Jump to content
TorGuard
Sign in to follow this  
directnupe

OpenVPN OPNsense CLIENT DEAD SIMPLE

Rate this topic

Recommended Posts

directnupe

Dear Community,
As is my wont as of late along with my personal inclinations and indulgences - here we go with the intro: I know you got it - lyrics to sing along : https://genius.com/Bobby-byrd-i-know-you-got-soul-lyrics and video : https://www.youtube.com/watch?v=-aY4x5l2QzA and Bonus : Take This with you as as we stroll along : https://genius.com/Hank-ballard-from-the-love-side-lyrics and video : https://www.youtube.com/watch?v=JrTpVWoej7Y - Hello and here is the tutorial which details exactly how to get the great Hardened BSD based Distro OPNsense up and running with TORGUARD OpenVPN Client. OPNsense found here: https://opnsense.org/about/features/ and downloads found here : https://opnsense.org/download/

A - To begin you need to get your OpenVPN configuration files from the TORGUARD website. To do so login your TORGUARD account then go to Tools ( along the top of Login Page ) from drop Down Menu click on OpenVPN Config Generator. On this page that opens up - select in order - VPN Server Hostname/IP, VPN Protocol, VPN Port, VPN Cipher, OpenVPN Build, and whether or not you want to require TLS 1.2 as a minimum. After entering your choices, click on green " Generate Config " Box and download and save the file as we will use this later on in this process to configure OpenVPN settings on OPNsense FireWall.

B -Open the downloaded file ( it normally has same random number - mine is 96 in this example ). The first piece you need from this file is the CA ( certificate authority ). TORGUARD has just updated their certificates and are also in the process of enabling IPV6 support. Things just keep getting better with TORGUARD. There are actually two certificates in file - along with a tls-auth key. Let me back up for a minute - I chose NJ server UDP protocol - port 1195 - sha256 - aes-256-gcm - Build OpenVPN 2.4 and above plus checked box for TLS 1.2 - Your file may have different options depending on how you choose to connect to TORGUARD Server.

C - Now - to proceed - the CA you want ( in this case ) is the first one listed. Here is a direct link to the CA in case you prefer to grab it by this method : https://torguard.net/downloads/ca.txt - After you have this certificate log into your OPNsense Firewall - you will be presented with the " Lobby: Dashboard " page.  You can always get back to this page by clicking on " OPNsense Logo " at the uppermost  left corner of page. This is where you find " The OPNsense  Menu Settings  " which is from where we will configure TORGUARD OpenVPN Client. I will be using the .ovpn file and server I mentioned  earlier for the purposes of this tutorial going forward.

1 -  Begin by entering the ca in the appropriate field. In order to this, first Click on > System. A sub-menu will will be revealed - look for for the entry labeled " Trust ". Click on " Trust " - from there another sub-menu pops up - In that sub-menu Click on " Authorities " so that we can add the TORGUARD-CA to our firewall. You will now be on a landing page entitled " System: Trust: Authorities ".

Follow the steps below:

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Method: Import an existing Certificate
Description: TORGUARD
Certificate data: ( enter ( copy and paste ) certificate data content between <ca> and </ca>  from the CA mentioned above)

Click Save . ( Do not alter / enter anything else here - leave at defaults )

Now we need to configure OPNsense TORGUARD OpenVPN Client . Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui. . This action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui. Remember this as you can always get back to the full Menu by this method.

2 - Click on " VPN " in the left side vertical  Menu. From the pop-up sub-menu Click on " OpenVpn ".  From that pop-up sub-menu Click on " Clients ".  When you click on " clients " you will be presented with the " VPN: OpenVPN: Clients " Landing page. In order to proceed,

Click on ( + ) Add in the uppermost right corner of this page.
Follow these instructions:

Once on this page-  enter these are settings:

Disabled: Unchecked

Description: TORGUARD-NJ

Server mode: Peer to Peer ( SSL/TLS)

Protocol: UDP

Device mode: tun

Interface: WAN

Remote server: nj.east.usa.torguardvpnaccess.com  Port: 1195

Select remote server at random : Unchecked

Retry DNS resolution: Checked
(  Infinitely resolve remote server )

Proxy host or address: Blank

Proxy port: Blank

Proxy Authentication: none

Local port: Blank

User Authentication Settings:
User name/pass: ( from your TORGUARD Account )
Username: enter TORGUARD user name from Manual setup > userpass.txt file ( found on first line )
Password: enter TORGUARD password from Manual setup > userpass.txt file ( found on second line )

Renegotiate time : Blank

TLS Authentication: Leave this checked ( Uncheck box directly below it  then enter tls-auth key from TORGUARD )

Automatically generate a shared TLS authentication key. ( Uncheck this box first and then enter tls-auth key from
OpenVPN Config you generated and downloaded at the very beginning )

Peer Certificate Authority: TORGUARD ( name will be the " Descriptive name " you gave CA in Step 1 )

