Pfsense and openvpn for new users tutorial <– with Site-To-Site now
-
cheers,
i have written a tutorial for users new to pfsense and OpenVPN, since
i can't attach it here, you may download it from my homepage (under [doc])
at:
www.uplinksecurity.deThis document is still BETA, it would be nice if some of you folks could
verify the tutorial and post corrections, mistakes, additions or whatever
right here.best regards
Gino "dairaen" ThomasHey Guys
The Link to this article is no longer working
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
Could the owner please update the link
Thanks
EDIT:
I already mailed him. No answer.
In the meantime you can find it here:
http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdfAlso note that on page 21 is a typo.
The field "Interface IP" should be 192.168.10.0/24 and NOT 192.168.1.0/24 -
Both of these documents are wrong.
You should not be assigning the tunX interface at all. pfSense handles all this behind the scenes by itself.
We fixed a number of bugs so you should be on the most recent snapshot.
-
noted, will be fixed in the next release, can you provide more info what changed
or should not be done as described in the existing documentation? -
Just leave out all parts that mention tunX
-
i will fix that this evening.
-
Just try to follow your own tutorial after you removed the tunX references. if it's working it'S most likely correct ;)
-
As it may seem stupid to ask:
Yes I saw, that pfSense did tun0 behind the scenes, but how are one supposed to create filters on that IF if it is not assigned? That was my problem first hand as I was configuring OVPN and I couldn't create any rules on the tun0 IF until I added it manually as dairaen describes, too.
While that was a few weeks ago, things may be different now, so I hope you'll enlighten me :)
-
i am going to check that tomorrow with the newest snapshot
-
You do not create filters on OpenVPN for 1.0. This has been covered already in the OpenVPN threads on this forum.
-
cheers,
updatet the documentation with the suggestions of Mr. Ullrich, and as expected
everything works fine after doing that. Pfsense can handle the tun0 stuff by itself
so everything is even easier now.Download the latest version from:
http://www.uplinksecurity.de/data/pfsense-ovpn.pdfAgain, please check the document if you can find anything thats
not easy to understand, i will try my best to fix it so that really
everybody can install pfsense and ovpn by following it.for the mods:
if theres nothing to change anymore, i will remove the BETA text
so you may add it to the tutorials section if you like to.best regards
dairaen -
You do not create filters on OpenVPN for 1.0. This has been covered already in the OpenVPN threads on this forum.
Wha….?
News to me. :) I've been adding tunX as an interface and assigning rules on mine. Oopsie! Time to go fix my configs again.
-
updatet the documentation with the suggestions of Mr. Ullrich, and as expected
everything works fine after doing that. Pfsense can handle the tun0 stuff by itself
so everything is even easier now.I scanned through it rather quickly but everything looks good at first glance.
I'll let someone more experienced with OpenVPN chime in, I just knew that tunX stuff was wrong.
-
removed the BETA tag, everything works as supposed here with that configuration.
-
updated the tutorial, Hernan Maslowski submitted "Easy-RSA on Windows",
you can download the latest Version at:http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
mods, please add this to the tutorial section, you may link
directly if you like to. -
On page 15, Firewall: Rules
there is still an OVPN1 tag. On my system there is no tag, is this generated automatically? Or have you still assigned the tun interface? This is not possible any more and causes problems.
-
damn, i already cutted that, how the f*** does it made it in there again!?
Thanks, naturally thats crap. I fixed it.
-
dairaen
Nice work on the documentation, I wish it would of been around before I set it up (would of made it easier).
This will be very helpfull for users who want to setup Openvpn on Pfsense. -
cheers,
new version online, since ppl still seem to have
problems with OpenVPN i added "Site-to-Site" VPN, any volunteers
are welcome to verify the new section. -
sorry, uploaded a wrong version, please download again if you did,
a screenshot and some ip-adresses were wrong. -
Thanks for doing this! I have posted this to the tutorials section. Just let me know when to update it.
