    OpenVPN in PFSense on Amazon EC2

    jason5:

      Anyone have any luck using OpenVPN with pfSense installed in Amazon EC2? My server is the Netgate certified pfSense appliance in Amazon EC2 and the client is a Linux-based cellular modem. I am trying to connect equipment behind the client device to servers behind the pfSense virtual appliance in Amazon but am not having any luck establishing a connection. I have a similar configuration working with the same client but using a physical pfSense server on a Time Warner Cable connection with DynDNS, so I do not believe the client device is the problem. The only differences in the Amazon cloud that I can see are the CA, certs, and the local IP. Both server and client configs were generated using the wizard and client export features in pfSense. The server status does not show any clients connected. Thanks in advance for any advice!

      Here is the current server config (generated with the pfSense web GUI; I just copied and pasted from /var/etc/openvpn/server1.conf):

      dev ovpns1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 172.31.1.6
      tls-server
      server 192.168.13.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1196
      management /var/etc/openvpn/server1.sock unix
      max-clients 10
      push "route 172.31.2.0 255.255.255.0"
      push "redirect-gateway def1"
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      persist-remote-ip
      float
      push "route 192.168.0.0 255.255.255.0"
      route 192.168.0.0 255.255.255.0

      Here is the client config (generated with the client export utility).
      #note: I changed local from the pfSense WAN IP of 172.31.1.6 (which the export utility assigned) to the public Elastic IP assigned to the pfSense WAN interface

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote xxx.xxx.xxx.xxx 1196 udp
      ns-cert-type server

      <ca>-----BEGIN CERTIFICATE-----

      I am using inline certs and keys

      -----END CERTIFICATE-----</ca>
      <cert>-----BEGIN CERTIFICATE-----

      -----END CERTIFICATE-----</cert>
      <key>-----BEGIN PRIVATE KEY-----

      -----END PRIVATE KEY-----</key>
      <tls-auth>#

      2048 bit OpenVPN static key

      -----BEGIN OpenVPN Static key V1-----

      -----END OpenVPN Static key V1-----</tls-auth>
      key-direction 1

      Here is the client log file:

      Sep 24 22:01:37 openvpn[4490]: OpenVPN 2.1.4 arm-linux [SSL] [LZO2] [EPOLL] built on Jul  1 2013
      Sep 24 22:01:37 openvpn[4490]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Sep 24 22:01:37 openvpn[4490]: Control Channel Authentication: tls-auth using INLINE static key file
      Sep 24 22:01:37 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
      Sep 24 22:01:37 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
      Sep 24 22:01:37 openvpn:  succeeded
      Sep 24 22:01:38 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
      Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sep 24 22:02:37 openvpn[4491]: TLS Error: TLS handshake failed
      Sep 24 22:02:37 openvpn[4491]: SIGUSR1[soft,tls-error] received, process restarting
      Sep 24 22:02:39 openvpn[4491]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Sep 24 22:02:39 openvpn[4491]: Re-using SSL/TLS context
      Sep 24 22:02:39 openvpn[4491]: UDPv4 link local (bound): [undef]:1194
      Sep 24 22:02:39 openvpn[4491]: UDPv4 link remote: 154.68.112.209:1196
      Sep 24 22:02:40 openvpn[4491]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)

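Reading the posted material as an added example (illustrative code, not part of the original post and not from pfSense): the client log shows the TLS handshake never starting, the only traffic event being an EHOSTUNREACH reported on the UDP socket followed by the 60-second negotiation timeout, so the cheapest thing to rule out first is a server/client directive mismatch. The script below parses trimmed copies of both posted configs (embedded as constructed input, with the placeholder 203.0.113.10 standing in for the redacted Elastic IP) and cross-checks listening port, protocol, cipher and tls-auth key direction. It also flags the private `local` address, which is expected on EC2 (the Elastic IP is NATed onto it) but means the instance security group and the pfSense WAN rule both have to admit udp/1196.

```python
"""Cross-check an OpenVPN server config against a client config.

Added example for this thread; not code from the post or from pfSense.
The config texts are trimmed copies of the ones posted above, with the
placeholder 203.0.113.10 standing in for the redacted Elastic IP.
"""
import ipaddress
import re
import shlex

SERVER_CONF = """\
dev ovpns1
proto udp
cipher AES-256-CBC
local 172.31.1.6
server 192.168.13.0 255.255.255.0
lport 1196
push "route 172.31.2.0 255.255.255.0"
push "redirect-gateway def1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

CLIENT_CONF = """\
dev tun
cipher AES-256-CBC
auth SHA1
client
remote 203.0.113.10 1196 udp
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Inline key material is dropped before parsing; only directives are needed.
INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt|dh)>.*?</\1>", re.S)


def parse(conf):
    """Return {directive: [[args, ...], ...]}; push/remote may repeat."""
    directives = {}
    for line in INLINE_BLOCK.sub("", conf).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def first(d, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return d[name][0] if name in d else default


def check(server_conf, client_conf):
    """Return [(level, message)]: 'MISMATCH' blocks the connection, 'NOTE' is advisory."""
    s, c = parse(server_conf), parse(client_conf)
    out = []
    sport = first(s, "lport", first(s, "port", ["1194"]))[0]
    sproto = first(s, "proto", ["udp"])[0]
    scipher, ccipher = first(s, "cipher", ["BF-CBC"])[0], first(c, "cipher", ["BF-CBC"])[0]
    if scipher != ccipher:
        out.append(("MISMATCH", f"cipher: server {scipher}, client {ccipher}"))
    for remote in c.get("remote", []):
        host = remote[0]
        rport = remote[1] if len(remote) > 1 else first(c, "port", ["1194"])[0]
        rproto = remote[2] if len(remote) > 2 else first(c, "proto", ["udp"])[0]
        if rport != sport:
            out.append(("MISMATCH", f"port: server listens on {sport}, client {host} uses {rport}"))
        if rproto[:3] != sproto[:3]:  # udp4/udp6 count as udp
            out.append(("MISMATCH", f"proto: server {sproto}, client {rproto}"))
        local = first(s, "local")
        try:
            natted = bool(local) and local[0] != host and ipaddress.ip_address(local[0]).is_private
        except ValueError:  # 'local' given as a hostname
            natted = False
        if natted:
            out.append(("NOTE", f"server binds private {local[0]} but client targets {host}: "
                                "EC2 NATs the Elastic IP, so the security group and the pfSense "
                                f"WAN rule must both admit {sproto}/{sport}"))
    # Server direction 0 needs client direction 1 (and vice versa); no direction on
    # the server means a bidirectional key, which the client must also use without one.
    sta = first(s, "tls-auth")
    if sta:
        sdir = sta[1] if len(sta) > 1 else None
        kd, cta = first(c, "key-direction"), first(c, "tls-auth")
        cdir = kd[0] if kd else (cta[1] if cta and len(cta) > 1 else None)
        expected = {"0": "1", "1": "0", None: None}[sdir]
        if cdir != expected:
            out.append(("MISMATCH", f"tls-auth direction: server {sdir}, client {cdir}, expected {expected}"))
    elif "key-direction" in c or "tls-auth" in c:
        out.append(("MISMATCH", "client uses tls-auth but the server does not"))
    return out


def mismatches(server_conf, client_conf):
    """Only the findings that by themselves prevent a connection."""
    return [msg for level, msg in check(server_conf, client_conf) if level == "MISMATCH"]


if __name__ == "__main__":
    for level, msg in check(SERVER_CONF, CLIENT_CONF):
        print(f"{level}: {msg}")
```

For the posted configs the checker reports no mismatch, only the NAT note, which points the fault at the path rather than at the OpenVPN settings. On the pfSense box itself, `sockstat -l | grep 1196` confirms the listener is bound and `pfctl -sr | grep 1196` confirms a WAN pass rule for the port is actually loaded.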
      PierMSS:

        Maybe you only have to allow traffic on the right ports on the EC2 instance… :P

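The reply's suggestion, worked through as an added example (not from the thread, Netgate or AWS): the server listens on udp/1196 rather than the OpenVPN default of 1194, and EC2 security groups admit only what a rule explicitly lists, so a group opened "for OpenVPN" on the default port still blocks this listener. The script evaluates the JSON that `aws ec2 describe-security-groups --group-ids <id>` returns (the same shape boto3's `describe_security_groups` gives) against the listener's protocol, port and the client's source address. The group, its id and the CIDRs below are constructed for illustration.

```python
"""Does an EC2 security group admit the OpenVPN listener?

Added example for the reply above; not from the thread or from Netgate/AWS.
Works on the JSON shape of `aws ec2 describe-security-groups`, so the
command's output for the pfSense instance's group can be fed straight in.
The group below is constructed: its id and CIDRs are made up.
"""
import ipaddress

# Constructed sample: opens TCP 1194 (the OpenVPN default) and HTTPS from one
# office range, but nothing on UDP 1196, the port the server in the thread uses.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def rule_admits(rule, proto, port, src):
    """True if one IpPermissions entry admits proto/port from source address src.

    Rules whose source is another security group (UserIdGroupPairs) are not
    evaluated: a client on the public Internet can never match one.
    """
    if rule["IpProtocol"] not in ("-1", proto):  # "-1" means all protocols
        return False
    if rule["IpProtocol"] != "-1" and not (
        rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    ):
        return False
    ip = ipaddress.ip_address(src)
    ranges, key = (
        (rule.get("IpRanges", []), "CidrIp") if ip.version == 4
        else (rule.get("Ipv6Ranges", []), "CidrIpv6")
    )
    return any(ip in ipaddress.ip_network(r[key], strict=False) for r in ranges)


def admits(sg, proto, port, src):
    """True if any ingress rule of the group admits proto/port from src."""
    return any(rule_admits(r, proto, port, src) for r in sg.get("IpPermissions", []))


def with_ingress(sg, proto, port, cidr):
    """Copy of sg plus the rule that authorize-security-group-ingress would add."""
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
    return {**sg, "IpPermissions": sg.get("IpPermissions", []) + [rule]}


def fix_command(sg, proto, port, cidr="0.0.0.0/0"):
    """The aws-cli command that adds the missing ingress rule."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {sg['GroupId']} "
            f"--protocol {proto} --port {port} --cidr {cidr}")


if __name__ == "__main__":
    client_src = "198.51.100.7"  # constructed: the modem's carrier-side address
    if admits(SAMPLE_SG, "udp", 1196, client_src):
        print("udp/1196 is open")
    else:
        print("udp/1196 is NOT open; run:\n  " + fix_command(SAMPLE_SG, "udp", 1196))
```

A cellular client's carrier-side address changes, so in practice the rule ends up as udp/1196 from 0.0.0.0/0; the tls-auth HMAC already in the posted server config is what keeps that listener from answering unauthenticated packets. Two caveats: the pfSense WAN firewall rule has to pass the same port, since the security group is only the first filter in front of the instance; and security groups drop silently rather than sending ICMP, so a missing rule shows up purely as the 60-second handshake timeout. The EHOSTUNREACH in the posted log is the client's own kernel surfacing an ICMP unreachable or a local routing failure on the socket, which is worth checking on the modem side as well.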
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.