Configuring openvpn server and client
-
Hi guys ,
I have configured openvpn server , but cant able to configure openvpn client , i want to connect two networks . anyone help me out.
–Thanks & Regards,
Jerry -
so you want a site to site connection? How about some details of your connectivity between these 2 sites and how you configured the server and how you tried to config the client side. And what networks are on each side?
-
Hi ,
Sorry for the late reply , Actually my requirement is we have 5 region ( 5 different network ) pfsense act as a firewall .
I want to set-up one network as server and remaining all as client , so that i can communicate between all region from all region .
i followed this guide but couldn't succeed . any suggestions ?
http://blog.stefcho.eu/building-site-to-site-connection-with-openvpn-on-pfsense-2-0-rc1-with-pki/
Thanks & Regards,
Jerry -
I looked at the how-to you followed and it looks essentially correct.
The general procedure with multiple OpenVPN sites is to get one pair working correctly and then successively add in more sites, testing each as you go.
Start with the first pair Site1 and Site2 - document what their LAN and OpenVPN subnets are and what works and what doesn't.
-
Hi ,
Client 1: system log for open vpn
Dec 5 04:36:39 openvpn[77064]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 5 04:36:39 openvpn[77064]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 5 04:36:39 openvpn[77064]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx
Dec 5 04:36:39 openvpn[77064]: UDPv4 link remote: [AF_INET]xxx.xxx.xx.xxx:1194
Dec 5 04:36:44 openvpn[77064]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 1541'
Dec 5 04:36:44 openvpn[77064]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 5 04:36:44 openvpn[77064]: [bangalore] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Dec 5 04:36:47 openvpn[77064]: Preserving previous TUN/TAP instance: ovpnc3
Dec 5 04:36:47 openvpn[77064]: Initialization Sequence CompletedSERVER: system log for openvpn
openvpn[35122]: x:59665 [cantonpfs.ctleng] Peer Connection Initiated with [AF_INET]x:59665
Dec 5 13:33:29 openvpn[35122]: canton/x:59665 send_push_reply(): safe_cap=940
Dec 5 13:33:39 openvpn[35122]: cantonp/xxx.xxxx.xx.x. Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:49 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:33:59 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:09 openvpn[35122]: cantonp/x:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:20 openvpn[35122]: canton/xxx.xxx.xxx:59665 Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 5 13:34:35 openvpn[35122]: x:6799 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1553'anything do you need particularly let me know . I will send the details
-
Well those log files look like the client isn't connecting properly with the server.
I would suggest you simplify your setup down to one server and one client at first. If you've already setup a number of other clients trying to connect to your server it maybe worthwhile to change the port# that the server listens on and update only the one test client with that new port. That way the previous setups won't be doing conflicting connection attempts, but can be brought online fairly simply at a later date.
So for the first connection:
What's?:
Server LAN address
Client LAN Address
OpenVPN Tunnel addressCan you post the Server config screen?
Can you post the Client config screen? -
this is going to cause it to fail every time
local='auth SHA256', remote='auth SHA1'
You have to be using the same.. I would post up your server and client configs..
-
my server conf
dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
push "route 192.168.116.0 255.255.255.0"
route 192.168.114.0 255.255.255.0one doubt –---------------> in the 3rd line why its showing "tun-ipv6" im using ip4 only .
client config
dev ovpnc3
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxxx
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
remote xxx.xxxx.xxx.xxxx 1194
ifconfig 10.0.8.2 10.0.8.1
ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key
tls-auth /var/etc/openvpn/client3.tls-auth 1
resolv-retry infiniteserver LAN address 192.168.116.254/24
client lan address 192.168.114.254/24
tunnel 10.0.8.0/24anything else????
-
So in your client you have
auth SHA256
Where is auth statement in your server config??
At a loss to how that could go missing??? Unless your manually messing with the .conf file?
-
See in my server GUI
there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4
-
there is no option ,so do i want to manually add in server.conf file?
im using version 2.1.4No. You want to upgrade your pfSense.
