Netgate Discussion Forum
    OpenVPN on pfsense 2.0

    davidfic

      After much searching of the boards and the web I've finally broken down and decided to ask for help on the boards.

      I'm running pfsense 2.0:

      2.0-BETA1
      built on Sat Apr 10 13:09:49 EDT 2010

      And I can't get the OpenVPN server to work. I've tried every way from Sunday and still no dice. Here is what I have so far.

      I've mainly tried just using the webpage to do all the server creation and certificate creation although I did have one attempt with using the OpenVPN download and easy-rsa.

      I have a server certificate installed as well as a client certificate that was generated from the webpage off of that server cert. I've also uploaded the keys that my Macbook is using to successfully connect to another VPN.

      I'm using Tunnelblick as my client software.

      Here is the output from my latest connection attempt:

      2011-05-28 06:53:15 *Tunnelblick: OS X 10.6.7; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
      2011-05-28 06:53:17 *Tunnelblick: Attempting connection with home; Set nameserver = 1; monitoring connection
      2011-05-28 06:53:17 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start home.conf 1338 1 0 0 0 49
      2011-05-28 06:53:17 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar  1 2011
      2011-05-28 06:53:17 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
      2011-05-28 06:53:17 Need hold release from management interface, waiting…
      2011-05-28 06:53:17 MANAGEMENT: Client connected from 127.0.0.1:1338
      2011-05-28 06:53:17 MANAGEMENT: CMD 'pid'
      2011-05-28 06:53:17 MANAGEMENT: CMD 'state on'
      2011-05-28 06:53:17 MANAGEMENT: CMD 'state'
      2011-05-28 06:53:17 MANAGEMENT: CMD 'hold release'
      2011-05-28 06:53:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      2011-05-28 06:53:17 LZO compression initialized
      2011-05-28 06:53:17 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
      2011-05-28 06:53:17 Socket Buffers: R=[42080->65536] S=[9216->65536]
      2011-05-28 06:53:17 MANAGEMENT: >STATE:1306579997,RESOLVE,,,
      2011-05-28 06:53:17 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      2011-05-28 06:53:17 Local Options hash (VER=V4): '41690919'
      2011-05-28 06:53:17 Expected Remote Options hash (VER=V4): '530fdded'
      2011-05-28 06:53:17 UDPv4 link local: [undef]
      2011-05-28 06:53:17 UDPv4 link remote: 209.6.51.199:1194
      2011-05-28 06:53:17 MANAGEMENT: >STATE:1306579997,WAIT,,,
      2011-05-28 06:53:17 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/davidfic/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/davidfic/Library/Application Support/Tunnelblick/Configurations/home.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sdavidfic-SLibrary-SApplication Support-STunnelblick-SConfigurations-Shome.conf.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart

      My latest attempt was using the OpenVPN wizard to create the VPN, so the firewall rules should be set up correctly. Like I said, my MacBook can use Tunnelblick to connect to another VPN, so I know at least the MacBook's keys are good.

      I'm at a total loss as to what to do next. Any advice would be much appreciated.

      Thanks

      Is there any other info that I would need to provide to help diagnose the problem?
      Here are the contents of the openvpn.log file:

      May 28 17:22:23 router openvpn[1856]: OpenVPN 2.1_rc20 i386-portbld-freebsd8.0 [SSL] [LZO2] built on Mar 31 2010
      May 28 17:22:23 router openvpn[1856]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      May 28 17:22:23 router openvpn[1856]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      May 28 17:22:23 router openvpn[1856]: TUN/TAP device /dev/tun1 opened
      May 28 17:22:23 router openvpn[1856]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
      May 28 17:22:23 router openvpn[1856]: /etc/rc.filter_configure ovpns1 1500 1541 10.0.8.1 10.0.8.2 init
      May 28 17:22:25 router openvpn[5617]: UDPv4 link local (bound): 209.6.51.199:1194
      May 28 17:22:25 router openvpn[5617]: UDPv4 link remote: [undef]
      May 28 17:22:25 router openvpn[5617]: Initialization Sequence Completed
      May 28 17:22:40 router openvpn[5617]: TLS Error: cannot locate HMAC in incoming packet from 192.168.2.199:62332
      May 28 17:23:10 router last message repeated 4 times
      May 28 17:23:40 router openvpn[5617]: TLS Error: cannot locate HMAC in incoming packet from 192.168.2.199:55424
      May 28 17:24:11 router last message repeated 4 times

      Also, I noticed this line in system.log:

      May 28 06:24:07 router php: /wizard.php: The command '/sbin/ifconfig ovpns1' returned exit code '1', the output was 'ifconfig: interface ovpns1 does not exist'

      I currently only have 2 interfaces set up, WAN and LAN, but I noticed that when I started setting up a 3rd interface, ovpns1 was an option. I didn't see anything in the docs about needing another interface for this. What does that line refer to?

      heper

        You are running a beta dating more than a year old... if you want the developers to help you out then you should update to one of the latest snapshots.

        davidfic

          Would you recommend upgrading from my current beta release to the RC1 release or do a full re-install?

          AhnHEL

            Check your tls-auth key on both server and client.

            And yes you can upgrade directly to RC2 from http://snapshots.pfsense.org/

            AhnHEL (Angel)

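The server log in the first post and the "check your tls-auth key on both sides" advice above, as an added Python example that is not part of the thread or of pfSense: it parses OpenVPN static key files, compares the server and client key material and key-direction settings the way a defender would before touching firewall rules, and counts the "cannot locate HMAC" errors per source from the log lines quoted above. The key files below are constructed samples in the standard static key file layout, not real key material, and all function names are my own.

```python
"""Added example (not from the thread): tls-auth consistency and log triage
for the "TLS Error: cannot locate HMAC" condition shown in the server log."""
from __future__ import annotations

import hashlib
import re

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # a V1 static key is 2048 bits written as 16 lines of hex


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes from an OpenVPN static key file.

    Comment lines ('#', as written by 'openvpn --genkey') and anything outside
    the BEGIN/END markers are ignored; a truncated or wrongly pasted key
    raises ValueError instead of silently comparing garbage.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if KEY_BEGIN not in lines or KEY_END not in lines:
        raise ValueError("missing static key BEGIN/END markers")
    body = lines[lines.index(KEY_BEGIN) + 1 : lines.index(KEY_END)]
    hexdata = "".join(ln for ln in body if ln and not ln.startswith("#"))
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex data inside the key body")
    raw = bytes.fromhex(hexdata)
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def key_is_wellformed(text: str) -> bool:
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def key_fingerprint(text: str) -> str:
    """Short SHA-256 fingerprint so two keys can be compared over a chat/ticket
    without pasting the key itself."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


def tls_auth_consistent(server_key: str, client_key: str,
                        server_dir, client_dir) -> list[str]:
    """List the problems with a server/client tls-auth pairing (empty = OK).

    Key direction follows the OpenVPN rule: either both sides omit it (None)
    or one side uses 0 and the other 1.
    """
    problems = []
    if parse_static_key(server_key) != parse_static_key(client_key):
        problems.append("tls-auth key material differs between server and client")
    if {server_dir, client_dir} not in ({None}, {0, 1}):
        problems.append(f"key-direction pair {server_dir}/{client_dir} "
                        "is not 0/1 or omitted on both sides")
    return problems


HMAC_ERR = re.compile(r"TLS Error: cannot locate HMAC in incoming packet from (\S+):(\d+)")
REPEATED = re.compile(r"last message repeated (\d+) times")


def count_hmac_failures(log_lines) -> dict[str, int]:
    """Count 'cannot locate HMAC' errors per source IP, folding in syslog's
    'last message repeated N times' lines. Hits right after 'Initialization
    Sequence Completed' mean packets do reach the daemon, so the tls-auth key
    or key direction is the first thing to check, not the firewall rules."""
    counts: dict[str, int] = {}
    last_src = None
    for line in log_lines:
        m = HMAC_ERR.search(line)
        if m:
            last_src = m.group(1)
            counts[last_src] = counts.get(last_src, 0) + 1
            continue
        r = REPEATED.search(line)
        if r and last_src is not None:
            counts[last_src] += int(r.group(1))
    return counts


def _sample_key(seed: int) -> str:
    # Constructed, deterministic demo key: NOT real key material.
    raw = bytes((i * seed + 7) % 256 for i in range(KEY_BYTES))
    hexlines = [raw.hex()[i:i + 32] for i in range(0, KEY_BYTES * 2, 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key (constructed sample)",
                      "#", KEY_BEGIN, *hexlines, KEY_END]) + "\n"


SERVER_KEY = _sample_key(1)
CLIENT_KEY_OK = _sample_key(1)     # same material: matches the server
CLIENT_KEY_WRONG = _sample_key(3)  # different material: the HMAC never checks out

# Server log lines as quoted in the thread's first post.
SERVER_LOG = [
    "May 28 17:22:25 router openvpn[5617]: Initialization Sequence Completed",
    "May 28 17:22:40 router openvpn[5617]: TLS Error: cannot locate HMAC in incoming packet from 192.168.2.199:62332",
    "May 28 17:23:10 router last message repeated 4 times",
    "May 28 17:23:40 router openvpn[5617]: TLS Error: cannot locate HMAC in incoming packet from 192.168.2.199:55424",
    "May 28 17:24:11 router last message repeated 4 times",
]

if __name__ == "__main__":
    print("HMAC failures per source:", count_hmac_failures(SERVER_LOG))
    print("server fp:", key_fingerprint(SERVER_KEY), "client fp:", key_fingerprint(CLIENT_KEY_WRONG))
    for p in tls_auth_consistent(SERVER_KEY, CLIENT_KEY_WRONG, 0, 1):
        print("problem:", p)
```

Comparing fingerprints rather than key files keeps the shared secret out of tickets and forum posts; the direction check matters because pfSense's exported client config and the server entry must use complementary directions (0/1) or omit it on both sides, and a mismatch there produces the same HMAC error as a wrong key.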
            davidfic

              The reason I asked about the upgrade is that all the options for the GUI don't allow me to auto-upgrade so I wasn't sure if it was advisable to go from 2.0 beta to RC1.

              jimp (Rebel Alliance Developer, Netgate)

                It should be safe to update.

                From then you might have to do a console update by URL. I'm not sure if Auto Update was fixed yet then or not, and I think even the manual update in the GUI had a couple issues.

                After you upgrade, edit/save your gateway entries, and it should be OK at that point.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.