> Hello-
>
> I'm having a problem with the OpenVPN configuration. Each time I attempt
> to set up OpenVPN on pfsense, I no longer can ping 8.8.8.8.
>
> Here's what I did.
>
> I imported the pfsense certificate authority certificate and key (ca.crt &
> ca.key) into the Cert Manager CA Authority tab from our older Linux-based
> router which used easyrsa to generate those certificates/keys. Then I went
> to the client certificate tab and imported Firewall.crt & Firewall.key
> from our Linux-based router to a 'Firewall' certificate entry. I also
> imported a client certificate and key into a new client certificate entry
> called DougSampson.
>
> I went to the OpenVPN configuration and imported the contents of the
> ta.key into the TLS-Authentication box. For the Peer Certificate Authority
> I chose the Firewall Certificate Authority certificate (ca.crt in this
> case) and for the Peer Certificate Revocation List I chose the Firewall
> Certificate Authority entry (we didn't employ a CRL list on our Linux-based
> router). For the Server Certificate, I chose the Firewall server
> certificate (in this case, the Firewall.crt) for the Server Certificate
> box. I chose 1024 bits for the DH Parameter Length. We had a dh1024.pem
> file from our Linux-based router but didn't know where to put it- there's
> no box for selecting the dh1024.pem file. It currently sits in the
> /root/easyrsa4pfsense/keys folder.
>
> POSTSCRIPT: I now notice 'dh /etc/dh-parameters.1024' in server1.conf.
> Should I replace the contents of that file with the contents from the
> /root/easyrsa4pfsense/keys/dh1024.pem?
>
> The contents of server1.conf are as follows:
>
> dev ovpns1
> dev-type tun
> dev-node /dev/tun1
> writepid /var/run/openvpn_server1.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher BF-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local 69.xxx.xxx.xxx
> tls-server
> server 10.0.8.0 255.255.255.0
> client-config-dir /var/etc/openvpn-csc
> tls-verify /var/etc/openvpn/server1.tls-verify.php
> lport 1194
> management /var/etc/openvpn/server1.sock unix
> max-clients 5
> push "route 192.168.101.0 255.255.255.0"
> push "dhcp-option DOMAIN dawnsign.com"
> push "dhcp-option DNS 192.168.101.1"
> push "dhcp-option DNS 192.168.101.4"
> push "dhcp-option DNS 192.168.101.7"
> push "dhcp-option DNS 192.168.101.254"
> push "dhcp-option NTP 192.168.101.254"
> push "dhcp-option NTP 192.168.101.4"
> push "dhcp-option WINS 192.168.101.4"
> client-to-client
> ca /var/etc/openvpn/server1.ca
> cert /var/etc/openvpn/server1.cert
> key /var/etc/openvpn/server1.key
> dh /etc/dh-parameters.1024
> crl-verify /var/etc/openvpn/server1.crl-verify
> tls-auth /var/etc/openvpn/server1.tls-auth 0
> comp-lzo
> passtos
> persist-remote-ip
> float
> push "route 192.168.102.0 255.255.255.0"
>
> Content of client.ovpn:
>
> client
> dev tun
> proto udp
> remote 69.xxx.xxx.xxx 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert DougSampson.crt
> key DougSampson.key
> tls-auth ta.key 1
> comp-lzo
> verb 3
>
> The client config file worked just fine with our existing Linux-based
> router running OpenVPN.
>
> Now when I try to connect, it fails with a TLS handshake error. Here is
> what the openvpn.log spits out:
>
> Feb 28 10:07:05 pfsense openvpn[11729]: event_wait : Interrupted system call (code=4)
> Feb 28 10:07:05 pfsense openvpn[11729]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
> Feb 28 10:07:05 pfsense openvpn[11729]: SIGTERM[hard,] received, process exiting
> Feb 28 10:07:05 pfsense openvpn[48656]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012
> Feb 28 10:07:05 pfsense openvpn[48656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Feb 28 10:07:05 pfsense openvpn[48656]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
> Feb 28 10:07:05 pfsense openvpn[48656]: TUN/TAP device /dev/tun1 opened
> Feb 28 10:07:05 pfsense openvpn[48656]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
> Feb 28 10:07:05 pfsense openvpn[48656]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
> Feb 28 10:07:05 pfsense openvpn[48656]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
> Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link local (bound): [AF_INET]69.xxx.xxx.xxx:1194
> Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link remote: [undef]
> Feb 28 10:07:05 pfsense openvpn[50174]: Initialization Sequence Completed
> Feb 28 10:08:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 Re-using SSL/TLS context
> Feb 28 10:08:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 LZO compression initialized
> Feb 28 10:09:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> Feb 28 10:09:06 pfsense openvpn[50174]: <OVPN client IP Addr>:51681 TLS Error: TLS handshake failed
>
> Moreover, the pfsense server stops being able to ping! After rebooting,
> I'm unable to ping at all.
>
> It looks like there is a misconfiguration error somewhere in there and I
> cannot figure it out. Can anyone spot any errors? I notice that in the
> server1.conf file, the cipher is specified but it is not specified in the
> client config file. Is this an error? Are there any other errors?
>
> ~Doug
When I create an OpenVPN server from scratch using new certificates/keys created using the Certificate manager, I'm able to create a working OpenVPN configuration. It looks like my easyrsa importation scheme leaves something to be desired!

_______________________________________________
List mailing list
http://lists.pfsense.org/mailman/listinfo/list
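Before blaming imported certificates for a "TLS handshake failed", it is worth checking the settings on which the two config files must agree for the handshake to start at all: protocol, port, tls-auth key direction, data-channel cipher, compression and device type. The script below is an added example for this thread, not pfSense or OpenVPN project code; it parses trimmed copies of the server1.conf and client.ovpn quoted above and reports mismatches. Two facts it encodes: a client with no `cipher` line uses the OpenVPN 2.x default BF-CBC, so the explicit `cipher BF-CBC` on the server side of this thread is matched, not mismatched; and `tls-auth` directions must be 0 on one side and 1 on the other (or omitted on both), since a flipped direction makes the peer reject every control-channel packet at the HMAC check and produces the same "TLS key negotiation failed to occur within 60 seconds" timeout as a firewall or routing problem between the peers. The `dh` file is read by the server only, so it has no client-side counterpart to compare against.

```python
import shlex
from collections import defaultdict

# OpenVPN 2.2/2.3 default data-channel cipher when no 'cipher' line is present.
DEFAULT_CIPHER = "BF-CBC"

# Sample input: server1.conf and client.ovpn as quoted in the thread, trimmed to
# the lines these checks read (constructed copies of the posted text).
SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
cipher BF-CBC
server 10.0.8.0 255.255.255.0
lport 1194
push "route 192.168.101.0 255.255.255.0"
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 69.xxx.xxx.xxx 1194
ca ca.crt
tls-auth ta.key 1
comp-lzo
"""
# Constructed variant: the same client with the tls-auth key direction flipped,
# so the server's HMAC check rejects every control-channel packet before TLS starts.
CLIENT_CONF_BAD_DIRECTION = CLIENT_CONF.replace("tls-auth ta.key 1", "tls-auth ta.key 0")

def parse_openvpn_config(text):
    """Return {option: [argument lists]}, keeping repeated options such as push in order."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps push "route ..." as one argument
            opts[parts[0]].append(parts[1:])
    return opts

def first_arg(opts, name, index=0, default=None):
    """Argument `index` of the first `name` line, or `default` when absent."""
    occurrences = opts.get(name)
    if not occurrences or len(occurrences[0]) <= index:
        return default
    return occurrences[0][index]

def normalize_proto(proto):
    """udp, udp6, tcp-server, tcp4-client ... -> 'udp' or 'tcp'."""
    return proto.split("-")[0].rstrip("46")

def effective_cipher(opts):
    """The data-channel cipher actually used, applying the 2.x default."""
    return first_arg(opts, "cipher", default=DEFAULT_CIPHER).upper()

def dev_type(opts):
    """Explicit dev-type, else inferred from a tunN/tapN name, else None."""
    dev = first_arg(opts, "dev") or ""
    return first_arg(opts, "dev-type") or (dev[:3] if dev[:3] in ("tun", "tap") else None)

def check_pair(server, client):
    """List the handshake-relevant settings on which server and client disagree."""
    problems = []
    sp = first_arg(server, "proto", default="udp")
    cp = first_arg(client, "proto", default="udp")
    if normalize_proto(sp) != normalize_proto(cp):
        problems.append(f"proto mismatch: server {sp}, client {cp}")
    sport = first_arg(server, "lport") or first_arg(server, "port") or "1194"
    cport = first_arg(client, "remote", 1) or first_arg(client, "port") or "1194"
    if sport != cport:
        problems.append(f"port mismatch: server listens on {sport}, client uses {cport}")
    # tls-auth: both sides or neither; directions must be 0/1 or omitted on both.
    if ("tls-auth" in server) != ("tls-auth" in client):
        problems.append("tls-auth configured on one side only")
    elif "tls-auth" in server:
        dirs = (first_arg(server, "tls-auth", 1), first_arg(client, "tls-auth", 1))
        if dirs not in {("0", "1"), ("1", "0"), (None, None)}:
            problems.append(f"tls-auth key direction mismatch: server {dirs[0]}, client {dirs[1]}")
    if effective_cipher(server) != effective_cipher(client):
        problems.append(f"cipher mismatch: server {effective_cipher(server)}, client {effective_cipher(client)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo configured on one side only")
    sdev, cdev = dev_type(server), dev_type(client)
    if sdev and cdev and sdev != cdev:
        problems.append(f"device type mismatch: server {sdev}, client {cdev}")
    return problems

if __name__ == "__main__":
    server = parse_openvpn_config(SERVER_CONF)
    for label, text in (("as posted", CLIENT_CONF), ("direction flipped", CLIENT_CONF_BAD_DIRECTION)):
        print(label + ":", check_pair(server, parse_openvpn_config(text)) or "no mismatches")
```

Run against the configs as posted, the checker reports no mismatches, which points the investigation away from the two config files and toward the certificate import and the host's own connectivity (the box cannot ping 8.8.8.8, and the log shows the server receiving the client's first packet but the negotiation never completing). Run against the flipped-direction variant, it reports only the tls-auth direction mismatch.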
