Hello-
I'm having a problem with the OpenVPN configuration. Each time I attempt to set
up OpenVPN on pfsense, I can no longer ping 8.8.8.8.
Here's what I did.
I imported the pfsense certificate authority certificate and key (ca.crt
ca.key) into the Cert Manager CA Authority tab from our older Linux-based
router which used easyrsa to generate those certificates/keys. Then I went to
the client certificate tab and imported Firewall.crt Firewall.key from our
Linux-based router to a 'Firewall' certificate entry. I also imported a client
certificate and key into a new client certificate entry called DougSampson.
I went to the OpenVPN configuration and imported the contents of the ta.key
into the TLS-Authentication box. For the Peer Certificate Authority I chose the
Firewall Certificate Authority certificate (ca.crt in this case) and for the
Peer Certificate Revocation List I chose the Firewall Certificate Authority
entry (we didn't employ a CRL list on our Linux-based router). For the Server
Certificate, I chose the Firewall server certificate (in this case, the
Firewall.crt) for the Server Certificate box. I chose 1024 bits for the DH
Parameter Length. We had a dh1024.pem file from our Linux-based router but
didn't know where to put it; there's no box for selecting the dh1024.pem file.
It currently sits in the /root/easyrsa4pfsense/keys folder. POSTSCRIPT: I now
notice 'dh /etc/dh-parameters.1024' in server1.conf. Should I replace the
contents of that file with the contents from the
/root/easyrsa4pfsense/keys/dh1024.pem?
The contents of server1.conf are as follows:
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 69.xxx.xxx.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push route 192.168.101.0 255.255.255.0
push dhcp-option DOMAIN dawnsign.com
push dhcp-option DNS 192.168.101.1
push dhcp-option DNS 192.168.101.4
push dhcp-option DNS 192.168.101.7
push dhcp-option DNS 192.168.101.254
push dhcp-option NTP 192.168.101.254
push dhcp-option NTP 192.168.101.4
push dhcp-option WINS 192.168.101.4
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
passtos
persist-remote-ip
float
push route 192.168.102.0 255.255.255.0
Content of client.ovpn:
client
dev tun
proto udp
remote 69.xxx.xxx.xxx 1194
resolve-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert DougSampson.crt
key DougSampson.key
tls-auth ta.key 1
comp-lzo
verb 3
The client config file worked just fine with our existing Linux-based router
running OpenVPN.
Now when I try to connect, it fails with a TLS handshake error. Here is what
the openvpn.log spits out:
Feb 28 10:07:05 pfsense openvpn[11729]: event_wait : Interrupted system call (code=4)
Feb 28 10:07:05 pfsense openvpn[11729]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
Feb 28 10:07:05 pfsense openvpn[11729]: SIGTERM[hard,] received, process exiting
Feb 28 10:07:05 pfsense openvpn[48656]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012
Feb 28 10:07:05 pfsense openvpn[48656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 28 10:07:05 pfsense openvpn[48656]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Feb 28 10:07:05 pfsense openvpn[48656]: TUN/TAP device /dev/tun1 opened
Feb 28 10:07:05 pfsense openvpn[48656]: do_ifconfig, tt-ipv6=0, tt-did_ifconfig_ipv6_setup=0
Feb 28 10:07:05 pfsense openvpn[48656]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
Feb 28 10:07:05 pfsense openvpn[48656]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.0.8.1 10.0.8.2 init
Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link local (bound): [AF_INET]69.xxx.xxx.xxx:1194
Feb 28 10:07:05 pfsense openvpn[50174]: UDPv4 link remote: [undef]
Feb 28 10:07:05 pfsense openvpn[50174]: Initialization Sequence Completed
Feb 28 10:08:06 pfsense openvpn[50174]: OVPN client IP Addr:51681 Re-using SSL/TLS context
Feb 28 10:08:06 pfsense openvpn[50174]: OVPN client IP Addr:51681 LZO compression initialized
Feb 28 10:09:06 pfsense openvpn[50174]: OVPN client IP Addr:51681 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 28 10:09:06 pfsense openvpn[50174]: OVPN client IP Addr:51681 TLS Error: TLS handshake
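The "TLS key negotiation failed to occur within 60 seconds" error above appears whenever the control channel cannot be established, so the first thing to rule out is a disagreement between the two config files. As an added example that is not part of the original post, this script cross-checks the settings from server1.conf and client.ovpn that must agree on both sides (protocol, port, tls-auth key direction, comp-lzo, cipher); the two configs are embedded as trimmed constructed samples, and the check does not compare key material, so a server1.tls-auth that differs byte-for-byte from ta.key, or UDP/1194 being filtered in transit, would still need to be ruled out separately.

```python
# Added example, not from the post: cross-check settings that must agree between
# server1.conf and client.ovpn (quoted above, embedded here as trimmed constructed samples).

SERVER_CONF = """proto udp
cipher BF-CBC
lport 1194
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
"""

CLIENT_CONF = """proto udp
remote 69.xxx.xxx.xxx 1194
tls-auth ta.key 1
comp-lzo
"""

def parse(text):
    """Map option -> argument list; '#' comments and blank lines are ignored."""
    opts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            opts[fields[0]] = fields[1:]
    return opts

def tls_auth_dir(opts):
    """'absent', 'bidir' (key file only) or the explicit key direction."""
    args = opts.get("tls-auth")
    return "absent" if args is None else (args[1] if len(args) > 1 else "bidir")

def check(server_text, client_text):
    """Return human-readable mismatches; an empty list means the configs agree."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append("proto differs")
    s_port = (s.get("lport") or s.get("port") or ["1194"])[0]
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append("port differs: server %s, client %s" % (s_port, c_port))
    dirs = (tls_auth_dir(s), tls_auth_dir(c))
    if dirs not in {("absent", "absent"), ("bidir", "bidir"), ("0", "1")}:
        problems.append("tls-auth direction mismatch: server %s, client %s" % dirs)
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on one side only")
    # OpenVPN 2.2 falls back to BF-CBC when no cipher line is given (as in client.ovpn).
    if s.get("cipher", ["BF-CBC"]) != c.get("cipher", ["BF-CBC"]):
        problems.append("cipher differs")
    return problems
```

Running check(SERVER_CONF, CLIENT_CONF) on the posted pair returns an empty list, which points the search towards the tls-auth key contents and UDP reachability rather than the option lines.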