(SOLVED) ProtonVPN on OPNSense

Started by Patuff, February 07, 2022, 02:50:21 AM

February 07, 2022, 02:50:21 AM Last Edit: February 07, 2022, 01:56:19 PM by Patuff
Changed the explanation; maybe it is easier to understand where my problems are.

Hello everyone,

I am trying to set up ProtonVPN on OPNsense.
I followed this tutorial:
https://thehotelhero.com/opnsense-protonvpn-setup

I got the certificate done, status is up. The gateway setup should also be understandable.
What is meant by the part under NAT:
"Interface" should be changed to your VPN connection
There I selected my "ovpnc1" interface. In his example it is "ovpnc2", I guess, because he shows it on a second VPN interface he made. Am I right? I am a bit confused; he chose OpenVPN there. Why?

Select the interface that should have VPN under the "Source address"
As an example, I take LAN net because I want my whole LAN net to be on this VPN; is that right as well?

So what I do not understand is what is meant by the part
Other rules that

How do I have to set up those rules? I don't get it.
Now I have rules on my LAN net:

Pass
Source: LAN net
Destination: this Firewall
Port: 53 (DNS)

Pass
Source: LAN net
Destination: any
Port(s): 80,443 (HTTP,HTTPS)

If I change the gateway there to the gateway I made, I don't get any internet access.
What do I have to set in the rules?
Do I have to change the rules on the VPN interface? And if yes, which rules, and how do they have to be?

I am a bit lost here.


---- Old Post -----


Hello everyone,

I tried to follow the step-by-step tutorial from here:

https://thehotelhero.com/opnsense-protonvpn-setup

But I don't get it. What about the step "Other rules that"? Where do I have to set rules, and which ones exactly? Whatever I tried, my connected devices just don't get access to the internet.

Perhaps I understood a step wrong. I followed them one by one.
Do you guys need any pictures of the steps I did?
I get shown the uplink after using my ProtonVPN account data, as he said. Assigning an interface isn't that hard. Changing to hybrid and setting those rules isn't hard either.

Thank you!

This is marked as SOLVED, did you get it working? I have/had this working until the last day or so. I have a connection to US that has stopped working; the second connection to NL seems to be working at this time.

Works fine here. Sounds like an isolated server that is down.
Add more remote servers to reconnect to so you don't have downtime.

Is there a way to decide which internal IPs can use the VPN?

I have about 20 devices connected to my LAN, and I'd like just a couple of those devices to use the VPN; is it feasible?

Tia.

Quote from: hushcoden on May 29, 2022, 07:58:00 PM
Is there a way to decide which internal IPs can use the VPN?

I have about 20 devices connected to my LAN, and I'd like just a couple of those devices to use the VPN; is it feasible?

Tia.

Yes, it is. Just use firewall rules with the client IP as source and select the ProtonVPN gateway in that rule.

https://protonvpn.com/support/pfsense-2-5-x-vpn-setup/
BR


As with the other people in this post, I followed the same post: https://thehotelhero.com/opnsense-protonvpn-setup. Unfortunately, when I go to VPN -> OpenVPN -> Connection Status it just says "connecting"... but never connects. Has anyone else encountered this issue? I was able to complete the setup, but no traffic passes through the VPN. My belief is that it has to do with the above-mentioned status. Can anyone point me in the right direction? I'm thiiiis close to getting it to work :-\

Can someone maybe add a summary of the firewall rules they had to add? I think I have completed steps 1-7 and 9-10 correctly, but I'm not sure about 8.
In my LAN rules I had a rule allowing everything !RFC1918 and then punched holes through that rule to allow some packets to go around the private subnets, e.g. allow LAN net to be able to access local DNS, etc.

But now, adding another rule, I am not sure where to put it exactly.

May 07, 2023, 04:12:14 PM #8 Last Edit: May 07, 2023, 05:19:03 PM by hushcoden
I'm also trying to follow the steps as per that link, but as soon as I save the VPN client (step 8) all my LAN devices stop connecting to the Internet. Why is that?

Also:
a. Where is the kill switch feature?
b. How do I avoid DNS leaks?

Tia.

May 08, 2023, 12:41:45 PM #9 Last Edit: May 08, 2023, 02:17:07 PM by hushcoden
One step ahead: I checked the option 'Don't pull routes' in the OpenVPN client section and my LAN devices are now connected to the Internet via default gateway, so far so good.

What I want to achieve is to route the devices connected to another port (LAN2) of my OPNsense appliance through ProtonVPN.

After creating the VPN client, I assigned the interface, I created two Outbound rules as per this guide, and one 'allow any' rule in the LAN2 section, but still the devices connected to LAN2 have no Internet. Can anyone suggest anything, please?

Tia.

EDIT: Found the error in the firewall rule, it works.

@hushcoden, you might want to check if you have working "kill switch" functionality. If you can still access internet resources from LAN2 when ProtonVPN is down, you don't.

To add the functionality, add another firewall rule to your LAN2 interface (Firewall: Rules: LAN2) under the existing rule which uses the ProtonVPN gateway. The action for this rule should be "Block" and the gateway should be "*", but otherwise identical. That way, when your ProtonVPN gateway is down, the next matching rule is to block the traffic on that interface.

You can also do the same for devices on your LAN by specifying source address(es) or alias(es) in your LAN interface rules for any devices you want to use ProtonVPN, and have two rules, one allowing access via the ProtonVPN gateway and the other blocking access via any other gateway. By doing so, you could consolidate your interfaces, but whether or not that is appropriate for your environment is something you would need to assess.

I generally use a Network(s) or Host(s) alias (or a combination of the two) with all the devices I want to access the internet via a VPN and then use that in the above-mentioned rules.

May 08, 2023, 07:25:10 PM #11 Last Edit: May 09, 2023, 10:51:09 AM by hushcoden
Thanks @benyamin, much appreciated. I did create the kill switch functionality by following this guide, but I'm too much of a newbie to understand which one is better; would you mind confirming? ::)

Thanks.

EDIT: Actually yours makes more sense  8)

I think the main difference is that in the solution you posted, all devices with a private (RFC1918) IP address are blocked from accessing the internet directly. If you want to permit some devices to bypass the VPN, you would need to populate the alias with the addresses of just the devices you don't want to bypass the VPN rather than the whole RFC1918 address space.

Otherwise, it's six of one and half a dozen of the other, in a whole range of different scenarios, including but not limited to multi-WAN deployments (additional interfaces are checked in the floating rule), multi-VPN deployments (where devices can fail through a list of VPNs), etc. I'm pretty sure my solution could be configured for multiple interfaces as a floating rule too.

I'm not a big fan of inverting rules or using advanced options on rules, but that's just my preference. It's certainly an elegant if not intuitive solution.

As best as I can tell they are pretty much the same. Someone else might have a different opinion...
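To make the comparison above concrete, here is an added Python model (not code from this thread or from OPNsense) that evaluates an ordered rule list first-match, the way OPNsense interface rules are evaluated, and shows what happens to two constructed LAN hosts under each design when the ProtonVPN gateway is down. It assumes the "skip rules when gateway is down" behaviour, i.e. a pass rule whose gateway is down is skipped rather than routed via the default gateway; the alias, LAN range and gateway name are constructed sample values.

```python
# Added illustration (not OPNsense code): first-match evaluation of an ordered rule
# list, comparing the two kill-switch designs discussed above. Assumes a rule whose
# gateway is down is skipped (OPNsense "skip rules when gateway is down" behaviour).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = [ip_network("192.168.1.0/24")]                                   # constructed LAN
VPN_HOSTS = [ip_network("192.168.1.50/32"), ip_network("192.168.1.51/32")]  # the alias


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    source: list                   # networks the source address must fall in
    gateway: Optional[str] = None  # None stands for "*" (default routing)


def evaluate(rules, src_ip, gateways_up):
    """Return 'pass via <gw>', 'pass via default' or 'block' for traffic from src_ip."""
    src = ip_address(src_ip)
    for rule in rules:
        if not any(src in net for net in rule.source):
            continue
        if rule.gateway is not None and rule.gateway not in gateways_up:
            continue                     # gateway down: rule skipped, fall through
        if rule.action == "block":
            return "block"
        return f"pass via {rule.gateway or 'default'}"
    return "block"                       # implicit default deny


# Design A (per-alias, as described above): pass the alias via ProtonVPN, block the
# same alias with gateway "*", then the ordinary LAN pass rule.
RULES_A = [Rule("pass", VPN_HOSTS, gateway="ProtonVPN_GW"),
           Rule("block", VPN_HOSTS),
           Rule("pass", LAN)]
# Design B (the linked guide as characterised above): pass the alias via ProtonVPN,
# then block every RFC1918 source from using any other gateway.
RULES_B = [Rule("pass", VPN_HOSTS, gateway="ProtonVPN_GW"),
           Rule("block", RFC1918),
           Rule("pass", LAN)]

if __name__ == "__main__":
    for label, rules in (("A", RULES_A), ("B", RULES_B)):
        for host, up in (("192.168.1.50", set()), ("192.168.1.20", set())):
            print(f"design {label}, {host}, VPN down: {evaluate(rules, host, up)}")
```

With the gateway down, design A blocks only the alias hosts while 192.168.1.20 still reaches the internet via the default gateway, whereas design B blocks 192.168.1.20 as well, which is the difference pointed out above. If the skip-rules-on-gateway-down behaviour is not in effect, the first pass rule would instead send the alias hosts out via the default gateway and neither design would act as a kill switch.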

As said, I'll use yours as it better suits my case, many thanks again.

Also, do I need the ISAKMP NAT rule as per the ProtonVPN guide for pfSense here? I thought it's needed for IPsec only?

Tia.

No, the ISAKMP NAT rule is not required for OpenVPN connections.

Yes, it is only needed for IPsec tunnels.

Those were auto-generated rules in the pfSense guide. I cannot remember if OPNsense creates them too (due to IPsec being a standard VPN offering). I always delete them anyway (unless I'm using IPsec).