VPN Primer for Noobs

What VPN Solution are you using?


I agree with Mike A. You need to take a step back and start over. Remove any rules on the WAN that you created (port forwarding or otherwise). You really just want a "default" setup from OPNsense. This will stop any outside sources from accessing your BI server (along with anything else on your network). You need to do this ASAP to prevent any unauthorized access.

Once you have the OPNsense back to stock configuration, then you can start to research how to create a self-hosted VPN (with OpenVPN or similar). There are some good resources on Youtube. As MikeA mentioned, when it is all said and done, you will end up with a single port being forwarded in the WAN rules.

The easiest way to "test" if your VPN is working is to use your cell phone at home, but turn off wifi and force the phone to send data through the cellular network. If you can start the VPN software on the phone and it makes a valid connection to the OPNsense device (you can see the connection on the OPNsense overview page), it is working. If the connection fails, times out, etc, then it is not set up correctly. If it is working, you should be able to view your cameras on your phone via the BI app or a web browser just like you would at home over wifi.
 
Nobody here has any idea how you now have OPNsense set up so can't help you there much. But as a clean starting point you should not have anything from the outside getting through the firewall to hit the BI server. Whatever you've done to enable that as far as rules should be disabled. You must have something permitting that traffic through if you're seeing connection attempts at the BI server. Unless you have some specific need to permit traffic through for any other purpose, then you should take down all other outside -> inside rules permitting traffic through by port, etc. too. Then, as Automation Guy says above, you won't need any geoIP blocks since nothing will be getting through the outside interface of the firewall to bother sorting out by geo source. Any unsolicited traffic from outside will be blocked.

Once you have OpenVPN set up on your firewall, that will open one port (1194 by default) on the outside interface of the firewall which will require a password/key exchange to allow a connection to/through it. You'll set up the OpenVPN client on your phone to do that. Once you do that and have it working, then when you make that connection from outside of your network using your phone, it will (for most practical purposes) become a client on your local network and will work as if it were inside local to your network. i.e., If your local address space is 192.168.1.x, then the phone will end up with at 192.168.1.x IP address. (There are some more details re how that works which is why I said for most practical purposes but ignore that for now).

So at that point you don't need to do anything as far as setting up outside access to the BI server is concerned. It will work in the same way that it would if you were using it locally inside your network. In the BI app you'll point the IP of the local and remote address of the BI server to the same local IP. Don't bother with scanning any codes, etc. You don't need to have your other computers that are inside your network using the VPN since they are inside vs outside and don't have to come through the firewall. You can tell whether the firewall is working or not by trying to hit your network from outside with/without having the OpenVPN client enabled. It should not permit connection in the latter case.

Unless you have a static external IP address then you'll also need to set up DHCP in order to let the VPN client find your IP whatever it may be by hostname.

Thank you sir. I've downloaded the OpenVPN client to my iPhone but now I'm stuck on Import Profile. OpenVPN says to scan the QR Code and the iPhone is asking for either a URL or a file.

Previously I was using NAT to connect from the outside. Security has bothered me for a long time and now I'm trying to migrate to a VPN. The only device I need to connect is my iPhone. Don't really need anything else coming in. But, for future reference, I need to know how.
 

The instructions I used to set up OpenVPN were loooong. Took me all morning to slog through them. And in the end I had more questions than I started with. A lot more. And, as usual with these sorts of things, there were several settings mentioned that did not exist, I assume because they were written for an older version of OpenVPN.
 

Go to where the file is. Click on it. At the bottom there should be the sharing icon box with a little arrow at the top. Click that. Look for OpenVPN in the list of targets that comes up. Pick that. It then should appear as a profile in OpenVPN.

Oh wait... Sorry, I might have confused what you were calling the OpenVPN client. I was reading it as if you'd said OpenVPN client profile file.

You'll download the OpenVPN connect app. Install that. Then you'll need to generate a profile file on the OPNsense/OpenVPN server. Then you'll need to get that client profile on the phone somehow. I don't use OPNsense so I don't know how that presents the profile to you. If it gives you a QR code you can try that. Otherwise, you'll need to create and move the profile file to your phone in some way. Email isn't the most secure, but that seems to work easiest for people. From there however you get it to the phone, then you can just click on the attachment as I described above.
 

QR Code would be the easiest but that's not an option so I'll have to get the file onto the iPhone. Wish Apple wouldn't make it so difficult.
 
I cannot for the life of me figure out how to transfer the client file to my iPhone. All the instructions I can find tell me to click buttons that don't exist, or they don't bother to tell where these buttons are. Can someone please tell me how to go about getting the client file from my computer to the OpenVPN client on my iPhone?

TIA

OK, I emailed the client file to my phone and was able to get it installed in the VPN Client but there's still something wrong because I'm getting pages of error messages when I attempt to connect from my iPhone.

Can someone direct me to instructions on how to set up OpenVPN? At this point it looks like the instructions I followed earlier don't work. :(
 
That was why I mentioned emailing it earlier. Probably easiest but not great practice. Doesn't make much difference for most people though.

What errors are you getting? In the client app there should be a log. Might copy and paste that over here.

Unfortunately I don't know the OpenVPN set up on OPNsense to help you much on that side.
 

Thanks.

On the client side I'm getting an authentication failure.

In the OPNsense OpenVPN log file I'm getting the following (last page only, there are 8 pages total. Most are "client connections would exceed max", but since no one is connected this probably means something else. Don't know about the last entries.)

Code:
Date    Severity    Process    Line
2023-09-16T16:22:58-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:57-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:56-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:55-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:54-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:53-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:52-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:51-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:50-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:49-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:48-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:47-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:46-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:45-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:44-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:22:15-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)   
2023-09-16T16:22:15-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)   
2023-09-16T16:22:14-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)   
2023-09-16T16:22:14-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)   
2023-09-16T16:22:13-04:00
 
You're getting to the server and attempting the connection at least so that much is good.

Look more at the log from the start of the connection. Try to see if you can tell where the initial error is and copy some above and below that. You'll have a ton of errors that follow if something's not right. No sense chasing all of those. They'll resolve once you find the root cause.

Is there somewhere on the OPNsense side that you can set the maximum number of clients? Set it at 10 or something. Also should be something about allowing multiple connections from the same client. Though again that's likely more a result of prior failure ahead of that though.
 
I set the number of concurrent connections to 10. Below is the first part of the log. Most of the log is "incoming connection would exceed........"

Code:
2023-09-16T20:39:57-04:00    Warning    openvpn_server1    Could not determine IPv4/IPv6 protocol. Using AF_INET   
2023-09-16T20:39:57-04:00    Warning    openvpn_server1    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts   
2023-09-16T20:39:57-04:00    Warning    openvpn_server1    WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.   
2023-09-16T20:39:57-04:00    Warning    openvpn_server1    WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.   
2023-09-16T20:39:56-04:00    Error    openvpn_server1    event_wait : Interrupted system call (fd=-1,code=4)   
2023-09-16T20:37:16-04:00    Warning    openvpn_server1    Could not determine IPv4/IPv6 protocol. Using AF_INET   
2023-09-16T20:37:15-04:00    Warning    openvpn_server1    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts   
2023-09-16T20:37:15-04:00    Warning    openvpn_server1    WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.   
2023-09-16T20:37:15-04:00    Warning    openvpn_server1    WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.   
2023-09-16T20:37:15-04:00    Error    openvpn_server1    event_wait : Interrupted system call (fd=-1,code=4)   
2023-09-16T16:23:18-04:00    Warning    openvpn    user 'Sparkey' could not authenticate.   
2023-09-16T16:23:16-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:15-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:14-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:13-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:12-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:11-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:10-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:09-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)   
2023-09-16T16:23:08-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)
 
Unfortunately nothing very helpful there. Your client isn't properly authenticating for whatever reason. Unless that happens you're not going to get in (kind of the point of the VPN). Again, don't know the set up on OPNsense well enough to help much. You're getting to the server, it's making the network connection, it's attempting to authenticate, and there aren't other setup- or server-type errors showing in what you've posted here, so I'd guess likely something to do with certificates, user name/password (both case sensitive), encryption/cipher type (needs to be the same).
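The advice above (find the first real error, ignore the pile of follow-on errors) can be automated. The following is an added example, not code from the thread or from OPNsense: it parses log lines in the same column layout as the logs posted above (timestamp, severity, process, message), collapses retries of the same failure by replacing the client address:port with a placeholder, and then separates messages that OpenVPN emits as a consequence of an earlier failure (the "would exceed maximum number of clients" and "Unroutable control packet" cascade) from the ones that are likely the root cause. The sample log is constructed to resemble the posted lines; the cascade pattern list is my own assumption about which messages are secondary.

```python
"""Triage an OPNsense/OpenVPN log export: collapse retries, surface the root cause.

Added example; the sample lines below are constructed to mirror the posted log.
"""
import re

# Column layout as shown in the OPNsense log export: fields separated by runs of spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s{2,}(?P<sev>\w+)\s{2,}(?P<proc>\S+)\s{2,}(?P<msg>.*\S)\s*$"
)

# Client address:port (optionally prefixed by [AF_INET]) varies per retry; strip it so
# that repeated instances of one failure fold into a single entry.
ADDR_RE = re.compile(r"(\[AF_INET6?\])?\d{1,3}(?:\.\d{1,3}){3}:\d+")

# Assumption: these messages are consequences of an earlier failure (the client keeps
# retrying while the server still holds half-open sessions), not the failure itself.
CASCADE_PATTERNS = (
    "would exceed maximum number of clients",
    "Unroutable control packet received",
)

# Constructed sample, newest line first as OPNsense displays it.
SAMPLE_LOG = """\
2023-09-16T16:23:18-04:00    Warning    openvpn    user 'Sparkey' could not authenticate.
2023-09-16T16:23:16-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)
2023-09-16T16:23:15-04:00    Error    openvpn_server1    192.168.10.52:62993 MULTI: new incoming connection would exceed maximum number of clients (2)
2023-09-16T16:22:15-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)
2023-09-16T16:22:14-04:00    Error    openvpn_server1    192.168.10.52:56840 TLS Error: Unroutable control packet received from [AF_INET]192.168.10.52:56840 (si=3 op=P_CONTROL_V1)
"""


def parse_line(line):
    """Return the four fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize(msg):
    """Replace client address:port tokens with a placeholder so retries compare equal."""
    return ADDR_RE.sub("<client>", msg)


def triage(text):
    """Collapse repeated messages; return one entry per distinct failure, oldest first."""
    groups = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["sev"], normalize(rec["msg"]))
        g = groups.setdefault(key, {
            "severity": rec["sev"], "message": key[1], "count": 0,
            "first": rec["ts"], "last": rec["ts"],
        })
        g["count"] += 1
        # ISO-8601 timestamps with the same UTC offset sort correctly as strings.
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    return sorted(groups.values(), key=lambda g: g["first"])


def likely_root_causes(text):
    """Distinct failures that are not part of the known retry cascade."""
    return [g for g in triage(text)
            if not any(p in g["message"] for p in CASCADE_PATTERNS)]


if __name__ == "__main__":
    for g in triage(SAMPLE_LOG):
        print(f'{g["count"]:>4}x {g["severity"]:<8} {g["first"]} .. {g["last"]}  {g["message"]}')
    print("\nLikely root cause(s):")
    for g in likely_root_causes(SAMPLE_LOG):
        print(" -", g["message"])
```

On the posted log this leaves a single candidate, the "could not authenticate" warning, which is the line worth chasing; the two Error groups just show how many times the client retried.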
 
Just in case you haven't seen this, check out the video below; note that he has his own domain, so you need to adjust your input accordingly. I used to use OpenVPN, then WireGuard on my Home Assistant system, however it's been a while; I now use pfSense and ZeroTier.

 



Thanks. I'll check it out after my morning coffee.
 
First, there is an "OpenVPN Export" plugin that you should install on your OPNsense device. Once that is installed, it will add a new "export" tab in your OPNsense settings with all the other OpenVPN settings. That tab will have several options to "export" your encryption file depending on what type of device you will be using to try to connect to the VPN while remote. Hopefully this is the process you used to generate that file.

Second, you asked about the best way to get that file to your devices. The best way is to simply navigate to that "export" screen on your iPhone (or whatever device you want to use to connect to the VPN while remote) while on the local network. Open your phone's browser, navigate to and log into the OPNsense device, and get to that "export" section of the settings. When you "export" that file, it will get downloaded directly to the iPhone. By emailing it to yourself, you have potentially exposed that encryption file to the world. Now the chances of anyone actually being able to use it are almost zero because even if someone was able to compromise the email transfer (which is not encrypted by default and therefore possible) or your email system itself, they would have to also have your local network's public IP address. If a person just has the encryption file, but doesn't know how to connect to your VPN service, then the file is useless to them. Still, it is simpler and far more secure to simply download the file directly to each device that you expect to use remotely.
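To make concrete what the exported "encryption file" actually carries, and therefore what a copy of it gives anyone who intercepts the email, here is an added example (not code from the thread, OPNsense, or OpenVPN). It parses an OpenVPN client profile (.ovpn) into its directives and inline `<tag>` blocks, using the standard inline-file syntax (`<ca>`, `<cert>`, `<key>`, `<tls-auth>`, `<tls-crypt>`), and reports the server endpoint from the `remote` line, which secret material is embedded, whether the private key is PEM-encrypted, and whether a username/password is still required on top of the file. The sample profile is constructed with placeholder bodies, not real keys; the classification of which tags count as secrets is my assumption.

```python
"""Audit an OpenVPN client profile (.ovpn) for embedded secrets and endpoint data.

Added example; SAMPLE_PROFILE is constructed with placeholder PEM bodies.
"""
import re

# Inline file blocks: <tag> ... </tag>, as used by OpenVPN unified profiles.
INLINE_RE = re.compile(r"<(?P<tag>[a-z0-9-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)

# Assumption: blocks whose content must stay private. ca/cert are public material.
SECRET_TAGS = {"key", "tls-auth", "tls-crypt", "tls-crypt-v2", "secret"}

SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_profile(text):
    """Split a profile into top-level directives and inline <tag> blocks."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives = {}
    # Remove the inline blocks first so PEM lines are not read as directives.
    for line in INLINE_RE.sub("", text).splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        parts = s.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def audit_profile(text):
    """Summarise what a holder of this file learns and can do with it."""
    directives, inline = parse_profile(text)
    key_pem = inline.get("key", "")
    # Covers both 'BEGIN ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED'.
    key_encrypted = "ENCRYPTED" in key_pem
    # 'remote host [port] [proto]'; OpenVPN's default port is 1194 if omitted.
    remotes = [(r[0], r[1] if len(r) > 1 else "1194")
               for r in directives.get("remote", []) if r]
    return {
        "remotes": remotes,
        "embedded_secrets": sorted(t for t in inline if t in SECRET_TAGS),
        "private_key_encrypted": key_encrypted,
        "needs_user_pass": "auth-user-pass" in directives,
        "needs_cert_and_key": "cert" in inline and "key" in inline,
    }


def exposure_summary(report):
    """Plain-language statement of what a copy of the file gives its holder."""
    items = []
    if report["remotes"]:
        items.append("server endpoint(s): " + ", ".join(f"{h}:{p}" for h, p in report["remotes"]))
    if report["embedded_secrets"]:
        items.append("embedded secret material: " + ", ".join(report["embedded_secrets"]))
    if "key" in report["embedded_secrets"] and not report["private_key_encrypted"]:
        items.append("client private key is stored unencrypted")
    if report["needs_user_pass"]:
        items.append("a username/password is still required in addition to the file")
    return "; ".join(items) or "no endpoint or secret material found"


if __name__ == "__main__":
    rep = audit_profile(SAMPLE_PROFILE)
    for k, v in rep.items():
        print(f"{k}: {v}")
    print(exposure_summary(rep))
```

Run against a real exported profile, the report tells you whether the file alone is a complete credential (unencrypted key, no `auth-user-pass`) or only half of one, which is the question to answer before deciding how it may travel to the phone.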
 

Thanks. I guess you've never used an iPhone before; it doesn't work like any other computer device. What you suggest does not apply. But I did manage to get the file to my iPhone by emailing it as an attachment. At this point the iPhone does try to connect to the VPN but cannot. I can see the connection attempts in OpenVPN on the server so I know the two can see each other. So apparently the problem lies in the way I set up OpenVPN. I followed instructions I found on the web. At this point I'm going to delete everything and start over. I'm looking for simpler instructions, as the ones I followed the first time were 4 pages long. This is rather humorous, as it said in the beginning that OpenVPN was considerably easier to set up than IPsec. I find this hard to believe, but what do I know.

PS: I so rarely find accurate, up to date and thorough instructions to do anything on the Internet. The Internet is the mother of all misinformation sources.
 
Yeah, it's not trivial to set up on some platforms, and specific details matter even if you have some general understanding. And, as you said, it's hard navigating through open source stuff sometimes.

Killing everything off and starting fresh probably is a good idea. You've been through it once and maybe missed a step that you'll pick up the next time through. Might also look at WireGuard to see if that's any better. It is a little easier for pfSense. Performance is the same or better.
 

Having set up OpenVPN on both an Android and an iPhone, the iPhone is ridiculously stupid to set up compared to Android. Android can be done quickly. There is some quirky way you have to do it with the iPhone that isn't documented well at all. All the instructions were based on an older iOS and the newer ones wouldn't allow you to simply import the file, but it has been a while since I set it up so I might be off a little, but I do remember it was not quick and easy like Android.

In fact I just switched android phones and I was able to get OpenVPN going in under 2 minutes.
 

Don't get too discouraged. Honestly I had a similar situation when I tried to set mine up. I don't know why, but the instructions simply were not "clicking" with my brain either. I will say that the whole concept of certificates and certificate authorities was very hard for me to grasp as a non-IT person. Added to this is the fact that some VPN instructions are created by business users who want to use a RADIUS server or other more advanced VPN features and it was very confusing to me and I didn't really understand the differences to know what should apply to my "simple" setup vs a complicated business setup. Once I got it set up and working, I realized how "overly complicated" I was trying to make it. Now I could add a new VPN connection very quickly because I understand the process so much better after successfully doing it.
 

Yea, an understanding is always a good thing. Step by step instructions might get you there, but you won't know where you are.
 
By the way, which of the VPN protocols are considered to be fast?
I'm using OpenVPN and the speed is dramatically dropped compared to not having a VPN.
I get about 1 Gigabit/sec (from ISP) on each side (client and remote server), and when I connect the client via the VPN, the speed is only ~20 Mb/s.