Подключение pfSense как OpenVPN клиента к другому серв

xpaco

Здравствуйте! Стоит задача подключить pfSense (2.3.2-RELEASE) к удаленному Open VPN серверу (сервер IHC, его описание и настройка есть тут https://support.ihc.ru/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=17 , если там есть нужная информация)

Помогите пожалуйста, не смог найти понятной инструкции на рус.яз. по данному вопросу; Пробовал сделать по англ. ( https://forum.pfsense.org/index.php?topic=76015.0 ), но ничего не вышло..
Если не трудно, пошагово объясните куда что тыкать :-[
Есть уже сгенерированные сертификаты и другие файлы, по которым windows приложение свободно подключается (ca.crt, oper1.crt, oper1.key, oper1.ovpn, ta.key)
Спасибо за ваше уделенное время и внимание.

xpaco

Попробовал сделать по этой инструкции: http://russianproxy.ru/OpenVPN-pfSense
Но, в логах вот такие записи

Aug 1 05:00:44 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:00:44 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:01:44 openvpn 73048 [UNDEF] Inactivity timeout (–ping-restart), restarting
Aug 1 05:01:44 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
Aug 1 05:01:46 openvpn 73048 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:01:46 openvpn 73048 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:01:46 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:01:46 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:02:46 openvpn 73048 [UNDEF] Inactivity timeout (–ping-restart), restarting
Aug 1 05:02:46 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
Aug 1 05:02:48 openvpn 73048 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:02:48 openvpn 73048 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:02:48 openvpn 73048 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:02:48 openvpn 73048 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:03:48 openvpn 73048 [UNDEF] Inactivity timeout (–ping-restart), restarting
Aug 1 05:03:48 openvpn 73048 SIGUSR1[soft,ping-restart] received, process restarting
Aug 1 05:03:49 openvpn 73048 SIGTERM[hard,init_instance] received, process exiting
Aug 1 05:03:50 openvpn 59903 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:03:50 openvpn 59903 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:03:50 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:03:50 openvpn 59960 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:03:50 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:03:50 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194

Не подключается  :(

xpaco

Пробовал по этой инструкции: http://chubbable.com/setup-pfsense-as-openvpn-client

Не подключается, вот какие логи выдает:
Aug 1 05:23:30 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:23:30 openvpn 59960 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:23:30 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:23:30 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:23:44 openvpn 31112 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:23:44 openvpn 31112 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:23:44 openvpn 31272 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:23:44 openvpn 31272 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:23:44 openvpn 31272 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:23:44 openvpn 31272 Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
Aug 1 05:23:44 openvpn 31272 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:23:44 openvpn 31272 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:24:06 openvpn 31272 event_wait : Interrupted system call (code=4)
Aug 1 05:24:06 openvpn 31272 SIGTERM[hard,] received, process exiting
Aug 1 05:24:06 openvpn 34396 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:24:06 openvpn 34396 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:24:06 openvpn 34443 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:24:06 openvpn 34443 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:24:06 openvpn 34443 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:24:06 openvpn 34443 Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
Aug 1 05:24:06 openvpn 34443 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:24:06 openvpn 34443 UDPv4 link remote: [AF_INET]37.143.14.62:1194

xpaco

Попробовал сделать по видео-инструкции: https://www.youtube.com/watch?v=o9-J7amTBbo

Но тоже нет успешного подключения :-[
[/b]
Aug 1 05:40:27 check_reload_status Reloading filter
Aug 1 10:40:28 xinetd 18567 Starting reconfiguration
Aug 1 10:40:28 xinetd 18567 Swapping defaults
Aug 1 10:40:28 xinetd 18567 readjusting service 6969-udp
Aug 1 10:40:28 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)
Aug 1 05:40:36 check_reload_status Reloading filter
Aug 1 10:40:37 xinetd 18567 Starting reconfiguration
Aug 1 10:40:37 xinetd 18567 Swapping defaults
Aug 1 10:40:37 xinetd 18567 readjusting service 6969-udp
Aug 1 10:40:37 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)
Aug 1 05:41:41 check_reload_status Syncing firewall
Aug 1 10:41:41 kernel ovpnc1: changing name to 'tun1'
Aug 1 05:41:50 check_reload_status Reloading filter
Aug 1 10:41:51 xinetd 18567 Starting reconfiguration
Aug 1 10:41:51 xinetd 18567 Swapping defaults
Aug 1 10:41:51 xinetd 18567 readjusting service 6969-udp
Aug 1 10:41:51 xinetd 18567 Reconfigured: new=0 old=1 dropped=0 (services)

xpaco

:-[ По этой пытался сделать, тоже безуспешно(
https://support.hidemyass.com/hc/en-us/articles/202720876-pfSense-configuration-for-routing-all-traffic-via-VPN

