• OpenVPN - Active Directory authentication

    Locked · 2 Posts · 0 Votes · 7k Views · R

    Hi,
    I have just implemented a solution where I connected the OpenVPN server to my Radius server (Internet Authentication Service - Microsoft).
    I did this with the plugin openvpn-auth-pam. After a lot of problems it finally works ok. The plugin you may receive from the OpenVPN installation kit.
    There is also a plugin named openvpn-auth-ldap on the net. Look in the forum; there are some pointers to it.
    Good luck.

    Ariel

  • 0 Votes · 2 Posts · 2k Views · GruensFroeschli

    Can you be more specific what's not working?
    Also a "bit" more information would be welcome.

  • OpenVPN and CARP

    Locked · 6 Posts · 0 Votes · 3k Views · E

    Perfect it runs!!!!!!!  :)

  • Another Site-to-Site Problem

    Locked · 8 Posts · 0 Votes · 5k Views · S

    I wouldn't have got it working without your guide.  :)

  • Site-to-Site Shared Key problem

    Locked · 3 Posts · 0 Votes · 2k Views · S

    I've tried as well by filling in the remote network and not using the custom options or the other way around by the custom options and not the remote network.

    The routing table seems the same, but the traffic still doesn't flow :-(

  • Site-To-Site OpenVPN using PKI (something of a howto)

    Locked · 5 Posts · 0 Votes · 56k Views · F

    Added a caveat about how many networks should be involved before using this technique.

  • OpenVPN between single pfSense and >1000+ DD-WRT remote sites

    Locked · 4 Posts · 0 Votes · 3k Views · Cry Havok

    The OpenVPN list archive is a good source of information ;)  In particular, this thread talks about a hard limit of 1024 tunnels at a time.  There are also discussions about hardware sizing if you search further.

    Don't forget their documentation as another source of information.

  • VPN Same IP Addresses

    Locked · 8 Posts · 0 Votes · 3k Views · F

    Server:

    Jan 6 19:08:40 openvpn[12109]: omniservicesrl.it/151.***.***.***:59418 [***] Inactivity timeout (--ping-restart), restarting
    Jan 6 19:07:57 openvpn[12109]: 88.***.***.***:59266 [***] Peer Connection Initiated with 88.***.***.***:59266
    Jan 6 19:07:56 openvpn[12109]: 88.***.***.***:59266 LZO compression initialized
    Jan 6 19:07:56 openvpn[12109]: 88.***.***.***:59266 Re-using SSL/TLS context
    Jan 6 19:06:29 openvpn[12109]: 151.***.***.***:59418 [***] Peer Connection Initiated with 151.***.***.***:59418
    Jan 6 19:06:28 openvpn[12109]: 151.***.***.***:59418 LZO compression initialized
    Jan 6 19:06:28 openvpn[12109]: 151.***.***.***:59418 Re-using SSL/TLS context

    Client 1 & Client 2 are identical:

    Tue Jan 06 19:06:21 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Tue Jan 06 19:06:21 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Jan 06 19:06:21 2009 LZO compression initialized
    Tue Jan 06 19:06:21 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Jan 06 19:06:21 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Jan 06 19:06:21 2009 Local Options hash (VER=V4): '41690919'
    Tue Jan 06 19:06:21 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Jan 06 19:06:21 2009 UDPv4 link local: [undef]
    Tue Jan 06 19:06:21 2009 UDPv4 link remote: 88.***.***.***:1194
    Tue Jan 06 19:06:21 2009 TLS: Initial packet from 88.***.***.***:1194, sid=93c9ddcc 542da9de
    Tue Jan 06 19:06:22 2009 VERIFY OK: depth=1, /C=IT/ST=Italy/L=Nerviano__MI/O=****/CN=****/emailAddress=info@****.it
    Tue Jan 06 19:06:22 2009 VERIFY OK: nsCertType=SERVER
    Tue Jan 06 19:06:22 2009 VERIFY OK: depth=0, /C=IT/ST=Italy/O=****/CN=****/emailAddress=info@****.it
    Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 06 19:06:22 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Jan 06 19:06:22 2009 [***] Peer Connection Initiated with 88.***.***.***:1194
    Tue Jan 06 19:06:24 2009 SENT CONTROL [***]: 'PUSH_REQUEST' (status=1)
    Tue Jan 06 19:06:24 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.115.0 255.255.255.0,dhcp-option DNS 192.168.115.1,dhcp-option WINS 192.168.115.3,dhcp-option NTP 192.168.115.1,dhcp-option DISABLE-NBT,route 192.168.200.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5'
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: route options modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Jan 06 19:06:24 2009 TAP-WIN32 device [OpenVPN Omni] opened: \\.\Global\{633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}.tap
    Tue Jan 06 19:06:24 2009 TAP-Win32 Driver Version 8.4
    Tue Jan 06 19:06:24 2009 TAP-Win32 MTU=1500
    Tue Jan 06 19:06:24 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Tue Jan 06 19:06:24 2009 Successful ARP Flush on interface [11] {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}
    Tue Jan 06 19:06:26 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue Jan 06 19:06:26 2009 route ADD 192.168.115.0 MASK 255.255.255.0 192.168.200.5 OK
    Tue Jan 06 19:06:26 2009 route ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.5 OK
    Tue Jan 06 19:06:26 2009 Initialization Sequence Completed

    Server config:

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 192.168.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.115.0 255.255.255.0"
    lport 1194
    push "dhcp-option DNS 192.168.115.1"
    push "dhcp-option WINS 192.168.115.3"
    push "dhcp-option NTP 192.168.115.1"
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo

    Clients config (obviously certificates are different):

    ####
    client
    dev tun
    proto udp
    remote 88.***.***.*** 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca-omni.crt
    cert fede-omni.crt
    key fede-omni.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3
    #### FOR WINDOWS VISTA:
    route-method exe
    route-delay 2
    #

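    The two client logs above both report `ifconfig 192.168.200.6 192.168.200.5` in their PUSH_REPLY, and the server log shows the 151.x session timing out shortly after the 88.x session came up. The script below is an added example written for this listing, not code from the thread, pfSense or OpenVPN: it parses the PUSH_REPLY line that OpenVPN 2.x clients log at `verb 3` and reports any tunnel address pushed to more than one client, then puts the server's newest-first log back in chronological order and lists which peers connected between a peer's own connect and its inactivity timeout. The sample log lines are constructed from the ones posted, with the masked addresses replaced by documentation addresses (198.51.100.7, 203.0.113.9) and the masked CN by `[client]`; function names and the `year` parameter are this example's own.

```python
"""Cross-check OpenVPN client and server logs for tunnel-address collisions.

Added example, not pfSense or OpenVPN code.  Client side: parse the
PUSH_REPLY line logged at verb 3.  Server side: parse 'Peer Connection
Initiated' and 'Inactivity timeout' lines (pfSense shows them newest first).
"""
import re
from collections import defaultdict
from datetime import datetime

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
# Syslog prefix, openvpn[pid]:, then "host/ip:port" or "ip:port", then the message.
SERVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?P<peer>\S+:\d+) (?P<msg>.*)$"
)

# Constructed sample input: the PUSH_REPLY line both clients in the thread
# logged (routes trimmed), used for both clients because their logs were identical.
PUSH_LINE = ("Tue Jan 06 19:06:24 2009 PUSH: Received control message: "
             "'PUSH_REPLY,route 192.168.115.0 255.255.255.0,"
             "dhcp-option DNS 192.168.115.1,route 192.168.200.0 255.255.255.0,"
             "ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5'")
SAMPLE_CLIENT_LOGS = {"client1": PUSH_LINE, "client2": PUSH_LINE}

# Constructed sample input: the server log from the thread, newest first,
# with masked addresses swapped for documentation addresses.
SAMPLE_SERVER_LOG = """\
Jan 6 19:08:40 openvpn[12109]: host.example/198.51.100.7:59418 [client] Inactivity timeout (--ping-restart), restarting
Jan 6 19:07:57 openvpn[12109]: 203.0.113.9:59266 [client] Peer Connection Initiated with 203.0.113.9:59266
Jan 6 19:07:56 openvpn[12109]: 203.0.113.9:59266 LZO compression initialized
Jan 6 19:06:29 openvpn[12109]: 198.51.100.7:59418 [client] Peer Connection Initiated with 198.51.100.7:59418
Jan 6 19:06:28 openvpn[12109]: 198.51.100.7:59418 LZO compression initialized
"""


def parse_push_reply(line):
    """Return {'ifconfig': (local, remote) or None, 'routes': [(net, mask), ...]}
    for a client-log PUSH_REPLY line, or None if the line is not one."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = m.group("body").split(",")
    if opts[0] != "PUSH_REPLY":
        return None
    parsed = {"ifconfig": None, "routes": []}
    for opt in opts[1:]:
        words = opt.split()
        if words[:1] == ["ifconfig"] and len(words) == 3:
            parsed["ifconfig"] = (words[1], words[2])
        elif words[:1] == ["route"] and len(words) >= 3:
            parsed["routes"].append((words[1], words[2]))
    return parsed


def find_address_collisions(client_logs):
    """client_logs: {client_name: log_text}.  Returns {local_tunnel_ip: [names]}
    restricted to addresses that were pushed to more than one client."""
    owners = defaultdict(list)
    for name, text in client_logs.items():
        for line in text.splitlines():
            parsed = parse_push_reply(line)
            if parsed and parsed["ifconfig"]:
                owners[parsed["ifconfig"][0]].append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


def server_timeline(log_text, year=2009):
    """Return (timestamp, 'ip:port', 'connected'|'timeout') tuples in
    chronological order.  Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = SERVER_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "Peer Connection Initiated" in msg:
            event = "connected"
        elif "Inactivity timeout" in msg:
            event = "timeout"
        else:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        peer = m.group("peer").rsplit("/", 1)[-1]  # drop any reverse-DNS prefix
        events.append((ts, peer, event))
    events.sort()
    return events


def connects_before_timeout(events):
    """For each peer that timed out, list the other peers that connected
    between that peer's own most recent connect and its timeout."""
    last_connect, result = {}, {}
    for ts, peer, event in events:
        if event == "connected":
            last_connect[peer] = ts
        elif event == "timeout" and peer in last_connect:
            start = last_connect[peer]
            result[peer] = [p for p, t in last_connect.items()
                            if p != peer and start < t <= ts]
    return result


if __name__ == "__main__":
    print("collisions:", find_address_collisions(SAMPLE_CLIENT_LOGS))
    for ts, peer, event in server_timeline(SAMPLE_SERVER_LOG):
        print(ts, peer, event)
    print("connected before timeout:", connects_before_timeout(server_timeline(SAMPLE_SERVER_LOG)))
```

    Run it against real logs by reading each client's log file into `SAMPLE_CLIENT_LOGS` under its own name and the server log into `SAMPLE_SERVER_LOG`; a non-empty collision map tells you two clients were handed the same tunnel address, and the timeline shows whether one client's session was still supposed to be up when another came in.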
  • OpenVPN for different users

    Locked · 2 Posts · 0 Votes · 2k Views · F

    You can try to create N servers in the OpenVPN page setup, with different ports and different certificates…

  • OpenVPN config file?

    Locked · 7 Posts · 0 Votes · 55k Views · B

    @Bern:

    They're in /var/etc

    Jeez…you would have thought I'd look there.  Thanks for the tip.  I'll report back later to see where we get with this.

  • openvpn-auth-pam: missing pam-devel

    Locked · 2 Posts · 0 Votes · 2k Views · GruensFroeschli

    This is no pfSense problem.

    http://openvpn.net/index.php/documentation/howto.html should help you.
    For questions regarding FreeBSD: http://www.freebsd.org/doc/en/books/handbook/
    The FreeBSD handbook is a good start.

  • OpenVPN - authentication against active directory

    Locked · 7 Posts · 0 Votes · 9k Views · R

    Hi,
    finally I found the relevant packages for the LDAP authentication and installed them. Unfortunately, the plugin does not load due to a missing library, which indeed does not reside on my installation.
    I have seen similar behavior described in the forum and the recommendation was to reinstall openvpn.
    My question is: if I reinstall openvpn (pkg_add -r openvpn), do I lose my current openvpn configuration?
    In addition I would like to know if there are any differences regarding security between the radius implementation and the ldap implementation.
    Thanks in advance
    Ariel

  • How do I make my ta.key permanent?

    Locked · 14 Posts · 0 Votes · 10k Views · T

    also works on 1.2.1 now…

  • OpenVPN how disable CSR?

    Locked · 5 Posts · 0 Votes · 3k Views · S

    Ok thanks for clearing that up.

    Yes, for connection authentication I meant user authentication, the same as what you described.

    As for gmail, I guess they don't care who you are, so as long as you sign your own certificate they'll accept the connection.

    Thanks.

  • Pfsense OVPN Server GUI?

    Locked · 2 Posts · 0 Votes · 2k Views · M

    This sounds like a good idea for a bounty.

  • "redirect-gateway" and internet access

    Locked · 7 Posts · 0 Votes · 16k Views · GruensFroeschli

    How are you testing this?
    With iperf? I had similar experiences that sometimes I got 2Mbit upstream on a 512kbit line…
    Though I haven't had the time to investigate further.

    But 500 Kbyte/s on Windows is pretty much 4Mbit, which seems strange on a 3Mbit line.
    So yeah there is probably some compressing going on.

    If you hit the CPU-max while doing the transfers you could try to use a different encryption for the tunnel.
    Maybe something less CPU intensive.

  • OpenVpn remove users from database?

    Locked · 1 Post · 0 Votes · 2k Views · No one has replied

  • OpenVPN process(es) die sporadically

    Locked · 9 Posts · 0 Votes · 5k Views · JeGr

    OK, re-enabled slbd today and it works; even after slbd's ICMP poll states DOWN and filters are reloaded, daemons stay alive. I think the problem is related to two things:

    one interface changing (dhcp, dis-/enabling) reloading openvpn daemons via the stated command (sh killall -HUP openvpn)

    The SIGHUP seems to kill a random number of daemons while restarting them (for whatever reason). ATM I'm ordering new CF cards to try a clean new installation on one of these and do some modifications. If anyone knows more about that "restart phenomenon" or has similar problems I would be glad to hear some comments.

  • OpenVPN limitation

    Locked · 8 Posts · 0 Votes · 4k Views · GruensFroeschli

    If you do that you could as well do what albertmm did and have a separate openVPN server ;)

  • VPN not re-establishing

    Locked · 4 Posts · 0 Votes · 2k Views · M

    This is exactly what's happening to me as of now: I needed to reboot the ADSL router at the office, then trying to connect to the VPN simply doesn't work and "inactivity timeout" pops up. In my case I'm trying to connect to the VPN manually via the Windows OpenVPN GUI; it always worked great and this is the first time I've had to reboot the ADSL router, so I never experienced this problem before.
    Any clue on what it could be?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.