OPNsense & OpenVPN on VMWare

I decided to pull my dedicated server from “collocation” and rebuild it for home use. I was running VMWare on my NAS (see earlier post) and was about to hit the maximum utilization of the hardware (not just CPU but also networking). My goal was to create a new VMware server for my virtual park and setup a virtual firewall with, besides

OpenVPN, basic router functions. So I stole my CPU’s and memory from my 1U server and ordered a case, power supply, aftermarket CPU coolers and a RAID controller (As VMware does not allow you to run a software RAID). This is my current build;

2 x Intel Xeon X5560 Boxed
1 x Intel Server Board S5520HCT
2 x WD Green WD20NPVX
1 x Phanteks Eclipse P300
2 x Noctua NH-U12DXi4
1 x Corsair RM850i
2 x OCZ Vertex 460A 120GB
1 x IBM ServeRAID M5015
12x MicroMemory 8GB DDR3 1066MHZ ECC/REG

[Networking Setup]

I am not going into deep on howto setup VMWare as I did nothing special there. Downloaded ESXi from VMWare (with a free account) and put it on a USB stick using Rufus. Though a little bit on my network might be handy. I have a default modem that my provider gave me. Though advanced stuff like VPN and the firewall functionality is lacking hence the need for a own Firewall with router features. My server has two NIC (Network Interface Cards) where one of them is connected to the modem and the other one to my switch. Here is the separation between “public” aka the Internetz and “Private” my internal LAN. I created two virtual switches with two physical NIC’s. The picture from my ESXi should be explanatory.

I created a Virtual Machine (VM) called “OPNsense” and gave the VM two Network adapters. One in the WAN (Public) and one in the LAN (Private). I used PFSense in the past and it worked great though I like the slick look of OPNsense and I could not discover a performance difference in throughput hence the choice for OPNsense. In terms of sizing; OPNsense has a wiki that list several configurations where I used the “recommended” specifications (4 x vCPU’s, 4GB Memory and 20GB SSD). For “Guest OS family” select “Other” and “FreeBSD” with your architecture (64-bit in my case).

[Installing OPNsense]

You can download OPNsense for free, make sure you download the ISO (select dvd in the “image type”) and the right architecture. Upload the ISO to your datastore (You can use “Datastore browser” in the storage section to upload an ISO or, alternatively, enable SSH and use WinSCP). Power on the VM and, if you setup everything right, you end up with a login prompt. Instead of the typical “root” user, login with the user “installer” with password “opnsense” and the installation begin. By default it runs a liveCD version of OPNsense meaning after a reboot you will lose your settings. After the “guided” installation it will reboot and you see an IP where the web server is running.

[Basics]

During the first boot OPNsense is trying to automatic determine the WAN and the LAN interface. I suspect that OPNsense is checking on what interface a DHCP server is running and assigns that as the WAN. This means if you have not moved your router prior to booting, this automatic step will fail or result in a wrong setup. Luckily you can change this on the console and redo the auto-discovery. I manually set a LAN IP address (10.0.0.x) and continued my setup from the browser. If you login at first you can use the “Wizard” to complete the basic setup (its listed underneath “System”). After the basic hostname and NTP (Time Server) the WAN Interface is listed. My only dislike about OPNSense is that you can not change the adapter in the next screen “System: Wizard: Configure WAN Interface”. Although we already checked on the terminal during the installation if this was set right. I left everything default and changed the password at the end.

The only thing I changed is the “Services: Unbound DNS: General” as I want to lookup on my internal network using “hostnames”. You can configure it on Services –> Unbound DNS –> General. Just enable it and check the “DHCP Registration”. I do have some static mappings and if you also want those to be part of the DNS Resolver, hit the checkbox on the “DHCP Static Mappings”.

[OpenVPN]

I love wizards as its making sure that you don’t miss a single step during a setup. Hence I used it to setup my OpenVPN server.  Below are the steps I took for the complete setup;

1. For the “Type of Server” I am using “Local User Access”
2. In the next screen add a new CA (Certificate Authority)
   1. Fill out all the fields and leave the Key Length default
   2. You could add a 0 to the Lifetime so it will be 3650.
   3. To complete hit “Add new CA”,
3. Next we should create a Server Certificate
   1. Set a name in the Descriptive field
   2. up the Lifetime with another 0 so it reads 3650
   3. Leave the rest and hit Create new Certificate
4. The next page should be Server Setup 
   1. Set the interface to WAN
   2. Local port and protocol should be UDP and 1194
   3. To have better security I changed the following settings (4 to 6). Although this is optional and it does require more modern hardware and might even result in connection problems on older hardware! 
   4. Set DH Parameters Length to [4096]
   5. Set Encryption Algorithm to [AES-256-CBC (256 bit key, 128 bit block)]
   6. Set  Auth Digest Algorithm to [SHA256 (256-bit)]
   7. In the Tunnel Network enter [10.0.8.0/24] (yes the example one :D)
   8. Set the CIDR range in  Local Network from the local LAN port. In my case this is [10.0.0.0/24]. This is the CIDR for the DHCP range we setup during the Basic setup. We need this to connect to the local machines
   9. In Advanced we have to push the route because of step 8. The example is correct [push “route 10.0.0.0 255.255.255.0”]
   10. Leave the rest default and hit Next
5. On the Firewall Rule Configuration check both check boxes to create automatic rules  and hit Next 
6. This should finish the configuration and you should return to the VPN: OpenVPN: Servers where you should see the, the just created, OpenVPN server running
7.  The final step is the User Setup
   1. Go to Systems –> Access –> Users
   2. Hit the + to add a new user
   3. Fill out the Username and Password fields
   4. Check the box at Click to create a user certificate 
   5. Hit Safe
   6. This should take you to the System: Trust: Certificates page
   7. Change the Method to “Create an internal Certificate”
   8. The Certificate authority should have the same name as the CA we created in step 2
   9. Set the Lifetime (days) to 3650.
   10. Hit Save which should take you back to the Create User page and you should hit Save again
   11. If you see the box  “The changes have been applied successfully.”

That’s it for the configuration part on OPNsense. For Client Access you can easily download all the required client files in the Client Export tab in the VPN section. The only thing you will need to select is the type of export which is there for the most common client. You do have to change one thing though; by default the local IP of the WAN port is used for the destination server. This does not work outside of your network so you will manually have to change that. Just open the configuration file and check for your local WAN IP. Change that with your public IP address (to check this use whatismyipaddress.com i.e.).

[Forward ports]

The final thing to do is to forward the OpenVPN ports from my router to my OPNsense server. This is different for every router out there though if you look for “Port Forwarding” in any Advanced and/or Security tab on your router, it should be an easy find. You will need to create a rule that forward the port 1194 (the one we set for OpenVPN) to the internal WAN IP address connected to your OPNsense system.

That’s it! Once you are connected on your device (outside your local network) you can see the status using VPN –> OpenVPN –> Connection Status and it should look like the screen below

One small remark; depending on the browser you are using, some copy/paste actions do not work good! If your VPN Server is unable to start, check the Advanced field as, in my case, there where characters added (/) to the push route. Once you hit save after the service should start fine.