OpenVPN in PFSense on Amazon EC2



  • Anyone have any luck using OpenVPN with pfSense installed in Amazon EC2?  My server is the Netgate certified pfSense appliance in Amazon EC2 and the client is a Linux-based cellular modem. I am trying to connect equipment behind the client device to servers behind the pfSense virtual appliance in Amazon but not having any luck establishing a connection.  I have a similar configuration working with the same client but using a physical pfSense server on a Time Warner Cable connection with DynDNS, so I do not believe the client device is the problem.  The only differences in the Amazon cloud that I can see are the CA, certs, and the local IP.  Both server and client configs were generated using the wizard and client export features in pfSense.  The server status does not show any clients connected.  Thanks in advance for any advice!

    Here is the current server config (generated with the pfSense web GUI; I just copied and pasted from /var/etc/openvpn/server1.conf):

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 172.31.1.6
    tls-server
    server 192.168.13.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1196
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 172.31.2.0 255.255.255.0"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    push "route 192.168.0.0 255.255.255.0"
    route 192.168.0.0 255.255.255.0

    Here is the client config (generated with the client export utility).
    #note: I changed local from the pfSense WAN IP of 172.31.1.6 (which the export utility assigned) to the public elastic IP assigned to the pfSense WAN interface

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1196 udp
    ns-cert-type server

    <ca>-----BEGIN CERTIFICATE-----

    I am using inline certs and keys

    -----END CERTIFICATE-----</ca>
    <cert>-----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----</cert>
    <key>-----BEGIN PRIVATE KEY-----

    -----END PRIVATE KEY-----</key>
    <tls-auth>#
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----

    -----END OpenVPN Static key V1-----</tls-auth>
    key-direction 1

    Here is the client log file:

    Sep 24 22:01:37 openvpn[4490]: OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Jul  1 2013
    Sep 24 22:01:37 openvpn[4490]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 24 22:01:37 openvpn[4490]: Control Channel Authentication: tls-auth using INLINE static key file
    Sep 24 22:01:37 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
    Sep 24 22:01:37 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
    Sep 24 22:01:37 openvpn:  succeeded
    Sep 24 22:01:38 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
    Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS handshake failed
    Sep 24 22:02:37 openvpn[4491]: SIGUSR1[soft,tls-error] received, process restarting
    Sep 24 22:02:39 openvpn[4491]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 24 22:02:39 openvpn[4491]: Re-using SSL/TLS context
    Sep 24 22:02:39 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
    Sep 24 22:02:39 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
    Sep 24 22:02:40 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
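
The post above pairs a pfSense-generated server config, an exported client config and a client log, which is exactly the material a reviewer cross-checks first. The script below is an added example, not code from the thread, from pfSense or from OpenVPN: it parses both configs (including inline `<ca>`/`<cert>`/`<key>`/`<tls-auth>` blocks, whose bodies it never interprets), reports mismatches that would stop a handshake (port, proto, cipher, tls-auth key direction), notes when the server binds a private address while the client targets a public one (normal behind an EC2 elastic IP, but only if the instance's security group admits the UDP port), and classifies how far a client log got before failing. The checks are general to any server/client pair, not only the one quoted. The embedded configs are trimmed to the options the checks read, and the log lines are constructed from the ones quoted above; `203.0.113.10` is a placeholder for the elastic IP and no real key material is included.

```python
# Added example, not code from the thread or from pfSense: cross-check an OpenVPN server config
# against its exported client config, then classify how far a client log got. Inputs are
# constructed from the thread; 203.0.113.10 stands in for the elastic IP.
import ipaddress
import re

SERVER_CONF = """\
proto udp
cipher AES-256-CBC
local 172.31.1.6
lport 1196
push "redirect-gateway def1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
#user nobody
"""
CLIENT_CONF = """\
client
cipher AES-256-CBC
remote 203.0.113.10 1196 udp
<tls-auth>
(constructed placeholder, not a real key)
</tls-auth>
key-direction 1
"""
CLIENT_LOG = """\
Sep 24 22:01:37 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
Sep 24 22:01:37 openvpn[4491]: UDPv4 link remote: 203.0.113.10:1196
Sep 24 22:01:38 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conf(text):
    """Option name -> list of argument lists; inline <tag> blocks become ['<inline>'], body skipped."""
    opts, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                                   # inside <ca>/<cert>/<key>/<tls-auth>
            inline = None if line == f"</{inline}>" else inline
        elif line and not line.startswith("#"):      # skip blanks and commented-out options
            if re.fullmatch(r"<[\w-]+>", line):
                inline = line[1:-1]
                opts.setdefault(inline, []).append(["<inline>"])
            else:
                name, *args = line.split()
                opts.setdefault(name, []).append([a.strip('"') for a in args])
    return opts

def arg(opts, name, i=0, default=None):
    """Argument i of the first occurrence of option `name`, or default."""
    try:
        return opts[name][0][i]
    except (KeyError, IndexError):
        return default

def is_rfc1918(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:                               # hostname rather than an IP literal
        return False

def check_pair(server, client):
    """(severity, message) findings; 'error' means the handshake cannot succeed as configured."""
    found = []
    s_port = arg(server, "lport") or arg(server, "port", default="1194")
    s_proto = arg(server, "proto", default="udp").rstrip("46")
    c_port = arg(client, "remote", 1) or arg(client, "port", default="1194")
    c_proto = (arg(client, "remote", 2) or arg(client, "proto", default="udp")).rstrip("46")
    if s_port != c_port:
        found.append(("error", f"port mismatch: server {s_port}, client {c_port}"))
    if s_proto != c_proto:
        found.append(("error", f"proto mismatch: server {s_proto}, client {c_proto}"))
    if arg(server, "cipher") != arg(client, "cipher"):
        found.append(("error", "cipher mismatch"))
    # tls-auth: a server key direction of 0 pairs only with a client direction of 1.
    s_dir, c_dir = arg(server, "tls-auth", 1), arg(client, "key-direction")
    if bool(s_dir) != bool(c_dir) or (s_dir and {s_dir, c_dir} != {"0", "1"}):
        found.append(("error", f"tls-auth direction mismatch: server {s_dir}, client {c_dir}"))
    s_local, c_remote = arg(server, "local", default=""), arg(client, "remote", default="")
    if is_rfc1918(s_local) and not is_rfc1918(c_remote):
        found.append(("info", f"server binds private {s_local}, client targets {c_remote}: normal behind "
                      f"EC2 elastic-IP NAT, but the security group must admit inbound {c_proto}/{c_port}"))
    return found

STAGES = [("link local", "socket_bound"), ("link remote:", "packets_sent"),
          ("TLS: Initial packet from", "server_replied"), ("Initialization Sequence Completed", "tunnel_up")]

def classify_log(text):
    """Furthest stage the client reached, the error messages seen, and a reading of them."""
    reached, errors = -1, []
    for line in text.splitlines():
        reached = max([reached] + [i for i, (pat, _) in enumerate(STAGES) if pat in line])
        if re.search(r"\[E[A-Z]+\]|TLS Error|AUTH_FAILED|VERIFY ERROR", line):
            errors.append(line.split("]: ", 1)[-1])
    stage = STAGES[reached][1] if reached >= 0 else "not_started"
    if stage == "packets_sent" and any("EHOSTUNREACH" in e for e in errors):
        why = ("host unreachable with no server reply: the path to the remote address/port is "
               "blocked or unrouted (client routing, carrier filtering, EC2 security group or NACL)")
    elif stage == "packets_sent":
        why = "no server reply: traffic dropped in transit or nothing listening on that port/proto"
    else:
        why = "tunnel established" if stage == "tunnel_up" else f"stopped at {stage}"
    return {"stage": stage, "errors": errors, "diagnosis": why}
```

Run `check_pair(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF))` and `classify_log(CLIENT_LOG)` on the embedded samples: the configs agree on port, proto, cipher and key direction, so the only finding is the private-bind/public-remote note, and the log classifies as "packets_sent" with a host-unreachable reading, i.e. the client transmitted but nothing came back from the server side. Substitute your own `/var/etc/openvpn/server1.conf`, the exported `.ovpn` and the client's log to reproduce the same triage.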



  • Maybe you only have to allow traffic on the right ports on the EC2 instance… :P