PfSense as openVPN client



  • Since I was unable to get it done with IPcop and endian so far just a very general question:

    Will I be able to establish an openVPN connection with Ivacy? http://ivacy.com/en/doc/user/setup/winxp_openvpn
    So will pfSense work as a full operational openVPN client?
    Can I configure pfSense to block any traffic when openVPN connection fails?

    thank you



  • Yes pfSense can act as a client.
    I'm not sure what kind of additional authentication Ivacy does. (Your account and password?)

    Can you find out more what it is? (Are they using a PAM module to their authentication server?)

    I think it's possible to configure the firewall rules in a way that if the openVPN connection fails everything gets dropped.
    (create a balancing pool with as gateway the other side of the VPN tunnel and use this gateway in your default LAN-rule).



  • I'm not sure what kind of additional authentication Ivacy does. (Your accound and password?)

    Yes, username and password additionally.

    I've just entered all the information pfSense asks for and right now there is just
    a very basic problem, how can I connect/start the connection? :)
    At services there is just a ipsec server, no openvpn server to start….

    Since Ivacy offers a prepared config file, can I even copy it via shell without using the config GUI?



  • Hello,

    I have used the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

    custom options -> auth-user-pass file_with_login_pass

    might be a hack for the login but I currently have no idea for the tls contents

    Regards,

    Foo



  • @FooFighter:

    custom options -> auth-user-pass file_with_login_pass

    might be a hack for the login but I currently have no idea for the tls contents

    Well this ain't going to work for me as I only use the pfsense live CD:-(

    Or am I wrong?

    /Moelito



  • @FooFighter:

    Hello,

    I have used the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

    custom options -> auth-user-pass file_with_login_pass

    might be a hack for the login but I currently have no idea for the tls contents

    Regards,

    Foo

    Hi, I'm also in need of doing this!

    I've gotten to the same point as you, did you ever find the solution to this problem?
    I've looked at the OpenVPN website for answers on how to do this but no luck so far…

    The question is of how to handle the username and password authentication and the tls file.

    Regards,
    Lockzi



  • Hello again,

    here's an update to how far I've come…

    https://pr.ivacy.com/en/doc/help/setup/winxp_openvpn
    From there we can find that the OpenVPN should have these settings:

    client
    dev tun
    proto udp
    remote openvpn.ivacy.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ivacy-keys/ivacy-ca.crt
    cert ivacy-keys/ivacy-client.crt
    key ivacy-keys/ivacy-client.key
    tls-auth ivacy-keys/ivacy-tls.key 1
    ns-cert-type server
    comp-lzo
    verb 3
    auth-user-pass
    redirect-gateway
    script-security 3
    reneg-sec 0
    

    and they've also supplied us with the ca-cert, client-cert, client-key and tls-key.
    Beside this information we also need a username and password to connect to Ivacy.

    This user/pass information I've put in a file called ivacy-auth.up which looks like this:

    username
    password
    

    (1st row username, 2nd row password.)

    This is my directory structure of /var/etc/:

    # ls -l
    total 40
    drwxr-xr-x  2 root    wheel    512 Apr 19 15:10 bak
    -rw-r--r--  1 root    wheel     16 Apr 17 22:49 defaultdomain.conf
    -rw-r--r--  1 root    wheel     90 Apr 19 15:33 hosts
    -rw-r--r--  1 root    wheel      0 Apr 19 16:29 inetd.conf
    -rw-r--r--  1 root    wheel     17 Apr 19 14:58 ivacy-auth.up
    -rw-r--r--  1 root    wheel   5577 Apr 19 15:33 lighty-webConfigurator.conf
    -rw-r--r--  1 root    wheel    234 Apr 19 15:33 miniupnpd.conf
    drwxr-xr-x  2 root    wheel    512 Apr 17 22:42 mpd-vpn
    -rw-r--r--  1 root    wheel     78 Apr 19 15:33 ntpd.conf
    -rw-r--r--  1 nobody  nobody  1549 Apr 19 16:34 openvpn_client0.ca
    -rw-r--r--  1 nobody  nobody  4399 Apr 19 16:32 openvpn_client0.cert
    -rw-r--r--  1 root    wheel    665 Apr 19 16:29 openvpn_client0.conf
    -rw-r--r--  1 nobody  nobody  1675 Apr 19 16:35 openvpn_client0.key
    -rw-r--r--  1 root    wheel    636 Apr 19 15:14 openvpn_client0.tls
    drwxr-xr-x  2 nobody  nobody   512 Apr 19 15:33 openvpn_csc
    -rw-r--r--  1 root    wheel     75 Apr 19 15:33 resolv.conf
    -rw-------  1 root    wheel      0 Apr 17 22:40 sasyncd.conf
    -rw-r--r--  1 root    wheel      0 Apr 19 15:33 slbd.conf
    -rw-r--r--  1 root    wheel    649 Apr 19 16:29 syslog.conf
    

    As you can see I've tried to stay consistent with how pfSense stores this information from the webgui. The extra files I've created are:
    openvpn_client0.tls, and
    ivacy-auth.up (as previously mentioned).

    What I've done from the webgui is:

    Protocol: UDP
    Server address: openvpn.ivacy.com
    Server port: 1194

    Proxy port: 3128

    Cryptography: BF-CBC (128-bit) (<---- The default, no idea what this should be for Ivacy?)
    Authentication method: PKI

    I've then copied and pasted the information supplied from Ivacy's website (which is linked to in the top of this post) for CA certificate, Client certificate and Client key.

    LZO compression: enabled

    Dynamic sourceport: enabled

    Then in the custom options I've pasted this:

    client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;
    Which is a modified version of the one from Ivacy's website.
    
    When I opened up the openvpn_client0.ca/cert/key files I noticed that at the end of each row there was "^M" which didn't look right. So I removed all these, which I believe were entered because of the copy-paste to the webgui.
    
    Now, when I check in the pfSense webgui under Status->System logs->OpenVPN I find this:
    

    Apr 19 16:37:40 openvpn[7127]: Options error: Unrecognized option or missing parameter(s) in ./openvpn_client0.conf:25: crt (2.0.6)
    Apr 19 16:37:40 openvpn[7127]: Use --help for more information.

    
    This is of course referring to this line from the custom options field in the webgui
    

    crt /var/etc/openvpn_client0.cert;

    
    This is as far as I've come…
    I've also found this thread regarding ubuntu and Ivacy: [http://ubuntuforums.org/showthread.php?t=1091626](http://ubuntuforums.org/showthread.php?t=1091626) where he can get further in the connection attempt.
    
    Regards,
    Lockzi


  • Okay!

    Some more progress just after posting! Making the previous post made me find a misspelling of:
    crt /var/etc/openvpn_client0.cert;

    Which should have been

    cert /var/etc/openvpn_client0.cert;

    Now when I fixed that I get this error instead…

    Apr 19 17:00:05 openvpn[9203]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:33: script-security (2.0.6)
    Apr 19 17:00:05 openvpn[9203]: Use --help for more information.
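An added example, not code from the thread or from pfSense: it turns the pitfalls hit in the last two posts into an offline lint, expanding the semicolon-separated custom options the way pfSense does and flagging unknown option names such as `crt`, `^M` line endings pasted in from the web GUI, and an `auth-user-pass` file that other local users can read (the `ls -l` above shows `ivacy-auth.up` as mode 644). The known-option list is an assumption taken from the Ivacy sample config minus `script-security`, which the 2.0.6 log rejects; pfSense prepends its own generated lines to the real `.conf`, so the reported line numbers count custom options only.

```python
"""Lint pfSense OpenVPN custom options before handing them to the daemon.

Added example, not code from the thread or from pfSense.
"""
import os
import stat

# Options the thread's OpenVPN 2.0.6 build accepted, taken from the Ivacy sample
# config on this page; script-security is left out because the 2.0.6 log rejects
# it (assumption: the remaining Ivacy options are all accepted).
KNOWN_OPTIONS = {
    "client", "dev", "proto", "remote", "resolv-retry", "nobind", "persist-key",
    "persist-tun", "ca", "cert", "key", "tls-auth", "ns-cert-type", "comp-lzo",
    "verb", "auth-user-pass", "redirect-gateway", "reneg-sec",
}


def expand_custom_options(custom):
    """pfSense writes each ';'-separated custom option on its own .conf line."""
    return [part.strip() for part in custom.split(";") if part.strip()]


def lint_config(lines, modes=None):
    """Return [(line_no, problem), ...]; an empty list means nothing was found.

    modes: optional {path: permission bits} so the check runs without touching
    disk; when None the real file is stat()ed and skipped if it does not exist.
    """
    problems = []
    for no, raw in enumerate(lines, start=1):
        if "\r" in raw:  # the ^M the poster saw after pasting certs into the GUI
            problems.append((no, "CRLF line ending (^M); strip with tr -d '\\r'"))
        line = raw.replace("\r", "").strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        opt = words[0]
        if opt not in KNOWN_OPTIONS:
            problems.append((no, f"unrecognized option '{opt}'"))
        if opt == "auth-user-pass" and len(words) > 1:
            path = words[1]
            if modes is not None:
                mode = modes.get(path)
            else:
                mode = os.stat(path).st_mode if os.path.exists(path) else None
            if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append((no, f"{path} is readable by other users; chmod 600"))
    return problems
```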

