Configuring VPN win7 clients with pfsense

LeCygne

Hi, i hope to find what i want here please guys that's important for me…

i followed this guide http://www.apollon-domain.co.uk/?p=433

but with win7 clients this what i got :

Tue Jan 22 20:20:59 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011 
Tue Jan 22 20:21:07 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
Tue Jan 22 20:21:07 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
Tue Jan 22 20:21:08 2013 Control Channel Authentication: using 'pfsense-udp-1195-user_vpn-tls.key' as a OpenVPN static key file 
Tue Jan 22 20:21:08 2013 LZO compression initialized 
Tue Jan 22 20:21:08 2013 UDPv4 link local (bound): [undef]:1194 
Tue Jan 22 20:21:08 2013 UDPv4 link remote: 192.168.x.x:1195 
Tue Jan 22 20:22:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
Tue Jan 22 20:22:08 2013 TLS Error: TLS handshake failed 
Tue Jan 22 20:22:08 2013 SIGUSR1[soft,tls-error] received, process restarting 
Tue Jan 22 20:22:10 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
Tue Jan 22 20:22:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
Tue Jan 22 20:22:10 2013 Re-using SSL/TLS context 
Tue Jan 22 20:22:10 2013 LZO compression initialized 
Tue Jan 22 20:22:10 2013 UDPv4 link local (bound): [undef]:1194 
Tue Jan 22 20:22:10 2013 UDPv4 link remote: 192.168.x.x:1195 
Tue Jan 22 20:23:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
Tue Jan 22 20:23:10 2013 TLS Error: TLS handshake failed 
Tue Jan 22 20:23:10 2013 SIGUSR1[soft,tls-error] received, process restarting 
Tue Jan 22 20:23:12 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
Tue Jan 22 20:23:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
Tue Jan 22 20:23:12 2013 Re-using SSL/TLS context 
Tue Jan 22 20:23:12 2013 LZO compression initialized 
Tue Jan 22 20:23:12 2013 UDPv4 link local (bound): [undef]:1194 
Tue Jan 22 20:23:12 2013 UDPv4 link remote: 192.168.x.x:1195

phil.davis

This seems wrong:

UDPv4 link remote: 192.168.x.x:1195

I guess that your OpenVPN server is listening on port 1195.
Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.

LeCygne

@phil.davis:

This seems wrong:

UDPv4 link remote: 192.168.x.x:1195

I guess that your OpenVPN server is listening on port 1195.
Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.

Hi…i replace with my public ip but also no luck...this what i got :

Sat Jan 26 21:43:21 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Sat Jan 26 21:43:43 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat Jan 26 21:43:43 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 26 21:43:44 2013 Control Channel Authentication: using 'pfsense-udp-1195-vpn-tls.key' as a OpenVPN static key file
Sat Jan 26 21:43:44 2013 LZO compression initialized
Sat Jan 26 21:43:44 2013 UDPv4 link local (bound): [undef]:1194
Sat Jan 26 21:43:44 2013 UDPv4 link remote: 212.118.x.x:1195
Sat Jan 26 21:44:44 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 26 21:44:44 2013 TLS Error: TLS handshake failed
Sat Jan 26 21:44:44 2013 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 26 21:44:46 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat Jan 26 21:44:46 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 26 21:44:46 2013 Re-using SSL/TLS context
Sat Jan 26 21:44:46 2013 LZO compression initialized
Sat Jan 26 21:44:46 2013 UDPv4 link local (bound): [undef]:1194
Sat Jan 26 21:44:46 2013 UDPv4 link remote: 212.118.x.x:1195
Sat Jan 26 21:45:46 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 26 21:45:46 2013 TLS Error: TLS handshake failed
Sat Jan 26 21:45:46 2013 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 26 21:45:48 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat Jan 26 21:45:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 26 21:45:48 2013 Re-using SSL/TLS context
Sat Jan 26 21:45:48 2013 LZO compression initialized
Sat Jan 26 21:45:48 2013 UDPv4 link local (bound): [undef]:1194
Sat Jan 26 21:45:48 2013 UDPv4 link remote: 212.118.x.x:1195

bardelot

Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?

phil.davis

Maybe your pfSense interface (WAN) that the OpenVPN server is listening on, is actually a private network behind an ISP modem/router (that is not in bridge mode). In that case, you need to have the front-end modem/router port forward port 1195 to your pfSense. Or perhaps you have your OpenVPN server listening on LAN, rather than WAN.
It will be easier to help if you give an overview of your network setup, since, from the client config you gave, it seems that your OpenVPN server is ending up listening on a private IP address.

