Netgate Discussion Forum

Connect to OpenVPN Access Server?

    jasonlitka
    last edited by Apr 6, 2014, 2:35 PM

    Has anyone here been able to get pfSense to connect to an OpenVPN Access Server and actually pass any traffic?  I've managed to enter the data from the config file into the pfSense UI, and it connects successfully, but any devices I try end up with no connectivity.  Using the OpenVPN Connect app on my desktop or phone with the same config works great.

    I've set this up the same as any other OpenVPN provider.

    • Set up the CA and Client certs

    • Enter all the info into the OpenVPN Client screen

    • Create a new interface with IPv4 set to None

    • Add the gateway for the VPN interface to a rule on the LAN interface

    If I run a traceroute from the pfSense UI on the VPN interface it correctly goes out the tunnel.

    What am I missing here?

    I can break anything.

      phil.davis
      last edited by Apr 6, 2014, 3:10 PM

      Did you enable manual outbound NAT and add a rule to NAT on the way out of the VPN interface?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        jasonlitka
        last edited by Apr 6, 2014, 4:55 PM

        … No I did not.  Thanks.  Rookie mistake.

        I can break anything.

          johnpoz LAYER 8 Global Moderator
          last edited by Apr 7, 2014, 9:18 PM

          What information did you use to connect - I was never able to get this to work.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            jasonlitka
            last edited by Apr 7, 2014, 9:40 PM

            @johnpoz:

            What information did you use to connect - I was never able to get this to work.

            1. Log in to the client section of OpenVPN-AS as the user you want to use and download the "Yourself (autologin profile)" file.  If you don't have this, log into the admin panel and enable autologin for the user.

            2. Open up client.ovpn in notepad or similar.

            3. Copy the contents of the <ca></ca> block into a new CA cert in pfSense.

            4. Copy the contents of the & blocks into a new cert in pfSense.

            5. Create a new OpenVPN Client.

            6. Fill out the server and port as appropriate.

            7. Uncheck "Automatically generate a shared TLS key" and copy the contents of the <tls-auth></tls-auth> block into the box that appears.

            8. Pick the CA & Cert you created in steps 3 & 4.

            9. Set the encryption algorithm to whatever you're using in OpenVPN-AS.  The default is BF-CBC unless you changed it.

            10. Check the box for Compression if you enabled it in OpenVPN-AS.

            11. Save the OpenVPN Client connection and verify that the tunnel comes up.

            12. Create a new interface and assign the VPN tunnel to it.

            13. Edit the interface, enable it, and make sure that None is set for IPv4 Configuration Type.

            14. Add an outbound NAT rule for your new interface.

            15. Assign the new gateway to whatever firewall rules you want to force through the VPN tunnel.

            I can break anything.
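
An added example, not part of the original post and not pfSense or OpenVPN-AS code: a small Python parser that splits an OpenVPN inline profile into the blocks and directives the steps above copy into pfSense, and flags two things worth checking before saving the client. The profile text, host name and field labels are constructed; it assumes the two blocks in the cert step are the profile's `<cert>` and `<key>`, and treats a missing `cipher` line as BF-CBC, per the post.

```python
import re

# Constructed sample, not a real profile: placeholder bodies instead of PEM/key data.
SAMPLE_OVPN = (
    "# constructed OpenVPN-AS style profile\n"
    "client\nremote vpn.example.com 1194 udp\ncipher BF-CBC\ncomp-lzo\nkey-direction 1\n"
    + "".join(f"<{t}>\nPLACEHOLDER-{t.upper()}\n</{t}>\n" for t in ("ca", "cert", "key", "tls-auth"))
)

BLOCK_RE = re.compile(r"^<([\w-]+)>[ \t]*\n(.*?)\n</\1>[ \t]*$", re.S | re.M)
# Directives that make the client check it is talking to a server certificate.
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "ns-cert-type", "remote-cert-eku"}
SMALL_BLOCK = ("BF-", "DES-", "CAST5-")  # name prefixes of 64-bit block ciphers

def parse_profile(text):
    """Return ({tag: body} inline blocks, [directive tokens]) from a .ovpn profile."""
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    lines = BLOCK_RE.sub("", text).splitlines()
    directives = [ln.split() for ln in lines
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))]
    return blocks, directives

def pfsense_plan(text):
    """Map profile contents to the pfSense client fields, plus a list of findings."""
    blocks, directives = parse_profile(text)
    first = {}
    for d in directives:
        first.setdefault(d[0], d[1:])  # keep the first occurrence of each directive
    remote = first.get("remote", [])
    plan = {
        "CA cert": "ca" in blocks,
        "Client cert + key": "cert" in blocks and "key" in blocks,  # assumption, see lead-in
        "Server host": remote[0] if remote else None,
        "Server port": remote[1] if len(remote) > 1 else "1194",
        "TLS key": "tls-auth" in blocks,
        "Cipher": (first.get("cipher") or ["BF-CBC"])[0],
        "Compression": "comp-lzo" in first,
    }
    findings = [f"missing <{t}> block" for t in ("ca", "cert", "key", "tls-auth") if t not in blocks]
    if SERVER_VERIFY.isdisjoint(first):
        findings.append("no server certificate verification directive")
    if plan["Cipher"].upper().startswith(SMALL_BLOCK):
        findings.append("64-bit block cipher: " + plan["Cipher"])
    return plan, findings

if __name__ == "__main__":
    for item in pfsense_plan(SAMPLE_OVPN):
        print(item)
```

The first finding on the sample corresponds to the `No server certificate verification method has been enabled` warning in the log posted later in this thread.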

              johnpoz LAYER 8 Global Moderator
              last edited by Apr 8, 2014, 4:19 PM

              Dude sweet!!

              This is where I was having a brainfart ;)

              4. Copy the contents of the & blocks into a new cert in pfSense.

              I was only putting in the .. I will be testing this tonight and then doing a guide for the docs!!  Thanks!!!

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                johnpoz LAYER 8 Global Moderator
                last edited by Apr 9, 2014, 1:12 AM

                Sweet bing bang zoom and routing traffic through the vpn.. But kind of eye sore is that it's creating a VPNV6 Gateway

                I have no desire to route any sort of ipv6 traffic via this vpn connection.  On the interface it's set for none on ipv6, do you happen to know how to get it not to create this gateway??

                gatewayipv6.png

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  jasonlitka
                  last edited by Apr 9, 2014, 1:23 AM

                  No, I have no idea how to get rid of it. I've got a bunch of those on my systems.

                  I can break anything.

                    damir
                    last edited by Nov 8, 2015, 7:48 PM

                    I am having issues connecting to my OpenVPN-AS

                    I did follow instructions, however it's not working for me, and I am unsure what I am doing wrong.

                    Error log shows this:

                    Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
                    Nov 8 14:41:24 openvpn[79484]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                    Nov 8 14:41:24 openvpn[79484]: WARNING: using --pull/--client and --ifconfig together is probably not what you want

                    Please advise,
                    damir

                      johnpoz LAYER 8 Global Moderator
                      last edited by Nov 9, 2015, 6:55 AM

                      And without you posting your configuration, neither would we ;) Nor even the full log..

                      So I just fired this up per the instructions in this page, I really should finish that guide I started..  Click click…  I tell it not to pull the routes for my testing of this, and if you're going to want to do policy based routing, etc.  no reason to pull that you default route, etc..

                      openvpnasclient.png

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        damir
                        last edited by Nov 9, 2015, 5:16 PM

                        I apologize, you are right.

                        I will get more details tonight - screenshots from both OpenVPN AS and pfSense's OpenVPN Client section.

                        Big thanks for responding and I apologize again!

                        P.s.
                        Thanks for screenshot.

                          damir
                          last edited by Nov 9, 2015, 5:45 PM

                          Configuration / Logs:

                          OpenVPN-AS Ports settings:

                          Please advise.

                          Big thanks!

                            johnpoz LAYER 8 Global Moderator
                            last edited by Nov 9, 2015, 9:45 PM

                            See where you have no compress preference.. But most likely as server is doing compression, see the warning.. That will cause issue..  Set the drop down to do compression like mine enabled with adaptive

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              damir
                              last edited by Nov 9, 2015, 9:56 PM

                              Where exactly should I check if compression is enabled on OpenVPN-AS?

                              thanks for support

                                johnpoz LAYER 8 Global Moderator
                                last edited by Nov 9, 2015, 10:05 PM Nov 9, 2015, 10:01 PM

                                It is, see your warning… I would have to log into one of mine and look to where/if you can turn it off.

                                error.png
                                compression.png

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  damir
                                  last edited by Nov 9, 2015, 10:25 PM

                                  Thank you!

                                  That worked, it connected to OpenVPN-AS.

                                  Would you mind if I ask another question - I am trying to accomplish something and I am not 100% it can be accomplished / done.

                                  Big thanks again!

                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Nov 9, 2015, 10:42 PM

                                    Sure ask away..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      damir
                                      last edited by Nov 9, 2015, 10:50 PM

                                      Thank you!

                                      I have 4 PCs, 2 laptops, 2 smart TVs in my "home network".

                                      I have Wi-Fi R7000 Router in AP mode.

                                      I would like to have only 2 smart TVs using OpenVPN's AS IP (so, 2 local IPs - I already have those IPs assigned as Static IPs in pfSense).

                                      Is this possible? Would you mind helping with this?

                                      Big thanks,
                                      damir

                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Nov 9, 2015, 10:55 PM

                                        Sure this is a simple policy route.. Assign your vpn connection to an interface.  Set this up as gateway, then create a rule in your lan that says hey if this IP or IPs going anywhere go out the vpn connection.

                                        I am about ready to leave work, and much easier to setup and show screen shots when home vs remote..  Will post some screen shots how to do when I get home.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          damir
                                          last edited by Nov 9, 2015, 10:58 PM

                                          Big thanks! man, big big thanks!

                                          sorry for bothering you so much, and thank you a lot!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.