Configuring pfSense as OpenVPN client

Mascot · Nov 11, 2018, 2:33 AM

I'm trying to configure pfSense as OpenVPN client, but can't make it work. What I did so far:

Added Certificate Authority provided by OpenVPN service I'm trying to connect to.
Added Certificate provided by them to System / Certificate Manager /Certificates
Added client to VPN / OpenVPN / Clients with following settings (leaving rest of them as they are by default):

set Server host to the one of my OpenVPN service;
unchecked Use a TLS Key check box;
Client Certificate set to the one I added in step №2;
Encryption Algorithm set to "BF-CBC";
Verbosity level - 4.

Added and enabled this OpenVPN client as OPT2 interface.
In Firewall / NAT / Outbound I chose Manual Outbound NAT rule generation and created copies of each rule with interface set to OPT2.
In Firewall / Rules / LAN I changed Default allow LAN to any rule Gateway to OPT2 (i.e. OpenVPN client).

At this point I lose internet connection. Current "Status / OpenVPN" is "up". Here is the OpenVPN log:

Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.252.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.254.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.255.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.128.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.128.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.240.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.248.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.192.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.248.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.248.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.252.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.248.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.254.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.128.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.224.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.240.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.240.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.254.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.248.0.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.128.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.224.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.224.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.252.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.248.0
Nov 11 04:55:46	openvpn	18678	/sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 255.255.240.0
Nov 11 04:55:46	openvpn	18678	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 11 04:55:46	openvpn	18678	Initialization Sequence Completed
Nov 11 04:55:49	openvpn	18678	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Nov 11 04:55:49	openvpn	18678	MANAGEMENT: CMD 'state 1'
Nov 11 04:55:49	openvpn	18678	MANAGEMENT: CMD 'status 2'
Nov 11 04:55:50	openvpn	18678	MANAGEMENT: Client disconnected

I'm trying to figure out if the problem in my Firewall/NAT rules or in "Client" section settings? Please, help.

Rico · Nov 11, 2018, 2:17 PM

So you want to use some VPN Provider as WAN or what is your goal?
There is a great Netgate hangout done by @jimp covering exactly this topic, check it out: https://www.youtube.com/watch?v=lp3mtR4j3Lw

-Rico

Mascot · Nov 12, 2018, 2:29 AM

@rico
Thanks for the link. I watched whole video.

So you want to use some VPN Provider as WAN or what is your goal?

I guess it's a question of terminology. I need to access internet via OpenVPN service / VPN provider, so I think the answer is - yes.

As far as I can understand, I did what is advised to be done in this video. The thing is internet access via OpenVPN still doesn't work for me at the moment. That is why I'm looking for help here.

I noted these differences between my settings and example on the video:

Instead of Hybrid Outbound NAT rule as in video, I chose Manual Outbound NAT rule generation as advised in other tutorials that I found.
Also, in Firewall / Rules as a Source I have LAN net (instead of Single host or alias as in example on video) - because that is the way it was set by default in this predefined rule.
Unlike example in the video, I did not checked Don't pull routes checkbox in "Client" settings (because tutorial I followed didn't mentioned that I should).
Another difference with the video is that Use a TLS Key option is unchecked - because I can't find this key in file provided by my OpenVPN service, so I assume it's not needed.

At the moment I cannot locate the problem - is it in firewall rules or in client settings or somewhere else?

Derelict · Nov 12, 2018, 5:12 PM

@mascot said in Configuring pfSense as OpenVPN client:

@rico
Thanks for the link. I watched whole video.

So you want to use some VPN Provider as WAN or what is your goal?

I guess it's a question of terminology. I need to access internet via OpenVPN service / VPN provider, so I think the answer is - yes.

As far as I can understand, I did what is advised to be done in this video. The thing is internet access via OpenVPN still doesn't work for me at the moment. That is why I'm looking for help here.

I noted these differences between my settings and example on the video:

Instead of Hybrid Outbound NAT rule as in video, I chose Manual Outbound NAT rule generation as advised in other tutorials that I found.

Unless you otherwise need Manual NAT, Hybrid is usually a better choice. Your other tutorials are probably too old to reference Hybrid. It's not new but relatively new.

Also, in Firewall / Rules as a Source I have LAN net (instead of Single host or alias as in example on video) - because that is the way it was set by default in this predefined rule.

Fine. That will catch traffic sourced from LAN net (the whole subnet) instead of the hosts specified there or in the referenced alias.

Unlike example in the video, I did not checked Don't pull routes checkbox in "Client" settings (because tutorial I followed didn't mentioned that I should).

If you want to Policy Route traffic to the VPN, you generally check Don't pull routes. If you pull def1 routes from the VPN provider that can affect all traffic even traffic generated on the firewall itself. If you policy route, you control what traffic coming into an interface gets routed to the VPN.