-
sorry, small update (should be the last for a while)
- removed the snapshot and RC stuff and advised ppl to use 1.0 Release.
- fixed some typos
- fixed some formatting stuff (i will never use Word & images again…)
And there is a small typo in your tutorial section, "warrior" is mispelled.
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
keep on ;)
-
dairaen, thanks a million you are the MAN!
Hunter
-
Tutorial sync'd on pfSense.com
-
cheers,
updated some parts to prevent further problems like:
http://forum.pfsense.org/index.php/topic,2448.0.htmlAs usual, latest version is found here:
http://www.uplinksecurity.de/data/pfsense-ovpn.pdfkeep on & kind regards
dairaen -
pfSense openvpn tutorial sync'd.
Thanks!
-
cheers,
again some updates:
- added a FAQ section at the bottom with solutions to the latest
postings - added link to "my certificate wizard"
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
kind regards
dairaen - added a FAQ section at the bottom with solutions to the latest
-
again some updates:
kind regards
dairaenThanks for your work! We really appreciate your help on this! :D
-
File in the tutorial section has been sync'd. Thanks!
-
For first time: sorry for my english ::)
Second: little problem
I've log in my pfsense by putty (for windows)
Option 8 (Shell)
down penvpn-2.0.9.tar.gz
tar -xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
cd easy-rsa
vi vars
[…] After that some scripts need to be executed, if asked for “Common Name” enter
the hostname you used in “General Setup” this time. Here are my keystrokes:
[/tmp/openvpn-2.0.8/easy-rsa]# source ./vars […]source ./vars
export: Command not found.
D: Undefined variable.Why?
My Vars file:
_# NOTE: If you installed from an RPM,don't edit this file in place in
/usr/share/openvpn/easy-rsa –
instead, you should copy the whole
easy-rsa directory to another location
(such as /etc/openvpn) so that your
edits will not be wiped out by a future
OpenVPN package upgrade.
This variable should point to
the top level of the easy-rsa
tree.
export D=
/tmp/This variable should point to
the openssl.cnf file included
with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
Edit this variable to point to
your soon-to-be-created key
directory.
WARNING: clean-all will do
a rm -rf on this directory
so make sure you define
it correctly!
export KEY_DIR=$D/keys
Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
Increase this to 2048 if you
are paranoid. This will slow
down TLS negotiation performance
as well as the one-time DH parms
generation process.
export KEY_SIZE=1024
These are the default values for fields
which will be placed in the certificate.
Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"_I must tell too:
D=5
D=5: Command not found.
while if I make 'D=5' on other shell (like ubuntu o similar) I write a variable.
I'm niubby for linux but I think that the Shell from prompt is'nt usually shell!
Help me!
-
you use a TAP device but have to use a TUN device
if you use the redirect it has to like like this:
push "redirect-gateway def1"
push "dhcp-option DNS x.x.x.x"you push the custom DNS since the clients loose their route to their local DNS after the redirect is in place.
-
I followed the instructions on setting up remote VPN's and it worked wonderfully. I am having one problem though - i have come back to create a new client cert using build-key but when i run it i am getting an error listing a bunch of options - almost like it doesn't know what to do. Does anyone have any suggestions on what I might do to be able to build a new key that will connect to our existing server (and its already generated keys)? I know all of the files that were originally generated still exist.
-
if i remember right you just need to run the vars before using the build-key again.
-
Thanks… I tried that - no joy :-[
-
Can you describe the exact steps you took?
-
I ran it again, step by step, and its working now. It is simply running vars, then build-key <machinename>. Evidently I didn't type something correctly.
Thanks for your help. </machinename>
-
Hey Guys
The Link to this article is no longer working
http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
Could the owner please update the link
Thanks
-
I already mailed him. No answer.
In the meantime you can find it here:
http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdfAlso note that on page 21 is a typo.
The field "Interface IP" should be 192.168.10.0/24 and NOT 192.168.1.0/24
