OpenVPN in PFSense on Amazon EC2
-
Anyone have any luck using OpenVPN with pfSense installed in Amazon EC2? My server is the Netgate certified pfSense appliance in Amazon EC2 and the client is a Linux-based cellular modem. I am trying to connect equipment behind the client device to servers behind the pfSense virtual appliance in Amazon, but I am not having any luck establishing a connection. I have a similar configuration working with the same client but using a physical pfSense server on a Time Warner Cable connection with DynDNS, so I do not believe the client device is the problem. The only differences in the Amazon cloud that I can see are the CA, certs, and the local IP. Both server and client configs were generated using the wizard and client export features in pfSense. The server status does not show any clients connected. Thanks in advance for any advice!
Here is the current server config (generated with the pfSense web GUI; I just copied and pasted from /var/etc/openvpn/server1.conf):
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 172.31.1.6
tls-server
server 192.168.13.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1196
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 172.31.2.0 255.255.255.0"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
Here is the client config (generated with the client export utility):
#note: I changed local from the pfSense WAN IP of 172.31.1.6 (which the export utility assigned) to the public Elastic IP assigned to the pfSense WAN interface
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1196 udp
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
I am using inline certs and keys
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
Here is the client log file:
Sep 24 22:01:37 openvpn[4490]: OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Jul 1 2013
Sep 24 22:01:37 openvpn[4490]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sep 24 22:01:37 openvpn[4490]: Control Channel Authentication: tls-auth using INLINE static key file
Sep 24 22:01:37 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
Sep 24 22:01:37 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
Sep 24 22:01:37 openvpn: succeeded
Sep 24 22:01:38 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS handshake failed
Sep 24 22:02:37 openvpn[4491]: SIGUSR1[soft,tls-error] received, process restarting
Sep 24 22:02:39 openvpn[4491]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sep 24 22:02:39 openvpn[4491]: Re-using SSL/TLS context
Sep 24 22:02:39 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
Sep 24 22:02:39 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
Sep 24 22:02:40 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
-
Maybe you only have to allow traffic on the right ports on the EC2 instance… :P
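As an added example, not code from the thread or from pfSense: a Python checker that compares the posted server and client configs on the settings that must match (port, protocol, cipher, tls-auth key direction) and classifies the point at which the client log shows the handshake dying. The embedded configs and log are constructed excerpts of the ones above, with a documentation IP standing in for the Elastic IP.

```python
# Constructed samples modelled on the server config, client config and client log
# in the thread; the public IP is a documentation address and key material is omitted.
SERVER_CONF = ("proto udp\ncipher AES-256-CBC\nlocal 172.31.1.6\nlport 1196\n"
               "tls-auth /var/etc/openvpn/server1.tls-auth 0\n")
CLIENT_CONF = ("cipher AES-256-CBC\nauth SHA1\nclient\n"
               "remote 203.0.113.10 1196 udp\nkey-direction 1\n")
CLIENT_LOG = ("openvpn[4491]: UDPv4 link remote: 203.0.113.10:1196\n"
              "openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)\n"
              "openvpn[4491]: TLS Error: TLS key negotiation failed to occur within 60 seconds\n")

def parse_conf(text):
    """Map each directive to its argument list (last occurrence wins); comments and <blocks> skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            key, *args = line.split()
            conf[key] = args
    return conf

def key_direction(conf):
    """tls-auth direction, given either as 'tls-auth <file> <dir>' or as a key-direction line."""
    ta = conf.get("tls-auth", [])
    return ta[1] if len(ta) > 1 else conf.get("key-direction", [None])[0]

def check_pair(server_text, client_text):
    """Return the names of the settings that must agree between server and client but do not."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    remote = c.get("remote", [])                       # remote <host> [port] [proto]
    if (remote[1:2] or ["1194"]) != (s.get("lport") or s.get("port") or ["1194"]):
        problems.append("port")
    client_proto = (remote[2:3] or c.get("proto") or ["udp"])[0]
    if s.get("proto", ["udp"])[0].rstrip("46") != client_proto.rstrip("46"):
        problems.append("proto")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher")
    # The tls-auth key is directional: server 0 must pair with client 1, or neither side uses it.
    if {key_direction(s), key_direction(c)} not in ({"0", "1"}, {None}):
        problems.append("tls-auth direction")
    return problems

def failure_stage(log_text):
    """Classify how far the client got, using only its own log."""
    if "EHOSTUNREACH" in log_text or "No route to host" in log_text:
        return "no-route"    # client-side routing or an ICMP unreachable, before any TLS exchange
    if "TLS key negotiation failed" in log_text:
        return "no-reply"    # packets left, nothing came back: silent drop (EC2 security groups drop, not reject)
    return "ok" if "Initialization Sequence Completed" in log_text else "unknown"
```

A "no-reply" result with an empty check_pair list points at the path between client and server rather than at the configs, which is where the reply above is looking.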