Host-to-LAN (OpenVPN) drop in replacement from ZeroShell to OPNsense

Due to the lack of IPv6 support in ZeroShell I’ve recently had to move over to a different routing operating system.

My setup is fairly complex with lots of needs:

-The ability to tcpdump
-Failover and routing rules for multiple internet connections
-VPN hosting for me to get into my network remotely and site-to-site to access remote LANs.
-Multiple IPs per LAN interface
-A mix of NAT and PPPoE routed subnets.
-Requirement to be able to “intercept” and give my own responses to DNS zones and hosts.
-QoS to prevent a single device on the network causing my internet to perform badly.
-NTP Server
-Bandwidth reporting globally and per device.

Lots of you may be saying “just do NTP on a linux machine” or similar.. which I could do. But it is nice to have all of the above in a single system. My previous ZeroShell setup does that.

After a bit of hunting around it looked like OPNsense is a suitable replacement.

This specific article is about what you need to set on OPNsense to allow windows based OpenVPN TAP clients to connect to your new OPNsense without needing to upgrade their configuration.
I use only user and password authentication so things may be different if you use Certificate Authentication for users.

To start – on your ZeroShell machine take a copy of the certificate and private key for the certificate authority:

root@zeroshell ssl> cat /Database/etc/ssl/certs/cacert.pem




root@zeroshell ssl> cat /Database/etc/ssl/private/cakey.pem



On OPNsense go to System.. Trust .. Authorites. Click on Add.
Give the Trust Authority a name and paste in the certificate data (the “cacert.pem” content) and the private key box (“cakey.pem” content).

To find the serial number for next certificate go to your ZeroShell web interface and then “X.509 CA”. Look at the Serial column and find the highest used number and add one. On my system it was 8, so on OPNsense I put in 9.

Click Save on OPNsense.
In the Trust menu on OPNsense. Click on Certificates. Click on Add.
Change the Method to “Create an internal Certificate”.
In the Name type in whatever you want. Make sure you select “Type” to be “Combined client/server certificate”.
Fill in the Sate, City, Organisation etc.. and click Save.

Now go to VPN on the left menu of OPNsense then to OpenVPN.
Click Servers. Click Add. Type in any description you like.
In Server Mode select “Remote Access ( User Auth )”
Backend for authentication needs to be “Local Database”.
On Protocol I had to select UDP4 as otherwise it seemed to automatically only listen on IPv6.
Make sure Device Mode is “TAP” as this is the old style connection that ZeroShell used. Make sure your Interface to listen for connections on is selected correctly and the Local port is the same as you used on ZeroShell.

Un-tick “TLS Authentication // Enable authentication of TLS packets.”

In the Peer Certificate Authority select the one you imported from your ZeroShell in the first step where you copy and pasted the pem files.

In Server Certificate click and select the certificate you created rather than “Web GUI SSL”.

In the “IPv4 Tunnel Network” box type in “” if you use the default ZeroShell setup.. otherwise just copy the IP range you use in the ZeroShell “Client IP Address Assignment” box on the “Host-to-LAN” Screen. You may need to ask someone for help converting it from a “from IP to IP” range to CIDR notation.

In the “IPv4 Remote Network” box type in: “”

In the “Compression” drop down make sure it is selected on “Enabled without Adaptive Compression”.

On my setup I made sure “Dynamic IP” and “Address Pool” were ticked.. I’m not sure if either help so if you know better than I do – make sure you select what you think is best and also leave me a comment.

I ticked “DNS Servers” and typed in the first IP within the “IPv4 Tunnel Network” range.. in the default setup this would be “” for “Server #1”.

The screenshot below shows my setup – note that I use an unusual UDP port and most default setups will be on a port like 1194.

Once done you also need to make sure that your users exist in OPNsense under System, Access, Users. The root / administration user should also be able to connect anyway without adding any other users.

I expect your firewall will also need the inbound port adding for the OpenVPN server.


Hope this helps.. it was a lot of trial and error to get to this stage for me so documenting it will also help me in the future.


This entry was posted in Uncategorized. Bookmark the permalink.

Comment on this topic

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s