    Openvpn access server, community version - client login from pfsense?

johnpoz (LAYER 8, Global Moderator) wrote:

So I have a couple of low-end VPSes, and can install OpenVPN as a package, and click-click can get an OpenVPN client running on Windows working by just downloading the autologin profile for the user.  This works for what I need them for, since I really only need the VPN connection when the pipe to the EU using Comcast during primetime blows chunks.. So route my traffic through a low-end VPS on my client and get the bandwidth I need to my server in NL.  But it would be nice to set up the connection in pfSense and be able to route just traffic through it based upon destination IP.. Then probably just leave it on all the time, etc.

So here is what the .ovpn file looks like:

```
# Automatically generated OpenVPN client config file
# Generated on Fri Feb 21 00:58:19 2014 by <snipped>
# Note: this config file contains inline private keys
#       and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=username
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
# <snipped>
# 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote <snipped>.192 1194 udp
remote <snipped>.192 443 tcp
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIEUwbqbjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
<snipped>
3MRKc/K/qw==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpPcGVu
<snipped>
AN2Mg+B/TeDbM8fwA31m0jJaN1ld/zNwfRmC
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAOooZQQ+FFQpCCUg
<snipped>
vyK/Lobsgan6
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
c974f3939fa1d32b26434a0b9aa6fed7
<snipped>
7b15ea4ff1697e7b19cd67990c949c15
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## GekWFUES54lwhLZdaCRBAoJUbj3aObD3YaG7d6JtDnd1fYC8oM
## <snipped>
## 8dT4a0Lw41YUvdJJL2iyM=
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## MIIB5jCCAU+gAwIBAgIEUwbqdDANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
## <snipped>
## S2Umksxn/4HTuQ==
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
## <snipped>
## 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
## -----END CERTIFICATE-----
```

I have tried creating the individual certs via the instructions here, and using them: http://docs.openvpn.net/administration-guide/cli-command-line-interface/extracting-separate-certificate-files-for-a-user/

```
-rw-r--r-- 1 root root  652 Feb 23 12:40 ca.crt
-rw-r--r-- 1 root root  676 Feb 23 12:40 client.crt
-rw------- 1 root root  916 Feb 23 12:40 client.key
-rw-r--r-- 1 root root 3927 Feb 23 12:40 client.ovpn
-rw------- 1 root root  651 Feb 23 12:40 ta.key
```

That .ovpn looks a bit different:

```
# Automatically generated OpenVPN client config file
# Generated on Sun Feb 23 12:40:33 2014 by username
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=username
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
# <snipped>
# WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote <snipped>.192 1194 udp
remote <snipped>.192 443 tcp
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## WpS5pQ41YOLfWiiDMOOM4JrY7W5+vWu4lLEh/ccvAuvZ2F6E9l
## <snipped>
## YFRwcscBqHKB7mHyysZKI=
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## MIIB4DCCAUmgAwIBAgIEUGlF3jANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
## <snipped>
## hEhDoQ==
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
## <snipped>
## WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ
## -----END CERTIFICATE-----
```

I have gone through the pinned how-tos, and it just doesn't really line up, and I cannot get it working.  If someone can point me to how you use an autologin profile, or the named profile, to connect to the OpenVPN Access Server.

      https://openvpn.net/index.php/access-server/overview.html

You have full control over the server side.  You can download different profiles, etc.  If someone can point me in the right direction to get this connected I will be very happy to put together a full how-to, etc. with pretty pictures, etc. etc.

Low-end VPSes make for great VPN exits; for $15 a year you can get 500GB transfer a month, etc.

Running:
      2.1.1-PRERELEASE (i386)
      built on Thu Feb 13 13:59:46 EST 2014
      FreeBSD 8.3-RELEASE-p14

[Attachments: openvpn_as.png, profiles.png]


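The step johnpoz describes above, pulling the inline CA, client certificate, private key and tls-auth key out of an Access Server autologin profile into the separate files that pfSense's OpenVPN client wants, can also be done locally rather than through the Access Server CLI. The script below is an added example and is not code from the post, from pfSense or from OpenVPN Access Server. It assumes the inline blocks are delimited by `<ca>`, `<cert>`, `<key>` and `<tls-auth>` tags that each sit on their own line, as the Access Server writes them; the embedded profile is a constructed sample with placeholder PEM bodies, not real key material.

```shell
#!/bin/sh
# split_ovpn.sh: split an OpenVPN Access Server inline (.ovpn) profile into
# separate ca.crt / client.crt / client.key / ta.key files plus a client.ovpn
# that references them. Added example, not from the forum post, pfSense or
# OpenVPN Access Server. Assumes each <ca>, <cert>, <key> and <tls-auth>
# tag is on its own line, as the Access Server writes them.
set -eu

# Constructed sample profile with placeholder PEM bodies (not real keys).
SAMPLE_OVPN='client
nobind
remote vpn.example.net 1194 udp
remote vpn.example.net 443 tcp
dev-type tun
ns-cert-type server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CAPLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERTPLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEYPLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
0011223344556677
-----END OpenVPN Static key V1-----
</tls-auth>'

# write_sample DIR: write the constructed sample into DIR and print its path.
write_sample() {
    printf '%s\n' "$SAMPLE_OVPN" > "$1/sample.ovpn"
    printf '%s\n' "$1/sample.ovpn"
}

# extract_block PROFILE TAG: print the lines between <TAG> and </TAG>.
# Comment lines inside the block (as in the tls-auth key) are kept.
extract_block() {
    awk -v tag="$2" '
        $0 == "<" tag ">"  { inside = 1; next }
        $0 == "</" tag ">" { inside = 0 }
        inside             { print }
    ' "$1"
}

# profile_remote PROFILE: print "host port proto" from the first remote line.
# These are the server host, port and protocol of the pfSense client entry.
profile_remote() {
    awk '$1 == "remote" { print $2, $3, $4; exit }' "$1"
}

# split_ovpn PROFILE OUTDIR: write the four files (private material 0600) and
# a client.ovpn that keeps every other directive and references the files.
split_ovpn() {
    profile=$1; outdir=$2
    mkdir -p "$outdir"
    (
        umask 077   # key material is created unreadable to group/other
        extract_block "$profile" ca       > "$outdir/ca.crt"
        extract_block "$profile" cert     > "$outdir/client.crt"
        extract_block "$profile" key      > "$outdir/client.key"
        extract_block "$profile" tls-auth > "$outdir/ta.key"
        # Drop the inline blocks, keep the rest (including key-direction),
        # then point at the files; tls-auth takes its direction from it.
        awk '
            $0 ~ "^<(ca|cert|key|tls-auth)>$"  { skip = 1 }
            !skip                              { print }
            $0 ~ "^</(ca|cert|key|tls-auth)>$" { skip = 0 }
        ' "$profile" > "$outdir/client.ovpn"
        printf 'ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key\n' \
            >> "$outdir/client.ovpn"
    )
    # Only the certificates and the key-free config are safe to be readable.
    chmod 644 "$outdir/ca.crt" "$outdir/client.crt" "$outdir/client.ovpn"
}

# Stand-alone use: sh split_ovpn.sh profile.ovpn outdir
if [ "$#" -eq 2 ]; then
    split_ovpn "$1" "$2"
    echo "remote: $(profile_remote "$1")"
fi
```

The CA goes into the pfSense certificate manager as a CA, the client certificate and key as a certificate, and ta.key into the client's TLS authentication field with direction 1 (the profile's `key-direction 1`); `profile_remote` gives the host, port and protocol for the client entry. Treat client.key and ta.key with the same care the profile header asks for the inline file, since the autologin profile is the credential. One caveat for anyone reusing this profile on a newer OpenVPN: `ns-cert-type server` was deprecated in OpenVPN 2.4 and removed in 2.5 in favour of `remote-cert-tls server`.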
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.