Hi pfSense lovers,
I am quite new to the pfSense world, but these past two weeks I have been
working hard with it. We plan to replace our current firewall and we are
doing some tests with pfSense on a machine running in our internal
network. I have managed to configure almost everything I needed:
Internet connection, DHCP, VLANs, Captive Portal and so on; but the OpenVPN
configuration is driving me crazy.
I am trying to configure a Remote Access (road warrior) connection with
pfSense working as the OpenVPN server. I have followed several tutorials,
the one in the book and this one I found in the forums [1], among others, and I
always get the same error when I try to connect to the server.
This is the configuration right now.
WAN --> Firewall (not pfSense) --> Firewall (pfSense 2.0-RC3) --> LAN
(where I am right now)
I am trying to connect from a remote machine, using vncviewer, running
Debian GNU/Linux 5.0 (certificates, user and configuration following
[1]), with the following config file (exported with the "OpenVPN Client
Export Utility"):
"""
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 192.168.1.35 1194
auth-user-pass
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
"""
and the error is:
"""
$ openvpn pfsense-udp-1194.ovpn
Wed Aug 3 11:57:18 2011 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2]
[EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Enter Auth Username:vpnuser
Enter Auth Password:
Wed Aug 3 11:57:21 2011 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA. OpenVPN
2.0-beta16 and earlier used 5000 as the default port.
Wed Aug 3 11:57:21 2011 WARNING: No server certificate verification
method has been enabled. See http://openvpn.net/howto.html#mitm for
more info.
Wed Aug 3 11:57:21 2011 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Wed Aug 3 11:57:21 2011 WARNING: file 'pfsense-udp-1194.p12' is group
or others accessible
Wed Aug 3 11:57:21 2011 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus
omitted>
Wed Aug 3 11:57:21 2011 WARNING: file 'pfsense-udp-1194-tls.key' is
group or others accessible
Wed Aug 3 11:57:21 2011 Control Channel Authentication: using
'pfsense-udp-1194-tls.key' as a OpenVPN static key file
Wed Aug 3 11:57:21 2011 LZO compression initialized
Wed Aug 3 11:57:21 2011 UDPv4 link local (bound): [undef]:1194
Wed Aug 3 11:57:21 2011 UDPv4 link remote: 212.XXX.4.XXX:1194 ##This is
our public IP
Wed Aug 3 11:58:21 2011 TLS Error: TLS key negotiation failed to occur
within 60 seconds (check your network connectivity)
Wed Aug 3 11:58:21 2011 TLS Error: TLS handshake failed
Wed Aug 3 11:58:21 2011 SIGUSR1[soft,tls-error] received, process
restarting
"""
In the states table I can see:
udp 192.168.1.35:1194 <- 194.YYY.252.YYY:1194 NO_TRAFFIC:SINGLE
Some extra details:
- pfSense LAN is 172.16.0.1/24
- pfSense WAN is 192.168.1.35
- The first firewall is redirecting port 1194 for TCP/UDP to pfSense
192.168.1.35:1194
- The local network to connect to is 172.16.0.1/24
- The tunnel network is 172.16.1.1/24
- Firewall:Rules:WAN -> UDP * * * 1194(openVPN) * none
- Firewall:Rules:LAN -> * * * * * * none
- Firewall:Rules:openVPN -> * * * * * * none
- No extra NAT rules added.
After 2 days dealing with this, I still have no clue what to do.
Any suggestions?
I tried to give all the relevant info, I hope it's fine.
Thank you all for reading and excuse my poor English.
Regards
[1] http://forum.pfsense.org/index.php/topic,39481.0.html
--
Alberto Villegas Erce
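An added example, not part of Alberto's post or of pfSense's own tooling: a small POSIX shell script that triages the three client-side symptoms visible in the log above (the 60-second TLS timeout with no reply, the "No server certificate verification method" warning, and the group/other-readable key files) from the client log and the exported .ovpn profile, and then applies the minimal fixes a road warrior can make locally. The sample log and profile contents are constructed from the post; the file names mirror the exported profile; the checks assume the .p12 and tls-auth key sit next to the .ovpn (OpenVPN itself resolves relative paths against its working directory unless --cd is used). Nothing here changes the pfSense side, and the script cannot tell you why the server stayed silent, only that it did.

```shell
#!/bin/sh
# Added example (not from the original post): triage an OpenVPN 2.1 client
# log and an exported .ovpn profile for the symptoms quoted in the thread.

# Print one finding code per line. $1 = path to an openvpn client log.
triage_openvpn_log() {
  log="$1"
  # The server never answered within 60 s (or answered with something the
  # client discarded). With tls-auth enabled, a wrong key or a wrong direction
  # parameter looks exactly like this: the server silently drops packets whose
  # HMAC does not verify, so the client only sees the negotiation timeout and
  # the firewall state stays NO_TRAFFIC:SINGLE (one packet in, nothing back).
  grep -q 'TLS key negotiation failed to occur within 60 seconds' "$log" \
    && echo NO_SERVER_REPLY
  # Without remote-cert-tls/ns-cert-type, any certificate signed by the same
  # CA, including another road warrior's client cert, is accepted as the server.
  grep -q 'No server certificate verification method has been enabled' "$log" \
    && echo NO_SERVER_CERT_CHECK
  # Private key material readable by group/others on the client box.
  grep -q 'is group or others accessible' "$log" \
    && echo KEY_FILE_PERMS
  return 0
}

# Check the profile and the key files it references. Echo each problem,
# return 1 if anything must be fixed. $1 = path to the .ovpn file.
audit_ovpn_profile() {
  cfg="$1"; dir=$(dirname "$cfg"); rc=0
  if ! grep -Eq '^(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$cfg"; then
    echo "MISSING remote-cert-tls server"; rc=1
  fi
  # A client profile using tls-auth must carry direction 1 (the server uses 0).
  # The pfSense exporter sets this; hand-edited profiles often drop it.
  if grep -Eq '^tls-auth[[:space:]]' "$cfg" && \
     ! grep -Eq '^tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+1[[:space:]]*$' "$cfg"; then
    echo "TLS_AUTH_DIRECTION not 1"; rc=1
  fi
  # BF-CBC is a 64-bit block cipher; advisory only, since changing it needs a
  # matching change on the pfSense server.
  grep -Eq '^cipher[[:space:]]+BF-CBC' "$cfg" && echo "NOTE 64-bit block cipher BF-CBC"
  # Key files must be mode 600 (positions 5-10 of ls -l are group/other bits).
  for f in $(awk '$1=="pkcs12"||$1=="tls-auth"||$1=="key"{print $2}' "$cfg"); do
    path="$dir/$f"
    [ -e "$path" ] || { echo "MISSING_FILE $f"; rc=1; continue; }
    mode=$(ls -ld "$path" | cut -c5-10)
    if [ "$mode" != "------" ]; then
      echo "PERMS $f $mode (fix: chmod 600 $f)"; rc=1
    fi
  done
  return $rc
}

# Minimal client-side remediation: add the server-cert check, lock down keys.
harden_profile() {
  cfg="$1"; dir=$(dirname "$cfg")
  grep -Eq '^(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$cfg" \
    || echo 'remote-cert-tls server' >> "$cfg"
  for f in $(awk '$1=="pkcs12"||$1=="tls-auth"||$1=="key"{print $2}' "$cfg"); do
    [ -e "$dir/$f" ] && chmod 600 "$dir/$f"
  done
  return 0
}

# Constructed sample files mirroring the post; prints the directory they live in.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/client.log" <<'EOF'
Wed Aug 3 11:57:21 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 3 11:57:21 2011 WARNING: file 'pfsense-udp-1194.p12' is group or others accessible
Wed Aug 3 11:57:21 2011 WARNING: file 'pfsense-udp-1194-tls.key' is group or others accessible
Wed Aug 3 11:58:21 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 3 11:58:21 2011 TLS Error: TLS handshake failed
EOF
  cat > "$d/pfsense-udp-1194.ovpn" <<'EOF'
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote 192.168.1.35 1194
auth-user-pass
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
EOF
  : > "$d/pfsense-udp-1194.p12"; : > "$d/pfsense-udp-1194-tls.key"
  chmod 644 "$d/pfsense-udp-1194.p12" "$d/pfsense-udp-1194-tls.key"
  echo "$d"
}

# Usage: d=$(make_samples); triage_openvpn_log "$d/client.log";
#        audit_ovpn_profile "$d/pfsense-udp-1194.ovpn"; harden_profile "$d/pfsense-udp-1194.ovpn"
```

Run against the real files, the interesting outcome is NO_SERVER_REPLY with an otherwise clean audit: that points at the path between the client and the pfSense WAN (the outer firewall's forward, the WAN rule, which interface the server listens on) or at a tls-auth key/direction mismatch on the server side, none of which the client can fix alone.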