HOWTO - Routing Traffic over Private VPN

Started by M4DM4NZ, April 10, 2017, 01:34:53 PM

September 22, 2017, 10:14:36 AM #15 Last Edit: October 30, 2017, 11:50:55 AM by NilsS
As promised (most of it is the same as in the initial post from M4DM4NZ / but DNS leak and SMB/CIFS username
leak prevention is extra)

####################################################################
Firewall -> Aliases -> view [ add a new alias ]
[ Type ]        Network
[ Name ]        N_LOCALNETS
[ Description ] All local Networks
[ Aliases ]
    192.168.x.x/XX (your local networks)
[SAVE]
                            [ add a new alias ]
[ Type ]        Network
[ Name ]        N_VPNUSER
[ Description ] All Hosts/Networks that should use VPN
[ Aliases ]
    192.168.x.x/32 (your hosts or networks that should use VPN)
[SAVE]
                            [ add a new alias ]
[ Type ]        Hosts
[ Name ]        H_ALLOWED_DNS
[ Description ] allowed DNS Server
[ Aliases ]
    10.4.0.1
    10.5.0.1
    10.30.0.1
    10.50.0.1
[SAVE]
                            [ add a new alias ]
[ Type ]        Ports
[ Name ]        P_MS_CIFS_SMB
[ Description ] block some MS ports
[ Aliases ]
    137
    138
    139
    445
[SAVE]

####################################################################
Firewall -> NAT -> Outbound
[X] Manual outbound NAT rule generation
## change the rest later
####################################################################
System -> Trust -> Authorities [ Add or import CA ]
[ Descriptive name ]            AIRVPN CA
[ Method ]                      import an existing
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<ca> section from .ovpn config
-----END CERTIFICATE-----
[SAVE]
####################################################################
System -> Trust -> Certificates [ add or import certificate ]
[ Method ]                      import an existing
[ Descriptive name ]            AIRVPN Client Auth
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<cert> section from .ovpn config
-----END CERTIFICATE-----

[ Private key data ]
-----BEGIN RSA PRIVATE KEY-----
<key> section from .ovpn config
-----END RSA PRIVATE KEY-----
[SAVE]
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP (or TCP)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 nl.vpn.airdns.org (or whatever region you like)
[ Server port ]                 443 ( alternative 53/80/1194 )
[ Server host name resolution ] [X]
[ Description ]                 AIRVPN1

[ TLS Authentication ]  [X] enable authentication
                        [ ] automatically generate
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----

[ Peer Certificate Authority ]  AIRVPN CA
[ Client Certificate ]          AIRVPN Client Auth
[ Encryption algorithm ]        AES-256-CBC (256 bit key, 128 bit block)
[ Auth Digest algorithm ]       SHA1 (160bit)
[ Hardware Crypto ]             No Hardware (AESNI is automatic)
[ Compression ]                 Disabled
[ Disable IPv6 ]                [X]

[ Advanced ]
mssfix 1379; ## try to hide OpenVPN
fast-io; ## only for UDP
explicit-exit-notify 4; ## only UDP
server-poll-timeout 10;
key-direction 1;
key-method 2;
keysize 256;
prng SHA512 64;
remote-cert-tls server;
tls-version-min 1.2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
reneg-sec 3600;
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

[SAVE]
####################################################################
VPN -> OpenVPN -> Clients: [ AIRVPN1 -> clone ]
[ Server host ] use a different server
[ Server port ] use a different Port ( IMPORTANT for different IP Pool https://airvpn.org/specs/ )
[ Description ] AIRVPN2
[SAVE]

####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ] (could be different if you have an openvpn server / use the last two)
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN1
    [ Block bogon networks ]    [x]
    [SAVE]
[ OPTx ]
    [ Enable ]                  [x]
    [ Description ]             AIRVPN2
    [ Block bogon networks ]    [x]
    [SAVE]
####################################################################
System -> Gateways -> All
[ AIRVPN1_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN2_VPNV6 ]
    [ Disabled ]    [x]

[ AIRVPN1_VPNV4 ]
    [ Disable Gateway Monitoring ]      [ ] uncheck

[ AIRVPN2_VPNV4 ]
    [ Disable Gateway Monitoring ]      [ ] uncheck

####################################################################
System -> Gateways -> Group [ Add group ]
[ Group Name ]          GRP_AIRVPN
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Loadbalance
[SAVE]
                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_1_2
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 1 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 1 -> 2
[SAVE]

                            [ Add group ]
[ Group Name ]          GRP_AIRVPN_2_1
[ Gateway Priority ]
        [ AIRVPN1_VPNV4 ]       [ Tier 2 ]
        [ AIRVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GRP_AIRVPN Failover 2 -> 1
[SAVE]

####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [x] Skip rules when gateway is down (IMPORTANT)
[ Sticky connections]   [x] Use sticky connections (for loadbalance group)
####################################################################
Firewall -> NAT -> Outbound
[+]
    [ Interface ]           AIRVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      N_LOCALNETS
    [ Destination invert ]  [X]
    [ Destination address ] N_LOCALNETS
    [ Translation/target ]  Interface address
    [SAVE]
[ AIRVPN1 ] [CLONE]
    [ Interface ]           AIRVPN2
    [SAVE]
####################################################################
Firewall -> Rules -> LAN (or whatever interface you want to force traffic to VPN /
            repeat for other internal interfaces or group them and use the rules on the group interface )
[+]
    [ Action ]                  block
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Destination portrange]    P_MS_CIFS_SMB
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  N_VPNUSER
    [ Destination ]             H_ALLOWED_DNS
    [ Destination portrange]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
[+]
    [ Action ]                  pass
    [ Interface ]               LAN (or LANGROUP)
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  N_VPNUSER
    [ Destination invert ]      [X]
    [ Destination ]             N_LOCALNETS
    [ Description ]             force traffic over VPN
    [ Gateway ]                 GRP_AIRVPN (load balance)
    [SAVE]
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   LAN (or LANGROUP)
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      N_VPNUSER
[ Destination invert ]          [X]
[ Destination ]                 H_ALLOWED_DNS
[ Destination portrange]        DNS DNS
[ Redirect Target ]             single Host or Network
                                10.5.0.1 (or any other from the allowed DNS)
[ Redirect Target Port ]        DNS
[ Description ]                 redirect all DNS to allowed DNS
[SAVE]


check results of
https://ipleak.net/
https://www.dnsleaktest.com/
http://witch.valdikss.org.ru/
https://browserleaks.com/ip


EDIT: changed remove VPN default Gateway in advanced section
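The LAN rule set and the DNS port forward above are easy to get wrong in the "Destination invert" and rule-order details, so here is an added example (not part of NilsS's post or of OPNsense itself) that models them as first-match rules with alias resolution. The 192.168.x.x placeholders are replaced by constructed sample networks, the port forward is applied before the filter rules as pf does, and "Skip rules when gateway is down" is modelled by ignoring a policy-routed pass rule while the VPN gateway group is down.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Aliases from the how-to; the local/VPN-user networks are constructed samples
# standing in for the "192.168.x.x" placeholders.
ALIASES = {
    "N_LOCALNETS":   ["192.168.1.0/24", "192.168.2.0/24"],
    "N_VPNUSER":     ["192.168.1.50/32", "192.168.2.0/24"],
    "H_ALLOWED_DNS": ["10.4.0.1", "10.5.0.1", "10.30.0.1", "10.50.0.1"],
    "P_MS_CIFS_SMB": [137, 138, 139, 445],
}


def in_alias(name, value):
    """True if a port (int) or an IP address (str) is covered by the alias."""
    if isinstance(value, int):
        return value in ALIASES[name]
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES[name])


@dataclass
class Rule:
    action: str                 # "block" or "pass"
    src: str                    # alias name
    dst: Optional[str]          # alias name, or None for "any"
    dst_invert: bool            # the [ Destination invert ] checkbox
    ports: Optional[str]        # alias name, "DNS", or None for any port
    gateway: Optional[str]      # policy-routing gateway (group) or None
    description: str

    def matches(self, pkt):
        if not in_alias(self.src, pkt["src"]):
            return False
        if self.dst is not None:
            hit = in_alias(self.dst, pkt["dst"])
            # With invert set, the rule matches only when the alias does NOT hit.
            if hit == self.dst_invert:
                return False
        if self.ports == "DNS":
            if pkt["dport"] != 53:
                return False
        elif self.ports is not None and not in_alias(self.ports, pkt["dport"]):
            return False
        return True


# The three LAN rules from the how-to, in the order they are listed.
LAN_RULES = [
    Rule("block", "N_VPNUSER", "N_LOCALNETS", True, "P_MS_CIFS_SMB",
         "GRP_AIRVPN", "Block MS CIFS/SMB"),
    Rule("pass", "N_VPNUSER", "H_ALLOWED_DNS", False, "DNS",
         "GRP_AIRVPN", "Allow traffic to allowed DNS Server"),
    Rule("pass", "N_VPNUSER", "N_LOCALNETS", True, None,
         "GRP_AIRVPN", "force traffic over VPN"),
]


def redirect_dns(pkt):
    """The port forward: DNS from N_VPNUSER that is not aimed at an allowed
    resolver is rewritten to 10.5.0.1:53 before the filter rules run."""
    if (in_alias("N_VPNUSER", pkt["src"]) and pkt["dport"] == 53
            and not in_alias("H_ALLOWED_DNS", pkt["dst"])):
        return {**pkt, "dst": "10.5.0.1"}
    return pkt


def evaluate(pkt, vpn_up=True):
    """First-match evaluation. Returns (verdict, gateway_or_reason, final_dst).
    'default' means none of the how-to rules matched and the packet falls
    through to whatever other LAN rules exist."""
    pkt = redirect_dns(pkt)
    for rule in LAN_RULES:
        if not rule.matches(pkt):
            continue
        if rule.action == "block":
            return ("block", rule.description, pkt["dst"])
        # "Skip rules when gateway is down": a policy-routed pass rule is
        # ignored while its gateway group is down, so nothing leaks via WAN.
        if rule.gateway and not vpn_up:
            continue
        return ("pass", rule.gateway, pkt["dst"])
    return ("default", None, pkt["dst"])


if __name__ == "__main__":
    # Constructed sample packets: src, dst, destination port.
    samples = [
        {"src": "192.168.1.50", "dst": "203.0.113.10", "dport": 445},  # SMB to internet
        {"src": "192.168.1.50", "dst": "192.168.2.20", "dport": 445},  # SMB to local host
        {"src": "192.168.1.50", "dst": "8.8.8.8", "dport": 53},        # DNS to a foreign resolver
        {"src": "192.168.2.7", "dst": "203.0.113.10", "dport": 443},   # web traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt), "| VPN down:", evaluate(pkt, vpn_up=False))
```

Two things the run makes visible: SMB to a local host is not touched by the block rule (destination invert excludes N_LOCALNETS), and a DNS query to 8.8.8.8 is rewritten to 10.5.0.1 and then accepted by the "allowed DNS" rule, which is why the leak tests at the end of the post should show only the allowed resolvers.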

October 15, 2017, 05:59:57 PM #16 Last Edit: October 15, 2017, 06:10:57 PM by Gargamel
When I try these NAT / Firewall rules, my network gets totally BLOCKED, and I have pass in the rule.

Can't access the firewall, cannot ping outside internet; the pass rule in latest firmware "pass" seems to mean "block everything".

Hmm, after I disabled the rule, it started to route through the VPN, weirdly.

Nice instructions!
VPN is up but I have DNS problems. I can do DNS address pings and trace route from Opnsense box ok, but not from pc's.
Can anyone tell me what the settings in General should be, and what to use, unbound or dnsmasq, and how?
Also DHCP does not work properly, also seems to be DNS, what settings should be there?
Any other suggestions? I tried a lot of different settings but I am stuck!
NilsS' instructions seem to get me the furthest. I read a lot, perhaps I need some code in a file to get it working, push DNS?

Thanks a lot all!

I got it working.
Can anyone tell me please if Alias for VPN user should be like this? Network
192.168.3.1/24

None of these howtos are working for me.
I'm on version 17.7.12

At the best I have no access to internet, but still have access to opnsense.
At worst opnsense is bricked, no access to it.

Does someone get this running?
Can you tell me what is missing in the howtos?

First post :)

I too am having issues getting this setup, I've gone through all of the settings mentioned in this forum post but I'm still struggling to route my traffic through the VPN, the VPN is up and running and connected it just seems to be the firewall rules that I'm struggling with.

I will keep at it and post back when I finally get it working, hopefully between all of us that are struggling we can all get it sorted.

Quote from: eptesicus on May 12, 2017, 08:57:53 PM



I was able to change the DNS servers for the VPN connection directly in OPNSense, which fixed my issue!

Have you tried other DNS providers? I tried PIA's DNS, and DNS.Watch, but they're both incredibly slow. I'm currently using OpenDNS, but am skeptical if I should use one of the slower, more secure, DNSs.

Also... I just got back from a trip where I haven't had time to remote home, and I noticed that my VPN connection to the Netherlands was stopped, and the traffic on my torrent server was now unencrypted. Do you know of a way to have a kill-switch of some kind? Something that could occur in OPNSense to stop all traffic assigned to that tunnel and reconnect if the connection has dropped?

Thanks again!

Hi,

thanks OP for the post, it works just fine.
For the kill-switch part I had the work done with an extra NAT/outbound rule.
Rule to add after the ones concerning the VPN:
Clone the WAN default rule (LAN->WAN), check "do not nat".
Put the rule AFTER the rules specified by M4D and BEFORE the default rules.

WAN    proxytraffic     *    *    *    NO NAT    *    NO    proxy killswitch 

The rule blocks the traffic from the alias proxytraffic from going through the normal WAN gateway,
as, if the VPN client goes down, the PC will use the default WAN gateway.

Well, my update:

I'm halfway there, for example, I can ping the google.com IP address and get a response but pinging the domain name doesn't work.  I know it's a DNS issue but I can't for the life of me work out how to fix it.

I see Kevin99 had a similar issue but has neglected to inform the rest of us how he managed it :(

If anyone can help it would be much appreciated.

Any plans to update your instructions/tutorial for OPNsense version 18.1.1? I'm having a heck of a time getting my OPNsense box up as a VPN client.

There may be a bug in the way outbound NAT generation works on OpenVPN interfaces. We're hoping for 18.1.2 to address this.


Cheers,
Franco

Any update as to if anyone can get this working?  I have 18.1.2_2 installed, just setting up the configuration, I have followed the instructions and the vpn clients connect successfully, however when I try to connect a host to them, web pages don't load.

I also noticed, when switching the NAT outbound rules to manual, the automatic ones disappear. Is this supposed to happen? On the previous version it used to leave the standard WAN interface rules there which made things easier.

Quote from: pauld70 on May 25, 2017, 06:13:29 PM
Hi

I have been trying to get this working, all the ip addresses I setup to go through the VPN work correctly. However any traffic not going via the VPN can not reach the internet. The 1st time I tried these steps I could get the internet to work if I set a static ip address with a DNS. The second time I tried everything seemed to connect correctly to the internet but I still could not reach anything and setting a manual ip and DNS did not work this time.

Is there any way to test why this is not working correctly?



thanks

Paul,

I'm having this exact same issue. I was previously on pfsense and recently switched over. I set up OPNsense to where all traffic routed through a VPN, but I set up specific LAN rules to allow certain boxes, like my Roku, to exit through the WAN gateway for Netflix/Amazon purposes. When I try to do that same rule in OPNsense, I get no internet connectivity at all. I tried to identify where the failure is but haven't been able to figure it out yet. If anyone has thoughts, please let me know. :)

I am having the exact same issue on OPNsense v18.1.1_2. I have been trying to migrate to OPNsense, but I cannot get OPENVPN to route traffic correctly which I need, and this forces me to restore my pfSense setup in the interim.
I have tried setting up OPENVPN like I have numerous times on pfSense using the same steps on a clean install of OPNsense to no avail. I can connect to my VPN provider (via client mode), but traffic does not route through the VPN even with the correct NAT and firewall rules in place.

Can you show us the rules in question within the OPNsense GUI that you're trying?


I use PIA and have my network default route set to my PIA interface.  I then have a list of 'hosts' that should bypass PIA setup in the firewall and it works great.

Hi,

Here is my situation with this issue.

I'm fully updated on 18.1.2_2.

I followed this how-to when I was still on 17.7.something (one of the latest ones, in case that matters).

The only thing I did different is "Step 8, the Manual outbound NAT generation" bit, as the only way to keep the automated and manual rules in place at the same time is by using the "hybrid" setting.
Of course I also tried to use manual but it does not make any difference.

In my setup I want to have all traffic coming from a VLAN (10.55.59.0/24) to be routed through the OpenVPN connection, while untagged traffic coming from 10.55.55.0/24 will reach the internet directly.

The correct gateway for the network is 10.55.50.1, while the gateway for the OpenVPN connection is something like 46.246.85.1.

Problem #1
When OpenVPN is connected to its server, 10.55.59.0/24 correctly goes on the internet through the encrypted tunnel, but unfortunately 10.55.55.0/24 has no Internet access whatsoever (tested with something like "ping 8.8.8.8" or curl).

If it helps understanding, checking the routes I can see this:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.85.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
10.55.50.0/24      link#1             U          igb0
10.55.50.1         00:e0:4c:65:25:da  UHS        igb0
10.55.50.2         link#1             UHS         lo0
10.55.55.0/24      link#2             U          igb1
10.55.55.1         link#2             UHS         lo0
10.55.59.0/24      link#14            U      igb1_vla
10.55.59.1         link#14            UHS         lo0
10.55.60.0/24      link#3             U          igb2
10.55.60.1         link#3             UHS         lo0
10.55.61.0/24      link#10            U      igb2_vla
10.55.61.1         link#10            UHS         lo0
10.55.62.0/24      link#11            U      igb2_vla
10.55.62.1         link#11            UHS         lo0
46.246.85.0/27     46.246.85.1        UGS      ovpnc1
46.246.85.1        link#9             UH       ovpnc1
46.246.85.21       link#9             UHS         lo0
84.200.69.80       00:e0:4c:65:25:dd  UHS        igb3
84.200.70.40       00:e0:4c:65:25:dd  UHS        igb3
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.85.1        UGS      ovpnc1
178.73.195.98/32   10.55.50.1         UGS        igb0
192.168.5.0/24     link#4             U          igb3
192.168.5.1        00:e0:4c:65:25:dd  UHS        igb3
192.168.5.131      link#4             UHS         lo0
192.168.17.0/24    192.168.5.1        UGS        igb3
192.168.20.0/24    192.168.5.1        UGS        igb3
192.168.40.0/24    192.168.5.1        UGS        igb3

Problem #2
ovpnc1 has higher priority than igb0, so the router itself goes on the internet through OpenVPN, and I don't want that.


Any tips on debugging the current issues will be appreciated.


Regards,
Andrea
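Andrea's Problem #2 and the four `route ... net_gateway` lines in NilsS's Advanced box are two sides of the same routing-table fact, so here is an added example (written for this thread, not Andrea's or NilsS's code) that replays it with a longest-prefix-match lookup. The VPN server pushes 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the /0 default for every destination; the how-to's four /2 routes via `net_gateway` (OpenVPN's keyword for the pre-existing default gateway, 10.55.50.1 on igb0 in Andrea's table) are more specific still, so the firewall's own traffic goes back out the WAN while the /27 tunnel subnet stays on ovpnc1. The routes below are a reduced copy of Andrea's `netstat -nr`, with interface names as netstat prints them.

```python
import ipaddress

# Internet-relevant entries from Andrea's routing table above (reduced copy).
# "link" marks directly connected networks; the gateway column is otherwise
# the next hop exactly as netstat shows it.
ANDREA_ROUTES = [
    ("0.0.0.0/1",      "46.246.85.1", "ovpnc1"),    # pushed by the VPN server
    ("128.0.0.0/1",    "46.246.85.1", "ovpnc1"),    # pushed by the VPN server
    ("default",        "10.55.50.1",  "igb0"),      # the real WAN default route
    ("10.55.55.0/24",  "link",        "igb1"),
    ("10.55.59.0/24",  "link",        "igb1_vla"),  # VLAN that should use the VPN
    ("46.246.85.0/27", "46.246.85.1", "ovpnc1"),    # the tunnel's own subnet
]


def with_howto_routes(routes, net_gateway, wan_if):
    """Add the four /2 routes from the how-to's Advanced box.
    `route 0.0.0.0 192.0.0.0 net_gateway` is 0.0.0.0/2 via the pre-existing
    default gateway; the other three cover 64/2, 128/2 and 192/2."""
    extra = [(f"{first_octet}.0.0.0/2", net_gateway, wan_if)
             for first_octet in (0, 64, 128, 192)]
    return routes + extra


def lookup(routes, dst):
    """Longest-prefix match, as the kernel decides it for the firewall's own
    traffic and for anything no policy-routing rule has claimed."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifc in routes:
        n = ipaddress.ip_network("0.0.0.0/0" if net == "default" else net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, ifc)
    return (str(best[0]), best[1], best[2]) if best else None


if __name__ == "__main__":
    fixed = with_howto_routes(ANDREA_ROUTES, "10.55.50.1", "igb0")
    for dst in ("8.8.8.8", "200.1.2.3", "46.246.85.5", "10.55.59.7"):
        print(f"{dst:12} as posted: {lookup(ANDREA_ROUTES, dst)}")
        print(f"{'':12} with /2s:  {lookup(fixed, dst)}")
```

The lookup only governs traffic that reaches the routing table. Hosts in the VPN-user alias are still sent into the tunnel by the LAN rule's gateway setting (policy routing happens before the table is consulted), which is why the how-to can override the pushed default routes without losing the VPN for those hosts.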