Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)

    Scheduled Pinned Locked Moved OpenVPN
    72 Posts 49 Posters 236.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      torontob
      last edited by

      Anything guys?

      Thanks

      1 Reply Last reply Reply Quote 0
      • C
        Coldaddy
        last edited by

        I will add my thanks to the many you have helped…Thank you for the very helpful guide!!

        I am confused about one point...On my client PC I install OpenVPN and walk through the steps (cert creation, etc.).  After I have pasted the certs into the pfSense interface do I still need the full OpenVPN software installed on the PC?  Can I uninstall it and only install the OpenVPN Client software (pointing to the configuration file created during the steps)?

        Thanks for any/all feedback.

        Steve

        1 Reply Last reply Reply Quote 0
        • T
          torontob
          last edited by

          Wanted to add that the instruction worked for me using CentOS and not Windows 7 as server.crt was coming out as an empty file.

          Thanks for the post.

          1 Reply Last reply Reply Quote 0
          • K
            keeper 0
            last edited by

            @torontob:

            Hi,

            Thanks for the guide. I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.

            Any input please?

            Thanks

            Delete first the old generated files. And try to run again the build-key-server.bat server.

            Hope this help

            1 Reply Last reply Reply Quote 0
            • T
              torontob
              last edited by

              Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.

              1 Reply Last reply Reply Quote 0
              • S
                soricel_z
                last edited by

                @torontob:

                Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.

                Dear all I am new in PfSense and openVPN.
                First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
                I installed PfSense with the embedded openVPN server.
                I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
                The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
                When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
                I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
                IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
                Thanks, Robert

                1 Reply Last reply Reply Quote 0
                • C
                  chunger
                  last edited by

                  @soricel_z:

                  @torontob:

                  Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.

                  Dear all I am new in PfSense and openVPN.
                  First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
                  I installed PfSense with the embedded openVPN server.
                  I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
                  The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
                  When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
                  I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
                  IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
                  Thanks, Robert

                  I met the same problem,please give our some help for it ,tks

                  1 Reply Last reply Reply Quote 0
                  • S
                    soricel_z
                    last edited by

                    @chunger:

                    @soricel_z:

                    @torontob:

                    Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.

                    Dear all I am new in PfSense and openVPN.
                    First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
                    I installed PfSense with the embedded openVPN server.
                    I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
                    The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
                    When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
                    I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
                    IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
                    Thanks, Robert

                    I met the same problem,please give our some help for it ,tks

                    I solved it: I made a "small" misstake when I generated the certificates for the clients. The parametrer "common-name" is the one wich makes the diference between the clients. Otherwise the server think that is the same client over and over again and offers the same IP.
                    So you should put unique names here for the clients, not the same name as I did! It looks like different filenames for the generated keys did not make any difference between the clients.
                    Thank you all for the support! All the best! Robert

                    1 Reply Last reply Reply Quote 0
                    • C
                      chunger
                      last edited by

                      I am a newbie ,when I build the second client key ,it always remind me it can't find the *.old file.  I don't know the use of the *.old。
                      my first key works well,but I need create more client keys.  so pls help me find the reason,tks.

                      I have copy the procedure of building the client key.

                      I:\Program Files\OpenVPN\easy-rsa>build-key.bat
                      Loading 'screen' into random state - done
                      Generating a 1024 bit RSA private key
                      ….....++++++
                      ..........++++++
                      writing new private key to 'keys.key'

                      You are about to be asked to enter information that will be incorporated
                      into your certificate request.
                      What you are about to enter is what is called a Distinguished Name or a DN.
                      There are quite a few fields but you can leave some blank
                      For some fields there will be a default value,
                      If you enter '.', the field will be left blank.