LeCygne

@bardelot:

Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?

Hi…i followed this guide : http://www.apollon-domain.co.uk/?p=433

LeCygne

Guys…just i want to mention a note:

i have changed pfsense' port from 1195 to 1194 after that just i want to connect  Immediately this message appears :

failed to connect to your network

or something like that .

and when i go back to my settings what i got you know (that bad message) .

i think that will be useful .

phil.davis

It will be easier to help if you give an overview of your network setup

Please tell us:
What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?
What is your WAN interface IP and network mask? (Put some xxx in part of it, if it is a public IP)
Do you have a static or dynamic public IP address?
What other interfaces do you have on you have on your pfSense? (Maybe none)
What interface is the OpenVPN server listening on?
What sort of internet connection do you have? (e.g. cable modem in bridge mode, separate ADSL router not bridged, gets out via some other router,…)
Then we can help sort out why the client cannot reach the server.

LeCygne

@phil.davis:

It will be easier to help if you give an overview of your network setup

Please tell us:
What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?

192.168.1.254/24

What is your WAN interface IP and network mask?

192.168.2.5 , network mask : 255.255.255.0

Do you have a static or dynamic public IP address?

Dynamic .

What other interfaces do you have on you have on your pfSense?

192.168.5.5

What interface is the OpenVPN server listening on?

192.168.2.5

What sort of internet connection do you have?

DSL modem .

phil.davis

You need to
a) get the client to be able to find your public IP
b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Setup a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
(If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

Then make your OpenVPN client config specify the remote server using the dynamic DNS name.

LeCygne

@phil.davis:

You need to
a) get the client to be able to find your public IP
b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Setup a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
(If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

Then make your OpenVPN client config specify the remote server using the dynamic DNS name.

Hi…but why my guide did't mention any thing about what you said to me ?

Also is there a alternative for dynamic DNS ?

thank you .

bardelot

@Raafat:

Hi…but why my guide did't mention any thing about what you said to me ?

Because you have a "Double NAT" (two devices doing NAT). This is not recommended.

@Raafat:

Also is there a alternative for dynamic DNS ?

Getting a static IP from your provider.

johnpoz

"Hi…but why my guide did't mention any thing about what you said to me ?"

Because the GUIDE assumes your pfsense WAN is on the public internet and not behind another router doing NAT.

As already mentioned you could setup this device in front of pfsense that is giving it its 192.168.2.5 and port forward the port your using for openvpn.

LeCygne

Hi guys…assuming i have a static public ip how will they change your guides .

thank you .

bardelot

Getting a static IP only fixes problem a) (dynamic IP) you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging which you have to do on your DSL modem.

LeCygne

@bardelot:

Getting a static IP only fixes problem a) (dynamic IP) you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging which you have to do on your DSL modem.

Hi…can i disable my modem' NAT ?

johnpoz

And which gateway do you have?  I wish the terms would be used correctly, a "modem" does not do NAT..  If it a combo device of a modem and router (can do nat) then its a GATEWAY..  If does not have a modem then its just a router, etc.

If you tell use what is the model number of your "modem" and who your carrier is then we can look up if you can put the device in bridge mode – turn off nat..

LeCygne

@johnpoz:

a "modem" does not do NAT..

Hi…below what i have :

http://www.huaweidevice.com/br/productFeatures.do?pinfoId=660&directoryId=2663&treeId=663

but the last version (it's a router ).

thank you .

johnpoz

If its a modem and a router then its a gatway!

What is the model number – the HG510?  I show an a model, a v model, just the 510...  If your on the 520 there there even more model versions.  Its real hard -- look on the device!!!  What does it say for the model number?

LeCygne

@johnpoz:

What does it say for the model number?

HG655b