OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)
-
I found this information on this forum page http://forum.pfsense.org/index.php/topic,8297.msg46717.html#msg46717
as soon as I swapped over to using TCP and updated my WAN2 rules to use TCP I could connect to the OpenVPN service on WAN2 (OPT1)
-
followed this tutorial but can only ping and connect to the pfsense box
protocol: udp
locol port: 1194
address pool: 192.168.20.0/27
local network: 192.168.6.0/25attached two pics are firewall rules
results of ipconfig:
C:\Documents and Settings\Administrator>ipconfig Windows IP Configuration Ethernet adapter Wireless Network Connection: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.1.104 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 Ethernet adapter TAP-Win32 Adapter V9: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.20.6 Subnet Mask . . . . . . . . . . . : 255.255.255.252 Default Gateway . . . . . . . . . :
Results of Route Print:
Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 25 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 20 192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20 192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 20 192.168.1.0 255.255.255.0 192.168.1.104 192.168.1.104 25 192.168.1.104 255.255.255.255 127.0.0.1 127.0.0.1 25 192.168.1.255 255.255.255.255 192.168.1.104 192.168.1.104 25 192.168.6.0 255.255.255.128 192.168.20.5 192.168.20.6 1 192.168.14.0 255.255.255.0 192.168.20.5 192.168.20.6 1 192.168.20.1 255.255.255.255 192.168.20.5 192.168.20.6 1 192.168.20.4 255.255.255.252 192.168.20.6 192.168.20.6 30 192.168.20.6 255.255.255.255 127.0.0.1 127.0.0.1 30 192.168.20.255 255.255.255.255 192.168.20.6 192.168.20.6 30 192.168.122.0 255.255.255.0 192.168.122.1 192.168.122.1 20 192.168.122.1 255.255.255.255 127.0.0.1 127.0.0.1 20 192.168.122.255 255.255.255.255 192.168.122.1 192.168.122.1 20 224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20 224.0.0.0 240.0.0.0 192.168.1.104 192.168.1.104 25 224.0.0.0 240.0.0.0 192.168.20.6 192.168.20.6 30 224.0.0.0 240.0.0.0 192.168.122.1 192.168.122.1 20 255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1 255.255.255.255 255.255.255.255 192.168.1.104 192.168.1.104 1 255.255.255.255 255.255.255.255 192.168.1.104 f0008 1 255.255.255.255 255.255.255.255 192.168.1.104 10007 1 255.255.255.255 255.255.255.255 192.168.20.6 192.168.20.6 1 255.255.255.255 255.255.255.255 192.168.122.1 192.168.122.1 1 Default Gateway: 192.168.1.1
-
followed this tutorial but can only ping and connect to the pfsense box
protocol: udp
locol port: 1194
address pool: 192.168.20.0/27
local network: 192.168.6.0/25attached two pics are firewall rules
Are your clients using Vista?
I had to add the following to my Vista clients config
route-method exe
mssfix 1200
route-delay 2And then in the client specifc section in the OpenVPN setup I added the following to the custom options (not the server custom options, the client)
route-delay 2; ns-cert-type server; msssfix 1200; route-method exe;
Give that a try
-
right now just using xp clients and those settings did not help :o(
i can connect to both the vpn interface of the pfsense box and its LAN ipaddress (192.168.6.45) from the laptop on the opposite end of the vpn
i just cant ping/browse/http/telnet into any other system in the 192.168.6.0/25 and to top it off there is no log in the firewall that would suspect it of any misconfiguration
its boggling the mind and body!
–--------------------------------------
got it to work, i had to change all of the gateways on the servers that i wanted to access from the vpn...that will change when i place the proxy server before the pfsense box and should just work as they are all pointing to the proxy right nowim soooooooo flipping excited that i got all of these features for the school that i work for without paying thousands on router equipment and licensing fees!
next step is to create batch files for the staff to auto create all of the client files so i do not get phone calls after hours trying to get them to vpn to the district applications....THANK YOU PFSENSE!
