The configuration you're trying to use in pfSense is TLS Authentication, which is a static (shared) TLS key.

In the Server Mode box, you need to select SSL/TLS or SSL/TLS User authentication. You will need to configure your CA and OpenVPN server keys under the System->Cert Manager settings.

On 1/18/2015 2:47 AM, Randy Bush wrote:
> trying to get viscosity to connect to pfsense openvpn server.
>
> i have viscosity clients running happily with freebsd openvpn server(s).
> i am trying to add or move to pfsense servers. i want to keep the
> client cert structure because of pola. i also want to keep using the
> same certs on multiple servers scattered around the world.
>
> as far as i know, there are the following certs/keys. names vary widely
> (presumably to reach the level of name confusion provided by IPsec), so
> i will try to define and use some unambiguous terms.
>
> RootCA Key - my root CA with which the web site EE TLS cert is signed
> RootCA Cert - the public key by which one can verify these certs
>
> TLS EE Cert - EE cert for the pfsense web site, signed by RootCA key
> TLS EE Key - EE cert's private key
>
> [ the RootCA and TLS EE cert/key are not used by OpenVPN, but only by
> the pfSense web configurator for TLS on 443. ]
>
> OpenVPN CA Key - private key which signs end user OpenVPN Client Certs
> OpenVPN CA Cert - public key by which one can verify OpenVPN Client Certs
>
> OpenVPN Client Key - client's private key
> OpenVPN Client Cert - client's cert signed by OpenVPN CA Key
>
> OpenVPN Server Key - private key for OpenVPN TLS auth and crypt
> OpenVPN Server Cert - public key for OpenVPN TLS auth and crypt
>
> the freebsd openvpn servers are configured with
> ca ca.crt # the OpenVPN CA Cert
> cert server.crt # the OpenVPN Server Cert
> key server.key # the OpenVPN Server Key
>
> a viscosity client is configured with
> CA: OpenVPN CA Cert (authenticates server)
> Cert: OpenVPN Client Cert (authenticates client to server)
> Key: OpenVPN Client Key (proves client owns OpenVPN Client Cert)
>
> the pfSense OpenVPN server asks me to fill in:
> TLS Authentication: some "static key" only ghu knows what/why
> Peer Certificate Authority: OpenVPN Key/Cert? (but this is a server,
> no peers)
> Server Certificate: is this the OpenVPN Server Cert?
>
> the pfsense server is configured to use BF-CBC, the default for openvpn,
> i believe, and the default for viscosity. changing pfSense config to
> pfSense default, AES-128 has same result.
>
> can someone with pfSense fu tell me what to plug into the pfSense
> OpenVPN config? thanks!
>
> randy
>
>
> viscosity log (in jst)
>
> Jan 18 17:34:26: Viscosity Mac 1.5.3 (1255)
> Jan 18 17:34:26: Viscosity OpenVPN Engine Started
> Jan 18 17:34:26: Running on Mac OS X 10.10.1
> Jan 18 17:34:26: ---------
> Jan 18 17:34:26: Checking reachability status of connection...
> Jan 18 17:34:26: Connection is reachable. Starting connection attempt.
> Jan 18 17:34:26: OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO]
> [PKCS11] [MH] [IPv6] built on Dec 3 2014
> Jan 18 17:34:26: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
>
> and then it just stops, icon goes back from orange to red
>
> pfSense openvpn log (in gmt)
>
> Jan 18 08:34:02 openvpn[24832]: event_wait : Interrupted system call
> (code=4)
> Jan 18 08:34:02 openvpn[24832]: /usr/local/sbin/ovpn-linkdown ovpns1
> 1500 1541 10.0.1.1 10.0.1.2 init
> Jan 18 08:34:02 openvpn[24832]: SIGTERM[hard,] received, process exiting
> Jan 18 08:34:02 openvpn[82359]: OpenVPN 2.3.3 i386-portbld-freebsd8.3
> [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
> Jan 18 08:34:02 openvpn[82359]: NOTE: the current --script-security
> setting may allow this configuration to call user-defined scripts
> Jan 18 08:34:03 openvpn[82359]: Control Channel Authentication: using
> '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
> Jan 18 08:34:03 openvpn[82359]: TUN/TAP device ovpns1 exists
> previously, keep at program end
> Jan 18 08:34:03 openvpn[82359]: TUN/TAP device /dev/tun1 opened
> Jan 18 08:34:03 openvpn[82359]: do_ifconfig, tt->ipv6=1,
> tt->did_ifconfig_ipv6_setup=0
> Jan 18 08:34:03 openvpn[82359]: /sbin/ifconfig ovpns1 10.0.1.1 10.0.1.2
> mtu 1500 netmask 255.255.255.255 up
> Jan 18 08:34:03 openvpn[82359]: /usr/local/sbin/ovpn-linkup ovpns1 1500
> 1541 10.0.1.1 10.0.1.2 init
> Jan 18 08:34:03 openvpn[83545]: UDPv4 link local (bound):
> [AF_INET]210.130.165.143:80
> Jan 18 08:34:03 openvpn[83545]: UDPv4 link remote: [undef]
> Jan 18 08:34:03 openvpn[83545]: Initialization Sequence Completed
>
> i.e. nothing.
>
> -30-
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold!
> https://pfsense.org/gold
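As an added example (not part of the thread, and not pfSense's own tooling), a small openssl script that builds a throwaway PKI under the names used in the post and runs the checks that tell you which pfSense field each file belongs in: every client cert must verify against the CA chosen as Peer Certificate Authority, the Server Certificate's cert and key must match, and the TLS Authentication box takes a separate "OpenVPN Static key" file rather than any certificate. All file names, the `other-ca` used to show a mismatch, and the dummy `ta.key` body are constructed for this example.

```shell
# Added example: throwaway OpenVPN-style PKI plus the pre-upload checks for
# the pfSense fields discussed in the thread:
#   Peer Certificate Authority  <- OpenVPN CA Cert          (ca.crt)
#   Server Certificate          <- OpenVPN Server Cert/Key  (server.crt, server.key)
#   TLS Authentication          <- a separate static HMAC key (ta.key), not a cert
set -u
WORK=$(mktemp -d)

# Constructed test PKI: one OpenVPN CA, a server cert and a client cert it signed,
# plus a second, unrelated CA to show what a mismatch looks like.
make_pki() {
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=$ca" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" 2>/dev/null
  done
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
    openssl x509 -req -days 10 -in "$WORK/$n.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$n.crt" 2>/dev/null
  done
  # Constructed stand-in for `openvpn --genkey --secret ta.key`: real header,
  # dummy body, so the classifier below has something to recognise.
  printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' \
    '00000000000000000000000000000000' '-----END OpenVPN Static key V1-----' \
    > "$WORK/ta.key"
}

# Does $2 chain to the CA in $1?  pfSense's Peer CA must satisfy this for every
# client cert, and the CA that issued the server cert must satisfy it too.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Do a cert ($1) and a private key ($2) belong together?  Compare public keys.
key_matches() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Which pfSense field a PEM file is for, judged by its first line.
pem_kind() {
  case "$(head -n1 "$1")" in
    *"BEGIN CERTIFICATE"*)         echo cert ;;      # CA cert or server cert
    *"BEGIN OpenVPN Static key"*)  echo tls-auth ;;  # TLS Authentication box
    *"PRIVATE KEY"*)               echo key ;;       # server/client private key
    *)                             echo unknown ;;
  esac
}
```

A client cert that fails `issued_by` against the selected Peer CA is the usual reason a handshake dies silently on the server side, which is worth ruling out before touching the cipher settings.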
