OpenVPN Desktop Client with pfsense



  • None of the default Client Export config files will work with the OpenVPN Desktop client for Windows. With a couple of modifications the OpenVPN Connect (iOS/Android) files can be used.

    • Add "dev tun" &  "dev-type tun" to the file

    • Remove "lport 0" from file

    Sample:

    dev tun
    dev-type tun

    persist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client
    remote 1.1.1.1 1194 udp
    lport 0
    verify-x509-name "pfVPN Server Cert" name
    auth-user-pass
    ns-cert-type server
    comp-lzo

    <ca>–---BEGIN CERTIFICATE-----</ca>


  • Rebel Alliance Developer Netgate

    Which exact version of the Windows client?

    They all work with the normal ones (-I003) but the new tap driver packages (-I603) do need other changes that aren't accounted for yet.

    I had another report that for those all that was needed was to remove persist-tun


  • LAYER 8 Global Moderator

    so new version out

    https://openvpn.net/index.php/open-source/downloads.html
    This release fixes a serious interoperability issue with OpenVPN and the tap-windows6 driver. In addition a fair number of other bug fixes and small enhancements are included.

    Maybe this fixes the problem and can use the i686 versions?


  • Rebel Alliance Developer Netgate

    Perhaps. It's on my todo list to test the new ones (spotted them last week) and get them into the export package.


  • LAYER 8 Global Moderator

    I will test it on my work box on Monday - pretty much vpn into pfsense every day all day, so should know fairly quickly if any issues with it.


  • LAYER 8 Global Moderator

    So updated my install, and updated the tap.. And not seeing any issues with quick testing.  I can ping into my networks on the other side of the connection, and RDP'd to a box and looks like all is working.  Will try UDP when I get a chance, this is via a tcp connection off a proxy - bouncing off a proxy with udp has issues.  Have to change my connection to get a direct out where I can use udp.

    Mon Nov 03 09:21:42 2014 OpenVPN 2.3.5 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
    Mon Nov 03 09:21:42 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05

    Mon Nov 03 09:21:55 2014 TAP-WIN32 device [vpn] opened: \.\Global{5A2F7EEA-6ED4-4F64-84E8-6A9A17179285}.tap
    Mon Nov 03 09:21:55 2014 TAP-Windows Driver Version 9.21

    using my config from before.. And it has

    persist-tun

    in it.



  • @jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)


  • Rebel Alliance Developer Netgate

    @phil.davis:

    @jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)

    I've looked and unless they fixed it up since I looked last, it was a mess. The executables changed, documentation was completely incorrect for how the new install switches worked, files were missing from the .zip, among other issues. I never was able to get it to work. I didn't do the original integration of that Manager program and I'm not likely to update it unless it's a "drop-in" replacement which it clearly isn't, unfortunately. Search around a bit and you'll find the previous thread I talked about that in. IIRC the maintainer of the program mentioned working on a fix but I'm not sure if it ever materialized.


  • LAYER 8 Global Moderator

    I just use the gui that comes with the setup from openvpn, don't have any problems with it. Your talking about this manager?

    https://github.com/jochenwierum/openvpn-manager


  • Rebel Alliance Developer Netgate

    Yes, that one. It's an optional checkbox choice in the export package.


  • LAYER 8 Global Moderator

    Easy solution - remove the checkbox ;) hehehe

    It has not been updated in what 1.5 years?  New in 0.0.3.8 (28.04.2013)


  • Rebel Alliance Developer Netgate

    OpenVPN Manager appears to work for those who use it now, so we can leave well enough alone, but it is worrying that it hasn't been updated in quite some time.

    It's more of a service manager though so as long as OpenVPN's API or commands don't change (much) it probably won't have issues even if it's a bit old.

    I'm mostly worried about the new OpenVPN exe installers (both the normal and -I6xx varieties). I have some VMs to test with but little time.



  • No worries - leave OpenVPN Manager alone. 0.0.3.6 works well for me on Windows 7 and 8. It helps unpriv users start their OpenVPN road warrior connections/s.
    If needed, I can test all that easily with any new version of OpenVPN itself and verify that it still works.


  • LAYER 8 Global Moderator

    There is many ways to skin that cat, I would think using what clearly is an outdated 3rd party manager would be on the bottom of the list ;)

    So 3.6 came out what 2.5 years ago when openvpn was what alpha1 of 2.3 line?

    The gui that comes with openvpn can control the service as well, and you can just give the service the right to be started from non admin user with SubInAcl.exe /service – think by default the gui logs to restricted folder, you can move the log file, etc.

    You can do a /savecred for the shortcut, there are ways to have a scheduled task run.. Like 4 different ways off the top of my head to get around user not having admin rights, so easier than others for sure.


  • Rebel Alliance Developer Netgate

    The newest -I6xx installer worked fine for me without having to adjust the config. The previous behavior must have been due to the bugs they fixed.

    Expect a new rev of the export package soon with both sets of clients.


  • Rebel Alliance Developer Netgate

    Update is pending now, it'll sync in the next 15 mins or so, give or take. I added the new installers as an additional choice and shuffled a few things around name-wise. Let me know if anything weird happens.



  • Is there a reason why someone should immediately replace a currently installed older client?  Anything very important in the new client?


  • Rebel Alliance Developer Netgate

    Well, you should move to OpenVPN 2.3.5 since it's got a more recent OpenSSL, but as for the -I0xx vs -I6xx, that's less clear.



  • Cool - I will do that now.



  • Works…


  • LAYER 8 Global Moderator

    How much older was your client?

    One thing I did notice is when I just ran the update exe in the 686 line the tap driver did not actually update on its own, I had to go and run the actual tap installer to get to .21 vs .9



  • Not much at all.

    My experience has been that these installers NEVER update the TAP unless you do a complete uninstall/reinstall.

    Otherwise, it will just update profiles.


  • LAYER 8 Global Moderator

    So you were on the previous version 2.3.4?  I hate when people say stuff like that - because its subjective.. Like when you ask what version of ios or firmware, bios they are on and they say the latest and then when you go and check you find they are 3+ revs behind.. Current my ASS ;)



  • Its no more than a couple months ago that this computer had a reinstall of openvpn.  I didn't make a note of its version before I uninstalled and reinstalled today.



  • The new OpenVPN 2.3.5-I601, with OpenVPN Manager 0.0.3.6, is working fine for me on Windows 8.1


Log in to reply