    PfSense as openVPN client

    8 Posts 5 Posters 7.4k Views
jjd

Since I was unable to get it done with IPCop and Endian so far, just a very general question:

Will I be able to establish an openVPN connection with Ivacy? http://ivacy.com/en/doc/user/setup/winxp_openvpn
So will pfSense work as a fully operational openVPN client?
Can I configure pfSense to block any traffic when the openVPN connection fails?

Thank you

GruensFroeschli

Yes, pfSense can act as a client.
I'm not sure what kind of additional authentication Ivacy does. (Your account and password?)

Can you find out more about what it is? (Are they using a PAM module to their authentication server?)

I think it's possible to configure the firewall rules in a way that if the openVPN connection fails everything gets dropped.
(Create a balancing pool with the other side of the VPN tunnel as gateway and use this gateway in your default LAN rule.)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

jjd

@GruensFroeschli:

I'm not sure what kind of additional authentication Ivacy does. (Your account and password?)

Yes, username and password additionally.

I've just entered all the information pfSense asks for and right now there is just
a very basic problem: how can I connect/start the connection? :)
At Services there is just an IPsec server, no OpenVPN server to start…

          Since Ivacy offers a prepared config file, can I even copy it via shell without using the config GUI?

FooFighter

            Hello,

I have been using the OpenVPN client with Ivacy VPN from Windows and Linux for quite a while. As I just got my ALIX-based router up and running with pfSense, I'm curious where you entered your Ivacy login/password in the web UI, as I only got fields for the certs/keys there, enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

custom options -> auth-user-pass file_with_login_pass

might be a hack for the login, but I currently have no idea for the TLS contents.

            Regards,

            Foo

Moelito

              @FooFighter:

              custom options -> auth-user-pass file_with_login_pass

might be a hack for the login, but I currently have no idea for the TLS contents.

Well, this ain't going to work for me as I only use the pfSense live CD :-(

              Or am I wrong?

              /Moelito

Lockzi

                @FooFighter:

                Hello,

I have been using the OpenVPN client with Ivacy VPN from Windows and Linux for quite a while. As I just got my ALIX-based router up and running with pfSense, I'm curious where you entered your Ivacy login/password in the web UI, as I only got fields for the certs/keys there, enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

custom options -> auth-user-pass file_with_login_pass

might be a hack for the login, but I currently have no idea for the TLS contents.

                Regards,

                Foo

                Hi, I'm also in need of doing this!

I've gotten to the same point as you. Did you ever find the solution to this problem?
I've looked at the OpenVPN website for answers on how to do this but no luck so far…

The question is how to handle the username and password authentication and the TLS file.

                Regards,
                Lockzi

Lockzi

                  Hello again,

Here's an update on how far I've come…

https://pr.ivacy.com/en/doc/help/setup/winxp_openvpn
From there we can find that the OpenVPN config should have these settings:

```
client
dev tun
proto udp
remote openvpn.ivacy.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ivacy-keys/ivacy-ca.crt
cert ivacy-keys/ivacy-client.crt
key ivacy-keys/ivacy-client.key
tls-auth ivacy-keys/ivacy-tls.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
redirect-gateway
script-security 3
reneg-sec 0
```

and they've also supplied us with the CA cert, client cert, client key and TLS key.
Besides this information we also need a username and password to connect to Ivacy.

This user/pass information I've put in a file called ivacy-auth.up which looks like this:

```
username
password
```

(1st row username, 2nd row password.)

                  This is my directory structure of /var/etc/:

```
# ls -l
total 40
drwxr-xr-x  2 root    wheel    512 Apr 19 15:10 bak
-rw-r--r--  1 root    wheel     16 Apr 17 22:49 defaultdomain.conf
-rw-r--r--  1 root    wheel     90 Apr 19 15:33 hosts
-rw-r--r--  1 root    wheel      0 Apr 19 16:29 inetd.conf
-rw-r--r--  1 root    wheel     17 Apr 19 14:58 ivacy-auth.up
-rw-r--r--  1 root    wheel   5577 Apr 19 15:33 lighty-webConfigurator.conf
-rw-r--r--  1 root    wheel    234 Apr 19 15:33 miniupnpd.conf
drwxr-xr-x  2 root    wheel    512 Apr 17 22:42 mpd-vpn
-rw-r--r--  1 root    wheel     78 Apr 19 15:33 ntpd.conf
-rw-r--r--  1 nobody  nobody  1549 Apr 19 16:34 openvpn_client0.ca
-rw-r--r--  1 nobody  nobody  4399 Apr 19 16:32 openvpn_client0.cert
-rw-r--r--  1 root    wheel    665 Apr 19 16:29 openvpn_client0.conf
-rw-r--r--  1 nobody  nobody  1675 Apr 19 16:35 openvpn_client0.key
-rw-r--r--  1 root    wheel    636 Apr 19 15:14 openvpn_client0.tls
drwxr-xr-x  2 nobody  nobody   512 Apr 19 15:33 openvpn_csc
-rw-r--r--  1 root    wheel     75 Apr 19 15:33 resolv.conf
-rw-------  1 root    wheel      0 Apr 17 22:40 sasyncd.conf
-rw-r--r--  1 root    wheel      0 Apr 19 15:33 slbd.conf
-rw-r--r--  1 root    wheel    649 Apr 19 16:29 syslog.conf
```

                  As you can see I've tried to stay consistent with how pfSense stores this information from the webgui. The extra files I've created are:
                  openvpn_client0.tls, and
                  ivacy-auth.up (as previously mentioned).

                  What I've done from the webgui is:

Protocol: UDP
Server address: openvpn.ivacy.com
Server port: 1194

Proxy port: 3128

Cryptography: BF-CBC (128-bit) (<---- the default; no idea what this should be for Ivacy?)
Authentication method: PKI

                  I've then copied and pasted the information supplied from Ivacy's website (which is linked to in the top of this post) for CA certificate, Client certificate and Client key.

                  LZO compression: enabled

                  Dynamic sourceport: enabled

Then in the custom options I've pasted this:

```
client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;
```

Which is a modified version of the one from Ivacy's website.

When I opened up the openvpn_client0.ca/cert/key files I noticed that at the end of each row there was "^M" which didn't look right. So I removed all these, which I believe were entered because of the copy-paste to the webgui.
                  
Now, when I check in the pfSense webgui under Status->System logs->OpenVPN I find this:

```
Apr 19 16:37:40 openvpn[7127]: Options error: Unrecognized option or missing parameter(s) in ./openvpn_client0.conf:25: crt (2.0.6)
Apr 19 16:37:40 openvpn[7127]: Use --help for more information.
```

This is of course referring to this line from the custom options field in the webgui:

```
crt /var/etc/openvpn_client0.cert;
```

                  
This is as far as I've come…
I've also found this thread regarding Ubuntu and Ivacy: http://ubuntuforums.org/showthread.php?t=1091626 where he can get further in the connection attempt.
                  
                  Regards,
                  Lockzi
Lockzi

                    Okay!

Some more progress just after posting! Making the previous post made me find a misspelling of:

```
crt /var/etc/openvpn_client0.cert;
```

Which should have been

```
cert /var/etc/openvpn_client0.cert;
```

Now when I fixed that I get this error instead…

```
Apr 19 17:00:05 openvpn[9203]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:33: script-security (2.0.6)
Apr 19 17:00:05 openvpn[9203]: Use --help for more information.
```
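As an added example (not code from this thread or from pfSense), a small Python linter for the two problems Lockzi hit in the last two posts plus one the ls listing shows: it expands the ';'-separated custom-options string into the lines pfSense writes into openvpn_client0.conf, flags the `crt` typo and the `script-security` directive that OpenVPN 2.0.6 rejected, flags the `^M` (CRLF) endings from pasting into the web GUI, and checks that the auth-user-pass file is not readable by other users. The function names and the assumption that `script-security` requires OpenVPN 2.1 are mine.

```python
import os
import stat
import tempfile

# Directives in the Ivacy sample config. script-security arrived in OpenVPN 2.1 (our
# assumption about the version boundary); the thread's log shows 2.0.6 rejecting it.
KNOWN = set("client dev proto remote resolv-retry nobind persist-key persist-tun ca cert key "
            "tls-auth ns-cert-type comp-lzo verb auth-user-pass redirect-gateway "
            "script-security reneg-sec".split())
MIN_VERSION = {"script-security": (2, 1)}  # everything else already exists in 2.0

# Lockzi's custom-options string, embedded here as constructed sample input.
THREAD_CUSTOM_OPTIONS = (
    "client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;"
    "crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;"
    "tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;"
    "auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;"
)

def expand_custom_options(custom):
    """pfSense writes each ';'-separated custom option as its own line of the .conf."""
    return [part.strip(" ") for part in custom.split(";") if part.strip()]

def lint_directives(lines, version=(2, 0)):
    """Return (line_no, message) pairs in the spirit of OpenVPN's 'Options error' lines."""
    problems = []
    for n, line in enumerate(lines, 1):
        if "\r" in line:  # the ^M Lockzi saw after pasting through the web GUI
            problems.append((n, "CRLF line ending (^M): strip it"))
        name = line.replace("\r", "").split()[0]
        if name not in KNOWN:
            problems.append((n, "Unrecognized option: %s" % name))
        elif MIN_VERSION.get(name, (2, 0)) > version:
            problems.append((n, "%s needs OpenVPN %d.%d or later" % ((name,) + MIN_VERSION[name])))
    return problems

def credential_file_ok(path):
    """The auth-user-pass file holds a cleartext password: allow no group/other access."""
    return (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def demo_credential_check():
    """0644, as ivacy-auth.up has in the ls output above, fails; 0600 passes."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write("username\npassword\n")
    results = []
    for mode in (0o644, 0o600):
        os.chmod(tmp.name, mode)
        results.append(credential_file_ok(tmp.name))
    os.unlink(tmp.name)
    return tuple(results)
```

In the listing above ivacy-auth.up is 0644, so any local account on the box can read the VPN password; a chmod 600 fixes that without affecting OpenVPN, which runs as root when it reads the file.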

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.