HOWTO - Routing Opnsense traffic over SurfsharkVPN
Topic: HOWTO - Routing Opnsense traffic over SurfsharkVPN (Read 23055 times)
nikkon, January 11, 2021, 12:04:57 am
Hi all,
This is my first time writing a howto; if there are inconsistencies just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only one of my local IPs (one jail in particular). So I decided to go with Surfshark VPN, and below is the step-by-step config:
Step 1
Create a Surfshark account and log in.
Once in, go to Manual Setup -> Manual -> Credentials. (Keep those safe.)
Switch back to Files and choose one of the servers you want (servers in the respective country you decide you will use as exit point).
Step 2
In Opnsense: go to System -> Trust -> Certificates.
Press the + Add button. Then fill the fields out like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:
-----BEGIN CERTIFICATE-----
MII3...
/UplsM=
-----END CERTIFICATE-----
This data can also be found in the CA & TLS certificates archive under the "Other configuration files" section of your Surfshark account.
Step 3
In Opnsense: under VPN -> OpenVPN -> Clients, add a new client:
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP on IPv4 only (you can also use TCP);
Device mode: tun – Layer 3 Tunnel Mode;
Interface: WAN; (whatever name your WAN interface has)
Local port: leave blank;
Server host or address: the server hostname you want to connect to, from the list of servers from Step 1;
Server port: 1194 (use 1443 if you use TCP, as I do);
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
Description: any name you like.
Remember to use your credentials from Step 1 (the ones advised to be kept safe).
Enable TLS Authentication for packets and use the following TLS Key:
-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
.......
e7279ff1a19cb092659e8c1860fbad0d
-----END OpenVPN Static key V1-----
TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or, as in my case, the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No preference
Add this under Advanced:
tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
Step 4
In Opnsense, go to Interfaces -> Assignment and add the interface ovpnc1 (in my case) to the interfaces, giving it a name (in my case simply Surfshark).
Once the interface is created: IPv4 Configuration Type: None
Step 4.1
If you want all your traffic to be routed via Surfshark, then select this newly created interface as the outgoing interface for DNS (Unbound & any other resolver).
In order for the DNS to work, you need to:
* check Forwarding Mode
* uncheck DNSSEC support
* Services -> Unbound DNS -> Advanced: check both Hide Identity & Hide Version
Step 5
Firewall -> NAT -> Outbound: change from "Automatic outbound NAT rule generation (no manual rules can be used)" to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)".
Add one rule:
Interface: Surfshark
Source: <local host you want to route>
Source Port: <ports you want to route>
Destination: *
Destination Port: *
NAT Address: Interface address
NAT Port: *
Static Port: NO
Description: SurfSharkVPN
# this will apply only to 1 host in your network
If you want to route all your traffic, simply replace the source with the IP address of your LAN interface (192.168.1.1/24 as an example).
Step 6
Firewall -> Rules -> Surfshark
Protocol: IPv4 *
Source: Lan_Wired net
Port: *
Destination: <my specific host>
Port: *
Gateway: SURFSHARK_VPNV4
Schedule: *
Description: VPN allow traffic
Firewall -> Rules -> Lan
Protocol: IPv4 *
Source: <my specific host>
Port: *
Destination: *
Port: *
Gateway: SURFSHARK_VPNV4
Schedule: *
Description: gateway VPN
Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4
Step 8
Check the connection - VPN-> OpenVPN-> Log File & VPN-> OpenVPN-> Connection Status
I hope this will help.
Enjoy!
Last Edit: February 18, 2023, 11:49:21 pm by nikkon
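Steps 1 to 3 above amount to copying the CA certificate, the TLS-auth static key, the server host/port and the cipher settings out of the provider's .ovpn file into the OPNsense client form. The script below, an added example and not part of nikkon's post or of OPNsense, pulls those values out of a profile and sanity-checks the PEM framing before anything is pasted; the embedded profile is a constructed sample with a hypothetical host (vpn-exit.example.invalid) and placeholder key material, not a real Surfshark profile.

```python
"""Extract the OPNsense client-form values (Steps 1-3 of the HOWTO) from a
provider .ovpn profile and sanity-check them.  Added example; the profile
below is constructed with a hypothetical host and placeholder key material."""
import re

# Constructed sample profile (placeholder values, not real key material).
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn-exit.example.invalid 1194   # hypothetical exit server
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERCERTDATA
/UplsM=
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
e7279ff1a19cb092659e8c1860fbad0d
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def inline_block(text, tag):
    """Return the body of an inline <tag>...</tag> block, or None if absent."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", text, re.S)
    return m.group(1).strip() if m else None

def parse_ovpn(text):
    """Collect the directives the OPNsense client form needs."""
    # Drop inline blocks first so PEM lines are not mistaken for directives.
    directives = re.sub(r"<(\w[\w-]*)>.*?</\1>", "", text, flags=re.S)
    cfg = {"remotes": [], "proto": "udp", "cipher": None, "auth": None}
    for raw in directives.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # strip comments
        if not line:
            continue
        key, *args = line.split()
        if key == "remote" and args:
            port = int(args[1]) if len(args) > 1 else 1194   # OpenVPN default port
            cfg["remotes"].append((args[0], port))
        elif key == "proto" and args:
            cfg["proto"] = args[0].lower().rstrip("46")    # udp4/udp6 -> udp
        elif key in ("cipher", "auth") and args:
            cfg[key] = args[0]
    cfg["ca"] = inline_block(text, "ca")
    cfg["tls_auth"] = inline_block(text, "tls-auth")
    return cfg

def check_material(cfg):
    """Return the problems to fix before pasting anything into OPNsense."""
    problems = []
    if not cfg["remotes"]:
        problems.append("no 'remote' line: nothing to enter as Server host or address")
    ca = cfg["ca"] or ""
    if not (ca.startswith("-----BEGIN CERTIFICATE-----")
            and ca.endswith("-----END CERTIFICATE-----")):
        problems.append("<ca> block missing or not PEM-framed (Step 2 Certificate data)")
    ta = cfg["tls_auth"] or ""
    if not (ta.startswith("-----BEGIN OpenVPN Static key V1-----")
            and ta.endswith("-----END OpenVPN Static key V1-----")):
        problems.append("<tls-auth> block missing (Step 3 TLS Key)")
    return problems

def opnsense_fields(cfg):
    """Map the parsed profile onto the HOWTO's field names (first remote shown;
    with remote-random the others are alternates for the same field)."""
    host, port = cfg["remotes"][0]
    return {
        "Step 2 / Certificate data": cfg["ca"],
        "Step 3 / Protocol": f"{cfg['proto'].upper()} on IPv4 only",
        "Step 3 / Server host or address": host,
        "Step 3 / Server port": port,
        "Step 3 / TLS Key": cfg["tls_auth"],
        "Step 3 / Encryption Algorithm": cfg["cipher"],
        "Step 3 / Auth digest algorithm": cfg["auth"],
    }

if __name__ == "__main__":
    parsed = parse_ovpn(SAMPLE_OVPN)
    for problem in check_material(parsed):
        print("PROBLEM:", problem)
    for field, value in opnsense_fields(parsed).items():
        print(f"{field}: {value}")
```

Run it against the downloaded profile instead of the sample (read the file into `parse_ovpn`) and paste the printed values; a non-empty problem list means the profile is incomplete and the client should not be created from it.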
Mondmann, Reply #1, January 15, 2021, 10:27:41 pm
@nikkon
Step number 3:
* Don't pull routes: check
This causes me to get an IP checker error. Test here: https://surfshark.com/what-is-my-ip
Shouldn't it, according to Surfshark's manual (read here: https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark), be like this?
* Don't pull routes: uncheck
Greetings from Germany
nikkon, Reply #2, January 16, 2021, 12:10:22 am
Hi,
If you route all your traffic, or one entire network, then I believe it makes sense not to check it.
I only need one IP to be routed, and this was the only way.
However, note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
All the best from Amsterdam
mkono87, Reply #3, January 18, 2021, 01:56:29 am
Hey, thanks for the guide. I had a similar setup to yours, but for some reason it would kill NAT reflection. I have some hosted services that I use my domain to access internally. I ended up finding this guide, which is working, but its setup is a bit weird, using private address rules. Mind you, it's for pfSense, but basically the same.
https://crepaldi.us/2020/08/30/setting-up-vpn-client-on-your-pfsense-surfshark/
With your method, should I be able to use NAT reflection still?
nikkon, Reply #4, January 24, 2021, 01:11:40 am
I believe you could use it too.
nikkon, Reply #5, January 21, 2022, 11:19:34 am
Something happened after the last update.
I cannot route one internal IP through the VPN tunnel anymore.
Does it work for the rest of you?
panks21, Reply #6, April 19, 2022, 06:39:39 pm
Is it working for anyone post upgrade to 22.1.6?
For me the SURFSHARK_VPNV4 gateway is not marked as active. Hence no internet for the clients.
nikkon, Reply #7, April 19, 2022, 10:13:28 pm
Mine looks active, but no internet for clients as well.
Investigating.
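Replies #6 and #7 describe the symptom the HOWTO's Step 8 is meant to catch: the client looks up, yet clients behind the rule have no internet. The first thing to separate is whether the OpenVPN client itself completed its handshake or is silently restarting. The script below is an added example (not part of any post in this thread and not an OPNsense tool): it classifies OpenVPN client log lines into the usual failure modes and points back to the HOWTO step to re-check. The two log excerpts are constructed; the message texts inside them are OpenVPN's own, the timestamps, PID and the 203.0.113.10 address are placeholders.

```python
"""Classify OpenVPN client log lines (Step 8: VPN -> OpenVPN -> Log File) into
failure modes and map each to the HOWTO step to revisit.  Added example; the
log excerpts are constructed, only the message texts are OpenVPN's own."""
import re

# Known OpenVPN client messages -> (category, which HOWTO step to revisit).
PATTERNS = [
    (r"Initialization Sequence Completed", "up",
     "tunnel is up; if clients still have no internet, re-check the Step 5 "
     "outbound NAT rule, the Step 6 gateway rule and the Step 7 DNS gateway"),
    (r"AUTH_FAILED", "auth",
     "provider rejected the login: re-enter the Step 1 credentials"),
    (r"TLS Error: TLS key negotiation failed|TLS Error: TLS handshake failed", "tls",
     "no TLS handshake: verify the Step 3 TLS key, server host/port and protocol"),
    (r"VERIFY ERROR|certificate verify failed", "ca",
     "server certificate not trusted: verify the Step 2 CA import and the "
     "'Peer certificate authority' selection"),
    (r"Options error", "options",
     "a directive was rejected: check the Step 3 Advanced box line by line"),
    (r"SIGUSR1\[.*\] received, process restarting", "restart",
     "tunnel restarted; the cause is in the lines just before this one"),
]

# Constructed excerpts (the line prefix is immaterial; only the message is matched).
FAILED_LOG = """\
2022-04-19T21:55:01 openvpn[1234]: UDP link remote: [AF_INET]203.0.113.10:1194
2022-04-19T21:56:01 openvpn[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-04-19T21:56:01 openvpn[1234]: TLS Error: TLS handshake failed
2022-04-19T21:56:01 openvpn[1234]: SIGUSR1[soft,tls-error] received, process restarting
"""
OK_LOG = """\
2022-04-19T21:57:10 openvpn[1234]: UDP link remote: [AF_INET]203.0.113.10:1194
2022-04-19T21:57:11 openvpn[1234]: [vpn-exit.example.invalid] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
2022-04-19T21:57:13 openvpn[1234]: Initialization Sequence Completed
"""

def diagnose(lines):
    """Return the tunnel state after the last line plus de-duplicated findings."""
    connected = False
    findings = []
    for line in lines:
        for pattern, category, hint in PATTERNS:
            if re.search(pattern, line):
                if category == "up":
                    connected = True
                else:
                    connected = False            # a later error supersedes success
                    if category not in [c for c, _ in findings]:
                        findings.append((category, hint))
                break
    return {"connected": connected, "findings": findings}

def report(text):
    """Human-readable summary for one log excerpt."""
    result = diagnose(text.splitlines())
    out = ["tunnel connected" if result["connected"] else "tunnel NOT connected"]
    out += [f"- {cat}: {hint}" for cat, hint in result["findings"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(FAILED_LOG))
    print()
    print(report(OK_LOG))
```

If the log ends in "Initialization Sequence Completed" and clients still have no connectivity, the OpenVPN side is not the problem and the NAT, policy-routing and DNS steps are where to look, which is consistent with the DNS finding in Reply #9.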
panks21, Reply #8, April 25, 2022, 04:51:49 pm
Please do share your investigation outcome!
nikkon, Reply #9, April 26, 2022, 07:56:51 pm
Seems DNS related. If I add the interface in Unbound under the list of served interfaces, it works.
However, I want to use specific DNS fw for this interface, and I define them manually on the clients.
Still working on understanding the issue.
cardins2u, Reply #10, March 29, 2024, 01:32:23 pm
Thank you. This is awesome! Got me up and running.