OpenVPN

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

D

OpenVPN custom options - inline data support

Watching Ignoring Scheduled Pinned Locked Moved
5

0 Votes

5 Posts

1k Views

D

Well I have a more fundamental issue.. my provider has different TLS keys for every server and so I'm trying to figure out how to have multiple remote statements with different TLS keys. I found that as of a recent OpenVPN version, there's a notion of connection profiles, specified using <connection>tags in which you can have targeted parameters, but unfortunately they are specific ones, so I've opened a feature request with OpenVPN to allow the tls-auth and ideally cert directives to be included so you can have per-server settings. I need this to be able to have my client try different servers within the same country when one goes down. For my direct question, I've found a workaround where I can just specify an external openvpn config file with the inline configuration and it works.</connection>
D

OpenVPN Site-to-Site Server Replies not reaching Client

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

1k Views

V

@dbennett: I want only specific IP's listed in an alias to go through the tunnel. If place a value in the 'Remote networks' box will that cause any issues with traffic leaving the 'Server' site to the WAN? That just sets the route to the networks behind the client to the clients IP if the connection is up. It will have an private IP range. Your server cannot reach this network over WAN. You can also enter single hosts in this fields. @dbennett: I created an interface / Gateway for the site to site (S2S) along with an Outbound NAT rule for the Client connection to route through that interface and gateway. I did the same thing for the S2S Server. So I should have two OpenVPN interfaces / gateways on the client side; one for that site's server (1194) and for the S2S Client traffic (1195)? That's alright. However, bear in mind that you have to define your VPN firewall rules on this new interfaces now.
D

OpenVPN Site-to-Site: Allow only specific internal IPs and ports through tunnel

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

579 Views

No one has replied
Q

Help needed for VPN failure returning connection to ISP asdress

Watching Ignoring Scheduled Pinned Locked Moved
5

0 Votes

5 Posts

1k Views

M

I think here you will find some useful information https://forum.pfsense.org/index.php?topic=116626.0
J

PfSense VM Using NAT Crashing PIA Client on Host

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

559 Views

No one has replied
P

Unable to establish VPN connection

Watching Ignoring Scheduled Pinned Locked Moved
6

0 Votes

6 Posts

2k Views

J

Well if your wan IP is rfc1918, then pick other and put in your actual PUBLIC IP.. Do you know what that is? Is that really confusing for you?? Not sure how this has anything to do with pfsense.. Do you not understand what a rfc1918 address is or that 192.168.x.x is not viable address on the public internet? Your the admin?? No offense just confused how this is confusing?
M

Consultant access

Watching Ignoring Scheduled Pinned Locked Moved
2

0 Votes

2 Posts

912 Views

D

Why don't you just ask him? It is not unreasonable in my opinion as scope tends to creep to LAN-side things eventually. Regarding logging you could turn on logging on the VPN rules. That will log every connection over the VPN. It might be pretty voluminous. Make him call to get access and enable/disable the account accordingly if that helps you feel better. With just HTTPS access he can make a VPN/ssh tunnel, etc any time he feels like it anyway. If you don't trust him you're probably using the wrong guy in the first place.
J

Why no RFC 1918 or Bogon filtering on OpenVPN client interface?

Watching Ignoring Scheduled Pinned Locked Moved
13

0 Votes

13 Posts

4k Views

J

no your openvpn being udp is just the tunnel, what your seeing is blocks inside the tunnel.
S

Question!?! How to garant access to mobile client

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

762 Views

S

Hi Jimp, I very appreciate your perfect answer, i followed your tipps and now everything is working like a charm, this make my life a lot easyer ;) Best REgards Marco
M

Avahi and iOS

Watching Ignoring Scheduled Pinned Locked Moved
9

0 Votes

9 Posts

2k Views

W

Usually just a setting in openvpn's server config. I stopped using it for another reason (reload then it wouldn't work again lol).
M

OpenVPN can't communicate with IPsec tunnel

Watching Ignoring Scheduled Pinned Locked Moved
8

0 Votes

8 Posts

1k Views

M

Dear sir can you explain how did you do it ? please many thanks
K

Trying to create OpenVPN user certs manually

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

1k Views

K

Ok, this: if ( ! openssl_pkcs12_export_to_file( $req_cert, "user.p12", $req_key, "" ) ) is the problem. The .p12 produced only contains the user cert - I need to add the CA cert as well. However, it doesn't look like there's a php openssl_ function to do this - which is probably why the openVPN Client Export Plugin uses: exec("/usr/bin/openssl pkcs12 -export -in {$ecrtpath} -inkey {$ekeypath} -certfile {$ecapath} -out {$eoutpath} -passout pass:{$eoutpass}");
S

