multi VPN WAN.

Last revised 21 November 2017.

Introduction

AirVPN supports up to three simultaneous VPN connections per account. This allows some failover protection should an AirVPN server suffer an outage or experience high latency or packet loss.

3 * VPN WAN Connections

Identify suitable servers

The first thing to do is to select the servers with the lowest latency from your location. You can use ping to establish round-trip times, for example:

$ ping -c 3 sabik.airvpn.org
PING sabik.airvpn.org (199.241.147.34): 56 data bytes
64 bytes from 199.241.147.34: icmp_seq=0 ttl=51 time=40.013 ms
64 bytes from 199.241.147.34: icmp_seq=1 ttl=51 time=25.806 ms
64 bytes from 199.241.147.34: icmp_seq=2 ttl=51 time=37.330 ms

--- sabik.airvpn.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 25.806/34.383/40.013/6.163 ms

This technique generated the following table for the USA servers. Don’t use my values to select your specific servers: unless you are in the same location as me they won’t be the same and you’ll end up with a suboptimal setup. I’d also recommend not selecting three servers in the same data center, since if that data center’s connection goes down all three VPN servers are likely to go offline.

Server Location IP address Ping (ms)
Merope Los Angeles 199.241.146.162 21.334
Alkes Los Angeles 199.241.146.178 24.633
Persei Fremont 94.100.23.162 27.671
Sabik Los Angeles 199.241.147.34 34.383
Heze Fremont 46.21.151.106 43.066
Chamaeleon Dallas 199.249.230.41 56.46
Azha Atlanta 104.129.24.186 64.731
Alberio Atlanta 104.129.24.178 66.018
Draco Dallas 64.120.63.90 76.003
Alkaid Chicago 46.21.154.82 84.540
Aquarius Chicago 173.234.62.154 90.624
Pavonis Chicago 149.255.33.154 93.368
Pollux Jacksonville 198.203.28.42 94.217
Metallah Pennsylvania 104.243.24.235 98.978
Yildun Miami 173.44.55.178 110.120
Cursa Miami 96.47.229.58 112.890
Acamar Miami 173.44.55.154 119.834
Miaplacidus Newark 173.234.159.194 142.167
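The server selection step above, automated as a POSIX shell script. This is an added example, not part of the original guide; the candidate hostnames are assumptions modelled on the guide’s sabik.airvpn.org, and the parser handles both the BSD ping summary shown above and the Linux variant, treating servers with no reply as unusable.

```shell
#!/bin/sh
# Added example (not from the original guide): rank candidate AirVPN
# servers by average ping time, as the "Identify suitable servers"
# step does by hand. Hostnames are assumptions; adjust for your region.
CANDIDATES="merope.airvpn.org alkes.airvpn.org persei.airvpn.org sabik.airvpn.org"

# Constructed sample output matching the guide's ping run, used for a
# self-check without touching the network.
SAMPLE_PING='PING sabik.airvpn.org (199.241.147.34): 56 data bytes
64 bytes from 199.241.147.34: icmp_seq=0 ttl=51 time=40.013 ms
64 bytes from 199.241.147.34: icmp_seq=1 ttl=51 time=25.806 ms
64 bytes from 199.241.147.34: icmp_seq=2 ttl=51 time=37.330 ms

--- sabik.airvpn.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 25.806/34.383/40.013/6.163 ms'

# avg_rtt: read ping output on stdin, print the average RTT in ms.
# Works for BSD "round-trip min/avg/max/stddev" and Linux "rtt min/avg/max/mdev".
# Prints nothing when no summary line exists (host never answered).
avg_rtt() {
    sed -n 's|.*min/avg/max[^=]*= [0-9.]*/\([0-9.]*\)/.*|\1|p'
}

# loss_pct: read ping output on stdin, print the packet-loss percentage.
loss_pct() {
    sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p'
}

# probe_host: ping one host three times; emit "avg_ms host", or a large
# sentinel so unreachable hosts sort to the bottom of the ranking.
probe_host() {
    out=$(ping -c 3 "$1" 2>/dev/null)
    avg=$(printf '%s\n' "$out" | avg_rtt)
    loss=$(printf '%s\n' "$out" | loss_pct)
    if [ -z "$avg" ] || [ "${loss%.*}" -ge 100 ]; then
        echo "99999 $1 (unreachable)"
    else
        echo "$avg $1"
    fi
}

# rank_servers: probe every candidate and sort by RTT, lowest first; the
# top three entries (ideally in different data centers) are your tunnels.
rank_servers() {
    for h in $CANDIDATES; do probe_host "$h"; done | sort -n
}

# Self-check helpers run the parsers over the constructed sample.
sample_avg()  { printf '%s\n' "$SAMPLE_PING" | avg_rtt; }
sample_loss() { printf '%s\n' "$SAMPLE_PING" | loss_pct; }

# Live probes only when explicitly requested: RUN_PROBES=1 ./rank_airvpn.sh
[ "${RUN_PROBES:-0}" = 1 ] && rank_servers
```

Run with RUN_PROBES=1 to ping the candidates; without it the script only defines the functions and parses the embedded sample.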

Create VPN connections

The first stage is to create three individual VPN connections to different AirVPN servers. To avoid routing complications, each will use a different connection method (a different port, and hence a different tunnel subnet, as in the table below). We’ll stick to UDP connections as these offer greater performance than TCP connections.

Connection Server Location IP address Port & Protocol Tunnel IP DNS
1 Merope Los Angeles 199.241.146.162 443, UDP 10.4.x.x 10.4.0.1
2 Persei Fremont 94.100.23.162 80, UDP 10.6.x.x 10.6.0.1
3 Azha Atlanta 104.129.24.186 2018, UDP 10.8.x.x 10.8.0.1

Create the first OpenVPN connection

If you followed my pfSense baseline guide here and already have a working system with a single working OpenVPN connection, skip this step and head on to creating the second connection; otherwise, let’s create the first OpenVPN connection.

Navigate to VPN > OpenVPN and select Clients

General Information

User Authentication Settings

Cryptographic settings

Tunnel Settings

Advanced Configuration

Create the second OpenVPN connection

Navigate to VPN > OpenVPN and select Clients

General Information

User Authentication Settings

Cryptographic settings

Tunnel Settings

Advanced Configuration

Create the third OpenVPN connection

Navigate to VPN > OpenVPN and select Clients

General Information

User Authentication Settings

Cryptographic settings

Tunnel Settings

Advanced Configuration

Your three VPN connections should be displayed as follows:

VPN Connections

Create VPN interfaces

Navigate to Interfaces > Assignments

This is optional, but it makes for tidier displays as we add further gateways: let’s rename VPN_WAN to VPN1_WAN.

Click on VPN_WAN to edit the interface and set

Navigate back to Interfaces > Assignments, and under available network ports highlight the second OpenVPN interface, ovpnc2 (AirVPN client), and click add.

Click the OPTx label to edit this interface and set it up as follows

Navigate to Interfaces > Assign again

Under available network ports, highlight the third OpenVPN interface, ovpnc3 (AirVPN client), and click add.

Click the OPTx label to edit this interface and set it up as follows

Navigate back to Interfaces > Assign and verify your settings look something like those highlighted below.

VPN Interfaces

Create Gateways

Now we’ve got interfaces created for our VPN connections, we can create the associated WAN gateways.

Create first VPN connection gateway

Navigate to System > Routing

Click the ‘Copy Gateway’ icon next to the VPN1_WAN_VPNV4 gateway and edit the parameters to match those below:

Interface = VPN1_WAN
Address Family = IPv4
Name = VPN1_WAN
Gateway = dynamic
Default Gateway =
Gateway Monitoring =
Gateway Action =
Monitor IP =
Force State =
Description = Interface VPN1_WAN Gateway
Save & Apply

Create second VPN connection gateway

Click the ‘Copy Gateway’ icon next to the VPN2_WAN_VPNV4 gateway and edit the parameters to match those below:

Interface = VPN2_WAN
Address Family = IPv4
Name = VPN2_WAN
Gateway = dynamic
Default Gateway =
Gateway Monitoring =
Gateway Action =
Monitor IP =
Force State =
Description = Interface VPN2_WAN Gateway
Save & Apply

Create third VPN connection gateway

Navigate to System > Routing

Click the ‘Copy Gateway’ icon next to the VPN3_WAN_VPNV4 gateway and edit the parameters to match those below:

Interface = VPN3_WAN
Address Family = IPv4
Name = VPN3_WAN
Gateway = dynamic
Default Gateway =
Gateway Monitoring =
Gateway Action =
Monitor IP =
Force State =
Description = Interface VPN3_WAN Gateway
Save & Apply

Verify that you have three VPN WAN gateways and that the default gateway is still WAN_DHCP, as shown below.

VPN Gateways

Create NAT rules

We’ll now create the rules which enable traffic on the second and third OpenVPN interfaces to reach the internet’s public address space. If you followed my pfSense baseline configuration guide you will already have a VL20_VPN to VPN1_WAN rule. We’ll build on this to create the NAT rules for the second and third interfaces.

Create the VPN2_WAN NAT rule

Navigate to Firewall > NAT and select Outbound

Click ‘Add↴’ and setup the new NAT rule as follows:

Advanced Outbound NAT entry

Translation

Misc

Create the VPN3_WAN NAT rule

Click ‘Add↴’ and setup the new NAT rule as follows:

Advanced Outbound NAT entry

Translation

Misc

VPN NAT

Create Firewall rules

We’ll now create the rules which block and log unauthorised inbound traffic. If you followed my previous foundation guide you will already have a set of rules associated with the VPN1_WAN interface. We’ll duplicate these for the second and third VPN interfaces.

VPN2_WAN rules

Navigate to Firewall > Rules > VPN2_WAN and create the following rules:

A rule to block and log IPv4 traffic

and a rule to block IPv6 traffic

VPN3_WAN rules

Navigate to Firewall > Rules > VPN3_WAN and create the following rules:

A rule to block and log IPv4 traffic

and a rule to block IPv6 traffic

Your VPN2_WAN & VPN3_WAN interfaces should look like this when done.

VPN2_WAN firewall

Update DNS servers

To enable these additional VPN connections for DNS resolution, edit the DNS Resolver’s outgoing network interfaces setting.

Navigate to Services > DNS Resolver

In the outgoing interface selection, ensure that VPN1_WAN, VPN2_WAN and VPN3_WAN are all selected.

VPN DNS

Create Routing group

We now need to bundle the three individual OpenVPN connections into one gateway group that pfSense can load balance across, and from which it can drop any member that develops problems.

Navigate to System > Routing > Gateway Groups

This is what it will look like before hitting Save

VPN gateway group

and the summary page after hitting Save

VPN gateway group summary

Update VL20_VPN firewall rule

We now need to update the VL20_VPN firewall rule to send VPN traffic out of the gateway group rather than the previous single VPN WAN gateway.

Navigate to Firewall > Rules > VL20_VPN

Verify that your revised rule looks like this when complete:

VL20_VPN firewall rules

Sticky connections

Without this enabled, traffic will round-robin across the gateways, which is good for load balancing but can cause problems with sites that don’t handle your traffic appearing from numerous source IP addresses. Enabling sticky connections resolves these issues.

Navigate to System > Advanced > Miscellaneous

Load Balancing =
Source tracking timeout = 0
Default gateway switching =

Verify functionality and performance

You can also view the statistics of the three VPN gateways by navigating to Status > Gateways; this displays ping times and packet loss statistics. If a gateway’s packet loss rises above 20%, the gateway will be dropped from the group.

Gateway status

It’s also useful to add a dashboard widget to summarise this info on the pfSense homepage, using the add widget icon.

And here’s the traffic being distributed across all three VPN connections.

Gateway traffic widget

Verify DNS results and leak test

Open a browser and head over to DNSLeaktest.com.

It’s worth running an extended test on each subnet to verify functionality. If you find the test doesn’t start correctly, disable ‘Experimental Bit 0x20 Support’ under the DNS Resolver’s advanced settings and try again.

My VL20_VPN subnet is displaying a DNS server per VPN connection, and isn’t leaking any additional details.

VL20_VPN DNS Test

Changelog

21 November 2017
Fixed DNSLeakTest link

5 September 2017
Fixed naming error in server ping table