My opinion is that pulling def1 routes is a better solution for a single host like a laptop, and not pulling def1 plus policy routing is a better solution for a firewall with things going on other than OpenVPN.

Another difference with the video is that Use a TLS Key option is unchecked - because I can't find this key in file provided by my OpenVPN service, so I assume it's not needed.

Right. If they didn't provide a TLS key, it should be disabled.

At the moment I cannot locate the problem - is it in firewall rules or in client settings or somewhere else?

Hard to say. That video is pretty thorough. Is the tunnel even coming up? Are all of those route add logs for another tunnel? That would be very strange for a VPN provider.

Probably time for full screenshots of your configuration.

Mascot · Nov 14, 2018, 3:04 AM

@derelict said in Configuring pfSense as OpenVPN client:

Unless you otherwise need Manual NAT, Hybrid is usually a better choice.

I chose Hybrid as you recommend. (Except that when I add RFC1918/32 in Firewall / NAT / Outbound as in video, I get an error: "A valid source must be specified.", so in a Source field I entered 192.168.1.0/24 instead.) Here are the screenshots:

My opinion is that pulling def1 routes is a better solution for a single host like a laptop, and not pulling def1 plus policy routing is a better solution for a firewall with things going on other than OpenVPN.

When I try enabling Don't pull routes setting I get these errors in OpenVPN log:

Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	PUSH: Received control message: 'PUSH_REPLY,route XXX.XXX.XXX.XXX 255.254.0.0,route XXX.XXX.XXX.XXX 255.248.0.0,route XXX.XXX.XXX.XXX 255.255.128.0,route XXX.XXX.XXX.XXX 255.255.224.0,route XXX.XXX.XXX.XXX 255.255.224.0,route XXX.XXX.XXX.XXX 255.255.252.0,route XXX.XXX.XXX.XXX 255.255.252.0,route XXX.XXX.XXX.XXX 255.255.252.0,route XXX.XXX.XXX.XXX 255.255.252.0,route XXX.XXX.XXX.XXX 255.255.252.0,route XXX.XXX.XXX.XXX 255.255.248.0,route XXX.XXX.XXX.XXX 255.255.240.0,ifconfig 192.168.100.30 255.255.252.0,peer-id 23,cipher AES-128-GCM,push-continuation 1'
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: timers and/or timeouts modified
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: --ifconfig/up options modified
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: route-related options modified
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: peer-id set
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 13 10:56:16	openvpn	739	OPTIONS IMPORT: data channel crypto options modified
Nov 13 10:56:16	openvpn	739	Data Channel: using negotiated cipher 'AES-128-GCM'
Nov 13 10:56:16	openvpn	739	Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Nov 13 10:56:16	openvpn	739	Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Nov 13 10:56:16	openvpn	739	Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Nov 13 10:56:16	openvpn	739	TUN/TAP device ovpnc1 exists previously, keep at program end
Nov 13 10:56:16	openvpn	739	TUN/TAP device /dev/tun1 opened
Nov 13 10:56:16	openvpn	739	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 13 10:56:16	openvpn	739	/sbin/ifconfig ovpnc1 192.168.100.30 192.168.100.1 mtu 1500 netmask 255.255.252.0 up
Nov 13 10:56:16	openvpn	739	/sbin/route add -net 192.168.100.0 192.168.100.1 255.255.252.0
Nov 13 10:56:16	openvpn	739	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1552 192.168.100.30 255.255.252.0 init
Nov 13 10:56:16	openvpn	739	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 13 10:56:16	openvpn	739	Initialization Sequence Completed
Nov 13 10:56:18	openvpn	739	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Nov 13 10:56:18	openvpn	739	MANAGEMENT: CMD 'state 1'
Nov 13 10:56:18	openvpn	739	MANAGEMENT: CMD 'status 2'
Nov 13 10:56:18	openvpn	739	MANAGEMENT: Client disconnected

Is the tunnel even coming up? Are all of those route add logs for another tunnel? That would be very strange for a VPN provider.

How to check this? OpenVPN status is "up", I also see Initialization Sequence Completed line in OpenVPN logs. I have no other VPN configurations. If I ping 8.8.8.8 (Google DNS) from Windows, I get reply from 192.168.100.1 (pfSense IP of OpenVPN interface) saying port is unavailable.

Here are screenshots of Firewall / Rules / LAN:

Here are OpenVPN client settings:

Derelict · Nov 14, 2018, 3:16 AM

Show a screen shot of the actual thing you are entering that results in the error. No insult intended, but it sounds like you are confused.

What is RFC1918/32?

