trying to get viscosity to connect to pfsense openvpn server.

i have viscosity clients running happily with freebsd openvpn server(s).
i am trying to add or move to pfsense servers.  i want to keep the
client cert structure because of pola.  i also want to keep using the
same certs on multiple servers scattered around the world.

as far as i know, there are the following certs/keys.  names vary widely
(presumably to reach the level of name confusion provided by IPsec), so
i will try to define and use some unambiguous terms.

  RootCA Key - my root CA with which the web site EE TLS cert is signed
  RootCA Cert - the public key by which one can verify these certs

  TLS EE Cert - EE cert for the pfsense web site, signed by RootCA key
  TLS EE Key - EE cert's private key

  [ the RootCA and TLS EE cert/key are not used by OpenVPN , but only by
    the pfSense web configurator for TLS on 443. ]

  OpenVPN CA Key - private key which signs end user OpenVPN Client Certs
  OpenVPN CA Cert - public key by which one can verify OpenVPN Client Certs

  OpenVPN Client Key - client's private key
  OpenVPN Client Cert - client's cert signed by OpenVPN CA Key

  OpenVPN Server Key - private key for OpenVPN TLS auth and crypt
  OpenVPN Server Cert - public key for OpenVPN TLS auth and crypt

the freebsd openvpn servers are configured with
  ca ca.crt        # the OpenVPN CA Cert
  cert server.crt  # the OpenVPN Server Cert
  key server.key   # the OpenVPN Server Key

a viscosity client is configured with
  CA: OpenVPN CA Cert (authenticates server)
  Cert: OpenVPN Client Cert (authenticates client to server)
  Key: OpenVPN Client Key (proves client owns OpenVPN Client Cert)

the pfSense OpenVPN server asks me to fill in:
  TLS Authentication: some "static key" only ghu knows what/why
  Peer Certificate Authority: OpenVPN Key/Cert?  (but this is a server,
                              no peers)
  Server Certificate: is this the OpenVPN Server Cert?

the pfsense server is configured to use BF-CBC, the default for openvpn,
i believe, and the default for viscosity.  changing pfSense config to
pfSense default, AES-128 has same result.

can someone with pfSense fu tell me what to plug into the pfSense
OpenVPN config?  thanks!

randy


viscosity log (in jst)

    Jan 18 17:34:26: Viscosity Mac 1.5.3 (1255)
    Jan 18 17:34:26: Viscosity OpenVPN Engine Started
    Jan 18 17:34:26: Running on Mac OS X 10.10.1
    Jan 18 17:34:26: ---------
    Jan 18 17:34:26: Checking reachability status of connection...
    Jan 18 17:34:26: Connection is reachable. Starting connection attempt.
    Jan 18 17:34:26: OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  3 2014
    Jan 18 17:34:26: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08

and then it just stops, icon goes back from orange to red

pfSense openvpn log (in gmt)

    Jan 18 08:34:02     openvpn[24832]: event_wait : Interrupted system call (code=4)
    Jan 18 08:34:02     openvpn[24832]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1541 10.0.1.1 10.0.1.2 init
    Jan 18 08:34:02     openvpn[24832]: SIGTERM[hard,] received, process exiting
    Jan 18 08:34:02     openvpn[82359]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 18 08:34:02     openvpn[82359]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 18 08:34:03     openvpn[82359]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jan 18 08:34:03     openvpn[82359]: TUN/TAP device ovpns1 exists previously, keep at program end
    Jan 18 08:34:03     openvpn[82359]: TUN/TAP device /dev/tun1 opened
    Jan 18 08:34:03     openvpn[82359]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 18 08:34:03     openvpn[82359]: /sbin/ifconfig ovpns1 10.0.1.1 10.0.1.2 mtu 1500 netmask 255.255.255.255 up
    Jan 18 08:34:03     openvpn[82359]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1541 10.0.1.1 10.0.1.2 init
    Jan 18 08:34:03     openvpn[83545]: UDPv4 link local (bound): [AF_INET]210.130.165.143:80
    Jan 18 08:34:03     openvpn[83545]: UDPv4 link remote: [undef]
    Jan 18 08:34:03     openvpn[83545]: Initialization Sequence Completed

i.e. nothing.

-30-
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
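The certificate roles listed in the post, as an added worked example in Go; this is editor-supplied illustration, not code from Randy's message, from pfSense or from Viscosity. It generates the OpenVPN CA, Server and Client material the post describes, plus the separate web-GUI RootCA, and checks the two properties that have to hold whatever the GUI calls its fields: each end-entity cert chains to the OpenVPN CA (and not to the RootCA that only signs the web configurator's TLS cert) with the right extended key usage, and each private key actually belongs to its cert. In pfSense terms, "Peer Certificate Authority" is the CA the server validates client certs against (the post's OpenVPN CA Cert, i.e. `ca ca.crt`), and "Server Certificate" is a cert/key pair issued under that same CA (`cert`/`key`). The block also parses the tls-auth key file format that the pfSense log shows being loaded (`server1.tls-auth`): OpenVPN's "TLS Authentication" static key is a 2048-bit pre-shared key that HMACs every control-channel packet, so the same file must be given to each client (Viscosity's TLS-Auth setting, with key direction 1 where the server uses 0) or the client is rejected before the TLS handshake begins. The common names `pfsense-ovpn` and `randy`, and `SampleStaticKey` (same 32 hex digits on every line, not a real key), are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Material is one cert/key pair from the post's list (CA, server or client).
type Material struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // key generation or signing only fails if the crypto source is broken
	}
}

// issue mints a P-256 key and a cert for it; parent == nil gives a self-signed CA,
// otherwise the cert is signed by the parent CA's private key (the "CA Key" of the post).
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *Material) Material {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku} // serverAuth or clientAuth, never both
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return Material{cert, key}
}

// BuildPKI generates the post's OpenVPN CA / Server / Client, plus the web-GUI RootCA
// that OpenVPN must not be pointed at (constructed names, not from the post).
func BuildPKI() (ca, server, client, webRoot Material) {
	ca = issue("OpenVPN CA", true, 0, nil)
	server = issue("pfsense-ovpn", false, x509.ExtKeyUsageServerAuth, &ca)
	client = issue("randy", false, x509.ExtKeyUsageClientAuth, &ca)
	webRoot = issue("RootCA (web GUI only)", true, 0, nil)
	return
}

// VerifyPeer is the check each side makes on the other's cert: does it chain to the
// given CA and carry the expected extended key usage (clientAuth or serverAuth)?
func VerifyPeer(ca, leaf *x509.Certificate, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// KeyMatchesCert catches pairing one role's private key with another role's cert.
func KeyMatchesCert(m Material) bool {
	pub, ok := m.Cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&m.Key.PublicKey)
}

const staticKeyBytes = 256 // `openvpn --genkey --secret` writes a 2048-bit key

// SampleStaticKey is a constructed tls-auth file, NOT a real key (every line is the
// same): OpenVPN's format is 16 lines of 32 hex digits between the armor lines.
var SampleStaticKey = "#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n" +
	strings.Repeat("0123456789abcdef0123456789abcdef\n", 16) +
	"-----END OpenVPN Static key V1-----\n"

// ParseStaticKey strips comments and armor and insists on exactly 256 key bytes,
// which is what the tls-auth file handed to both server and client must contain.
func ParseStaticKey(s string) ([]byte, error) {
	var hexPart strings.Builder
	for _, line := range strings.Split(s, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-----") {
			continue
		}
		hexPart.WriteString(line)
	}
	raw, err := hex.DecodeString(hexPart.String())
	if err != nil {
		return nil, err
	}
	if len(raw) != staticKeyBytes {
		return nil, fmt.Errorf("static key is %d bytes, want %d", len(raw), staticKeyBytes)
	}
	return raw, nil
}
```

`VerifyPeer(ca.Cert, client.Cert, x509.ExtKeyUsageClientAuth)` is what the server does with whatever is in its "Peer Certificate Authority" slot; running the same call with the web RootCA fails, which is the practical reason the post's two CA hierarchies must not be mixed up in the GUI. The EKU argument matters as well: a client cert issued without serverAuth cannot be dropped into the "Server Certificate" slot.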