Netgate Discussion Forum
    OpenVPN migration and consolidation to pfSense

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    11 Posts 2 Posters 9.1k Views
    dynaguy

      In our current network, we have a dedicated OpenVPN server (running OpenVPN Server 2.1 on Fedora) to serve dozens of people who access our LAN from a remote site. We also use an old SonicWall router which has port 1194 UDP forwarded to the server.

      Now I want to use the great pfSense 2.0 to replace the old OpenVPN server and the old SonicWall. So I need to safely and smoothly move all users from the old box to the new pfSense server with minimal interruption.

      Is there a how-to that I can start from? Or can someone give me some advice before I mess up my new pfSense? (OK, I did a backup already.)  ;)

      Nachtfalke

        Set up pfSense in a VM or on an extra machine and configure everything like in the SonicWall (firewall, open ports, DHCP, port forwarding).

        Import all certificates from your Fedora OpenVPN into pfSense, configure the OpenVPN server on pfSense and try to connect to it from the WAN interface of the pfSense with the certificates you actually use with the VPN server on Fedora.
        After you have done all this and some testing, save the configuration of pfSense; then you can set up your final pfSense machine and replace your current one with it (just switching over the LAN cables). If something doesn't work and you need to fix it really fast, just switch back to your old environment.

        If you have no IP/subnet changes there shouldn't be a problem.
                                                    /---Clients
        Internet - sonicwall -----SWITCH----Fedora-OVPN
                                              |
                                              |  from here try to connect to pfsense OpenVPN with the imported certs
                                              |
                                              |
                                          pfsense (WAN with NAT)
                                              |
                                            Test environment

        dynaguy

          Thanks for the help.

          I have now set up OpenVPN on the pfSense using information from the old Fedora box, and now I can successfully let the client connect to the pfSense. But it seems I have a routing issue, so even though the client gets connected it can't do anything (for example, ping fails).

          Here is the log from the OpenVPN client:

           May  4 13:54:28 gateway daemon.notice openvpn[12073]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2010
          May  4 13:54:28 gateway daemon.warn openvpn[12073]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
          May  4 13:54:28 gateway daemon.warn openvpn[12073]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          May  4 13:54:28 gateway daemon.notice openvpn[12073]: LZO compression initialized
          May  4 13:54:28 gateway daemon.notice openvpn[12073]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
          May  4 13:54:28 gateway daemon.notice openvpn[12073]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: Socket Buffers: R=[112640->131072] S=[112640->131072]
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link local: [undef]
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: UDPv4 link remote: 24.207.43.101:1194
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: TLS: Initial packet from 24.207.43.101:1194, sid=4506cb1d b7a47e1e
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=SJGEOPHYSICS/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
          May  4 13:54:28 gateway daemon.notice openvpn[12079]: VERIFY OK: depth=0, /C=CA/ST=BC/O=BLAHBLAH/CN=openvpn-gateway2/emailAddress=admin@mydomain.com
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
          May  4 13:54:30 gateway daemon.notice openvpn[12079]: [openvpn-gateway2] Peer Connection Initiated with 24.xxx.xxx.xxx:1194
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: SENT CONTROL [openvpn-gateway2]: 'PUSH_REQUEST' (status=1)
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0,route 10.66.77.1,topology net30,ping 10,ping-restart 60,ifconfig 10.66.77.6 10.66.77.5'
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: timers and/or timeouts modified
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: --ifconfig/up options modified
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: OPTIONS IMPORT: route options modified
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP device tun11 opened
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: TUN/TAP TX queue length set to 100
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5
          May  4 13:54:32 gateway daemon.notice openvpn[12079]: Initialization Sequence Completed
          

          I noticed that in this log, this line is different:

          May  4 13:54:32 gateway daemon.notice openvpn[12079]: /sbin/route add -net 10.66.77.1 netmask 255.255.255.255 gw 10.66.77.5
          

          When I switch the client to the old Fedora box, the route add line is:

          May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
          May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
          May  4 14:08:40 gateway daemon.notice openvpn[12177]: /sbin/route add -net 10.66.77.0 netmask 255.255.255.0 gw 10.66.77.5
          May  4 14:08:40 gateway daemon.notice openvpn[12177]: Initialization Sequence Completed
          

          Is there something I missed?

          Attached screen shot of my

          Screenshot-1.png

          Nachtfalke

            After setting up the OpenVPN server under pfSense there is a new "OpenVPN" tab in the firewall rules. There you have to add an allow rule.

            dynaguy

              Thanks for the help.

              I created a simple firewall rule – pass everything. (Not sure if this is correct.) But it is still not working.

              The log shows some TLS errors, but when I enabled the OpenVPN server, I unchecked "Enable authentication of TLS packets".

