OpenVPN migration and consolidation to pfSense



  • In our current network, we have a dedicated OpenVPN server (running OpenVPN Server 2.1 on Fedora) to serve dozens of people who access our LAN from remote sites. We also use an old SonicWall router which has port 1194 UDP forwarded to the server.

    Now I want to use the great pfSense 2.0 to replace the old OpenVPN server and the old SonicWall. So I need to safely and smoothly move all users from the old box to the new pfSense server with minimal interruption.

    Is there a How-to that I can start from? Or can someone give me some advice before I mess up my new pfSense? (OK, I did a backup already.)  ;)



  • Set up pfSense in a VM or on an extra machine and configure everything like in the SonicWall (firewall, open ports, DHCP, port forwarding).

    Import all certificates from your Fedora OpenVPN into pfSense. Configure the OpenVPN server on pfSense and try to connect to it from the WAN interface of the pfSense with the certificates you currently use with the VPN server on Fedora.
    After you have done all this and some testing, save the configuration of pfSense. Then you can set up your final pfSense machine and replace your current ones with it (just switching over the LAN cables), and if something doesn't work and you need to fix it really fast, just switch back to your old environment.

    If you have no IP/subnet changes there shouldn't be a problem.
                                                /--Clients
    Internet - sonicwall -----SWITCH----Fedora-OVPN
                                          |
                                          |  from here try to connect to pfsense OpenVPN with the imported certs
                                          |
                                          |
                                      pfsense (WAN with NAT)
                                          |
                                        Test environment



  • Thanks for the help.

    I have now set up OpenVPN on the pfSense using information from the old Fedora box, and clients can now successfully connect to the pfSense. But it seems I have a routing issue, so even though the client gets connected it can't do anything (for example, ping fails).

    Here is the log from the OpenVPN client:

    May  4 13:54:28 gateway daemon.notice openvpn[12073]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2010
    May  4 13:54:28 gateway daemon.warn openvpn[12073]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    May  4 13:54:28 gateway daemon.warn openvpn[12073]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    May  4 13:54:28 gateway daemon.notice openvpn[12073]: LZO compression initialized
    May  4 13:54:28 gateway daemon.notice openvpn[12073]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    May  4 13:54:28 gateway daemon.notice openvpn[12073]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: Socket Buffers: R=[112640->131072] S=[112640->131072]
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link local: [undef]
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link remote: 24.207.43.101:1194
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: TLS: Initial packet from 24.207.43.101:1194, sid=4506cb1d b7a47e1e
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=SJGEOPHYSICS/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
    May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=0, /C=CA/ST=BC/O=BLAHBLAH/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    May  4 13:54:30 gateway daemon.notice openvpn[12079]: [openvpn-gateway2] Peer Connection Initiated with 24.xxx.xxx.xxx:1194
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: SENT CONTROL [openvpn-gateway2]: 'PUSH_REQUEST' (status=1)
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0,route 10.66.77.1,topology net30,ping 10,ping-restart 60,ifconfig 10.66.77.6 10.66.77.5'
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: timers and/or timeouts modified
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: --ifconfig/up options modified
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: route options modified
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP device tun11 opened
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP TX queue length set to 100
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5
    May  4 13:54:32 gateway daemon.notice openvpn[12079]: Initialization Sequence Completed
    

    I noticed that in this log, this line is different:

    May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5
    

    When I switch the client using the old Fedora box, the route add line is:

    May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
    May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
    May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 10.66.77.0 netmask 255.255.255.0 gw 10.66.77.5
    May  4 14:08:40 gateway daemon.notice openvpn[12177]: Initialization Sequence Completed
    

    Is there something I missed?

    Attached screen shot of my
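An added check, not part of the thread: this Python helper parses the PUSH_REPLY option string from the pfSense log above and reports which destinations the client gains a route to. The old Fedora log shows only the resulting route add lines, so its PUSH_REPLY string below is constructed from them.

```python
import ipaddress

# PUSH_REPLY from the pfSense client log above (the 'PUSH_REPLY,' prefix stripped).
PFSENSE_PUSH = ("route 192.168.123.0 255.255.255.0,route 10.66.77.1,"
                "topology net30,ping 10,ping-restart 60,ifconfig 10.66.77.6 10.66.77.5")
# Constructed to match the route add lines the old Fedora server produced.
FEDORA_PUSH = ("route 192.168.123.0 255.255.255.0,route 10.66.77.0 255.255.255.0,"
               "topology net30,ping 10,ping-restart 60,ifconfig 10.66.77.6 10.66.77.5")


def parse_push_reply(opts):
    """Return the pushed routes (IPv4Network list), ifconfig pair and topology."""
    result = {"routes": [], "ifconfig": None, "topology": "net30"}
    for opt in opts.split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route":
            network = parts[1]
            # OpenVPN treats a 'route' without a netmask as a /32 host route,
            # which is exactly what the '/sbin/route add ... 255.255.255.255' line shows.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            result["routes"].append(
                ipaddress.IPv4Network(f"{network}/{mask}", strict=False))
        elif parts[0] == "ifconfig":
            result["ifconfig"] = (parts[1], parts[2])
        elif parts[0] == "topology":
            result["topology"] = parts[1]
    return result


def reachable_via_tunnel(opts, dst):
    """True if dst is covered by a pushed route or is one end of the net30 link."""
    pushed = parse_push_reply(opts)
    addr = ipaddress.IPv4Address(dst)
    local, remote = pushed["ifconfig"]
    if addr in (ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)):
        return True
    return any(addr in net for net in pushed["routes"])
```

Both replies give the client a route to the 192.168.123.0/24 LAN; only the Fedora one also routes the whole 10.66.77.0/24 tunnel subnet, so a LAN ping that fails on pfSense is not explained by the pushed routes alone.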




  • After setting up the OpenVPN Server under pfsense there is a new "OpenVPN" tab in the firewall. There you have to add an allow rule.



  • Thanks for the help.

    I created a simple firewall rule – pass everything. (Not sure if this is correct.) But it is still not working.

    The log shows some TLS errors, but when I enabled the OpenVPN server, I unchecked "Enable authentication of TLS packets".

    Here is the log:

    Last 50 OpenVPN log entries
    May 5 12:27:26 openvpn[940]: openvpn-jiangao/206.116.xxx.xxx:63308 send_push_reply(): safe_cap=960
    May 5 12:27:25 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
    May 5 12:27:25 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
    May 5 12:27:23 openvpn[940]: MULTI_sva: pool returned IPv4=10.66.77.6, IPv6=64da:bfbf:26:5028:e8d7:bfbf:391:608
    May 5 12:27:23 openvpn[940]: 206.116.xxx.xxx:63308 [openvpn-test] Peer Connection Initiated with [AF_INET]206.116.xxx.xxx:63308
    May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 LZO compression initialized
    May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 Re-using SSL/TLS context
    May 5 12:27:17 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
    May 5 12:27:17 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
    May 5 12:27:13 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
    May 5 12:27:13 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
    May 5 12:27:11 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
    May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
    May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 LZO compression initialized
    May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 Re-using SSL/TLS context
    May 5 12:27:11 openvpn[20744]: UDPv4 link remote: [AF_INET]24.xxx.xxx.xxx:1194
    May 5 12:27:11 openvpn[20744]: UDPv4 link local (bound): [AF_INET]24.xxx.xxx.xxx
    May 5 12:27:11 openvpn[20744]: Re-using SSL/TLS context
    May 5 12:27:11 openvpn[20744]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 5 12:27:11 openvpn[20744]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS handshake failed
    May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 5 12:27:09 openvpn[20744]: SIGUSR1[soft,ping-restart] received, process restarting
    May 5 12:27:09 openvpn[20744]: [UNDEF] Inactivity timeout (--ping-restart), restarting




  • Here is the real conf file I found from shell:

    cat /var/etc/openvpn/server1.conf

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.xxx.xxx.xxx
    tls-server
    server 10.66.77.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.123.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048

    --------------------------------------
    I don't remember ever transferring the DH parameters from my Fedora to the pfSense. I looked around and I didn't find anywhere I can import this in the Web GUI. Could this be a problem?
    Just found the answer for the DH Parameter on FAQ. :)



  • Could you post your client.conf, too?

    TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
    

    I think this is something with the tls-auth. Mismatch of the static key between client and server or server disabled and client enabled.

    Firewall rules:
    Why just pass TCP? Why not TCP/UDP or, better, "any"?



  • I changed the TCP to UDP at Firewall/Rule/OpenVPN. Thank you for pointing it out. But it doesn't make any difference.

    Here is my client config.ovpn:

    client
    dev tun11
    proto udp
    remote 24.xxx.xxx.xxx 1194
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    comp-lzo yes
    verb 3
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status



  • Couldn't find

    cipher BF-CBC
    

    in your client.conf

    and

    comp-lzo
    

    is without "yes" in my config. Not sure if this really is a mistake.
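An added helper, not from the thread, that applies the two checks in this reply and the tls-auth diagnosis a few posts above to excerpts of the server1.conf and config.ovpn posted earlier. It fills in the OpenVPN 2.1 defaults for directives that are absent (BF-CBC and SHA1, as the client log confirms), so a missing client `cipher` is reported as a match by default, while `comp-lzo yes` against a server with no comp-lzo, or `tls-auth` configured on only one side, is reported as a mismatch. The excerpts and the default table are assumptions taken from the thread, not pfSense code.

```python
# Excerpts of the two configs posted in this thread (assumed; "xxx" kept as in the post).
SERVER_CONF = """# pfSense /var/etc/openvpn/server1.conf, relevant lines only
proto udp
cipher BF-CBC
tls-server
server 10.66.77.0 255.255.255.0
push "route 192.168.123.0 255.255.255.0"
"""
CLIENT_CONF = """# client config.ovpn, relevant lines only
client
dev tun11
proto udp
remote 24.xxx.xxx.xxx 1194
comp-lzo yes
ca ca.crt
"""

# Values OpenVPN 2.1 uses when the directive is absent; tls-auth and comp-lzo are off.
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1",
            "comp-lzo": "no", "tls-auth": "off"}


def parse_conf(text):
    """Map each directive to its argument string; a bare directive maps to 'yes'."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip().strip('"') or "yes"
    return conf


def effective(conf, key):
    """Return (normalised value, True if it came from the default table)."""
    if key not in conf:
        return DEFAULTS[key], True
    if key == "tls-auth":                          # any 'tls-auth <file> [dir]' means on
        return "on", False
    if key == "comp-lzo":                          # bare, 'yes' and 'adaptive' all enable it
        return ("no" if conf[key] == "no" else "yes"), False
    return conf[key], False


def compare(server_text, client_text):
    """Report, per security-relevant directive, whether client and server agree."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    report = {}
    for key in DEFAULTS:
        sv, s_default = effective(server, key)
        cv, c_default = effective(client, key)
        if sv != cv:
            report[key] = f"MISMATCH server={sv} client={cv}"
        else:
            report[key] = f"match via default ({sv})" if (s_default or c_default) else f"match ({sv})"
    return report
```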



  • I got it working finally! ;D

    I set Firewall/Rules/OpenVPN/Protocol to "any". Now I can ping through the VPN tunnel. But why does it have to be "any"? My guess is it refers to the protocol inside the VPN tunnel. UDP doesn't work because PING is ICMP (TCP). Right?

    Another thing is that "TLS Error: cannot locate HMAC in incoming packet" still exists in the log file.



  • I think there is a misunderstanding:

    The protocol you configure in the client config and the server config is the protocol used to establish the VPN tunnel. It has NOTHING to do with the protocols you use inside this tunnel. The firewall rules tab "OpenVPN" is for the traffic inside the VPN tunnel, not the tunnel itself.

