OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: nikkon on January 11, 2021, 12:04:57 am
-
Hi all,
My first time writing a howto, if there are inconsistencies just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only 1 of my local IPs (one Jail in particular). So I decided to go with SurfShark VPN, and below is the step-by-step config:
Step 1
Create SurfShark account and login
Once in, go to Manual Setup -> Manual -> Credentials. (Keep those safe)
Switch back to Files and choose one of the servers you want (servers in the respective country you decide you will use as exit point).
Step 2
In Opnsense: Go to System -> Trust -> Certificates
Press on + Add button. Then fill the fields out like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:
-----BEGIN CERTIFICATE-----
MII3...
/UplsM=
-----END CERTIFICATE-----
This data can be also found in the CA&TLS certificates archive under the "Other configuration files" section on your SurfShark account.
Step 3
In Opnsense: Under VPN -> OpenVPN -> Clients
Add new client:
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN; (whatever name your wan interface has)
Local port: leave blank;
Server host or address: the server hostname that you want to connect to, from the list of servers from Step 1;
Server port: 1194 (use 1443 if you use TCP as I do);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
Description: Any name you like.
Remember to use your credentials from Step 1 (the ones advised to be kept safe :P)
Enable TLS Authentication for packets and use the following TLS Key:
-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
.......
e7279ff1a19cb092659e8c1860fbad0d
-----END OpenVPN Static key V1-----
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or as in my case the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No preference
Add this under Advanced:
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
Step 4
In the Opnsense interface go to Interfaces -> Assignment -> Add Interface ovpnc1 (in my case) to the interfaces and give it a name (in my case it is simply Surfshark)
Once the interface is created: IPv4 Configuration Type : None
Step 4.1
If you want all your traffic to be routed via Surfshark, then select this newly created interface as the outgoing interface for DNS (Unbound & any other resolver)
In order for the DNS to work, you need to:
check Forwarding Mode
uncheck DNSSEC support
Services-> Unbound DNS-> Advanced: check both Hide Identity & Hide Version
Step 5
Firewall -> NAT -> Outbound: change from "Automatic outbound NAT rule generation (no manual rules can be used)" to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)"
Add one rule:
Interface: Surfshark; Source: <localhost you want to route>; Source Port: <ports you want to route>; Destination: *; Destination Port: *; NAT Address: Interface address; NAT Port: *; Static Port: NO; Description: SurfSharkVPN
(This will apply only to 1 host in your network.)
If you want to route all your traffic, simply replace the source with the IP address of your LAN interface (192.168.1.1/24 as an example).
Step 6
Firewall-> Rules-> Surfshark
Protocol: IPv4 *; Source: Lan_Wired net; Port: *; Destination: <my specific host>; Port: *; Gateway: SURFSHARK_VPNV4; Schedule: *; Description: VPN allow traffic
Firewall-> Rules-> Lan
Protocol: IPv4 *; Source: <my specific host>; Port: *; Destination: *; Port: *; Gateway: SURFSHARK_VPNV4; Schedule: *; Description: gateway VPN
Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4
Step 8
Check the connection: VPN -> OpenVPN -> Log File & VPN -> OpenVPN -> Connection Status
I hope this will help.
Enjoy
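As an added illustration (not part of the original post and not a file generated by OPNsense or supplied by Surfshark), this is roughly what the Step 3 client settings correspond to as a plain OpenVPN client config. File paths are placeholders; the CA, static key and credentials are the ones from Steps 1 to 3.

```conf
# Step 3 "Server mode: Peer to Peer (SSL/TLS)" + Advanced "tls-client"
client
tls-client
# "Device mode: tun" and "Protocol: UDP on IPv4"
dev tun
proto udp
# "Server host or address" and "Server port" from Step 3 (1194 UDP / 1443 TCP)
remote <surfshark-server-hostname> 1194
remote-random
# "Local port: leave blank"
nobind
# Advanced block from the post
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
# Credentials from Step 1 (username/password file, placeholder path)
auth-user-pass /path/to/surfshark.auth
# "Peer certificate authority: SurfsharkVPN" (the CA imported in Step 2)
ca /path/to/surfshark-ca.crt
# "Enable TLS Authentication" + "TLS Key Usage Mode: TLS Authentication"
# (client side uses key direction 1)
tls-auth /path/to/surfshark-ta.key 1
# "Encryption Algorithm" / "Enable NCP" / "NCP Algorithms"
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
# "Auth digest algorithm: SHA512"
auth SHA512
# "Don't pull routes: check". Server-pushed routes are ignored, so only the
# hosts you policy-route with the SURFSHARK_VPNV4 gateway rule (Step 6) use
# the tunnel; the server may still push the tun interface's IP settings.
route-nopull
# The "Client certificate" selection in the GUI is only required by the form;
# Surfshark authenticates with username/password, so no cert/key lines are needed.
verb 3
```

On OpenVPN 2.5 and later `ncp-ciphers` is an alias for `data-ciphers`.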
-
@nikkon
Step number 3:
* Don't pull routes: check
This causes me to get an IP checker error:
Test here -> : https://surfshark.com/what-is-my-ip
Shouldn't it be according to Surfshark's manual:
Read here-> : https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark
be like this? :
* Don't pull routes: uncheck
Greetings from Germany
-
Hi,
If you route all your traffic, or one entire network, then I believe it makes sense not to check it.
I only need one IP to be routed and this was the only way.
However, note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
All the best from Amsterdam
-
Hey, thanks for the guide. I had a similar setup to yours but for some reason it would kill NAT reflection. I have some hosted services that I use my domain to access internally. I ended up finding this guide which is working, but its setup is a bit weird, using private address rules. Mind you it's for pfSense, but basically the same. https://crepaldi.us/2020/08/30/setting-up-vpn-client-on-your-pfsense-surfshark/ With your method, should I be able to use NAT reflection still?
-
I believe you could use it too
-
Something happened after the last update.
I cannot route 1 internal IP through the VPN tunnel anymore.
Does it work for the rest of you?
-
Is it working for anyone post upgrade to 22.1.6?
For me the SURFSHARK_VPNV4 gateway is not marked as active. Hence no internet for the clients
-
Mine looks active, but no internet for clients as well.
Investigating
-
Please do share your investigation outcome!
-
Seems DNS related. If I add the interface in Unbound under the list of served interfaces it works.
However, I want to use specific DNS forwarders for this interface and I define them manually on the clients.
Still working on understanding the issue
-
Thank you. This is awesome! Got me up and running.