              Here is the log:

              Last 50 OpenVPN log entries
              May 5 12:27:26 openvpn[940]: openvpn-jiangao/206.116.xxx.xxx:63308 send_push_reply(): safe_cap=960
              May 5 12:27:25 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
              May 5 12:27:25 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
              May 5 12:27:23 openvpn[940]: MULTI_sva: pool returned IPv4=10.66.77.6, IPv6=64da:bfbf:26:5028:e8d7:bfbf:391:608
              May 5 12:27:23 openvpn[940]: 206.116.xxx.xxx:63308 [openvpn-test] Peer Connection Initiated with [AF_INET]206.116.xxx.xxx:63308
              May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 LZO compression initialized
              May 5 12:27:21 openvpn[940]: 206.116.xxx.xxx:63308 Re-using SSL/TLS context
              May 5 12:27:17 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
              May 5 12:27:17 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
              May 5 12:27:13 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
              May 5 12:27:13 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
              May 5 12:27:11 openvpn[20744]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
              May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 TLS Error: reading acknowledgement record from packet
              May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 LZO compression initialized
              May 5 12:27:11 openvpn[940]: 24.xxx.xxx.xxx:9464 Re-using SSL/TLS context
              May 5 12:27:11 openvpn[20744]: UDPv4 link remote: [AF_INET]24.xxx.xxx.xxx:1194
              May 5 12:27:11 openvpn[20744]: UDPv4 link local (bound): [AF_INET]24.xxx.xxx.xxx
              May 5 12:27:11 openvpn[20744]: Re-using SSL/TLS context
              May 5 12:27:11 openvpn[20744]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              May 5 12:27:11 openvpn[20744]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
              May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS handshake failed
              May 5 12:27:10 openvpn[940]: 24.xxx.xxx.xxx:49511 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
              May 5 12:27:09 openvpn[20744]: SIGUSR1[soft,ping-restart] received, process restarting
              May 5 12:27:09 openvpn[20744]: [UNDEF] Inactivity timeout (--ping-restart), restarting

              Screenshot-2.png

              dynaguy

                Here is the real conf file I found from the shell:

                cat /var/etc/openvpn/server1.conf

                dev ovpns1
                dev-type tun
                dev-node /dev/tun1
                writepid /var/run/openvpn_server1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 24.xxx.xxx.xxx
                tls-server
                server 10.66.77.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc
                lport 1194
                management /var/etc/openvpn/server1.sock unix
                push "route 192.168.123.0 255.255.255.0"
                ca /var/etc/openvpn/server1.ca
                cert /var/etc/openvpn/server1.cert
                key /var/etc/openvpn/server1.key
                dh /etc/dh-parameters.2048

                -------------------------------------
                I don't remember ever transferring the DH parameters from my Fedora box to the pfSense. I looked around and I didn't find anywhere I can import this on the web GUI. Could this be a problem?
                Just found the answer for the DH parameter in the FAQ. :)

                Nachtfalke

                  Could you post your client.conf, too?

                  TLS Error: cannot locate HMAC in incoming packet from [AF_INET]24.xxx.xxx.xxx:1194
                  

                  I think this is something with the tls-auth: a mismatch of the static key between client and server, or server disabled and client enabled.

                  Firewall rules:
                  Why just pass TCP? Why not TCP/UDP or, better, "any"?

                  dynaguy

                    I changed the TCP to UDP at Firewall/Rules/OpenVPN. Thank you for pointing it out. But it doesn't make any difference.

                    Here is my client config.ovpn:

                    client
                    dev tun11
                    proto udp
                    remote 24.xxx.xxx.xxx 1194
                    resolv-retry 30
                    nobind
                    persist-key
                    persist-tun
                    comp-lzo yes
                    verb 3
                    ca ca.crt
                    cert client.crt
                    key client.key
                    status-version 2
                    status status

                    Nachtfalke

                      I couldn't find

                      cipher BF-CBC
                      

                      in your client.conf,

                      and

                      comp-lzo
                      

                      is without "yes" in my config. Not sure if this really is a mistake.

                      dynaguy

                        I finally got it working! ;D

                        I set Firewall/Rules/OpenVPN/Protocol to "any". Now I can ping through the VPN tunnel. But why does it have to be "any"? My guess is it refers to the protocol inside the VPN tunnel. UDP doesn't work because PING is ICMP(TCP). Right?

                        Another thing is that "TLS Error: cannot locate HMAC in incoming packet" still exists in the log file.

                        Nachtfalke

                          I think there is a misunderstanding:

                          The protocol you configure in the client config and the server config is the protocol used to establish the VPN tunnel. It has NOTHING to do with the protocols you use inside this tunnel. The firewall rules tab "OpenVPN" is for the traffic inside the VPN tunnel and not the tunnel itself.
