App Support.

We're here to help.



Setting up an OpenVPN server with OPNsense and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on an OPNsense instance that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.

This guide won't treat any issues related to setting up your router. A server running OPNsense is likely to be acting as a router itself, so we will assume that the OPNsense server is directly connected to the internet with its own IP address.

Preparation

For this guide, we assume:

  • You have already installed the latest version of OPNsense (17.7.5 at time of writing)
  • OPNsense has been set up with at least a WAN interface and a LAN interface
  • You are connected with your client device to the OPNsense server via its LAN interface during this guide
  • This installation of OPNsense is a fresh install
  • You already have a copy of Viscosity installed on your client device

If you need to download and install a copy of OPNsense, information can be found at https://opnsense.org/download/. We won't be covering the details of setting up an OPNsense instance, many guides can be found online. If you are running a different version of OPNsense, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.

Your client device needs to be connected to the OPNsense server via the LAN interface. This is necessary so that you can access the OPNsense Web GUI. The specifics of how you can achieve this depend on your particular network configuration.

If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Getting Started

First you need to log in to the OPNsense GUI from your client device connected to the LAN interface of the OPNsense server. Open a browser on your client and navigate to the IP address of the LAN interface of your OPNsense server (https://192.168.1.1 by default). You will need to login. The default credentials are below, but you should have been prompted to change these to something personal when you installed OPNsense:

User: root
Password: installer

This setup can be done from any user account if you have created different users or roles, as long as they have System Administrator permissions.

DNS Server

If you are using OPNsense as your router, you have most likely setup DNS already. However, if this is a fresh install, at the very least OPNsense needs to know where to look to pass on DNS requests. We can set this up like so:

  1. Click System > Settings > General on the left
  2. In the DNS Servers section, set the first two DNS servers to 8.8.8.8 and 8.8.4.4 (Google DNS). If you want to use different DNS servers, feel free to use them here instead.
  3. Set the Use Gateway drop down to your WAN interface for each entry.
  4. Click Save at the bottom.

Next, we need to enable the DNS Forwarder so DNS requests sent directly to your OPNsense server are passed on to the DNS Servers you entered. To do this:

  1. Click Interfaces > Unbound DNS > General.
  2. On the new page, tick Enable Forwading Mode
  3. Ensure Enable DNS Resolver is also ticked
  4. Click Save
  5. A new blue box should appear up the top with an Apply changes button on the right, click this button.

Your OPNsense server should now be able to resolve DNS. You can test this by opening up a command prompt on Windows, or Terminal on Mac, and typing in nslookup google.com 192.168.1.1 where 192.168.1.1 is the IP address of your OPNsense server.

OpenVPN Wizard

An OpenVPN server can be setup for most use cases using the built in Wizard.

  1. Click VPN > OpenVPN > Servers on the left.
  2. At the bottom of the new page, click the wand icon on the left of Use a wizard to setup a new server.
  3. On the Authentication Type Selection page, ensure Type of Server is set to Local User Access and click Next.
  4. We now need to create a Certificate Authority (CA).
    1. Set the Description Name field to 'OPNsense-CA'.
    2. Leave the Key length at 2048 bit, and set the Lifetime to 3650
    3. The remaining fields are to identify the server, set these appropriately for you.

  5. Click Add new CA to continue.
  6. Click Add new Certificate on the next page.
  7. On the Add a Server Certificate page, set the Descriptive name to server, leave the Key length at 2048 bit and set the Lifetime to 3650. The rest of the information should be pre-filled already.
  8. Click Create new Certificate to continue.
  9. The next page should be Server Setup, set the following:
    1. Set Interface to WAN.
    2. Ensure Protocol is UDP and Port is 1194.
    3. Change DH Parameters Length to 2048 at minimum. If you are running on modern hardware, set this to 4096 (you will be waiting a long time if you are not).
    4. Change Encryption Algorithm to 'AES-256-CBC (256 bit key, 128 bit block)'
    5. Change Auth Digest Algorithm to 'SHA256 (256-bit)' at minimum. If you are running on modern hardware, change this to 'SHA512' (you may have connection problems on older hardware).
    6. In the Tunnel Network field, enter '10.0.8.0/24'
    7. To allow access to machines on the local network, enter your local IP range in the Local Network setting. It will probably be something like 10.0.0.0/24.
    8. Set the Compression to 'Enabled without Adaptive Compression'.
    9. Set DNS Server 1 to 10.8.0.1.
    10. If you entered an IP Range into Local Network to allow access to your local network, in the Advanced section all the way down the bottom, enter the following (10.0.0.0/24 should be replaced with what you entered in Local Network) - push "route 10.0.0.0 255.255.255.0";
  10. All other settings can be left as default. Click Next.
  11. On the Firewall Rule Configuration, tick both the Firewall Rule and OpenVPN rule checkboxes and click Next. If you have a non-default setup, you will need to double check what is added at the end of the wizard.
  12. You should now see Your Configuration is now complete.. Congrats, we're almost there! Click Finish.

