pfsense with Always-On Load Balanced OpenVPN Connections
Following this guide will allow you to create always-on load-balanced OpenVPN connections to your favorite VPN provider and force all your Internet traffic through the OpenVPN connections.
This guide was developed using Newshosting VPN account. The information contained will probably work with most other VPN providers with little or no modifications.
This guide is written for the privacy conscious who do not want their activities monitored by their ISP or other entities since the OpenVPN traffic is encrypted.
This guide is NOT written in order to assist you in conducting nefarious activities on the Internet undetected. A simple VPN connection is not enough to completely hide your digital tracks. Be warned!!
Import VPN Provider CA Certificate
- Obtain the CA Certificate from the VPN Provider.
- Navigate to System --> Cert. Manager.
- Click the Add button.
- Under the Descriptive name field, enter a description for the CA certificate you are importing.
- Under the Certificate data, paste the certificate contents including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- parts.
- Click the Save button (Figure 1).
Figure 1
Create OpenVPN client connections
Figure 2
- In the Username field, enter the username for your VPN Provider.
- In the Password field, enter the password for your VPN Provider.
- Ensure the Use a TLS Key field is unchecked.
- In the Peer Certificate Authority field, ensure you select the CA that you created in the import VPN Provider CA Certificate section above.
- In the Client Certificate field, ensure that None (Username and/or Password required) is selected. Please note that this field may need to be adjusted to your VPN provider's requirements; however, for most of the VPN providers I've used, Username/Password has been sufficient.
- In the Encryption Algorithm field, select the highest encryption that your VPN provider supports. I've used AES-256-CBC (256 bit key, 128 bit block) with no problems (Figure 3).
Figure 3
- Ensure the Enable NCP field is unchecked.
- In the Auth digest algorithm field, select the auth digest algorithm supported by your VPN provider. I've used SHA256 (256-bit) with no problems.
- In the Hardware Crypto field, ensure No Hardware Crypto Acceleration is selected (Figure 4).
Figure 4
- In the Compression field, ensure that Adaptive LZO Compression [Legacy style, comp-lzo adaptive] is selected.
- Ensure Don't add or remove routes field is checked.
- In the Custom options field, paste the following options (Figure 5):
persist-key;
persist-tun;
persist-remote-ip;
resolv-retry infinite;
Figure 5
- Click the Save button.
- Create additional OpenVPN client connections as needed.
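The client settings above, written out as a stand-alone OpenVPN client configuration file so that the effect of each GUI field is visible in one place. This is an added example, not the file pfSense generates and not from the guide's author; the server name, port, CA path and credentials file are placeholders for your provider's values, and the mapping of the Don't add or remove routes checkbox to route-noexec is the option pfSense writes for that checkbox.

```conf
# Added example: OpenVPN client configuration equivalent to the GUI settings above.
# Placeholders (vpn.example-provider.invalid, 1194, file paths) must be replaced
# with your provider's values.
client
dev tun
proto udp
remote vpn.example-provider.invalid 1194   # placeholder: provider server and port
nobind

# Peer Certificate Authority = the CA imported in System --> Cert. Manager
ca /path/to/provider-ca.crt                # placeholder path

# Client Certificate = None (Username and/or Password required)
auth-user-pass /path/to/credentials.txt    # placeholder: username on line 1, password on line 2

# Use a TLS Key unchecked: no tls-auth / tls-crypt line

cipher AES-256-CBC      # Encryption Algorithm
auth SHA256             # Auth digest algorithm
ncp-disable             # Enable NCP unchecked (fixed cipher, no negotiation)
comp-lzo adaptive       # Compression: Adaptive LZO Compression [Legacy style]
# Hardware Crypto = No Hardware Crypto Acceleration: no "engine" line

route-noexec            # Don't add or remove routes checked: pushed routes are
                        # not installed; policy routing on LAN picks the tunnel

# Custom options from the guide
persist-key             # keep key material across restarts (no re-read after dropping privileges)
persist-tun             # keep the tun interface open across restarts
persist-remote-ip       # keep the last resolved server address across restarts
resolv-retry infinite   # keep retrying DNS for the server name instead of exiting
```

The route-noexec line is what makes the load-balanced setup work: most providers push a default route (redirect-gateway) to the client, and with two or more tunnels those pushed routes would overwrite each other in the system routing table, so whichever tunnel came up last would carry everything. With routes left out, each tunnel interface only gets its address, and the LAN rule that points at the gateway group decides, per connection, which tunnel a packet enters.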
Verify OpenVPN Client Connections are Up
Figure 6
Assign Interfaces to each OpenVPN Connection
Figure 7
- Assign all the OpenVPN connections you created; each will be given an OPTX interface name, where X is a number assigned by the system. Ensure you click the Save button at the bottom of the screen to save your changes (Figure 8).
Figure 8
- Next, click on each of the OPTX interfaces that were assigned to your OpenVPN connections and you will be re-directed to the Interfaces / OPTX configuration page where X is the interface number assigned by the system.
- Ensure the Enable field is checked.
- In the Description field enter a name for this connection (Ex: NewsHostingOpenVPN1).
- Ensure IPv4 Configuration Type is set to None.
- Ensure IPv6 Configuration Type is set to None (Figure 9).
Figure 9
- Click the Save button at the bottom of the page and then click the Apply Changes button that appears at the top of the page after clicking Save.
- Navigate back to Interfaces --> Assignments and repeat Steps 9 through 14 from above to assign the rest of the OpenVPN connections.
- You should end up with a listing like the one below under Interfaces --> Assignments (Figure 10).
Figure 10
Create OpenVPN Gateway Group
In this section, we are going to create a Gateway Group that includes all the OpenVPN gateways that were automatically created by the system when we assigned the OpenVPN connections to Interfaces in the previous section. Using this method, we will have more than one connection available for load balancing as well as failover in case one of the OpenVPN connections goes down. You will notice below that we give both OpenVPN gateways the same priority (Tier 1), which effectively creates a load-balanced connection using multiple OpenVPN gateways.
Figure 11
- Next, click on the Gateway Groups tab and then click the Add button (Figure 12).
Figure 12
- You will be re-directed to the Edit Gateway Group Entry page
- In the Group Name field, enter a name for your Gateway Group (Ex: OpenVPNGatewayGroup).
- Under the Gateway Priority section, ensure your main WAN gateway is set to Never.
- Ensure all the OpenVPN IPv4 gateways denoted with a _VPNV4 suffix are set to Tier 1. Ensure that any OpenVPN IPv6 gateways denoted with a _VPNV6 suffix are NOT set to Tier 1 and if necessary be set to Never just like the main WAN gateway.
- Ensure the Trigger Level field is set to Member down.
- Optionally, enter a description in the Description field.
- Click the Save button (Figure 13).
Figure 13
- You will be re-directed back to the Gateway Groups page, where you will be able to see the Gateway Group you just created. Click on the Apply Changes button at the top of the page to apply your changes (Figure 14).
Figure 14
Create Firewall Rules
In this section, we are going to create a floating firewall rule to Reject any LAN outbound packets that are tagged as NO_WAN_OUTBOUND and then we are going to create a LAN rule that will tag all traffic as NO_WAN_OUTBOUND as well as use the OpenVPNGatewayGroup we created in the section above as the default gateway for that traffic. Using this method, we are going to ensure that ALL LAN traffic will ONLY go through the OpenVPN connections.
Figure 15
Figure 16
- You will be re-directed to the Edit firewall Rule page.
- In the Action field ensure Reject is selected.
- In the Interface field ensure the WAN interface is selected.
- In the Direction field ensure out is selected.
- In the Address Family ensure IPv4 is selected.
- In the Protocol field ensure Any is selected (Figure 17).
Figure 17
- In the Log field, check the Log packets that are handled by this rule.
- In the Description field, enter the following description: Reject Packets tagged with NO_WAN_OUTBOUND.
- In the Advanced Options field, click Display Advanced button (Figure 18).
Figure 18
- Clicking the Display Advanced button from the previous step will display the Advanced Options section.
- In the Tagged field, enter the following: NO_WAN_OUTBOUND (Figure 19). Ensure you make a note of the NO_WAN_OUTBOUND tag because we are going to be using it in the LAN rule we create next.
Figure 19
- Click the Save button at the bottom of the page.
- You will be re-directed back to the Floating rules tab page.
- Click on the Apply Changes button on the top of the page to apply the changes (Figure 20).
Figure 20
- Next click on the LAN tab (Figure 21).
Figure 21
Figure 22
- You will be re-directed to the Edit firewall Rule page.
- In the Action field ensure Pass is selected.
- In the Disabled field ensure Disable this rule is Unchecked.
- In the Interface field ensure the LAN interface is selected.
- In the Address Family ensure IPv4 is selected.
- In the Protocol field ensure Any is selected (Figure 23).
Figure 23
- Under the Source section, in the Source field, ensure LAN net is selected.
- Under the Destination section, in the Destination field, ensure any is selected.
- Under the Extra Options section, in the Log field, ensure Log packets that are handled by this rule is checked.
- Under the Extra Options section, in the Description field, enter a description for this rule (Ex: Allow LAN to any via VPN Only).
- Under the Extra Options section, in the Advanced Options field, click the Display Advanced button (Figure 24).
Figure 24
- Clicking the Display Advanced button from the previous step will display the Advanced Options section.
- Under the Advanced Options section, in the Tag field, enter NO_WAN_OUTBOUND (Figure 25).
Figure 25
- Under the Advanced Options section, in the Gateway field, ensure the OpenVPNGatewayGroup gateway is selected (Figure 26).
Figure 26
- Click the Save button at the bottom of the page.
- You will be re-directed back to the LAN rules tab page.
- Click on the Apply Changes button on the top of the page to apply the changes (Figure 27).
Figure 27
Create a Rule to Bypass OpenVPN Connections
If you have a need for certain IPs inside your LAN to bypass the OpenVPN connections and go out through the WAN gateway as they normally would, you simply create a LAN rule and place it ABOVE the Allow LAN to any via VPN Only rule we created above.
Figure 28
Figure 29
- Under the Host(s) section, enter any LAN IPs (one per line) that you want to bypass the OpenVPN connections (You can add more lines by clicking the Add Host button at the bottom of the page).
- When finished, click the Save button at the bottom of the page (Figure 30).
Figure 30
- You will be re-directed back to the Aliases IP tab page.
- Click on the Apply Changes button on the top of the page to apply the changes (Figure 31).
Figure 31
Figure 32
Figure 33
- You will be re-directed to the Edit firewall Rule page.
- In the Action field ensure Pass is selected.
- In the Disabled field ensure Disable this rule is Unchecked.
- In the Interface field ensure the LAN interface is selected.
- In the Address Family ensure IPv4 is selected.
- In the Protocol field ensure Any is selected.
- Under the Source section, in the Source field, ensure Single host or alias is selected and then enter the name of the alias you created above (Outbound_Direct_NO_VPN).
- Under the Destination section, in the Destination field, ensure any is selected (Figure 34).
Figure 34
- Under the Extra Options section, in the Log field, ensure Log packets that are handled by this rule is checked.
- Under the Extra Options section, in the Description field, enter a description for this rule (Ex: Allow LAN to any rule NO VPN) (Figure 35).
Figure 35
- Click the Save button at the bottom of the page.
- You will be re-directed back to the LAN rules tab page.
- Click on the Apply Changes button on the top of the page to apply the changes (Figure 36).
Figure 36
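The Gateway Group, the two firewall rules and the bypass rule from the last three sections, shown as the pf rules they amount to, so that the tag/tagged kill switch and the rule ordering can be read in one place. This is an added example, not pfSense's generated rules.debug and not from the guide's author; the interface names (em0, em1, ovpnc1, ovpnc2), tunnel gateway addresses, LAN subnet and the alias members are assumed values.

```conf
# Added example: pf equivalent of the guide's rules. Interface names, tunnel
# gateways, LAN subnet and alias members are assumed placeholders.
WAN = "em0"
LAN = "em1"

# OpenVPNGatewayGroup: both _VPNV4 gateways at Tier 1 become a round-robin
# route-to list. pfSense regenerates this list without a member that its
# gateway monitor has marked down (Trigger Level: Member down).
GWOpenVPNGatewayGroup = " route-to { ( ovpnc1 10.8.0.1 ), ( ovpnc2 10.9.0.1 ) } round-robin "

# Alias Outbound_Direct_NO_VPN from the bypass section (assumed members)
table <Outbound_Direct_NO_VPN> { 192.168.1.50, 192.168.1.51 }

# Floating rule: WAN, direction out, action Reject ("return"), logged.
# Anything carrying the NO_WAN_OUTBOUND tag that tries to leave on the WAN is
# refused, so LAN traffic cannot fall back to the WAN if every tunnel is down.
block return out log quick on $WAN inet tagged NO_WAN_OUTBOUND \
    label "Reject Packets tagged with NO_WAN_OUTBOUND"

# Bypass rule: must be ABOVE the VPN rule. pf with "quick" takes the first
# match, and these hosts are not tagged, so they use the normal WAN route.
pass in log quick on $LAN inet from <Outbound_Direct_NO_VPN> to any \
    keep state label "Allow LAN to any rule NO VPN"

# LAN rule: tag everything from LAN net and policy-route it into the group.
# The tag travels with the state; the floating rule above catches any packet
# of that state that ends up on the WAN instead of a tunnel.
pass in log quick on $LAN $GWOpenVPNGatewayGroup inet from 192.168.1.0/24 to any \
    tag NO_WAN_OUTBOUND keep state label "Allow LAN to any via VPN Only"
```

Two things to check after applying the GUI rules: the bypass rule really sits above the VPN rule (swapping them leaves the bypass hosts tagged and tunnelled, because the VPN rule is quick and matches first), and the floating reject rule is logged, so a WAN leak attempt shows up in Status --> System Logs --> Firewall as a blocked outbound packet on the WAN interface rather than silently succeeding.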