Client Certificate: None ( Username and Password required)

Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block)

Auth digest algorithm: SHA256 (256-bit)

Hardware Crypto: No Crypto Hardware acceleration

 IPv4 Tunnel Network : Blank

 IPv6 Tunnel Network : Blank

 IPv4 Remote Network : Blank

IPv6 Remote Network : Blank

Limit outgoing bandwidth : Blank

Compression: No Preference

Type-of-Service : Blank

Disable IPv6: Checked

Don't pull routes: Blank

Don't add/remove routes : Blank

Advanced configuration:

persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
compress
auth-nocache
script-security 2
mute-replay-warnings
ncp-disable
key-direction 1
setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"


Verbosity level: 3 ( recommended )

Click Save.

You are redirected to VPN: OpenVPN: Clients Landing page and you should see a "green arrow" by "UDP nj.east.usa.torguardvpnaccess.com:1195 " in this example. Once you see this arrow, you will see that you are still in the OpenVPN pop-up sub-menu. Now, click on " Connection Status " in the OpenVPN pop-up sub-menu. This takes you to the VPN: OpenVPN: Connection Status Landing page. You should check under " Status " and make sure that it indicates that you tunnel is " up ".

3 - We now need to add a Hybrid Firewall Rule in order to get OPNsense TORGUARD OpenVPN fully up, running and completed.
We do this as follows. Once again, Click on " OPNsense Logo " at the op of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:

A- Click on Firewall ( once again a pop-up sub-menu appears )
B - On that sub-menu click on NAT ( once again a pop-up sub-menu appears )
C - From that sub-menu click on  Outbound  ( you will now be presented with the Firewall: NAT: Outbound Landing page )

Once on the Firewall: NAT: Outbound Landing page, place a dot in the Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules) radio button.Click Save ( which is located at the top of the page under the " Mode " section.

After clicking save, DO NOT ! - Repeat Do Not  Click Apply ! at this time. Instead- Click on ( + ) Add in the uppermost right corner of this page.  you will presented with the " Edit Advanced Outbound NAT entry " Landing page. Change the " Interface " setting from Wan to " OpenVPN " from the drop down menu.  Also , for Description : enter ( Made For TORGUARD ). Do not touch or change anything else whatsoever on this page.

Click Save -and you will be redirected to the Firewall: NAT: Outbound Landing page. You will see at the very top of the page it says " The NAT configuration has been changed.You must apply the changes in order for them to take effect. " So, Click on Apply Changes at the top of the page. Done with Firewall Rules for OPNsense TORGUARD OpenVPN.

Once again, Click on " OPNsense Logo " at the top of the left uppermost corner of the OPNsense Web Gui - this action refreshes the Web Gui. which brings us back to the full Menu on the furthest most left column of the OPNsense Web Gui.
Follow these instructions:'

Click on " VPN " in the left side vertical  Menu. From the pop-up sub-menu Click on " OpenVPN ".

A -  Now, click on " Connection Status " in the OpenVPN pop-up sub-menu.  you still should be up and running
B - From the same OpenVPN pop-up sub-menu - click on " Log File " and you should see that you are connected.

Good News ! I erroneously reported earlier that your WAN would not reboot without disabling OpenVPN Client using the Hybrid FireWall detailed in this tutorial. Actually, I was testing the setup on a an OPNsense VMware Work Station Machine. I can now emphatically state and assure you that your WAN will reboot if you use this setup ( along with Hybrid FireWall Rule ) on a real physical hardware installation. I disable all properties on the WAN interface when using Virtual Machines ( an old habit ) EXCEPT for VMware Bridge Protocol. This may be the problem when I deploy OPNsense on VMware Virtual Machine. I will test back and report back later. The good thing about VMware is that you can take snapshots, so you can always go back if you make an error. However, the BOTTOM LINE is that you can implement this guide on a hardware installation AS IS ! without any issues on OPNsense reboot. I will write up an updated tutorial for DNS OVER TLS WITH GETDNS+STUBBY on OPNsense. Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by  simply issuing command # pkg install getdns  - I am running DNS OVER TLS with OpenVPN now - and it works beautifully.
   
Lastly, in order to check that your are connected to TORGUARD - go to : https://torguard.net/whats-my-ip.php . At the very top of the page on the upper left hand side - click on " Check Now " and down under " Your Current Info " you will see your TORGUARD ROUTED OpenVPN IP Address - next to it you will see this : IP Address: 23.226.128.162 (Protected) - the key is you are now " Protected " which means that you are now successfully connected via TORGUARD OPNsense OpenVPN CLIENT. This setup will work with virtually any commercial OpenVPN Service Provider - trust me; I have tested a few others in addition to TORGUARD as outlined here in this tutorial. Remember that you may have to modify settings depending on your personal configuration and / or the features ( cryptography and so on ) that your commercial OpenVPN Service Provider supports and deploys.

Peace & Universal Love

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...