OPNsense Forum

English Forums => 18.1 Legacy Series => Topic started by: comet on April 01, 2018, 01:19:22 am

Title: How difficult is it to get an OpenVPN server working, really?
Post by: comet on April 01, 2018, 01:19:22 am
I've been using OPNsense for several weeks now and it's working quite well, but I really only use it as a basic router for the most part.  I don't know enough about networking to use its advanced features, and I don't understand a lot of the technical stuff that's discussed in this forum, but I like OPNsense because it gets frequent security updates.

So to get to the question, one of my relatives is currently running a router with a specific version of DD-WRT on it that does not seem to get updated frequently.  I was considering replacing it with a small computer running OPNsense but there is one thing that puts me off.  I need it to be able to run OpenVPN (as a server) so I can access their network remotely, and I need it to be EASY to set up.  The workings of VPNs are a bit of a mystery to me, but in DD-WRT they make setting up a VPN quite easy - they have a page where you set up the OpenVPN server, and then it generates a client.ovpn file you can take to your client machine (I may be oversimplifying that a little bit, but not much).  I have not attempted to set up OpenVPN under OPNsense so how easy is it to do (compared with setting it up in DD-WRT, if you've ever done it there)?

But also, I want to know if OpenVPN works pretty well, or if you have to fiddle with it a lot to get it working reliably.  I see a thread like the one at https://forum.opnsense.org/index.php?topic=7761.0 and it makes me wonder if setting up OpenVPN or getting it to work reliably would be a real struggle.  Given the problems I had just getting port forwarding to work, my fear is that setting up OpenVPN under OPNsense would be beyond my ability level.  Am I worried for nothing, or is setting up an OpenVPN server a complicated process in OPNsense?  And, are there any good recommended videos or pages on how to do it?
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: NOYB on April 01, 2018, 03:35:38 am
Think your questions can be answered by backing up your system and going through the process.

Setup SSL VPN Road Warrior
https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html

IMO it is not difficult.
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: comet on April 01, 2018, 08:08:38 am
Thanks, but for the most part I think the page at https://wiki.opnsense.org/manual/how-tos/sslvpn_s2s.html is more applicable to what I'd be doing, other than that I do need the information in "Step 3 - Export Client Configuration" of the page you linked to, in order to get the .ovpn file.  This is more like a permanent VPN setup than a road warrior setup, and two factor authentication would not work at all in this situation.

Although I suspect those two pages give most of the information I would need, I'd still like to know if this works well or if people are having problems with it.  I don't even want to suggest replacing the existing router if this is going to be something that's not going to work well.  I guess what I really want to know is whether the problems mentioned in https://forum.opnsense.org/index.php?topic=7761.0 are things that everyone running OpenVPN on OPNsense has experienced, or if that is just a one-off problem that only seems to be affecting the person that started that thread.
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: NOYB on April 01, 2018, 10:31:48 am
If the objective is to manage their network for them (what it sounds like in your original message), then road warrior may be better than site to site.  With site to site you have to be at one of the sites.  Road warrior would provide remote access from anywhere.

Site to site is what you want if the two sites are to be like "one".  For instance you use their stuff like servers, printers, etc. and likewise they use your stuff.  All as though it is "local".
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: comet on April 01, 2018, 11:56:17 am
Can we please not argue about my intended usage?  All I will say is that the "Road Warrior" setup is NOT appropriate for my usage case because of the two-factor authentication.  Also, I am just trying to emulate the existing setup, which really is site to site (the client system always stays at one single location).  That is not my primary concern, and I'd rather we don't spend any more time discussing it.  My concern, after seeing threads like the one at https://forum.opnsense.org/index.php?topic=7761.0, is that OpenVPN doesn't work reliably under OPNsense.

My question now is whether it works reliably, and without a lot of fiddling around to correct this or that issue.  It is important that if I set it up correctly it should "just work", and not crash or have unexplained disconnections, and not require me to try and chase down problems.  If you are not currently running the OpenVPN server then you cannot answer this.  I need to hear from someone who is actually running the OpenVPN server and can tell me whether it just works reliably once set up, and if they had any problems during or after setup.  I don't have the expertise nor the willingness to try a bunch of different things in an attempt to get it to work reliably, so if there are any problems of that nature I'd like to know BEFORE suggesting a router replacement.
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: elektroinside on April 01, 2018, 12:54:27 pm
I've been running 2 different OpenVPN servers on 2 different OPNsense deployments in 2 different cities without any issues (road warrior setup). Stable, not a single disconnect, hardened firewall rules.

That's all I can say about my OpenVPN servers.
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: comet on April 01, 2018, 06:20:31 pm
Quote from: elektroinside on April 01, 2018, 12:54:27 pm
> I've been running 2 different OpenVPN servers on 2 different OPNsense deployments in 2 different cities without any issues (road warrior setup). Stable, not a single disconnect, hardened firewall rules.
>
> That's all I can say about my OpenVPN servers.

Thank you.  That's exactly the sort of feedback I was looking for.  I am not sure what you mean by "hardened firewall rules", though.  But mainly I just wanted to know if people were running an OpenVPN server without having any issues, or any great difficulties in getting it working. Your comments are much appreciated!
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: Oxygen61 on April 01, 2018, 10:10:25 pm
The official OPNsense documentation is really good for an initial basic setup.
To take away some fear, I can promise you that you will get it working pretty fast, that's for sure. :)

But here is the second thought about VPN in general:
Sadly, as always and every time, things get harder and more difficult to configure the more features and settings you want to enable.
For VPN it's always easier to troubleshoot and configure Site-To-Site or Roadwarrior End-To-Site VPN if you are able to configure both sites, server and client. You are then able to look up error-logs or push settings and so on.
One heavy rabbit hole is the advanced settings for OpenVPN. You can heavily improve your security and performance or completely destroy your already working settings with these additional settings. :D

To get things into perspective:
My OpenVPN configuration, which differs extremely from yours, was done in 2 hours of work with just basic knowledge about OpenVPN and no knowledge at all about the OPNsense configurations I had to do. After 2 hours I had my OpenVPN configuration running and working. From there I started to analyze, improve the performance and harden the security settings, which took me another 1-2 months (!) until I was happy. In this time the VPN was always stable and working, but "just not perfect". :)

I hope that helped a little. :)
"Just do it" ;)

Oxy
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: elektroinside on April 01, 2018, 11:33:08 pm
1-2 months? Wow.. what did you tweak?
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: Oxygen61 on April 02, 2018, 03:26:03 am
I obviously did not work on it day-in and day-out but a fair amount of time. :D
1-2 hours every week, until everything got finished. :)

Basically I wanted to separate my VLAN_Subnets into two groups.
1 group that is allowed to use the outgoing VPN-tunnel traffic without leaks and
one guest VLAN Subnet group, which should leak intentionally for guest users or working from home users.

In the end, all the tiny settings and ticks I had to set or not set so that there was no leakage left and everything would be working as planned were a serious problem for me. Well, that took some time and nerves but finally worked in the end.
Title: Re: How difficult is it to get an OpenVPN server working, really?
Post by: elektroinside on April 02, 2018, 06:50:21 am
Yeah, that might take a while. Thanks!