Hello- I'm having a problem with the OpenVPN configuration. Each time I attempt to set up OpenVPN on pfsense, I no longer can ping 8.8.8.8.
Here's what I did. I imported the pfsense certificate authority certificate and key (ca.crt & ca.key) into the Cert Manager CA Authority tab from our older Linux-based router which used easyrsa to generate those certificates/keys. Then I went to the client certificate tab and imported Firewall.crt & Firewall.key from our Linux-based router to a 'Firewall' certificate entry. I also imported a client certificate and key into a new client certificate entry called DougSampson. I went to the OpenVPN configuration and imported the contents of the ta.key into the TLS-Authentication box. For the Peer Certificate Authority I chose the Firewall Certificate Authority certificate (ca.crt in this case) and for the Peer Certificate Revocation List I chose the Firewall Certificate Authority entry (we didn't employ a CRL list on our Linux-based router). For the Server Certificate, I chose the Firewall server certificate (in this case, the Firewall.crt) for the Server Certificate box. I chose 1024 bits for the DH Parameter Length. We had a dh1024.pem file from our Linux-based router but didn't know where to put it- there's no box for selecting the dh1024.pem file. It currently sits in the /root/easyrsa4pfsense/keys folder.

POSTSCRIPT: I now notice 'dh /etc/dh-parameters.1024' in server1.conf. Should I replace the contents of that file with the contents from the /root/easyrsa4pfsense/keys/dh1024.pem?
The contents of server1.conf are as follows:

  dev ovpns1
  dev-type tun
  dev-node /dev/tun1
  writepid /var/run/openvpn_server1.pid
  #user nobody
  #group nobody
  script-security 3
  daemon
  keepalive 10 60
  ping-timer-rem
  persist-tun
  persist-key
  proto udp
  cipher BF-CBC
  up /usr/local/sbin/ovpn-linkup
  down /usr/local/sbin/ovpn-linkdown
  local 69.xxx.xxx.xxx
  tls-server
  server 10.0.8.0 255.255.255.0
  client-config-dir /var/etc/openvpn-csc
  tls-verify /var/etc/openvpn/server1.tls-verify.php
  lport 1194
  management /var/etc/openvpn/server1.sock unix
  max-clients 5
  push "route 192.168.101.0 255.255.255.0"
  push "dhcp-option DOMAIN dawnsign.com"
  push "dhcp-option DNS 192.168.101.1"
  push "dhcp-option DNS 192.168.101.4"
  push "dhcp-option DNS 192.168.101.7"
  push "dhcp-option DNS 192.168.101.254"
  push "dhcp-option NTP 192.168.101.254"
  push "dhcp-option NTP 192.168.101.4"
  push "dhcp-option WINS 192.168.101.4"
  client-to-client
  ca /var/etc/openvpn/server1.ca
  cert /var/etc/openvpn/server1.cert
  key /var/etc/openvpn/server1.key
  dh /etc/dh-parameters.1024
  crl-verify /var/etc/openvpn/server1.crl-verify
  tls-auth /var/etc/openvpn/server1.tls-auth 0
  comp-lzo
  passtos
  persist-remote-ip
  float
  push "route 192.168.102.0 255.255.255.0"

Content of client.ovpn:

  client
  dev tun
  proto udp
  remote 69.xxx.xxx.xxx 1194
  resolve-retry infinite
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert DougSampson.crt
  key DougSampson.key
  tls-auth ta.key 1
  comp-lzo
  verb 3

The client config file worked just fine with our existing Linux-based router running OpenVPN. Now when I try to connect, it fails with a TLS handshake error.
Here is what the openvpn.log spits out:

  Feb 28 10:07:05 pfsense openvpn[11729]: event_wait : Interrupted system call (code=4)
  Feb 28 10:07:05 pfsense openvpn[11729]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
  Feb 28 10:07:05 pfsense openvpn[11729]: SIGTERM[hard,] received, process exiting
  Feb 28 10:07:05 pfsense openvpn[48656]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012
  Feb 28 10:07:05 pfsense openvpn[48656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  Feb 28 10:07:05 pfsense openvpn[48656]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
  Feb 28 10:07:05 pfsense openvpn[48656]: TUN/TAP device /dev/tun1 opened
  Feb 28 10:07:05 pfsense openvpn[48656]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
  Feb 28 10:07:05 pfsense openvpn[48656]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
  Feb 28 10:07:05 pfsense openvpn[48656]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
  Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link local (bound): [AF_INET]69.xxx.xxx.xxx:1194
  Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link remote: [undef]
  Feb 28 10:07:05 pfsense openvpn[50174]: Initialization Sequence Completed
  Feb 28 10:08:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 Re-using SSL/TLS context
  Feb 28 10:08:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 LZO compression initialized
  Feb 28 10:09:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
  Feb 28 10:09:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 TLS Error: TLS handshake failed

Moreover, the pfsense server stops being able to ping! After rebooting, I'm unable to ping at all.
It looks like there is a misconfiguration error somewhere in there and I cannot figure it out. Can anyone spot any errors? I notice that in the server1.conf file, the cipher is specified but it is not specified in the client config file. Is this an error? Are there any other errors? ~Doug
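An added consistency check, not from the original post or from pfSense, that cross-checks the directives which must agree between a server config and a client profile; the excerpts inside are constructed from the server1.conf and client.ovpn quoted above. It shows that a client with no cipher line falls back to OpenVPN 2.2's default BF-CBC, the same cipher the server sets, so that difference alone is not a mismatch, while a wrong tls-auth key-direction or a one-sided comp-lzo is.

```python
# Constructed excerpts of the server1.conf and client.ovpn quoted in the post.
SERVER_CONF = """proto udp
cipher BF-CBC
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
"""
CLIENT_CONF = """client
proto udp
remote 69.xxx.xxx.xxx 1194
tls-auth ta.key 1
comp-lzo
"""
DEFAULT_CIPHER = "BF-CBC"  # OpenVPN 2.2's default when 'cipher' is omitted

def parse(conf):
    """Map each directive to its argument list; comments stripped, first hit wins."""
    opts = {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            opts.setdefault(words[0], words[1:])
    return opts

def check(server_conf, client_conf):
    """Return (errors, warnings) for settings that must match on both ends."""
    s, c = parse(server_conf), parse(client_conf)
    errors, warnings = [], []
    # Port: server 'lport'/'port' must equal the port in the client's 'remote'.
    sport = (s.get("lport") or s.get("port") or ["1194"])[0]
    cport = c["remote"][1] if len(c.get("remote", [])) > 1 else "1194"
    if sport != cport:
        errors.append(f"server listens on {sport} but client dials {cport}")
    # Cipher: a missing 'cipher' line means the built-in default, not 'none'.
    scipher = s.get("cipher", [DEFAULT_CIPHER])[0]
    ccipher = c.get("cipher", [DEFAULT_CIPHER])[0]
    if scipher != ccipher:
        errors.append(f"cipher mismatch: server {scipher}, client {ccipher}")
    if scipher == "BF-CBC":
        warnings.append("BF-CBC is a 64-bit block cipher; prefer an AES cipher")
    # tls-auth: both sides need it, with complementary key-directions 0 and 1.
    sta, cta = s.get("tls-auth"), c.get("tls-auth")
    if bool(sta) != bool(cta):
        errors.append("tls-auth configured on only one side")
    elif sta and cta:
        sdir, cdir = (sta + [None])[1], (cta + [None])[1]  # None = bidirectional
        if (sdir, cdir) != (None, None) and {sdir, cdir} != {"0", "1"}:
            errors.append(f"tls-auth key-direction must be 0/1, got {sdir}/{cdir}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        errors.append("comp-lzo set on only one side")
    return errors, warnings
```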
