Using pfSense as OpenVPN Client
-
@tangooversway said in Using pfSense as OpenVPN Client:
I've used a few web pages like this one and this one but I can't find all the answers in one place
What about the documentation ?
@tangooversway said in Using pfSense as OpenVPN Client:
I have not found a single tutorial or HOWTO that goes over that.
I'm not using all of them, just rarely this one (see link) when I have to change my WAN IPv4 for testing purposes.
When I throw this pfsense expr*ssvpn at Google, I get a usable answer on the very first link.
@tangooversway said in Using pfSense as OpenVPN Client:
is there a recipe for pfSense to use it as an OpenVPN client? How do I import the crt and key files needed for the client and is there some way to just use the client configuration file and crt and key files to set up the client?
This is how OpenVPN works.
It's hard to hide everything behind a nice looking GUI.
You have to set up a couple of them, and then you'll get the basic picture.
A VPN client connects to a VPN server, and this means that you should have the details about how to set it up to 'that' server. The classic VPN ISPs prefer by far that you install "their app", as they can test and support the app on any device. Using the connection from a router such as pfSense is often 'not supported' at all, as billions of configurations might exist, not known upfront to the VPN ISP. So not supportable.
There are more modern ( ? ) VPN type possibilities, like Tailscale and WireGuard.
-
@viragomann said in Using pfSense as OpenVPN Client:
What do you call VPN subnet?
In my understanding, the VPN subnet is the tunnel network, but there is no need to route this over the VPN at all. So you're obviously meaning something different.
Say my LAN is using 192.168.0.0/255.255.255.0 and within my VPN, using OpenVPN for DNS, it's using 192.168.1.0/255.255.255.0. So if, on my LAN, I specify something like "ssh 192.168.1.1," then pfSense sends that to the VPN since it's in the VPN's subnet range. And, after I get other things set up, maybe get pfSense to send DNS requests to the VPN server and, when there's no answer, then send them to an internet DNS.
@viragomann said in Using pfSense as OpenVPN Client:
Is the server already set up and running? Did you get already any connection with another client?
Yes, I have most of the work done. I just need to get the pfSense client setup so I'll have a tunnel from the server on a VPS to my LAN (via pfSense). When I asked for some help on this elsewhere, and had specified I had the server and 2 iOS clients connecting. I've had a few people tell me to switch to WireGuard - but dropping it all on the last leg of the process seems wasteful to me.
@viragomann said in Using pfSense as OpenVPN Client:
The certificates can be exported and imported by the use of the certificate manager.
Importing of a config is only available in Plus versions, as far as I know.
Okay, got that now. I imported ca.cert that way, but I was thinking that I'd probably have to upload the certs for OpenVPN through the OpenVPN setup - I didn't realize that I could upload all certs through the certificate manager. (I've hardly ever worked with certificates before, so I wasn't sure if there was some kind of distinction between types and uses.) I don't need to upload a config file - just thinking it'd be easier to upload something with the settings rather than having to set them all manually.
@johnpoz said in Using pfSense as OpenVPN Client:
@tangooversway Routing what traffic you want over a VPN client connection in pfSense would be a simple policy route, be it a network/VLAN, just specific ports (DNS), or even just specific IPs of devices on any of your networks.
That's what I figured - that once I got OpenVPN working, the routing wouldn't be that hard.
@johnpoz said in Using pfSense as OpenVPN Client:
Not exactly sure what you're asking - are you asking about traffic from one of your VLANs on your network that wants to talk to your LAN segment? This would have no reason to go out your VPN, and would be simple firewall rules to allow the traffic, before you policy route the traffic out your VPN.
See the 2nd paragraph in this post, responding to someone else. That's what I mean. If I'm using the wrong terms, feel free to correct me.
@johnpoz said in Using pfSense as OpenVPN Client:
As to the TLS key? Or the client cert and key - the tls would be pasted into the client config gui, and the cert/key for the client cert would be installed via the cert manager and then selected in the client connection gui
Okay - got that. Thanks. I guess I was looking in the wrong places and thinking in terms of uploading a file, not in pasting it in. (Should have realized that, since I had to paste the ca.crt in.)
@gertjan said in Using pfSense as OpenVPN Client:
What about the documentation ?
Interesting. That was not the page I was getting. I got a page with links to various recipes that were not giving me what I needed. Your link is far more useful. (I have an odd habit of trying to be too specific with Google and always seem to find the links others don't find.) Thanks!
@gertjan said in Using pfSense as OpenVPN Client:
I'm not using all of them, just rarely this one (see link) when I have to change my WAN IPv4 for testing purposes.
When I throw this pfsense expr*ssvpn at Google, I get a usable answer on the very first link.
Ah - I take it that we're not supposed to use the names of commercial products here and that's the reason for the asterisk? I gave up on the HOWTO pages by services after 2-3 of them, since they all had things on them that didn't work with what I'm trying to do.
@gertjan said in Using pfSense as OpenVPN Client:
It's hard to hide everything behind a nice looking GUI.
I've been comfortable with the command line since the 1970s, when I was using dead-tree terminals and did not yet even have CRT terminals available to me. Not having a GUI is not the problem. The problem is trying to piece together all the info when some is outdated (even in "official" OpenVPN docs, for example), or finding what part can be used from, say, P---VPN, and what can be used from N---, along with what doesn't contradict what the other does. I get it. When you're coding, you test and make sure it all works, then you have to debug it, and writing documentation is about the last thing a developer wants to do. And then, as things change bit by bit, it's easy to think, "I'll update it all when I get to a major version upgrade," and then the details are forgotten. I don't remember just what it was, but there were things in the OpenVPN docs I tried that gave me errors. The one I do remember is the specification for the cipher.
@gertjan said in Using pfSense as OpenVPN Client:
You have to set up a couple of them, and then you'll get the basic picture.
Which makes it hard if you need ONE for your business, and are still working 10 hours a day on the business and trying to get this one extra task done. I looked into a number of alternatives, such as a VPN/proxy like N---, P---VPN, P--, and a number of others. I found I could use one of them for my outgoing connections, but none of them did all I need. If they did port forwarding for more than one port, they didn't have split-tunneling. If they worked with one OS I use, they didn't work with another - and so on. As for OpenVPN and their commercial server (I think that's Connexa?), I found there's no intermediate ground. (Same for many services.) Either you limit yourself to 1 or 2 connections or it's a high monthly fee. I didn't find any (and, again, sometimes I'm off on my searches) that gave me an external server, would work with iOS and pfSense, and have a reasonable monthly cost. So my only reasonable alternative seems to be setting up OpenVPN on my own. If this were about 15 years ago, when I was actually dealing with networking and a lot of sysadmin work on Linux, it'd be a lot easier because I've forgotten so much in the time in between.
@gertjan said in Using pfSense as OpenVPN Client:
There are more modern ( ? ) VPN type possibilities, like Tailscale and WireGuard.
Yes, I've seen people recommend those, but when there's only one thing left to do in a setup, it's rarely a good time to change to another system. Also, I went to the pfSense package manager to check on getting Tailscale and WireGuard, but my package manager cannot access any packages. So that's another task before I can use those two, which is even more to deal with. (I want to fix it - but I need to get OpenVPN or some other way to reach systems in my LAN working first - then I can check and see if I'm too far behind on upgrades or need to fix something else to get packages working.)
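The ordering point in johnpoz's quoted replies above (allow LAN-to-VLAN traffic first, then policy-route the rest out the VPN gateway) is easy to see with a small first-match rule evaluator. This is an added illustration, not code from pfSense or from anyone in this thread; the LAN, VLAN and tunnel segments, the host addresses and the gateway name OPENVPN_GW are constructed for the example.

```python
"""First-match evaluation of LAN firewall rules with policy routing.

pfSense evaluates interface rules top-down and stops at the first match
(pf 'quick'). A rule with a gateway set policy-routes the packet out that
gateway; a rule without one leaves it to the system routing table.
All networks, hosts and the gateway name below are constructed.
"""
from ipaddress import ip_address, ip_network


def rule(action, src, dst, gateway=None, proto=None, dport=None, note=""):
    """One LAN-interface rule. gateway=None means 'use the system routing table'."""
    return {"action": action, "src": ip_network(src), "dst": ip_network(dst),
            "gateway": gateway, "proto": proto, "dport": dport, "note": note}


def matches(r, src, dst, proto, dport):
    """True when the packet's addresses, protocol and destination port fit the rule."""
    return (ip_address(src) in r["src"] and ip_address(dst) in r["dst"]
            and r["proto"] in (None, proto) and r["dport"] in (None, dport))


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Walk the rules top-down and stop at the first match.

    Returns (action, gateway, note). Anything that matches no rule is blocked,
    mirroring the implicit default deny on a pfSense interface.
    """
    for r in rules:
        if matches(r, src, dst, proto, dport):
            gw = r["gateway"] if r["action"] == "pass" else None
            return r["action"], gw, r["note"]
    return "block", None, "default deny"


# Constructed segments: the LAN, a VLAN, and the OpenVPN tunnel network from the thread.
LAN, VLAN, VPN_NET = "192.168.0.0/24", "192.168.10.0/24", "192.168.1.0/24"

# Correct order: local traffic first, then the policy routes, then the catch-all.
GOOD_ORDER = [
    rule("pass", LAN, VLAN, note="LAN to VLAN, normal routing"),
    rule("pass", LAN, VPN_NET, gateway="OPENVPN_GW", note="LAN to tunnel network"),
    rule("pass", LAN, "0.0.0.0/0", gateway="OPENVPN_GW", proto="udp", dport=53,
         note="DNS via VPN"),
    rule("pass", LAN, "0.0.0.0/0", note="everything else via WAN"),
]

# Wrong order: a broad policy route above the local-segment rule swallows LAN-to-VLAN,
# so the second rule is never reached.
BAD_ORDER = [
    rule("pass", LAN, "0.0.0.0/0", gateway="OPENVPN_GW", note="all LAN traffic via VPN"),
    rule("pass", LAN, VLAN, note="LAN to VLAN (never reached)"),
]

# Constructed test packets: ssh to a VLAN host, ssh to the tunnel, DNS, and plain HTTPS.
PACKETS = [
    ("192.168.10.7", "tcp", 22),
    ("192.168.1.1", "tcp", 22),
    ("198.51.100.53", "udp", 53),
    ("203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name)
        for dst, proto, dport in PACKETS:
            action, gw, note = evaluate(rules, "192.168.0.5", dst, proto, dport)
            print(f"  {dst:>14} {proto}/{dport}: {action} via {gw or 'routing table'} ({note})")
```

Running it shows that with the bad order the VLAN host is sent to OPENVPN_GW instead of being routed locally, which is exactly the symptom of putting the policy route above the allow rule for local segments.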
-
@tangooversway said in Using pfSense as OpenVPN Client:
Ah - I take it that we're not supposed to use the names of commercial products here and that's the reason for the asterisk?
Afaik, not forbidden. My '*' is just an anti-indexing measure.
When using OpenVPN, you have to be aware that every pfSense version ships another OpenVPN version. Older ones use 2.4.x, the newer ones:
[23.01-RELEASE][admin@pfSense.near.by]/root: openvpn --version
OpenVPN 2.6_beta1 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
....
There are options - sorry to be vague about them - that exist while using 2.4.x and are deprecated when using 2.6.x. So it can be a sport to match a client using version x and a server using version y.
Even better: a VPN ISP doesn't tell you what version they use. They might even have compiled their own version, as their main goal is: make it work with their client app.
@tangooversway said in Using pfSense as OpenVPN Client:
but I need to get OpenVPN or some other way to reach systems in my LAN working first
The "do this and you'll be good" exists: Configuring OpenVPN Remote Access in pfSense Software
-
@gertjan said in Using pfSense as OpenVPN Client:
There are options - sorry to be vague about them - that exist while using 2.4.x and are deprecated when using 2.6.x. So it can be a sport to match a client using version x and a server using version y.
I can understand the reason for the vagueness - sometimes it's hard to keep current with those issues. But thanks for the warning about version changes - those sound like dramatic changes that one has to keep track of, so it's good to know about that issue.
@gertjan said in Using pfSense as OpenVPN Client:
Even better: a VPN ISP doesn't tell you what version they use. They might even have compiled their own version, as their main goal is: make it work with their client app.
I've run into that with VPN, too. There are changing options, one specific one is encryption. It changes from version to version. Since Debian is more focused on stability than on bleeding or leading edge, it often has older versions in its distros. (And that's one reason I like it. I used Debian back when I ran a data mining business - it was non-exploitive, believe it or not - and I actually slept better at night knowing my software was running on one of the most over-tested systems around. At that time, and I can't remember the reasoning, Debian had gone 3 years between versions, so I knew what I was using had been tested by thousands of people for a long time before that new version went solid and I installed it.)
Sorry - sidetracked. So the Debian 11 OpenVPN version is something like 2.5.x and the version on my iOS devices is 3.3.x.
@gertjan said in Using pfSense as OpenVPN Client:
The "do this and you'll be good" exists: Configuring OpenVPN Remote Access in pfSense Software
I'll go through that tomorrow. As it is, it's late, even for a night-owl like me. I had a problem with certs and keys and had to redo them. That's easy - but I'm tired enough that I'm having trouble keeping up with making sure all the right files are going to the right client and so on. So it's time to stop and pick it up tomorrow. Thanks - I'll let you know what I find and how things work out.
-
@gertjan said in Using pfSense as OpenVPN Client:
The "do this and you'll be good" exists: Configuring OpenVPN Remote Access in pfSense Software
Got a chance to watch that today. It's for using pfSense as a VPN server, not as a client. In fact, it's a good example of this issue: They don't mention "server" for a while into the video, as if it's assumed if you're using OpenVPN on pfSense, it's as a server. I'm finding that issue over and over.
-
@tangooversway What exactly are you having an issue with? What options in the client tab are you not understanding? Do you have your server set up? Have you connected via some other client like Windows or your iPhone to the server you set up, so you can then set up pfSense to connect to this server?
I run an openvpn-as on a VPS of mine out on the net; it's like a 2-minute process to get pfSense to connect to it. Way less than that if you're using + and can just import the ovpn file.
But if you're trying to set up the OpenVPN community version, you do need to understand what all the stuff is to create your client config that you can then put into the pfSense client GUI.
A quick goog for pfsense as client - the first hit is this:
https://www.comparitech.com/blog/vpn-privacy/pfsense-openvpn-client/
Which from a breeze over seems to be a pretty detailed walkthrough of connecting pfSense to a VPN service - but if you're the service, i.e. you set up a server somewhere, you are going to need to understand the items you need from the server to connect as a client, and be able to provide this info so you can put it into pfSense.
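Three points in this thread come together in one place: the pieces of a client profile land in different parts of pfSense (CA and client cert/key through the Cert Manager, the TLS key pasted into the client settings, as viragomann and johnpoz said), options differ between OpenVPN 2.4.x and 2.6.x (gertjan's warning), and you need to know which items a server-side profile contains before you can enter them in the client GUI. The following Python script is an added example, not code from pfSense, OpenVPN or anyone in this thread. It parses a constructed .ovpn profile, reports where each piece goes, and flags options that newer OpenVPN releases renamed or dropped. The deprecated-option table is my own summary of the OpenVPN 2.5 and 2.6 release notes and should be checked against the notes for the exact version shown by openvpn --version on the firewall; the sample profile, the host vpn.example.net and the PEM placeholders are constructed.

```python
"""Parse an OpenVPN client profile and report what pfSense needs from it.

Added example. The sample profile is constructed (PEM bodies are placeholders),
and DEPRECATED is an assumption summarising the OpenVPN 2.5/2.6 release notes.
"""
import re

# Option name -> (release that changed it, what to use instead). Assumption: verify
# against the release notes for the OpenVPN version actually running on the firewall.
DEPRECATED = {
    "cipher":       ("2.5+ (deprecated)", "data-ciphers / data-ciphers-fallback"),
    "ncp-ciphers":  ("2.5 (renamed)", "data-ciphers"),
    "ncp-disable":  ("2.6 (removed)", "data-ciphers with a single cipher"),
    "keysize":      ("2.6 (removed)", "a fixed-length cipher such as AES-256-GCM"),
    "ns-cert-type": ("2.5 (removed)", "remote-cert-tls"),
    "tls-remote":   ("2.4 (removed)", "verify-x509-name"),
    "comp-lzo":     ("2.4 (deprecated)", "no compression"),
}

# Inline PEM blocks that a server-generated profile usually embeds.
INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\n(.*?)\n</\1>", re.S)


def parse_profile(text):
    """Return (options, inline): options maps an option name to the list of
    argument lists seen for it; inline maps a block name to its PEM text."""
    inline = {m.group(1): m.group(2).strip() for m in INLINE_BLOCK.finditer(text)}
    body = INLINE_BLOCK.sub("", text)
    options = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return options, inline


def deprecated_options(options):
    """List (option, release, replacement) for options a newer OpenVPN no longer likes."""
    return [(name, *DEPRECATED[name]) for name in options if name in DEPRECATED]


def pfsense_placement(options, inline):
    """Map each profile piece to the pfSense screen where it is entered, following
    the placement described in this thread (certificates via the Cert Manager,
    TLS key pasted into the client settings)."""
    where = {}
    for block in ("ca", "cert", "key"):
        if block in inline:
            where[block] = "System > Cert. Manager (import, then select in VPN > OpenVPN > Clients)"
    for block in ("tls-auth", "tls-crypt"):
        if block in inline:
            where[block] = "VPN > OpenVPN > Clients: paste into the TLS Key field"
    if "key-direction" in options:
        where["key-direction"] = "VPN > OpenVPN > Clients: key direction, alongside the TLS key"
    if "remote" in options:
        where["remote"] = "VPN > OpenVPN > Clients: server host/port: " + " ".join(options["remote"][0])
    return where


# Constructed sample profile; the PEM bodies are placeholders, not real material.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a certificate)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a key)
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not a key)
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":
    opts, pem = parse_profile(SAMPLE_PROFILE)
    for piece, target in pfsense_placement(opts, pem).items():
        print(f"{piece:14} -> {target}")
    for name, release, replacement in deprecated_options(opts):
        print(f"WARNING: '{name}' changed in OpenVPN {release}; use {replacement}")
```

On the constructed profile the script flags cipher and comp-lzo, which matches the cipher trouble mentioned earlier in the thread: a profile written for a 2.4.x server can be accepted by one side and rejected by the other once the client is on 2.6.x.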
-
@tangooversway said in Using pfSense as OpenVPN Client:
It's for using pfSense as a VPN server, not as a client. In fact, it's a good example of this issue: They don't mention "server" for a while into the video, as if it's assumed if you're using OpenVPN on pfSense, it's as a server.
When I saw your :
@tangooversway said in Using pfSense as OpenVPN Client:
but I need to get OpenVPN or some other way to reach systems in my LAN working first
I thought your "reaching systems in" was about reaching (from the outside == internet) your systems in your LAN.
Last 2 years, during the "world medical issues period", this was a very needed setup.
And, you need to set up an OpenVPN server anyway, as this permits you to access your pfSense and LANs from wherever you are.
It's the typical setup "if you have it, you don't need it" ;)
And then there is the most important thing: to understand web access, mail access, ftp access and openvpn access, it's a good thing to set up your own client and server of every type. That really helps understanding things as you see it working on both sides == have access to logs on both sides.
-
@johnpoz said in Using pfSense as OpenVPN Client:
So you can then setup pfsense to connect to this server
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-client.html#client-configuration-options
I have that - I started another thread that was more specific, and included logs. pfSense connects now. The issue I'm dealing with is routing and connecting to my LAN from the VPN server or clients. (Well, I'll say from the server, since that has a terminal and I can troubleshoot from there. The clients - just add client-to-client in the config and they should connect, too.)
@johnpoz said in Using pfSense as OpenVPN Client:
I run an openvpn-as on a vps of mine out on the net, its like a 2 minute process to get pfsense to connect to it.. Way less than that if your using + and can just import the ovpn file..
About 15-20 years ago I had to deal with routing. I knew what to do - back then. Since then I've done a lot of programming and other work with no need to deal with networking - other than setting up my DHCP server on my LAN. So I've forgotten a lot. This is one of those things that is easy if you know what you're doing, but if you don't, it's easy for it to eat up more and more time in trying to figure out and understand all the options, or even in finding out what the options are.
@johnpoz said in Using pfSense as OpenVPN Client:
But your trying to setup openvpn community version, you do need to understand what all the stuff is to create your client config that you can then put into the pfsense client gui..
I think I have all the OpenVPN client options in place. Unless I misunderstand, my issue is handling the routing and what to do in pfSense outside of the OpenVPN client configuration. I've found some pages that talk about that, but I'm running into issues. First, my server says it's up to date, but it's running pfSense 2.4.4. So I have an issue with updates (I've told it to stay on the latest stable version) and with packages. I suspect they're the same issue. (That was something that came up on the other thread.) Some of the tutorials I've found seem to be for a version of pfSense I don't have, and many of those pages are done by VPN providers. (Well, more like proxy providers that say they're VPN providers.) Plus they include some actions that (since I barely remember anything about routing work) look like they might cause issues, so I don't know whether following those tutorials would fix things or make things worse.
I've talked about upgrading and why I haven't just tried to fix that on the other thread I mentioned. (Normally I wouldn't try to have two threads on one topic, but I thought I was moving on to other issues with setting things up that were more specific, so I felt it better to add a post that would be focused on those more specific issues.)
@johnpoz said in Using pfSense as OpenVPN Client:
a quick goog for pfsense as client - the first hit is this
https://www.comparitech.com/blog/vpn-privacy/pfsense-openvpn-client/
That looks like a good page, it's one I've found, but it talks about ping settings - and I don't see those at all in my OpenVPN client setup page, so I stopped there, unsure if I could still use everything else there that was available in my version of pfSense.
@gertjan said in Using pfSense as OpenVPN Client:
And then there is the most important thing : to understand web access, mail access ftp access and openvpn access, its a good thing to set up your own client and server of every type. That really helps understanding things as you see it working on both sides == have access to logs on both sides.
I've done a LOT of those - years ago when I ran a software based business. But that was a LONG time ago and I have not had to do any of that for years. Now I'm working on a new business and figured setting up OpenVPN would be an easy setup, since I need it for controlling machinery in my shop from outside my LAN. And the problem is sometimes there's other work and you can only devote but so much time to a topic and have to focus more on "how do I do this?" than, "I want to learn everything about OpenVPN, then I'll be able to do it."
-
@johnpoz said in Using pfSense as OpenVPN Client:
a quick goog for pfsense as client - the first hit is this
https://www.comparitech.com/blog/vpn-privacy/pfsense-openvpn-client/
I "bit the bullet" and updated my system. There were a few glitches, but it's at 22.01 now and I can't upgrade until I get the software from Netgate to change the EFI partition size. Still, it's much more current than what it was.
It looks like everything in that link you included is more fitting for the version I have now. You said you went over it quickly. My concern is the 3 last sections (Firewall Rules, NAT Rules, and DNS). Do those look like they'll work with a regular OpenVPN setup or is there a chance they're made for a specific VPN provider?
-
@tangooversway said in Using pfSense as OpenVPN Client:
My concern is the 3 last sections (Firewall Rules, NAT Rules, and DNS).
What you're trying to do requires some basic understanding of routing, DNS, etc. So no, you wouldn't follow some VPN guide to connect to their service and route all your traffic out it.
-
@johnpoz said in Using pfSense as OpenVPN Client:
What you're trying to do requires some basic understanding of routing, DNS, etc. So no, you wouldn't follow some VPN guide to connect to their service and route all your traffic out it.
I think I should not have listened to the people who told me, "Sure, this is easy to do and only takes a few hours." OpenVPN wasn't that hard to set up, in the long run, but dealing with the firewall rules and NAT to redirect ONLY the LAN traffic that is either responding to requests from within the VPN or that is only going to the VPN turns out to take a lot more than I thought it would from trying to remember what I was doing 15-20 years ago.