Howto: Set up AnonVPN.io in pfSense 2.4.4

October 10, 2019

Abstract— AnonVPN.io is similar to many other Virtual Private Network (VPN) services. The aim is to increase privacy: any server or service on the internet sees the VPN server's exit IP rather than yours, and because many users usually share that one exit IP, it becomes harder to track individuals. In addition, the user is protected by the VPN's network security measures such as client isolation, NAT and packet filtering. Bear in mind that the provider is then in the position your ISP was in, since it sees every packet you send through the tunnel. Not all VPN services are equal, so read the privacy policy to get an idea of what information they claim to collect and store, and what they claim not to. It should go without saying, but don't use a VPN service to do anything illegal. And finally, there are no instructions on the 'net on how to set this up in pfSense, hence this article.

 

Keywords—Virtual Private Network, pfSense, AnonVPN.io

 

I.     Import the CA and Certificate

 

A. Introduction

          While AnonVPN promises no logs, as with any VPN service you have no real way of verifying that. Additionally, this service lacks features that more established services offer, like a kill switch, complete set-up guides, full-featured Android/iOS applications, stronger cipher suites, etc. But if you got in on a 'lifetime' subscription or just want to protect your WiFi on untrusted networks, this service will do the job.

 

B. Certificate Authority

          Head over to 'System' -> 'Cert. Manager'. On the 'CAs' tab, click 'Add'. In the 'Method' drop down, select 'Import an Existing Certificate Authority'. Copy and paste the AnonVPN CA (the PEM block from '-----BEGIN CERTIFICATE-----' to '-----END CERTIFICATE-----') into the 'Certificate Data' text box. Finally, enter a descriptive name such as 'AnonVPN.io CA' or whatever you want, and save. See Figure 1.

 

 

C. Import the Certificate and Private Key

         While still in 'Cert. Manager', click on the 'Certificates' tab, click 'Add' and select 'Import an existing Certificate' as the 'Method'. Copy and paste the AnonVPN.io certificate into the 'Certificate Data' text box. Do the same for the AnonVPN.io private key, but paste that into the 'Private Key Data' text box. Give it a descriptive name and save. See Figure 2.
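Before pasting the three PEM blobs into pfSense, it is worth confirming on a workstation that they actually belong together: that the client certificate chains to the CA you are about to trust, that the private key is the key of that certificate, and that nothing has expired. The script below is an added example (not code from the original post or from AnonVPN.io). It assumes the openssl command line tool is installed; `make_fixture` generates a throwaway CA and client pair, labelled as constructed, purely so the check can be exercised offline in place of the real provider material.

```shell
#!/bin/sh
# Added example: sanity-check VPN certificate material before importing it
# into pfSense. Assumes the openssl CLI is installed. File names are whatever
# you saved the provider's blobs as; they are arguments, not fixed names.
#
# check_vpn_material CA.crt CLIENT.crt CLIENT.key
#   returns 0 and prints the CA subject/fingerprint when everything fits,
#   1 if the client cert does not chain to the CA (wrong or truncated CA),
#   2 if the private key is not the key of the client cert,
#   3 if the client cert has already expired.
check_vpn_material() {
  ca="$1"; crt="$2"; key="$3"

  # 1. Does the client cert chain to the CA you are about to trust?
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "client certificate does not chain to CA" >&2; return 1; }

  # 2. Does the private key belong to this cert? Compare the public keys.
  pub_from_cert=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$pub_from_cert" = "$pub_from_key" ] \
    || { echo "private key does not match client certificate" >&2; return 2; }

  # 3. Not expired? (-checkend 0 fails when notAfter is already in the past)
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "client certificate has expired" >&2; return 3; }

  # 4. Print what pfSense will show after the import so you can compare.
  openssl x509 -in "$ca" -noout -subject -enddate -fingerprint -sha256
}

# Constructed fixture (NOT AnonVPN.io's real material): a throwaway CA, a
# client cert signed by it, and an unrelated key to exercise the mismatch path.
make_fixture() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example VPN CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/client.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=unrelated" \
    -keyout "$d/other.key" -out "$d/other.csr" >/dev/null 2>&1
}
```

Run it as `check_vpn_material ca.crt client.crt client.key` with the files you saved from the provider; a non-zero exit tells you which of the three blobs to re-copy before you spend time debugging the tunnel itself. The fingerprint it prints should match the one pfSense shows in the CAs tab after the import.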

 

II.     Create the VPN tunnel

 

A. Server IP Address and Port

          Head over to 'VPN' -> 'OpenVPN'. Click the 'Clients' tab and then 'Add' in the lower right corner. The first 6 items can be left at their defaults. For 'Server host or address', enter the IP address of the server you want to connect to; the XML file the Windows app uses contains the server list. Next, change the 'Server port' to one of the following: 8080, 443 or 80. Lastly, put in a 'Description' for this tunnel. See Figure 3.

 

Fig 1. The AnonVPN CA successfully imported.

 

Fig 2. The certificate successfully imported. 

 

 Fig 3. Server IP and Port

 

 

B. Authentication Settings

          Scroll down a bit and enter your AnonVPN username and password. Be sure to prefix your email address with 'anonvpn-' so it looks like 'anonvpn-someguy@someemail.xyz', or else authentication will fail. See Figure 4.

 

C. Crypto Settings

          Uncheck 'Use a TLS key'; the provider does not use a tls-auth key, so leaving it on makes the handshake fail. Then use the 'Peer Certificate Authority' drop down to select the CA you imported earlier, and the 'Client Certificate' drop down to select the certificate you imported. Ensure that the 'Encryption Algorithm' is set to 'AES-128-CBC (128-bit-key, 128-bit-block)'. Uncheck 'Enable NCP', otherwise pfSense tries to negotiate a cipher the server does not offer. In 'Auth Digest Algorithm' select 'SHA-1 (160-bit)'. And finally, if your CPU is capable and set up, select the correct option under 'Hardware Crypto', although that set-up is not covered in this article. See Figure 5.

 

D. Tunnel Settings

          The only thing that probably needs to be changed is 'Compression', which should be set to 'LZO Compression [compress lzo, equivalent to comp-lzo, yes for compatibility]'. This is purely for compatibility with the server: compressing data before encrypting it is what the VORACLE attack on OpenVPN exploits, so leave compression off with any provider that does not require it. You can also bar the client from pulling routes or adding routes to the routing table (both unchecked by default), in case you are doing split tunneling. See Figure 6.

 

 Fig 4. Authentication Settings

 

 Fig 5. Cryptographic Settings

 

 Fig 6. Tunnel Settings

 

E. Advanced Settings

          Under 'Custom options' enter the following on separate lines: 'tun-mtu 1500' and 'mssfix 1450'. Optionally you can check 'Use fast I/O operations with UDP writes to tun/tap. Experimental.' under 'UDP Fast I/O'; I have had no problems with this option and I generally get full speed out of the tunnel. Under 'Send/Receive Buffer', leave this at default, but I usually select '512 KiB'. Under 'Gateway creation', select 'IPv4 only'. Under 'Verbosity level' select '3 (recommended)'. And lastly, click 'Save'. See Figure 7.

 

III.     Test the VPN tunnel

 

A. Check the log to ensure Initialization is complete. 

          Head over to 'Status' -> 'System Logs' and then select the 'OpenVPN' tab. Towards the bottom you should see 'Initialization Sequence Complete'. If you see anything else, especially anything that looks like a crypto error, double check the settings as outlined in section II, subheading C. You can also go to 'Status' -> 'OpenVPN' and you should see the tunnel, its virtual address and the bytes sent and received. See Figure 8.
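The log is the quickest way to tell which of the settings from section II is wrong, because each mistake produces a recognisable OpenVPN message. The script below is an added example, not part of the original post: it reads a client log (the pfSense OpenVPN log tab, or a copy of it saved to a file) and prints one word naming the setting to revisit. The message texts are OpenVPN's own; the mapping to sections of this guide, and the sample logs, are constructed here and were not captured from AnonVPN.io.

```shell
#!/bin/sh
# Added example: classify an OpenVPN client log (pfSense: Status -> System Logs
# -> OpenVPN) into the setting that usually needs fixing. Prints one word.
# Reads the file given as $1, or stdin when no argument is given.
diagnose_openvpn_log() {
  log=$(cat "${1:--}")
  case "$log" in
    *"Initialization Sequence Complete"*) echo ok ;;        # tunnel is up
    *AUTH_FAILED*)                        echo auth ;;      # II.B: 'anonvpn-' prefix or password
    *"VERIFY ERROR"*)                     echo ca ;;        # I / II.C: wrong Peer CA or certificate
    *"cipher final failed"*|*"HMAC authentication failed"*|*"'cipher' is used inconsistently"*|*"'auth' is used inconsistently"*)
                                          echo crypto ;;    # II.C: AES-128-CBC, SHA-1, NCP off
    *"Bad LZO decompression"*|*"'comp-lzo' is present in remote config"*)
                                          echo compress ;;  # II.D: LZO compression
    *"TLS Error"*|*"TLS handshake failed"*)
                                          echo tls ;;       # II.A host/port, or 'Use a TLS key' left on
    *)                                    echo unknown ;;
  esac
}

# Constructed sample logs (not captured from a real session), trimmed to the
# lines that matter. Real lines carry a timestamp and the openvpn pid in front.
SAMPLE_OK="TLS: Initial packet from [AF_INET]203.0.113.10:443
VERIFY OK: depth=1, CN=Example VPN CA
Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Initialization Sequence Complete"
SAMPLE_AUTH="AUTH: Received control message: AUTH_FAILED
SIGUSR1[soft,auth-failure] received, process restarting"
SAMPLE_CA="VERIFY ERROR: depth=1, error=unable to get local issuer certificate
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed"
SAMPLE_CRYPTO="WARNING: 'cipher' is used inconsistently, local='AES-256-CBC', remote='AES-128-CBC'
Authenticate/Decrypt packet error: cipher final failed"
SAMPLE_COMPRESS="WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Bad LZO decompression header byte: 69"
SAMPLE_TLS="TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed"
```

Note the ordering of the patterns: a certificate problem also produces a generic 'TLS handshake failed', so the more specific 'VERIFY ERROR' is matched first; a bare 'TLS Error' with nothing else usually means the server IP or port is wrong, or the TLS key option is still enabled.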

 

 Fig 7. Advanced Configuration 

 

 Fig 8. Tunnel Status

 

IV. Outbound Network Address Translation Settings.

 

          For you to be able to route traffic over the VPN from your internal network, you will have to set up the Outbound NAT rules. Go to 'Firewall' -> 'NAT' -> 'Outbound'. Change the 'Outbound NAT mode' to 'Manual Outbound NAT rule generation' and save; pfSense then shows the rules it had been generating automatically for the WAN. Under the action column to the far right, click the copy button for each of those Outbound NAT rules, change the 'Interface' of the copy to 'OpenVPN', and save each rule. Without a matching rule on the OpenVPN interface, packets from that network enter the tunnel with their private source address and the replies never come back. Afterwards, verify from a LAN host that the address the internet now sees for you is the VPN exit, not your WAN address.
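The copy step is easy to get half-done when there are several internal networks. The script below is an added example, not from the original post: run on the pfSense box itself (Diagnostics -> Command Prompt, or SSH), it reads the rules the packet filter actually loaded and lists every source network that has an outbound NAT rule on the WAN but none on the OpenVPN client interface. The interface names `em0` and `ovpnc1` and the sample rule set are assumptions made for the example; check yours with `ifconfig`.

```shell
#!/bin/sh
# Added example: confirm that every source network NATed on the WAN is also
# NATed on the OpenVPN client interface.
# Usage on pfSense:  pfctl -s nat | nat_gaps - em0 ovpnc1
# Prints the networks still lacking an OpenVPN rule, one per line; no output
# means the copy step is complete. Interface names are examples (ovpncN is the
# OpenVPN client interface pfSense creates, em0 a typical WAN NIC).
nat_gaps() {
  src="${1:--}"; wan="${2:-em0}"; vpn="${3:-ovpnc1}"
  cat "$src" | awk -v wan="$wan" -v vpn="$vpn" '
    # pfctl prints each rule as: nat on <if> inet from <net> to <dst> -> <target> ...
    $1 == "nat" && $2 == "on" && $5 == "from" { seen[$3, $6] = 1; nets[$6] = 1 }
    END {
      for (n in nets)
        if ((wan, n) in seen && !((vpn, n) in seen)) print n
    }' | sort
}

# Constructed sample in the shape "pfctl -s nat" prints (addresses and
# interface names are made up): two LAN networks and the loopback range have
# WAN rules, but only 192.168.1.0/24 has been copied to ovpnc1 so far.
SAMPLE_NAT="nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 192.168.2.0/24 to any -> 203.0.113.5 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0) port 1024:65535"
```

On the sample the script reports `127.0.0.0/8` and `192.168.2.0/24`, the two networks whose WAN rules were not copied. Reading the loaded rule set rather than the web GUI also catches a rule that was saved but never applied.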

V. Conclusion

 

          In conclusion, this guide showed you how to set up a VPN tunnel to the AnonVPN.io service and how to set up basic outbound NAT rules. If you want a more complex set-up, you can always do split tunneling: for example, certain hosts can route their traffic over the VPN while other traffic goes out over the WAN connection.

 

About me: I am an IT professional who is passionate about technology and its uses to propel people to their potential. I would love to talk to you!
