Configuring a VPN Appliance as an Internet Gateway


VPN Appliance Powered by OPNsense


The eApps VPN Appliance is powered by OPNsense, a leading open source network security platform based on FreeBSD. See https://www.opnsense.org. This powerful security platform will allow you to easily create an Internet Gateway, which will allow you to connect from your local network through the VPN Appliance, and then out through the eApps network to the Internet. All of your traffic that is routed through the VPN Appliance will appear to be coming from the eApps network that is located in the US. The configuration of the VPN Appliance is done using the OPNsense user interface. This guide explains how to set up your VPN Appliance as an Internet Gateway. If you would like to have eApps perform the setup and configuration for you, contact sales@eapps.com.

Create an Internal Certificate Authority

Log in to your VPN Appliance dashboard and navigate to System > Trust > Authorities and click on + Add or import CA. Use the following settings:
Descriptive name: VPN CA
Method: Create an internal Certificate Authority
Key length (bits): Leave default
Digest Algorithm: Leave default
Lifetime (days): Leave default
Country Code: Your country code
State or Province: Your state or province
City: Your city
Organization: Your organization. Any value will do. If you are an individual, your name is fine.
Email address: Your email address. It does not have to be valid.
Common Name: Leave default
Click Save

Create a VPN User

Log in to your VPN Appliance dashboard and navigate to System > Access > Users and click the + icon to add a new user. Use the following settings:
Disabled: Unchecked
Username: Type a desired username
Password: Type a desired secure password
Full name: Type the user's full name
Expiration date: Leave blank
Group Memberships: Leave default
Certificate: Checked
OTP Seed: Leave blank
Authorized keys: Leave blank
IPsec Pre-Shared Key: Leave blank
Click Save

You will be redirected to a page to create the certificate for the user. Use the following settings:
Method: Create an internal Certificate
Leave the rest of the settings at their default. All fields should already be populated with the values from the Certificate Authority you created earlier. You will be redirected back to the System: Access: Users page to finish creating the user. Click Save again at the bottom of this page.

Configuring OpenVPN

Log in to your VPN Appliance dashboard and navigate to VPN > OpenVPN > Servers and click the icon to the left of Use a wizard to setup a new server. Use the following settings:
Type of Server: Local User Access
Certificate Authority: VPN CA
Certificate: Add New Certificate
Fill in the VPN: OpenVPN: Servers: Add a Server Certificate page with the following settings:
Descriptive name: VPN CERT
Key length: Leave default
Lifetime: Leave default
Country Code: Your country code
State or Province: Your state or province
City: Your city
Organization: Your organization. Any value will do. If you are an individual, your name is fine.
Email: Your email address. It does not have to be valid.
Click Save

On the VPN: OpenVPN: Servers: Server Setup page, use the following settings:
===General OpenVPN Server Information===
Interface: WAN
Protocol: Leave default
Local Port: Leave default
Description: The name that will appear when you select the connection in your mobile and desktop clients

===Cryptographic Settings===
TLS Authentication: Checked
Generate TLS Key: Checked
TLS Shared Key: Leave blank
DH Parameters Length: Leave default
Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA256 (256 bit)
Hardware Crypto: Leave default

===Tunnel Settings===
Tunnel Network: The private IP network range that will be given to each client that connects to the VPN. 172.20.0.0/24 is a safe choice.
Redirect Gateway: Checked
Local Network: Leave blank
Concurrent Connections: Leave blank
Compression: Leave default
Type-of-Service: Unchecked
Inter-Client Communication: Unchecked
Duplicate Connections: Unchecked

===Client Settings===
Dynamic IP: Checked
Address Pool: Checked
DNS Server 1: 216.154.208.4
DNS Server 2: 216.154.208.5
DNS Server 3: Leave blank
DNS Server 4: Leave blank
NTP Server: Leave blank
NTP Server 2: Leave blank
NetBIOS Options: Unchecked
NetBIOS Node Type: Leave default
NetBIOS Scope ID: Leave blank
WINS Server 1: Leave blank
WINS Server 2: Leave blank
Advanced: Leave blank
Click Next

On the VPN: OpenVPN: Servers: Firewall Rule Configuration page, make sure both the Firewall rule and the OpenVPN rule are checked and click Next.

Click Finish

Configuring Mobile and Desktop Clients

Log in to your VPN Appliance dashboard and navigate to VPN > OpenVPN > Client Export and scroll down to Client Install Packages. You should see the user you created earlier. Select your client platform from the dropdown next to the user and download the corresponding OpenVPN package. There are links at the bottom of the page for desktop and mobile client setups.
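Before distributing a downloaded package, it is worth confirming that the client profile actually carries the settings chosen in the wizard (TLS Authentication, AES-256-CBC, SHA256, Redirect Gateway and the two DNS servers). The following checker is an added example, not part of this guide or of OPNsense; the sample profile, hostname and key body are constructed placeholders.

```python
# Added example (not from the eApps guide or OPNsense): check that an exported
# OpenVPN client profile carries the settings chosen in the wizard above.

# Constructed sample profile standing in for the downloaded .ovpn file;
# the hostname and key body are placeholders.
SAMPLE_PROFILE = """\
client
remote vpn.example.invalid 1194 udp
cipher AES-256-CBC
auth SHA256
redirect-gateway def1
dhcp-option DNS 216.154.208.4
dhcp-option DNS 216.154.208.5
key-direction 1
<tls-auth>
PLACEHOLDER-STATIC-KEY-BODY
</tls-auth>
"""

# Directive/argument pairs the wizard settings above should produce.
EXPECTED = {"cipher": ["AES-256-CBC"], "auth": ["SHA256"],
            "redirect-gateway": ["def1"],
            "dhcp-option": ["DNS 216.154.208.4", "DNS 216.154.208.5"]}

def parse_ovpn(text):
    """Map each directive to its argument strings; an inline <tag>...</tag>
    block (how the export embeds keys) is recorded under 'tag'."""
    directives, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                                    # skip key material in <tag>
            block = None if line == f"</{block}>" else block
        elif line.startswith("<") and not line.startswith("</"):
            block = line[1:-1]
            directives.setdefault(block, []).append("<inline>")
        elif line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.strip())
    return directives

def audit_profile(text):
    """Return findings; an empty list means the profile matches the guide."""
    d = parse_ovpn(text)
    findings = [f"missing '{name} {value}'" for name, wanted in EXPECTED.items()
                for value in wanted if value not in d.get(name, [])]
    if "tls-auth" not in d:                          # TLS Authentication was checked
        findings.append("missing tls-auth key")
    elif "key-direction" not in d:
        findings.append("tls-auth present but no key-direction")
    return findings
```

Run `audit_profile()` over the contents of the downloaded .ovpn file; any finding means the wizard settings and the exported package have drifted apart.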

Enable Firewall

You will need to enable the VPN Appliance firewall in order to browse the Internet from your mobile and desktop clients. Note that with this change you will no longer be able to access the VPN Appliance GUI using its public IP address. You will have to connect to the VPN you just created and use your VPN Appliance private IP address in order to access the GUI. Make sure you establish a connection to the VPN with your mobile or desktop clients before you enable the firewall in the GUI.

Log in to your VPN Appliance dashboard and navigate to Firewall > Settings > Advanced
Uncheck the box next to Disable all packet filtering
Click Save

Testing

Once your client is set up, visit https://www.whatismyip.com and make sure the IP address displayed is the public IP address assigned to your VPN Appliance.
