Netgate Discussion Forum
    First Timer Dabbling in VPN * Recommendations

    OpenVPN
    24 Posts 4 Posters 4.4k Views
    • J
      Jbmeth007
      last edited by

      So I finally got my box working the way I wanted, now time to put it to work.

      I never fully created a working VPN environment, but have fixed client machines that wouldn't connect. They should both go hand in hand, but I never had access to the firewall.

      Anyway. I set up a dynamic DNS for my home IP using no-ip. I'm not sure if it's working properly, but pfSense is stating that it is updated.

      I'm getting ICMP timeouts, perhaps a rule on the box. No-ip login states my correct IP.

      I followed a tut on setting up certs and user certs. I did an export on the keys, but none of them connect using OpenVPN. I get a TLS handshake error:

      Aug 09 10:15:39: Viscosity Mac 1.4.4 (1138)
      Aug 09 10:15:39: Viscosity OpenVPN Engine Started
      Aug 09 10:15:39: Running on Mac OS X 10.8.4
      Aug 09 10:15:39: –-------
      Aug 09 10:15:39: Checking reachability status of connection...
      Aug 09 10:15:39: Connection is reachable. Starting connection attempt.
      Fri Aug  9 10:15:41 2013 DEPRECATED OPTION: --tls-remote, please update your configuration
      Aug 09 10:15:43: OpenVPN 2.3.2 i386-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun  7 2013
      Aug 09 10:16:10: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
      Aug 09 10:16:10: UDPv4 link local (bound): [undef]
      Aug 09 10:16:10: UDPv4 link remote: [AF_INET]xxx.no-ip.biz:1194
      Aug 09 10:17:10: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Aug 09 10:17:10: TLS Error: TLS handshake failed
      Aug 09 10:17:10: SIGUSR1[soft,tls-error] received, process restarting

      What's the easiest VPN to set up on this distro? I'm on snapshots, 2.1.

      • P
        phil.davis
        last edited by

        Easy enough to check that your dynamic DNS is set correctly, from some computer:

        nslookup xxx.no-ip.biz
        

        The IP address should be the current WAN IP of your pfSense.
        TLS handshake failed messages usually mean that the connect packet from the client never got through to the server. Make sure you have a firewall rule on WAN allowing incoming to WAN address port 1194.
        If still no go, do packet capture on WAN looking for traffic coming to port 1194.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • J
          Jbmeth007
          last edited by

          @phil.davis:

          Easy enough to check that your dynamic DNS is set correctly, from some computer:

          nslookup xxx.no-ip.biz
          

          The IP address should be the current WAN IP of your pfSense.
          TLS handshake failed messages usually mean that the connect packet from the client never got through to the server. Make sure you have a firewall rule on WAN allowing incoming to WAN address port 1194.
          If still no go, do packet capture on WAN looking for traffic coming to port 1194.

          The xxx.no-ip.biz is arbitrary. It is in fact displaying my correct address; I just chose to hide it. Precautionary.

          I believe I set that rule already. I'll have to check it again when I get back home. I can still test the VPN connection locally through the same network, yes?

          When I run the correct nslookup it does in fact show my correct IP, though under Non-authoritative answer. It also shows opendns.com servers.

          • K
            kejianshi
            last edited by

            You can use a lookup tool online to know if no-ip is working for you, or someone could ping your box and tell you.
            Are you trying this from inside your own LAN? If so you will need NAT reflection enabled, and that's IF NAT reflection will work with the UDP protocol, which for me, it doesn't at least 75% of the time, but oddly, does seem to work for my VPN. Best way to test is from outside the network or via a cell-phone broadcast Wi-Fi hotspot.

            • J
              Jbmeth007
              last edited by

              @kejianshi:

              You can use a lookup tool online to know if no-ip is working for you, or someone could ping your box and tell you.
              Are you trying this from inside your own LAN? If so you will need NAT reflection enabled, and that's IF NAT reflection will work with the UDP protocol, which for me, it doesn't at least 75% of the time, but oddly, does seem to work for my VPN. Best way to test is from outside the network or via a cell-phone broadcast Wi-Fi hotspot.

              I am testing using a completely separate network at the moment. The lookup tool does resolve my correct IP, so my dynamic DNS is working. However, if I ping my address or my name it does not respond, which may or may not be normal in this situation. Still new to VPN.

              I'll keep in mind the NAT reflection when I'm at home. I can use a cell for the external connection. I hope I keep my LTE signal. 3G over Sprint is horrendous.

              Are certs the same for setting up IPsec?

