OpenVPN migration and consolidation to pfSense

dynaguy

In our current network, we have a dedicate OpenVPN server (running OpenVPN Server 2.1 on Fedora) to serve dozens people to access our LAN form remote site. We also use an old SonicWall router which has port 1194 UDP forwarded to the server.

Now I want use the great pfSense 2.0 to replace the old OpenVPN server and the old SonicWall. So I need safely and smoothly move all users from the old box to the new pfSense server with minimal interruption.

Is there a How-to that I can start from? Or someone can give me some advises before I mess up my new pfSense? (OK, I did backup already.)  ;)

Nachtfalke

Setting up pfsense in an VM or on an extra machine and configure everything like in the sonicwall (firewall, open ports, dhcp, port forwarding)

Import all Certificates from your fedora OpenVPN into pfsense. configure the OpenVPN server on pfsense and try to connect it from the WAN interface of the pfsense with the certificates you use actually with the VPN Server on fedora.
After you did this all and did some testing, save the configuration of pfsense and then you could setup your final pfsense machine and replace it with your actual ones (just switching over the LAN cables) and if something didn't work and you need to fix this really fast, just switch back to your old environment.

if you have no IP/subnet changes there shouldn't be a problem.
                                            /–-Clients
Internet - sonicwall -----SWITCH----Fedora-OVPN
                                      |
                                      |  from here try to connect to pfsense OpenVPN with the imported certs
                                      |
                                      |
                                  pfsense (WAN with NAT)
                                      |
                                    Test environment

dynaguy

Thanks for the help.

I now setup OpenVPN on the pfSense using information from the old Fedora box and now I can successfully let client connect to the pfSense. But it seems I have a routing issue so even the client get connected but can't do anything. (for example, ping failed)

Here is the log from the OpenVPN client:

 May  4 13:54:28 gateway daemon.notice openvpn[12073]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2010
May  4 13:54:28 gateway daemon.warn openvpn[12073]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May  4 13:54:28 gateway daemon.warn openvpn[12073]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May  4 13:54:28 gateway daemon.notice openvpn[12073]: LZO compression initialized
May  4 13:54:28 gateway daemon.notice openvpn[12073]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
May  4 13:54:28 gateway daemon.notice openvpn[12073]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
May  4 13:54:28 gateway daemon.notice openvpn[12079]: Socket Buffers: R=[112640->131072] S=[112640->131072]
May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link local: [undef]
May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link remote: 24.207.43.101:1194
May  4 13:54:28 gateway daemon.notice openvpn[12079]: TLS: Initial packet from 24.207.43.101:1194, sid=4506cb1d b7a47e1e
May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=SJGEOPHYSICS/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=0, /C=CA/ST=BC/O=BLAHBLAH/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May  4 13:54:30 gateway daemon.notice openvpn[12079]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
May  4 13:54:30 gateway daemon.notice openvpn[12079]: [openvpn-gateway2] Peer Connection Initiated with 24.xxx.xxx.xxx:1194
May  4 13:54:32 gateway daemon.notice openvpn[12079]: SENT CONTROL [openvpn-gateway2]: 'PUSH_REQUEST' (status=1)
May  4 13:54:32 gateway daemon.notice openvpn[12079]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0,route 10.66.77.1,topology net30,ping 10,ping-restart 60,ifconfig 10.66.77.6 10.66.77.5'
May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: timers and/or timeouts modified
May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: --ifconfig/up options modified
May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: route options modified
May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP device tun11 opened
May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP TX queue length set to 100
May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5
May  4 13:54:32 gateway daemon.notice openvpn[12079]: Initialization Sequence Completed

I noticed that in this log, this line is different :

May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5

When I switch the client using the old Fedora box, the route add line is:

May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 10.66.77.0 netmask 255.255.255.0 gw 10.66.77.5
May  4 14:08:40 gateway daemon.notice openvpn[12177]: Initialization Sequence Completed

Is there something I missed?

