PfSense as openVPN client

jjd

Since I was unable to get it done with IPcop and endian so far just a very general question:

Will I be able to establish an openVPN connection with Ivacy? http://ivacy.com/en/doc/user/setup/winxp_openvpn
So will pfSense work as a full operational openVPN client?
Can I configure pfSense to block any traffic when openVPN connection fails?

thank you

GruensFroeschli

Yes pfSense can act as a client.
I'm not sure what kind of additional authentication Ivacy does. (Your accound and password?)

Can you find out more what it is? (Are they using a PAM module to their authentication server?)

I think it's possible to configure the firewallrules in a way that if the openVPN connection fails everything gets dropped.
(create a balancing pool with as gateway the other side of the VPN tunnel and use this gateway in your default LAN-rule).

jjd

I'm not sure what kind of additional authentication Ivacy does. (Your accound and password?)

Yes, username and password additionally.

I've just entered alle the information pfSense asks for and right now there is just
a very basic problem, how can I connect/start the connection? :)
At services there is just a ipsec server, no openvpn server to start….

Since Ivacy offers a prepared config file, can I even copy it via shell without using the config GUI?

FooFighter

Hello,

I use the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

custom options -> auth-user-pass file_with_login_pass

might be a hack for the login but I currently have mo idea for the tls contents

Regards,

Foo

Moelito

@FooFighter:

custom options -> auth-user-pass file_with_login_pass

might be a hack for the login but I currently have mo idea for the tls contents

Well this ain't going to work for me as I only use the pfsense live CD:-(

Or am I wrong?

/Moelito

Lockzi

@FooFighter:

Hello,

I use the OpenVPN-Client for quite a while with Ivacy VPN from Windows and Linux. As I just got my Alix based router up and running with pfsense, I'm curious where you entered your Ivacy login/password in the WEB-UI as I only got fields for the certs/keys there enabling PKI. Where did you put the contents of the Ivacy-tls.key file?

custom options -> auth-user-pass file_with_login_pass

might be a hack for the login but I currently have mo idea for the tls contents

Regards,

Foo

Hi, I'm also in need of doing this!

I've gotten to the same point as you, did you ever find the solution to this problem?
I've looked at the OpenVPN website for answears on how to do this but no luck so far…

The question is of how to handle the username and password authentication and the tsl file.

Regards,
Lockzi

Lockzi

Hello again,

here's an update to how far I've come…

https://pr.ivacy.com/en/doc/help/setup/winxp_openvpn
From there we can find that the OpenVPN should have these settings:

client
dev tun
proto udp
remote openvpn.ivacy.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ivacy-keys/ivacy-ca.crt
cert ivacy-keys/ivacy-client.crt
key ivacy-keys/ivacy-client.key
tls-auth ivacy-keys/ivacy-tls.key 1
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
redirect-gateway
script-security 3
reneg-sec 0

and they've also supplied us with the ca-cert, client-cert, client-key and tls-key.
Beside this information we also need a username and password to connect to Ivacy.

This user/pass information I've putted in a file called ivacy-auth.up which looks like this:

username
password

(1: st row username, 2: nd row password.)

This is my directory structure of /var/etc/:

# ls -l
total 40
drwxr-xr-x  2 root    wheel    512 Apr 19 15:10 bak
-rw-r--r--  1 root    wheel     16 Apr 17 22:49 defaultdomain.conf
-rw-r--r--  1 root    wheel     90 Apr 19 15:33 hosts
-rw-r--r--  1 root    wheel      0 Apr 19 16:29 inetd.conf
-rw-r--r--  1 root    wheel     17 Apr 19 14:58 ivacy-auth.up
-rw-r--r--  1 root    wheel   5577 Apr 19 15:33 lighty-webConfigurator.conf
-rw-r--r--  1 root    wheel    234 Apr 19 15:33 miniupnpd.conf
drwxr-xr-x  2 root    wheel    512 Apr 17 22:42 mpd-vpn
-rw-r--r--  1 root    wheel     78 Apr 19 15:33 ntpd.conf
-rw-r--r--  1 nobody  nobody  1549 Apr 19 16:34 openvpn_client0.ca
-rw-r--r--  1 nobody  nobody  4399 Apr 19 16:32 openvpn_client0.cert
-rw-r--r--  1 root    wheel    665 Apr 19 16:29 openvpn_client0.conf
-rw-r--r--  1 nobody  nobody  1675 Apr 19 16:35 openvpn_client0.key
-rw-r--r--  1 root    wheel    636 Apr 19 15:14 openvpn_client0.tls
drwxr-xr-x  2 nobody  nobody   512 Apr 19 15:33 openvpn_csc
-rw-r--r--  1 root    wheel     75 Apr 19 15:33 resolv.conf
-rw-------  1 root    wheel      0 Apr 17 22:40 sasyncd.conf
-rw-r--r--  1 root    wheel      0 Apr 19 15:33 slbd.conf
-rw-r--r--  1 root    wheel    649 Apr 19 16:29 syslog.conf

As you can see I've tried to stay consistent with how pfSense stores this information from the webgui. The extra files I've created are:
openvpn_client0.tls, and
ivacy-auth.up (as previously mentioned).

What I've done from the webgui is:

Protocol: UDP
Server adress: openvpn.ivacy.com
Server port: 1194

Proxy port: 3128

Cryptography: BF-CBC (128-bit) (<–--- The default, no idea what this should be for Ivacy?)
Authentication method: PKI

I've then copied and pasted the information supplied from Ivacy's website (which is linked to in the top of this post) for CA certificate, Client certificate and Client key.

LZO compression: enabled

Dynamic sourceport: enabled

Then in the custom options I've pasted this:

client;resolv-retry infinite;nobind;ca /var/etc/openvpn_client0.ca;crt /var/etc/openvpn_client0.cert;key /var/etc/openvpn_client0.key;tls-auth /var/etc/openvpn_client0.tls 1;ns-cert-type server;comp-lzo;verb 3;auth-user-pass /var/etc/ivacy-auth.up;redirect-gateway;script-security 3;reneg-sec 0;
```Which is a modified version of the one from Ivacy's website.

When I opened up the openvpn_client0.ca/cert/key files I noticed that at the end of each row there was "^M" which didn't look right. So I removed all these, which I belive where entered because of the copy-paste to the webgui.

Now, when I check in the pfSense webgui under Status->System logs->OpenVPN I find this:

Apr 19 16:37:40 openvpn[7127]: Options error: Unrecognized option or missing parameter(s) in ./openvpn_client0.conf:25: crt (2.0.6)
Apr 19 16:37:40 openvpn[7127]: Use --help for more information.

This is ofcourse refering to this line from the custom options field in the webgui

crt /var/etc/openvpn_client0.cert;

This is as far as I've come…
I've also found this thread regarding ubuntu and Ivacy: [http://ubuntuforums.org/showthread.php?t=1091626](http://ubuntuforums.org/showthread.php?t=1091626) where he can get further in the connection attempt.

Regards,
Lockzi

Lockzi

Okay!

Some more progress just after posting! Making the previous post made me find a misspelling of:
crt /var/etc/openvpn_client0.cert;

Which should have been

cert /var/etc/openvpn_client0.cert;

Now when I fixed that I get this error instead…

Apr 19 17:00:05 openvpn[9203]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:33: script-security (2.0.6)
Apr 19 17:00:05 openvpn[9203]: Use –help for more information.