-
ok i try in other network were pfsense is updated. and let you know.
-
While trying from another two network its working fine , in vpn status i got status " up and bytes sent and received are changing only in bytes:
but while trying to ping from one network to other it fails. -
sorry for the wrong update , client can access the server but server is not responding to client .
what might be the issue .
while trying ping from client its success ,
while trying ping from server to client it fails -
firewall on client is quite often blocking…
-
Still same problem , server cant able to access client
checked firewall i have made rules same as server on client.
any configuration for firewall rules do you have -
Firewall/Rules
Tab OpenVPN
Create rule: pass, any, any, anyi gave all but still now no luck
-
Which part of "firewall on client" was confusing? Most importantly - there are firewall logs, use them!!!
-
how to check firewall log?
status–>systemlogs-->firewall tab. is it so : i have found oly tcp are blocked in my client Ip varies not the server IP is blocked in there.in server config
what to mention in advanced option
push "route server.o subnet" ; route client.o subnet;
is this the correct way ? why we are doing this?
in my case
eg. push "route"192.168.114.0 255.255.255.0";route 192.168.140.0 255.255.255.0 -
Dude.. The CLIENT firewall… Why would that be in logs on pfsense?
What OS is your client?
-
the client firewall is also pfsense . i am trying to communicate b/w two pfsense.
or i mistook your question -
So where did you state that? What IP are you trying to ping? An IP on the network in your site to site connection? Or the pfsense client vpn IP, or its lan or its wan?? What?
Did you create a peer to peer or a remote access on the server pfsense? What networks do you have at each site??
edit: Dude while I don't normally mind PMs with questions, etc.. Post your stuff in this thread… And what networks are on each side and what is the tunnel network.. Who exactly are you trying to ping.. These are basic questions that we need to know if you want any sort of help..
-
peer to peer ssl/tls
my server.confdev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxxx.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'cantonpfs' 1 "
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.114.0 255.255.255.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
push "route 192.168.114.0 255.255.255.0"
route 192.168.140.0 255.255.255.0client.conf
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.10.11
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote xxx.xxxx.xxxx.xxxx 1194
ifconfig 10.0.8.2 10.0.8.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infiniteso my server ip is : 192.168.114.254
my client ip is : 192.168.140.254i can ping from client(140.254) to server(114.254) , but not from server(114.254) to client(140.254)
any other info needed , sorry for giving less details
-
please just post up a gui shot of your client config and server config.. Your not editing the .conf manually are you?
What do you have in your outbound nat on the client? On the server? What is the routing table on pfsense of the client look like and on the server side.. On the client you should be putting in what networks are remote..
-
herewith i have attached all the config screenshots
![clentspecific overrides.jpg](/public/imported_attachments/1/clentspecific overrides.jpg)
![clentspecific overrides.jpg_thumb](/public/imported_attachments/1/clentspecific overrides.jpg_thumb)
-
so your not natting anything through your vpn interfaces.. Fine since your just all local networks.. But you don't have anything in your remote or local networks You don't normally have to push routes.. Unless your doing something specific odd..
Where are you routing tables from pfsense?
-
Routing table means? how to get that?
-
I think you are asking about this
-
hey success man , i just made an entry in client specific overrides as " iroute 192.168.140.0 255.255.255.0" my client ip . it was success.
Thanks dude.
i have another question how to add multiple client in the server , do i want to continue my post in same thread or want to raise a new thread -
no that is not your routing table… under diagnostics routes, it will list out your routing table.
Why should you have to put it in overrides if you would just setup the server and client correctly in the first place? With the local and remote network fields.
-
SSL/TLS still needs an iroute via the CSC section for each client.
Much easier in 2.2.5 than it used to be, but that iroute is often a last Gotcha in S2S links.
-
ok then its necessary right.
