having issues setting up Remote VPN to my network

comet424

I had this working a few months ago but I cant remember how I did it... to access my home network like I was physically there..
I had to reinstall pfsense as it bricked my usb when I had installed a extra hard drive and trying out squidproxy it cached it to the usb I guess and bricked it after a month..

but I reinstalled to latest pfsense.. I have tried different setups..
I tried the Wizard.. the 11 steps when it comes to export it there no options at the bottom... I even made a new user and create a certificate check box.. I then noticed under certicates the wizard doesn't create a client certificate just a server so I tried creating a client.. still nothing under the export client

so getting frustrated,,, when I did earlier get the export to work and download client etc when I try to connect I get this error

Tue Jul 17 13:14:42 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 17 13:19:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]174.94.30.126:1195
Tue Jul 17 13:19:42 2018 UDP link local (bound): [AF_INET][undef]:1194
Tue Jul 17 13:19:42 2018 UDP link remote: [AF_INET]174.94.30.126:1195
Tue Jul 17 13:20:42 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 17 13:20:42 2018 TLS Error: TLS handshake failed

so I not sure what else I supposed to do after you run the wizard as there is different people setting up it with different ways and I thought the wizard was to take all the guess work out...
if you guys need screen shots etc let me know or what to check

viragomann

It seems the client cannot reach the server.

Is the server up and running?

Can you find something in logs or do you see massages when you start the server?

Is the server listening on WAN?

Do you have a firewall rule in place which is allowing the access?

comet424

first I followed the youtube videos from Crosstalk and that had worked before kinda least I could log on but now I noticed there has been an update of pfsense and I updated before

I also did notice.. it would allow my cell phone to connect or my one laptop but when I downloaded the install from the client export it wouldn't allow my other laptop to connect.. but when I copied the config folder from my other laptop to the one having issues it worked.. so something went hay wire... but since the usb bricked I have started over
as im also trying to get nordvpn to work with pfsense too as they have a trial

but back to your questions.. yes the server is up and running under services I even stopped and started again to figure that fix it.. rebooted too.. I have uninstalled and re installed.. I have played with the firewall settings... when you run the wizard.. it only sets up CA certificate and the Server certificate.. but not the Client certiticate.. so I manually do that one...but ya I set it for WAN I just did the defaults of the Wizard
so I frustrated ill take some pics after as I not near the machine right now..
I still not 100% used to this pfsense I learning as I wanted more secure but I really like my Asus routers the guis are nice lol

comet424

ugh getting frustrated.. I tried uninstalling export client
I rebooted pfsense
installed package export for vpn

I goto open vpn. wizard
it creates the CA file. then a server certicate under Certifcates
i follow the steps and set to 1196 port
after its done i goto client export and there is nothing at the bottom and says if you don't see your files its a issue between Client certs and Server... like shouldn't the wizard had done all this so there is no issues/

whaat screen shots do you need to see.. i have deleted it several times and still not working
ill post screen shots just what parts do i need

johnpoz

The cert used by the user would be a USER cert, not a server cert. The server cert would be SERVER.

This should take you all of 30 seconds to setup. Run through the wizard.

Create a user cert signed by the CA you created during the wizard, it will be listed for export. Do you want a step by step screenshot guide?

Do you have some sort of block rule you put on your wan? When the wizard creates the vpn rule on your wan to allow access it will be on the bottom. If you had placed some rule on wan blocking stuff then you would have to move the rule above your block.

comet424

yes i know under CA create a CA
under Certificates you create a Server and a User certificate
as i done that before..

now when i did the Wizard... it creates the CA cert and the Server cert... i found a bug in pfsense
so i noticed it doesn't create a user cert...
and when you create a user and check the box off to crearte a Cert.. there is a bug in pfsense. if you leave the description box blank which i did as who cares really.. it screws up the certificate
i found when i just "asdfasdf" as a description that enables the CA..
as you think it would say you must enter a description...
so far it works.. but its saving an old config file not sure how.. but i least found why i not getting a CA

but ya if you could do a step by step...
because each version of pfsense seems different settings.. now i have issue when it downloads the config under client export its using names i don't even use anymore.. very strange.. i may just have to format and start over

johnpoz

No there is no BUG... Why should the wizard ask you to create a user? Maybe you need 100 users, etc.. Its going to walk you through all of that?

Its a SERVER wizard, not a USER wizard..

My guess to where you are running into a problem is the wizard defaults to cert+user auth... So unless you create a local user with the cert assigned to it.. It will not be listed in the export.

If you change the server to just remote access SSL/TLS, then any user cert signed with your servers CA will be listed.