                      Country Name (2 letter code) [US]:
                      State or Province Name (full name) [CA]:
                      Locality Name (eg, city) [SanFrancisco]:
                      Organization Name (eg, company) [OpenVPN]:
                      Organizational Unit Name (eg, section) []:
                      Common Name (eg, your name or your server's hostname) []:vpn1
                      Email Address [mail@host.domain]:chunger_qin@163.com

                      Please enter the following 'extra' attributes
                      to be sent with your certificate request
                      A challenge password []:
                      An optional company name []:
                      Using configuration from openssl.cnf
                      Loading 'screen' into random state - done
                      Check that the request matches the signature
                      Signature ok
                      The Subject's Distinguished Name is as follows
                      countryName          :PRINTABLE:'US'
                      stateOrProvinceName  :PRINTABLE:'CA'
                      localityName          :PRINTABLE:'SanFrancisco'
                      organizationName      :PRINTABLE:'OpenVPN'
                      commonName            :PRINTABLE:'vpn1'
                      emailAddress          :IA5STRING:'chunger_qin@163.com'
                      Certificate is to be certified until Sep  3 00:55:48 2020 GMT (3650 days)
                      Sign the certificate? [y/n]:y

                      1 out of 1 certificate requests certified, commit? [y/n]
                      CERTIFICATION CANCELED
                      can't find  I:\Program Files\OpenVPN\easy-rsa\keys*.old

                      1 Reply Last reply Reply Quote 0
                      • R
                        rsn
                        last edited by

                        um, this doesn't work at all.

                        1. Copy the WHOLE content of server.crt into the "Server Certificate" window
                        2. Copy the WHOLE content of server.key into the "Server Key" window
                        3. Copy the WHOLE content of dh1024.pem into the "DH parameters" window

                        Those files do not exist

                        1 Reply Last reply Reply Quote 0
                        • B
                          Bai Shen
                          last edited by

                          @bnasty:

                          Awesome guide! I got this working over TCP port 443 since we have a blanket port block here at work. If anyone else is trying to do this using TCP, remember to change the guide/defaults:

                          1. On the OpenVPN Add tab in pfSense.
                          2. On the WAN-LAN rule.
                          3. In the config file for the OVPN client install.
                          4. Change the pfSense web port from 443 to something else (4443) if using HTTPS.

                          I forgot to change the proto line in #3 from UDP to TCP, and I forgot about #4 – that wasted 20 minutes of my life.

                          I'm trying the same, using 443.  I did all four of these steps.

                          Now I'm getting a TLS handshake not found error.

                          Also, I'm a bit confused about step 32 in the OP.  Could that be why I'm getting the TLS handshake error?

                          I know I'm not having ports blocked as I was getting an address in use error until I changed my pfSense GUI port.

                          Also, I'm not getting anything in the OpenVPN log.

                          1 Reply Last reply Reply Quote 0
                          • D
                            dekopolis
                            last edited by

                            I'm not sure what command to issue when i want to invalidate one of my clients. In other words, if one of my users leaves the company and I don't want him/her to be able to access the vpn what do I need to do?

                            Thanks all!

                            1 Reply Last reply Reply Quote 0
                            • GruensFroeschliG
                              GruensFroeschli
                              last edited by

                              http://openvpn.net/index.php/open-source/documentation/howto.html#revoke

                              We do what we must, because we can.

                              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              1 Reply Last reply Reply Quote 0
                              • T
                                trentdk
                                last edited by

                                Note for 64-bit Vista / 7 users:

                                If OpenVPN is installed in c:\Program Files (x86), then you need to change the vars.bat:

                                change line 6 in vars.bat from:
                                set HOME=%ProgramFiles%\OpenVPN\easy-rsa
                                
                                to:
                                set HOME=%ProgramFiles(x86)%\OpenVPN\easy-rsa
                                

                                pfSense 2.0 BETA at home, pfSense 1.2.3 at work

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jai23155
                                  last edited by

                                  thanks for the document. i followed the document, but setup using TCP. anyway, i can connect to the pfsense box, but neither ping pfsense box nor browse network. when i check ipconfig /all, i get 255.255.255.252 rather than 255.255.255.0. i spent a week sorting this out myself, now i am posting here, i am almost throwing pfsense out of the window. apart from openVPN, it is great though.

