Devoted pfSense user founders on the rocky shoals of OpenVPN



  • I am an enthusiastic user and supporter of pfSense.  I find it invaluable in setting up networks both for personal use and at my company.  Its strong suit has always been its powerful yet easy-to-use web interface.  It's what makes the underlying FreeBSD firewall usable by ordinary mortals.

    Yet I see this changing with OpenVPN.

    I have spent three evenings trying to get site-to-site VPN working using OpenVPN.  It is the most frustrating and non-productive time I have ever spent with pfSense.  I understand that a lot of the complexity is just inherent in VPNs to begin with.  But I have had no such trouble setting up IPSec tunnels on pfSense.

    I realize that OpenVPN is a fairly new feature, but documentation of it is scant.  The docs on the wiki were taken down because they were misleading, I guess.  Without seeing them I couldn't say if they would have helped me or not.  The OpenVPN section of the forum is just stuffed with pleas for help, many sounding very similar.  i think it's because there is no understanding of the underlying model for those of us who are new to this sofware.  The openvpn site isn't a lot of help.  They focus on "how to" docs that are centered around the config files, making them of little value to pfSense users, since it isn't known which fields affect which commands.

    At This point I must call a halt to the experiment and go back to IPSec tunnels.  I just want my abject failure to serve as a warning to others – OpenVPN is a tar pit just waiting to snare unsuspecting novices.  Perhaps OpenVPN should be an add-on package.  I would hate for it to tarnish the image of pfSense and its impressive  ease of use.



  • The documentation on http://openVPN.net very much applies to pfSense.
    If you set up a connection following the directions on the openVPN page you will understand how it works.
    Afterwards you will have absolutely no problems setting up a connection on pfSense.

    Maybe you should have written here before you spent so long trying to get something to work without understanding it ;)

    Did you read the stickies here in this forum?
    There are HOWTOs, how to set up a site-to-site connection with a:
    PKI: http://forum.pfsense.org/index.php/topic,12888.0.html
    PSK: http://forum.pfsense.org/index.php/topic,2228.0.html



  • I set it up on pfSense having done nothing more than read the documentation on the OpenVPN site.  It all worked first time.

    Most problems I see here about OpenVPN, or on the OpenVPN mailing list, seem to be caused by a lack of appropriate routing, using the same subnet everywhere (usually 192.168.x.y/24) or attempting to mix tap and tun (bridged and routed).


  • Rebel Alliance Developer Netgate

    Site-to-Site OpenVPN works fine, but there are some quirks. I thought most of them were documented though, as in the how-tos linked above.

    There is also a great section on site-to-site OpenVPN in the pfSense book (see the link in my sig).

    I use it for my home-to-work setup and it's great.

    The general rule of thumb is that for site-to-site, use Shared Key, for remote access, use a PKI setup. If you try to do a site-to-site using PKI, it can lead to some issues.

    This has been cleaned up a lot in 2.0.



  • Perhaps my problems are due to using RC3 on a server and RC1 on a client.  I have another RC3 client that works (or doesn't work) exactly the same, however.

    Oddly enough, I can ssh into any of the firewalls and ping the other firewall thru the openvpn tunnel.  I can ping the client pfSense box from the server and vice-versa.  But no computer attached to the LAN of either side can ping thru the tunnel.  I've been over my firewall settings with a fine-toothed comb but I've not found any rule blocking the access.  (Yes, I did create the rule on the WAN i/f that permits traffic to 1194-1196, my chosen openvpn ports, and I have a default LAN rule that I broadened to include any source address, not just "LAN subnet".  Nothing helped.)

    When I make changes I see remnants of old addresses in the logs.  For instance, I changed one of the tunnels to use a different 10.x.x.x space for the "Interface IP" (with matching entries on both sides) but now when I start it up I see the following in the server log:

    openvpn[2706]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.51.1 10.0.51.2', remote='ifconfig 10.0.10.1 10.0.10.2'

    Yet the client log says:

    openvpn[32031]: /sbin/ifconfig tun0 10.0.51.2 10.0.51.1 mtu 1500 netmask 255.255.255.255 up

    Oddly enough 10.0.10.1/24 was the address I changed to 10.0.51.0/24 on both sides.  But the server (RC3) complains that the client (RC1) is using the "old" address.

    The other link, which is RC3 to RC3, does not exhibit this error, yet its tunnel exhibits the same behavior – pinging between client and server pfSense box is OK, pinging between machines is not.

    For three evenings I have been all over this forum and the wiki.  I am disappointed that more work is not being done on the wiki because it is the easier vehicle to use.  PHPBBS has a lot of good features, but search is not one of them.  For example last night I couldn't even get one document when I searched for "ifconfig" in the openvpn forum.  Today it returns dozens of hits.

    I see frustrated comments from moderators about answering basically the same question ten times.  That's a hint that the information is not easily accessible -- it's not only due to lazy and incompetent newbies (although those do exist also ;)).  The link for site-to-site vpn using shared key spends most of its time on the installation of pfSense and little on the actual task of site-to-site setup.

    It all contributes to the "perfect storm" of missed expectations, frustration (on both sides) and disappointment.


  • Rebel Alliance Developer Netgate

    If you can ping from the routers but not from behind, it is likely a routing issue. Perhaps this?

    http://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes%3F



  • I thought similarly, and I tried all combinations of routes in the "custom options" fields of the client and server.  (Which makes me wonder why I enter the target subnet in "remote network" field on the page, if I also have to put it in the "custom options" box.)   I also tried both SSL and PKI scenarios, but was never able to achieve computer-to-computer communications.  Only router-to-router.

    It all makes me feel like I know nothing at all about routing.  Well, at least the IPSEC came back up and is running perfectly.


  • Rebel Alliance Developer Netgate

    You shouldn't have to enter the remote subnet into the custom options box unless you need more than one subnet on the far side.

    Have you made any progress on this? It might help if you posted screencaps or a list of all the settings for both sides of the connection.



  • I'm holding off until I can upgrade my RC1 box to RC3.  Call me chicken but I didn't want to do that remotely (1200 miles away from physical access).  I also have the book ordered from the big river so I'll give it a look and see what I've missed.



  • Well well well.

    The same OpenVPN tunnel definitions that failed before work now.  All I did was update my home router to 1.2.3 RC3 (it was RC1 before).  It's starting to look like there is something amiss between RC1 and RC3 in OpenVPN implementations.

    Easy enough to fix, if you know about the problem…


Log in to reply