This is not a bug - but could prob be better documented in the wizard. Maybe allow for you to pick if you want the server to be just ssl/tls or ssl/tls+user auth

comet424

so i kinda got it working cant tell if it really works as i on my local network cant tell when i goto another location

but how do you set it up to rename the config files for the connection
i want one to be my sisters house and 1 to be my house
all i seem to have is

pfSense-UDP4-1196-mike-config
pfSense-UDP4-1196-mikehouse-config
i rename the files in the config location to mikeshouse or sistershouse and then there is a error i not even sure where they get the mike or mikeshouse

comet424

ah ok ill re try that again..
and where i ment bug
if you click User Manager
click create a user

when you check off "certificate click to create a user certificate

it asks your Description
Certificate authority.

i found if you leave description blank as why would you care to write a description it messes up the export

so when i did descritiption "safasdfasdf"
then the client export worked

but i wanna rename it and now i come to have another issue lol

comet424

it seems it creates it from the username
which is annoying because
i have user name mike on sisters pfsense and mine
so its the same damn file in the config location
i had to rename the user name to mitchshouse and then i still gotta re login
here i figured just rename the config location filenames but not so simple

as i wanted it to say mikes house..... sisters house as the 2 options in OpenVPN client

johnpoz

Are you just exporting the ovpn file? You can rename the file to whatever you want.ovpn

comet424

i export all 3 files and rename all 3

comet424

personal information file
opnvpn file
resigration entry file
as they all the same name so i rename all 3 to mitchshouse or mikeshouse

comet424

when i just rename the OpenVPN file
and then try to connect with client

error i still get is
connecting to management interface faild
view log file c:users\mike\openvpn\mitchshouse.log
Wed Jul 18 16:35:38 2018 WARNING: cannot stat file 'pfSense-UDP4-1196-mike.p12': No such file or directory (errno=2)
Options error: --pkcs12 fails with 'pfSense-UDP4-1196-mike.p12'
Wed Jul 18 16:35:38 2018 WARNING: cannot stat file 'pfSense-UDP4-1196-mike-tls.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'pfSense-UDP4-1196-mike-tls.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.

or when i try again and rename all 3 files to mitchshouse and mitchshouse-tls

i get same error.. its like you cant rename the files so its better labeled
and that i have to make a user account saying sistershouse not mike on my sistershouse… to distinguish between 2 user accounts mike on my sisters pfsense and my pfsese…
guess i have no simple answers i fix one issue then seem to get myself into a 2nd issue lol

i appreciate the help so far

comet424

gonna uninstall the client software and re try the pfsenses uninstall and re install both as i setting up both pfsenses at my house and then take the one for her to her house..
maybe working on 2 at same time just glitching

but fingers crossed uninstall delete the config location and what not fix's it.. least i getting experience setting this thing up (: lol

comet424

so update
both computers one called mitchsserver other called mikeserver
with user name mike... but my sisters server has like mitchsCA and mitchsclient and for mine is mikesCA and mikesclient and server name
using same port 1196

i found they both create the same damn 3 files
pfSense-UDP4-1196-mike config
pfSense-UDP4-1196-mike
pfSense-UDP4-1196-mike-tls

the config file has the location of those 2 other files but the opnvpn file is write protected and i cant seem to bypass it

so my only way i can seem to do it is
i make a different user name on my sisters pfsens

like mitchserver as the username

this seems to solve the issue of over written files
as what i had ended up with is this
mikeshouse (opnvpn file)
mitchshouse (opnvpn file)
pfSense-UDP4-1196-mike
pfSense-UDP4-1196-mike-tls

due it it making same damn files it over writes the last 2 so id directs to a different comp not the renamed opnvpn one..
would be nice to edit the opnvpn file so i could rename the other 2 files but what can ya do.. guess it wasn't really ment to have 1 computer connecting to multiple pfsense accounts

least i figured out its not so simple lol

johnpoz

I have no idea what your trying to do mate...But I can tell you this - it is simple! ;)

Why are you grabbing 3 files? Just grab the inline ovpn file.. Load it in your remote client.

What exactly are you trying to accomplish. You have a road warrior connecting to pfsense?? Or you wanting to do a site to site between mitchshouse and yours? Does mitch have pfsense as well?

comet424

ok so I have 1 laptop

I have 2 pfsense houses.... my house and my sisters house
I set up exact copies of pfsense… except
the certs..
my pfsense MikeshouseCA.. mikesServer(certificate)… mikes client(certificate)
sis pfsense MitchshouseCA, mitchsServer(Certificate).. mikes client(certificate)

like I mentioned toe get the option to export when I create a New user "mike" as the login you have to write something in "description" to work

now when you click the Vista install button
and installs... it creates 3 Files
pfSense-UDP4-1196-mike.opnvpn config file
pfSense-UDP4-1196-mike. personal info file
pfSense-UDP4-1196-mike-tls resitration file

now even though I created different certs on the 2 computers because I use "mike" as a login for both pfsense boxes.. these still create the same files above.. and the opn config file points to the personal info and registration file names and windows wont let me edit the opnvpn file to edit the names
so If I rename
pfSense-UDP4-1196-mike.opnvpn config file to mike.opnvpn config file now I have
mike.opnvpn
pfSense-UDP4-1196-mike personal info
pfSense-UDP4-1196-mike-tls

now when I run the Vista Install button on my laptop of my sisters pfsense button and it installs the 3 files I now have this

mikes.opnvpn config
pfSense-UDP4-1196-mike opnvpn config
pfSense-UDP4-1196-mike personal info
pfSense-UDP4-1196-mike-tls registration

