  • Configuring Radius Authentication Timeout

    Hi all,

    Although this thread is slightly old, I still thought it would be worthwhile to post my solution. In summary, pfSense 2.x on ALIX hardware using OpenVPN with DuoSecurity PUSH authentication is working (for me) and hopefully the following notes will help :D

    The following setup works for the three forms of authentication from DuoSecurity - PUSH, Call and SMS.

    I used a server, separate from pfSense, to run the DuoSecurity RADIUS proxy, FreeRADIUS and authentication database (UNIX). Once you have identified the server, follow these instructions on DuoSecurity's website: http://www.duosecurity.com/docs/radius

    During the DuoSecurity Generic RADIUS configuration, follow the instructions for RADIUS (not Active Directory) and add the IP address of pfSense (not the hostname) as a RADIUS client.

    Test the RADIUS installation locally as suggested by DuoSecurity and be certain it is working before continuing.

    Add the RADIUS details in pfSense:

    Go to System -> User Manager -> Servers

    Add the RADIUS client with the RADIUS secret you set during DuoSecurity proxy configuration. Set Services offered: to Authentication.

    Save

    Test authentication via DuoSecurity SMS only (PUSH won't work yet) by going to Diagnostics -> Authentication. The password is in the format <password>,sms and if you already have the SMS OTPs, the format is e.g. <password>,A123456. Once this is working, you can continue with the final steps.

    To set the RADIUS client timeout and retry limit to the values recommended by DuoSecurity, do the following:

    In pfSense, select Diagnostics -> Edit File

    Press Browse and select /etc/inc/radius.inc

    NOTE: If the editing window is grey and you can't edit the file, you will have to amend the file via SSH, making the file system writeable by typing
    mount -u -w /dev/ufs/<pfsense_partition>
    To make it read-only again after the change, type
    mount -u -r /dev/ufs/<pfsense_partition>

    In the editor, find the lines:

    function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 3, $maxtries = 3)
    function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3)

    Change the timeout and maxtries values to the DuoSecurity recommended values, e.g.:

    function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 10, $maxtries = 10)
    function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 10, $maxtries = 10)

    Save the changes

    Test authentication via DuoSecurity PUSH by going to Diagnostics -> Authentication. The password is in the format <password>,push

    Hopefully it works.

  • IPsec iOS clients - want to access other end of OpenVPN LAN-to-LAN

    Phil, I just wanted to say thank you.  It was as simple as you suggested.  I've just now had the time/focus to configure and test this properly.  I just wish there was a way to get these darn iDevices to automatically reconnect to the IPsec VPN when turning back on.  I think that's out of the option because I'm using xauth with a pre-shared key, due to my inability to produce a certificate the iPad will accept.  Too bad Apple won't open the API for tunnel management so the OpenVPN project can use it.

    Anyway, thank you Phil - you helped me implement something that makes my life a little easier :)


    Dennis

  • PFSENSE 2.01 with OpenVPN/RoadWarrior setup?

    Ok :)

  • Openvpn notification

    The e-mail notification does not report many events so far, but if one of my WANs goes down I get an e-mail notification. If the gateway is up again I get a notification again.
    Of course it must be possible for pfSense to send the e-mail to the e-mail server you added on pfSense (System -> Advanced -> Notifications).

  • Backup/failover PF box inaccessible by openvpn clients?

    Jim:

    Indeed you're correct about the docs, the guide here http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setting_up_advanced_outbound_NAT

    is clear about the step about choosing "advanced outbound NAT"  and changing to the carp translation address, which I haven't done.

    Kindly notice the screen dedicated to configuring virtual IP's on PFSense does not do as you've noted: refer the reader to PF's FAQ on the matter, but instead openbsd's carp docs– where the term NAT appears not at all.  That's what I was referring to upstream as not catching that I ought to have been using AON as PF's automatic outbound nat settings don't pick up on the carp vip outbound automatically.

    I suggest two cosmetic changes:

    1:  Might PF consider removing the subtitle (AON - Advanced Outbound NAT) on the outbound NAT screen?  Generally 'automatic' is held to be more 'advanced' than something with a 'manual' (aka less advanced than automatic) component.   I wonder if others weren't foxed into thinking the reference AON meant 'automatic outbound nat' over against the 'advanced outbound nat with manually edited entries'.   Unfortunate that 'Advanced' and 'Automatic' both begin with 'A.'

    2:  A link on the VIP screen to PF's own CARP faq, and moving the Openbsd link to PF's faq?

    Also:  The outbound nat rule you suggested worked splendidly to provide openVPN client running on the master access to the backup pf box also running the openvpn server.

