Import Config into pfSense
Posted: Sun Jun 11, 2017 8:17 am
I have an OpenVPN config file that's different from the ones that I have used previously (see below). I'm trying to set this up as an OpenVPN client in pfSense but can't get it to work. I've added the <ca> and Static Key to form the CA Cert. I've added the <cert> and <key> parts to form the client certificate in pfSense. I have set the correct server host IP and server port for UDP in the OpenVPN client settings and pasted the Static Key for TLS authentication. I have set encryption to None and SHA256 for now for testing.
I have tested this VPN connection using the Windows OpenVPN client and it works, but I can't figure it out for pfSense. Any advice would be appreciated! Is there anything I need to do for the RSA signature part and "key-direction 1"?
# Automatically generated OpenVPN client config file
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=firstname.lastname
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=firstname.lastname@x.x.x.x
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=x.x.x.x:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote x.x.x.x 1194 udp
remote x.x.x.x 1194 udp
remote x.x.x.x 443 tcp
remote x.x.x.x 1194 udp
remote x.x.x.x 1194 udp
remote x.x.x.x 1194 udp
remote x.x.x.x 1194 udp
remote x.x.x.x 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## XXXXXXXXXXXXXXXXX
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
## -----END CERTIFICATE-----
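Added example, not code from the post or from pfSense: a small Python parser that splits a unified Access Server profile like the one above into the separate pieces a GUI client such as the pfSense OpenVPN client page asks for. The sample profile embedded in it is constructed, with placeholder PEM bodies and a documentation IP address, and the function names are my own. It drops the trailing `##` signature lines because OpenVPN treats any line beginning with `#` or `;` as a comment, keeps the `<tls-auth>` static key as an artifact separate from the `<ca>` certificate, and reads `key-direction 1`, which is the client half of a tls-auth key (the server side uses 0).

```python
import re
from typing import Dict, List, Optional

# Constructed sample profile (not the poster's file); XXXX stands in for the
# base64 PEM bodies and 192.0.2.10 is a documentation address.
SAMPLE_PROFILE = """\
# Automatically generated OpenVPN client config file
client
remote 192.0.2.10 1194 udp
remote 192.0.2.10 443 tcp
ns-cert-type server
auth-user-pass
verb 3
<ca>
-----BEGIN CERTIFICATE-----
XXXXCAXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXCERTXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXXKEYXXXX
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key (Server Agent)
-----BEGIN OpenVPN Static key V1-----
XXXXTAXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## XXXXSIGXXXX
## -----END RSA SIGNATURE-----
"""

INLINE_TAG = re.compile(r"^<(/?)([a-z-]+)>$")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\n(?:[^\n]+\n)+-----END \1-----")


def parse_profile(text: str) -> Dict[str, object]:
    """Split a unified .ovpn into plain directives and inline <tag> bodies.

    Outside an inline block, lines starting with '#' or ';' are comments and
    are dropped, as OpenVPN itself does; the '## ... RSA SIGNATURE ...'
    trailer is metadata for the Access Server client, not tunnel config.
    Inside <tls-auth> the '#' lines are kept: they belong to the key file.
    """
    options: Dict[str, List[List[str]]] = {}
    inline: Dict[str, str] = {}
    current: Optional[str] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m and current is None and m.group(1) == "":
            current, body = m.group(2), []             # opening tag
        elif m and m.group(1) == "/" and m.group(2) == current:
            inline[current] = "\n".join(body) + "\n"   # closing tag
            current = None
        elif current is not None:
            body.append(line)                           # inside a block
        elif line and line[0] not in "#;":
            name, *args = line.split()
            options.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return {"options": options, "inline": inline}


def pem_labels(block: str) -> List[str]:
    """PEM labels in an inline body, e.g. ['CERTIFICATE']; [] when the
    BEGIN/END markers are not on their own lines (a common paste error)."""
    return PEM_BLOCK.findall(block)


def pfsense_pieces(parsed: Dict[str, object]) -> Dict[str, object]:
    """Regroup the parsed profile into the separate fields a GUI client asks for."""
    opts, inline = parsed["options"], parsed["inline"]
    default_proto = opts.get("proto", [["udp"]])[0][0]
    # 'remote host [port] [proto]'; OpenVPN defaults the port to 1194.
    remotes = [(a[0], int(a[1]) if len(a) > 1 else 1194,
                a[2] if len(a) > 2 else default_proto)
               for a in opts.get("remote", [])]
    kd = opts.get("key-direction")
    return {
        "remotes": remotes,
        "uses_user_pass": "auth-user-pass" in opts,
        # ns-cert-type / remote-cert-tls make the client insist on a server
        # certificate, not just any certificate the CA has signed.
        "checks_server_cert": "ns-cert-type" in opts or "remote-cert-tls" in opts,
        "ca_cert": inline.get("ca"),            # CA certificate only
        "client_cert": inline.get("cert"),
        "client_key": inline.get("key"),
        "tls_key": inline.get("tls-auth"),      # static key, separate from the CA
        # key-direction 1 = client half of the tls-auth key; the server uses 0.
        "tls_key_direction": int(kd[-1][0]) if kd else None,
    }
```

Run it on a real profile with `pfsense_pieces(parse_profile(open("client.ovpn").read()))`; each value is one field to fill in. `pem_labels` returning an empty list for a block is the quick check that the BEGIN/END markers got glued onto the base64 body during copy and paste, which the GUI will reject.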