
I’m trying to figure out how to get pfsense to work with an SSL Tunnel.

 

I’ve tried to work from various posts, both on this forum and on other sites, by installing the Stunnel package on pfsense, but a successful connection has eluded me.

 

I’ve been trying to get this to work:

 

https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/page-11?do=findComment&comment=56602

 

However when I get to:

 

The command syntax:

stunnel /root/*insert the name of your config file here*.ssl  ( then click on the button called "EXECUTE" ) ( each time pfsense is rebooted you need to re-enter this command )
openvpn /root/*insert the name of your config file here*.ovpn  ( then click on the button called "EXECUTE" ).

 

This happens:

 

[ ] Clients allowed=84010
[.] stunnel 5.42 on amd64-portbld-freebsd11.1 platform
[.] Compiled/running with OpenSSL 1.0.2m-freebsd 2 Nov 2017
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (* __error())
[.] Reading configuration from file /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ssl
[.] UTF-8 byte order mark not detected
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [openvpn]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] No certificate or private key specified
[!] error queue: B084002: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
[!] error queue: 2006D080: error:2006D080:BIO routines:BIO_new_file:no such file
[!] SSL_CTX_load_verify_locations: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [openvpn]: Failed to initialize TLS context

 

Along with this:

 

[ ] Clients allowed=84010
[.] stunnel 5.42 on amd64-portbld-freebsd11.1 platform
[.] Compiled/running with OpenSSL 1.0.2m-freebsd 2 Nov 2017
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (* __error())
[.] Reading configuration from file /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ovpn
[.] UTF-8 byte order mark not detected
[!] /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ovpn:7: "client": No '=' found

 

Anyone know what I'm doing wrong?
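Both stunnel failures quoted above are explained by the file format stunnel expects: an INI-like file of `key = value` lines under `[service]` headings, so a bare OpenVPN directive such as `client` produces `No '=' found`, and a `CAfile` that points at a path which is not there produces the `fopen: No such file or directory` failure. The script below is an example written for this thread, not stunnel's, pfSense's or AirVPN's own code; it reproduces those two checks before stunnel is started and, going one step beyond the thread, also flags a client section that never turns on certificate verification (stunnel's default is to verify nothing). The host name, the CA path and both sample files in it are constructed placeholders.

```python
"""Pre-flight check for an stunnel client config before running `stunnel <file>.ssl`.

Added example, not stunnel's own code. Checks performed:
  * every non-comment line outside a [section] header must be `key = value`,
    which is exactly what stunnel enforces (`"<line>": No '=' found`);
  * CAfile/CApath/cert/key/CRL paths must exist, or TLS context init fails;
  * a `client = yes` service with no verify option never checks the server cert.
"""
import os
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PATH_OPTIONS = ("cafile", "capath", "cert", "key", "crlfile", "crlpath")
VERIFY_OPTIONS = ("verify", "verifychain", "verifypeer")
OPENVPN_DIRECTIVES = ("client", "dev ", "remote ", "proto ", "resolv-retry")

# Constructed stunnel client config (placeholder host and CA path).
GOOD_SSL = """\
; global options
foreground = yes
debug = 5

[openvpn]
client = yes
accept = 127.0.0.1:1413
connect = vpn-entry.example.invalid:443
CAfile = /root/stunnel.crt
verifyChain = yes
"""

# Constructed OpenVPN profile, i.e. the kind of file stunnel was mistakenly given.
OVPN_TEXT = """\
# ----------------------------------------------------
# Constructed OpenVPN client profile for this example
# ----------------------------------------------------
# (stunnel accepts comment lines, so its first error
#  lands on the first bare directive below)

client
dev tun
proto tcp
remote 127.0.0.1 1413
"""


def parse_stunnel_config(text):
    """Return (global_opts, services, problems); problems are (lineno, message)."""
    global_opts, services, problems = {}, {}, []
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":          # stunnel treats both as comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = services.setdefault(m.group("name"), {})
            continue
        if "=" not in line:
            problems.append((lineno, f'"{line}": No \'=\' found'))
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()   # option names are case-insensitive
    return global_opts, services, problems


def check_stunnel_config(text, exists=os.path.exists):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    global_opts, services, problems = parse_stunnel_config(text)
    findings = [f"line {n}: {msg}" for n, msg in problems]
    if problems and not services and any(
        msg.startswith(f'"{d}') for _, msg in problems for d in OPENVPN_DIRECTIVES
    ):
        findings.append("file looks like an OpenVPN .ovpn profile, not an stunnel config: "
                        "run `stunnel` on the .ssl file and `openvpn` on the .ovpn file")
    scopes = [("global", global_opts)] + [(f"[{n}]", o) for n, o in services.items()]
    for label, opts in scopes:
        for opt in PATH_OPTIONS:
            if opt in opts and not exists(opts[opt]):
                findings.append(f"{label}: {opt} = {opts[opt]} does not exist "
                                "(stunnel would fail with fopen: No such file or directory)")
    for name, opts in services.items():
        if opts.get("client", "no").lower() == "yes":
            verify_on = any(opts.get(v, global_opts.get(v, "no")).lower() not in ("no", "0")
                            for v in VERIFY_OPTIONS)
            if not verify_on:
                findings.append(f"[{name}]: client = yes but no verify/verifyChain/verifyPeer: "
                                "the VPN server's TLS certificate is never checked")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OVPN_TEXT
    for finding in check_stunnel_config(text):
        print("-", finding)
```

Run it as `python check_stunnel.py /root/yourfile.ssl` before `stunnel /root/yourfile.ssl`; with no argument it checks the built-in OpenVPN profile and shows the same `line 7: "client": No '=' found` the thread hit.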


I’m trying to figure out how to get pfsense to work with an SSL Tunnel.

 

However when I get to:

 

The command syntax:

stunnel /root/*insert the name of your config file here*.ssl  ( then click on the button called "EXECUTE" ) ( each time pfsense is rebooted you need to re-enter this command )

openvpn /root/*insert the name of your config file here*.ovpn  ( then click on the button called "EXECUTE" ).

 

 

I don't see this anywhere in my instructions.


Sorry, been looking at so many sites and posts, pasted the wrong one. I meant this one:

https://airvpn.org/topic/13572-request-for-a-tutorial-on-setting-up-ssl-tunnel-on-pfsense/

 

With your post I got as far as:

 

Look via your web GUI of the pfsense machine at Status>system logs to see that stunnel is running properly.

 

I see nothing in system logs.

Run stunnel without using screen, just to see it in the shell, then.


Didn’t realise the screen command was doing anything. I just entered the command and then got taken back to a prompt. I think I get it now, it's running in the background. Just assumed I'd get an acknowledgement that the command had worked first. Can also see stunnel in logs now.

 

New problem I'm having is setting up the client.

 

This is what I've got in status logs:

 

Feb 25 00:54:23  openvpn  7161  Restart pause, 5 second(s)
Feb 25 00:54:23  openvpn  7161  SIGUSR1[soft,connection-reset] received, process restarting
Feb 25 00:54:23  openvpn  7161  Connection reset, restarting [0]
Feb 25 00:54:23  openvpn  7161  TCP_CLIENT link remote: [AF_INET]127.0.0.1:1413
Feb 25 00:54:23  openvpn  7161  TCP_CLIENT link local (bound): [AF_INET]127.0.0.1:0
Feb 25 00:54:23  openvpn  7161  TCP connection established with [AF_INET]127.0.0.1:1413
Feb 25 00:54:22  openvpn  7161  Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock]
Feb 25 00:54:22  openvpn  7161  Socket Buffers: R=[65228->65228] S=[65228->65228]
Feb 25 00:54:22  openvpn  7161  TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1413
Feb 25 00:54:22  openvpn  7161  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 00:54:17  openvpn  7161  Restart pause, 5 second(s)
Feb 25 00:54:17  openvpn  7161  SIGUSR1[soft,connection-reset] received, process restarting
Feb 25 00:54:17  openvpn  7161  Connection reset, restarting [0]
Feb 25 00:54:17  openvpn  7161  TCP_CLIENT link remote: [AF_INET]127.0.0.1:1413
Feb 25 00:54:17  openvpn  7161  TCP_CLIENT link local (bound): [AF_INET]127.0.0.1:0
Feb 25 00:54:17  openvpn  7161  TCP connection established with [AF_INET]127.0.0.1:1413
Feb 25 00:54:16  openvpn  7161  Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock]
Feb 25 00:54:16  openvpn  7161  Socket Buffers: R=[65228->65228] S=[65228->65228]
Feb 25 00:54:16  openvpn  7161  TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1413
Feb 25 00:54:16  openvpn  7161  Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 00:54:16  openvpn  7161  Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 00:54:16  openvpn  7161  Initializing OpenSSL support for engine 'cryptodev'
Feb 25 00:54:16  openvpn  7161  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 00:54:16  openvpn  7161  MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 25 00:54:16  openvpn  6896  library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Feb 25 00:54:16  openvpn  6896  OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [sSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
Feb 25 00:54:16  openvpn  72132  SIGTERM[hard,init_instance] received, process exiting
Feb 25 00:54:05  openvpn  72132  Restart pause, 40 second(s)
Feb 25 00:54:05  openvpn  72132  SIGUSR1[soft,connection-reset] received, process restarting
Feb 25 00:54:05  openvpn  72132  TCP/UDP: Closing socket
Feb 25 00:54:05  openvpn  72132  Connection reset, restarting [0]
Feb 25 00:54:05  openvpn  72132  WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
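The log above is a connect/reset loop: the TCP connection to the local stunnel listener on 127.0.0.1:1413 comes up, the control channel never completes, and OpenVPN restarts every five seconds. The script below is an added example, not pfSense's or OpenVPN's own tooling; it parses the log in the one-entry-per-line shape pfSense's Status > System Logs > OpenVPN view uses (timestamp, process, pid, message) and reports the facts that decide such a loop: resets per process, whether a handshake ever completed, which control-channel digest the client is using (the thread's fix was changing that digest), which remote it dials, and whether OpenVPN saw a packet length it could not explain. The sample lines embedded in it are constructed to match the entries in this thread.

```python
"""Triage a pfSense OpenVPN client log that is stuck in a connect/reset loop.

Added example; not pfSense's or OpenVPN's own tooling. Expected line shape:
    <Mon DD HH:MM:SS> <process> <pid> <message>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
DIGEST_RE = re.compile(
    r"Control Channel Authentication: Using \d+ bit message hash '(?P<digest>[^']+)'"
)
REMOTE_RE = re.compile(r"TCP_CLIENT link remote: \[AF_INET\](?P<remote>\S+)")
BAD_LEN_RE = re.compile(r"Bad encapsulated packet length from peer \((?P<len>\d+)\)")

# Constructed sample, modelled on the entries posted in the thread (newest first).
SAMPLE_LOG = """\
Feb 25 00:54:23  openvpn  7161  Restart pause, 5 second(s)
Feb 25 00:54:23  openvpn  7161  Connection reset, restarting [0]
Feb 25 00:54:23  openvpn  7161  TCP_CLIENT link remote: [AF_INET]127.0.0.1:1413
Feb 25 00:54:23  openvpn  7161  TCP connection established with [AF_INET]127.0.0.1:1413
Feb 25 00:54:17  openvpn  7161  Connection reset, restarting [0]
Feb 25 00:54:16  openvpn  7161  Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 00:54:16  openvpn  7161  Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 00:54:05  openvpn  72132  Connection reset, restarting [0]
Feb 25 00:54:05  openvpn  72132  WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
"""


def parse_openvpn_log(text):
    """Parse well-formed lines into dicts (ts, proc, pid, msg); skip anything else."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def triage(records):
    """Condense the records into the few facts needed to explain a reset loop."""
    report = {"resets_per_pid": Counter(), "initialized": False,
              "auth_digest": None, "remote": None, "bad_lengths": []}
    for rec in records:
        msg = rec["msg"]
        if msg.startswith("Connection reset, restarting"):
            report["resets_per_pid"][rec["pid"]] += 1
        elif "Initialization Sequence Completed" in msg:
            report["initialized"] = True
        elif m := DIGEST_RE.search(msg):
            report["auth_digest"] = m.group("digest")
        elif m := REMOTE_RE.search(msg):
            report["remote"] = m.group("remote")
        elif m := BAD_LEN_RE.search(msg):
            report["bad_lengths"].append(int(m.group("len")))
    return report


def findings(report):
    """Plain-language findings for whoever is debugging the client."""
    out = []
    resets = sum(report["resets_per_pid"].values())
    if resets and not report["initialized"]:
        out.append(f"{resets} reset(s) across {len(report['resets_per_pid'])} process(es) and "
                   "no 'Initialization Sequence Completed': the control channel never came up")
    if report["remote"]:
        out.append(f"client dials {report['remote']}; if that is the local stunnel listener, "
                   "confirm stunnel is running and its own log shows the TLS side connecting")
    if report["auth_digest"]:
        out.append(f"control-channel HMAC digest is {report['auth_digest']}; with tls-auth it "
                   "must equal the server's 'auth' digest, otherwise every packet fails the HMAC check")
    for n in report["bad_lengths"]:
        out.append(f"peer sent an impossible packet length ({n}): MTU mismatch, something other "
                   "than OpenVPN answering on the TCP link, or tampering")
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in findings(triage(parse_openvpn_log(text))):
        print("-", line)
```

Feed it a copy of the OpenVPN log exported from the GUI; with no argument it runs on the built-in sample and prints the four findings that apply to the thread's log. The digest finding is the one that resolved this thread: the client was using SHA256 while the server expected SHA1.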

 


Well, if you're using pfsense 2.4.2 things might be different from those instructions. For example, stunnel can now be installed via the package manager in pfsense. If you've installed the FreeBSD 10 version of stunnel that might cause problems in pfsense 2.4.2, which is based on FreeBSD 11. Just a guess.


Yeah, looking at instructions for old versions makes things a lot more confusing. I installed stunnel from the package manager though, so I don't think it's that.

What's frustrating is that if I run the .ovpn from the shell it seems to connect OK. Or at least it ends with: Initialization Sequence Completed. I just then can't translate that into a working client in the GUI doing the same thing.

Are the certs the same?

Do I need to use the stunnel.crt for the CA cert under the cert manager instead of the normal ca.crt or something?


Yeah, looking at instructions for old versions makes things a lot more confusing. I installed stunnel from the package manager though, so I don't think it's that.

What's frustrating is that if I run the .ovpn from the shell it seems to connect OK. Or at least it ends with: Initialization Sequence Completed. I just then can't translate that into a working client in the GUI doing the same thing.

Are the certs the same?

Do I need to use the stunnel.crt for the CA cert under the cert manager instead of the normal ca.crt or something?

 

ca.crt is always the same.  it sounds to me like you're not configuring the GUI correctly.


 

Indeed I had not. Just figured out what was tripping me up. I hadn’t selected SHA1. Was using SHA256. Clients working now.

 

New problem: you wouldn’t happen to know how I make it so that screen/stunnel automatically runs upon reboot, would you?


Indeed I had not. Just figured out what was tripping me up. I hadn’t selected SHA1. Was using SHA256. Clients working now.

 

New problem: you wouldn’t happen to know how I make it so that screen/stunnel automatically runs upon reboot, would you?

 

I'm sure there's a way but I wouldn't know how to do it.  Glad you have it working!


Any chance you could post some screenshots of your pfsense stunnel options?

 

I am struggling with this as well.

 

Many thanks


Any chance you could post some screenshots of your pfsense stunnel options?

 

I am struggling with this as well.

 

Many thanks

 

 

I don't use stunnel but had originally set it up just to say I could.

 

Now my first question to you is why do you want stunnel?  If you're needing SSL tunnel for something you might get what you want just using the new tls-crypt option.

On 6/10/2018 at 4:37 PM, go558a83nk said:

 

 

I don't use stunnel but had originally set it up just to say I could.

 

Now my first question to you is why do you want stunnel?  If you're needing SSL tunnel for something you might get what you want just using the new tls-crypt option.

Did you mean TLS Key Usage Mode: TLS Encryption and Authentication mode in the VPN Client of pfsense?
Will it hide traffic from the ISP's DPI the same way stunnel over SSL does?
And does AirVPN permit such a connection to their servers?

Thanks!

7 hours ago, Survival said:
Did you mean TLS Key Usage Mode: TLS Encryption and Authentication mode in the VPN Client of pfsense?
Will it hide traffic from the ISP's DPI the same way stunnel over SSL does?
And does AirVPN permit such a connection to their servers?

Thanks!

Yes.
Some people find it works in places where only SSL would work previously.
Yes. You must connect to entry IP 3 or 4, use SHA512 for the auth digest, and of course use the TLS encryption and auth setting for the TLS key.

On 2/12/2020 at 8:23 AM, go558a83nk said:

Yes.
Some people find it works in places where only SSL would work previously.
Yes. You must connect to entry IP 3 or 4, use SHA512 for the auth digest, and of course use the TLS encryption and auth setting for the TLS key.
Great! Thanks! Will try it out later.

