VPN Setup – Mobile

Preparation

For this guide, we assume:

  • You have already installed the latest version of Fortress Fire
  • Fortress Fire has been set up with at least a WAN interface and a LAN interface.
  • You are connected with your client device to the Fortress Fire server via its LAN interface during this guide
  • This installation of Fortress Fire is a fresh install
  • You already have a copy of Viscosity installed on your client device

Getting Started

First you need to log in to the Fortress Fire GUI from your client device connected to the LAN interface of the Fortress Fire server. Open a browser on your client and navigate to the IP address of the LAN interface of your Fortress Fire server (https://192.168.1.1 by default). You will need to log in. The default credentials are below, but you should have been prompted to change these to something personal when you installed Fortress Fire.

DNS Server

If you are using Fortress Fire as your router, you have most likely set up DNS already. However, if this is a fresh install, at the very least Fortress Fire needs to know where to forward DNS requests. We can set this up like so:

Click System > Settings > General on the left
In the DNS Servers section, set the first two DNS servers to 8.8.8.8 and 8.8.4.4 (Google DNS). If you want to use different DNS servers, feel free to use them here instead.
Set the Use Gateway drop down to your WAN interface for each entry.
Click Save at the bottom.
Next, we need to enable the DNS Forwarder so DNS requests sent directly to your Fortress Fire server are passed on to the DNS Servers you entered. To do this:

Click Interfaces > Unbound DNS > General.
On the new page, tick Enable Forwarding Mode
Ensure Enable DNS Resolver is also ticked

Click Save
A new blue box should appear up the top with an Apply changes button on the right, click this button.
Your Fortress Fire server should now be able to resolve DNS. You can test this by opening up a command prompt on Windows, or Terminal on Mac, and typing in nslookup google.com 192.168.1.1 where 192.168.1.1 is the IP address of your Fortress Fire server.


OpenVPN Wizard

An OpenVPN server can be set up for most use cases using the built-in Wizard.

Click VPN > OpenVPN > Servers on the left.
At the bottom of the new page, click the wand icon on the left of Use a wizard to setup a new server.
On the Authentication Type Selection page, ensure Type of Server is set to Local User Access and click Next.
We now need to create a Certificate Authority (CA).
Set the Description Name field to ‘Fortress Fire-CA’.
Leave the Key length at 2048 bit, and set the Lifetime to 3650
The remaining fields are to identify the server, set these appropriately for you.

Click Add new CA to continue.
On the Add a Server Certificate page, set the Descriptive name to server, leave the Key length at 2048 bit and set the Lifetime to 3650. The rest of the information should be pre-filled already.

Click Create new Certificate to continue.
The next page should be Server Setup, set the following:
Set Interface to WAN.
Ensure Protocol is UDP and Port is 1194.
Change DH Parameters Length to 2048 at minimum. If you are running on modern hardware, set this to 4096 (you will be waiting a long time if you are not).
Change Encryption Algorithm to ‘AES-256-CBC (256 bit key, 128 bit block)’
Change Auth Digest Algorithm to ‘SHA256 (256-bit)’ at minimum. If you are running on modern hardware, change this to ‘SHA512’ (you may have connection problems on older hardware).
In the Tunnel Network field, enter ‘10.0.8.0/24’
To allow access to machines on the local network, enter your local IP range in the Local Network setting. It will probably be something like 10.0.0.0/24.
Set the Compression to ‘Disabled’.
Set DNS Server 1 to 10.0.8.1.
If you entered an IP Range into Local Network to allow access to your local network, in the Advanced section all the way down the bottom, enter the following (10.0.0.0/24 should be replaced with what you entered in Local Network): push "route 10.0.0.0 255.255.255.0";
All other settings can be left as default. Click Next.
On the Firewall Rule Configuration, tick both the Firewall Rule and OpenVPN rule checkboxes and click Next. If you have a non-default setup, you will need to double check what is added at the end of the wizard.
You should now see ‘Your Configuration is now complete’. Congrats, we’re almost there!

Click Finish.

User Setup

By default, connecting to a Fortress Fire OpenVPN server requires both a user certificate and a username and password. This is good practice and we will use this default for each user that wants to connect. We need to create a user account for each person you want to allow access to your server. You can use existing users as well, but you will need to ensure a certificate is generated for them using the CA we created during the wizard.

Click System > Access > Users on the left.
Click the + (plus) down the bottom right of the Users page to add a new user.
Enter a Username, Password, and tick the box Click to create a user certificate further down.
Fill in any other fields you would like, but they are not required.
Click Save.
You will be taken to a Certificates page. Select ‘Create an internal Certificate’ in the Method drop down box. The page will re-arrange itself.
Ensure Certificate Authority is the name we created during the wizard which should be ‘Fortress Fire-CA’, and Type is ‘Client Certificate’.
Change Lifetime (days) to 3650.

Click Save.
You will be taken back to the Create User page, User Certificates should now have an entry, click Save down the bottom again.
A blue box should appear up the top with ‘The changes have been applied successfully.’. We have added a new user which we can now use.

Creating a Certificate for an Existing User
To create a certificate for an existing user:

Click System > Access > Users on the left.
Click the edit button (a pencil) next to the user.
Click the + (plus) under Name in the User Certificates field.
You will be taken to a Certificates page. Select ‘Create an internal Certificate’ in the Method drop down box. The page will re-arrange itself.
Ensure Certificate Authority is the name we created during the wizard which should be ‘Fortress Fire-CA’, and Type is ‘Client Certificate’.
Change Lifetime (days) to 3650.

Click Save.
You will be taken back to the Edit User page, User Certificates should now have an entry, click Save down the bottom again.
A blue box should appear up the top with ‘The changes have been applied successfully.’. The existing user now has a certificate and can be used to connect.

User Groups (Optional)
If you have users on your Fortress Fire server for various tasks that you do not want to have access to the VPN, you can create a user group to control access to your VPN Server. To create a group:

Click System > Access > Groups on the left.
Click the + (plus) down the bottom right of the Groups page to add a new group.
Set the Group Name to ‘VPN’, you can also set a Description you will recognise, something like ‘VPN Server access group’.
You can add users to the group now by clicking their name in the left list, then clicking the right arrow.
Click Save
Now we need to allow only this group access to the server. To do this:

Click VPN > OpenVPN > Servers on the left.
Click the edit button (pencil) next to your OpenVPN server.
Change the Enforce local group to ‘VPN’ (or what you named your VPN group if something different).
Scroll to the bottom and click Save.


Setting Up Viscosity

If you have made it this far, you should now be able to connect to your OpenVPN server, congratulations! We can now set up Viscosity.

Export Connection from Fortress Fire
First you will need to download the configuration from Fortress Fire. Fortress Fire makes this extremely easy by providing ready to go connections for various devices, including connections specifically prepared for Viscosity. To get to these:

Click VPN > OpenVPN > Client Export on the left.
Under Client Install Packages, click the Export drop down box next to the user you would like to export a configuration for, and select ‘Viscosity Bundle’. A .visz connection file will be downloaded.

Import Connection into Viscosity
The interface provided by the Mac and Windows versions of Viscosity is intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select ‘Preferences…’:

[Screenshots: Mac, Windows]

This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the ‘+’ button and select Import Connection > From File…:

Navigate to the location of the Viscosity configuration file and open it. You will see a pop up message to indicate that the connection has been imported.

Now double click on the connection in the Preferences window to bring up the connection settings. If you used the correct connection exported from Fortress Fire, all you need to do is change the connection name to something you will recognise, and double check the server address is correct. Save the connection and you should now be able to connect.
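Before trusting an imported connection, it is worth checking that the exported client config actually matches what the wizard was told (UDP 1194, AES-256-CBC, SHA256 or SHA512, compression disabled, certificate plus username/password) and that the push route line for your Local Network is well formed. The following is an added example, not code from Fortress Fire or Viscosity; it assumes the exported bundle contains a plain OpenVPN config with standard directives, and the hostname vpn.example.net and the config sample are constructed for illustration.

```python
import ipaddress

# Wizard settings from this guide; change "auth" to SHA512 if you chose that.
EXPECTED = {"port": "1194", "proto": "udp", "cipher": "AES-256-CBC", "auth": "SHA256"}

def parse_ovpn(text):
    """Map each directive to its argument lists; inline <ca>/<cert>/<key> blobs are skipped."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):  # <ca> opens a blob, </ca> closes it
            in_block = not line.startswith("</")
        elif not in_block:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def check_client_config(text, server_host):
    """List every way an exported client config differs from the wizard settings above."""
    d, problems = parse_ovpn(text), []
    remote = d.get("remote", [[]])[0]  # "remote host port [proto]"
    proto = remote[2] if len(remote) > 2 else d.get("proto", [["(missing)"]])[0][0]
    if remote[:2] != [server_host, EXPECTED["port"]]:
        problems.append("remote: " + (" ".join(remote) or "(missing)"))
    if proto != EXPECTED["proto"]:
        problems.append("proto: " + proto)
    for key in ("cipher", "auth"):
        value = d.get(key, [["(missing)"]])[0][0]
        if value != EXPECTED[key]:
            problems.append(f"{key}: {value}")
    if "comp-lzo" in d or "compress" in d:
        problems.append("compression is on, but the wizard set Compression to Disabled")
    if "auth-user-pass" not in d:
        problems.append("auth-user-pass missing: no username/password prompt, certificate only")
    return problems

def push_route_directive(local_network):
    """Build the Advanced-section line for your Local Network range, e.g. 10.0.0.0/24."""
    net = ipaddress.ip_network(local_network, strict=True)  # rejects 10.0.0.5/24 and similar typos
    return f'push "route {net.network_address} {net.netmask}";'

# Constructed sample of an exported client config (the CA blob is a placeholder, not a real cert).
SAMPLE = "\n".join(["remote vpn.example.net 1194 udp", "cipher AES-256-CBC", "auth SHA256",
                    "comp-lzo", "auth-user-pass", "<ca>", "PLACEHOLDER", "</ca>"])

if __name__ == "__main__":
    print(push_route_directive("10.0.0.0/24"))
    print(check_client_config(SAMPLE, "vpn.example.net"))
```

Run it against the config inside your downloaded .visz bundle (pass the file contents as `text`); an empty list means the export matches the wizard settings.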


Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.