Messages - geofflowemn

#1
Good write-up!  I'm sorry I never got back to this. My steps are mostly the same or equivalent.
#2
I'm having the exact same issue on a 16.7.x firewall I upgraded to 17.1.8 today.

Same log messages and apinger is red and won't start.
#3
I am on travel this week, so I'm not in a position to post anything at the moment.

Perhaps "loden_richard" can help, if your need is immediate.

Otherwise, I will try to put something together when I get back.
#4
I actually got it working too (on 16.7.x; I haven't tried to migrate it to 17.1.x yet).  It would be interesting to compare notes.

I wrote down the steps and have a fairly complete write-up, but it is documented in Microsoft OneNote (with screen shots and such), so I'm not sure the best way to share it with others.

I think *someone* ought to document our collective knowledge and try to get into the official OPNsense wiki.  It seems like it might be useful for others.
#5
16.7 Legacy Series / Network/VPN design question
December 20, 2016, 12:18:34 AM
Greetings.

1) I have configured my home OPNsense firewall as an OpenVPN client connecting to my own Ubuntu OpenVPN server running in the cloud - a DigitalOcean droplet.

2) I have configured the firewall so that I can direct client traffic going through the firewall to exit through the WAN gateway or VPN gateway based on criteria defined in the firewall rules.

3) I am *NOT* pushing "redirect-gateway" or "dhcp-option DNS" commands from the VPN server to the firewall, though.  Thus, by default, traffic goes out the WAN gateway - not the VPN gateway - including *ALL* DNS queries.  However...

4) I have installed/configured "dnscrypt-proxy" on the firewall so that DNS queries go through the proxy (and are encrypted) to the DNS resolver of my choice.

I hope that is clear...


The idea is that I don't want client traffic that the firewall rules direct to exit through the WAN to depend on the VPN for DNS resolution - in case the VPN is down, for example.  But at the same time I want to protect the DNS queries from disclosure to my ISP.

So while I'm technically "leaking" the DNS queries for the client traffic that the firewall rules direct to exit through the VPN, those queries are protected with encryption.  And at the same time, I am also protecting the DNS queries for the client traffic that the firewall rules direct to exit through the WAN as well.


My question is this:  is this a reasonably secure design?  If not, why not?

Thanks and Merry Christmas!
#6
Thanks for the great information.  It saved me a ton of time!   :)

1) I think there is a typo in this section:

Quote:
Next go to System-->Setting--->General---> Specify the dns servers at 127.0.0.1 127.0.0.2 and 127.0.0.3

I think it should read: 127.0.0.2, 127.0.0.3, and 127.0.0.4 to match your dnscrypt-proxy instances, right?

2) It is my understanding that adding commands like "ifconfig lo0 alias <blah>" into the rc.conf file is bad form.  I found that I could achieve the same result using OPNsense Virtual IPs:

Firewall > Virtual IPs > Settings
Mode:  IP Alias
Interface:  Localhost
Type:  Single address
Address:  127.0.0.2/32
Description:  dnscrypt-proxy

Repeat for 127.0.0.3, etc.

3) A question/clarification for this section:

Quote:
In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. I also specified the interface and set it to strict.

Which interface(s) did you specify here?  I assumed since it was set to "All" I had to instead set it to "Localhost", "LAN", "OPT1", etc - everything EXCEPT "All" and the virtual IP aliases I used.  And it seems to work that way.
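A quick way to confirm the layout from points 2 and 3 above once it is configured, added here as an example (it is not something posted in the thread): every loopback alias should have a dnscrypt-proxy listener on port 53, nothing else should have claimed those aliases, and the forwarder must not be bound to the wildcard address *:53 (what the "All" setting produces), because a wildcard bind covers the aliases too and dnscrypt-proxy cannot bind beside it. The script reads `sockstat -4 -l` output; the alias list 127.0.0.2-127.0.0.4 and checking udp4 only are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify the loopback listener layout
# after the virtual IPs, dnscrypt-proxy instances and the DNS forwarder are set up.
# Assumptions (not from the post): dnscrypt-proxy listens on UDP 53 at each alias
# below, and the forwarder is dnsmasq; override the list via the environment.

DNSCRYPT_ALIASES="${DNSCRYPT_ALIASES:-127.0.0.2 127.0.0.3 127.0.0.4}"

# Read `sockstat -4 -l` output on stdin.  Exit 0 when every alias has a
# dnscrypt-proxy listener on udp4 port 53 and nothing else has claimed the
# aliases; otherwise print one line per problem and exit 1.
check_listeners() {
    awk -v aliases="$1" '
        BEGIN { n = split(aliases, want, " ") }
        # sockstat columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        NR > 1 && $5 == "udp4" {
            # A forwarder bound to the wildcard address (the "All" setting)
            # owns port 53 on every alias too, so dnscrypt-proxy cannot bind.
            if ($6 == "*:53" && $2 !~ /^dnscrypt/) {
                print $2 " listens on *:53, which covers every loopback alias"
                bad = 1
            }
            for (i = 1; i <= n; i++) {
                if ($6 == (want[i] ":53")) {
                    if ($2 ~ /^dnscrypt/) have[want[i]] = 1
                    else { print "alias " want[i] ":53 taken by " $2; bad = 1 }
                }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) {
                    print "no dnscrypt-proxy listener on " want[i] ":53"
                    bad = 1
                }
            exit bad + 0
        }'
}

# Live check on the firewall (not exercised by the self-test below).
if [ "${1:-}" = "live" ]; then
    sockstat -4 -l | check_listeners "$DNSCRYPT_ALIASES"
fi
```

Run it as `sh check_listeners.sh live` on the firewall; a clean run prints nothing and exits 0. sockstat truncates the COMMAND column, so the match is on the "dnscrypt" prefix rather than the full process name, and TCP listeners are not checked.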
#7
Hello.

I am relatively new to OPNsense, and I love it so far.  So much so that I made my first donation ($) to the project after only a few weeks of using it.  Thank you to the OPNsense team and community contributors on a great product!  I'm excited for the OPNsense future.

On to the question...

I am running OPNsense 16.7.10 in a VMware ESXi VM.
I also have an OpenVPN server running in the cloud (Ubuntu 16.04.1 Digital Ocean droplet).

My goal is to be able to selectively route traffic from devices behind the OPNsense firewall through either my regular ISP *or* the OpenVPN server to the internet.  In other words, I want to be able to have my traffic come from either my real IP address (the one provided by my ISP) OR from the IP address of my VPN server (provided by my Digital Ocean droplet).  I will use Firewall rules to enforce that decision.  I hope that's clear.

My internet searches yielded several articles, blog posts, etc. about how to do this (kind of) with a pfSense firewall and one article about how to do this with an OPNsense firewall.

Stitching bits-and-pieces from these sources together, I did get something to work!

HOWEVER, I'm not sure I understand 1) *how* it works, 2) if this is the best way to achieve my goal using OPNsense and OpenVPN, and 3) if I've configured things in the best, most robust and secure way (e.g. how to configure DNS so as not to leak queries for VPN-destined traffic on my non-VPN link, etc.).

1) In the configuration I got working, there now appear two new tabs in Firewall > Rules:  one I've called "DIGITALOCEAN" that represents the interface to the OpenVPN server droplet (i.e. it appears in the "Interfaces" listing) and one that's automagically created by OPNsense called "OPENVPN".

I don't have *ANY* rules in either of these tabs, but I can get traffic to flow either to the non-VPN link or VPN link using *only* LAN rules with either "WAN" or "DIGITALOCEAN" interface selected in the "Gateway" setting of the rule.  Is that right?  Can someone explain to me why that works?  Does it have to do with the changes to the Firewall > NAT > Outbound settings as outlined in the "HOW TO SETUP OPENVPN CLIENT ON OPNSENSE" article referenced at the end of this post?

2) Am I overlooking an approach that is obviously better than this approach?  I started to get nervous about it when I had such a hard time finding a guide about how to configure this.  But, I'm not the only one who has wanted to do this.  I started to wonder why there isn't an official OPNsense How to guide for this usage scenario?

I'm not looking for counterproposals like "use a commercial VPN vendor, duh" etc., but rather things like "you can do this better using a site-to-site OpenVPN tunnel, let me show you how" or "using IPSec is better, let me show you how."  But, so far, I'm kind of fond of this approach.

3) Lastly, I must admit that I have not hooked up a sniffer to verify that I *am* leaking DNS queries, but I've seen some references to changing the DNS servers listed in System > Settings > General - or at least changing the "Use gateway" setting next to them.  Or using or not using the OpenVPN features to push a new default gateway and DNS servers.  Or any combination of the above.  Maybe I can use dnsproxy instead and not worry about it?  I need someone who is more experienced to help me out here.

References:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/
http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/
https://wretmo.se/2016/01/24/how-to-setup-openvpn-client-on-opnsense/

I am happy to share my current configuration with the community if there is interest.

Thank you for the help!
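On question 1 in the post above: two pf mechanisms make it work. A LAN rule with a Gateway selected is rendered as a pf rule carrying `route-to (<interface> <next-hop>)`, and because the rule is `quick`, the first matching rule decides the exit interface regardless of what the routing table says; the outbound NAT rule on the OpenVPN interface (`nat on ovpnc1 ... -> (ovpnc1)`) then rewrites the source address to the tunnel address, without which the packets would leave with the LAN address and the droplet would have no route back for the replies. The script below is added as an example (not code from the thread or from OPNsense): it reads `pfctl -sr` and `pfctl -sn` output and reports, for one LAN host, which exit its traffic takes and whether outbound NAT covers that exit. The interface names em0/em1/ovpnc1 and the sample rules in the self-test are assumed/constructed, and only IPv4 host and CIDR sources are handled.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: resolve which exit a LAN
# host gets from pf policy routing, and whether outbound NAT covers that exit.
# Assumed names (not from the post): LAN is em1, WAN is em0, the OpenVPN client
# interface is ovpnc1.  Only IPv4 host and CIDR sources are handled.

# awk helpers shared by both checks: dotted-quad to integer, and CIDR membership.
PF_AWK_LIB='
function ip2n(a,  q) { split(a, q, "."); return ((q[1]*256 + q[2])*256 + q[3])*256 + q[4] }
function matches(ip, net,  n, p, blk) {
    if (net == "any") return 1
    n = split(net, p, "/"); blk = 2 ^ (32 - (n == 2 ? p[2] : 32))
    return int(ip2n(ip) / blk) == int(ip2n(p[1]) / blk)
}'

# Read filter rules (pfctl -sr) on stdin; print the interface named in the
# route-to of the rule that passes traffic from $1 arriving on LAN interface $2,
# "default" when the matching rule has no route-to (routing table, i.e. WAN
# here), or "blocked" when no pass rule matches.  pf semantics: rules are
# evaluated in order and the last match wins unless a matching rule is "quick".
policy_gateway() {
    awk -v ip="$1" -v lan="$2" "$PF_AWK_LIB"'
        $1 == "pass" && $2 == "in" {
            iface = ""; src = "any"; gw = "default"; quick = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "on") iface = $(i + 1)
                else if ($i == "quick") quick = 1
                else if ($i == "route-to") { gw = $(i + 1); sub(/^\(/, "", gw) }
                else if ($i == "from") src = $(i + 1)
            }
            if (iface == lan && matches(ip, src)) { result = gw; if (quick) exit }
        }
        END { print (result == "" ? "blocked" : result) }'
}

# Read NAT rules (pfctl -sn) on stdin; exit 0 if some "nat on $2" rule
# translates traffic from $1, else exit 1.  Without such a rule on the tunnel
# interface the packets keep the LAN source address and the VPN server has no
# route back for the replies.
nat_covers() {
    awk -v ip="$1" -v out="$2" "$PF_AWK_LIB"'
        $1 == "nat" {
            iface = ""; src = "any"
            for (i = 2; i <= NF; i++) {
                if ($i == "on") iface = $(i + 1)
                else if ($i == "from") src = $(i + 1)
            }
            if (iface == out && matches(ip, src)) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Live use on the firewall (not exercised by the self-test), e.g.
#   sh pfpath.sh live 192.168.1.50
if [ "${1:-}" = "live" ]; then
    client="${2:?client IP}"
    gw=$(pfctl -sr | policy_gateway "$client" em1)
    [ "$gw" = "default" ] && out=em0 || out="$gw"
    echo "$client exits via $out"
    pfctl -sn | nat_covers "$client" "$out" && echo "outbound NAT on $out covers it" \
        || echo "WARNING: no outbound NAT on $out for $client"
fi
```

The "blocked" result is the default-deny case: a host with no matching pass rule on the LAN interface goes nowhere, which is also what you see when the rule order puts a narrower non-quick rule after a broader quick one.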
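On question 3 in the post above, and on the design question in the 16.7 post earlier on this page (whether the dnscrypt-proxy setup really keeps queries away from the ISP): the direct way to know is to capture port 53 on the WAN while a LAN client resolves a few names. With dnscrypt-proxy in front, the only port-53 traffic that should leave the WAN is to the dnscrypt resolver itself (some DNSCrypt resolvers listen on 53, so the port alone does not prove a leak); any other packet to port 53 is a plaintext query. The following script is added as an example and is not something posted in the thread; the WAN interface name em0 and the resolver address 198.51.100.5 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: count plaintext DNS leaving the WAN.
# Assumptions (not from the post): WAN is em0 and dnscrypt-proxy's upstream
# resolver is 198.51.100.5 (a documentation address); override both via the
# environment.  IPv6 ("IP6") lines are ignored.

WAN_IF="${WAN_IF:-em0}"
DNSCRYPT_RESOLVER="${DNSCRYPT_RESOLVER:-198.51.100.5}"

# Read `tcpdump -n` lines on stdin and print the number of IPv4 packets sent to
# port 53 of any host other than the dnscrypt resolver given as $1.  Replies
# (source port 53) and the encrypted traffic to the resolver are not counted.
count_plaintext_dns() {
    awk -v resolver="$1" '
        # tcpdump -n prints "<time> IP <src>.<sport> > <dst>.<dport>: ..."
        $2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)                  # drop the trailing colon
            n = split(dst, p, ".")              # p[1..4] = host, p[5] = port
            if (n == 5 && p[5] == "53") {
                host = p[1] "." p[2] "." p[3] "." p[4]
                if (host != resolver) leaks++
            }
        }
        END { print leaks + 0 }'
}

# Live check on the firewall (not exercised by the self-test): capture for $1
# seconds while a LAN client resolves a few names, then count what leaked.
check_wan_dns_leak() {
    seconds="${1:-15}"
    timeout "$seconds" tcpdump -n -l -i "$WAN_IF" 'port 53' 2>/dev/null \
        | count_plaintext_dns "$DNSCRYPT_RESOLVER"
}

if [ "${1:-}" = "live" ]; then
    n=$(check_wan_dns_leak "${2:-15}")
    if [ "$n" -eq 0 ]; then
        echo "no plaintext DNS left $WAN_IF"
    else
        echo "WARNING: $n plaintext DNS packets left $WAN_IF"
    fi
fi
```

If the count is not zero, rerun the tcpdump without the counter and read the lines: the `port 53` filter also catches inbound scans against the WAN's port 53, so look at the direction before calling it a leak. A zero count only covers the capture window, so run it while a client on each rule path (WAN and VPN) is actually resolving names.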