OpenVPN and 1.0-BETA1
-
Okay, just spoke to a guy over at Hacom. He's confused that usb keyboard isn't working, and added that he noticed in the last release that the ability to boot embedded from usb flash drive no long works. So…do we need to tweak /boot in general here? His "recommended" installation method was to use embedded from flash drive or usb cdrom to install so you don't have the tear the system down like I'm doing. That won't work. In the interim, he's going to ship me a ps2 keyboard header, but suggested I attempt to connect to a serial console and run the install from there, so I shall.
This is probably wiki-worthy material. I'll try to get by there today and add this.
-
Well, that failed miserably.
I tried 8n1, 2400, 9600, and 19200. Nothing. :\
So…I'm completely screwed for a few days until the pin header arrives, unless I go buy a female ps2 port and do some hacking. :\
-
Just so we're clear, I did try the suggetions in the wiki, but those are for FreeBSD 5.x, and we're at 6.x. The ability to press a key to do anything is not available. I've found the appropriate switches in /boot/defaults/loader.conf, and those should be added and changed in /boot/loader.conf. Here's what I'mt thinking:
Set us up with two console options prior to boot loader getting ahold of things.
console="vidconsole,comconsole"
Use multiple consoles. (Only good prior to the boot loader grabbing hold, long enough to enable USB Keyboard if desired).
boot_multicons="1"
Load the USB subsystem
usb_load="yes"
Enable USB Keyboards
ukbd_load="YES"
Enable Mass Storage (keychain drives, usb cd-rom drives, etc)
umass_load="YES"
The setup above would work particularly well for full installs and cd/floppy installs. When you run the installation to hard drive, you could set it back to normal or present the user an option, but getting out of the gate this would make more sense, wouldn't it? Vidconsole will still be the default after the beastie menu, but at least to that point you can manually enable usb keyboard. If the desire is to keep the cd install vga, only, then the loading the usb subsystem, keyboard, and mass storage would be sufficient.
-
Okay, I'm a dirty cheater. I loaded the iso up in a hex editor, hunted down the usb_load="NO", ukbd_load="NO", and umass_load="NO", changed them to "YES", and saved it, burned it.
The outcome is suprising. I get no keyboard control at the "beastie" menu (Now FreeBSD menu), nor when I get a prompt. I actually have to unplug the keyboard, plug it back in, then I get keyboard control, which is awesome, except that it won't let you install since everything throws crc errors now. :P
So…yeah. :D I'm still screwed.
-
Booooo, I'm a moron.
Okay, this is still a problem for remote management of the firewall should network be down (I have a remote access vnc-kvm), but I should be able to install. All you have to do is unplug hte keyboard and re-plug it, even with the standard distro, no modifications required. Why the unplug-plug is required, I have no idea.
That said, now it won't install to my hard drive, complaining about "non-standard geometry". Bleh. dd if=/dev/zero of=/dev/ad2 should fix that up quite nicely. Just waiting for the command to complete (expecting it to hit eof on the ad2…)
-
Please try the following steps. I had similiar problems when setting up a nexcom 1041c:
http://www.mail-archive.com/support@pfsense.com/msg03811.htmlMaybe the hacom box is similiar here (I as well mentioned the replug of the USB Keyboard there some time ago) ;)
-
Actually, I found the issue, and I'm not partcularly happy about it.
Bios I set to LBA, first thing I tried.
Then I serached here, found that you'd mentioned manually setting a low PIO mode, so I forced PIO mode 0. Nothing.
I finally, out of desperation, was going jumper by jumper on the mainboard, and noticed that there was a "cock-eyed" jumper on the mainboard next to the ide interfaces. ???
It seems this jumper manually forces ata33 vs ata 66/100. The manual isn't very clear on which it was set to before. Now I've re-seated that jumper so that it shorts the pins, and now I get the error that I have an ultra ata drive plugged into a non-ultra-ata cable, but it boots and installs.
Grrr….infuriating. The BIOS makes you think it is all soft controlled, when in reality it's on the mainboard. Go fig.
DEFINITELY needs a place in the wiki.
-
yeah, just copy and paste the nexcom additions too please :-)
-
Wiki'ed. Didn't do the nexcom stuff. Try to get to it later
http://wiki.pfsense.com/wikka.php?wakka=Hacom
Okay, now that I'm done hijacking the thread, perhaps I can get back to the business of working on OpenVPN? :P
-
I'm sorry guys, I've had zero time to come back to this. :(
I'm going to make every effort to get back to it next week, but I can't make any promises.
If anyone is up for it, we should get 2 or 3 of us to exchange openvpn connection info so we can add and remove several interfaces for testing. I'm game if anyone wants to PM me.
-
Hi!
Sorry that I didn't have time to do the testing, I've been very busy at work, "business as usual"… :(
(Man, I wish I had one of these jobs that would pay me to work for the open source community!)I have finally got some time to look into this post and do some testing with 1.0BETA2 (The BETA1-OpenVPN build wasn't available any more):
I did a very basic install into two VMWare sessions, and I have tried to test the all the available OpenVPN functionality between those two boxes.
Here are the problems which I have encountered, still TODO's:- openvpn messages not appearing in openvpn log in WebGui but in System log instead
- fix client not restarting when enabling disabled client
- XML error: not well-formed (invalid token) at line 117 when entering client-specific configuration
- fix client not restarting when changing interface configuration/when pf reloads
- XML error: not well-formed (invalid token) at line 117 when trying to configure a CRL
- firewall rules (their interface assignment) get messed up when interface is being added/removed
I hope I'll find some time this weekend to flash my WRAP at home with the new version, since the server part still seems to run without any problems.
