Selective devices and/or netfl!x/spot!fy/whatever via VPN - How to



  • These have been tested and are working for me more than once on pfSense 2.2, for my personal use. Mine is a single WAN & single LAN. Everything should be left at the default setting unless otherwise stated below. The second post details how to route selected sites via VPN.

    1. Add remote server's certificate(s)
    System: Cert Manager: CAs [+ New]
    Descriptive name: "Mycert"
    Certificate data: Copy & paste contents of ca.crt
    Certificate Private Key (optional): Copy & paste contents of user.key
    [Save]

    2. Create ovpn client **
    VPN: OpenVPN: Client [+ New]
    Protocol: UDP
    Device mode: tun
    Interface: WAN (Default)
    Server host or address: xxxxx
    Server port: xxxx
    Infinitely resolve server [Check]
    Description: "my_vpn"
    User name/pass: xxxxx xxxxx
    TLS Authentication: Enable authentication of TLS packets [Uncheck]
    Peer Certificate Authority: "Mycert" *(From Step 1)
    Encryption algorithm: BF-CBC (128-bit) ***
    Compression: Enabled with Adaptive Compression
    Disable IPv6 [Check]
    Don't add/remove routes [Check]
    Advanced: `tun-mtu 1500;tun-mtu-extra 32;`

    [Save]
    
    3. Check to see if ovpn connected successfully ***
    Status: System logs: OpenVPN
    
    > May 17 03:11:56 openvpn[17265]: **Initialization Sequence Completed**
    > May 17 03:11:56 openvpn[17265]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1576 10.8.0.6 10.8.0.5 init
    > May 17 03:11:56 openvpn[17265]: /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
    > May 17 03:11:56 openvpn[17265]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    > May 17 03:11:56 openvpn[17265]: TUN/TAP device /dev/tun1 opened
    > May 17 03:11:56 openvpn[17265]: TUN/TAP device ovpnc1 exists previously, keep at program end
    > May 17 03:11:53 openvpn[17265]: [xxx.xxx.xxx.xxx] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
    > May 17 03:11:45 openvpn[17265]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    > May 17 03:11:45 openvpn[17265]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
    > May 17 03:11:45 openvpn[17265]: TCPv4_CLIENT link local (bound): [AF_INET]yyy.yyy.yyy.yyy
    > May 17 03:11:45 openvpn[17265]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
    > May 17 03:11:44 openvpn[17265]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
    > May 17 03:11:44 openvpn[17265]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    > May 17 03:11:44 openvpn[17265]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    > May 17 03:11:44 openvpn[17092]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    > May 17 03:11:44 openvpn[17092]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    > May 17 03:11:44 openvpn[17092]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015
    
    4. Create VPN network interface & assign ovpn to it
    Interfaces: Assign [+ New]
    For **OPT3**, select **Network port** as _ovpnc1 (my_vpn)_ *(From Step 2)
    [Save]
    Interfaces: OPT3
    Enable [Check]
    Description: _VPN1_
    [Save]
    
    5. Configure FW NAT
    Firewall: NAT: Outbound
    Select _"Hybrid Outbound NAT"_
    [Save]
    Firewall: NAT: Outbound [+ New]
    Interface: _VPN1_ *(from step 4)
    Source type: _Network_
    Source Address: _192.168.1.0/24_
    [Save]
    
    6. Make selected devices on the LAN access the internet via VPN
    Firewall: Aliases: IP [+ New]
    Name: _LAN_IP_via_vpn_
    Type: _Hosts_
    IP: _192.168.1.201-192.168.1.249_
    [Save]
    
    Firewall: Rules: LAN [+ New]
    Source Type: "Single host or alias"
    Source Address: _LAN_IP_via_vpn_
    Destination: Not [Check]
    Destination Type: _"LAN net"_
    Gateway: _"VPN1 - 10.8.0.5"_ *(from step 4)
    [Save]
    
    ** Details from your config file _something.ovpn_. Different for various VPN providers.
    *** Connect to your VPN once using the OpenVPN client for your OS & check the log to:
    1. See if the connection is established successfully & the remote server is working
    2. If connected, note down from the log the encryption algorithm to use in STEP 2, because many times it's not found in the ovpn config files provided.
    
    > Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Cipher '**BF-CBC**' initialized with 128 bit key
    > Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Cipher '**BF-CBC**' initialized with 128 bit key
    > Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
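The log check in step 3 and the cipher lookup in footnote *** can be done by a script rather than by eye. The following is an added example, not code from the original post or from pfSense. It walks an OpenVPN client log, records whether the tunnel reached "Initialization Sequence Completed", pulls the negotiated data-channel cipher and HMAC (the value to enter as "Encryption algorithm" in step 2), and flags the two warnings that matter for security in the log shown above: "No server certificate verification method has been enabled" (the client accepts any certificate signed by the CA, so a client certificate from the same provider could impersonate the server; OpenVPN's fix is `remote-cert-tls server`, which on pfSense 2.2 goes in the Advanced box) and password caching (`auth-nocache`). It also flags 64-bit block ciphers such as BF-CBC, which OpenVPN has deprecated. The two sample logs are constructed from the lines quoted above, abridged; the regular expressions match the standard OpenVPN 2.3 message formats.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the pfSense client log from step 3, abridged (newest line first,
# as pfSense displays it).
CLIENT_LOG = """\
May 17 03:11:56 openvpn[17265]: Initialization Sequence Completed
May 17 03:11:53 openvpn[17265]: [xxx.xxx.xxx.xxx] Peer Connection Initiated with [AF_INET]203.0.113.10:443
May 17 03:11:45 openvpn[17265]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 17 03:11:44 openvpn[17265]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 17 03:11:44 openvpn[17265]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 17 03:11:44 openvpn[17092]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015
"""

# Constructed sample: the desktop-client log from footnote ***, abridged.
DESKTOP_LOG = """\
Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
"""

# 64-bit block ciphers: exposed to birthday-bound (SWEET32-style) attacks on a
# long-lived tunnel, and deprecated by OpenVPN in favour of AES-GCM.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}

CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC authentication")
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\](\S+)")


@dataclass
class Report:
    connected: bool = False
    peer: Optional[str] = None
    cipher: Optional[str] = None
    cipher_bits: Optional[int] = None
    hmac: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    def add(self, finding: str) -> None:
        if finding not in self.findings:
            self.findings.append(finding)


def check_openvpn_log(text: str) -> Report:
    """Summarise an OpenVPN client log: connection state, negotiated crypto, warnings."""
    r = Report()
    for line in text.splitlines():
        if "Initialization Sequence Completed" in line:
            r.connected = True
        m = PEER_RE.search(line)
        if m:
            r.peer = m.group(1)
        m = CIPHER_RE.search(line)
        if m:
            r.cipher, r.cipher_bits = m.group(1), int(m.group(2))
        m = HMAC_RE.search(line)
        if m:
            r.hmac = m.group(2)
        if "No server certificate verification method has been enabled" in line:
            r.add("no-server-cert-verification")  # add remote-cert-tls server
        if "may cache passwords in memory" in line:
            r.add("password-cache")  # add auth-nocache
    if r.cipher in WEAK_CIPHERS:
        r.add("weak-cipher")
    return r


def pfsense_cipher_label(r: Report) -> Optional[str]:
    """Format the cipher as pfSense's 'Encryption algorithm' dropdown shows it, e.g. 'BF-CBC (128-bit)'."""
    if r.cipher is None or r.cipher_bits is None:
        return None
    return f"{r.cipher} ({r.cipher_bits}-bit)"


if __name__ == "__main__":
    for name, log in (("pfSense client", CLIENT_LOG), ("desktop client", DESKTOP_LOG)):
        rep = check_openvpn_log(log)
        print(f"{name}: connected={rep.connected} peer={rep.peer} "
              f"cipher={pfsense_cipher_label(rep)} hmac={rep.hmac} findings={rep.findings}")
```

Run it against the pfSense log (Status: System logs: OpenVPN, copied to a file) after every config change. If `connected` is false, the VPN1 gateway is down; pfSense's default behaviour is then to load the step 6 rule without its gateway, so the hosts in the alias egress via WAN unless "Skip rules when gateway is down" is set under System: Advanced: Miscellaneous.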


  • Part two: Configure netfl!x/spot!fy/whatever via VPN (when traveling abroad)

    1. Install & configure the pfBlockerNG pkg
    Install pfBlockerNG

    Firewall: pfBlockerNG: General Settings
    Enable pfBlockerNG [Check]
    Keep Settings [Check]
    Enable De-Duplication [Check]
    Enable Suppression [Check]
    Disable MaxMind Country Database CRON Updates [Check]
    Inbound Firewall Rules - Interface: "WAN", "VPN1"
    Outbound Firewall Rules - Interface: "LAN"
    Floating Rules [Check]
    [Save]

    Firewall: pfBlockerNG: IPv4 [+ New]
    Alias Name: "sites_via_vpn"
    IPv4 Lists: Format "html", State "ON", URL "http://bgp.he.net/search?search[search]=netfl!x&commit=Search", Header "Netfl!x"
    +Add another list for spot!fy
    List Action: "Alias native"
    Update Frequency: "Weekly" (Please don't select Every hour)
    [Save]

    Firewall: pfBlockerNG: Update
    Click "Force reload"

    2. Create custom FW rule w/ pfBlockerNG
    Firewall: Rules: LAN [+ New]
    TCP/IP Version: "IPV4"
    Protocol: "Any"
    Destination Type: Single host or alias
    Destination Address: "pfB_sites_via_vpn" (pfBNG creates the alias name with a pfB_ prefix and the alias name from Step 1)
    Description: "pfb_sites_via_vpn" (must be exactly the same as Destination Address, except with a lowercase b)
    Gateway: "VPN1 - 10.8.0.5"
    [Save]

    PS: In Step 1, replace exclamation marks with "i". Don't put whitespace or weird symbols in pfBNG's alias name or header.
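The "html" list format in part two means pfBlockerNG scrapes IPv4 prefixes out of the search-result page and puts them in the pfB_sites_via_vpn alias, and step 2 then policy-routes everything destined for those prefixes via VPN1. The script below is an added example, not pfBlockerNG's own code, of the same extraction with the sanity checks a practitioner would want before routing to a scraped list: it ignores tokens that are not valid networks, drops RFC 1918 and other non-routable ranges (which would otherwise pull LAN traffic into the tunnel), refuses anything broader than a /8 (0.0.0.0/0 on the page would send all traffic via the VPN), and collapses overlapping prefixes. The HTML fragment, the prefixes in it (taken from the IANA documentation ranges) and the /8 limit are constructed for the example; a name search on bgp.he.net matches the description text, so the resulting list is worth reading before the rule goes live.

```python
import re
from ipaddress import IPv4Network, collapse_addresses
from typing import List

# Constructed HTML fragment standing in for a bgp.he.net search-result page.
# Prefixes use the documentation ranges; the href duplicates the visible text,
# as a real results table does.
SAMPLE_HTML = """
<table>
<tr><td><a href="/net/198.51.100.0/24">198.51.100.0/24</a></td><td>EXAMPLE-STREAMING</td></tr>
<tr><td><a href="/net/198.51.100.0/25">198.51.100.0/25</a></td><td>EXAMPLE-STREAMING-CDN</td></tr>
<tr><td>203.0.113.0/24</td><td>EXAMPLE-STREAMING-EU</td></tr>
<tr><td>192.168.1.0/24</td><td>private: must never be routed into the tunnel</td></tr>
<tr><td>0.0.0.0/0</td><td>would send every destination via the VPN</td></tr>
<tr><td>203.0.113.999/24</td><td>not a valid address</td></tr>
</table>
"""

# Anything that looks like a dotted quad with a prefix length.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")

# Ranges that must never end up in a policy-routing alias for internet sites.
NEVER_ROUTE = [IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_prefixes(html: str, min_prefixlen: int = 8) -> List[IPv4Network]:
    """Return the routable IPv4 prefixes found in an HTML page, deduplicated and collapsed.

    min_prefixlen is a constructed guard: no streaming provider announces anything
    broader than a /8, so a shorter prefix is treated as a scraping error.
    """
    nets = set()
    for token in CIDR_RE.findall(html):
        try:
            net = IPv4Network(token, strict=False)  # strict=False tolerates host bits set
        except ValueError:
            continue  # e.g. an octet above 255
        if net.prefixlen < min_prefixlen:
            continue
        if any(net.subnet_of(blocked) or blocked.subnet_of(net) for blocked in NEVER_ROUTE):
            continue
        nets.add(net)
    # collapse_addresses merges 198.51.100.0/25 into 198.51.100.0/24 and sorts.
    return list(collapse_addresses(sorted(nets)))


def alias_text(nets: List[IPv4Network]) -> str:
    """One prefix per line, the form pfSense accepts when pasting into a Network alias."""
    return "\n".join(str(n) for n in nets)


if __name__ == "__main__":
    print(alias_text(extract_prefixes(SAMPLE_HTML)))
```

Comparing the output of this against what pfBlockerNG put in the alias (Firewall: Aliases, or the file under /var/db/pfblockerng/) is a quick way to confirm that the weekly update has not pulled in a private range or a catch-all prefix.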