pfsense 2.0.1 OpenVPN Configuration Guide

Looks like something is still blocking it.

[screenshot of the firewall log: logs_zps4c6792d6.jpg]
 
What I don't see in that screenshot is something reaching your WAN on destination port 1194 for your OpenVPN (assuming the default port).

What I find even weirder is that all the source ports coming from your work's connection are the same. I don't even recognize those destination ports as typical programs. I think that's an entirely different issue.

Anyway, check out your state table and do the same thing. Filter by the IP of your job's WAN. Also, what about OpenVPN's status page under Status ----> OpenVPN?
 
Interesting.

Came in to work today and tried it again and it worked perfectly. Nothing was changed on the config side.

The settings that I posted above worked for me, so if someone googles this thread that'd be a good place to start, I suppose.
 
Sorry for the meaningless bump, but I just HAD to register/post to thank you for this. I've been banging my head all night and a good part of today against this problem, then found your post.

My application is that I switched a new piece of hardware into the gateway role, but wanted to keep my Pfsense box on the network as an openVPN server.

Thanks again, jadams!
 
No problem at all. This thread has seen a lot of action lately. When I search "openvpn pfsense" on Google it's now the first hit. It was the 3rd or 4th for a while. Everyone who found this guide and used it contributed to it reaching the top of the Google search for this.

What this means is that I should edit the guide to include screenshots. And to also use the reserved posts spots for some other scenarios.
 
This is a great guide and I've gone over it a few times. It really hits the main point and makes a lot of sense. What is confusing me is the end.

When you go to export everything, what comes in the zip are 3 files (.ovpn, .p12, and .key). This seems to not work with the client that I'm trying to get to work, which is openvpn on Fedora or CentOS. The config.conf is looking for 3 files.

Code:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

So I must be missing something small that is preventing me from moving forward. I'm wondering if I need to export the ca.crt and the client.crt from the User Manager, and the .key included with the export?

I'd love a little bit of clarity on this so I can finish this up with the means of totally eliminating Windows once and for all!! I only use Windows to connect to our MS VPN (Blah).

Thanks
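
An added example for the three-file question above, not code from the thread, from pfSense or from OpenVPN. The pfSense export puts the CA certificate, the client certificate and the client private key together in the .p12, and the separate .key in the zip is the tls-auth key. A Linux client can use the bundle directly with a "pkcs12 client.p12" line in place of the ca/cert/key lines, or the bundle can be split into the three files the sample client.conf asks for. The Python below does the split by shelling out to the openssl CLI, checks that the extracted key and certificate belong together and that the certificate chains to the extracted CA, and writes a client.conf. The export password, the output directory and the host name vpn.example.com are assumptions; the .p12 it tests against is constructed with a throwaway CA so the script runs offline.

```python
"""Added example, not code from the thread, pfSense or OpenVPN: unpack a pfSense
client export (.p12 bundle plus tls-auth .key) into the ca.crt / client.crt /
client.key layout a stock Linux client.conf expects, by shelling out to the
openssl CLI. Paths, the export password and vpn.example.com are assumptions."""
import os
import re
import shutil
import subprocess
import tempfile

# keeps just the PEM bodies; pkcs12 prints "Bag Attributes" lines around them
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----\n", re.S)


def openssl(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raises on failure."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found on PATH")
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def split_pkcs12(p12_path: str, password: str, outdir: str) -> dict:
    """Write ca.crt, client.crt and client.key into outdir; return their paths."""
    base = ["pkcs12", "-in", p12_path, "-passin", "pass:" + password]
    client_certs = PEM_BLOCK.findall(openssl(*base, "-clcerts", "-nokeys"))
    ca_certs = PEM_BLOCK.findall(openssl(*base, "-cacerts", "-nokeys"))
    keys = PEM_BLOCK.findall(openssl(*base, "-nocerts", "-nodes"))
    if len(client_certs) != 1 or len(keys) != 1 or not ca_certs:
        raise ValueError("expected one client cert, one key and at least one CA cert")
    paths = {"ca": os.path.join(outdir, "ca.crt"),
             "cert": os.path.join(outdir, "client.crt"),
             "key": os.path.join(outdir, "client.key")}
    with open(paths["ca"], "w") as f:
        f.write("".join(ca_certs))   # every CA cert the bundle carries
    with open(paths["cert"], "w") as f:
        f.write(client_certs[0])
    # the key comes out unencrypted, so create it owner-readable only
    fd = os.open(paths["key"], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0])
    return paths


def key_matches_cert(cert_path: str, key_path: str) -> bool:
    """True when the key's public half equals the public key inside the cert."""
    from_cert = openssl("x509", "-in", cert_path, "-noout", "-pubkey").strip()
    from_key = openssl("pkey", "-in", key_path, "-pubout").strip()
    return from_cert == from_key


def chain_verifies(ca_path: str, cert_path: str) -> bool:
    """openssl verify exits non-zero unless the client cert was issued by that CA."""
    return subprocess.run(["openssl", "verify", "-CAfile", ca_path, cert_path],
                          capture_output=True).returncode == 0


def write_client_conf(outdir: str, remote: str, tls_auth_key: str = None) -> str:
    """Minimal tap-mode client.conf that refers to the three extracted files."""
    lines = ["client", "dev tap", "proto udp", "remote %s 1194" % remote, "nobind",
             "persist-key", "persist-tun", "remote-cert-tls server",
             "ca ca.crt", "cert client.crt", "key client.key", "verb 3"]
    if tls_auth_key:   # the .key shipped in the export zip; 1 is the client direction
        lines.append("tls-auth %s 1" % tls_auth_key)
    path = os.path.join(outdir, "client.conf")
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def make_test_bundle(workdir: str, password: str) -> str:
    """Constructed test data: throwaway CA and client cert packed like the export."""
    def p(name):
        return os.path.join(workdir, name)
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=test-ca", "-keyout", p("ca.key"), "-out", p("ca-orig.crt"))
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=client1",
            "-keyout", p("client-orig.key"), "-out", p("client.csr"))
    openssl("x509", "-req", "-in", p("client.csr"), "-CA", p("ca-orig.crt"),
            "-CAkey", p("ca.key"), "-CAcreateserial", "-days", "1",
            "-out", p("client-orig.crt"))
    openssl("pkcs12", "-export", "-in", p("client-orig.crt"), "-inkey", p("client-orig.key"),
            "-certfile", p("ca-orig.crt"), "-name", "client1", "-out", p("client.p12"),
            "-passout", "pass:" + password)
    return p("client.p12")


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    out = split_pkcs12(make_test_bundle(work, "export-pass"), "export-pass", work)
    print(out, key_matches_cert(out["cert"], out["key"]), chain_verifies(out["ca"], out["cert"]))
    print(write_client_conf(work, "vpn.example.com", "client-tls.key"))
```

Run with no arguments to exercise the round trip on the throwaway bundle. For a real export, call split_pkcs12 on the .p12 from the zip with the export password, and pass the zip's .key file name as tls_auth_key so the conf gets a tls-auth line with key direction 1, the client side; that file is never the client's private key, which is why the key directive alone does not work with it.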
 
I don't have much, but what I get when running openvpn on Fedora is this...

TLS Error: TLS Key negotiation failed to occur within 60 seconds (check your network connectivity).
TLS Error: TLS handshake failed

Now i have researched this and found what the errors could be...
Perimeter firewall on server network filtering... I don't think so.
A software firewall running... no we have sonicwall, but this firewall hits the public directly as our exchange gateway
NAT doesn't port forward....

I followed the directions exactly, so I'm not sure what to check for further troubleshooting.
 
Handshake not happening in 60 seconds indicates a firewall problem. Is pfsense your edge device? Sounds like it isn't.

Check the firewall logs for something that's blocking it, as well as the state table. Simply filter/search for port 1194. It will be on the destination side of the logs.
 
Also something we learned as I just helped a friend set up his own.. Make sure you reboot the pfsense box after you get everything set up. I don't know if the interface bridge wants to work unless you do that. We had no luck and then a reboot solved all the issues and it started working.
 
So after a little research, the pfsense is a gateway. I turned -v up to 4 on the Fedora openvpn client, and that did not help much. I'm looking in the logs on the pfsense and don't even see it getting there. I guess I'm fairly lost :-(
 
I did, and I checked the firewall. I have a rule not only allowing traffic in, but logging it. Nada.
 
What on the firewall did you check?

Specifically check Status-----> System Logs ----> Firewall.

Look for something on port 1194 in the destination column. From there you can use the easy allow function.
 
When doing the openvpn setup it did make its own rule in the firewall. I set that to logging and I don't see much when looking at the logging. I'm going to reboot the box as suggested earlier, but this is very weird. It's like being 100% in the dark.
 
You still haven't (or at least haven't said you have) done what I told you to do for 3 straight posts now. Check the firewall log under Status ---> System Logs ---> Firewall and look for something in the destination column that is connecting on port 1194. Do this while the client is trying to connect.
 
If there is nothing there, then the client isn't even getting to pfsense's WAN.
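
The "is anything reaching UDP 1194 at all" question above, as an added example that is not from the thread, from pfSense or from OpenVPN: a Python probe that sends the first packet of an OpenVPN handshake (P_CONTROL_HARD_RESET_CLIENT_V2) to the server's WAN address and decodes the server's reset reply. A reply proves the packet got through the edge device and port forward to the OpenVPN daemon, so the firewall is not the problem. Silence is not conclusive: it means either a firewall/NAT problem or that the server runs tls-auth (the pfSense wizard's default, and what the .key in the export zip is for), since a tls-auth server drops any packet without a valid HMAC without answering. In that case the firewall log check described above is the better test, because pf still logs the packet even though OpenVPN stays quiet. The host name vpn.example.com is an assumption, and the server reply used for the offline check is constructed.

```python
"""Added example (not from the thread, pfSense or OpenVPN): build and decode
the first exchange of an OpenVPN UDP handshake to test whether port 1194 on
the server is reachable at all. vpn.example.com is an assumed host name."""
import os
import socket
import struct

# control-channel opcodes as numbered in OpenVPN's ssl.h
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_reset(session_id: bytes) -> bytes:
    """P_CONTROL_HARD_RESET_CLIENT_V2, key_id 0, no acks, packet id 0, no tls-auth.
    Wire layout: opcode<<3|key_id (1) | our session id (8) | ack count (1) | packet id (4)."""
    if len(session_id) != 8:
        raise ValueError("session id is 8 bytes")
    return (bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0]) + session_id
            + b"\x00" + struct.pack("!I", 0))


def parse_server_reset(reply: bytes, our_session_id: bytes) -> dict:
    """Decode P_CONTROL_HARD_RESET_SERVER_V2 from a server without tls-auth.
    Wire layout: opcode/key_id (1) | server session id (8) | ack count n (1) |
    n acked packet ids (4 each) | our session id (8, only when n > 0) | packet id (4)."""
    if len(reply) < 14:
        raise ValueError("reply too short for a control packet")
    opcode, key_id = reply[0] >> 3, reply[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        raise ValueError("unexpected opcode %d" % opcode)
    server_sid = reply[1:9]
    n_acks = reply[9]
    need = 10 + 4 * n_acks + (8 if n_acks else 0) + 4
    if len(reply) < need:
        raise ValueError("truncated reply")
    acks = [struct.unpack_from("!I", reply, 10 + 4 * i)[0] for i in range(n_acks)]
    pos = 10 + 4 * n_acks
    remote_sid = None
    if n_acks:
        remote_sid = reply[pos:pos + 8]
        pos += 8
    packet_id = struct.unpack_from("!I", reply, pos)[0]
    return {
        "key_id": key_id,
        "server_session_id": server_sid,
        "acks": acks,
        "packet_id": packet_id,
        # a genuine answer acks our packet 0 and echoes our session id back
        "matches_our_probe": remote_sid == our_session_id and 0 in acks,
    }


def probe(host: str, port: int = 1194, timeout: float = 3.0):
    """Send one client reset and wait for the reply. Returns the decoded reply,
    or None when nothing came back: blocked, not forwarded, or dropped by tls-auth."""
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_reset(sid), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except (socket.timeout, ConnectionRefusedError):
            return None
    return parse_server_reset(data, sid)


def make_server_reset(server_sid: bytes, client_sid: bytes) -> bytes:
    """Constructed reply shaped like a non-tls-auth server's answer: it acks our
    packet 0, echoes our session id and carries its own packet id 0. Offline test data."""
    return (bytes([(P_CONTROL_HARD_RESET_SERVER_V2 << 3) | 0]) + server_sid
            + b"\x01" + struct.pack("!I", 0) + client_sid + struct.pack("!I", 0))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed host
    result = probe(target)
    print("no reply: firewall/NAT problem, or tls-auth dropped it" if result is None
          else result)
```

Run it from the outside (the work network in the thread) against the WAN address or name; a decoded reply with matches_our_probe set means UDP 1194 is open end to end, and the remaining suspects are the certificates and the tls-auth key on the client. The probe carries no HMAC, so against a tls-auth server it behaves exactly like a blocked packet; to use it there you would have to disable tls-auth on the server temporarily or add the HMAC.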
 
I got a problem when trying to initiate 2 connections at the same time. Both will grab the same IP, which makes the connection time out. Already enabled the bridge DHCP.

Any idea why?
 
Two different clients attempt to connect and they both grab the same IP?

What does Status ---> OpenVPN say?

Is an internal server doing the DHCP, or are you specifying the range in the OpenVPN config?

You mentioned this happens when they connect at the same time. What if they dont connect at the same time?
 
I specified the range in the OpenVPN config and did not enable the DHCP server. If they don't connect at the same time, the connection works fine.

From the logs, I can see both clients are grabbing the same LAN IP. That's why it causes the timeout. I already set a range of 10.1.1.10 - 10.1.1.20, but it will always grab the first IP, 10.1.1.10, for both clients.
 
That is definitely odd man. Are these two clients using the same client certs?
 

There is a check box in the server config to allow multiple connections for this. Is that checked?

I've never done it. I always have every device use its own set of certs. If that check box is ticked, or if ticking it doesn't help, then I'd make a 2nd set of client certs.
 
This guide seems to be good for making an OpenVPN server out of pfsense too... I want to do that as well. Does anybody know how many OpenVPN users this can handle? I like to install the OpenVPN client as a service; it makes it easier for the users...

I would virtualize pfsense and just use a single NIC... I would forward the OpenVPN port to that box...
 
My experience is that anything pfsense does is limited by hardware. How many users it can sustain will probably be directly related to the clock speed of the processor. Keep in mind that pfsense and openvpn are single threaded, so the faster the clock speed the better.

There was a thread about a month back where I tested throughput on pfsense with a site-to-site VPN virtualized on 2.66GHz Xeons in Hyper-V. It didn't perform as well as I'd have liked. I'm unsure if that was due to the virtualization. I'll try to find the thread.
 
Thanks for this awesome guide. I have been using TUN for a while but this works better for me since remote clients will be in the same subnet as my home network.

Everything is working properly except DNS name resolution. I can ping or RDP to my Windows servers and PCs using their IP addresses, but I can't when I use their computer names. The OpenVPN clients are getting the proper IP address with the correct default gateway, DHCP, and DNS address, which is the pfsense server. Any way to fix this issue and use the computer names instead of their IP addresses?
 
Have you done typical DNS troubleshooting? nslookup? Telnet to port 53 of the DNS server? Are you sure your remote clients are actually able to reach the DNS server?

I don't see why the OpenVPN server would pick on only DNS.
 
Here is my nslookup sample from a laptop with OpenVPN connected to my pfsense router. It looks like DNS is working.

Code:
C:\Users\Frank>nslookup
Default Server:  pfsense.ad.home.lan
Address:  192.168.1.21

> frank-haf
Server:  pfsense.ad.home.lan
Address:  192.168.1.21

Name:    frank-haf.ad.home.lan
Address:  192.168.1.13

> acer-pc
Server:  pfsense.ad.home.lan
Address:  192.168.1.21

Name:    acer-pc.ad.home.lan
Address:  192.168.1.12

I don't know how to telnet to port 53 to my pfsense router. I tried telnet 192.168.1.21 53 but I only get a black screen command prompt.

I also added the OpenVPN interface in the pfsense DNS forwarder settings which did not help.
 
That's really odd, man. DNS is working according to the nslookup. Your telnet did too. The black screen on the command prompt is what you want to see. It means it connected.

There is something else weird going on that I don't think is pfsense/openvpn related.
 
Hi!

Great guide, thanks!

I have a setup that looks like this:

internet ---- gateway ---- pfsense 2.1RC w extIP/24 ---- internal net with 192.168.7.0/24

On the internal net I have a number of devices including computers, CUPS printers, WLAN access points, LAN scanners etc. and everything is working (internet access, access to the FW, internal name resolution etc.).

The problem I am having is that when I connect through the OpenVPN setup I cannot access anything but the internal devices, i.e. I can ssh into 192.168.7.101, I can get to the management IF of .80 etc but I cannot access the pfsense gateway at 192.168.7.1 at all! No DNS, no internet access, no logging into the pfsense management GUI etc etc.

My client that logs in is running Linux Mint 14 and this is the output from
Code:
netstat -nr
when I am connected by OpenVPN from my extIP2:

Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.7.1     0.0.0.0         UG        0 0          0 tap0
extIP2          192.168.X.1    255.255.255.255 UGH       0 0          0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
192.168.7.0     0.0.0.0         255.255.255.0   U         0 0          0 tap0
192.168.X.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0

and when I am disconnected:

Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.X.1    0.0.0.0         UG        0 0          0 wlan0
192.168.X.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0

What is the line:
Code:
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
that I get when connected? Where does it come from?

What additional info would be needed for anyone of you to help me troubleshoot this??

Cheers!
FreddyAV
 
After I did pfsense update to 2.1.1-RELEASE it will connect to the OpenVPN server but there is no access to the LAN
 
After I did pfsense update to 2.1.1-RELEASE it will connect to the OpenVPN server but there is no access to the LAN

I'm having the same issue after updating to 2.1.1...it will connect but it doesn't get an IP address and then it disconnects. pfSense shows the VPN interface is down, but I don't remember if it was always down.
 
Thanks, you're right. It turns out the opvns1 "network port" somehow got removed in the upgrade and so the VPN interface defaulted to em0 (LAN for me). I recreated the OpenVPN configuration and I got the opvns1 network port back. I'll have to test tomorrow when I'm out of the house to see if it works again.
 
These steps are fantastic! I tried them, but it didn't work :( pfSense 2.3.2-RELEASE-p1 (amd64) on a NetGate SG 4860.

So, I opened a support ticket with NetGate.

Their response was that this is an insecure method. "First option I would not consider because it is not secure - letting vpn users in servers subnet may lead to security problems like ip spoofing, arp poisoning... "

Good grief!

I've got a Cisco ASA set on 192.168.10.1 and a pfSense box I set on 192.168.10.254, as a DHCP server as well. The idea was for redundancy, but of course if I VPN in, I can only access any PCs that the pfSense machine has given DHCP addresses to (ironically, the Cisco is faster usually) and the static IP servers in the system. The goal of course is for OpenVPN users on the pfSense box to access the entire network.

I figured the bridge would work great, give VPN users a 192.168.10.X address. Netgate apparently considers the entire reason we bought the pfSense box to be beside the point, so we may be returning it on Monday. LOL.

Symptoms: I could get it to work with these excellent instructions, but still had the same problem that I could only access servers that were using the pfSense DHCP server. None of the other devices were contactable. This makes no sense to me. I can post more detailed logs. I'll give it a go yet again.

NetGate recommended that I setup a route in the Cisco machine to say 172.16.0.1 and set that up as my VPN IP. I'd prefer not to make changes to the Cisco machine; it's handled by another vendor and they don't know we're replacing them.

One question: on this step:

Create your Interface and Bridge:
1) Interfaces ---> (assign)
2) add an interface by pressing the "+" button
3) in the drop down box next to the OPT1 interface that was created choose the open vpn server instance we just created
I actually have THREE interfaces. There's an OpenVPN interface, there's a tap1 interface, and a tap2 interface. I assume I assign the OpenVPN interface? What do I do with tap1 and tap2 (and why are there two?)

If I change the OpenVPN from tap to tun, the tap1 and tap2 interfaces don't disappear. Do I have cruft in the system?

Thanks, sorry for the long post!

== John ==
 
Is pfsense able to talk to the servers?

When you say contactable, do you mean by DNS name or IP?
 
pfSense can ping everything in the local LAN.

OpenVPN clients can only ping devices in the LAN that have a default gateway OF the pfSense box.

EDIT:

Ok, I setup everything again (changed too many things last night).

With the original configuration, I get a DHCP address in the clients, the first IP in the range, but I can ping nothing. Packets get routed to my non-VPN gateway.

My route print looks correct:

192.168.0.111 is my offsite IP; GW is 0.1

192.168.10.X is the remote (office) LAN. 10.32 is the first IP in the DHCP range the OpenVPN serves up. 192.168.10.254 is the PFSense box. 192.168.10.1 is the Cisco.

Can't ping anything on the office LAN.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.111 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.111 266
192.168.0.111 255.255.255.255 On-link 192.168.0.111 266
192.168.0.255 255.255.255.255 On-link 192.168.0.111 266
192.168.10.0 255.255.255.0 On-link 192.168.10.32 276
192.168.10.0 255.255.255.0 192.168.10.254 192.168.10.32 20
192.168.10.32 255.255.255.255 On-link 192.168.10.32 276
192.168.10.255 255.255.255.255 On-link 192.168.10.32 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.111 293
224.0.0.0 240.0.0.0 On-link 192.168.10.32 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.111 266
255.255.255.255 255.255.255.255 On-link 192.168.10.32 276


[C:\]ping 192.168.10.254

Pinging 192.168.10.254 with 32 bytes of data:
Reply from 66.xx.xx.xx: TTL expired in transit.
Reply from 66.xx.xx.xx: TTL expired in transit.

(66.xx is my home router's ISP).
 