FANTASTIC VIDEO for Road Warrior VPN with local user database pf2.0

jaredadams

http://www.youtube.com/watch?v=odjviG-KDq8

There arent many guides for pfsense 2.0 let alone a video.

This video shows step by step how to setup Road Warrior VPN and authentication vs a local user database.

Now that I've been turned onto the local user database I like this method much better.  Seems much easier to manage users.

One question…. I would like to elimiate the user login and start openvpn as a service.  Is this possible?

Metu69salemi

do you mean in clients? if so read this

jaredadams

When a client uses the gui to connect they are prompted to enter a username and password.  Can the config file be edited to supply this information automatically so that a user is not prompted for it.

I'd like t to run as a service.  Just start up and run.  No intervention by our "intelligent" users.

Metu69salemi

That link had also info of run as service oportunity

jaredadams

@Metu69salemi:

That link had also info of run as service oportunity

Where did you see this?

After I completed the video and successfully login using the OpenVPN gui I tried to run it as a service.  It was a no go.  I believe its because I'm not entering the username and password.  As its running as a service its not prompting me for one.

Can the username and password information be included in the config file (the .ovpn file)?

Metu69salemi

A lot of quoting from openvpn sites

Running OpenVPN as a Windows Service

When OpenVPN runs as a service it will start a separate OpenVPN process for each configuration file it finds in the \Program Files\OpenVPN\config directory and will output a logfile of the same name to the \Program Files\OpenVPN\log directory.

When installed as a service, OpenVPN will default to manual start mode. You can go to the "Services" control panel in Control Panel -> Administrative Tools to start the service or to set it to Automatic Start mode.

A sample config file has been provided in \Program Files\OpenVPN\config\sample.ovpn.txt which can be adapted to your needs.
Service Notes:

    When you install OpenVPN as a service, you are actually installing openvpnserv.exe which is a service wrapper for OpenVPN, i.e. it reads the config file directory and starts up a separate OpenVPN process for each config file. openvpnserv.exe performs the same function under windows as the /etc/init.d/openvpn startup script does under linux.
    When you stop the OpenVPN service, it will send a terminate signal to all OpenVPN processes which were started by it.
    If the OpenVPN service wrapper (openvpnserv.exe) encounters fatal errors, it will write them to the windows event log, which can be viewed in Control Panel -> Administrative Tools -> Event Viewer -> Application Log.
    If the OpenVPN processes themselves encounter errors, they will write them to their respective log files in the log file directory.
    There is a one-to-one correspondence between an OpenVPN process, an OpenVPN config file, an OpenVPN log file, and a TAP-Win32 adapter which represents an endpoint of a VPN tunnel.
    OpenVPN tunnels are point-to-point in their simplest form, but can be made point-to-multi-point through the use of bridging or routing (see below).
    Multiple OpenVPN processes can run concurrently, each on a different TAP-Win32 adapter.
    openvpn.exe gets all configuration information from its config file, not from the registry.
    The openvpnserv.exe program (the service wrapper) gets several string parameters from the registry which can be modified by the user. If you change any of these parameters, you should be able to upgrade OpenVPN to a new version without the installer overwriting your changes:

    HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN

    config_dir
        configuration file directory to scan, defaults to "\Program Files\OpenVPN\config"
    config_ext
        file extension on configuration files, defaults to "ovpn"
    exe_path
        path to openvpn.exe, defaults to "\Program Files\OpenVPN\bin\openvpn.exe"
    log_dir
        log file directory, defaults to "\Program Files\OpenVPN\log"
    log_append
        if set to "1", multiple instantiations of an OpenVPN process will append onto the same log file, if set to "0" (default), each new instantiation will truncate the previous log file
    priority
        the windows priority class for each instantiated OpenVPN process, can be one of:
            "IDLE_PRIORITY_CLASS"
            "BELOW_NORMAL_PRIORITY_CLASS"
            "NORMAL_PRIORITY_CLASS" (default)
            "ABOVE_NORMAL_PRIORITY_CLASS"
            "HIGH_PRIORITY_CLASS"

Nachtfalke

@jaredadams:

@Metu69salemi:

That link had also info of run as service oportunity

(…)

Can the username and password information be included in the config file (the .ovpn file)?

