tech_documents:vpn:opnsense_dedicated_openvpn_server

Dedicated VPN Server on OPNsense with different access for different groups.

  • Record the subnets that you'll need access to, e.g. 10.221.24.0/24, 10.221.25.0/24…
  • Record the subnets that will be used for the VPN clients using more than one if you are going to create different groups, e.g. 172.16.140.0/24, 172.16.141.0/24…
  • Record a static IP that will be assigned to the OPNsense VPN server.
  • Record the UDP port(s) you'll be using for OpenVPN client connections (one for each intended OpenVPN server/instance).
  • Setup a DNS entry on your public DNS servers to point external clients to your WAN IP, e.g. WPN01.company.domain.com → Public WAN IP
  • Install OPNsense on a computer/VM with 1 NIC, 1GB RAM, 2 CPUs, 10GB drive.
  • Login with installer | opnsense → Install (UFS).
  • Configure the NIC as the LAN interface; assign an IP on the LAN you need access to, or on a LAN that has access to/routes to the LANs you need access to; set the gateway to the main gateway of the IP subnet you're using on the LAN interface.
  • Login via Web UI (root/opnsense) → Go through Wizard → set hostname to something like WPN01 and domain to a domain the company controls → uncheck DNS override → set timezone → set the upstream gateway to your subnet's main gateway → check for updates until no more updates are found.
  • Add a cron job to keep the server updated: → System → Settings → Cron → Add “Automatic firmware update” according to a schedule that suits you.
Certificate Authority
CA: System -> Trust -> Authorities -> Add -> Name WPN01-CA or similar -> Create Internal -> Key length = 4096 -> Algorithm -> SHA256 -> Lifetime = 3650 -> set locality info -> leave common name default
OpenVPN Server Certificates
System -> Trust -> Certificates -> Add -> Create Internal -> Name: OpenVPN Server Certificate -> Type: Server Certificate -> Key length 4096 -> Algorithm SHA256 -> Lifetime 3650 -> common name = fqdn such as wpn01.domainname.com
Certificate Revocation List
System -> Trust -> Revocation -> + next to the CA name -> Name: WPN01-CA Certificate Revocation List -> Save
2FA/MFA/TOTP

Enable 2FA for OpenVPN Clients

System -> Access -> Servers -> Add server -> Descriptive Name: TOTP Server -> Type: Local + Timebased One Time Password -> Token length: 6 -> Check the box to reverse token order -> Save


OpenVPN Servers
  • VPN → OpenVPN → Servers → Add

Description: Use something like the names below if using several groups, or just pick one if using a single group.

CompanyName Employee Remote Access RDP
CompanyName Vendor Remote Access Single Server
CompanyName Employee Remote Access Full
CompanyName Vendor Remote Access Full
CompanyName IT Remote Access Full
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: TOTP Server

Local Port: pick an unused non-standard UDP port; this must be different for each OpenVPN server instance

TLS Authentication: Enabled - Authentication & encryption

Peer Certificate Revocation List: Select previously created certificate

Server Certificate: OpenVPN Server Certificate

Encryption algorithm: AES-256-GCM (Deprecated, only used by older clients)

Auth Digest Algorithm: SHA256

IPv4 Tunnel Network: these are the IPs assigned to your road warrior VPN clients; it should be different from any of the subnets at the office and different from most home network subnets, e.g. 10.99.100.0/24

IPv4 Local Network: this is the subnet your remote road warriors need to connect to, usually the main subnet of your office; you can put multiple subnets here if needed and proper routing is in place, e.g. 10.4.1.0/24

Compression: No Preference

DNS Default Domain: use this only if you have an AD domain or equivalent on the office network eg. abc.companydomain.com

DNS Servers: use this if you want VPN clients to resolve hostnames/computer names instead of using IPs only and you have AD DNS servers. Don't use it if you're only giving access to a single server/computer that has a static IP. The DNS Servers should be your AD DNS server IPs.

Force DNS cache update: Enable only if you're using DNS Servers

Verbosity level: 3

Save
  • Repeat for any other servers with different permissions for access if needed, remember to use different ports and subnets.
Create OpenVPN Clients
  • System → Access → Users → Add
Username: vpn.employee.name or vpn.vendor.name
Password: use something simple since they'll need to type it in with the TOTP key
Fullname: same as Username
Comment: VPN Account. VPN Server Used. Notes if Needed. Created by NAME on DATE.
OTP seed: check the box at "Generate new secret"
  • Save then create User Certificates by clicking on +
Method: Create an internal Certificate
Key length: 4096
Digest Algorithm: SHA256
Lifetime: 825 (this is when the user certificate expires in days)
Save then Save again.

Note: when using a password on the OVPN connection, when in Linux, enter the username in the connection profile and save, and for password set “password is not required”, then it will prompt you for the password each time.

Add Rule to Allow OpenVPN Client Connections
  • Firewall → Rules → LAN → Add
Action: Pass
Interface: LAN
Direction: In
TCP/IP Version: IPv4
Protocol: UDP
Destination port: port of OpenVPN server or port range of OpenVPN servers eg. 5175
Description: OpenVPN Server(s)
Save -> Apply Changes
Add rules to block OpenVPN client access to remote subnets
  • Firewall → Rules → OpenVPN → Add
Action: Block
Description: Block OpenVPN clients by default
Save -> Apply Changes
Add other rules to allow OpenVPN clients to access specific networks/IPs.
  • Firewall → Rules → OpenVPN → Add
Action: Pass
Source: Single host or Network: Subnet assigned to OpenVPN clients of a particular group

Destination: Single host or Network: Subnet of Office LAN that remote clients need access to

Description: Name of Open VPN Server Instance eg. CompanyName Employee Remote Access Full

Save -> Apply Changes

Make sure the overall “Block” rule is always at the bottom of the firewall list, or verify explicit allow rules are processed first.
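Added example (not from the page or OPNsense's own code): a first-match model of the OpenVPN interface rule set built above, used to check that each group's tunnel subnet only reaches the office hosts its allow rule names and that the catch-all block really sits last. The subnets, descriptions and the `Rule` tuple layout are constructed for the example; OPNsense evaluates rules top-down with first match winning, which is what the model reproduces.

```python
# Added example: first-match model of the OpenVPN-interface rules described above.
# Not OPNsense code; subnets and rule descriptions are constructed sample data.
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# (action, source network, destination network, description)
Rule = Tuple[str, str, str, str]

def first_match(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, description) of the first rule matching the flow src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, desc in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action, desc
    # Nothing matched: OPNsense's implicit default deny applies.
    return "block", "implicit default deny"

def block_rule_is_last(rules: List[Rule]) -> bool:
    """The 'Block OpenVPN clients by default' rule must be the final entry and the only
    catch-all block; anything placed below it can never match."""
    catch_all = [i for i, r in enumerate(rules)
                 if r[0] == "block" and r[1] == "0.0.0.0/0" and r[2] == "0.0.0.0/0"]
    return catch_all == [len(rules) - 1]

# Constructed rule set: one tunnel subnet per OpenVPN instance, one allow rule per group.
OPENVPN_RULES: List[Rule] = [
    ("pass",  "10.11.6.0/24",  "10.4.1.50/32", "CompanyName Employee Remote Access RDP"),
    ("pass",  "10.11.8.0/24",  "10.4.1.0/24",  "CompanyName Employee Remote Access Full"),
    ("pass",  "10.11.10.0/24", "10.4.0.0/16",  "CompanyName IT Remote Access Full"),
    ("block", "0.0.0.0/0",     "0.0.0.0/0",    "Block OpenVPN clients by default"),
]

# Same rules with the block moved to the top: every client is denied.
MISORDERED_RULES: List[Rule] = [OPENVPN_RULES[-1]] + OPENVPN_RULES[:-1]

if __name__ == "__main__":
    for src, dst in [("10.11.6.20", "10.4.1.50"), ("10.11.6.20", "10.4.1.60"),
                     ("10.11.8.5", "10.4.1.60"), ("10.11.10.7", "10.4.9.1")]:
        print(src, "->", dst, first_match(OPENVPN_RULES, src, dst))
    print("block rule last:", block_rule_is_last(OPENVPN_RULES))
    print("misordered, RDP host:", first_match(MISORDERED_RULES, "10.11.6.20", "10.4.1.50"))
```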

Disable NAT

Since this is a standalone VPN server for internal resources there is no need to use NAT; turning it off will also allow you to filter IP traffic based on the IP of the VPN client in your other non-OPNsense firewalls.

Firewall -> NAT -> Outbound -> Disable outbound NAT rule generation
(outbound NAT is disabled)
  • On your edge router/firewall forward the OpenVPN server port(s) to the LAN IP assigned to the OPNsense server, allow access via firewall rules.
  • On your router for the network that is going to be accessed by your OpenVPN clients, add static route(s) for your OpenVPN client subnets. For example, if you have an OpenVPN client subnet of 192.168.40.0/24 and your OPNsense server is 192.168.1.10, then a static route would need to be entered on the main router/gateway for subnet 192.168.40.0/24 with the gateway or next hop being 192.168.1.10.
  • VPN → Client Export
Remote Access Server: Choose the server with the permissions you want for this particular client
Export Type: File Only
Host Name: the public FQDN that points to your public WAN IP, or just your public WAN IP
Click on the download icon next to the user you want.

Import your OVPN config file into Tunnelblick on macOS or the OpenVPN client on Windows, or if using Linux the network manager; but in Linux as of 03-27-2020 the “key direction” stays at 0 and should be set to 1 for the connection to work.

NOTE!!!! When prompted for the password on connecting to the VPN, put in the username then the password and TOTP code together on the password line. So username and passwordTOTPCODE.
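Added example (not from the page or OPNsense's own code) showing the server-side view of the "Local + Timebased One Time Password" backend configured in the 2FA section and of the passwordTOTPCODE entry described in the note above: the client sends one string in the password field; the server splits off a 6-digit token at the end (reverse token order, as checked in the TOTP server settings) or at the start (default order), verifies the token against the user's base32 OTP seed (RFC 6238, HMAC-SHA1, 30 s steps) and then checks the remaining text as the local password. The one-step grace window and the plain-text password compare are simplifications assumed for the example; the seed is the RFC 6238 reference seed, not a real user's.

```python
# Added example: how a password+TOTP credential is split and verified.
# Not OPNsense code; the grace window and password compare are assumptions.
import base64, hashlib, hmac, struct, time
from typing import Optional, Tuple

TOKEN_LENGTH = 6   # matches "Token length: 6" in the TOTP server settings
STEP_SECONDS = 30  # TOTP time step

def totp(seed_b32: str, at: int, digits: int = TOKEN_LENGTH) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing Unix time `at`."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def split_credential(entered: str, reverse_token_order: bool) -> Tuple[str, str]:
    """Return (password, token) from the single password-field string."""
    if len(entered) <= TOKEN_LENGTH:
        raise ValueError("credential too short to hold a password and a token")
    if reverse_token_order:                      # passwordTOTPCODE, as this page uses
        return entered[:-TOKEN_LENGTH], entered[-TOKEN_LENGTH:]
    return entered[TOKEN_LENGTH:], entered[:TOKEN_LENGTH]   # TOTPCODEpassword

def verify(entered: str, password: str, seed_b32: str,
           reverse_token_order: bool = True, now: Optional[int] = None,
           window: int = 1) -> bool:
    """Accept if the token matches the current step (+/- `window` steps, an assumed
    grace period) and the remaining text equals the stored password."""
    now = int(time.time()) if now is None else now
    try:
        pw, token = split_credential(entered, reverse_token_order)
    except ValueError:
        return False
    if not token.isdigit():
        return False
    token_ok = any(hmac.compare_digest(token, totp(seed_b32, now + STEP_SECONDS * d))
                   for d in range(-window, window + 1))
    return token_ok and hmac.compare_digest(pw, password)

# Constructed sample: RFC 6238 reference seed, base32 encoded as OPNsense stores seeds.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SEED, 59)   # RFC 6238 vector 94287082 -> 6 digits: 287082
    print("token at T=59:", code)
    print("passwordTOTP accepted:", verify("Secret1" + code, "Secret1", SAMPLE_SEED, now=59))
    print("TOTPpassword rejected:", verify(code + "Secret1", "Secret1", SAMPLE_SEED, now=59))
```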

Record the info in a format such as:

WPN01.domainname.com
Role: VPN server for road warriors
OS: OPNsense x64
Location: Virtual Guest

IP: ###.###.###.15
User/Pass: root | #############

Ports: ###6-###0 UDP
###6: CompanyName Employee Remote Access RDP 10.11.6.0/24
###7: CompanyName Vendor Remote Access ERA Server 10.11.7.0/24
###8: CompanyName Employee Remote Access Full 10.11.8.0/24
###9: CompanyName Vendor Remote Full Access 10.11.9.0/24
###0: CompanyName IT Access Full 10.11.10.0/24

Extra Note: For Linux users that use Network Manager, if you store the password in the Network Manager profile and leave it encrypted, it will prompt for the root password before prompting for the VPN password. To fix this, you'll need to choose unencrypted, but the profile where the VPN password is stored is still restricted to the root user, so if you did have other users on the same computer, as long as they don't have sudo or su or root, you'll be okay…

  • tech_documents/vpn/opnsense_dedicated_openvpn_server.txt
  • Last modified: 2023/08/30 05:27
  • by jacob.hydeman