-
So I've followed the instructions in this discussion, by the way great job on the howto When I get a little more familiar I'll share too.
Anyway this one got me stumped completely. I'm setting up a Vista (Ultimate) roadwarrior config to a pfsense box with dual wan, opt1 wan is static, wan is dynamic
I had issues at first with UDP, switching to TCP was helpful (proto tcp), thanks for the comments on the article guys :)Anyway I've done the vista workaround in the client config:
route-method exe
route-delay 20In the server client-specific configuration I specify
route-delay 10; ns-cert-type server; route-method exe
That being said I'm still getting this error:
Thats even after attempting the same command myself using administrator mode of course.
Fri Jun 13 23:34:54 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {C22CAE94-9A35-48E5-B606-DEF049045B02} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
Fri Jun 13 23:34:54 2008 Successful ARP Flush on interface [22] {C22CAE94-9A35-48E5-B606-DEF049045B02}
Fri Jun 13 23:35:05 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Jun 13 23:35:05 2008 route ADD 192.168.0.1 MASK 255.255.255.0 192.168.200.5
The route addition failed: The parameter is incorrect.
Fri Jun 13 23:35:05 2008 route ADD 192.168.200.1 MASK 255.255.255.255 192.168.200.5
OK!
Fri Jun 13 23:35:05 2008 Initialization Sequence CompletedThe thing that sticks in my mind is why just the one route ADD command that fails?
Oh an before anyone asks I'm running the latest RC build (2.1 rc7) and running OpenVPN GUI in administrator mode
And thats the saga, now if one of you fine gents could spare a couple minutes I'd REALLY appreciate it :)
I'm sure its gotta be something reasonably simple that I'm just not getting.Thanks in advance,
lifethetech -
Does the Vista PC have UAC enabled on it?
I enabled UAC the other day and then tried to connect to work using OpenVPN and the routes were not added. If you have UAC on try disabling it.
-
I did have UAC on, but I've turned it off and tested again, no joy yet :(
I'm still getting the same error. Just a little more info I am on the latest release of pfsense.
And I guess it would be pertinent to tell everyone that I'm using Vista with all the latest patches and SP1
Thanks in advance,
lifethetechEDIT: I've noticed in the openvpn pfsense logs errors related to the client specific openvpn settings:
laptopxxxx/n.n.n.n:49393 Options error: option 'route-delay' cannot be used in this context
laptopxxxx/n.n.n.n:49393 Options error: option 'ns-cert-type' cannot be used in this context
laptopxxxx/n.n.n.n:49393 Options error: option 'route-method' cannot be used in this contextwith the n's being the client's IP address
Not sure if that helps or not :)
edit:
A little more info, I've tried tearing down the whole setup and redoing it all then installing the client on XP here is the error from the XP box (still the same error on vista):
The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination
-
Fix to the link on the original post…
http://openvpn.net/index.php/documentation/howto.html
:)
-
Just for the record, I've posted a slightly modified version for my own personal records on my blog. Big thanks for the work you did here mate!
-
I just got this configuration setup and getting the following errors in the logs.
RCDec 27 15:44:09 openvpn[11789]: Use –help for more information.
Dec 27 15:44:09 openvpn[11789]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)
Dec 27 12:59:14 openvpn[356]: Use –help for more information.
Dec 27 12:59:14 openvpn[356]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:14: remote (2.0.6)
Dec 27 12:59:12 openvpn[354]: Use –help for more information.
Dec 27 12:59:12 openvpn[354]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6) -
Great Tutorial,Thanks :)
-
Tried openvpn version OpenVPN 2.1_rc15 i686-pc-mingw32 and all worked fine as expected.
-
GReat tutorial! Thankx! ;)
-
Just one quick question: what encryption whould you use?
-
This is a awesome overview of OpenVPN. I got it up and running in a few hours. Once up it is now working. I just need to make sure that I can connect to more tunnels that are avaiable.
