Friday, May 24, 2019

Use TorGuard OpenVPN servers in OPNsense firewall

This is how to use multiple Torguard OpenVPN servers in an OPNsense server. Adapted from pfSense instructions here.


System > General > DNS Servers
Add the following:

Create trust certificate

System > Trust > Certificates > Add
Select "Import an existing Certificate Authority"
Descriptive name: TG-CA
Certificate data: (get the latest key from here, copy the entire file)
Private key data: <leave blank>

Certificate authority

System > Trust > Authorities > Add
Descriptive Name: TG-internal-CA
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: internal-ca

Certificate manager

System > Trust > Certificates > Add
Descriptive Name: TG-Certificate
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: TG-Certificate

OpenVPN Client settings

VPN > OpenVPN > Clients > Add

Description: TG OpenVPN
Server Mode: Peer To Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: <leave blank>

Remote server(s):

Server Port(s): 443

Select server at random: Checked
Infinitely resolve server: Checked


Peer Certificate Authority: TG-CA
Client Certificate: Web GUI SSL certificate
Encryption algorithm: BF-CBC (128-bit, 64 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Compression: Enabled with Adaptive Compression
Disable IPv6: Check
Verbosity level: 1 default

Create OpenVPN interface

Interfaces > Assignments > Click add to the right of TG OpenVPN
You should now see OPT1 on the left. Click OPT1.

Enable interface
Description: TGInterface

(leave everything else blank)

You should have a new interface called TGInterface

Firewall / NAT settings

Firewall > NAT > Outbound

Select: Manual outbound NAT rule generation (no automatic rules are being generated)
Click Save

Change every rule (if you have more than one) to the interface TGInterface. No other settings should change in each rule.

Check VPN status

VPN > OpenVPN > Connection Status

The status should say up


Install BlackArch from scratch on fresh Arch with Gnome GUI

(Using release: 2019.05.02 on Virtualbox 6.0)

Download Arch (or use a mirror)

BlackArch is a great pentest tool, comparable to Kali Linux, but with a steeper learning curve. The biggest issue for most new users is the lack of out-of-the-box gnome support.

I put together a combo of guides to get this working to make a comparable look and feel to Kali, but with Arch.


100GB thin provisioned HD
Network: bridged

Load the ISO and boot the machine. Once it comes up, verify network connectivity.

Disk creation

Type fdisk -l and you should see the 100GB drive.

The first partition we will create is the boot partition.

fdisk /dev/sda

p for the primary partition.

n for new 

1 for the first partition (sda1)

2048 (or enter for the default)

+500M for the space

Now we will create a swap partition.

n for create a new partition

p for primary

2 for the 2nd partition (sda2)

enter for the default sector

+8G for the swap file size

t to select the type

2 for the second, swap, partition

82 to make it a swap partition

Creating the 3rd partition

n to create the final partition using the rest of the space

p for primary

3 for the 3rd partition

enter to select the default drive sector start position

enter to select the last sector

w to write the changes

Finalize the filesystem

mkfs.ext2 /dev/sda1
mkswap /dev/sda2
mkfs.ext4 /dev/sda3

Mount the filesystem

mount /dev/sda3 /mnt
swapon /dev/sda2

Install the Base and Base-Devel repositories

pacstrap /mnt/ base base-devel

Generate the fstab and mount it to the temporary filesystem

genfstab /mnt >> /mnt/etc/fstab

Remount root to the mount

arch-chroot /mnt

Set System Language

echo "LANG=en_US.UTF-8"  > /etc/locale.conf
sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen

Or use text editor of choice and remove the comment from your language of choice.

vi /etc/locale.gen
en_US.UTF-8 UTF-8

then run

Set the timezone

ln -sf /usr/share/zoneinfo/US/Central /etc/localtime
hwclock --systohc --utc

Create unique hostname

echo "" > /etc/hostname

Change Root Password


Set up GRUB Bootloader

pacman -S grub
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

Update repositories

pacman -Syu

Enable dhcpcd service

systemctl enable dhcpcd

Create superuser account

useradd -m -G wheel yourname
passwd yourname

Enable sudo for the “wheel” group

sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g' /etc/sudoers

Or edit the file manually
vi /etc/sudoers
uncomment out the following line
%wheel ALL=(ALL) ALL

Eject the ISO and reboot

Once the system comes back up, now would be a good time to shut down the system and create a snapshot.

Adding Gnome and lxdm

Using your superuser account,

update the system
sudo pacman -Syu

Install the pre-requisites
sudo pacman -S xorg

Install Gnome and extras
sudo pacman -S gnome gnome-extra

Once that's complete, you need to install a display manager.
pacman -S lxdm

Enable the service to start on boot
systemctl enable lxdm.service

Once you restart, lxdm will allow you to choose to log in with Gnome.

Once you've verified everything works, turn the system off, remove the snapshot and create a new one.

Adding BlackArch software

curl -O
chmod +x
sudo ./

Download the master package list and synchronize
sudo pacman -Syyu

To install all of the tools (very large download), run
pacman -S blackarch

To see the blackarch categories, run
pacman -Sg | grep blackarch

You should now have Black Arch Linux apps installed on a fresh install of Arch using Gnome.