Open VPN Server
-
I have followed the OpenVPN Remote Access Configuration Example recipe.
Tunnel Network: 172.17.0.0/24
WAN Address: x.y.z.65
LAN Address: 192.168.0.254
LAN Subnet: 192.168.0.0/24
DNS #1: 192.168.0.110
DNS #2: 192.168.0.111
I have configured Network Policy on Windows Server and set OpenVPN Server to use RADIUS Authentication. I have validated that RADIUS Authentication is working by using Diagnostics | Authentication and it returns a successful response from the RADIUS server.
I am using an ACME issued certificate for the OpenVPN server. I also use this same certificate for the WebGUI and it works fine. The certificate is for gateway.xxxx.org and is in Certificate store and the ACME cert is in the Certificate Authorities store.
Hostname: gateway.xxxx.org
External DNS has A record of x.y.z.65 pointing to gateway.xxxx.org
Internal DNS has A record of 192.168.0.254 pointing to gateway.xxxx.org
OpenVPN Configuration:
WAN Firewall Rule:
OpenVPN Firewall Rule:
Problem:
Both on Android (connected to a public network) and my Windows 11 machine (connected to a private network, on the 192.168.0.0/24 network) I cannot establish a VPN connection. I'm stuck and need some help.
-
@codechurn
What exactly does the client log show?
Something in the OpenVPN log on pfSense?
-
@viragomann
Here is what I see Client side, starting with the earliest:
Where would I find the Open VPN Server System Logs? When I look under Status | System Logs | Open VPN all I see is activity from the Open VPN Client I have configured, which is working properly.
I'm not convinced I am getting to the OpenVPN Server, even though the event log says it established a connection via IKEv2 since it keeps trying to connect using other protocols. Perhaps this is just the RADIUS authentication confirming I am authorized?
-
@codechurn
Yes, you need an OpenVPN client.
Just install the client export utility on pfSense and download the proper client package from it.
-
@viragomann Thanks for the info. I was hoping to set up a VPN on the gateway that would work with the out of the box client on modern versions of Windows and Android. I guess I can't do this with OpenVPN. Would IPsec be a better solution?
-
@codechurn
OpenVPN isn't less eligible at all. But yes, you have to install a client software to use it. However, the OpenVPN connect apps work pretty well on Windows and mobile phones and it's easy to use.
IPSec is integrated in Windows out of the box. If there is no possibility to install a client software you can go with this.
-
@codechurn said in Open VPN Server:
Where would I find the Open VPN Server System Logs?
In the same log.
This is a part of the server startup :
Btw : not really important, but :
Switch to IPv4 (only) :
Remove IPv6 here :
because right now, you announce IPv6 capabilities, but in reality : you have none.
Client devices will, of course, prefer IPv6 over IPv4, so if your VPN announces : IPv6 ok, you'll hit the wall.
@codechurn said in Open VPN Server:
I am using an ACME issued certificate for the OpenVPN server. I also use this same certificate for the WebGUI and it works fine.
Cool.
But not really needed.
I've created a self signed cert for 10 years, and be done with it (KIS principle).
Some random observations :
Just "User auth" and not "SSL+TLS + User auth" ? You don't want your VPN to be encrypted ?
This one :
ACME places a SAN (host name) in the certificate, not a 'user login name'. Not sure how this can ever match.
Here : https://www.youtube.com/@NetgateOfficial/videos are some old and very old pfSense OpenVPN server setup guides. They are still very valid, just keep in mind they were made with an old version of OpenVPN server.
"Instantiate" the ovpns1 "OpenVPN" into a (example) MYSERVERVPN - like you did with the EXPESSVPN (VPN client) interface
Move the firewall rule present on "OpenVPN" to this new "MYSERVERVPN".
What pfSense version ?
edit : and yes : The OpenVPN client exporter is needed.
Install the free, official OpenVPN Android Apple Windows App.
https://openvpn.net/client/
This one logs just fine and is easy to handle, and works the same on every platform.
If that one works, only then try to tackle the Windows version (didn't even know it existed, and the way it looks, who wants to use it ^^)
-
Thanks for the feedback guys! I didn't realize that OpenVPN required me to install a client to use it. I'm going to switch over to IPSec and see if I can get that going.
-
@codechurn said in Open VPN Server:
I didn't realize that OpenVPN required me to install a client to use it
Not really needed, but as Microsoft products like to talk with Microsoft Products, it's the same for OpenVPN product.
You can of course use any 'OpenVPN' client, as long as it is compatible with OpenVPN, and you manage to make it work ^^
But it works, and during massive home works situations around 2020/2021/2022 it was fully tested.
Half the planet was using it.