OpenVPN/pfSense

From Secure Computing Wiki
Revision as of 12:20, 19 May 2012 by Tom (Talk | contribs) (how to obtain the openvpn configuration file.)


pfSense supports OpenVPN both as a client and as a server. It performs some black magic behind the scenes, generating the OpenVPN configuration files from the options set in the web UI, so the resulting file structure is non-standard compared with a hand-built OpenVPN installation.

Obtaining the configuration

pfSense allows multiple OpenVPN configurations to be created, both servers and clients. The best way to read the generated config files is through the SSH interface to pfSense. Once connected over SSH, enter option 8 on the menu to reach the command line (shell).

*** Welcome to pfSense 2.0.1-RELEASE-nanobsd (i386) on atom ***

  WAN (wan)                 -> rl0        -> 10.2.2.2 
  LAN (lan)                 -> rl1        -> 10.1.1.1 

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Disable Secure Shell (sshd)
 7) Ping host                         

Enter an option: 8

To find out which OpenVPN instances are running on the host, and the names of their config files, use ps.

[2.0.1-RELEASE][admin@atom.example.org]/conf(11): ps auxww | grep openvpn
root   18235  0.0  1.5  5116  3448  ??  Ss    7:38AM   0:00.02 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf

In this case there is only one OpenVPN instance running, and its configuration file is /var/etc/openvpn/server1.conf. We can now cat that file to obtain the actual OpenVPN config for troubleshooting.

[2.0.1-RELEASE][admin@atom.example.org]/conf(12): cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.2.2.2
tls-server
server 10.1.1.128 255.255.255.192
client-config-dir /var/etc/openvpn-csc
ifconfig 10.1.1.129 10.1.1.130
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 10.1.1.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify 
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
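The ps-then-cat procedure above, as an added POSIX shell helper that is not part of the wiki page or of pfSense itself: it pulls the --config path out of each openvpn process line and reads a single directive back out of the generated config, skipping commented-out lines such as "#user nobody". The ps and config text below are constructed samples modelled on the page's output (the client2 instance is hypothetical).

```shell
#!/bin/sh
# Constructed sample of `ps auxww | grep openvpn`, mirroring the page's output
# with a hypothetical second (client) instance and the grep process itself.
PS_SAMPLE='root   18235  0.0  1.5  5116  3448  ??  Ss    7:38AM   0:00.02 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root   18240  0.0  1.5  5116  3448  ??  Ss    7:39AM   0:00.02 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
admin  18301  0.0  0.1  1234   512   0  S+    7:40AM   0:00.00 grep openvpn'

# Constructed excerpt of the server1.conf shown on the page (note the
# trailing blank after server1.ca, exactly as pfSense writes it).
CONF_SAMPLE='#user nobody
script-security 3
proto udp
cipher AES-256-CBC
push "route 10.1.1.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo'

# Print one --config path per running openvpn process; the grep line has no
# "/openvpn " and no --config, so it is dropped.
config_paths() {
    printf '%s\n' "$1" | grep '/openvpn ' \
        | sed -n 's/.*--config[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p'
}

# Print the value of a directive (everything after its name, trailing blanks
# stripped). Comment lines are ignored, so a directive that only appears
# commented out yields an empty string; a bare directive like comp-lzo too.
directive_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        $1 == name {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# On a live pfSense shell the samples would be replaced by real input:
#   config_paths "$(ps auxww)"  and  directive_value "$(cat "$path")" cipher
for path in $(config_paths "$PS_SAMPLE"); do
    echo "instance config: $path"
done
echo "cipher:   $(directive_value "$CONF_SAMPLE" cipher)"
echo "dh:       $(directive_value "$CONF_SAMPLE" dh)"
echo "tls-auth: $(directive_value "$CONF_SAMPLE" tls-auth)"
echo "user:     '$(directive_value "$CONF_SAMPLE" user)' (commented out)"
```

The directives worth reading back first when troubleshooting a pfSense instance are the ones the web UI sets silently: cipher, dh, tls-auth, script-security and the management socket path.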