and you can not just have the opnvpn config file.. I deleted the other 2 files

as I tried renaming the files so id have 6 files

so it be

mikeshouse opnvpn config
mikeshouse personal info file
mikeshouse-tls registration file
mitchshouse opnvpn config
mitchshouse personal info file
mitchshouse-tls registration file

or does it even matter or does it.. since I could have a different setting for "mike" on mitchsserver then "mike" on mikes server

as both config files point to the same file names that I trying to rename as there is a conflict
I have diselexia so comes out fine for me maybe not for you I tried to explain it better

comet424

here you see image 1.. my sisters pfsense

now I renamed config file to mitchshouse and ran my pfsense install

now I renamed my config to mikeshouse

and here is the conflict.
mitchshouse and mikeshouse both point to mikes house registration file and personal information file
so that means when I connect to mitchshouse its actually connecting to Mikeshouse pfsense.. I do not want this

as mitchshouse config is
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote sistersdyns 1196 udp
verify-x509-name "mitchshouseserver" name
auth-user-pass
pkcs12 pfSense-UDP4-1196-mike.p12
tls-auth pfSense-UDP4-1196-mike-tls.key 1
remote-cert-tls server

mikeshouse pfsense
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote myhousesdyns 1196 udp
verify-x509-name "mikeshouseserver" name
auth-user-pass

so that's why I get confused I should have 6 files those 2 files are specific to each server isn't it the TLS key and u they both don't have the same key
pkcs12 pfSense-UDP4-1196-mike.p12
tls-auth pfSense-UDP4-1196-mike-tls.key 1
remote-cert-tls server

johnpoz

So you want to be able to access either your sisters house or your house from your laptop? That is running windows I take it?

Or do you want your sisters house and your hose to be always connected via site to site vpn? You could setup site to site between your houses and then setup so you could access either house from either vpn server.

The only thing you need to download if your running windows client on your laptop is the inline ovpn file. It will have everything you need.

I would setup sistershouse and your house vpn server. From your laptop gui client you just need to pick the one you want..

Just rename the ovpn files to whatever you want before you place them in your config dir of your openvpn client.

Here I grabbed the opvn files from 2 of my servers. Placed them in the config directly after I renamed them to sisters and mikes.

It is that simple..

comet424

not at home to test but
ya laptop is running windows 10...
and when I click the export I click the windows vista or later button that is the EXE file and when installs creates the 3 files..

to get the tls and the registration file in the config file.. is that the bundled button to hit in the export or I read inline..

Ill try that when I get home

thanks for the help so far

comet424

as for the site to site I want that too..

so I want when my unraid box syncs with my sisters unraid box.. that pfsense would do site to site. then when unraid is done it would disconnect the site to site session

but on the laptop I want to be say I at friends house or a starbucks that I can access either network via laptop

comet424

so what im doing currently is the remote access vpn setting it up on 1 laptop both pfsenses.. and I get the 3 files generated twice but over writes the TLS key file since they both basically the same setup

comet424

so

mitchsserver mikesserver

mitchsCA mikesCA
mitchsserver Cert mikesserver Cert
user name mike user name mike

when I create user cert then I get "sdafas" because i found whatever the description and you have to give one under "user" when you create a cert has to be something or it doesn't create a user cert... so both have a user cert called "asdf" something like that as i didn't wanna give a description

then all said and done i went down to opnvpn and client export
and i click Vista or later button downloads the exe file it installs 3 files
but since both servers give the same files it over writes the key file and the personal file after i rename the open config file to either mikeshouse config or mitchshouse config

hope i summed it better

comet424

ugh the spacing didn't show up properly and i underlined mitchsserver and mikes server and it bolded it frig not what i wanted.. you need to add spaces between them below it

johnpoz

you don't need the EXE!!! Just install the client from openvpn site... Then export your inline ovpn..

That is suppose to make it easy to give out the exe to someone so they don't have to do anything but run an exe and it will be already for them to connect to 1 specific server.

Lets get your roadwarrior setup working before we work on a site to site. Why does it have to go down? Just easier to set it up and leave it up - then your unraids can sync whenever they want/need to.

comet424

well I wouldn't know i chose vista install exe because it says windows... and the inline says for android or apple.. is it not ill check it shortly i be home

but ill take a lot guess there is 3rd option then for windows
but as for to turn it down.. how much data does it use to keep open vpn connected?

my internet is a 5mpbs download and a 400-500kilobites upload if it doesn't use much data to slow my internet down more then what i have then ill just leave it connected all the time then for that site to site as i trying to setup also NordVpn for a secure web browsing for pfsense trying there 3 day trial and having issues with it but that's another topic lol

johnpoz

See the one that says most clients, that will work just fine on windows..

With such a connection I don't see how your going to be syncing any sort of data.. Be like watching paint dry ;)

How much data do you plan on syncing? But just the vpn open doesn't use much of anything..

comet424

oooh ok and here I been using the windows vista and later as it said windows... ill give it a try and let you know when I get home
I really appreciate it