OpenVPN Desktop Client with pfsense
-
None of the default Client Export config files will work with the OpenVPN Desktop client for Windows. With a couple of modifications the OpenVPN Connect (iOS/Android) files can be used.
-
Add "dev tun" & "dev-type tun" to the file
-
Remove "lport 0" from file
Sample:
dev tun
dev-type tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
remote 1.1.1.1 1194 udp
lport 0
verify-x509-name "pfVPN Server Cert" name
auth-user-pass
ns-cert-type server
comp-lzo<ca>–---BEGIN CERTIFICATE-----</ca>
-
-
Which exact version of the Windows client?
They all work with the normal ones (-I003) but the new tap driver packages (-I603) do need other changes that aren't accounted for yet.
I had another report that for those all that was needed was to remove persist-tun
-
so new version out
https://openvpn.net/index.php/open-source/downloads.html
This release fixes a serious interoperability issue with OpenVPN and the tap-windows6 driver. In addition a fair number of other bug fixes and small enhancements are included.Maybe this fixes the problem and can use the i686 versions?
-
Perhaps. It's on my todo list to test the new ones (spotted them last week) and get them into the export package.
-
I will test it on my work box on Monday - pretty much vpn into pfsense every day all day, so should know fairly quickly if any issues with it.
-
So updated my install, and updated the tap.. And not seeing any issues with quick testing. I can ping into my networks on the other side of the connection, and RDP'd to a box and looks like all is working. Will try UDP when I get a chance, this is via a tcp connection off a proxy - bouncing off a proxy with udp has issues. Have to change my connection to get a direct out where I can use udp.
Mon Nov 03 09:21:42 2014 OpenVPN 2.3.5 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Mon Nov 03 09:21:42 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05Mon Nov 03 09:21:55 2014 TAP-WIN32 device [vpn] opened: \.\Global{5A2F7EEA-6ED4-4F64-84E8-6A9A17179285}.tap
Mon Nov 03 09:21:55 2014 TAP-Windows Driver Version 9.21using my config from before.. And it has
persist-tun
in it.
-
@jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)
-
@jimp - when you are updating OpenVPN client version, can you also look at OpenVPN Manager. The client export package has 0.0.3.6 in it and 0.0.3.8 has been out for a while. If nothing else, having 0.0.3.8 will stop it from telling users there is an update available when it starts :)
I've looked and unless they fixed it up since I looked last, it was a mess. The executables changed, documentation was completely incorrect for how the new install switches worked, files were missing from the .zip, among other issues. I never was able to get it to work. I didn't do the original integration of that Manager program and I'm not likely to update it unless it's a "drop-in" replacement which it clearly isn't, unfortunately. Search around a bit and you'll find the previous thread I talked about that in. IIRC the maintainer of the program mentioned working on a fix but I'm not sure if it ever materialized.
-
I just use the gui that comes with the setup from openvpn, don't have any problems with it. Your talking about this manager?
-
Yes, that one. It's an optional checkbox choice in the export package.
-
Easy solution - remove the checkbox ;) hehehe
It has not been updated in what 1.5 years? New in 0.0.3.8 (28.04.2013)
-
OpenVPN Manager appears to work for those who use it now, so we can leave well enough alone, but it is worrying that it hasn't been updated in quite some time.
It's more of a service manager though so as long as OpenVPN's API or commands don't change (much) it probably won't have issues even if it's a bit old.
I'm mostly worried about the new OpenVPN exe installers (both the normal and -I6xx varieties). I have some VMs to test with but little time.
-
No worries - leave OpenVPN Manager alone. 0.0.3.6 works well for me on Windows 7 and 8. It helps unpriv users start their OpenVPN road warrior connections/s.
If needed, I can test all that easily with any new version of OpenVPN itself and verify that it still works.
-
There is many ways to skin that cat, I would think using what clearly is an outdated 3rd party manager would be on the bottom of the list ;)
So 3.6 came out what 2.5 years ago when openvpn was what alpha1 of 2.3 line?
The gui that comes with openvpn can control the service as well, and you can just give the service the right to be started from non admin user with SubInAcl.exe /service – think by default the gui logs to restricted folder, you can move the log file, etc.
You can do a /savecred for the shortcut, there are ways to have a scheduled task run.. Like 4 different ways off the top of my head to get around user not having admin rights, so easier than others for sure.
-
The newest -I6xx installer worked fine for me without having to adjust the config. The previous behavior must have been due to the bugs they fixed.
Expect a new rev of the export package soon with both sets of clients.
-
Update is pending now, it'll sync in the next 15 mins or so, give or take. I added the new installers as an additional choice and shuffled a few things around name-wise. Let me know if anything weird happens.
-
Is there a reason why someone should immediately replace a currently installed older client? Anything very important in the new client?
-
Well, you should move to OpenVPN 2.3.5 since it's got a more recent OpenSSL, but as for the -I0xx vs -I6xx, that's less clear.
-
Cool - I will do that now.
-
Works…
-
How much older was your client?
One thing I did notice is when I just ran the update exe in the 686 line the tap driver did not actually update on its own, I had to go and run the actual tap installer to get to .21 vs .9
-
Not much at all.
My experience has been that these installers NEVER update the TAP unless you do a complete uninstall/reinstall.
Otherwise, it will just update profiles.
-
So you were on the previous version 2.3.4? I hate when people say stuff like that - because its subjective.. Like when you ask what version of ios or firmware, bios they are on and they say the latest and then when you go and check you find they are 3+ revs behind.. Current my ASS ;)
-
Its no more than a couple months ago that this computer had a reinstall of openvpn. I didn't make a note of its version before I uninstalled and reinstalled today.
-
The new OpenVPN 2.3.5-I601, with OpenVPN Manager 0.0.3.6, is working fine for me on Windows 8.1