User Setup

By default, connecting to an OPNsense OpenVPN server requires both a user certificate and username and password. This is a good practice and we will use this default for each user that wants to connect. We need to create a user account for each person you want to allow access to your server. You can use existing users if you like as well but you will need to ensure a certificate is generated for them using the CA we created during the wizard.

Creating a New User

To create a new user:

  1. Click System > Access > Users on the left.
  2. Click the + (plus) down the bottom right of the Users page to add a new user.
  3. Enter a Username, Password, and tick the box Click to create a user certificate further down.
  4. Fill in any other fields you would like, but they are not required.
  5. Click Save.
  6. You will be taken to a Certificates page. Select 'Create an internal Certificate' in the Method drop down box. The page will re-arrange itself.
  7. Ensure Certificate Authority is the name we created during the wizard which should be 'OPNsense-CA', and Type is 'Client Certificate'.
  8. Change Lifetime (days) to 3650.

  9. Click Save.
  10. You will be taken back to the Create User page, User Certificates should now have an entry, click Save down the bottom again.
  11. A blue box should appear up the box with 'The changes have been applied successfully.'. We have added a new user which we can now use.


Creating a Certificate for an Existing User

To create a certificate for an existing user:

  1. Click System > Access > Users on the left.
  2. Click the edit button (a pencil) next to the user.
  3. Click the + (plus) under Name in the User Certificates field.
  4. You will be taken to a Certificates page. Select 'Create an internal Certificate' in the Method drop down box. The page will re-arrange itself.
  5. Ensure Certificate Authority is the name we created during the wizard which should be 'OPNsense-CA', and Type is 'Client Certificate'.
  6. Change Lifetime (days) to 3650.
  7. Click Save.
  8. You will be taken back to the Create User page, User Certificates should now have an entry, click Save down the bottom again.
  9. A blue box should appear up the box with 'The changes have been applied successfully.'. We have added a new user which we can now use.

User Groups (Optional)

If you have users for various tasks that on your OPNsense server that you do not want to have access to the VPN, you can create a user group to control access to your VPN Server. To create a group:

  1. Click System > Access > Groups on the left.
  2. Click the + (plus) down the bottom right of the Users page to add a new user.
  3. Set the Group Name to 'VPN', you can also set a Description you will recognise, something like 'VPN Server access group'.
  4. You can add users to the group now but clicking their name in the left list, then click the right arrow.
  5. Click Save

Now we need to allow only this group access to the server. To do this:

  1. Click VPN > OpenVPN > Servers on the left.
  2. Click the edit button (pencil) next to your OpenVPN server.
  3. Change the Enforce local group to 'VPN' (or what you named your VPN group if something different).
  4. Scroll to the bottom and click Save.


Setting Up Viscosity

If you have made it this far, you should now be able to connect to your OpenVPN server, congratulations! We can now setup Viscosity.

Export Connection from OPNsense

First you will need to download the configuration from OPNsense. OPNsense makes this extremely easy by providing ready to go connections for various devices, including connections specifically prepared for Viscosity. To get to these:

  1. Click VPN > OpenVPN > Client Export on the left.
  2. Under Client Install Packages, click the Export drop down box next to the user you would like to export a configuration for, and select 'Viscosity Bundle'. A visz connection will be downloaded.


Import Connection into Viscosity

The interface provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':

Mac

Windows

This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the '+' button and select Import Connection > From File...:

Navigate to the location of the Viscosity configuration file and open it. You will see a pop up message to indicate that the connection has been imported.

Now double click on the connection in the Preferences window to bring up the connection settings. If you used the correct connection exported from OPNsense, all you need to do is change the connection name to something you will recognise, and double check the server address is correct.




Save the connection and you should now be able to connect.

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:

  1. Double-click on your connection in the Viscosity Preferences window to open the connection editor
  2. Click on the Networking tab.
  3. Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
  4. Click the Save button.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.



This window will show you the traffic passing through the VPN connection.

Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.

Connect via Mac

To connect to a shared network directory from your Mac connected to the VPN:

  1. Open a Finder window
  2. Click Go on the menu bar and select "Connect to Server..."


  3. In the Server Address, type the LAN IP address of your network resource (something like 192.168.0.x) and click Connect.
  4. Enter the username and password for the network resource
  5. Select the shared volume you want to access and click OK

Network resources you would normally find appearing in the Finder sidebar will not appear when connected to via the VPN. You can find connected network resources in the Computer directory. In a Finder window, press + shift + c to jump to the Computer directory.

Connect via Windows

To connect to a shared network directory from your PC connected to the VPN:

  1. Type the \\lan-ip-address into the Search the web and Windows box in the taskbar and press Enter (something like \\192.168.0.x)


  2. Enter the username and password for the network resource
  3. You will then see the folders shared by this host