[b]Логи:

Aug 1 05:40:27 openvpn 46653 Exiting due to fatal error
Aug 1 05:40:36 openvpn 49440 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:40:36 openvpn 49440 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:40:36 openvpn 49736 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:40:36 openvpn 49736 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:40:36 openvpn 49736 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:40:36 openvpn 49736 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Aug 1 05:40:36 openvpn 49736 Cannot load private key file /var/etc/openvpn/client2.key
Aug 1 05:40:36 openvpn 49736 Error: private key password verification failed
Aug 1 05:40:36 openvpn 49736 Exiting due to fatal error
Aug 1 05:41:05 openvpn 59960 [UNDEF] Inactivity timeout (–ping-restart), restarting
Aug 1 05:41:05 openvpn 59960 SIGUSR1[soft,ping-restart] received, process restarting
Aug 1 05:41:07 openvpn 59960 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:41:07 openvpn 59960 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:41:07 openvpn 59960 UDPv4 link local (bound): [AF_INET]192.168.4.108
Aug 1 05:41:07 openvpn 59960 UDPv4 link remote: [AF_INET]37.143.14.62:1194
Aug 1 05:41:41 openvpn 59960 event_wait : Interrupted system call (code=4)
Aug 1 05:41:41 openvpn 59960 SIGTERM[hard,] received, process exiting
Aug 1 05:41:50 openvpn 74724 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:41:50 openvpn 74724 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:41:50 openvpn 74771 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:41:50 openvpn 74771 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:41:50 openvpn 74771 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:41:50 openvpn 74771 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Aug 1 05:41:50 openvpn 74771 Cannot load private key file /var/etc/openvpn/client2.key
Aug 1 05:41:50 openvpn 74771 Error: private key password verification failed
Aug 1 05:41:50 openvpn 74771 Exiting due to fatal error
Aug 1 05:46:09 openvpn 86768 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:46:09 openvpn 86768 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:46:09 openvpn 86789 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:46:09 openvpn 86789 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:46:09 openvpn 86789 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:46:09 openvpn 86789 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Aug 1 05:46:09 openvpn 86789 Cannot load private key file /var/etc/openvpn/client2.key
Aug 1 05:46:09 openvpn 86789 Error: private key password verification failed
Aug 1 05:46:09 openvpn 86789 Exiting due to fatal error
Aug 1 05:58:16 openvpn 59695 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:58:16 openvpn 59695 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:58:16 openvpn 59968 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:58:16 openvpn 59968 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:58:16 openvpn 59968 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:58:16 openvpn 59968 Error: private key password verification failed
Aug 1 05:58:16 openvpn 59968 Exiting due to fatal error
Aug 1 05:58:23 openvpn 69184 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Aug 1 05:58:23 openvpn 69184 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Aug 1 05:58:23 openvpn 69261 WARNING: using –pull/--client and --ifconfig together is probably not what you want
Aug 1 05:58:23 openvpn 69261 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 1 05:58:23 openvpn 69261 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 1 05:58:23 openvpn 69261 Error: private key password verification failed
Aug 1 05:58:23 openvpn 69261 Exiting due to fatal error

pigbrother

OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Приватный ключ задан неверно.

xpaco

@pigbrother:

OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Приватный ключ задан неверно.

