OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)
-
Right-click on file, Open With, Notepad or something similar.
-
Thank you very mutch!!
-
Great guide, got OpenVPN up and running in 30 minutes!
Together with OpenVPN GUI this is a really slick solution, compared to using port forwards in spaghetti like soup which is inevitable if you have many machines behind a NAT router.
-
A little hint to those following this guide and then proceeding to setup their own WINS server in order to access machines by computer name instead of IP.
By default the Windows XP firewalls limits printer and file sharing access to the local subnet which causes trouble when you have a road warrior style setup with two subnets.
To allow file and printer sharing from other subnets follow the steps in this guide: http://www.dharwadkar.com/weblog/firewall_block
-
Going to read some more docs, but if anyone feels like answering…
-
If I put the 'extra option' for password in the cert when generating does that require the client to also use a password when connecting,or can I set that somewhere else?
-
How do I add (what is the starting point, I don't need a step by step...): additional clients now that the server part is all setup and I can connect with the first client. I think I can figure it out... just asking in case it's a quick reply someone can share.
-
-
- If I put the 'extra option' for password in the cert when generating does that require the client to also use a password when connecting,or can I set that somewhere else?
I would like to know how to prompt the users for a password before connecting, as well :)
- How do I add (what is the starting point, I don't need a step by step…): additional clients now that the server part is all setup and I can connect with the first client. I think I can figure it out... just asking in case it's a quick reply someone can share.
Look in the very bottom of the guide - it says "small update" and describes exactly what you are looking for :)
-
NOTE: Local Network: There is a note saying you have to save the settings before you can edit the local network text field; in pfSense 1.2.3, that field becomes editable after changing Authentication Method to PKI.
-
Hi,
Thanks for the guide. I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.
Any input please?
Thanks
-
Anything guys?
Thanks
-
I will add my thanks to the many you have helped…Thank you for the very helpful guide!!
I am confused about one point...On my client PC I install OpenVPN and walk through the steps (cert creation, etc.). After I have pasted the certs into the pfSense interface do I still need the full OpenVPN software installed on the PC? Can I uninstall it and only install the OpenVPN Client software (pointing to the configuration file created during the steps)?
Thanks for any/all feedback.
Steve
-
Wanted to add that the instruction worked for me using CentOS and not Windows 7 as server.crt was coming out as an empty file.
Thanks for the post.
-
Hi,
Thanks for the guide. I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.
Any input please?
Thanks
Delete first the old generated files. And try to run again the build-key-server.bat server.
Hope this help
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, Robert -
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, RobertI met the same problem,please give our some help for it ,tks
-
Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.
Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, RobertI met the same problem,please give our some help for it ,tks
I solved it: I made a "small" misstake when I generated the certificates for the clients. The parametrer "common-name" is the one wich makes the diference between the clients. Otherwise the server think that is the same client over and over again and offers the same IP.
So you should put unique names here for the clients, not the same name as I did! It looks like different filenames for the generated keys did not make any difference between the clients.
Thank you all for the support! All the best! Robert -
I am a newbie ,when I build the second client key ,it always remind me it can't find the *.old file. I don't know the use of the *.old。
my first key works well,but I need create more client keys. so pls help me find the reason,tks.I have copy the procedure of building the client key.
I:\Program Files\OpenVPN\easy-rsa>build-key.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
….....++++++
..........++++++
writing new private key to 'keys.key'You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpn1
Email Address [mail@host.domain]:chunger_qin@163.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'OpenVPN'
commonName :PRINTABLE:'vpn1'
emailAddress :IA5STRING:'chunger_qin@163.com'
Certificate is to be certified until Sep 3 00:55:48 2020 GMT (3650 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]
CERTIFICATION CANCELED
can't find I:\Program Files\OpenVPN\easy-rsa\keys*.old -
um, this doesn't work at all.
- Copy the WHOLE content of server.crt into the "Server Certificate" window
- Copy the WHOLE content of server.key into the "Server Key" window
- Copy the WHOLE content of dh1024.pem into the "DH parameters" window
Those files do not exist
-
Awesome guide! I got this working over TCP port 443 since we have a blanket port block here at work. If anyone else is trying to do this using TCP, remember to change the guide/defaults:
1. On the OpenVPN Add tab in pfSense.
2. On the WAN-LAN rule.
3. In the config file for the OVPN client install.
4. Change the pfSense web port from 443 to something else (4443) if using HTTPS.I forgot to change the proto line in #3 from UDP to TCP, and I forgot about #4 – that wasted 20 minutes of my life.
I'm trying the same, using 443. I did all four of these steps.
Now I'm getting a TLS handshake not found error.
Also, I'm a bit confused about step 32 in the OP. Could that be why I'm getting the TLS handshake error?
I know I'm not having ports blocked as I was getting an address in use error until I changed my pfSense GUI port.
Also, I'm not getting anything in the OpenVPN log.
-
I'm not sure what command to issue when i want to invalidate one of my clients. In other words, if one of my users leaves the company and I don't want him/her to be able to access the vpn what do I need to do?
Thanks all!