OpenVPN for local clients



  • Hi,

    I've read some of the guides on this forum for setting up OpenVPN on pfSense. I have already done all the certificates and "uploaded" them to the pfSense server. The guides I see on this forum are for setting up OpenVPN for road warriors (people from outside should be able to connect to the LAN through OpenVPN). I would like to have a setup where people on my local WIFI connect to my WAN through OpenVPN and are only able to connect to the WAN in this way.

    I have done some OpenVPN installations on Debian/Ubuntu earlier, but it seems to work differently on pfSense (no TUN/TAP interface? etc.).

    Is my solution possible, if so any ideas on how to accomplish it would be appreciated.

    Thanks.



  • What do you mean with you "uploaded" the certificates to the pfSense server?

    Generally: do everything through the GUI.

    The tap interface is there, you just don't see it (it's hidden in the GUI).

    What you want to do is doable.
    Delete all firewall rules on your WLAN interface and create a single firewall rule allowing access to the pfSense on UDP on port 1194 only.

    You might want to use the custom command push "redirect-gateway local"



    Sorry for the wrong expression. I meant that I've created all the certificates and copy/pasted them into the GUI as described in the guides regarding OpenVPN on pfSense.

    I am not sure that I understand you right. You want me to delete all rules on the WIFI interface and then create one rule that allows traffic on UDP port 1194?
    What do you mean here?

    You might want to use the custom command push "redirect-gateway local"



  • Deleting all rules means you deny all traffic.
    (well you would also need a rule to allow DHCP-traffic)

    The rule to allow UDP 1194 is to let the users access the OpenVPN server.

    Read the howtos on the OpenVPN page:
    http://openvpn.net/howto.html#redirect



    Just one more question: how can I see which interface or IP address the OpenVPN server is running on? I am getting a timeout when I try to connect to it; I guess that it is because I am using the wrong IP address to connect.

    These are the IP settings on my OpenVPN page:

    address pool: 192.168.50.0/24
    local network: 192.168.10.0/24

    The IP address on the interface I would like to run the OpenVPN server is:

    192.168.10.1



    It runs on all interfaces.
    The "local network" refers to the subnet you want to be accessible to the clients.
    Since your clients are in the 192.168.10.0/24 subnet itself, you don't need to set this field.

    Did you make sure you created the right firewall rule?
    Could you show screenshots?



    Removing the IP address from the "local network" field helped, or I got one step further, I guess.

    Now when I try to connect I get this error (on the client):

    mathias@mathias-laptop:~/diverse filer$ sudo sh vpn.sh
    mathias@mathias-laptop:~/diverse filer$ Thu Feb 12 21:22:39 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
    Thu Feb 12 21:22:39 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Thu Feb 12 21:22:39 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Thu Feb 12 21:22:39 2009 LZO compression initialized
    Thu Feb 12 21:22:39 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Thu Feb 12 21:22:39 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Feb 12 21:22:39 2009 Local Options hash (VER=V4): '69109d17'
    Thu Feb 12 21:22:39 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Thu Feb 12 21:22:39 2009 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Thu Feb 12 21:22:39 2009 Attempting to establish TCP connection with 192.168.10.1:1194 [nonblock]
    Thu Feb 12 21:22:40 2009 TCP connection established with 192.168.10.1:1194
    Thu Feb 12 21:22:40 2009 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Thu Feb 12 21:22:40 2009 TCPv4_CLIENT link local: [undef]
    Thu Feb 12 21:22:40 2009 TCPv4_CLIENT link remote: 192.168.10.1:1194
    Thu Feb 12 21:22:40 2009 TLS: Initial packet from 192.168.10.1:1194, sid=522eaa2f 1795c961
    Thu Feb 12 21:22:40 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=DA/ST=NF/L=Nykobing/O=Mejborn/CN=albert/emailAddress=***@***.dk
    Thu Feb 12 21:22:40 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Thu Feb 12 21:22:40 2009 TLS Error: TLS object -> incoming plaintext read error
    Thu Feb 12 21:22:40 2009 TLS Error: TLS handshake failed
    Thu Feb 12 21:22:40 2009 Fatal TLS error (check_tls_errors_co), restarting
    Thu Feb 12 21:22:40 2009 TCP/UDP: Closing socket
    Thu Feb 12 21:22:40 2009 SIGUSR1[soft,tls-error] received, process restarting
    Thu Feb 12 21:22:40 2009 Restart pause, 5 second(s)

    Have I done something wrong copy/pasting the certificates?
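The handshake in the client log above dies at `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain`: OpenSSL built the chain the server presented, reached a self-signed CA at the top of it, and found that CA is not the one in the client's trusted CA file. The script below is an added example, not part of the thread or of pfSense: it reproduces that exact OpenSSL failure with two throwaway CAs (`ca_a` signs the server certificate, `ca_b` stands for a wrong CA pasted into the client config) and shows the issuer-versus-subject check to run by hand on a real client. All names and the temp directory are made up for the demo; it needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the thread.  Reproduces the handshake failure
# "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain"
# with two throwaway CAs and shows the check to run on the client's CA file.
# CA names (ca_a, ca_b), the "server" name and the temp directory are all
# made up for this demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: create a self-signed CA in $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_server_cert CA NAME: issue $WORK/NAME.crt signed by $WORK/CA.key
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -set_serial 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against TRUSTED_CA SERVER SENT_CA: what the OpenVPN client does at
# handshake.  The server sends its certificate (here together with its
# issuing CA); the client builds the chain and checks it against the CA
# file from its own config.  Prints the openssl result; returns 0 only on OK.
verify_against() {
    out=$(openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$3.crt" \
        "$WORK/$2.crt" 2>&1 || true)
    printf '%s\n' "$out"
    case $out in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# same_issuer CA SERVER: the quick check to run by hand.  Does the issuer of
# the server certificate equal the subject of the CA file the client has?
# The sed strips the "subject=" / "issuer=" prefix so the two DNs compare.
same_issuer() {
    ca_subject=$(openssl x509 -noout -subject -in "$WORK/$1.crt" | sed 's/^[a-z]*= *//')
    srv_issuer=$(openssl x509 -noout -issuer  -in "$WORK/$2.crt" | sed 's/^[a-z]*= *//')
    [ "$ca_subject" = "$srv_issuer" ]
}

main() {
    make_ca ca_a "Demo CA A"      || { echo "could not create CA A"; return 1; }
    make_ca ca_b "Demo CA B"      || { echo "could not create CA B"; return 1; }
    issue_server_cert ca_a server || { echo "could not issue server cert"; return 1; }

    echo "client trusts CA A (the CA that signed the server cert):"
    verify_against ca_a server ca_a && echo "-> handshake would succeed"

    echo "client trusts CA B (a different CA pasted into the client config):"
    # openssl reports "error 19 at 1 depth lookup": the chain tops out at a
    # self-signed CA the client was never told to trust.  Error 19 at depth 1
    # is exactly the VERIFY ERROR line in the OpenVPN client log.
    verify_against ca_b server ca_a || echo "-> handshake would fail"

    echo "issuer/subject check:"
    same_issuer ca_a server && echo "CA A issued server.crt"
    same_issuer ca_b server || echo "CA B did not issue server.crt"
}

main
```

To apply the same check to a real setup, run the `same_issuer` comparison with the `ca` file from the client config and the server certificate that pfSense is using; if the two DNs differ, the client was given a different CA than the one that signed the server certificate, and the handshake will fail with the error shown in the log no matter how the firewall rules are set.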



  • I guess I can show you some screenshots, what would you like to see?



  • I get the same errors… similar problem, I guess. If anyone could help? :-\



  • No one that has any idea of what bravo83 and I are doing wrong?

