Netgate Discussion Forum

    OpenVPN server.crt is always blank - Also, what ports should be opened for VPN?

    • GruensFroeschli

      How is that:
      http://openvpn.net/index.php/open-source/documentation/howto.html#pki
      Not straightforward and working?

      Where did you get this error? What did you start?
      What you're showing are python errors, but the OpenVPN client is a binary and not a python script.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • jimp Rebel Alliance Developer Netgate

        If you want easy+straightforward, just install 2.0 and use the OpenVPN wizard. It'll make all of the certs and set it up for you, then you just add users and make certs for them. Easy as pie. Mmmm, pie.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • GruensFroeschli

          Yeah or that :D
          (yummy pie like 2.0 wizard can even generate windows installers with all files included)

          • jimp Rebel Alliance Developer Netgate

            You still have to install the OpenVPN installer exporter as a package, but yeah it can do that too.

            I think that was due to licensing/redistribution issues, but I don't recall for certain.

            • torontob

              Oh, this comes from the OpenVPN client on Windows side. When I try to connect this is the error I get.

              I don't have the luxury of installing 2.0 as the router is in production on a phone system, and if 2.0 is beta I really can't have the client as a guinea pig to test it (downtime = lost client).

              Thanks,
              Bruce

              • Cry Havok

                If that error is from the client then it has nothing to do with the pfSense install and it suggests that your client install is broken. What client version did you install, what operating system did you install it on and where did you download it from?

                • torontob

                  OpenVPN GUI Client 1.5.5. It's installed on Windows 7 operating system. Is there any better client you would suggest for Windows?

                  Thanks

                  • jimp Rebel Alliance Developer Netgate

                    That's rather old.

                    Use this one:
                    http://openvpn.net/release/openvpn-2.1.2-install.exe

                    Just be sure to run it as admin on Windows 7.

                    • torontob

                      Thanks, that worked.

                      How many OpenVPN connections are safe to make to a 512mbps connection using an Alix board? I don't want to overload either the board cpu or go over my limit of bandwidth which will degrade voice quality as we have about 5 channels of ULAW (g711) SIP running on this box at any time.

                      More importantly, I am concerned about hardware limits.

                      Thanks again

                      • jimp Rebel Alliance Developer Netgate

                        512mbps or 512kbps?

                        An ALIX can only handle about 85Mbps without encryption, and maybe about 18Mbps with OpenVPN using the crypto chip on the ALIX. See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                        • Cry Havok

                          And note that PPS (packets per second) is possibly more significant than raw throughput.

                          • torontob

                            Sorry, that's 512kbps. So, I guess on such low bandwidth there is no hardware limit.

                            1- If there are 5 simultaneous OpenVPN connections does the Alix2D3 handle that fine? in terms of cpu power I mean?

                            2- Also, now that the connection is established, I would only want the user that has connected to have access to port 443 TCP, 4445 TCP, and 4569 UDP only to one specific host within the LAN network and not to be able to browse the internet through the OpenVPN. What do I have to do on the pfSense side to limit this, and also what do I have to do on the Windows side so that only requests to a certain IP are routed to the OpenVPN connection and others are handled by the NIC card on the Windows machine (which is connected to an ISP totally separate from pfSense)?

                            You folks have been of great help.

                            Thanks,

                            • jimp Rebel Alliance Developer Netgate

                              1. Shouldn't matter with that little bandwidth. Bandwidth matters more than concurrent connections.

                              2. You need firewall rules for OpenVPN, which don't exist on 1.2.3. 2.0 can filter out of the box. 1.2.3 can do it but it takes some work: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

                              Even without that, it won't get access to browse out the Internet from there without you adding an outbound NAT rule, so that should be safe.

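The restriction asked about above, written as raw pf rules. This is an added example, not part of the original posts and not a ruleset generated by pfSense, which builds its rules from the GUI. The interface name `tun0` and the host address `192.168.1.10` are assumptions; the VPN network and the three ports are the ones given in the thread.

```pf
# Assumed names (not from the thread):
#   tun0         = the OpenVPN server interface
#   192.168.1.10 = the single LAN host VPN users may reach
vpn_if   = "tun0"
vpn_net  = "192.168.200.0/24"   # OpenVPN address pool mentioned in the thread
lan_host = "192.168.1.10"

# Default for anything arriving from VPN clients: drop and log it.
# pf is last-match-wins, so this rule applies unless a later
# "quick" rule matches first and stops evaluation.
block in log on $vpn_if all

# The only flows allowed: 443/tcp, 4445/tcp and 4569/udp to one host.
pass in quick on $vpn_if inet proto tcp \
    from $vpn_net to $lan_host port { 443, 4445 } flags S/SA keep state
pass in quick on $vpn_if inet proto udp \
    from $vpn_net to $lan_host port 4569 keep state

# No outbound NAT rule is defined for $vpn_net, so VPN clients
# cannot reach the Internet through this box.

# Windows side (split tunnel): the OpenVPN client only routes what it
# is told to. If the server pushes a single host route and does not
# push redirect-gateway, all other traffic stays on the local NIC:
#   push "route 192.168.1.10 255.255.255.255"
```

The filtering has to happen on the OpenVPN interface, where the traffic enters the firewall; rules on the LAN tab only see traffic arriving from the LAN side.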
                              • torontob

                                Thanks very much.

                                But I guess I can limit the OpenVPN network of 192.168.200.0/24 to only one specific host in Firewall > Rules > LAN ???

                                Thanks

                                • torontob

                                  I have locked myself out but I have OpenVPN access. I am just doing console to the box and option 14 tells me that sshd is enabled. But when I try to reach the box with ssh 192.168.1.1 I can't get any response.

                                  I have checked and iptables -L doesn't exist either.

                                  How can I get this router to accept my HTTPS and SSH requests?

                                  What commands specifically?

                                  Thanks

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.