If the username/password is in the config file I do not see any additional security. So you could just use certificates. This is less to configure on server and client site and if you want to stop a client by connecting to your server, just revoke the certificate.

Sorry for not answering you question with the user/pw in config file.

jaredadams

@Metu69salemi:

A lot of quoting from openvpn sites

Running OpenVPN as a Windows Service

When OpenVPN runs as a service it will start a separate OpenVPN process for each configuration file it finds in the \Program Files\OpenVPN\config directory and will output a logfile of the same name to the \Program Files\OpenVPN\log directory.

When installed as a service, OpenVPN will default to manual start mode. You can go to the "Services" control panel in Control Panel -> Administrative Tools to start the service or to set it to Automatic Start mode.

A sample config file has been provided in \Program Files\OpenVPN\config\sample.ovpn.txt which can be adapted to your needs.
Service Notes:

    When you install OpenVPN as a service, you are actually installing openvpnserv.exe which is a service wrapper for OpenVPN, i.e. it reads the config file directory and starts up a separate OpenVPN process for each config file. openvpnserv.exe performs the same function under windows as the /etc/init.d/openvpn startup script does under linux.
    When you stop the OpenVPN service, it will send a terminate signal to all OpenVPN processes which were started by it.
    If the OpenVPN service wrapper (openvpnserv.exe) encounters fatal errors, it will write them to the windows event log, which can be viewed in Control Panel -> Administrative Tools -> Event Viewer -> Application Log.
    If the OpenVPN processes themselves encounter errors, they will write them to their respective log files in the log file directory.
    There is a one-to-one correspondence between an OpenVPN process, an OpenVPN config file, an OpenVPN log file, and a TAP-Win32 adapter which represents an endpoint of a VPN tunnel.
    OpenVPN tunnels are point-to-point in their simplest form, but can be made point-to-multi-point through the use of bridging or routing (see below).
    Multiple OpenVPN processes can run concurrently, each on a different TAP-Win32 adapter.
    openvpn.exe gets all configuration information from its config file, not from the registry.
    The openvpnserv.exe program (the service wrapper) gets several string parameters from the registry which can be modified by the user. If you change any of these parameters, you should be able to upgrade OpenVPN to a new version without the installer overwriting your changes:

    HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN

    config_dir
        configuration file directory to scan, defaults to "\Program Files\OpenVPN\config"
    config_ext
        file extension on configuration files, defaults to "ovpn"
    exe_path
        path to openvpn.exe, defaults to "\Program Files\OpenVPN\bin\openvpn.exe"
    log_dir
        log file directory, defaults to "\Program Files\OpenVPN\log"
    log_append
        if set to "1", multiple instantiations of an OpenVPN process will append onto the same log file, if set to "0" (default), each new instantiation will truncate the previous log file
    priority
        the windows priority class for each instantiated OpenVPN process, can be one of:
            "IDLE_PRIORITY_CLASS"
            "BELOW_NORMAL_PRIORITY_CLASS"
            "NORMAL_PRIORITY_CLASS" (default)
            "ABOVE_NORMAL_PRIORITY_CLASS"
            "HIGH_PRIORITY_CLASS"

I read that.

I know how to start it as a service.

When I start the service it does not connect.

I assume this is because it does not prompt for a un/pw when one is needed to connect

I would like to know if this information can be included in the config file.

Am I being unclear with my question?

jaredadams

@Nachtfalke:

@jaredadams:

@Metu69salemi:

That link had also info of run as service oportunity

(…)

Can the username and password information be included in the config file (the .ovpn file)?

If the username/password is in the config file I do not see any additional security. So you could just use certificates. This is less to configure on server and client site and if you want to stop a client by connecting to your server, just revoke the certificate.

Sorry for not answering you question with the user/pw in config file.

If a client's machine was ever comprimised I could easily disable the user in pfsense.  I'm not worried about that additional level of security.

Is there really nobody who knows if the un/pw can be inserted into the config file and its syntax to do so?

Metu69salemi

Use this link, there should be the first hit that defines everything for you