[HOW-TO] Use OpenVPN to connect to vpntunnel.se (or similar)
After having some problems routing all my traffic over my VPN provider (vpntunnel.se), I thought it might be useful for others to learn from my mistakes, and just use this guide instead. It could very well spare the world for a couple of thousand cursewords. ;)
The reasons as to why I chose to use vpntunnel.se is simple. They are cheap (14€ for three months), there is no limit on bandwidth or speed, the encryption is solid, and without a doubt the most important reason, they allow filesharing and all ports are open.
Here is the guide. I have used the "How to create an OpenVPN client to a public OpenVPN provider" thread as a baseline, and edited where it was needed. Thanks a lot to MrHorizontal!
This How-To is designed for use with vpntunnel.se, but should also apply to any public VPN provider that uses a combination of certificate and username/password. If that is the case, change the fields to match your configuration file.
The ca certificate and the OpenVPN configuration file. Logon to the dashboard and download them from the Software tab.
Step 1: Import Certificates
- Navigate to System -> Cert Manager. You should be in the 'CAs' tab
- Click the '+' to add a new CA.
- Provide a descriptive name like 'ProviderName / ServerLocation / CA', leave 'Import an existing Certification Authority' selected.
- Paste the contents of the ca.crt from your provider in the 'Certificate data' box.
- Press Save.
Step 2: Configure your username/password
- Navigate to Diagnostics -> Edit file
- Write /conf/openvpn-auth.conf in the “Save/Load from path” field
- Add your username to the first line, and your password on the second, and press save. It should look like this:
Step 3: Configure the OpenVPN Client
- Navigate to VPN -> OpenVPN -> Clients tab
- Click the '+' button to add a new connection.
- Make sure that Server Mode is set to “Peer to Peer (SSL/TLS)”
- Set protocol to UDP
- Change the device mode to “tap”
- Leave the “Interface” as WAN
- (Optional) Under 'Local port', enter some arbitrary port you don't use like '50011'. This allows the management interface to keep tabs on the connection and for it to appear under Status -> OpenVPN
- In “Server host or address” enter the domain name supplied in the configuration file, for me it was “melissa.vpntunell.se”
- In “Server port” choose from one of the ports in your config file. The choices I had was 1194, 10010, 10020.
- Write a description
- Uncheck “TLS Authentication”
- Under 'Peer Certificate Authority' select the name you entered for the 'CA' certificate you entered for this provider.
- Under 'Client Certificate' leave the default certificate enabled. It doesn’t matter which is marked.
- Under 'Encryption algorithm', choose BF-CBC
- Leave 'Tunnel Network' empty
- Leave 'Remote Network' empty
- Leave 'Limit outgoing bandwidth' unchecked
- Check 'Compress tunnel packets using the LZO algorithm'
- Here comes the fun part. In the advanced field we need to enter several options, all separated by a ';':
keepalive 10 60
Just copy-paste this if you're lazy.
float;auth-user-pass /conf/openvpn-auth.conf;keepalive 10 60;verb 5
Now we need to check what happens and look at the logs.
- First navigate to Status -> System Logs -> OpenVPN tab
- Because we entered 'verb 5' in the advanced field, you'll see a lot more information than normal being logged. This can be removed afterwards, but is useful to find errors if you’re having problems.
- You need to look for is the line that says:
openvpn: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 18.104.22.168,dhcp-option DNS 22.214.171.124,redirect-gateway def1,route-gateway 126.96.36.199,ping 10,ping-restart 30,ifconfig 188.8.131.52 255.255.255.0'
- If that line says 'redirect-gateway def1', then your pfSense should be routing all traffic over the VPN connection.
You should now be connected to the VPN tunnel. To make computers on your LAN use the VPN tunnel to connect to the internet, we need to enable Outbound NAT, so that it appears that the traffic is originating from the OpenVPN client, and not a client computer connected to the LAN.
To do this, navigate to Firewall – NAT and select the “Outbound” tab. Change from “Automatic outbound NAT rule generation” to “Manual outbound NAT rule generation” and press “Save” followed by apply.
Two listings should appear in the table below. Press the plus sign next to the one that says “Auto created rule for LAN to WAN”. In the edit window, just change the interface from “WAN” to “OpenVPN” and press “Save”. Press “Apply” at the top, and you should be good to go.
Test if your config works by running tracert on a Windows computer or traceroute on a linux computer. If everything is jolly allright, you should see something similar to this:
$ traceroute www.google.com 1 v1-link.vpntunnel.se (184.108.40.206) 16.678 ms 16.517 ms 16.324 ms 2 220.127.116.11 (18.104.22.168) 16.550 ms 16.706 ms 16.545 ms 3 kn1-2.sth.portlane.net (22.214.171.124) 17.675 ms 17.403 ms 18.533 ms 4 sol-ix.net.google.com (126.96.36.199) 16.785 ms 16.832 ms 16.840 ms 5 188.8.131.52 (184.108.40.206) 17.389 ms 17.444 ms 220.127.116.11 (18.104.22.168) 16.927 ms 6 22.214.171.124 (126.96.36.199) 38.399 ms 38.408 ms 38.641 ms 7 188.8.131.52 (184.108.40.206) 34.031 ms 220.127.116.11 (18.104.22.168) 44.088 ms 43.844 ms 8 22.214.171.124 (126.96.36.199) 39.410 ms 39.059 ms 188.8.131.52 (184.108.40.206) 34.677 ms 9 220.127.116.11 (18.104.22.168) 44.509 ms * 48.447 ms 10 ey-in-f147.1e100.net (22.214.171.124) 35.181 ms 39.899 ms 39.699 ms
The main thing is that a vpntunnel.se address is the second part of the trace.
