OpenVPN Config for Usenetserver VPN for one host only
vinistois last edited by
I want to share my working config for using Usenetserver's VPN service via OpenVPN. I also set it up to only send one host in my network through the VPN, leaving the rest going through my regular WAN.
I spent a couple of days trying to figure this out, because Usenetserver does not provide a guide for pfSense. All the info I found online was outdated or was just missing certain information. I finally got it working well, so I thought I should share in case anyone else is looking to recreate this.
1. Create the certificate
SYSTEM -> Cert Manager -> CAs tab -> + Add
Descriptive name: Whatever "USNVPN"
Method: Import an existing Certificate Authority
Certificate data: Paste in the box the contents of this file
Certificate Private Key: leave blank
Serial for next certificate: 1
2. Create the VPN client
VPN -> OpenVPN -> Clients tab -> + Add
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP IPV4
Device mode: TUN layer 3
Server host or address: Pick a nearby server's ip address from this list (you have to be logged into your account to view this page)
Server port: 1194
Proxy host or address
Proxy Authentication: none
Description: whatever you want
User Authentication Settings
Username: firstname.lastname@example.org (this is what held me up forever… you have to add @usenetserver.com to your username)
password: same password you use to access the website
TLS Configuration: Unchecked (do not use tls key)
Peer Certificate Authority: Select the CA you named in step 1.
Peer Certificate Revocation list: no
Client Certificate: webconfigurator default (server, yes, in use)
Encryption Algorithm: aes-256-CBC
Enable NCP: no
NCP Algorithms: defaults
Auth digest algorithm: sha256
Auth digest algorithm: no
IPv4 Tunnel Network:
IPv6 Tunnel Network:
IPv4 Remote network(s):
IPv6 Remote network(s):
Limit outgoing bandwidth:
Compression: Adaptive LZO Compression
Topology: Subnet - one ip address per client
Type of service: no
Don't pull routes: YES
Don't add/remove routes: no
persist-key; persist-tun; persist-remote-ip; tls-client; remote-cert-tls server; comp-lzo; verb 3; auth SHA256; cipher AES-256-CBC; auth-retry nointeract;
UDP Fast I/O: no
Send/Receive Buffer: default
Verbosity level: 3
3. Interface Assignment
Interfaces -> Assignments -> click usenetVPN (or whatever you named it in step 2)
Status -> OpenVPN
It should say status "up". If it doesn't, click the log button at the top right next to the question mark. Scroll to the bottom and try to decode what the error is. If all is well you will see lots of "VERIFY EKU OK" and other such positive messages.
If you're not up at this step, stop: some setting is wrong.
5. VPN Gateway
System -> Routing -> Gateways -> + Add
Interface: USENETVPN (or whatever you named it)
Name: Some name USENETVPN_Gateway
Monitor IP: 220.127.116.11 (worked, but maybe this should be a usenetserver ip address... not entirely sure)
Description: whatever description
6. Outbound NAT
This part differs from some other guides because I only want one IP address going out the VPN.
Firewall -> NAT -> Outbound
Click manual outbound NAT rule generation, click save, click apply.
Add at the top of the list:
Interface: USENETVPN (or whatever the interface is named)
Source: Network / IP address of the machine you want to VPN / 32 (the /32 will limit it to only this client)
Leave the rest default
7. Firewall Rules
Firewall -> Rules -> LAN interface
Add a new rule on top:
Source: Single host, enter the IP of the machine you want to VPN
Enable advanced options
Gateway: Select the gateway you set up in step 5
That should be it. Go to the target machine: you should have internet access and you should appear to be somewhere else. Go to Google and type in "what is my IP" and it will tell you. Go to a different client, and it should still be on your normal WAN IP.
Hope this saves someone some searching!
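Step 3 tells you to scroll to the bottom of the OpenVPN client log and decode the error. The following is an added helper, not part of the original post or of pfSense, that does that triage over a constructed log excerpt: it reports whether "VERIFY EKU OK" was seen and classifies the latest status line (tunnel up, credential rejection, certificate verification failure, TLS handshake failure, network failure) with a hint pointing back at the step to recheck. The log lines, hostnames and addresses are invented for the example.

```python
import re

# Constructed OpenVPN client log excerpt in the shape pfSense shows under
# Status -> OpenVPN -> log button (not a real capture; timestamps invented).
SAMPLE_LOG = """\
Jan  5 10:00:01 openvpn[1234]: UDP link remote: [AF_INET]203.0.113.10:1194
Jan  5 10:00:02 openvpn[1234]: VERIFY OK: depth=1, CN=Example Provider CA
Jan  5 10:00:02 openvpn[1234]: VERIFY KU OK
Jan  5 10:00:02 openvpn[1234]: VERIFY EKU OK
Jan  5 10:00:02 openvpn[1234]: VERIFY OK: depth=0, CN=vpn.example.net
Jan  5 10:00:03 openvpn[1234]: AUTH: Received control message: AUTH_FAILED
Jan  5 10:00:03 openvpn[1234]: SIGUSR1[soft,auth-failure] received, process restarting
"""

# (verdict, pattern, hint). The latest matching line in the log wins,
# which mirrors "scroll to the bottom" in step 3 of the guide.
VERDICTS = [
    ("up", re.compile(r"Initialization Sequence Completed"),
     "tunnel is up; continue with the gateway (step 5)"),
    ("auth", re.compile(r"AUTH_FAILED"),
     "server rejected the credentials: recheck username suffix and password (step 2)"),
    ("cert", re.compile(r"VERIFY (?:ERROR|X509NAME ERROR)"),
     "peer certificate failed verification: recheck imported CA (step 1) and Peer CA (step 2)"),
    ("tls", re.compile(r"TLS Error|TLS handshake failed"),
     "no TLS handshake: recheck server address, port and protocol (step 2)"),
    ("network", re.compile(r"Network is unreachable|No route to host|Cannot resolve host"),
     "no path to the server: check WAN connectivity and DNS before the VPN settings"),
]


def triage(log_text):
    """Classify the tail of an OpenVPN client log; returns a dict of findings."""
    verdict, hint, evidence = "unknown", "no recognised status line; read the log tail", None
    eku_ok = False  # the positive message the guide tells you to look for
    for line in log_text.splitlines():
        if "VERIFY EKU OK" in line:
            eku_ok = True
        for name, pattern, text in VERDICTS:
            if pattern.search(line):
                verdict, hint, evidence = name, text, line.strip()
    return {"verdict": verdict, "hint": hint, "evidence": evidence, "eku_ok": eku_ok}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], "-", result["hint"])
```

For the sample log above the verdict is "auth" even though EKU verification passed, which is exactly the symptom a wrong username suffix produces.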
Dudleydogg last edited by Dudleydogg
Found the Ubuntu manual setup and found this line:
Remember that you will use append @usenetserver at the end of your username (ex. username@usenetserver).
So no ".com", and it worked.
Thank you for the info.