OPNSense as a VPN server

I recently posted a Raspberry Pi3 as an OpenVPN server. It worked great, but I had some issues that I was still trying to fix (at least, at the time of this writing). Basically, I could not get the Internet access working. I mean it works, but I can only get access to some websites or IP addresses.

Therefore, I tried to find some other alternatives that will let me VPN-in using my laptops (MacOS or Linux) and/or mobile devices such as (iPad/iPhone or Android). I found PFsense and OPNsense firewalls. I already have a firewall, so this post is mainly for remote access VPN. Basically, the sole purpose of this OPNsense/PFsense virtual appliance is to be my SSL VPN concentrator.

I am running this VM on my HP N54L micro server just in case you are wondering.

Here is the network topology:

opnsense

Figure 1

I am assuming that you have the OPNsense/PFsense installed and you are able to access its webUI. Also, since I am going to use this for home use, so I’d use DDNS instead of using my dynamic public IP. There are DDNS that offer free accounts – I use no-ip.

Make sure that you have at least two interfaces – one for the WAN (em0) and the other (em1) for management.

This is optional – by default, the OPNsense/PFsense will create firewall rules and Outbound NAT. In this post, I will be disabling the outbound NAT, since I don’t want to NAT my VPN from the OPNsense to my network. Also, I will create my own firewall rules.

If you do not want to do what I am going to do as I mentioned in the paragraph above then you are done once you finish from the beginning to OpenVPN Server, and no need to continue at Firewall Rules and Network Address Translation part of this guide.

Make sure that you are forwarding (destination NAT) the port 1194/udp from the Internet inbound to your OPNsense/PFsense firewall. Otherwise, it is not going to work.

Dynamic DNS

Let’s get started – login to opnsense webUI.
Navigate to Services > DNS Tools > DynDNS > Add
When done click on Save. This will take a few seconds.

Enter all necessary information  – see Figure 2

opn-figure2

Figure 2

Networking

Navigate to SystemGateway All > Add gateway
Select the WAN interface
Give it a Name
Enter the default gateway IP address in the Gateway field
Check the Default Gateway
Click Save and then Apply changes

opn-figure1-2

Figure 3

Navigate to System Settings > General
Make sure that you update the timezone

opn-figure1

Figure 4

Scroll down and set the DNS servers and select Use gateway from the drop-down menu
Uncheck the Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply

opn-figure2-2

Figure 5

Navigate to Interfaces [WAN] 
Then uncheck the Block private networks
Leave the Block bogon networks checked
Set the IPv4 Configuration Type to Static IPv4

opn-figure3

Figure 6

Scroll down and give the WAN interface a static IP and select the IPv4 Upstream Gateway that was set up earlier.
Click Save when done.

opn-figure4

Figure 7

Navigate to Interfaces > [LAN]
Set the IPv4 Configuration Type to Static IPv4

opn-figure5

Figure 8

Scroll down and give the interface an static IP for management access

opn-figure6

Figure 9

OpenVPN Package

We need to download the OpenVPN package. Navigate to System Firmware Packages
Select openvpn23reinstall icon (the one that looks like a recycle icon)

opn-figure10

Figure 10

Certificates

We need to create the CA certificate and OpenVPN Server certificate. Navigate to System Trust Authorities Add or import CA
Ensure you select ‘Create an internal Certificate Authority from the Method drop-down menu.
Enter the necessary information as shown in Figure 11 and 12 then click Save

opn ca

Figure 11

Screen Shot 2017-05-28 at 10.20.46 AM

Figure 12

To create the OpenVPN server certificate, navigate to System Trust Certificates Add or import certificates

  1. Ensure you select ‘Create an internal Certificate Authority from the Method drop-down menu
  2. Under the Certificate authority’s drop-down menu, select the CA that was created earlier
  3. The Type should be Server Certificate
Screen Shot 2017-05-28 at 10.29.54 AM

Figure 13

VPN Users

Now, we need to create the vpn users.
Navigate to System > Access  > Users
Click the + symbol to add a user

Screen Shot 2017-05-28 at 11.04.33 AM

Figure 14

Enter only the following:

