pfSense and OpenVPN for new users tutorial <-- with Site-To-Site now



  • cheers,

    I have written a tutorial for users new to pfSense and OpenVPN. Since
    I can't attach it here, you may download it from my homepage (under [doc])
    at:
    www.uplinksecurity.de

    This document is still BETA, it would be nice if some of you folks could
    verify the tutorial and post corrections, mistakes, additions or whatever
    right here.

    best regards
    Gino "dairaen" Thomas




  • Both of these documents are wrong.

    You should not be assigning the tunX interface at all.  pfSense handles all this behind the scenes by itself.

    We fixed a number of bugs so you should be on the most recent snapshot.



  • Noted, will be fixed in the next release. Can you provide more info on what changed
    or should not be done as described in the existing documentation?



  • Just leave out all parts that mention tunX



  • I will fix that this evening.



  • Just try to follow your own tutorial after you have removed the tunX references. If it's working, it's most likely correct  ;)


  • As it may seem stupid to ask:

    Yes, I saw that pfSense handled tun0 behind the scenes, but how is one supposed to create filters on that IF if it is not assigned? That was my problem first hand as I was configuring OVPN, and I couldn't create any rules on the tun0 IF until I added it manually as dairaen describes, too.

    While that was a few weeks ago, things may be different now, so I hope you'll enlighten me :)



  • I am going to check that tomorrow with the newest snapshot.



  • You do not create filters on OpenVPN for 1.0.  This has been covered already in the OpenVPN threads on this forum.



  • cheers,

    Updated the documentation with the suggestions of Mr. Ullrich, and as expected
    everything works fine after doing that. pfSense can handle the tun0 stuff by itself,
    so everything is even easier now.

    Download the latest version from:
    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    Again, please check the document to see if you can find anything that's
    not easy to understand; I will try my best to fix it so that really
    everybody can install pfSense and OVPN by following it.

    For the mods:
    if there's nothing to change anymore, I will remove the BETA text
    so you may add it to the tutorials section if you like.

    best regards
    dairaen



  • @sullrich:

    You do not create filters on OpenVPN for 1.0.  This has been covered already in the OpenVPN threads on this forum.

    Wha….?

    News to me. :)  I've been adding tunX as an interface and assigning rules on mine.  Oopsie!  Time to go fix my configs again.



  • @dairaen:

    Updated the documentation with the suggestions of Mr. Ullrich, and as expected
    everything works fine after doing that. pfSense can handle the tun0 stuff by itself,
    so everything is even easier now.

    I scanned through it rather quickly but everything looks good at first glance.

    I'll let someone more experienced with OpenVPN chime in, I just knew that tunX stuff was wrong.



  • Removed the BETA tag; everything works as expected here with that configuration.



  • Updated the tutorial: Hernan Maslowski submitted "Easy-RSA on Windows".
    You can download the latest version at:

    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    Mods, please add this to the tutorial section; you may link
    directly if you like.



  • On page 15, Firewall: Rules,

    there is still an OVPN1 tag. On my system there is no tag. Is this generated automatically? Or have you still assigned the tun interface? This is not possible any more and causes problems.



  • Damn, I already cut that; how the f*** did it make it in there again!?

    Thanks, naturally that's crap. I fixed it.



  • dairaen

    Nice work on the documentation. I wish it would have been around before I set it up (would have made it easier).
    This will be very helpful for users who want to set up OpenVPN on pfSense.



  • cheers,

    New version online. Since people still seem to have
    problems with OpenVPN, I added "Site-to-Site" VPN; any volunteers
    are welcome to verify the new section.

    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf



  • Sorry, uploaded a wrong version, please download again if you did;
    a screenshot and some IP addresses were wrong.



  • Thanks for doing this!  I have posted this to the tutorials section.  Just let me know when to update it.



  • Sorry, small update (should be the last for a while):

    • removed the snapshot and RC stuff and advised people to use the 1.0 release
    • fixed some typos
    • fixed some formatting stuff (I will never use Word & images again…)

    And there is a small typo in your tutorial section: "warrior" is misspelled.

    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    keep on ;)



  • dairaen, thanks a million you are the MAN!

    Hunter



  • Tutorial sync'd on pfSense.com



  • cheers,

    Updated some parts to prevent further problems like:
    http://forum.pfsense.org/index.php/topic,2448.0.html

    As usual, latest version is found here:
    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    keep on & kind regards
    dairaen



  • pfSense openvpn tutorial sync'd.

    Thanks!



  • cheers,

    Again some updates:

    • added a FAQ section at the bottom with solutions to the latest
      postings
    • added link to "my certificate wizard"

    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    kind regards
    dairaen



  • @dairaen:

    Again some updates:

    kind regards
    dairaen

    Thanks for your work! We really appreciate your help on this!  :D



  • File in the tutorial section has been sync'd.  Thanks!



  • First: sorry for my English  ::)

    Second: a little problem.

    I've logged in to my pfSense by PuTTY (for Windows):

    Option 8 (Shell)

    download openvpn-2.0.9.tar.gz

    tar -xvzf openvpn-2.0.9.tar.gz

    cd openvpn-2.0.9

    cd easy-rsa

    vi vars

    […] After that some scripts need to be executed, if asked for “Common Name” enter
    the hostname you used in “General Setup” this time. Here are my keystrokes:
    [/tmp/openvpn-2.0.8/easy-rsa]# source ./vars […]

    source ./vars

    export: Command not found.
    D: Undefined variable.

    Why?

    My vars file:

    # NOTE: If you installed from an RPM,
    # don't edit this file in place in
    # /usr/share/openvpn/easy-rsa --
    # instead, you should copy the whole
    # easy-rsa directory to another location
    # (such as /etc/openvpn) so that your
    # edits will not be wiped out by a future
    # OpenVPN package upgrade.

    # This variable should point to
    # the top level of the easy-rsa
    # tree.
    export D=/tmp/

    # This variable should point to
    # the openssl.cnf file included
    # with easy-rsa.
    export KEY_CONFIG=$D/openssl.cnf

    # Edit this variable to point to
    # your soon-to-be-created key
    # directory.
    #
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    export KEY_DIR=$D/keys

    # Issue rm -rf warning
    echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024

    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY=KG
    export KEY_PROVINCE=NA
    export KEY_CITY=BISHKEK
    export KEY_ORG="OpenVPN-TEST"
    export KEY_EMAIL="me@myhost.mydomain"

    I must also tell:

    D=5

    D=5: Command not found.

    while if I do 'D=5' in another shell (like Ubuntu or similar) it sets a variable.

    I'm a newbie to Linux, but I think that the shell from the prompt isn't the usual shell!

    Help me!



  • You use a TAP device but have to use a TUN device.

    If you use the redirect it has to look like this:
    push "redirect-gateway def1"
    push "dhcp-option DNS x.x.x.x"

    You push the custom DNS since the clients lose their route to their local DNS after the redirect is in place.



  • I followed the instructions on setting up remote VPNs and it worked wonderfully.  I am having one problem though: I have come back to create a new client cert using build-key, but when I run it I am getting an error listing a bunch of options, almost like it doesn't know what to do.  Does anyone have any suggestions on what I might do to be able to build a new key that will connect to our existing server (and its already generated keys)?  I know all of the files that were originally generated still exist.



  • If I remember right you just need to run the vars before using build-key again.



  • Thanks…  I tried that - no joy  :-[



  • Can you describe the exact steps you took?



  • I ran it again, step by step, and it's working now.  It is simply running vars, then build-key <machinename>.  Evidently I didn't type something correctly.

    Thanks for your help.
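    The build-key fix in the last two posts (run vars first) and the earlier
    "export: Command not found." / "D: Undefined variable." errors have the same
    root cause: the easy-rsa vars file is Bourne-shell syntax, and those two
    messages are what csh/tcsh print when handed it. The script below is an added
    example, not from the thread or the tutorial: it writes a constructed vars
    file (the directory and the field values are placeholders), loads it in
    POSIX sh with "." (the portable spelling of "source"), checks that every
    variable build-key relies on is set, and flags a KEY_SIZE below 2048 before
    any key is generated.

```shell
#!/bin/sh
# Added example (not part of the thread or the tutorial): load an easy-rsa 2.x
# style "vars" file in a Bourne-compatible shell and sanity-check the exported
# variables before running build-ca / build-key. The vars file written below is
# constructed for this example; its directory and field values are placeholders.

# Write a constructed vars file into DIR, using DIR as the easy-rsa top level.
write_example_vars() {
    dir="$1"
    cat > "$dir/vars" <<EOF
# constructed example vars file (placeholder values)
export D=$dir
export KEY_CONFIG=\$D/openssl.cnf
export KEY_DIR=\$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
EOF
}

# The vars file uses Bourne syntax ("export NAME=value"), so it must be read
# by sh/bash with "."; csh/tcsh reject it with "export: Command not found".
# Returns 0 when the file parses and every variable the easy-rsa scripts
# rely on ends up non-empty, 1 otherwise.
load_vars() {
    file="$1"
    sh -n "$file" || return 1          # syntax check before sourcing
    . "$file"
    for name in D KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
                KEY_CITY KEY_ORG KEY_EMAIL; do
        eval "value=\$$name"
        if [ -z "$value" ]; then
            echo "load_vars: $name is not set in $file" >&2
            return 1
        fi
    done
    return 0
}

# Returns 0 when KEY_SIZE is at least MIN bits (default 2048). The stock vars
# file ships with 1024, which its own comment suggests raising.
key_size_ok() {
    min="${1:-2048}"
    [ "${KEY_SIZE:-0}" -ge "$min" ]
}

# Demonstration run: write the constructed file, load it, report the result.
demo_dir="$(mktemp -d)"
write_example_vars "$demo_dir"
if load_vars "$demo_dir/vars"; then
    echo "vars loaded: KEY_DIR=$KEY_DIR KEY_CONFIG=$KEY_CONFIG"
    if key_size_ok; then
        echo "KEY_SIZE=$KEY_SIZE is acceptable"
    else
        echo "warning: KEY_SIZE=$KEY_SIZE is below 2048; raise it before build-ca" >&2
    fi
else
    echo "vars did not load; use sh (not csh) and check the file syntax" >&2
fi
```

    Run it with sh, not by typing its lines at a csh prompt; the same applies
    to the real vars file, which is why the tutorial's "source ./vars" step only
    works once you are in a Bourne-compatible shell.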



  • Hey Guys

    The link to this article is no longer working:

    http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

    Could the owner please update the link?

    Thanks



  • I already mailed him. No answer.
    In the meantime you can find it here:
    http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf

    Also note that on page 21 is a typo.
    The field "Interface IP" should be 192.168.10.0/24 and NOT 192.168.1.0/24

