Setting up OpenVPN



  • Hi everyone

    As I have in mind to use pfsense on my server I tried to set up what I want at home in a vm.

    The plan is that I'll have an ESXi5 server with multiple vm's (linux, windows) but only one public IP. For this I want to have a router-vm (pfsense) which forwards the traffic to another vm where an nginx will do the reverse proxies. The other vm's will all have a private ip (10.0.0.2, 10.0.0.3, and so on).

    I created a vm with ESXi5 and installed pfsense on a vm in it with following settings:

    em0: WAN 192.168.1.20 / 24
    em1: LAN 10.0.0.1 / 8

    The second VM has the IP 10.0.0.2 and everything is working. I can administrate pfsense from the second vm and also browsing the net (NAT) is working.

    My network at home has following IP settings:
    router: 192.168.1.1
    subnet mask: 255.255.255.0

    This is what at the moment is working, but now I need a VPN so I could administrate the servers without vmware's vsphere client.

    For this I want to use OpenVPN. Because I'm not familiar with any vpn I followed the steps of this tutorial: http://blog.stefcho.eu/?p=492
    I created everything described in it, but with different IP's:
    Tunnel Network: 10.0.8.0/24
    Local Network: 10.0.0.0/8

    The wizard automatically created a WAN rule with UDP for port 1194.

    I used the client export which exports all the needed files (cert, key,…)

    If I now try to connect I get an error:

    ERROR:TLS error! See log for details

    Sun Oct 21 17:00:58 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Oct 21 17:00:58 2012 TLS Error: TLS handshake failed
    Sun Oct 21 17:00:58 2012 TCP/UDP: Closing socket
    Sun Oct 21 17:00:58 2012 SIGUSR1[soft,tls-error] received, process restarting
    Sun Oct 21 17:00:58 2012 Restart pause, 2 second(s)

    Timeout[Maybe your cetificates are not valid. Please check if it is revoked], restart pause will be ignored! Shuting down OpenVPN …

    Has anyone an idea what I am doing wrong?

    Thanks in advance :)


  • LAYER 8 Global Moderator

    Tunnel Network: 10.0.8.0/24
    Local Network: 10.0.0.0/8

    Your tunnel network is inside your local network - not going to work that way.  Why would you need a /8 as your local network??  Its a few Vms at most right, not 10's of thousands of IPs

    Also your pfsense wan is clearly behind a NAT already - why?

    I'm same setup as yours vs running 5.1 esxi since it came out recent.  Using pfsense as gateway/firewall for my vms as well as physical network.  I use openvpn to access my network from outside.

    My local network 192.168.1.0/24 - this is both physical and vms, 2 vswitches in esxi - one connected to interface 1 of esxi host which connects to my 1 of my lan physical switches - pfsense lan on this vswitch, other vms all on this vswitch.  Other is connected to interface 2 on esxi host which is connected to my cable modem and pfsense wan interface.  24.13.x.x address

    My tunnel network is 10.0.200.0/24 btw



  • Hi

    pfsense is behind a NAT because I'm testing it locally at home before deploying to the server ;-)

    I also just used the /8 for testing, could also be /24, but makes no difference, right?

    So what do I need as tunnel network? 192.168.1.20?
    You said my tunnel network is local, but your 10.0.200.0/24 is also local.


  • LAYER 8 Global Moderator

    Your tunnel network is INSIDE your local network.

    10.0.8.0/24 is PART of 10.0.0.0/8

    "So what do I need as tunnel network? 192.168.1.20?"

    What???  do you not understand network segments?  Do you understand what /24 or /8 is saying?  CIDR?



  • I'm still learning that stuff. This is not a big part of my education as software developer…
    But yeah, I know what /24 /8 is, but I'm not very familiar what that tunnel/local network stuff is.

    I know that I have to learn a bit more, but with a bit more help it would be easier ;-)

    The description of "local network" says "This is the network that will be accessible from the endpoint. ..." so I thought if I assign /8 then everything (my vm's) would be accessible.
    So If I make the local network to 10.0.200.0/24 it should work?



  • Ok, next try:

    tunnel network: 10.0.7.192/26
    local network: 10.0.8.192/26

    These are now 2 different networks not contained in each other.
    Am I still getting something wrong?


  • LAYER 8 Global Moderator

    What is your local network?  Mine is 192.168.1.0/24  What is yours??  Is it really 10.0.8.192/26 ??

    What are the IPs addresses of your vms?  What is the LAN IP / Network of pfsense?  Did you change it from

    LAN 10.0.0.1 / 8

    If not your tunnel still falls into it.



  • The local network at home is 192.168.1.0/24.
    The local network for the vm's is 10.0.0.1/8.

    I think it's getting clearer. You mean the local network in OpenVPN has to be the same like the lokal network for pfsense?

    So I would need to change the local networks to 10.0.1.0/24 and the tunnel to 10.0.200.0/24?



  • All your networks need to have different subnet address ranges (not overlapping). Even the remote network that the Road Warrior is connected to should have a different subnet,

    Home LAN subnet: 192.168.1.0/24
    Servers at home subnet: 10.0.1.0/24
    OpenVPN tunnel: 10.0.200.0/24

    That will work fine. Your router's server LAN address could be 10.0.1.1 and servers can then be 10.0.1.2, 10.0.1.3 etc.
    When the tunnel establishes, its ends will be given addresses like 10.0.200.1, 10.0.200.2 (maybe 10.0.200.5 and 10.0.200.6 will appear actually, OpenVPN will take care of allocating those itself as Road Warrior/s connect).

    If you also want to allow Road Warriors to connect to Home LAN in future, then you might find that a Road Warrior will often be on a WiFi net somewhere that already uses 192.168.1.0/24 (that is a popular default). You could change Home LAN to something less popular - 192.168.n.0/24 where n is a random number up to 255, or some 10.n.n.0/24 network.



  • Hi

    Thanks for helping, but this still doesn't work. I have now all networks configured like in your example.
    Here the screenshots:

    WAN:

    LAN:

    OpenVPN:

    Is this even correct configured in the tunnel settings?

    If I try to connect to pfsense (192.168.1.20), there's nothing visible in the status page of OpenVPN and the client aborts with the same error like in the first post.


  • LAYER 8 Global Moderator

    where are you trying to connect from?



  • I'm trying to connect from my PC 192.168.1.8.


  • LAYER 8 Global Moderator

    can you ping pfsense wan IP?  allow for it in wan rules on pfsense.

    Looks like you don't have connectivity even.  Sniff on pfsense wan – do you see the packets?



  • Yes, I can ping pfsense and also establish a connection with telnet when I changed to TCP (just for testing).

    I could get it running now with disabling "TLS Authentication" but still with a server certificate. Maybe something is wrong with the certificate…
    I also had to set the "Local Network" to 10.0.1.0/24 so I could access the VM's.


  • LAYER 8 Global Moderator

    did you run through the wizard - this should of walked through creating the certs.

    I sniff on pfsense to see if you see the udp packets - there might be something weird going on their with the vswitch?  Are you in promiscuous mode.



  • I created the certs but independent from the wizard. Maybe there went something wrong…
    I will try it the next few days again and notify about the result.


Log in to reply