having issues setting up Remote VPN to my network



  • I had this working a few months ago but I can't remember how I did it... to access my home network like I was physically there..
    I had to reinstall pfSense as it bricked my USB when I had installed an extra hard drive and was trying out Squid proxy; it cached to the USB I guess and bricked it after a month..

    but I reinstalled to the latest pfSense.. I have tried different setups..
    I tried the Wizard.. the 11 steps; when it comes to the export there are no options at the bottom... I even made a new user and checked the "create a certificate" box.. I then noticed under certificates the wizard doesn't create a client certificate, just a server one, so I tried creating a client.. still nothing under the client export

    so getting frustrated... when I did earlier get the export to work and download the client etc., when I try to connect I get this error

    Tue Jul 17 13:14:42 2018 SIGUSR1[soft,tls-error] received, process restarting
    Tue Jul 17 13:19:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]174.94.30.126:1195
    Tue Jul 17 13:19:42 2018 UDP link local (bound): [AF_INET][undef]:1194
    Tue Jul 17 13:19:42 2018 UDP link remote: [AF_INET]174.94.30.126:1195
    Tue Jul 17 13:20:42 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Jul 17 13:20:42 2018 TLS Error: TLS handshake failed

    so I'm not sure what else I'm supposed to do after you run the wizard, as there are different people setting it up in different ways and I thought the wizard was to take all the guesswork out...
    if you guys need screenshots etc. let me know, or what to check



  • It seems the client cannot reach the server.

    Is the server up and running?

    Can you find anything in the logs, or do you see messages when you start the server?

    Is the server listening on WAN?

    Do you have a firewall rule in place which is allowing the access?



  • first I followed the YouTube videos from Crosstalk and that had worked before, kinda, at least I could log on, but now I noticed there has been an update of pfSense and I updated before

    I also did notice.. it would allow my cell phone to connect, or my one laptop, but when I downloaded the install from the client export it wouldn't allow my other laptop to connect.. but when I copied the config folder from my other laptop to the one having issues it worked.. so something went haywire... but since the USB bricked I have started over
    as I'm also trying to get NordVPN to work with pfSense too as they have a trial

    but back to your questions.. yes the server is up and running under services; I even stopped and started it again to see if that would fix it.. rebooted too.. I have uninstalled and reinstalled.. I have played with the firewall settings... when you run the wizard.. it only sets up the CA certificate and the Server certificate.. but not the Client certificate.. so I manually do that one... but ya I set it for WAN, I just did the defaults of the Wizard
    so I'm frustrated; I'll take some pics after as I'm not near the machine right now..
    I'm still not 100% used to this pfSense, I'm learning as I wanted more secure, but I really like my Asus routers, the GUIs are nice lol



  • ugh getting frustrated.. I tried uninstalling the client export
    I rebooted pfSense
    installed the export package for VPN

    I go to OpenVPN, wizard
    it creates the CA file, then a server certificate under Certificates
    I follow the steps and set it to port 1196
    after it's done I go to client export and there is nothing at the bottom, and it says if you don't see your files it's an issue between the Client certs and Server... like shouldn't the wizard have done all this so there are no issues?

    what screenshots do you need to see.. I have deleted it several times and it's still not working
    I'll post screenshots, just what parts do I need


  • Rebel Alliance Global Moderator

    The cert used by the user would be a USER cert, not a server cert. The server cert would be SERVER.

    This should take you all of 30 seconds to set up. Run through the wizard.

    Create a user cert signed by the CA you created during the wizard; it will be listed for export. Do you want a step by step screenshot guide?

    Do you have some sort of block rule you put on your WAN? When the wizard creates the VPN rule on your WAN to allow access it will be on the bottom. If you had placed some rule on WAN blocking stuff then you would have to move the rule above your block.



  • yes I know under CA create a CA
    under Certificates you create a Server and a User certificate
    as I've done that before..

    now when I did the Wizard... it creates the CA cert and the Server cert... I found a bug in pfSense
    so I noticed it doesn't create a user cert...
    and when you create a user and check the box to create a Cert.. there is a bug in pfSense. if you leave the description box blank, which I did as who cares really.. it screws up the certificate
    I found when I just put "asdfasdf" as a description that enables the CA..
    as you'd think it would say you must enter a description...
    so far it works.. but it's saving an old config file, not sure how.. but I at least found why I'm not getting a CA

    but ya if you could do a step by step...
    because each version of pfSense seems to have different settings.. now I have an issue when it downloads the config under client export: it's using names I don't even use anymore.. very strange.. I may just have to format and start over


  • Rebel Alliance Global Moderator

    No there is no BUG... Why should the wizard ask you to create a user? Maybe you need 100 users, etc.. It's going to walk you through all of that?

    It's a SERVER wizard, not a USER wizard..

    My guess to where you are running into a problem is the wizard defaults to cert+user auth... So unless you create a local user with the cert assigned to it.. It will not be listed in the export.

    If you change the server to just remote access SSL/TLS, then any user cert signed with your server's CA will be listed.

    [attached image: usercertdownload.png]

    This is not a bug - but could prob be better documented in the wizard. Maybe allow for you to pick if you want the server to be just SSL/TLS or SSL/TLS+user auth



  • so I kinda got it working; can't tell if it really works as I'm on my local network, can't tell until I go to another location

    but how do you set it up to rename the config files for the connection
    I want one to be my sister's house and 1 to be my house
    all I seem to have is

    pfSense-UDP4-1196-mike-config
    pfSense-UDP4-1196-mikehouse-config
    I rename the files in the config location to mikeshouse or sistershouse and then there is an error; I'm not even sure where they get the mike or mikeshouse



  • ah ok I'll retry that again..
    and where I meant bug:
    if you click User Manager
    click create a user

    when you check off "certificate: click to create a user certificate"

    it asks for your Description
    Certificate authority.

    I found if you leave the description blank, as why would you care to write a description, it messes up the export

    so when I did description "safasdfasdf"
    then the client export worked

    but I wanna rename it and now I come to have another issue lol



  • it seems it creates it from the username
    which is annoying because
    I have user name mike on my sister's pfSense and mine
    so it's the same damn file in the config location
    I had to rename the user name to mitchshouse and then I still gotta re-login
    here I figured just rename the config location filenames but not so simple

    as I wanted it to say mikes house..... sisters house as the 2 options in the OpenVPN client


  • Rebel Alliance Global Moderator

    Are you just exporting the ovpn file? You can rename the file to whatever you want.ovpn



  • i export all 3 files and rename all 3



  • personal information file
    OpenVPN file
    registration entry file
    as they all have the same name so I rename all 3 to mitchshouse or mikeshouse



  • when I just rename the OpenVPN file
    and then try to connect with the client

    the error I still get is
    connecting to management interface faild
    view log file c:users\mike\openvpn\mitchshouse.log
    Wed Jul 18 16:35:38 2018 WARNING: cannot stat file 'pfSense-UDP4-1196-mike.p12': No such file or directory (errno=2)
    Options error: --pkcs12 fails with 'pfSense-UDP4-1196-mike.p12'
    Wed Jul 18 16:35:38 2018 WARNING: cannot stat file 'pfSense-UDP4-1196-mike-tls.key': No such file or directory (errno=2)
    Options error: --tls-auth fails with 'pfSense-UDP4-1196-mike-tls.key': No such file or directory (errno=2)
    Options error: Please correct these errors.
    Use --help for more information.

    or when I try again and rename all 3 files to mitchshouse and mitchshouse-tls

    I get the same error.. it's like you can't rename the files so they're better labeled
    and that I have to make a user account called sistershouse, not mike, on my sister's house… to distinguish between the 2 user accounts, mike on my sister's pfSense and my pfSense…
    guess I have no simple answers; I fix one issue then seem to get myself into a 2nd issue lol

    I appreciate the help so far



  • gonna uninstall the client software and retry; the pfSenses, uninstall and reinstall both, as I'm setting up both pfSenses at my house and then taking the one for her to her house..
    maybe working on 2 at the same time is just glitching

    but fingers crossed uninstalling, deleting the config location and whatnot fixes it.. at least I'm getting experience setting this thing up (: lol



  • so update
    both computers, one called mitchsserver, the other called mikeserver
    with user name mike... but my sister's server has like mitchsCA and mitchsclient, and for mine it's mikesCA and mikesclient and server name
    using the same port 1196

    I found they both create the same damn 3 files
    pfSense-UDP4-1196-mike config
    pfSense-UDP4-1196-mike
    pfSense-UDP4-1196-mike-tls

    the config file has the location of those 2 other files but the OpenVPN file is write protected and I can't seem to bypass it

    so the only way I can seem to do it is
    I make a different user name on my sister's pfSense

    like mitchserver as the username

    this seems to solve the issue of overwritten files
    as what I had ended up with is this
    mikeshouse (OpenVPN file)
    mitchshouse (OpenVPN file)
    pfSense-UDP4-1196-mike
    pfSense-UDP4-1196-mike-tls

    due to it making the same damn files it overwrites the last 2, so it directs to a different comp, not the renamed OpenVPN one..
    would be nice to edit the OpenVPN file so I could rename the other 2 files but what can ya do.. guess it wasn't really meant to have 1 computer connecting to multiple pfSense accounts

    at least I figured out it's not so simple lol


  • Rebel Alliance Global Moderator

    I have no idea what you're trying to do mate... But I can tell you this - it is simple! ;)

    Why are you grabbing 3 files? Just grab the inline ovpn file.. Load it in your remote client.

    What exactly are you trying to accomplish. You have a road warrior connecting to pfsense?? Or you wanting to do a site to site between mitchshouse and yours? Does mitch have pfsense as well?



  • ok so I have 1 laptop

    I have 2 pfSense houses.... my house and my sister's house
    I set up exact copies of pfSense… except
    the certs..
    my pfSense: MikeshouseCA.. mikesServer (certificate)… mikes client (certificate)
    sis pfSense: MitchshouseCA, mitchsServer (Certificate).. mikes client (certificate)

    like I mentioned, to get the option to export when I create a New user "mike" as the login you have to write something in "description" for it to work

    now when you click the Vista install button
    and it installs... it creates 3 Files
    pfSense-UDP4-1196-mike.ovpn config file
    pfSense-UDP4-1196-mike personal info file
    pfSense-UDP4-1196-mike-tls registration file

    now even though I created different certs on the 2 computers, because I use "mike" as a login for both pfSense boxes.. these still create the same files above.. and the ovpn config file points to the personal info and registration file names and Windows won't let me edit the ovpn file to edit the names
    so if I rename
    pfSense-UDP4-1196-mike.ovpn config file to mike.ovpn config file now I have
    mike.ovpn
    pfSense-UDP4-1196-mike personal info
    pfSense-UDP4-1196-mike-tls

    now when I run the Vista Install button on my laptop of my sister's pfSense and it installs the 3 files I now have this

    mikes.ovpn config
    pfSense-UDP4-1196-mike ovpn config
    pfSense-UDP4-1196-mike personal info
    pfSense-UDP4-1196-mike-tls registration

    and you can not just have the ovpn config file.. I deleted the other 2 files

    as I tried renaming the files so I'd have 6 files

    so it'd be

    mikeshouse ovpn config
    mikeshouse personal info file
    mikeshouse-tls registration file
    mitchshouse ovpn config
    mitchshouse personal info file
    mitchshouse-tls registration file

    or does it even matter, or does it.. since I could have a different setting for "mike" on mitchsserver than "mike" on mikes server

    as both config files point to the same file names that I'm trying to rename, there is a conflict
    I have dyslexia so it comes out fine for me, maybe not for you; I tried to explain it better



  • here you see image 1.. my sister's pfSense
    [attached image: pfsense issue.JPG]
    now I renamed the config file to mitchshouse and ran my pfSense install
    [attached image: pfsense issue 1.JPG]

    now I renamed my config to mikeshouse
    [attached image: pfsense issue 2.JPG]

    and here is the conflict.
    mitchshouse and mikeshouse both point to mikes house's registration file and personal information file
    so that means when I connect to mitchshouse it's actually connecting to Mikeshouse pfSense.. I do not want this

    as mitchshouse config is
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote sistersdyns 1196 udp
    verify-x509-name "mitchshouseserver" name
    auth-user-pass
    pkcs12 pfSense-UDP4-1196-mike.p12
    tls-auth pfSense-UDP4-1196-mike-tls.key 1
    remote-cert-tls server

    mikeshouse pfSense config is
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote myhousesdyns 1196 udp
    verify-x509-name "mikeshouseserver" name
    auth-user-pass
    pkcs12 pfSense-UDP4-1196-mike.p12
    tls-auth pfSense-UDP4-1196-mike-tls.key 1
    remote-cert-tls server

    so that's why I get confused; I should have 6 files, those 2 files are specific to each server, isn't it the TLS key, and they both don't have the same key


  • Rebel Alliance Global Moderator

    So you want to be able to access either your sister's house or your house from your laptop? That is running Windows I take it?

    Or do you want your sister's house and your house to be always connected via site to site VPN? You could set up site to site between your houses and then set it up so you could access either house from either VPN server.

    The only thing you need to download if you're running the Windows client on your laptop is the inline ovpn file. It will have everything you need.

    I would set up sistershouse and your house VPN server. From your laptop GUI client you just need to pick the one you want..

    Just rename the ovpn files to whatever you want before you place them in the config dir of your OpenVPN client.

    Here I grabbed the ovpn files from 2 of my servers. Placed them in the config directory after I renamed them to sisters and mikes.

    [attached image: 2vpnconnections.png]

    It is that simple..
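The conflict laid out above, where both profiles load the same pfSense-UDP4-1196-mike.p12 and pfSense-UDP4-1196-mike-tls.key, and the moderator's point that an inline profile needs no extra files, can both be checked before a profile is dropped into the client's config directory. This is an added example, not code from the thread or from pfSense; the profile texts are constructed from the two posted above, and the inline blocks hold labelled placeholders rather than real key material.

```python
import re
from collections import defaultdict

# Directives that load a file from disk; inline <tag> blocks can replace them.
FILE_DIRECTIVES = ("ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt")

def parse_profile(text):
    """Return (directives, external_files, inline_tags) for one .ovpn text."""
    directives, external, inline, tag = {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if tag:                              # inside an inline block: skip body
            if line == "</%s>" % tag:
                tag = None
            continue
        m = re.match(r"<([a-z0-9-]+)>$", line)
        if m:
            tag = m.group(1)
            inline.add(tag)
            continue
        name, *args = line.split()
        directives[name] = args
        if name in FILE_DIRECTIVES and args:
            external[name] = args[0]         # first argument is the file name
    return directives, external, inline

def find_collisions(profiles):
    """Map each external file to the profiles that load it, when more than one."""
    users = defaultdict(list)
    for pname, text in profiles.items():
        for path in parse_profile(text)[1].values():
            users[path].append(pname)
    return {f: sorted(p) for f, p in users.items() if len(p) > 1}

def is_self_contained(text):
    """True when every credential is inline and nothing external is loaded."""
    _, external, inline = parse_profile(text)
    return not external and bool(inline)

# Constructed samples modelled on the two profiles posted in the thread.
MITCHSHOUSE = """client
remote sistersdyns 1196 udp
pkcs12 pfSense-UDP4-1196-mike.p12
tls-auth pfSense-UDP4-1196-mike-tls.key 1
remote-cert-tls server
"""
MIKESHOUSE = MITCHSHOUSE.replace("sistersdyns", "myhousesdyns")
# Constructed inline export: same material embedded, so nothing on disk to clash.
MIKESHOUSE_INLINE = """client
remote myhousesdyns 1196 udp
<pkcs12>
(constructed placeholder for the base64 PKCS#12 bundle)
</pkcs12>
<tls-auth>
(constructed placeholder for the static TLS key)
</tls-auth>
"""
```

Any file reported by find_collisions is one that the next export to the same directory will silently overwrite, which is exactly how the second house's profile ended up loading the first house's credentials.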



  • not at home to test but
    ya the laptop is running Windows 10...
    and when I click the export I click the Windows Vista or later button, that is the EXE file, and when it installs it creates the 3 files..

    to get the TLS and the registration file in the config file.. is that the bundled button to hit in the export, or, I read, inline..

    I'll try that when I get home

    thanks for the help so far



  • as for the site to site I want that too..

    so I want, when my unRAID box syncs with my sister's unRAID box.. that pfSense would do site to site. then when unRAID is done it would disconnect the site to site session

    but on the laptop I want to be, say, at a friend's house or a Starbucks, so that I can access either network via laptop



  • so what I'm doing currently is the remote access VPN, setting it up on 1 laptop for both pfSenses.. and I get the 3 files generated twice but it overwrites the TLS key file since they both are basically the same setup



  • so

    mitchsserver          mikesserver

    mitchsCA              mikesCA
    mitchsserver Cert     mikesserver Cert
    user name mike        user name mike

    when I create the user cert then I get "sdafas", because I found whatever the description is, and you have to give one under "user" when you create a cert, it has to be something or it doesn't create a user cert... so both have a user cert called "asdf" something like that as I didn't wanna give a description

    then all said and done I went down to OpenVPN and client export
    and I click the Vista or later button, it downloads the exe file, it installs 3 files
    but since both servers give the same files it overwrites the key file and the personal file after I rename the ovpn config file to either mikeshouse config or mitchshouse config

    hope I summed it up better



  • ugh the spacing didn't show up properly and I underlined mitchsserver and mikesserver and it bolded it, frig, not what I wanted.. you need to add spaces between them below it


  • Rebel Alliance Global Moderator

    you don't need the EXE!!! Just install the client from the OpenVPN site... Then export your inline ovpn..

    That is supposed to make it easy to give out the exe to someone so they don't have to do anything but run an exe and it will be all ready for them to connect to 1 specific server.

    Let's get your roadwarrior setup working before we work on a site to site. Why does it have to go down? Just easier to set it up and leave it up - then your unRAIDs can sync whenever they want/need to.



  • well I wouldn't know; I chose the Vista install exe because it says Windows... and the inline says for Android or Apple.. is it not? I'll check it shortly, I'll be home

    but I'll take a guess there is a 3rd option then for Windows
    but as for taking it down.. how much data does it use to keep OpenVPN connected?

    my internet is a 5 Mbps download and a 400-500 kilobit upload; if it doesn't use much data to slow my internet down more than what I have then I'll just leave it connected all the time for that site to site, as I'm also trying to set up NordVPN for secure web browsing on pfSense, trying their 3 day trial and having issues with it but that's another topic lol


  • Rebel Alliance Global Moderator

    See the one that says most clients, that will work just fine on Windows..

    [attached image: vpnovpn.png]

    With such a connection I don't see how you're going to be syncing any sort of data.. Be like watching paint dry ;)

    How much data do you plan on syncing? But just the vpn open doesn't use much of anything..



  • oooh ok and here I've been using the Windows Vista and later as it said Windows... I'll give it a try and let you know when I get home
    I really appreciate it