Setup pfSense as an OpenVPN client for specific devices

Background

[UPDATE – 20141101 – Based on trying to help a redditor with trouble shooting, I actually tried this out on my backup router.  I’ve updated the post.] [UPDATE – 20141103 – Added a note for those using pfSense 2.2 Betas.  There is a bug that  prevents this from working.]

Note: This How-To is meant for pfSense 2.1.x. For those using 2.2 Beta, there is a bug that prevents this from working.  Read about here in the pfSense forum thread, “cannot NAT trough OPT1 interface on multiwan.”  The bug has been filed in redmine and at the time of this writing, it has been fixed for IPv4 traffic.

One of the most powerful features of pfSense is it’s ability to direct your data requests through different end-points using NAT rules. In my case, I like to be able to access the content in Netflix US. In comparison, Netflix Canada’s content is somewhat anemic, although we do get such gems as Community and the Good Wife here. There are many ways to access Netflix US content (and BBC iPlayer content) outside of the geo-fence territories.  I prefer to use a Virtual Private Network (VPN). pfSense is amazing as an OpenVPN client because I can selectively route any device on my network through the VPN service (i.e., my tablets and TV go through US servers, while my smartphone, VoIP, computers go my local ISP).

There are other reasons for using a VPN:

  • Anonymize your traffic to defeat deep-packet inspection used by ISPs to throttle your data.
  • Secure your browsing / network sessions while on a public network (e.g., Coffee Shop’s Wifi).
  • Have your originating IP address  appear to be from anywhere. This is especially useful if you need to do online banking overseas.
  • Access the internet through a consistent Static IP address.
  • Unblock sites that are geo-fenced (like Netflix US or Hulu.com)

In this particular case, I am using the VPN to tunnel my Internet traffic through to a server located in the United States. This VPN server acts as a “proxy” or “end-point” for all my HTTP requests. For websites on the receiving-end of your request, I appear to be in the country that the VPN server is residing (in this case the US). I prefer VPNs because I can visit other sites (not necessarily just Netflix USA) and see the local experience on both your Desktop and device. OpenVPN provides the most secure means of doing this.  The provider that I’ve chosen is StrongVPN (although I use others) as they have:

  • Dedicated, statically-assigned IP-address (when connecting over OpenVPN)
  • A proven track record of not overselling
  • Apps for all major platforms

Things that StrongVPN does NOT offer:

One of the reasons I prefer a consistent, statically assigned IP address, is that I can guarantee access to specific servers and what not through IP Whitelisting. Although, that’s another topic.

I like using pfSense because I can set it as an OpenVPN client and use the router to offload the encryption handling (currently an upgraded Watchguard x550e). By setting up the OpenVPN client as a gateway, I effectively negate the load on the device connecting to the Internet through the VPN. Having it at the router level also means I can share the connection with multiple devices connected to my wireless or wired network.  Having a 2.0 GHz Pentium-M based router means I can easily max out my 45/4 Mbps cable connection when going through the VPN1.

I can also use NAT-based rules to select which devices use the VPN connection or which bypasses the VPN all together and access the Internet through the default WAN provided by my ISP.  For instance, my VoIP ATA connects to VOIP.ms directly because I don’t want to add latency to the connection by going through StrongVPN’s server in NYC.

NOTE: This probably works with IPSec, PPTP and L2TP, but YMMV.

How To

Get a VPN account, select a fast server, and download the OpenVPN configuration file

  1. Setup an account with StrongVPN (or any other VPN provider).
  2. Select an appropriate package based on your location.  Most VPN packages usually offer a discounted package for an annual-fee (best value).  Ensure that it has the locations that you are interested in and that the package offers OpenVPN support.
  3. Sign into StrongVPN and use their tools to select a server in the country that you would like to route your data through.  They have speed tests that I found were useful.
  4. Go to the “Setup Instructions page” > “Manual Setup – All other devices” and download the OpenVPN config file (for PC and Mac)
  5. Open the vpn-inXXX_ovpnXXX_account.ovpn in a text editor.  You’ll use this data to setup the connection in pfSense.

What is this *.ovpn file?

I won’t get into the technicals of public key encryption and what a certificate authority is and what certificates do.

The *.ovpn file is a configuration file. It is divided into 5 sections:

  1. IP addresses for the VPN server that you want to connect to and the default UDP ports required.
  2. A list of configuration flags that you will use to optimized the connection in pfSense.
  3. The certificate for your Certificate Authority (CA).  It begins with <ca> and ends with </ca>. It looks something like this:
  4. You’ll have another section that contains your private.key. It starts with <key> and ends with </key>. It looks like this:
  5. You’ll then have your VPN certificate.  It’s defined by the <cert> </cert> tags.
  6. Finally, you’ll have your OpenVPN Static Key.  It starts with <tls-auth> and ends with </tls-auth>.
    1.  

Enter your Certificates into pfSense

NOTE: I am using pfSense 2.1.5.

You’ll need to add your Certificate Authority, OpenVPN certificate and private key data into pfSense.  It’s just copy and pasting.

  1. Go to “System” > “Cert Manager”
  2. You will see three tabs:
    1. CAs
    2. Certificates
    3. Certificate Revocation
  3. In the CAs tab, click the “+” icon to add a new certificate Authority
    1. Provide a name like “<VPN PROVIDER> CA”
    2. Copy and paste the <ca> section from the .ovpn file. NOTE: do NOT include the <CA> and </CA> tags.
    3. It should look like this:
  4. Click “Save”.
  5. Go to the “Certificates” Tab and click the “+” icon to add your VPN certificate and private key.
    1. Provide a name like “<VPN PROVIDER> CERT”
    2. Copy and paste the <cert> section from the .ovpn file into the “Certificate data” text box. NOTE: do NOT include the <cert> and </cert> tags.
    3. Copy and paste your the <key> section from the .ovpn file into the “Private key data” text box. NOTE: do NOT include the <key> and </key> tags.
    4. It should look like this:
  6. Click “Save”.

Configure your OpenVPN Client

You’ll need to configure pfSense to act as the OpenVPN client.

  1. Go to “VPN” > “OpenVPN”
  2. You’ll see 4 tabs:
    1. Server – Makes your pfSense router into a server.
    2. Client – connect your router to an OpenVPN server. <– You want this tab
    3. Client Specific Overrides – Allows you to set special directives that change the behaviour of the client you are connected to.  For instance, you force the OpenVPN client to send out Google DNS servers.
    4. Wizards – Helpful step-by-step tutorial to set things up.
  3. Click the “Client” tab
  4. Click the “+” icon to add a new client.
  5. You’ll be required to enter your static key and use the details from sections 1 and 2 from the .ovpn file to configure it.  Use the image below as a guide.
    1. NOTE: This is very specific to StrongVPN.  You will need to experiment with the settings given to you by your VPN provider.
    2. You’ll need to copy your OpenVPN Static Key into the TLS Authentication text box. Note: remember leave out the <tls-auth> and </tls-auth> tags.
    3. Strong VPN offers several Ports to connect with. I specify the first, port 4672, type UDP.
    4. In the “Peer Certificate Authority” dropdown, select the “<VPN PROVIDER> CA” certificate authority you made above.
    5. In the “Client Certificate” dropdown, select the “<VPN PROVIDER> Cert” you made.
    6. Set the Encryption Algorithm based on the option available to you in the .ovpn file.
    7. Depending on your hardware, you should select whether you have hardware crypto acceleration (e.g., Via Nano, AMD Geode, Hifen, or AES-NI capable CPU).
    8. In the advanced configuration text box, you’ll enter the items from section 2 of the .ovpn file. Experiment with what works.  You’ll see errors in the log files if an attribute doesn’t work. This is what I use:

      verb 4;tun-mtu 1500;fragment 1390;mssfix 1390;keysize 128;key-direction 1;redirect-gateway def1;persist-tun;persist-key;route-delay 2;explicit-exit-notify 2;comp-lzo yes;

  6. Provide a name and click “Save”.

Check your VPN logs now!

You’ll want to see if you can successfully connect with your service provider through the system logs.

  1. Go to “Status” > “System Logs”
  2. Select the “OpenVPN” Tab
  3. Verify that you have successfully connected. Specifically you want to see, “Initialization Sequence Completed”.

If you don’t see it, it means you are not connected.  Check your configuration again. Use the log to look for errors.  These are probably flags in your advance settings. Double check that you pasted in the right TLS Authentication key.

Time to set up our OpenVPN gateway interface

If you’ve gotten this far, congratulations.  Now all you need to do is setup pfSense to route traffic through the dedicated VPN tunnel we’ve just created.  What we’re going to do set up the tunnel as a gateway interface and then route traffic based on IP address using firewall rules.

  1.  Go to “Interfaces” > “(assign)”.
  2. Assign click the “+” icon and add a new interface. It will be called “OPT1” if you don’t already have it.
  3. In the “Network Port” dropdown, select  “ovpnc1 <VPN PROVIDER>”.  This is a virtual network port for you to send data through.
  4. Now change the name of OPT1 into something more useful.
    1. Click the “OPT1” hyperlink on the left side.
    2. Provide a descriptive name.
    3. Click “Save”
  5. It should look like this:

TROUBLE SHOOTING: Verify that you have working gateways

When I tried configuring a spare box, I ran into trouble getting this tutorial to work on a fresh install of 2.1.5.2

Verify that you are getting an IP address in the pfSense homepage.

  1. Click the pfSense logo in the top, left-hand corner.
  2. Verify that you have an IP Address for your VPN.
  3. If no, go to “Status” > “Services”
  4. Restart the OpenVPN service by clicking the stop button, waiting, and then the play button.

Verify that your gateways are available in “System” > “Routing”

  1. Go to “System” > “Routing”
  2. In the “Gateway” Tab, You should see 4Gateways:
    1. WAN IPv4 with an XXX.XXX.XXX.XXX IP Address
    2. WAN IPv6 with a hexadecimal IP Address
    3. StrongVPN IPv4 with a ZZZ.ZZZ.ZZZ.ZZZ IP Address
    4. StrongVPN IPv6 with either “dynamic” or a hexadecimal IP Address

It should look like this:

If no IP Addresses are there.  Open the StrongVPN entries, scroll down and click, “Save”.  That seemed to restart it for me.

Set your Outbound NAT rules to Manual Generation

You will need to know the IP address of the device you are using.  I set up static mappings for my own devices, but it’s not really necessary because most home networks don’t really need this.

  1. Go to “Firewall” > “NAT”.
  2. Select the “Outbound” tab.
  3. Select the “Manual Outbound NAT Rule Generation (AON) radio button.
  4. Click “Save”
  5. You’ll see a list of interfaces that look like the picture below:

TROUBLE SHOOTING: Only 3 entries for Outbound NAT rules, not 6

You should see 6 entries (like above) when you set your system to “Manual Outbound NAT rule generation).  However, when I tried doing this for a fresh Install of 2.1.5, I was only given 3 NAT entries for WAN.2  Since your VPN is another gateway, you should have an additional 3 (as depicted above).  In the case that you don’t see it.  Verify that the gateway is there with an IP address by going to “System” > “Routing”.

If the gateway is there, then you need to create the proper WAN rules.

  1. Make a copy of the first WAN Rule that says, “Auto created rule for ISAKMP – LAN to WAN”, click the “+” button beside it.
  2. In the “Interface” dropdown.  Select “<VPN PROVIDER>”.
  3. Change the name to “Auto created rule for ISAKMP – LAN to <VPN NAME>”
  4. Repeat this for the next 2 WAN rules.
  5. Position the rules as seen in the image above.

You want to duplicate all the rules so that the VPN has proper NAT directions.

Create firewall rules for your devices

You’ll need to create rules for StrongVPN and OpenVPN tabs under “Firewall” > “Rules”.  After that all you need to do is specify the IPs of which devices you want to send through the VPN. The last rule you create is a blanket rule that directs all other non-specific devices through WAN (rather than the VPN).

Note: I am making an assumption that most traffic goes through your ISP and not your VPN.

  1. Go to “Firewall” > “Rules”.
  2. Select the “<VPN PROVIDER>” tab
  3. Click the “+” icon to add a new rule.
  4. Create a “Pass” action for all IPV4 traffic through the “<VPN Provider>” Interface.
  5. It should look like this:
  6. Click “Save”
  7. Click “Apply Changes”
  8. Select the “OpenVPN” tab.
  9. Create a “Pass” action for all IPv4 traffic through the “OpenVPN” Interface.
  10. In the “Advanced features” > “Gateway” dropdown,  select your “<VPN Provider>”.
  11. It should look like this:
  12. Provide a descriptive name and click “Save”
  13. Click “Apply Changes”.

Now it’s time to select your devices.  You’ll need to know their IP address.

  1. Go to “Firewall” > “Rules”.
  2. Select the “Lan” tab.
  3. Click the “+” icon the add a rule.
  4. Create a “Pass” action for the device
    1. Set “Action” dropdown to “Pass”
    2. Set Interface to “LAN”
    3. TCP/IP Version to “IPv4”
    4. Protocol to “Any”
    5. Source: Set to “Single host or alias” and provide the IP address or “alias name”
    6. Provide a descriptive Name
    7. In “Advance features” > “Gateway”, select the gateway you want to use:
      1. “WAN” for your ISP, or
      2. “VPN” to route traffic through OpenVPN.
    8. Click “Save”
  5. It should look like this:
  6. Click “Apply All”

Repeat for any device (Tablet, SmartTV, XBox, Hackintosh etc.)

Create a rule for non-specific devices

Finally, the last rule that you need to make is to specify all other devices in your Lan to use the default WAN.

  1. Go to “Firewall” > “Rules”.
  2. Select the “Lan” tab.
  3. Click the “+” icon the add a rule.
  4. Create a “Pass” action for the device
    1. Set “Action” dropdown to “Pass”
    2. Set Interface to “LAN”
    3. TCP/IP Version to “IPv4”
    4. Protocol to “Any”
    5. Source: Set type to “LAN Net”
    6. Provide a descriptive Name like “DEFAULT REST OF LAN TO WAN
    7. In “Advance features” > “Gateway”, select the “WAN_DHCP – XXX.XXX.XXX.XXX”
  5. Click “Save”
  6. It should look like this:
  7. Click “Apply All”

Ensuring rules are applied in the proper order

In order to ensure that the rules are applied in the proper order, you’ll need to move the items up and down the list in the “LAN” tab under the “Firewall > Rules” section of pfSense.

Make sure that all the rules are above the line in red. Device specific overrides are at the top with the non-specific devices the last rule above the red line.

Use this image to help out:

Make sure to apply the changes and let the firewall rules process.

You can verify your external IP address by visiting StrongVPN’s website and look at the IP and country of origin.

Hope you found this useful.

NOTE: FWIW, I think you could accomplish this through VLANs.

Tai


  1. Provided by Teksavvy.com
  2. I suspect it is because my VPN gateways were not registered yet.