TorGuard

Showing results for tags 'opnsense'.
Found 2 results

1. Dear Community,

First, you all know the drill by now - " The Intro " - two throwbacks - https://www.youtube.com/watch?v=m5FCcDEA6mY - lyrics - https://genius.com/Neil-young-southern-man-lyrics - and don't you know - https://www.youtube.com/watch?v=wkA7ok5MySk - https://genius.com/Funkadelic-if-you-dont-like-the-effects-dont-produce-the-cause-lyrics - OK - now that our long-standing tradition of public elucidation has been fulfilled - let's get down to the business at hand.

Since version OPNsense 18.7 you may install stubby and getdns on OPNsense by simply issuing the command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ). Please disregard and do not use any guides and / or tutorials which predate this one covering installation and configuration of DNS Privacy on the OPNsense Firewall. This is an updated guide / tutorial which explains how to set up DNS-Over-TLS support for OPNsense. However, there has been a minor ( yet little known ) change in UNBOUND on OPNsense 21.7.1 with regard to configuring it to work with Stubby for DNS Privacy / DNS OVER TLS. So, let's get started straight away. See here for the previous, more in-depth guide concerning the benefits of DNS Privacy : https://bit.ly/3j0QT1l

So here we go. Go ahead and issue this command in order to get started :

A - # pkg install getdns

After installing getdns, which includes stubby, follow the steps below.

1 - Now to put all of this together. The stubby.in file is located here by default - /usr/local/etc/rc.d/stubby

First though, Stubby needs the Unbound root.key - run this command before getting started :

A - # su -m unbound -c /usr/local/sbin/unbound-anchor

Then -

B - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

Make it executable - I run this command - it works for me :

C - # chmod 755 /usr/local/etc/rc.d/stubby.sh

D - Yes, you must enable the Stubby Daemon in the file - open the file by :

E - # nano /usr/local/etc/rc.d/stubby.sh

Go to line 27 - : ${stubby_enable="NO"} - and change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes already configured. Save and exit.

2 - Now you must configure Stubby to resolve DNS OVER TLS - enter the command below :

A - # nano /usr/local/etc/stubby/stubby.yml

Make your file match something similar to this :

    ################################################################################
    ######################## STUBBY YAML CONFIG FILE ###############################
    ################################################################################
    # This is a yaml version of the stubby configuration file (it replaces the
    # json based stubby.conf file used in earlier versions of getdns/stubby).
    #
    # For more information see
    # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
    #
    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    tls_query_padding_blocksize: 128
    edns_client_subnet_private : 1
    idle_timeout: 9000
    listen_addresses:
      - [email protected]
      - 0::[email protected]
    tls_connection_retries: 5
    tls_backoff_time: 900
    timeout: 2000
    round_robin_upstreams: 1
    tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
    dnssec_trust_anchors: "/usr/local/etc/unbound/root.key"  # add the right path
    upstream_recursive_servers:
    ### IPV4 Servers ###
    ### DNS Privacy DOT Test Servers ###
    ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
      - address_data: 185.49.141.37
      - address_data: 2a04:b900:0:100::38
        tls_auth_name: "getdnsapi.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
    ## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD )
      - address_data: 145.100.185.18
      - address_data: 2001:610:1:40ba:145:100:185:18
        tls_port: 853
        tls_auth_name: "dnsovertls3.sinodun.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
    ## xx - The Surfnet/Sinodun DNS TLS Server A ( NLD )
      - address_data: 145.100.185.15
      - address_data: 2001:610:1:40ba:145:100:185:15
        tls_auth_name: "dnsovertls.sinodun.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
    ## xx - The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
      - address_data: 145.100.185.16
      - address_data: 2001:610:1:40ba:145:100:185:16
        tls_auth_name: "dnsovertls1.sinodun.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
    ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
      - address_data: 199.58.81.218
      - address_data: 2001:470:1c:76d::53
        tls_auth_name: "dns.cmrg.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
    ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
      - address_data: 139.162.112.47
      - address_data: 2400:8902::f03c:92ff:fe27:344b
        tls_auth_name: "dot-jp.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
    ## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
      - address_data: 78.46.244.143
      - address_data: 2a01:4f8:c17:ec67::1
        tls_auth_name: "dot-de.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
    ## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN )
      - address_data: 95.216.212.177
      - address_data: 2a01:4f9:c010:43ce::1
        tls_auth_name: "dot-fi.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
    ## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP )
      - address_data: 192.53.175.149
      - address_data: 2400:8901::f03c:92ff:fe27:870a
        tls_auth_name: "dot-sg.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
    ## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE )
      - address_data: 45.91.92.121
      - address_data: 2a05:9406::175
        tls_auth_name: "dot-ch.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
    ## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
      - address_data: 89.234.186.112
        tls_auth_name: "dns.neutopia.org"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
    ## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT )
      - address_data: 146.255.56.98
      - address_data: 2a02:1b8:10:234::2
        tls_auth_name: "dot1.applied-privacy.net"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
    ## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
      - address_data: 51.38.83.141
        tls_auth_name: "dns.oszx.co"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE=
    ## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU )
      - address_data: 80.241.218.68
        tls_port: 853
        tls_auth_name: "fdns1.dismail.de"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
    ## xx - The dismail.de DNS TLS Server #2 A+ ( USA )
      - address_data: 159.69.114.157
        tls_port: 853
        tls_auth_name: "fdns2.dismail.de"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
    ## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
      - address_data: 80.67.188.188
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
    ## This certificate is currently expired which
    ## does not pose any concerns in SPKI mode
    ## (in practice with Stubby)
    ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
    ## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
      - address_data: 213.196.191.96
        tls_auth_name: "ibksturm.synology.me"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc=
    ## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
      - address_data: 46.239.223.80
        tls_auth_name: "dns.flatuslifir.is"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ=
    ### Publicly Available DOT Test Servers ###
    ## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
      - address_data: 46.101.66.244
        tls_auth_name: "doh.li"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo=
    ## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
      - address_data: 217.169.20.23
        tls_auth_name: "dns.aa.net.uk"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU=
    ## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
      - address_data: 217.169.20.22
        tls_auth_name: "dns.aa.net.uk"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek=
    ## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
      - address_data: 45.76.113.31
        tls_auth_name: "dot.seby.io"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
    ## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
      - address_data: 139.99.222.72
        tls_auth_name: "dot.seby.io"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A=
    ## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
      - address_data: 185.95.218.43
      - address_data: 2a05:fc84::43
        tls_auth_name: "dns.digitale-gesellschaft.ch"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
    ## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
      - address_data: 185.95.218.42
      - address_data: 2a05:fc84::42
        tls_auth_name: "dns.digitale-gesellschaft.ch"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
    ## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
      - address_data: 168.235.81.167
        tls_auth_name: "dns-nyc.aaflalo.me"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc=
    # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
    # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
    # tls_ciphersuites option. This option can also be given per upstream.
    tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
    # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
    # for this option. This option can also be given per upstream.
    tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
    # This option can also be given per upstream.
    tls_min_version: GETDNS_TLS1_2
    # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
    # This option can also be given per upstream.
    tls_max_version: GETDNS_TLS1_3

When I get some time - next day or two - I will post a separate Forum entry which lists many more DNS OVER TLS servers that are publicly available. However, these are more than enough to get you started.

3 - In order to have OPNsense 21.7.1 use the default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time, it helps to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

# touch /etc/rc.conf.d/stubby - create the needed new file
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines :

    stubby_enable="YES"
    stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit / then make the file executable - once again - works for me :

# chmod 755 /etc/rc.conf.d/stubby

4 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. This is where there has been a ( major ) change to UNBOUND on OPNsense 21.7.1. The bottom line is that there is no longer any option whatsoever for you to configure UNBOUND Custom Options via the OPNsense 21.7.1 WEBGUI.

A - See here for the changes - https://bit.ly/3vfx1MT - then scroll down to Advanced Configurations. There you may read about the changes I alluded to earlier. So here is how we go about configuring the Unbound/Stubby combination for OPNsense 21.7.1. Some users combine Unbound ( as a caching proxy with other features such as DNS Blacklisting ) and Stubby ( as a fully featured TLS forwarder ). This is what we are out to achieve.

Advanced Configurations : Some installations require configuration settings that are not accessible in the UI. To support these, individual configuration files with a .conf extension can be put into the /usr/local/etc/unbound.opnsense.d directory.

Now theoretically you should be able to create the needed file by doing the following :

B - # touch /usr/local/etc/unbound.opnsense.d/unbound_srv.conf
C - # nano /usr/local/etc/unbound.opnsense.d/unbound_srv.conf

Enter the following in the new file as detailed below :

    ####################################################
    ### Unbound Advanced Configuration
    server:
      tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
      hide-trustanchor: yes
      harden-glue: yes
      harden-dnssec-stripped: yes
      num-threads: 4
      rrset-cache-size: 256m
      msg-cache-size: 128m
      so-rcvbuf: 1m
      val-clean-additional: yes
      minimal-responses: yes
      harden-referral-path: yes
      aggressive-nsec: yes
      prefetch: yes
      qname-minimisation: yes
      qname-minimisation-strict: yes
      rrset-roundrobin: yes
      target-fetch-policy: "0 0 0 0 0"
      max-udp-size: 3072
      harden-below-nxdomain: yes
      ip-ratelimit: 300
      ip-ratelimit-factor: 10
      incoming-num-tcp: 100
      edns-buffer-size: 1472
      do-not-query-localhost: no
    forward-zone:
      name: "."  # Allow all DNS queries
      forward-addr: [email protected]
      forward-addr: 0::[email protected]
    ##################################################

*** Note that the file you create must end in .conf in order to be automatically included by the UI generated configuration. Also, name collisions with plugin code which uses this extension point, e.g. dnsbl.conf, may occur. So be sure to use a unique filename. unbound_srv.conf is a unique filename on OPNsense 21.7.1 for sure - trust me.

5 - Now, I have one caveat - when I created this file ( as described above ) via SSH, there was an issue where DNS OVER TLS did not work at all or as it should - the resolvers did not connect. Perhaps the file needs permissions - you can try - chmod 664 /usr/local/etc/unbound.opnsense.d/unbound_srv.conf - and see how this works out for you.

GUARANTEED SOLUTION : What I did was use WINSCP in order to have this setup perform as intended. Use your favorite text editor ( I use EditPad Pro ) and copy the Unbound Advanced Configuration above into a new file labeled unbound_srv.conf. Save this file to a local directory on your computer. Next, follow the steps below :

A - WINSCP into your OPNsense 21.7.1 Firewall via the SFTP protocol - SCP will not connect on OPNsense. Make sure to use the SFTP protocol. Go into ( open ) the directory below on the right side of the WINSCP interface : /usr/local/etc/unbound.opnsense.d/
B - Go into the directory on your computer where you have the unbound_srv.conf file which you previously created and filled out with the Unbound Advanced Configuration. This will be on the left side of WINSCP.
C - Drag and drop unbound_srv.conf ( on the left side of WINSCP ) into the /usr/local/etc/unbound.opnsense.d/ directory ( which is open ) on the right side of WINSCP. Done - close and exit.

This WINSCP method is GUARANTEED to work !!! - I strongly suggest that you choose to make this your preferred Unbound Advanced Configuration option for OPNsense 21.7.1 !!!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Easiest Method To Bring Back Unbound Advanced Configuration For OPNsense 21.7.1 WEBGUI

Special Thanks to cookiemonster from the OPNsense forum.

You can add the mimugmail / opn-repo to your OPNsense 21.7.1 Firewall, found here ( https://tinyurl.com/4r4xdrtp ) - see details below :

A - # fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
B - # pkg update

Then either add the plugin os-unboundcustom-maxit from the WEBGUI

C - or issue the command # pkg install os-unboundcustom-maxit

Then go to Services > Unbound DNS > Custom Options - you may enter your Unbound Advanced Configuration entries here - enable Custom Options - then restart Unbound DNS and then issue the command

F - # /usr/local/etc/rc.d/stubby.sh restart

FYI - the os-unboundcustom-maxit plugin, while adding Custom Options to the WEBGUI, creates a file named custom-maxit.conf in the /usr/local/etc/unbound.opnsense.d/ directory.

ALTERNATE METHOD TO INSTALL mimugmail / opn-repo

Sometimes you may get an error with the fetch command ( SSL ) when trying to add mimugmail / opn-repo. This is a workaround to add mimugmail / opn-repo manually.

touch /usr/local/etc/pkg/repos/mimugmail.conf
nano /usr/local/etc/pkg/repos/mimugmail.conf

Then enter the contents contained between the lines below :

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    mimugmail: {
      url: "https://opn-repo.routerperformance.net/repo/${ABI}",
      priority: 190,
      enabled: yes
    }

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Next, after manually adding mimugmail / opn-repo to OPNsense 21.7.1, continue as normal :

# pkg update
# pkg install os-unboundcustom-maxit

You are then all set.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

6 - Next - Under System > Settings > General Settings

A - Set the first DNS Server to 127.0.0.1 with no gateway selected / Make sure that DNS server option
B - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not - I repeat - Is Not Checked ! and DNS server option
C - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not - I repeat - Is Not Checked !
D - Save and Apply

Reboot your router or run the command # /usr/local/etc/rc.d/stubby.sh restart

You are all set up now. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.
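The post pairs two hand-written files: Stubby's listen_addresses must match Unbound's forward-addr lines, and every upstream must carry a tls_auth_name or a pinset for GETDNS_AUTHENTICATION_REQUIRED to be satisfiable. The checker below (an added example, not code from the post, getdns or OPNsense) parses the subset of both formats the post uses and reports mismatches; it also flags an upstream that ends up with no authentication data, which is what happens when a second "- address_data:" line starts a new YAML list item so the keys under it do not apply to the line above. The 8053 listen port in the constructed samples is an assumption, as is the small server selection.

```python
"""Check that a stubby.yml and an Unbound forward-zone agree (added example, not from the post)."""
import base64

# Constructed sample in the layout of the post's stubby.yml; the 8053 port is an assumption.
SAMPLE_STUBBY = """\
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
upstream_recursive_servers:
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
"""

# Constructed sample in the layout of the post's unbound_srv.conf forward-zone.
SAMPLE_UNBOUND = """\
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@8053
  forward-addr: 0::1@8053
"""


def parse_stubby(text):
    """Return (listen_addresses, upstreams); each upstream is a dict plus a 'pins' list.
    A '- address_data:' line starts a new YAML list item, so keys below it belong to it only."""
    listen, upstreams, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and not line.startswith("-"):
            key = line[:-1].strip()
            if key != "tls_pubkey_pinset":  # the pinset header stays inside its upstream
                section = key if key in ("listen_addresses", "upstream_recursive_servers") else None
            continue
        if section == "listen_addresses" and line.startswith("- "):
            listen.append(line[2:].strip())
        elif section == "upstream_recursive_servers":
            is_item = line.startswith("- ")
            key, _, value = (line[2:] if is_item else line).partition(":")
            key, value = key.strip(), value.strip().strip('"')
            if is_item and key == "address_data":
                upstreams.append({"address_data": value, "pins": []})
            elif key == "value" and upstreams:
                upstreams[-1]["pins"].append(value)
            elif key != "digest" and upstreams:
                upstreams[-1][key] = value
    return listen, upstreams


def parse_unbound_forwards(text):
    """Collect forward-addr targets from an unbound.conf fragment."""
    return [l.strip().split(":", 1)[1].strip() for l in text.splitlines()
            if l.strip().startswith("forward-addr:")]


def valid_sha256_pin(value):
    """A tls_pubkey_pinset value must be base64 of a 32-byte SHA-256 SPKI digest."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit(stubby_text, unbound_text):
    """Return a list of problems; an empty list means the two files agree."""
    listen, upstreams = parse_stubby(stubby_text)
    problems = []
    for addr in parse_unbound_forwards(unbound_text):
        if addr not in listen:  # a port mismatch here means Unbound never reaches Stubby
            problems.append(f"unbound forwards to {addr} but Stubby does not listen there")
    for up in upstreams:
        if "tls_auth_name" not in up and not up["pins"]:
            problems.append(f"{up['address_data']}: no tls_auth_name and no pinset, "
                            "so GETDNS_AUTHENTICATION_REQUIRED cannot be satisfied")
        for pin in up["pins"]:
            if not valid_sha256_pin(pin):
                problems.append(f"{up['address_data']}: pin {pin!r} is not a SHA-256 digest")
    return problems
```

Run audit() on the real /usr/local/etc/stubby/stubby.yml and /usr/local/etc/unbound.opnsense.d/unbound_srv.conf contents before restarting the services; on the constructed sample it reports only the IPv4 getdnsapi.net entry, because that list item carries no authentication data.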
2. Dear Community,

As is my wont as of late, along with my personal inclinations and indulgences - here we go with the intro: I know you got it - lyrics to sing along : https://genius.com/Bobby-byrd-i-know-you-got-soul-lyrics and video : https://www.youtube.com/watch?v=-aY4x5l2QzA and Bonus : Take this with you as we stroll along : https://genius.com/Hank-ballard-from-the-love-side-lyrics and video : https://www.youtube.com/watch?v=zKKcArCApx0

Hello, and here is the tutorial which details exactly how to get the great HardenedBSD based distro OPNsense up and running with the TORGUARD OpenVPN Client. OPNsense is found here: https://opnsense.org/about/features/ and downloads are found here : https://opnsense.org/download/

A - To begin you need to get your OpenVPN configuration files from the TORGUARD website. To do so, log in to your TORGUARD account, then go to Tools ( along the top of the Login Page ) and from the drop-down menu click on OpenVPN Config Generator. On the page that opens up, select in order - VPN Server Hostname/IP, VPN Protocol, VPN Port, VPN Cipher, OpenVPN Build, and whether or not you want to require TLS 1.2 as a minimum. After entering your choices, click on the green " Generate Config " box, then download and save the file, as we will use this later on in this process to configure the OpenVPN settings on the OPNsense Firewall.

B - Open the downloaded file ( it normally has some random number - mine is 96 in this example ). The first piece you need from this file is the CA ( certificate authority ). TORGUARD has just updated their certificates and is also in the process of enabling IPV6 support. Things just keep getting better with TORGUARD. There are actually two certificates in the file - along with a tls-auth key. Let me back up for a minute - I chose the NJ server, UDP protocol, port 1195, sha256, aes-256-gcm, Build OpenVPN 2.4 and above, plus I checked the box for TLS 1.2. Your file may have different options depending on how you choose to connect to the TORGUARD server.

C - Now - to proceed - the CA you want ( in this case ) is the first one listed. Here is a direct link to the CA in case you prefer to grab it by this method : https://torguard.net/downloads/ca.txt

After you have this certificate, log into your OPNsense Firewall - you will be presented with the " Lobby: Dashboard " page. You can always get back to this page by clicking on the " OPNsense Logo " at the uppermost left corner of the page. This is where you find " The OPNsense Menu Settings ", from where we will configure the TORGUARD OpenVPN Client. I will be using the .ovpn file and server I mentioned earlier for the purposes of this tutorial going forward.

1 - Begin by entering the CA in the appropriate field. In order to do this, first click on > System. A sub-menu will be revealed - look for the entry labeled " Trust ". Click on " Trust " - from there another sub-menu pops up - in that sub-menu click on " Authorities " so that we can add the TORGUARD-CA to our firewall. You will now be on a landing page entitled " System: Trust: Authorities ". Follow the steps below:

Click on ( + ) Add in the uppermost right corner of this page. Follow these instructions:

Method: Import an existing Certificate
Description: TORGUARD
Certificate data: ( enter ( copy and paste ) the certificate data content between <ca> and </ca> from the CA mentioned above )

Click Save. ( Do not alter / enter anything else here - leave at defaults )

Now we need to configure the OPNsense TORGUARD OpenVPN Client. Click on the " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui. This action refreshes the Web Gui, which brings us back to the full Menu on the furthest left column of the OPNsense Web Gui. Remember this, as you can always get back to the full Menu by this method.

2 - Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu click on " OpenVpn ". From that pop-up sub-menu click on " Clients ". When you click on " Clients " you will be presented with the " VPN: OpenVPN: Clients " Landing page. In order to proceed, click on ( + ) Add in the uppermost right corner of this page. Follow these instructions - once on this page, enter these settings:

Disabled: Unchecked
Description: TORGUARD-NJ
Server mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device mode: tun
Interface: WAN
Remote server: nj.east.usa.torguardvpnaccess.com
Port: 1195
Select remote server at random : Unchecked
Retry DNS resolution: Checked ( Infinitely resolve remote server )
Proxy host or address: Blank
Proxy port: Blank
Proxy Authentication: none
Local port: Blank

User Authentication Settings: User name/pass: ( from your TORGUARD Account )
Username: enter your TORGUARD user name from Manual setup > userpass.txt file ( found on the first line )
Password: enter your TORGUARD password from Manual setup > userpass.txt file ( found on the second line )
Renegotiate time : Blank
TLS Authentication: Leave this checked ( uncheck the box directly below it, then enter the tls-auth key from TORGUARD )
Automatically generate a shared TLS authentication key: ( Uncheck this box first and then enter the tls-auth key from the OpenVPN Config you generated and downloaded at the very beginning )
Peer Certificate Authority: TORGUARD ( the name will be the " Descriptive name " you gave the CA in Step 1 )
Client Certificate: None ( Username and Password required )
Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA256 (256-bit)
Hardware Crypto: No Crypto Hardware acceleration
IPv4 Tunnel Network : Blank
IPv6 Tunnel Network : Blank
IPv4 Remote Network : Blank
IPv6 Remote Network : Blank
Limit outgoing bandwidth : Blank
Compression: No Preference
Type-of-Service : Blank
Disable IPv6: Checked
Don't pull routes: Blank
Don't add/remove routes : Blank
Advanced configuration:

    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
    auth-retry interact
    compress
    auth-nocache
    script-security 2
    mute-replay-warnings
    ncp-disable
    key-direction 1
    setenv CLIENT_CERT 0
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    sndbuf 524288
    rcvbuf 524288
    push "sndbuf 524288"
    push "rcvbuf 524288"

Verbosity level: 3 ( recommended )

Click Save. You are redirected to the VPN: OpenVPN: Clients Landing page and you should see a " green arrow " by " UDP nj.east.usa.torguardvpnaccess.com:1195 " in this example. Once you see this arrow, you will see that you are still in the OpenVPN pop-up sub-menu. Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. This takes you to the VPN: OpenVPN: Connection Status Landing page. You should check under " Status " and make sure that it indicates that your tunnel is " up ".

3 - We now need to add a Hybrid Firewall Rule in order to get OPNsense TORGUARD OpenVPN fully up, running and completed. We do this as follows. Once again, click on the " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui, which brings us back to the full Menu on the furthest left column of the OPNsense Web Gui. Follow these instructions:

A - Click on Firewall ( once again a pop-up sub-menu appears )
B - On that sub-menu click on NAT ( once again a pop-up sub-menu appears )
C - From that sub-menu click on Outbound ( you will now be presented with the Firewall: NAT: Outbound Landing page )

Once on the Firewall: NAT: Outbound Landing page, place a dot in the " Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules) " radio button. Click Save ( which is located at the top of the page under the " Mode " section ). After clicking Save, DO NOT ! - Repeat - Do Not click Apply ! at this time. Instead, click on ( + ) Add in the uppermost right corner of this page. You will be presented with the " Edit Advanced Outbound NAT entry " Landing page. Change the " Interface " setting from WAN to " OpenVPN " from the drop-down menu. Also, for Description : enter ( Made For TORGUARD ). Do not touch or change anything else whatsoever on this page. Click Save - and you will be redirected to the Firewall: NAT: Outbound Landing page. You will see at the very top of the page it says " The NAT configuration has been changed. You must apply the changes in order for them to take effect. " So, click on Apply Changes at the top of the page. Done with Firewall Rules for OPNsense TORGUARD OpenVPN.

Once again, click on the " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui, which brings us back to the full Menu on the furthest left column of the OPNsense Web Gui. Follow these instructions: Click on " VPN " in the left side vertical Menu. From the pop-up sub-menu click on " OpenVPN ".

A - Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. You should still be up and running.
B - From the same OpenVPN pop-up sub-menu - click on " Log File " and you should see that you are connected. Good News !

I erroneously reported earlier that your WAN would not reboot without disabling the OpenVPN Client when using the Hybrid FireWall detailed in this tutorial. Actually, I was testing the setup on an OPNsense VMware Workstation Machine. I can now emphatically state and assure you that your WAN will reboot if you use this setup ( along with the Hybrid FireWall Rule ) on a real physical hardware installation. I disable all properties on the WAN interface when using Virtual Machines ( an old habit ) EXCEPT for VMware Bridge Protocol. This may be the problem when I deploy OPNsense on a VMware Virtual Machine. I will test and report back later. The good thing about VMware is that you can take snapshots, so you can always go back if you make an error. However, the BOTTOM LINE is that you can implement this guide on a hardware installation AS IS ! without any issues on OPNsense reboot.

I will write up an updated tutorial for DNS OVER TLS WITH GETDNS+STUBBY on OPNsense. Since version OPNsense 18.7 you may install stubby and getdns on OPNsense by simply issuing the command # pkg install getdns - I am running DNS OVER TLS with OpenVPN now - and it works beautifully.

Lastly, in order to check that you are connected to TORGUARD - go to : https://torguard.net/whats-my-ip.php . At the very top of the page on the upper left hand side - click on " Check Now " and down under " Your Current Info " you will see your TORGUARD ROUTED OpenVPN IP Address - next to it you will see this : IP Address: 23.226.128.162 (Protected) - the key is you are now " Protected ", which means that you are now successfully connected via the TORGUARD OPNsense OpenVPN CLIENT. This setup will work with virtually any commercial OpenVPN Service Provider - trust me; I have tested a few others in addition to TORGUARD as outlined here in this tutorial.

Remember that you may have to modify settings depending on your personal configuration and / or the features ( cryptography and so on ) that your commercial OpenVPN Service Provider supports and deploys.

Peace & Universal Love