OpenVPN Config for Usenetserver VPN for one host only
- 
 I want to share my working config for using Usenetserver's VPN service via OpenVPN. I also set it up to send only one host in my network through the VPN, leaving the rest on my regular WAN. I spent a couple of days trying to figure this out, because Usenetserver does not provide a guide for pfSense. All the info I found online was outdated or was just missing certain information. I finally got it working well, so I thought I should share in case anyone else is looking to recreate this.

 1. Create the certificate
 SYSTEM -> Cert Manager -> CAs tab -> + Add
 Descriptive name: Whatever "USNVPN"
 Method: Import an existing Certificate Authority
 Certificate data: Paste in the box the contents of this file
 Certificate Private Key: leave blank
 Serial for next certificate: 1
 SAVE!

 2. Create the VPN client
 VPN -> OpenVPN -> Clients tab, +Add
 General
 Server mode: Peer to Peer (SSL/TLS)
 Protocol: UDP IPV4
 Device mode: TUN layer 3
 Interface: WAN
 Local port:
 Server host or address: Pick a nearby server's ip address from this list (you have to be logged into your account to view this page)
 Server port: 1194
 Proxy host or address
 Proxy port
 Proxy Authentication: none
 Description: whatever you want
 User Authentication Settings
 Username: username@usenetserver.com (this is what held me up forever… you have to add @usenetserver.com to your username)
 password: same password you use to access the website
 Cryptographic Settings
 TLS Configuration: Unchecked (do not use tls key)
 Peer Certificate Authority: Select the CA you named in step 1.
 Peer Certificate Revocation list: no
 Client Certificate: webconfigurator default (server, yes, in use)
 Encryption Algorithm: aes-256-CBC
 Enable NCP: no
 NCP Algorithms: defaults
 Auth digest algorithm: sha256
 Auth digest algorithm: no
 Tunnel Settings
 IPv4 Tunnel Network:
 IPv6 Tunnel Network:
 IPv4 Remote network(s):
 IPv6 Remote network(s):
 Limit outgoing bandwidth:
 Compression: Adaptive LZO Compression
 Topology: Subnet - one ip address per client
 Type of service: no
 Don't pull routes: YES
 Don't add/remove routes: no
 Advanced Configuration
 persist-key; persist-tun; persist-remote-ip; tls-client; remote-cert-tls server; comp-lzo; verb 3; auth SHA256; cipher AES-256-CBC; auth-retry nointeract;
 UDP Fast I/O: no
 Send/Receive Buffer: default
 Verbosity level: 3
 SAVE!

 3. Interface Assignment
 Interfaces -> Assignments -> click usenetVPN (or whatever you named it in step 2)
 SAVE!

 4. CHECK
 Status -> OpenVPN
 Should say status "up". If it doesn't, click the log button top right next to the question mark. Scroll to the bottom and try to decode what the error is. If all is well you will see lots of "VERIFY EKU OK" and other such positive messages. If you're not up at this step, stop, some setting is wrong.

 5. VPN Gateway
 System -> Routing -> Gateways -> +Add
 Interface: USENETVPN (or whatever you named it)
 family: IPV4
 Name: Some name USENETVPN_Gateway
 Gateway: dynamic
 Monitor IP: 8.8.4.4 (worked, but maybe this should be a usenetserver ip address... not entirely sure)
 Description: whatever description
 SAVE!

 6. Outbound NAT
 This part differs from some other guides because I only want one IP address going out the VPN.
 Firewall -> NAT -> Outbound
 Click manual outbound NAT rule generation, click save, click apply.
 ADD at top of list
 Interface: USENETVPN (or whatever the interface is named)
 Protocol: any
 Source: Network / Ip address of the machine you want to VPN / 32 (the /32 will limit it only to this client)
 Destination: ANY
 Leave the rest default
 SAVE!

 7. Firewall Rules
 Firewall -> Rules -> LAN interface
 Add new on top
 Action: Pass
 Interface: LAN
 Family: IPV4
 Protocol: TCP/UDP
 Source: Single host, enter in the ip of the machine you want to VPN
 Destination: any
 Enable advanced options
 Gateway: Select the gateway you set up in step 5
 SAVE!

 That should be it. Go to the target machine and you should have internet access and you should appear to be somewhere else. Go to Google and type in "what is my IP" and it will tell you. Go to a different client, and it should still be on your normal WAN IP. Hope this saves someone some searching!
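For the log check in step 4, here is an added example (not part of the original post) that reads an OpenVPN client log and reports the outcome of the most recent connection attempt. The state names, hints and the sample log are constructed for this example; the matched message texts are OpenVPN's own.

```python
import re

# OpenVPN's own message texts mapped to this example's state names and hints.
EVENTS = [
    (re.compile(r"Initialization Sequence Completed"), "up", "tunnel established"),
    (re.compile(r"AUTH_FAILED"), "auth_failed",
     "credentials rejected: check the username suffix and password"),
    (re.compile(r"VERIFY ERROR"), "cert_error",
     "server certificate did not validate against the imported CA"),
    (re.compile(r"TLS key negotiation failed|TLS handshake failed"), "tls_timeout",
     "no TLS reply: check server address, port and protocol"),
]
# Logged when the client opens its socket, i.e. at the start of every attempt.
NEW_ATTEMPT = re.compile(r"UDP(v4)? link remote:")

def diagnose(log_text):
    """Summarise the most recent connection attempt found in an OpenVPN client log."""
    result = {"state": "no_attempt", "hint": "no attempt seen", "cert_checked": False}
    for line in log_text.splitlines():
        if NEW_ATTEMPT.search(line):
            # The log accumulates across restarts; only the latest attempt matters.
            result = {"state": "connecting", "hint": "handshake started", "cert_checked": False}
        elif "VERIFY EKU OK" in line:
            # Proves the server certificate check passed, not that login succeeded.
            result["cert_checked"] = True
        else:
            for pattern, state, hint in EVENTS:
                if pattern.search(line):
                    result["state"], result["hint"] = state, hint
                    break
    return result

# Constructed sample log (addresses, PIDs and timestamps are made up for this example).
SAMPLE_LOG = """\
Jan 10 20:01:01 openvpn[4411]: UDP link remote: [AF_INET]203.0.113.10:1194
Jan 10 20:01:02 openvpn[4411]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
Jan 10 20:01:02 openvpn[4411]: VERIFY EKU OK
Jan 10 20:01:04 openvpn[4411]: AUTH: Received control message: AUTH_FAILED
Jan 10 20:05:30 openvpn[4502]: UDP link remote: [AF_INET]203.0.113.10:1194
Jan 10 20:05:31 openvpn[4502]: VERIFY EKU OK
Jan 10 20:05:33 openvpn[4502]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A result of `auth_failed` with `cert_checked` true means the imported CA is fine and only the login is being rejected.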
- 
 Found Ubuntu manual setup and found this line: "Remember that you will use append @usenetserver at the end of your username (ex. username@usenetserver)." So no ".com", and it worked. Thank you for the info.
