From Secure Computing Wiki

pfSense supports OpenVPN both as a client and as a server. It generates the OpenVPN configuration files itself from the options set in the web UI, so the resulting file layout is not the standard one: the generated files live under /var/etc/openvpn and are rewritten from the saved settings whenever the service is restarted, which means edits made directly to those files do not survive and should be made through the web UI instead.

Obtaining the configuration

pfSense allows multiple OpenVPN instances to be configured, both servers and clients, each with its own generated config file. The easiest way to read those files is over SSH: once connected, choose option 8 (Shell) from the console menu to get a command line.

*** Welcome to pfSense 2.0.1-RELEASE-nanobsd (i386) on atom ***

  WAN (wan)                 -> rl0        -> 
  LAN (lan)                 -> rl1        -> 

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host                         

Enter an option: 8

To find out which OpenVPN instances are running on the host, and which config file each one was started with, use ps.

[2.0.1-RELEASE][]/conf(11): ps auxww | grep openvpn
root   18235  0.0  1.5  5116  3448  ??  Ss    7:38AM   0:00.02 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf

In this case there is only one OpenVPN instance running, started with the configuration file /var/etc/openvpn/server1.conf. The number in the name is the instance's ID in the pfSense configuration, so a second server would use server2.conf and a client instance client1.conf. cat the file to see the actual configuration the daemon is using, which is what matters when troubleshooting.

[2.0.1-RELEASE][]/conf(12): cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tap
dev-node /dev/tap1
writepid /var/run/
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route"
ca /var/etc/openvpn/ 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify 
tls-auth /var/etc/openvpn/server1.tls-auth 0
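A few of the lines above deserve a second look when troubleshooting: the user and group directives are commented out, so the daemon keeps running as root after initialisation; script-security 3 lets OpenVPN pass passwords to its helper scripts through environment variables; and dh-parameters.1024 is a 1024-bit DH group, well below current recommendations. The following script is an added example, not code from the wiki page or from pfSense itself. It automates the two manual steps above for every running instance (find the process, pull out its --config path, read the file) and summarises the settings just mentioned. It is written for the FreeBSD /bin/sh on pfSense and uses only ps, grep, sed and awk; the function names and the KEY=VALUE output format are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the wiki page or from pfSense.
# Lists the OpenVPN instances pfSense has started and summarises each
# generated config. Target shell is the FreeBSD /bin/sh on pfSense.

# Print the --config path of every openvpn process in the ps output read
# on stdin. The "[o]penvpn" pattern stops grep from matching itself.
ovpn_config_paths() {
    grep '[o]penvpn' | sed -n 's/.*--config \([^ ]*\).*/\1/p'
}

# Summarise an OpenVPN config read on stdin as KEY=VALUE lines.
# Comment lines are skipped, so a commented-out "#user nobody" counts as
# no user directive at all: without one the daemon keeps the privileges
# it was started with, which on pfSense is root.
ovpn_summary() {
    awk '
        /^#/                    { next }
        $1 == "dev"             { printf "dev=%s\n", $2 }
        $1 == "proto"           { printf "proto=%s\n", $2 }
        $1 == "lport"           { printf "lport=%s\n", $2 }
        $1 == "cipher"          { printf "cipher=%s\n", $2 }
        $1 == "dh"              { printf "dh=%s\n", $2 }
        $1 == "script-security" { printf "script_security=%s\n", $2 }
        $1 == "user"            { user = $2 }
        $1 == "tls-auth"        { tlsauth = 1 }
        $1 == "crl-verify"      { crl = 1 }
        END {
            # "none" means the daemon never drops root.
            printf "user=%s\n", (user == "" ? "none" : user)
            printf "tls_auth=%s\n", (tlsauth ? "yes" : "no")
            printf "crl_verify=%s\n", (crl ? "yes" : "no")
        }
    '
}

# Live run: walk the process table and summarise every instance's config.
# Guarded so the functions above can also be sourced on a host without ps.
if command -v ps >/dev/null 2>&1; then
    for cfg in $(ps auxww | ovpn_config_paths); do
        echo "== $cfg"
        ovpn_summary < "$cfg"
    done
fi
```

Run it from the option 8 shell as root, since the generated key and config files under /var/etc/openvpn are only readable by root. For the server1.conf shown above it reports user=none, script_security=3 and dh=/etc/dh-parameters.1024, which are the three lines to revisit first; tls_auth=yes and crl_verify=yes confirm that the HMAC firewall and certificate revocation checks are in place.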