• PfSense using a Road warrior certificate

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    6 Posts
    12k Views
    N

    Thank you for this guide; with your help I got things working on pfSense 2.0.1 with a few minor alterations, some of which are cryptodev/security/regulatory requirements based, some of which are specifically to require all OPT1 (wifi) traffic to flow over AES/SHA256 VPN (no exceptions), DNS included, and I deliberately use a ta_auth.key to increase security.

    Setting up your pfSense firewall - match the parms in the config files (*.ovpn)
      *** DO ENTER the interface for OpenVPN to LISTEN on
      *** DO NOT UNCHECK "Enable authentication of TLS packets."
      *** DO UNCHECK "Automatically generate a shared TLS authentication key" and instead paste in the contents of
            the file that build-ta.bat created
      *** DO CHECK "Redirect Gateway"
      *** DO LEAVE "Remote Network" blank - we're not doing a site-to-site VPN
      *** DO ENTER the maximum number of Concurrent Connections, if known
      *** DO NOT CHECK "Compression" unless you know you're going to be sending compressible data
              Note that remote desktop use is typically encrypted in and of itself, and is thus not compressible.
      *** ADD 'auth SHA256;push "redirect-gateway def1";push "dhcp-option DNS <openvpn listening ip addr>"' without the outer single quotes to the Advanced configuration, Advanced section at the bottom.
      ??? the redirect gateway may not be required if the checkbox is checked.

    Sample initial client1.ovpn (I'm still working on this - in particular, I'd like to get away from DHE entirely):

    client
    dev tun
    proto udp
    remote YourListeningInterfaceIPAddr 1194
    # ns-cert-type is a pre-2.0 way of making sure we're not being spoofed by a client acting as a server
    keepalive 5 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    ca ca.crt
    cert client1.crt
    key client1.key
    cipher AES-128-CBC
    auth SHA256
    tls-cipher DHE-RSA-AES128-SHA
    tls-auth ta_auth.key 1
    pull
    verb 3
    # run "client.up" to add necessary
    # DNS entries to resolv.conf
    #;up /home/user/openvpnclient/sample-config-files/client.up
    # run "client.down" to remove
    # resolv.conf entries when VPN
    # is disconnected
    #;plugin "/usr/lib/openvpn/openvpn-down-root.so" "/home/user/openvpnclient/sample-config-files/client.down"

    CopyClientConfigs.bat (select the files each client needs):

    md keys\client1
    del /q keys\client1\*
    copy keys\ca.crt keys\client1
    rem the shared TLS-auth key must be copied under the name client1.ovpn references ("tls-auth ta_auth.key 1")
    copy keys\ta_auth.key keys\client1
    copy keys\client1.crt keys\client1
    copy keys\client1.key keys\client1
    copy OpenVPNConfigFiles\client1.ovpn keys\client1

    build-ta.bat

    openvpn --genkey --secret keys\ta_auth.key

    build-key-pass.bat

    @echo off
    rem assumes vars.bat (called first by RunAll.bat) has set HOME, KEY_DIR and KEY_CONFIG
    cd %HOME%
    rem build a request for a cert; the lifetime is set by the "openssl ca" step below,
    rem since "req -new" ignores -days unless -x509 is given (9000 days is about 24.6 years, not ten)
    openssl req -days 9000 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 9000 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%\*.old

    And the simple RunAll.bat

    call vars.bat
    call build-ca.bat
    call build-key-server.bat server
    call build-key-pass.bat client1
    call build-ta.bat
    call CopyClientConfigs.bat
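    As an added example (not the poster's scripts), here is a small Python checker for the client-side settings the post insists on: tls-auth kept on with a key direction, server-certificate verification, auth SHA256 to match the server, and no compression. The configs it inspects are the client1.ovpn from the post re-typed with a documentation address in place of the listening interface, and a deliberately weakened copy constructed for contrast; both are embedded so it runs offline with the standard library only.

```python
"""Lint a client .ovpn for the hardening points made in the post above.

Added example, not from the original post. Uses only the standard library.
"""
import shlex

# The client1.ovpn from the post, with a placeholder for the listening address
# (198.51.100.10 is a documentation address, not the poster's).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 198.51.100.10 1194
keepalive 5 60
resolv-retry infinite
nobind
persist-key
persist-tun
;mute-replay-warnings
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
auth SHA256
tls-cipher DHE-RSA-AES128-SHA
tls-auth ta_auth.key 1
pull
verb 3
"""

# A constructed weak variant: no tls-auth, no server verification,
# default auth digest, compression on.
WEAK_OVPN = """\
client
dev tun
proto udp
remote 198.51.100.10 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
"""


def parse_ovpn(text):
    """Map each option name to a list of argument lists (options may repeat)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):       # ';' comments out a line in .ovpn
            continue
        parts = shlex.split(line, comments=True)   # '#' starts a trailing comment
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint_client_config(text):
    """Return a list of (severity, message); an empty list means every check passed."""
    opts = parse_ovpn(text)
    findings = []

    # 1. Control-channel HMAC (the "Enable authentication of TLS packets" box).
    if 'tls-auth' in opts:
        args = opts['tls-auth'][0]
        if len(args) < 2 and 'key-direction' not in opts:
            findings.append(('warn', 'tls-auth has no key direction; the client side should use 1'))
    elif 'tls-crypt' not in opts:
        findings.append(('fail', 'no tls-auth/tls-crypt: control channel accepts unauthenticated packets'))

    # 2. Server identity: without this any certificate the CA signed,
    #    another client's included, is accepted as the server.
    if 'remote-cert-tls' in opts and opts['remote-cert-tls'][0][:1] == ['server']:
        pass
    elif 'ns-cert-type' in opts and opts['ns-cert-type'][0][:1] == ['server']:
        findings.append(('info', 'ns-cert-type server is the legacy check; remote-cert-tls server is the current form'))
    else:
        findings.append(('fail', 'no server certificate verification (remote-cert-tls server)'))

    # 3. Data-channel HMAC must match the "auth SHA256" the post adds on the server.
    auth = opts.get('auth', [[]])[0]
    digest = auth[0].upper() if auth else 'SHA1 (default)'
    if digest != 'SHA256':
        findings.append(('warn', 'auth is %s; server is configured for SHA256' % digest))

    # 4. Compression: the post leaves it off.
    if 'comp-lzo' in opts or 'compress' in opts:
        findings.append(('warn', 'compression enabled; the post recommends leaving it off'))

    return findings


if __name__ == '__main__':
    for name, cfg in (('client1.ovpn', SAMPLE_OVPN), ('weak.ovpn', WEAK_OVPN)):
        print(name)
        for sev, msg in lint_client_config(cfg) or [('ok', 'all checks passed')]:
            print('  [%s] %s' % (sev, msg))
```

    Run it against an exported client profile before handing it out; the one "info" it reports for the post's own config is that ns-cert-type is the older spelling of the server-identity check, which the post itself notes.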
  • OPENVPN IS NOT WORKING IN BROADBAND CONNECTION ( WITHOUT STATIC IP )

    Locked
    0 Votes
    3 Posts
    2k Views
    M

    Static vs dynamic doesn't have anything to do with connection issues.

    1.  double check your server config and firewall rules
    2.  verify that the IP you THINK you have… matches what PFsense is pulling from the ISP... it is "dynamic" after all.
    3.  once you've verified which public IP is attached to PFsense, make sure your clients are connecting to the correct IP.

  • Issues with desired setup

    Locked
    0 Votes
    2 Posts
    2k Views
    M

    Considering the lack of details, all anyone can do is give you their best guess.  So here goes… looking at this line in your log:

    Thu May 03 22:15:48 2012 Warning: address 10.212.20.154 is not a network address in relation to netmask 255.255.255.248

    I'm guessing you either entered a host address instead of a network address or entered the wrong mask.  Re-visit your server config.
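    To make the guess above concrete, here is an added example (not from either poster) that reproduces OpenVPN's check on the quoted warning line: it parses the address and netmask out of the message, tests whether host bits are set, and returns the network address OpenVPN would accept. The log line is a copy of the one in the post; only the standard library is used.

```python
"""Check whether a --server address is a network address for its mask.

Added example, not from the post. OpenVPN emits the warning quoted above
when host bits are set in the address given to --server; this reproduces
that check and returns the address it should have been.
"""
import ipaddress
import re

# The warning line from the post (copied here for the demo).
LOG_LINE = ('Thu May 03 22:15:48 2012 Warning: address 10.212.20.154 is not a '
            'network address in relation to netmask 255.255.255.248')

WARNING_RE = re.compile(r'address (\S+) is not a network address in relation to netmask (\S+)')


def check_tunnel_network(address, netmask):
    """Return (ok, network), where network is the value OpenVPN expects, e.g. '10.212.20.152/29'."""
    iface = ipaddress.ip_interface('%s/%s' % (address, netmask))
    net = iface.network                      # host bits cleared
    ok = iface.ip == net.network_address
    return ok, str(net)


def diagnose(log_line):
    """Parse the OpenVPN warning and say what the tunnel network should be; None if it is not that warning."""
    m = WARNING_RE.search(log_line)
    if not m:
        return None
    address, netmask = m.groups()
    ok, net = check_tunnel_network(address, netmask)
    if ok:
        return '%s/%s is fine' % (address, netmask)
    return ('%s has host bits set for mask %s; the tunnel network is %s '
            '(enter that, or widen the mask if %s was meant to sit inside a larger pool)'
            % (address, netmask, net, address))


if __name__ == '__main__':
    print(diagnose(LOG_LINE))
```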

  • OpenVPN roadwarrior cant access LAN clients

    Locked
    0 Votes
    2 Posts
    2k Views
    C

    OK I was being an idiot. Pulled my hair out for ages changing openVPN settings and firewall rules. Why do I always start with the complicated issues and not go first to the easier most obvious. Turning off Windows firewall on the PC which I was trying to access.

    In case anyone stumbles across this with the same problem. I found with windows firewall enabled, XP PCs could be pinged, while windows 7 PCs could not. Therefore I changed the ICMP settings in the windows 7 firewall to allow incoming and outgoing packets from the subnet of the openVPN tunnel.

    I also had to do the same for both XP and win7 for SMB -> allow the openVPN tunnel subnet access. Now everything works as expected with windows firewall enabled ;D

  • OpenVPN to PIA (provider) without Private Key

    Locked
    0 Votes
    8 Posts
    7k Views
    K

    @elkmoose:

    As I said, here's my config file for my VPN host.  I hope it may help somebody else having difficulty connecting.  The file is located under /var/etc/openvpn and should have a name like "clientN.conf".  I did a "factory reset" on my box before setting this up, so it shouldn't be related to any other settings.  Since pfSense reports the connection as working, I'll consider this solved.  Unfortunately, if the VPN connection is active, my computers can't get out to browse the web or anything, neither through the WAN (as they do if I simply disable the OpenVPN rule) nor through the VPN (which as far as I know does nothing other than be connected when not disabled).

    I don't know if this is intended behavior or not.  It would make sense to block outgoing traffic if a VPN connection is active.  I know more needs to be done to send traffic through the VPN connection instead of the WAN connection.  My goal was first to see if I can connect to the VPN (yes), and then see if my regular network WAN access is still functioning (no).  It's easy enough to turn the VPN connection on and off as needed, but I hope this is the correct behavior.

    This guide seems to work just fine:
    https://www.privateinternetaccess.com/pages/client-support/#pfsense_openvpn

  • OPENVPN IS NOT WORKING IN BROADBAND CONNECTION ( WITHOUT STATIC IP )

    Locked
    0 Votes
    2 Posts
    977 Views
    M

    Static vs. dynamic IP's have nothing to do with your issue.

    Double check that your clients are connecting to the correct IP…. then double check your config and that you're allowing connections in the firewall.

  • 0 Votes
    4 Posts
    2k Views
    D

    I have the same problem?

  • Some users are unable to connect OpenVPN

    Locked
    0 Votes
    6 Posts
    7k Views
    T

    Some internal IT politics do not allow users to have admin rights.
    OpenVPN needs them to add routes in Windows 7 (doesn't relate to Win XP) or Vista, I think.

    Someone wrote to me from Italy; they had to:

    open UDP port 1194 in their main company firewall, and add a .BAT script manually adding routes (as temporary) since the user does not have admin rights on his laptop.
    Then it worked.

    Some public internet access sites, like airports, also do not allow VPN traffic. Then You have to use port forwarding instead.

    Remember, You are not limited to a single VPN solution.
    If You have for example Windows 2008 Server, You can use its internal PPTP VPN solution also with pfSense and both will work.

  • Need to add user to Admin group for OpenVPN to work

    Locked
    0 Votes
    4 Posts
    3k Views
    T

    I can confirm it's not needed.
    I never assign the admin group to anyone, except IT staff.
    You can just create a separate certificate for every user.

    [image: pfsense-users.png]

  • [PfSENSE-2.0.1] openVPN Site to Site, with multi client

    Locked
    0 Votes
    8 Posts
    11k Views
    _

    Hi,

    After a lot of tests, I can't find my solution.

    So I decided to burn everything and start again…

    And.. surprise! everything works ... :)

    I think that I had problems with my certificate.

    Now it's all good.

  • OpenVPN Client Export with OpenVPN MI

    Locked
    0 Votes
    2 Posts
    1k Views
    jimpJ

    We currently use a custom build of the Windows OpenVPN client that fully supports IPv6. If/when that client is based on a version of OpenVPN (2.3 I think?) that also fully supports IPv6, we could consider changing.

  • PfSense 2.0.1 - OpenVPN tap/bridging mode issues

    Locked
    0 Votes
    2 Posts
    7k Views
    jimpJ

    Can you show your client config file?

    Also from the pfSense side, the output of "ifconfig -a" and perhaps the config from /var/etc/openvpn/ for this server.

    The code is better on 2.1 for tap bridging (though bridging in general is broken there at the moment) but I made the tap fix package to backport most of the good bits. I've installed it several times and had it working.

    Also, if you are not giving DHCP from the OpenVPN instance on pfSense (your server bridge start/end boxes are blank) it will try to get DHCP from the DHCP server on your LAN1 interface. Trying to pass DNS servers and a default domain may be conflicting with that. Either fill in a Server Bridge DHCP Start/End box, or clear out the search domain and DNS server.

  • OpenVPN provider - redirect gateway

    Locked
    0 Votes
    2 Posts
    3k Views
    W

    I believe this is your problem.

    http://forum.pfsense.org/index.php/topic,8773.0.html

    You need to use Advanced outbound NAT.  (Manual NAT).

    And make an entry under the Firewall > NAT > Outbound which lists your openvpn client subnet as the source, to destinations that you specify, for example, any destination.

    If its not AON, then check the OpenVPN tab under: Firewall -> Rules and make sure that the source openvpn network in question can talk to for example, anything, or ! Local Subnet (not the local subnet but anything else).

    An example of a firewall rule for the OpenVPN tab:

    Proto  Source       Port  Dest.  Port  GW  Queue
    *      openvpn net  *     *      *     *   none

    @wanie:

    Hi

    I am trying to route all my LAN traffic through an openVPN provider like perfect-privacy.
    To me it looks like there is something blocking the traffic through this tunnel.

    If I connect with the openVPN client I can't open any website.
    Anyway I can't ping any public domain or IP, but DNS works.
    If I ping google.com I see the resolved IP but get no ping answer.

    I already tried to play around with the AON settings but no luck.

    Here is the openVPN log:

    Feb 5 18:55:04 openvpn[25458]: real_hash_size = 256
    Feb 5 18:55:04 openvpn[25458]: virtual_hash_size = 256
    Feb 5 18:55:04 openvpn[25458]: client_connect_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: learn_address_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: client_disconnect_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: client_config_dir = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: ccd_exclusive = DISABLED
    Feb 5 18:55:04 openvpn[25458]: tmp_dir = '/tmp'
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_defined = DISABLED
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_local = 0.0.0.0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_remote_netmask = 0.0.0.0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_defined = DISABLED
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_local = ::/0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_remote = ::
    Feb 5 18:55:04 openvpn[25458]: enable_c2c = DISABLED
    Feb 5 18:55:04 openvpn[25458]: duplicate_cn = DISABLED
    Feb 5 18:55:04 openvpn[25458]: cf_max = 0
    Feb 5 18:55:04 openvpn[25458]: cf_per = 0
    Feb 5 18:55:04 openvpn[25458]: max_clients = 1024
    Feb 5 18:55:04 openvpn[25458]: max_routes_per_client = 256
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script_via_file = DISABLED
    Feb 5 18:55:04 openvpn[25458]: ssl_flags = 0
    Feb 5 18:55:04 openvpn[25458]: port_share_host = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: port_share_port = 0
    Feb 5 18:55:04 openvpn[25458]: client = ENABLED
    Feb 5 18:55:04 openvpn[25458]: pull = ENABLED
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_file = '/conf/perfect-privacy.pas'
    Feb 5 18:55:04 openvpn[25458]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Feb 5 18:55:04 openvpn[25458]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
    Feb 5 18:55:04 openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
    Feb 5 18:55:04 openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 5 18:55:04 openvpn[25458]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 5 18:55:04 openvpn[25458]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
    Feb 5 18:55:04 openvpn[25458]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:04 openvpn[25458]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:04 openvpn[25458]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Feb 5 18:55:04 openvpn[25458]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 5 18:55:04 openvpn[25458]: RESOLVE: NOTE: moscow.perfect-privacy.com resolves to 3 addresses
    Feb 5 18:55:04 openvpn[25458]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Feb 5 18:55:04 openvpn[25458]: Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Feb 5 18:55:04 openvpn[25458]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Feb 5 18:55:04 openvpn[25458]: Local Options hash (VER=V4): 'ed844052'
    Feb 5 18:55:04 openvpn[25458]: Expected Remote Options hash (VER=V4): '8a244582'
    Feb 5 18:55:04 openvpn[25739]: UDPv4 link local (bound): [AF_INET]192.168.178.22:50013
    Feb 5 18:55:04 openvpn[25739]: UDPv4 link remote: [AF_INET]192.162.100.209:1149
    Feb 5 18:55:05 openvpn[25739]: TLS: Initial packet from [AF_INET]192.162.100.209:1149, sid=0dffcb99 ea51437a
    Feb 5 18:55:05 openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=1, /C=NZ/ST=Glenside/L=Wellington/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppca/emailAddress=admin@perfect-privacy.com
    Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=0, /C=NZ/ST=Glenside/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppserver/emailAddress=admin@perfect-privacy.com
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1562'
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:18 openvpn[25739]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
    Feb 5 18:55:18 openvpn[25739]: [ppserver] Peer Connection Initiated with [AF_INET]192.162.100.209:1149
    Feb 5 18:55:20 openvpn[25739]: SENT CONTROL [ppserver]: 'PUSH_REQUEST' (status=1)
    Feb 5 18:55:21 openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.0.16.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.16.14 10.0.16.13'
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: route options modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 5 18:55:21 openvpn[25739]: ROUTE default_gateway=192.168.178.1
    Feb 5 18:55:21 openvpn[25739]: TUN/TAP device /dev/tun3 opened
    Feb 5 18:55:21 openvpn[25739]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Feb 5 18:55:21 openvpn[25739]: /sbin/ifconfig ovpnc3 10.0.16.14 10.0.16.13 mtu 1500 netmask 255.255.255.255 up
    Feb 5 18:55:21 openvpn[25739]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1557 10.0.16.14 10.0.16.13 init
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 192.162.100.209 192.168.178.1 255.255.255.255
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 0.0.0.0 10.0.16.13 128.0.0.0
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 128.0.0.0 10.0.16.13 128.0.0.0
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 10.0.16.1 10.0.16.13 255.255.255.255
    Feb 5 18:55:21 openvpn[25739]: Initialization Sequence Completed

    These are my routes before the openVPN connection is active:

    Destination        Gateway             Flags  Refs  Use      Mtu    Netif  Expire
    default            192.168.178.1       UGS    0     537611   1500   vr1
    127.0.0.1          link#5              UH     0     1009     16384  lo0
    192.168.1.0/24     link#1              U      0     8769280  1500   vr0
    192.168.1.1        link#1              UHS    0     0        16384  lo0
    192.168.178.0/24   link#2              U      0     1        1500   vr1
    192.168.178.1      00:0d:b9:23:01:1d   UHS    0     88556    1500   vr1
    192.168.178.22     link#2              UHS    0     0        16384  lo0

    Here the routes after initializing the tunnel:

    Destination        Gateway             Flags  Refs  Use      Mtu    Netif   Expire
    0.0.0.0/1          10.0.16.73          UGS    0     177      1500   ovpnc3  =>
    default            192.168.178.1       UGS    0     538564   1500   vr1
    10.0.16.1/32       10.0.16.73          UGS    0     0        1500   ovpnc3
    10.0.16.73         link#11             UH     0     0        1500   ovpnc3
    10.0.16.74         link#11             UHS    0     0        16384  lo0
    95.128.242.224/32  192.168.178.1       UGS    0     59       1500   vr1
    127.0.0.1          link#5              UH     0     1027     16384  lo0
    128.0.0.0/1        10.0.16.73          UGS    0     154      1500   ovpnc3
    192.168.1.0/24     link#1              U      0     8770408  1500   vr0
    192.168.1.1        link#1              UHS    0     0        16384  lo0
    192.168.178.0/24   link#2              U      0     1        1500   vr1
    192.168.178.1      00:0d:b9:23:01:1d   UHS    0     88678    1500   vr1
    192.168.178.22     link#2              UHS    0     0        16384  lo0

    Has anybody experience with problems like this?
    I am thankful for every hint in the right way!
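    The reply above points at outbound NAT for the OpenVPN interface. As an added example (not from either poster), the script below reads the routing table the original poster printed after the tunnel came up, does a longest-prefix lookup for a few destinations, and shows that every public destination now leaves via ovpnc3 while only the one /32 host route still goes out vr1. It also pulls the security-relevant WARNING lines out of the posted client log, separating them from the MTU and option-mismatch warnings. Route rows and log lines are copied from the post into Python literals; nothing is queried live, and 198.51.100.7 is a documentation address chosen for the demo.

```python
"""Longest-prefix lookup over the routing table posted above, plus a scan of
the posted OpenVPN log for its security warnings.

Added example, not from the post. Standard library only.
"""
import ipaddress

# Destination, gateway and interface columns of the "after" table from the post.
ROUTES_AFTER = [
    ('0.0.0.0/1',         '10.0.16.73',    'ovpnc3'),
    ('default',           '192.168.178.1', 'vr1'),
    ('10.0.16.1/32',      '10.0.16.73',    'ovpnc3'),
    ('10.0.16.73',        'link#11',       'ovpnc3'),
    ('10.0.16.74',        'link#11',       'lo0'),
    ('95.128.242.224/32', '192.168.178.1', 'vr1'),
    ('127.0.0.1',         'link#5',        'lo0'),
    ('128.0.0.0/1',       '10.0.16.73',    'ovpnc3'),
    ('192.168.1.0/24',    'link#1',        'vr0'),
    ('192.168.178.0/24',  'link#2',        'vr1'),
]

# Lines from the posted client log (timestamps trimmed, copied for the demo).
LOG_EXCERPT = """\
openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[25458]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[25739]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1562'
openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,ifconfig 10.0.16.14 10.0.16.13'
"""

SECURITY_MARKERS = (
    'No server certificate verification method',   # any cert the CA signed is accepted as the server
    'is group or others accessible',               # credential file readable by other local users
    'may cache passwords in memory',               # fixed with auth-nocache
)


def lookup(routes, destination):
    """Longest-prefix match: return (gateway, netif), or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, gw, netif in routes:
        net = ipaddress.ip_network('0.0.0.0/0' if dest == 'default' else dest, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, netif)
    return None if best is None else (best[1], best[2])


def egress_interfaces(routes, destinations):
    """Map each destination to the interface it leaves on (the table has a default route)."""
    return {d: lookup(routes, d)[1] for d in destinations}


def security_warnings(log_text):
    """Return the log lines that flag a security problem, not MTU or option mismatches."""
    return [line for line in log_text.splitlines()
            if 'WARNING' in line and any(m in line for m in SECURITY_MARKERS)]


if __name__ == '__main__':
    targets = ['8.8.8.8', '198.51.100.7', '192.168.1.50', '95.128.242.224']
    for dst, netif in egress_interfaces(ROUTES_AFTER, targets).items():
        print('%-16s -> %s' % (dst, netif))
    for line in security_warnings(LOG_EXCERPT):
        print(line)
```

    The two /1 routes are what "redirect-gateway def1" installs: together they cover all of IPv4 and beat the /0 default without deleting it. So a LAN host on 192.168.1.0/24 now exits ovpnc3 with its private source address, and the provider drops or cannot return that traffic unless an outbound NAT entry on the OpenVPN interface translates it, which is exactly the manual NAT rule the reply describes. The three warnings the scan keeps are worth fixing independently of the routing problem: the missing server verification is the one that allows impersonation of the provider's endpoint.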

  • Need some help!

    Locked
    0 Votes
    6 Posts
    4k Views
    C

    Either you didn't create a certificate for that client, or the certificate you created is on the wrong CA.

  • OpenVPN and CARP/VIP problem

    Locked
    0 Votes
    2 Posts
    1k Views
    C

    don't double post.

  • Establish OpenVPN connection temporarily, then disconnect at a given time

    Locked
    0 Votes
    8 Posts
    4k Views
    W

    if I turn the interface off via: ifconfig (vpn interface) down

    PID stays on.  The service itself doesn't report any type of error in any of the logs that I can see… (system logs, status).  So OpenVPN doesn't seem concerned about the interface status.

    when i do: ifconfig (vpn interface) up

    the connection is back up.  This could work well too, it seems, but I can't really see a true status unless I do a ping test, or do an ifconfig to see the "UP" flag on the interface, or no "UP" flag.

    I feel like it's a toss-up as far as purpose.  Maybe one is cleaner than the other.

    @wm408:

    Good question.  I am not sure if the pid stays open while the interface is off.  But I will test it.

    @jamesc:

    Couldn't you just bring the openvpn interface up/down on a cron job using the ifconfig command?

  • OpenVPN: Hulu and Pandora

    Locked
    0 Votes
    8 Posts
    5k Views
    _Adrian__

    @cmb:

    You don't use the wizard to connect to someone else's server. You'll have to import their CA cert, the user cert and key they give you, and then configure a client (VPN>OpenVPN, Client) to connect to them with the parameters they provide.

    I did use the Cert issued by the PrivateTunnel and set it up according to the instructions given by them.
    I never set up OpenVPN or used it before.
    So for me it's like stumbling in the dark…
    That's why I'm here!

  • Point to Point Packet loss

    Locked
    0 Votes
    5 Posts
    2k Views
    M

    There was a duplex mismatch as well.  Got that corrected too.  Between that and the limiter the loss is much better (max of 1.6% during heavy traffic).

  • Add a gateway outside the current subnet interface ?

    Locked
    0 Votes
    7 Posts
    3k Views
    N

    Perfect, it works like a charm  8)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.