RC
-
Awesome guide! I got this working over TCP port 443 since we have a blanket port block here at work. If anyone else is trying to do this using TCP, remember to change the guide/defaults:
1. On the OpenVPN Add tab in pfSense.
2. On the WAN-LAN rule.
3. In the config file for the OVPN client install.
4. Change the pfSense web port from 443 to something else (4443) if using HTTPS.I forgot to change the proto line in #3 from UDP to TCP, and I forgot about #4 – that wasted 20 minutes of my life.
-
Creating certificates manually on Windows (by Hernan Maslowski)
You can also create the keys with a Win32 program called “My Certificate
Wizard”: http://www.openvpn.se/mycert/and tutorial easy to run
http://www.enterprisenetworkingplanet.com/linux_unix/article.php/3802221/Run-OpenVPN-on-Windows-Mac-and-LinuxUnix.htm…............ :o
-
A big thank you to Frewald and tacfit for their howto !
Even i hadn't compare the 2 howto to notice differences ;D
Just 2 questions (i admit, i've not searched before posting these two questions) :
-
Is it possible to protect the CA created locally ? i remember have read a tutorial explaining how to protect with a password (requested at each certificate creation)
-
Is it possible to implement the TLS-Auth ? i think have seen a package for this…
Well, as i've tested, i feedback ;D
-
-
I would have NEVER figured this out without this tutorial.
Working on a winxp machine to a PFSENSE box / network.
I do have one concern in the logs on OPENVPN I see
Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6080 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6080 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6078 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6077 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 1 15:08:08 openvpn[39663]: ovpn_client1/99.253.209.93:3040 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6077 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warningsI don't notice anything in particular strange in performance but this log is running continuously reporting errors.
Thank You!
-
This is a great manual. It worked well for me. Thanks a lot!
-
Sorry, but this tutorial did NOT work for me :-[
after 3 tries, I printed it out and checked off the steps as I performed them (now 4th try), and even disabled the f/w on my winXP client, and still no joy.
pfsense 1.2.2 which is LAN f/w, DHCP server, and openvpn gate.
Winxp, SP3, latest openvpn client, firewall disabled….On the client log, this is all i get:
Thu Sep 10 17:14:17 2009 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
Thu Sep 10 17:14:17 2009 NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
Thu Sep 10 17:14:17 2009 LZO compression initialized
Thu Sep 10 17:14:17 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 10 17:14:17 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 10 17:14:17 2009 Local Options hash (VER=V4): '41690919'
Thu Sep 10 17:14:17 2009 Expected Remote Options hash (VER=V4): '530fdded'
Thu Sep 10 17:14:17 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 10 17:14:17 2009 UDPv4 link local: [undef]
Thu Sep 10 17:14:17 2009 UDPv4 link remote: 142.25.56.3:1194
Thu Sep 10 17:14:17 2009 TLS: Initial packet from 142.25.56.3:1194, sid=8cfa3413 d6470101
Thu Sep 10 17:14:17 2009 VERIFY OK: depth=1, /C=CA/ST=BC/L=Bamfield/O=BMSC/CN=openvpnbmsc/emailAddress=admin@bms.bc.ca
Thu Sep 10 17:14:17 2009 VERIFY OK: nsCertType=SERVER
Thu Sep 10 17:14:17 2009 VERIFY OK: depth=0, /C=CA/ST=BC/O=BMSC/CN=server/emailAddress=admin@bms.bc.caOn this same firewall, as a test I was able to copy the certs from an older openvpn install at another org, and the client keys for same, and it DID connect, but any NEW clients created even using the older certgen, refused to work. Its all very puzzling… ???
regards
Ken -
how can I copy the file certificate.crt (the file in my openvpn/easy-rsa/keys) in the format x.509 insite the windows?
In your guide you sayd:Now you need to have access to some of the files created in c:\programfiles\openvpn
easy-rsa\keys (mentioned in #12)
23) Copy the WHOLE content of ca.crt into the "CA certificate" window
24) Copy the WHOLE content of server.crt into the "Server Certificate" window
25) Copy the WHOLE content of server.key into the "Server Key" window
26) Copy the WHOLE content of dh1024.pem into the "DH parameters" windowCan you help me?
