Openvpn site 2 site



  • Hi,

    I am looking to create a site-to-site VPN between an Ubuntu server and pfSense.
    But all the documentation is using 1.2.3 instead of 2.0.

    Does anyone have some good docs or links on how to set it up in 2.0?


  • Rebel Alliance Developer Netgate

    Just set up a Peer-to-Peer (shared key) setup. There isn't much to it, just let it make the key automatically, fill in the subnets, etc.

    If you install the OpenVPN client export package it can give you a .zip file that contains the config and shared key file to use on the Ubuntu side.

    If the Ubuntu side is the server and you already have a config there, you'll just need to copy/paste the shared key into the box, and fill in the fields based on the settings in the server config.



  • Ok, tried to install the package but it still isn't working. I will give some details about my steps.
    When everything is working I will post it on the wiki.

    This is a Visio diagram of how the network looks:

    pfSense has 10.10.5.1 as IP.

    I went to VPN, then OpenVPN.
    Then selected Server and pressed the + sign.
    And filled in the info that I thought was right:

    Then I tried to use the package that you recommended, but when I selected shared key export I get this:

    Then I pressed Configuration or Configuration Archive and I get this:

    The remote server is an empty dropdown box.

    So I tried to use some of the standard Ubuntu configs:

    #
    # Sample OpenVPN configuration file for
    # home using a pre-shared static key.
    #
    # '#' or ';' may be used to delimit comments.

    # Use a dynamic tun device.
    # For Linux 2.2 or non-Linux OSes,
    # you may want to use an explicit
    # unit number such as "tun1".
    # OpenVPN also supports virtual
    # ethernet "tap" devices.
    dev tun

    # Our OpenVPN peer is the office gateway.
    remote homeserver.it-source.be

    # 10.0.8.2 is our local VPN endpoint (home).
    # 10.0.8.1 is our remote VPN endpoint (office).
    ifconfig 10.0.8.2 10.0.8.1

    # Our up script will establish routes
    # once the VPN is alive.
    up ./home.up

    # Our pre-shared static key
    secret static.key

    # OpenVPN 2.0 uses UDP port 1194 by default
    # (official port assignment by iana.org 11/04).
    # OpenVPN 1.x uses UDP port 5000 by default.
    # Each OpenVPN tunnel must use
    # a different port number.
    # lport or rport can be used
    # to denote different ports
    # for local and remote.
    ; port 1194

    # Downgrade UID and GID to
    # "nobody" after initialization
    # for extra security.
    ; user nobody
    ; group nobody

    # If you built OpenVPN with
    # LZO compression, uncomment
    # out the following line.
    ; comp-lzo

    # Send a UDP ping to remote once
    # every 15 seconds to keep
    # stateful firewall connection
    # alive.  Uncomment this
    # out if you are using a stateful
    # firewall.
    ; ping 15

    # Uncomment this section for a more reliable detection when a system
    # loses its connection.  For example, dial-ups or laptops that
    # travel to other locations.
    ; ping 15
    ; ping-restart 45
    ; ping-timer-rem
    ; persist-tun
    ; persist-key

    # Verbosity level.
    # 0 -- quiet except for fatal errors.
    # 1 -- mostly quiet, but display non-fatal network errors.
    # 3 -- medium output, good for normal operation.
    # 9 -- verbose, good for troubleshooting
    verb 3


    Then I start OpenVPN on the Ubuntu server using:
    sudo openvpn --config client.conf

    I get this:

    
    Fri Mar 11 10:47:22 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
    Fri Mar 11 10:47:22 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Mar 11 10:47:22 2011 /usr/sbin/openvpn-vulnkey -q static.key
    Fri Mar 11 10:47:22 2011 WARNING: file 'static.key' is group or others accessible
    Fri Mar 11 10:47:22 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Mar 11 10:47:22 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 10:47:22 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Mar 11 10:47:22 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 10:47:22 2011 TUN/TAP device tun0 opened
    Fri Mar 11 10:47:22 2011 TUN/TAP TX queue length set to 100
    Fri Mar 11 10:47:22 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
    Fri Mar 11 10:47:22 2011 ./home.up tun0 1500 1544 10.0.8.2 10.0.8.1 init
    Fri Mar 11 10:47:22 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
    Fri Mar 11 10:47:22 2011 Local Options hash (VER=V4): 'bf74dd2b'
    Fri Mar 11 10:47:22 2011 Expected Remote Options hash (VER=V4): '5599a99e'
    Fri Mar 11 10:47:22 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
    Fri Mar 11 10:47:22 2011 UDPv4 link local (bound): [undef]:1194
    Fri Mar 11 10:47:22 2011 UDPv4 link remote: ***.***.***.***:1194
    
    

    home.up is an empty file.
    On the Ubuntu server I can ping 10.0.8.2 but not 10.0.8.1.
    On pfSense I can ping 10.0.8.1 but not 10.0.8.1.
    I also opened the OpenVPN port and logged access, and it shows up in the logs.

    Hope that someone can help me out.



  • I've also tried to look at the config file that pfSense makes and read on the forums (http://forum.pfsense.org/index.php?topic=13123.0) that it should be in /var/etc/
    But I can't read (not readable text, not a file security issue) either openvpn or openvpn-csc.



  • Got further.
    I've added: cipher AES-128-CBC # AES to the Ubuntu server client.conf and now I get:

    
    Fri Mar 11 11:10:29 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
    Fri Mar 11 11:10:29 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Mar 11 11:10:29 2011 /usr/sbin/openvpn-vulnkey -q static.key
    Fri Mar 11 11:10:29 2011 WARNING: file 'static.key' is group or others accessible
    Fri Mar 11 11:10:29 2011 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Fri Mar 11 11:10:29 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 11:10:29 2011 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Fri Mar 11 11:10:29 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 11:10:29 2011 TUN/TAP device tun0 opened
    Fri Mar 11 11:10:29 2011 TUN/TAP TX queue length set to 100
    Fri Mar 11 11:10:29 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
    Fri Mar 11 11:10:29 2011 ./home.up tun0 1500 1560 10.0.8.2 10.0.8.1 init
    Fri Mar 11 11:10:29 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:4 ET:0 EL:0 ]
    Fri Mar 11 11:10:29 2011 Local Options hash (VER=V4): '8a061ebb'
    Fri Mar 11 11:10:29 2011 Expected Remote Options hash (VER=V4): 'd999b7d9'
    Fri Mar 11 11:10:29 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
    Fri Mar 11 11:10:29 2011 UDPv4 link local (bound): [undef]:1194
    Fri Mar 11 11:10:29 2011 UDPv4 link remote: 81.243.168.83:1194
    Fri Mar 11 11:10:39 2011 Peer Connection Initiated with 81.243.168.83:1194
    Fri Mar 11 11:10:40 2011 Initialization Sequence Completed
    Fri Mar 11 11:14:01 2011 event_wait : Interrupted system call (code=4)
    Fri Mar 11 11:14:01 2011 TCP/UDP: Closing socket
    Fri Mar 11 11:14:01 2011 Closing TUN/TAP interface
    Fri Mar 11 11:14:02 2011 SIGINT[hard,] received, process exiting
    vokaadmin@kvksrv58:/etc/openvpn$ sudo openvpn --config client.conf 
    Fri Mar 11 11:14:03 2011 OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 15 2010
    Fri Mar 11 11:14:03 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Mar 11 11:14:03 2011 /usr/sbin/openvpn-vulnkey -q static.key
    Fri Mar 11 11:14:03 2011 WARNING: file 'static.key' is group or others accessible
    Fri Mar 11 11:14:03 2011 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Fri Mar 11 11:14:03 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 11:14:03 2011 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Fri Mar 11 11:14:03 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Mar 11 11:14:03 2011 TUN/TAP device tun0 opened
    Fri Mar 11 11:14:03 2011 TUN/TAP TX queue length set to 100
    Fri Mar 11 11:14:03 2011 ifconfig tun0 10.0.8.2 pointopoint 10.0.8.1 mtu 1500
    Fri Mar 11 11:14:03 2011 ./home.up tun0 1500 1560 10.0.8.2 10.0.8.1 init
    Fri Mar 11 11:14:03 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:4 ET:0 EL:0 ]
    Fri Mar 11 11:14:03 2011 Local Options hash (VER=V4): '8a061ebb'
    Fri Mar 11 11:14:03 2011 Expected Remote Options hash (VER=V4): 'd999b7d9'
    Fri Mar 11 11:14:03 2011 Socket Buffers: R=[124928->131072] S=[124928->131072]
    Fri Mar 11 11:14:03 2011 UDPv4 link local (bound): [undef]:1194
    Fri Mar 11 11:14:03 2011 UDPv4 link remote: ***.***.***.***:1194
    Fri Mar 11 11:14:13 2011 Peer Connection Initiated with ***.***.***.***:1194
    Fri Mar 11 11:14:14 2011 Initialization Sequence Completed
    
    

    But pings don't work.



  • Ping from the Ubuntu server to 10.10.8.1 started to work after I set rules for OpenVPN. But the other way around, from pfSense to Ubuntu on 10.0.8.2, doesn't work using either the WAN or LAN interface to ping.
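    In a shared-key tunnel nothing pushes routes, so with home.up empty (as in the earlier post) the Ubuntu box has no route to the pfSense LAN and answers pfSense's 10.10.5.1 via its default gateway instead of through tun0, which is one common reason the pfSense-to-Ubuntu pings above go unanswered. The following home.up is an added example (not from the thread or from pfSense) that adds that route from the arguments OpenVPN passes to the up script; it assumes the pfSense LAN behind 10.10.5.1 is 10.10.5.0/24 and that iproute2 is installed.

```shell
#!/bin/sh
# home.up for the Ubuntu side of the shared-key tunnel (added example, not
# from the thread). OpenVPN runs the --up script with positional arguments,
# exactly as the log shows:
#     ./home.up tun0 1500 1544 10.0.8.2 10.0.8.1 init
#     $1 tun device  $2 tun MTU  $3 link MTU  $4 local VPN IP
#     $5 remote VPN IP (pfSense end)  $6 "init" or "restart"
# Assumption: the pfSense LAN behind 10.10.5.1 is 10.10.5.0/24.
REMOTE_LAN="${REMOTE_LAN:-10.10.5.0/24}"

is_ipv4() {
    # Four dotted decimal fields and nothing else; enough to reject junk
    # before it reaches the routing table.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Turn OpenVPN's arguments into the route command. It is returned as text
# rather than executed so the logic can be checked without root.
build_route_cmd() {
    dev="$1"
    remote_vpn_ip="$5"
    case "$dev" in
        tun*) ;;
        *) echo "home.up: refusing unexpected device '$dev'" >&2; return 1 ;;
    esac
    if ! is_ipv4 "$remote_vpn_ip"; then
        echo "home.up: bad remote VPN address '$remote_vpn_ip'" >&2
        return 1
    fi
    # Route the pfSense LAN via the far end of the point-to-point tunnel.
    printf 'ip route replace %s via %s dev %s\n' \
        "$REMOTE_LAN" "$remote_vpn_ip" "$dev"
}

# Only act when OpenVPN actually invoked us (it always passes six arguments);
# sourcing or running the file by hand without arguments changes nothing.
if [ "$#" -ge 6 ]; then
    cmd="$(build_route_cmd "$@")" || exit 1
    echo "home.up: $cmd"
    $cmd
fi
```

    The pfSense side needs the matching piece: the Ubuntu-side LAN in the tunnel's remote network field and a pass rule on the OpenVPN interface, otherwise traffic is routed correctly but filtered.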



  • Anyone who knows the solution?

