Beta 3 & 4 & RC1a : openvpn interface
-
I'm fixing it already. The client will not ask for the local port anymore, assuming OpenVPN will choose a random client port if one isn't specified. Those other parameters (IP block and Local/Remote IP) will be "dynamic" in the sense that they will be pushed by the server.
-
Please tell me if I'm missing something, but remote IP assignment is only possible in TLS (PKI) mode, not static key mode. That's because ifconfig-push, ifconfig-pool and push 'ifconfig …' are only allowed in TLS mode.
So in TLS mode things will work The Right Way (tm). There'll be an address pool instead of a Local/Remote IP field, and the client won't need to specify any kind of address to assign to the local interface. In secret key mode there'll be an address pool field for clients, that'll work pretty much like Local/Remote IP did, except that it'll assign the interface to (IP & mask) + 1 => (IP & mask) + 2, which is pretty much standard for most VPNs.
Comments, ideas, suggestions or anything?
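The two addressing schemes described above, worked through as an added example (not pfSense or OpenVPN code). The static-key helper applies the "(IP & mask) + 1 => (IP & mask) + 2" rule; which side gets +1 is not stated in the post, so the server-takes-+1 convention here is an assumption. The TLS-mode helper reproduces the net30 pool layout that OpenVPN 2.0's `server` directive expands to (server on +1/+2, each client its own /30 from +4 upwards), which is consistent with the client log later in this thread (tun0 10.255.254.6 peer 10.255.254.5, route to 10.255.254.1). The /30 and /24 used below are constructed from those log values.

```python
import ipaddress


def ptp_endpoints(block):
    """Static-key (point-to-point) pair: mask the address, then
    return ((IP & mask) + 1, (IP & mask) + 2) as dotted strings."""
    net = ipaddress.ip_network(block, strict=False)  # strict=False applies the mask
    if net.num_addresses < 4:
        raise ValueError("need at least a /30 for a point-to-point pair")
    base = int(net.network_address)
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))


def static_key_ifconfig(block, side):
    """'ifconfig local remote' line for one side of a static-key tunnel.
    Assumed convention: the server takes +1, the client +2."""
    first, second = ptp_endpoints(block)
    if side == "server":
        local, remote = first, second
    elif side == "client":
        local, remote = second, first
    else:
        raise ValueError("side must be 'server' or 'client'")
    return f"ifconfig {local} {remote}"


def server_directive(block):
    """TLS-mode equivalent: one 'server network netmask' line; the
    per-client addresses are then pushed, not typed into the client."""
    net = ipaddress.ip_network(block, strict=False)
    return f"server {net.network_address} {net.netmask}"


def tls_pool_layout(block, clients):
    """net30 layout of OpenVPN 2.0's 'server' directive: the server's tun
    is base+1 (peer base+2); client k gets the /30 starting at base+4k,
    using +2 as its local address and +1 as its peer."""
    net = ipaddress.ip_network(block, strict=False)
    base = int(net.network_address)
    last = int(net.broadcast_address)
    server = (str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2)))
    pairs = []
    for k in range(1, clients + 1):
        sub = base + 4 * k
        if sub + 3 > last:
            raise ValueError("address pool exhausted")
        pairs.append((str(ipaddress.ip_address(sub + 2)), str(ipaddress.ip_address(sub + 1))))
    return server, pairs


if __name__ == "__main__":
    # Constructed values: the /30 the thread's client log ends up on, and its /24.
    print(static_key_ifconfig("10.255.254.4/30", "client"))
    print(server_directive("10.255.254.0/24"))
    print(tls_pool_layout("10.255.254.0/24", 2))
```

The `strict=False` is what makes the "& mask" step explicit: handing the helper a host address such as `10.255.254.6/30` yields the same pair as handing it the network address, which is the behaviour the post describes for the address-pool field.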
-
Hi,
1 - Thanks a lot for the fix. I haven't tried it yet; can I update with cvs_sync.sh releng_1 ?
2 - By the way, I think tls-auth + PKI auth working together is allowed.
So, I think dynamic push is allowed with tls-auth. For example, a working client config file:
------------------------
client
dev tun
proto udp
remote X.X.X.X 62595
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
auth-user-pass
cipher RC2-40-CBC
comp-lzo
verb 3
------------------------
3 - So, is it possible to integrate some plugin features like auth-user-pass, to authenticate with a remote NIS/LDAP/RADIUS/unix_file or other server?
Or, to integrate a window to manually add options maybe? (like the older version?)
Thanks for your work,
Best Regards,
ronan.
-
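An added example (not pfSense or OpenVPN code) that checks a config of the kind posted above against the mode rules discussed in this thread: ifconfig-pool, ifconfig-push and push need TLS mode, while static-key mode needs an explicit ifconfig. It also adds two checks a reviewer would want on that client config: the 40-bit `cipher RC2-40-CBC`, and the absence of any server certificate verification directive, which is exactly what the "No server certificate verification method has been enabled" warning in the client log later in the thread is about. `ns-cert-type server` is the OpenVPN 2.0-era directive for that, `remote-cert-tls server` its 2.1+ replacement. The weak-cipher list and the second sample config are constructed for the example.

```python
import shlex

# Illustrative set of 40/56/64-bit OpenSSL cipher names; extend as needed.
WEAK_CIPHERS = {"RC2-40-CBC", "RC2-64-CBC", "DES-CBC", "DES-CFB", "DES-OFB"}

# Constructed copy of the client config posted above (paths and port kept).
POSTED_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote X.X.X.X 62595
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
auth-user-pass
cipher RC2-40-CBC
comp-lzo
verb 3
"""

# Constructed static-key config that uses a TLS-only directive.
STATIC_KEY_MISUSE = """\
dev tun
secret static.key
ifconfig-pool 10.8.0.4 10.8.0.251
"""


def parse_config(text):
    """Return [(directive, [args])]. Comments start with '#' or ';'.
    Inline <ca>...</ca> blocks are not handled; 2.0-era configs use file paths."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # handles push "ifconfig ..." quoting
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def audit(text):
    cfg = parse_config(text)
    have = {d for d, _ in cfg}
    args = {d: a for d, a in cfg}  # last occurrence wins; enough for this audit
    findings = []
    tls_mode = bool({"client", "tls-client", "tls-server", "server"} & have)
    static_mode = "secret" in have
    if tls_mode and static_mode:
        findings.append("CONFLICT: 'secret' (static key) cannot be combined with TLS mode")
    if static_mode:
        # push in general requires --mode server, i.e. TLS mode.
        for d in ("ifconfig-pool", "ifconfig-push", "push"):
            if d in have:
                findings.append(f"NOT_ALLOWED: '{d}' requires TLS mode, not a static key")
        if "ifconfig" not in have:
            findings.append("MISSING: static-key mode needs an explicit 'ifconfig local remote'")
    if "client" in have:
        if "ifconfig" in have:
            findings.append("REDUNDANT: 'ifconfig' on a TLS client is normally pushed by the server")
        if not {"ns-cert-type", "remote-cert-tls", "tls-remote"} & have:
            findings.append("NO_SERVER_CERT_CHECK: add 'ns-cert-type server' (2.0) "
                            "or 'remote-cert-tls server' (2.1+)")
        if "tls-auth" not in have:
            findings.append("NO_TLS_AUTH: no HMAC firewall; unauthenticated packets reach the TLS layer")
    if "cipher" in have and args["cipher"] and args["cipher"][0].upper() in WEAK_CIPHERS:
        findings.append(f"WEAK_CIPHER: {args['cipher'][0]} has a key shorter than 128 bits")
    return findings


def codes(text):
    """Just the finding codes, for scripting and tests."""
    return [f.split(":", 1)[0] for f in audit(text)]


if __name__ == "__main__":
    for name, text in (("posted client", POSTED_CLIENT_CONFIG), ("static key", STATIC_KEY_MISUSE)):
        print(name)
        for f in audit(text):
            print("  " + f)
```

Run against the posted config it reports only the cipher and the missing server certificate check; everything else in that file (tls-auth, persist-key/persist-tun, no ifconfig on the client) is what the thread's author describes as the intended TLS-mode shape.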
1. I haven't committed to HEAD yet, so hold on. I'm still testing the PKI stuff (I changed a lot of things this time, especially in the server configuration).
2. tls-auth + PKI is not only possible, but obligatory. PKI implies tls-auth. The only problem is that shared key authentication doesn't allow ifconfig-pool, ifconfig-push or push "ifconfig …". In PKI/TLS mode, everything works as planned. Shared key is a bitch, though.
3. Yeah, I plan on using plugins to make OpenVPN integrate with Radius/LDAP/passwd. I'll first fix the interface, then I'll try to add those things when I have time. And yeah, it's pretty easy to create such an expert-mode configuration area, gonna implement it soon.
Thanks for the suggestions, keep them coming.
EDIT: It's now in CVS, HEAD branch, not RELENG_1 yet. Now the whole interface should look more like the OpenVPN config. Squished a bug or two as well. The expert-mode textarea didn't make it into this commit, but it'll certainly make it next time. Same thing with client-specific configuration. There's a great deal of logic behind the grayed-out fields; I'd like more people to try this out to find any possible quirks.
-
Now committed to RELENG_1 as well.
If you are on a full installation from a shell run:
cvs_sync.sh releng_1
And you will be on the latest 1.0-BETA3 version.
-
Hi,
I just updated to RELENG_1_SNAPSHOT-04-20-2006,
and got these errors in client mode, PKI auth mode:
The following input errors were detected:
* The field 'Local IP' is required.
* The field 'Remote IP' is required.
Even if no field is blank. It seems to have a problem..
By the way, these fields must not be required.. Could you fix this problem?
Regards,
ronan
-
@r0n:
Hi,
I just updated to RELENG_1_SNAPSHOT-04-20-2006,
and got these errors in client mode, PKI auth mode:
The following input errors were detected:
* The field 'Local IP' is required.
* The field 'Remote IP' is required.
Even if no field is blank. It seems to have a problem..
By the way, these fields must not be required.. Could you fix this problem?
Regards,
ronan
RELENG_1_SNAPSHOT-04-20-2006 < BETA3
-- Bill
-
Yes, DO NOT report problems on past versions. The current version is Beta 3 with the hot fix applied.
I repeat, WE DO NOT SUPPORT OLDER VERSIONS.
-
Now committed to RELENG_1 as well.
If you are on a full installation from a shell run:
cvs_sync.sh releng_1
And you will be on the latest 1.0-BETA3 version.
I have just done this to update to RELENG_1_SNAPSHOT-04-20-2006.
It's the latest BETA3, no?
ronan.
-
Yes, that is the latest. Sorry, I thought you downloaded an image somewhere.
-
ok, no pbs :)
So, fernandotcl, what do you think about that?
Regards,
ronan.
@r0n:
Hi,
I just updated to RELENG_1_SNAPSHOT-04-20-2006,
and got these errors in client mode, PKI auth mode:
The following input errors were detected:
* The field 'Local IP' is required.
* The field 'Remote IP' is required.
Even if no field is blank. It seems to have a problem..
By the way, these fields must not be required.. Could you fix this problem?
Regards,
ronan
-
Hmmm, I'll take a look at that, should be simple to fix. Today I'll be very busy, maybe by the end of day I'll take a look at it. Thanks for reporting.
-
Hmmm wait a second… This is old stuff.
I think the newest code hasn't been committed to RELENG_1 yet. To update OpenVPN to HEAD, do as follows:
- Back up your stuff. The files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml.
- Go to CVSweb ( http://www.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/ ). Browse through CVSweb to the directory pfSense. Grab the following files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml, /usr/local/pkg/openvpn_csc.xml. When you find those files, click on them, and then click on "Download" for the newest version of the file that is available, i.e., the one in HEAD. The latest versions of the files have something like "Branches: MAIN; CVS tags: HEAD" in their description as you click them.
- Install those files into pfSense. The /etc files go to /etc, the /usr/local/pkg ones go to /usr/local/pkg. If everything goes right, you'll see the changes in the interface. If not, restore your backups and post more info here.
-
All files with the exception of /usr/local/pkg/openvpn_csc.xml (which does not exist in HEAD) have been MFC'd to RELENG_1.
To get the updates do a cvs_sync.sh RELENG_1 from a shell prompt.
-
Hi !
I have updated via cvs_sync.sh. Thanks for the new interface, it works fine.
Btw, after some time of inactivity (hours or days), openvpn seems to be down.
The process "openvpn" is not present in the process list and/or the tun0 interface is up,
with the correct IP, but the remote IP/subnet is not pingable (no openvpn logs on the remote server).
You need to manually launch the openvpn process to bring it up, or to reboot the pfSense server.
What do you think about that ?
Regards,
ronan.
-
Sounds like the process dies for some reason. Anything in the logs? You should retest this behavior with the upcoming beta4, which is built on FreeBSD 6.1R.
-
I will,
no, there is nothing in the logs.
I will set the daemon to be more verbose.
But is there any system that monitors openvpn and relaunches it when it dies?
(it could be useful, but crappy because the existing TCP sessions end up being closed)
regards,
ronan.
-
Hi all,
After some days testing 1beta4, I have these results:
The OpenVPN client process does not crash on this new pfSense. After some days of activity, I am unable to use the VPN.
On the remote server side, I have these logs when I try to ping through the VPN from the client side (from pfSense).
WRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRW
RMon May 22 10:33:59 2006 us=338268 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped
RMon May 22 10:34:00 2006 us=338125 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped
RMon May 22 10:34:01 2006 us=337632 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped
I need to kill the openvpn process on the pfSense client side and restart it to make it work.
What do you think about that? The WAN interface is an ADSL line, with a non-static IP.
Is there a way to automatically refresh all the VPN configuration (client side & server side), so that it accepts the new IP configuration?
It would be nice to be able to configure an "HMAC firewall", with tls-auth ta.key, in PKI auth mode.
On pfsense, openvpn logs appear 2 times in the System Logs on the webgui. And not in the openvpn tab :
May 22 11:32:24 openvpn[17519]: Cannot allocate TUN/TAP dev dynamically
May 22 11:32:24 openvpn[17519]: Cannot allocate TUN/TAP dev dynamically
May 22 11:32:24 openvpn[17519]: Exiting
May 22 11:32:24 openvpn[17519]: Exiting
May 22 11:35:16 openvpn[18825]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
May 22 11:35:16 openvpn[18825]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
May 22 11:35:16 openvpn[18825]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
May 22 11:35:16 openvpn[18825]: IMPORTANT: OpenVPN's default port number is now 1194, based on an officia
Another thing, it would be nice too to have a bigger window to add the Custom options no ? ;)
Thats all ! :)
Thanks, regards,
ronan.
-
I am looking to set up OpenVPN on my system. The problem is that I can't find a way to create the keys. I would assume I should be able to do it using SSH, but I can't find the openvpn directory. Can anybody make any suggestions?
-
I have some logs that point to the problem (from the pfSense OpenVPN client), before the crash,
before the ADSL rotation of the dynamic address of the PPPoE WAN interface:
Mon May 22 12:49:07 2006 [server] Peer Connection Initiated with 194.X.X.X:27594
Mon May 22 12:49:09 2006 gw 86.X.X.1
Mon May 22 12:49:09 2006 TUN/TAP device /dev/tun0 opened
Mon May 22 12:49:09 2006 /sbin/ifconfig tun0 10.255.254.6 10.255.254.5 mtu 1500 netmask 255.255.255.255 up
add net 10.2.0.0: gateway 10.255.254.5
add net 10.1.0.0: gateway 10.255.254.5
add net 10.9.0.0: gateway 10.255.254.5
add net 10.255.254.1: gateway 10.255.254.5
Mon May 22 12:49:09 2006 GID set to nobody
Mon May 22 12:49:09 2006 UID set to nobody
Mon May 22 12:49:09 2006 Initialization Sequence Completed
Tue May 23 12:48:36 2006 write UDPv4: Network is unreachable (code=51)
Tue May 23 12:50:26 2006 [server] Inactivity timeout (--ping-restart), restarting
Tue May 23 12:50:26 2006 SIGUSR1[soft,ping-restart] received, process restarting
Tue May 23 12:50:28 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue May 23 12:50:28 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 23 12:50:28 2006 Re-using SSL/TLS context
Tue May 23 12:50:28 2006 LZO compression initialized
Tue May 23 12:50:28 2006 UDPv4 link local (bound): [undef]:1194
Tue May 23 12:50:28 2006 UDPv4 link remote: 194.X.X.X:27594
Tue May 23 12:50:29 2006 [server] Peer Connection Initiated with 194.X.X.X:27594
Tue May 23 12:50:30 2006 Preserving previous TUN/TAP instance: tun0
Tue May 23 12:50:30 2006 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
route: must be root to alter routing table
Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
route: must be root to alter routing table
Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
route: must be root to alter routing table
Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
route: must be root to alter routing table
Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Tue May 23 12:50:31 2006 gw 86.X.X.X.1
Tue May 23 12:50:31 2006 Cannot allocate TUN/TAP dev dynamically
Tue May 23 12:50:31 2006 Exiting
regards,
ronan.
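An added triage example (not pfSense or OpenVPN code) run over a constructed excerpt modelled on the client log above, with the same placeholder addresses. It tags the sequence the log shows: the daemon dropped to user nobody after initialisation, later lost its WAN path, restarted on ping-restart, was told by the server that pulled options had changed (so tun0 had to be reopened despite persist-tun), and then failed every `route delete` and the TUN/TAP re-allocation with "must be root" before exiting. The reading that the earlier privilege drop is what turns a routine ping-restart into a fatal exit is the editor's, not stated by the posters; the script only reports the pattern when both the drop and the restart precede the privilege errors.

```python
import re

# Constructed excerpt modelled on the client log quoted in the post above.
SAMPLE_LOG = """\
Mon May 22 12:49:09 2006 GID set to nobody
Mon May 22 12:49:09 2006 UID set to nobody
Mon May 22 12:49:09 2006 Initialization Sequence Completed
Tue May 23 12:48:36 2006 write UDPv4: Network is unreachable (code=51)
Tue May 23 12:50:26 2006 [server] Inactivity timeout (--ping-restart), restarting
Tue May 23 12:50:26 2006 SIGUSR1[soft,ping-restart] received, process restarting
Tue May 23 12:50:28 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 23 12:50:30 2006 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
route: must be root to alter routing table
Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Tue May 23 12:50:31 2006 Cannot allocate TUN/TAP dev dynamically
Tue May 23 12:50:31 2006 Exiting
"""

# OpenVPN 2.0 console timestamp: "Tue May 23 12:50:30 2006 <message>"
TS = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")


def parse(text):
    """Yield (timestamp, message); helper output such as route(8)'s
    'must be root' line has no timestamp and inherits the previous one."""
    events, last_ts = [], None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            last_ts, msg = m.group("ts"), m.group("msg")
        else:
            msg = line
        events.append((last_ts, msg))
    return events


def triage(text):
    """Return [(code, timestamp, message)] for the events worth a look."""
    findings, dropped_privs, restarted = [], False, False
    for ts, msg in parse(text):
        if msg.startswith(("UID set to", "GID set to")):
            dropped_privs = True          # --user/--group took effect; no way back
        elif "SIGUSR1" in msg and "restart" in msg:
            restarted = True
            findings.append(("RESTART", ts, msg))
        elif "Network is unreachable" in msg:
            findings.append(("LINK_DOWN", ts, msg))
        elif "No server certificate verification" in msg:
            findings.append(("NO_SERVER_CERT_CHECK", ts, msg))
        elif "Pulled options changed on restart" in msg:
            findings.append(("REOPEN_NEEDED", ts, msg))   # persist-tun cannot help here
        elif "must be root" in msg or "Cannot allocate TUN/TAP" in msg:
            code = "PRIV_LOST_AFTER_RESTART" if (dropped_privs and restarted) else "PRIV_ERROR"
            findings.append((code, ts, msg))
        elif "route delete command failed" in msg or "route add command failed" in msg:
            findings.append(("ROUTE_CMD_FAILED", ts, msg))
        elif msg == "Exiting":
            findings.append(("DAEMON_EXIT", ts, msg))
    return findings


def codes(text):
    return [c for c, _, _ in triage(text)]


def verdict(text):
    """One-line reading of the pattern, for a monitoring alert."""
    seen = set(codes(text))
    if {"PRIV_LOST_AFTER_RESTART", "DAEMON_EXIT"} <= seen:
        return ("daemon exited: restart needed root for routes/TUN after privileges were dropped; "
                "either keep privileges or make the restart not require re-plumbing")
    if "DAEMON_EXIT" in seen:
        return "daemon exited; see preceding errors"
    if "LINK_DOWN" in seen or "RESTART" in seen:
        return "link flapped but the tunnel recovered"
    return "no notable events"


if __name__ == "__main__":
    for code, ts, msg in triage(SAMPLE_LOG):
        print(f"{code:24} {ts}  {msg}")
    print(verdict(SAMPLE_LOG))
```

The `NO_SERVER_CERT_CHECK` tag is the same finding the client config earlier in the thread would raise statically; seeing it in the running daemon's output confirms the client is not checking that the peer presenting a certificate is actually the server.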