Connecting pfSense as an OpenVPN client to another server



  • Hello! The task is to connect pfSense (2.3.2-RELEASE) to a remote OpenVPN server (an IHC server; its description and setup are here: https://support.ihc.ru/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=17 , in case there is useful information there).

    Please help; I could not find an understandable guide in Russian on this question. I tried following the English one ( https://forum.pfsense.org/index.php?topic=76015.0 ), but nothing came of it.
    If it is not too much trouble, explain step by step where to click :-[
    I already have generated certificates and other files with which the Windows application connects without problems (ca.crt, oper1.crt, oper1.key, oper1.ovpn, ta.key).
    Thank you for your time and attention.



  • I tried following this guide: http://russianproxy.ru/OpenVPN-pfSense
    But the logs show these entries:

    Aug 1 05:00:44 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:00:44 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:01:44 openvpn 73048 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Aug 1 05:01:44 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
    Aug 1 05:01:46 openvpn 73048 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:01:46 openvpn 73048 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:01:46 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:01:46 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:02:46 openvpn 73048 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Aug 1 05:02:46 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
    Aug 1 05:02:48 openvpn 73048 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:02:48 openvpn 73048 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:02:48 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:02:48 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:03:48 openvpn 73048 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Aug 1 05:03:48 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
    Aug 1 05:03:49 openvpn 73048 SIGTERM[hard,init_instance] received, process exiting
    Aug 1 05:03:50 openvpn 59903 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:03:50 openvpn 59903 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:03:50 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:03:50 openvpn 59960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:03:50 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:03:50 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194

    It does not connect :(



  • I tried this guide: http://chubbable.com/setup-pfsense-as-openvpn-client

    It does not connect; here are the logs it produces:
    Aug 1 05:23:30 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:23:30 openvpn 59960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:23:30 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:23:30 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:23:44 openvpn 31112 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:23:44 openvpn 31112 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:23:44 openvpn 31272 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:23:44 openvpn 31272 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:23:44 openvpn 31272 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:23:44 openvpn 31272 Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
    Aug 1 05:23:44 openvpn 31272 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:23:44 openvpn 31272 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:24:06 openvpn 31272 event_wait : Interrupted system call (code=4)
    Aug 1 05:24:06 openvpn 31272 SIGTERM[hard,] received, process exiting
    Aug 1 05:24:06 openvpn 34396 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:24:06 openvpn 34396 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:24:06 openvpn 34443 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:24:06 openvpn 34443 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:24:06 openvpn 34443 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:24:06 openvpn 34443 Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
    Aug 1 05:24:06 openvpn 34443 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:24:06 openvpn 34443 UDPv4 link remote: [AF_INET]37.143.14.62:1194



  • I tried following the video guide: https://www.youtube.com/watch?v=o9-J7amTBbo

    But again no successful connection :-[
    Aug 1 05:40:27 check_reload_status Reloading filter
    Aug 1 10:40:28 xinetd 18567 Starting reconfiguration
    Aug 1 10:40:28 xinetd 18567 Swapping defaults
    Aug 1 10:40:28 xinetd 18567 readjusting service 6969-udp
    Aug 1 10:40:28 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)
    Aug 1 05:40:36 check_reload_status Reloading filter
    Aug 1 10:40:37 xinetd 18567 Starting reconfiguration
    Aug 1 10:40:37 xinetd 18567 Swapping defaults
    Aug 1 10:40:37 xinetd 18567 readjusting service 6969-udp
    Aug 1 10:40:37 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)
    Aug 1 05:41:41 check_reload_status Syncing firewall
    Aug 1 10:41:41 kernel ovpnc1: changing name to 'tun1'
    Aug 1 05:41:50 check_reload_status Reloading filter
    Aug 1 10:41:51 xinetd 18567 Starting reconfiguration
    Aug 1 10:41:51 xinetd 18567 Swapping defaults
    Aug 1 10:41:51 xinetd 18567 readjusting service 6969-udp
    Aug 1 10:41:51 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)



  • :-[ I tried this one as well, also without success(
    https://support.hidemyass.com/hc/en-us/articles/202720876-pfSense-configuration-for-routing-all-traffic-via-VPN

    Logs:

    Aug 1 05:40:27 openvpn 46653 Exiting due to fatal error
    Aug 1 05:40:36 openvpn 49440 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:40:36 openvpn 49440 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:40:36 openvpn 49736 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:40:36 openvpn 49736 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:40:36 openvpn 49736 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:40:36 openvpn 49736 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    Aug 1 05:40:36 openvpn 49736 Cannot load private key file /var/etc/openvpn/client2.key
    Aug 1 05:40:36 openvpn 49736 Error: private key password verification failed
    Aug 1 05:40:36 openvpn 49736 Exiting due to fatal error
    Aug 1 05:41:05 openvpn 59960 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Aug 1 05:41:05 openvpn 59960 SIGUSR1[soft,ping-restart] received, process restarting
    Aug 1 05:41:07 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:41:07 openvpn 59960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:41:07 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
    Aug 1 05:41:07 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194
    Aug 1 05:41:41 openvpn 59960 event_wait : Interrupted system call (code=4)
    Aug 1 05:41:41 openvpn 59960 SIGTERM[hard,] received, process exiting
    Aug 1 05:41:50 openvpn 74724 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:41:50 openvpn 74724 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:41:50 openvpn 74771 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:41:50 openvpn 74771 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:41:50 openvpn 74771 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:41:50 openvpn 74771 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    Aug 1 05:41:50 openvpn 74771 Cannot load private key file /var/etc/openvpn/client2.key
    Aug 1 05:41:50 openvpn 74771 Error: private key password verification failed
    Aug 1 05:41:50 openvpn 74771 Exiting due to fatal error
    Aug 1 05:46:09 openvpn 86768 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:46:09 openvpn 86768 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:46:09 openvpn 86789 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:46:09 openvpn 86789 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:46:09 openvpn 86789 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:46:09 openvpn 86789 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    Aug 1 05:46:09 openvpn 86789 Cannot load private key file /var/etc/openvpn/client2.key
    Aug 1 05:46:09 openvpn 86789 Error: private key password verification failed
    Aug 1 05:46:09 openvpn 86789 Exiting due to fatal error
    Aug 1 05:58:16 openvpn 59695 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:58:16 openvpn 59695 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:58:16 openvpn 59968 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:58:16 openvpn 59968 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:58:16 openvpn 59968 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:58:16 openvpn 59968 Error: private key password verification failed
    Aug 1 05:58:16 openvpn 59968 Exiting due to fatal error
    Aug 1 05:58:23 openvpn 69184 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Aug 1 05:58:23 openvpn 69184 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Aug 1 05:58:23 openvpn 69261 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Aug 1 05:58:23 openvpn 69261 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 1 05:58:23 openvpn 69261 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 1 05:58:23 openvpn 69261 Error: private key password verification failed
    Aug 1 05:58:23 openvpn 69261 Exiting due to fatal error



  • OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    The private key is set incorrectly.



  • @pigbrother:

    OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    The private key is set incorrectly.

    Tell me, which guide is best to follow?



  • To xpaco

    Good day.
    Read your private messages.



  • Hello.
    I have a similar problem, except I don't really know what kind of OpenVPN is acting as the server on the other side (apparently from the Ubuntu package set).
    There is a set of certificates and keys, and an ovpn file.
    The Windows client connects.
    On pfsense 2.3.2:
    --
    Aug 4 09:10:51 openvpn 37648 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 4 09:10:51 openvpn 37648 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 4 09:10:51 openvpn 37648 Re-using SSL/TLS context
    Aug 4 09:10:51 openvpn 37648 Control Channel MTU parms [ L:1541 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    Aug 4 09:10:51 openvpn 37648 Socket Buffers: R=[42080->42080] S=[57344->57344]
    Aug 4 09:10:51 openvpn 37648 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:12 ET:0 EL:3 ]
    Aug 4 09:10:51 openvpn 37648 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Aug 4 09:10:51 openvpn 37648 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Aug 4 09:10:51 openvpn 37648 Local Options hash (VER=V4): '70f5b3af'
    Aug 4 09:10:51 openvpn 37648 Expected Remote Options hash (VER=V4): 'a2e2498c'
    Aug 4 09:10:51 openvpn 37648 UDPv4 link local (bound): [AF_INET]Z.Z.Z.Z
    Aug 4 09:10:51 openvpn 37648 UDPv4 link remote: [AF_INET]X.X.X.X:1194
    Aug 4 09:10:51 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
    Aug 4 09:10:51 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
    Aug 4 09:10:53 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
    Aug 4 09:10:53 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
    Aug 4 09:10:56 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
    Aug 4 09:10:56 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
    Aug 4 09:11:04 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
    Aug 4 09:11:04 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
    Aug 4 09:11:21 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
    Aug 4 09:11:21 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
    Aug 4 09:11:51 openvpn 37648 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Aug 4 09:11:51 openvpn 37648 TCP/UDP: Closing socket
    Aug 4 09:11:51 openvpn 37648 SIGUSR1[soft,ping-restart] received, process restarting
    Aug 4 09:11:51 openvpn 37648 Restart pause, 2 second(s)
    --

    The ovpn file:

    dev tun
    proto udp
    port 1194
    remote X.X.X.X
    tls-client
    remote-cert-tls server
    route-method exe
    route-delay 10
    route Y.Y.Y.Y 255.255.255.0
    pull
    ca "ca.crt"
    cert "vpn233.crt"
    key "vpn233.key"
    dh "dh1024.pem"
    cipher BF-CBC
    comp-lzo
    verb 1
    keepalive 5 60

    Any hints where to dig?
    Thanks.



  • dev tun
    persist-tun
    persist-key
    dev tun
    persist-tun
    persist-key

    cipher AES-128-CBC
    auth SHA1 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194

    The key for TLS Authentication is misconfigured or missing.
    In the client settings:

    Enable authentication of TLS packets
    and paste the key there, which it seems you don't have.

    In the client config this directive looks like this:

    tls-auth tls.key 1

    And on the server like this:
    tls-auth /../.tls-key 0



  • The forum again won't let me edit the message; ignore the previous post.

    TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194

    The key for TLS Authentication is misconfigured or missing.
    In the pfSense client settings you need to enable

    Enable authentication of TLS packets
    and paste the key there as text, which it seems you don't have.

    In the client config this directive looks like this:

    tls-auth tls.key 1

    And on the server like this:
    tls-auth /path/tls.key 0

    Ask the server owner for tls.key; making them disable tls-auth on their side is unlikely to work.
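The three failures in this thread (the "No server certificate verification method" warning, "key values mismatch", and "cannot locate HMAC in incoming packet") all surface as specific OpenVPN log lines, and the right fix for each depends on what the working .ovpn file says. Below is an added diagnostic example, written for this page and not code from the thread, pfSense or OpenVPN: it parses a client .ovpn, scans the pfSense OpenVPN log for those messages, and reports advice for each one. The sample .ovpn and log excerpt are constructed (modelled on what was posted above, with the X.X.X.X placeholders kept); the finding codes and advice strings are this example's own naming, not OpenVPN's.

```python
"""Map pfSense OpenVPN client log lines to config advice, cross-checked
against the .ovpn that the working Windows client uses (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample .ovpn, modelled on the one posted in the thread (no tls-auth).
SAMPLE_OVPN = """\
dev tun
proto udp
port 1194
remote X.X.X.X
tls-client
remote-cert-tls server
pull
ca "ca.crt"
cert "vpn233.crt"
key "vpn233.key"
"""

# Constructed log excerpt; message texts are the ones OpenVPN 2.3 prints.
SAMPLE_LOG = """\
Aug 4 09:10:51 openvpn 37648 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 4 09:10:51 openvpn 37648 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Aug 4 09:10:51 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:10:51 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:11:51 openvpn 37648 [UNDEF] Inactivity timeout (--ping-restart), restarting
"""


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Directive -> list of argument lists. Skips comments and the bodies of
    inline <ca>...</ca>-style blocks; strips surrounding quotes from arguments."""
    cfg: Dict[str, List[List[str]]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                 # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        cfg.setdefault(parts[0], []).append([p.strip('"') for p in parts[1:]])
    return cfg


# Log message fragments -> finding codes (the codes are this example's own names).
LOG_PATTERNS = [
    (r"No server certificate verification method", "NO_SERVER_CERT_CHECK"),
    (r"key values mismatch|Cannot load private key file", "CERT_KEY_MISMATCH"),
    (r"cannot locate HMAC in incoming packet", "TLS_AUTH_MISMATCH"),
    (r"using --pull/--client and --ifconfig together", "STATIC_IFCONFIG_WITH_PULL"),
    (r"Inactivity timeout \(--ping-restart\)", "NO_REPLY_FROM_SERVER"),
    (r"TLS: Initial packet from", "SERVER_REPLIED"),
]


def scan_log(log_text: str) -> Set[str]:
    """Set of finding codes whose pattern occurs on any log line."""
    return {code for line in log_text.splitlines()
            for pattern, code in LOG_PATTERNS if re.search(pattern, line)}


def diagnose(ovpn_text: str, log_text: str) -> List[Tuple[str, str]]:
    """Ordered (code, advice) findings; the .ovpn decides which advice applies."""
    cfg = parse_ovpn(ovpn_text)
    codes = scan_log(log_text)
    out: List[Tuple[str, str]] = []
    if "NO_SERVER_CERT_CHECK" in codes:
        has_check = "remote-cert-tls" in cfg or "verify-x509-name" in cfg
        out.append(("NO_SERVER_CERT_CHECK",
                    "carry the .ovpn's remote-cert-tls/verify-x509-name over to the pfSense client"
                    if has_check else "add 'remote-cert-tls server' so the server certificate is checked"))
    if "CERT_KEY_MISMATCH" in codes:
        out.append(("CERT_KEY_MISMATCH",
                    "the pasted certificate and private key are not a pair; re-import the client .crt and .key from the same bundle"))
    if "TLS_AUTH_MISMATCH" in codes:
        if "tls-auth" not in cfg:
            advice = ("the working .ovpn has no tls-auth, so the server's packets carry no HMAC; "
                      "untick 'Enable authentication of TLS packets' on the pfSense client")
        else:
            args = cfg["tls-auth"][0]
            direction = args[1] if len(args) > 1 else None
            advice = (f"client tls-auth direction must be 1 (found {direction!r}); the server uses 0"
                      if direction != "1" else "paste the exact ta.key text from the bundle into the pfSense TLS key field")
        out.append(("TLS_AUTH_MISMATCH", advice))
    if "STATIC_IFCONFIG_WITH_PULL" in codes:
        out.append(("STATIC_IFCONFIG_WITH_PULL",
                    "leave the client's IPv4 Tunnel Network empty; the server pushes the address"))
    if "NO_REPLY_FROM_SERVER" in codes and "SERVER_REPLIED" not in codes:
        remote = cfg.get("remote", [["?"]])[0][0]
        port = cfg.get("port", [["1194"]])[0][0]
        proto = cfg.get("proto", [["udp"]])[0][0]
        out.append(("NO_REPLY_FROM_SERVER",
                    f"no packet from the server at all: check the client targets {remote}:{port}/{proto} as in the .ovpn and that the port is reachable"))
    return out


if __name__ == "__main__":
    for code, advice in diagnose(SAMPLE_OVPN, SAMPLE_LOG):
        print(f"{code}: {advice}")
```

Run against the constructed sample it reports two findings: the missing server-certificate check (the .ovpn has `remote-cert-tls server`, which is exactly the directive the MITM warning asks for) and the HMAC mismatch, for which the advice follows the working .ovpn rather than the log alone: when the file that connects from Windows has no `tls-auth` line, the server is not sending HMAC-wrapped packets, and a pfSense-side TLS key can only produce "cannot locate HMAC". The `--ping-restart` timeout is reported as a reachability problem only when no "TLS: Initial packet" ever arrived, as in the first poster's logs.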



  • Sorry, but there is something I don't understand. If the source data is insufficient to connect, then how does the Windows client connect and work???



  • Hm... I'm completely confused now.
    I unticked
    Enable authentication of TLS packets

    and the connection was established; an address in the tunnel was obtained.
    But something still doesn't work; probably a problem with the pfSense firewall rules.



  • @lamerrrr:

    Hm... I'm completely confused now.
    I unticked
    Enable authentication of TLS packets

    and the connection was established; an address in the tunnel was obtained.
    But something still doesn't work; probably a problem with the pfSense firewall rules.

    Now you need to set up the Routes (Gateways) and the Firewall rules:
    · In the interfaces, add the vpn (Interfaces -> Assign, the green "add" button, and the rest is clear);
    · Go to "System -> Routing"; two VPN Gateways should appear (ipv4 and ipv6 [for some reason I disable ipv6, do as you like]; don't forget to set a "Monitor IP" for them). Go to the "Gateway Groups" tab and create a FailOver group, where you set the vpn gateway to 'Tier 1' and the regular one to 'Tier 2';
    · Go to "Firewall" -> "Rules" and create a rule that sends all traffic via the created "Gateway group" (if you have difficulties creating the rule, write and we will help).

