Setup & Configuration Of OpenVPN On Pfsense 2.0 For Road Warrior

AMD_Gamer

I see a lot of people asking about setting up a VPN with pfSense here on the forum, but there are never any good guides. Today I found two excellent new guides that explain the entire setup process using the new OpenVPN features of pfSense 2.0. It is really simple: most of the work you had to do before is done automatically by pfSense 2.0. You just export the configuration file from pfSense, place it in your OpenVPN client configuration directory, and you are all set.

Setup & Configuration Of OpenVPN On Pfsense 2.0 RC3: http://www.apollon-domain.co.uk/?p=433

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication: http://blog.stefcho.eu/?p=492

Using your OpenVPN Road Warrior setup as a Secure Relay: http://blog.stefcho.eu/?p=956

With the recent release of Pfsense 2.0 there has been a significant number of improvements to the OpenVPN component. In previous versions of Pfsense, the client, CA and server certificates had to be created on a client machine and then copied across to the relevant configuration panes in OpenVPN. The client configuration was not bundled as a package for download directly from the Pfsense web GUI, and instead resided on the workstation where the certificates were originally created. For subsequent OpenVPN clients to be created, the process would have to be re-run each time on the same client machine.

This process is now covered by the Pfsense 2.0 web GUI. The full list of OpenVPN changes is as follows:

OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.
OpenVPN filtering – an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to perform filtering.
OpenVPN client export package – provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user’s certificate and configuration files.
OpenVPN status page with connected client list — can also kill client connections
User authentication and certificate management
RADIUS and LDAP authentication support

I set this up today with my box and tested it out, and it works amazingly well. I can now connect to my home network with my laptop wherever I am and use it to route all my internet traffic through my home network for those times when I am in a public place.
 
I posted an awesome YouTube video of a pfSense OpenVPN road warrior setup a few months ago; I'll see if I can dig it up.

We should get a sticky thread for pfSense how-tos and junk.
 
Bear in mind that IPsec is very troublesome if you're behind NAT.
//Danne
 

Is it? But I am going from my Android to the pfSense box itself. I don't think it does any NAT traversal except for the ISP, which would be Sprint in this case.

I would just use the OpenVPN client, but you need to root your phone for it.

Making rules etc. is still troublesome?
 
I could have sworn I saw OpenVPN apps in the Android Market. They too require root.
 
Great thread. I am having some error messages when it connects to the client. What I am trying to do is connect to the local network, and I think that's causing me some problems. Let's say my router IP is 192.168.1.1 and my DHCP server is serving 192.168.1.200-192.168.1.240; what addresses should I put in for Tunnel Network and Local Network on this screen?
OpenVPN-Wizz-05-Configuration-II.png


I have tried random IPs for the first tunnel and can have it connect, but when I try entering my local LAN IP, say in this case 192.168.1.1/24 or 192.168.1.200/24, I get these errors:

Code:
Fri Oct 14 18:26:04 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
Fri Oct 14 18:26:15 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Oct 14 18:26:15 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Oct 14 18:26:15 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Oct 14 18:26:15 2011 Control Channel Authentication: using 'pfSense-udp-1194-tls.key' as a OpenVPN static key file
Fri Oct 14 18:26:15 2011 LZO compression initialized
Fri Oct 14 18:26:15 2011 UDPv4 link local (bound): [undef]:1194
Fri Oct 14 18:26:15 2011 UDPv4 link remote: 67.242.83.174:1194
Fri Oct 14 18:26:15 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Oct 14 18:26:15 2011 [rappr] Peer Connection Initiated with 67.242.83.174:1194
Fri Oct 14 18:26:17 2011 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Oct 14 18:26:17 2011 open_tun, tt->ipv6=0
Fri Oct 14 18:26:17 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{D937E320-6408-404E-B4D9-7720F35A3C57}.tap
Fri Oct 14 18:26:17 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.60.6/255.255.255.252 on interface {D937E320-6408-404E-B4D9-7720F35A3C57} [DHCP-serv: 192.168.60.5, lease-time: 31536000]
Fri Oct 14 18:26:22 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Fri Oct 14 18:26:22 2011 Warning: address 192.168.1.210 is not a network address in relation to netmask 255.255.255.0
Fri Oct 14 18:26:22 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Fri Oct 14 18:26:22 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Oct 14 18:26:22 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Oct 14 18:26:22 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Fri Oct 14 18:26:22 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Oct 14 18:26:22 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Oct 14 18:26:22 2011 Initialization Sequence Completed

Any suggestions?
 
Run as Administrator!

I had the same problem.

The tunnel address should be anything other than your LAN subnet.
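The two fixes in the reply above (run the client with the right privileges, keep the tunnel pool off the LAN subnet) can be checked before the wizard is committed. The following is an added example written for this thread, not pfSense or OpenVPN code. It takes the wizard's Tunnel Network and Local Network values, applies the rules OpenVPN itself enforces at connect time (the value must be a real network address, and the networks must not overlap), and maps the route lines from the posted Windows log to their causes. The network values are the ones discussed in the thread; the log excerpt is a shortened copy of the one posted above.

```python
"""Pre-flight checks for the pfSense OpenVPN wizard's "Tunnel Network" and
"Local Network" fields, plus a triage of the route errors in the posted log.

Added example for this thread; not pfSense or OpenVPN code.
"""
import ipaddress
import re


def check_networks(tunnel, local, client_lan=None):
    """Return a list of problems with the wizard inputs (empty means OK).

    tunnel     - "Tunnel Network": the pool road warriors are addressed from
    local      - "Local Network": the LAN behind pfSense, pushed to clients as a route
    client_lan - the subnet the road warrior is sitting on, if known
    """
    problems = []
    nets = {}
    for name, cidr in (("tunnel", tunnel), ("local", local), ("client_lan", client_lan)):
        if cidr is None:
            continue
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # 192.168.1.200/24 has host bits set; this is what produces OpenVPN's
            # "is not a network address in relation to netmask" warning.
            nets[name] = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{name} {cidr} is a host address, not a network; use {nets[name]}")

    tun, lan, client = nets.get("tunnel"), nets.get("local"), nets.get("client_lan")
    if tun and lan and tun.overlaps(lan):
        # In routed (tun) mode the tunnel pool must be disjoint from the LAN, otherwise
        # the pushed LAN route fights the tunnel interface's own route.
        problems.append(f"tunnel {tun} overlaps local {lan}; pick an unused private subnet for the tunnel")
    if client and lan and client.overlaps(lan):
        # Same subnet on both ends (192.168.1.0/24 is a very common default): the client
        # cannot tell its coffee-shop LAN from the route pushed by the server.
        problems.append(f"client LAN {client} overlaps local {lan}; renumber the home LAN to something less common")
    if tun and client and tun.overlaps(client):
        problems.append(f"tunnel {tun} overlaps client LAN {client}")
    return problems


# Shortened copy of the client log posted in the thread (Windows, OpenVPN 2.2.0).
SAMPLE_LOG = """\
Fri Oct 14 18:26:22 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Fri Oct 14 18:26:22 2011 Warning: address 192.168.1.210 is not a network address in relation to netmask 255.255.255.0
Fri Oct 14 18:26:22 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Fri Oct 14 18:26:22 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri Oct 14 18:26:22 2011 Initialization Sequence Completed
"""

# (pattern, finding key, what to do about it)
LOG_CHECKS = [
    (re.compile(r"potential route subnet conflict between local LAN \[(\S+)\] and remote VPN \[(\S+)\]"),
     "subnet_conflict", "client LAN and VPN-side network collide; renumber one of them"),
    (re.compile(r"address (\S+) is not a network address in relation to netmask (\S+)"),
     "host_not_network", "Local Network was entered as a host address; enter the network address"),
    (re.compile(r"route addition failed .*Access is denied"),
     "no_privilege", "the client cannot edit the routing table; run the OpenVPN GUI as Administrator"),
    (re.compile(r"Initialization Sequence Completed"),
     "connected", "the tunnel came up anyway; 'connected' does not mean the LAN is reachable"),
]


def triage_log(text):
    """Map each recognised problem in an OpenVPN client log to a fix.

    Returns {finding: (captured values, advice)}. A tunnel reaches
    "Initialization Sequence Completed" even with its routes missing, which is
    why the route lines are inspected rather than only the final status line.
    """
    findings = {}
    for line in text.splitlines():
        for pattern, key, advice in LOG_CHECKS:
            m = pattern.search(line)
            if m and key not in findings:
                findings[key] = (m.groups(), advice)
    return findings


if __name__ == "__main__":
    for p in check_networks("192.168.1.200/24", "192.168.1.0/24", client_lan="192.168.1.0/24"):
        print("wizard:", p)
    for key, (values, advice) in triage_log(SAMPLE_LOG).items():
        print(f"log: {key} {values} -> {advice}")
```

In routed (tun) mode the tunnel network only needs to be a private range that nobody on either end uses; the LAN behind pfSense stays reachable because the server pushes a route to it. The client-LAN check is the one road warriors trip over most: if the hotel or home LAN is also 192.168.1.0/24, the pushed route collides with the client's own interface route, which is exactly the "potential route subnet conflict" warning in the log, and the "Access is denied" lines are the Windows client being unable to install any route at all without elevation.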
 
You're trying to get remote clients to pick up an address on your local LAN subnet? You have to set device mode from "tun" to "tap".

What's odd, though, is that it still requires you to specify a tunnel network. One would assume that if you are FORCED to specify a tunnel network (even though you're doing tap/bridged mode) you would put in the subnet of your local LAN.

When I asked about it on the pfSense forums I was instructed to read the guide, only to find the guide doesn't answer that question. I haven't tried it yet myself. Give it a shot. Let us know how it works.
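Two lines in the client log posted earlier in the thread are worth acting on rather than reading past: "this configuration may cache passwords in memory -- use the auth-nocache option" and the warning about the semantics of --tls-remote (it matches the server certificate's common name by prefix, was deprecated in OpenVPN 2.3 and removed in 2.4). The following is an added example for this thread, not part of pfSense's client export package; it lints a constructed client profile (the server name and file names are placeholders shaped after the file names in the log) for those two settings plus the server-certificate role check, and writes out a hardened copy. verify-x509-name, which replaces tls-remote, exists in OpenVPN 2.3 and later; on the 2.2 client in the log, keep tls-remote and still add remote-cert-tls server.

```python
"""Lint an exported OpenVPN client profile for the settings behind the warnings
in the posted client log, and emit a hardened copy.

Added example for this thread; not pfSense or OpenVPN code.
"""

# Constructed sample shaped after a pfSense 2.0 client export; the server name
# and file names are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
persist-key
persist-tun
pkcs12 pfSense-udp-1194.p12
tls-auth pfSense-udp-1194-tls.key 1
tls-remote pfSense-udp-1194-cert
auth-user-pass
comp-lzo
"""


def parse_ovpn(text):
    """Return {directive: args} for the plain directive lines of an .ovpn file.

    Comment lines (# or ;) are dropped and the contents of inline <ca>...</ca>
    style blocks are skipped, so a certificate line is never read as a directive;
    the block is recorded under its tag, e.g. "<tls-auth>".
    """
    conf, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            conf[line] = []
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def lint_client_config(text):
    """Return {directive: reason} for settings a road-warrior profile should change."""
    conf = parse_ovpn(text)
    findings = {}
    if "auth-user-pass" in conf and "auth-nocache" not in conf:
        findings["auth-nocache"] = ("username/password are kept in process memory for reconnects; "
                                    "add auth-nocache")
    if "tls-remote" in conf:
        findings["tls-remote"] = ("prefix match on the server CN, removed in OpenVPN 2.4; "
                                  "replace with 'verify-x509-name <name> name' on 2.3+")
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        # Without this, any certificate signed by the same CA (including another
        # road warrior's client cert) is accepted as the server.
        findings["remote-cert-tls"] = "no check that the peer presented a server certificate; add remote-cert-tls server"
    if "tls-auth" not in conf and "<tls-auth>" not in conf:
        findings["tls-auth"] = "control channel has no HMAC key; unauthenticated packets reach the TLS code"
    return findings


def harden(text):
    """Apply the lint findings to the profile text and return the new profile."""
    findings = lint_client_config(text)
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "tls-remote" and len(parts) > 1:
            # Type "name" demands an exact CN match instead of tls-remote's prefix match.
            out.append(f"verify-x509-name {parts[1]} name")
        else:
            out.append(raw)
    if "auth-nocache" in findings:
        out.append("auth-nocache")
    if "remote-cert-tls" in findings:
        out.append("remote-cert-tls server")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, reason in lint_client_config(SAMPLE_OVPN).items():
        print(f"{directive}: {reason}")
    print(harden(SAMPLE_OVPN))
```

remote-cert-tls server makes the client insist that the certificate it is handed carries the TLS server key usage, so a stolen or issued client certificate cannot be used to stand up a fake server in front of a road warrior on hostile Wi-Fi; check that the certificate the wizard created for the server is of the server type before enabling it. The tls-auth line stays as the log shows it, since the exported static key is what keeps unauthenticated UDP packets away from the TLS handshake code.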
 