              Basically what I'm trying to do is create a VPN that requires minimal third-party clients. I used OpenVPN as a test run with a third-party client for simplicity reasons, but it didn't turn out that way for a newb. For instance at work, we use Mac, which supports L2TP, Cisco and PPTP natively through configuration. I'm aiming for access to my NAS from work and extras: web browsing, file shares, RDP if needed, etc.

              • K
                kejianshi
                last edited by

                I'd go with openvpn totally and nothing else.  I'd also put it off the usual openvpn port.
                My IPsec server gets chewed on daily and nightly by the nice guys in Shanghai and Beijing (Thanks China).

                I think OpenVPN is mo-betta.

                As far as ping, did you open ICMP on your WAN?

                OpenVPN is crazy easy to set up.  Like 1 or 2 minutes.

                • J
                  Jbmeth007
                  last edited by

                  @kejianshi:

                  OpenVPN is crazy easy to set up.  Like 1 or 2 minutes.

                  Maybe that's why I can't get it to work... too easy, haha. OK, sounds good to me. The only confusing part of the OpenVPN tunnel setup is that it asks for IPs.

                  Given my default VLAN is using 192.168.1.1

                  IPv4 Tunnel Network IP setting: do I choose a random IP on my subnet or create whatever I want?

                  IPv4 Local Networks should be 192.168.1.0/24

                  I did not open ICMP. Is it necessary? Yes it is.

                  • J
                    Jbmeth007
                    last edited by

                    OK, I got it to connect, and it's working via cell, but it doesn't see anything on my network; it only loads web pages. I'm sure it's my tunnel settings.

                    What should I put in place if I'm trying to get on my local VLAN?

                    • K
                      kejianshi
                      last edited by

                      Did you set up a site to site or are you using "Wizard" to set up the VPN and then exporting client configs to something like a windows laptop?

                      (Viscosity = MAC)  But did you use wizard?  Are you using client export package?  Are you forcing all traffic across the VPN?

                      Also, about all that 192.168.x.x stuff, what is the IP of your pfsense LAN?  The IP of the LAN your MAC (I guess) is sitting on?

                      • J
                        Jbmeth007
                        last edited by

                        My local VLAN is 192.168.1.1, DHCP enabled from .50-.200. Oop, forgot: yes, used the wizard, and client export for keys.

                        It connects and gives me the IP I set in the tunnel, whatever the e.g. was, 10.0.8.x something or another, but doesn't see anything on 192.168.1.1. Should I set the VPN tunnel to something like an address that isn't DHCP handled but in the same subnet?

                        • K
                          kejianshi
                          last edited by

                          So, you have 192.168.1.1 in use on your network and it's also in use on like half the networks on the planet. (Half is probably an understatement.)

                          So, that's not good. I'd change your network IP addresses.

                          • J
                            Jbmeth007
                            last edited by

                            OK, no problem. Saw that "Force all client generated traffic through tunnel". I should enable this, yes?

                            • K
                              kejianshi
                              last edited by

                              Yes - If you want to VPN everything…  Most of the time, yes.

                              • J
                                Jbmeth007
                                last edited by

                                Thanks for all your help. It's working. You're awesome. Now I can brew my coffee from work, oh and apparently tie my shoe laces as well.

                                • K
                                  kejianshi
                                  last edited by

                                  I hear they have an IP waiting for every ounce of matter on earth…  No way possible to burn through all those addresses.

                                  I imagine the settlers of the USA felt the same way about the trees here when they arrived, and yet...

                                  Nano-machines will need IPs. We will find some way to exhaust them. That's what we are best at. Using stuff up. :-\

                                  • J
                                    Jbmeth007
                                    last edited by

                                    Isn't that what IPv6 is for? Or are you including that in all 20oz? Which, by the way, is broken for me at the moment. RTT gets worse and worse the longer I leave it connected.

                                    • K
                                      kejianshi
                                      last edited by

                                      Just lost me…  RTT to what?

                                      (Yeah - I was talking IPV6)

                                      • J
                                        Jbmeth007
                                        last edited by

                                        RTT to my ISP WAN address

                                        [attached image: status_rrd_graph_img.png (pfSense RRD quality graph)]

                                        • K
                                          kejianshi
                                          last edited by

                                          I've seen worse…  I've seen better.
                                          What are you thinking?

                                          • J
                                            Jbmeth007
                                            last edited by

                                            I'm not sure. I thought I'd give IPv6 a shot to see what the hype is about since the modem supports it. Didn't like the result.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.