So, what to do next?
Should I try and look into the above problems and then post a patch again?Marc
-
So, what to do next?
Should I try and look into the above problems and then post a patch again?Yep, that would be ideal. Or someone else… ;)
-
Apparently, for the OpenVPN VPN to work, you need to have a "pass in on tunX" and a "pass out on tunX" rule. Problem is, the pfSense user rules don't all you to create "pass out" rules.
So, instead of letting the user allow what goes through the tun interfaces, adding "pass out on tunX" and "pass in on tunX" in filter.inc depending on the number of tun interfaces configured sounds reasonable. It'd save us a lot of trouble, simplifying a lot things, I think.
The only drawback of this approach is that the user wouldn't have granulated control over the tun interfaces, but the user can control the access to the VPN using the rules for the interface used to connect to the VPN instead.
Or am I overlooking the issue?
-
We create pass out rules on bridges, too so this would be the solution.
create_firewall_outgoing_rules_to_itself() in /etc/inc/filter.inc contains these items so we simply need to ammend this to include tun rules if OpenVPN is in effect.
Someone want to take this on and submit a patch?
-
Nevermind, I did it myself.
http://cvstrac.pfsense.com/chngview?cn=10547
Let me know if it works.
-
Updated filter.inc here and testing now. Appears to work beautifully. Now if I could only figure out why my linksys wrt54gs recently decided to stop routing across the openvpn…
BTW, there's something that is just driving me nuts. Is there a reason that when using a pre-shared key there is a "0" appended at the end of the line?
secret /var/db/ovpn_srv_psk_tun0.pem 0
I keep having to manually delete the zero and restart openvpn mysellf. I don't want to go modding the code if there's a legit reason for it being there...I can't think of one though.
Here's the error generated if I leave it there:
Wed Mar 22 14:12:16 2006 Authenticate/Decrypt packet error: packet HMAC authentication failed
Deletion of the zero resolves the problem.
-
While we're on the matter, I need to allow routing to networks on the other side of the tunnel. I'm finding that I can't use the route-up command in the advanced options. For example:
route-up 172.16.31.0/24 10.0.1.3
Where 10.0.1.3 is the IP of this side of the openvpn tunnel. OpenVPN dies with this error:
Wed Mar 22 14:00:07 2006 Initialization Sequence Completed
Wed Mar 22 14:03:13 2006 event_wait : Interrupted system call (code=4)
route: must be root to alter routing table
Wed Mar 22 14:03:13 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Wed Mar 22 14:03:13 2006 SIGTERM[hard,] received, process exitingOops. I can of course either add a static route or manually work around it otherwise, but I don't think that's intended behavior. Individual tunnels should be able to bring up or take down routes via the advanced options, right?
-
Aside from the route-up issue above, and the fact that I have to keep manually removing that zero, your patch is functioning well. I guess I get to go code-digging to find where that zero is being generated and comment it out…
EDIT: Found it. /etc/openvpn.inc, line 420/1500
Originally:
$ovpn_config .= "secret {$g['vardb_path']}/ovpn_srv_psk_{$tun}.pem 0\n";Copied that line, commented out the first and removed the space and zero from the end of the line.
Also on line 991, did the same thing:
$ovpn_config .= "secret {$g['vardb_path']}/ovpn_cli_psk_{$tun}.pem 0\n";That should resolve that problem. The only other thing that comes to mind is flag –log /var/log/openvpn_tunx.log should be created instead of what is there now, which is just "openvpn statistics".
-
Just a head's up. The inability to place a route-up statement in expert mode is a bigger problem than I thought. What happens is that if you define a static route to work around the issue, is that if for some reason your tunnel is not up, you'll start getting arplookup x.x.x.x is not on local network errors, as the route gets assigned to something other than tunx (since it doesn't exist).
So that's no good. It looks as though we need either temporary privelege escalation, or stop running as nobody and run it as root (eep!!!!).
-
….and there's more. It seems that rules don't like to have "TUNx Network" chosen as a source or destination in a rule, as the variable does not resolve itself correctly:
# cat /tmp/notices a:1:{i:1143065694;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:328:"There were error(s) loading the rules: /tmp/rules.debug:143: syntax error /tmp/rules.debug:144: syntax error pfctl: Syntax error in config file: pf rules not loaded The line in question reads [143]: pass in quick on $TUN0 from /30 to 10.10.101.0/24 keep state label "USER_RULE: Allow all traffic from tunnel to Shadwick Home." ";s:3:"url";s:0:"";s:8:"category";s:13:"Filter Reload";s:8:"priority";i:1;}}pass in quick on tun0 from /30 huh? :P That should be the IP address of tun0, which in this case would be 10.0.2.1/30 (I think that's right. It hits a piece of subnetting screwy-ness in my brain. /32 allows no subnet bits for the network. /31 steals 1 bit for the network, and /30 steals 2 host bits. I'm not sure what the practical difference in a subnet situation there is between /32, /31, and /30. /29 is the first subnet mask that begins to make any sense, giving you 4 host bits for the network, 1 for network, 1 for broadcast, and 2 hosts…).
Long story short, we have a variable that doesn't get resolved someplace.