-
Definitely necessary, in the current pfSense versions, you simply enter into the server screen a comma delimited list of all the subnet "LANs" on all the client OpenVPN's you want to reach.
Then in the Client Specific Overrides section you make an entry for each client and list the LAN subnets that client will use.
It seems a little convoluted for a single S2S connection, but it lets you setup a single server and easily connect many (I have a link that uses 20+) clients each with more than one subnet.
The only hitch is that the client subnets can't overlap - takes a little planning, but welcome to networking ;)
-
Thank you all for helping me out . see you in next thread soon. going to configure multiple client ,if any error occurs reach you guys , please provide support…. ;D ;D 8) 8) ??? ??? ??? :P :P :P :P
-
Dude another issue .
I cant export client .
there is no option in remote server what to do?
-
Client export is only for Remote access type OpenVPN servers ("Roadwarriors").
If you need both S2S and Remote access on the same pfSense box, I normally just create a second server instance listening on a different port and using different CA's and Server Certs.
Personally I prefer to keep them separate anyway, easier to track who's logging in remotely.
-
my requirement is
one vpn server have multiple clients ==> so that users can have access all regions
if i want to work from home i need vpn key
so users from other network should connect this server using openvpn. so client export is necessary.so what type of vpn server i have to use S2S or remote access open vpn server .
-
When you create an OpenVPN server you have to specify the "Server Mode":
Peer to Peer (SSL/TLS) - Used for pfSense to pfSense connections, two routers that are connected 24/7
or
Remote Access (SSL/TLS) - Used for mobile or sporadic devices, laptops, cell phones, users at home computers. They connect when needed.As I said before, you create the type (or both) that you need for your situation.
Perhaps it would be worthwhile to draw a simple diagram of your envisioned setup so we can all be clear as to what you're trying to accomplish.
-
I am not good at networking , but i tried my level best . Please acknowledge
-
OK, that's a good start.
If we label these starting with your OpenVPN server and going clockwise:
Site1 LAN:192.168.114.0/24 OpenVPN tunnel:10.0.8.0/24
Site2 LAN:192.168.140.0/24
Site3 LAN:192.168.141.0/24 (just my guess I didn't see it posted)
Site4 LAN:192.168.142.0/24 (just my guess I didn't see it posted)
(You could add the labels and LAN subnets to your diagram to further improve the picture)
You have two different types of client connecting to your OpenVPN Server, the 3 Peer-Peer connections (Site2,Site3,Site4) and the Remote access connections (RoadWarriors -laptops, cell phones, etc.)
The easiest way to handle these IMHO is with two different OpenVPN instances on Site1.
The first you've mostly setup already with the main Peer-Peer instance.
You just need to make sure that instance has two lists entered properly:
1) "IPv4 Local Network/s" listed as: "192.168.114.0/24"
2) "IPv4 Remote Network/s" listed as: "192.168.140.0/24,192.168.141.0/24,192.168.142.0/24"You then make individual "Client Specific Overrides" for each of Site2, Site3, and Site4 and specify in the "IPv4 Remote Network/s" which of the subnets applies to that Site.
If you've set things up properly you should have all 4 sites communicating.
For the Remote access connections (RoadWarriors) you create a second OpenVPN server on Site1.
First create a new Certificate of Authority and a new Server Certificate using that CA.
Then make a new OpenVPN server and choose "Remote Access (SSL/TLS)" for the "Server Mode"
Choose a different "Port" than you used for the Peer-Peer server (1195 will work)
Use the new Peer CA and Server certificate you just created.
Pick a different "IPv4 Tunnel Network" eg:10.0.9.0/24
List ALL the connected subnets in "IPv4 Local Network/s" : "192.168.114.0/24,192.168.140.0/24,192.168.141.0/24,192.168.142.0/24"
Save your new server and make sure you add a rule allow UDP on WAN at the port you chose.Make certificates for your clients using the new CA and then export the packages you need for the clients.
Install the clients on your devices, connect and test.