Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= OpenVPN: Setting up Secure Access from Anywhere =

<span id="why-openvpn-why-do-i-need-this"></span>
== Why OpenVPN? Why do I need this? ==

Because opening ports for personal use is a bad idea!

“'''''but louis, every website & hosting provider opens ports!'''''”

Webhosts and datacenters open ports so that millions of people can access their services. You’re opening ports to access a porn server in your closet. You’re not the same.

<span id="listing-the-ports-wed-have-to-open."></span>
=== Listing the ports we’d have to open. ===

Each one of these things needs its own open port on your router. That’s like having a house with 15 different doors, each one made of cardboard with a cutout in the middle that lets anyone see in. No, we’re not doing that.

* '''Immich''' to do machine learning on your photos, because your self-image isn’t ''[https://imgur.com/a/HVr6oAz bad enough as it is]''.
* '''Home Assistant''' to pretend you’re Tony Stark.
* '''Syncthing''' because [https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html screw Google].
* '''MailCow''' because you think you can run email better than Google (if you’re reading this guide, you probably can’t).
* '''Frigate''' to catch your neighbor stealing your packages.
* '''OnlyOffice''' because you’re too cheap for Microsoft 365.
* '''FreePBX''' because… actually, I don’t know why you’d torture yourself with that. [https://www.youtube.com/watch?v=vWrkDOt_IfM&pp=ygUNbGVubnkgZnJlZXBieA%3D%3D Lenny] makes it worth it. Maybe.

<span id="why-opening-every-port-is-dumber-than-an-820-2330-macbooks-hinge-design"></span>
=== Why Opening Every Port is Dumber Than an [https://rossmanngroup.com/unibody-macbook-pro-display-assembly-repair-replacement-service/ ''820-2330 Macbook’s hinge design''] ===

Here’s why exposing all of this directly is a terrible idea:

'''You’re Advertising What You’re Running''': Any script kid with a port scanner can see exactly what you’re running.
'''Your Software is Probably Full of Holes''': These projects are great, but they have 10,000 users, 5 of whom believe they are entitled to 25 years of updates & bugfixes after a $3 donation, and they are maintained by [https://www.explainxkcd.com/wiki/index.php/2347:_Dependency one person in their spare time], whose users are assholes that think [https://www.reddit.com/r/immich/comments/1codh0p/comment/l5rfpu7/ feeding yourself off of your work is too much to ask for].

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_37a2ee92.png
</gallery>
</div>

If I were smart (and evil), I could make a list of:

* Every IP address
* What software they ran
* What version they ran

Then, I’d keep up with exploits/vulnerabilities that are announced in the news. I’d go back to my list, double-check who’s running that software, and see if the exploits work. At best, you become part of a botnet and waste some electricity mining my crypto. At worst, I’ve stolen all of your data & use it to blackmail you.

I like these programs; they’re fun software! But, as with my taste in relationships, it isn’t about '''who I''' '''''like.''''' It’s about '''who I''' '''''trust'''''. The software I have the most '''fun''' with isn’t who I’d trust with banking credentials (or my future children). Maybe I got that the wrong way around…

<span id="openvpn-only-1-port-to-open-with-better-security"></span>
=== OpenVPN: Only 1 Port to open, with better security: ===

'''One Port to Worry About''': Instead of 15 points of failure, we have one potential point of failure.

<blockquote>'''NOTE:''' OpenVPN uses a single port for all traffic, which is usually port 1194 UDP. Most OpenVPN servers will default to port 1194. Make sure your ISP didn’t block this. Bad ISPs will block ports commonly used for running servers so that you pay 5x as much for the same internet unless you buy a “business” (extortion) plan.
I paid $409.99/mo for 10 Mbps upstream when I had a store in New York; hint: you’re not paying extra for better internet.</blockquote>

'''Stealth Mode''': To the outside world, you’re just running OpenVPN. They can’t see your unpatched version of [https://github.com/pjenvey/hellanzb hellanzb] from 2007. ''(shout out to pjenvey if he’s reading this today!)''

<span id="openvpn-security-in-four-pictures"></span>
=== OpenVPN security in four pictures: ===

Here is what it’s like opening ports to a bunch of random open source projects people make in their spare time:

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image55.jpg
</gallery>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image56.jpg
</gallery>

Here is what it’s like only opening a port for OpenVPN:

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image57.jpg
</gallery>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image58.jpg
</gallery>

When you use OpenVPN, you are opening one port to get access to your network, with a door that many commercial interests have a stake in keeping strong. When you open ports for random crap, you have windows people can look through, and doors that look like… Well… Yeah. And 2 guys watching them.

<span id="decreasing-attack-surface-with-openvpn-is-a-best-practice"></span>
=== Decreasing Attack Surface with OpenVPN is a best practice ===

OpenVPN isn’t a hobby project coded by your cousin’s methhead roommate. This is used by everyone, from companies with more money than sense to just about anyone who doesn’t want their data plastered all over the internet:

* Having '''''ONE''''' service open to the public rather than 10 means a smaller attack surface.
* Having one service
* OpenVPN is designed with one purpose in mind: a secure connection.
* It is over 20 years old.
* Commercial interests (aka people actually paying money for software that they rely on for their infrastructure, not ''[https://www.reddit.com/r/immich/comments/1codh0p/comment/l5rfpu7/ this guy]'') use & rely on it.
* There are more eyes on the code of OpenVPN than on <code>hellanzb</code>.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_f3e2603c.png
</gallery>

'''Marketing wankery? …Kind of, but they’re not lying here.'''

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_29f791ff.png
</gallery>

'''Is this 100% accurate? No.''' Are more people for whom millions of dollars ride on the security of their software using OpenVPN than hellanzb? Yes!

Having a home server is cool. But the programs we’re talking about are used by [https://wiki.futo.org/index.php/FUTO:General_disclaimer 0.0001% of 0.000001%] of the world.

OpenVPN can still have vulnerabilities; it isn’t perfect! But remember, in the world of network security, '''nothing is perfect!''' This isn’t about being perfect. It’s about controlling what we can control, and minimizing risk & attack surface every chance we can. A UFC fighter makes a better bodyguard than a mall cop, regardless of the fact that they’re equally useless against a bomb or a comet.

This guide walks you through the process of setting up OpenVPN on '''pfSense'''. OpenVPN allows you to access your home network as if you were there. All of the services we want to use require access, from anywhere, to the network we are placing our server on. This setup will make sure that all traffic from the phone is routed through the VPN with no DNS leaks, which will be important for our adblocking-via-router section that comes after.
<span id="setting-up-openvpn-within-pfsense-for-secure-access"></span>
== Setting up OpenVPN within pfSense for secure access ==

<span id="step-1-install-openvpn-client-export-package-in-pfsense"></span>
=== Step 1: Install OpenVPN Client Export package in pfSense ===

This will make it way easier for us to create the files necessary for clients to connect. You click a button and it’ll generate a file that you put on your phone or laptop. You open the OpenVPN client, import the file, put in your username & password, & boom – you’re set.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_63b19b99.png
File:lu55028jxb9s_tmp_bb0dc07e.png
File:lu55028jxb9s_tmp_d66223f0.png
File:lu55028jxb9s_tmp_7a9f0c8.png
File:lu55028jxb9s_tmp_474565b.png
</gallery>

<span id="log-into-pfsense-1"></span>
==== 1.1 Log into pfSense: ====

* Open your browser and go to your '''pfSense''' IP address (e.g., <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code>).
* Log in with your credentials (default: <code>admin</code> / '''pfSense''' unless changed).

==== 1.2 Install the package ====

* Go to '''System > Package Manager > Available Packages'''.
* Search for “openvpn-client-export”.
* Install the '''OpenVPN Client Export Utility'''.

<span id="step-2-set-up-certificates"></span>
=== Step 2: Set up Certificates ===

<span id="make-a-certificate-authority"></span>
==== 2.1 – Make a Certificate Authority ====

The Certificate Authority (CA) is what signs and verifies the server and client certificates used to establish secure connections. You don’t have to have any idea what that means to use a VPN.
Here’s how we create the CA in '''pfSense''':

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_12971ff0.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_20129d0a.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_d4a33a40.png
</gallery>
</div>

# '''Log into pfSense:'''
#* Open your browser and go to your '''pfSense''' IP address (e.g., <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code>).
#* Log in with your credentials (default: <code>admin</code> / '''pfSense''' unless changed).
# '''Navigate to the Certificate Manager:'''
#* Go to '''System > Cert Manager''' in the top navigation menu.
# '''Create a New CA:'''
#* Under the CAs tab, click the '''+ Add''' button to create a new Certificate Authority.
# '''Fill in the CA Details:'''
#* '''Descriptive Name:''' OpenVPN-CA (or any name you choose)
#* '''Method:''' Create an Internal Certificate Authority
#* '''Key Length:''' 4096 bits (recommended for strong security)
#* '''Digest Algorithm:''' SHA-512 (for secure hashing)
#* '''Lifetime (days):''' 3650 (about 10 years)
#* '''Distinguished Name:'''
#** '''Country Code:''' Your country’s two-letter code (e.g., US for the United States)
#** '''State or Province:''' Your state or province
#** '''City:''' Your city or locality
#** '''Organization:''' Your organization name
#* '''Common Name:''' OpenVPN-CA (or another descriptive name)
# '''Save the CA.'''

<span id="creating-the-openvpn-server-certificate"></span>
==== 2.2 – Creating the OpenVPN Server Certificate ====

Next, create the server certificate that the OpenVPN server will use for secure client connections.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_bfc83cc1.png
File:lu55028jxb9s_tmp_fe565fd6.png
File:lu55028jxb9s_tmp_ffd201ba.png
</gallery>

# Navigate to the '''Certificates''' tab in Cert Manager.
# '''Add a New Server Certificate:''' click '''+ Add/Sign''' to create a new certificate.
# '''Fill in the Server Certificate Details:'''
#* '''Method:''' Create an Internal Certificate
#* '''Descriptive Name:''' OpenVPN-ServerCert – name it something that makes it easy to identify as a '''SERVER''' certificate later for OpenVPN
#* '''Certificate Authority:''' Select OpenVPN-CA (the CA you just created)
#* '''Key Length:''' 4096 bits
#* '''Digest Algorithm:''' SHA-512
#* '''Certificate Type:''' Server Certificate. '''WARNING:''' Make sure you do not leave this set to User Certificate, which is the default option.
#* '''Lifetime (days):''' 3650
#* '''Distinguished Name:''' Match the details you used for the CA
#* '''Common Name:''' louis.chickenkiller.com (you can use whatever you put for your dynamic DNS domain name here)
# Click '''Save'''. You should now see OpenVPN-ServerCert listed under the Certificates tab.

<span id="create-a-vpn-group-for-your-vpn-users"></span>
==== 2.3 Create a VPN Group for your VPN users ====

To connect your Android phone to the VPN, create a user account with an associated client certificate.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_25f3872b.png
File:lu55028jxb9s_tmp_838eb68a.png
File:lu55028jxb9s_tmp_1e4e6e6e.png
File:lu55028jxb9s_tmp_8a57a6ce.png
</gallery>

'''Log into pfSense:'''
* Open your browser and navigate to your '''pfSense''' IP address (e.g., <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code>).
* Log in using your admin credentials.

'''Open User Manager:'''
* Go to '''System > User Manager'''.

'''Add a New Group:'''
* In the '''Groups''' tab of User Manager, click the '''+ Add''' button to create a new Group.
* '''Fill Out the Group Information:'''
** '''Group name:''' Choose a group name that makes sense for VPN users (e.g., <code>vpnusers</code>).
** Click '''Save'''.

<span id="create-a-vpn-user"></span>
==== 2.4 Create a VPN user ====

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_260205ab.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_bc14297e.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_cd15d249.png
</gallery>
</div>

# In the '''Users''' tab of User Manager, click the '''+ Add''' button to create a new user.
# '''Fill Out the User Information:'''
## '''Username:''' Choose a username (e.g., <code>vpnuser1</code>).
## '''Password:''' Enter a strong password.
# Add the user to the <code>vpnusers</code> group you just made.
# For '''Certificate''', check '''“Click to create a user certificate”'''. '''DO NOT FORGET TO CREATE A USER CERTIFICATE FOR THE USER.'''
# Create a name for the user certificate, such as <code>vpnuser_client_cert</code>, so you can recognize it as the USER cert later.
'''BEFORE YOU HIT SAVE:''' ''Before you hit save on adding a new user account:''

# Scroll to the '''Certificates''' section of the user creation form.
# Click '''+ Add''' to generate a new certificate for this user.
# '''Configure the User Certificate:'''
## '''Certificate Authority:''' <code>OpenVPN-CA</code>
## '''Key Length:''' 4096 bits
## '''Digest Algorithm:''' <code>SHA-512</code>
# '''Save the user with the certificate:''' Click '''Save'''.
# Verify user creation. You should now see the user listed under '''System > User Manager > Users'''.

<span id="step-3-configure-openvpn-server"></span>
=== Step 3: Configure OpenVPN Server ===

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_ebaec37d.png
</gallery>
</div>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_91ffd839.png
File:lu55028jxb9s_tmp_eb0c6c58.png
File:lu55028jxb9s_tmp_f489358.png
File:lu55028jxb9s_tmp_bb26515e.png
File:lu55028jxb9s_tmp_8d38ee89.png
File:lu55028jxb9s_tmp_b8064fd8.png
File:lu55028jxb9s_tmp_a7ea3e22.png
File:lu55028jxb9s_tmp_72e7ba8d.png
File:lu55028jxb9s_tmp_6ed741ea.png
</gallery>

<span id="open-the-openvpn-wizard-and-set-settings-according-to-what-you-see-below-in-section-3.2-and-in-images-above"></span>
==== 3.1 Open the OpenVPN Wizard, and set settings according to what you see below in section 3.2 and in the images above ====

# '''Log into pfSense.'''
# Go to '''VPN > OpenVPN'''.
# Click on the '''Wizards''' tab.
# Fill out details according to what you see above. Keep in mind that when you are DONE, you will have to go back in & edit settings for that VPN server that were NOT EDITABLE while you were creating the VPN.
<span id="openvpn-server-configuration"></span>
==== 3.2 OpenVPN Server Configuration ====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_1be84c25.png
File:lu55028jxb9s_tmp_1ed49b8.png
File:lu55028jxb9s_tmp_a3fa0f3a.png
</gallery>

After you have finished, go back and edit the server you just made to make sure all of this matches:

# '''Description:''' openvpn server itself
#* This is for your reference only. You can name it something descriptive like “HomeVPN” or “MyVPNServer”.
# '''Protocol:''' UDP on IPv4 only
#* UDP is faster and more efficient for VPN traffic, and IPv4 only is typically sufficient unless you have a specific need for IPv6.
# '''Interface:''' WAN
#* This setting makes sure that your OpenVPN server will listen for incoming VPN connections on the WAN interface.
# '''Local Port:''' 1195
#* Default is 1194 and TOTALLY FINE. I chose 1195 because I already use 1194 for another system.
# '''TLS Authentication:''' Enabled

'''Cryptographic Settings'''

# '''DH Parameters Length:''' 4096 bits
#* Stronger than the default 2048-bit parameters.
# '''Data Encryption Algorithms:'''
#* The following algorithms are listed in the priority you selected:
#** AES-256-GCM
#** AES-128-GCM
#** CHACHA20-POLY1305
# '''Fallback Data Encryption Algorithm:''' AES-256-CBC
#* Used for compatibility if a client doesn’t support the GCM algorithms.
# '''Auth Digest Algorithm:''' SHA-512
#* SHA-512 provides a high level of integrity protection for your VPN packets, making sure that the data hasn’t been altered.
# '''Hardware Crypto:''' Intel RDRAND engine - RAND

'''Tunnel Settings'''

# '''IPv4 Tunnel Network:''' <code>192.168.6.0/24</code>
#* This is the virtual network that your VPN clients will use.
# '''Redirect IPv4 Gateway:''' Checked
#* This forces all client traffic through the VPN tunnel.
#* IF, for some reason, you have changed the Outgoing NAT to Manual, you’ll have to add the outgoing NAT rule yourself.
# '''IPv4 Local Network:''' <code>192.168.5.0/24</code>
#* This allows VPN clients to access your local network.
# '''Allow Compression:''' Refuse any non-stub compression (Most Secure)
# '''Type-of-Service:''' Unchecked
# '''Inter-Client Communication:''' Unchecked
# '''Duplicate Connections:''' Unchecked

'''Client Settings'''

# '''Topology:''' Subnet
# '''DNS Default Domain:''' newvpn
# '''DNS Server 1:''' <code>192.168.5.1</code>
# '''DNS Server 2:''' <code>94.140.14.14</code> (AdGuard DNS)
# '''DNS Server 3:''' <code>94.140.15.15</code> (another AdGuard DNS server)

'''Advanced Client Settings'''

# '''Dynamic IP:''' Checked
# '''Advanced Configuration:'''
#* Custom Options: <code>tun-mtu 1200; mssfix 1160; push "dhcp-option DNS 192.168.5.1";</code>
# '''Gateway Creation:''' IPv4 only
#* '''For the <code>Gateway creation</code> OpenVPN server setting, CHOOSE ''IPv4 only''.''' This will save you lots of hassle and misery later! Explanation at the end of the OpenVPN section.

<blockquote>'''NOTE:''' Let’s talk about RDRAND. This is the hardware random number generator (RNG) built into Intel processors. It’s fast, easy to use & pfSense might already be using it. '''WARNING: For 99% of the people reading, this will be a total waste of time.'''</blockquote>

<blockquote>'''1. What is RDRAND? Why care?''' RDRAND makes random numbers using your CPU, but it’s a closed-source black box. You can’t see how it works, and there have been concerns that some random number generators might not be as random as you’d like. There are all sorts of [https://www.theregister.com/2013/09/10/torvalds_on_rrrand_nsa_gchq/ pissing matches] going on over this stuff on the internet by people way smarter than you or I.
'''Point being, if you care about privacy or you’re handling sensitive data, you might not want to rely ''solely'' on a system you can’t inspect.''' At the same time, if you’re reading this guide, you’re enough of a newbie that RDRAND is not going to be how someone “gets” you.</blockquote>

<blockquote>'''2. Why not use just RDRAND?''' While it is fast, if the hardware random number generator fails or is compromised, your security goes down without you noticing. A VPN depends on top-notch [https://www.youtube.com/watch?v=9mxE9sEGNmA randomness] for encryption, so you need more than one source of entropy to stay safe.</blockquote>

<blockquote>'''3. How do I make it safer?''' pfSense already mixes entropy from several sources, which include RDRAND. In most cases, you’re good to go.</blockquote>

<blockquote>'''4. Should I disable it?''' Probably not. RDRAND is fine. Think of it as an ingredient rather than the entire thing.

'''5. Then why did you mention it?''' The ''“uhm, akshually”'' people. They’re in the bushes, always waiting.</blockquote>

<blockquote>'''TL;DR:''' RDRAND isn’t bad, but don’t trust it alone. Let pfSense do its thing and mix it with other entropy sources. If you’re running anything highly sensitive and don’t like trusting Intel, you can disable it, but for most people the default settings are fine.</blockquote>

<span id="step-4-get-.ovpn-file-to-connect-your-phone-to-the-vpn"></span>
=== Step 4: Get .ovpn file to connect your phone to the VPN ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_5ee24475.png
File:lu55028jxb9s_tmp_cc7231bd.png
</gallery>

<span id="export-the-openvpn-client-configuration-for-your-android-device"></span>
==== 4.1 Export the OpenVPN Client Configuration for Your Android Device ====

# Go to '''VPN > OpenVPN > Client Export'''.
# For “Remote Access Server,” choose the OpenVPN server you made.
# For “Host Name,” enter the URL you made on FreeDNS for dynamic DNS.
#: In our case, this was <code>louishomeserver.chickenkiller.com</code>.
# Under '''Export Type''', choose '''Android - OpenVPN Connect'''.
# Download the configuration file (e.g., <code>vpnuser1-android.ovpn</code>).

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106121731554.png
File:image-20241106121809040.png
File:image-20241106121822988.png
File:image-20241106121830675.png
File:image-20241106121845493.png
File:image-20241106121937304.png
File:image-20241106121943336.png
File:image-20241106121948680.png
File:image-20241106121953605.png
File:image-20241106122002345.png
File:image-20241106122017732.png
File:image-20241106122022741.png
File:image-20241106122027679.png
File:image-20241106122036058.png
</gallery>
</div>

<span id="import-the-configuration-into-openvpn-connect-on-android-securely"></span>
==== 4.2 Import the Configuration into OpenVPN Connect on Android – SECURELY!!!!! ====

# Transfer the <code>.ovpn</code> file to your Android device. ''DO THIS SECURELY.''
# Install the OpenVPN Connect app from the Play Store.
# Import the configuration file and connect to the VPN.

VPN connectivity can be done with a certificate alone, without a username or password. This means that ''if you misconfigured something, and this file gets into the wrong hands, '''any Tom, Dick or Harry has access to your home network!'''''

'''Don’t upload the file to public file transfer sites.''' Don’t do this. Do not store the key to your front door on megaupload.

'''Instead, do this:'''
* Connect your phone directly to your computer with a USB cable to transfer the file; simple and secure.
* Or, use an encrypted messenger you trust. Just make sure it’s actually secure, not just convenient.

'''Why the extra caution?'''
* This <code>.ovpn</code> file is sensitive. It’s part of what allows access to your server.
* If someone gets this file & figures out your password, they’re in. Not good.
* And if there’s a config mistake (it happens), they might not even need the password.
* Without this file, even if someone knows your username & password, they’re not getting in.

'''Treat this file like your bank details. Don’t put it on a post-it note stuck to the 4:3 monitor in front of your Windows XP Service Pack 1 computer.''' Don’t leave it lying around in your downloads folder. Don’t share it casually. The chances of someone intercepting this file and using it maliciously are low, but we don’t take unnecessary risks with security. It’s not paranoia, it’s good practice. Do it right, and you’ll save yourself potential headaches down the road.
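The “config mistake” case above can be checked on the exported file itself. The script below is an added example, not code from this guide or from pfSense: it parses a profile and flags an embedded <code>&lt;key&gt;</code> that is not paired with <code>auth-user-pass</code>, a missing <code>remote-cert-tls server</code> (the client-side counterpart of the Server Certificate type warning in 2.2), and any mismatch with the port, cipher, digest and MTU settings chosen in 3.2. It assumes the export uses standard OpenVPN client directives; the sample profile inside it is constructed, with key material replaced by placeholders.

```python
"""Audit an exported OpenVPN client profile (.ovpn) before it leaves pfSense.
Added example, not code from the FUTO guide or pfSense. It checks the 3.2 server
settings (UDP/1195, the GCM/CHACHA cipher list, SHA-512, tun-mtu 1200, mssfix 1160),
that the embedded key alone is not enough (auth-user-pass), and remote-cert-tls server."""
import re

# Constructed sample of an exported Android profile; key material replaced by placeholders.
SAMPLE_OVPN = """\
client
remote louishomeserver.chickenkiller.com 1195 udp4
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA512
auth-user-pass
remote-cert-tls server
tun-mtu 1200
mssfix 1160
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT-PEM
</cert>
<key>
PLACEHOLDER-CLIENT-KEY-PEM
</key>
<tls-auth>
PLACEHOLDER-TLS-AUTH-KEY
</tls-auth>
"""

WANT_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"


def parse_ovpn(text):
    """Split a profile into directives ({name: [args, ...]}) and inline <tag> blocks."""
    directives, inline = {}, {}
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if current is not None:           # inside an inline <tag> ... </tag> block
            if line == f"</{current}>":
                inline[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def first_arg(directives, name, default=None):
    """First argument of the first occurrence of a directive, or default."""
    occ = directives.get(name)
    return occ[0][0] if occ and occ[0] else default


def audit_profile(text, expected_port="1195"):
    """Return a list of findings; an empty list means the profile matches the guide."""
    d, inline = parse_ovpn(text)
    findings = []
    if "remote" not in d:
        findings.append("no remote directive")
    for args in d.get("remote", []):      # remote <host> [port] [proto]
        port = args[1] if len(args) > 1 else "1194"        # OpenVPN's default port
        proto = args[2] if len(args) > 2 else first_arg(d, "proto", "udp")
        if port != expected_port:
            findings.append(f"remote port {port}, expected {expected_port}")
        if not proto.startswith("udp"):
            findings.append(f"remote protocol {proto} is not UDP")
    # Data-channel crypto and MTU tuning must match the server configuration.
    if first_arg(d, "data-ciphers") != WANT_CIPHERS:
        findings.append("data-ciphers does not match the server's priority list")
    if first_arg(d, "auth") != "SHA512":
        findings.append("auth digest is not SHA512")
    for name, want in (("tun-mtu", "1200"), ("mssfix", "1160")):
        if first_arg(d, name) != want:
            findings.append(f"{name} is {first_arg(d, name)}, expected {want}")
    # The private key is in the file, so the file alone must not open the door.
    if "key" in inline and "auth-user-pass" not in d:
        findings.append("embedded <key> without auth-user-pass: the file alone grants access")
    if "tls-auth" not in inline and "tls-crypt" not in inline:
        findings.append("no tls-auth/tls-crypt key: TLS Authentication is not in effect")
    # Refuse a peer that presents a user certificate instead of a server certificate.
    if first_arg(d, "remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server'")
    return findings


if __name__ == "__main__":
    print(audit_profile(SAMPLE_OVPN) or "profile matches the guide's settings")
```

Run it against the real file on the machine it was exported to, before it goes anywhere near the phone; a finding about <code>auth-user-pass</code> or <code>remote-cert-tls</code> means the server or export settings need fixing, not the phone.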
Plus, you’ll have the satisfaction of knowing you’ve set things up properly.

<span id="edit-settings-on-openvpn-android-application"></span>
==== 4.3 Edit Settings on OpenVPN Android Application ====

# Open the OpenVPN Connect application.
# Go to the three lines in the upper left corner and tap '''Settings'''.
# Scroll down to '''Advanced Settings'''.
# Switch security level from “legacy” to “preferred”.
# Uncheck '''“DNS fallback”'''.

<blockquote>'''NOTE:''' Disabling “DNS fallback” keeps the VPN connection from going back to using non-ad-blocking (and usually Google) DNS when something fails. When your setup breaks, I want you to KNOW, by way of it not working. I don’t want it to training-wheels you back to a working setup using Google’s DNS.</blockquote>

You now have an OpenVPN server on '''pfSense''' you can connect to from anywhere in the world; your Android device will have all its traffic routed through the VPN. You’ll fully benefit from '''pfBlockerNG'''’s ad-blocking via IP blocking and DNS domain name blocking when you’re logged in through the VPN, and you’ll have access to all of the services we will be setting up for calendar, contacts, email, backup, office, home automation & surveillance, business phone, password management & more.

<span id="ipv4-vs-ipv4ipv6-vpn-nightmares"></span>
== IPv4 vs IPv4+IPv6 & VPN nightmares: ==

Choosing IPv4 + IPv6 can cause issues. I’ve seen this cause random disconnects after about 10 minutes of connection that are miserable to figure out. In my case, I am combining two of the worst things in the world: American residential cable broadband & T-Mobile on a [https://9to5google.com/2021/11/17/pixel-6-modem-analysis/ Pixel phone]. I lose 5G when I walk under a tree, and my internet goes down more often than yours.

<span id="why-using-ipv4-ipv6-with-openvpn-for-this-setup-is-discouraged."></span>
== Why using IPv4 & IPv6 with OpenVPN for this setup is discouraged. ==

Enabling both IPv4 and IPv6 may be the way to go for enterprise class connections. If you’re reading this, you might be stuck on horrible residential broadband & unable to pick a better ISP. In these environments, the 1% benefit IPv6 enables

# '''NAT64/DNS64 Compatibility Issues''': Mobile networks often use NAT64/DNS64 for IPv6-only networks. This can clash with your VPN’s IPv6 routing, causing random failures.
# '''Path MTU Discovery (PMTUD) Quirks''': IPv6 relies heavily on PMTUD. If there are issues along the path, you can have connectivity problems that are hard to diagnose.
# '''ISP IPv6 Implementation''': Some ISPs (Spectrum) can have less-than-great IPv6 implementations. This can lead to unstable connections when you’re trying to use both IPv4 and IPv6.
# '''Dual-Stack Timeout Issues''': When both protocols are available, your devices might try connections on both. If IPv6 is unstable, you’ll experience timeouts and apparent connection failures. '''THIS MAKES UP FOR ANY & ALL POTENTIAL BENEFITS OF IPv6, WHICH YOU WILL NEVER NOTICE IN EVERYDAY USAGE.'''
# '''Carrier-Grade NAT (CGN) Interactions''': The interplay between CGN for IPv4 and IPv6 routing through your VPN can lead to connection state inconsistencies.

<span id="the-practical-solution"></span>
== The Practical Solution ==

You have two main options:

# '''Live In a Nightmare''': Dive deep into network engineering, potentially spend $150,000 backhauling fiber to your house to get around your [https://www.youtube.com/watch?v=vbHqUNl8YFk&t=37s horrible cable company].
# '''A Practical Approach''': Click “IPv4 only” in OpenVPN server settings.

Option #1 can gargle my balls.

<span id="setting-up-pfblockerng-for-ad-blocking-in-pfsense"></span>