Netgate Discussion Forum

Switch from OpenVPN Access Server to pfsense

11 Posts 2 Posters 2.8k Views
    betatest, Apr 2, 2016, 2:52 PM (last edited Apr 3, 2016, 7:39 PM)

    I have tried now for almost 2 days to get OpenVPN to work. If anyone can help me, I would be very thankful. English is not my native language, so please excuse the spelling errors.

    The situation is the following:
    I had an OpenVPN Access Server on site A and a client on site B. The modem on site A had a route so that all 192.168.1.0/24 traffic was redirected to site B.
    The client on site B was a Windows machine with OpenVPN Connect, and the modem on site B had a route so that all 10.13.2.0/24 traffic was routed to site A.

    Then the following happened: our modem on site B (btw a Linksys 1900ACS) crashed about 3-4 times a day. After a lot of frustrating problems, I decided to switch to pfSense for my modem. I am very happy about that decision.

    Now I would like to also use my pfSense for OpenVPN. But it just won't work.
    Here are the old settings I had on the OpenVPN Access Server:

    Server Network Settings: Hostname or IP Address: "staticIPfromSiteA"
    VPN Mode: Layer 3
    VPN Settings: Dynamic IP Address Network 172.27.224.0, Routing: Yes, using NAT
    Should client Internet traffic be routed through the VPN? Yes
    Should clients be allowed to access network services on the VPN gateway IP address? Yes
    DNS Settings: Have clients use the same DNS servers as the Access Server host
    I also had a single user and installed the VPN on site B by opening the web page and installing everything automatically.

    Now I try to do the same thing on pfSense:
    Under User Manager I create a user. Installed the package OpenVPN Client Export Utility. Start the OpenVPN wizard. Create a new CA. Create a server cert. Tunnel Network: 10.0.8.0/24. Redirect Gateway true. Local Network: 10.13.2.0/24 (my network on site A). Everything else I leave blank or default. On the next page I allow it to create the firewall and OpenVPN rules. Firewall rules seem fine. Now I go to Client Export but can't find any install packages. Go to User Manager and add a user certificate to my OpenVPN user. Choose an existing certificate (CA). The user now has Name: servercert, CA: CA. Now I can see a client install package. I install it and run it as admin. Disconnect my LAN cable from site A and use the integrated SIM card of my laptop. I get this error:

    Sat Apr 02 16:26:55 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sat Apr 02 16:26:55 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Sat Apr 02 16:27:00 2016 Control Channel Authentication: using 'pfSense-udp-1194VpnUser-tls.key' as a OpenVPN static key file
    Sat Apr 02 16:27:00 2016 UDPv4 link local (bound): [undef]
    Sat Apr 02 16:27:00 2016 UDPv4 link remote: [AF_INET]mystaticip:1194
    Sat Apr 02 16:27:00 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Apr 02 16:28:00 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Apr 02 16:28:00 2016 TLS Error: TLS handshake failed
    Sat Apr 02 16:28:00 2016 SIGUSR1[soft,tls-error] received, process restarting
    Sat Apr 02 16:28:02 2016 UDPv4 link local (bound): [undef]
    Sat Apr 02 16:28:02 2016 UDPv4 link remote: [AF_INET]mystaticip:1194
    Sat Apr 02 16:28:06 2016 SIGTERM[hard,] received, process exiting

    Reinstall OpenVPN and delete the config files. Get the same error again.
    I am starting to freak out because the hardest part (routing traffic from A to B) is yet to come :D
    Any help would be very much appreciated.
    Btw: if I buy pfSense Gold, does AutoConfigBackup also save certificates and OpenVPN settings? I guess so, but I couldn't find anything online.

      johnpoz (LAYER 8 Global Moderator), Apr 2, 2016, 3:10 PM (last edited Apr 4, 2016, 10:06 AM)

      Where in your setup did you open up 1194 UDP on your WAN?

      Is pfSense behind a NAT?? Or does it have this snipped:1194 address on its WAN?

      To me this says you never connected at all:
      TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

      I can not even ping that IP..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        betatest, Apr 4, 2016, 11:39 AM
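      A small triage helper for client logs like the one above. It is added here and is not code from either poster or from pfSense; the sample log is a constructed trim of the post's output. It encodes johnpoz's reading of the log: a 60-second TLS negotiation timeout with no "TLS: Initial packet from" line means the server never answered at all (closed or unforwarded UDP port, wrong public IP, or a tls-auth key that does not match, since the server silently drops packets with a bad HMAC), which is a different failure from a certificate or credential problem that only shows up after the server has replied.

```python
import re
from datetime import datetime

# Constructed sample: the client log from the first post, trimmed to the relevant lines.
SAMPLE_LOG = """\
Sat Apr 02 16:27:00 2016 UDPv4 link remote: [AF_INET]mystaticip:1194
Sat Apr 02 16:27:00 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr 02 16:28:00 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 02 16:28:00 2016 TLS Error: TLS handshake failed
Sat Apr 02 16:28:00 2016 SIGUSR1[soft,tls-error] received, process restarting
"""

# OpenVPN 2.x prefixes each log line with "Sat Apr 02 16:27:00 2016 ".
TS_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")


def parse(log):
    """Yield (timestamp, message) pairs; lines without a timestamp (prompts) are skipped."""
    for line in log.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def seconds_to_timeout(log):
    """Seconds between the first 'link remote' line and the TLS negotiation timeout, or None."""
    start = end = None
    for ts, msg in parse(log):
        if start is None and "link remote:" in msg:
            start = ts
        if end is None and "TLS key negotiation failed to occur" in msg:
            end = ts
    return int((end - start).total_seconds()) if start and end else None


def triage(log):
    """Classify a connection attempt by how far the handshake got before it failed."""
    msgs = [m for _, m in parse(log)]
    if any("Initialization Sequence Completed" in m for m in msgs):
        return "connected"
    if any("AUTH_FAILED" in m for m in msgs):
        return "credentials-rejected"   # TLS succeeded; user/password or auth backend said no
    if any("VERIFY ERROR" in m for m in msgs):
        return "certificate-mismatch"   # server replied, but the CA/cert chain does not validate
    got_reply = any(m.startswith("TLS: Initial packet from") for m in msgs)
    timed_out = any("TLS key negotiation failed to occur" in m for m in msgs)
    if timed_out and not got_reply:
        return "no-server-response"     # nothing came back: firewall/port, NAT, wrong IP, tls-auth key
    if timed_out:
        return "handshake-stalled"      # server answered once, then the exchange died (MTU, drops)
    return "unknown"
```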

        UDP opened in the wizard.
        pfSense is not behind a NAT.

        Just for basic understanding, is what I want even possible with pfSense and OpenVPN?

        Site A                                                                          Site B

        pfSense running OpenVPN -------- fiber optic converter with static IP ---------- internet --------- modem on site B ------ Windows client running OpenVPN Connect 192.168.1.10

        On site A, route all traffic for 192.168.1.0 to the connected client from site B.
        On site B, route all traffic for 10.13.2.0 through the connected Windows client.

          johnpoz (LAYER 8 Global Moderator), Apr 4, 2016, 11:42 AM

          Want site to site vpn, yeah.. Want remote access too, yeah.. I am not aware of anything you could do with AS or CE that you can not do with the openvpn on pfsense. It is just openvpn with a pfsense gui to help you configure it..

          You want a windows client behind a NAT to run all traffic for that site to your pfsense site? That is not an optimal setup; you would have to create routes on all hosts in site B to use that windows client as gateway to your network in site A.. But sure it can be done.

          Why would you be using limited connect client??  Why not just setup site to site vpn to the router at site B?


            betatest, Apr 4, 2016, 12:15 PM (last edited Apr 4, 2016, 2:40 PM)

            Site B is just a small office with 2 PCs. They need the ISP modem for VoIP, so I can't swap it out for a pfSense.
            The modem does not support OpenVPN.
            As far as I understand, I only have to create the route once on the modem.
            Sorry, I meant OpenVPN GUI, not OpenVPN Connect :)

            Here is a picture for better understanding:

            [image: 2016-04-04.png]

              johnpoz (LAYER 8 Global Moderator), Apr 4, 2016, 7:15 PM

              So your ISP router at site B has a route to the client running the openvpn client? That is going to cause nothing but problems for sure.. For starters it's a hairpin, second it's going to be asynchronous... Why would you not just create a host route on the client without openvpn on it to point the 10 network to the client with openvpn on it?

              Also with such a small setup, why not just run openvpn client on the 2nd box as well, vs trying to route through a client inside the network??

              So what if that isp device does voip... Why can you not just put pfsense behind it for your data network?


                betatest, Apr 6, 2016, 6:53 AM

                There are some small network devices on site B that can't run OpenVPN (no operating system). But I think you are right. I will only run into problems with this setup.
                I decided to install a second pfSense behind the ISP modem (image). Thank you very much for your answer.

                I will try to set it up today with these settings:

                Created a CA on pfsense1 (pfsense1CA). Created a server certificate called pfsense1s; issuer is pfsense1CA. Created a user called user1 with certificate "pfuser1", issuer pfsense1CA.

                Server Mode: Peer to Peer (SSL/TLS)
                TLS Authentication: checked
                Key: auto generated
                Peer Certificate Authority: pfsense1CA
                Server Certificate: pfsense1s
                IPv4 Tunnel Network: 10.0.8.0/24
                IPv4 Local Networks: 10.13.2.0/24
                IPv4 Remote Networks: 192.168.1.0/24

                Now I want to route some of the local traffic from site A to site B. I do not have an interface under Gateways, so I go to Interfaces and create a new one by adding the available network port and giving it a name. Do I have to give the interface a static IP or something?

                Now I have two gateways (IPV4VPN and 6) and I mark IPV6 as down. Under Static Routes:
                Destination network: 192.168.1.0/24
                Gateway: IPV4VPN
                Under OpenVPN Client Specific Overrides:
                Common name: pfuser1, IPv4 Remote Networks: 10.13.2.0/24
                Not entirely sure why I need this. Is that so I do not need a route on site B because it already knows what addresses are on site A? It is configured in the client settings on site B anyway.

                Export pfsense1CA and pfuser1. Go back to OpenVPN and copy the TLS key.
                pfsense2 on site B:
                Import both crt. Go to OpenVPN clients.
                Server host or address: myStaticIpFromSiteA
                Server host name resolution: checked
                user1 and password (created on pfsense1 under User Manager)
                Uncheck TLS and paste the TLS key copied from pfsense1 earlier.
                Peer Certificate authority: pfsense1CA
                Client Certificate: pfuser1
                IPv4 Tunnel Network: 10.0.8.0/24
                IPv4 Remote network: 10.13.2.0/24

                Hope it will work  8)

                [image: 2016-04-05.png]

                  johnpoz (LAYER 8 Global Moderator), Apr 6, 2016, 5:27 PM

                  Yup, for sure site to site openvpn using pfsense is pretty straightforward.. This will make your connectivity between your sites much less complex, and you don't have to worry about asynchronous routing or host routes once pfsense becomes the gateway of that network, and the vpn connection to your other site.


                    betatest, Apr 7, 2016, 12:20 PM (last edited Apr 7, 2016, 12:43 PM)

                    After some problems it works now  ;D
                    I will make a bug report.
                    Here are the problems I had. Maybe it helps someone else.

                    The configuration is up and running. But I don't get how the routing is done. I have read 3 tutorials and all use a different method. I have not configured any VPN interfaces or static routes.
                    Tutorial 1: just fill in all network settings on the server side and on the client side. No client specific overrides or advanced settings.
                    Tutorial 2: no settings on the client side (blank network settings) but client specific overrides.
                    Tutorial 3: no settings on the client side but client specific overrides with blank network settings and iroute in advanced settings.
                    Problem with setting 1: in the system logs I get these two errors:
                    openvpn 94658 WARNING: using --pull/--client and --ifconfig together is probably not what you want
                    openvpn 94658 ERROR: FreeBSD route add command failed: external program exited with error status: 1
                    Problem with setting 2: after enabling the client specific overrides OpenVPN crashes. PHP errors:
                    PHP Stack trace:
                    PHP 1. {main}() /usr/local/www/vpn_openvpn_csc.php:0
                    PHP 2. implode() /usr/local/www/vpn_openvpn_csc.php:243
                    Problem with setting 3: I simply don't get it :) These are just settings I could enter above. Why should I use them?
                    What do you think is the best method of these three? I would like the second method, because I am free to add another branch office anytime I want and just create a new user for that site.

                    Update:
                    Tutorial 2 works! I deleted the client specific settings and stopped OpenVPN, created the overrides again, and then it did not crash :)
                    Sent the crash log to the developer. Maybe they can do something with it.

                      johnpoz (LAYER 8 Global Moderator), Apr 7, 2016, 12:31 PM

                      Have no idea what tutorials you're using - most of them on the net are crap and/or very dated..


                        betatest, Apr 7, 2016, 12:42 PM

                        I forgot to say that it works now with the config from Tutorial 2.

                        This is the tutorial from pfSense ;)

                        https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.