Netgate Discussion Forum

    Selective devices and/or netfl!x/spot!fy/whatever via VPN - How to

    Category: OpenVPN
    pf3000

      These have been tested and working for me more than one time on pfSense 2.2, for my personal use. Mine is a single WAN & single LAN. Everything should be left to the default setting unless otherwise stated below. The second post details how to route selected sites via VPN.

      1. Add remote server's certificate(s)
      System: Cert Manager: CAs [+ New]
      Descriptive name: "Mycert"
      Certificate data: Copy & paste contents of ca.crt
      Certificate Private Key(optional): Copy & paste contents of user.key
      [Save]

      2. Create ovpn client **
      VPN: OpenVPN: Client [+ New]
      Protocol: UDP
      Device mode: tun
      Interface: WAN (Default)
      Server host or address: xxxxx
      Server port: xxxx
      Infinitely resolve server [Check]
      Description: "my_vpn"
      User name/pass: xxxxx xxxxx
      TLS Authentication: Enable authentication of TLS packets [Uncheck]
      Peer Certificate Authority: "Mycert" *(From Step 1)
      Encryption algorithm: BF-CBC (128-bit) ***
      Compression: Enabled with Adaptive Compression
      Disable IPv6 [Check]
      Don't add/remove routes [Check]
      Advanced:
      ```
      tun-mtu 1500;tun-mtu-extra 32;
      ```

      [Save]
      
      3. Check to see if ovpn connected successfully ***
      Status: System logs: OpenVPN
      
      > May 17 03:11:56 openvpn[17265]: **Initialization Sequence Completed**
      > May 17 03:11:56 openvpn[17265]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1576 10.8.0.6 10.8.0.5 init
      > May 17 03:11:56 openvpn[17265]: /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
      > May 17 03:11:56 openvpn[17265]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      > May 17 03:11:56 openvpn[17265]: TUN/TAP device /dev/tun1 opened
      > May 17 03:11:56 openvpn[17265]: TUN/TAP device ovpnc1 exists previously, keep at program end
      > May 17 03:11:53 openvpn[17265]: [xxx.xxx.xxx.xxx] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
      > May 17 03:11:45 openvpn[17265]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      > May 17 03:11:45 openvpn[17265]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
      > May 17 03:11:45 openvpn[17265]: TCPv4_CLIENT link local (bound): [AF_INET]yyy.yyy.yyy.yyy
      > May 17 03:11:45 openvpn[17265]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
      > May 17 03:11:44 openvpn[17265]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
      > May 17 03:11:44 openvpn[17265]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      > May 17 03:11:44 openvpn[17265]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      > May 17 03:11:44 openvpn[17092]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      > May 17 03:11:44 openvpn[17092]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      > May 17 03:11:44 openvpn[17092]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015
      
      4. Create VPN network interface & assign ovpn to it
      Interfaces: Assign [+ New]
      For **OPT3**, select **Network port** as _ovpnc1 (my_vpn)_ *(From Step 2)
      [Save]
      Interfaces: OPT3
      Enable [Check]
      Description: _VPN1_
      [Save]
      
      5. Configure FW NAT
      Firewall: NAT: Outbound
      Select _"Hybrid Outbound NAT"_
      [Save]
      Firewall: NAT: Outbound [+ New]
      Interface: _VPN1_ *(from step 4)
      Source type: _Network_
      Source Address: _192.168.1.0/24_
      [Save]
      
      6. Make selected devices on the LAN access the internet via VPN
      Firewall: Aliases: IP [+ New]
      Name: _LAN_IP_via_vpn_
      Type: _Hosts_
      IP: _192.168.1.201-192.168.1.249_
      [Save]
      
      Firewall: Rules: LAN [+ New]
      Source Type: "Single host or alias"
      Source Address: _"LAN_IP_via_vpn"_
      Destination: not [Check]
      Destination Type: _"LAN net"_
      Gateway: _"VPN1 - 10.8.0.5"_ *(from step 4)
      [Save]
      
      ** Details from your config file _something.ovpn_. Different for various VPN providers.
      *** Connect to your VPN once using OpenVPN client for your OS & check the log to:
      1. See if the connection is established successfully & the remote server is working
      2. If connected, note down from the log the encryption algorithm to use in STEP 2, because many times it's not found in the ovpn config files provided.
      
      > Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Cipher '**BF-CBC**' initialized with 128 bit key
      > Tue Mar 12 22:01:23 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      > Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Cipher '**BF-CBC**' initialized with 128 bit key
      > Tue Mar 12 22:01:23 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
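Step 3 and the *** footnote both come down to reading the OpenVPN log: confirm "Initialization Sequence Completed", note the negotiated cipher, and take the gateway address for the LAN rule from the ifconfig line. The following is an added Python example, not code from the post, that performs that check over a constructed log sample modelled on the excerpt above (endpoint address is a placeholder); it also surfaces the two WARNING lines that appear in the excerpt, and flags BF-CBC as a 64-bit block cipher, which is my own caveat rather than something the post states.

```python
import re

# Constructed sample, modelled on the log excerpt in the post (chronological order,
# placeholder endpoint address); not a capture from the author's system.
SAMPLE_LOG = """\
May 17 03:11:44 openvpn[17265]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 17 03:11:45 openvpn[17265]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 17 03:11:53 openvpn[17265]: [xxx.xxx.xxx.xxx] Peer Connection Initiated with [AF_INET]203.0.113.10:443
May 17 03:11:55 openvpn[17265]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 17 03:11:55 openvpn[17265]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 03:11:56 openvpn[17265]: /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
May 17 03:11:56 openvpn[17265]: Initialization Sequence Completed
"""

CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (ovpnc\d+) (\S+) (\S+) mtu")

# Warnings a defender should not wave through, keyed by the substring OpenVPN logs
FLAGGED = {
    "No server certificate verification method has been enabled":
        "server certificate not verified (no remote-cert-tls / verify-x509-name): a spoofed endpoint would be accepted",
    "may cache passwords in memory":
        "credentials cached in process memory (auth-nocache not set)",
}
# 64-bit block ciphers: exposed to SWEET32-style attacks on long-lived tunnels
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}

def check_openvpn_log(text):
    """Summarise one client session from Status: System logs: OpenVPN: tunnel up or not,
    negotiated cipher/HMAC, ovpnc interface and its gateway (the LAN rule's Gateway value), findings."""
    r = {"connected": False, "cipher": None, "key_bits": None, "hmac": None,
         "ifname": None, "local_ip": None, "gateway_ip": None, "findings": []}
    for line in text.splitlines():
        if "Initialization Sequence Completed" in line:
            r["connected"] = True
        if m := CIPHER_RE.search(line):
            r["cipher"], r["key_bits"] = m.group(1), int(m.group(2))
        if m := HMAC_RE.search(line):
            r["hmac"] = m.group(1)
        if m := IFCONFIG_RE.search(line):
            r["ifname"], r["local_ip"], r["gateway_ip"] = m.groups()
        for needle, finding in FLAGGED.items():
            if needle in line and finding not in r["findings"]:
                r["findings"].append(finding)
    if r["cipher"] in WEAK_CIPHERS:
        r["findings"].append("64-bit block cipher %s negotiated; prefer an AES-GCM cipher" % r["cipher"])
    return r
```

Paste the lines from Status: System logs: OpenVPN into `check_openvpn_log`; if `connected` is False or `findings` is non-empty, fix the client before building the NAT and LAN rules on it.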
      pf3000

        Part two: Configure netfl!x/spot!fy/whatever via VPN (when traveling abroad)

        1. Install & Configure pfBlockerNG pkg
        Install pfBlockerNG

        Firewall: pfBlockerNG: General Settings
        Enable pfBlockerNG [Check]
        Keep Settings [Check]
        Enable De-Duplication [Check]
        Enable Suppression [Check]
        Disable MaxMind Country Database CRON Updates [Check]
        Inbound Firewall Rules - Interface: "WAN", "VPN1"
        Outbound Firewall Rules - Interface: "LAN"
        Floating Rules [Check]
        [Save]

        Firewall: pfBlockerNG: IPv4 [+ New]
        Alias Name: "sites_via_vpn"
        IPv4 Lists: Format "html", State "ON", URL "http://bgp.he.net/search?search[search]=netfl!x&commit=Search", Header "Netfl!x"
        +Add another list for spot!fy
        List Action: "Alias native"
        Update Frequency: "Weekly" (Please don't select Every hour)
        [Save]

        Firewall: pfBlockerNG: Update
        Click "Force reload"

        2. Create custom FW rule w/ pfBlockerNG
        Firewall: Rules: LAN [+ New]
        TCP/IP Version: "IPV4"
        Protocol: "Any"
        Destination Type: Single host or alias
        Destination Address: "pfB_sites_via_vpn" (pfBNG creates alias name with pfB_ prefix and the alias name in Step 1)
        Description: "pfb_sites_via_vpn" (Must be exactly same as Destination Address, except change capital B to small)
        Gateway: "VPN1 - 10.8.0.5"
        [Save]

        PS: In Step 1, replace exclamation marks with "i". Don't put whitespace or weird symbols in pfBNG's alias name or header.