Part II: Port forwarding
Now that you've got your OpenVPN connection up and running, you might want to forward ports. To make port forwarding work, you need to make a few changes to the default NAT config.
On interface, choose OpenVPN.
To make portforwarding work over changes in your IP address, you need to create a dynamic DNS. I use DynDNS.com, but any provider supported by pfSense will work.
When you are configuring the dynamic DNS updater in pfSense (Services -> Dynamic DNS), make sure that you use the LAN interface (Note: If you have bridged two interfaces, you need to select the bridge). Otherwise you won't get your OpenVPN IP address. After you have configured it, wait a couple of minutes, and see if the IP address detected is the same as the one you get in the OpenVPN log. Look for the line that says:
openvpn: /sbin/ifconfig ovpnc1 126.96.36.199 netmask 255.255.255.0 mtu 1500 up
After you have done this, we need to create an Alias for the hostname, to enable pfSense to use it.
1. Go to Firewall -> Aliases
2. Press the plus sign to add a new alias
3. Type a name for your alias
4. Select Type: Network
5. Enter your dynamic DNS hostname
6. Save and apply.
On destination, choose Single host or alias, then write your alias.
Configure the rest of the settings as needed.
That should be it. Hope you get this up and running!
If you use this how-to for another VPN provider, please send me a PM, and I'll add it here.
Hope this helps!
Great stuff! I also want to check out vpntunnel.se and hope that I can max out my VDSL 50/10 line with it. The DynDNS part is not working for me. When I change the interface to LAN then the address doesn't get recognised (0.0.0.0). Any other things you changed in order for this to work?
Okay. Now it works! I have my WLAN and LAN interfaces bridged so I needed to choose the bridge as an interface! Thanks for the great tutorial m8!
Glad things worked out for you ;)
Hmm. But I am not really satisfied! :(
I have got a VDSL 50/10 connection which I max out at 6Mbyte/s without vpntunnel.se. With the VPN enabled I get around 500Kbyte/s, that is more than lame…
Also pinging german websites I have around 20ms reply time, with the VPN enabled it is around 180ms....
That's pretty lame yes.
I have a 10/10 connection, and I have no problems with maxing my bandwidth. I have sustained around 1 MB/s down, and similary up, depending on the server I connect to.
Where are you located? Their servers are located in Sweden, so if you are in Germany and try to ping german sites the traffic first have to travel to Sweden, and then back to Germany.
edit: Which computer are you running pfSense on? The OpenVPN en-/decryption requires a fair amount of CPU power.
Yes I know. I am located in north Germany. Well probably that service isn't supposed to be used by me. I will drop them a line…
I am a Linux noob, using Ubuntu 10.10 – I use openvpn with vpntunnel.se in windows -- I followed their instruction guide for linux and I get assigned an IP but when I use mozilla it doesn't connect to any web page, and when I disable openvpn it works again.
I also don't find the paths you speak about in your first post -- my openvpn is terminal based.
Hope you can assist me as vpntunnel.se have not replied to my support ticket in 7 days.
EDIT Oh crap, I just saw this forum is for a firewall application! No wonder I can't find the tabs and stuff you talk about sigh :-(
This is great! Browsing works fine.
Three additional questions are remaining for me:
1) within the firewall logs the vpntunnel seems trying to acess bogon networks:
Last 50 firewall log entries. Max(50) Act Time If Source Destination Proto block Jul 15 12:44:07 ovpnc1 188.8.131.52:60704 184.108.40.206:5355 UDP block Jul 15 12:44:07 ovpnc1 220.127.116.11:63766 18.104.22.168:3702 UDP block Jul 15 12:44:07 ovpnc1 22.214.171.124:6771 126.96.36.199:6771 UDP block Jul 15 12:44:07 ovpnc1 188.8.131.52:6771 184.108.40.206:6771 UDP block Jul 15 12:44:07 ovpnc1 220.127.116.11:52375 18.104.22.168:6771 UDP block Jul 15 12:44:07 ovpnc1 22.214.171.124:63766 126.96.36.199:3702 UDP block Jul 15 12:44:06 ovpnc1 188.8.131.52:51097 184.108.40.206:5355 UDP
Why does the ovpnc do so? Would it be a good idea to allow ovpnc1 to talk to bogons?
- Within Rules -> OpenVPN I allowed the following:
ID Proto Source Port Destination Port Gateway Queue Schedule Description UDP 220.127.116.11/20 * 18.104.22.168/20 * * none Schwedenserver
Otherwise there are lots of firewall logs blocking transfer between two different IP's both within the vpntunnel network.
- Is it possible to connect some special IP's, i.e. my SIP-Phone directly to the Internet, not using the VPN-tunnel to avoid latency? How could I do that?
Thank You in advance.