Скажите, по какой инструкции лучше сделать?

werter

2 xpaco

Доброе
Прочтите ЛС

lamerrrr

Здравствуйте.
Имею подобную проблему, только не особо знаю что за OpenVPN в качестве сервера c другой стороны (вроде как из комплекта UBUNTU)
есть набор сертификатов и ключей, и ovpn файл.
виндовый клиент подключается.
на pfsense 2.3.2
–-
Aug 4 09:10:51 openvpn 37648 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 4 09:10:51 openvpn 37648 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 4 09:10:51 openvpn 37648 Re-using SSL/TLS context
Aug 4 09:10:51 openvpn 37648 Control Channel MTU parms [ L:1541 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Aug 4 09:10:51 openvpn 37648 Socket Buffers: R=[42080->42080] S=[57344->57344]
Aug 4 09:10:51 openvpn 37648 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:12 ET:0 EL:3 ]
Aug 4 09:10:51 openvpn 37648 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Aug 4 09:10:51 openvpn 37648 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Aug 4 09:10:51 openvpn 37648 Local Options hash (VER=V4): '70f5b3af'
Aug 4 09:10:51 openvpn 37648 Expected Remote Options hash (VER=V4): 'a2e2498c'
Aug 4 09:10:51 openvpn 37648 UDPv4 link local (bound): [AF_INET]Z.Z.Z.Z
Aug 4 09:10:51 openvpn 37648 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Aug 4 09:10:51 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:10:51 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:10:53 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:10:53 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:10:56 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:10:56 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:11:04 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:11:04 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:11:21 openvpn 37648 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f36eb0c6 7c04e91c
Aug 4 09:11:21 openvpn 37648 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194
Aug 4 09:11:51 openvpn 37648 [UNDEF] Inactivity timeout (–ping-restart), restarting
Aug 4 09:11:51 openvpn 37648 TCP/UDP: Closing socket
Aug 4 09:11:51 openvpn 37648 SIGUSR1[soft,ping-restart] received, process restarting
Aug 4 09:11:51 openvpn 37648 Restart pause, 2 second(s)
–-

ovpn файл

dev tun
proto udp
port 1194
remote X.X.X.X
tls-client
remote-cert-tls server
route-method exe
route-delay 10
route Y.Y.Y.Y 255.255.255.0
pull
ca "ca.crt"
cert "vpn233.crt"
key "vpn233.key"
dh "dh1024.pem"
cipher BF-CBC
comp-lzo
verb 1
keepalive 5 60

подскажите куда копать?
спасибо.

pigbrother

dev tun
persist-tun
persist-key
dev tun
persist-tun
persist-key

cipher AES-128-CBC
auth SHA1 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194

Неправильно настроен\отсутствует ключ для  TLS Authentication
В настройках клиента

Enable authentication of TLS packets
и вставить туда ключ, которого у вас похоже нет

В настройках конфига клиента эта директива выглядит так:

tls-auth tls.key 1

А на сервере так:
tls-auth /../.tls-key 0

pigbrother

Форум опять не дает редактировать сообщение, игнорируйте предыдущий пост.

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]X.X.X.X:1194

Неправильно настроен\отсутствует ключ для  TLS Authentication
В настройках клиента pfSense нужно включить

Enable authentication of TLS packets
и вставить туда ключ как текст, которого у вас похоже нет

В настройках конфига клиента эта директива выглядит так:

tls-auth tls.key 1

А на сервере так:
tls-auth /путь/tls.key 0

Запросите у владельца сервера tls.key, заставить его отключить у себя tls-auth врядли выйдет.

lamerrrr

Простите, но чего то не понимаю? если недостаточно исходных данных для подключения, то как виндовый клиент подключается и работает???

lamerrrr

Гм… я чего то совсем запутался.
Убрал галку
Enable authentication of TLS packets

и соединение установилось. адрес в туннеле получен.
но все равно что-то не работает, наверное беда с правилами мсэ pfsense.

kainpain

@lamerrrr:

Гм… я чего то совсем запутался.
Убрал галку
Enable authentication of TLS packets

и соединение установилось. адрес в туннеле получен.
но все равно что-то не работает, наверное беда с правилами мсэ pfsense.

Теперь нужно настроить Routes (Gateways) и правила в FireWall;
· В интерфейсах добавляете vpn (Interfaces —› Assign, зелёную кнопочку "add" и далее понятно);
· Заходите в "System —› Routing", должно появится два VPN Gateways (ipv4 и ipv6[, почему-то я отключаю ipv6, вы как хотите], не забудьте установить им "Monitor IP"); Переходите во вкладку "Gateway Groups", создаете FailOver группу, где vpn gateway-ю устанавливаете 'Tier 1', а обычному 'Tier 2'
· Переходите в "Firewall" —› "Rules", создаете правило о том, что весь трафик отправлять по созданному "Gateway group" (если затруднения с созданием правила, напишите, поможем)