How to create an OpenVPN client to BTguard



  • Hi All,

    Here is a short tutorial for getting BTguard to work as an OpenVPN client under pfSense.

    **Credit for most of this goes to rwijbenga and his post:**
    http://forum.pfsense.org/index.php/topic,35292.0.html

    **And ericab and his post:**
    http://forum.pfsense.org/index.php/topic,29944.0.html

    First you need to download a configuration file from:

    https://btguard.com/vpn_openvpn_linux.php

    You will need the btguard.ca.crt file.

    Open the: "btguard.ca.crt" file, and copy the contents to your clipboard.

    Open your pfSense interface and navigate to: System, Cert Manager.

    Add a new CA cert, and paste the contents of your clipboard there.

    Because BTguard needs a user name and password, we have to create them for use with pfSense.

    Navigate to diagnostics, edit file.

    Paste the following line into the "Save / Load from path:" form

    /cf/conf/Btgd.pas

    Then in the box below, first type in your BTguard user name. And one line under it your password. So you have 2 lines now.

    USERNAME
    PASSWORD

    Press save!

    Navigate to: VPN, OpenVPN, client.

    Create a new client.

    Put in all the info like in the pictures below, change the server name for the server you are going to use from BTguard.


    The client certificate is not used, so you can select the default info there.

    And put this in the advanced field:

    verb 3
    mute 3
    auth-user-pass /cf/conf/Btgd.pas
    mute-replay-warnings
    float
    reneg-sec 0

    Press save, and the client should connect to BTguard.

    navigate to the system drop-down menus Status ---> System Logs, and click on the OpenVPN tab.
    if the last thing you see in this log is "Initialization Sequence Completed" you are connected to BTguard; but you are not done yet, as none of your traffic is traversing this line.

    Navigate to the system drop-down menus Interfaces ----> (assign)

    click the plus button.

    after clicking on the plus button pfSense will tell you it has successfully added a new interface. the network port name will most likely be named "ovpnc1". ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc... depends if you have other ovpn interfaces or not)

    navigate to the system drop-down menus Interfaces ---> OPT1 (or whatever your new interface from the previous step is)
    Enable the interface.
    Enter a Description --> "BTguardVPN"
    "Type" ---> none
    leave everything else alone
    click Save.

    navigate to the system drop-down menus System ---> Routing

    click the plus button:

    ensure the Interface selected is the new one we have just assigned to the vpn client; should be "OPT1"
    Enter the gateway name.
    for "Gateway", enter "dynamic"
    do NOT click "Default gateway"
    for monitor IP, enter 208.67.222.222 (or whatever will respond to ICMP) (208.67.222.222 is OpenDNS, fyi)
    leave "Advanced" alone
    enter a description for "Description"
    click save

    navigate to the system dropdown menus Firewall ---> Rules
    click on the LAN tab.

    create a new rule that looks like this:

    Action: PASS

    Interface: LAN
    Protocol: ANY
    Source: LAN Subnet
    Destination: ANY

    Description: force LAN thru VPN

    IMPORTANT: scroll down to "Gateway" under the "Advanced features" of the rule.
    Set gateway to your VPN interface.

    Now, navigate to the system drop-down menus Firewall --->NAT
    Click the outbound tab.
    And set it to manual. You should not have to make any changes, but it
    was the only way I got it to work for me. It should look like this.

    At this point, I would give the box a reboot (possibly an unnecessary step);
    if this is not an option, disable the VPN client, wait a minute and then go ahead and re-enable it.

    CHECK OpenVPN syslog for errors !

    navigate to "http://www.whatismyip.com/" and your public-facing IP will be one of BTguard's IPs.

    you're done !

    Again thanks to rwijbenga and ericab.
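
A defender's check of the custom options used in the tutorial above, added here as an example and not part of the original post: it flags a missing server-certificate verification directive, disabled key renegotiation, muted replay warnings, and a credentials file that accounts other than the owner can access. The finding labels are hypothetical names, and the page does not say whether BTguard's server certificate would pass a stricter check such as `remote-cert-tls server`.

```python
import os
import stat

# The custom options block from the tutorial above, copied verbatim.
TUTORIAL_OPTIONS = """\
verb 3
mute 3
auth-user-pass /cf/conf/Btgd.pas
mute-replay-warnings
float
reneg-sec 0
"""

# Any one of these makes the client check the certificate the peer presents.
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}

def parse_options(text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def audit(text):
    """Return finding labels (hypothetical names) for a custom options block."""
    opts = parse_options(text)
    findings = []
    if not SERVER_VERIFY & opts.keys():
        findings.append("no-server-cert-verification")  # OpenVPN logs a WARNING for this
    if opts.get("reneg-sec") == ["0"]:
        findings.append("key-renegotiation-disabled")   # no timed data-channel rekey
    if "mute-replay-warnings" in opts:
        findings.append("replay-warnings-muted")
    cred = opts.get("auth-user-pass")
    if cred and os.path.exists(cred[0]):
        mode = stat.S_IMODE(os.stat(cred[0]).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):        # any group/other access bit set
            findings.append("credentials-file-not-owner-only")
    return findings

if __name__ == "__main__":
    for finding in audit(TUTORIAL_OPTIONS):
        print(finding)
```

Run on the firewall itself, the last check reports whether `/cf/conf/Btgd.pas` carries any group or other permission bits; elsewhere the file does not exist and that check is skipped.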



  • This was a great tutorial, and I was up and running in about 5 minutes by following the directions exactly. Thanks!

    On a side note, BTGuard speeds leave much to be desired. Very, very slow. Usually I get 75-100Mbps without them, and about 5-10Mbps with. Hardware is not the issue, I can only assume it is the service. 90% reduction in bandwidth made it, ultimately, unsuitable for what I was looking for.



  • I am trying to set up a connection to btguard with pfsense. I can connect under Windows, so my account is working ok. I set up everything and this is what I see in my log:
    Anyone know where the problem is? I see the warning about no server certificate verification enabled, but I have imported BTGuard's CA and selected it for this OpenVPN connection.

    Thanks

    
    Aug 15 14:52:27	openvpn[14999]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 15 14:52:27	openvpn[14999]: Re-using SSL/TLS context
    Aug 15 14:52:27	openvpn[14999]: Control Channel MTU parms [ L:1559 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Aug 15 14:52:27	openvpn[14999]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Aug 15 14:52:27	openvpn[14999]: RESOLVE: NOTE: vpn.btguard.com resolves to 13 addresses
    Aug 15 14:52:27	openvpn[14999]: Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
    Aug 15 14:52:27	openvpn[14999]: Local Options hash (VER=V4): '7004d33d'
    Aug 15 14:52:27	openvpn[14999]: Expected Remote Options hash (VER=V4): '2f085942'
    Aug 15 14:52:27	openvpn[14999]: Attempting to establish TCP connection with [AF_INET]63.142.161.7:1194 [nonblock]
    Aug 15 14:52:28	openvpn[14999]: TCP connection established with [AF_INET]63.142.161.7:1194
    Aug 15 14:52:28	openvpn[14999]: TCPv4_CLIENT link local (bound): [AF_INET]66.61.115.15
    Aug 15 14:52:28	openvpn[14999]: TCPv4_CLIENT link remote: [AF_INET]63.142.161.7:1194
    Aug 15 14:52:28	openvpn[14999]: Connection reset, restarting [0]
    Aug 15 14:52:28	openvpn[14999]: TCP/UDP: Closing socket
    Aug 15 14:52:28	openvpn[14999]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 15 14:52:28	openvpn[14999]: Restart pause, 5 second(s)
    Aug 15 14:52:33	openvpn[14999]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 15 14:52:33	openvpn[14999]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 15 14:52:33	openvpn[14999]: Re-using SSL/TLS context
    Aug 15 14:52:33	openvpn[14999]: Control Channel MTU parms [ L:1559 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Aug 15 14:52:33	openvpn[14999]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Aug 15 14:52:33	openvpn[14999]: RESOLVE: NOTE: vpn.btguard.com resolves to 13 addresses
    Aug 15 14:52:33	openvpn[14999]: Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
    Aug 15 14:52:33	openvpn[14999]: Local Options hash (VER=V4): '7004d33d'
    Aug 15 14:52:33	openvpn[14999]: Expected Remote Options hash (VER=V4): '2f085942'
    Aug 15 14:52:33	openvpn[14999]: Attempting to establish TCP connection with [AF_INET]63.142.161.7:1194 [nonblock]
    Aug 15 14:52:34	openvpn[14999]: TCP connection established with [AF_INET]63.142.161.7:1194
    Aug 15 14:52:34	openvpn[14999]: TCPv4_CLIENT link local (bound): [AF_INET]66.61.115.15
    Aug 15 14:52:34	openvpn[14999]: TCPv4_CLIENT link remote: [AF_INET]63.142.161.7:1194
    Aug 15 14:52:34	openvpn[14999]: Connection reset, restarting [0]
    Aug 15 14:52:34	openvpn[14999]: TCP/UDP: Closing socket
    Aug 15 14:52:34	openvpn[14999]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 15 14:52:34	openvpn[14999]: Restart pause, 5 second(s)
    Aug 15 14:52:39	openvpn[14999]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 15 14:52:39	openvpn[14999]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 15 14:52:39	openvpn[14999]: Re-using SSL/TLS context
    Aug 15 14:52:39	openvpn[14999]: Control Channel MTU parms [ L:1559 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Aug 15 14:52:39	openvpn[14999]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Aug 15 14:52:39	openvpn[14999]: RESOLVE: NOTE: vpn.btguard.com resolves to 13 addresses
    Aug 15 14:52:39	openvpn[14999]: Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
    Aug 15 14:52:39	openvpn[14999]: Local Options hash (VER=V4): '7004d33d'
    Aug 15 14:52:39	openvpn[14999]: Expected Remote Options hash (VER=V4): '2f085942'
    Aug 15 14:52:39	openvpn[14999]: Attempting to establish TCP connection with [AF_INET]63.142.161.7:1194 [nonblock]
    Aug 15 14:52:40	openvpn[14999]: TCP connection established with [AF_INET]63.142.161.7:1194
    Aug 15 14:52:40	openvpn[14999]: TCPv4_CLIENT link local (bound): [AF_INET]66.61.115.15
    Aug 15 14:52:40	openvpn[14999]: TCPv4_CLIENT link remote: [AF_INET]63.142.161.7:1194
    Aug 15 14:52:41	openvpn[14999]: Connection reset, restarting [0]
    Aug 15 14:52:41	openvpn[14999]: TCP/UDP: Closing socket
    Aug 15 14:52:41	openvpn[14999]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 15 14:52:41	openvpn[14999]: Restart pause, 5 second(s)
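
A triage sketch for the log pattern in the post above, added here as an example and not part of the thread: it counts connection resets that arrive right after the TCP connect, before the session ever completes, and records whether the server-certificate verification warning was logged. The sample log is constructed (192.0.2.10 is a documentation address) and the verdict labels are hypothetical.

```python
import re

# pfSense OpenVPN log line: "Aug 15 14:52:27 openvpn[PID]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s+openvpn\[\d+\]:\s(.*)$")

# Constructed sample modelled on the log in the post.
SAMPLE_LOG = """\
Aug 15 14:52:27 openvpn[14999]: Attempting to establish TCP connection with [AF_INET]192.0.2.10:1194 [nonblock]
Aug 15 14:52:28 openvpn[14999]: TCP connection established with [AF_INET]192.0.2.10:1194
Aug 15 14:52:28 openvpn[14999]: Connection reset, restarting [0]
Aug 15 14:52:28 openvpn[14999]: SIGUSR1[soft,connection-reset] received, process restarting
Aug 15 14:52:33 openvpn[14999]: WARNING: No server certificate verification method has been enabled.
Aug 15 14:52:34 openvpn[14999]: TCP connection established with [AF_INET]192.0.2.10:1194
Aug 15 14:52:34 openvpn[14999]: Connection reset, restarting [0]
"""

def triage(log_text):
    """Summarise a client log: tunnel state, early resets, missing cert checks."""
    connected = False      # tunnel state after the last line seen
    awaiting_tls = False   # TCP is up but the session has not completed yet
    early_resets = 0       # resets received before the session completed
    cert_warning = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("TCP connection established"):
            awaiting_tls = True
        elif "Initialization Sequence Completed" in msg:
            connected, awaiting_tls = True, False
        elif msg.startswith("Connection reset"):
            early_resets += int(awaiting_tls)
            connected = awaiting_tls = False
        elif msg.startswith("WARNING: No server certificate verification"):
            cert_warning = True
    if connected:
        verdict = "up"
    elif early_resets >= 2:
        verdict = "reset-loop-before-handshake"
    else:
        verdict = "down"
    return {"verdict": verdict, "early_resets": early_resets,
            "server_cert_unverified": cert_warning}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```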
    
    


  • I actually found the problem: I had ticked off "Enable authentication of TLS packets". After I unchecked this, it worked.

    Now my problem is I have an IPsec connection to the datacenter at work. I route 10.X.X.X and 172.X.X.X to that network (for certain IP addresses on my home LAN) and the rest of the traffic to the outside WAN. When I connect to the OpenVPN, it disrupts this. I have not figured out how to route the traffic properly. I did try to create a new interface and create a LAN rule, but that didn't work.

