OPNSENSE + NORDVPN + SHADOWSOCKS (ULTIMATE SECURITY)
I’m citizen in Egypt, and our ISP doing DPI over network and blocking a lot of content such as (Medium, Proxy Sites, VPN Sites, Torrent, etc) and perform throttling over some services like (Streaming, Games, etc).
I needed a way so i can access the web materials freely and privately without the ISP controlling my digital life, so i bought from 1.5 years a NordVPN service.
NordVPN normal VPN servers are not working with me cause they use standard OpenVPN and ISP is blocking it, but they offer a obfuscated version on OpenVPN designed for them only and these servers accessible from the NordVPN client app only.
So i need to install the client on each device i use (Mobile, PC, Laptop) while i’m in home network, and they offer only 6 concurrent devices connected to the NordVPN Network with same account.
I worked with that for 1.5 years but i wanted to elevate the security in the home network. i wanted to VPN the entire home devices over VPN, and it was clear to me that i need to make the home router act as the VPN gateway but my ISP router doesn’t support OpenVPN so i decided to give pfSense router/firewall a try and it was big failure cause pfSense is buggy.
After some research, i found another router/firewall software called OPNSense and after trying it i was very satisfied and it was more stable and user friendly than pfSense.
I configured it with NordVPN and i started to connect to NordVPN from the firewall and it was a big failure cause the OpenVPN traffic was not obfuscated (NordVPN standard servers), so back to the same problem again.
I tried to contact NordVPN team but they couldn’t support me and i don’t blame them. they told me that the only recommended option is to use the NordVPN application on each device and use obfuscated servers.
But i’m a person who don’t quit easily, so after some research i found something called ShadowSocks or should i say “The Great Firewall of China pain in the ass software”, it’s opensource project to fight china firewall restrictions using SOCKS5 protocol as input and transmit encrypted data over TCP to another machine in the cloud and that makes the payload unknown to the local ISP cause the payload is encrypted and DPI can’t do anything about it.
There is another tools i discovered called Cloak on GitHub, it’s a promising tool also for fighting censorship but this tool utilize the HTTPS protocol standard and transmit data encrypted too like ShadowSocks. This tool is more powerful in nature cause blocking it mean that the ISP gonna block the HTTPS traffic and that could cause global internet failure for the ISP, but this tool not supported in OPNSense by default and it needed more technical part on the Firewall OS level. In this article i won’t discuss Cloak, only will discuss ShadowSocks.
I gave it a try without VPN and i was impressed, it bypassed the censorship without VPN, but ShadowSocks don’t give you privacy over internet, it’s only a way to bypass censorship.
So my idea was what if i merged ShadowSocks [Bypassing Capablities] with NordVPN [Security & Privacy] on OPNSense. Would it bypass ISP and connect to the normal standard OpenVPN servers provided by NordVPN.
I bought a cheap ShadowSocks server over cloud (Linode) and configured my firewall and VPN to connect to that server using ShadowSocks client on the firewall.
After giving it a try all the night, i found that it was successful try and i could connect to NordVPN standard server and i discovered that ShadowSocks is lightweight so it didn’t affect my bandwidth performance with NordVPN much. Only the cloud VPS bandwidth could affect the traffic cause you route your traffic though this server but Linode network is very good for me until now.
May be the ISP still can do throttling over the encrypted data or may be not, this need someone with high speed subscription to test but at least we are free and private from it.
After this long story i will explain In this article the technical steps to help anyone facing the same problem and for the good of humanity at the end we all concerned these day with our freedom and privacy over the Internet which called by physicists a (Type 1 Civilization Communication System).
- Download OPNSense
- Buy NordVPN Subscription (3$/Month)
- Buy Linode ShadowSocks VPS (Marketplace) (5$/Month)
- Download OPNSense (DVD, AMD64).
- Create a virtual machine or use physical machine and follow this user-manual for installation & configuration.
Note: OPNSense network configuration may differ between each and every network topology so understand the manual and configure the WAN & LAN as you prefer.
- Disable DHCP on your primary router and enable it on OPNSense using this manual.
- Now you are connected to the internet throw the OPNSense firwall directly. Next step is to install ShadowSocks.
- Goto System => Firmware => Plugins => Install “os-shadowsocks” from (+) icon in the right panel [Check this GIF for details].
- After installing ShadowSocks client plugin, you need to buy a VPS machine with ShadowSocks server on the cloud, for that you can use Linode cloud, after registration you will start creating Linux machine with ShadowSocks server on it from the Markerplace templates they have and it’s an easy process really.
- Enter the Linode template configurations like “ShadowSocks password”, “Linux machine root password”, “Datacenter location”, etc and press Create. [check the next GIF for demonstration]
Note: Linode cloud offer multiple plans (affect CPU,RAM,Traffic Quota, Inbound/Outbound Traffic Bandwidth) so choose what you need. the lowest price shared plan (5$) is very good plan and can meet a personal/home traffic needs.
- Now you have operational ShadowSocks server and you can get the IP of the machine from here.
- Before continue in the configuration, try first to ping that IP and make sure that connection is stable from your side [Use PingPlotter for best anaylsis].
- Now lets configure the OPNSense server ShadowSocks client to use that server.
- Goto Services => ShadowSocks => Local to configure the ShadowSocks client. (Like in down GIF)
- Enable ShadowSocks Local : Checked
- Server Address: Linode server IP
- Server Port: 8000
- Password: Linode ShadowSocks server password
- Local Address: 127.0.0.1
- Port: 1080
- Cipher: aes-256-cfb
- Now you have an online ShadowSocks connection but still not used in the firewall yet, but you can use it as a SOCK5 proxy server from your machines in the network.
- Let’s start configure NordVPN on the firewall to use that proxy and tunnel throw it.
- First you have to buy NordVPN subscription after that you can use this standard manual from NordVPN to configure your firewall with them.
Important Note: use the OpenVPN TCP4 configuration from NordVPN manual not UDP4 cause ShadowSocks don’t work with UDP.
- The standard manual don’t have a configuration about connecting to proxy server so i will add another step related to this screenshot from the standard manual.
- Add in the end of this part in the advanced box this line
socks-proxy 127.0.0.1 1080;
- This line will tell the VPN client to connect throw the ShadowSocks client you have on the firewall.
Important Note: make sure that in the VPN gateway to configure [Disable Gateway Monitoring = Checked] cause this is a virtual network gateway for the VPN (You gonna understand this line after doing the configuration from NordVPN standard manual) [Check below image].
- Last step, goto Interfaces => WAN and uncheck “Block private networks” cause this feature will make the VPN connection unstable because these firewall rules block the VPN traffic every period of time and makes the VPN client restart again.
- After that restart the firewall from Power=>Reboot in the WebUI.
- Now you can check that your are VPN protected from these sites
- Try this sites from your PC, Mobile to make sure all the devices is tunneled throw the firewall.
Note: you can choose the best NordVPN server near to you from this tool and if you faced any problem with this VPN server you can choose another one, until you find the best for you.
Feel free to contact me to exchange knowledge about another ideas in this area so i could enhance this post or release upcoming posts related to this subject.
Enjoy the ultimate security on the Internet. (RoofMan)