Connect to OpenVPN Access Server?
-
Has anyone here been able to get pfSense to connect to an OpenVPN Access Server and actually pass any traffic? I've managed to enter the data from the config file into the pfSense UI, and it connects successfully, but any devices I try end up with no connectivity. Using the OpenVPN Connect app on my desktop or phone with the same config works great.
I've set this up the same as any other OpenVPN provider.
-
Setup the CA and Client certs
-
Enter all the info into the OpenVPN Client screen
-
Create a new interface with IPv4 set to None
-
Add the gateway for the VPN interface to a rule on the LAN interface
If I run a traceroute from the pfSense UI on the VPN interface it correctly goes out the tunnel.
What am I missing here?
-
-
Did you enable manual out bound NAT and add a rule to NAT on the way out of the VPN interface?
-
… No I did not. Thanks. Rookie mistake.
-
What information did you use to connection - I was never able to get this to work.
-
What information did you use to connection - I was never able to get this to work.
-
Log in to the client section of OpenVPN-AS as the user you want to use and download the "Yourself (autologin profile)" file. If you don't have this, log into the admin panel and enable autologin for the user.
-
Open up client.ovpn in notepad or similar.
-
Copy the contents of the <ca></ca>block into a new CA cert in pfSense.
-
Copy the contents of the & blocks into a new cert in pfSense.
-
Create a new OpenVPN Client.
-
Fill out the server and & port as appropriate.
-
Uncheck "Automatically generate a shared TLS key" and copy the contents of the <tls-auth></tls-auth>block into the box that appears.
-
Pick the CA & Cert you created in steps 3 & 4.
-
Set the encryption algorithm to whatever you're using in OpenVPN-AS. The default is BF-CBC unless you changed it.
-
Check the box for Compression if you enabled it in OpenVPN-AS.
-
Save the OpenVPN Client connection and verify that the tunnel comes up.
-
Create a new interface and assign the VPN tunnel to it.
-
Edit the interface, enable it, and make sure that None is set for IPv4 Configuration Type.
-
Add an outbound NAT rule for your new interface.
-
Assign the new gateway to whatever firewall rules you want to force through the VPN tunnel.
-
-
Dude sweet!!
This is where I was having a brainfart ;)
4. Copy the contents of the & blocks into a new cert in pfSense.
I was only putting in the .. I will be testing this tonight and then doing a guide for the docs!! Thanks!!!
-
Sweet bing bang zoom and routing traffic through the vpn.. But kind of eye sore is that its creating a VPNV6 Gateway
I have no desire to route any sort of ipv6 traffic via this vpn connection. On the interface its set for none on ipv6, do you happen to know how to get it not to create this gateway??
-
No, I have no idea how to get rid of it. I've got a bunch of those on my systems.
-
I am having issues connecting to my OpenVPN-AS
I did follow instructions, however it's not working for me, and i am unsure what i am doing wrong.
Error logs shows this:
Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Nov 8 14:41:24 openvpn[79484]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 8 14:41:24 openvpn[79484]: WARNING: using –pull/--client and --ifconfig together is probably not what you wantPlease advise,
damir -
And without you posting your configuration, either would we ;) Nor even the full log..
So I just fired this up per the instructions in this page, I really should finish that guide I started.. Click click… I tell it not to pull the routes for my testing of this, and if your going to want to do policy based routing, etc. no reason to pull that you default route, etc..
-
I apologize, you are right.
I will get more details tonight - screenshots from both OpenVPN AS and pFsense's OpenVPN Client section.
Big thanks for responding and i apologize again!
P.s.
Thanks for screenshot. -
Configuration / Logs:
OpenVPN-AS Ports settings:
Please advise.
Big thanks!
-
See where you have no compress preference.. But most likely as server is doing compression, see the warning.. That will cause issue.. Set the drop down to do compression like mine enabled with adaptive
-
where exactly should i check if compression is enabled on opevnpn-as?
thanks for support
-
it is see your warning… I would have to log into one of mine and look to where/if you can turn it off.
-
Thank you!
That worked, it connected to OpenVPN-AS.
Would you mind if i ask another question - i am trying to accomplish something and i am not 100% it can be accomplished / done.
Big thanks again!
-
Sure ask away..
-
Thank you!
I have 4 PC's , 2 Laptop's , 2 Smart TV's in my "home network".
I have Wi-Fi R7000 Router in AP mode.
I would like to have only 2 Smart TV's using OpenVPN's AS IP (so, 2 local IPs - i already have those IPs assigned as Static IPs in pfSense).
Is this possible? Would you mind helping with this?
Big thanks,
damir -
Sure this is a simple policy route.. Assign your vpn connection to an interface. Set this up as gateway, then create a rule in your lan that says hey if this IP or IPs going anywhere go out the vpn connection.
I am about ready to leave work, and much easier to setup and show screen shots when home vs remote.. Will post some screen shots how to do when I get home.
-
Big thanks! man, big big thanks!
sorry for bothering you so much, and thank you a lot!