HOWTO - Routing Traffic over Private VPN

Started by M4DM4NZ, April 10, 2017, 01:34:53 PM

April 10, 2017, 01:34:53 PM Last Edit: February 18, 2018, 11:56:54 PM by M4DM4NZ
Hi Guys,

Below is a step by step guide to configuring OPNsense 17.1.4 to route LAN traffic out via your private VPN provider.
(In my case, AirVPN)

I have a setup where I want all computers on my LAN to have a direct connection to the Internet, but "Some" computers I want connected to the VPN *cough torrenting cough *

===================================================================
Step 1:

Get all your certificate information together: (cert files supplied from your private VPN provider)

  - VPN_Provider.ovpn
  - CA.crt (Certificate Authority)
  - TA.key (OpenVPN Static key V1)
  - User.crt (User Certificate)
  - User.key (RSA Private Key)

===================================================================
Step 2:

Navigate to System > Trust > Authorities, "add or import CA"

- Descriptive name: VPNCA
- Certificate data: (paste the contents of your CA.crt file here)
- Certificate Private key: (paste the contents of your user.key file here, AKA RSA Private Key)
- Serial for next Certificate : None

SAVE

===================================================================
Step 3:

Navigate to System > Trust > Certificates, "add or import certificate"

- Method: Import an existing Certificate
- Descriptive name: none
- Certificate data: (paste the data in your user.crt file here)
- Private key data: Leave blank, otherwise enter your user.key data here, mine was manually entered in on the next step.

SAVE

===================================================================
Step 4:

Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings:(some may differ depending on your VPN provider)

- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: UDP (check your ovpn file)
- Device Mode: tun (check your ovpn file)
- Interface: (Your WAN interface)
- Local port:443 (check your ovpn file)
- Server Host or Address: 123.45.67.890 (check your ovpn file)
- Server Port: 443 (check your ovpn file)
- Server host name resolution: Ticked
- Description: "Name of your VPN Provider"

Cryptographic Settings:

- TLS Authentication: Ticked (paste the data in your ta.key file here, AKA OpenVPN Static key V1)
- Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
- Client Certificate: Select "Userkey CA:VPNCA *In Use"
- Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit block)
- Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
- Disable IPV6: Ticked
- Advanced Configuration: "Paste the below data into the field"
   
   persist-key
   persist-tun
   remote-cert-tls server
   auth-nocache
 
- Verbosity level: 3

SAVE

NOTE: The first time you enter this page, the "TLS Authentication" section to paste your ta.key does not show up until you've clicked save. So go back to this menu after saving, and paste it in.

===================================================================
Step 5:

Check to see if your VPN connection is online,

- Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words " Initialization Sequence Completed "
If you've come this far you're on the right track :)

===================================================================
Step 6:

- Navigate to Interfaces > Assignments
- Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
- Click the orange "+" button
- Tick Enable Interface and Save
- Description = VPN (note this is a "Virtual" interface, it's not referenced to a physical Ethernet port)
- IPV4 Configuration type = DHCP
- IPV6 = None
- Note: Leave all other settings as default (empty/unticked)

===================================================================
Step 7.

- Navigate to Firewall > Aliases > View
- Add a new Alias
- Name: VPNTraffic
- Description : VPNTraffic
- Type: Host:
- First entry: 192.168.X.X

NOTE: (enter the IP address of Computers/devices you want to be on the VPN here. I personally enter the IP address of my Wireless router I have attached to my LAN, The wireless router has DHCP enabled so all wireless devices connected to this access point have their traffic passed via the VPN )

If you don't have a spare Wifi router, you can manually add IPs to computers on your network here.

My Network Map:  WAN--->Opnsense--->LAN--->Switch--->Wifi router running its own DHCP - - - -> "Wireless devices"

!!!WARNING!!! Don't dodge this step, even if you think you know what I'm doing, the whole point of making aliases is important, and it won't work without them.

- SAVE
===================================================================
Step 8:

Ok so here's the weird part. This had me going nuts for a while, but after a bottle of Jack Daniel's Tennessee Honey, it finally clicked!
You NEED to use aliases rather than specifying IP ranges directly; it makes all the difference for some reason, even though the concept is the same.

- Navigate to Firewall > NAT > Outbound
- Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
- Add a new rule

Rule 1.
- Interface: VPN (The one you created in Step 6)
- Source: VPNTraffic ( The alias you created in Step 7)
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any

Rule 2. (Same as Rule 1, but....)
- Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
- Static Port: Ticked
NOTE: Leave ALL other options as default/any

Rule 3.
- Interface: VPN (The one you created in Step 6)
- Source: Single host or network, 127.0.0.0 / 8
- Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

- Apply settings.
====================================================================
Step 9.

- Navigate to Firewall > Rules > LAN
NOTE: The order of Rules from top to bottom on this page matter:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
- Interface: LAN
- TCP/IP Version: IPv4
- Source: VPNTraffic (Alias)
- Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffic out via the default gateway "WAN")

- Interface: LAN
- TCP/IP Version: IPv4
- Source: Any
- Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway; the name might be different depending on your WAN connection method)

- Apply settings

NOTE: All other tabs in my rules section eg OPENVPN/VPN/WAN are empty, NO RULES exist.
Your settings may differ, but that's the basic setup. Also, check:
https://www.dnsleaktest.com/ and
https://www.ipchicken.com/
after you've completed these steps.
=================================================================
DONE :)

If I've missed anything, feel free to troll ;)

Cheers
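Step 1 and Step 4 both say to take values from the provider's .ovpn file, and many providers ship a single profile with the CA, user certificate, private key and TLS-auth key inline rather than as the separate files Step 1 lists. The script below is an added example, not part of the original post and not from OPNsense or AirVPN: it reads a constructed AirVPN-style profile (placeholder certificate bodies, RFC 5737 documentation address 203.0.113.10), prints the Step 4 settings in "field=value" form, and splits the inline blocks into CA.crt, User.crt, User.key and TA.key. It needs only POSIX sh and awk, so it runs on the OPNsense box or any Linux/BSD host.

```sh
#!/bin/sh
# Added example (not from the original post, OPNsense or AirVPN): extract the
# values Step 4 tells you to "check your ovpn file" for, and split inline
# <ca>/<cert>/<key>/<tls-auth> blocks into the separate files Step 1 expects.

# Constructed sample profile: certificate/key bodies are placeholders and the
# server is the documentation address 203.0.113.10, not a real VPN endpoint.
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAplaceholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedUserCertPlaceholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedPrivateKeyPlaceholder
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefconstructedplaceholder
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1'

# ovpn_setting FILE DIRECTIVE -> the directive arguments (first match only),
# ignoring any line that sits inside a <tag>...</tag> block.
ovpn_setting() {
  awk -v key="$2" '
    /^<[a-z-]+>$/   { inblock = 1; next }
    /^<\/[a-z-]+>$/ { inblock = 0; next }
    !inblock && $1 == key { sub(/^[^ \t]+[ \t]*/, ""); print; exit }
  ' "$1"
}

# ovpn_summary FILE -> one "field=value" line per Step 4 setting.
ovpn_summary() {
  file=$1
  set -- $(ovpn_setting "$file" remote)     # remote HOST [PORT [PROTO]]
  printf 'protocol=%s\n'      "$(ovpn_setting "$file" proto)"
  printf 'device=%s\n'        "$(ovpn_setting "$file" dev)"
  printf 'server_host=%s\n'   "$1"
  printf 'server_port=%s\n'   "${2:-1194}"  # OpenVPN default when omitted
  printf 'encryption=%s\n'    "$(ovpn_setting "$file" cipher)"
  printf 'auth_digest=%s\n'   "$(ovpn_setting "$file" auth)"
  printf 'key_direction=%s\n' "$(ovpn_setting "$file" key-direction)"
}

# ovpn_extract FILE TAG OUTFILE -> body of <TAG>...</TAG> written to OUTFILE.
ovpn_extract() {
  awk -v tag="$2" '
    $0 == ("<" tag ">")  { inblock = 1; next }
    $0 == ("</" tag ">") { inblock = 0 }
    inblock { print }
  ' "$1" > "$3"
}

# ovpn_split FILE DIR -> CA.crt, User.crt, User.key, TA.key as named in Step 1.
ovpn_split() {
  mkdir -p "$2"
  ovpn_extract "$1" ca       "$2/CA.crt"
  ovpn_extract "$1" cert     "$2/User.crt"
  ovpn_extract "$1" key      "$2/User.key"
  ovpn_extract "$1" tls-auth "$2/TA.key"
  chmod 600 "$2/User.key" "$2/TA.key"   # private material stays owner-only
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_OVPN" > "$demo_dir/provider.ovpn"
ovpn_summary "$demo_dir/provider.ovpn"
ovpn_split "$demo_dir/provider.ovpn" "$demo_dir/out"
ls -l "$demo_dir/out"
```

The key_direction value is the one to match against the TLS Authentication key direction when OPNsense asks for it; a profile that uses tls-crypt instead of tls-auth has no key-direction line and the function prints an empty value, which is your cue that the Step 4 TLS Authentication field needs the tls-crypt mode instead. Keep the extracted User.key and TA.key off shared storage and delete them once they are pasted into the firewall.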



This is fantastic! Thank you so much for the write-up. I just built a new router with the intention of doing this. I just set it up today when my gigabit internet connection was installed, and thanks to your write-up, I got VPN setup on my torrent server easily.

Do you have any issues with DNS leaks? Mine's failing DNS leak tests, and I'm curious how to combat that.

Thanks Eptesicus :)

Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.

Cheers :)

Quote from: M4DM4NZ on May 11, 2017, 04:34:11 AM
Thanks Eptesicus :)

Yeah I tested the DNS leak on my setup using dnsleaktest.com and found no issues, my results pointed to the correct DNS server of my VPN Provider so I'm guessing your issue could be with your VPN provider.

Maybe try connecting another pc directly to the DMZ and installing the VPN client software supplied from your VPN Provider, then try the dnsleaktest.com again.

Cheers :)


I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.

Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!

Hey mate,

No, I haven't tried using other DNS providers besides my VPN provider, but I'll look into this.

I'm pretty sure when my VPN connection drops out (which doesn't happen that often) traffic to my torrent client just stops. I'll check my settings soon and post an update.

Cheers.

Hi

I have been trying to get this working, all the IP addresses I setup to go through the VPN work correctly. However any traffic not going via the VPN can not reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried everything seemed to connect correctly to the internet but I still could not reach anything and setting a manual IP and DNS did not work this time.

Is there any way to test why this is not working correctly?

thanks

I just want to clarify my understanding of step one. Are these the certs I created on the OpenVPN server on my remote host, or are these newly created ones made locally?

I just rolled my own OpenVPN install on my host using this guide: 

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04


and I'm trying the Adguard DNS entries: 

https://adguard.com/en/adguard-dns/overview.html


My ultimate dream is to somehow get the SSL bump configured either locally or at my remote host to block Outbrain/Taboola and all the other crap that loads on https sites I go to.     I could use some help architecting the overall solution, but first step is to route everything through VPN.

Hi Tsol,

The certs in step one are created by your VPN provider, ie. the ones you download from the particular VPN provider you're registered with.

Not sure about the Adguard DNS stuff, haven't had time to play with it much :/

Cheers

Quote from: pauld70 on May 25, 2017, 06:13:29 PM
Hi

I have been trying to get this working, all the IP addresses I setup to go through the VPN work correctly. However any traffic not going via the VPN can not reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static IP address with a DNS. The second time I tried everything seemed to connect correctly to the internet but I still could not reach anything and setting a manual IP and DNS did not work this time.

Is there any way to test why this is not working correctly?

thanks

Hi Pauld70,

Not sure what's going wrong there, but just to compare, I also have my DNS set to static using Google's DNS 8.8.8.8 as secondary and OPNsense's default IP 192.168.1.1 as the primary.

Hope this helps.

Cheers

Hi there,

Thank you very much for such a detailed step by step really helped with a lot of the stuff (I am a total noob).

I am looking to use VPN for a single port and the rest of the traffic to be regular.
I read that it is possible on pfSense so I was thinking that at least 60% of your guide would be the same for forwarding only a single port through VPN on OpnSense.

Could you help me with that?

Thank you.

M4DM4NZ .....

Step 9:

Rule 1:

Shouldn't

Source:  VPNRouter

actually be

Source:  VPNTraffic

Quote from: ThePOO on August 11, 2017, 05:25:03 AM
M4DM4NZ .....

Step 9:

Rule 1:

Shouldn't

Source:  VPNRouter

actually be

Source:  VPNTraffic

Thanks for spotting that dude, I have updated the Guide...

M4DM4NZ - Thank You! Excellent write-up.

I have exactly the opposite need - want my general traffic through the VPN (because everything you do on the internet now is fair game - thanks loads, congress), but since services like Netflix and Hulu block VPN traffic, I want to route only the Netflix, etc over a clear connection. Even though Nord states you can stream through their service, eventually Netflix and Hulu identify the exit node and block it - even if it is within the US.

I'm planning to go through this over the weekend and set up just the Netflix traffic. Any pointers on how to achieve that? My VPN is already set up and working fine. TIA
overkill: Dell SFF i5, 16gb, 120gb SSD, 4x gb NICs
OPNsense 21.1.x

I've been trying to get this working for months (seriously) and I keep running into DNS breaking.  One difference with my setup is that I'm not using a wireless router for DHCP, so I only added a single IP address into the VPNTraffic Aliases you had us create. That one computer is the only one I want to have its traffic forced over the VPN.  The other difference is that I use OPNsense as a private VPN server outside of the third party provider I set up using your instructions.

I've done a ton of testing and it is definitely only DNS which is broken. The internet connection itself is actually functioning; even Windows says as much.  For some reason, I can't get my networked computers to reach the DNS server (my OPNSense server, which is configured for OpenDNS). If I manually input a DNS server on the computers, everything works. I've tried disabling the OpenVPN firewall rule, as well as the private OpenVPN server without any change in DNS.

If I disable either the VPNTraffic to VPN_DHCP rule or the ANY to WAN_DHCP rule, DNS begins working again. Also, as expected, if I push the Default Allow Any rule above the rules I created using your guide, DNS works again.

Any insight would be greatly appreciated.

You need a rule on your LAN interface:
-> pass -> Interface: LAN -> IPv4 -> TCP/UDP -> Source: any -> Destination: This Firewall -> DNS:DNS

The tutorial also has some errors.
CA Cert -> ca.crt
CA Key -> empty *
CERT Cert -> cert.crt
CERT Key -> priv.key

Interface ovpnc does not need IPv4 DHCP (just None).

Also there is no DNS Leakage prevention. If the Client uses another static DNS it will leak.
There needs to be either a BLOCK rule for all DNS traffic other than (in case of AirVPN 10.x.0.1) the VPN DNS Server
or you can use a NAT->Port Forward rule to redirect all DNS traffic to that DNS Server.

Another way is to use the local unbound DNS server if you want all your local LAN traffic to use the VPN but also need local DNS names.
Just use forward-zone:
  name: "."
  forward-addr: 10.5.0.1
  forward-addr: 10.4.0.1
in unbound custom config. (for AirVPN)

I can add some details for VPN-Failover later
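The reply above makes the point that a client with its own static DNS server will leak unless DNS is blocked or redirected to the VPN resolver. The script below is an added example, not from the original thread and not from OPNsense: it runs a leak check over DNS queries captured on the LAN interface (lines in the shape of tcpdump -n udp port 53 output) and reports any VPNTraffic alias member that asked a resolver other than the allowed ones. The resolver address 10.4.0.1, the firewall address 192.168.1.1, the alias members and the capture lines are all constructed assumptions; 192.168.1.1 is treated as safe only on the assumption that unbound on the firewall forwards to the VPN resolver as in the forward-zone snippet above.

```sh
#!/bin/sh
# Added example (not from the original thread or OPNsense): flag DNS leaks
# from the hosts in the VPNTraffic alias by scanning DNS queries captured on
# the LAN interface. Addresses, alias members and capture lines are constructed.

VPN_DNS="10.4.0.1"                        # assumed VPN resolver (AirVPN-style)
ALLOWED_DNS="$VPN_DNS 192.168.1.1"        # firewall counts as safe only because
                                          # unbound forwards "." to VPN_DNS
VPNTRAFFIC="192.168.1.50 192.168.1.60"    # constructed alias members

# Constructed lines in the shape of: tcpdump -n -i <lan> udp port 53
# Line 2 is a leak (alias member asking 8.8.8.8), line 3 is a non-alias host
# that is meant to use the WAN, line 5 is a reply and must be ignored.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.50.51234 > 10.4.0.1.53: 1234+ A? example.com. (29)
12:00:01.100001 IP 192.168.1.60.41000 > 8.8.8.8.53: 2345+ A? tracker.example. (31)
12:00:01.200001 IP 192.168.1.70.40000 > 8.8.8.8.53: 3456+ A? news.example. (29)
12:00:01.300001 IP 192.168.1.50.51235 > 192.168.1.1.53: 4567+ AAAA? example.net. (29)
12:00:01.400001 IP 10.4.0.1.53 > 192.168.1.50.51234: 1234 1/0/0 A 192.0.2.1 (45)'

# dns_leaks < capture -> prints "client resolver" for every alias member whose
# query went to a resolver outside ALLOWED_DNS; exit status 1 if any were found.
dns_leaks() {
  awk -v allowed="$ALLOWED_DNS" -v members="$VPNTRAFFIC" '
    BEGIN {
      n = split(members, m, " "); for (i = 1; i <= n; i++) alias[m[i]] = 1
      n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Only client -> server queries: destination port 53.
    $2 == "IP" && $4 == ">" && $5 ~ /\.53:$/ {
      src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port
      dst = $5; sub(/\.53:$/, "", dst)         # strip ".53:"
      if ((src in alias) && !(dst in ok)) { print src, dst; leaks++ }
    }
    END { exit (leaks > 0) }
  '
}

# Demo on the constructed capture: expected to report 192.168.1.60 -> 8.8.8.8.
printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks && echo "no leaks" || echo "leaks found (exit $?)"
```

A capture on the LAN side shows what clients attempt; a NAT redirect in pf rewrites the destination after that point, so to confirm nothing actually leaves in the clear, run the same check over a capture taken on the WAN interface, where any hit is a real leak. Detection is not prevention: the block or redirect rule from the reply above is still what stops the query.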