How to create an OpenVPN client to StrongVPN

ericab

ermal, thanks for the heads up;
i have edited the how-to to reflect your advice

zoltran

Hello

Does any have StrongVPN working in pf 1.2.3 ?
Or can point me to a primer?
Thanks

Hidden

After section 1 all traffic is routerd true the VPN.

anyone got policy routing working ?
I would like to route netflix over vpn.

Hidden

after a factory reset (i screwed some thing up in squid) it works great.

Now i need some thing to route traffic over the vpn on url base.

i found this interesting setup:
http://webcache.googleusercontent.com/search?q=cache:EuMlcG_zcmIJ:www.shawnmolnar.com/blog/tag/hulu+hulu+netflix+script+vpn&cd=2&hl=nl&ct=clnk&gl=nl
( from google cache because the realsite is offline atm)

yu130960

@Hidden:

After section 1 all traffic is routerd true the VPN.

anyone got policy routing working ?
I would like to route netflix over vpn.

+1

yu130960

@Hidden:

after a factory reset (i screwed some thing up in squid) it works great.

Now i need some thing to route traffic over the vpn on url base.

i found this interesting setup:
http://webcache.googleusercontent.com/search?q=cache:EuMlcG_zcmIJ:www.shawnmolnar.com/blog/tag/hulu+hulu+netflix+script+vpn&cd=2&hl=nl&ct=clnk&gl=nl
( from google cache because the realsite is offline atm)

Would this work on pfsense?  Has anyone tried it?

0tt0

@Hidden:

After section 1 all traffic is routerd true the VPN.

anyone got policy routing working ?
I would like to route netflix over vpn.

I believe I have commented on this several times. I use policy routing with an OpenVPN cert tunnel with StrongVPN (to make only some clients use the tunnel or by other filtering means, which can be adjusted at any time), using tunnel as "virtual WAN interface" and the tunnel has been up close to 9 months now, I believe.

I haven't taken the time to finish my guide yet though.

yu130960

@0tt0:

@Hidden:

After section 1 all traffic is routerd true the VPN.

anyone got policy routing working ?
I would like to route netflix over vpn.

I believe I have commented on this several times. I use policy routing with an OpenVPN cert tunnel with StrongVPN (to make only some clients use the tunnel or by other filtering means, which can be adjusted at any time), using tunnel as "virtual WAN interface" and the tunnel has been up close to 9 months now, I believe.

I haven't taken the time to finish my guide yet though.

This would be the guide that I would be looking forward to.  I will try to figure out the tunnel as a virtual wan interface, but would love to see a guide on how to set this up.  I couldn't figure it out and just got my refund from StrongVPN within their 7 days.  I will sign back up if I can get this setup to work.

Thanks for the post.

jeffnoone

I am a complete newbie on FreeBSD and pfSense, but managing to get pfSense installed and then STrongVPN going using the various site tutorials. Suddenly pfSense has become very valuable to me for high-speed VPN connection. So thanks to ERicab and all here
Does this thread need to be updated given this post:
http://forum.pfsense.org/index.php/topic,32640.0.html

I made similar observations as ericab, as in that post
Enabling AON  uunder Firewall, NAT, outbound seems to be what was suggested in the thread linked, and seemed to work for me

Should this instruction be added to tutorial to get people up and running with most recent versions? - I dont know enough to know reliably one way or the other

Again thanks
Jeff

yu130960

@0tt0:

@Hidden:

After section 1 all traffic is routerd true the VPN.

anyone got policy routing working ?
I would like to route netflix over vpn.

I believe I have commented on this several times. I use policy routing with an OpenVPN cert tunnel with StrongVPN (to make only some clients use the tunnel or by other filtering means, which can be adjusted at any time), using tunnel as "virtual WAN interface" and the tunnel has been up close to 9 months now, I believe.

I haven't taken the time to finish my guide yet though.

I know the guide is not ready yet, but can someone point me to another guide that would help me set up PFsense 2.0 with Strongvpn with the option of routing only some clients through the VPN while allowing others to go through the default gateway.

Thanks

smirta

Better performance & policy routing

Performance
I am using pfsense 2.0 RC1. In my case the settings below in the "Advanced Configuration" field of the OpenVPN connection tab are resulting in a more stable connection:

verb 4; mute 5;tun-mtu 1500;route-method exe;route-delay 2;explicit-exit-notify 2;fragment 1300;mssfix 1450;

With these I can stream a lot more stable.

On the other hand I was interested in tunneling some clients to some ip addresses. It was quite an operation. I followed the guide above (thanks a lot to the author!) except the "all traffic through VPN" part.

Then I added a firewall rule to the LAN interface for a specific IP address to be routed through the OpenVPN . I figured out that after some time everything went through the WAN or through the VPN gateway (can't remember exactly which one). Additionally there was NAT didn't work as expected.

Fix NAT
I turned NAT off and added it manually. Firewall -> NAT -> Outbound : Add two entries there.

Interface:    WAN
Source:       CIDR of your LAN (e.g. 192.168.1.0/24)
Description:  LAN -> WAN (or anything you want)

Interface:    VPN
Source:       CIDR of your LAN (e.g. 192.168.1.0/24)
Description:  LAN -> OpenVPN (or anything you want)

Fix rules/gateways
After this NAT was working again. But there was still the problem with the routing of all traffic through either or the other interface. Somehow it was ignoring my rule. After some gambling around with the setting I was pretty surprised that "default" as gateway doesn't seem to work as expected. So I added to all rules a specific gateway. Now everything is working as expected. phew

My "Default allow LAN to any rule " looks now like this:

 * LAN net * * * WAN

For example if you want to route the client 192.168.1.5 through VPN you have to add the following line above the default rule:

 * 192.168.1.5 * * * VPN

I hope this helps and is no complete bullshit. I'm an absolute newbie to pfsense.

ericab

hi smirta;

these additional options are specific to windows only.
i would suggest removing them.

route-method exe
mssfix 1450

smirta

thanks for the input (and the great tutorial btw), eric. I'll have a closer look at the options

cmb

@smirta:

I hope this helps and is no complete bullshit. I'm an absolute newbie to pfsense.

