OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)

soricel_z

@chunger:

@soricel_z:

@torontob:

Nah. That doesn't help. I did the key generation on a CentOS server and it worked fine.

Dear all I am new in PfSense and openVPN.
First thank you a lot for the openVPN guide. Maybe is not the right place here to discuss this but here is the problem:
I installed PfSense with the embedded openVPN server.
I previously generated the certificates un an Ubuntu machine with a compiled openVPN server and I "copy - paste" them into the PfSense interface.
The only problem is that the server works fine but with only one client. (the acces in the network is granted, everything works fine, tunnel is stable)
When the second client try to connect the same IP address will be provided by the server and the first client is kiked off (with "connection was lost").
I tryed to generate more certificates for diferent clients, but the certifiates seems not to have any relation to the IPs.
IP pool for the VPN is 172.16.0.0/24 and the address 172.16.0.6 is the only address given to the clients.
Thanks, Robert

I met the same problem,please give our some help for it ,tks

I solved it: I made a "small" misstake when I generated the certificates for the clients. The parametrer "common-name" is the one wich makes the diference between the clients. Otherwise the server think that is the same client over and over again and offers the same IP.
So you should put unique names here for the clients, not the same name as I did! It looks like different filenames for the generated keys did not make any difference between the clients.
Thank you all for the support! All the best! Robert

chunger

I am a newbie ,when I build the second client key ,it always remind me it can't find the *.old file.  I don't know the use of the *.old。
my first key works well,but I need create more client keys.  so pls help me find the reason,tks.

I have copy the procedure of building the client key.

I:\Program Files\OpenVPN\easy-rsa>build-key.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
….....++++++
..........++++++
writing new private key to 'keys.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpn1
Email Address [mail@host.domain]:chunger_qin@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'US'
stateOrProvinceName  :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'OpenVPN'
commonName            :PRINTABLE:'vpn1'
emailAddress          :IA5STRING:'chunger_qin@163.com'
Certificate is to be certified until Sep  3 00:55:48 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]
CERTIFICATION CANCELED
can't find  I:\Program Files\OpenVPN\easy-rsa\keys*.old

rsn

um, this doesn't work at all.

24. Copy the WHOLE content of server.crt into the "Server Certificate" window
25. Copy the WHOLE content of server.key into the "Server Key" window
26. Copy the WHOLE content of dh1024.pem into the "DH parameters" window

Those files do not exist

Bai Shen

@bnasty:

Awesome guide! I got this working over TCP port 443 since we have a blanket port block here at work. If anyone else is trying to do this using TCP, remember to change the guide/defaults:

1. On the OpenVPN Add tab in pfSense.
2. On the WAN-LAN rule.
3. In the config file for the OVPN client install.
4. Change the pfSense web port from 443 to something else (4443) if using HTTPS.

I forgot to change the proto line in #3 from UDP to TCP, and I forgot about #4 – that wasted 20 minutes of my life.

I'm trying the same, using 443.  I did all four of these steps.

Now I'm getting a TLS handshake not found error.

Also, I'm a bit confused about step 32 in the OP.  Could that be why I'm getting the TLS handshake error?

I know I'm not having ports blocked as I was getting an address in use error until I changed my pfSense GUI port.

Also, I'm not getting anything in the OpenVPN log.

dekopolis

I'm not sure what command to issue when i want to invalidate one of my clients. In other words, if one of my users leaves the company and I don't want him/her to be able to access the vpn what do I need to do?

Thanks all!

GruensFroeschli

http://openvpn.net/index.php/open-source/documentation/howto.html#revoke

trentdk

Note for 64-bit Vista / 7 users:

If OpenVPN is installed in c:\Program Files (x86), then you need to change the vars.bat:

change line 6 in vars.bat from:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa

to:
set HOME=%ProgramFiles(x86)%\OpenVPN\easy-rsa

jai23155

thanks for the document. i followed the document, but setup using TCP. anyway, i can connect to the pfsense box, but neither ping pfsense box nor browse network. when i check ipconfig /all, i get 255.255.255.252 rather than 255.255.255.0. i spent a week sorting this out myself, now i am posting here, i am almost throwing pfsense out of the window. apart from openVPN, it is great though.

ivalerio

Hi, I have a small problem here. This tutorial changes a bit with pFsense 2.0. You can't add the server entry without creating the certificate first. Also the latest version of OpenVPN fails to coincide with the instructions and I had to use the second to latest openVPN package.

Anyone here able to help me set this up for a basic VPN package. I've done everything except the addition of the server entry in 2.0 which is not allowing further movement till certificates are defined first. Thanks guys and gals.

Aziz

I have the same problem with 2.0RC1, it doen't allow one to enteer the keys (steps 23-26). Can anyone help?

nambi

Great Tutorial! well appreciated

Now I have a problem I have upgraded to Pfsense 2 and the VPN settings are different does anyone have a similar tutorial for PFSense 2:

Thank You, I don't know where to copy the keys in version 2.

newmember

Just a heads up on versions of openvpn I used to create the server and client keys.
Windows7
openvpn 2.20
pfsense 1.23

I kept getting this error: "server key does not appear to be valid" when using the "server key" in pfsense's openvpn setup page.

I found that the "server.key" was being created with these:
–---BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
I was using openvpn client version 2.20 to create the keys.

I uninstalled openvpn 2.20 and installed openvpn version 2.09.
I ended up going back to openvpn version 2.09 to create the keys and now they have:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY----

After creating the keys, I then updated the openvpn client to 2.20 wouldnt connect to I tried the 2.1.x versions and finished with version 2.14 working and the connection worked fine.

