• Routing PIA VPN to select devices on LAN

    42
    0 Votes
    42 Posts
    85k Views
    M
    Glad to help you! I don't think you need to change anything.
  • Can't route network through VPN without reboot

    3
    0 Votes
    3 Posts
    841 Views
    A
    These are P2P connections and I have the network specified in the remote networks of the main firewall. Also the route appears in both the main firewall and my remote client firewall. I can also try adding push route to the advanced options and will get the same result.
  • Site to site - no access to subnets behind client endpoint

    3
    0 Votes
    3 Posts
    853 Views
    B
    Tried a reboot, but no change… From the pfsense:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpns5, link-type NULL (BSD loopback), capture size 65535 bytes
    22:06:25.727660 IP 172.16.254.21 > 172.16.101.16: ICMP echo request, id 25565, seq 7, length 64
    22:06:26.727671 IP 172.16.254.21 > 172.16.101.16: ICMP echo request, id 25565, seq 8, length 64
    22:06:27.727676 IP 172.16.254.21 > 172.16.101.16: ICMP echo request, id 25565, seq 9, length 64
    22:06:28.727686 IP 172.16.254.21 > 172.16.101.16: ICMP echo request, id 25565, seq 10, length 64
    22:06:32.620809 IP 172.16.254.21 > 192.168.73.2: ICMP echo request, id 25566, seq 1, length 64
    22:06:32.920929 IP 192.168.73.2 > 172.16.254.21: ICMP echo reply, id 25566, seq 1, length 64
    22:06:33.621049 IP 172.16.254.21 > 192.168.73.2: ICMP echo request, id 25566, seq 2, length 64
    22:06:33.921304 IP 192.168.73.2 > 172.16.254.21: ICMP echo reply, id 25566, seq 2, length 64
    And from the remote end Linux host:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
    17:36:32.798639 IP 172.16.254.21 > 192.168.73.2: ICMP echo request, id 25566, seq 1, length 64
    17:36:32.798655 IP 192.168.73.2 > 172.16.254.21: ICMP echo reply, id 25566, seq 1, length 64
    17:36:33.799001 IP 172.16.254.21 > 192.168.73.2: ICMP echo request, id 25566, seq 2, length 64
    17:36:33.799024 IP 192.168.73.2 > 172.16.254.21: ICMP echo reply, id 25566, seq 2, length 64
    It only sees the traffic to the tunnel ip, not any of the traffic destined for hosts beyond
  • OpenVPN custom options - inline data support

    5
    0 Votes
    5 Posts
    1k Views
    D
    Well I have a more fundamental issue: my provider has different TLS keys for every server and so I'm trying to figure out how to have multiple remote statements with different TLS keys. I found that as of a recent OpenVPN version, there's a notion of connection profiles, specified using <connection> tags in which you can have targeted parameters, but unfortunately they are specific ones, so I've opened a feature request with OpenVPN to allow the tls-auth and ideally cert directives to be included so you can have per-server settings. I need this to be able to have my client try different servers within the same country when one goes down. For my direct question, I've found a workaround where I can just specify an external openvpn config file with the inline configuration and it works.
  • OpenVPN Site-to-Site Server Replies not reaching Client

    4
    0 Votes
    4 Posts
    947 Views
    V
    @dbennett: I want only specific IP's listed in an alias to go through the tunnel. If I place a value in the 'Remote networks' box, will that cause any issues with traffic leaving the 'Server' site to the WAN? That just sets the route to the networks behind the client to the client's IP if the connection is up. It will have a private IP range. Your server cannot reach this network over WAN. You can also enter single hosts in these fields. @dbennett: I created an interface / Gateway for the site to site (S2S) along with an Outbound NAT rule for the Client connection to route through that interface and gateway. I did the same thing for the S2S Server. So I should have two OpenVPN interfaces / gateways on the client side; one for that site's server (1194) and one for the S2S Client traffic (1195)? That's alright. However, bear in mind that you have to define your VPN firewall rules on these new interfaces now.
  • 0 Votes
    1 Posts
    550 Views
    No one has replied
  • Help needed for VPN failure returning connection to ISP address

    5
    0 Votes
    5 Posts
    953 Views
    M
    I think here you will find some useful information https://forum.pfsense.org/index.php?topic=116626.0
  • PfSense VM Using NAT Crashing PIA Client on Host

    1
    0 Votes
    1 Posts
    530 Views
    No one has replied
  • Unable to establish VPN connection

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ
    Well if your wan IP is rfc1918, then pick other and put in your actual PUBLIC IP.. Do you know what that is? Is that really confusing for you?? Not sure how this has anything to do with pfsense.. Do you not understand what a rfc1918 address is or that 192.168.x.x is not a viable address on the public internet? You're the admin?? No offense, just confused how this is confusing?
  • Consultant access

    2
    0 Votes
    2 Posts
    867 Views
    DerelictD
    Why don't you just ask him? It is not unreasonable in my opinion as scope tends to creep to LAN-side things eventually. Regarding logging you could turn on logging on the VPN rules. That will log every connection over the VPN. It might be pretty voluminous. Make him call to get access and enable/disable the account accordingly if that helps you feel better. With just HTTPS access he can make a VPN/ssh tunnel, etc any time he feels like it anyway. If you don't trust him you're probably using the wrong guy in the first place.
  • Why no RFC 1918 or Bogon filtering on OpenVPN client interface?

