Friday, May 24, 2019

Use TorGuard OpenVPN servers in OPNsense firewall

This is how to use multiple TorGuard OpenVPN servers in an OPNsense firewall. Adapted from the pfSense instructions here.

DNS

System > General > DNS Servers
Add the following:
104.223.91.194
104.223.91.210

Create trust certificate

System > Trust > Certificates > Add
Select "Import an existing Certificate Authority"
Descriptive name: TG-CA
Certificate data: (get the latest key from here, copy the entire file)
Private key data: <leave blank>

Certificate authority

System > Trust > Authorities > Add
Descriptive Name: TG-internal-CA
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: internal-ca

Certificate manager

System > Trust > Certificates > Add
Descriptive Name: TG-Certificate
Method: Create an internal Certificate Authority
Key length: 2048
Digest Algorithm: SHA1
Lifetime: 3650
Country Code: <put anything>
State or Province: <put anything>
City: <put anything>
Organization: <put anything>
Email Address: <put anything>
Common Name: TG-Certificate

OpenVPN Client settings

VPN > OpenVPN > Clients > Add

Description: TG OpenVPN
Server Mode: Peer To Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: <leave blank>

Remote server(s):
atl.east.usa.torguardvpnaccess.com
chi.central.usa.torguardvpnaccess.com
dal.central.usa.torguardvpnaccess.com
fl.east.usa.torguardvpnaccess.com
la.west.usa.torguardvpnaccess.com
lv.west.usa.torguardvpnaccess.com
nj.east.usa.torguardvpnaccess.com
ny.east.usa.torguardvpnaccess.com
sa.west.usa.torguardvpnaccess.com
sf.west.usa.torguardvpnaccess.com

Server Port(s): 443

Select server at random: Checked
Infinitely resolve server: Checked

Username: YOURTGUSERNAME
Password: YOURTGPASSWORD

Peer Certificate Authority: TG-CA
Client Certificate: Web GUI SSL certificate
Encryption algorithm: BF-CBC (128-bit, 64 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Compression: Enabled with Adaptive Compression
Disable IPv6: Checked
Verbosity level: 1 default

Create OpenVPN interface

Interfaces > Assignments > Click add to the right of TG OpenVPN
You should now see OPT1 on the left. Click OPT1.

Enable interface
Description: TGInterface

(leave everything else blank)

You should have a new interface called TGInterface

Firewall / NAT settings

Firewall > NAT > Outbound

Select: Manual outbound NAT rule generation (no automatic rules are being generated)
Click Save

Edit every existing rule (there may be more than one) and set its Interface to TGInterface. Leave every other setting in each rule unchanged.
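A rule left on WAN here means that traffic bypasses the tunnel, so it is worth auditing the saved configuration rather than trusting the GUI by eye. The script below is an added example, not part of the original post or of OPNsense: it reads a config.xml export, maps the TGInterface description back to its internal interface name, and reports any outbound NAT rule that does not use it. The element layout and the 'advanced' mode value for manual NAT are assumed from OPNsense's pfSense-derived config format, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout (<interfaces>,
# <nat><outbound><mode>, <rule><interface>) is assumed from OPNsense's
# pfSense-derived config.xml; 'advanced' is assumed to mean manual NAT.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>ovpnc1</if><descr>TGInterface</descr></opt1>
  </interfaces>
  <nat><outbound>
    <mode>advanced</mode>
    <rule><interface>opt1</interface><descr>LAN via VPN</descr></rule>
    <rule><interface>wan</interface><descr>forgotten rule</descr></rule>
  </outbound></nat>
</opnsense>
"""

def audit_outbound_nat(config_xml: str, vpn_descr: str = "TGInterface") -> list[str]:
    """Return findings; an empty list means every outbound rule NATs via the VPN."""
    root = ET.fromstring(config_xml)
    # The GUI shows descriptions, but rules reference internal names (opt1, wan, ...).
    name_by_descr = {i.findtext("descr"): i.tag for i in root.find("interfaces")}
    vpn_name = name_by_descr.get(vpn_descr)
    if vpn_name is None:
        return [f"no interface with description {vpn_descr!r}"]
    outbound = root.find("nat/outbound")
    if outbound is None:
        return ["no outbound NAT section in config"]
    findings = []
    mode = outbound.findtext("mode")
    if mode != "advanced":
        findings.append(f"outbound NAT mode is {mode!r}, expected manual ('advanced')")
    for rule in outbound.findall("rule"):
        iface = rule.findtext("interface")
        if iface != vpn_name:  # traffic matching this rule leaves via WAN, bypassing the tunnel
            findings.append(f"rule {rule.findtext('descr')!r} uses interface {iface!r}, not {vpn_name!r}")
    return findings

if __name__ == "__main__":
    for line in audit_outbound_nat(SAMPLE_CONFIG) or ["OK: all outbound NAT rules use TGInterface"]:
        print(line)
```

Run it against a backup taken from System > Configuration > Backups; the sample above deliberately contains one rule still bound to WAN so the finding is visible.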

Check VPN status

VPN > OpenVPN > Connection Status

The status should say up.

Visit https://ipleak.net/ and confirm that the public IP address and the DNS servers it shows belong to the VPN, not to your ISP.