"Best practise" for road warriors with individual firewall rules

Watching Ignoring Scheduled Pinned Locked Moved
5

0 Votes

5 Posts

2k Views

J

Yeah how else would you skin that cat? ;) If you want user X to be allowed access to device at 1.2.3.4, then yeah you need to make sure user X always has IP address 2.3.4.5 so you can allow that via firewall rule.. User Y that gets something other than 2.3.4.5 would not have access.. If you have groups of users that all need same access you could just create different vpn connections so that users A,B and C would always get ips in network 1.2.3.0/24 and you could then create the firewall rules on that network vs specific IP and if you have other group of users that need different access then AB and C then they could be on entwork 1.2.4/24 etc..
M

No traffic through OpenVPN tunnel

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

4k Views

M

Some more logging from the OpenVPN server. At the moment I unassinged the OpenVPN interface. It wasn't clear to me if I should or should not assign the interface and configure the IP. It seems to work (or not work) either way. Aug 9 15:51:53 openvpn 99469 92.69.213.93:62051 TLS: Initial packet from [AF_INET]92.69.213.93:62051, sid=9157e45b 82f155c1 Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY SCRIPT OK: depth=1, certdata Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY OK: depth=1, C=NL, certdata Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY SCRIPT OK: depth=0, certdata Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY OK: depth=0, certdata Aug 9 15:51:54 openvpn user 'ME' authenticated Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 TLS: Username/Password authentication succeeded for username 'ME' [CN SET] Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 [mark] Peer Connection Initiated with [AF_INET]92.69.213.93:62051 Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI_sva: pool returned IPv4=10.15.10.2, IPv6=(Not enabled) Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_c22c667e5f903932f615859110b7c08c.tmp Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI: Learn: 10.15.10.2 -> ME/92.69.213.93:62051 Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI: primary virtual IP for ME/92.69.213.93:62051: 10.15.10.2 Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 PUSH: Received control message: 'PUSH_REQUEST' Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 send_push_reply(): safe_cap=940 Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 SENT CONTROL [mark]: 'PUSH_REPLY,route 172.10.15.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,dhcp-option DOMAIN argus.local,dhcp-option DNS 192.168.20.13,dhcp-option DNS 192.168.20.15,register-dns,dhcp-option NTP 192.168.20.13,redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.10.2 255.255.255.0' (status=1) Aug 9 15:52:04 openvpn 99469 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Aug 9 15:52:04 openvpn 99469 MANAGEMENT: CMD 'status 2' Aug 9 15:52:04 openvpn 99469 MANAGEMENT: CMD 'quit' Aug 9 15:52:04 openvpn 99469 MANAGEMENT: Client disconnected Hope the log clears up anything. I don't have a clue what I'm missing.
T

How to know openvpn user logout

Watching Ignoring Scheduled Pinned Locked Moved
3

0 Votes

3 Posts

2k Views

P

You could add explicit-exit-notify 2 to your client(s) config. Then you will see in the server log SIGTERM[soft,remote-exit] received, client-instance exiting
J

Client export with multiple OpenVPN servers (one pfsense box)

Watching Ignoring Scheduled Pinned Locked Moved
6

0 Votes

6 Posts

2k Views

D

How can these settings i.e "Backend for Authentification" and "IPv4 Tunnel Network" have anything to do with exporting user certificates? The export wizard tries to limit exposing users for export that cannot possibly log in. If you had Local database selected in the server, had created the user certificate, but did not create the user in the local database, then that user would not be able to log in so the user is not exposed for export. When you select the external authentication method then all it will check for is the presence of a certificate issued by the Peer Certificate Authority.
B

Setting up OpenVPN with LDAP

Watching Ignoring Scheduled Pinned Locked Moved
1

0 Votes

1 Posts

3k Views

No one has replied
D

How to share OpenVPN conenction to my LAN?

Watching Ignoring Scheduled Pinned Locked Moved
2

0 Votes

2 Posts

761 Views

D

More information is needed to help you. What is the server? What is the client? What are the Local and Remote networks on each end? Where are you pinging from? Where are you pinging to? You generally have to specify a specific source IP address (Like the interface address of a network specified as a Local network in the OpenVPN configuration) to ping across an OpenVPN tunnel from the firewall itself so it's pretty unclear what you're actually doing.
N

Openvpn_xorpatch ( openvpn scramble option )

Watching Ignoring Scheduled Pinned Locked Moved
2

0 Votes

2 Posts

3k Views

J

You can't, and you don't want to. Read the last post on that thread. https://forums.openvpn.net/viewtopic.php?f=15&t=12605&sid=c75d657e002504a39d34ae664ddd9ad5&start=60#p49837
M

[SOLVED] Considerations to pfSense OpenVPN Server when behind NAT?

Watching Ignoring Scheduled Pinned Locked Moved
4

0 Votes

4 Posts

4k Views

M

Ok, just to confirm the issue was that the ISP device had a hidden 'advanced' setting which did not forward Internet packets by default, as I thought. Once this was found, and packets forwarded correctly, it worked fine! Thanks for your input!!

305 / 495