OPNsense – OpenVPN Instance – Remote Access (SSL/TLS + User Auth)

Introduction

The main advantages of using OpenVPN for remote access instead of IPsec are:

  • Easy setup on almost all mobile clients using OPNsense’s Client Configuration Export.
  • Fine-grained access control by using multiple servers or Client Specific Overrides.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

Prerequisites

If your internet service provider (ISP) doesn’t provide you with a static IP address, your public IP address will change from time to time. A dynamic IP address makes remote access difficult because the address the clients are configured to connect to keeps changing. This is where Dynamic Domain Name System (DDNS) comes in handy: set up a DDNS hostname for the firewall (or use a static public IP) before exporting client profiles in step 8, because the exported profile needs a stable name or address to connect to.

Step 1: Adding a Local Certificate Authority
  • To sign the server and client certificates, the VPN server requires a certificate authority (CA). Keep this CA dedicated to the VPN: the server only trusts certificates issued by the CA you select in step 5, so a certificate from any other CA on the firewall will not be accepted.
  • To add a new certificate authority, navigate to System ‣ Trust ‣ Authorities and click on Add in the top right corner of the form.
  • Method: Create an internal Certificate Authority. Give it a descriptive name, choose the Key Type, Key length, Digest Algorithm, Lifetime and Common Name (steps 2 and 3 reuse the same key settings), then click on the ‘Save‘ button.
Step 2: Adding a Server Certificate

After creating the Authority, we will also need a certificate. To create a new certificate, go to System ‣ Trust ‣ Certificates and click Add in the upper right corner of the form.

  • Method: Select Create an internal Certificate.
  • Descriptive name: create a unique Certificate name.
  • Select Certificate Authority created in step 1.
  • Key Type: match the Key Type in step 1.
  • Key length (bits): match the Key length in step 1.
  • Digest Algorithm: match the Digest Algorithm in step 1.
  • Lifetime (days): input the appropriate number of days. Ex: 3650 (the equivalent of 10 years). A long lifetime means a lost or stolen certificate stays usable until you revoke it, so keep the Certificate Revocation List option in step 5 in mind.
  • Private key location: Select Save on this firewall or Download and do not save.
  • Common Name: Enter the Fully Qualified Domain Name (FQDN) clients will connect to.
  • Note: if you don’t have an FQDN, any unique label works (this post uses internal-ca); clients validate the server through the CA from step 1 rather than by this name.
  • Select Save when finished.
Step 3: Create a User and Add a User Certificate
  • Navigate to System ‣ Access ‣ Users.
  • If the user does not exist yet, click Add (plus sign icon) and fill in:
    • Username: Enter a unique user name.
    • Password: Create a strong password (this is the password the VPN client will prompt for).
    • Full name: Enter the User’s Full name.
    • Click Save.
  • Click Edit on the user to whom you want to add the certificate.
  • Under User Certificates, click Add.
  • Method: Select Create an internal Certificate.
  • Descriptive name: prepopulated user name
  • Select Certificate Authority created in step 1.
  • Key Type: match the Key Type in step 1.
  • Key length (bits): match the Key length in step 1.
  • Digest Algorithm: match the Digest Algorithm in step 1.
  • Lifetime (days): input the appropriate number of days. Ex: 3650 (the equivalent of 10 years). A shorter lifetime for user certificates limits how long a certificate on a lost laptop or phone remains usable.
  • Private key location: Select Save on this firewall or Download and do not save.
  • If anything is not mentioned, leave blank or default values.
  • Select Save when done.
Step 4: Create Static Key
  • To create a Static Key, navigate to VPN ‣ OpenVPN ‣ Instances ‣ Static Keys and select Add (plus sign icon).
  • Create a unique description.
  • Under Mode, select crypt (Encrypt and authenticate all control channel packets). This is OpenVPN’s tls-crypt: packets that do not carry a valid key are dropped before the TLS handshake starts, which keeps unauthenticated clients away from the TLS stack and makes the server invisible to casual port scans.
  • Select Save when finished.
Step 5: Create an OpenVPN Instance
  • Create a new server instance via VPN ‣ OpenVPN ‣ Instances.
  • Select Server.
  • Create a unique Description.
  • Select Protocol (UDP or TCP; see the note on when to use UDP vs. TCP further down).
  • Specify a Port number. Note: 1194 is the default port for OpenVPN. However, I chose 1190 since another OpenVPN server has used port 1194.
  • Server (IPv4): 10.1.8.0/24. This is the tunnel subnet from which connecting clients get their addresses; it must not overlap any subnet the firewall already uses or any subnet a client’s own LAN is likely to use.
  • Pick it from the private (RFC 1918) ranges:
    • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
    • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
    • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
    • Choose a unique one.
    • Avoid subnets that consumer routers hand out by default, such as 10.0.0.0/24 or 192.168.1.0/24. A client sitting on a home LAN that uses the same subnet as the tunnel (or as a network behind the VPN) cannot route to it, because the same prefix is reachable two ways.
  • Server (IPv6): 2001:db8:abcd:0012::0/64 (Optional; 2001:db8::/32 is the documentation prefix and is only a placeholder here, substitute a prefix you actually control).
  • Topology: select subnet.
  • Certificate: Select the Server Certificate created in step 2.
  • Certificate Revocation List: Optional.
  • Verify Client Certificate: select required.
  • Certificate Depth: Select One (Client+Server).
  • TLS static key: select the static key created in step 4.

When to use UDP vs. TCP

  • UDP is the normal choice. OpenVPN carries its own reliability layer for the control channel, and tunnelled TCP flows already do their own retransmission; running them on top of a TCP transport stacks two retransmission mechanisms and adds latency, which is noticeable when streaming video or playing online games.
  • TCP is the fallback for networks that block UDP or are unreliable. Running the server on TCP port 443 makes the connection look, at the port level, like HTTPS, so simple port filters (hotel, campus and office networks) usually let it through; an administrator who blocks port 443 outright blocks most of the web.
  • Do not mistake TCP 443 for censorship evasion. OpenVPN’s handshake has a recognisable shape that deep-packet inspection can tell apart from TLS on the same port, so a network that fingerprints protocols can still detect and block it; that needs an obfuscation layer, which is outside the scope of this post.

The remaining instance settings:
  • Authentication: Select the authentication method. Ex: Local Database or TOTP Server.
  • Enforce local group: Optional.
  • Strict User/CN Matching: Optional.
  • Note: Selecting the “Strict User/CN Matching” option ensures that only a user whose username matches the certificate’s Common Name can log in, so a valid certificate cannot be combined with someone else’s credentials. When sharing a single certificate between clients, this option needs to be deselected (and duplicate-cn enabled under Options).
  • Local network: Optional.
  • Remote Network: Blank
  • Options:
    • client-to-client if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
    • duplicate-cn: connections with the same Common Name (CN) are allowed, so one certificate can be used by more than one connection/user at once. Sharing a certificate defeats per-user revocation (revoking it cuts off everyone who holds it) and removes the link between a session and a person in the logs, so prefer one certificate per user and leave this unset.
    • passtos: Set the TOS field of the tunnel packet to what the payload’s TOS is.
    • persist-remote-ip: Preserve most recently authenticated remote IP address and port number
    • route-nopull: accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp options like DNS servers
    • route-noexec: don’t add or remove routes automatically.
    • remote-random: can be used to initially “scramble” the connection list
  • Push Options:
    • block-outside-dns: Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except inside the tunnel. It is implemented by the Windows client only; other platforms ignore it, so it is not a DNS-leak guarantee for macOS, Linux or mobile clients.
    • register-dns: Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
  • Redirect gateway:
    • local: Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless.
    • autolocal: Try to automatically determine whether to enable local flag above.
    • default: Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN
    • bypass-dhcp: Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
    • bypass-dns: Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
    • block-local: Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.
    • ipv6 (default): Redirect IPv6 routing into the tunnel
    • not ipv4 (default): Do not redirect IPv4 traffic – typically used in the flag pair ipv6 !ipv4 to redirect IPv6-only.
  • Register DNS: Checked
  • DNS Default Domain: leave blank if you don’t have a DNS server. Otherwise, enter your domain name.
  • DNS Servers: Enter your DNS server IP Address; if you do not have a DNS Server, use Quad9 (9.9.9.9) or Cloudflare (1.1.1.1).
  • Select Save when finished.
  • Don’t forget to select Apply when finished.
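The tunnel-subnet advice above is easy to get wrong, so here is a small check for it. This is an added example and not part of the original post or of OPNsense; the firewall LAN list and the list of common default router subnets are constructed for illustration, and the check is IPv4-only. It also covers the two mistakes the post warns about: a host address such as 10.0.0.1/24 entered where a network is expected, and a tunnel subnet that collides with a subnet a remote client is likely to sit on.

```python
"""Sanity-check a proposed OpenVPN tunnel subnet (Server (IPv4) in step 5).
Added example; the network lists below are constructed, not taken from the post."""
import ipaddress

# Constructed sample of the subnets this firewall already uses (assumption).
FIREWALL_LANS = ["192.168.10.0/24", "192.168.20.0/24"]

# Subnets that home and office routers commonly hand out by default; a remote
# client behind one of these cannot route to a tunnel that reuses the prefix.
COMMON_DEFAULT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24",
                       "10.0.1.0/24", "172.16.0.0/24"]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tunnel_subnet_report(tunnel: str, lans=FIREWALL_LANS,
                         defaults=COMMON_DEFAULT_LANS) -> dict:
    """Return {'network', 'private', 'overlaps', 'warnings'} for a candidate
    IPv4 tunnel subnet.  An empty 'warnings' list means it is safe to use."""
    warnings = []
    # OpenVPN wants a network address; flag 10.0.0.1/24-style input but keep going.
    try:
        net = ipaddress.ip_network(tunnel, strict=True)
    except ValueError:
        net = ipaddress.ip_network(tunnel, strict=False)
        warnings.append(f"{tunnel} has host bits set; use {net} instead")
    if net.version != 4:
        raise ValueError("this check handles IPv4 tunnel subnets only")

    private = any(net.subnet_of(r) for r in RFC1918)
    if not private:
        warnings.append(f"{net} is not an RFC 1918 private range")

    # Any overlap, even partial, means two routes compete for the same prefix.
    overlaps = [n for n in (*lans, *defaults)
                if net.overlaps(ipaddress.ip_network(n))]
    for n in overlaps:
        warnings.append(f"{net} overlaps {n}")

    if net.prefixlen > 29:
        warnings.append(f"/{net.prefixlen} leaves too few addresses for clients")

    return {"network": str(net), "private": private,
            "overlaps": overlaps, "warnings": warnings}


def is_safe_tunnel_subnet(tunnel: str) -> bool:
    """True when the candidate raises no warnings at all."""
    return not tunnel_subnet_report(tunnel)["warnings"]


if __name__ == "__main__":
    # The post's choice passes; the three others show each failure mode.
    for candidate in ("10.1.8.0/24", "192.168.1.0/24", "10.0.0.1/24", "8.8.8.0/24"):
        r = tunnel_subnet_report(candidate)
        print(candidate, "OK" if not r["warnings"] else "; ".join(r["warnings"]))
```

Replace the constructed FIREWALL_LANS with the subnets from Interfaces ‣ Overview and, if you know them, the LANs of the sites your users connect from; the default-router list is the more important one for a remote-access server, since you do not control the client side.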
Step 6: Assign an interface to the OpenVPN Server (optional, but it gives this instance its own firewall rule tab; without it, rules for all instances go under the OpenVPN group tab in Firewall ‣ Rules)
  • Navigate to Interfaces ‣ Assignments
  • Under Device: Select the OpenVPN Server you just created.
  • Select Add when done.
  • Navigate to Interfaces ‣ SYSADMIN102VPNServer1190 (The interface you just created).
  • Check Enable Interface and Prevent interface removal.
  • Select Apply changes.
Step 7: Create Firewall rules
  1. The first rule allows clients on the internet to reach the OpenVPN server.
  • Navigate to Firewall ‣ Rules ‣ WAN and click Add to create a rule for the port you selected in step 5 when creating the OpenVPN Instance.
  • Action: Pass. Interface: WAN. Direction: in. TCP/IP Version: IPv4 (add IPv6 if you configured a Server (IPv6) subnet). Protocol: the protocol chosen in step 5 (UDP or TCP).
  • Source: any. Destination: WAN address.
  • Destination port range: select OpenVPN from the drop-down list if you use the default port 1194. Otherwise, select (other) and specify the port number. Ex: 1190.
  • Select Save when done.
  • Select Apply changes.

2. The second rule allows connected clients to reach whatever IPs they are meant to access.

  • Navigate to Firewall ‣ Rules ‣ SYSADMIN102VPNServer1190 (the interface you just created). For this example we keep it simple and add one rule that allows everything; a tighter rule set would list only the hosts and ports remote users need, because every VPN user, and anyone holding a leaked profile, gets whatever these rules allow.
  • Select Add New rule.
  • Action: Pass. Source: the tunnel subnet from step 5 (or the interface’s net alias). Destination: the IPs that client peers should be able to access, eg. “any” or specific IPs/subnets.
  • Select Save, then Apply changes when done.
Step 8: Client Export
  • Navigate to VPN ‣ OpenVPN ‣ Client Export and export a profile for the remote client.
  • Remote Access Server: Select the server created in step 5.
  • Export type: Select File Only.
  • Hostname: Enter your DDNS Fully Qualified Domain Name (FQDN) or Static Public IP Address.
  • Port: same as the one selected in step 5.
  • In the Accounts / certificates list, select the cloud icon next to the user from step 3 to download the client configuration (.ovpn). The file embeds the CA certificate, the user’s certificate, the static key from step 4 and, if the private key was saved on the firewall in step 3, the user’s private key; treat it as a secret and hand it over through a secure channel. If you chose “Download and do not save” in step 3, the export cannot include the key and the user has to add the key they downloaded to the profile themselves.
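Before handing an exported profile to a user it is worth checking that it actually carries the protections configured in steps 4, 5 and 8. The script below is an added example, not part of the original post or of OPNsense’s export code: it parses an .ovpn file (plain directives plus inline <ca>, <cert>, <key> and <tls-crypt> blocks) and reports anything that would weaken the setup. The two embedded profiles are constructed placeholders (hostname vpn.example.net, port 1190 and the PEM bodies are all assumptions, not real material); the second one deliberately uses tls-auth, the default port and no server-certificate check, so the audit has something to find.

```python
"""Audit an exported OpenVPN client profile for the settings this guide relies on.
Added example; the profiles below are constructed placeholders, not a real export."""
import re

# Constructed stand-in for an OPNsense export of the step 5 server (assumed
# hostname and port; PEM bodies are placeholders).
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1190
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Constructed weaker profile: tls-auth instead of tls-crypt, wrong port,
# and no remote-cert-tls, so the audit has findings to report.
WEAK_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 1194
auth-user-pass
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
<tls-auth>
PLACEHOLDER
</tls-auth>
key-direction 1
"""


def parse_profile(text: str):
    """Split a profile into directives (name -> list of argument lists) and
    inline <tag>...</tag> blocks (name -> body)."""
    directives, blocks = {}, {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            name, body = m.group(1), []
            for inner in lines:          # consume until the matching close tag
                if inner.strip() == f"</{name}>":
                    break
                body.append(inner)
            blocks[name] = "\n".join(body)
            continue
        head, *args = line.split()
        directives.setdefault(head, []).append(args)
    return directives, blocks


def audit_profile(text: str, expected_host: str, expected_port: int) -> dict:
    """Check the profile against the server configured in steps 4, 5 and 8."""
    d, b = parse_profile(text)
    findings = []
    if not any(a[:2] == [expected_host, str(expected_port)] for a in d.get("remote", [])):
        findings.append(f"no 'remote {expected_host} {expected_port}' line")
    if "tls-crypt" in b or "tls-crypt" in d:
        pass                                           # step 4 static key present
    elif "tls-auth" in b or "tls-auth" in d:
        findings.append("tls-auth only authenticates the control channel; step 4 chose tls-crypt")
    else:
        findings.append("control channel is not protected by a static key")
    if d.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        findings.append("missing 'remote-cert-tls server' (a client cert could impersonate the server)")
    if "auth-user-pass" not in d:
        findings.append("missing auth-user-pass (no user/password prompt)")
    for blk in ("ca", "cert"):
        if blk not in b:
            findings.append(f"missing inline <{blk}> block")
    return {"proto": d.get("proto", [["udp"]])[0][0],
            "embeds_private_key": "key" in b,   # if True, the file itself is a secret
            "findings": findings}


def profile_is_hardened(text: str, host: str, port: int) -> bool:
    return not audit_profile(text, host, port)["findings"]


if __name__ == "__main__":
    for name, prof in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, audit_profile(prof, "vpn.example.net", 1190))
```

The remote-cert-tls server check matters most: without it, any holder of a valid client certificate from the same CA could stand up a look-alike server and harvest the user’s password on connect. Run the audit on the real export with the hostname and port you entered in the export form.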
Ways to support my channel

If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or using the affiliated links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx 
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ
