How to route all Opnsense traffic through your private VPN

This is for your home network, yes.  I tried several how-tos, and basically had to figure it out for myself.  Here’s how I did it.

Preface:  I have two LANs;  one for computers, tablets, and phones, and the other for IoT devices, including my Roku (which cannot use a VPN).  I’m using Opnsense 18.7, so menu item labels or locations might change in the future.

Step 1:  Get all your certificates and such from your VPN provider.  They might give you a single file with labeled sections or a series of files.  You need:

  • somename.ovpn  (If you open this file with Notepad or Wordpad, it contains all the below except for the username and password, but it might also contain other directives for your provider.)
  • CA.crt (Certificate Authority–it might be a section of your .ovpn file.)
  • TA.key (OpenVPN Static key–Some VPN providers will give you a username and password instead of a static key. It might be a section of your .ovpn file.)
  • User.crt (User Certificate–it might be a section of your .ovpn file.)
  • User.key (RSA Private Key–it might be a section of your .ovpn file.)

Step 2:  Log into Opnsense and navigate to System -> Trust -> Authorities.  Click Add.

  • Put anything (within reason) in “descriptive name.”  I suggest the name of your VPN provider.
  • Leave Method “Import an existing Certificate Authority”
  • Paste the contents of your CA.crt (Certificate Authority) file.  If you just have one big file, copy and paste the CA certificate including the “begin” and “end” bits.
  • Click Save.

This Certificate Authority should now show up in Opnsense on the Authorities page.  Opnsense should fill in information about your VPN provider here that it got from the certificate.

Step 3:  Navigate to System -> Trust -> Certificates.  Click Add.

  • Leave Method “Import an existing Certificate”
  • Put anything (within reason) in “descriptive name.”  I suggest the name of your VPN provider.
  • Paste the contents of User.crt into Certificate Data.  If you just have one big file, copy and paste the user certificate including the “begin” and “end” bits.
  • I think I pasted the contents of User.key into the private key area, but the How-To I followed left this blank, so apparently both work.
  • Click Save.

If you view Certificates, Opnsense will now have more information about your certificate (including email address of issuer, etc.).

Step 4:  Navigate to VPN -> OpenVPN -> Clients.  Click Add.

This is where the How-To guides started to fall apart for me.  You might need to trial and error a little here.  You’ll also need to open that .ovpn file with Notepad or Wordpad (if you haven’t already).

  • Put anything (within reason) in “description.”  I suggest the name of your VPN provider.
  • Server Mode: Peer to Peer (SSL/TLS)
  • Protocol: (check your ovpn file)
  • Device Mode: (check your ovpn file)
  • Interface: (Your WAN interface–it’s probably literally called “WAN”)
  • Local port: (mine is blank, but check your ovpn file)
  • Server Host or Address: (check your ovpn file)
  • Server Port: (check your ovpn file)
  • Server host name resolution: Ticked

Cryptographic Settings:

  • TLS Authentication: Ticked unless you’re using username and password instead.  (If you’re using username and password, put them in the blanks.  If you’re using TLS, paste the data in your ta.key file here, AKA OpenVPN Static key.  If this option doesn’t appear, enter everything else, click save, and look again.)
  • Peer Certificate Authority: Select whatever you called it in step 2.
  • Client Certificate: Select whatever you called it in step 3.
  • Encryption: (check your ovpn file)
  • Auth Digest Algorithm: (check your ovpn file)
  • Disable IPv6: Ticked

Click Save.

The various How-Tos debate whether you need to paste the advanced settings from the ovpn file into the advanced settings on the Add Client page.  My tunnel didn’t work until I cleared all that data out.  Sigh.  In other words, try it without the advanced settings and see if it works first.
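As an added example (not part of the original write-up), here is a small Python script that pulls the “check your ovpn file” values from a .ovpn file and names the Opnsense “Add Client” field each one belongs in, and that splits out the inline <ca>/<cert>/<key>/<tls-auth> sections Step 1 describes. The sample file, the hostname vpn.example.invalid and the PEM bodies are constructed placeholders; the directive-to-field mapping is my reading of the labels listed above.

```python
import re

# Constructed sample .ovpn with placeholder PEM bodies (not from any real provider)
SAMPLE_OVPN = """\
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# .ovpn directive -> Opnsense "Add Client" field named in Step 4
FIELD_FOR = {"proto": "Protocol", "dev": "Device Mode", "lport": "Local port",
             "cipher": "Encryption", "auth": "Auth Digest Algorithm"}
# inline <tag> section -> the file name the guide uses for it in Step 1
BLOCK_FOR = {"ca": "CA.crt", "cert": "User.crt", "key": "User.key", "tls-auth": "TA.key"}


def parse_ovpn(text):
    """Return (settings, blocks): GUI field values and the inline PEM sections."""
    settings, blocks = {}, {}
    # Inline sections first, so their contents are never misread as directives
    for tag, body in re.findall(r"<([\w-]+)>\n(.*?)</\1>", text, re.S):
        blocks[BLOCK_FOR.get(tag, tag)] = body.strip()
    for line in re.sub(r"<[\w-]+>.*?</[\w-]+>\n?", "", text, flags=re.S).splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "remote":          # "remote <host> [port] [proto]"
            settings["Server Host or Address"] = parts[1]
            settings["Server Port"] = parts[2] if len(parts) > 2 else "1194"
        elif parts[0] == "auth-user-pass":  # provider uses username/password
            settings["Auth Mode"] = "username/password"
        elif parts[0] in FIELD_FOR:
            settings[FIELD_FOR[parts[0]]] = " ".join(parts[1:])
    if "TA.key" in blocks:
        settings["TLS Authentication"] = "Ticked (paste TA.key)"
    return settings, blocks
```

Anything the script leaves in a block it does not recognise (or directives it skips) is exactly the “other directives for your provider” that you may still need to compare by hand.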

Step 5:  Check to see if your tunnel is working by navigating to VPN -> OpenVPN -> Connection Status.

You should see Status Up with a Virtual IP and all that good stuff.  If you don’t, navigate to VPN -> OpenVPN -> Log File and see if it says anything useful there.  You’ll probably then have to go back to Step 4 and tweak the settings to look more like your .ovpn file.  You might also need to contact your VPN provider if you’re really lost.

You cannot proceed further until you have a working tunnel.

Step 6:  This is where the other guides really went off the rails for me.  (Sorry, guys!)  This is what I did.  It may or may not be the best way to do it, but it worked.  Navigate to Firewall -> NAT -> Outbound.

  • Click “Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules),” then click Save.

Click Add.

  • Interface:  OpenVPN
  • Translation target:  “Interface Address”
  • Leave everything else any or default.

At this point, all of your traffic is going through your VPN.  YAY!  Except that Netflix, Hulu, etc. are now giving you an obnoxious “You appear to be using a proxy/unblocker, turn it off or no media for you!” message.  This is where my having the Roku on its own LAN makes things easy.  If you don’t have your network segregated like that, you can assign a static IP to your Roku or other streaming device and do the following steps with that static IP.

Step 7 (optional, unblocking Netflix on your Streaming Devices):  Navigate to Firewall -> Rules.

If your streaming devices have their own network card in Opnsense (mine do):

  • Navigate to Firewall -> Rules -> Opt1 (or whatever that network card is called).
  • Click Add
  • Leave everything default except changing the Gateway to WAN_DHCP (or whatever it’s called).
  • Click Save.

If your streaming devices have static IPs on your regular LAN:

  • Navigate to Firewall -> Rules -> LAN.
  • Click Add
  • Leave everything default except changing the source to your device’s static IP and the Gateway to WAN_DHCP (or whatever it’s called).  (If you have more than one, create an Alias first in Firewall -> Aliases -> View, click Add.  Type host, add however many lines for however many streaming devices you have, click save, and use that Alias as the source.)
  • Click Save.

If you want to get super-fancy and still access Netflix from any computer while sending all other traffic through the VPN, you probably need to create an alias with this information and route all traffic to that destination through WAN_DHCP.  That’s, like, more than I really wanted to get into for this article, though.  You can also turn off the VPN, or create a rule that sends your laptop straight through WAN_DHCP and turn it off or on, but those both suck (IMHO).

Happy tunneling!

Filed under geekiness