Attached screen shot of my

Nachtfalke

After setting up the OpenVPN Server under pfsense there is a new "OpenVPN" tab in the firewall. There you have to add an allow rule.

dynaguy

Thanks for the help.

I created a simple firewall rule – pass everything. (Not sure if this is correct.) But it still not working.

The log shows some TLS errors, but when I enabled the OpenVPN server, I unchecked "Enable authentication of TLS packets".

Here is the log:

Last 50 OpenVPN log entries
May 5 12:27:26 openvpn[940]: openvpn-jiangao/206.116.xxx.xxx:63308 send_push_reply(): safe_cap=960
May 5 12:27:25 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
May 5 12:27:25 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
May 5 12:27:23 openvpn[940]: MULTI_sva: pool returned IPv4=10.66.77.6, IPv6=64da:bfbf:26:5028:e8d7:bfbf:391:608
May 5 12:27:23 openvpn[940]: 206.116.xxx.xxx:63308 [openvpn-test] Peer Connection Initiated with [AF_INET]206.116.xxx.xxx:63308
May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 LZO compression initialized
May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 Re-using SSL/TLS context
May 5 12:27:17 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
May 5 12:27:17 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
May 5 12:27:13 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
May 5 12:27:13 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
May 5 12:27:11 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 LZO compression initialized
May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 Re-using SSL/TLS context
May 5 12:27:11 openvpn[20744]: UDPv4 link remote: [AF_INET]24.xxx.xxx.xxx:1194
May 5 12:27:11 openvpn[20744]: UDPv4 link local (bound): [AF_INET]24.xxx.xxx.xxx
May 5 12:27:11 openvpn[20744]: Re-using SSL/TLS context
May 5 12:27:11 openvpn[20744]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
May 5 12:27:11 openvpn[20744]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS handshake failed
May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 5 12:27:09 openvpn[20744]: SIGUSR1[soft,ping-restart] received, process restarting
May 5 12:27:09 openvpn[20744]: [UNDEF] Inactivity timeout (–ping-restart), restarting

dynaguy

Here is the real conf file I found from shell:

cat /var/etc/openvpn/server1.conf

dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.xxx.xxx.xxx
tls-server
server 10.66.77.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.123.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048

–------------------------------------
I don't remember I ever transfer the dh parameters from my Fedora to the pfSense. I looked around and I did't find anywhere I can import this on the Web GUI. Could this be a problem?
Just found the answer for the DH Parameter on FAQ. :)

Nachtfalke

Could you post your client.conf, too ?

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194

I think this is something with the tls-auth. Mismatch of the static key between client and server or server disabled and client enabled.

Firewall rules:
Why just pass TCP ? Why not TCP/UDP or better "any" ?

dynaguy

I changed the TCP to UDP at Firewall/Rule/OpenVPN. Thank you for point it out. But it doesn't make any different.

Here is my client config.ovpn:

client
dev tun11
proto udp
remote 24.xxx.xxx.xxx 1194
resolv-retry 30
nobind
persist-key
persist-tun
comp-lzo yes
verb 3
ca ca.crt
cert client.crt
key client.key
status-version 2
status status

Nachtfalke

couldn't find

cipher BF-CBC

in your client.conf

and

comp-lzo

is without "yes" in my config. Not sure if this really is a mistake.

dynaguy

I got it works finally! ;D

I set Firewall/Rules/OPenVPN/Protocol to "any". Now I can ping through the VPN tunnel. But why has to be "any"? My guess is it refer the protocol inside the VPN tunnel. UDP does't work because PING is ICMP(TCP). Right?

Another thing is, that "TLS Error: cannot locate HMAC in incoming packet " still exist in the log file.

Nachtfalke

I think there is a misunderstanding:

the protocol you configure in the client config and the server config is the protocol to establish the VPN tunnel. It has NOTHING to do with the protocols you use inside this tunnel. The firewall rules tab "OpenVPN" is for the traffic inside the VPN tunnel and not the tunnel itself.