OpenVPN Config for Usenetserver VPN for one host only



  • I want to share my working config for using Usenetserver's VPN service via OpenVPN.  Also I set it up to only send one host in my network through the VPN, leaving the rest through my regular WAN.

    I spent a couple days trying to figure this out, because Usenetserver does not provide a guide for PFsense. All the info I found online was outdated or was just missing certain information.  Finally got it working well so I thought I should share in case anyone else is looking to recreate this.

    1. Create the certificate

    SYSTEM -> Cert Manager -> CAs tab -> + Add

    Descriptive name: whatever you like, e.g. "USNVPN"
    Method: Import an existing Certificate Authority

    Certificate data: paste the contents of this file into the box
    Certificate Private Key: leave blank
    Serial for next certificate: 1

    SAVE!

    2. Create the VPN client

    VPN -> OpenVPN -> Clients tab -> + Add

    General

    Server mode: Peer to Peer (SSL/TLS)
    Protocol: UDP on IPv4
    Device mode: TUN (layer 3)
    Interface: WAN
    Local port:
    Server host or address: pick a nearby server's IP address from this list (you have to be logged into your account to view this page)
    Server port: 1194
    Proxy host or address
    Proxy port
    Proxy Authentication: none
    Description: whatever you want

    User Authentication Settings

    Username: username@usenetserver.com  (this is what held me up forever… you have to add @usenetserver.com to your username)
    Password: same password you use to access the website

    Cryptographic Settings

    TLS Configuration: Unchecked (do not use tls key)
    Peer Certificate Authority: Select the CA you named in step 1.
    Peer Certificate Revocation list: no
    Client Certificate: webconfigurator default (server, yes, in use)
    Encryption Algorithm: AES-256-CBC
    Enable NCP: no
    NCP Algorithms: defaults
    Auth digest algorithm: sha256
    Auth digest algorithm: no

    Tunnel Settings

    IPv4 Tunnel Network:
    IPv6 Tunnel Network:
    IPv4 Remote network(s):
    IPv6 Remote network(s):
    Limit outgoing bandwidth:
    Compression: Adaptive LZO Compression
    Topology: Subnet - one ip address per client
    Type of service: no
    Don't pull routes: YES
    Don't add/remove routes: no

    Advanced Configuration

    persist-key;
    persist-tun;
    persist-remote-ip;
    tls-client;
    remote-cert-tls server;
    comp-lzo;
    verb 3;
    auth SHA256;
    cipher AES-256-CBC;
    auth-retry nointeract;

    UDP Fast I/O: no
    Send/Receive Buffer: default
    Verbosity level: 3

    SAVE!

    3. Interface Assignment

    Interfaces -> Assignments -> click usenetVPN (or whatever you named it in step 2)

    SAVE!

    4. CHECK

    Status -> OpenVPN

    Should say status "up".  If it doesn't, click the log button at the top right, next to the question mark.  Scroll to the bottom and try to decode what the error is.  If all is well you will see lots of "VERIFY EKU OK" and other such positive messages.

    If you're not up at this step, stop, some setting is wrong.

    5. VPN Gateway

    System -> Routing -> Gateways -> + Add

    Interface: USENETVPN (or whatever you named it)
    Family: IPv4
    Name: some name, e.g. USENETVPN_Gateway
    Gateway: dynamic
    Monitor IP: 8.8.4.4 (worked, but maybe this should be a Usenetserver IP address... not entirely sure)
    Description: whatever description

    SAVE!

    6. Outbound NAT

    This part differs from some other guides because I only want one IP address going out the VPN.

    Firewall -> NAT -> Outbound

    Select manual outbound NAT rule generation, click Save, then click Apply.

    ADD at top of list

    Interface: USENETVPN (or whatever the interface is named)
    Protocol: any
    Source: Network / IP address of the machine you want to send through the VPN / 32 (the /32 limits the rule to that one client)
    Destination: ANY
    Leave the rest default

    SAVE!

    7. Firewall Rules

    Firewall -> Rules -> LAN interface

    Add new on top

    Action: Pass
    Interface: LAN
    Family: IPv4
    Protocol: TCP/UDP
    Source: Single host, enter the IP of the machine you want to send through the VPN
    Destination: any

    enable advanced options

    Gateway: select the gateway you set up in step 5

    SAVE!

    That should be it.  Go to the target machine and you should have internet access and you should appear to be somewhere else.  Go to Google and search for "what is my IP" and it will tell you.  Go to a different client, and it should still be on your normal WAN IP.

    Hope this saves someone some searching!
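For the check in step 4, this added Python example (not part of the original post, and not a pfSense or OpenVPN tool) scans a client log for the "VERIFY ... OK" messages and the common failure lines, and maps each failure back to the step above where the setting lives. The log lines are constructed samples in pfSense syslog format; the hint text is this example's own mapping.

```python
import re

# Constructed sample log (not a real capture); the prefix mimics what pfSense
# shows under Status -> System Logs -> OpenVPN.
SAMPLE_LOG = """\
Mar  3 10:01:02 pfSense openvpn[51234]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Mar  3 10:01:02 pfSense openvpn[51234]: VERIFY OK: depth=1, CN=Example Root CA
Mar  3 10:01:02 pfSense openvpn[51234]: VERIFY KU OK
Mar  3 10:01:02 pfSense openvpn[51234]: Validating certificate extended key usage
Mar  3 10:01:02 pfSense openvpn[51234]: VERIFY EKU OK
Mar  3 10:01:02 pfSense openvpn[51234]: VERIFY OK: depth=0, CN=vpn-server
Mar  3 10:01:03 pfSense openvpn[51234]: AUTH: Received control message: AUTH_FAILED
Mar  3 10:01:03 pfSense openvpn[51234]: SIGUSR1[soft,auth-failure] received, process restarting
"""

# Failure patterns and the step of the guide to re-check (this example's own mapping).
HINTS = [
    (r"AUTH_FAILED", "authentication rejected: check username (with @usenetserver.com) and password in step 2"),
    (r"VERIFY ERROR", "peer certificate did not validate: check the CA imported in step 1"),
    (r"TLS Error: TLS key negotiation failed", "no TLS handshake: check server address/port, protocol and WAN"),
    (r"TLS Error: TLS handshake failed", "TLS handshake failed: CA or remote-cert-tls mismatch"),
    (r"Options error", "a directive in Advanced Configuration was not accepted: review the custom options"),
]


def analyze(log_text):
    """Return {'up': bool, 'verify_ok': int, 'problems': [(line_no, hint), ...]}."""
    verify_ok = 0
    problems = []
    completed_at = None
    for n, line in enumerate(log_text.splitlines(), 1):
        msg = line.split("]: ", 1)[-1]  # drop the syslog/pid prefix if present
        if re.match(r"VERIFY( \w+)? OK", msg):  # VERIFY OK / KU OK / EKU OK / X509NAME OK
            verify_ok += 1
        if "Initialization Sequence Completed" in msg:
            completed_at = n
        for pattern, hint in HINTS:
            if re.search(pattern, msg):
                problems.append((n, hint))
                break
    # The tunnel counts as up only if the completion line follows the last problem.
    last_problem = problems[-1][0] if problems else 0
    return {"up": completed_at is not None and completed_at > last_problem,
            "verify_ok": verify_ok, "problems": problems}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("tunnel up:", result["up"], "| VERIFY OK lines:", result["verify_ok"])
    for line_no, hint in result["problems"]:
        print(f"line {line_no}: {hint}")
```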