Openvpn access server, community version - client login from pfsense?

johnpoz · Feb 23, 2014, 8:07 PM

So I have a couple of lowend vps, and can install the openvpn as package, and click click can get an openvpn client running on windows working by just download loading the autologin profile for the user. This works for what I need them for, since really only need the vpn connection when the pipe to EU using comcast during primetime blows chunks.. So route my traffic through a lowend vps on my client and get the bandwidth I need to my server in NL. But would be nice to setup the connection in pfsense and be able to route just traffic through it based upon destination IP.. Then prob just leave it on all the time, etc.

So here is what the the .ovpn file looks like


 Automatically generated OpenVPN client config file
# Generated on Fri Feb 21 00:58:19 2014 by <snipped># Note: this config file contains inline private keys
#       and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=username
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
 <snipped># 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote <snipped>.192 1194 udp
remote <snipped>.192 443 tcp

dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

 <ca>-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIEUwbqbjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
 <snipped>3MRKc/K/qw==
-----END CERTIFICATE-----</snipped></ca> 

 <cert>-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpPcGVu
 <snipped>AN2Mg+B/TeDbM8fwA31m0jJaN1ld/zNwfRmC
-----END CERTIFICATE-----</snipped></cert> 

 <key>-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAOooZQQ+FFQpCCUg
 <snipped>vyK/Lobsgan6
-----END PRIVATE KEY-----</snipped></key> 

key-direction 1
 <tls-auth>#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
c974f3939fa1d32b26434a0b9aa6fed7
 <snipped>7b15ea4ff1697e7b19cd67990c949c15
-----END OpenVPN Static key V1-----</snipped></tls-auth> 

## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## GekWFUES54lwhLZdaCRBAoJUbj3aObD3YaG7d6JtDnd1fYC8oM
 <snipped>## 8dT4a0Lw41YUvdJJL2iyM=
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## MIIB5jCCAU+gAwIBAgIEUwbqdDANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
 <snipped>## S2Umksxn/4HTuQ==
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
 <snipped>## 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
## -----END CERTIFICATE-----</snipped></snipped></snipped></snipped></snipped></snipped></snipped></snipped></snipped>

I have tried creating the certs individual certs via instructions here, and using them http://docs.openvpn.net/administration-guide/cli-command-line-interface/extracting-separate-certificate-files-for-a-user/

-rw-r–r-- 1 root root 652 Feb 23 12:40 ca.crt
-rw-r--r-- 1 root root 676 Feb 23 12:40 client.crt
-rw------- 1 root root 916 Feb 23 12:40 client.key
-rw-r--r-- 1 root root 3927 Feb 23 12:40 client.ovpn
-rw------- 1 root root 651 Feb 23 12:40 ta.key

that ovpn looks a bit different


# Automatically generated OpenVPN client config file                  
# Generated on Sun Feb 23 12:40:33 2014 by username                     
# Note: this configuration is user-locked to the username below       
# OVPN_ACCESS_SERVER_USERNAME=username                                
# Define the profile name of this particular configuration file       
# OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN         
# OVPN_ACCESS_SERVER_AUTOLOGIN=1                                      
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True 
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True   
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True  
# OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443      
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START            
# -----BEGIN CERTIFICATE-----                                         
# MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP    
<snipped># WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ                                
# -----END CERTIFICATE-----                                           
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP                               
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1                              
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.          
setenv FORWARD_COMPATIBLE 1                                           
client                                                                
server-poll-timeout 4                                                 
nobind                                                                
remote <snipped>.192 1194 udp                                        

remote <snipped>.192 443 tcp                                         

dev-type tun                                                          
ns-cert-type server                                                   
reneg-sec 604800                                                      
sndbuf 100000                                                         
rcvbuf 100000                                                         
# NOTE: LZO commands are pushed by the Access Server at connect time. 
# NOTE: The below line doesn't disable LZO.                           
comp-lzo no                                                           
verb 3                                                                
setenv PUSH_PEER_INFO                                                 

ca ca.crt                                                             
cert client.crt                                                       
key client.key                                                        
tls-auth ta.key 1                                                     
## -----BEGIN RSA SIGNATURE-----                                      
## DIGEST:sha256                                                      
## WpS5pQ41YOLfWiiDMOOM4JrY7W5+vWu4lLEh/ccvAuvZ2F6E9l                 
<snipped>## YFRwcscBqHKB7mHyysZKI=                                             
## -----END RSA SIGNATURE-----                                        
## -----BEGIN CERTIFICATE-----                                        
## MIIB4DCCAUmgAwIBAgIEUGlF3jANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP   
 <snipped>## hEhDoQ==                                                           
## -----END CERTIFICATE-----                                          
## -----BEGIN CERTIFICATE-----                                        
## MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP   
 <snipped>## WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ                               
## -----END CERTIFICATE-----</snipped></snipped></snipped></snipped></snipped></snipped></snipped></snipped>

Gone through the pinned how tos, and just doesn't really line up and can not get it working. If someone can point me to how you use an autologin profile - or the name profile to the openvpn access server.

https://openvpn.net/index.php/access-server/overview.html

You have full control over the server side.. You can download different profiles, etc. If someone can point me in the right direction to get this connected I will be very happy to put together a full howto, etc with pretty pictures, etc. etc.

Lowend vps make for great vpn exits, for $15 a year you can get 500GB transfer a month, etc.

running
2.1.1-PRERELEASE (i386)
built on Thu Feb 13 13:59:46 EST 2014
FreeBSD 8.3-RELEASE-p14