Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)

    Scheduled Pinned Locked Moved OpenVPN
    72 Posts 49 Posters 236.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chpalmerC
      chpalmer
      last edited by

      Fix to the link on the original post…

      http://openvpn.net/index.php/documentation/howto.html

      :)

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      1 Reply Last reply Reply Quote 0
      • T
        tacfit
        last edited by

        Just for the record, I've posted a slightly modified version for my own personal records on my blog. Big thanks for the work you did here mate!

        http://www.jpuddy.net/2008/11/25/setting-up-a-road-warrior-style-vpn-connection-with-pfsense-and-openvpn/

        1 Reply Last reply Reply Quote 0
        • F
          fastcon68
          last edited by

          I just got this configuration setup and getting the following errors in the logs.
          RC

          Dec 27 15:44:09 openvpn[11789]: Use –help for more information.
          Dec 27 15:44:09 openvpn[11789]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)
          Dec 27 12:59:14 openvpn[356]: Use –help for more information.
          Dec 27 12:59:14 openvpn[356]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:14: remote (2.0.6)
          Dec 27 12:59:12 openvpn[354]: Use –help for more information.
          Dec 27 12:59:12 openvpn[354]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)

          1 Reply Last reply Reply Quote 0
          • K
            kangbobon
            last edited by

            Great Tutorial,Thanks  :)

            1 Reply Last reply Reply Quote 0
            • N
              newmember
              last edited by

              Tried openvpn version OpenVPN 2.1_rc15 i686-pc-mingw32  and all worked fine as expected.

              1 Reply Last reply Reply Quote 0
              • H
                Hugovsky
                last edited by

                GReat tutorial! Thankx! ;)

                1 Reply Last reply Reply Quote 0
                • H
                  Hugovsky
                  last edited by

                  Just one quick question: what encryption whould you use?

                  1 Reply Last reply Reply Quote 0
                  • F
                    fastcon68
                    last edited by

                    This is a awesome overview of OpenVPN.  I got it up and running in a few hours.  Once up it is now working.  I just need to make sure that I can connect to more tunnels that are avaiable.

                    RC

                    1 Reply Last reply Reply Quote 0
                    • B
                      bnasty
                      last edited by

                      Awesome guide! I got this working over TCP port 443 since we have a blanket port block here at work. If anyone else is trying to do this using TCP, remember to change the guide/defaults:

                      1. On the OpenVPN Add tab in pfSense.
                      2. On the WAN-LAN rule.
                      3. In the config file for the OVPN client install.
                      4. Change the pfSense web port from 443 to something else (4443) if using HTTPS.

                      I forgot to change the proto line in #3 from UDP to TCP, and I forgot about #4 – that wasted 20 minutes of my life.

                      1 Reply Last reply Reply Quote 0
                      • G
                        gladizxx
                        last edited by

                        Creating certificates manually on Windows (by Hernan Maslowski)
                        You can also create the keys with a Win32 program called “My Certificate
                        Wizard”: http://www.openvpn.se/mycert/

                        and tutorial easy to run

                        http://www.enterprisenetworkingplanet.com/linux_unix/article.php/3802221/Run-OpenVPN-on-Windows-Mac-and-LinuxUnix.htm…............ :o

                        1 Reply Last reply Reply Quote 0
                        • X
                          XZed
                          last edited by

                          A big thank you to Frewald and tacfit for their howto !

                          Even i hadn't compare the 2 howto to notice differences  ;D

                          Just 2 questions (i admit, i've not searched before posting these two questions) :

                          • Is it possible to protect the CA created locally ? i remember have read a tutorial explaining how to protect with a password (requested at each certificate creation)

                          • Is it possible to implement the TLS-Auth ? i think have seen a package for this…

                          Well, as i've tested, i feedback  ;D

                          1 Reply Last reply Reply Quote 0
                          • N
                            nambi
                            last edited by

                            I would have NEVER figured this out without this tutorial.

                            Working on a winxp machine to a PFSENSE box / network.

                            I do have one concern in the logs on OPENVPN I see

                            Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6080 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                            Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6080 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                            Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6078 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                            Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6077 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                            Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6077 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

                            I don't notice anything in particular strange in performance but this log is running continuously reporting errors.

                            Thank You!

                            1 Reply Last reply Reply Quote 0
                            • X
                              Xefan
                              last edited by

                              This is a great manual. It worked well for me. Thanks a lot!

