Openvpn access server, community version - client login from pfsense?


  • Rebel Alliance Global Moderator

    So I have a couple of low-end VPSs, and can install OpenVPN as a package, and click click can get an OpenVPN client running on Windows working by just downloading the autologin profile for the user.  This works for what I need them for, since I really only need the VPN connection when the pipe to the EU using Comcast during primetime blows chunks.. So I route my traffic through a low-end VPS on my client and get the bandwidth I need to my server in NL.  But it would be nice to set up the connection in pfSense and be able to route just the traffic I choose through it based upon destination IP.. Then probably just leave it on all the time, etc.

    So here is what the .ovpn file looks like:


    # Automatically generated OpenVPN client config file
    # Generated on Fri Feb 21 00:58:19 2014 by <snipped>
    # Note: this config file contains inline private keys
    #       and therefore should be kept confidential!
    # Note: this configuration is user-locked to the username below
    # OVPN_ACCESS_SERVER_USERNAME=username
    # Define the profile name of this particular configuration file
    # OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN
    # OVPN_ACCESS_SERVER_AUTOLOGIN=1
    # OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
    # OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
    # OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
    # OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443
    # OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
    # -----BEGIN CERTIFICATE-----
    # MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
    # <snipped>
    # 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
    # -----END CERTIFICATE-----
    # OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
    # OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
    # OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
    setenv FORWARD_COMPATIBLE 1
    client
    server-poll-timeout 4
    nobind
    remote <snipped>.192 1194 udp
    remote <snipped>.192 443 tcp

    dev-type tun
    ns-cert-type server
    reneg-sec 604800
    sndbuf 100000
    rcvbuf 100000
    # NOTE: LZO commands are pushed by the Access Server at connect time.
    # NOTE: The below line doesn't disable LZO.
    comp-lzo no
    verb 3
    setenv PUSH_PEER_INFO

    <ca>
    -----BEGIN CERTIFICATE-----
    MIIBszCCARygAwIBAgIEUwbqbjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
    <snipped>
    3MRKc/K/qw==
    -----END CERTIFICATE-----
    </ca>

    <cert>
    -----BEGIN CERTIFICATE-----
    MIIBxzCCATCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpPcGVu
    <snipped>
    AN2Mg+B/TeDbM8fwA31m0jJaN1ld/zNwfRmC
    -----END CERTIFICATE-----
    </cert>

    <key>
    -----BEGIN PRIVATE KEY-----
    MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAOooZQQ+FFQpCCUg
    <snipped>
    vyK/Lobsgan6
    -----END PRIVATE KEY-----
    </key>

    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key (Server Agent)
    #
    -----BEGIN OpenVPN Static key V1-----
    c974f3939fa1d32b26434a0b9aa6fed7
    <snipped>
    7b15ea4ff1697e7b19cd67990c949c15
    -----END OpenVPN Static key V1-----
    </tls-auth>

    ## -----BEGIN RSA SIGNATURE-----
    ## DIGEST:sha256
    ## GekWFUES54lwhLZdaCRBAoJUbj3aObD3YaG7d6JtDnd1fYC8oM
    ## <snipped>
    ## 8dT4a0Lw41YUvdJJL2iyM=
    ## -----END RSA SIGNATURE-----
    ## -----BEGIN CERTIFICATE-----
    ## MIIB5jCCAU+gAwIBAgIEUwbqdDANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
    ## <snipped>
    ## S2Umksxn/4HTuQ==
    ## -----END CERTIFICATE-----
    ## -----BEGIN CERTIFICATE-----
    ## MIIB/TCCAWagAwIBAgIEUwbqczANBgkqhkiG9w0BAQUFADA6MTgwNgYDVQQDEy9P
    ## <snipped>
    ## 9+raOGdiw4kk6AoJrnY8aYNROP3g2c5GwBFVMb/maUER
    ## -----END CERTIFICATE-----


    I have also tried creating the individual certs via the instructions here, and using them: http://docs.openvpn.net/administration-guide/cli-command-line-interface/extracting-separate-certificate-files-for-a-user/

    -rw-r--r-- 1 root root  652 Feb 23 12:40 ca.crt
    -rw-r--r-- 1 root root  676 Feb 23 12:40 client.crt
    -rw------- 1 root root  916 Feb 23 12:40 client.key
    -rw-r--r-- 1 root root 3927 Feb 23 12:40 client.ovpn
    -rw------- 1 root root  651 Feb 23 12:40 ta.key

    That .ovpn looks a bit different:


    # Automatically generated OpenVPN client config file
    # Generated on Sun Feb 23 12:40:33 2014 by username
    # Note: this configuration is user-locked to the username below
    # OVPN_ACCESS_SERVER_USERNAME=username
    # Define the profile name of this particular configuration file
    # OVPN_ACCESS_SERVER_PROFILE=username@<snipped>.192/AUTOLOGIN
    # OVPN_ACCESS_SERVER_AUTOLOGIN=1
    # OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
    # OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
    # OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
    # OVPN_ACCESS_SERVER_WSHOST=<snipped>.192:443
    # OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
    # -----BEGIN CERTIFICATE-----
    # MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
    # <snipped>
    # WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ
    # -----END CERTIFICATE-----
    # OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
    # OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
    # OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
    setenv FORWARD_COMPATIBLE 1
    client
    server-poll-timeout 4
    nobind
    remote <snipped>.192 1194 udp
    remote <snipped>.192 443 tcp

    dev-type tun
    ns-cert-type server
    reneg-sec 604800
    sndbuf 100000
    rcvbuf 100000
    # NOTE: LZO commands are pushed by the Access Server at connect time.
    # NOTE: The below line doesn't disable LZO.
    comp-lzo no
    verb 3
    setenv PUSH_PEER_INFO

    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1
    ## -----BEGIN RSA SIGNATURE-----
    ## DIGEST:sha256
    ## WpS5pQ41YOLfWiiDMOOM4JrY7W5+vWu4lLEh/ccvAuvZ2F6E9l
    ## <snipped>
    ## YFRwcscBqHKB7mHyysZKI=
    ## -----END RSA SIGNATURE-----
    ## -----BEGIN CERTIFICATE-----
    ## MIIB4DCCAUmgAwIBAgIEUGlF3jANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
    ## <snipped>
    ## hEhDoQ==
    ## -----END CERTIFICATE-----
    ## -----BEGIN CERTIFICATE-----
    ## MIIB9zCCAWCgAwIBAgIEUGlF3TANBgkqhkiG9w0BAQUFADA3MTUwMwYDVQQDEyxP
    ## <snipped>
    ## WP1puOJyk4uKumLuCzE5hY/qvJjJRudT4VVQ
    ## -----END CERTIFICATE-----


    I've gone through the pinned how-tos, and it just doesn't really line up and I cannot get it working.  Could someone point me to how you use an autologin profile - or the name profile - to connect to the OpenVPN Access Server?

    https://openvpn.net/index.php/access-server/overview.html

    You have full control over the server side..  You can download different profiles, etc.  If someone can point me in the right direction to get this connected I will be very happy to put together a full how-to, etc. with pretty pictures, etc. etc.

    Low-end VPSs make for great VPN exits; for $15 a year you can get 500GB transfer a month, etc.

    Running:
    2.1.1-PRERELEASE (i386)
    built on Thu Feb 13 13:59:46 EST 2014
    FreeBSD 8.3-RELEASE-p14
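The two profiles in the post differ only in how the key material is carried: the first embeds it in `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks (with `key-direction 1` governing the static key), the second references `ca.crt`, `client.crt`, `client.key` and `ta.key` on disk with `tls-auth ta.key 1`. Those separate pieces are what a router GUI such as pfSense's certificate manager and OpenVPN client editor take as individually pasted fields. The script below is an added example written for this page; it is not code from the forum post, from pfSense or from OpenVPN Access Server. It splits an inline profile into the file-based form, folds `key-direction` into the `tls-auth` directive (and, going one step beyond the post's case, emits a direction-less `tls-auth ta.key` when the profile has no `key-direction` line, which OpenVPN treats as bidirectional), writes the private key and static key with mode 0600 to match the listing in the post, and flags that an `OVPN_ACCESS_SERVER_AUTOLOGIN=1` profile authenticates with the key alone. The file names follow the post's listing; the hostname `vpn.example.net` and the PEM bodies in `SAMPLE_PROFILE` are constructed placeholders, not real certificates or keys.

```python
"""Split an OpenVPN Access Server inline .ovpn profile into separate files.

Added example for this page (not from the forum post, pfSense or OpenVPN):
converts the inline <ca>/<cert>/<key>/<tls-auth> form into the
ca/cert/key/tls-auth file-referencing form.
"""
import os
import re
import stat
import tempfile
import textwrap
from pathlib import Path

# Inline tag -> file name, following the listing in the post (assumed names).
INLINE_FILES = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key", "tls-auth": "ta.key"}
SECRET_TAGS = {"key", "tls-auth"}  # written 0600; the certificates 0644

# One inline block: opening tag on its own line, body, matching closing tag.
BLOCK_RE = re.compile(r"^<(?P<tag>[a-z-]+)>\n(?P<body>.*?)^</(?P=tag)>[ \t]*\n?", re.S | re.M)
KEY_DIR_RE = re.compile(r"^key-direction\s+(\d)\s*$", re.M)


def convert_inline_profile(text):
    """Return (file_based_config, {tag: pem_body}) for an inline profile."""
    blocks = {}
    key_dir = KEY_DIR_RE.search(text)
    direction = key_dir.group(1) if key_dir else None

    def to_directive(match):
        tag, body = match.group("tag"), match.group("body")
        if tag not in INLINE_FILES:
            return match.group(0)  # unknown inline block: leave it untouched
        blocks[tag] = body
        fname = INLINE_FILES[tag]
        if tag == "tls-auth":
            # inline <tls-auth> + "key-direction N" is "tls-auth ta.key N";
            # with no key-direction line the static key is used bidirectionally
            return f"tls-auth {fname} {direction}\n" if direction else f"tls-auth {fname}\n"
        return f"{tag} {fname}\n"

    config = BLOCK_RE.sub(to_directive, text)
    config = KEY_DIR_RE.sub("", config)  # folded into the tls-auth line above
    config = re.sub(r"\n{3,}", "\n\n", config)  # tidy blank runs left behind
    return config, blocks


def profile_warnings(text):
    """Things worth knowing before pasting this profile into a router."""
    notes = []
    if "OVPN_ACCESS_SERVER_AUTOLOGIN=1" in text:
        notes.append("autologin profile: the embedded key alone authenticates; protect client.key like a password")
    if "<tls-auth>" in text and not KEY_DIR_RE.search(text):
        notes.append("inline tls-auth without key-direction: the static key will be used bidirectionally")
    return notes


def write_split_profile(text, out_dir=None):
    """Write ca.crt/client.crt/client.key/ta.key/client.ovpn; return (dir, {name: mode})."""
    out = Path(out_dir or tempfile.mkdtemp(prefix="ovpn-split-"))
    out.mkdir(parents=True, exist_ok=True)
    config, blocks = convert_inline_profile(text)
    modes = {}
    for tag, body in blocks.items():
        path = out / INLINE_FILES[tag]
        mode = 0o600 if tag in SECRET_TAGS else 0o644
        # create the file with its final mode so a secret is never world-readable, even briefly
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # os.open's mode is masked by the umask; enforce it
        modes[path.name] = stat.S_IMODE(os.stat(path).st_mode)
    (out / "client.ovpn").write_text(config)
    return str(out), modes


# Constructed sample in the shape of the post's first profile; PEM bodies are placeholders.
SAMPLE_PROFILE = textwrap.dedent("""\
    # Automatically generated OpenVPN client config file
    # OVPN_ACCESS_SERVER_AUTOLOGIN=1
    client
    nobind
    remote vpn.example.net 1194 udp
    remote vpn.example.net 443 tcp
    dev-type tun
    verb 3

    <ca>
    -----BEGIN CERTIFICATE-----
    PLACEHOLDERCA
    -----END CERTIFICATE-----
    </ca>

    <cert>
    -----BEGIN CERTIFICATE-----
    PLACEHOLDERCERT
    -----END CERTIFICATE-----
    </cert>

    <key>
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDERKEY
    -----END PRIVATE KEY-----
    </key>

    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key (Server Agent)
    #
    -----BEGIN OpenVPN Static key V1-----
    0123456789abcdef0123456789abcdef
    -----END OpenVPN Static key V1-----
    </tls-auth>
    """)

if __name__ == "__main__":
    out_dir, file_modes = write_split_profile(SAMPLE_PROFILE)
    print((Path(out_dir) / "client.ovpn").read_text())
    print(file_modes)
    for note in profile_warnings(SAMPLE_PROFILE):
        print("note:", note)
```

Run it against a real profile by passing its text to `write_split_profile`; `ca.crt` goes to the CA store, `client.crt` plus `client.key` to the certificate store, and `ta.key` to the TLS key field with the same direction the generated `tls-auth` line carries. The `## RSA SIGNATURE` trailer the Access Server appends is left in place as a comment, but it was computed over the original inline profile, so it no longer matches the rewritten file and only the Access Server's own client ever checked it.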