Netgate Discussion Forum

    OpenVPN Desktop Client with pfsense

    • A
      atlmcw

      None of the default Client Export config files will work with the OpenVPN Desktop client for Windows. With a couple of modifications the OpenVPN Connect (iOS/Android) files can be used.

      • Add "dev tun" & "dev-type tun" to the file

      • Remove "lport 0" from file

      Sample:

      dev tun
      dev-type tun

      persist-tun
      persist-key
      cipher BF-CBC
      auth SHA1
      tls-client
      client
      remote 1.1.1.1 1194 udp
      lport 0
      verify-x509-name "pfVPN Server Cert" name
      auth-user-pass
      ns-cert-type server
      comp-lzo

      <ca>-----BEGIN CERTIFICATE-----</ca>

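The two edits described in the post above, applied programmatically. This is an added example, not part of the original post or of the pfSense export package; the function name `adapt_for_desktop` and the sample export are constructed for illustration. Inline blocks such as `<ca>` are copied verbatim so certificate material is never altered.

```python
import re

# Constructed sample of an OpenVPN Connect export (certificate is a placeholder).
SAMPLE_CONNECT_EXPORT = """\
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
remote 1.1.1.1 1194 udp
lport 0
verify-x509-name "pfVPN Server Cert" name
auth-user-pass
ns-cert-type server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")  # e.g. <ca>, <cert>, <tls-auth>


def adapt_for_desktop(config_text):
    """Hypothetical helper: add dev/dev-type tun and drop 'lport 0'."""
    body, seen, inline_tag = [], set(), None
    for line in config_text.splitlines():
        stripped = line.strip()
        if inline_tag:  # inside an inline block: copy verbatim
            if stripped == f"</{inline_tag}>":
                inline_tag = None
            body.append(line)
            continue
        match = INLINE_OPEN.match(stripped)
        if match:
            inline_tag = match.group(1)
            body.append(line)
            continue
        words = stripped.split()
        if words[:2] == ["lport", "0"]:
            continue  # the directive the post says to remove
        if words and not stripped.startswith(("#", ";")):
            seen.add(words[0])
        body.append(line)
    # Prepend only the directives that are missing, so a second run is a no-op.
    header = [f"{name} tun" for name in ("dev", "dev-type") if name not in seen]
    return "\n".join(header + body) + "\n"
```
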
      • jimpJ
        jimp Rebel Alliance Developer Netgate

        Which exact version of the Windows client?

        They all work with the normal ones (-I003) but the new tap driver packages (-I603) do need other changes that aren't accounted for yet.

        I had another report that for those all that was needed was to remove persist-tun

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • johnpozJ
          johnpoz LAYER 8 Global Moderator

          so new version out

          https://openvpn.net/index.php/open-source/downloads.html
          This release fixes a serious interoperability issue with OpenVPN and the tap-windows6 driver. In addition a fair number of other bug fixes and small enhancements are included.

          Maybe this fixes the problem and can use the i686 versions?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • jimpJ
            jimp Rebel Alliance Developer Netgate

            Perhaps. It's on my todo list to test the new ones (spotted them last week) and get them into the export package.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator

              I will test it on my work box on Monday - pretty much vpn into pfsense every day all day, so should know fairly quickly if any issues with it.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator

                So updated my install, and updated the tap.. And not seeing any issues with quick testing. I can ping into my networks on the other side of the connection, and RDP'd to a box and looks like all is working. Will try UDP when I get a chance, this is via a tcp connection off a proxy - bouncing off a proxy with udp has issues. Have to change my connection to get a direct out where I can use udp.

                Mon Nov 03 09:21:42 2014 OpenVPN 2.3.5 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
                Mon Nov 03 09:21:42 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05

                Mon Nov 03 09:21:55 2014 TAP-WIN32 device [vpn] opened: \\.\Global\{5A2F7EEA-6ED4-4F64-84E8-6A9A17179285}.tap
                Mon Nov 03 09:21:55 2014 TAP-Windows Driver Version 9.21

                using my config from before.. And it has

                persist-tun

                in it.

                • P
                  phil.davis

                  @jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate

                    @phil.davis:

                    @jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)

                    I've looked and unless they fixed it up since I looked last, it was a mess. The executables changed, documentation was completely incorrect for how the new install switches worked, files were missing from the .zip, among other issues. I never was able to get it to work. I didn't do the original integration of that Manager program and I'm not likely to update it unless it's a "drop-in" replacement which it clearly isn't, unfortunately. Search around a bit and you'll find the previous thread I talked about that in. IIRC the maintainer of the program mentioned working on a fix but I'm not sure if it ever materialized.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator

                      I just use the gui that comes with the setup from openvpn, don't have any problems with it. You're talking about this manager?

                      https://github.com/jochenwierum/openvpn-manager

                      • jimpJ
                        jimp Rebel Alliance Developer Netgate

                        Yes, that one. It's an optional checkbox choice in the export package.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator

                          Easy solution - remove the checkbox ;) hehehe

                          It has not been updated in what 1.5 years? New in 0.0.3.8 (28.04.2013)

                          • jimpJ
                            jimp Rebel Alliance Developer Netgate

                            OpenVPN Manager appears to work for those who use it now, so we can leave well enough alone, but it is worrying that it hasn't been updated in quite some time.

                            It's more of a service manager though so as long as OpenVPN's API or commands don't change (much) it probably won't have issues even if it's a bit old.

                            I'm mostly worried about the new OpenVPN exe installers (both the normal and -I6xx varieties). I have some VMs to test with but little time.

                            • P
                              phil.davis

                              No worries - leave OpenVPN Manager alone. 0.0.3.6 works well for me on Windows 7 and 8. It helps unpriv users start their OpenVPN road warrior connections/s.
                              If needed, I can test all that easily with any new version of OpenVPN itself and verify that it still works.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator

                                There are many ways to skin that cat, I would think using what clearly is an outdated 3rd party manager would be on the bottom of the list ;)

                                So 3.6 came out what 2.5 years ago when openvpn was what alpha1 of 2.3 line?

                                The gui that comes with openvpn can control the service as well, and you can just give the service the right to be started from non admin user with SubInAcl.exe /service - think by default the gui logs to restricted folder, you can move the log file, etc.

                                You can do a /savecred for the shortcut, there are ways to have a scheduled task run.. Like 4 different ways off the top of my head to get around user not having admin rights, so easier than others for sure.

                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate

                                  The newest -I6xx installer worked fine for me without having to adjust the config. The previous behavior must have been due to the bugs they fixed.

                                  Expect a new rev of the export package soon with both sets of clients.

                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate

                                    Update is pending now, it'll sync in the next 15 mins or so, give or take. I added the new installers as an additional choice and shuffled a few things around name-wise. Let me know if anything weird happens.

                                    • K
                                      kejianshi

                                      Is there a reason why someone should immediately replace a currently installed older client? Anything very important in the new client?

                                      • jimpJ
                                        jimp Rebel Alliance Developer Netgate

                                        Well, you should move to OpenVPN 2.3.5 since it's got a more recent OpenSSL, but as for the -I0xx vs -I6xx, that's less clear.

                                        • K
                                          kejianshi

                                          Cool - I will do that now.

                                          • K
                                            kejianshi

                                            Works...
