Netgate Discussion Forum

    Beta 3 & 4 & RC1a : openvpn interface

    General pfSense Questions
    30 Posts 7 Posters 15.2k Views
    • R
      r0n
      last edited by

      Hi,

      With the new GUI interface, it is not possible to create such a client because I don't want to specify some information.
      This information is dynamic (remote IP/local IP, remote network routes pushed, etc.).
      So I have to set up the VPN client manually.

      The following input errors were detected:

      * The field 'Local port' is required.
      * The field 'Local IP' is required.
      * The field 'Remote IP' is required.
      * The field 'IP block' is required.
      * The field 'Local IP' is required.
      * The field 'Remote IP' is required.

      Will you fix it?

      regards,
      ronan.

      • F
        fernandotcl
        last edited by

        Well, those fields are required, why would you want not to specify them?

        EDIT:
        I took a look at the OpenVPN documentation, so, some notes:

        • Local port - It's an important setting for servers, not so much for clients. I think it defaults to 1194 even on clients, which could cause nasty stuff if you're also running an OpenVPN server in the same machine. It might as well choose a random client port to use for its side if a port isn't specified. I don't really know its behavior, I need more information on this. If that's the case, you're right, that info isn't needed, and I'll make it so that leaving this field blank will make OpenVPN choose a random client port.

        • Local/Remote IP - I just took a look at the old OpenVPN code, and apparently those aren't needed for the clients, since they're pushed by the server. I'm gonna take a look at it to correct this stuff.

        • IP block - You're right, this can be pushed by the server, gonna correct this as well.

        • R
          r0n
          last edited by

          Because in my configuration I need these parameters to be dynamic,
          and in the previous version of the pfSense OpenVPN GUI it was OK.
          I want to know if it will be fixed?

          regards,
          ronan.

          • F
            fernandotcl
            last edited by

            I'm fixing it already. The client will not ask for the local port anymore, assuming OpenVPN will choose a random client port if one isn't specified. Those other parameters (IP block and Local/Remote IP) will be "dynamic" in the sense that they will be pushed by the server.

            • F
              fernandotcl
              last edited by

              Please tell me if I'm missing something, but remote IP assignment is only possible in TLS (PKI) mode, not static key mode. That's cause ifconfig-push, ifconfig-pool and push 'ifconfig …' are only allowed in TLS mode.

              So in TLS mode things will work The Right Way (tm). There'll be an address pool instead of a Local/Remote IP field, and for the client it won't be needed to specify any kind of address to assign to the local interface. In secret key mode there'll be an address pool field for clients, that'll work pretty much like Local/Remote IP did, except that it'll assign the interface to (IP & mask) + 1 => (IP & mask) + 2, which is pretty much standard for most VPNs.

              Comments, ideas, suggestions or anything?

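The static-key address assignment described in the post above, local = (IP & mask) + 1 and remote = (IP & mask) + 2, worked through as an added example. This is not pfSense code and not from the thread; the function names and the sample pools are ours, and the check that the pool is at least a /30 is our own addition so that both endpoints fit inside the block.

```python
import ipaddress


def static_key_endpoints(pool):
    """Derive the two p2p tunnel addresses from an address pool.

    pool is 'a.b.c.d/prefix' or 'a.b.c.d/netmask'. Host bits in the given
    address are masked off (IP & mask), then the side holding this pool gets
    +1 as its own address and +2 as the peer, as described in the post.
    """
    net = ipaddress.ip_network(pool, strict=False)  # strict=False applies IP & mask
    # A /30 is the smallest block that contains network + 1 and network + 2.
    if net.prefixlen > 30:
        raise ValueError(f"pool {pool} is too small: a /30 or larger block is needed")
    base = int(net.network_address)
    local = ipaddress.ip_address(base + 1)
    remote = ipaddress.ip_address(base + 2)
    return str(local), str(remote)


def ifconfig_lines(pool):
    """Return the OpenVPN 'ifconfig <own> <peer>' directive for both sides.

    The side that holds the pool lists +1 then +2; the peer's config is the
    mirror image, so the two sides agree on which address is which.
    """
    local, remote = static_key_endpoints(pool)
    return {
        "this_side": f"ifconfig {local} {remote}",
        "peer": f"ifconfig {remote} {local}",
    }


if __name__ == "__main__":
    # Constructed sample pool, not an address from the thread.
    for side, line in ifconfig_lines("10.0.8.0/24").items():
        print(f"{side}: {line}")
```

Because host bits are masked off first, a pool entered as 10.0.8.77/24 yields the same pair as 10.0.8.0/24, which is what makes the field tolerant of a sloppy entry; a /31 or /32 is rejected rather than silently producing addresses outside the block.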
              • R
                r0n
                last edited by

                Hi,

                 1 - Thanks a lot for the fix. I haven't tried it yet; can I update with cvs_sync.sh releng_1 ?

                 2 - By the way, I think tls-auth + PKI auth working together is allowed.
                 So, I think dynamic push is allowed with tls-auth.

                 For example, a working client config file:
                 ------------------------
                client
                dev tun
                proto udp
                remote X.X.X.X 62595
                resolv-retry infinite
                nobind
                persist-key
                persist-tun
                ca keys/ca.crt
                cert keys/client.crt
                key keys/client.key
                tls-auth keys/ta.key 1
                auth-user-pass
                cipher RC2-40-CBC
                comp-lzo
                verb 3

                 3 - So, is it possible to integrate some plugin features like auth-user-pass, to authenticate against a remote NIS/LDAP/RADIUS/unix file or other server?
                 Or to integrate a window to manually add options, maybe (like the older version)?

                Thanks for your work,

                Best Regards,
                ronan.

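The client config posted above is a good specimen for the points this thread argues about: `nobind` is what lets the client take an ephemeral local port instead of a fixed one, and `tls-auth` sits alongside the PKI files rather than excluding them. One thing the thread does not remark on is `cipher RC2-40-CBC`, a 40-bit cipher. The small linter below is an added example, not code from pfSense or from any poster; it parses a config of that shape (the sample is constructed from the post, placeholder address kept as-is), checks the points above, and flags weak ciphers. Directive names are real OpenVPN directives; the function names and the weak-cipher list are ours.

```python
import re

# Constructed from the config posted above; the remote address placeholder is kept as-is.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote X.X.X.X 62595
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
auth-user-pass
cipher RC2-40-CBC
comp-lzo
verb 3
"""

# Cipher names with 40-, 56- or 64-bit keys, or a 64-bit block size
# (RC2, RC4, DES/3DES, Blowfish, CAST5, IDEA): all of these are weak.
WEAK_CIPHER_RE = re.compile(r"^(RC2|RC4|DES|BF|CAST5|IDEA)\b|-40-|-56-|-64-", re.IGNORECASE)


def parse_openvpn_config(text):
    """Split an OpenVPN config into (directive, args) tuples.

    Lines starting with '#' or ';' are comments, as in OpenVPN itself.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def lint_client_config(text):
    """Return a list of findings for a PKI-mode client config; [] means clean."""
    entries = parse_openvpn_config(text)
    directives = {name for name, _ in entries}
    findings = []

    # Local port: 'nobind' means no fixed local port, so the client takes an
    # ephemeral one; without it (or 'lport') OpenVPN binds its default port.
    if "nobind" not in directives and "lport" not in directives:
        findings.append("no 'nobind' or 'lport': client binds the default local port 1194")

    # PKI mode needs the CA, the client certificate and its private key.
    for required in ("ca", "cert", "key"):
        if required not in directives:
            findings.append(f"PKI client is missing '{required}'")

    # tls-auth (or tls-crypt) gates the TLS control channel with an HMAC.
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        findings.append("no 'tls-auth' or 'tls-crypt': control channel is not HMAC-protected")

    # In PKI mode the server pushes the tunnel addresses, so a static
    # 'ifconfig' in the client config is redundant (the point of this thread).
    if "client" in directives and "ifconfig" in directives:
        findings.append("'ifconfig' set on a PKI client: addresses are pushed by the server")

    for name, args in entries:
        if name == "cipher" and args and WEAK_CIPHER_RE.search(args[0]):
            findings.append(f"weak cipher '{args[0]}'")
    return findings


if __name__ == "__main__":
    for finding in lint_client_config(SAMPLE_CLIENT_CONFIG) or ["clean"]:
        print(finding)
```

Run against the posted config, the linter returns a single finding, the 40-bit RC2 cipher; the local-port and tls-auth points the thread debated check out as the posters concluded.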
                • F
                  fernandotcl
                  last edited by

                  1. I haven't committed to HEAD yet, so hold on. I'm still testing the PKI stuff (I changed a lot of things this time, especially in the server configuration).

                  2. tls-auth + PKI is not only possible, but obligatory. PKI implies tls-auth. The only problem is that shared key authentication doesn't allow ifconfig-pool, ifconfig-push or push "ifconfig …". In PKI/TLS mode, everything works as planned. Shared key is a bitch, though.

                  3. Yeah, I plan on using plugins to make OpenVPN integrate with Radius/LDAP/passwd. I'll first fix the interface, then I'll try to add those things when I have time. And yeah, it's pretty easy to create such an expert-mode configuration area, gonna implement it soon.

                  Thanks for the suggestions, keep them coming.

                  EDIT: It's now in CVS, HEAD branch, not RELENG_1 yet. Now the whole interface should look more like the OpenVPN config. Squished a bug or two as well. The expert-mode textarea didn't make it to this commit, but it'll certainly make it next time. Same thing with client-specific configuration. There's a great deal of logic behind the grayed out fields, I'd like more people to try this out to find any possible quirks.

                  • S
                    sullrich
                    last edited by

                    Now committed to RELENG_1 as well.

                    If you are on a full installation from a shell run:

                    cvs_sync.sh releng_1

                    And you will be on the latest 1.0-BETA3 version.

                    • R
                      r0n
                      last edited by

                      Hi,

                      I just updated to RELENG_1_SNAPSHOT-04-20-2006,

                      and got these errors in client mode, PKI auth mode:

                      The following input errors were detected:

                      * The field 'Local IP' is required.
                      * The field 'Remote IP' is required.

                      Even though no field is blank. It seems there is a problem.
                      By the way, these fields must not be required.

                      Could you fix this problem ?

                      Regards,
                      ronan

                      • B
                        billm
                        last edited by

                        @r0n:

                        Hi,

                        I just updated to RELENG_1_SNAPSHOT-04-20-2006,

                        and got these errors in client mode, PKI auth mode:

                        The following input errors were detected:

                        * The field 'Local IP' is required.
                        * The field 'Remote IP' is required.

                        Even though no field is blank. It seems there is a problem.
                        By the way, these fields must not be required.

                        Could you fix this problem ?

                        Regards,
                        ronan

                        RELENG_1_SNAPSHOT-04-20-2006 < BETA3

                        --Bill

                        pfSense core developer
                        blog - http://www.ucsecurity.com/
                        twitter - billmarquette

                        • S
                          sullrich
                          last edited by

                          Yes, DO NOT report problems on past versions.  The current version is Beta 3 with the hot fix applied.

                          I repeat, WE DO NOT SUPPORT OLDER VERSIONS.

                          • R
                            r0n
                            last edited by

                            @sullrich:

                            Now committed to RELENG_1 as well.

                            If you are on a full installation from a shell run:

                            cvs_sync.sh releng_1

                            And you will be on the latest 1.0-BETA3 version.

                            I have just done this to update to RELENG_1_SNAPSHOT-04-20-2006.
                            It's the latest BETA3, no?

                            ronan.

                            • S
                              sullrich
                              last edited by

                              Yes, that is the latest.  Sorry, I thought you downloaded an image somewhere.

                              • R
                                r0n
                                last edited by

                                OK, no problem :)

                                So, fernandotcl, what do you think about that?

                                Regards,
                                ronan.

                                @r0n:

                                Hi,

                                I just updated to RELENG_1_SNAPSHOT-04-20-2006,

                                and got these errors in client mode, PKI auth mode:

                                The following input errors were detected:

                                * The field 'Local IP' is required.
                                * The field 'Remote IP' is required.

                                Even though no field is blank. It seems there is a problem.
                                By the way, these fields must not be required.

                                Could you fix this problem ?

                                Regards,
                                ronan

                                • F
                                  fernandotcl
                                  last edited by

                                  Hmmm, I'll take a look at that, should be simple to fix. Today I'll be very busy, maybe by the end of day I'll take a look at it. Thanks for reporting.

                                  • F
                                    fernandotcl
                                    last edited by

                                    Hmmm wait a second… This is old stuff.

                                    I think the newest code hasn't been committed to RELENG_1 yet. To update OpenVPN to HEAD, do as follows:

                                    1. Backup your stuff. The files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml.
                                    2. Go to CVSweb ( http://www.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/ ). Browse through CVSweb to the directory pfSense. Grab the following files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml, /usr/local/pkg/openvpn_csc.xml. When you find those files, click on them, and then click on "Download" for the newest version of the file that is available, i.e., the one in HEAD. The latest version of the files have something like: "Branches: MAIN; CVS tags: HEAD" in their description as you click them.
                                    3. Install those files into pfSense. The /etc files go to /etc, the /usr/local/pkg ones go to /usr/local/pkg. If everything goes right, you'll see the changes in the interface. If not, restore your backups and post more info here.
                                    • S
                                      sullrich
                                      last edited by

                                      All files with the exception of /usr/local/pkg/openvpn_csc.xml (which does not exist in HEAD) have been MFC'd to RELENG_1.

                                      To get the updates do a cvs_sync.sh RELENG_1 from a shell prompt.

                                      • R
                                        r0n
                                        last edited by

                                        Hi !

                                        I have updated via cvs_sync.sh. Thanks for the new interface, it works fine.

                                        Btw, after some time of inactivity (hours or days), openvpn seems to be down.
                                        The process "openvpn" is not present in the process list and/or the tun0 interface is up,
                                        with the correct IP, but the remote IP/subnet is not pingable (no openvpn logs on the remote server).

                                        You need to manually launch the openvpn process to bring it up, or to reboot the pfSense server.

                                        What do you think about that ?

                                        Regards,
                                        ronan.

                                        • H
                                          hoba
                                          last edited by

                                          Sounds like the process dies for some reason. Anything in the logs? You should retest this behavior with the upcoming beta4, which is built on FreeBSD 6.1R.

                                          • R
                                            r0n
                                            last edited by

                                            I will.
                                            No, there is nothing in the logs.
                                            I will set the daemon to be more verbose.

                                            But is there any system that monitors openvpn and relaunches it when it dies?
                                            (It could be useful, but crappy because the existing TCP sessions end up closed.)

                                            regards,
                                            ronan.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.