                                  1 Reply Last reply Reply Quote 0
                                  • I
                                    ivalerio
                                    last edited by

                                    Hi, I have a small problem here. This tutorial changes a bit with pFsense 2.0. You can't add the server entry without creating the certificate first. Also the latest version of OpenVPN fails to coincide with the instructions and I had to use the second to latest openVPN package.

                                    Anyone here able to help me set this up for a basic VPN package. I've done everything except the addition of the server entry in 2.0 which is not allowing further movement till certificates are defined first. Thanks guys and gals.

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      Aziz
                                      last edited by

                                      I have the same problem with 2.0RC1, it doen't allow one to enteer the keys (steps 23-26). Can anyone help?

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        nambi
                                        last edited by

                                        Great Tutorial! well appreciated

                                        Now I have a problem I have upgraded to Pfsense 2 and the VPN settings are different does anyone have a similar tutorial for PFSense 2:

                                        Thank You, I don't know where to copy the keys in version 2.

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          newmember
                                          last edited by

                                          Just a heads up on versions of openvpn I used to create the server and client keys.
                                          Windows7
                                          openvpn 2.20
                                          pfsense 1.23

                                          I kept getting this error: "server key does not appear to be valid" when using the "server key" in pfsense's openvpn setup page.

                                          I found that the "server.key" was being created with these:
                                          –---BEGIN PRIVATE KEY-----
                                          -----END PRIVATE KEY-----
                                          I was using openvpn client version 2.20 to create the keys.

                                          I uninstalled openvpn 2.20 and installed openvpn version 2.09.
                                          I ended up going back to openvpn version 2.09 to create the keys and now they have:
                                          -----BEGIN RSA PRIVATE KEY-----
                                          -----END RSA PRIVATE KEY----

                                          After creating the keys, I then updated the openvpn client to 2.20 wouldnt connect to I tried the 2.1.x versions and finished with version 2.14 working and the connection worked fine.

                                          It seems that there is a change in the way the server.key is created between openvpn client "easy-rsa" software release versions 2.09 and 2.00.

                                          Finished with:
                                          Windows7
                                          openvpn 2.14
                                          pfsense 1.2.3

                                          I hope this sames someone else 3 days of late nights.

                                          Cheers

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            newmember
                                            last edited by

                                            To make the install a little tidy I added the CA, CERT and KEY to the openvpn config file.
                                            I just meant I didn't have 4 file, instead I have one file to copy or move etc.
                                            For me I connect to many openvpn sites with different CA, CERT and KEYS and this made it easier to maintain.
                                            Here is my sample .OPVN config

                                            ####
                                            client
                                            dev tun
                                            proto udp
                                            remote XXX.XXX.XXX.XXX 1194   ## Add your IP address of pfsense and port number
                                            ping 10
                                            resolv-retry infinite
                                            nobind
                                            persist-key
                                            persist-tun
                                            # ca ca.crt    comment out .crt
                                            # cert client1.crt    comment out crt
                                            # key client1.key   comment out key
                                            ns-cert-type server
                                            comp-lzo
                                            pull
                                            verb 3
                                             <ca>-----BEGIN CERTIFICATE-----
                                            Put your ca here.
                                            -----END CERTIFICATE-----</ca> 
                                            
                                             <cert>Put your cert here
                                            -----END CERTIFICATE-----</cert> 
                                            
                                             <key>-----BEGIN RSA PRIVATE KEY-----
                                            put your key here
                                            -----END RSA PRIVATE KEY-----</key> 
                                            
                                            ####
                                            

                                            Another Note:
                                            Remember to add an another TAP if you intend to connect to two OPENVPN servers at the same time.
                                            Hope the two sites you are connecting two have different network address spaces so that one site does not write routes over your other site.
                                            /openvpn/utilities/Add a new TAP virtual ethernet adapter

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.