It seems that there is a change in the way the server.key is created between openvpn client "easy-rsa" software release versions 2.09 and 2.00.

Finished with:
Windows7
openvpn 2.14
pfsense 1.2.3

I hope this sames someone else 3 days of late nights.

Cheers

newmember

To make the install a little tidy I added the CA, CERT and KEY to the openvpn config file.
I just meant I didn't have 4 file, instead I have one file to copy or move etc.
For me I connect to many openvpn sites with different CA, CERT and KEYS and this made it easier to maintain.
Here is my sample .OPVN config

####
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194   ## Add your IP address of pfsense and port number
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
# ca ca.crt    comment out .crt
# cert client1.crt    comment out crt
# key client1.key   comment out key
ns-cert-type server
comp-lzo
pull
verb 3
 <ca>-----BEGIN CERTIFICATE-----
Put your ca here.
-----END CERTIFICATE-----</ca> 

 <cert>Put your cert here
-----END CERTIFICATE-----</cert> 

 <key>-----BEGIN RSA PRIVATE KEY-----
put your key here
-----END RSA PRIVATE KEY-----</key> 

####

Another Note:
Remember to add an another TAP if you intend to connect to two OPENVPN servers at the same time.
Hope the two sites you are connecting two have different network address spaces so that one site does not write routes over your other site.
/openvpn/utilities/Add a new TAP virtual ethernet adapter

kolkjaer

Got my firewall upgraded to version 2 RC3 and got it to work ..

Hey
I have followed the guide, but something seems to be wrong..

When I start the Open VPN client, and try to connect to my pfsense box all I get is this.

Thu Jul 21 21:31:20 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Thu Jul 21 21:31:20 2011 NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
Thu Jul 21 21:31:20 2011 LZO compression initialized
Thu Jul 21 21:31:20 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jul 21 21:31:20 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jul 21 21:31:20 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jul 21 21:31:20 2011 Local Options hash (VER=V4): '41690919'
Thu Jul 21 21:31:20 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jul 21 21:31:20 2011 UDPv4 link local: [undef]
Thu Jul 21 21:31:20 2011 UDPv4 link remote: XXX.XXX.XXX.XXX:1194

I using windows 7 x64 on the client, OpenVPN 2.1.4
Pfsense 1.2.3-RELEASE on a watchguard x700

Hop someone can help/give a hint

mabian

Hello, like others I'm a bit concerned about OpenVPN configuration on pfSense 2.0.

I imported a 1.2.2 pfSense configuration in a brand new PC with 2.0RC3; the configuration included an OpenVPN server configuration, which seems to have been imported correctly (I can see the certificate and the OpenVPN server is already set to use it); I still have to try the replaced VPN but my first question is where one should specify the server key and server certificate if a new OpenVPN with new certificates has to be created.

I guess a bit of nomenclature has changed and a new tutorial should be very welcome.

Anyway, main question, should I expect the existing migrated OpenVPN work when I'll replace the old PC with the new one or is there something that is known to need some tweaks when using a migrated 1.2 OpenVPN?

Thank you very much,
   Mario

salida

@kolkjaer:

Got my firewall upgraded to version 2 RC3 and got it to work ..

Hey
I have followed the guide, but something seems to be wrong..

When I start the Open VPN client, and try to connect to my pfsense box all I get is this.

Thu Jul 21 21:31:20 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Thu Jul 21 21:31:20 2011 NOTE: OpenVPN 2.1 requires '–script-security 2' or higher to call user-defined scripts or executables
Thu Jul 21 21:31:20 2011 LZO compression initialized
Thu Jul 21 21:31:20 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jul 21 21:31:20 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jul 21 21:31:20 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jul 21 21:31:20 2011 Local Options hash (VER=V4): '41690919'
Thu Jul 21 21:31:20 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jul 21 21:31:20 2011 UDPv4 link local: [undef]
Thu Jul 21 21:31:20 2011 UDPv4 link remote: XXX.XXX.XXX.XXX:1194

I using windows 7 x64 on the client, OpenVPN 2.1.4
Pfsense 1.2.3-RELEASE on a watchguard x700

Hop someone can help/give a hint

i am having the same issue as reported above
but i use pfsense 1.2.3 & windows 7 32 bit

mabian

Same here, I solved by simply enabling the OpenVPN profile - I disabled it after importing and I forgot to enable it.

• Mario

aranel

23. Copy the WHOLE content of ca.crt into the "CA certificate" window
24. Copy the WHOLE content of server.crt into the "Server Certificate" window
25. Copy the WHOLE content of server.key into the "Server Key" window
26. Copy the WHOLE content of dh1024.pem into the "DH parameters" window

Where are these windows in 2.0.1?

damascene

Here is an updated version of this guide:

OpenVPN pfSense 2 - Installation guide for (Windows) Dummies :-) (road-warrior)

look at step 22 in green

suicidegybe

I get to step 7 and I gert system cannot find the path specified
1 files copied
1 files copied

Then step 8 says the same about can't find path and a bunch of stuff about can't open config file openssl/ssl/openssl.cnf error on line 123 of openssl-1..0.cnf 6412:error:0e065068:configuration file routines:STR_COPY:variable has no value:.\crypto\conf\conf_def .c:618:line 123

All this comand line stuff is new to me again so I have no idea what any of that means. I did this when I was a kid and have stopped up until about a year ago so still relearn. command propt stuff that is obviously not OpenVPN.

Please If someone can point me in the right direction I would love that.

Thanks