1

I want to configure OpenVPN in pfSense to connect to a private network inside a virtual server. I followed some instructions and read a lot, and I still have the same problem. This is what I did:

  • generate the CA certificate
  • generate the server certificate
  • create a user and generate a certificate for this user
  • configure the outbound NAT for the VPN network (10.0.0.0/24), then apply the wizard
  • the install creates two rules in the firewall to allow the VPN
  • install the OpenVPN export plugin and download the config
  • I tried with Viscosity, the OpenVPN client and Tunnelblick

Now the problem in the client is with the handshake, but I think the problem is in the pfSense firewall: the rule that controls the VPN port shows 0/0 even when I try to connect.

If I scan the port with nmap I get this:

1194/tcp filtered      openvpn
1194/udp open|filtered openvpn

Any ideas?

Well, openvpn.log shows me this:

Dec 21 13:50:55 Firewall openvpn[6124]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
Dec 21 13:50:55 Firewall openvpn[6124]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Dec 21 13:50:55 Firewall openvpn[6222]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Dec 21 13:50:55 Firewall openvpn[6222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 21 13:50:55 Firewall openvpn[6222]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device ovpns1 exists previously, keep at program end
Dec 21 13:50:55 Firewall openvpn[6222]: TUN/TAP device /dev/tun1 opened
Dec 21 13:50:55 Firewall openvpn[6222]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Dec 21 13:50:55 Firewall openvpn[6222]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 21 13:50:55 Firewall openvpn[6222]: /sbin/ifconfig ovpns1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.0 up
Dec 21 13:50:55 Firewall openvpn[6222]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.0.1 255.255.255.0 init
Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link local (bound): [AF_INET]XX.XXX.XXX.XXX:1194
Dec 21 13:50:55 Firewall openvpn[6222]: UDPv4 link remote: [undef]
Dec 21 13:50:55 Firewall openvpn[6222]: Initialization Sequence Completed

You can see a warning, but I don't understand what it means. The other log, filter.log, shows a lot of information, but I grep for vpn and 1194 and get nothing. What exactly should I be looking for? Sorry for this, but it's my first try with a VPN and I'm not sure what to do.

After trying:

tcpdump -n -e -ttt -i pflog0

I get nothing after 15 minutes of trying the OpenVPN client:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

But if I make a port scan with nmap I get this:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 5..16777216/0(match): block in on vmx0: IP8 bad-len 0
00:00:00.002001 rule 5..16777216/0(match): block in on vmx0: IP1 bad-len 0
00:01:09.092480 rule 5..16777216/0(match): block in on vmx0: IP10 bad-len 0
00:00:00.001754 rule 5..16777216/0(match): block in on vmx0: IP12 bad-len 0

8 packets captured
8 packets received by filter
0 packets dropped by kernel

The firewall doesn't receive any packet on port 1194, where the OpenVPN server is listening. Is there some way to test the port, or some way to send packets to port 1194 and see if it is working?

Well, I checked the configuration and I think it's OK. This is it:

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local XXX.XXX.XXX.XXX #public ip
tls-server
server 10.0.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Server_CRT' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet

If I execute sockstat | grep 1194 it looks like it's working:

root     openvpn    84783 6  udp4   XXX.XXX.XXX.XXX:1194    *:*

I think we are getting somewhere. Now in the OpenVPN log, when I try to connect a client, I see this:

Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jan 14 22:30:16 Firewall openvpn[73374]: MANAGEMENT: CMD 'status 2'
Jan 14 22:30:17 Firewall openvpn[73374]: MULTI: REAP range 176 -> 192
Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: CMD 'quit'
Jan 14 22:30:17 Firewall openvpn[73374]: MANAGEMENT: Client disconnected

And in the client I see this:

Jan 14 22:31:14: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Jan 14 22:32:14: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 14 22:32:14: TLS Error: TLS handshake failed
Jan 14 22:32:14: SIGUSR1[soft,tls-error] received, process restarting
Jan 14 22:32:15: UDPv4 link local (bound): [undef]
Jan 14 22:32:15: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Julio

2 Answers

0

The best way to find out if it is the firewall is to look at its log.

Edit: I meant you should look at the pf log. pf should log any rejections it makes and this might confirm or reject your suspicion that it is the firewall. I've not used pfsense but looking at the pf log on FreeBSD would go like this: tcpdump -n -e -ttt -r /var/log/pflog or you can watch it in real time with tcpdump -n -e -ttt -i pflog0 .

hotkarl
-2

Well, after talking with my server provider and checking their network, everything is running fine. They were using a firewall in front of my server. Thanks everyone for helping me!

Julio