OpenVPN server.crt is always blank - Also, what ports should be opened for VPN?
-
Hi,
I am trying to create the server.crt with the command "build-key-server.bat server" and everything seems to be fine except that /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.
Also, what are the ports that should be opened to the outside world for OpenVPN? Furthermore, is it common practice to open the port to the public internet (any security flaws???? Or should OpenVPN protect against malicious attacks?)
Thanks
-
If you're running the key generation on a Windows host then the key will be created on the Windows host - is it there that you're checking?
The ports you use are whatever you choose to use. The default port is 1194, but you can use any port you choose - 443/TCP and 53/UDP are common choices to bypass traffic blocking. As for OpenVPN security, read the OpenVPN documentation. It covers everything you need to know about how to protect your VPN.
-
Thanks for the feedback.
I followed all of the documentation and I have got all the files generated and in place now. However, after opening OpenVPN client, I am faced with this error:
IMPORT_ERROR: Profile or its references could not be read: Traceback (most recent call last): / File "capihelper.py", line 1, in <module> / File "pyovpn\client\chelper.pyo", line 3, in <module> / File "pyovpn\conf\cmerge.pyo", line 5, in <module> / File "pyovpn\util\file.pyo", line 11, in <module> / File "pyovpn\util\env.pyo", line 360, in <module> / File "pyovpn\util\env.pyo", line 354, in init_config / File "pyovpn\util\env.pyo", line 133, in new / File "pyovpn\util\env.pyo", line 48, in __init__ / File "pyovpn\util\env.pyo", line 114, in add_config_file / pyovpn.util.env.ParseError: error reading configuration file /pyovpn-etc/as.conf: [Errno 2] No such file or directory: '/pyovpn-etc/as.conf': util/env:110 (exceptions.IOError)
Really annoying. I don't understand why OpenVPN should be so hard. There is no straightforward WORKING documentation anywhere for this.
Thanks
-
How is that:
http://openvpn.net/index.php/open-source/documentation/howto.html#pki
Not straightforward and working? Where did you get this error? What did you start?
What you're showing are Python errors, but the OpenVPN client is a binary and not a Python script.
-
If you want easy+straightforward, just install 2.0 and use the OpenVPN wizard. It'll make all of the certs and set it up for you, then you just add users and make certs for them. Easy as pie. Mmmm, pie.
-
Yeah or that :D
(yummy pie like 2.0 wizard can even generate Windows installers with all files included)
-
You still have to install the OpenVPN installer exporter as a package, but yeah it can do that too.
I think that was due to licensing/redistribution issues, but I don't recall for certain.
-
Oh, this comes from the OpenVPN client on Windows side. When I try to connect this is the error I get.
I don't have the luxury of installing 2.0 as the router is in production on a phone system, and if 2.0 is beta I really can't have the client as a guinea pig to test it (down time = lost client).
Thanks,
Bruce
-
If that error is from the client then it has nothing to do with the pfSense install and it suggests that your client install is broken. What client version did you install, what operating system did you install it on and where did you download it from?
-
OpenVPN GUI Client 1.5.5. It's installed on Windows 7 operating system. Is there any better client you would suggest for Windows?
Thanks
-
That's rather old.
Use this one:
http://openvpn.net/release/openvpn-2.1.2-install.exe
Just be sure to run it as admin on Windows 7.
-
Thanks, that worked.
How many OpenVPN connections are safe to make to a 512mbps connection using an Alix board? I don't want to overload either the board CPU or go over my limit of bandwidth, which will degrade voice quality as we have about 5 channels of ULAW (g711) SIP running on this box at any time.
More importantly, I am concerned about hardware limits.
Thanks again
-
512mbps or 512kbps?
An ALIX can only handle about 85Mbps without encryption, and maybe about 18Mbps with OpenVPN using the crypto chip on the ALIX. See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
-
And note that PPS (packets per second) is possibly more significant than raw throughput.
-
Sorry, that's 512kbps. So, I guess on such low bandwidth there is no hardware limit.
1- If there are 5 simultaneous OpenVPN connections, does the Alix2D3 handle that fine? In terms of CPU power, I mean?
2- Also, now that the connection is established, I would only want the user that has connected to have access to port 443 TCP, 4445 TCP, and 4569 UDP, only to one specific host within the LAN network, and not to be able to browse the internet through the OpenVPN. What do I have to do on the pfSense side to limit this, and also what do I have to do on the Windows side so that only requests to a certain IP are routed to the OpenVPN connection and others are handled by the NIC card on the Windows machine (which is connected to an ISP totally separate from pfSense)?
You folks have been of great help.
Thanks,
-
1. Shouldn't matter with that little bandwidth. Bandwidth matters more than concurrent connections.
2. You need firewall rules for OpenVPN, which don't exist on 1.2.3. 2.0 can filter out of the box. 1.2.3 can do it but it takes some work: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3
Even without that, it won't get access to browse out the Internet from there without you adding an outbound NAT rule, so that should be safe.
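For the Windows side of question 2 (routing only one LAN host through the tunnel while everything else stays on the machine's own ISP link), here is an added example OpenVPN 2.1 client configuration; it is not from this thread or from the pfSense/OpenVPN documentation, and the server hostname vpn.example.org, the LAN host 192.168.1.50 and the certificate file names are assumptions.

```conf
# Added example (assumed values): Windows OpenVPN 2.1 client that sends only
# traffic for one LAN host through the tunnel. All other traffic keeps using
# the machine's normal default route on its separate ISP connection.
client
dev tun
proto udp
# Assumed pfSense WAN hostname, on the default OpenVPN port.
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
nobind
persist-key
persist-tun

# Ignore every route pushed by the server (including any redirect-gateway),
# so a server-side change cannot silently turn this into a full tunnel
# that would carry the client's internet browsing through pfSense.
route-nopull

# Route exactly one LAN host (assumed 192.168.1.50) via the VPN gateway.
# The /32 netmask means no other LAN address is reachable over the tunnel.
route 192.168.1.50 255.255.255.255

# Routing does not restrict ports. Limiting this client to 443/TCP,
# 4445/TCP and 4569/UDP on that host is done with firewall rules on the
# pfSense side (the OpenVPN traffic filtering link above), not in this file.
```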
-
Thanks very much.
But I guess I can limit the OpenVPN network of 192.168.200.0/24 to only one specific host in Firewall > Rules > LAN ???
Thanks
-
I have locked myself out but I have OpenVPN access. I am just doing console to the box and option 14 tells me that sshd is enabled. But when I try to reach the box with ssh 192.168.1.1 I can't get any response.
I have checked and iptables -L doesn't exist either.
How can I get this router to accept my HTTPs and SSH requests?
What commands specifically?
Thanks