Configuring OpenVPN

With spring break right around the corner, I am looking forward to going home and spending time with family for the week I have off. At the same time, I want to continue working on and exploring my home lab and OPNsense while I have extra free time. Luckily, OPNsense provides the capabilities to set up a VPN so I can connect to my network from anywhere.

OPNsense allows users to choose between OpenVPN, IPsec, and WireGuard for their VPN solution. For this project, I am going to use WireGuard. I had to do some research to determine which of the three I wanted to use. IPsec is the oldest of the three and is mostly used in corporate environments for site-to-site tunnels between firewalls from different vendors. For me, the real comparison was between WireGuard and OpenVPN. WireGuard runs only over UDP, which keeps it fast and simple, but it cannot get through a network that blocks UDP. OpenVPN can also run over TCP; that costs throughput (TCP inside TCP retransmits badly on lossy links), but it can pass firewalls that only allow TCP out. Both are cryptographically sound. OpenVPN offers more authentication options (certificates, usernames and passwords, second factors), while WireGuard authenticates each peer purely by its static key pair. Overall, WireGuard is going to be faster, lighter weight, and simpler, which is enough reason for me to use it.

image

The first step is to create a WireGuard server instance in OPNsense. The above image shows the configuration settings I used. The public/private keys can be generated by OPNsense, and port 51820 is the default for WireGuard.

image

Next, I had to create a rule on the WAN side of the firewall. The reason for this is that, by default, my firewall is configured to deny inbound connections on port 51820. If I were to try to connect to the VPN without adding an exception, the firewall would drop the VPN request traffic.

image

Additionally, I had to create a firewall rule in the WireGuard group. This would allow connections through WireGuard to access both LAN and WAN resources when connected to the network.

image

Now that the VPN server was set up and the firewall configured to allow the traffic, I had to create the configuration for the peer that I wanted to connect with. OPNsense makes this easy by generating the necessary config file while setting up the peer in its web GUI. I named this client “Client1” to keep it simple and set the endpoint address to the public IP address of my network. From here, a public and private key pair was generated for this client. Again, keeping things simple, I assigned this host the address of 192.168.50.2 since 192.168.50.1 is the VPN tunnel address. The persistent keepalive interval makes the client send a small keepalive packet (not an ICMP ping) at that interval whenever the tunnel is otherwise idle, so the NAT or stateful-firewall entry for the UDP flow does not expire while no real traffic is being sent. Because the generated file contains the client's private key, it should be copied over a trusted channel and deleted from anywhere it is no longer needed. After filling out all the required fields, I was able to save the config text into a file and move it over to my laptop, where I planned on using the VPN connection while I was back with my family.

image

The final step was installing the WireGuard client on my laptop and creating the configuration file to match the one generated by OPNsense. From here, all I had to do was press “Activate” and I should be all good and connected! Hooray!

Unfortunately, it didn’t quite work out like that. I press the button and then try to ping some devices that I know are reachable within my home lab’s LAN, but I get no response. Confused, I take a look at the log section of WireGuard, and I am greeted with this:

image

My laptop continuously tries to initiate a handshake with my router, but my router has none of it. I start to brainstorm why this isn’t working. This is exactly why I went and created the firewall rule to allow this traffic instead of dropping it, so why doesn’t it work?

Then, all of a sudden, in a moment of crushing revelation, I saw the truth unfold—my desperate attempts to pierce the veil of the internet were not failing at the gates of OPNsense, but dying, suffocated and silenced, within the labyrinthine grasp of my apartment’s router and firewall, a digital prison I had never even thought to escape.

image

Since my home lab and OPNsense are configured behind my apartment’s original router, the connection is being dropped there and never even reaches OPNsense. Normally, there are ways to rectify this. One way would be to set up port forwarding on the apartment router. This means that inbound traffic arriving at the apartment's public IP on UDP port 51820 would be forwarded to my OPNsense router at 192.168.1.1 instead of being dropped. From there, everything would function as intended. Unfortunately, I don’t have the ability to log in and configure this router since it doesn’t belong to me. I completely failed to realize this, and unfortunately, there doesn’t seem to be any way I can access my home lab during spring break :(
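As an added example (not code from the original post, from OPNsense, or from the WireGuard project), the script below parses a client config of the shape OPNsense generates for a peer and checks for the two things that stop the handshake before any OPNsense firewall rule matters: an endpoint that is not a public address, and an OPNsense WAN address that is itself private, which is the double-NAT situation described above. The sample config is constructed: the keys are placeholders, 203.0.113.10 is a documentation address standing in for the home network's public IP, and 192.168.50.2, port 51820 and the OPNsense address 192.168.1.1 are the values from the post.

```python
import ipaddress
import re

# Constructed sample: a WireGuard client config in the shape OPNsense exports
# for a peer. The keys are placeholders, not real keys, and 203.0.113.10
# (a documentation address) stands in for the home network's public IP.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client private key placeholder>
Address = 192.168.50.2/32

[Peer]
PublicKey = <server public key placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Ranges that cannot be reached from the internet: RFC 1918 private space plus
# the CGNAT range (RFC 6598) that many ISPs put residential customers behind.
NAT_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def parse_wg_conf(text):
    """Parse the INI-like WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def behind_nat(host):
    """True if host is an address that only exists behind a NAT."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; cannot tell statically
    return any(addr in net for net in NAT_RANGES)


def diagnose(conf_text, opnsense_wan_ip):
    """Return the problems that would keep the first handshake packet from
    ever reaching OPNsense, regardless of the rules configured on it."""
    peer = parse_wg_conf(conf_text).get("Peer", {})
    problems = []

    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if port != "51820":
        problems.append(f"endpoint port {port or '?'} is not the server's listen port 51820")
    if not host or behind_nat(host):
        problems.append(f"endpoint {host or '?'} is not a public address; the client cannot route to it")

    # Double NAT: OPNsense's WAN sits on the apartment router's LAN, so an
    # unsolicited inbound packet to UDP/51820 has no mapping upstream and is
    # dropped unless that router forwards the port to OPNsense.
    if behind_nat(opnsense_wan_ip):
        problems.append(
            f"OPNsense WAN {opnsense_wan_ip} is a private address: double NAT, "
            f"the upstream router must forward UDP/{port or '51820'} to it"
        )

    if "PersistentKeepalive" not in peer:
        problems.append("no PersistentKeepalive; the NAT mapping expires while the tunnel is idle")
    return problems


if __name__ == "__main__":
    for wan in ("203.0.113.10", "192.168.1.1"):
        print(f"OPNsense WAN {wan}: {diagnose(SAMPLE_CLIENT_CONF, wan) or 'no problems found'}")
```

Run against the OPNsense WAN address from the post, 192.168.1.1, the only finding is the double-NAT one; with a public WAN address the same config passes. The check is static, so it reports what the addresses imply and cannot confirm that the upstream router actually forwards the port.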

While this whole exercise may seem like it was a colossal waste of time because it failed miserably, I wholeheartedly disagree. Even if the VPN is not functioning, I learned a lot about WireGuard and OPNsense through this project. Learning is the entire point of this home lab and even this website. So, while I am disappointed I won’t be working on my home lab while I am away for spring break, I am not disappointed that my VPN doesn’t work.