OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: M4DM4NZ on April 10, 2017, 01:34:53 pm

Title: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on April 10, 2017, 01:34:53 pm
Hi Guys,

Below is a step by step guide to configuring Opnsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

===================================================================
Step 1:

Get all your certificate information together: (cert files supplied from your private VPN provider)

  - VPN_Provider.ovpn
  - CA.crt (Certificate Authority)
  - TA.key (OpenVPN Static key V1)
  - User.crt (User Certificate)
  - User.key (RSA Private Key)

===================================================================
Step 2:

Navigate to System > Trust > Authorities, "add or import CA"

 - Descriptive name: VPNCA
 - Certificate data: (paste the contents of your CA.crt file here)
 - Certificate Private key: (paste the contents of your user.key file here, AKA RSA Private Key)
 - Serial for next Certificate : None

SAVE

===================================================================
Step 3:

Navigate to System > Trust > Certificates, "add or import certificate"

 - Method: Import an existing Certificate
 - Descriptive name: none
 - Certificate data: (paste the data in your user.crt file here)
 - Private key data: Leave blank, otherwise enter your user.key data here, mine was manually entered in on the next step.

SAVE

===================================================================
Step 4:

Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings (some may differ depending on your VPN provider):

 - Server Mode: Peer to Peer (SSL/TLS)
 - Protocol: UDP (check your ovpn file)
 - Device Mode: tun (check your ovpn file)
 - Interface: (Your WAN interface)
 - Local port:443 (check your ovpn file)
 - Server Host or Address: 123.45.67.890 (check your ovpn file)
 - Server Port: 443 (check your ovpn file)
 - Server host name resolution: Ticked
 - Description: "Name of your VPN Provider"

Cryptographic Settings:

 - TLS Authentication: Ticked (paste the data in your ta.key file here, AKA OpenVPN Static key V1)
 - Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
 - Client Certificate: Select "Userkey CA:VPNCA *In Use"
 - Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit block)
 - Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
 - Disable IPV6: Ticked
 - Advanced Configuration: "Paste the below data into the field"

   persist-key
   persist-tun
   remote-cert-tls server
   auth-nocache

 - Verbosity level: 3

SAVE

NOTE: The first time you enter this page, the "TLS Authentication" section to paste your ta.key does not show up until you've clicked Save. So go back to this menu after saving and paste it in.

===================================================================
Step 5:

Check to see if your VPN connection is online,

 - Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words " Initialization Sequence Completed "
If you've come this far you're on the right track :)

===================================================================
Step 6:

 - Navigate to Interfaces > Assignments
 - Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
 - Click the orange "+" button
 - Tick Enable Interface and Save
 - Description = VPN (note this is a "Virtual" interface; it's not referenced to a physical Ethernet port)
 - IPV4 Configuration type = DHCP
 - IPV6 = None
 - Note: Leave all other settings as default (empty/unticked)

===================================================================
Step 7:

 - Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host
 - First entry: 192.168.X.X

NOTE: (enter the IP addresses of the computers/devices you want to be on the VPN here. I personally enter the IP address of the wireless router I have attached to my LAN. The wireless router has DHCP enabled, so all wireless devices connected to this access point have their traffic passed via the VPN.)

If you don't have a spare Wi-Fi router, you can manually add the IPs of computers on your network here.

My Network Map:  WAN--->Opnsense--->LAN--->Switch--->Wifi router running its own DHCP - - - -> "Wireless devices"

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing; the whole point of making aliases is important, and it won't work without them.

 - SAVE
===================================================================
Step 8:

OK, so here's the weird part. This had me going nuts for a while, but after a bottle of Jack Daniel's Tennessee Honey, it finally clicked!
You NEED to use aliases rather than specifying IP ranges directly; it makes all the difference for some reason, even though the concept is the same.

 - Navigate to Firewall > NAT > Outbound
 - Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
 - Add a new rule

Rule 1.
 - Interface: VPN (The one you created in Step 6)
 - Source: VPNTraffic ( The alias you created in Step 7)
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any

Rule 2. (Same as Rule 1, but....)
 - Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
 - Static Port: Ticked
 NOTE: Leave ALL other options as default/any

Rule 3.
 - Interface: VPN (The one you created in Step 6)
 - Source: Single host or network, 127.0.0.0 / 8
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

- Apply settings.
====================================================================
Step 9:

 - Navigate to Firewall > Rules > LAN
NOTE: The order of Rules from top to bottom on this page matter:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: VPNTraffic (Alias)
 - Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffic out via the default gateway "WAN")

 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: Any
 - Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway; the name might be different depending on your WAN connection method)

- Apply settings

NOTE: All other tabs in my rules section (eg OPENVPN/VPN/WAN) are empty; NO RULES exist.
Your settings may differ, but that's the basic setup. Also, check:
https://www.dnsleaktest.com/ and
https://www.ipchicken.com/
after you've completed these steps.
=================================================================
DONE :)

If I've missed anything, feel free to troll ;)

Cheers

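Step 1 and Step 4 both send you back to the provider's .ovpn file for the certificates and the connection parameters. The following is an added example of my own (not OPNsense, AirVPN or the original poster's code) that parses a profile's inline <ca>/<cert>/<key>/<tls-auth> blocks and top-level directives and maps them onto the GUI fields named in the HOWTO. The SAMPLE_OVPN profile is constructed with placeholder PEM bodies, and the mapping follows NilsS's later correction in this thread: the private key belongs with the client certificate, not in the CA's private-key field.

```python
"""Extract Step 1 material and Step 4 client settings from a provider .ovpn file.

Constructed example, not OPNsense or provider code. SAMPLE_OVPN is made up and
its PEM bodies are placeholders, not real certificates or keys.
"""
import re
from dataclasses import dataclass, field

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 443
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
cipher AES-256-CBC
auth SHA1
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-USER-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-PRIVATE-KEY
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
"""


@dataclass
class OvpnProfile:
    directives: dict = field(default_factory=dict)  # option -> args of its first occurrence
    inline: dict = field(default_factory=dict)      # tag -> PEM/static-key text


def parse_ovpn(text):
    """Parse top-level directives and <tag>...</tag> inline blocks of an OpenVPN profile."""
    profile = OvpnProfile()
    current_tag, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag:
            if line == f"</{current_tag}>":
                profile.inline[current_tag] = "\n".join(buf).strip() + "\n"
                current_tag, buf = None, []
            else:
                buf.append(raw.rstrip())  # keep PEM lines verbatim
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current_tag, buf = m.group(1), []
            continue
        opt, *args = line.split()
        profile.directives.setdefault(opt, args)  # keep the first 'remote' if several are listed
    if current_tag:
        raise ValueError(f"unterminated <{current_tag}> block")
    return profile


def to_opnsense_client(profile):
    """Map a parsed profile onto the VPN > OpenVPN > Clients fields from Step 4."""
    d, inline = profile.directives, profile.inline
    missing = [tag for tag in ("ca", "cert", "key") if tag not in inline]
    if missing:
        raise ValueError(f"profile lacks inline {missing}; import the separate files instead")
    remote = d.get("remote")
    if not remote:
        raise ValueError("profile has no 'remote' directive")
    host, port = remote[0], remote[1] if len(remote) > 1 else "1194"  # 1194 is OpenVPN's default port
    advanced = [" ".join([opt, *d[opt]])
                for opt in ("persist-key", "persist-tun", "remote-cert-tls", "auth-nocache", "key-direction")
                if opt in d]
    return {
        "Server Mode": "Peer to Peer (SSL/TLS)",
        "Protocol": d.get("proto", ["udp"])[0].upper(),
        "Device Mode": d.get("dev", ["tun"])[0],
        "Server Host or Address": host,
        "Server Port": port,
        "Encryption": d.get("cipher", ["BF-CBC"])[0],      # BF-CBC: OpenVPN's historical default
        "Auth Digest Algorithm": d.get("auth", ["SHA1"])[0],
        "TLS Authentication": inline.get("tls-auth"),
        "Peer Certificate Authority (System > Trust > Authorities)": inline["ca"],
        "Client Certificate (System > Trust > Certificates)": inline["cert"],
        "Client Certificate private key": inline["key"],  # goes with the cert, not the CA
        "Advanced Configuration": "\n".join(advanced),
    }


if __name__ == "__main__":
    for name, value in to_opnsense_client(parse_ovpn(SAMPLE_OVPN)).items():
        print(f"{name}:\n{value}\n")
```

If the provider ships separate .crt/.key files instead of inline blocks, the parser raises rather than guessing, which is the right moment to fall back to the file list in Step 1. The key-direction line is carried into the advanced field because a static TLS key imported through the GUI still needs its direction stated, as NilsS's configuration further down this thread does.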

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: eptesicus on May 05, 2017, 12:32:10 am
This is fantastic! Thank you so much for the write-up. I just built a new router with the intention of doing this. I just set it up today when my gigabit internet connection was installed, and thanks to your write-up, I got VPN setup on my torrent server easily.

Do you have any issues with DNS leaks? Mine's failing DNS leak tests, and I'm curious how to combat that.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on May 11, 2017, 04:34:11 am
Thanks Eptesicus :)

Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.

Cheers :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: eptesicus on May 12, 2017, 08:57:53 pm
> Thanks Eptesicus :)
>
> Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.
>
> Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.
>
> Cheers :)


I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.

Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on May 15, 2017, 04:51:15 am
Hey mate,

No, I haven't tried using other DNS providers besides my VPN provider, but I'll look into this.

I'm pretty sure when my VPN connection drops out (which doesn't happen that often) traffic to my torrent client just stops. I'll check my settings soon and post an update.

Cheers.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: pauld70 on May 25, 2017, 06:13:29 pm
Hi

I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.

Is there any way to test why this is not working correctly?

thanks
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tsol on June 06, 2017, 04:16:07 pm
I just want to clarify my understanding of step one. Are these the certs I created on the OpenVPN server on my remote host, or are these newly created ones made locally?

I just rolled my own OpenVPN install on my host using this guide: 

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04


and I'm trying the Adguard DNS entries: 

https://adguard.com/en/adguard-dns/overview.html


My ultimate dream is to somehow get the SSL bump configured either locally or at my remote host to block Outbrain/Taboola and all the other crap that loads on https sites I go to.     I could use some help architecting the overall solution, but first step is to route everything through VPN.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on June 18, 2017, 02:16:35 am
Hi Tsol,

The certs in step one are created by your VPN provider, ie. the ones you download from the particular VPN provider you're registered with.

Not sure about the Adguard DNS stuff, haven't had time to play with it much :/

Cheers
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on June 18, 2017, 02:21:58 am
> Hi
>
> I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.
>
> Is there any way to test why this is not working correctly?
>
> thanks

Hi Pauld70,

Not sure what's going wrong there, but just to compare, I also have my DNS set to static, using Google's DNS 8.8.8.8 as secondary and OPNsense's default IP 192.168.1.1 as the primary.

Hope this helps.

Cheers
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tatail on July 29, 2017, 03:33:14 am
Hi there,

Thank you very much for such a detailed step by step really helped with a lot of the stuff (I am a total noob).

I am looking to use VPN for a single port and the rest of the traffic to be regular.
I read that it is possible on pfSense so I was thinking that at least 60% of your guide would be the same for forwarding only a single port through VPN on OpnSense.

Could you help me with that?

Thank you.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ThePOO on August 11, 2017, 05:25:03 am
M4DM4NZ .....

Step 9:

Rule 1:

Shouldn't

Source:  VPNRouter

actually be

Source:  VPNTraffic
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on August 25, 2017, 05:58:35 am
M4DM4NZ .....

Step 9:

Rule 1:

Shouldn't

Source:  VPNRouter

actually be

Source:  VPNTraffic

Thanks for spotting that dude, I have updated the Guide...
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Noctur on September 15, 2017, 05:20:46 pm
M4DM4NZ - Thank You! Excellent write-up.

I have exactly the opposite need - want my general traffic through the VPN (because everything you do on the internet now is fair game - thanks loads, congress), but since services like Netflix and Hulu block VPN traffic, I want to route only the Netflix, etc over a clear connection. Even though Nord states you can stream through their service, eventually Netflix and Hulu identify the exit node and block it - even if it is within the US.

I'm planning to go through this over the weekend and set up just the Netflix traffic. Any pointers on how to achieve that? My VPN is already set up and working fine. TIA
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: skirge01 on September 15, 2017, 06:18:30 pm
I've been trying to get this working for months (seriously) and I keep running into DNS breaking.  One difference with my setup is that I'm not using a wireless router for DHCP, so I only added a single IP address into the VPNTraffic Aliases you had us create. That one computer is the only one I want to have its traffic forced over the VPN.  The other difference is that I use OPNsense as a private VPN server outside of the third party provider I set up using your instructions.

I've done a ton of testing and it is definitely only DNS which is broken. The internet connection itself is actually functioning; even Windows says as much.  For some reason, I can't get my networked computers to reach the DNS server (my OPNSense server, which is configured for OpenDNS). If I manually input a DNS server on the computers, everything works. I've tried disabling the OpenVPN firewall rule, as well as the private OpenVPN server without any change in DNS.

If I disable either the VPNTraffic to VPN_DHCP rule or the ANY to WAN_DHCP rule, DNS begins working again. Also, as expected, if I push the Default Allow Any rule above the rules I created using your guide, DNS works again.

Any insight would be greatly appreciated.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on September 19, 2017, 07:48:20 pm
You need a rule on your LAN interface:
-> pass -> Interface: LAN -> IPv4 -> TCP/UDP -> Source: any -> Destination: This Firewall -> DNS:DNS

The tutorial also has some errors:
CA Cert -> ca.crt
CA Key -> empty *
CERT Cert -> cert.crt
CERT Key -> priv.key

The ovpnc interface does not need IPv4 DHCP (just None)

Also there is no DNS Leakage prevention. If the Client uses another static DNS it will leak.
There needs to be either a BLOCK rule for all DNS traffic other than (in case of AirVPN 10.x.0.1) the VPN DNS Server
or you can use a NAT->Port Forward rule to redirect all DNS traffic to that DNS Server.

Another way is to use the local unbound DNS Server if you want all your local LAN traffic to use the VPN but also need local DNS names.
Just use forward-zone:
  name: "."
  forward-addr: 10.5.0.1
  forward-addr: 10.4.0.1
in unbound custom config. (for AirVPN)

I can add some details for VPN-Failover later
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on September 22, 2017, 10:14:36 am
As promised (most of it is the same as in the initial post from M4DM4NZ, but DNS leak and SMB/CIFS username leak prevention is extra)
Code:
####################################################################
Firewall -> Aliases -> view [ add a new alias ]
[ Type ]        Network
[ Name ]        N_LOCALNETS
[ Description ] All local Networks
[ Aliases ]
    192.168.x.x/XX (your local networks)
[SAVE]
                            [ add a new alias ]
[ Type ]        Network
[ Name ]        N_VPNUSER
[ Description ] All Hosts/Networks that should use VPN
[ Aliases ]
    192.168.x.x/32 (your hosts or networks that should use VPN)
[SAVE]
                            [ add a new alias ]
[ Type ]        Hosts
[ Name ]        H_ALLOWED_DNS
[ Description ] allowed DNS Server
[ Aliases ]
    10.4.0.1
    10.5.0.1
    10.30.0.1
    10.50.0.1
[SAVE]
                            [ add a new alias ]
[ Type ]        Ports
[ Name ]        P_MS_CIFS_SMB
[ Description ] block some MS ports
[ Aliases ]
    137
    138
    139
    445
[SAVE]

####################################################################
Firewall -> NAT -> Outbound
[X] Manual outbound NAT rule generation
## change the rest later
####################################################################
System -> Trust -> Authorities [ Add or import CA ]
[ Descriptive name ]            AIRVPN CA
[ Method ]                      import an existing
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<ca> section from .ovpn config
-----END CERTIFICATE-----
[SAVE]
####################################################################
System -> Trust -> Certificates [ add or import certificate ]
[ Method ]                      import an existing
[ Descriptive name ]            AIRVPN Client Auth
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<cert> section from .ovpn config
-----END CERTIFICATE-----

[ Private key data ]
-----BEGIN RSA PRIVATE KEY-----
<key> section from .ovpn config
-----END RSA PRIVATE KEY-----
[SAVE]
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP (or TCP)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 nl.vpn.airdns.org (or whatever region you like)
[ Server port ]                 443 ( alternative 53/80/1194 )
[ Server host name resolution ] [X]
[ Description ]                 AIRVPN1

[ TLS Authentication ]  [X] enable authentication
                        [ ] automatically generate
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----

[ Peer Certificate Authority ]  AIRVPN CA
[ Client Certificate ]          AIRVPN Client Auth
[ Encryption algorithm ]        AES-256-CBC (256 bit key, 128 bit block)
[ Auth Digest algorithm ]       SHA1 (160bit)
[ Hardware Crypto ]             No Hardware (AESNI is automatic)
[ Compression ]                 Disabled
[ Disable IPv6 ]                [X]

[ Advanced ]
mssfix 1379; ## try to hide OpenVPN
fast-io; ## only for UDP
explicit-exit-notify 4; ## only UDP
server-poll-timeout 10;
key-direction 1;
key-method 2;
keysize 256;
prng SHA512 64;
remote-cert-tls server;
tls-version-min 1.2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
reneg-sec 3600;
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

[SAVE]
####################################################################
VPN -> OpenVPN -> Clients: [ AIRVPN1 -> clone ]
[ Server host ] use a different server
[ Server port ] use a different Port ( IMPORTANT for different IP Pool https://airvpn.org/specs/ )
[ Description ] AIRVPN2
[SAVE]

####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ] (could be different if you have an openvpn server / use the last two)
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN1
    [ Block bogon networks ]    [x]
    [SAVE]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN2
    [ Block bogon networks ]    [x]
    [SAVE]
####################################################################
System -> Gateways -> All
[ AIRVPN1_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN2_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN1_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

[ AIRVPN2_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

####################################################################
System -> Gateways -> Group [ Add group ]
[ Group Name ]          GRP_AIRVPN
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Loadbalance
[SAVE]
                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_1_2
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 1 -> 2
[SAVE]

                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_2_1
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 2 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 2 -> 1
[SAVE]

####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [x] Skip rules when gateway is down (IMPORTANT)
[ Sticky connections]   [x] Use sticky connections (for loadbalance group)
####################################################################
Firewall -> NAT -> Outbound
[+]
    [ Interface ]           AIRVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      N_LOCALNETS
    [ Destination invert ]  [X]
    [ Destination address ] N_LOCALNETS
    [ Translation/target ]  Interface address
    [SAVE]
[ AIRVPN1 ] [CLONE]
    [ Interface ]           AIRVPN2
    [SAVE]
####################################################################
Firewall -> Rules -> LAN (or whatever interface you want to force traffic to VPN /
            repeat for other internal interfaces or group them and use the rules on the group interface )
[+]
    [ Action ]                  block
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Destination portrange]    P_MS_CIFS_SMB
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination ]             H_ALLOWED_DNS
    [ Destination portrange]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Description ]             force traffic over VPN
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   LAN (or LANGROUP)
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      N_VPNUSER
[ Destination invert ]          [X]
[ Destination ]                 H_ALLOWED_DNS
[ Destination portrange]        DNS DNS
[ Redirect Target ]             single Host or Network
                                10.5.0.1 (or any other from the allowed DNS)
[ Redirect Target Port ]        DNS
[ Description ]                 redirect all DNS to allowed DNS
[SAVE]

check results of
https://ipleak.net/
https://www.dnsleaktest.com/
http://witch.valdikss.org.ru/
https://browserleaks.com/ip


EDIT: changed remove VPN default Gateway in advanced section
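Several posts in this thread hit the same two rule-ordering effects: DNS to the firewall breaking once a VPN host's traffic is policy-routed (skirge01's symptom, fixed by the "This Firewall -> DNS" rule NilsS gave above), and the tunnel dropping while the host quietly falls back to the WAN gateway (eptesicus's trip, kein's kill switch). To make both reproducible offline, here is an added toy evaluator of my own, not OPNsense code: it applies pf-style first-match rules with per-rule gateways and models the "Skip rules when gateway is down" setting NilsS marks IMPORTANT. Aliases, hosts, and gateway names (N_VPNUSER, N_LOCALNETS, H_ALLOWED_DNS, VPN_DHCP, WAN_PPPoE) are constructed to mirror the thread, and the two rulesets are the OP's Step 9 as posted and a hardened version built from NilsS's advice.

```python
"""Toy first-match evaluator for the LAN rule ordering discussed in this thread.

Constructed example, not OPNsense code. It reproduces two effects from the
thread: a VPN host's DNS query to the firewall being caught by the policy-
routing rule, and a VPN host falling through to the WAN rule when its gateway
is down and "skip rules when gateway is down" removes the VPN rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed aliases mirroring the thread (the OP's VPNTraffic == NilsS's N_VPNUSER).
ALIASES = {
    "THIS_FIREWALL": [ip_network("192.168.1.1/32")],
    "N_LOCALNETS": [ip_network("192.168.1.0/24")],
    "N_VPNUSER": [ip_network("192.168.1.50/32")],
    "H_ALLOWED_DNS": [ip_network("10.4.0.1/32"), ip_network("10.5.0.1/32")],
}


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src: str = "any"                     # alias name or "any"
    dst: str = "any"
    dst_invert: bool = False             # the GUI's "Destination / Invert" box
    dports: Optional[frozenset] = None   # None = any port
    gateway: Optional[str] = None        # None = ordinary routing table
    desc: str = ""


def _in_alias(name, addr):
    return name == "any" or any(addr in net for net in ALIASES[name])


def _matches(rule, src, dst, dport):
    if not _in_alias(rule.src, src):
        return False
    if _in_alias(rule.dst, dst) == rule.dst_invert:  # membership XOR invert flag
        return False
    return rule.dports is None or dport in rule.dports


def evaluate(rules, src, dst, dport, gateways_up):
    """Return (action, gateway) for the first matching rule.

    A rule whose gateway is down is treated as absent, which is what
    "skip rules when gateway is down" does; the packet then keeps
    walking the list, so whatever sits behind the VPN rule decides.
    """
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r.gateway and not gateways_up.get(r.gateway, False):
            continue
        if _matches(r, src, dst, dport):
            if r.action != "pass":
                return "block", None
            return "pass", r.gateway or "routing-table"
    return "block", None  # pf default deny


ANTI_LOCKOUT = Rule("pass", dst="THIS_FIREWALL", dports=frozenset({22, 80, 443}), desc="anti-lockout")
ALLOW_LOCAL_DNS = Rule("pass", dst="THIS_FIREWALL", dports=frozenset({53}), desc="DNS to the firewall")
DEFAULT_WAN = Rule("pass", gateway="WAN_PPPoE", desc="everything else via WAN")

# The OP's Step 9 ruleset as posted.
OP_RULES = [
    ANTI_LOCKOUT,
    Rule("pass", src="N_VPNUSER", gateway="VPN_DHCP", desc="VPN hosts via VPN"),
    DEFAULT_WAN,
]

# The same idea with NilsS's DNS rule, a foreign-DNS block and a kill-switch block.
HARDENED_RULES = [
    ANTI_LOCKOUT,
    ALLOW_LOCAL_DNS,
    Rule("pass", src="N_VPNUSER", dst="H_ALLOWED_DNS", dports=frozenset({53}), gateway="VPN_DHCP"),
    Rule("block", src="N_VPNUSER", dst="H_ALLOWED_DNS", dst_invert=True, dports=frozenset({53}), desc="no foreign DNS"),
    Rule("pass", src="N_VPNUSER", dst="N_LOCALNETS", dst_invert=True, gateway="VPN_DHCP", desc="force over VPN"),
    Rule("block", src="N_VPNUSER", dst="N_LOCALNETS", dst_invert=True, desc="kill switch"),
    DEFAULT_WAN,
]

VPN_UP = {"VPN_DHCP": True, "WAN_PPPoE": True}
VPN_DOWN = {"VPN_DHCP": False, "WAN_PPPoE": True}


def scenarios(rules):
    """Run the thread's trouble cases against a ruleset; returns {name: (action, gateway)}."""
    return {
        "vpn_host_dns_to_firewall": evaluate(rules, "192.168.1.50", "192.168.1.1", 53, VPN_UP),
        "vpn_host_dns_to_8.8.8.8": evaluate(rules, "192.168.1.50", "8.8.8.8", 53, VPN_UP),
        "vpn_host_web_vpn_up": evaluate(rules, "192.168.1.50", "93.184.216.34", 443, VPN_UP),
        "vpn_host_web_vpn_down": evaluate(rules, "192.168.1.50", "93.184.216.34", 443, VPN_DOWN),
        "other_host_web": evaluate(rules, "192.168.1.20", "93.184.216.34", 443, VPN_UP),
    }


if __name__ == "__main__":
    for label, rules in (("OP Step 9", OP_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for case, verdict in scenarios(rules).items():
            print(f"  {case:28s} -> {verdict}")
```

With the OP's ruleset the VPN host's query to the firewall's own resolver matches the "VPN hosts via VPN" rule and is handed to VPN_DHCP instead of being delivered locally, which is the "only DNS is broken" picture skirge01 describes; the hardened list answers it from the routing table because the DNS rule sits before the gateway rule. When VPN_DHCP is down, the OP's list lets the same host out over WAN_PPPoE, while the hardened list blocks it, so a dropped tunnel fails closed rather than open.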
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Gargamel on October 15, 2017, 05:59:57 pm
When I try these NAT / Firewall rules, my network gets totally BLOCKED, and I have pass in the rule..

Can't access the firewall, cannot ping outside internet; the pass rule in the latest firmware "pass" seems to mean "block everything"..

Hmm, after I disabled the rule, it started to route through the VPN, weirdly.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Kevin99 on December 20, 2017, 11:16:38 pm
Nice instructions!
VPN is up but I have DNS problems. I can do DNS address pings and trace route from the Opnsense box OK, but not from PCs.
Can anyone tell me what the settings in General should be, and what to use, unbound or dnsmasq, and how?
Also DHCP does not work properly, also seems to be DNS, what settings should be there?
Any other suggestions? I tried a lot of different settings but I am stuck!
NilsS' instructions seem to get me the furthest. I read a lot; perhaps I need some code in a file to get it working, push DNS?

Thanks a lot all!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Kevin99 on December 25, 2017, 10:34:23 am
I got it working.
Can anyone tell me please if Alias for VPN user should be like this? Network
192.168.3.1/24
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ExGarder on January 22, 2018, 10:28:36 pm
None of these howtos are working for me.
I'm on version 17.7.12

At the best I have no access to internet, but still have access to opnsense.
At worst opnsense is bricked, no access to it.

Does someone get this running?
Can You tell me what is missing in the howto's?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: richardmountain on January 25, 2018, 12:08:45 pm
First post :)

I too am having issues getting this setup, I've gone through all of the settings mentioned in this forum post but I'm still struggling to route my traffic through the VPN, the VPN is up and running and connected it just seems to be the firewall rules that I'm struggling with.

I will keep at it and post back when I finally get it working, hopefully between all of us that are struggling we can all get it sorted.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: kein on January 25, 2018, 05:33:44 pm
> I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!
>
> Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.
>
> Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?
>
> Thanks again!

Hi,

thanks OP for the post, it works just fine.
For the kill-switch part I had the work done with an extra NAT/outbound rule.
Rule to add after the ones concerning the VPN:
Clone the WAN default rule (LAN->WAN), check "do not nat".
Put the rule AFTER the rules specified by M4D and BEFORE the default rules.

WAN    proxytraffic     *    *    *    NO NAT    *    NO    proxy killswitch

The rule blocks the traffic from the alias proxytraffic from going through the normal WAN gateway.
As, if the VPN client goes down, the PC will use the default WAN gateway.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: richardmountain on January 25, 2018, 10:11:27 pm
Well, my update:

I'm halfway there, for example, I can ping the google.com IP address and get a response but pinging the domain name doesn't work.  I know it's a DNS issue but I can't for the life of me work out how to fix it.

I see Kevin99 had a similar issue but has neglected to inform the rest of us how he managed it :(

If anyone can help it would be much appreciated.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on February 03, 2018, 09:09:06 pm
Any plans to update your instructions/tutorial for OPNsense version 18.1.1? I'm having a heck of a time getting my OPNsense box up as a VPN client.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: franco on February 05, 2018, 08:56:07 am
There may be a bug in the way outbound NAT generation works on OpenVPN interfaces. We're hoping for 18.1.2 to address this.


Cheers,
Franco
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: paulswansea on February 09, 2018, 05:46:32 pm
Any update as to if anyone can get this working?  I have 18.1.2_2 installed, just setting up the configuration, I have followed the instructions and the vpn clients connect successfully, however when I try to connect a host to them, web pages don't load.

I also noticed, when switching the NAT outbound rules to manual, the automatic ones disappear. Is this supposed to happen? On the previous version it used to leave the standard WAN interface rules there which made things easier.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ragemachinest on February 10, 2018, 10:19:39 am
> Hi
>
> I have been trying to get this working; all the IP addresses I set up to go through the VPN work correctly. However, any traffic not going via the VPN cannot reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried, everything seemed to connect correctly to the internet but I still could not reach anything, and setting a manual IP and DNS did not work this time.
>
> Is there any way to test why this is not working correctly?
>
> thanks

Paul,

I'm having this exact same issue. I was previously on pfsense and recently switched over. I set up OPNsense to where all traffic routed through a VPN, but I set up specific LAN rules to allow certain boxes, like my Roku, to exit through the WAN gateway for Netflix/Amazon purposes. When I try to do that same rule in OPNsense, I get no internet connectivity at all. I tried to identify where the failure is but haven't been able to figure it out yet. If anyone has thoughts, please let me know. :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 12, 2018, 03:11:20 pm
I am having the exact same issue on OPNsense v18.1.1_2. I have been trying to migrate to OPNsense, but I cannot get OPENVPN to route traffic correctly which I need, and this forces me to restore my pfSense setup in the interim.
I have tried setting up OPENVPN like I have numerous times on pfSense using the same steps on a clean install of OPNsense to no avail. I can connect to my VPN provider (via client mode), but traffic does not route through the VPN even with the correct NAT and firewall rules in place.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: slackadelic on February 12, 2018, 03:22:22 pm
Can you show us the rules in question within the OPNsense GUI that you're trying?


I use PIA and have my network default route set to my PIA interface.  I then have a list of 'hosts' that should bypass PIA setup in the firewall and it works great.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on February 14, 2018, 02:43:22 am
Hi,

Here is my situation with this issue.

I'm fully updated on 18.1.2_2.

I followed this how-to when I was still on 17.7.something (one of the latest ones, in case that matters).

The only thing I did different is "Step 8, the Manual outbound NAT generation" bit, as the only way to keep the automated and manual rules in place at the same time is by using the "hybrid" setting.
Of course I also tried to use manual but it does not make any difference.

In my setup I want to have all traffic coming from a VLAN (10.55.59.0/24) to be routed through the OpenVPN connection, while untagged traffic coming from 10.55.55.0/24 will reach the internet directly.

The correct gateway for the network is 10.55.50.1, while the gateway for the OpenVPN connection is something like 46.246.85.1.

Problem #1
When OpenVPN is connected to its server, 10.55.59.0/24 correctly goes on the internet through the encrypted tunnel, but unfortunately 10.55.55.0/24 has no Internet access whatsoever (tested with something like "ping 8.8.8.8" or curl).

If it helps with understanding, checking the routes I can see this:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.50.2         link#1             UHS         lo0
10.55.55.0/24      link#2             U          igb1
10.55.55.1         link#2             UHS         lo0
10.55.59.0/24      link#14            U      igb1_vla
10.55.59.1         link#14            UHS         lo0
10.55.60.0/24      link#3             U          igb2
10.55.60.1         link#3             UHS         lo0
10.55.61.0/24      link#10            U      igb2_vla
10.55.61.1         link#10            UHS         lo0
10.55.62.0/24      link#11            U      igb2_vla
10.55.62.1         link#11            UHS         lo0
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
46.246.85.1        link#9             UH       ovpnc1
46.246.85.21       link#9             UHS         lo0
84.200.69.80       00:e0:4c:65:25:dd  UHS        igb3
84.200.70.40       00:e0:4c:65:25:dd  UHS        igb3
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
192.168.5.0/24     link#4             U          igb3
192.168.5.1        00:e0:4c:65:25:dd  UHS        igb3
192.168.5.131      link#4             UHS         lo0
192.168.17.0/24    192.168.5.1        UGS        igb3
192.168.20.0/24    192.168.5.1        UGS        igb3
192.168.40.0/24    192.168.5.1        UGS        igb3

Problem #2
ovpnc1 has higher priority than igb0, so the router itself goes on the internet through OpenVPN, and I don't want that.


Any tips on debugging the current issues will be appreciated.


Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on February 16, 2018, 10:26:08 am
Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far, fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 18, 2018, 03:02:53 pm
Hi Andrea,

Well, I'm a little stuck too... I wrote the original HOW-TO for getting this going under 17.x but this new version is not playing nice.

I've been trying a combination of settings but no luck so far, fingers crossed, this could just be a bug that gets corrected in the next update.

Will keep everyone posted on here if I find a work-around.

Cheers :)
Hi @M4DM4NZ have you been able to make any progress on this issue?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on February 18, 2018, 11:49:06 pm
I did manage to get it going (kinda).

I inverted my original setup so by default all traffic passes by the VPN, then set a rule pointing a single PC on my network to have access to the WAN directly. (DMZ)

After messing around with these setting for HOURS! I did manage to get it working, but it wasn't stable.

I had to flip the gateway setting in the LAN rule for the single PC that required WAN access, then flip it back so the gateway was using the VPN, then flip it back again.

It worked fine (until that single PC released/renewed its IP address).

So, for now I've reverted back to 17.x until I can find more time to take another look at it.

Keep you posted.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 25, 2018, 09:19:39 pm
I have the same problem. I just switched to opnsense :(, spent 2 days on basic config, today lost a whole day and was unable to make routing through VPN work.

Is there a bug open for this? Because something is obviously wrong.

Anyone managed to make this work?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: relink2013 on February 28, 2018, 12:32:04 am
I'm following this closely as well, and this tutorial right here is the whole reason I went with OPNSense.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 28, 2018, 09:31:40 am
I did a fresh install of opnsense and everything is working for me now :), don't ask me how. The only change I made on the first try was to select LibreSSL under firmware settings. Now I just use the default OpenSSL.

Anyway..VPN works, policy routing works, I only need to do additional testing regarding DNS leaks..
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on February 28, 2018, 03:02:57 pm
I did a fresh install of opnsense and everything is working for me now :), don't ask me how. The only change I made on the first try was to select LibreSSL under firmware settings. Now I just use the default OpenSSL.

Anyway..VPN works, policy routing works, I only need to do additional testing regarding DNS leaks..
So what you are saying is that if one uses OpenSSL rather than LibreSSL, VPN NAT routing works on v 18.1.2_2?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on February 28, 2018, 03:14:28 pm
I can't claim that routing doesn't work when LibreSSL is selected, but this is the only thing I changed on the first installation. Maybe I also messed something else up, can't say. :)

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 06, 2018, 02:36:22 am
Hi,

Just to give everyone an update on this - I have patched OPNsense to the latest (18.1.3) but the issues reported in my previous comment (#29) still remain a problem.

Let me know if you experience anything different please.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jelly-ck on March 09, 2018, 09:49:07 pm
Has there been any progress on routing selective traffic over OpenVPN on v18.1.4? I haven't had a chance to update and test the routing on v18.1.3 or v18.1.4. Still on 18.1.2_2.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 01:03:51 am
Hi,

I'm on 18.1.4 but I have not seen any progress regarding my situation.
My routing table still looks exactly the same as before, and I experience the same problems as before.

A couple of things I've noticed with the VPN on (and therefore with no connectivity):
1) checking the firewall log I can see that my ping to the google DNS servers (8.8.8.8) is allowed, but since I get no response, I assume the "reply" messages are blocked on the way back;
2) if I am pinging something (e.g. 8.8.8.8) while I enable the VPN, the ping keeps working - so something is blocking new connections, but not already established ones.

Regards,
Andrea

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 01:57:22 am
actually, possibly the biggest routing problem experienced (in my case) came from this rule:
0.0.0.0/1          46.246.85.1        UGS      ovpnc1

I thought this was added by OpnSense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OpnSense from pulling extra routes and messing up my routing table.

Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.

I'll have to investigate in that direction.

Regards,
Andrea
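A small parser for `netstat -nr` output, as an added example that is not part of any post in this thread and not OPNsense code: it finds the two /1 half-routes that a provider's `redirect-gateway def1` pushes and shows why they beat the `default` entry (longest prefix wins), which is the effect Andrea describes and which "Don't pull routes" removes. The sample routing table is constructed from a subset of the entries posted above.

```python
"""Spot 'redirect-gateway def1' half-routes in FreeBSD `netstat -nr` output.

Added example, not from this thread or from OPNsense. A provider that pushes
'redirect-gateway def1' installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel;
both are more specific than 'default', so longest-prefix matching sends the
firewall's own traffic (and anything without a policy route) into the VPN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEF1_HALVES = ("0.0.0.0/1", "128.0.0.0/1")

# Constructed sample: a trimmed copy of the kind of table posted above.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.55.0/24      link#2             U          igb1
10.55.59.0/24      link#14            U      igb1_vla
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat(text: str) -> List[Route]:
    """Parse the IPv4 'Internet:' section; host entries become /32 networks."""
    routes: List[Route] = []
    in_inet = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line or line.startswith("Destination"):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
               else ipaddress.ip_network(dest, strict=False))
        routes.append(Route(net, gateway, flags, netif))
    return routes


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style lookup: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen, default=None)


def find_def1_hijack(routes: List[Route]) -> Dict[str, object]:
    """Report whether both /1 halves exist and point at a single interface."""
    halves = [r for r in routes if str(r.dest) in DEF1_HALVES]
    default = next((r for r in routes if r.dest.prefixlen == 0), None)
    hijacked = len(halves) == 2 and len({r.netif for r in halves}) == 1
    return {
        "default_netif": default.netif if default else None,
        "def1_netif": halves[0].netif if hijacked else None,
        "hijacked": hijacked,
    }


def without_pushed_halves(routes: List[Route]) -> List[Route]:
    """The table as it looks once 'Don't pull routes' (route-nopull) is set."""
    return [r for r in routes if str(r.dest) not in DEF1_HALVES]


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    print(find_def1_hijack(table))  # hijacked: True, def1_netif: ovpnc1
    for dst in ("8.8.8.8", "178.73.195.98", "10.55.55.20"):
        before = longest_match(table, dst).netif
        after = longest_match(without_pushed_halves(table), dst).netif
        print(f"{dst:16} before={before:9} after={after}")
```

Note that the VPN server's own address (178.73.195.98/32 via igb0) stays on the real WAN in both cases, which is what keeps the tunnel from routing into itself.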
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on March 13, 2018, 08:59:39 am
Are you using DNS Resolver or DNS Forwarder?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 10:20:30 am
I'm using Unbound default settings (I think).
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dimi3 on March 13, 2018, 11:59:11 am
I'm using unbound in Forwarder mode, since I don't need local LAN name resolving.

I couldn't make it work with default settings (also my knowledge is limited).

For a test try to use:

under Services - Unbound - tick these options:
Enable Forwarder Mode
Register DHCP leases in the DNS Resolver

Select outgoing network interfaces ... I have selected both WAN and VPN

Under System - Settings - General insert DNS addresses e.g. 8.8.8.8 and tick

Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

Under VPN client settings tick: Don't pull routes

Maybe this will help you; if not, you could post your FW rules.

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 13, 2018, 06:19:08 pm
I use local name resolving.

Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.

The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.

So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.

So far I've been following these instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.

Regards,
Andrea

PS: is there a single place where to retrieve all FW rules? I have lots of subnets...
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: seamus on March 31, 2018, 07:11:26 pm
Hello All,

I've been watching this thread with interest as it's almost exactly what I want to do (uh, except I'm not using torrent, I'm just trying to get around some "geo-location" BS). I hoped that all questions and issues that have come up with the HOW-TO would be resolved in short order, but it's been over 2 weeks since the last post. Can someone provide an update on the status of this?

~S
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on March 31, 2018, 07:22:58 pm
Hi Seamus,

Unfortunately I made no progress since my last post.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mscucciari on April 10, 2018, 11:57:18 am

Hello,
has anyone managed to run openvpn client (airvpn - nordvpn - etc) under opnsense 18.x?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: karotte2000 on April 10, 2018, 07:44:02 pm
I was trying to get (Nord)VPN running and route all LAN traffic through it but I can’t get it working without pulling routes from the VPN Host, which in turn messes up my routing and all rules get “randomized”... is there any progress on this issue? Would it make sense to downgrade to 17.x?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on April 10, 2018, 08:04:29 pm
have you guys tried the latest 18.1.6 yet? I haven't.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: NilsS on April 12, 2018, 09:44:42 am
It's still running on 18.1.6 (almost the same config as in Post https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066 )

just changed
Code: [Select]
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

to
Code: [Select]
route-nopull
route 10.4.0.0 255.255.0.0 10.4.0.1

but that's only working when you know the ipaddr/net and gateway of your VPN Provider

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: karotte2000 on April 12, 2018, 10:44:57 pm
@NilsS Thanks for your message. I tried out adding a route manually like you described (Advanced Options in VPN Client configuration) and now my system feels more deterministic again; I could check "Don't pull routes" and "Don't add routes" and it still works. Now I can tweak rules. Thank you!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: quirkyferret on April 24, 2018, 01:31:24 am
Following these instructions, I had this working in Jan.. but then I wanted to bring on another interface, set up a DMZ. I then had some issue with traffic not routing appropriately - it looks like I'm not the only one who ran into something like this, reading through the last few pages. I disabled the VPN client, and got the second interface working.

I've decided I want to tackle this again, ran through all the updates so I'm on 18.1.6. I can confirm the VPN client shows as up, I've followed the rules - but now I apparently can't get any traffic out through the VPN. No matter what host I add (tried some VMs and some bare metal in case there was something weird I was missing), all traffic appears to hit my physical interfaces, rather than the virtual VPN interface.

edit: I missed a basic troubleshooting step. After a reboot, I could now send from my VPN alias out through the VPN.. along with all of my other traffic. Rereading the other issues people experienced, I experimented with the flags for 'don't pull routes' / 'don't add or remove routes'.

With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work. Though I'm not sure exactly how confident I am in this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jo3rg on May 21, 2018, 01:34:02 pm
I can confirm that:
Code: [Select]
With 'don't pull routes' unchecked, and 'don't add or remove routes' checked.. everything appears to work.
also did the trick for me.
Thanks a lot everybody and regards
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jafinn on May 28, 2018, 09:31:29 am
I got this working with 17 but after a crash and re-installation of 18 I can't get it to work anymore.

I tried multiple instructions for setting up a VPN Killswitch for both OPNsense and pfsense but I couldn't get any of them to work. I tried setting it up myself and it seems to be working.

Here's how it's set up on OPNsense 18.1.8:

 1. I created an alias for computers restricted to VPN

 2. Turned off gateway switching (not sure if this is needed)

 3. Created pass firewall rule on LAN interface
   - source "VPNalias"
   - gateway VPN
   - set local tag "VPN"
   - everything else as default

 4. Created floating rule
   - action "reject"
   - "quick" checked
   - interface WAN
   - direction out
   - match local tag "VPN"

 5. Create outbound NAT rule (hybrid mode)
   - interface VPN
   - source address "VPNalias"
   - translation/target "interface address"

As far as I can tell this setup blocks traffic when the VPN goes down but it seems so simplistic compared to any of the guides I followed. Am I missing something?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andreab on May 29, 2018, 03:14:17 am
Hi,

Maybe it's just me, but I can't get this to work!

I can connect to the openVPN server, that has never been a problem.

I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.

When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from traceroute below:
Code: [Select]
root@routy:~ # traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
 1  c-46-246-84-1.ip4.frootvpn.com (46.246.84.1)  34.104 ms  33.843 ms  33.998 ms
 2  178.73.195.97 (178.73.195.97)  35.006 ms  34.265 ms  34.585 ms
 3  be-1.cr1.sto2.se.portlane.net (80.67.4.208)  35.372 ms  35.370 ms  35.383 ms
 4  72.14.216.118 (72.14.216.118)  34.637 ms  34.987 ms  34.275 ms
 5  108.170.253.161 (108.170.253.161)  35.504 ms
    108.170.254.33 (108.170.254.33)  35.479 ms  35.283 ms
 6  216.239.58.43 (216.239.58.43)  34.759 ms
    72.14.236.85 (72.14.236.85)  34.908 ms
    74.125.37.157 (74.125.37.157)  34.624 ms
 7  google-public-dns-b.google.com (8.8.4.4)  34.819 ms  34.505 ms  35.023 ms


The default gateway is correct (10.55.50.1), but somehow it goes through the openVPN one.
Code: [Select]
root@routy:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.84.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
[..]



Hosts in other subnets (other than the VPN one), cannot get on the Internet:
Code: [Select]
root@willy:~# traceroute google.com
traceroute to google.com (172.217.22.174), 30 hops max, 60 byte packets
 1  routy.home (10.55.55.1)  0.200 ms  0.170 ms  0.179 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/

I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!

If anyone can give me some hints, it would be much appreciated.

Regards,
Andrea
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: blackdwarf on June 01, 2018, 02:33:33 pm
Just in the process of migrating from pfsense and this capability is absolutely necessary for me, and I can't get it to work (set up in exactly the same way my pf box was). Currently running 18.1.9. Is there any progress on this (preferably making it easier to set up somehow)?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: conanTheRouter on June 18, 2018, 06:49:26 pm
It seems that I have got things working, tunneling the specific IP.

But I cannot get the other clients to reach Internet. When selecting "Manual outbound NAT rule generation", the list was empty. Shouldn't I have more rules then just the three?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: omf on June 19, 2018, 05:31:48 am
I just got this working using a fresh OPNsense install (18.1.6).  In the VPN client configuration, you definitely want to leave "Don't pull routes" unchecked and check "Don't add/remove routes".

I do have the DNS problem that some people mentioned, though.  Basically, from the machine I'm forcing to go through the VPN tunnel, I am able to ping addresses on the Internet, but DNS look-ups fail. 

Using Wireshark, I see the DNS requests go out from the client to OPNsense, but I never see a reply.

In the OPNsense log, I see the DNS request come in from the client, and then a DNS reply seems to come from the OpenVPN client IP assigned to the interface.

If I manually configure my client machine to use another DNS server (e.g. 8.8.8.8), then everything works.

I'm using the default DNS server - "Unbound DNS" - so the next thing I'll be trying is to use Dnsmasq instead.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on July 05, 2018, 01:28:53 am
Updated to 18.1.11 and am still having issues getting OpenVPN (PIA) working like I had it on pfSense.
I hope this How-To gets updated to include detailed instructions on how to route specific traffic over VPN on OPNsense 18.1.X.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Nismanoke on July 09, 2018, 05:43:00 am
Hi all,

I had the same problems with dns. (error_resolv_name)

I followed the manual from NilsS on page 2 on top. At first it wasn't working; after I placed the firewall rule autocreated by the port forward rule on the NAT section of the firewall and restarted my openvpn clients everything started working.

I have noticed that after each change in the firewall, gateway and interface section the openvpn clients have to be restarted in order to get it working.


Hope some more people get it up and running now.


Update:
Now after half an hour I get connection time out. When I restart the openvpn client(s), everything starts working again for a few minutes and then I get the connection time out again. Bummer.

I think I'm reverting to pfsense, got it working there before. Wanted to try out opnsense but can't find something to get it working. A lot of people are complaining that from some version on a bug or something causes problems.

Maybe opnsense developers can look into this and post a guide on how to do policy based routing with an openvpn client gateway (group), or a workaround.
Would like

greetings,
Nismanoke
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ThePOO on July 10, 2018, 05:31:18 am
Perhaps look at https://forum.opnsense.org/index.php?topic=8998.0 as a possibility .... I don't know if the method there gets the job done, but it's maybe worth a look.

And, I agree ... there should be a reliable, official method documented for opnsense.   I, too, had a bullet-proof, leak-proof vpn set up in pfsense and have not been able to do that in opnsense.    I really like opnsense and the developers are spot-on with where the product is going.    Perhaps, at some point, they'll look into this and come up with a similar bullet-proof method ... x'ing fingers.

I've been watching this topic and the topic, in the link above, hoping someone definitively solves this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: M4DM4NZ on July 11, 2018, 03:27:17 am
Hey Guys,

M4DM4NZ here, wow this HOW-TO I started over a year ago has had some major viewing, so I figured I better keep you all up to date with my current configuration.

Sorry I haven't been on here posting much, life stuff gets in the way of geek stuff now and then...

Anyway, I recently had issues with my VPN dropping out a few months ago and figured I better update opnsense to a more current version as I've been using 17.something for a while now.

I can't say exactly what I did, but from memory I backed up my current config from 17.x and restored it on top of a clean install of 18.x

I do recall some funky things happening as it wasn't a smooth transfer and involved a lot of trial and error testing.

So... I'm gonna go over my current working config soon and post some settings here once I get home from work.

Thank you all for your effort in keeping this thread active, and big thanks to conanTheRouter and NilsS for maintaining my How-To and adding some cool functions.

Keep you all posted soon with config updates :)



Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Patpop on July 16, 2018, 08:35:14 am
Any progress on this? Would really like to switch from pfsense to opnsense but this is holding me back from switching. Thx
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jds on August 17, 2018, 08:07:22 pm
I don't have much experience with opnsense, but after some communications with tech support at PIA,
it was eventually possible to get this working.  I did not read all of the problems you were having above (sorry),
but can tell you that only some small subset of settings will work, and not all are documented.  In fact,
they even recommend something that definitely does not work.   My settings are:

System -> Trust -> Authorities:
---------------------------------------
I added an authority called PIA-4096, and pasted this size key from PIA and saved.


VPN -> clients:
-------------------
Server mode: Peer-to-peer (SSL/TLS)
protocol: UDP4
device mode: tun
interface: WAN
Remote server: <my favorite PIA server> 1197
infinitely resolve remote server is enabled
<add your credentials to PIA>
Peer Certificate Authority: PIA-4096
Client Certificate: None
Encryption algorithm: AES-256 CBC (256 bit key,128 bit block) <this must match the same certificate, and must be CBC>
Auth Digest Algorithm: SHA-256 (256 bit)
No Hardware Crypto Acceleration
Compression: enabled with adaptive compression
Disable IPv6 is checked
Advanced:
    persist-key;
    persist-tun;
    remote-cert-tls server;
    reneg-sec 0;
    auth-retry interact

I may have forgotten some details, but if you ask will look them up in my working setup.

Hope this helps.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: bevigilant on August 24, 2018, 12:05:45 pm
Removed my post as I have all this working now. I disabled DNS resolver on the OPNSENSE box and spun up a pihole VM. Set that as DNS in the DHCP options and all works fine now.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on August 28, 2018, 03:27:15 am
Urgh - just migrated from pfSense and having the exact same issue.

Anyone have any update? I'm also running AirVPN in the UK. With my alias firewall rule in place, my system loses internet connectivity. When I disable the rule (and the device goes out the normal WAN rule) everything works as normal.

VPN is connected - verified in the GUI and also through the AirVPN site.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on August 28, 2018, 11:58:27 am
OK - it seems to be working for me now.

I had to uncheck the following settings in the OpenVPN client settings:


With those two settings unchecked, policy based routing works.

I'm seeing some weird issues with DNSSEC as well. For some reason, with DNSSEC enabled, some sites never resolve. As soon as I disable DNSSEC, they resolve just fine.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on August 28, 2018, 09:18:50 pm
If somebody can lend me an account I can try to make an official guide, but I'm not willing to pay for something I'm not using.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tomrwaller on September 02, 2018, 02:34:31 pm
Hi all.

Just to follow up on my previous post.

DNSSEC actually wasn't at fault. It seems that even with the VPN up and the Unbound outgoing interface set to that of the VPN WAN, DNS still resolves as if it were configured for the WAN - meaning there were DNS leaks all over the show.

I had to use a custom server option in Unbound to get this to work - far from ideal but I will wait for the fix to come in for the GUI. Just to re-iterate, this has all worked flawlessly in pfSense for years. It's a shame it is not quite the same in OPNSense.

Unbound custom server settings are (where x.x.x.x is the IP for the VPN DNS server you wish to use):

forward-zone:
    ## Fix for VPN DNS.
    name: "."
    forward-addr: x.x.x.x@53
    forward-addr: x.x.x.x@53
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Wombat on September 05, 2018, 03:22:23 am
First, I cannot find a "HOWTO - Routing Traffic over Private VPN"  in the docs.opnsense.org site.  Thought it might help me with my VPN for which I will raise a new topic.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: John Beer on October 02, 2018, 09:59:34 pm
I have been banging my head against a wall trying to get an AirVPN OpnSense gateway setup to work, with the help of this thread, and I think I might have stumbled across a bug/unexpected behavior that might explain some of the problems that people in this thread are having. The problem became apparent when trying to use policy-based routing to selectively send only some LAN traffic through the VPN tunnel.

In a nutshell, OpnSense seems to set the default gateway of the VPN interface (the one displayed under System/Gateways/Single, NOT the default gateway of the linux interface ovpnc1) to the subnet mask, leading to broken policy-based routing through that interface. I have reproduced the issue on a fresh 18.7.4 install inside a virtual machine, the steps I took are as follows:


After setting up outbound NAT for the VPN interface created in step 6, LAN packets that are sent through it via policy-based routing are routed to the 255.255.255.0 address, leading the system to silently drop them. If the gateway IP for the interface is manually set to the one pushed by the AirVPN server (as taken from the OpenVPN log file), everything works as expected and LAN traffic is successfully routed through the VPN.

The OpenVPN server attempt to push the following interface settings:
openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'.
I assume the ifconfig command breaks OpnSense's parsing, leading to the subnet mask being mistaken for the gateway IP. The system interface ovpnc1 on the other hand has both its IP and gateway set correctly, as one would expect from seeing openvpn[51343]: /sbin/ifconfig ovpnc1 10.5.10.5 10.5.10.1 mtu 1500 netmask 255.255.255.0 up in the OpenVPN log.

Changing the IPv4 Configuration Type for the VPN interface from None to DHCP results in a VPN_DHCP interface being created instead of  VPN_VPNV4 , also with Gateway and Monitor IP set to 255.255.255.0.

I have not reported this as a bug as I'm not fully sure that the issue isn't with my configuration. Feel free to move the post to a better location, this thread just seemed the most relevant place to post it.
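An added example (not from the post above, and not OPNsense's own parsing code) that reads the PUSH_REPLY line quoted above and derives the tunnel gateway the way OpenVPN's options define it: with `topology subnet` the second `ifconfig` field is the netmask and the gateway comes from `route-gateway`, while under the older net30 topology the second field is the peer address. `naive_gateway` models the misreading the post suspects; the net30 log line is constructed.

```python
"""Derive the tunnel gateway from an OpenVPN PUSH_REPLY log line.

Added example, not from the thread or from OPNsense. Taking the second
argument of the pushed 'ifconfig' option as the gateway is only right for
the old net30/p2p topologies (where it is the peer address); with
'topology subnet' that field is the netmask and the gateway is carried by
'route-gateway'. A gateway of 255.255.255.0 is exactly that misreading.
"""
import ipaddress
import re
from typing import Dict, List, Optional

PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)'")

# Copied from the post above (topology subnet).
SAMPLE_SUBNET = (
    "openvpn[79283]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.5.10.1,"
    "route-gateway 10.5.10.1,topology subnet,ping 10,ping-restart 60,"
    "ifconfig 10.5.10.5 255.255.255.0,peer-id 1,cipher AES-256-GCM'."
)
# Constructed: what an older net30 server pushes (no route-gateway).
SAMPLE_NET30 = (
    "openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,"
    "route 10.8.0.1,topology net30,ping 10,ifconfig 10.8.0.6 10.8.0.5'."
)


def parse_push_reply(logline: str) -> List[List[str]]:
    """Split the quoted PUSH_REPLY payload into per-option token lists."""
    m = PUSH_RE.search(logline)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]


def first(options: List[List[str]], name: str) -> Optional[List[str]]:
    return next((o for o in options if o[0] == name), None)


def naive_gateway(options: List[List[str]]) -> Optional[str]:
    """The suspected bug: 'ifconfig <addr> <x>' with <x> taken as gateway."""
    ifc = first(options, "ifconfig")
    return ifc[2] if ifc and len(ifc) >= 3 else None


def tunnel_params(options: List[List[str]]) -> Dict[str, object]:
    """Local address, mask and gateway according to the pushed topology."""
    ifc = first(options, "ifconfig")
    if not ifc or len(ifc) < 3:
        raise ValueError("PUSH_REPLY carries no usable ifconfig")
    topo = first(options, "topology")
    topology = topo[1] if topo else "net30"  # OpenVPN's historical default
    rgw = first(options, "route-gateway")
    local = ifc[1]
    if topology == "subnet":
        netmask = ifc[2]                      # field 2 is a mask, not a host
        gateway = rgw[1] if rgw else None     # only route-gateway is valid
    elif topology == "net30":
        netmask = "255.255.255.252"           # each client gets a /30
        gateway = rgw[1] if rgw else ifc[2]   # field 2 is the peer address
    else:                                      # p2p: bare point-to-point link
        netmask = "255.255.255.255"
        gateway = rgw[1] if rgw else ifc[2]
    dns = [o[2] for o in options if o[:2] == ["dhcp-option", "DNS"]]
    return {
        "topology": topology, "local": local, "netmask": netmask,
        "gateway": gateway, "dns": dns,
        "redirect_gateway": first(options, "redirect-gateway") is not None,
    }


def is_plausible_gateway(gateway: Optional[str], local: str, netmask: str) -> bool:
    """A usable gateway is a host in the tunnel subnet, not the mask itself."""
    if gateway is None:
        return False
    try:
        gw = ipaddress.ip_address(gateway)
        net = ipaddress.ip_network(f"{local}/{netmask}", strict=False)
    except ValueError:
        return False
    if gw in (ipaddress.ip_address(netmask), ipaddress.ip_address(local)):
        return False
    if net.prefixlen == 32:                   # p2p: any other end will do
        return True
    return gw in net and gw not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    for line in (SAMPLE_SUBNET, SAMPLE_NET30):
        opts = parse_push_reply(line)
        p = tunnel_params(opts)
        print(p["topology"], "naive:", naive_gateway(opts),
              "correct:", p["gateway"],
              "plausible:", is_plausible_gateway(p["gateway"], p["local"], p["netmask"]))
```

Run against the quoted line the naive reading yields 255.255.255.0 and fails the plausibility check, while the net30 sample shows why that reading used to work: there the second field really is the peer.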
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: apiods on October 22, 2018, 03:05:58 pm
Hi, thanks to this thread, and information from other sources, I was able to get a VPN running as I wanted:

- Fresh install of 18.7.5_1
- LibreSSL firmware
- VPN provider: AirVPN
- Wanted to route selected hosts (on different VLANs) out via the VPN, with general traffic using the default WAN.
- DNS leak test reported ok

So far, so good  :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on December 13, 2018, 07:39:55 pm
Have these VPN routing issues been resolved? This thread has not had a lot of traffic in a couple of months. I have attempted many times to set up selective routing through PIA VPN on OPNsense without any luck.
Hoping someone will post an updated tutorial on how to accomplish this.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on December 13, 2018, 08:06:39 pm
Screenshots of Gateways, Gateway group, Firewall Rule and outbound Nat
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: PaoPao on December 17, 2018, 01:40:49 pm
Here are the pictures of my configuration.
However, I am not sure that it works 100%.

I just noticed that the floating rule doesn't work (:

Are there any other errors in the configuration?
(Except copy errors in the filter descriptions)

Gateway (Single)
(https://up.picr.de/34601123vj.png)

Gateway (Group)
(https://up.picr.de/34601117eq.png)

Outbound
(https://up.picr.de/34601118my.png)

Floating rules
(https://up.picr.de/34601119rs.png)

LAN rules
(https://up.picr.de/34601120li.png)

I also use Pi-Hole (Raspi) with Outbound DNS over TLS.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: tibere86 on December 17, 2018, 06:57:07 pm
Here are the pictures of my configuration.
However, I am not sure that it works 100%.
What is in your "N_LOCALNETS" Alias? Mind sharing a screenshot?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: PaoPao on December 18, 2018, 02:30:23 pm
Hi,

Here is the screenshot:
(https://up.picr.de/34608823fe.png)

If you want the floating rule to work check this option:
Uncheck [ ] Skip rules when gateway is down
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: rdofl on December 31, 2018, 11:59:50 am
Edited - I've posted my question in a new thread (https://forum.opnsense.org/index.php?topic=10849.0).
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: HA4g3n on January 09, 2019, 08:49:08 pm
Hello,

I've been reading several posts about OPNsense and OpenVPN.
I'm getting local DHCP clients routed through the VPN and it's working.

But I need to port forward traffic over the external VPN to a machine inside the LAN that uses a static mapping, but I really can't make it work.

I'll post my config:

VPN:
Infinitely resolve remote server - Ticked
Don't pull routes - Unticked
Don't add/remove routes - Ticked
UDP enabled

System\Gateways\Single:
WAN_GWv4 (default)   WAN

Port Forward:
OpenVPN:
TCP/UDP
NAT reflection - Enabled
Filter rule association - Rule Nat

Firewall\Settings\Advanced:
Reflection for port forwards - Ticked
Reflection for 1:1 - Unticked
Automatic outbound NAT for Reflection - Ticked

Running OPNsense 18.7.10-amd64

OVPN over openVPN.
WAN 172.22.1.4 - Edgemax 172.22.1.4 - ISP
LAN 192.168.1.2
VPN    10.128.64.xx Public 185.x.x.x

Any tip is welcome
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: TaceN on January 18, 2019, 11:57:05 pm
Hey,

Thanks for a great guide. Works perfectly connecting through VPN.

I just have a question that I can't really figure out.
Is it possible to set up this functionality like this?

I'm using a Unifi USG router with two WAN ports.
I'd like to connect the computer running OPNsense to my CPE (port 1, separate IP) and use a USB network adapter which is connected to my USG WAN2.
I'll also connect my USG to the CPE (port 2, separate IP) on WAN1.

My noob knowledge of this... will it work routing through my USG? Tell devices to route through the OPNsense machine through my network of the USG. It can listen and see both WAN ports, so my logic tells me it works. But what should I do in OPNsense?

Would be wonderful to get a hint of how.

Thanks
 
 / T
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: netizen on February 06, 2019, 04:25:44 pm
Hello all!

I have a slightly different requirement in mind. I am not into torrents however routing via VPN is probably what is needed to do the following:

- Assume a server I have root access to, sitting in a DC
- Assume a small subnet assigned to that server from the DC
- Assume a high-speed DSL connection at home
- What I want to do is use those IPs (say in web or email server) with the latter sitting at my home network. Not in the server at the DC.

Can this be done?
Excuse my ignorance. I am fairly knowledgeable in configuring devices like pfSense, but only for LAN devices that are directly connected to the LAN of the firewall. What about this remote setup?

Any help is much appreciated!
 
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: TaceN on February 11, 2019, 08:35:10 pm
Hey all,

I'm about to lose it soon and throw my firewall out of the building.
I've done everything the guide says. The VPN connection works fine, but I cannot get any internet out or through the VPN.

Can someone please have a look at the screenshots and tell me if something is wrong?

Version: 19.1

Thanks
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: DanMc85 on April 03, 2019, 12:46:16 am
Hey all,

I'm about to lose it soon and throw my firewall out of the building.
I've done everything the guide says. The VPN connection works fine, but I cannot get any internet out or through the VPN.

Can someone please have a look at the screenshots and tell me if something is wrong?

Version: 19.1

Thanks

I opened up a bug report for this... I am having similar issues to yours since going from 18.7.10 to 19.1.x

https://github.com/opnsense/core/issues/3381
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Northguy on April 19, 2019, 09:08:43 am
Hey all,

I'm about to lose it soon and throw my firewall out of the building.
I've done everything the guide says. The VPN connection works fine, but I cannot get any internet out or through the VPN.

Can someone please have a look at the screenshots and tell me if something is wrong?

Version: 19.1

Thanks

Looks valid to me. Struggling with the same issue. VPN server is working fine (Remote login), VPN client (tunnel for internet) is a PITA. Following this thread for solutions.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: eptesicus on April 20, 2019, 07:30:56 pm
Hey, all... I got some help on the subreddit, but I'm having a weird issue... I got VPN working for one of my VLANs only (VLAN10_DL in my case, which is what I want for right now), and web traffic on every other VLAN and the LAN is working fine. However, there are issues with ping.

On my VLAN10_DL network that's routing over VPN, traffic is fine with the exception of ping/ICMP. I cannot ping anything outside on the WAN via IP or domain name (pinging 8.8.8.8 fails, and pinging google.com fails). Also from the LAN, I can ping 10.0.70.41 in my VLAN10_DL network, but I can't ping 10.0.70.101 that's in that same network. Pinging something on the LAN from 10.0.70.101 is successful, however.

On my LAN and other subnets that aren't routing over VPN (just over the WAN), pinging an IP works, but not a domain name (pinging 8.8.8.8 is successful, but pinging google.com fails).

See much of the config below...

(https://i.imgur.com/h6aDzUI.jpg)

(https://i.imgur.com/9eSmUrc.jpg)

(https://i.imgur.com/P3qIPQL.jpg)

(https://i.imgur.com/QcYi4D0.jpg)

(https://i.imgur.com/9nmV7pY.jpg)

(https://i.imgur.com/oHHf51m.jpg)

(https://i.imgur.com/lbeF6kx.jpg)

(https://i.imgur.com/IdnpjqA.jpg)

(https://i.imgur.com/atQgl9I.jpg)

(https://i.imgur.com/uiybH2L.jpg)

What am I doing wrong? What could be cleaned up to make this simpler but still achieve what I'm wanting?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Northguy on May 12, 2019, 11:08:29 pm
If somebody can lend me an account, I can try to make an official guide, but I'm not willing to pay for something I'm not using.

Does this offer still stand @mimugmail? If so, we can arrange something through PM.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on May 13, 2019, 05:55:22 am
Sure, next week is good
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Northguy on May 15, 2019, 01:16:20 pm
Sure, next week is good

Sent a response to your Gmail account. Let's pick up from there
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Bennyhaha68 on May 28, 2019, 04:20:46 am
Hi,

I've been trying to get NordVPN and OPNSense to connect to the internet through the tunnel. I tried to use this tutorial on NordVPN website.

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm (https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm)

No real luck with 19.1.

Spun up a couple of VirtualBox VMs, an OPNSense 18.7 and 19.1 and a Win10 client. Using the 18.7 VM, the only way I can connect to the internet from the Win10 client behind the VM OPNSense 18.7 is by putting the tunnel virtual IP into the alias box for the NordVPN interface, screenshot attached.

It works until the virtual IP for the tunnel changes. Then have to go to VPN -> OpenVPN -> Connection Status and copy new tunnel virtual ip and copy it to the NordVPN (OPT1(ovpnc1)) interface alias box, like in the snip attached.

I had it working this way with 19.1, but not for long, only worked for about 15 min, but have not been able to make it repeatable since.

Have also tried to create a LAN network alias and made a rule like in the OP's post.

Is there any way to make the alias IP box take on whatever the OpenVPN client has for its tunnel, or is there a way to include a range of IPs instead?

I have tried to insert 10.0.0.0/24, and 10.8.0.0/24 but that does not work. I have tried to use the NordVPN's hostname for the server I was trying to connect to as well, in the alias hostname box in the interface menu, that does not work either. The only way it works is with the specific IP address from the OpenVPN connection virtual IP. (In 18.7) The virtual IP in the Connection Status changes frequently.

Thoughts? Pointers? I am relatively green to OPNSense. Maybe I'm missing a really simple check box or setting/rule?

Would really prefer to use 19.1 as it's the latest, and is running in my real environment now.

Thanks for your time!

Edit for pic...
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Northguy on May 28, 2019, 08:19:39 pm
OK, had the same struggles as a lot of you. Finally managed to solve this for Surfshark VPN.
 
I started out with the NordVPN guidelines and could get the Tunnel connected, but could not reach the internet. DNS issues and such. For me, there were some critical differences in configuration to make VPN work with the guide.

Tunnel was connecting, but I never got internet to work. After reading this thread over and over again, the most helpful information I gathered came from this (https://forum.opnsense.org/index.php?topic=4979.msg24982#msg24982) reply from user NilsS

My learnings/changes in configuration:

See attached screenshots for my setup. Good luck in replicating.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Bennyhaha68 on May 29, 2019, 05:32:58 am
Thanks Northguy!

I believe I have it working now. Although, can't tell you why. Setting the Interface Config Type to NONE, helped a lot at first. Then updated the 18.7 VM to 18.7.10. Lost DNS. Copied your rules, a few reboots later and DNS still not working.

Tried a few other things, lost internet connectivity again, until I switched Interface Config Type back to DHCP and copied the tunnel address to the alias. Weird thing is, at this point, I only have to do that once. When the tunnel changes its virtual IP, I still have connectivity, even through a reboot of client and router (VMs). *shrug*

Then all of a sudden DNS started working. Undid the few things I had tried, rebooted after undoing each one, and it still works.  :o

Updated the VM to 19.1 and then to the latest 19.1.8 and after router VM and client VM reboot. DNS and internet still working...

...now to integrate this setup on my real network....

Just curious, can I ask what you have in your VPN_DNS_Servers alias?

I had the one that NordVPN has in the tutorial, and then also added Cloudflare's as well. Does yours only contain Cloudflare's?


Once I get this working on the real deal, I would like to try grouping gateways that NilsS had posted on page 2 of this thread.


Thanks again!!

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on May 29, 2019, 06:56:22 am
Regarding the SharkVPN guide, it should be AES-CBC and not GCM, GCM doesn't make sense and produces errors in log.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Northguy on May 29, 2019, 07:11:53 am
Regarding the SharkVPN guide, it should be AES-CBC and not GCM, GCM doesn't make sense and produces errors in log.

Correct. This is also stated in the SurfShark *.ovpn file. Don't know about NordVPN though, so Bennyhaha68 should check that for himself
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Bennyhaha68 on May 30, 2019, 12:10:34 am
Yes, that was very early in the troubleshooting process. Matching the cipher algos with the .ovpn files from NordVPN for the specific server that I was attempting to connect to. It did throw errors if they did not match; however, the connection would still show as "up".

Felt better about it if they did match though, probably works better too.

Also, I see the tun-mtu (or mss?, can't remember off hand) number mismatched when connecting at times, log states it decides to match them, and does not seem to affect connection.

So, because the VM OPNSense is attached to a bridged VM adapter, all traffic still travels through my physical machine, and does not change my public ip. However, I was suffering the wrath of wifey and kids messing with the physical machine trying to troubleshoot. Now that I have the VM passing internet with the VPN service as the interface, I believe it can be repeated with the physical machine.

Thanks again!

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: JhonnyMnemonic on July 06, 2019, 10:29:41 am
Has anyone had any luck forwarding a port through the VPN tunnel?
If yes, can you please explain how you configured OPNsense. Thanks
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mweis on July 28, 2019, 03:24:53 pm
I am really struggling with adding "privateinternetaccess" to my OPNsense.

Everything is fine until the step "Firewall-NAT-Outbound". Actually I am on hybrid, and after I click on "Manual outbound NAT" and click save and apply, I get no rules autogenerated and I am offline.

Hybrid-Mode-Settings:
(https://abload.de/thumb/hybridpgkb1.jpg) (https://abload.de/image.php?img=hybridpgkb1.jpg)

Manual Mode Settings:

(https://abload.de/thumb/manualluk87.jpg) (https://abload.de/image.php?img=manualluk87.jpg)

My goal is to have some specific clients use PIA, while the rest just go online the usual way. How can I do this?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mimugmail on July 28, 2019, 08:06:19 pm
When you switch from Hybrid to manual you need those auto rules already manually added. Otherwise they are gone.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: mweis on July 28, 2019, 08:17:13 pm
Okay, I got it to work, but I don't know if this is the best way. The problem was the DNS server from PIA, which I have to add to the client by DHCP reservation. Is this fine? I don't know if there is a better way to tell the clients the DNS server from PIA.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: koAllen on September 01, 2020, 05:02:48 pm
I just got this working using a fresh OPNsense install (18.1.6).  In the VPN client configuration, you definitely want to leave "Don't pull routes" unchecked and check "Don't add/remove routes".

I do have the DNS problem that some people mentioned, though.  Basically, from the machine I'm forcing to go through the VPN tunnel, I am able to ping addresses on the Internet, but DNS look-ups fail. 

Using Wireshark, I see the DNS requests go out from the client to OPNsense, but I never see a reply.

In the OPNsense log, I see the DNS request come in from the client, and then a DNS reply seems to come from the OpenVPN client IP assigned to the interface.

If I manually configure my client machine to use another DNS server (e.g. 8.8.8.8), then everything works.

I'm using the default DNS server - "Unbound DNS" - so the next thing I'll be trying is to use Dnsmasq instead.

The changes you mentioned for the OpenVPN client config got it working (I'm running 20.7), though I haven't figured out why. Thanks a ton!

For the DNS problem you are facing, it might be because you have your DNS configured as your router and if you only have 2 rules (one to route via VPN, one to block), you won't be able to reach your router. I have to add yet another rule on top to pass traffic to "LAN net" with the default gateway setting.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Gustl on December 14, 2020, 03:48:28 pm
Hi All.

I could manage doing selective routing by performing the NordVPN OPNsense 19.x online tutorial on the newest and latest OPNsense 20.7..., additionally created (DE, UK) aliases with host IPs, defined them in the rules after the basic ones, and selected "Don't pull routes" within the clients. I have clients in the network going direct to WAN, to NordVPN servers in Germany and UK. Works fine, every alias has its own dedicated VPN.

I've used pfSense 2.4.5 before and now use the same NordVPN servers as before. In OPNsense everything behaves noticeably slower. Every change takes a while to be accepted by the system and a restart takes very long compared to pfSense. Everything would be fine, but the VPN d/l speed is much slower now than under pfSense: about 40% loss in speed. OPNsense gives me about 60Mbps, whereas under pfSense I measured full ISP speed (105Mbps). Hardware is an APU2C4, which has the capability of at least 150Mbps. Maybe I have to update the APU BIOS, but I couldn't figure out until now what BIOS it has and what BIOS flashrom software is compatible. Does somebody have experience with OpenVPN speed differences using different BIOSes? The flashrom pkg I've installed already via OPNsense ssh, but more was not possible.

I can't give feedback about stability now... need to await. I was not unhappy with pfSense, just wanted to try out. But the speed would be an issue to go back to pf if I can't optimise it. On pf, for example, there was a "Use fast I/O operations with UDP writes to tun/tap. Experimental." option which really pushed up the speed. I also used pfBlockerNG-devel, which worked perfectly. Now I use Unbound with blacklists, but I think I have to manually adjust some more.

Nice regards.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Broodjeworst on January 05, 2021, 11:09:38 am
Hi Guys,

Seems that what I'm trying to do is almost the same as topic starter M4DM4NZ (thanks to Koldnitz for pointing me to this topic!)
And that is adding a VPN (Nord) enabled (physical) interface, so that one of the ports on my OPNsense (Supermicro) box is a VPN interface that allows me to
connect it to a switch (plain Cisco) and then use any switch port to attach a device that is then "protected/behind" the VPN connection

I've combined the guides from M4DM4NZ and NilsS into something that works for me, well I thought I did and of course it doesn't work ;)
I'm on OPNsense 20.7.7

Here we go:

STEP 1:
####################################################################
Firewall -> Aliases
[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_LocalNetwork
[ Description ] All local Networks
[ Content ]
    192.168.1.1/24,192.168.2.1/24 (my current local networks)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_VPNNetwork
[ Description ] All Hosts/Networks that should use VPN
[ Content ]
    192.168.3.1/32
    (This one has got me confused a bit, it has netmask 255.255.255.255 aka 32 and that's just for 1 ip? I use 192.168.3.1/24 for my new Interface in step 6)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Host(s)
[ Name ]        Firewall_Alias_Allowed_DNS
[ Description ] Allowed DNS Servers
[ Content ]
    103.86.99.100 (These are the ones from VPN provider NordVPN)
    103.86.96.100
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Port(s)
[ Name ]        Firewall_Alias_MS_Port_Block
[ Description ] Blocked MS Ports
[ Content ]
    137
    138
    139
    445
[SAVE]

STEP 2:
####################################################################
Firewall -> NAT -> Outbound
[X] Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)
## Used this option instead of:
##     Manual outbound NAT rule generation (no automatic rules are being generated)
## So that the automatically generated rules are not removed.
## Change the rest of the settings in step 10

STEP 3:
####################################################################
Set up the NordVPN connection, this is different from the original writeup (since I use Nord)
I've used the guide from:
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm

However, I've changed "Encryption Algorithm: AES-256-GCM" to "Encryption Algorithm: AES-256-CBC" in the TLS Authentication section
since I got a warning in the OpenVPN logs

STEP 4:
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP4 (As mentioned in the Nord guide)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 xxxxx.nordvpn.com
[ Server port ]                 1194
[ Retry DNS resolution ]        [X] Infinitely resolve remote server
[ User name/pass ]              Copied from my Nord Account page
[ TLS Authentication ]          [X] enable authentication of TLS packets
[ Peer Certificate Authority ]  As per the Nord guide
[ Encryption Algorithm ]        AES-256-CBC
[ Auth Digest Algorithm ]       SHA512 (512-bit)
[ Hardware Crypto ]             No Hardware Crypto Acceleration
[ Compression ]                 Disabled - No Compression
[ Disable IPV6 ]                [X]
[ Don't add/remove routes ]     [X]
[ Description ]                 NordVPN_1
[ Advanced ]
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
[ Verbosity level ]             3 (recommended)
[SAVE]

STEP 5:
####################################################################
VPN -> OpenVPN -> Clients: [ NordVPN_1 -> clone ]
[ Server host ] use a different server
[ Server port ] 1194 used the same port, not sure if the tip to use a different port holds for Nord as well?
[ Description ] NordVPN_2
[SAVE]

STEP 6:
####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ]
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN1
    [ Block bogon networks ]    [X]
[SAVE]

[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN2
    [ Block bogon networks ]    [X]
[SAVE]

And I've added a new Interface called NORD:
[ OPTx ]
    [ Enable Interface ]        [X]
    [ Device ]                  igbX (in my case)
    [ Description ]           NORD
    [ Block bogon networks ]    [X]
    [ IPv4 Configuration Type]  Static IPv4
    [ IPv4 address ]            192.168.3.1/24
    [ IPv4 Upstream Gateway ]   Auto-detect
[SAVE]

Services -> DHCPv4 -> NORD
[ Enable ]                      [X]
[ Range ]                       [ 192.168.3.11 - 192.168.3.244 ]

STEP 7:
####################################################################
System -> Gateways -> Single
[ NORDVPN1_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN2_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN1_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

[ NORDVPN2_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

STEP 8:
####################################################################
System -> Gateways -> Group

[ + Add ]
[ Group Name ]          GRP_NORDVPN
[ Gateway Priority ]
    [ WAN_GW ]              [ Never ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_LOADBALANCE
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_1_2
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_1->-2
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_2_1
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 2 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_2->-1
[SAVE]

STEP 9:
####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [X] Skip rules when gateway is down
    # Does this mean that traffic will go over the "normal" connection (non VPN) in case the VPN tunnel fails?
    # OR does this mean that the rest of the network (in my case the LAN) will continue to function if the VPN Tunnel is down
    # A kill switch would be nice, so if the VPN Tunnel fails (in this case, if both of them fail because we defined a group of 2) i want interface NORD to
    # have no connection.
[ Sticky connections]   [X] Use sticky connections (for load balance group)

STEP 10:
####################################################################
Firewall -> NAT -> Outbound
[+ Add]
    [ Interface ]           NORDVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      Firewall_Alias_LocalNetwork
    [ Destination invert ]  [X]
    [ Destination address ] Firewall_Alias_LocalNetwork
    [ Translation/target ]  Interface address
[SAVE]

[ NORDVPN1 ] [CLONE]
    [ Interface ]           NORDVPN2
[SAVE]

STEP 11:
####################################################################
Firewall -> Rules -> NORD (The new interface I added in step 6)
[+ Add]
    [ Action ]                  block
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Destination port range]    Firewall_Alias_MS_Port_Block
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination ]             Firewall_Alias_Allowed_DNS
    [ Destination port range]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Description ]             Force traffic over VPN
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

STEP 12:
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   NORD
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      Firewall_Alias_VPNNetwork
[ Destination invert ]          [X]
[ Destination ]                 Firewall_Alias_Allowed_DNS
[ Destination port range]        DNS DNS
[ Redirect Target IP ]          single Host or Network
                                103.86.96.100 (picked one of the 2 NordVPN DNS servers)
[ Redirect Target Port ]        DNS
[ Description ]                Redirect all DNS to allowed DNS
[SAVE]

After this I did some checks:
VPN -> OpenVPN -> Connection Status
Both are "UP"

System -> Gateways -> Single
All Green

I've added some widgets on the Dashboard page and:
Gateways all green
Interfaces connected and have an IP
OpenVPN
All green and Remote/Virtual IP is present

However... When I connect a device to the Switch (that is connected to the NORD interface on the OPNSense box) I get "nothing"
(the device is configured to use DHCP and gets an IP address so at least that part works ;) )

I've no Internet at all (can't ping 8.8.8.8 for example)
And I can't ping any of the internal IPs
192.168.1.1
192.168.2.1
192.168.3.1

The only thing that I can ping is the switch on 192.168.3.254 however that's kind of expected ;)

I think I made some kind of mistake between step 9 and 12

Any Hints would be appreciated :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Koldnitz on January 06, 2021, 02:37:40 am
Nothing is jumping out at me (I cursorily compared what you have to what I have)

My thoughts:

My local network alias looks like this 192.168.1.0/24

You need to put your 192.168.3.0/24 here (I am not sure if it needs to be 0 but my setup is definitely working)

I have other subnets (management subnet for when I hose main subnet) that will never see the VPN and I do not include them (they do not exist as far as these rules go).  If you are never going to force IPs on your 1 and 2 subnets I do not think they need to be in alias for now.

Your host / networks that should use vpn alias should look like this 192.168.3.2/24 (?) ... mine looks like this 192.168.1.240/28 but I have made it where IP 240 through 254 are forced through the vpn on this subnet.  I do not think you should start at 1 because your router dhcp service will be sitting there ... but I could be wrong.

Your range is 11 through 244.

try 192.168.3.11/25 (you will get 126 IP addresses) http://jodies.de/ipcalc (http://jodies.de/ipcalc)

I think you might consider using a smaller range on the vpn switch, then you can hook up a device (I manually set my macmini's IP inside the range and see if it works / hook up outside the range to see if it worked / check for dns leakage).  If the outside range (whole switch) does not work you have narrowed down focus and you can work your way towards getting some IPs forwarded correctly.  Once you have that working it "should" be easy to make all IPs on switch go where you want.

I also recommend following NilsS naming conventions.  It makes it so much easier to figure out what the alias is meant to be when you have:
n_vpn_user

A network (192.168.1.240/8)

p_udp_callofduty

A port (to make call of duty work correctly)

h_allowed_dns

hosts where dns requests are allowed to go

Your aliases work they just were giving me a headache....imagine trying to figure this out again in 6 months (I did when I decided to lagg my interface and hosed the whole install).

I turned off sticky connections and now I sometimes use both interfaces together (much faster).  Fail over only randomly worked before and I have set it up to reconnect randomly to my VPN servers every 8 hours.

I also put this:
persist-key
persist-tun
auth-nocache
fast-io
explicit-exit-notify 5
remote-cert-tls server
server-poll-timeout 10
key-direction 1
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
reneg-sec 3600

inside advanced configuration.

I use AirVPN so your mileage may vary.

I am by no means an expert, just managed to get it to work for me.  I hope this helps you, if just a little bit.

Cheers,
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Broodjeworst on January 06, 2021, 06:48:40 pm
Hi Koldnitz,

Great!!! That did the trick! Thank you very much :) I've also renamed the aliases per your advice, my original ones didn't make that much sense indeed  :-[

One thing left on the to-do list is to be able to access a device that is connected to the VPN (behind that Cisco switch) through ssh from the 192.168.1.x/24 subnet so that I can check logs etc., or would this open up a can of worms?

Anyway, thank you very much for getting me up and running!


Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Koldnitz on January 07, 2021, 02:03:39 am
(https://i.imgur.com/SXF11co.png)

Do you have something like this in your firewall rules (these are first three firewall rules on my router)?

I do not see why you would be unable to ssh into something inside your network if you yourself are inside your network (with the correct rules enabled).

across_milwee is a firewall group which includes all my subnets by the way.

I am able to connect to an IP that is routed through my vpn connection from any browser(https) in my network (macmini, ipad, or PC; both on wifi and hardwired).

I usually am on the same subnet with all my devices but I have connected from a different subnet as well.

I do not think these rules do anything other than route all internet traffic through the VPN for the IP addresses you set it up to.

A lot of this is supposition, but if you think about how the rules are working, they are not for blocking traffic from an IP inside your network to another IP inside your network.

You might need to ask someone who is more initiated in the ins and outs of firewall rules to help you, if you already have these anti-lockout rules set up on your vpn subnet (they are usually only made automatically on your install interface / subnet; I think).

Cheers,
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Broodjeworst on January 07, 2021, 06:31:11 pm
Hi Koldnitz,

And thanks again! the addition of some extra rules (well basically the same as your example) did the trick!
I only had autogenerated DHCP rules and the rules from the "howto" so it was quite logical that my connection attempt failed.

Thanks a million!
 :D
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Broodjeworst on January 31, 2021, 04:02:29 pm
Hi again :)

So with help of Koldnitz I was able to get my setup running (thanks!),
however after some testing I did find some odd behaviour (I think): the connection seems to be dropping intermittently. I think this is also what Koldnitz experienced when he mentioned:

"I turned off sticky connections and now I sometimes use both interfaces together (much faster). 
Fail over only randomly worked before and I have set it up to reconnect randomly to my VPN servers every 8 hours."

So I was wondering what do I need to change in order to do this? Turning off sticky is just deselecting a tick box however I'm not sure how to use both VPN connections simultaneously in order to increase speed and set the random reconnect every X hours.

Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Koldnitz on February 02, 2021, 12:27:34 pm
(https://i.imgur.com/RyUDkB2.png)

This is how I reconnect.

I test my dns leakage here https://ipleak.net/ (https://ipleak.net/)

I tried it again over the weekend (when I first read your post) and as far as I can tell I do not have any leakage.

As always your mileage may vary.

Cheers,
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Broodjeworst on February 02, 2021, 12:58:32 pm
Great thanks!

The vpn connections are currently configured in a group (as described in the settings of NilsS), so if one of the two in the group goes down the other takes over.
In my case I think that load balancing is a bit too enthusiastic and I need to increase the sticky timeout.

Update:
Seems that if I set both vpn connections in the loadbalancing group to Tier1 (as opposed to tier1 and tier2)  it does work.

There is one thing I don't get though, the configuration defines 3 gateway groups and only the load balancing group  is used in the rules, the two failover groups are not referenced is that correct?

Thanks a lot!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: kosta on February 16, 2021, 08:03:34 pm
I hope this is a right place to post.
I have PIA VPN and trying to get it to work via OpenVPN.
What I basically want: route none but specific machines through PIA.

I've read most of this thread, and in the essence, I can either:
- have a full tunnel and everything going through the VPN or
- nothing

I tried various combinations with the boxes set in the Client-Connection (Don't pull routes and Don't add/remove routes), first, second or both checked.
NAT is configured manually, I have created both NAT for the LAN net and localhost net.
I created a rule saying IPv4* LAN net over PIA_VPN gateway.

Yet, I get the ISP-IP when querying the IP over internet.

And the same thing happens when I try doing it the other way: everything over VPN, except client x. In that case, the client remains in the VPN, although the rule is in place.

Where do I start troubleshooting?

Small edit:
I found out that if I use a "Don't pull routes" configuration, and both NAT and rules as needed, I can't browse... but I figured I can ping.  Apparently resolution isn't working... so, how do I get DNS to work?

From the log:
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])   
2021-02-16T21:04:16   openvpn[76240]   PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,peer-id 2,cipher AES-128-GCM'
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: wallaby501 on March 26, 2021, 09:53:51 pm
Quote from: kosta on February 16, 2021, 08:03:34 pm

This will be basic and quick but I believe I got it.

1) Configure your aliases- just whatever you want to put behind a vpn.
2) Configure your client- this varies between VPN providers but the stickler is leaving don't pull routes unchecked but do check "Don't add/remove routes".
3) Add the interface- don't change defaults- just add it.
4) NAT outbound- make it hybrid and then add a rule
5) Firewall rule on LAN that is pass, IPv4, direction in, vpn alias as source, sent out the VPN gateway, then expand advanced and set local tag NO_WAN_EGRESS or other. This rule needs to be above your default LAN pass rule.
6) I like this one just in case- firewall rule on LAN above #5- reject, ipv4 tcp/udp, source is your vpn alias, dest is LAN address, port 53 (or select DNS). This will block VPN clients from your internal DNS just in case.
7) Firewall rule on floating- Reject, IPv4, direction out, source and dest are any, gateway is your normal WAN gateway. Expand advanced and on Match tag put NO_WAN_EGRESS (or whatever common thing you want- we are just matching the tags for policy routing.)


Going off memory but I believe that is it. You can test for dns leaks while it's up with whatever client you want that is in your alias list. Should ping, have DNS, etc. If you are assigning clients into a certain subnet (which I do), you can set them statically in your VPN alias range AND set their DNS options there like using OpenDNS or other. Or set them on the client itself- whichever works.

I tested for leaks and found it worked. Then I set a constant ping and confirmed it was going out properly. From there I disabled the VPN tunnel and having 2 windows on the GUI I could see that the firewall blocked it as it was catching the NO_WAN_EGRESS floating rule. Enabled the client, ping did not start going through because I think the state was kept. In any case, restarted the ping fine and then did another dns leak test and it was confirmed good.
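As an added illustration of the rule order in steps 5 to 7 above (my code, not OPNsense's and not from the post), the following toy model walks one new connection through the LAN rules and the floating rule. It assumes a LAN of 192.168.1.0/24 with the firewall at 192.168.1.1, a VPN-hosts alias of 192.168.1.240/28, gateways named VPN_GW and WAN_GW, and it simplifies pf: interface rules are first-match, a pass rule's gateway means route-to, a gateway that is down is left off its rule (the OPNsense default unless "skip rules when gateway is down" is set), and the step-7 floating rule is modelled as "out on WAN" carrying the NO_WAN_EGRESS match tag. It also models the DNS failure kosta reported, where the policy-routing rule sits above any port-53 rule, and the pass-without-gateway fix a4p474 describes later in the thread.

```python
"""Toy model of OPNsense/pf rule evaluation for the policy-routing recipe.
Added illustration, not OPNsense or pf code.  Names, addresses and the
simplifications listed in the lead-in are assumptions for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAN_ADDRESS = "192.168.1.1"                         # assumed firewall LAN IP
VPN_HOSTS = "192.168.1.240/28"                      # assumed "VPN hosts" alias (step 1)
GATEWAY_IFACE = {"VPN_GW": "VPN", "WAN_GW": "WAN"}  # assumed gateway -> egress interface


@dataclass
class Rule:
    name: str
    iface: str                       # "LAN", or the egress interface for floating rules
    direction: str                   # "in" or "out"
    action: str                      # "pass" or "reject"
    src: str = "any"
    dst: str = "any"                 # network, "any" or "LAN address"
    port: Optional[int] = None
    gateway: Optional[str] = None    # route-to gateway; None = routing table
    tag: Optional[str] = None        # local tag set on the state by this pass rule
    match_tag: Optional[str] = None  # floating rule only matches states carrying this tag


@dataclass
class Packet:
    src: str
    dst: str
    port: int


def _addr_ok(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "LAN address":
        return addr == LAN_ADDRESS
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate(lan_rules: List[Rule], floating_rules: List[Rule], pkt: Packet,
             gateway_up: Dict[str, bool]) -> str:
    """Trace one new connection from a LAN host through the in and out legs."""
    tag = None
    route_to = None
    for r in lan_rules:                      # first matching interface rule wins
        if not matches(r, pkt):
            continue
        if r.action == "reject":
            return f"rejected on LAN in by '{r.name}'"
        tag = r.tag
        if r.gateway and gateway_up.get(r.gateway, False):
            route_to = r.gateway             # policy routing takes effect
        # a gateway that is down is omitted: the packet follows the routing table
        break
    else:
        return "blocked by default deny"
    if route_to is None and pkt.dst == LAN_ADDRESS:
        return "delivered to the firewall itself"   # e.g. the local resolver
    egress = GATEWAY_IFACE[route_to] if route_to else "WAN"   # default route via WAN
    for r in floating_rules:                 # out-direction rules on the egress interface
        if (r.direction == "out" and r.iface == egress and matches(r, pkt)
                and (r.match_tag is None or r.match_tag == tag)):
            if r.action == "reject":
                return f"rejected out {egress} by '{r.name}'"
            break
    return f"pass via {egress}"


# Steps 5-7 in LAN order: step 6 above step 5 above the default LAN allow.
RECIPE_LAN = [
    Rule("no router DNS for VPN hosts", "LAN", "in", "reject", src=VPN_HOSTS, dst="LAN address", port=53),
    Rule("VPN hosts out via VPN", "LAN", "in", "pass", src=VPN_HOSTS, gateway="VPN_GW", tag="NO_WAN_EGRESS"),
    Rule("default LAN allow", "LAN", "in", "pass", src="192.168.1.0/24"),
]
RECIPE_FLOATING = [Rule("kill switch", "WAN", "out", "reject", match_tag="NO_WAN_EGRESS")]

# Same recipe with nothing about DNS above the policy-routing rule (kosta's case),
# and the variant that passes DNS to the firewall without a gateway (a4p474's fix).
NO_DNS_RULE_LAN = RECIPE_LAN[1:]
PASS_DNS_LAN = [Rule("DNS to the firewall, no gateway", "LAN", "in", "pass",
                     src=VPN_HOSTS, dst="LAN address", port=53)] + NO_DNS_RULE_LAN

UP = {"VPN_GW": True, "WAN_GW": True}
VPN_DOWN = {"VPN_GW": False, "WAN_GW": True}
WEB_FROM_VPN_HOST = Packet("192.168.1.241", "1.1.1.1", 443)
WEB_FROM_OTHER_HOST = Packet("192.168.1.20", "1.1.1.1", 443)
DNS_TO_FIREWALL = Packet("192.168.1.241", LAN_ADDRESS, 53)

if __name__ == "__main__":
    print("VPN host, tunnel up:   ", evaluate(RECIPE_LAN, RECIPE_FLOATING, WEB_FROM_VPN_HOST, UP))
    print("VPN host, tunnel down: ", evaluate(RECIPE_LAN, RECIPE_FLOATING, WEB_FROM_VPN_HOST, VPN_DOWN))
    print("other host:            ", evaluate(RECIPE_LAN, RECIPE_FLOATING, WEB_FROM_OTHER_HOST, UP))
    print("DNS, no DNS rule:      ", evaluate(NO_DNS_RULE_LAN, RECIPE_FLOATING, DNS_TO_FIREWALL, UP))
    print("DNS, pass rule on top: ", evaluate(PASS_DNS_LAN, RECIPE_FLOATING, DNS_TO_FIREWALL, UP))
```

Two things the trace makes visible. First, order is the whole point: pf takes the first interface rule that matches, so a DNS rule placed below the policy-routing rule never runs, and a query to the firewall's own address is pushed out the tunnel by route-to instead of reaching the local resolver. Second, the kill switch works only because the tag set by the inbound pass rule travels with the state to the outbound leg; when the tunnel drops, the gateway is left off the rule, tagged traffic falls back to the WAN default route, and the floating reject catches it. Existing states keep their original decision until they expire or are reset, which is the "state was kept" effect reported in the post above.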
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Flamez on April 16, 2021, 07:12:13 pm
I just switched over from pFsense and I am really liking OPNsense very much.   I was wondering if there is an updated working guide for routing certain traffic over NordVPN using alias?

I really appreciate any help you can provide.

Thank you.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Dantichrist on April 17, 2021, 09:54:08 pm
I've been trying to get this to work off an on for a couple of weeks.

How do you get around the error "Policy based routing (gateway setting) is only supported on inbound rules." when you try to specify the gateway on the outbound LAN rule? I tried to get around it by putting in the outbound LAN rule under floating rules but it still doesn't work. The box(s) that I want to go through the VPN still show the WAN IP.

Nevermind. I made an inbound rule using the VPN gateway and it works.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: darthaffe on June 27, 2021, 03:17:36 pm
Hi,

I had a VPN working like this in the past but it broke a while ago after an update. After failing to get it to work i completely removed everything and set it up again, but I can't get it to work.

The VPN is connected and the interface is up, I can also ping devices behind the VPN from the opnsense diagnostics but not from any device on the LAN. DNS resolve for names in the VPN is working (I have no idea why that is working and pinging/connecting not). The routes are also pushed correctly and appear in Routes -> Status.
The logs look fine but it seems like responses are lost somewhere.

I've added the NAT Outbound rules and the LAN rule as seen in the attachments.

Looking forward to any hint :)
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: jarm64 on November 13, 2021, 07:10:50 pm
I made a walk thru here.. https://thehotelhero.com/opnsense-protonvpn-setup that works for me.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: crissi on November 29, 2021, 03:21:11 pm
Hello,
have a question regarding the OpenVPN client tunnel configuration, specifically regarding the setting Don't add/remove routes, as some VPN guides suggest enabling this setting.

When i enable the setting, my VPN Client Connection stops working, when i disable the setting, the Tunnel comes Up and start to work again.

What should be the correct setting here?

Any Idea?

Thx!


Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: a4p474 on December 24, 2021, 03:32:14 am
I'm posting a quick solution for those with a DNS failure using Policy Based Routing (or just VPN in general).

I set up a fresh opnSense install.
I set up a VPN per this tutorial: https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm
   The only deviation I have is on Step 13, for a PBR.  Instead of routing all LAN through the VPN, I set up a rule to only send a subset (addresses below 192.168.x.y/z)

I had all the same issues of others in which IPs not going through the VPN were just fine but those going through the VPN could ping and text, but not "connect".

After hours of searching, I came across this tutorial: https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/
I added a firewall rule for DNS (port 53) and put it at the top of my Firewall -> LAN -> Rules list.

Voila.  It's currently stable for me at the moment.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: crissi on December 24, 2021, 08:31:55 am
Hi,

Merry Christmas Everyone 😊

I have a question to NAT – Outbound Rules regarding the correct and secure configuration. I set Outbound Rules to manual, and choose the specific VPN Clients as Interface and Source to LAN, VLAN1, VLAN2 etc, so the Clients in the different Networks go over the different VPN Tunnels, that’s fine.

But I was wondering how loopback networks, 127.0.0.0/8 (when switching to Hybrid or Automatic NAT rule generation), should be handled correctly. Should they also be defined when set to manual outbound NAT rule generation?

What is also not clear for me yet: under Firewall – Rules – Loopback there are 2 automatically generated rules to pass all loopback requests (IPv4 / IPv6), source / destination is Any. Is there anything to define manually to be sure that the VPN is not leaking somewhere?

Thx!
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: crissi on January 13, 2022, 06:31:14 pm
Hello,

I hope someone can explain to me the implications / correct settings of the OpenVPN client configuration options "Don't pull routes" and "Don't add/remove routes".

Every VPN provider seems to have different settings here.

NordVPN
Don't pull routes          -> Unchecked
Don't add/remove routes    -> Checked

AirVPN
Don't pull routes          -> Checked
Don't add/remove routes    -> Unchecked

PIA
Don't pull routes          -> Unchecked
Don't add/remove routes    -> Unchecked

Can someone please help here?
Thx!
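The log kosta posted on February 16, 2021 and the question above about the two checkboxes are two views of the same mechanism, so here is one added worked example for both (my code, not OPNsense's, OpenVPN's or any poster's). It assumes the usual mapping of the GUI options to OpenVPN directives, "Don't pull routes" = route-nopull and "Don't add/remove routes" = route-noexec, approximates which pushed options each directive affects with the two sets at the top of the block, and takes as input the PUSH_REPLY line from kosta's log.

```python
"""What an OpenVPN client keeps from a server's PUSH_REPLY under the two OPNsense
client checkboxes.  Added illustration, not OPNsense or OpenVPN code.

Assumed GUI-to-directive mapping:
  "Don't pull routes"       -> route-nopull  (routes and DNS options are refused and
                               logged as "cannot be used in this context")
  "Don't add/remove routes" -> route-noexec  (routes are accepted but not installed;
                               OpenVPN hands them to --route-up via env vars)
"""
from dataclasses import dataclass, field
from typing import List

# Approximation of the option classes route-nopull strips (OpenVPN's route and
# DHCP/DNS permission groups).  route-gateway, ifconfig, topology, cipher and the
# rest are still accepted, which is what the log line below shows.
ROUTE_OPTIONS = {"route", "route-ipv6", "redirect-gateway", "redirect-private"}
DNS_OPTIONS = {"dhcp-option", "block-outside-dns"}

# The PUSH_REPLY exactly as logged in this thread (OpenVPN client log, PIA server).
LOGLINE = ("2021-02-16T21:04:16 openvpn[76240] PUSH: Received control message: "
           "'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,"
           "dhcp-option DNS 10.0.0.243,route-gateway 10.32.112.1,topology subnet,"
           "ping 10,ping-restart 60,ifconfig 10.32.112.224 255.255.255.0,peer-id 2,"
           "cipher AES-128-GCM'")


@dataclass
class PushResult:
    applied: List[str] = field(default_factory=list)        # configured on tun / session
    refused: List[str] = field(default_factory=list)        # route-nopull: "Options error ... [PUSH-OPTIONS]"
    not_installed: List[str] = field(default_factory=list)  # route-noexec: pulled, left to --route-up


def parse_push_reply(logline: str) -> List[str]:
    """Return the comma-separated option strings inside the quoted PUSH_REPLY."""
    marker = "'PUSH_REPLY,"
    start = logline.index(marker) + len(marker)
    end = logline.rindex("'")
    return [opt.strip() for opt in logline[start:end].split(",") if opt.strip()]


def apply_push(options: List[str], dont_pull_routes: bool,
               dont_add_remove_routes: bool) -> PushResult:
    """Sort pushed options by what the client will do with them under the two boxes."""
    result = PushResult()
    for opt in options:
        name = opt.split()[0]
        if dont_pull_routes and (name in ROUTE_OPTIONS or name in DNS_OPTIONS):
            result.refused.append(opt)        # route-nopull rejects it outright
        elif dont_add_remove_routes and name in ROUTE_OPTIONS:
            result.not_installed.append(opt)  # route-noexec: accepted, never hits the routing table
        else:
            result.applied.append(opt)
    return result


def pushed_dns_servers(result: PushResult) -> List[str]:
    """DNS servers the client actually accepted from the server."""
    return [opt.split()[2] for opt in result.applied
            if opt.startswith("dhcp-option DNS ") and len(opt.split()) == 3]


def explain(logline: str, dont_pull_routes: bool, dont_add_remove_routes: bool) -> str:
    r = apply_push(parse_push_reply(logline), dont_pull_routes, dont_add_remove_routes)
    return (f"refused={r.refused}\n"
            f"pulled but not installed={r.not_installed}\n"
            f"DNS accepted from server={pushed_dns_servers(r)}")


if __name__ == "__main__":
    for pull, noexec, label in [(False, False, "PIA style: both unchecked"),
                                (True, False, "AirVPN style: Don't pull routes"),
                                (False, True, "NordVPN style: Don't add/remove routes")]:
        print(f"--- {label}")
        print(explain(LOGLINE, pull, noexec))
```

Run against kosta's line, the "Don't pull routes" case reproduces the three "cannot be used in this context" errors in his log: redirect-gateway, route-ipv6 and the dhcp-option DNS entry are refused, while ifconfig and the rest are applied. With neither box checked, redirect-gateway def1 is accepted and OpenVPN rewrites the default route, which is the "everything through the tunnel or nothing" behaviour he describes. With either box set the default route is left alone, so the only way for a LAN host to reach the tunnel is the firewall rule that names the VPN gateway, and the DNS server the provider pushes is either refused (route-nopull) or accepted but not used for routing decisions (route-noexec), so the resolver those hosts use still has to be arranged in the firewall or on the clients.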
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: ligand on July 04, 2022, 04:58:03 pm
Hi Everyone,
Wanted to share a configuration option to help with port forwarding.  My setup:

Interfaces
WAN
VyprVPN
LAN

Thanks to this thread I was able to get Transmission to route out of the VPN interface instead of the WAN interface. However, Transmission reported that my peer listening port was closed. I set up port forwarding on the VyprVPN interface to forward inbound traffic to my Transmission host but it didn't work. After doing a bunch of tcpdumps, I found that inbound traffic entered the VyprVPN interface but left using the WAN interface.

I also have an OpenVPN server set up and found a rule in the OpenVPN server ruleset that was affecting my Transmission traffic. The rule is the one that allows for all traffic to enter OpenVPN (see attachment). If I disabled the rule then all traffic to and from Transmission went over the VPN. If the rule was enabled, then I experienced asymmetric routing. I found that if I unchecked "apply rule immediately" then my routing worked as expected. :-) Hope this helps.


Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: immto on October 20, 2022, 04:47:10 pm
Hello everyone and thanks to you all and especially M4DM4NZ for getting this thread going years ago.  That said I do have a couple issues I'm still ironing out and I'm trying to really understand this.  The original How To said to create a rule for port 500.  Was that a thing back in 2018 because I can't see any reason why I would need this rule.  Any thought on that? 

Also Thank you

Quote from: crissi on January 13, 2022, 06:31:14 pm

That is what really helped me get this going.  Nowhere is it mentioned that these settings are so important, but they are.  The VPN providers don't even seem to mention them.   
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: chenks on December 20, 2022, 10:11:30 pm
Hi, sorry to bump this thread, but I'm a new OPNsense user and just looking to check if the instructions at the start of this thread (from 2017) will allow me to do what I'm trying to achieve.

I'm new to OPNsense, but not new to basic network config and tinkering with config.

I've added my NordVPN account to OPNsense as a VPN client (using https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm although stopped at the unbound part), and it's showing as connected (albeit no traffic actually routing thru it just now).

I want to route either specific URLs or specific LAN clients thru the VPN (i.e. not ALL traffic); I believe this will probably be policy based routing?

Example:
I want to route all traffic from 192.168.50.10 thru the VPN
I want to route any device accessing www.blah.com thru the VPN

I also don't want any DNS leak.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: andyblac on September 14, 2023, 02:37:35 pm
I am having this issue, is there a known fix yet?

thanks
andrew
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: perrfect on November 07, 2023, 01:51:02 pm
Quote from: M4DM4NZ (opening post of this thread)

Hello. Thank you for your article. It really works.
How about Multi WAN?
When we have two OpenVPN clients and two LANs.
LAN1 - VPN1
LAN2 - VPN2
If VPN1 is off, all traffic from LAN1 should go via VPN2.
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: beneix on December 13, 2023, 02:39:03 pm
Hello,

Quote from: crissi on January 13, 2022, 06:31:14 pm

I am also confused about this - trying to set up a VPN client for PIA, but since I only want certain clients to go via this interface, I was thinking that also for PIA I should check "Dont add/remove routes". Am I wrong?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: beneix on December 13, 2023, 03:17:50 pm

Step 7.

 - Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host:
 - First entry: 192.168.X.X

NOTE: (enter the IP address of Computers/devices you want to be on the VPN here. I personally enter the IP address of my Wireless router I have attached to my LAN, The wireless router has DHCP enabled so all wireless devices connected to this access point have their traffic passed via the VPN )

Something seems to have changed since the OP - there is nowhere to put "First entry". I have a field "Content", but there I can only choose between a list of other aliases. There is also a "Categories" field.

Where should I enter the ip address(es)?
Title: Re: HOWTO - Routing Traffic over Private VPN
Post by: Hoererser on January 11, 2024, 11:34:37 am
Quote from: immto on October 20, 2022, 04:47:10 pm

Many things can be a waste of your effort, but a helping hand is not.