Topics - conanTheRouter

#1
General Discussion / Tunnel specific sites over VPN?
November 18, 2018, 06:39:57 PM
Hi guys!

I know it is possible to tunnel different sites over VPN. But I'm stuck and don't know how to do it.

So how is it possible to just tunnel google.com over VPN, and how do I confirm that all traffic to google.com is passing the VPN?
#2
General Discussion / Route one IP over VPN?
June 25, 2018, 12:02:22 AM
Alright! Figured we could sort https://forum.opnsense.org/index.php?topic=4979.0 guide out so that it actually works. I have formatted it a bit and made some small changes to it. Hope this can be a discussion on solving the issues to get this working.

End state:

  • User can add client IP to alias list
  • Clients are routed through VPN
  • If VPN goes down, no Internet access to clients in alias list
  • All other clients are not routed through VPN
  • If VPN goes down, clients not listed in the alias list still have Internet access

My current machine is:
OPNsense 18.1.10-amd64
FreeBSD 11.1-RELEASE-p10
OpenSSL 1.0.2o 27 Mar 2018


Step 1:
Download your certificate from your VPN provider. You should as a minimum get a certificate, password and username.

Step 2:
Navigate to System > Trust > Authorities, "Add or import CA"
- Descriptive name: VPNCA (I use mullvad VPN)
- Certificate data: (paste the contents of your CA.crt file here)
- Certificate Private key: (paste the contents of your user.key file here) (if you have any!)
- Serial for next Certificate : None

SAVE

Step 3:
Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings: (some may differ depending on your VPN provider)

- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: UDP (check your ovpn file)
- Device Mode: tun (check your ovpn file)
- Interface: (Your WAN interface)
- Local port: 443 (check your ovpn file)
- Server Host or Address: 123.45.67.890 (check your ovpn file)
- Server Port: 443 (check your ovpn file)
- Server host name resolution: Ticked
- Description: "Name of your VPN Provider"

User Authentication Settings
- Username/pass: enter your username
- Renegotiate time: leave empty

Cryptographic Settings:

- TLS Authentication: unticked
- Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
- Client Certificate: None (Username and password required)
- Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit lock)
- Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
- Disable IPV6: Ticked
- Don't add/remove routes: ticked
- Advance Configuration: "Paste the below data into the field"
   
  persist-key;
  persist-tun;
  remote-cert-tls server;
  reneg-sec 0;
  sndbuf 524288;
  rcvbuf 524288;
  fast-io;
 
- Verbosity level: 3

SAVE

Step 5:
Check to see if your VPN connection is online,

Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words "Initialization Sequence Completed"

If you see "openvpn[36641]: MANAGEMENT: Client disconnected", that's okay, that's your client checking the status.

Step 6:
Navigate to Interfaces > Assignments
- Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
- Click the orange "+" button
- Tick Enable Interface and Save
- Description = VPN (note this is a "Virtual" interface, it's not referenced to a physical Ethernet port)
- IPV4 Configuration type = DHCP
- IPV6 = None
- Note: Leave all other settings as default (empty/unticked)

Step 7:
Navigate to Firewall > Aliases > View
- Add a new Alias
- Name: VPNTraffic
- Description : VPNTraffic
- Type: Host(s)
- First entry: 192.168.X.X

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing; the whole point of making aliases is important, and it won't work without them.

SAVE

Step 8:
Navigate to Firewall > NAT > Outbound

- Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
- Add a new rule

Rule 1.
(if not autogenerated)
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: any
- Source address: Single host or Network -> 127.0.0.0/8
- Destination port: other -> 500
- Static port: ticked
- Translation / target: Interface address
- Description: "Rule for ISAKMP - localhost to WAN"

Rule 2.
(if not autogenerated)
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: any
- Translation / target: Interface address
- Source address: Single host or Network -> 127.0.0.0/8
- Description: "Rule for - localhost to WAN"

Rule 3.
(if not autogenerated)
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: any
- Translation / target: Interface address
- Source address: Single host or Network -> 192.168.1.0/24
- Destination port: other -> 500
- Static port: ticked
- Description: "Rule for ISAKMP - LAN to WAN"

Rule 4.
(if not autogenerated)
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: any
- Translation / target: Interface address
- Source address: Single host or Network -> 192.168.1.0/24
- Description: "Rule - LAN to WAN"

Rule 5.
- Interface: VPN (The one you created in Step 6)
- Source: VPNTraffic ( The alias you created in Step 7)
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any

Rule 6. (Same as Rule 5, but....)
- Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
- Static Port: Ticked
NOTE: Leave ALL other options as default/any

Rule 7.
- Interface: VPN (The one you created in Step 6)
- Source: Single host or network, 127.0.0.0/8
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)

NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

APPLY SETTING

Step 9.
Navigate to Firewall > Rules > LAN

NOTE: The order of Rules from top to bottom on this page matter:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
- Interface: LAN
- TCP/IP Version: IPv4
- Source: VPNTraffic (Alias)
- Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)
- Advanced options: Set local tag: PIA_NO_WAN_EGRESS

Rule 2. (Copy the above rule)(Killswitch if OpenVPN client goes down)
- Advanced options: Set local tag: PIA_NO_WAN_EGRESS


Rule 3. (Pass all other traffic out via the default gateway "WAN")

- Interface: LAN
- TCP/IP Version: IPv4
- Source: Any
- Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway, the name might be different depending on your WAN connection method)

Apply settings

Step 10.
Navigate to Firewall > Rules > floating
Add new Rule

- Action: Block
- Interface: WAN
- Direction: out
- Direction: any
- Match local tag: PIA_NO_WAN_EGRESS



Todo:

  • Port forward through VPN
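An added check for the end state described above (and for the "how do I confirm" question in topic #1); this sh script is not part of the original post. It reads `pfctl -ss` output and flags any state whose pre-NAT source is an alias client but whose interface is not the OpenVPN client interface; the tunnel name ovpnc1 and the alias members 192.168.1.50/51 are assumed placeholders, and the state lines are constructed.

```shell
#!/bin/sh
# Leak check for the alias-routing setup (added example, not from the guide).
# A state for an alias client on any interface other than the tunnel means
# that client's traffic left the firewall by another path (e.g. WAN).
# Assumptions (placeholders, not from the guide): tunnel interface ovpnc1,
# alias members 192.168.1.50 and 192.168.1.51.

VPN_IF="ovpnc1"
VPN_CLIENTS="192.168.1.50 192.168.1.51"

# Constructed sample in pfctl -ss format: iface proto nat-src (orig-src) -> dst state.
# Third line is the leak: 192.168.1.51 has a state on em0 (WAN), not on ovpnc1.
# Fourth line is a non-alias client on WAN, which is expected and not reported.
SAMPLE_STATES='ovpnc1 tcp 10.8.0.5:51234 (192.168.1.50:51234) -> 172.217.0.46:443       ESTABLISHED:ESTABLISHED
ovpnc1 udp 10.8.0.5:40001 (192.168.1.50:40001) -> 10.8.0.1:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.5:51235 (192.168.1.51:51235) -> 172.217.0.46:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:51236 (192.168.1.20:51236) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED'

# find_leaks: stdin = pfctl -ss text; prints "iface client -> dst" for each leaked state.
find_leaks() {
    awk -v vpn_if="$VPN_IF" -v clients="$VPN_CLIENTS" '
    BEGIN { n = split(clients, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
    {
        # locate the direction arrow so lines with and without a NAT field both parse
        arrow = 0
        for (f = 1; f <= NF; f++) if ($f == "->" || $f == "<-") { arrow = f; break }
        if (arrow == 0) next
        src = $(arrow - 1)                       # "(orig:port)" when NAT applied, else "src:port"
        if (src ~ /^\(/) { sub(/^\(/, "", src); sub(/\)$/, "", src) }
        sub(/:[0-9]+$/, "", src)                 # drop the port, keep the client address
        if ((src in want) && $1 != vpn_if) print $1, src, "->", $(arrow + 1)
    }'
}

# count_leaks: number of leaked states in the sample; 0 is the desired end state.
count_leaks() {
    printf '%s\n' "$SAMPLE_STATES" | find_leaks | awk 'END { print NR }'
}

# On the firewall itself, run:  pfctl -ss | find_leaks
printf '%s\n' "$SAMPLE_STATES" | find_leaks
```

With the kill switch working, a VPN outage produces no WAN states for alias clients at all, because the floating block rule drops the tagged packets before a state is created.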
#3
Hi!

So when I add an OpenVPN connection it somehow breaks my Internet connection, without my tampering with any rules. Very strange. If I manually stop the VPN client, everything is back to normal!

Can someone explain this behavior?

#4
General Discussion / Block ads with alias?
June 17, 2018, 11:32:55 PM
Hi!

So I'm trying to block ads by adding aliases.

I have found this thread: https://forum.opnsense.org/index.php?topic=7207.msg32357#msg32357

I have added my list under "Firewall -> Aliases -> View", https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Then, according to the thread, I added a block rule under "Rules -> Floating". But, it doesn't work when visiting https://pi-hole.net/pages-to-test-ad-blocking-performance/

Can someone please tell me how the floating rule should be set up to work?