    Is the proper approach to create an outbound nat destination network a one box '/32' specific link to the backup if on the master, and another like rule on the backup pointing to the master (while checking the box on each to not replicate the rule?)

  • Openvpn client can't access UDP port of device

    @Nachtfalke:

    Check the firewall on the systems behind pfSense to see if they allow traffic on UDP ports from the OpenVPN subnet - or disable it for testing.

    Pfsense is the only firewall and gateway on our local network involved.  The device serving both http (TCP) over port 80 and proprietary UDP over port 1876 has no firewall.  Also, as I mentioned, that computer when on the local network can access both resources just fine.  It's only when remote and connecting via OpenVPN that UDP/1876 traffic doesn't seem to get through.

  • Add route to a Client OpenVPN

    Hi,
    thanks for the help.
    I have to say that now the client is getting the routes that I added this morning,
    without any changes.
    I just added this line:
    push "route 172.16.10.0 255.255.255.0";push "route 172.16.11.0 255.255.255.0"
    Up until now the route wouldn't work for some reason.
    Thanks for the help, Daniel :)

  • Unable to Run two OVPN servers

    I am using Quagga and the dual VPN connection works fine initially. It's only when one of the connections drops that the error appears.
    It looks like a potential bug when the loopback interface is trying to use a route already in use by the other VPN instance?

  • Openvpn Crashes

    Hi! It works, thank you.

    What happened? I know that the server and client didn't match. Do you know why?

  • Trying to get LAN access, can only ping myself

    Hi,
    I just rebooted my pfSense and my VPN works now….

    Thanks for the help.

  • Multi site 2 site VPN to multi LANs with one box?

    Can be done on 1 appliance. In fact it would be more of a hassle to do the same on multiple appliances.

  • Export Utility File Contents

    I am trying this from home, behind my home router.

    When I connect to the VPN server the connection will be established - the systray icon turns into green. But "netstat -rn" does not show me additional routes - just the route for the tunnel network.

    When I run the OpenVPN client with admin rights the routes will be added.

    But when I run it with admin rights I get a similar error message:

    Wed Oct 03 21:17:58 2012 Successful ARP Flush on interface [50] {FBDB3111-D2E3-4899-A765-87EAFB843546}
    Wed Oct 03 21:18:03 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object still exists.  [status=5010 if_index=50]
    Wed Oct 03 21:18:03 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Wed Oct 03 21:18:03 2012 Initialization Sequence Completed

    But then I can connect to the pfSense server and to the LAN clients behind pfSense.

  • VPN

    No need to create three OpenVPN server instances. Just connect all sites to one server.
    The most difficult thing to do is to set up the correct routes on the OpenVPN server and OpenVPN client to connect to the LANs behind each pfSense.

    I think this forum post will explain it:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    You probably need these 3 commands as custom OpenVPN options:

    push "route IP.IP.IP.IP SM.SM.SM.SM";
    route IP.IP.IP.IP SM.SM.SM.SM;
    iroute IP.IP.IP.IP SM.SM.SM.SM;

  • OpenVPN cannot browse lan

    Here's one issue:

    Tunnel Settings_________________
    tunnel 10.0.8.0/24
    Bridge(none)
    local 10.0.0.0/8
    Compress tunnel packets using the LZO algorithm.

    Your tunnel needs to be outside of your LAN.

  • Watching US Netflix & BBC at the same time

    Not by domain name, no. You'd have to somehow identify them based on IP address (or block of IP addresses).

  • Using 2nd pfsense box for openvpn behind pfsense gw

    Following cmb's remark: we put the VPN on the primary pfSense box (and upgraded its hardware a bit).

  • Routing all traffic through OpenVPN - n00b question

    I know next to nothing about pfSense specifically, so don't take this as gospel: I think you need to set a floating rule at both b and c to use A as the gateway for matched traffic (either by port, classification, subnet or something else). Have you solved your issue yet?


    Dennis

  • OpenVPN as a backup link

    Windows won't do OSPF, so that's not an option. You need a proper router to do failover; you'll really have to move the OpenVPN off the Windows server to do that properly.

  • 0 Votes
    3 Posts
    2k Views
    H

    @cmb:

    You need manual outbound NAT and to NAT traffic leaving your OpenVPN connection. The StrongVPN guide here has that documented if I recall, it's the same process regardless of VPN provider.

    Many thanks for your help. I tried that guide, several times actually, but it didn't work for me (same no web browsing after connecting). So I'm guessing maybe my pfSense version is different. (I have the latest x86 version).

  • OpenVPN Site-to-Site Issues

    @nadaron:

    I looked around and found a strange thing in the ifconfig output (server and client):

    Not strange, that's just how it works when using certificates. My guess is you're missing either a route or an iroute.
    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.