To configure your OPNsense firewall as a PrivateVPN client for Android devices, begin by establishing an OpenVPN client instance. Navigate to VPN > OpenVPN > Clients and add a new client. Essential settings include:
Description: A descriptive name, e.g., "PrivateVPN-Android".
Server host or address: Obtain this from PrivateVPN. It will be an address like se-sto-wg-001.pvdata.host.
Server port: Typically 1194 for UDP or 443 for TCP. Consult PrivateVPN documentation.
Protocol: UDP is generally faster, but TCP can be more reliable in restrictive networks.
Device mode: tun is typically used.
TLS Configuration: Enable.
TLS Authentication: Set to "Authenticate Server".
Peer Certificate Authority: Import the PrivateVPN CA certificate (available from PrivateVPN's website).
Client Certificate: None (unless PrivateVPN specifies certificate-based authentication).
Client Key: None (unless PrivateVPN specifies certificate-based authentication).
Encryption algorithm: AES-256-CBC or AES-256-GCM are good choices.
Auth digest algorithm: SHA512.
Username: Your PrivateVPN username.
Password: Your PrivateVPN password.
Compression: lzo, if supported by PrivateVPN.
Custom options: Add persist-key and persist-tun to improve stability. Also, add fast-io for performance improvements, if your hardware supports it.
Gateway Creation: Enable.
After saving, ensure the OpenVPN client is enabled.
Next, configure routing to direct Android device traffic through the PrivateVPN tunnel. This involves setting up firewall rules and NAT.
Firewall Rule (LAN): On your LAN interface, create a new rule to direct traffic from your Android device(s) to the PrivateVPN gateway.
Action: Pass.
Interface: LAN.
Address Family: IPv4.
Protocol: Any.
Source: Single host or Alias containing the IP address(es) of your Android device(s).
Destination: Any.
Gateway: The PrivateVPN gateway created in the previous step (e.g., OVPN_VPNV4).
NAT Outbound Rule: Create a new NAT outbound rule to masquerade traffic originating from the Android device(s) behind the PrivateVPN tunnel IP.
Interface: The interface associated with your PrivateVPN OpenVPN client (e.g., ovpnc1).
Address Family: IPv4.
Source: Network, specifying the IP address(es) of your Android device(s) (same as in the firewall rule).
Destination: Any.
Translation / target: Interface address.
DNS: To prevent DNS leaks, configure your Android devices to use the PrivateVPN DNS servers. You can either manually configure this on each device, or push the DNS settings through DHCP on your OPNsense LAN interface. The latter is recommended for ease of management. In OPNsense, navigate to Services > DHCPv4 > [Your LAN Interface] and specify the PrivateVPN DNS servers in the "DNS servers" field.
Implement a firewall rule that blocks all traffic from your Android device(s) if the PrivateVPN tunnel is down. This acts as a kill switch.
Kill Switch Rule (LAN): Create a new rule on your LAN interface that blocks all traffic from your Android devices except traffic destined for the PrivateVPN gateway.
Action: Block.
Interface: LAN.
Address Family: IPv4.
Protocol: Any.
Source: Single host or Alias containing the IP address(es) of your Android device(s).
Destination: Any.
Gateway: Default.
Log: Enabled (optional, for monitoring).
Place this rule above the "Pass" rule created in the routing section, so that when the PrivateVPN tunnel is down (and the gateway is therefore unreachable) all traffic from your Android device(s) is blocked.
After configuration, verify that your Android device is indeed routing traffic through the PrivateVPN tunnel. On your Android device, connect to your Wi-Fi network. Then, use a website like whatismyipaddress.com to check your public IP address. It should match the IP address of the PrivateVPN server you are connected to. Also, verify DNS leak protection by using a service like dnsleaktest.com. It should only show PrivateVPN's DNS servers. If your real IP address or other DNS servers are displayed, review your configuration for errors.
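The following script is an added fail-closed check for the kill-switch and verification steps above; it is not from the page, PrivateVPN or OPNsense. Run it from a host whose LAN address is in the Android alias (a laptop, or Termux on the phone) once with the tunnel up and once after disabling the OpenVPN client in OPNsense; the echo URL and both IP addresses are assumptions you replace with your own values.

```python
"""Check that policy-routed devices exit via PrivateVPN and fail closed.

Usage: python3 vpncheck.py up      (OpenVPN client enabled in OPNsense)
       python3 vpncheck.py down    (OpenVPN client disabled in OPNsense)
"""
import sys
import urllib.request

IP_ECHO_URL = "https://api.ipify.org"   # assumption: any plain-text "what is my IP" service
EXPECTED_VPN_IP = "203.0.113.10"         # placeholder: exit IP of your PrivateVPN server
WAN_IP = "198.51.100.7"                  # placeholder: your own ISP-assigned WAN address
TIMEOUT = 5                              # seconds before a probe counts as "no path"


def observe_public_ip(url=IP_ECHO_URL, timeout=TIMEOUT):
    """Return the public address the echo service sees, or None if nothing got through."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except OSError:  # URLError, connection refused and timeouts are all OSError
        return None


def verdict(tunnel_up, observed, expected_vpn_ip=EXPECTED_VPN_IP, wan_ip=WAN_IP):
    """Classify one observation; 'observed' is None when the probe never got an answer."""
    if tunnel_up:
        if observed == expected_vpn_ip:
            return "ok: traffic exits via PrivateVPN"
        if observed == wan_ip:
            return "leak: policy route or outbound NAT not applied, exiting via WAN"
        if observed is None:
            return "blocked while tunnel up: a block rule matches before the pass rule"
        return f"unexpected exit address {observed}: check gateway and NAT settings"
    # Tunnel deliberately down: the only acceptable outcome is no path at all.
    if observed is None:
        return "ok: kill switch holds, no path while tunnel down"
    if observed == wan_ip:
        return "leak: tunnel down but traffic exits via WAN"
    return f"unexpected exit address {observed} with tunnel down"


if __name__ == "__main__":
    state = sys.argv[1] if len(sys.argv) > 1 else "up"
    print(verdict(state == "up", observe_public_ip()))
```

Run the "down" pass only after confirming in OPNsense that the OpenVPN client is stopped, otherwise a cached tunnel session can mask a leak.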