Mascot · Nov 14, 2018, 3:40 AM

@derelict said in Configuring pfSense as OpenVPN client:

Show a screen shot of the actual thing you are entering that results in the error. No insult intended, but it sounds like you are confused.

Well, I am now. Entering where? I mentioned several errors in different cases.

What is RFC1918/32?

I'm a wrong person to ask this question. It should be addressed to @jimp. RFC1918 / 32 is what he enters as Source on this video (at 35:20), I just blindly copied it.

Derelict · Nov 14, 2018, 3:50 AM

OK. /32 has nothing to do with anything. What matters is the contents of your RFC1918 alias there.

It is intended that the RFC1918 alias be a network alias containing:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

The RFC1918 alias would be created in Firewall > Aliases

I didn't watch the whole video. It might have been presumed one would know to do that basic step.

Mascot · Nov 14, 2018, 5:10 AM

I created "RFC1918" alias and specified it as a Source in Firewall / NAT / Ooutbound:

Alas, internet through OpenVPN still doesn't work.

Mascot · Nov 19, 2018, 7:23 AM

This OpenVPN provider does not route all the traffic via VPN, but only traffic to certain websites. So how to make pfSense use routes sent by this OpenVPN server?

Derelict · Nov 19, 2018, 8:54 AM

It doesn't work that way. Or at least I have never seen one that takes that responsibility.

You either accept a default route from them or you policy route the traffic you want over the VPN.

If they are sending you routes and you trust them, uncheck Don't pull routes on the client configuration.

Mascot · Nov 19, 2018, 12:36 PM

@derelict said in Configuring pfSense as OpenVPN client:

It doesn't work that way.

Usually VPN doesn't work that way, but this particular one - does.

uncheck Don't pull routes on the client configuration.

It is unchecked.

I don't know, what else should I try to make it work? Maybe it is simply impossible to make pfSense work with this type of OpenVPN?

johnpoz · Nov 19, 2018, 12:39 PM

Are you getting routes from them? Simple enough to look at pfsense route table... Do you see a shitton of routes? To wherever you would want to go out your vpn vs the default one?

Your not sending traffic out a specific gateway are you - if so then your not using the pfsense route table no matter what or how many routes it has in it.

Mascot · Nov 22, 2018, 12:47 PM

@johnpoz said in Configuring pfSense as OpenVPN client:

Are you getting routes from them? Simple enough to look at pfsense route table... Do you see a shitton of routes?

I see many /sbin/route add -net XXX.XXX.XXX.XXX 192.168.100.1 entries in OpenVPN log (where XXX - are various IP addresses).

I also see these same IP addresses in Diagnostics / Routes with gateway being 192.168.100.1 (that is IP address assigned by pfSense to OpenVPN inteface).

Your not sending traffic out a specific gateway are you - if so then your not using the pfsense route table no matter what or how many routes it has in it.

In Firewall / Rules / LAN I edited Default allow LAN to any rule setting gateway to be OPT2 (192.168.100.1), that is OpenVPN interface. At this point I lose internet connection. If you mean something else, then please explain how do I send traffic out a specific gateway?

johnpoz · Nov 22, 2018, 1:44 PM

Seeing route -add doesn't mean it actually happens.

Look in the actual route table.. If you set openvpn to NOT pull routes they could be set to be put in but not actually put in.. Setting a gateway yes will force traffic out that gateway, and the route table will not even be looked at.

So if your wanting IP x to go out vpn and IP y to go out your wan without the vpn then setting gateway all traffic will go out that interface.

What is your outbound nat setup like - even if the traffic would be allowed to go out the vpn and get where it ultimately needs to go, if you do not nat your local traffic to the vpn interface IP its not going to work.

Mascot · Nov 22, 2018, 5:23 PM

@johnpoz said in Configuring pfSense as OpenVPN client:

Look in the actual route table.

Isn't Diagnostics / Routes a route table? Like I said, these IP addresses are there. If it is not a route table, then where should I look for it in pfSense?

What is your outbound nat setup like - even if the traffic would be allowed to go out the vpn and get where it ultimately needs to go, if you do not nat your local traffic to the vpn interface IP its not going to work.

I didn't change Firewall / NAT / Ooutbound setup since I posted screenshot of these settings. Interface is set to be OPT2 (OpenVPN).

Could you please describe step by step how should I set up pfSense to work with this OpenVPN? If it is even possible? I guess otherwise I just will have to accept that pfSense simply cannot be configured to work with this OpenVPN provider.

Derelict · Nov 22, 2018, 5:34 PM

What VPN provider is this?

Have you verified that the routes being pushed actually cover the addresses of the sites you think should be routed that way?

Are any of the route add logs indicating failure?

Are the pushed routes actually going tinto the routing table?

If so, pfSense and OpenVPN are working fine here.