Netgate Discussion Forum
    Configuring VPN win7 clients with pfsense

Category: OpenVPN
61 Posts 5 Posters 18.8k Views
• LeCygne

Hi, I hope to find what I want here. Please, guys, it's important for me…

I followed this guide http://www.apollon-domain.co.uk/?p=433

but with Win7 clients this is what I got:

      Tue Jan 22 20:20:59 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011 
      Tue Jan 22 20:21:07 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
      Tue Jan 22 20:21:07 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
      Tue Jan 22 20:21:08 2013 Control Channel Authentication: using 'pfsense-udp-1195-user_vpn-tls.key' as a OpenVPN static key file 
      Tue Jan 22 20:21:08 2013 LZO compression initialized 
      Tue Jan 22 20:21:08 2013 UDPv4 link local (bound): [undef]:1194 
      Tue Jan 22 20:21:08 2013 UDPv4 link remote: 192.168.x.x:1195 
      Tue Jan 22 20:22:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
      Tue Jan 22 20:22:08 2013 TLS Error: TLS handshake failed 
      Tue Jan 22 20:22:08 2013 SIGUSR1[soft,tls-error] received, process restarting 
      Tue Jan 22 20:22:10 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
      Tue Jan 22 20:22:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
      Tue Jan 22 20:22:10 2013 Re-using SSL/TLS context 
      Tue Jan 22 20:22:10 2013 LZO compression initialized 
      Tue Jan 22 20:22:10 2013 UDPv4 link local (bound): [undef]:1194 
      Tue Jan 22 20:22:10 2013 UDPv4 link remote: 192.168.x.x:1195 
      Tue Jan 22 20:23:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
      Tue Jan 22 20:23:10 2013 TLS Error: TLS handshake failed 
      Tue Jan 22 20:23:10 2013 SIGUSR1[soft,tls-error] received, process restarting 
      Tue Jan 22 20:23:12 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 
      Tue Jan 22 20:23:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
      Tue Jan 22 20:23:12 2013 Re-using SSL/TLS context 
      Tue Jan 22 20:23:12 2013 LZO compression initialized 
      Tue Jan 22 20:23:12 2013 UDPv4 link local (bound): [undef]:1194 
      Tue Jan 22 20:23:12 2013 UDPv4 link remote: 192.168.x.x:1195
      
• phil.davis

        This seems wrong:

        UDPv4 link remote: 192.168.x.x:1195
        

        I guess that your OpenVPN server is listening on port 1195.
        Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

• LeCygne

          @phil.davis:

          This seems wrong:

          UDPv4 link remote: 192.168.x.x:1195
          

          I guess that your OpenVPN server is listening on port 1195.
          Assuming you are doing this on the real internet (not just in a test lab environment), the remote should be the public ip address of your pfSense where the OpenVPN server is listening.

Hi… I replaced it with my public IP but still no luck. This is what I got:

          Sat Jan 26 21:43:21 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
          Sat Jan 26 21:43:43 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
          Sat Jan 26 21:43:43 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Sat Jan 26 21:43:44 2013 Control Channel Authentication: using 'pfsense-udp-1195-vpn-tls.key' as a OpenVPN static key file
          Sat Jan 26 21:43:44 2013 LZO compression initialized
          Sat Jan 26 21:43:44 2013 UDPv4 link local (bound): [undef]:1194
          Sat Jan 26 21:43:44 2013 UDPv4 link remote: 212.118.x.x:1195
          Sat Jan 26 21:44:44 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Sat Jan 26 21:44:44 2013 TLS Error: TLS handshake failed
          Sat Jan 26 21:44:44 2013 SIGUSR1[soft,tls-error] received, process restarting
          Sat Jan 26 21:44:46 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
          Sat Jan 26 21:44:46 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Sat Jan 26 21:44:46 2013 Re-using SSL/TLS context
          Sat Jan 26 21:44:46 2013 LZO compression initialized
          Sat Jan 26 21:44:46 2013 UDPv4 link local (bound): [undef]:1194
          Sat Jan 26 21:44:46 2013 UDPv4 link remote: 212.118.x.x:1195
          Sat Jan 26 21:45:46 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Sat Jan 26 21:45:46 2013 TLS Error: TLS handshake failed
          Sat Jan 26 21:45:46 2013 SIGUSR1[soft,tls-error] received, process restarting
          Sat Jan 26 21:45:48 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
          Sat Jan 26 21:45:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Sat Jan 26 21:45:48 2013 Re-using SSL/TLS context
          Sat Jan 26 21:45:48 2013 LZO compression initialized
          Sat Jan 26 21:45:48 2013 UDPv4 link local (bound): [undef]:1194
          Sat Jan 26 21:45:48 2013 UDPv4 link remote: 212.118.x.x:1195
          
• bardelot

            Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?

• phil.davis

              Maybe your pfSense interface (WAN) that the OpenVPN server is listening on, is actually a private network behind an ISP modem/router (that is not in bridge mode). In that case, you need to have the front-end modem/router port forward port 1195 to your pfSense. Or perhaps you have your OpenVPN server listening on LAN, rather than WAN.
              It will be easier to help if you give an overview of your network setup, since, from the client config you gave, it seems that your OpenVPN server is ending up listening on a private IP address.

• LeCygne

                @bardelot:

                Are you using the "OpenVPN client export" package? If you are, the remote IP should be determined from the listening interface. Is your OpenVPN server listening on the correct interface?

Hi… I followed this guide: http://www.apollon-domain.co.uk/?p=433

• LeCygne

Guys… I just want to mention a note:

I have changed pfSense's port from 1195 to 1194; after that, as soon as I try to connect, this message appears immediately:

failed to connect to your network

or something like that.

And when I go back to my settings, I get what you know (that bad message).

I think that will be useful.

• phil.davis

                    It will be easier to help if you give an overview of your network setup

                    Please tell us:
                    What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?
                    What is your WAN interface IP and network mask? (Put some xxx in part of it, if it is a public IP)
                    Do you have a static or dynamic public IP address?
What other interfaces do you have on your pfSense? (Maybe none)
                    What interface is the OpenVPN server listening on?
                    What sort of internet connection do you have? (e.g. cable modem in bridge mode, separate ADSL router not bridged, gets out via some other router,…)
                    Then we can help sort out why the client cannot reach the server.

• LeCygne

                      @phil.davis:

                      It will be easier to help if you give an overview of your network setup

                      Please tell us:
                      What is your LAN interface IP and network mask (e.g. 192.168.1.1/24)?

                      192.168.1.254/24

What is your WAN interface IP and network mask?

192.168.2.5, network mask: 255.255.255.0

Do you have a static or dynamic public IP address?

Dynamic.

What other interfaces do you have on your pfSense?

192.168.5.5

What interface is the OpenVPN server listening on?

192.168.2.5

What sort of internet connection do you have?

DSL modem.

• phil.davis

                        You need to
                        a) get the client to be able to find your public IP
                        b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Set up a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
                        For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
                        (If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

                        Then make your OpenVPN client config specify the remote server using the dynamic DNS name.

• LeCygne
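The two diagnoses made in this thread (first a client pointed at an RFC1918 remote, then a public remote that still times out because the front-end router does not forward the port) can be checked mechanically from the client log and the client config. The script below is an added example, not code from the thread, from pfSense or from OpenVPN. The sample log lines and the config fragment are constructed: `192.168.2.5` is the poster's WAN IP, `203.0.113.10` (a documentation address) stands in for the masked public IP, and `mysite.dyndns-ip.com` is the placeholder name from phil.davis's post.

```python
"""Check an OpenVPN 2.x client log and config for the NAT-related failure
pattern discussed in the thread: a 'remote' that is an RFC1918 address, or a
public remote whose TLS handshakes never complete (missing port forward).
Added example; not part of the thread, pfSense or OpenVPN."""
import ipaddress
import re
from collections import Counter

# RFC1918 ranges: a remote inside one of these is only reachable from that LAN,
# never from the public internet (the first log in the thread had 192.168.x.x).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Patterns for the client log lines quoted in the thread.
REMOTE_RE = re.compile(r"UDPv4 link remote: ([^:\s]+):(\d+)")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")


def is_rfc1918(host):
    """True/False for an IP literal; None for a hostname (e.g. a dynamic DNS name)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)


def parse_client_remote(config_text):
    """Return (host, port) from the first 'remote' directive of a client .ovpn, or None.
    OpenVPN defaults the port to 1194 when it is omitted."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else 1194
            return parts[1], port
    return None


def diagnose(log_lines, config_text=None):
    """Summarise handshake failures and classify every remote the client tried."""
    remotes = Counter()
    timeouts = handshake_failures = 0
    for line in log_lines:
        m = REMOTE_RE.search(line)
        if m:
            remotes[(m.group(1), int(m.group(2)))] += 1
        if TLS_TIMEOUT_RE.search(line):
            timeouts += 1
        if "TLS handshake failed" in line:
            handshake_failures += 1

    targets = set(remotes)
    if config_text:
        cfg = parse_client_remote(config_text)
        if cfg:
            targets.add(cfg)

    findings = []
    for host, port in sorted(targets):
        private = is_rfc1918(host)
        if private:
            findings.append(f"remote {host}:{port} is an RFC1918 address: "
                            "the client is pointed at a NATed interface, not a public IP")
        elif private is None:
            findings.append(f"remote {host}:{port} is a hostname: confirm the dynamic DNS "
                            "entry resolves to the current public IP")
    # Timeouts against a non-RFC1918 endpoint point at the path in front of pfSense.
    if timeouts and not any("RFC1918" in f for f in findings):
        ports = ", ".join(str(p) for _, p in sorted(targets))
        findings.append(f"{timeouts} TLS handshake timeout(s) against a non-RFC1918 endpoint: "
                        f"check that the front-end router forwards UDP port(s) {ports} to the "
                        "pfSense WAN IP and that the WAN firewall rule allows it")
    return {"remotes": dict(remotes), "tls_timeouts": timeouts,
            "handshake_failures": handshake_failures, "findings": findings}


# Constructed sample log in the shape of the thread's log (two failed attempts),
# with the masked 192.168.x.x replaced by the poster's WAN IP.
SAMPLE_LOG_PRIVATE = """\
Tue Jan 22 20:21:08 2013 UDPv4 link local (bound): [undef]:1194
Tue Jan 22 20:21:08 2013 UDPv4 link remote: 192.168.2.5:1195
Tue Jan 22 20:22:08 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 22 20:22:08 2013 TLS Error: TLS handshake failed
Tue Jan 22 20:22:08 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 22 20:22:10 2013 UDPv4 link remote: 192.168.2.5:1195
Tue Jan 22 20:23:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 22 20:23:10 2013 TLS Error: TLS handshake failed
""".splitlines()

# Constructed: the same attempts against a public address (203.0.113.10 is a
# documentation address standing in for the masked 212.118.x.x).
SAMPLE_LOG_PUBLIC = [line.replace("192.168.2.5", "203.0.113.10") for line in SAMPLE_LOG_PRIVATE]

# Constructed client config fragment using the dynamic DNS name from the thread.
SAMPLE_CONFIG = "client\ndev tun\nproto udp\nremote mysite.dyndns-ip.com 1195\n"

if __name__ == "__main__":
    for name, log in (("private remote", SAMPLE_LOG_PRIVATE), ("public remote", SAMPLE_LOG_PUBLIC)):
        result = diagnose(log, SAMPLE_CONFIG)
        print(f"{name}: {result['tls_timeouts']} timeout(s)")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a real client log (the lines the Windows GUI shows) and the exported .ovpn; a hostname remote is reported but not resolved, since the check is meant to run offline and the DDNS lookup belongs to the client itself.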

                          @phil.davis:

                          You need to
                          a) get the client to be able to find your public IP
                          b) have the client connect requests on the public IP forwarded to your pfSense WAN IP.
For (a) - register at one of the dynamic DNS providers, so you have a name (like mysite.dyndns-ip.com) that can always translate to your IP. Set up a Dynamic DNS entry in your pfSense so that the name gets kept up-to-date with your IP. Normally pfSense only checks/updates this once a day. You can adjust that daily job with the Cron package - http://forum.pfsense.org/index.php/topic,58085.msg310861.html#msg310861
                          For (b) - configure your DSL modem to forward your VPN listening port numbers (1194, 1195 whatever) to your WAN IP 192.168.2.5
                          (If you can't do this on the modem, then you will need to sort out how to put it in bridge mode, and get the real public IP onto your pfSense WAN port…)

                          Then make your OpenVPN client config specify the remote server using the dynamic DNS name.

Hi… but why didn't my guide mention anything about what you said to me?

Also, is there an alternative to dynamic DNS?

Thank you.

• bardelot

@Raafat:

Hi… but why didn't my guide mention anything about what you said to me?

Because you have a "Double NAT" (two devices doing NAT). This is not recommended.

@Raafat:

Also, is there an alternative to dynamic DNS?

Getting a static IP from your provider.

• johnpoz (LAYER 8 Global Moderator)

"Hi… but why didn't my guide mention anything about what you said to me?"

Because the GUIDE assumes your pfSense WAN is on the public internet and not behind another router doing NAT.

As already mentioned, you could set up the device in front of pfSense (the one giving it its 192.168.2.5) to port forward the port you're using for OpenVPN.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

• LeCygne

Hi guys… assuming I have a static public IP, how will that change your guides?

Thank you.

• bardelot

Getting a static IP only fixes problem a) (dynamic IP); you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging, which you have to do on your DSL modem.

• LeCygne

@bardelot:

Getting a static IP only fixes problem a) (dynamic IP); you'd still have to do what phil.davis has posted above for problem b) (Double NAT).

The dynamic IP part is even described in the guide you used. So you're only left with either port forwarding or bridging, which you have to do on your DSL modem.

Hi… can I disable my modem's NAT?

• johnpoz (LAYER 8 Global Moderator)

And which gateway do you have? I wish the terms would be used correctly; a "modem" does not do NAT.. If it's a combo device of a modem and router (can do NAT) then it's a GATEWAY.. If it does not have a modem then it's just a router, etc.

If you tell us the model number of your "modem" and who your carrier is, then we can look up whether you can put the device in bridge mode – turn off NAT..

• LeCygne

                                        @johnpoz:

                                        a "modem" does not do NAT..

Hi… below is what I have:

http://www.huaweidevice.com/br/productFeatures.do?pinfoId=660&directoryId=2663&treeId=663

but the latest version (it's a router).

Thank you.

• johnpoz (LAYER 8 Global Moderator)

If it's a modem and a router then it's a gateway!

What is the model number – the HG510? I see an "a" model, a "v" model, just the 510... If you're on the 520 there are even more model versions. It's real hard -- look on the device!!! What does it say for the model number?

• LeCygne

                                            @johnpoz:

                                            What does it say for the model number?

                                            HG655b

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.