Netgate Discussion Forum

Connect to OpenVPN Access Server?

  • J
    jasonlitka
    last edited by Apr 9, 2014, 1:23 AM

    No, I have no idea how to get rid of it. I've got a bunch of those on my systems.

    I can break anything.

    • D
      damir
      last edited by Nov 8, 2015, 7:48 PM

      I am having issues connecting to my OpenVPN-AS.

      I did follow instructions, however it's not working for me, and I am unsure what I am doing wrong.

      Error logs show this:

      Nov 8 14:41:24 openvpn[79484]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
      Nov 8 14:41:24 openvpn[79484]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 8 14:41:24 openvpn[79484]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Nov 8 14:41:24 openvpn[79484]: WARNING: using --pull/--client and --ifconfig together is probably not what you want

      Please advise,
      damir
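
Added example, not part of the original posts: a small Python check that reads an OpenVPN client config and reports the conditions behind three of the log lines above (no server certificate verification, `--pull`/`--client` combined with `--ifconfig`, and a `--script-security` level that permits user scripts). The sample config, its hostname and the list of verification directives are assumptions made for illustration.

```python
import shlex

# Directives that enable some form of server certificate verification
# (list assumed for this example; tls-verify scripts are not considered).
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "remote-cert-eku",
                 "remote-cert-ku", "ns-cert-type"}

def parse(conf_text):
    """Map directive -> list of argument lists, skipping comments and inline <blocks>."""
    opts, in_block = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("<"):            # <ca> ... </ca> style inline file
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue
        words = shlex.split(line, comments=True)
        if words:
            opts.setdefault(words[0].lstrip("-"), []).append(words[1:])
    return opts

def audit(conf_text):
    """Return finding ids for the conditions behind the log warnings."""
    opts = parse(conf_text)
    tls_client = "client" in opts or "tls-client" in opts
    pulls = "client" in opts or "pull" in opts   # --client implies --pull
    findings = []
    if tls_client and not SERVER_VERIFY & opts.keys():
        findings.append("no-server-cert-verification")
    if pulls and "ifconfig" in opts:
        findings.append("pull-with-ifconfig")
    levels = [int(a[0]) for a in opts.get("script-security", []) if a]
    if levels and max(levels) >= 2:          # level 2+ permits user-defined scripts
        findings.append("script-security-allows-scripts")
    return findings

# Constructed sample resembling a generated client config (hostname is a placeholder).
SAMPLE = """\
dev ovpnc1
client
remote vpn.example.net 1194 udp
ifconfig 10.8.0.2 10.8.0.1
tls-auth /var/etc/openvpn/client1.tls-auth 1
script-security 3
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE + "remote-cert-tls server\n"))
```

Adding `remote-cert-tls server` to the sample clears the certificate-verification finding; the other two remain.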

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Nov 9, 2015, 6:55 AM

        And without you posting your configuration, neither would we ;) Nor even the full log..

        So I just fired this up per the instructions in this page, I really should finish that guide I started..  Click click…  I tell it not to pull the routes for my testing of this, and if you're going to want to do policy based routing, etc.  no reason to pull that you default route, etc..

        openvpnasclient.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • D
          damir
          last edited by Nov 9, 2015, 5:16 PM

          I apologize, you are right.

          I will get more details tonight - screenshots from both OpenVPN AS and pfSense's OpenVPN Client section.

          Big thanks for responding and I apologize again!

          P.s.
          Thanks for screenshot.

          • D
            damir
            last edited by Nov 9, 2015, 5:45 PM

            Configuration / Logs:

            OpenVPN-AS Ports settings:

            Please advise.

            Big thanks!

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Nov 9, 2015, 9:45 PM

              See where you have no compress preference.. But most likely the AS server is doing compression, see the warning.. That will cause issues..  Set the drop down to do compression like mine, enabled with adaptive

              • D
                damir
                last edited by Nov 9, 2015, 9:56 PM

                Where exactly should I check if compression is enabled on OpenVPN-AS?

                thanks for support

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Nov 9, 2015, 10:05 PM Nov 9, 2015, 10:01 PM

                  It is, see your warning… I would have to log into one of mine and look to where/if you can turn it off.

                  error.png
                  compression.png

                  • D
                    damir
                    last edited by Nov 9, 2015, 10:25 PM

                    Thank you!

                    That worked, it connected to OpenVPN-AS.

                    Would you mind if I ask another question - I am trying to accomplish something and I am not 100% sure it can be accomplished / done.

                    Big thanks again!

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Nov 9, 2015, 10:42 PM

                      Sure ask away..

                      • D
                        damir
                        last edited by Nov 9, 2015, 10:50 PM

                        Thank you!

                        I have 4 PCs, 2 laptops, 2 smart TVs in my "home network".

                        I have Wi-Fi R7000 Router in AP mode.

                        I would like to have only 2 smart TVs using OpenVPN's AS IP (so, 2 local IPs - I already have those IPs assigned as Static IPs in pfSense).

                        Is this possible? Would you mind helping with this?

                        Big thanks,
                        damir

                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Nov 9, 2015, 10:55 PM

                          Sure this is a simple policy route.. Assign your vpn connection to an interface.  Set this up as gateway, then create a rule in your lan that says hey if this IP or IPs going anywhere go out the vpn connection.

                          I am about ready to leave work, and much easier to setup and show screen shots when home vs remote..  Will post some screen shots how to do when I get home.

                          • D
                            damir
                            last edited by Nov 9, 2015, 10:58 PM

                            Big thanks! man, big big thanks!

                            sorry for bothering you so much, and thank you a lot!

                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Nov 10, 2015, 1:54 PM

                              Ok here you go..  So make sure you assign your vpnclient to an interface - don't give it an IP, then create a gateway using that interface (do not set it default).  You can disable the _v6 interface it creates.

                              Make sure you have a nat to this interface in your outbound nats to your network range.

                              Then create a rule that says hey your source IP or IPs when NOT going to your local networks.. That is what the ! is in the rule and I use an alias that has my local networks in it and tell it to use the gateway.. Now when that source IP or IPs is going to anything other than your local networks that rule will trigger and send that traffic down your vpn client tunnel.  See attached images - so my normal workstation has my normal 24. IP on public - but when I use a vm that is 192.168.9.230 it goes down the tunnel.

                              Make sure your devices you want to go down the tunnel use the dns you want to use and you should be set.  Also you might want to make sure you don't get any routes from the vpn client connection, see my above post showing my client config - see how I have block routes checked..  You don't want pfsense getting routes you may not want.. you just want to send the traffic down the tunnel based on your policy.  Quite often openvpnas is set to default route.. So pfsense could get a default route pointing down the tunnel, etc..

                              interface.png
                              gatewayvpn.png
                              vpnnat.png
                              routingrule.png
                              differentpublics.png

                              • D
                                damir
                                last edited by Nov 10, 2015, 2:50 PM

                                Big thanks!

                                I am having issues figuring out how to set gateway for firewall rule on specific IP.

                                I go to:
                                https://192.168.1.1/firewall_rules.php?if=lan

                                It looks like:

                                When I go to edit it, it looks like:

                                I think I am on correct page?

                                sorry for bothering you so much with this.

                                thanks

                                • J
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Nov 10, 2015, 3:00 PM

                                  Yeah that looks like firewall rule page.. And you need to move this rule above the default rules..  Where are all your advanced settings??  You set the gateway in the advanced section

                                  advsect.png

                                  • D
                                    damir
                                    last edited by Nov 10, 2015, 3:19 PM

                                    I am completely dumb.  :o

                                    I "think" I did everything as you said, and I rebooted pfSense right now.

                                    The output was, every single device was receiving OpenVPN's IP  :-\

                                    Here is the full setup:

                                    Interface setup:

                                    Firewall Outbound:

                                    Firewall Rules:

                                    What am I missing?

                                    Thanks

                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by Nov 10, 2015, 3:27 PM Nov 10, 2015, 3:23 PM

                                      No idea what you expect to happen with ! any as a destination.

                                      Some VPN providers push a default gateway. You have to check don't pull routes in the client config to have policy routing control on the client side.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
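
Added example, not part of the original posts: a Python model of first-match rule evaluation showing why a policy-routing rule with `! any` as destination never matches, and how a negated local-networks alias sends only the chosen hosts' off-LAN traffic to the VPN gateway. The addresses, alias contents and gateway names are constructed, and the model covers rule matching only, not routes pushed by the VPN server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    src: tuple      # source networks (alias contents)
    dst: tuple      # destination networks
    dst_not: bool   # True = "!" set: match when the destination is NOT in dst
    proto: str      # "tcp", "udp" or "any"
    gateway: str    # where matching traffic is sent

def in_any(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

def route(rules, src, dst, proto):
    """First matching rule wins; return the gateway it selects."""
    for r in rules:
        dst_hit = in_any(dst, r.dst) != r.dst_not   # "!" inverts the destination test
        if in_any(src, r.src) and dst_hit and r.proto in ("any", proto):
            return r.gateway
    return "blocked"

# Constructed values: alias contents, static IPs of the two TVs, gateway names.
ANY = ("0.0.0.0/0",)
LOCAL_NETS = ("192.168.1.0/24", "192.168.9.0/24")
TVS = ("192.168.1.50/32", "192.168.1.51/32")
DEFAULT = Rule(ANY, ANY, False, "any", "default")   # normal LAN allow rule

# "! any" can never be true, so the rule is dead and traffic falls through.
broken = [Rule(TVS, ANY, True, "tcp", "VPN"), DEFAULT]
# Negated local-networks alias, but TCP only: UDP (e.g. DNS) bypasses the tunnel.
tcp_only = [Rule(TVS, LOCAL_NETS, True, "tcp", "VPN"), DEFAULT]
# Negated local-networks alias, any protocol, placed above the default rule.
fixed = [Rule(TVS, LOCAL_NETS, True, "any", "VPN"), DEFAULT]

if __name__ == "__main__":
    remote = "203.0.113.10"                          # documentation address
    for name, rules in (("broken", broken), ("tcp_only", tcp_only), ("fixed", fixed)):
        print(name,
              route(rules, "192.168.1.50", remote, "tcp"),
              route(rules, "192.168.1.50", remote, "udp"),
              route(rules, "192.168.1.50", "192.168.1.10", "tcp"),
              route(rules, "192.168.1.20", remote, "tcp"))
```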

                                      • J
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Nov 10, 2015, 3:25 PM

                                        Well, !* is not valid.. You need to create an alias for your local networks, or at min use ! lan net..  So where were your advanced settings in the previous post.. Seems you have gateway set now.  And you prob don't want that rule only tcp… How are you going to do dns for example which is udp through that link?

                                        Did you block getting routes from the vpn client.. It can overwrite your default route and send everything through that tunnel..

                                        vpnclientnopull.png

                                        • D
                                          damir
                                          last edited by Nov 10, 2015, 3:40 PM

                                          Yes, I did set that option.

                                          Alias:

                                          Firewall now:

                                          Advanced:
