Netgate Discussion Forum

    OpenVPN on pfSense 2.0, Using Wizard?

    General pfSense Questions
    20 Posts 10 Posters 86.4k Views
      mickeyholland

      At the VPN/ OpenVPN menu, do you have a tab called "Client Export" ?

      There you can see your list of users and to the right a column called "Export" with a link for "Windows Installer"

      If you have no users listed, then add them in the System/User manager and make sure you create a cert. for the user towards the bottom of the add user page.

        Disconnect

        Thanks all,

        At least now I am getting an export choice but when I select Windows installer I get:

        I've regone through the wizard and still keep getting the same answer…

        The following input errors were detected:

        * Could not find a valid certificate.
            * Failed to export config files!

        Thanks!

          acherman

          I am no help, but I am also having issues with OpenVPN now - I had a good connection set up and I tried setting up another on a different interface and now my first is not working.  So, I blew away everything and started from scratch, but no luck.  Perhaps someone that knows the OpenVPN steps a little better than us can update the old How-To that was done over a year ago?  Step by step including the CA, cert and user setup would be awesome!!  ;D

          Aaron

            Darkk

            Well, I got the OpenVPN Client to work but after connecting for 30 seconds the connection dies.

            I get this on my OpenVPN screen: Management Daemon Unreachable

            To get the Client OpenVPN export to work you need to create a user first with its own CA cert.  Once you've done that then use the OpenVPN wizard to create a tunnel.  From there you'll get an idea how to manually create a tunnel yourself.

            I know it was confusing at first but after a couple of tries I was able to get the export package to work.  Now have to figure out why the Daemon keeps dying.  Could be misconfigured on my end.

            Darkk

              acherman

              I was seeing the same "Management Daemon Unreachable" message in the OpenVPN status page as well, but don't see it anymore.  Now I am getting errors in the client related to certificates.

              So, I am trying, once again, to start from scratch and I am having an issue with the certificates again.  I create the CA, then create a certificate, then add it to the user.  Then when I go to create the OpenVPN server entry the CA shows up in the pulldown but the certificate does not, I only see the webConfig default - if I remove the certificate I created from the user then it shows up in the server creation window pulldown.  So, I did it backwards, create the server instance with the CA and certificate I created, then add the certificate to the user, and it disappears from the server instance.  Wtf?!  haha  Yet, when I look at my CARP backup box the exact same config works fine - but I never messed with the original so I never had to try to recreate it the way I am on the Master.  Is my problem different than the OP?  Should I start a new thread?

              Aaron

                Disconnect

                Can someone post a step document on using the wizards, I mean setting up certs, users, then the server to export system.

                I can't seem to get this to work and just need the help!

                Thanks!

                  razzor

                  Here is how I did my setup that I am currently using in a corporate setting and my home.
                  1) go to the certificate manager and create the CA. Input values as indicated or use whatever you choose, but make sure you choose create an internal certificate authority.
                  2) save, then use the first down arrow to export the ca.crt
                  3) next go to the certificates and again choose create an internal certificate and the screen will show the CA you just created, then fill in whatever is missing on the cert. screen. Note the common name you use as it will be needed in the client config file.
                  4) now go to user manager and create a user by filling in the user credentials and add the group membership, then save
                  5) go to the user just created and under the user certificates hit the "+" button and create the certificate with all of the defaults including the common name being the user name, then hit save.
                  6) go back to the user and now export the certificates, both of the down arrows.

                  7) go to VPN from the main menu and choose openvpn
                  8) choose the wizard and hit next
                  9) leave the default setting as local database authentication and press next
                  10) enter the description, then for the tunnel network enter 10.0.8.0/24
                  11) enter your local network ip address range, ie: 192.168.1.0/24
                  12) enter the number of concurrent connections and leave the rest of the fields the same and press save.
                  13) go to packages and install the client export utility.
                  14) go to the vpn from the main menu then OpenVpn and you should see the client export option
                  15) leave all of the fields as default and in the export field click on the configuration archive and save to a folder.
                  16) extract the archive and also copy the certificates you exported for the user created. You should have the following files:
                  a) CA.crt
                  b) "user".crt
                  c) "user".key
                  d) ??-udp-1194.ovpn
                  e) ??-udp-1194.p12
                  f) ??-udp-1194-tls.key
                  note: ?? = whatever name you used. "user" is the user name. CA is the name you used for the Certificate Authority.
                  17) download and install openvpn 2.14 windows installer
                  http://openvpn.net/index.php/open-source/downloads.html
                  18) once installed, copy all of the files from a-f into the config folder where openvpn is installed and run it. This should create a tunnel and allow you to RDP to your local network from a remote location.

                  This procedure is what I used in getting my setup to work and I now can connect from any remote location to my office. Hope this helps…

                    acherman

                    Hey razzor, thanks very much for the info - this worked for me!!!  Thank you sooooooo much!!!  A couple things I have learned from this:  first, you don't actually need the CA.crt, "user".crt, and "user".key on the client PC - just tried it to verify.  Also, my issue was that I was trying to use an existing certificate for the user.  Creating a dedicated one for the user worked for me.

                    Thanks again!!!

                      razzor

                      Glad I could be of some help, acherman. I will make a note of your observation of the CA.crt for future changes. This new version 2.0 is great and works reliably for me. Great work by the developers of this new version. Thank you all.

                        Disconnect

                        Thank you very much for your time and sharing your knowledge Razzor!

                        You are very kind and appreciated!

                          versendaal

                          Razzor's guide helped me out as well. Thanks a lot.  ;D

                            razzor

                            To everyone that my post has helped, you are all welcome. It's always great when we share solutions to such great software produced by the great coders we have developing products like pfSense. I would like to add another addition to the configuration if anyone has seen the following error in their client config, i.e. client.ovpn in the config directory.

                            WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

                            To resolve this error i have added the following to the ??.ovpn file:

                            tls-remote "sample.domain.org"

                            note: replace "sample.domain.org" with the common name used in the server.crt certificate.

                            Enjoy…

                              totalimpact

                              That guide seems to skip the client export package.

                              I tried it as well, and added local certificates, which show up in the list on the export page, but when I click a name it gives the error noted before:

                              The following input errors were detected:

                              * Could not find a valid certificate.
                                  * Failed to export config files!

                                Darkk

                                @totalimpact:

                                That guide seems to skip the client export package.

                                I tried it as well, and added local certificates, which show up in the list on the export page, but when I click a name it gives the error noted before:

                                The following input errors were detected:

                                * Could not find a valid certificate.
                                    * Failed to export config files!

                                Make sure you also create a CA certificate called OpenVPNCert or something like that and select that in the OpenVPN server page.  The CA cert and user cert work together.

                                Hope this helps.

                                  skyranger

                                  @razzor:

                                  Here is how i did my setup that i am currently using in a corporate setting and my home…...

                                  lot of thanks !

                                  This helped me out, I never had the idea to create a local user.
                                  this was the point.

                                    broncoBrad

                                    So, I was able to follow this tutorial and it worked out great!! Thanks!!

                                    I just have one question…. I've been reading about pre-shared key authentication versus X.509 PKI authentication as seen in this article http://www.iceflatline.com/2010/10/secure-remote-access-to-your-home-network-using-pfsense-and-openvpn/, so my question is… which one does this set up.

                                    There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication. Am I correct? If so, what would I need to do to turn it into X.509?

                                    Thanks!

                                    1 Reply Last reply Reply Quote 0
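
Added example, not part of any post in this thread: a small audit of a client `.ovpn` file covering the two points raised above, namely whether the client checks the server certificate (razzor's `tls-remote` warning fix) and whether the config is static-key or X.509 mode (broncoBrad's question). The sample config and the names `SERVER_CHECKS`, `parse_directives` and `audit` are constructed for illustration; it goes slightly beyond the thread in flagging `tls-remote`, which later OpenVPN releases deprecated and then removed in favour of `verify-x509-name`.

```python
import re
import shlex

# Constructed sample in the shape of an exported client config (not taken from the thread).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.org 1194
pkcs12 example-udp-1194.p12
tls-auth example-udp-1194-tls.key 1
; remote-cert-tls server
tls-remote "sample.domain.org"
"""

# Directives that make the client check the server certificate beyond chain validation.
SERVER_CHECKS = ("remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                 "ns-cert-type", "tls-remote", "tls-verify")

def parse_directives(text):
    """Map directive -> list of argument lists; skips comments and inline <tag> bodies."""
    found, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca>...</ca> and similar
            block = None if line == f"</{block}>" else block
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            found.setdefault(block, []).append(["[inline]"])
            continue
        parts = [] if line.startswith(";") else shlex.split(line, comments=True)
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit(text):
    d = parse_directives(text)
    if "secret" in d:
        mode = "static-key"                         # pre-shared key, no certificates
    elif "pkcs12" in d or {"ca", "cert", "key"}.issubset(d):
        mode = "tls-pki"                            # X.509 certificates
    else:
        mode = "unknown"
    checks = [name for name in SERVER_CHECKS if name in d]
    findings = []
    if mode == "tls-pki" and not checks:
        findings.append("no server certificate verification directive")
    if "tls-remote" in d:
        findings.append("tls-remote is deprecated; use verify-x509-name")
    if mode == "tls-pki" and ("tls-auth" in d or "tls-crypt" in d):
        findings.append("tls-auth/tls-crypt key is an extra HMAC layer, not static-key mode")
    return {"mode": mode, "server_checks": checks, "findings": findings}
```

A config that carries a `.p12` (or `ca`/`cert`/`key`) alongside a `tls-auth` key file, like the file set listed in the guide above, is classified as `tls-pki`; only a `secret` directive marks static-key mode.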
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.