Multiple road warriors to one pfSense box



  • I've managed to establish an OpenVPN connection from one PC to pfSense.
    However, I'd like to add a few more road warrior clients. I have started a build-key.bat ovpn_client_1 …, and made a few clients. So I got a few ovpn_client_1.crt/key files.
    Everybody is saying I should put these certificates somewhere on pfSense, please tell me where. I have created a new Server in OpenVPN, put my certificates there,  section but I'm unable to connect from my "other" clients.

    pls. help me out.
    cheers,

    neno



  • What exactly do you mean by "put the certificates somewhere on the pfSense"?
    You mean the certificates for the clients?
    No, you don't store them on the pfSense.
    You store them on the computer where you created them.

    And what exactly do you mean with: "I have created a new Server in OpenVPN, put my certificates there,  section but I'm unable to connect from my "other" clients"

    Can you please provide a diagram of what your setup should look like?

    Also, please provide the log output of the server and the clients when they connect and "it doesn't work", and the config files of your server and the clients.



  • Tnx. for help.

    My scenario will be:

    pfSense ….. Internet ....... <open 1 vpn client>..... Internet ...... <open 2 vpn client>..................................... <open vpn client nth>
    Every client should attach to pfSense, this is a MUST. No interconnectivity between clients is needed.
    So I have made a SUCCESSFUL connection from client 1 (open_neno.crt/key file). Now I tried to add a second one. So I installed an OpenVPN client on a second PC (also copied the open_neno files, as well as ca ...), and again followed the procedure described on http://forum.pfsense.org/index.php?topic=7840.msg44065. I have just put a new e-mail name, and created an open_davorin.crt/key.
    So when I run OpenVPN I get open_davorin as a connection; when I press connect, here is my log:
    BAD -----------------------------------
    Mon Oct 06 14:55:00 2008 OpenVPN 2.1_rc9 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 31 2008
    Mon Oct 06 14:55:00 2008 LZO compression initialized
    Mon Oct 06 14:55:00 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Oct 06 14:55:00 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Oct 06 14:55:00 2008 Local Options hash (VER=V4): '41690919'
    Mon Oct 06 14:55:00 2008 Expected Remote Options hash (VER=V4): '530fdded'
    Mon Oct 06 14:55:00 2008 Socket Buffers: R=[0->0] S=[0->0]
    Mon Oct 06 14:55:00 2008 UDPv4 link local: [undef]
    Mon Oct 06 14:55:00 2008 UDPv4 link remote: 10.0.0.105:1194
    Mon Oct 06 14:55:00 2008 TLS: Initial packet from 10.0.0.105:1194, sid=e181040e efdb1441
    Mon Oct 06 14:55:00 2008 VERIFY OK: depth=1, /C=HR/ST=NA/L=Zagreb/O=Selmet/CN=pfSense-CA/emailAddress=neno@localhost
    Mon Oct 06 14:55:00 2008 VERIFY OK: nsCertType=SERVER
    Mon Oct 06 14:55:00 2008 VERIFY OK: depth=0, /C=HR/ST=NA/O=Selmet/CN=server/emailAddress=neno@localhost
    Mon Oct 06 14:56:00 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Oct 06 14:56:00 2008 TLS Error: TLS handshake failed
    Mon Oct 06 14:56:00 2008 TCP/UDP: Closing socket
    Mon Oct 06 14:56:00 2008 SIGUSR1[soft,tls-error] received, process restarting
    Mon Oct 06 14:56:00 2008 Restart pause, 2 second(s)
    Mon Oct 06 14:56:02 2008 Re-using SSL/TLS context
    Mon Oct 06 14:56:02 2008 LZO compression initialized
    Mon Oct 06 14:56:02 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Oct 06 14:56:02 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Oct 06 14:56:02 2008 Local Options hash (VER=V4): '41690919'
    Mon Oct 06 14:56:02 2008 Expected Remote Options hash (VER=V4): '530fdded'
    Mon Oct 06 14:56:02 2008 Socket Buffers: R=[0->0] S=[0->0]
    Mon Oct 06 14:56:02 2008 UDPv4 link local: [undef]
    Mon Oct 06 14:56:02 2008 UDPv4 link remote: 10.0.0.105:1194
    Mon Oct 06 14:56:02 2008 TLS: Initial packet from 10.0.0.105:1194, sid=13fff45d c93dc10f
    Mon Oct 06 14:56:02 2008 VERIFY OK: depth=1, /C=HR/ST=NA/L=Zagreb/O=Selmet/CN=pfSense-CA/emailAddress=neno@localhost
    Mon Oct 06 14:56:02 2008 VERIFY OK: nsCertType=SERVER
    Mon Oct 06 14:56:02 2008 VERIFY OK: depth=0, /C=HR/ST=NA/O=Selmet/CN=server/emailAddress=neno@localhost
    Mon Oct 06 14:56:05 2008 TCP/UDP: Closing socket
    Mon Oct 06 14:56:05 2008 SIGTERM[hard,] received, process exiting
    BAD -----------------------------------

    When I use open_neno I can establish a connection. Here is the GOOD log:
    GOOD --------------------------------------------
    Mon Oct 06 14:31:16 2008 OpenVPN 2.1_rc9 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 31 2008
    Mon Oct 06 14:31:16 2008 LZO compression initialized
    Mon Oct 06 14:31:16 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Oct 06 14:31:16 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Oct 06 14:31:16 2008 Local Options hash (VER=V4): '41690919'
    Mon Oct 06 14:31:16 2008 Expected Remote Options hash (VER=V4): '530fdded'
    Mon Oct 06 14:31:16 2008 Socket Buffers: R=[0->0] S=[0->0]
    Mon Oct 06 14:31:16 2008 UDPv4 link local: [undef]
    Mon Oct 06 14:31:16 2008 UDPv4 link remote: 10.0.0.105:1194
    Mon Oct 06 14:31:16 2008 TLS: Initial packet from 10.0.0.105:1194, sid=b39ebb1d 4a2a5352
    Mon Oct 06 14:31:16 2008 VERIFY OK: depth=1, /C=HR/ST=NA/L=Zagreb/O=Selmet/CN=pfSense-CA/emailAddress=neno@localhost
    Mon Oct 06 14:31:16 2008 VERIFY OK: nsCertType=SERVER
    Mon Oct 06 14:31:16 2008 VERIFY OK: depth=0, /C=HR/ST=NA/O=Selmet/CN=server/emailAddress=neno@localhost
    Mon Oct 06 14:31:16 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Oct 06 14:31:16 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Oct 06 14:31:16 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Oct 06 14:31:16 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Oct 06 14:31:16 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Oct 06 14:31:16 2008 [server] Peer Connection Initiated with 10.0.0.105:1194
    Mon Oct 06 14:31:17 2008 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mon Oct 06 14:31:17 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 192.168.200.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5'
    Mon Oct 06 14:31:17 2008 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Oct 06 14:31:17 2008 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Oct 06 14:31:17 2008 OPTIONS IMPORT: route options modified
    Mon Oct 06 14:31:17 2008 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{735E96DC-8831-41AF-B5BE-ECAE39027C81}.tap
    Mon Oct 06 14:31:17 2008 TAP-Win32 Driver Version 9.4
    Mon Oct 06 14:31:17 2008 TAP-Win32 MTU=1500
    Mon Oct 06 14:31:17 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {735E96DC-8831-41AF-B5BE-ECAE39027C81} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Mon Oct 06 14:31:17 2008 Successful ARP Flush on interface [25] {735E96DC-8831-41AF-B5BE-ECAE39027C81}
    Mon Oct 06 14:31:23 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Mon Oct 06 14:31:23 2008 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 192.168.200.5
    Mon Oct 06 14:31:23 2008 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Mon Oct 06 14:31:23 2008 Route addition via IPAPI succeeded [adaptive]
    Mon Oct 06 14:31:23 2008 C:\WINDOWS\system32\route.exe ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.5
    Mon Oct 06 14:31:23 2008 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Mon Oct 06 14:31:23 2008 Route addition via IPAPI succeeded [adaptive]
    Mon Oct 06 14:31:23 2008 Initialization Sequence Completed
    Mon Oct 06 14:32:19 2008 TCP/UDP: Closing socket
    Mon Oct 06 14:32:19 2008 C:\WINDOWS\system32\route.exe DELETE 192.168.200.0 MASK 255.255.255.0 192.168.200.5
    Mon Oct 06 14:32:19 2008 Route deletion via IPAPI succeeded [adaptive]
    Mon Oct 06 14:32:19 2008 C:\WINDOWS\system32\route.exe DELETE 10.0.0.0 MASK 255.255.255.0 192.168.200.5
    Mon Oct 06 14:32:19 2008 Route deletion via IPAPI succeeded [adaptive]
    Mon Oct 06 14:32:19 2008 Closing TUN/TAP interface
    Mon Oct 06 14:32:19 2008 SIGTERM[hard,] received, process exiting
    GOOD --------------------------------------------

    If you need any more details don't hesitate to contact me.



  • Here is the log on pfSense:

    Oct 6 14:54:25 openvpn[347]: 10.0.0.235:51612 TLS Error: TLS object -> incoming plaintext read error
    Oct 6 14:54:25 openvpn[347]: 10.0.0.235:51612 TLS Error: TLS handshake failed
    Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 Re-using SSL/TLS context
    Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 LZO compression initialized
    Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=HR/ST=NA/O=Selmet/CN=ovpn_davorin/emailAddress=davorin@localhost
    Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
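
The line in the server log above that explains the failure is the `VERIFY ERROR` at depth=0: the server could not find the issuer of the client certificate among the CAs it trusts. The following Python triage of those log lines is an added example, not part of the thread; the function names and the hint wording are assumptions made for this example.

```python
import re

# Server-side lines copied from the post above, used here as sample input.
SAMPLE_LOG = """\
Oct 6 14:54:25 openvpn[347]: 10.0.0.235:51612 TLS Error: TLS handshake failed
Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 Re-using SSL/TLS context
Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=HR/ST=NA/O=Selmet/CN=ovpn_davorin/emailAddress=davorin@localhost
Oct 6 14:55:04 openvpn[347]: 10.0.0.235:51613 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

LINE = re.compile(r"openvpn\[\d+\]: (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
VERIFY = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>.+?): (?P<dn>/.+)$")

# Hints keyed by the OpenSSL verify-error text (wording written for this example).
HINTS = {
    "unable to get local issuer certificate":
        "the issuer of this certificate is not in the server's CA file; "
        "sign the client certificate with the same CA the server is configured with",
    "certificate has expired": "the certificate is past its notAfter date; reissue it",
    "certificate is not yet valid": "check the clocks of the issuing and verifying machines",
}

def parse_dn(dn):
    """Split an OpenSSL one-line subject (/C=HR/O=...) into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def triage(log_text):
    """Return one finding per failed certificate verification in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        v = VERIFY.match(m["msg"]) if m else None
        if not v:
            continue  # not a certificate verification failure
        depth = int(v["depth"])
        findings.append({
            "peer": m["peer"],
            "depth": depth,
            # depth 0 is the peer's own certificate, higher depths are CAs in its chain
            "where": "client certificate" if depth == 0 else "CA in the chain",
            "cn": parse_dn(v["dn"]).get("CN"),
            "error": v["error"],
            "hint": HINTS.get(v["error"], "no hint recorded for this error"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['peer']} {f['where']} CN={f['cn']}: {f['error']} -> {f['hint']}")
```
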



  • tnx. all.

    solved

    recreated everything once again, like http://forum.pfsense.org/index.php?topic=7840.msg44065, just created a few ovpn_client files
    and it works.

