Netgate Discussion Forum
    OpenVPN server.crt is always blank - Also, what ports should be opened for VPN?

    OpenVPN
    18 Posts 4 Posters 19.6k Views
    torontob

      Hi,

      I am trying to create the server.crt with command "build-key-server.bat server" and everything seems to be fine except for /keys/server.crt is empty (0 bytes). How can this be? I am using cmd.exe with Administrative privileges.

      Also, what are the ports that should be opened to the outside world for OpenVPN? Furthermore, is it common practice to open the port to the public internet (any security flaws???? or should OpenVPN protect against malicious attacks?)

      Thanks

      Cry Havok

        If you're running the key generation on a Windows host then the key will be created on the Windows host - is it there that you're checking?

        The ports you use are whatever you chose to use. The default port is 1194, but you can use any port you choose - 443/TCP and 53/UDP are common choices to bypass traffic blocking. As for OpenVPN security, read the OpenVPN documentation. It covers everything you need to know about how to protect your VPN.

        torontob

          Thanks for the feedback.

          I followed all of the documentation and I have got all the files generated and in place now. However, after opening OpenVPN client, I am faced with this error:

          IMPORT_ERROR: Profile or its references could not be read: Traceback (most recent call last):
            File "capihelper.py", line 1, in <module>
            File "pyovpn\client\chelper.pyo", line 3, in <module>
            File "pyovpn\conf\cmerge.pyo", line 5, in <module>
            File "pyovpn\util\file.pyo", line 11, in <module>
            File "pyovpn\util\env.pyo", line 360, in <module>
            File "pyovpn\util\env.pyo", line 354, in init_config
            File "pyovpn\util\env.pyo", line 133, in new
            File "pyovpn\util\env.pyo", line 48, in __init__
            File "pyovpn\util\env.pyo", line 114, in add_config_file
          pyovpn.util.env.ParseError: error reading configuration file /pyovpn-etc/as.conf: [Errno 2] No such file or directory: '/pyovpn-etc/as.conf': util/env:110 (exceptions.IOError)

          Really annoying. I don't understand why OpenVPN should be so hard. There is no straightforward WORKING documentation anywhere for this.

          Thanks

          GruensFroeschli

            How is that:
            http://openvpn.net/index.php/open-source/documentation/howto.html#pki
            Not straightforward and working?

            Where did you get this error? What did you start?
            What you're showing are python errors, but the OpenVPN client is a binary and not a python script.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            jimp (Rebel Alliance Developer, Netgate)

              If you want easy+straightforward, just install 2.0 and use the OpenVPN wizard. It'll make all of the certs and set it up for you, then you just add users and make certs for them. Easy as pie. Mmmm, pie.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              GruensFroeschli

                Yeah or that :D
                (yummy pie like 2.0 wizard can even generate windows installers with all files included)


                jimp (Rebel Alliance Developer, Netgate)

                  You still have to install the OpenVPN installer exporter as a package, but yeah it can do that too.

                  I think that was due to licensing/redistribution issues, but I don't recall for certain.


                  torontob

                    Oh, this comes from the OpenVPN client on Windows side. When I try to connect this is the error I get.

                    I don't have the luxury of installing 2.0 as the router is in production on a phone system, and if 2.0 is beta I really can't have the client as a guinea pig to test it (down time = lost client).

                    Thanks,
                    Bruce

                    Cry Havok

                      If that error is from the client then it has nothing to do with the pfSense install and it suggests that your client install is broken. What client version did you install, what operating system did you install it on and where did you download it from?

                      torontob

                        OpenVPN GUI Client 1.5.5. It's installed on Windows 7 operating system. Is there any better client you would suggest for Windows?

                        Thanks

                        jimp (Rebel Alliance Developer, Netgate)

                          That's rather old.

                          Use this one:
                          http://openvpn.net/release/openvpn-2.1.2-install.exe

                          Just be sure to run it as admin on Windows 7.


                          torontob

                            Thanks, that worked.

                            How many OpenVPN connections are safe to make to a 512mbps connection using an Alix board? I don't want to overload either the board cpu or go over my limit of bandwidth which will degrade voice quality as we have about 5 channels of ULAW (g711) SIP running on this box at any time.

                            More importantly, I am concerned about hardware limits.

                            Thanks again

                            jimp (Rebel Alliance Developer, Netgate)

                              512mbps or 512kbps?

                              An ALIX can only handle about 85Mbps without encryption, and maybe about 18Mbps with OpenVPN using the crypto chip on the ALIX. See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported


                              Cry Havok

                                And note that PPS (packets per second) is possibly more significant than raw throughput.

                                torontob

                                  Sorry, that's 512kbps. So, I guess on such low bandwidth there is no hardware limit.

                                  1- If there are 5 simultaneous OpenVPN connections does the Alix2D3 handle that fine? in terms of cpu power I mean?

                                  2- Also, now that the connection is established, I would only want the user that has connected to have access to port 443 TCP, 4445 TCP, and 4569 UDP, only to one specific host within the LAN network, and not to be able to browse the internet through the OpenVPN. What do I have to do on the pfSense side to limit this, and also what do I have to do on the Windows side so that only requests to a certain IP are routed to the OpenVPN connection and others are handled by the NIC card on the Windows machine (which is connected to an ISP totally separate from pfSense)?

                                  You folks have been of great help.

                                  Thanks,

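An added example, not from this thread or from the OpenVPN project, of the Windows-side half of the question above: a split-tunnel client config for the OpenVPN 2.1 Windows client in which exactly one LAN host is routed through the tunnel and everything else keeps using the local NIC. The server name vpn.example.org, the LAN host 192.168.1.10 and the certificate file names are assumptions; the port 1194 is OpenVPN's default, as noted earlier in the thread.

```text
# Constructed example client config (client.ovpn) for OpenVPN 2.1 on Windows.
# vpn.example.org, 192.168.1.10 and the certificate file names are assumptions.
client
dev tun
proto udp
remote vpn.example.org 1194
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
# Only accept a server certificate that easy-rsa's build-key-server marked as a
# server certificate, so a leaked client certificate cannot impersonate the server.
ns-cert-type server

# Still accept pushed options such as ifconfig, but ignore pushed routes,
# redirect-gateway and DHCP options (DNS servers), so the tunnel never becomes
# this machine's default route.
route-nopull
# Then route exactly one host over the tunnel; all other destinations keep using
# the local NIC's own default gateway.
route 192.168.1.10 255.255.255.255

verb 3
```

Because route-nopull discards every pushed route, any further LAN destinations the server pushes later are ignored too; give the client additional route lines rather than dropping route-nopull. A client can edit its own config, so the per-host, per-port restriction still has to be enforced by firewall rules on the pfSense side.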
                                  jimp (Rebel Alliance Developer, Netgate)

                                    1. Shouldn't matter with that little bandwidth. Bandwidth matters more than concurrent connections.

                                    2. You need firewall rules for OpenVPN, which don't exist on 1.2.3. 2.0 can filter out of the box. 1.2.3 can do it but it takes some work: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

                                    Even without that, it won't get access to browse out the Internet from there without you adding an outbound NAT rule, so that should be safe.


                                    torontob

                                      Thanks very much.

                                      But I guess I can limit the OpenVPN network of 192.168.200.0/24 to only one specific host in Firewall > Rules > LAN ???

                                      Thanks

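As an added illustration (not pfSense's generated rules and not from this thread), here is the policy jimp describes and the restriction asked about in the post above, written as a pf.conf ruleset, since the packet filter underneath pfSense is pf: the Internet can reach only the OpenVPN listener, and clients in 192.168.200.0/24 can reach one LAN host on TCP 443, TCP 4445 and UDP 4569 and nothing else. The interface names vr1 and tun0 and the host address 192.168.1.10 are assumptions. pfSense builds its own ruleset from the GUI, so this shows the intended policy rather than text to paste into the box.

```text
# Constructed pf.conf illustration of the policy; interface names and the
# LAN host address are assumptions, not values from the thread.
wan_if   = "vr1"
ovpn_if  = "tun0"
vpn_net  = "192.168.200.0/24"
lan_host = "192.168.1.10"

# Default deny, logged, on every interface.
block log all

# WAN: the only service reachable from the Internet is the OpenVPN listener
# (1194/UDP is OpenVPN's default port).
pass in quick on $wan_if inet proto udp from any to ($wan_if) port 1194 keep state

# Tunnel interface: clients may reach the one LAN host on three ports only.
pass in quick on $ovpn_if inet proto tcp from $vpn_net to $lan_host port { 443, 4445 } flags S/SA keep state
pass in quick on $ovpn_if inet proto udp from $vpn_net to $lan_host port 4569 keep state

# Nothing else is passed on $ovpn_if, so client traffic to the rest of the LAN or
# to the Internet falls through to the block above. Without an outbound NAT rule
# for $vpn_net, Internet-bound traffic would not be translated even if it were passed.
```

From the console, pfctl -sr prints the loaded rules and pfctl -ss the state table, which shows whether a client's connection matched one of the intended pass rules or the default block; the logged blocks are what to watch for clients probing beyond the three allowed ports.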
                                      torontob

                                        I have locked myself out but I have OpenVPN access. I am just doing console to the box and option 14 tells me that sshd is enabled. But when I try to reach the box with ssh 192.168.1.1 I can't get any response.

                                        I have checked and iptables -L doesn't exist either.

                                        How can I get this router to accept my HTTPS and SSH requests?

                                        What commands specifically?

                                        Thanks

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.