3

How do I set up a OpenVPN server on pfsense? I want to be able to VPN in from a labptop when I am on the road. I set up a openvpn server in the openvpn menu. I duplicated that NAT rules for the VPN server. I tried opening the fire wall ports. I also set up the certificates, made a user account (put a certificate on that) as well as turned on the interface. I am thinking my next step has something to do with fixing it so the vpn server process can run but I am not sure why it will not start. I also think my firewall rules should be done better so I don't leave a port wide open but I'm not sure how.

I cleared all the logs and then tried to start up the VPN server. I got this:

Jun 26 00:30:57     openvpn[26660]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jun 26 00:30:57     openvpn[26660]: MANAGEMENT: CMD 'state 1'
Jun 26 00:30:57     openvpn[26660]: MANAGEMENT: Client disconnected
Jun 26 00:30:57     openvpn[34295]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Jun 26 00:30:57     openvpn[34295]: MANAGEMENT: CMD 'state 1'
Jun 26 00:30:57     openvpn[34295]: MANAGEMENT: CMD 'status 2'
Jun 26 00:30:57     openvpn[34295]: MANAGEMENT: Client disconnected
Jun 26 00:30:57     openvpn[45727]: MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock
Jun 26 00:30:57     openvpn[45727]: MANAGEMENT: CMD 'state 1'
Jun 26 00:30:57     openvpn[45727]: MANAGEMENT: CMD 'status 2'
Jun 26 00:30:57     openvpn[45727]: MANAGEMENT: Client disconnected
Jun 26 00:30:59     openvpn[87234]: Options error: --server directive network/netmask combination is invalid
Jun 26 00:30:59     openvpn[87234]: Use --help for more information.
Jun 26 00:31:10     openvpn[26660]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jun 26 00:31:10     openvpn[26660]: MANAGEMENT: CMD 'state 1'
Jun 26 00:31:10     openvpn[34295]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Jun 26 00:31:10     openvpn[26660]: MANAGEMENT: Client disconnected
Jun 26 00:31:10     openvpn[34295]: MANAGEMENT: CMD 'state 1'
Jun 26 00:31:10     openvpn[34295]: MANAGEMENT: CMD 'status 2'
Jun 26 00:31:10     openvpn[34295]: MANAGEMENT: Client disconnected
Jun 26 00:31:10     openvpn[45727]: MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock
Jun 26 00:31:10     openvpn[45727]: MANAGEMENT: CMD 'state 1'
Jun 26 00:31:10     openvpn[45727]: MANAGEMENT: CMD 'status 2'
Jun 26 00:31:10     openvpn[45727]: MANAGEMENT: Client disconnected

I have a guess that this has something to do with my "IPv4 Tunnel Network" and "IPv4 Local Network/s"

My IPv4 Tunnel Network is: WAN_ip/24

MY IPv4 Local Network/s is: LAN_ip/24

I am not sure this is what is suppose to be here.

edit: I found two issues. My WAN_ip should not have been my WAN_ip but a made up ip. Also, I was not specifying to for it to get log in account information correctly. I can now connect to the VPN but it gives no internet.

Ryu
  • 41
  • 1
  • 3
  • I set up a openvpn server in the openvpn menu. I duplicated that NAT rules for the VPN server. I tried opening the fire wall ports. The process itself is not running – Ryu Jun 25 '14 at 21:14
  • 1
    OK. I don't know anything about `pfsense`, but those details should definitely be included in your question. The more effort you show trying to solve your problem, the likelier someone will put effort in to help find a solution. – drs Jun 25 '14 at 21:57
  • I forgot to mention that I also set up the certificates, made a user account (put a certificate on that) as well as turned on the interface. I am thinking my next step has something to do with fixing it so the vpn server process can run but I am not sure why it will not start. I also think my firewall rules should be done better so I don't leave a port wide open but I'm not sure how. – Ryu Jun 26 '14 at 00:55
  • You can edit the question using the link just below the question tags. Write all of those details into the question because they're much less noticeable down here in the comments. – drs Jun 26 '14 at 01:02
  • Are there any system logs that you can check that may give a clue about what the problem is? – drs Jun 26 '14 at 01:02
  • Logs are posted above – Ryu Jun 26 '14 at 13:37
  • You've done a nice job improving this question, but I'm out of advice. I'd try to look into what's causing the `options error` in the logs. If you've set up the VPN from a GUI, try Googling that line in the logs. – drs Jun 26 '14 at 14:08
  • Anyone have an idea? – Ryu Jun 27 '14 at 13:12
  • Updated information on the problem – Ryu Jul 01 '14 at 13:14
  • Glad to hear you're making progress. Check your logs again. Did the answer below solve the error reported before? Is VPN service started now? If so 1) accept that answer because it solved the problem reported in this question and 2) create a new question describing the new problem and include updated logs and configurations. – drs Jul 01 '14 at 13:32

1 Answers1

4

I don't know about pfSense, but from the OpenVPN perspective the line of interest here is

Options error: --server directive network/netmask combination is invalid

This means that you've specified a VPN network address and netmask that do not combine. OpenVPN checks the network address to have zeroes where the netmask expects zeroes. E.g. 192.168.1.0 + 255.255.255.0 matches, but 192.168.1.1 + 255.255.255.0 does not match.

In your case, you should select a (private) network segment which is not used in your local network, e.g. 10.0.8.0, for your tunnel network instead of your WAN IP. OpenVPN will assign addresses from that range to connecting clients.

Steffan Karger
  • 241
  • 2
  • 5