OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: directnupe on July 12, 2019, 10:08:29 pm

Title: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on July 12, 2019, 10:08:29 pm
Dear Community,
As is my wont as of late along with my personal inclinations and indulgences - here we go with the intro: I know you got it - lyrics to sing along : https://genius.com/Bobby-byrd-i-know-you-got-soul-lyrics and video : https://www.youtube.com/watch?v=-aY4x5l2QzA and Bonus : Take This with you as we stroll along : https://genius.com/Hank-ballard-from-the-love-side-lyrics and video : https://www.youtube.com/watch?v=zKKcArCApx0 - Hello and here is the tutorial which details exactly how to get the great Hardened BSD based Distro OPNsense up and running with TORGUARD OpenVPN Client. OPNsense found here: https://opnsense.org/about/features/ and downloads found here : https://opnsense.org/download/

A - To begin you need to get your OpenVPN configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on OpenVPN Config Generator. On this page that opens up - select in order - VPN Server Hostname/IP, VPN Protocol, VPN Port, VPN Cipher, OpenVPN Build, and whether or not you want to require TLS 1.2 as a minimum. After entering your choices, click on green " Generate Config " Box and download and save the file as we will use this later on in this process to configure OpenVPN settings on OPNsense FireWall.

B - Open the downloaded file ( it normally has some random number - mine is 96 in this example ). The first piece you need from this file is the CA ( certificate authority ). TORGUARD has just updated their certificates and are also in the process of enabling IPV6 support. Things just keep getting better with TORGUARD. There are actually two certificates in the file - along with a tls-auth key. Let me back up for a minute - I chose NJ server UDP protocol - port 1195 - sha256 - aes-256-gcm - Build OpenVPN 2.4 and above plus checked box for TLS 1.2 - Your file may have different options depending on how you choose to connect to TORGUARD Server.

C - Now - to proceed - the CA you want ( in this case ) is the first one listed. Here is a direct link to the CA in case you prefer to grab it by this method : https://torguard.net/downloads/ca.txt - After you have this certificate log into your OPNsense Firewall - you will be presented with the " Lobby: Dashboard " page. You can always get back to this page by clicking on " OPNsense Logo " at the uppermost left corner of page. This is where you find " The OPNsense Menu Settings " which is from where we will configure TORGUARD OpenVPN Client. I will be using the .ovpn file and server I mentioned earlier for the purposes of this tutorial going forward.

1 - Begin by entering the CA in the appropriate field. In order to do this, first Click on > System. A sub-menu will be revealed - look for the entry labeled " Trust ". Click on " Trust " - from there another sub-menu pops up - In that sub-menu Click on " Authorities " so that we can add the TORGUARD-CA to our firewall. You will now be on a landing page entitled " System: Trust: Authorities ".

Follow the steps below:

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Method: Import an existing Certificate
Description: TORGUARD
Certificate data: ( enter ( copy and paste ) certificate data content between <ca> and </ca>  from the CA mentioned above)

Click Save . ( Do not alter / enter anything else here - leave at defaults )

Now we need to configure OPNsense TORGUARD OpenVPN Client . Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui. This action refreshes the Web Gui, which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui. Remember this as you can always get back to the full Menu by this method.

2 - Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu Click on " OpenVPN ". From that pop-up sub-menu Click on " Clients ". When you click on " Clients " you will be presented with the " VPN: OpenVPN: Clients " Landing page. In order to proceed,

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Once on this page - enter these settings:

Disabled: Unchecked

Description: TORGUARD-NJ

Server mode: Peer to Peer ( SSL/TLS)

Protocol: UDP

Device mode: tun

Interface: WAN

Remote server: nj.east.usa.torguardvpnaccess.com  Port: 1195

Select remote server at random : Unchecked

Retry DNS resolution: Checked
(  Infinitely resolve remote server )

Proxy host or address: Blank

Proxy port: Blank

Proxy Authentication: none

Local port: Blank

User Authentication Settings:
User name/pass: ( from your TORGUARD Account )
Username: enter TORGUARD user name from Manual setup > userpass.txt file ( found on first line )
Password: enter TORGUARD password from Manual setup > userpass.txt file ( found on second line )

Renegotiate time : Blank

TLS Authentication: Leave this checked ( Uncheck box directly below it  then enter tls-auth key from TORGUARD )

Automatically generate a shared TLS authentication key. ( Uncheck this box first and then enter tls-auth key from
OpenVPN Config you generated and downloaded at the very beginning )

Peer Certificate Authority: TORGUARD ( name will be the " Descriptive name " you gave CA in Step 1 )

Client Certificate: None ( Username and Password required)

Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block)

Auth digest algorithm: SHA256 (256-bit)

Hardware Crypto: No Crypto Hardware acceleration

 IPv4 Tunnel Network : Blank

 IPv6 Tunnel Network : Blank

 IPv4 Remote Network : Blank

IPv6 Remote Network : Blank

Limit outgoing bandwidth : Blank

Compression: No Preference

Type-of-Service : Blank

Disable IPv6: Checked

Don't pull routes: Blank

Don't add/remove routes : Blank

Advanced configuration:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
compress
auth-nocache
script-security 2
mute-replay-warnings
ncp-disable
key-direction 1
setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"


Verbosity level: 3 ( recommended )

Click Save.

You are redirected to VPN: OpenVPN: Clients Landing page and you should see a "green arrow" by "UDP nj.east.usa.torguardvpnaccess.com:1195 " in this example. Once you see this arrow, you will see that you are still in the OpenVPN pop-up sub-menu. Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. This takes you to the VPN: OpenVPN: Connection Status Landing page. You should check under " Status " and make sure that it indicates that your tunnel is " up ".

3 - We now need to add a Hybrid Firewall Rule in order to get OPNsense TORGUARD OpenVPN fully up, running and completed.
We do this as follows. Once again, Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui, which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:

A- Click on Firewall ( once again a pop-up sub-menu appears )
B - On that sub-menu click on NAT ( once again a pop-up sub-menu appears )
C - From that sub-menu click on  Outbound  ( you will now be presented with the Firewall: NAT: Outbound Landing page )

Once on the Firewall: NAT: Outbound Landing page, place a dot in the Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules) radio button. Click Save ( which is located at the top of the page under the " Mode " section ).

After clicking save, DO NOT ! - Repeat, Do Not Click Apply ! at this time. Instead - Click on ( + ) Add in the uppermost right corner of this page. You will be presented with the " Edit Advanced Outbound NAT entry " Landing page. Change the " Interface " setting from Wan to " OpenVPN " from the drop down menu. Also , for Description : enter ( Made For TORGUARD ). Do not touch or change anything else whatsoever on this page.

Click Save - and you will be redirected to the Firewall: NAT: Outbound Landing page. You will see at the very top of the page it says " The NAT configuration has been changed. You must apply the changes in order for them to take effect. " So, Click on Apply Changes at the top of the page. Done with Firewall Rules for OPNsense TORGUARD OpenVPN.

Once again, Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui, which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:

Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu Click on " OpenVPN ".

A - Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. You still should be up and running.
B - From the same OpenVPN pop-up sub-menu - click on " Log File " and you should see that you are connected.

Good News ! I erroneously reported earlier that your WAN would not reboot without disabling OpenVPN Client using the Hybrid FireWall detailed in this tutorial. Actually, I was testing the setup on an OPNsense VMware Work Station Machine. I can now emphatically state and assure you that your WAN will reboot if you use this setup ( along with Hybrid FireWall Rule ) on a real physical hardware installation. I disable all properties on the WAN interface when using Virtual Machines ( an old habit ) EXCEPT for VMware Bridge Protocol. This may be the problem when I deploy OPNsense on VMware Virtual Machine. I will test and report back later. The good thing about VMware is that you can take snapshots, so you can always go back if you make an error. However, the BOTTOM LINE is that you can implement this guide on a hardware installation AS IS ! without any issues on OPNsense reboot. I will write up an updated tutorial for DNS OVER TLS WITH GETDNS+STUBBY on OPNsense. Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns - I am running DNS OVER TLS with OpenVPN now - and it works beautifully.

Lastly, in order to check that you are connected to TORGUARD - go to : https://torguard.net/whats-my-ip.php . At the very top of the page on the upper left hand side - click on " Check Now " and down under " Your Current Info " you will see your TORGUARD ROUTED OpenVPN IP Address - next to it you will see this : IP Address: 23.226.128.162 (Protected) - the key is you are now " Protected " which means that you are now successfully connected via TORGUARD OPNsense OpenVPN CLIENT. This setup will work with virtually any commercial OpenVPN Service Provider - trust me; I have tested a few others in addition to TORGUARD as outlined here in this tutorial. Remember that you may have to modify settings depending on your personal configuration and / or the features ( cryptography and so on ) that your commercial OpenVPN Service Provider supports and deploys.

Peace & Universal Love
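An added helper for Steps B/C and the TLS Authentication field (this is example code, not from the original post, TorGuard or OPNsense): it pulls the first certificate inside `<ca>` and the `<tls-auth>` key out of a downloaded .ovpn so they can be pasted into System > Trust > Authorities and the client settings, and reads the file's key-direction so it can be compared with the `key-direction 1` line in Advanced configuration. The .ovpn content and the function names are constructed for the example; the PEM bodies are placeholders.

```shell
# Added example, not part of the original post: extract the first <ca>
# certificate and the <tls-auth> key from a downloaded .ovpn for pasting into
# System > Trust > Authorities and the client's TLS Authentication field.
# The .ovpn below is CONSTRUCTED sample input with placeholder PEM bodies.
OVPN_FILE="${TMPDIR:-/tmp}/sample-client.ovpn"
cat > "$OVPN_FILE" <<'EOF'
client
remote nj.east.usa.torguardvpnaccess.com 1195
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA2
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDERKEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Print the lines between <tag> and </tag> (first such block only).
# CRLF line endings, common in downloaded .ovpn files, are stripped first.
inline_block() {
  awk -v tag="$1" '
    { sub(/\r$/, "") }
    $0 == ("<" tag ">")  { inside = 1; next }
    $0 == ("</" tag ">") { exit }
    inside { print }
  ' "$2"
}
# The post says the CA to import is the FIRST certificate inside <ca>.
first_ca_cert() {
  inline_block ca "$1" | awk '{ print } /-----END CERTIFICATE-----/ { exit }'
}
# Static key for TLS Authentication ("Automatically generate ..." unchecked).
tls_auth_key() {
  inline_block tls-auth "$1"
}
# Must match the key-direction line given in Advanced configuration.
key_direction() {
  awk '$1 == "key-direction" { print $2; exit }' "$1"
}
first_ca_cert "$OVPN_FILE"
tls_auth_key "$OVPN_FILE"
key_direction "$OVPN_FILE"
```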
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: firetron on August 01, 2019, 05:59:20 am
Other tutorials say to assign an interface, and set IPv4 Configuration Type: DHCP
This worked in 19.1 but in 19.7 it shows an error "Cannot assign an IP configuration type to a tunnel interface".
I noticed in your tutorial here, you do not assign an interface at all. Is it not necessary to assign an interface?
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on August 02, 2019, 12:06:06 am
Dear firetron,
Hello and I hope that you are well. I have seen the DHCP option you mention, but I find that this is not necessary.
Just follow this tutorial as detailed here and everything will work as described and laid out here. Have you tried to implement the configuration as put forth here ? - if not - do so and report back with your results. My prediction is that you will find that your OpenVPN Client will function as designed. My setup works flawlessly - otherwise, I would not have posted this tutorial in the first instance.
Peace and God Bless,
directnupe
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: quirkyferret on September 23, 2019, 11:21:04 pm
I had a VPN client set up in 18.6, upgrading broke it, and your tutorial helped me get things working.

However, it only works if I try to route ALL traffic through it. If I try to only route certain hosts through it, my other internet traffic breaks (because my VPN provider pushes routes that try to take all traffic). If I check 'don't pull routes', so that the OpenVPN client doesn't override my default routes, then I have no way of sending traffic to my VPN.

I know in the older version, I could put a rule that passed traffic from the WAN to the VPN gateway if it was the correct source, but now the system doesn't recognize the VPN client as an interface or allow a gateway for it - Any Ideas?
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on October 05, 2019, 03:13:05 am
Dear quirkyferret,
Hello and I hope that you are well. I suspect that the "simple" firewall rule which I detail in this tutorial is what is causing your inability to route the traffic in the manner you describe. Try this solution below - go to this page :
https://torguard.net/article/254/pfsense-openvpn.html -- and then set up your firewall rules as described in Step 6. Hopefully this will allow you to accomplish what you are out to achieve. See this guide if you wish, which also describes the same firewall creation method : https://www.privateinternetaccess.com/helpdesk/guides/routers/pfsense/pfsense-2-4-3-setup-guide in Step 6

Peace
directnupe
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: DataKnights on November 25, 2019, 01:06:41 am
Thanks for the tutorial. Works great!
One question though, is it possible to use TorGuard's ad-blocking DNS with this guide?
I'm unable to figure out where/how to add those DNS servers into TorGuard or OpenVPN.
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on December 07, 2019, 06:09:42 pm
Dear DataKnights,
Hello and Happy Holidays - please excuse the delay in my getting back to you regarding your inquiry. Now - as far as setting TorGuard DNS. You can follow this guide : https://torguard.net/article/254/pfsense-openvpn.html
; however skip / scroll down to :
Step 7:
Navigate to System > General Setup and set DNS Servers to:

104.223.91.194
104.223.91.210

That should suffice. I use DNS OVER TLS so that I am fully encrypted. You can see my guide / tutorial for that
solution here : https://forum.opnsense.org/index.php?PHPSESSID=k6ivse7g94849ga6nk9r8kg9g5&topic=13487.0

I hope this helps and Peace Always
directnupe
Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: bpalob on April 27, 2020, 09:51:16 am
Good day,

being a "noob" on the subject, and also to OPNsense (I have acquired an APU4 to build a little home firewall, without much knowledge though), I am struggling with this. Though I agree, the process is dead simple :-)

I plan to use the device with static DHCP, blocking for schedule for my kids (check, works), Remote VPN Access with OpenVPN (check, works), FTP Proxy (check, works) and the most complicated thing so far, which I am badly failing at, is OpenVPN client to a provider named "SurfShark". I will need to route 1 or 2 devices through this connection, not the whole network.

Surfshark has a guide for pfSense, which I have tried to follow. Now with yours. And here's where I get stuck:

Connection is up, but no traffic going over VPN. It even blocks internet traffic at some point when I create the FW rules.

I also tried with the 4 FW rules described in the other guide, but I do not see these 4 auto generated rules...

I have tried things with adding interfaces for OpenVPN, Gateways, etc etc... all no luck.

Any tips would be welcome!

Thanks.

Title: Re: HOW TO OpenVPN OPNsense CLIENT DEAD SIMPLE
Post by: directnupe on September 03, 2020, 05:16:47 am
Dear bpalob,
You said -
" I also tried with the 4 FW rules described in the other guide, but I do not see these 4 auto generated rules... "

The correct Answer :
You need to create all of these manually. One by one - create first rule then clone it - and do this for each following rule.