OpenVPN and 1.0-BETA1
-
Well this sucks. Even with the patch above, we have a problem with not having root permissions and adding/removing route information:
Mar 23 03:40:04 openvpn[9162]: event_wait : Interrupted system call (code=4)
Mar 23 03:40:04 openvpn[9162]: event_wait : Interrupted system call (code=4)
Mar 23 03:40:04 openvpn[9162]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Mar 23 03:40:04 openvpn[9162]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Mar 23 03:40:04 openvpn[9162]: SIGTERM[hard,] received, process exiting
Mar 23 03:40:04 openvpn[9162]: SIGTERM[hard,] received, process exiting
This came up after a rules reload. Grr…
EDIT: Scratch that. I failed to copy a file correctly. All is well with the above patches, save for route-up statements. Any suggestions on how to get those working would be much appreciated!
-
Just poking my head in to say that the above patches are indeed stable. I've been running on them for 5 days, reboots included, without issue.
I've been putting my brain to the task of getting the route-up statements to run with escalated privs, without success. Perhaps we add form fields in the setup pages for adding additional routes and create and tear down routes outside of OpenVPN, but one would think you could do this without re-inventing the wheel, no?
-
…and I think I've found my issue. --route-up isn't the command I want. From the OpenVPN 2.1 man pages:
--route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close. This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
netmask default -- 255.255.255.255
gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.
The default can be specified by leaving an option blank or setting it to "default".
The network and gateway parameters can also be specified as a DNS or /etc/hosts file resolvable name, or as one of three special keywords:
vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
net_gateway -- The pre-existing IP default gateway, read from the routing table (not supported on all OSes).
remote_host -- The --remote address if OpenVPN is being run in client mode, and is undefined in server mode.
So I've been using the wrong command altogether. On both sides. D'oh. :\
So I'll give this a whirl and see how it goes.
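A client-side config fragment showing the --route forms from the man page excerpt above, as an added example that is not from the thread or from the pfSense/OpenVPN projects. The 192.168.66.0/24 and 10.1.0.x addresses match the site-to-site setup discussed in this thread; the 192.168.77.0/24 network is constructed for illustration.

```conf
# Added example: declare extra routes with --route so OpenVPN adds them itself
# (before privileges are dropped) instead of running them from a route-up script.
dev tun
ifconfig 10.1.0.2 10.1.0.1
# remote office LAN; gateway is left blank, so it defaults to the second
# --ifconfig address (10.1.0.1) as the man page describes
route 192.168.66.0 255.255.255.0
# same thing spelled out with the vpn_gateway keyword (constructed network)
route 192.168.77.0 255.255.255.0 vpn_gateway
# keep the VPN peer itself reachable through the pre-existing default gateway,
# using two of the special keywords from the man page
route remote_host 255.255.255.255 net_gateway
user nobody
group nobody
persist-tun
persist-key
verb 3
```

Routes listed this way are torn down in reverse order when the TUN device is closed, so no separate down script needs root for that either.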
-
That did it. Man I'm an idiot. :P
It would probably behoove us to provide an interface for adding additional routes on a per-tunnel basis from the OpenVPN config pages.
One little request to the more PHP-literate amongst us… would it be possible to use the Description field as the name that appears in the firewall rules and elsewhere in the interface, as opposed to TUN0, TAP0, etc.? My clients are used to being able to name tunnels (from my dirty hack back at Christmas) and like the ability to do that. Just wondering. ;)
-
Note as of April 8th snapshots OpenVPN has been replaced with a completely rewritten version done by Fernando Lemos.
Please test!
-
I successfully configured a site-to-site VPN using OpenVPN. pfSense was the "client" and was a NATed box;
here are my notes:
VPN->OpenVPN->Client
Choose UDP as the protocol and select the appropriate values for remote server and remote port,
choose PKI as the authentication method and paste the CA certificate, client certificate and key,
select LZO compression,
and add the following to the custom options:
dev tun; ifconfig 10.1.0.2 10.1.0.1; tls-client; user nobody; group nobody; persist-tun; persist-key; verb 3
on the other box (linux in my case) I have the following config file:
dev tun
ifconfig 10.1.0.1 10.1.0.2
up /etc/openvpn/office.up
tls-server
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
push "route 192.168.66.0 255.255.255.0"
port 1194
user nobody
group nogroup
chroot /etc/openvpn/chroot
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
In office.up I set up routing.
You need a firewall rule to allow VPN traffic. I added a new interface and assigned tun0 to it; you can give it an arbitrary IP address, the right IP address will be assigned when OpenVPN comes up. Finally, add a pass-all rule on this new interface,
reboot pfsense box and it works!
I'm not sure if the way I chose to allow VPN traffic is the best one, however it works for me. Do you think there are alternative/better ways to allow VPN traffic?
If I set up another pfSense box and configure a cluster, I have to disable the OpenVPN tunnel on the backup node; a way to have failover for OpenVPN as well would be useful,
thanks for pfsense,
regards
drakkan
-
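A small lint for the kind of point-to-point setup drakkan describes, written as an added example that is not code from the thread or from the pfSense/OpenVPN projects. It checks that the two "ifconfig" lines mirror each other, that extra routes are declared with "route" / push "route" rather than driven from a route-up script (the mistake worked through earlier in this thread), and counts log lines where a route command exited with status 77 (EX_NOPERM, what a privileged command looks like after "user nobody" has taken effect). The file names, the bad.conf variant and the addroutes.sh path are hypothetical; the addresses and log lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint a client/server OpenVPN config pair
# and an OpenVPN log for the two problems discussed above.

# Print the two addresses of the first "ifconfig local remote" line as "local remote".
ovpn_ifconfig() {
    awk '$1 == "ifconfig" { print $2, $3; exit }' "$1"
}

# Succeed when the client's (local, remote) pair is the mirror image of the
# server's, i.e. each side names the other as its peer.
ovpn_check_ifconfig_pair() {
    c=$(ovpn_ifconfig "$1")
    s=$(ovpn_ifconfig "$2")
    [ -n "$c" ] && [ -n "$s" ] &&
        [ "${c% *}" = "${s#* }" ] && [ "${c#* }" = "${s% *}" ]
}

# Fail (status 1) when extra routes come from a route-up script instead of a
# "route" or push "route" directive; otherwise succeed only if such a directive exists.
ovpn_check_route_directives() {
    if grep -E '^[[:space:]]*route-up([[:space:]]|$)' "$1" >/dev/null; then
        echo "$1: uses route-up; declare routes with 'route <net> <mask> [gw]' instead" >&2
        return 1
    fi
    grep -E '^[[:space:]]*(route[[:space:]]|push[[:space:]]+"route[[:space:]])' "$1" >/dev/null
}

# Count log lines where a shell/route command exited with status 77 (EX_NOPERM).
ovpn_count_noperm() {
    grep -c 'exited with error status: 77' "$1"
}

# --- constructed sample inputs ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# client side (the pfSense custom options, one directive per line)
cat > "$TMP/client.conf" <<'EOF'
dev tun
ifconfig 10.1.0.2 10.1.0.1
tls-client
user nobody
group nobody
persist-tun
persist-key
verb 3
EOF

# server side (Linux), trimmed to the lines the checks look at
cat > "$TMP/server.conf" <<'EOF'
dev tun
ifconfig 10.1.0.1 10.1.0.2
tls-server
push "route 192.168.66.0 255.255.255.0"
user nobody
group nogroup
EOF

# the mistake from earlier in the thread: a route-up script (hypothetical path)
cat > "$TMP/bad.conf" <<'EOF'
dev tun
ifconfig 10.1.0.2 10.1.0.1
route-up /etc/openvpn/addroutes.sh
user nobody
EOF

# log lines quoted at the top of the thread
cat > "$TMP/openvpn.log" <<'EOF'
Mar 23 03:40:04 openvpn[9162]: event_wait : Interrupted system call (code=4)
Mar 23 03:40:04 openvpn[9162]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Mar 23 03:40:04 openvpn[9162]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
Mar 23 03:40:04 openvpn[9162]: SIGTERM[hard,] received, process exiting
EOF

# --- run the checks ---
if ovpn_check_ifconfig_pair "$TMP/client.conf" "$TMP/server.conf"; then
    echo "ifconfig endpoints mirror each other"
fi
ovpn_check_route_directives "$TMP/server.conf" && echo "server.conf: routes declared with push \"route\""
ovpn_check_route_directives "$TMP/bad.conf" || echo "bad.conf: flagged"
echo "EX_NOPERM route failures in log: $(ovpn_count_noperm "$TMP/openvpn.log")"
```

Run it as-is to see the three checks against the constructed files, or point the functions at real configs and /var/log output; the exit-status-77 count is the quickest way to tell a privilege-drop problem apart from a plain routing mistake.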
That's great drakkan, I'm gonna try it out now. Tried it on Friday and the firewall hung. I needed to restore to factory defaults because the webconfigurator wasn't reachable through any of the interfaces.
Thanks again for your tests.
BTW: what version were you running? RC1a?