Configuring VPN win7 clients with pfsense



  • Hi, I hope to find what I want here. Please, guys, that's important for me…

    I followed this guide http://www.apollon-domain.co.uk/?p=433

    but with Win7 clients this is what I got:

    Tue Jan 22 20:20:59 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011 
    Tue Jan 22 20:21:07 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
    Tue Jan 22 20:21:07 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
    Tue Jan 22 20:21:08 2013 Control Channel Authentication: using 'pfsense-udp-1195-user_vpn-tls.key' as a OpenVPN static key file 
    Tue Jan 22 20:21:08 2013 LZO compression initialized 
    Tue Jan 22 20:21:08 2013 UDPv4 link local (bound): [undef]:1194 
    Tue Jan 22 20:21:08 2013 UDPv4 link remote: 192.168.x.x:1195 
    Tue Jan 22 20:22:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
    Tue Jan 22 20:22:08 2013 TLS Error: TLS handshake failed 
    Tue Jan 22 20:22:08 2013 SIGUSR1[soft,tls-error] received, process restarting 
    Tue Jan 22 20:22:10 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
    Tue Jan 22 20:22:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
    Tue Jan 22 20:22:10 2013 Re-using SSL/TLS context 
    Tue Jan 22 20:22:10 2013 LZO compression initialized 
    Tue Jan 22 20:22:10 2013 UDPv4 link local (bound): [undef]:1194 
    Tue Jan 22 20:22:10 2013 UDPv4 link remote: 192.168.x.x:1195 
    Tue Jan 22 20:23:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
    Tue Jan 22 20:23:10 2013 TLS Error: TLS handshake failed 
    Tue Jan 22 20:23:10 2013 SIGUSR1[soft,tls-error] received, process restarting 
    Tue Jan 22 20:23:12 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
    Tue Jan 22 20:23:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
    Tue Jan 22 20:23:12 2013 Re-using SSL/TLS context 
    Tue Jan 22 20:23:12 2013 LZO compression initialized 
    Tue Jan 22 20:23:12 2013 UDPv4 link local (bound): [undef]:1194 
    Tue Jan 22 20:23:12 2013 UDPv4 link remote: 192.168.x.x:1195
    


  • This seems wrong:

    UDPv4 link remote: 192.168.x.x:1195
    

    I guess that your OpenVPN server is listening on port 1195.
    Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.



  • @phil.davis:

    This seems wrong:

    UDPv4 link remote: 192.168.x.x:1195
    

    I guess that your OpenVPN server is listening on port 1195.
    Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.

    Hi… I replaced it with my public IP but also no luck... this is what I got:

    Sat Jan 26 21:43:21 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
    Sat Jan 26 21:43:43 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Jan 26 21:43:43 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jan 26 21:43:44 2013 Control Channel Authentication: using 'pfsense-udp-1195-vpn-tls.key' as a OpenVPN static key file
    Sat Jan 26 21:43:44 2013 LZO compression initialized
    Sat Jan 26 21:43:44 2013 UDPv4 link local (bound): [undef]:1194
    Sat Jan 26 21:43:44 2013 UDPv4 link remote: 212.118.x.x:1195
    Sat Jan 26 21:44:44 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Jan 26 21:44:44 2013 TLS Error: TLS handshake failed
    Sat Jan 26 21:44:44 2013 SIGUSR1[soft,tls-error] received, process restarting
    Sat Jan 26 21:44:46 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Jan 26 21:44:46 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jan 26 21:44:46 2013 Re-using SSL/TLS context
    Sat Jan 26 21:44:46 2013 LZO compression initialized
    Sat Jan 26 21:44:46 2013 UDPv4 link local (bound): [undef]:1194
    Sat Jan 26 21:44:46 2013 UDPv4 link remote: 212.118.x.x:1195
    Sat Jan 26 21:45:46 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Jan 26 21:45:46 2013 TLS Error: TLS handshake failed
    Sat Jan 26 21:45:46 2013 SIGUSR1[soft,tls-error] received, process restarting
    Sat Jan 26 21:45:48 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Jan 26 21:45:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jan 26 21:45:48 2013 Re-using SSL/TLS context
    Sat Jan 26 21:45:48 2013 LZO compression initialized
    Sat Jan 26 21:45:48 2013 UDPv4 link local (bound): [undef]:1194
    Sat Jan 26 21:45:48 2013 UDPv4 link remote: 212.118.x.x:1195
    


  • Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?



  • Maybe your pfSense interface (WAN) that the OpenVPN server is listening on, is actually a private network behind an ISP modem/router (that is not in bridge mode). In that case, you need to have the front-end modem/router port forward port 1195 to your pfSense. Or perhaps you have your OpenVPN server listening on LAN, rather than WAN.
    It will be easier to help if you give an overview of your network setup, since, from the client config you gave, it seems that your OpenVPN server is ending up listening on a private IP address.
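As an added example (not from the thread, and not pfSense or OpenVPN code), the following Python script automates the triage phil.davis is doing by eye on the client log. It pulls the `link remote` endpoint out of an OpenVPN 2.x client log and flags the two things a practitioner checks first: a remote address in a range the Internet cannot route (RFC 1918, or the 100.64.0.0/10 carrier-grade NAT block), which means the exported config picked up an inside address and the server sits behind another NAT or listens on the wrong interface; and repeated `TLS key negotiation failed` messages with no `Peer Connection Initiated`, which means no handshake packet ever reached the server (unforwarded or blocked port). The sample log lines are constructed to resemble the ones quoted above; the addresses are private and documentation ranges, not the poster's.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ranges a client out on the Internet can never reach directly. Python's
# ip_address(...).is_private would also flag the 203.0.113.0/24 documentation
# range used in the sample below, so the check uses an explicit list instead.
NOT_INTERNET_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# OpenVPN 2.x client log line: "UDPv4 link remote: 192.168.2.5:1195"
REMOTE_RE = re.compile(r"link remote: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@dataclass
class Triage:
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    handshakes_failed: int = 0      # "TLS key negotiation failed" occurrences
    peer_initiated: bool = False    # "Peer Connection Initiated" seen
    completed: bool = False         # "Initialization Sequence Completed" seen
    findings: List[str] = field(default_factory=list)


def triage_client_log(text: str) -> Triage:
    """Scan an OpenVPN client log and return reachability findings."""
    t = Triage()
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            t.remote_ip, t.remote_port = m.group(1), int(m.group(2))
        if "TLS key negotiation failed" in line:
            t.handshakes_failed += 1
        if "Peer Connection Initiated" in line:
            t.peer_initiated = True
        if "Initialization Sequence Completed" in line:
            t.completed = True

    if t.remote_ip is not None:
        addr = ipaddress.ip_address(t.remote_ip)
        if any(addr in net for net in NOT_INTERNET_ROUTABLE):
            t.findings.append(
                f"remote {t.remote_ip} is a private/non-routable address: the server "
                "is listening on an inside interface or sits behind another NAT; "
                "use the public IP (or a dynamic DNS name) and forward the port")
    if t.handshakes_failed and not t.peer_initiated:
        t.findings.append(
            f"{t.handshakes_failed} handshake timeout(s) and no 'Peer Connection "
            f"Initiated': nothing reached the server on UDP/{t.remote_port}; check the "
            "upstream port forward, the WAN rule and the listening interface")
    return t


# Constructed sample logs (shortened; modelled on the lines quoted in the thread).
SAMPLE_LOG_DOUBLE_NAT = """\
Tue Jan 22 20:21:08 2013 UDPv4 link local (bound): [undef]:1194
Tue Jan 22 20:21:08 2013 UDPv4 link remote: 192.168.2.5:1195
Tue Jan 22 20:22:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 22 20:22:08 2013 TLS Error: TLS handshake failed
Tue Jan 22 20:22:08 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 22 20:22:10 2013 UDPv4 link remote: 192.168.2.5:1195
Tue Jan 22 20:23:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

SAMPLE_LOG_OK = """\
Sun Feb 17 20:45:17 2013 UDPv4 link remote: 203.0.113.10:1195
Sun Feb 17 20:45:20 2013 [internal-ca] Peer Connection Initiated with 203.0.113.10:1195
Sun Feb 17 20:45:28 2013 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, log in (("double-NAT", SAMPLE_LOG_DOUBLE_NAT), ("working", SAMPLE_LOG_OK)):
        t = triage_client_log(log)
        print(f"{name}: remote={t.remote_ip}:{t.remote_port} completed={t.completed}")
        for f in t.findings:
            print("  -", f)
```

Run it against a saved client log (or paste the log into the sample string) before touching the server: a private `remote` means the fix is on the modem/router or in the export settings, not in the certificates, and a handshake timeout with no `Peer Connection Initiated` rules out everything past the listening port.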



  • @bardelot:

    Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?

    Hi… I followed this guide: http://www.apollon-domain.co.uk/?p=433



  • Guys… I just want to mention a note:

    I have changed pfSense's port from 1195 to 1194; after that, as soon as I want to connect, immediately this message appears:

    failed to connect to your network
    

    or something like that.

    and when I go back to my settings I get what you know (that bad message).

    I think that will be useful.



  • It will be easier to help if you give an overview of your network setup

    Please tell us:
    What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?
    What is your WAN interface IP and network mask? (Put some xxx in part of it, if it is a public IP)
    Do you have a static or dynamic public IP address?
    What other interfaces do you have on your pfSense? (Maybe none)
    What interface is the OpenVPN server listening on?
    What sort of internet connection do you have? (e.g. cable modem in bridge mode, separate ADSL router not bridged, gets out via some other router,…)
    Then we can help sort out why the client cannot reach the server.



  • @phil.davis:

    It will be easier to help if you give an overview of your network setup

    Please tell us:
    What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?

    192.168.1.254/24

    What is your WAN interface IP and network mask?

    192.168.2.5 , network mask : 255.255.255.0

    Do you have a static or dynamic public IP address?

    Dynamic.

    What other interfaces do you have on your pfSense?

    192.168.5.5

    What interface is the OpenVPN server listening on?

    192.168.2.5

    What sort of internet connection do you have?

    DSL modem.



  • You need to
    a) get the client to be able to find your public IP
    b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
    For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Setup a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
    For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
    (If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

    Then make your OpenVPN client config specify the remote server using the dynamic DNS name.



  • @phil.davis:

    You need to
    a) get the client to be able to find your public IP
    b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
    For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Setup a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
    For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
    (If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

    Then make your OpenVPN client config specify the remote server using the dynamic DNS name.

    Hi… but why didn't my guide mention anything about what you said to me?

    Also, is there an alternative to dynamic DNS?

    thank you.



  • @Raafat:

    Hi… but why didn't my guide mention anything about what you said to me?

    Because you have a "Double NAT" (two devices doing NAT). This is not recommended.

    @Raafat:

    Also, is there an alternative to dynamic DNS?

    Getting a static IP from your provider.


  • LAYER 8 Global Moderator

    "Hi… but why didn't my guide mention anything about what you said to me?"

    Because the GUIDE assumes your pfsense WAN is on the public internet and not behind another router doing NAT.

    As already mentioned you could setup this device in front of pfsense that is giving it its 192.168.2.5 and port forward the port your using for openvpn.



  • Hi guys… assuming I have a static public IP, how will that change your guides?

    thank you.



  • Getting a static IP only fixes problem a) (dynamic IP) you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

    The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging which you have to do on your DSL modem.



  • @bardelot:

    Getting a static IP only fixes problem a) (dynamic IP) you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

    The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging which you have to do on your DSL modem.

    Hi… can I disable my modem's NAT?


  • LAYER 8 Global Moderator

    And which gateway do you have?  I wish the terms would be used correctly, a "modem" does not do NAT..  If it is a combo device of a modem and router (can do NAT) then it's a GATEWAY..  If it does not have a modem then it's just a router, etc.

    If you tell us what the model number of your "modem" is and who your carrier is then we can look up if you can put the device in bridge mode – turn off NAT..



  • @johnpoz:

    a "modem" does not do NAT..

    Hi… below is what I have:

    http://www.huaweidevice.com/br/productFeatures.do?pinfoId=660&directoryId=2663&treeId=663

    but the last version (it's a router).

    thank you.


  • LAYER 8 Global Moderator

    If it's a modem and a router then it's a gateway!

    What is the model number – the HG510?  I see an A model, a V model, just the 510...  If you're on the 520 there are even more model versions.  It's real hard -- look on the device!!!  What does it say for the model number?



  • @johnpoz:

    What does it say for the model number?

    HG655b


  • LAYER 8 Global Moderator

    Well that is sure not the last one on the URL you sent ;)

    Simple google found this
    Youtube Video

    and this
    https://luciancovaci.wordpress.com/2012/07/19/adsl-romtelecom-configurare-in-bridge/

    And from the manual
    Says to adjust the connection type to bridge in the drop down combo box..  So clearly it supports it - I would highly suggest you just contact your ISP and tell them you want to put it in bridge mode and they can walk you through the steps.



  • @johnpoz:

    Well that is sure not the last one on the URL you sent ;)

    Simple google found this
    Youtube Video

    and this
    https://luciancovaci.wordpress.com/2012/07/19/adsl-romtelecom-configurare-in-bridge/

    And from the manual
    Says to adjust the connection type to bridge in the drop down combo box..  So clearly it supports it - I would highly suggest you just contact your ISP and tell them you want to put it in bridge mode and they can walk you through the steps.

    thank you man

    now everything goes correctly, but how will I make a VPN client a part of my network, meaning it sees all people on my network?



  • Guys help me… this is the last step of our topic.

    I'm waiting for you.

    thank you.



  • I haven't been able to get OpenVPN using TAP to work either, as you can see from my post here http://forum.pfsense.org/index.php/topic,58724.0.html

    I have got TUN working though, I can ping the pfsense firewall, ping other devices on the network and can even remote access onto my Win7 desktop and SSH to my linux servers from inside the lan.

    It might pay to use TUN for now as I have seen some comments on this board that 2.0.x has some issues which might be affecting the TAP/Bridge mode, but these should be resolved when 2.1 is released. Alternatively you could try a beta of 2.1 if you fancy the risk.



  • Guys… I'm waiting for you.


  • LAYER 8 Global Moderator

    Waiting for what?

    So now your pfsense has a public IP on its WAN?  Then run through the OpenVPN wizard and you're done.. Not sure what else you think you need to do?

    What is not working now?



  • @johnpoz:

    Waiting for what?

    So now your pfsense has a public IP on its WAN?  Then run through the OpenVPN wizard and you're done.. Not sure what else you think you need to do?

    What is not working now?

    I'm waiting for this: I could see any device on my network (servers, printers, etc.).


  • LAYER 8 Global Moderator

    Yeah once you vpn in, depending on what firewall rules you put in place you can access anything you want on your network.  I vpn into my home network pretty much every day.  I am on now - yes I can print to my printer if I want, I can remote desktop to any box on my network, I can access my file shares, etc. etc. etc.

    D:\>net view \\storage.local.lan
    Shared resources at \\storage.local.lan

    My storage server

    Share name  Type  Used as  Comment

    -------------------------------------------------------------------------------
    J           Disk
    Media       Disk
    Molly       Disk
    temp        Disk
    The command completed successfully.

    That's my NAS on my home network, while I am here at work.



  • @johnpoz:

    Yeah once you vpn in, depending on what firewall rules you put in place you can access anything you want on your network.  I vpn into my home network pretty much every day.  I am on now - yes I can print to my printer if I want, I can remote desktop to any box on my network, I can access my file shares, etc. etc. etc.

    D:\>net view \\storage.local.lan
    Shared resources at \\storage.local.lan

    My storage server

    Share name  Type  Used as  Comment

    -------------------------------------------------------------------------------
    J           Disk
    Media       Disk
    Molly       Disk
    temp        Disk
    The command completed successfully.

    That's my NAS on my home network, while I am here at work.

    So tell me, what rules will I use?

    thank you.


  • LAYER 8 Global Moderator

    You wouldn't use any rules really unless you want to limit or block something - wizard should create the default rule

    IPv4 * * * * * * none   OpenVPN pfsense wizard

    The above is what I have in my openvpn tab



  • @johnpoz:

    You wouldn't use any rules really unless you want to limit or block something - wizard should create the default rule

    IPv4 * * * * * * none   OpenVPN pfsense wizard

    The above is what I have in my openvpn tab

    What subnet IP address are you using for the VPN clients?


  • LAYER 8 Global Moderator

    You can use whatever you want.. I use 2 different ones; for TCP or UDP connections I use

    NO TCP / 443 10.0.200.0/24 pfsense tcp
    NO UDP / 1194 10.0.8.0/24 pfsense udp

    Just use something that is unlikely to conflict with the network segment connecting to you.



  • @johnpoz:

    You can use whatever you want.. I use 2 different ones; for TCP or UDP connections I use

    NO TCP / 443 10.0.200.0/24 pfsense tcp
    NO UDP / 1194 10.0.8.0/24 pfsense udp

    Just use something that is unlikely to conflict with the network segment connecting to you.

    So why could I not see any device on my network? Also I can't ping any device except my pfSense.

    I have a rule like your rule on my WAN and LAN


  • LAYER 8 Global Moderator

    Are we to just guess your setup?  For all I know you have host firewalls blocking ping.  What does could not see mean?  Are you talking like a windows browse list - that's not going to happen over different segments and a NAT.  You could run a WINS server if you want to have browse lists across segments.

    For all we know you have 192.168.1.0/24 on your pfsense lan side and remote network is also 192.168.1.0/24 – are you sending your route, is the client getting the route?

    Post up your openvpn config, did you do a traceroute from the client that could not ping your pfsense box?  Is he sending the traffic down the tunnel?



  • @johnpoz:

    Are we to just guess your setup?  For all I know you have host firewalls blocking ping.  What does could not see mean?  Are you talking like a windows browse list - that's not going to happen over different segments and a NAT.  You could run a WINS server if you want to have browse lists across segments.

    For all we know you have 192.168.1.0/24 on your pfsense lan side and remote network is also 192.168.1.0/24 – are you sending your route, is the client getting the route?

    Post up your openvpn config, did you do a traceroute from the client that could not ping your pfsense box?  Is he sending the traffic down the tunnel?

    tunnel network: 192.168.10.0/24
    my LAN: 192.168.1.0/24

    after connecting to my network I got 192.168.10.6 (Windows told me that)

    after that I can ping only the pfSense box

    tell me exactly what you are looking for in the OpenVPN config, because there are many fields in the VPN config.

    Also, about "I couldn't see any device", I mean at least I ping them (my devices: printer, computers, servers)
    and sharing files.

    I hope what I told you is helpful.

    thank you.


  • LAYER 8 Global Moderator

    And where are you connecting from?  What is that network?

    Post up output of route print after you connect.

    Do a traceroute to the IP your trying to ping.

    So what if there are multiple fields, here attached is mine.. And then the client config from client export.  Just snipped out part of public IP for privacy.

    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote 24.13.xx.xx 443 tcp
    tls-remote pfsense-openvpn
    pkcs12 pfsense-TCP-443-johnpoz.p12
    tls-auth pfsense-TCP-443-johnpoz-tls.key 1
    ns-cert-type server
    comp-lzo




  • @johnpoz:

    And where are you connecting from?  What is that network?

    Post up output of route print after you connect.

    Do a traceroute to the IP your trying to ping.

    So what if there are multiple fields, here attached is mine.. And then the client config from client export.  Just snipped out part of public IP for privacy.

    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote 24.13.xx.xx 443 tcp
    tls-remote pfsense-openvpn
    pkcs12 pfsense-TCP-443-johnpoz.p12
    tls-auth pfsense-TCP-443-johnpoz-tls.key 1
    ns-cert-type server
    comp-lzo




    after connecting to my pfSense this is what I got:

    
    Sun Feb 17 20:45:14 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
    Sun Feb 17 20:45:17 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sun Feb 17 20:45:17 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun Feb 17 20:45:17 2013 Control Channel Authentication: using 'pfsense-udp-1195-internal-ca-tls.key' as a OpenVPN static key file
    Sun Feb 17 20:45:17 2013 LZO compression initialized
    Sun Feb 17 20:45:17 2013 UDPv4 link local (bound): [undef]:1194
    Sun Feb 17 20:45:17 2013 UDPv4 link remote: 37.xxx.xxx.xxx:1195
    Sun Feb 17 20:45:17 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun Feb 17 20:45:20 2013 [internal-ca] Peer Connection Initiated with 37.xxx.xxx.xxx:1195
    Sun Feb 17 20:45:23 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{BFEE7338-93E9-47C0-8501-430F8AC797C1}.tap
    Sun Feb 17 20:45:23 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {BFEE7338-93E9-47C0-8501-430F8AC797C1} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Sun Feb 17 20:45:23 2013 Successful ARP Flush on interface [23] {BFEE7338-93E9-47C0-8501-430F8AC797C1}
    Sun Feb 17 20:45:28 2013 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
    Sun Feb 17 20:45:28 2013 Initialization Sequence Completed
    
    

    after pinging 192.168.1.1:

    Request timed out.
    

    Also:

    Tracing route to 192.168.1.1 over a maximum of 30 hops
    
      1    55 ms    55 ms    53 ms  192.168.200.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *
    
    

    thank you.



  • Also:

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote 37.xxx.xxx.xxx 1195
    tls-remote internal-ca
    auth-user-pass
    pkcs12 pfsense-udp-1195-internal-ca.p12
    tls-auth pfsense-udp-1195-internal-ca-tls.key 1
    comp-lzo
    
    

  • LAYER 8 Global Moderator

    And what part do you not understand about this???

    WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

    Your networks on both sides are the SAME!!!!  NOT going to work!!

    You have

    192.168.1.0/24 --- tunnel --- 192.168.1.0/24

    Does not work like that..  Even if the client that is directly connected to the tunnel sends his traffic down the tunnel, and a client on the VPN side sees the traffic - it's going to be from a 192.168.1.0 address, never going to send it back to pfSense because that is the VPN box's LOCAL network, no need to talk to pfSense.

    You need this

    192.168.A.0/24 --- tunnel --- 192.168.B.0/24

    You can not have the same network on both sides of a tunnel and expect it to work without doing some fancy NATing of the connection..  If your remote network is 192.168.1.0, make your local network 192.168.72.0/24 or something - that is unlikely to be used anywhere that would be remote into your network.
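To make the overlap condition johnpoz describes mechanical, here is an added Python example (not from the thread, and not pfSense or OpenVPN code). It parses the `potential route subnet conflict` warning the Windows client printed above, and checks an addressing plan (the road warrior's local LAN, the tunnel network, the LAN behind pfSense) for any pair of networks that share addresses, which is the condition that makes the pushed route ambiguous. The plans are constructed from the numbers given in the thread (192.168.1.0/24 on both sides, tunnel 192.168.10.0/24) and from the suggested fix of renumbering the client side to 192.168.72.0/24.

```python
import ipaddress
import re
from itertools import combinations
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# OpenVPN prints the conflict in "network/netmask" form, e.g.
#   WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0]
#   and remote VPN [192.168.1.0/255.255.255.0]
CONFLICT_RE = re.compile(
    r"potential route subnet conflict between local LAN \[([\d.]+)/([\d.]+)\]"
    r" and remote VPN \[([\d.]+)/([\d.]+)\]"
)


def parse_conflict_warning(line: str) -> Optional[Tuple[IPNet, IPNet]]:
    """Return (local_lan, remote_vpn) from an OpenVPN conflict warning, or None."""
    m = CONFLICT_RE.search(line)
    if m is None:
        return None
    local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote


def overlapping_pairs(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of named networks in the plan that share at least one address.

    Any overlap is a problem, not only an exact duplicate: a /16 at the client
    site that contains the office /24 swallows the pushed route just the same.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def is_routable_plan(plan: Dict[str, str]) -> bool:
    """True when no two networks in the plan overlap."""
    return not overlapping_pairs(plan)


# Constructed inputs modelled on the thread's numbers (assumed, not the poster's config).
WARNING_LINE = ("Sun Feb 17 20:45:28 2013 WARNING: potential route subnet conflict between "
                "local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]")

BROKEN_PLAN = {
    "client_lan":  "192.168.1.0/24",    # network the road warrior sits on
    "tunnel":      "192.168.10.0/24",   # OpenVPN tunnel network
    "pfsense_lan": "192.168.1.0/24",    # network behind pfSense that is pushed to the client
}

# johnpoz's suggestion: renumber the client side to something unlikely to collide
FIXED_PLAN = dict(BROKEN_PLAN, client_lan="192.168.72.0/24")

if __name__ == "__main__":
    print("warning parsed as:", parse_conflict_warning(WARNING_LINE))
    for label, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        print(label, "overlaps:", overlapping_pairs(plan) or "none")
```

Feed it the three networks before exporting a client config; if `overlapping_pairs` is non-empty, no firewall rule on the OpenVPN tab will help, because the packets are never routed into the tunnel in the first place.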


  • LAYER 8 Global Moderator

    Hmm, also, is your pfSense box the default gateway for clients on the VPN side?  If so then a road warrior that uses the tunnel IP as its source should be able to talk to clients on the VPN side even with a dupe IP.

    Site to site would be a major issue! But if the box on the VPN side is not using pfSense as default gateway - then again you're not going to be able to talk..

    So I notice you point DNS to 192.168.1.1, but in your address bar you access pfSense at 192.168.1.254..  So this box you're trying to talk to at 192.168.1.1 in your traceroute - is his default gateway off 192.168.1.0/24 the pfSense box at 192.168.1.254?

    What is this 192.168.1.1 box?  What is his default gateway?

