Netgate Discussion Forum
    Openvpn site 2 site

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
7 Posts 2 Posters 3.0k Views
RpR:

      Hi,

I am looking to create a site-to-site VPN between an Ubuntu server and pfSense.
But all the documentation is using 1.2.3 instead of 2.0.

Does anyone have some good docs or links on how to set it up in 2.0?

jimp (Rebel Alliance Developer, Netgate):

Just set up a Peer-to-Peer (shared key) setup. There isn't much to it: just let it make the key automatically, fill in the subnets, etc.

If you install the OpenVPN client export package, it can give you a .zip file that contains the config and shared key file to use on the Ubuntu side.

If the Ubuntu side is the server and you already have a config there, you'll just need to copy/paste the shared key into the box, and fill in the fields based on the settings in the server config.

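The steps jimp lists (peer address, the two tunnel endpoints, the remote subnets, the shared key, and a cipher that matches the pfSense side) can be written down and sanity-checked before the tunnel is ever started. The following is an added example, not code from the thread, from pfSense or from the client export package; the host name, the AES-128-CBC default (taken from what the pfSense side in this thread turned out to use) and the 10.10.5.0/24 remote LAN are assumptions for illustration. It renders an Ubuntu-side static-key client.conf, checks a config for the directives a static-key peer cannot do without, and fixes the key file mode that the "group or others accessible" warning complains about.

```python
import os
import stat
import tempfile
from ipaddress import IPv4Network


# Hypothetical helper (added example): render the Ubuntu-side client.conf for a
# static-key (peer-to-peer) tunnel. Substitute the real pfSense settings; the
# cipher default is an assumption, not something the package enforces.
def render_static_key_client(remote_host, local_tun_ip, remote_tun_ip,
                             remote_lans, key_path="static.key",
                             cipher="AES-128-CBC", port=1194):
    lines = [
        "dev tun",
        "proto udp",
        f"remote {remote_host} {port}",
        # local endpoint first, then the peer's endpoint (mirror of the server side)
        f"ifconfig {local_tun_ip} {remote_tun_ip}",
        f"secret {key_path}",
        # static-key peers negotiate nothing: both sides must state the same cipher
        f"cipher {cipher}",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    # One 'route' per remote LAN; without it only the tunnel endpoints are reachable.
    for lan in remote_lans:
        net = IPv4Network(lan, strict=True)
        lines.append(f"route {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"


def parse_directives(text):
    """Map directive name -> list of argument lists; '#' and ';' comments are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def config_checks(text, expected_cipher):
    """List the problems a static-key client config has against a peer using expected_cipher."""
    problems = []
    d = parse_directives(text)
    for required in ("remote", "ifconfig", "secret"):
        if required not in d:
            problems.append(f"missing '{required}' directive")
    if "cipher" not in d:
        problems.append("no 'cipher' directive: OpenVPN 2.1 falls back to BF-CBC, which must match the peer")
    elif d["cipher"][0][0] != expected_cipher:
        problems.append(f"cipher {d['cipher'][0][0]} does not match the peer's {expected_cipher}")
    if "route" not in d:
        problems.append("no 'route' for the remote LAN: only the tunnel endpoints will be reachable")
    return problems


def key_file_is_private(path):
    """True when the shared key is accessible by its owner only (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def harden_key_file(path):
    """Clear the group/other bits, which is what the 'group or others accessible' warning asks for."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return key_file_is_private(path)


def demo_key_hardening():
    """Create a constructed world-readable key file and fix it; returns (private before, private after)."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "static.key")
        with open(key, "w") as fh:
            fh.write("# constructed placeholder, not a real OpenVPN static key\n")
        os.chmod(key, 0o644)
        before = key_file_is_private(key)
        after = harden_key_file(key)
    return before, after


if __name__ == "__main__":
    cfg = render_static_key_client("pfsense.example.invalid", "10.0.8.2", "10.0.8.1",
                                   ["10.10.5.0/24"])
    print(cfg)
    print("problems:", config_checks(cfg, "AES-128-CBC"))
    print("key private before/after:", demo_key_hardening())
```

The route check is the one most easily missed in a shared-key setup: the tunnel endpoints answer pings as soon as the key and cipher agree, but traffic for the LAN behind the peer goes nowhere until each side has a route for the other's subnet (and firewall rules on the pfSense side allowing it).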
RpR:

OK, tried to install the package but it still isn't working. I will give some details about my steps.
When everything is working I will post it on the wiki.

This is a Visio diagram of how the network looks:

pfSense has 10.10.5.1 as IP.

I went to VPN, then OpenVPN.
Then selected Server and pressed the + sign.
And filled in the info that I thought was right:

Then I tried to use the package that you recommended, but when I selected shared key export I get this:

Then I pressed Configuration or Configuration Archive and I get this:

The remote server is an empty drop-down box.

So I tried to use some of the standard Ubuntu configs:

          
          #
          # Sample OpenVPN configuration file for
          # home using a pre-shared static key.
          #
          # '#' or ';' may be used to delimit comments.
          
          # Use a dynamic tun device.
          # For Linux 2.2 or non-Linux OSes,
          # you may want to use an explicit
          # unit number such as "tun1".
          # OpenVPN also supports virtual
          # ethernet "tap" devices.
          dev tun
          
          # Our OpenVPN peer is the office gateway.
          remote homeserver.it-source.be
          
          # 10.0.8.2 is our local VPN endpoint (home).
          # 10.0.8.1 is our remote VPN endpoint (office).
          ifconfig 10.0.8.2 10.0.8.1
          
          # Our up script will establish routes
          # once the VPN is alive.
          up ./home.up
          
          # Our pre-shared static key
          secret static.key
          
          # OpenVPN 2.0 uses UDP port 1194 by default
          # (official port assignment by iana.org 11/04).
          # OpenVPN 1.x uses UDP port 5000 by default.
          # Each OpenVPN tunnel must use
          # a different port number.
          # lport or rport can be used
          # to denote different ports
          # for local and remote.
          ; port 1194
          
          # Downgrade UID and GID to
          # "nobody" after initialization
          # for extra security.
          ; user nobody
          ; group nobody
          
          # If you built OpenVPN with
          # LZO compression, uncomment
          # out the following line.
          ; comp-lzo
          
          # Send a UDP ping to remote once
          # every 15 seconds to keep
          # stateful firewall connection
          # alive.  Uncomment this
          # out if you are using a stateful
          # firewall.
          ; ping 15
          
          # Uncomment this section for a more reliable detection when a system
          # loses its connection.  For example, dial-ups or laptops that
          # travel to other locations.
          ; ping 15
          ; ping-restart 45
          ; ping-timer-rem
          ; persist-tun
          ; persist-key
          
          # Verbosity level.
          # 0 -- quiet except for fatal errors.
          # 1 -- mostly quiet, but display non-fatal network errors.
          # 3 -- medium output, good for normal operation.
          # 9 -- verbose, good for troubleshooting
          verb 3
          
          

Then I start OpenVPN on the Ubuntu server using:
sudo openvpn --config client.conf

          I get this:

          
          Fri Mar 11 10:47:22 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
          Fri Mar 11 10:47:22 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
          Fri Mar 11 10:47:22 2011 /usr/sbin/openvpn-vulnkey -q static.key
          Fri Mar 11 10:47:22 2011 WARNING: file 'static.key' is group or others accessible
          Fri Mar 11 10:47:22 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
          Fri Mar 11 10:47:22 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Mar 11 10:47:22 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
          Fri Mar 11 10:47:22 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Mar 11 10:47:22 2011 TUN/TAP device tun0 opened
          Fri Mar 11 10:47:22 2011 TUN/TAP TX queue length set to 100
          Fri Mar 11 10:47:22 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
          Fri Mar 11 10:47:22 2011 ./home.up tun0 1500 1544 10.0.8.2 10.0.8.1 init
          Fri Mar 11 10:47:22 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
          Fri Mar 11 10:47:22 2011 Local Options hash (VER=V4): 'bf74dd2b'
          Fri Mar 11 10:47:22 2011 Expected Remote Options hash (VER=V4): '5599a99e'
          Fri Mar 11 10:47:22 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
          Fri Mar 11 10:47:22 2011 UDPv4 link local (bound): [undef]:1194
          Fri Mar 11 10:47:22 2011 UDPv4 link remote: ***.***.***.***:1194
          
          

home.up is an empty file.
On the Ubuntu server I can ping 10.0.8.2 but not 10.0.8.1.
On pfSense I can ping 10.0.8.1 but not 10.0.8.2.
I also opened the OpenVPN port and logged access, and it shows up in the logs.

          Hope that anyone can help me out.

RpR:

I've also tried to look at the config file that pfSense makes, and read on the forums (http://forum.pfsense.org/index.php?topic=13123.0) that it should be in /var/etc/
But I can't read (not readable text, not a file security issue) either openvpn or openvpn-csc.

RpR:

Got further.
I've added "cipher AES-128-CBC # AES" to the Ubuntu server's client.conf and now I get:

              
              Fri Mar 11 11:10:29 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
              Fri Mar 11 11:10:29 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
              Fri Mar 11 11:10:29 2011 /usr/sbin/openvpn-vulnkey -q static.key
              Fri Mar 11 11:10:29 2011 WARNING: file 'static.key' is group or others accessible
              Fri Mar 11 11:10:29 2011 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
              Fri Mar 11 11:10:29 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Fri Mar 11 11:10:29 2011 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
              Fri Mar 11 11:10:29 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Fri Mar 11 11:10:29 2011 TUN/TAP device tun0 opened
              Fri Mar 11 11:10:29 2011 TUN/TAP TX queue length set to 100
              Fri Mar 11 11:10:29 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
              Fri Mar 11 11:10:29 2011 ./home.up tun0 1500 1560 10.0.8.2 10.0.8.1 init
              Fri Mar 11 11:10:29 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:4 ET:0 EL:0 ]
              Fri Mar 11 11:10:29 2011 Local Options hash (VER=V4): '8a061ebb'
              Fri Mar 11 11:10:29 2011 Expected Remote Options hash (VER=V4): 'd999b7d9'
              Fri Mar 11 11:10:29 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
              Fri Mar 11 11:10:29 2011 UDPv4 link local (bound): [undef]:1194
              Fri Mar 11 11:10:29 2011 UDPv4 link remote: 81.243.168.83:1194
              Fri Mar 11 11:10:39 2011 Peer Connection Initiated with 81.243.168.83:1194
              Fri Mar 11 11:10:40 2011 Initialization Sequence Completed
              Fri Mar 11 11:14:01 2011 event_wait : Interrupted system call (code=4)
              Fri Mar 11 11:14:01 2011 TCP/UDP: Closing socket
              Fri Mar 11 11:14:01 2011 Closing TUN/TAP interface
              Fri Mar 11 11:14:02 2011 SIGINT[hard,] received, process exiting
              vokaadmin@kvksrv58:/etc/openvpn$ sudo openvpn --config client.conf 
              Fri Mar 11 11:14:03 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
              Fri Mar 11 11:14:03 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
              Fri Mar 11 11:14:03 2011 /usr/sbin/openvpn-vulnkey -q static.key
              Fri Mar 11 11:14:03 2011 WARNING: file 'static.key' is group or others accessible
              Fri Mar 11 11:14:03 2011 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
              Fri Mar 11 11:14:03 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Fri Mar 11 11:14:03 2011 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
              Fri Mar 11 11:14:03 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Fri Mar 11 11:14:03 2011 TUN/TAP device tun0 opened
              Fri Mar 11 11:14:03 2011 TUN/TAP TX queue length set to 100
              Fri Mar 11 11:14:03 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
              Fri Mar 11 11:14:03 2011 ./home.up tun0 1500 1560 10.0.8.2 10.0.8.1 init
              Fri Mar 11 11:14:03 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:4 ET:0 EL:0 ]
              Fri Mar 11 11:14:03 2011 Local Options hash (VER=V4): '8a061ebb'
              Fri Mar 11 11:14:03 2011 Expected Remote Options hash (VER=V4): 'd999b7d9'
              Fri Mar 11 11:14:03 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
              Fri Mar 11 11:14:03 2011 UDPv4 link local (bound): [undef]:1194
              Fri Mar 11 11:14:03 2011 UDPv4 link remote: ***.***.***.***:1194
              Fri Mar 11 11:14:13 2011 Peer Connection Initiated with ***.***.***.***:1194
              Fri Mar 11 11:14:14 2011 Initialization Sequence Completed
              
              

              But pings don't work.

RpR:
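The two logs above differ in exactly the fields that decide whether a static-key tunnel comes up: the first run shows OpenVPN 2.1's default cipher (BF-CBC) and never reaches "Initialization Sequence Completed", the second shows AES-128-CBC and does, while both carry the "group or others accessible" warning about static.key. The following is an added example, not code from the thread or from OpenVPN: a small log triage that pulls those fields out of client output and reports what needs attention, given the cipher the pfSense side uses. The sample logs are constructed from the shape of the runs above, with a documentation placeholder in place of the peer address.

```python
import re

# Constructed sample logs modelled on the two runs posted in the thread (first
# without a cipher directive, then with cipher AES-128-CBC); only the lines the
# triage needs are kept, and 192.0.2.10 is a placeholder peer address.
RUN_WITHOUT_CIPHER = """\
Fri Mar 11 10:47:22 2011 WARNING: file 'static.key' is group or others accessible
Fri Mar 11 10:47:22 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 11 10:47:22 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 11 10:47:22 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
Fri Mar 11 10:47:22 2011 UDPv4 link remote: 192.0.2.10:1194
"""

RUN_WITH_CIPHER = """\
Fri Mar 11 11:10:29 2011 WARNING: file 'static.key' is group or others accessible
Fri Mar 11 11:10:29 2011 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Mar 11 11:10:29 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 11 11:10:29 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
Fri Mar 11 11:10:29 2011 UDPv4 link remote: 192.0.2.10:1194
Fri Mar 11 11:10:39 2011 Peer Connection Initiated with 192.0.2.10:1194
Fri Mar 11 11:10:40 2011 Initialization Sequence Completed
"""

# Patterns for the OpenVPN 2.1 static-key client messages seen above.
CIPHER_RE = re.compile(r"Static Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC")
IFCONFIG_RE = re.compile(r"ifconfig (\S+) (\S+) pointopoint (\S+) mtu (\d+)")
KEYWARN_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
REMOTE_RE = re.compile(r"UDPv4 link remote: (\S+)")


def triage(log_text):
    """Pull the tunnel parameters and the outcome out of an OpenVPN static-key client log."""
    report = {
        "cipher": None, "key_bits": None, "hmac": None, "device": None,
        "local": None, "remote": None, "mtu": None, "peer": None,
        "exposed_key": None, "completed": False,
    }
    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            report["cipher"], report["key_bits"] = m.group(1), int(m.group(2))
        elif m := HMAC_RE.search(line):
            report["hmac"] = f"{m.group(2)}-{m.group(1)}"
        elif m := IFCONFIG_RE.search(line):
            report["device"], report["local"], report["remote"] = m.group(1), m.group(2), m.group(3)
            report["mtu"] = int(m.group(4))
        elif m := KEYWARN_RE.search(line):
            report["exposed_key"] = m.group(1)
        elif m := REMOTE_RE.search(line):
            report["peer"] = m.group(1)
        elif "Initialization Sequence Completed" in line:
            report["completed"] = True
    return report


def findings(report, expected_cipher):
    """Turn a triage report into the points worth acting on, given the cipher the peer uses."""
    notes = []
    if report["cipher"] != expected_cipher:
        notes.append(f"cipher {report['cipher']} does not match the peer's {expected_cipher}; "
                     "static-key peers negotiate nothing, so both configs must state the same cipher")
    if report["exposed_key"]:
        notes.append(f"{report['exposed_key']} is readable by group/others; restrict it to the owner (mode 0600)")
    if not report["completed"]:
        notes.append("no 'Initialization Sequence Completed' line: the tunnel never came up")
    return notes


if __name__ == "__main__":
    for label, log in (("without cipher", RUN_WITHOUT_CIPHER), ("with cipher", RUN_WITH_CIPHER)):
        r = triage(log)
        print(label, "->", r["cipher"], r["hmac"], r["local"], "->", r["remote"], "completed:", r["completed"])
        for note in findings(r, "AES-128-CBC"):
            print("  -", note)
```

Run against the real output, the only note left for the second run is the key file mode, which is worth fixing even though the tunnel works: a shared static key readable by other accounts on the Ubuntu box is enough to decrypt or inject traffic on that tunnel.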

Ping from the Ubuntu server to 10.10.8.1 started to work after I set rules for the OpenVPN. But the other way around, from pfSense to Ubuntu on 10.0.8.2, doesn't work using either the WAN or LAN interface to ping.

RpR:

Anyone who knows the solution?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.