That's ok for your typical home setup, but what you're actually doing there is overriding the fact that StrongVPN is pushing you a default route and modifying your firewall's routing table so it sends everything over the VPN (unless you override it with policy routing as you're doing). That will cause a number of issues with more advanced setups, as it's going to default to sending traffic initiated from the firewall out of the VPN which is usually going to be undesirable.

smirta

Thanks for your reply. As I updated to the latest snapshot everything became obsolete. You just have to follow the initial guide, disable the "automatic outbound NAT" (it will fill in the rules done so far) and modify the rules described as in my post above.

yu130960

@smirta:

Thanks for your reply. As I updated to the latest snapshot everything became obsolete. You just have to follow the initial guide, disable the "automatic outbound NAT" (it will fill in the rules done so far) and modify the rules described as in my post above.

I have come back after some time away, but this remains an issue for me.  Glad to hear that you have had some success, just wanted to get clarification on your current set up under the latest snapshot.  Which of the above posts should I look to to establish a strongvpn connection for only 1 specific internal IP with all the other IPs going through the default gateway.

Thanks

ericab

hi yu130960;

A) go to Firewall –> Rules

B) select the LAN tab.

C) add a new rule with the following:

D) click save and your done

***Edit
ive fixed an error.

yu130960

Thanks post #1 and #15 solved my issue and I am up and running.

I had to make the Rule to put the the target IP in the source box not the destination and then it worked.

It took a while, but it is great to see it work.

Thanks to all in the thread.

Arisian

Hey guys,

I hate to drag this post out of the depths - it's better than starting a new thread when this is exactly the topic I need help w/, but I'm dying here.  I've been using pfsense boxes for about 4 years but that, by no means, should be read to suggest that I know what I'm doing.  I know very little, unfortunately and what I do know is probably wrong.

I've followed this exact tutorial before w/ success, but I think some things have changed in recent releases causing me to…basically, have to make changes to things I don't really understand.  I am using 2.0-RC2 (i386) - Built on May 18th.

Here's the basic situation.  I live in China and have 5 VPN accounts for business purposes as well as getting anything done here.  3 Are specifically for work in different locations and 2 are for play and backup.  One of those is an OpenVPN account w/ StrongVPN.

My home network looks like the following:

A pfsense box built around 5 nics, each separting an area in my home

_**- 1 WAN Nic

• 1 LAN Nic (my office computer)
• 1 Wifi Nic, dedicated to a wireless router - DD-WRT
• 1 Media - goes to my tv an entertainment system
• 1 VOIP - use a voip phone/adapter for business.  DMZ'd basically…**_

I know that seems like overkill, but I really like to dedicate the NICs to each work area/task and I can really see the separation when it comes to data usage - plus I like to keep track of what the Chinese government is doing to my network.

My Media section of the house is really where Im dying.  I have an Xbox, AppleTV, Computer, Wii all attached to a Hub that all goes into the media nic.  Needless to say, to really be able to use these gaming and entertainment boxes, I really need these all to be connected to a VPN.  Thus this tutorial.  I'd like to keep the other segments off the VPN because I have PPTP accounts that I use for my 3 home computers that are much faster.

So here's where I'm having issues.  I follow this tutorial to a T, get the VPN to connect, set up the firewall rule to pass the VPN data to the WAN data, just like is mentioned in the tutorial… and nothing!  I set the VPN up as a DHCP interface like the review asks for but I still get NOTHING across the board.  At the point I'm not even connected to the WAN.  I don't have any firewall rules infront of the VPN gateway rule.  I'm at a complete loss here after trying to fix this for the last 6 hours.

I fear it has a lot to do w/ the NAT settings

I've attached screenshots to my setup.  Just as an FYI, Im testing it out on the WIFI nic here, I've done the exact same setup on the LAN nic.  Also, under NAT, AON (Manual Outbound NAT rule generation) is on.

Guys, I'd really appreciate some help with this  :).  Any thoughts on what I'm doing wrong?

If I need to clarify anything, please let me know.  I tried to stuff what I could into this post, but its 1am here and Im sure I missed something

Also, I can get the VPN to connect but I have to use BF-CBC(128-bit) encryption to make it work - id prefer no encryption since this really is just for a media center to get the US IP address so I can download games, watch netflix, etc.  Does anyone know how to do this… or could point me in the correct direction?

Very much appreciate your help!!!
http://www.brianhirschy.com/vpn/1.png
http://www.brianhirschy.com/vpn/2.png
http://www.brianhirschy.com/vpn/3.png
http://www.brianhirschy.com/vpn/4.png

ericab

hi Arisian;

first, i see you mentioned your using a HUB on your MEDIA nic… if your really using a HUB, you should seriously consider updating to a switch, but...
as for your vpn issue, can you go back to my tutorial and see the "edit - March 9 2011"  note at the bottom? i believe that will fix you right up; if not please report back and i or someone else will gladly assist you. (also check and make sure the strong vpn device is using TUN mode)