OpenVPN on pfSense 2.0, Using Wizard?
-
Can someone post a step document on using the wizards, I mean setting up certs, users, then the server to export system.
I can't seem to get this to work and just need the help!
Thanks!
-
Here is how I did my setup that I am currently using in a corporate setting and my home.
1) Go to the certificate manager and create the CA. Input values as indicated or use whatever you choose, but make sure you choose to create an internal certificate authority.
2) Save, then use the first down arrow to export the ca.crt.
3) Next go to the certificates and again choose to create an internal certificate; the screen will show the CA you just created, then fill in whatever is missing on the cert screen. Note the common name you use, as it will be needed in the client config file.
4) Now go to the user manager and create a user by filling in the user credentials, add the group membership, then save.
5) Go to the user just created and under the user certificates hit the "+" button and create the certificate with all of the defaults, including the common name being the user name, then hit save.
6) Go back to the user and now export the certificates with both of the down arrows.
7) Go to VPN from the main menu and choose OpenVPN.
8) Choose the wizard and hit next.
9) Leave the default setting as local database authentication and press next.
10) Enter the description, then for the tunnel network enter 10.0.8.0/24.
11) Enter your local network IP address range, i.e. 192.168.1.0/24.
12) Enter the number of concurrent connections, leave the rest of the fields the same and press save.
13) Go to packages and install the client export utility.
14) Go to VPN from the main menu, then OpenVPN, and you should see the client export option.
15) Leave all of the fields as default and in the export field click on the configuration archive and save it to a folder.
16) Extract the archive and also copy the certificates you exported for the user created. You should have the following files:
a) CA.crt
b) "user".crt
c) "user".key
d) ??-udp-1194.ovpn
e) ??-udp-1194.p12
f) ??-udp-1194-tls.key
Note: ?? = whatever name you used. "user" is the user name. CA is the name you used for the Certificate Authority.
17) Download and install the OpenVPN 2.14 Windows installer:
http://openvpn.net/index.php/open-source/downloads.html
18) Once installed, copy all of the files from a-f into the config folder where OpenVPN is installed and run it. This should create a tunnel and allow you to RDP to your local network from a remote location.
This procedure is what I used in getting my setup to work, and I can now connect from any remote location to my office. Hope this helps…
-
Hey razzor, thanks very much for the info - this worked for me!!! Thank you sooooooo much!!! A couple things I have learned from this: first, you don't actually need the CA.crt, "user".crt, and "user".key on the client PC - just tried it to verify. Also, my issue was that I was trying to use an existing certificate for the user. Creating a dedicated one for the user worked for me.
Thanks again!!!
-
Glad I could be of some help, acherman. I will make a note of your observation about the CA.crt for future changes. This new version 2.0 is great and works reliably for me. Great work by the developers of this new version. Thank you all.
-
Thank you very much for your time and for sharing your knowledge, Razzor!
You are very kind and appreciated!
-
Razzor's guide helped me out as well. Thanks a lot. ;D
-
To everyone that my post has helped, you are all welcome. It's always great when we share solutions to such great software produced by the great coders we have developing products like pfSense. I would like to add another addition to the configuration, if anyone has seen the following error in their client config, i.e. client.ovpn in the config directory.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
To resolve this error I have added the following to the ??.ovpn file:
tls-remote "sample.domain.org"
Note: replace "sample.domain.org" with the common name used in the server.crt certificate.
Enjoy…
-
That guide seems to skip the client export package.
I tried it as well, and added local certificates, which show up in the list on the export page, but when I click a name it gives the error noted before:
The following input errors were detected:
* Could not find a valid certificate.
* Failed to export config files!
-
That guide seems to skip the client export package.
I tried it as well, and added local certificates, which show up in the list on the export page, but when I click a name it gives the error noted before:
The following input errors were detected:
* Could not find a valid certificate.
* Failed to export config files!
Make sure you also create a CA certificate called OpenVPNCert or something like that and select that in the OpenVPN server page. The CA cert and user cert work together.
Hope this helps.
-
Here is how I did my setup that I am currently using in a corporate setting and my home…
A lot of thanks!
This helped me out, I never had the idea to create a local user.
This was the point.
-
So, I was able to follow this tutorial and it worked out great!! Thanks!!
I just have one question…. I've been reading about pre-shared key authentication versus X.509 PKI authentication as seen in this article http://www.iceflatline.com/2010/10/secure-remote-access-to-your-home-network-using-pfsense-and-openvpn/, so my question is… which one does this set up.
There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication. Am I correct? If so, what would I need to do to turn it into X.509?
Thanks!
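An added example (not from any poster in this thread) that lints a client .ovpn file for the two points raised above: whether any server-certificate check such as `tls-remote` is present, and whether the file uses static-key mode (`secret`) or certificate-based TLS mode, where a `tls-auth` key is only an extra shared HMAC key. The directive set in `SERVER_VERIFY`, the function names and the sample config are assumptions of this example; later OpenVPN releases replaced `tls-remote` with `verify-x509-name`.

```python
import shlex

# Assumption of this example: client directives that check the server certificate.
SERVER_VERIFY = {"tls-remote", "verify-x509-name", "remote-cert-tls",
                 "remote-cert-eku", "ns-cert-type", "tls-verify"}
PKI = {"ca", "cert", "key", "pkcs12"}  # X.509 material, as files or inline blocks

def parse_ovpn(text):
    """Map each directive to its argument lists; skips comments and inline bodies."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = shlex.split(line, comments=True)
        directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """Classify the authentication mode and flag missing server verification."""
    d = parse_ovpn(text)
    mode = ("static-key" if "secret" in d
            else "tls-pki" if PKI & set(d) else "unknown")
    verify = sorted(SERVER_VERIFY & set(d))
    findings = []
    if mode == "tls-pki" and not verify:
        findings.append("no-server-cert-verification")
    if "tls-remote" in d:
        findings.append("tls-remote-deprecated")  # replaced by verify-x509-name
    return {"mode": mode, "tls_auth": "tls-auth" in d,
            "verify": verify, "findings": findings}

# Constructed sample, not an actual pfSense export; file names are placeholders.
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.org 1194
pkcs12 example-udp-1194.p12
tls-auth example-udp-1194-tls.key 1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE + 'tls-remote "sample.domain.org"\n'))
```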