-
Right-click on file, Open With, Notepad or something similar.
-
Thank you very mutch!!
-
Great guide, got OpenVPN up and running in 30 minutes!
Together with OpenVPN GUI this is a really slick solution, compared to using port forwards in spaghetti like soup which is inevitable if you have many machines behind a NAT router.
-
A little hint to those following this guide and then proceeding to setup their own WINS server in order to access machines by computer name instead of IP.
By default the Windows XP firewalls limits printer and file sharing access to the local subnet which causes trouble when you have a road warrior style setup with two subnets.
To allow file and printer sharing from other subnets follow the steps in this guide: http://www.dharwadkar.com/weblog/firewall_block
-
Going to read some more docs, but if anyone feels like answering…
-
If I put the 'extra option' for password in the cert when generating does that require the client to also use a password when connecting,or can I set that somewhere else?
-
How do I add (what is the starting point, I don't need a step by step...): additional clients now that the server part is all setup and I can connect with the first client. I think I can figure it out... just asking in case it's a quick reply someone can share.
-
-
- If I put the 'extra option' for password in the cert when generating does that require the client to also use a password when connecting,or can I set that somewhere else?
I would like to know how to prompt the users for a password before connecting, as well :)
- How do I add (what is the starting point, I don't need a step by step…): additional clients now that the server part is all setup and I can connect with the first client. I think I can figure it out... just asking in case it's a quick reply someone can share.
Look in the very bottom of the guide - it says "small update" and describes exactly what you are looking for :)
-
NOTE: Local Network: There is a note saying you have to save the settings before you can edit the local network text field; in pfSense 1.2.3, that field becomes editable after changing Authentication Method to PKI.
-
Hi,
Thanks for the guide. I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.
Any input please?
Thanks
-
Anything guys?
Thanks
-
I will add my thanks to the many you have helped…Thank you for the very helpful guide!!
I am confused about one point...On my client PC I install OpenVPN and walk through the steps (cert creation, etc.). After I have pasted the certs into the pfSense interface do I still need the full OpenVPN software installed on the PC? Can I uninstall it and only install the OpenVPN Client software (pointing to the configuration file created during the steps)?
Thanks for any/all feedback.
Steve
-
Wanted to add that the instruction worked for me using CentOS and not Windows 7 as server.crt was coming out as an empty file.
Thanks for the post.
-
Hi,
Thanks for the guide. I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.
Any input please?
Thanks
Delete first the old generated files. And try to run again the build-key-server.bat server.
Hope this help
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, Robert -
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, RobertI met the same problem,please give our some help for it ,tks
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, RobertI met the same problem,please give our some help for it ,tks
I solved it: I made a "small" misstake when I generated the certificates for the clients. The parametrer "common-name" is the one wich makes the diference between the clients. Otherwise the server think that is the same client over and over again and offers the same IP.
So you should put unique names here for the clients, not the same name as I did! It looks like different filenames for the generated keys did not make any difference between the clients.
Thank you all for the support! All the best! Robert -
I am a newbie ,when I build the second client key ,it always remind me it can't find the *.old file. I don't know the use of the *.old。
my first key works well,but I need create more client keys. so pls help me find the reason,tks.I have copy the procedure of building the client key.
I:\Program Files\OpenVPN\easy-rsa>build-key.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
….....++++++
..........++++++
writing new private key to 'keys.key'You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpn1
Email Address [mail@host.domain]:chunger_qin@163.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'vpn1'
emailAddress :IA5STRING:'chunger_qin@163.com'
Certificate is to be certified until Sep 3 00:55:48 2020 GMT (3650 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]
CERTIFICATION CANCELED
can't find I:\Program Files\OpenVPN\easy-rsa\keys*.old -
um, this doesn't work at all.
- Copy the WHOLE content of server.crt into the "Server Certificate" window
- Copy the WHOLE content of server.key into the "Server Key" window
- Copy the WHOLE content of dh1024.pem into the "DH parameters" window
Those files do not exist