Netgate Discussion Forum

Setting up OpenVPN to access work

OpenVPN
13 Posts 4 Posters 952 Views
cobrahead

The IT guy at work gave me all the certs, password, addresses, etc. to set up an OpenVPN connection from my home to our work.

Is there a tutorial on setting this type of connection up and then assigning it to an unused ether port on my pf box?

Thanks

"PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."
johnpoz LAYER 8 Global Moderator

You would set it up via a client connection in pfSense. Pretty much like any guide on connecting to any VPN service.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
cobrahead @johnpoz

@johnpoz Thanks. It looks like the guide 'Configuring a Site-to-Site Static Key OpenVPN Instance' is probably the guide I need. After I get that going, I just need to assign it to one of the unused ether ports on my router box, right?
chpalmer @johnpoz

As a client device you need to assign yourself neither a port nor any firewall rules other than the local default rules you already have on your LAN.

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
johnpoz LAYER 8 Global Moderator

Does your work want you to set up a site-to-site VPN, or can you be a client? I would check with your IT guy on that.
cobrahead @johnpoz

@johnpoz I would be a client. Is there a 'how-to' in the OpenVPN Netgate docs on setting this up?
johnpoz LAYER 8 Global Moderator

That is a bit more complicated than you would think, to be honest, since each server could be set up differently. Did your IT guy give you the .ovpn file? This file would tell you how to connect; then you just need to put that info into the pfSense GUI.

Like I said, there are a bajillion guides on connecting to VPN services. You just need the details from your IT guy: What's the IP or FQDN? What port, TCP or UDP?

Are you using TLS for auth and encryption or just auth? What encryption, what auth digest algo, etc.
cobrahead @johnpoz

@johnpoz Yes, he did include a 'client.ovpn' along with ca.crt, client.crt, and client.key.
johnpoz LAYER 8 Global Moderator

Well, if you open up the client.ovpn file it will give you all the details (it's just a text file). Just transpose that to the client GUI.

If you post it, hiding the public IP of your server, we can walk through it. Or if you don't want to post it, PM me the details.
cobrahead @johnpoz

@johnpoz Just sent you a PM with the .ovpn details.
johnpoz LAYER 8 Global Moderator

auth SHA1

Yeah, that should be updated ;) SHA1 has been deprecated.

So your TCP over 1194 seems really ODD as well.

You understand his redirect command in there is going to send all traffic to him, even your internet. Doesn't make a lot of sense. Are you trying to set up this pfSense client actually at work? The autolocal in that cmd doesn't make a lot of sense unless you share a common network.
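Johnpoz's advice to open the client.ovpn file and transpose its details into the pfSense client, together with the points he flags above (auth SHA1, TCP over 1194, the redirect-gateway line), can be turned into a quick review script. This is an added example, not code from the thread or from pfSense; the sample profile, the host name vpn.example.invalid and the `settings` field names are constructed.

```python
"""Added example, not from the thread: pull the client directives out of an OpenVPN
.ovpn profile and flag what johnpoz called out (auth SHA1, TCP, redirect-gateway)."""
import re
# Constructed sample profile; the host name and the <ca> block are placeholders.
SAMPLE_OVPN = """\
proto tcp
remote vpn.example.invalid 1194
auth SHA1
redirect-gateway def1 autolocal
<ca>
PLACEHOLDER
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [args]}; inline <tag>...</tag> blocks become ["<inline>"]."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                             # inside <ca>, <cert>, <key>, <tls-auth>
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
            directives[in_block] = ["<inline>"]
        elif line and line[0] not in "#;":       # skip blank lines and comments
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives

def review_profile(d):
    """Map directives onto the fields a pfSense OpenVPN client needs; return (settings, notes)."""
    remote = d.get("remote", [])
    proto = (remote[2] if len(remote) > 2 else d.get("proto", ["udp"])[0]).lower()
    settings = {
        "server_host": remote[0] if remote else None,
        "server_port": int(remote[1]) if len(remote) > 1 else 1194,  # OpenVPN's default port
        "protocol": proto,
        "auth_digest": d.get("auth", ["SHA1"])[0].upper(),         # SHA1 is OpenVPN's default --auth
        "redirect_gateway": d.get("redirect-gateway"),             # None when the line is absent
    }
    notes = [msg for cond, msg in (
        (settings["auth_digest"] == "SHA1", "auth SHA1: ask the server side to move the HMAC digest to SHA256 or stronger"),
        (proto.startswith("tcp"), f"proto tcp on port {settings['server_port']}: OpenVPN normally runs over UDP; confirm TCP is intended"),
        (settings["redirect_gateway"] is not None, "redirect-gateway: all traffic, internet included, goes through the tunnel; use specific route directives if only the work LAN is wanted"),
    ) if cond]
    return settings, notes
```

Run it against the real client.ovpn instead of `SAMPLE_OVPN` to get the list of fields to enter in the pfSense client page plus the review notes.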
cobrahead @johnpoz

@johnpoz said in Setting up OpenVPN to access work:

auth SHA1

Yeah, that should be updated ;) SHA1 has been deprecated.

So your TCP over 1194 seems really ODD as well.

You understand his redirect command in there is going to send all traffic to him, even your internet. Doesn't make a lot of sense. Are you trying to set up this pfSense client actually at work? The autolocal in that cmd doesn't make a lot of sense unless you share a common network.

The network that I will be connecting to is the one at my small business. The 'IT guy' is offsite; we are not big enough to have an IT dept, so we have used his company's services for about 10 years now. In his opinion it was safer to have a tunnel to my business network, where I can then RDP into a couple of PCs and also log in to some various network devices without having ports open left and right.

He did mention that 'routes' could be set up to keep all of my traffic from going through to my business network. What would you recommend in place of SHA1? Also, what is odd about the TCP over 1194?

Thanks
Pippin

From memory, with regards to SHA1 being broken, this is not the case in OpenVPN.
This is because of the way it is used (HMAC-SHA1).
Add to that the key that changes hourly by default (--reneg-sec).
If one were able to break through OpenVPN's layered security (if set up that way), one could get one hour of data.

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.