    13
    0 Votes
    13 Posts
    4k Views
    johnpozJ
    no your openvpn being udp is just the tunnel, what you're seeing is blocks inside the tunnel.
  • Question!?! How to grant access to mobile client

    3
    0 Votes
    3 Posts
    675 Views
    S
    Hi Jimp, I very much appreciate your perfect answer, I followed your tips and now everything is working like a charm, this makes my life a lot easier ;) Best Regards Marco
  • Avahi and iOS

    9
    0 Votes
    9 Posts
    2k Views
    W
    Usually just a setting in openvpn's server config.  I stopped using it for another reason (reload then it wouldn't work again lol).
  • OpenVPN can't communicate with IPsec tunnel

    8
    0 Votes
    8 Posts
    1k Views
    M
    Dear sir, can you explain how you did it? Please, many thanks
  • Trying to create OpenVPN user certs manually

    3
    0 Votes
    3 Posts
    1k Views
    K
    Ok, this:
    if ( ! openssl_pkcs12_export_to_file( $req_cert, "user.p12", $req_key, "" ) )
    is the problem. The .p12 produced only contains the user cert - I need to add the CA cert as well. However, it doesn't look like there's a php openssl_ function to do this - which is probably why the openVPN Client Export Plugin uses:
    exec("/usr/bin/openssl pkcs12 -export -in {$ecrtpath} -inkey {$ekeypath} -certfile {$ecapath} -out {$eoutpath} -passout pass:{$eoutpass}");
  • "Best practise" for road warriors with individual firewall rules

    5
    0 Votes
    5 Posts
    2k Views
    johnpozJ
    Yeah how else would you skin that cat? ;) If you want user X to be allowed access to device at 1.2.3.4, then yeah you need to make sure user X always has IP address 2.3.4.5 so you can allow that via firewall rule.. User Y that gets something other than 2.3.4.5 would not have access.. If you have groups of users that all need the same access you could just create different vpn connections so that users A, B and C would always get ips in network 1.2.3.0/24 and you could then create the firewall rules on that network vs specific IP, and if you have another group of users that need different access than A, B and C then they could be on network 1.2.4/24 etc..
  • No traffic through OpenVPN tunnel

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M
    Some more logging from the OpenVPN server. At the moment I unassigned the OpenVPN interface. It wasn't clear to me if I should or should not assign the interface and configure the IP. It seems to work (or not work) either way.
    Aug 9 15:51:53  openvpn  99469  92.69.213.93:62051 TLS: Initial packet from [AF_INET]92.69.213.93:62051, sid=9157e45b 82f155c1
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY SCRIPT OK: depth=1, certdata
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY OK: depth=1, C=NL, certdata
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY SCRIPT OK: depth=0, certdata
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY OK: depth=0, certdata
    Aug 9 15:51:54  openvpn  user 'ME' authenticated
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 TLS: Username/Password authentication succeeded for username 'ME' [CN SET]
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 [mark] Peer Connection Initiated with [AF_INET]92.69.213.93:62051
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI_sva: pool returned IPv4=10.15.10.2, IPv6=(Not enabled)
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_c22c667e5f903932f615859110b7c08c.tmp
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI: Learn: 10.15.10.2 -> ME/92.69.213.93:62051
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI: primary virtual IP for ME/92.69.213.93:62051: 10.15.10.2
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 PUSH: Received control message: 'PUSH_REQUEST'
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 send_push_reply(): safe_cap=940
    Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 SENT CONTROL [mark]: 'PUSH_REPLY,route 172.10.15.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,dhcp-option DOMAIN argus.local,dhcp-option DNS 192.168.20.13,dhcp-option DNS 192.168.20.15,register-dns,dhcp-option NTP 192.168.20.13,redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.10.2 255.255.255.0' (status=1)
    Aug 9 15:52:04  openvpn  99469  MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Aug 9 15:52:04  openvpn  99469  MANAGEMENT: CMD 'status 2'
    Aug 9 15:52:04  openvpn  99469  MANAGEMENT: CMD 'quit'
    Aug 9 15:52:04  openvpn  99469  MANAGEMENT: Client disconnected
    Hope the log clears up anything. I don't have a clue what I'm missing.
  • How to know openvpn user logout

    3
    0 Votes
    3 Posts
    2k Views
    PippinP
    You could add explicit-exit-notify 2 to your client(s) config. Then you will see in the server log SIGTERM[soft,remote-exit] received, client-instance exiting
  • Client export with multiple OpenVPN servers (one pfsense box)

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD
    How can these settings, i.e. "Backend for Authentification" and "IPv4 Tunnel Network", have anything to do with exporting user certificates? The export wizard tries to limit exposing users for export that cannot possibly log in. If you had Local database selected in the server, had created the user certificate, but did not create the user in the local database, then that user would not be able to log in, so the user is not exposed for export. When you select the external authentication method then all it will check for is the presence of a certificate issued by the Peer Certificate Authority.
  • Setting up OpenVPN with LDAP

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.