Netgate Discussion Forum

    OpenVPN configuration file

      tv.andrey

      Hello friends! :)

      I am a newcomer to pfSense and I do not know how to configure it with the configuration file at the bottom of this message.
      The OpenVPN client for Windows works correctly with these settings.
      Please help me to set up the connection.
      And where is the server certificate? I mean the begin and end.

      Andrew

      client
      dev tap
      remote xxxxxxxxx 993
      proto tcp-client
      remote-cert-tls server
      auth-user-pass
      tls-client
      pull
      persist-key
      resolv-retry infinite
      reneg-sec 0
      verb 3
      script-security 2 system
      auth-nocache
      route-delay 2
      redirect-gateway def1

      <ca>
      -----BEGIN CERTIFICATE-----
      MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
      MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
      YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
      aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
      jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
      xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
      1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
      snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
      U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
      9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
      BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
      AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
      yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
      38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
      AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
      DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
      HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
      -----END CERTIFICATE-----

      -----BEGIN CERTIFICATE-----
      MIIELzCCAxegAwIBAgILBAAAAAABL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
      MDBaFw0yMjA0MTMxMDAwMDBaMC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQD
      ExBBbHBoYVNTTCBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
      AQEAw/BliN8b3caChy/JC7pUxmM/RnWsSxQfmHKLHBD/CalSbi9l32WEP1+Bstjx
      T9fwWrvJr9Ax3SZGKpme2KmjtrgHxMlx95WE79LqH1Sg5b7kQSFWMRBkfR5jjpxx
      XDygLt5n3MiaIPB1yLC2J4Hrlw3uIkWlwi80J+zgWRJRsx4F5Tgg0mlZelkXvhpL
      OQgSeTObZGj+WIHdiAxqulm0ryRPYeDK/Bda0jxyq6dMt7nqLeP0P5miTcgdWPh/
      UzWO1yKIt2F2CBMTaWawV1kTMQpwgiuT1/biQBXQHQFyxxNYalrsGYkWPODIjYYq
      +jfwNTLd7OX+gI73BWe0i0J1NQIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEG
      MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBTqGVXwDg0yxh90M7eOZhpM
      EjEeMEUGA1UdIAQ+MDwwOgYEVR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3
      dy5hbHBoYXNzbC5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0
      cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8w
      LQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAf
      BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOC
      AQEABjBCm89JAn6J6fWDWj0C87yyRt5KUO65mpBz2qBcJsqCrA6ts5T6KC6y5kk/
      UHcOlS9o82U8nxTyaGCStvwEDfakGKFpYA3jnWhbvJ4LOFmNIdoj+pmKCbkfpy61
      VWxH50Hs5uJ/r1VEOeCsdO5l0/qrUUgw8T53be3kD0CY7kd/jbZYJ82Sb2AjzAKb
      WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ
      OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l
      +MPpZqmyIJ3E+LgDYqeF0RhjWw==
      -----END CERTIFICATE-----
      </ca>

        ega

        Here is the how-to:

        https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

        I can't configure a TAP device on the OpenVPN server; it says "Exiting due to fatal error" and the service doesn't run.

        I'm running pfSense 2.2.4, and I've read that it is not the best option for working with OpenVPN (here is the topic: https://forum.pfsense.org/index.php?topic=99536.0). I'll try with 2.1.5 to compare the performance and check whether this particular situation with the TAP device doesn't exist in that version.

        I've implemented an OpenVPN server with a TUN device, TCP protocol, and roadwarrior clients, so I can access LAN resources (shared directories, mapping hosts by IP address) with no problem, and of course I can ping any device on the LAN. This covers my need.

        Of course, from my client I can access local resources, but it can't be done the other way around (a local client can't ping the VPN client).

        Regards.

        If you share money, half remains; if you share knowledge, it doubles.

          tv.andrey

          OK, I will try to understand.

          But where is the certificate (key) of the server in my configuration file?
          Is it here or not?
          I misunderstood.
          In the previous topic I meant when pfSense connects as a client to another server.
          On the one side is a Linux-based OpenVPN server, on the other side pfSense.
          If I understand the pfSense rules correctly, it is not remote access to the OpenVPN service.

            ega

            OK, I understood your situation: you want to configure pfSense as a client. I have not done this before.

            I'm not an experienced user; these instructions are what I would do. Follow these steps at your own risk  :o :o :o

            Looking at my pfSense, I found an option to import certificates. I think that you must identify the "Certificate data" and "Private key data"; those are the names of the fields on "Import an existing certificate" under System>Certificate Manager>Certificate tab.

            I put your information in these fields and that generated a certificate with this information:

            OU=Root CA, O=GlobalSign nv-sa, CN=GlobalSign Root CA, C=BE
            Valid From: Tue, 01 Sep 1998 12:00:00 +0000
            Valid Until: Fri, 28 Jan 2028 12:00:00 +0000

            If the certificate has been imported correctly, then you must configure the client: go to VPN>OpenVPN>Client tab, click on add (+), set the parameters of the server, and select the recently imported certificate as "Client certificate".

            Keep me posted if that works.

            Greetings and successes

              tv.andrey

              OK, thank you for the support.

              Where can I get the server certificate? The information which I posted two days ago is all that I have.
              I have to connect to another VPN server which another company supports; I do not have any access to the server.
              I have asked support to provide me keys and so on, but unfortunately I have not had an answer so far.
              Where can I find the certificate of the server in the configuration file?
              How can you extract this information

              OU=Root CA, O=GlobalSign nv-sa, CN=GlobalSign Root CA, C=BE
              Valid From: Tue, 01 Sep 1998 12:00:00 +0000
              Valid Until: Fri, 28 Jan 2028 12:00:00 +0000

              from my file?

              In my opinion there are two certificates because there are two @end@ and @finish@.

              Sorry for the dummy question  :)

              andrew

                ega

                You can't get a server certificate unless you have a server; this is not your case. You must have a client certificate.

                Do you have pfSense installed? Did you understand what I said in the previous post?

                  ega

                  The first begin and end is for the "Certificate data", the second is for "Private Key"; both are necessary to import a valid certificate.

                  That's how I got the info of the certificate 8)

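Added example, not part of any post in this thread: a Python sketch that lists the inline sections of an OpenVPN client config and the PEM label of each BEGIN/END block, which is what distinguishes a certificate from a private key. The sample config is constructed (dummy base64 bodies, placeholder hostname) with the same layout as the file in the first post; the function names are this example's own.

```python
import re

# Constructed sample: same directives and layout as the config in the thread,
# with dummy base64 bodies (not real certificates) and a placeholder host.
SAMPLE_CONFIG = """\
client
dev tap
remote vpn.example.invalid 993
proto tcp-client
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
</ca>
"""

INLINE = re.compile(r"<([a-z0-9-]+)>(.*?)</\1>", re.S)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def inline_sections(config):
    """Map each inline section (<ca>, <cert>, <key>, ...) to its PEM labels."""
    return {name: PEM.findall(body) for name, body in INLINE.findall(config)}

def directives(config):
    """Return the option names that appear outside inline sections."""
    outside = INLINE.sub("", config)
    return {line.split()[0] for line in outside.splitlines()
            if line.strip() and not line.lstrip().startswith(("#", ";"))}

def summarize(config):
    """Report which credentials the config actually carries."""
    sections, opts = inline_sections(config), directives(config)
    has_key = any("PRIVATE KEY" in label
                  for labels in sections.values() for label in labels)
    return {
        "ca_certificates": len(sections.get("ca", [])),
        "has_client_cert": bool({"cert", "pkcs12"} & (set(sections) | opts)),
        "has_private_key": has_key or "key" in opts,
        "password_auth": "auth-user-pass" in opts,
    }

if __name__ == "__main__":
    print(inline_sections(SAMPLE_CONFIG))
    print(summarize(SAMPLE_CONFIG))
```

On a config laid out like the one in the first post, this reports two CERTIFICATE blocks inside `<ca>`, no private key, and password authentication via `auth-user-pass`.
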
                    tv.andrey

                    Thanks.

                    Now I will test.
