Problem with VPN configuration, please help
-
Now because you know PPTP ist nasty unsecure and completely broken since like 2012 I can tell you that you need two NAT/Portforwarding and associated Firewall Rules:
1:
TCP
WAN ADDRESS
DEST PORT RANGE=PPTP 1723
REDIRECT TARGET IP=IP of your Windows VPN server.
REDIRECT TARGET PORT=1723
ADD ASSOCIATED FILTER RULE2:
Exact same Forwarding again, but change TCP to GRE.-Rico
-
Good luck dude.. Please do not use PPTP... Use SSTP.. It's 1 port and secure..
Maybe take a look at https://www.softether.org/
It will allow you to run sstp or openvpn, etc. L2TP/IPsec, etc.. pretty robust vpn solution... Which you can do with just pfsense - but something like this would allow you to run the ms-sstp clone so they can connect with windows client native, and then maybe transition them to openvpn, etc. Which you could then move to your firewall, the edge device.
Just a reminder windows 7 supports ends jan 2020.. This is really just around the corner.. Its not to early to start the migration plan to OS that gets you past 2020 ;)
-
@rico Thank you very much Rico. That was the key to the stupid PPTP.
You are great guys.
Now I will have time to convinse "wooden heads" to switch to the most secure solution.Thanks again.
-
You're welcome. But you need to get rid of PPTP asap seriously.
And make sure the 'wooden heads' don't blame on you if PPTP really fuck things up.-Rico
-
If you want just post up your public IP and maybe someone would be nice enough to print out some goatse images on any printers you have with the caption - PPTP is NOT SECURE ;) Should get the point across quick enough heheheh ROFL..
More fuel to catch those wooden heads on fire with
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2743314
This is from 2012 and even then MS recommended moving away from PPTP
"Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication." -
Hello guys,
Just to show off and to ask again for a help.
But first things first:
Today I successfuly convinsed the bosses that the PPTP is old facion, not secure etc. etc. etc.
We got to the agreement that Open VPN should be used.
So I successfuly started the OpenVPN on the pfsense. I tried two ways - only with SSL/TLS and with SSL/TLS + user authentication. Both methods work just perfect.
My problem now is that we have two ISP (two Internet lines). Now they are configured as main and backup (with automatic switching between them) and as a loadbalanser.
The OpenVPN works on the main (fiber-optic) line. The second one is via ADSL (which is not so important ... the starnge thing is that some time packet have less latenci on this line than on the fiber-optic ... but this is other topic).
How to make Open VPN to work on both lines, because you never know when you will have potential problem with one of the ISP's?
Any advises?
Thanks in advance.BTW your comments on this treat was my main weapon in today discussion and it was the weapon of the winner ;)
-
You can run openvpn on your public IPs all of them, You can then setup the ovpn file for the clients to try 1st and if that fails drop to 2nd one. That would be one way.
2nd way you could have fqdn that points to primary IP, and if that fails to answer ping then it resolves to 2nd IP. There are multiple dnsservices that provide this failover method..
You could do it old school and just have 2 configs for the users - and they can pick which one they want. If one doesn't work have them use the other one, etc.
To be honest if your running on connections that go down so often that your worried about failover for your road warriors maybe you need to find better isp...
-
@johnpoz What you mean John? In the VPN - OpenVPN - Servers to start one server on WAN1 and another one (identical) on the WAN2?
And second question - which openVPN client can I use in order to use option one (you proposed)? So far I use the VPN client dounloaded from here https://openvpn.net/index.php/open-source/downloads.html -
Yes the openvpn can do that, you just put them in the ovpn file..
And yes just run another instance on your other 2nd wan. You can run as many instances of openvpn you need. I run 3.. 1 on tcp 443, one on 1194 udp and another as client too my vps, etc.
-
@johnpoz Sorry to ask "stupid " questions, but teacher teached me that "it is better to ask how to do things right than to do stupid things and after that to fееl sorry".
So speaking about the config file - do you mean to have something like:dev tap
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infiniteremote xxx.xxx.xxx.xxx 1194 udp
remote yyy.yyy.yyy.yyy 1195 udp
verify-x509-name "myserver" name
pkcs12 whatevername1-UDP4-1194-myclient.p12
tls-auth whatevername1-UDP4-1194-myclient-tls.key 1pkcs12 whatevername2-UDP4-1195-myclient.p12
tls-auth whatevername2-UDP4-1195-myclient-tls.key 1remote-cert-tls server
Will this make the client if xxx.xxx.xxx.xxx (WAN1 public address) is not reachible to try to connect to the yyy.yyy.yyy.yyy (WAN2 public address)?
Or I have to add something else in the configuration file?I red the documentation, but the description of this is vague and almost not clear.
So again sorry to ask, but it is better to ask experience people than to conduct series of experiments with not clear exit :). -
And one more question.
When I added the second instance (server) for the WAN2 and try to export the configuration for the OpenVPN client, in the configuration file there is no lines for the second WAN.
I mean there is :
pkcs12 whatevername1-UDP4-1194-myclient.p12
tls-auth whatevername1-UDP4-1194-myclient-tls.key 1
But there are missing:
pkcs12 whatevername2-UDP4-1195-myclient.p12
tls-auth whatevername2-UDP4-1195-myclient-tls.key 1
Is this normal? -
Or may be I missed to issue manually certificates for the second server instance?
-
No, I just took a look at the server certificate options - there is no place where you to point to which server you issue the certificate. May be all instances using one server certificate?
-
Hi,
@jimp did some VERY great pfSense Videos on OpenVPN RAS combined with MultiWAN.
I recommend you check them out to get some things clear.
https://www.youtube.com/embed/qscIIZ10WTQ
https://www.youtube.com/embed/iJ5GACqfIGs
https://www.youtube.com/embed/ku-fNfJJV7w
https://www.youtube.com/embed/svZ6PKqGdtg-Rico
-
@rico Thanks Rico. I will take a look right now.
-
This post is deleted! -
@icomaznev just to add two cent to your problem: you have to upstream connections and want the OVPN instance to be available via both, right? Then you don't need to setup two servers or need other things in your clients configuration rather than the second "remote" statement as fallback. All you have to do (now with 2.4.4 there are other possibilities but this still works very nice for MultiWAN):
- configure your OVPN server instance running as localhost on udp/1194 (not WAN or WAN2)
- add a port forward on WAN and WAN2 (your ADSL line) for incoming traffic on WAN(2) address and port 1194 and forward that to localhost/1194
- check both forwards are active
- (optional) create DNS entries (if the IPs on WAN/WAN2 are static ones) for vpn1/vpn2.domain.example
- in OpenVPN client export choose "host name resolution" as "other" and enter IP or DNS for the WAN IP below
- in the "additional configuration options" box below enter the second "remote" statement needed für dns2/IP on WAN2
- export some client config and check both remote settings are in there
Now test that (connection to WAN1) and to test WAN2 simply edit the config and switch the remote lines to connect directly to WAN2. If both work, you're done and can rollout that configuration to your clients :)
Greets
Jens -
@Rico that was a spammer - their post has been removed and account banned (should be deleted but I don't have ability as only mod)... They had a link hidden in their post to nonsense.
-
@johnpoz Who is the spammer?
-
@jegr Thank you I will try this solution too
