Topics - geofflowemn

#1
16.7 Legacy Series / Network/VPN design question
December 20, 2016, 12:18:34 AM
Greetings.

1) I have configured my home OPNsense firewall as an OpenVPN client connecting to my own Ubuntu OpenVPN server running in the cloud - a DigitalOcean droplet.

2) I have configured the firewall so that I can direct client traffic going through the firewall to exit through the WAN gateway or VPN gateway based on criteria defined in the firewall rules.

3) I am *NOT* pushing "redirect-gateway" or "dhcp-option DNS" commands from the VPN server to the firewall, though.  Thus, by default, traffic goes out the WAN gateway - not the VPN gateway - including *ALL* DNS queries.  However...

4) I have installed/configured "dnscrypt-proxy" on the firewall so that DNS queries go through the proxy (and are encrypted) to the DNS resolver of my choice.

I hope that is clear...


The idea is that I don't want client traffic that the firewall rules direct to exit through the WAN to depend on the VPN for DNS resolution - in case the VPN is down, for example.  But at the same time I want to protect the DNS queries from disclosure to my ISP.

So while I'm technically "leaking" the DNS queries for the client traffic that the firewall rules direct to exit through the VPN, those queries are protected with encryption.  And at the same time, I am also protecting the DNS queries for the client traffic that the firewall rules direct to exit through the WAN as well.


My question is this:  is this a reasonably secure design?  If not, why not?

Thanks and Merry Christmas!
#2
Hello.

I am relatively new to OPNsense, and I love it so far.  So much so that I made my first donation ($) to the project after only a few weeks of using it.  Thank you to the OPNsense team and community contributors on a great product!  I'm excited for the OPNsense future.

On to the question...

I am running OPNsense 16.7.10 in a VMware ESXi VM.
I also have an OpenVPN server running in the cloud (Ubuntu 16.04.1 Digital Ocean droplet).

My goal is to be able to selectively route traffic from devices behind the OPNsense firewall through either my regular ISP *or* the OpenVPN server to the internet.  In other words, I want to be able to have my traffic come from either my real IP address (the one provided by my ISP) OR from the IP address of my VPN server (provided by my Digital Ocean droplet).  I will use Firewall rules to enforce that decision.  I hope that's clear.

My internet searches yielded several articles, blog posts, etc. about how to do this (kind of) with a pfSense firewall and one article about how to do this with an OPNsense firewall.

Stitching bits-and-pieces from these sources together, I did get something to work!

HOWEVER, I'm not sure I understand 1) *how* it works, 2) if this is the best way to achieve my goal using OPNsense and OpenVPN, and 3) if I've configured things in the best, most robust and secure way (e.g. how to configure DNS so as not to leak queries for VPN-destined traffic on my non-VPN link, etc.).

1) In the configuration I got working, there now appear two new tabs in Firewall > Rules:  one I've called "DIGITALOCEAN" that represents the interface to the OpenVPN server droplet (i.e. it appears in the "Interfaces" listing) and one that's automagically created by OPNsense called "OPENVPN".

I don't have *ANY* rules in either of these tabs, but I can get traffic to flow either to the non-VPN link or VPN link using *only* LAN rules with either "WAN" or "DIGITALOCEAN" interface selected in the "Gateway" setting of the rule.  Is that right?  Can someone explain to me why that works?  Does it have to do with the changes to the Firewall > NAT > Outbound settings as outlined in the "HOW TO SETUP OPENVPN CLIENT ON OPNSENSE" article referenced at the end of this post?

2) Am I overlooking an approach that is obviously better than this approach?  I started to get nervous about it when I had such a hard time finding a guide about how to configure this.  But, I'm not the only one who has wanted to do this.  I started to wonder why there isn't an official OPNsense How to guide for this usage scenario?

I'm not looking for counterproposals like "use a commercial VPN vendor, duh" etc., but rather things like "you can do this better using a site-to-site OpenVPN tunnel, let me show you how" or "using IPSec is better, let me show you how."  But, so far, I'm kind of fond of this approach.

3) Lastly, I must admit that I have not hooked up a sniffer to verify that I *am* leaking DNS queries, but I've seen some references to changing the DNS servers listed in System > Settings > General - or at least changing the "Use gateway" setting next to them.  Or using or not using the OpenVPN features to push a new default gateway and DNS servers.  Or any combination of the above.  Maybe I can use dnsproxy instead and not worry about it?  I need someone who is more experienced to help me out here.

References:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/
http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/
https://wretmo.se/2016/01/24/how-to-setup-openvpn-client-on-opnsense/

I am happy to share my current configuration with the community if there is interest.

Thank you for the help!
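Both posts above come down to one verifiable claim: with dnscrypt-proxy on the firewall, no plaintext DNS should leave on the WAN, whichever gateway the LAN rules pick for a client's traffic. The poster says he has not yet put a sniffer on it. The script below is an added example, not part of either post or of OPNsense, showing how to audit that claim from `tcpdump -n` output captured on the WAN and on the OpenVPN client interface. The interface names (`em0`, `ovpnc1`), the resolver address and port that dnscrypt-proxy is assumed to talk to, and the captured lines are all constructed for the example; substitute your own. Note that captures on the egress interfaces are post-NAT, so a LAN device that bypasses the firewall's resolver and talks to 8.8.8.8 directly shows up here with the firewall's WAN address as source, which is exactly the kind of leak this catches.

```python
"""Audit tcpdump output for plaintext DNS leaving the firewall.

Added example for the OPNsense thread above; not code from the post or the
project.  Typical capture commands on the firewall (not run here):
    tcpdump -n -i em0    'udp port 53 or tcp port 53 or port 443' > wan.txt
    tcpdump -n -i ovpnc1 'udp port 53 or tcp port 53'             > vpn.txt
The parser below understands tcpdump's default IPv4 "-n" line format.
"""
import re
from collections import Counter

# Assumed names and addresses (constructed for this example).
WAN_IF = "em0"                               # interface toward the ISP
VPN_IF = "ovpnc1"                            # OpenVPN client tunnel to the droplet
DNSCRYPT_RESOLVER = ("198.51.100.2", 443)    # where dnscrypt-proxy sends encrypted queries

# "12:18:35.000000 IP 203.0.113.10.55555 > 8.8.8.8.53: 31337+ A? example.net. (29)"
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+):(.*)$")
QNAME_RE = re.compile(r"\b(?:A|AAAA|PTR|MX|TXT|CNAME|SRV)\? (\S+)")


def classify(iface, line):
    """Return (kind, qname) for one tcpdump line, or None if it is not an IPv4 flow line.

    kind is one of:
      "dnscrypt"           traffic to/from the dnscrypt-proxy resolver (expected, encrypted)
      "plaintext_dns_wan"  port 53 on the WAN: the ISP can read this query (leak)
      "plaintext_dns_vpn"  port 53 inside the tunnel: hidden from the ISP, visible to the droplet
      "other"              anything else
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
    if (dst, dport) == DNSCRYPT_RESOLVER or (src, sport) == DNSCRYPT_RESOLVER:
        return ("dnscrypt", None)
    if 53 in (sport, dport):
        q = QNAME_RE.search(rest)
        qname = q.group(1).rstrip(".") if q else None
        kind = "plaintext_dns_wan" if iface == WAN_IF else "plaintext_dns_vpn"
        return (kind, qname)
    return ("other", None)


def audit(captures):
    """captures: {interface_name: [tcpdump lines]} -> summary of what the ISP could see."""
    counts = Counter()
    leaked_names = []
    for iface, lines in captures.items():
        for line in lines:
            result = classify(iface, line)
            if result is None:
                continue
            kind, qname = result
            counts[kind] += 1
            if kind == "plaintext_dns_wan" and qname:
                leaked_names.append(qname)
    return {
        "counts": dict(counts),
        "leaked_names": leaked_names,
        "isp_sees_dns": counts["plaintext_dns_wan"] > 0,
    }


# Constructed sample captures: 203.0.113.10 is the firewall's WAN address,
# 10.8.0.2 its address on the tunnel.  The 8.8.8.8 line models a LAN device
# that ignores the firewall resolver and is NATed straight out the WAN.
SAMPLE_CAPTURES = {
    WAN_IF: [
        "12:18:34.100000 IP 203.0.113.10.41000 > 198.51.100.2.443: UDP, length 512",
        "12:18:34.150000 IP 198.51.100.2.443 > 203.0.113.10.41000: UDP, length 468",
        "12:18:34.200000 IP 203.0.113.10.50000 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
        "12:18:35.000000 IP 203.0.113.10.55555 > 8.8.8.8.53: 31337+ A? example.net. (29)",
    ],
    VPN_IF: [
        "12:18:36.000000 IP 10.8.0.2.50001 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
    ],
}

if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURES)
    print(report)
    if report["isp_sees_dns"]:
        print("LEAK: plaintext DNS on the WAN for:", ", ".join(report["leaked_names"]))
```

A clean run of the design described in the thread shows only `dnscrypt` and `other` on the WAN; any `plaintext_dns_wan` count means either the firewall resolver is not going through dnscrypt-proxy or a client is resolving on its own. `plaintext_dns_vpn` entries are not visible to the ISP, but they are visible to the droplet and its upstream, which is the trade-off the first post describes.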