                              1 Reply Last reply Reply Quote 0
                              • K
                                kjurkic
                                last edited by

                                Sorry, but this tutorial did NOT work for me :-[

                                after 3 tries, I printed it out and checked off the steps as I performed them (now 4th try), and even disabled the f/w on my winXP client, and still no joy.

                                pfsense 1.2.2 which is LAN f/w, DHCP server, and openvpn gate.
                                Winxp, SP3, latest openvpn client, firewall disabled….

                                On the client log, this is all i get:
                                Thu Sep 10 17:14:17 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
                                Thu Sep 10 17:14:17 2009 NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
                                Thu Sep 10 17:14:17 2009 LZO compression initialized
                                Thu Sep 10 17:14:17 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
                                Thu Sep 10 17:14:17 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
                                Thu Sep 10 17:14:17 2009 Local Options hash (VER=V4): '41690919'
                                Thu Sep 10 17:14:17 2009 Expected Remote Options hash (VER=V4): '530fdded'
                                Thu Sep 10 17:14:17 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
                                Thu Sep 10 17:14:17 2009 UDPv4 link local: [undef]
                                Thu Sep 10 17:14:17 2009 UDPv4 link remote: 142.25.56.3:1194
                                Thu Sep 10 17:14:17 2009 TLS: Initial packet from 142.25.56.3:1194, sid=8cfa3413 d6470101
                                Thu Sep 10 17:14:17 2009 VERIFY OK: depth=1, /C=CA/ST=BC/L=Bamfield/O=BMSC/CN=openvpnbmsc/emailAddress=admin@bms.bc.ca
                                Thu Sep 10 17:14:17 2009 VERIFY OK: nsCertType=SERVER
                                Thu Sep 10 17:14:17 2009 VERIFY OK: depth=0, /C=CA/ST=BC/O=BMSC/CN=server/emailAddress=admin@bms.bc.ca

                                On this same firewall, as a test I was able to copy the certs from an older openvpn install at another org, and the client keys for same, and it DID connect, but any NEW clients created even using the older certgen, refused to work. Its all very puzzling… ???

                                regards
                                Ken

                                1 Reply Last reply Reply Quote 0
                                • C
                                  charneval
                                  last edited by

                                  how can I copy the file certificate.crt (the file in my openvpn/easy-rsa/keys) in the format x.509 insite the windows?
                                  In your guide you sayd:

                                  Now you need to have access to some of the files created in c:\programfiles\openvpn
                                  easy-rsa\keys (mentioned in #12)
                                  23) Copy the WHOLE content of ca.crt into the "CA certificate" window
                                  24) Copy the WHOLE content of server.crt into the "Server Certificate" window
                                  25) Copy the WHOLE content of server.key into the "Server Key" window
                                  26) Copy the WHOLE content of dh1024.pem into the "DH parameters" window

                                  Can you help me?

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    mnovotny
                                    last edited by

                                    Right-click on file, Open With, Notepad or something similar.

                                    1 Reply Last reply Reply Quote 0
                                    • T
                                      the_true_way
                                      last edited by

                                      Thank you very mutch!!

                                      1 Reply Last reply Reply Quote 0
                                      • U
                                        Unlogic
                                        last edited by

                                        Great guide, got OpenVPN up and running in 30 minutes!

                                        Together with OpenVPN GUI this is a really slick solution, compared to using port forwards in spaghetti like soup which is inevitable if you have many machines behind a NAT router.

                                        1 Reply Last reply Reply Quote 0
                                        • U
                                          Unlogic
                                          last edited by

                                          A little hint to those following this guide and then proceeding to setup their own WINS server in order to access machines by computer name instead of IP.

                                          By default the Windows XP firewalls limits printer and file sharing access to the local subnet which causes trouble when you have a road warrior style setup with two subnets.

                                          To allow file and printer sharing from other subnets follow the steps in this guide: http://www.dharwadkar.com/weblog/firewall_block

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            eihcet
                                            last edited by

                                            Going to read some more docs, but if anyone feels like answering…

                                            1. If I put the 'extra option' for password in the cert when generating does that require the client to also use a password when connecting,or can I set that somewhere else?

                                            2. How do I add (what is the starting point, I don't need a step by step...): additional clients now that the server part is all setup and I can connect with the first client.  I think I can figure it out... just asking in case it's a quick reply someone can share.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.