Connect to OpenVPN Access Server?

jasonlitka

No, I have no idea how to get rid of it. I've got a bunch of those on my systems.

damir

I am having issues connecting to my OpenVPN-AS

I did follow instructions, however it's not working for me, and i am unsure what i am doing wrong.

Error logs shows this:

Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Nov 8 14:41:24 openvpn[79484]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 8 14:41:24 openvpn[79484]: WARNING: using –pull/--client and --ifconfig together is probably not what you want

Please advise,
damir

johnpoz

And without you posting your configuration, either would we ;) Nor even the full log..

So I just fired this up per the instructions in this page, I really should finish that guide I started..  Click click…  I tell it not to pull the routes for my testing of this, and if your going to want to do policy based routing, etc.  no reason to pull that you default route, etc..

damir

I apologize, you are right.

I will get more details tonight - screenshots from both OpenVPN AS and pFsense's OpenVPN Client section.

Big thanks for responding and i apologize again!

P.s.
Thanks for screenshot.

damir

Configuration / Logs:

OpenVPN-AS Ports settings:

Please advise.

Big thanks!

johnpoz

See where you have no compress preference.. But most likely as server is doing compression, see the warning.. That will cause issue..  Set the drop down to do compression like mine enabled with adaptive

damir

where exactly should i check if compression is enabled on opevnpn-as?

thanks for support

johnpoz

it is see your warning… I would have to log into one of mine and look to where/if you can turn it off.

damir

Thank you!

That worked, it connected to OpenVPN-AS.

Would you mind if i ask another question - i am trying to accomplish something and i am not 100% it can be accomplished / done.

Big thanks again!

johnpoz

Sure ask away..

damir

Thank you!

I have 4 PC's , 2 Laptop's , 2 Smart TV's in my  "home network".

I have Wi-Fi R7000 Router in AP mode.

I would like to have only 2 Smart TV's using OpenVPN's AS IP (so, 2 local IPs - i already have those IPs assigned as Static IPs in pfSense).

Is this possible? Would you mind helping with this?

Big thanks,
damir

johnpoz

Sure this is a simple policy route.. Assign your vpn connection to an interface.  Set this up as gateway, then create a rule in your lan that says hey if this IP or IPs going anywhere go out the vpn connection.

I am about ready to leave work, and much easier to setup and show screen shots when home vs remote..  Will post some screen shots how to do when I get home.

damir

Big thanks! man, big big thanks!

sorry for bothering you so much, and thank you a lot!

johnpoz

Ok here you go..  So make you assign your vpnclient to an interface - don't give it an IP, then create a gateway using that interface (do not set it default).  You can disable the _v6 interface it creates.

Make sure you have a nat to this interface in your outbound nats to your network range.

Then create a rule that says hey your source IP or IPs when NOT going to your local networks.. That is what the ! is in the rule and I use an alias that has my local networks in it and tell it to use the gateway.. Now when that source IP or IPs is going to anything other than your local networks that rule will trigger and send that traffic down your vpn client tunnel.  See attached images - so my normal workstation has my normal 24. IP on public - but when I use a vm that is 192.168.9.230 it goes down the tunnel.

Make sure you devices you want to go down the tunnel use the dns you want to use and you should be set.  Also you might want to make sure you don't get any routes from the vpn client connection, see my above post showing my client config - see how I have checked block routes checked..  You don't want pfsense getting routes you may not want.. you just want to send the traffic down the tunnel based on your policy.  Quite often openvpnas is set to default route.. So pfsense could get a default route pointing down the tunnel, etc..

damir

Big thanks!

I am having issues figuring out how to set getway for firewall rule on specific IP

I go to:
https://192.168.1.1/firewall_rules.php?if=lan

it looks like:

when i go to edit it, it looks like:

i think i am on correct page?

sorry for bothering you so much with this.

thanks

johnpoz

Yeah that looks like firewall rule page.. And you need to move this rule above the default rules..  Where are all your advanced settings??  You set the gateway in the advanced section

damir

i am completely dumb.  :o

I "think" i did everything as you said, and i rebooted pfSense right now.

The output was, every single device was receiving OpenVPN's IP  :-\

Here is the full setup:

Interface setup:

Firewall Outbound:

Firewall Rules:

What am i missing?

Thanks

Derelict

No idea what you expect to happen with ! any as a destination.

Some VPN providers push a default gateway. You have to check don't pull routes in the client config to have policy routing control on the client side.

johnpoz

well !* is not valid.. You need t create a alias for your local networks, or at min use ! lan net..  So where were your advanced settings in the previous post.. Seems you have gateway set now.  And you prob don't want that rule only tcp… How are you going to do dns for example which is udp through that link?

Did you block getting routes from from the vpn client.. It can over write you default route and send everything through that tunnel..

damir

Yes, i did set that option.

Alias:

Firewall now:

Advanced: