HOWTO - Routing Traffic over Private VPN

M4DM4NZ:
Hi Guys,

Below is a step-by-step guide to configuring OPNsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

===================================================================
Step 1:

Get all your certificate information together: (cert files supplied from your private VPN provider)

  - VPN_Provider.ovpn
  - CA.crt (Certificate Authority)
  - TA.key (OpenVPN Static key V1)
  - User.crt (User Certificate)
  - User.key (RSA Private Key)

===================================================================
Step 2:

Navigate to System > Trust > Authorities, "add or import CA"

 - Descriptive name: VPNCA
 - Certificate data: (paste the contents of your CA.crt file here)
 - Certificate Private key: (paste the contents of your user.key file here, AKA RSA Private Key)
 - Serial for next Certificate: None

SAVE

===================================================================
Step 3:

Navigate to System > Trust > Certificates, "add or import certificate"

 - Method: Import an existing Certificate
 - Descriptive name: none
 - Certificate data: (paste the data in your user.crt file here)
 - Private key data: Leave blank; otherwise enter your user.key data here. Mine was entered manually in the next step.

SAVE

===================================================================
Step 4:

Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings:(some may differ depending on your VPN provider)

 - Server Mode: Peer to Peer (SSL/TLS)
 - Protocol: UDP (check your ovpn file)
 - Device Mode: tun (check your ovpn file)
 - Interface: (Your WAN interface)
 - Local port: 443 (check your ovpn file)
 - Server Host or Address: 123.45.67.890 (check your ovpn file)
 - Server Port: 443 (check your ovpn file)
 - Server host name resolution: Ticked
 - Description: "Name of your VPN Provider"

Cryptographic Settings:

 - TLS Authentication: Ticked (paste the data in your ta.key file here, AKA OpenVPN Static key V1)
 - Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
 - Client Certificate: Select "Userkey CA:VPNCA *In Use"
 - Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit lock)
 - Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
 - Disable IPV6: Ticked
 - Advanced Configuration: "Paste the below data into the field"

     persist-key
     persist-tun
     remote-cert-tls server
     auth-nocache

 - Verbosity level: 3

SAVE

NOTE: The first time you enter this page, the "TLS Authentication" section to paste your ta.key does not show up until you've clicked Save. So go back to this menu after saving, and paste it in.

===================================================================
Step 5:

Check to see if your VPN connection is online,

 - Navigate to VPN > OpenVPN > Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words " Initialization Sequence Completed "
If you've come this far you're on the right track :)

===================================================================
Step 6:

 - Navigate to Interfaces > Assignments
 - Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
 - Click the orange "+" button
 - Tick Enable Interface and Save
 - Description = VPN (note this is a "virtual" interface; it's not referenced to a physical Ethernet port)
 - IPV4 Configuration type = DHCP
 - IPV6 = None
 - Note: Leave all other settings as default (empty/unticked)

===================================================================
Step 7.

 - Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host
 - First entry: 192.168.X.X

NOTE: (Enter the IP addresses of the computers/devices you want to be on the VPN here. I personally enter the IP address of the wireless router I have attached to my LAN. The wireless router has DHCP enabled, so all wireless devices connected to this access point have their traffic passed via the VPN.)

If you don't have a spare Wi-Fi router, you can manually add the IPs of computers on your network here.

My Network Map: WAN ---> OPNsense ---> LAN ---> Switch ---> Wi-Fi router running its own DHCP - - - -> "Wireless devices"

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing. The whole point of making aliases is important, and it won't work without them.

 - SAVE

===================================================================
Step 8:

OK, so here's the weird part. This had me going nuts for a while, but after a bottle of Jack Daniel's Tennessee Honey, it finally clicked!
You NEED to use aliases rather than specifying IP ranges directly. It makes all the difference for some reason, even though the concept is the same.

 - Navigate to Firewall > NAT > Outbound
 - Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
 - Add a new rule

Rule 1.
 - Interface: VPN (The one you created in Step 6)
 - Source: VPNTraffic (The alias you created in Step 7)
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any

Rule 2. (Same as Rule 1, but....)
 - Destination port: 500 (Select "Other" from the dropdown menu and enter 500 in the field)
 - Static Port: Ticked
 NOTE: Leave ALL other options as default/any

Rule 3.
 - Interface: VPN (The one you created in Step 6)
 - Source: Single host or network, 127.0.0.0 / 8
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any
 NOTE: Make sure the above rules are ABOVE your auto-generated WAN outbound rules when looking at the entire list from top to bottom.

 - Apply settings

===================================================================
Step 9.

 - Navigate to Firewall > Rules > LAN
NOTE: The order of Rules from top to bottom on this page matter:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: VPNTraffic (Alias)
 - Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffic out via the default gateway "WAN")

 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: Any
 - Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway; the name might be different depending on your WAN connection method)

- Apply settings

NOTE: All other tabs in my rules section, eg OPENVPN/VPN/WAN, are empty; NO RULES exist.
Your settings may differ, but that's the basic setup. Also, check:
https://www.dnsleaktest.com/ and
https://www.ipchicken.com/
after you've completed these steps.
===================================================================
DONE :)

If I've missed anything, feel free to troll ;)

Cheers
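Every Step 4 field tagged "check your ovpn file" can be read straight off the provider's profile. The following is an added example, not code from the original post or from OPNsense: a small Python parser for the .ovpn client-profile format that collects the directives and the inline <ca>/<cert>/<key>/<tls-auth> blocks and maps them onto the OPNsense client-form fields named in Steps 2 to 4. The sample profile, the host name vpn.example.net and the PEM contents are constructed placeholders, not a real provider's data.

```python
"""Extract the OPNsense OpenVPN-client settings from a provider .ovpn profile.

Added example. The sample profile below is constructed: host name, port and
every PEM block are placeholders, not real provider material."""

import re

# Constructed sample profile (placeholders only).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-USER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-USER-KEY
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks OpenVPN accepts and the place in the HOWTO each one is pasted.
INLINE_TAGS = {
    "ca": "Step 2 - Certificate data (CA.crt)",
    "cert": "Step 3 - Certificate data (User.crt)",
    "key": "Step 2/3 - Private key data (User.key)",
    "tls-auth": "Step 4 - TLS Authentication (TA.key)",
}

# Directives with no dedicated form field; they go into "Advanced Configuration".
PASSTHROUGH = ("persist-key", "persist-tun", "remote-cert-tls", "auth-nocache")


def parse_ovpn(text):
    """Return {'options': {directive: [[args], ...]}, 'inline': {tag: pem}}.

    Repeated directives (e.g. several 'remote' lines) are kept in file order.
    Inline blocks are copied verbatim between <tag> and </tag>."""
    options, inline = {}, {}
    current_tag, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag is not None:
            if line == "</%s>" % current_tag:
                inline[current_tag] = "\n".join(buf).strip()
                current_tag, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current_tag = m.group(1)
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    if current_tag is not None:
        raise ValueError("unterminated <%s> block" % current_tag)
    return {"options": options, "inline": inline}


def opnsense_client_fields(parsed):
    """Map a parsed profile onto the Step 4 form fields."""
    opts = parsed["options"]
    remote = opts.get("remote", [[None, "1194"]])[0]
    host = remote[0]
    port = remote[1] if len(remote) > 1 else "1194"
    # A protocol given on the 'remote' line overrides the global 'proto'.
    proto = remote[2] if len(remote) > 2 else opts.get("proto", [["udp"]])[0][0]
    return {
        "Protocol": proto.upper(),
        "Device Mode": opts.get("dev", [["tun"]])[0][0],
        "Server Host or Address": host,
        "Server Port": int(port),
        "Encryption": opts.get("cipher", [["BF-CBC"]])[0][0],  # OpenVPN's historic default
        "Auth Digest Algorithm": opts.get("auth", [["SHA1"]])[0][0],
        "TLS Authentication": "tls-auth" in parsed["inline"] or "tls-auth" in opts,
        "Key direction": opts.get("key-direction", [[None]])[0][0],
        "Advanced Configuration": [" ".join([k] + v)
                                   for k in PASSTHROUGH if k in opts for v in opts[k]],
    }


if __name__ == "__main__":
    profile = parse_ovpn(SAMPLE_OVPN)
    for field, value in opnsense_client_fields(profile).items():
        print("%-26s %s" % (field + ":", value))
    for tag, pem in profile["inline"].items():
        print("%-26s %d PEM lines" % (INLINE_TAGS.get(tag, tag) + ":", len(pem.splitlines())))
```

The parser deliberately keeps every repeated `remote` line rather than only the first, because providers often list several servers; only the first is mapped onto the single "Server Host or Address" field above.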


eptesicus:
This is fantastic! Thank you so much for the write-up. I just built a new router with the intention of doing this. I just set it up today when my gigabit internet connection was installed, and thanks to your write-up, I got VPN setup on my torrent server easily.

Do you have any issues with DNS leaks? Mine's failing DNS leak tests, and I'm curious how to combat that.

M4DM4NZ:
Thanks Eptesicus :)

Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.

Cheers :)

eptesicus:

--- Quote from: M4DM4NZ on May 11, 2017, 04:34:11 am ---Thanks Eptesicus :)

Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.

Cheers :)

--- End quote ---

I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.

Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!

M4DM4NZ:
Hey mate,

No, I haven't tried using other DNS providers besides my VPN provider, but I'll look into this.

I'm pretty sure when my VPN connection drops out (which doesn't happen that often) traffic to my torrent client just stops. I'll check my settings soon and post an update.

Cheers.
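The kill-switch question above comes down to how the Step 9 LAN rule list behaves when the VPN gateway is down. The following is an added example, not code from the thread or from OPNsense: a Python model of first-match-wins rule evaluation over the two LAN rules from Step 9, with constructed addresses standing in for the VPNTraffic alias. Two assumptions are labelled in the code: that a pass rule whose gateway is down keeps passing traffic via the default route unless the firewall's "skip rules when gateway is down" option is enabled, and that a kill switch is a block rule for the alias placed between the two pass rules. The anti-lockout rule is left out because it matches on destination, which the model does not track.

```python
"""Model of how the Step 9 LAN rules pick a gateway, and what happens to the
"VPNTraffic" hosts when the tunnel drops.

Added example. Assumptions (not from the post): first-match-wins evaluation;
a policy-routing rule whose gateway is down still passes traffic via the
default route unless "skip rules when gateway is down" is enabled; the kill
switch is a block rule between the two pass rules. Addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed alias table standing in for Step 7's "VPNTraffic" alias.
ALIASES = {"VPNTraffic": ["192.168.1.50", "192.168.1.60/32"]}


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    source: str                    # alias name, address/CIDR, or "any"
    gateway: Optional[str] = None  # policy-routing gateway; None = default route


def source_matches(rule_source: str, src_ip: str, aliases: Dict[str, List[str]]) -> bool:
    """Expand an alias (or literal network) and test the source address against it."""
    if rule_source == "any":
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in aliases.get(rule_source, [rule_source]))


def route_packet(rules: List[Rule], src_ip: str, gateway_up: Dict[str, bool],
                 aliases: Dict[str, List[str]] = ALIASES,
                 skip_rules_when_gateway_down: bool = False) -> Tuple[str, str]:
    """Walk the rules top to bottom; the first match decides.

    Returns ("pass", <gateway or 'default'>) or ("block", <rule name>)."""
    for rule in rules:
        if not source_matches(rule.source, src_ip, aliases):
            continue
        if rule.action == "block":
            return ("block", rule.name)
        if rule.gateway is not None and not gateway_up.get(rule.gateway, False):
            if skip_rules_when_gateway_down:
                continue  # rule is left out of the ruleset; keep looking
            # Gateway stripped from the rule: traffic leaks via the default route (WAN).
            return ("pass", "default")
        return ("pass", rule.gateway or "default")
    return ("block", "default deny")


# Step 9 as posted (anti-lockout rule omitted, see above).
LAN_RULES = [
    Rule("Rule 1", "pass", "VPNTraffic", "VPN_DHCP"),
    Rule("Rule 2", "pass", "any", "WAN_PPPoE"),
]

# Kill-switch variant (assumption): the block rule only takes effect once
# Rule 1 has been skipped, so it needs the skip-rules option as well.
KILL_SWITCH_RULES = [
    Rule("Rule 1", "pass", "VPNTraffic", "VPN_DHCP"),
    Rule("Kill switch", "block", "VPNTraffic"),
    Rule("Rule 2", "pass", "any", "WAN_PPPoE"),
]


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Evaluate the constructed hosts under tunnel-up, tunnel-down and mis-ordered rules."""
    up = {"VPN_DHCP": True, "WAN_PPPoE": True}
    tunnel_down = {"VPN_DHCP": False, "WAN_PPPoE": True}
    vpn_host, other_host = "192.168.1.50", "192.168.1.20"
    return {
        "vpn host, tunnel up": route_packet(LAN_RULES, vpn_host, up),
        "other host, tunnel up": route_packet(LAN_RULES, other_host, up),
        "vpn host, tunnel down": route_packet(LAN_RULES, vpn_host, tunnel_down),
        "vpn host, tunnel down, skip-rules only": route_packet(
            LAN_RULES, vpn_host, tunnel_down, skip_rules_when_gateway_down=True),
        "vpn host, tunnel down, kill switch": route_packet(
            KILL_SWITCH_RULES, vpn_host, tunnel_down, skip_rules_when_gateway_down=True),
        "vpn host, rules in wrong order": route_packet(list(reversed(LAN_RULES)), vpn_host, up),
    }


if __name__ == "__main__":
    for label, (verdict, via) in scenarios().items():
        print("%-42s -> %s via %s" % (label, verdict, via))
```

Running it shows the three outcomes that matter for the question above: with the tunnel down and no extra settings, the VPN host passes via the default route; with only the skip-rules option, it falls through to Rule 2 and still leaves via WAN; only the block rule plus the skip-rules option stops it. It also shows why the post stresses rule order: with Rule 2 above Rule 1, everything goes out the WAN even while the tunnel is up.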
