mxnerd
Diamond Member
- Jul 6, 2007
- 6,799
- 1,103
- 126
OT...I thought those were Level 3's DNS? Does Verizon own Level 3?
(goes to look)...
It used to be, a long time ago. Don't know if it's owned by Level3 now.
but no AES256 and the SHA was actually 1
- to use a different cipher add the configuration option '--cipher CIPHER'
  - supported ciphers are:
    - AES-128: '--cipher aes-128-cbc' << recommended
    - AES-256: '--cipher aes-256-cbc'
    - Blowfish: '--cipher bf-cbc'
    - No Encryption: '--cipher none'
- to use a different authentication digest add the configuration option '--auth DIGEST'
  - supported digests are:
    - SHA1: '--auth sha1' << recommended
    - SHA256: '--auth sha256'
    - No Authentication: '--auth none'
- to use different handshake encryption change the configuration option '--ca CERT'
  - supported handshake encryptions are:
    - RSA-2048: '--ca ca_rsa2048.crt' << recommended
    - RSA-3072: '--ca ca_rsa3072.crt'
    - RSA-4096: '--ca ca_rsa4096.crt'
    - ECC-256k1: '--ca ca_ecdsa256k1.crt'
    - ECC-256r1: '--ca ca_ecdsa256r1.crt'
    - ECC-521: '--ca ca_ecdsa521.crt'
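An added example, not part of the thread or of the provider's documentation: a small Python check that reads an OpenVPN client config (or a command line) and reports `cipher`, `auth` and `ca` settings that are missing, outside the list quoted above, set to `none`, or using Blowfish. It relies on OpenVPN config-file directives being the command-line options without the leading `--`; the sample config, hostname and path are constructed, and the Blowfish note refers to its 64-bit block size.

```python
import os
import re
# Values copied from the provider's option list quoted above.
SUPPORTED = {
    "cipher": {"aes-128-cbc", "aes-256-cbc", "bf-cbc", "none"},
    "auth": {"sha1", "sha256", "none"},
    "ca": {"ca_rsa2048.crt", "ca_rsa3072.crt", "ca_rsa4096.crt",
           "ca_ecdsa256k1.crt", "ca_ecdsa256r1.crt", "ca_ecdsa521.crt"},
}

def parse_directives(text):
    """Collect cipher/auth/ca values from config-file text or a command line."""
    found = {name: [] for name in SUPPORTED}
    for line in text.splitlines():
        tokens = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        for i, tok in enumerate(tokens[:-1]):
            name = tok.lstrip("-")  # '--cipher' on the CLI, 'cipher' in a file
            if name in found and (i == 0 or tok.startswith("--")):
                value = tokens[i + 1].strip("'\"")
                found[name].append(
                    os.path.basename(value) if name == "ca" else value.lower())
    return found

def audit(text):
    """Return (directive, value, note) findings for settings worth a second look."""
    findings = []
    for name, values in parse_directives(text).items():
        if not values:
            findings.append((name, None, "not set: client default applies"))
        for value in values:
            if value not in SUPPORTED[name]:
                findings.append((name, value, "not in the provider's list"))
            elif value == "none":
                findings.append((name, value, "protection switched off"))
            elif value == "bf-cbc":
                findings.append((name, value, "64-bit block cipher"))
    return findings

# Constructed sample config; hostname and path are placeholders.
SAMPLE = """client
remote vpn.example.net 1194   ; constructed hostname
cipher bf-cbc
auth none
ca /etc/openvpn/ca_rsa4096.crt
# cipher aes-256-cbc
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
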
Don't know sdifox's experience with running pfsense in a VM.
In the past few days, I did experience some difficulty with running pfsense in a VM.
Like what I mentioned earlier about "Diagnostics-Edit" not working in VirtualBox.
Today when I tried to install the TinyDNS package in a pfsense VMware VM, either the package installed halfway and got stuck, or even if it completed the installation, after that, I couldn't even log in to pfsense at all.
I have tried several times, and it did the same. pfsense installation in a VM always seems to cause some quirky situation.
I have never experienced anything like this before.
Maybe it's better to install pfsense directly on a real machine.
IPVanish works but they only allow a 16 character password.
A password does not matter with OpenVPN as long as your client side is not physically accessible by anyone else. The OpenVPN client itself authenticates with both a master and individual certificate, passes unique keys, and encrypts based on config files or definitions your VPN service will provide, so the password you use only activates the login script, nothing more.
I don't use a login name and password at all because I OpenVPN on a home computer I alone can access, and I'm on/off my VPN so often that I don't want to be bothered with yet another login request. Besides, even if some robber broke into my home and used my PC and VPN, what would the added insult of using my VPN really matter in the scheme of things? The point is the login password itself does not add any more protection to the VPN tunnel integrity, only whether a user sitting on your PC can activate the tunnel or not. At work, where I use a pair of SonicWall boxes to hardware VPN a branch to a home office, I don't use passwords to activate that tunnel either, since it's impossible to form a tunnel anywhere else without those 2 boxes, which are configured with insanely long mixed case alphanumeric certificates(255) and keys(2023) that even DARPA cannot crack or even deep packet inspect.
Even if a person on another computer got your name and password, knew and configured his PC with the same config files the VPN provider gives by default when you sign up, he still could not log in and use the service on your account because the VPN provider has a record of what certificates and keys it shares with each account, so your username/password would not match up, thus your login information would be worthless to anyone else. This is why when you sign up with a VPN provider you need to notify him if you are using the same account on two or more devices, since they must make allowances for that level of flexibility. So far the VPN providers I've seen will market by either one or up to three different devices per account.
I have it running in hyperv. Mind you I am using server hardware so much less driver issues. And I am not doing VPN and not dealing with PIA.
Upgrade the RAM in this: http://www.amazon.com/Intel-Fanless...p/B008KB5YCK/ref=cm_cr_pr_product_top?ie=UTF8
Found that pfsense 2.1 & 2.2 did support INTEL AES-NI !
under System - Advanced - Misc - Cryptographic Hardware Acceleration
OpenVPN
To take advantage of acceleration in OpenVPN, choose a supported cipher such as aes-128-cbc on each end of a given tunnel, then select BSD Cryptodev Engine for Hardware Crypto.
Similarly, if the system employs the VIA Padlock engine, choose an appropriate cipher and select VIA Padlock for Hardware Crypto.
Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.
IPsec
IPsec will take advantage of cryptodev automatically when a supported cipher is chosen. For AMD Geode systems, this is AES with a 128-bit key length, and for Hifn card users, 3DES or others known to be accelerated by the crypto card.
For AES-NI acceleration, use AES-GCM on both sides of the tunnel. (Requires pfSense 2.2)
*) Support for new and upcoming Intel processors, including AVX2,
BMI and SHA ISA extensions. This includes additional "stitched"
implementations, AESNI-SHA256 and GCM, and multi-buffer support
for TLS encrypt.
This work was sponsored by Intel Corp.
[Andy Polyakov]
Finally connected the PC with pfsense on it to my network, made a few changes to the settings and rebooted the modem. Received a connection and was tweaking. Started watching TWC app on the Xbox 360 and hard crashed pfsense. I'll connect to the IPMI port later to see if I can see what crashed on it.
Back on Asus router for the moment.
Edit: Connected monitor and console was still up with no error messages. Know that it had not rebooted because I could see the console messages from the previous logins to the GUI. Strange. Couldn't get anything from the GUI and no Internet. Still not rebooted. Will play with. Need to get the IPMI SuperMicro management software up so I can do all of this without a monitor/keyboard attached.
You just need a browser, no?
Run memtest86 on the new build to test RAM first.
Plug & unplug ethernet cable to make sure you assign the correct port to LAN and WAN since you have 4 ports.
Edit #4: I think the WMC issue is the fact that I had the Asus router assign a static IP to the HDHomeRun Prime units and not the pfsense box. I've figured out how to use the hdhomerun prime utility to manually set permanent static IP address. Hopefully, that will resolve the issue of switching out routers and the WMC network.