OpenVPN Config for Usenetserver VPN for one host only
-
I want to share my working config for using Usenetserver's VPN service via OpenVPN. Also I set it up to only send one host in my network through the VPN, leaving the rest through my regular WAN.
I spent a couple days trying to figure this out, because Usenetserver does not provide a guide for PFsense. All the info I found online was outdated or was just missing certain information. Finally got it working well so I thought I should share in case anyone else is looking to recreate this.
1. Create the certificate
SYSTEM -> Cert Manager -> CAs tab -> + Add
Descriptive name: Whatever "USNVPN"
Method: Import an existing Certificate Authority
Certificate data: Paste in the box the contents of this file
Certificate Private Key: leave blank
Serial for next certificate: 1
SAVE!
2. Create the VPN client
VPN -> OpenVPN -> Clients tab, +Add
General
Server mode: Peer to Peer (ssl/tls)
Protocol: UDP IPV4
Device mode: TUN layer 3
Interface: WAN
Local port:
Server host or address: Pick a nearby server's ip address from this list (you have to be logged into your account to view this page)
Server port: 1194
Proxy host or address
Proxy port
Proxy Authentication: none
Description: whatever you want
User Authentication Settings
Username: username@usenetserver.com (this is what held me up forever… you have to add @usenetserver.com to your username)
Password: same password you use to access the website
Cryptographic Settings
TLS Configuration: Unchecked (do not use tls key)
Peer Certificate Authority: Select the CA you named in step 1.
Peer Certificate Revocation list: no
Client Certificate: webconfigurator default (server, yes, in use)
Encryption Algorithm: aes-256-CBC
Enable NCP: no
NCP Algorithms: defaults
Auth digest algorithm: sha256
Auth digest algorithm: no
Tunnel Settings
IPv4 Tunnel Network:
IPv6 Tunnel Network:
IPv4 Remote network(s):
IPv6 Remote network(s):
Limit outgoing bandwidth:
Compression: Adaptive LZO Compression
Topology: Subnet - one ip address per client
Type of service: no
Don't pull routes: YES
Don't add/remove routes: no
Advanced Configuration
persist-key; persist-tun; persist-remote-ip; tls-client; remote-cert-tls server; comp-lzo; verb 3; auth SHA256; cipher AES-256-CBC; auth-retry nointeract;
UDP Fast I/O: no
Send/Receive Buffer: default
Verbosity level: 3
SAVE!
3. Interface Assignment
Interfaces –> Assignments --> click usenetVPN (or whatever you named it in step 2)
SAVE!
4. CHECK
Status –> OpenVPN
Should say status "up". If it doesn't, click the log button top right next to the question mark. Scroll to the bottom and try to decode what the error is. If all is well you will see lots of "VERIFY EKU OK" and other such positive messages
If you're not up at this step, stop, some setting is wrong.
5. VPN Gateway
System –> Routing --> Gateways --> +Add
Interface: USENETVPN (or whatever you named it)
family: IPV4
Name: Some name USENETVPN_Gateway
Gateway: dynamic
Monitor IP: 8.8.4.4 (worked, but maybe this should be a usenetserver ip address... not entirely sure)
Description: whatever description
SAVE!
6. Outbound NAT
This part differs from some other guides because I only want one IP address going out the VPN.
Firewall–> Nat --> Outbound
Click manual outbound nat rule generation, click save, click apply.
ADD at top of list
Interface: USENETVPN (or whatever the interface is named)
Protocol: any
Source: Network / Ip address of the machine you want to VPN / 32 (the /32 will limit it only to this client)
Destination: ANY
Leave the rest default
SAVE!
7. Firewall Rules
Firewall –> Rules --> LAN interface
Add new on top
Action: Pass
Interface: LAN
Family: IPV4
Protocol: TCP/UDP
Source: Single host, enter in the ip of the machine you want to VPN
Destination: any
Enable advanced options
Gateway: Select the Gateway you setup in step 5
SAVE!
That should be it. Go to the target machine and you should have internet access and you should appear to be somewhere else. Go to google and type in what is my IP and it will tell you. Go to a different client, and it should still be on your normal WAN IP.
Hope this saves someone some searching!
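Step 4 says to scroll to the bottom of the OpenVPN log and decode the error. The following is an added example, not part of the original post or of pfSense: a small Python triage helper that maps standard OpenVPN 2.x client log messages to what they mean for this setup (CA from step 1, `remote-cert-tls server` from the advanced options, the username format that the thread discusses). The sample log lines are constructed; the hostnames, PID and addresses in them are placeholders.

```python
import re

# Recognised OpenVPN client log messages -> (severity, what it means here).
# The message strings are standard OpenVPN 2.x output; the explanations tie
# them back to the steps in the post.
PATTERNS = [
    (r"VERIFY EKU OK", "ok",
     "server cert carries the TLS Server EKU; remote-cert-tls server passed"),
    (r"VERIFY OK: depth=0", "ok",
     "server cert chains to the CA imported in step 1"),
    (r"Initialization Sequence Completed", "ok",
     "tunnel is up; Status -> OpenVPN should show 'up'"),
    (r"AUTH_FAILED", "error",
     "username/password rejected; check the @usenetserver suffix and password"),
    (r"VERIFY ERROR", "error",
     "server cert did not validate against the CA from step 1"),
    (r"TLS Error: TLS (key negotiation|handshake) failed", "error",
     "no TLS handshake; check server host/port, UDP reachability, CA"),
    (r"Cannot resolve host address", "error",
     "DNS lookup of the server host failed"),
]


def triage(log_text):
    """Return (line, severity, explanation) for every recognised log line."""
    findings = []
    for line in log_text.splitlines():
        for pattern, severity, why in PATTERNS:
            if re.search(pattern, line):
                findings.append((line.strip(), severity, why))
                break  # first matching pattern wins for a given line
    return findings


def verdict(log_text):
    """Summarise a client log as ('up'|'down'|'unknown', [error reasons])."""
    findings = triage(log_text)
    errors = [why for _, sev, why in findings if sev == "error"]
    completed = any("Initialization Sequence Completed" in l
                    for l, _, _ in findings)
    if errors:
        return "down", errors
    return ("up" if completed else "unknown"), []


# Constructed sample logs (placeholder CN, PID and server address).
SAMPLE_UP = """\
openvpn[1234]: VERIFY OK: depth=1, CN=placeholder-ca
openvpn[1234]: VERIFY KU OK
openvpn[1234]: VERIFY EKU OK
openvpn[1234]: VERIFY OK: depth=0, CN=placeholder-server
openvpn[1234]: Initialization Sequence Completed
"""
SAMPLE_AUTH_FAIL = """\
openvpn[1234]: VERIFY EKU OK
openvpn[1234]: AUTH: Received control message: AUTH_FAILED
openvpn[1234]: SIGUSR1[soft,auth-failure] received, process restarting
"""
```

Paste the tail of the log from Status -> OpenVPN (the log button) into `verdict()`; an `up` verdict with no errors corresponds to the "VERIFY EKU OK" messages the post describes.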
-
Found the Ubuntu manual setup and found this line:
Remember that you will use append @usenetserver at the end of your username (ex. username@usenetserver).
So no ".com", and it worked.
Thank you for the info.