  • Username
  • Password
  • Expiration (optional)
  • Make sure that you put a check mark on Certificate  > Click to create a user certificate
Screen Shot 2017-05-28 at 11.41.29 AM

Figure 15

Screen Shot 2017-05-28 at 11.41.46 AM

Figure 16

Since you marked the Click to create a user certificateafter clicking Save, it will take you automatically to System > Trust > Certificates

From here, make sure that you change the Method to Create an internal certificate
It should auto-populate the rest of the fields for you.  All you need to do is click Save

Screen Shot 2017-05-28 at 11.50.06 AM.png

Figure 17

After click Save, it will bring you back to the user creation page (Figure 15 and Figure 16). From here, just click Save

OpenVPN Server

Now we need to create the OpenVPN server. Navigate to VPN OpenVPN > Servers add server

Under General Information, set the Server Mode to Remote Access (SSL/TLS). The rest of the information should be automatically populated.

Screen Shot 2017-05-28 at 1.25.04 PM.png

Figure 18

Under the Cryptographic Settings, make sure to select the OpenVPN server certificate that was created earlier from the Server Certificate drop-down menu.
The rest of the fields should already auto-populated, but modify them if needed for better security as shown below

Screen Shot 2017-05-28 at 1.26.09 PM

Figure 19

Under the Tunnel Settings, do the following:

  1. IPv4 Tunnel Network this is the IP pool where the VPN users going to get their IP address
  2. IPv4 Local Network – this is the resources that the VPN users will have access to. You can add multiple subnets separated by a comma
  3. Redirect Gateway – enabling this will remove the IPv4 Local Network and it will tunnel all the traffic to the VPN tunnel
    1. You probably guessed it already. Leaving the ‘Redirect Gateway‘ disable, the VPN traffic will be set to split tunneling (this is the default)
  4. Concurrent connections – this is number of allowed connections that can connect to the VPN server
  5. Compression –  should be set to Enable with Adaptive Compression
Screen Shot 2017-05-28 at 1.28.03 PM.png

Figure 20

Under Client Settings, the mark the following: Dynamic IP, Address Pool, and TopologyMark the DNS Servers if you have a preferred DNS servers as shown in Figure 21

Screen Shot 2017-05-28 at 3.10.38 PM.png

Figure 21

Under Advanced Configuration,

Screen Shot 2017-05-28 at 4.42.15 PM.png

Figure 22

At this point, you everything is good to go. What is missing is exporting the users profile. Navigate to VPN > OpenVPN > Client Export

  1. Select the OpenVPN server you have created from the Remote Access Server drop-down menu. If you created just one server, then it should already be selected
  2. Select the DDNS that was created at the beginning of this post from the Host Name Resolution drop-down menu
  3. Leave everything as is. Scroll down at the bottom and you will see the users you have created
  4. Select the type of profile you will need for the user in the Export column

Firewall Rules and Network Address Translation

I am going to disable the outbound NAT and will create my own firewall rules. Now, before I disable my NAT, I had a static route for the OpenVPN subnet with the next-hop IP of the WAN interface of the OPNsense.

To disable source NAT (outbound NAT), navigate to Firewall NAT Outbound
Select the Disable outbound NAT rule generation then click Save

Screen Shot 2017-05-28 at 10.12.52 PM.png

Figure 23

The firewall rule is very simple. It is just an inbound to the WAN interface. Basically, what you needed is the second line. I have the third line because I created two OpenVPN servers for two different purposes.

Screen Shot 2017-05-28 at 11.27.00 PM.png

Figure 24

This is the OpenVPN firewall rules. I disabled the default ‘allow all’ rule and created several rules for specific needs

 

Screen Shot 2017-06-09 at 5.10.07 AM.png

Figure 25

 

I believe this is it. Hope you will find this helpful. Cheers!!!

Advertisements

About networkshinobi

This blog is about the things I learned about computers and networking to help me to remember them as I push further my studies. I created this blog to help myself to continue my education; and if you find this blog helpful for your studies, that is great. That is one of the reasons why I made this blog, to share my interest and knowledge. Also, all the entries/posts I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in Misc., Sec, Security, vmware and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s