Howto: Set up AnonVPN.io in pfSense 2.4.4
Keywords—Virtual Private Network, pfSense, AnonVPN.io
I. Import the CA and Certificate
While the AnonVPN promises no logs, as with any VPN service, you have no real way of knowing. Additionally, this service lacks features that more established services offer like:kill switch, complete set up guides, full featured applications for android/iOS, higher encryption ciphers, etc. But if you got in on a 'lifetime' subscription or just want to protect your WiFi on untrusted networks, this service will do the job.
A. Certificate Authority
Head over to 'System' -> 'Cert. Manager'. In the 'Method' drop down, select 'Import an Existing Certificate Authority'. Copy and paste the AnonVPN CA into the 'Certificate Data' text box. Finally, enter a descriptive name such as 'AnonVPN.io CA' or whatever you want. See Figure 1.
B. Import the Certificate and Private Key
While still in 'Cert. Manager', click on the 'Certificates' tab. Copy and paste the AnonVPN.io Certificate in the 'Certificate Data' text box. Do the same for the AnonVPN.io Private Key but paste that into the 'Private Key Data' text box. See Figure 2.
II. Create the VPN tunnel
A. Server IP Address and Port
Head over to 'VPN' -> 'OpenVPN'. Click the 'Clients' tab and then 'Add' in the lower right corner. The first 6 items can be left to their default. For 'Server host or address', enter the IP address of the server you want to connect to. Here is XML file the Windows app uses. Next, change the 'Server port' to one of the following: 8080, 443 or 80. Lastly, put in a 'Description' for this tunnel. See Figure 3.
Fig 1. The AnonVPN CA successfully imported.
Fig 2. The certificate successfully imported.
Fig 3. Server IP and Port
B. Authentication Settings
Scroll down a bit and enter your AnonVPN username and password. Be sure to append 'anonvpn-' to your email address so it looks like 'email@example.com' or else authentication will fail.. See Figure 4.
C. Crypto Settings
Uncheck 'Use a TLS key'. Then, use the dropdown for 'Peer Certificate Authority' to select the CA you created earlier. Do the same for the 'Client Certificate' drop down but be be sure to select the certificate.Ensure that the 'Encryption Algorithm' is set to 'AES-128-CBC (128-bit-key, 128-bit-block)'. Uncheck 'Enable NCP'. In the 'Auth Digest Algorithm' select 'SHA-1 (160-bit)'. And finally, if your CPU is capable and set up, select the correct option under 'Hardware Crypto', although set up is not covered in this article. See Figure 5.
D. Tunnel Settings
The only thing that probably needs to be changed is under 'Compression' which should be set to 'LZO Compression[compress lzo, equivalent to comp-lzo, yes for compatibility]'. You can also bar the client from pulling any routes or adding any routes to the routing table (unchecked by default), in case you are doing split tunneling. See Figure 6.
Fig 4. Authentication Settings
Fig 5. Cryptographic Settings
Figure 6. Tunnel Settings
E. Advanced Settings
Under 'Custom options' enter the following on separate lines: 'tun-mtu 1500' and 'mssfix 1450'. Optionally you can check 'Use fast I/O operations with UDP writes to tun/tap. Experimental.' under 'UDP Fast I/O' -- I have had no problems with this option and I generally get full speed out of the tunnel. Under 'Send/Receive Buffer', leave this at default, but I usually select '512 KiB'. Under 'Gateway creation', select 'IPv4 only'. Under 'Verbosity level' select '3 (recommended)'. And lastly, click 'Save'. See Figure 7.
III. Test the VPN tunnel
A. Check the log to ensure Initialization is complete.
Head over to 'Status' -> 'System Logs' -> and then select the 'OpenVPN' tab. Towards the bottom you should see 'Initialization Sequence Complete'. If you see anything else, especially anything that looks like crypto errors, double check the settings as outlined in section II, subheading E. You can also go to 'Status' -> 'OpenVPN' and you should see the tunnel. See Figure 8.
Fig 7. Advanced Configuration
Fig 8. Tunnel Status
IV. Outbound Network Address Translation Settings.
For you to be able to route traffic over the VPN from your internal network, you will have to set up the Outbound NAT rules. Go to 'Firewall' -> 'NAT' -> 'Outbound'. Change the 'Outbound NAT mode' to 'Manual Outbound NAT rule generation' and save. Under the action column to the far right, click on the copy button for each of the Outbound NAT rules, but change the 'Interface' to 'OpenVPN'. Save each rule.
In conclusion, this guide showed you how to set up a VPN tunnel to the AnonVPN.io service and setting up basic outbound NAT rules. If you want to have a more complex set up, you can always do split tunneling. For example you can have certain hosts route their traffic over the VPN and other traffic go out over the WAN connection.
About me: I am an IT professional who is passionate about technology and it's uses to propel people to their potential. I would love to talk to you!