IPCop to pfSense OpenVPN
-
I have been using IPCop and OpenVPN, and now that I have moved over to pfSense I am unable to get a road warrior connection even when following the stickied tutorial for Windows dummies. I did notice that if I password protect the file it is impossible to copy and paste that file into the server's web GUI. I did manage to copy them over by using the edit command at the command prompt, copying the key and saving it to a differently named file so that I could open it in Notepad and then copy and paste it into the web GUI. But I still can't get a connection... It just hangs and I get a TLS failure to connect in 60 sec. Also I would think that I would get prompted for a password to connect, since some of the certs were password protected. ???
I guess I will try without password protecting the certificate.... I'm a little concerned about the security implications of not password protecting them. I'm beginning to think IPCop is more secure -
It's of no use to password protect the certificates on the firewall.
The firewall would need to store the password to decrypt the certificates to use them at all, which is just as (in)secure as using them without a password.
-
But if someone were to get hold of the client cert and key without password protection they have full access to your network. At least with password protection someone can't just copy your keys/crt and connect :)
-
They are unlikely to get the client cert/key off of a firewall box, and even so, if they can get the keys they can get the config file, which would have to contain the password.
You can password protect the certificate/key that goes on your road warrior clients, as they will be prompted by the OpenVPN client on connect. You just don't put a password on the certificates that go onto the firewall.
-
So I decided to go ahead and try setting up OpenVPN without password protecting the server key and only password protecting the client key. I have followed your stickied tutorial "OVPN for windows dummies" But I still am not prompted for a password when I go to connect.
I guess I'm not sure how to set up OpenVPN on pfSense. When using embcop I was able to get the addon Zerina, which created a PKCS#12 package that was password protected. I simply imported the package into either Windows or Gentoo and I was able to have several road warrior connections that required a password to connect. I am actually using a PC Engines WRAP and so I am trying out pfSense-nanobsd, but it is set up as read-only so I am really unable to do anything except paste the keys into the GUI. How can I set it up so that I am prompted for a password before I can connect? I don't require a user; separate client key pairs will do, but I really need a password prompt to be secure. By the way, the client config file will never have the password. So if someone were to get hold of the key pair that you store on, say, a flash drive, it will be worthless because they won't have your key password :-) I have heard wonderful things about pfSense and love how it is set up, but I am unwilling to give up password protection. I hope someone on the forum can help me out. Otherwise I guess I'll be going back to embcop. -
That is all part of the client certificates, which really have nothing to do with the pfSense GUI in 1.2.x.
Whatever you generate the certificates with should be able to password protect them, and your client software should prompt you for that. That will be the same regardless of what server you are using.
In pfSense 2.0 there is a certificate manager which can produce a PKCS#12 package for you also.
-
Is there a tls-auth option with the pfSense 1.2.3 image? Remember, since I am using a WRAP image it is a read-only file system... why do they do that? Also I have been successful at connecting using the latest Windows OVPN GUI, but still no password prompt. Is there an option I have to set in the config file on the client or server? I don't want to set up usernames. I just want to be prompted for a password to connect. I have done a lot of googling but haven't had much luck. Also, by password I mean having to enter the PEM passphrase.
-
The embedded image is read only to protect the integrity of the CF over time. It is switched to read/write when needed for working with the config or other system files.
You can change it by hand by running:
/etc/rc.conf_mount_rw
And then when you are done, run
/etc/rc.conf_mount_ro
As for the prompting, I don't think you need to do anything in the client config (it would not be on the server) you just need to give it a password when you first generate the certificate.
-
I haven't tried it on my Windows client yet, but on my Linux client... using kvpnc I get an options error: "No client-side authentication method is specified. Use either --cert/--key, --pkcs12, or --auth-user-pass." I created the client crt and key using the ./build-key-pass client* command. It prompts for a PEM pass phrase, which is what I want. Do you know the option in the client config file that will set this up? I have seen auth-user-pass in a config file, but is the actual command auth-key? Does that sound right to you?
-
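Editor's added example (not posted by anyone in this thread, and not code from pfSense, IPCop or Zerina). It ties together the two questions above: how to get a PEM passphrase prompt on connect, and what the kvpnc error "No client-side authentication method is specified" is asking for. Using plain openssl it reproduces what ./build-key-pass and Zerina did for the poster: a client key that cannot be used without its passphrase, a PKCS#12 bundle locked with an export password, and a client config carrying the cert/key (or pkcs12) lines. It also checks that the client cert chains to the CA and matches the key, one common cause of a TLS handshake that just times out. It assumes openssl is on PATH; every file name, CN, hostname and passphrase is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/IPCop/Zerina.
# Assumptions: openssl on PATH; all names, CNs and the passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="correct horse battery staple"   # constructed demo passphrase

# Throwaway CA standing in for the CA cert pasted into the pfSense GUI.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key encrypted with AES-256 (what ./build-key-pass does interactively),
# then a cert for it signed by the CA. Nothing on the server side changes for this.
make_client() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/client1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client1.key" -passin "pass:$PASS" \
    -subj "/CN=client1" -out "$WORK/client1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/client1.crt" 2>/dev/null
}

# Zerina-style PKCS#12 bundle: one file to import, locked with an export password.
make_p12() {
  openssl pkcs12 -export -in "$WORK/client1.crt" -inkey "$WORK/client1.key" \
    -certfile "$WORK/ca.crt" -passin "pass:$PASS" -passout "pass:$PASS" \
    -out "$WORK/client1.p12" 2>/dev/null
}

# True only if the key is unreadable without the passphrase and readable with it.
key_needs_passphrase() {
  grep -q ENCRYPTED "$WORK/client1.key" || return 1
  if openssl rsa -in "$WORK/client1.key" -noout -passin "pass:wrong-guess" 2>/dev/null; then
    return 1   # a key that opens with a wrong passphrase is not protected at all
  fi
  openssl rsa -in "$WORK/client1.key" -noout -passin "pass:$PASS" 2>/dev/null
}

# Same check for the bundle: the MAC verification must fail with a wrong password.
p12_needs_passphrase() {
  if openssl pkcs12 -in "$WORK/client1.p12" -noout -passin "pass:wrong-guess" 2>/dev/null; then
    return 1
  fi
  openssl pkcs12 -in "$WORK/client1.p12" -noout -passin "pass:$PASS" 2>/dev/null
}

# Cert must be issued by the CA the server trusts, and the cert's public key must
# be the one belonging to the private key; compare the SPKI PEM from both sides.
cert_chains_and_matches_key() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client1.crt" >/dev/null 2>&1 || return 1
  from_cert=$(openssl x509 -in "$WORK/client1.crt" -noout -pubkey)
  from_key=$(openssl rsa -in "$WORK/client1.key" -passin "pass:$PASS" -pubout 2>/dev/null)
  [ "$from_cert" = "$from_key" ]
}

# Client config. The ca/cert/key lines (or a single pkcs12 line) are the
# "client-side authentication method" kvpnc said was missing.
write_client_config() {
  cat > "$WORK/client1.ovpn" <<EOF
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Alternative to the three lines above: import the bundle instead
#pkcs12 client1.p12
# Only if tls-auth is enabled on the server (direction 1 on the client side):
#tls-auth ta.key 1
# Do not add "askpass <file>": it reads the key passphrase from disk and removes
# the prompt. With it absent, OpenVPN asks for the passphrase on every connect.
verb 3
EOF
}

config_has_client_auth() {
  grep -q '^cert client1.crt$' "$WORK/client1.ovpn" && grep -q '^key client1.key$' "$WORK/client1.ovpn"
}

make_ca
make_client
make_p12
write_client_config
key_needs_passphrase || { echo "client1.key is NOT passphrase protected" >&2; exit 1; }
p12_needs_passphrase || { echo "client1.p12 is NOT password protected" >&2; exit 1; }
cert_chains_and_matches_key || { echo "cert/key/CA mismatch" >&2; exit 1; }
echo "client bundle written to $WORK (key, crt, p12, ovpn); OpenVPN will prompt for the key passphrase"
```

Two points follow from the functions above. There is no `auth-key` directive in OpenVPN; `cert`/`key` or `pkcs12` name the credential, and the prompt comes from the key being encrypted, not from any extra option (`auth-user-pass` is for a username/password pair, which is a different mechanism). On the server side the same encrypted key would only work with `askpass /some/file` holding the passphrase next to the key, which is exactly why a passphrase on the firewall's own key adds nothing, while one on the road warrior's key does.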
I was testing OpenVPN on pfSense yesterday and stumbled across your post....
I had previously worked with OpenVPN using the OpenVPN how-to, which specifies using .crt, .key, and dh.pem files. Like you, I was not sure how to use certs generated by IPCop on pfSense OpenVPN....
It turned out that I was able to paste the IPCop PEM files into the pfSense OpenVPN config (I had wondered if I needed to convert to a .crt file).
Then I was able to use the downloaded IPCop client package as it was.
There was no need to convert PKCS#12 to PEM or crt.