PfSense as openVPN client
-
Since I was unable to get it done with IPCop and Endian so far, just a very general question:
Will I be able to establish an openVPN connection with Ivacy? http://ivacy.com/en/doc/user/setup/winxp_openvpn
So will pfSense work as a full operational openVPN client?
Can I configure pfSense to block any traffic when the openVPN connection fails? Thank you
-
Yes pfSense can act as a client.
I'm not sure what kind of additional authentication Ivacy does. (Your account and password?) Can you find out more about what it is? (Are they using a PAM module to their authentication server?)
I think it's possible to configure the firewall rules in a way that if the openVPN connection fails everything gets dropped.
(create a balancing pool with the other side of the VPN tunnel as gateway and use this gateway in your default LAN rule).
-
I'm not sure what kind of additional authentication Ivacy does. (Your account and password?)
Yes, username and password additionally.
I've just entered all the information pfSense asks for and right now there is just a very basic problem: how can I connect/start the connection? :)
At services there is just an ipsec server, no openvpn server to start… Since Ivacy offers a prepared config file, can I even copy it via shell without using the config GUI?
-
Hello,
I use the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?
custom options -> auth-user-pass file_with_login_pass
might be a hack for the login but I currently have no idea for the tls contents
Regards,
Foo
-
custom options -> auth-user-pass file_with_login_pass
might be a hack for the login but I currently have no idea for the tls contents
Well this ain't going to work for me as I only use the pfsense live CD :-(
Or am I wrong?
/Moelito
-
Hello,
I use the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?
custom options -> auth-user-pass file_with_login_pass
might be a hack for the login but I currently have no idea for the tls contents
Regards,
Foo
Hi, I'm also in need of doing this!
I've gotten to the same point as you, did you ever find the solution to this problem?
I've looked at the OpenVPN website for answers on how to do this but no luck so far… The question is how to handle the username and password authentication and the tls file.
Regards,
Lockzi
-
Hello again,
here's an update to how far I've come…
https://pr.ivacy.com/en/doc/help/setup/winxp_openvpn
From there we can find that the OpenVPN should have these settings:

```
client
dev tun
proto udp
remote openvpn.ivacy.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ivacy-keys/ivacy-ca.crt
cert ivacy-keys/ivacy-client.crt
key ivacy-keys/ivacy-client.key
tls-auth ivacy-keys/ivacy-tls.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
redirect-gateway
script-security 3
reneg-sec 0
```
and they've also supplied us with the ca-cert, client-cert, client-key and tls-key.
Besides this information we also need a username and password to connect to Ivacy. This user/pass information I've put in a file called ivacy-auth.up which looks like this:

```
username
password
```

(1st row username, 2nd row password.)
This is my directory structure of /var/etc/:

```
# ls -l
total 40
drwxr-xr-x 2 root   wheel    512 Apr 19 15:10 bak
-rw-r--r-- 1 root   wheel     16 Apr 17 22:49 defaultdomain.conf
-rw-r--r-- 1 root   wheel     90 Apr 19 15:33 hosts
-rw-r--r-- 1 root   wheel      0 Apr 19 16:29 inetd.conf
-rw-r--r-- 1 root   wheel     17 Apr 19 14:58 ivacy-auth.up
-rw-r--r-- 1 root   wheel   5577 Apr 19 15:33 lighty-webConfigurator.conf
-rw-r--r-- 1 root   wheel    234 Apr 19 15:33 miniupnpd.conf
drwxr-xr-x 2 root   wheel    512 Apr 17 22:42 mpd-vpn
-rw-r--r-- 1 root   wheel     78 Apr 19 15:33 ntpd.conf
-rw-r--r-- 1 nobody nobody  1549 Apr 19 16:34 openvpn_client0.ca
-rw-r--r-- 1 nobody nobody  4399 Apr 19 16:32 openvpn_client0.cert
-rw-r--r-- 1 root   wheel    665 Apr 19 16:29 openvpn_client0.conf
-rw-r--r-- 1 nobody nobody  1675 Apr 19 16:35 openvpn_client0.key
-rw-r--r-- 1 root   wheel    636 Apr 19 15:14 openvpn_client0.tls
drwxr-xr-x 2 nobody nobody   512 Apr 19 15:33 openvpn_csc
-rw-r--r-- 1 root   wheel     75 Apr 19 15:33 resolv.conf
-rw------- 1 root   wheel      0 Apr 17 22:40 sasyncd.conf
-rw-r--r-- 1 root   wheel      0 Apr 19 15:33 slbd.conf
-rw-r--r-- 1 root   wheel    649 Apr 19 16:29 syslog.conf
```
As you can see I've tried to stay consistent with how pfSense stores this information from the webgui. The extra files I've created are:
openvpn_client0.tls, and
ivacy-auth.up (as previously mentioned). What I've done from the webgui is:
Protocol: UDP
Server adress: openvpn.ivacy.com
Server port: 1194
Proxy port: 3128
Cryptography: BF-CBC (128-bit) (<--- The default, no idea what this should be for Ivacy?)
Authentication method: PKI
I've then copied and pasted the information supplied from Ivacy's website (which is linked to in the top of this post) for CA certificate, Client certificate and Client key.
LZO compression: enabled
Dynamic sourceport: enabled
Then in the custom options I've pasted this:

```
client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;
```

Which is a modified version of the one from Ivacy's website. When I opened up the openvpn_client0.ca/cert/key files I noticed that at the end of each row there was "^M" which didn't look right. So I removed all these, which I believe were entered because of the copy-paste to the webgui. Now, when I check in the pfSense webgui under Status->System logs->OpenVPN I find this:

```
Apr 19 16:37:40 openvpn[7127]: Options error: Unrecognized option or missing parameter(s) in ./openvpn_client0.conf:25: crt (2.0.6)
Apr 19 16:37:40 openvpn[7127]: Use --help for more information.
```

This is of course referring to this line from the custom options field in the webgui:

```
crt /var/etc/openvpn_client0.cert;
```

This is as far as I've come… I've also found this thread regarding Ubuntu and Ivacy: [http://ubuntuforums.org/showthread.php?t=1091626](http://ubuntuforums.org/showthread.php?t=1091626) where he can get further in the connection attempt.
Regards,
Lockzi
-
Okay!
Some more progress just after posting! Making the previous post made me find a misspelling of:

```
crt /var/etc/openvpn_client0.cert;
```

Which should have been

```
cert /var/etc/openvpn_client0.cert;
```

Now that I've fixed that I get this error instead…

```
Apr 19 17:00:05 openvpn[9203]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:33: script-security (2.0.6)
Apr 19 17:00:05 openvpn[9203]: Use --help for more information.
```
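The two posts above hit three separate problems with a hand-assembled client config: stray carriage returns ("^M") in certificate files pasted from Windows, a misspelled directive (`crt` instead of `cert`), and a directive the installed OpenVPN does not recognise (`script-security`, rejected by the 2.0.6 in the log). The directory listing also shows the `ivacy-auth.up` password file created with mode 644, which lets every local user read the VPN password. The pre-flight checker below is an added example, not code from the pfSense project or from anyone in this thread; it reproduces each of those failure modes offline on constructed inputs. The set of known directives is a hand-picked subset of OpenVPN client options (an assumption, not the full option table), and the fact that `script-security` arrived in the 2.1 series is used to explain the 2.0.6 error.

```python
"""Pre-flight checks for a hand-assembled OpenVPN client setup (added example)."""

# Hand-picked subset of OpenVPN client directives (assumption: enough to cover
# the config discussed in this thread; not the complete option table).
KNOWN_OPTIONS = {
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "ca", "cert", "key", "tls-auth",
    "ns-cert-type", "comp-lzo", "verb", "auth-user-pass",
    "redirect-gateway", "reneg-sec", "script-security",
}

# Directives that first appeared in the 2.1 series; a 2.0.x binary rejects them.
ADDED_IN_2_1 = {"script-security"}

# Likely misspellings, mapped to the intended directive.
TYPO_FIXES = {"crt": "cert"}


def custom_options_to_config(custom):
    """Expand pfSense's semicolon-separated 'custom options' into config lines."""
    return [part.strip() for part in custom.split(";") if part.strip()]


def lint_config(lines, openvpn_version=(2, 0, 6)):
    """Return (line_no, message) findings for directives OpenVPN would reject."""
    findings = []
    version_text = ".".join(map(str, openvpn_version))
    for no, line in enumerate(lines, 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        directive = text.split()[0]
        if directive in TYPO_FIXES:
            findings.append((no, f"unknown option '{directive}', did you mean '{TYPO_FIXES[directive]}'?"))
        elif directive not in KNOWN_OPTIONS:
            findings.append((no, f"unknown option '{directive}'"))
        elif directive in ADDED_IN_2_1 and openvpn_version < (2, 1):
            findings.append((no, f"'{directive}' is not recognized by OpenVPN {version_text}"))
    return findings


def strip_cr(data):
    """Normalise CRLF (and bare CR) line endings to LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_pem_file(data):
    """Flag the '^M' carriage returns left behind by a Windows copy-paste."""
    problems = []
    if b"\r" in data:
        problems.append("contains carriage returns (CRLF line endings); strip them")
    if b"-----BEGIN" not in data or b"-----END" not in data:
        problems.append("missing PEM BEGIN/END markers")
    return problems


def check_auth_file(data, mode):
    """An auth-user-pass file: two lines (user, then password), readable only by owner."""
    problems = []
    if b"\r" in data:
        problems.append("contains carriage returns; the password would end in '\\r'")
    lines = strip_cr(data).decode().rstrip("\n").split("\n")
    if len(lines) != 2 or not all(lines):
        problems.append("expected exactly two non-empty lines: username, then password")
    if mode & 0o077:
        problems.append(f"mode {mode:04o} lets other users read the password; use 0600")
    return problems


# --- constructed sample inputs, modelled on the thread; no real credentials ---
CUSTOM_OPTIONS = (
    "client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;"
    "crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;"
    "tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;"
    "auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;"
)
PASTED_CA = b"-----BEGIN CERTIFICATE-----\r\nMIIB...placeholder...\r\n-----END CERTIFICATE-----\r\n"
AUTH_FILE = b"username\npassword\n"


def run_all():
    """Run every check on the constructed inputs and return the findings by name."""
    config = custom_options_to_config(CUSTOM_OPTIONS)
    return {
        "config": lint_config(config),                 # crt typo + script-security on 2.0.6
        "ca": check_pem_file(PASTED_CA),               # CRLF from the paste
        "ca_fixed": check_pem_file(strip_cr(PASTED_CA)),
        "auth_644": check_auth_file(AUTH_FILE, 0o644),  # the mode shown in the ls -l above
        "auth_600": check_auth_file(AUTH_FILE, 0o600),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result or "ok")
```

Running it prints findings for line 5 (`crt`) and line 13 (`script-security`) of the expanded custom options, the CRLF problem in the pasted CA, and the 644 mode on the auth file; the corrected inputs produce no findings. Passing `openvpn_version=(2, 1, 0)` to `lint_config` makes the `script-security` finding disappear, which is the version-dependence behind the second error in the log.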