d4rk5oul 1 Posted ... I’m trying to figure out how to get pfsense to work with an SSL Tunnel. I’ve tried to work from various post both on this forum and other sites by installing the Stunnel package on pfsense but a successful connection has eluded me. I’ve been trying to get this to work: https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/page-11?do=findComment&comment=56602 However when I get to: The command syntax:stunnel /root/*insert the name of your config file here*.ssl ( then click on the button called "EXECUTE" ) ( each time pfsense is rebooted you need to re-enter this command )openvpn /root/*insert the name of your config file here*.ovpn ( then click on the button called "EXECUTE" ). This happens: [ ] Clients allowed=84010[.] stunnel 5.42 on amd64-portbld-freebsd11.1 platform[.] Compiled/running with OpenSSL 1.0.2m-freebsd 2 Nov 2017[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI[ ] errno: (* __error())[.] Reading configuration from file /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ssl[.] UTF-8 byte order mark not detected[ ] Compression disabled[ ] PRNG seeded successfully[ ] Initializing service [openvpn][ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)[ ] No certificate or private key specified[!] error queue: B084002: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib[!] error queue: 2006D080: error:2006D080:BIO routines:BIO_new_file:no such file[!] SSL_CTX_load_verify_locations: 2001002: error:02001002:system library:fopen:No such file or directory[!] Service [openvpn]: Failed to initialize TLS context Along with this: [ ] Clients allowed=84010[.] stunnel 5.42 on amd64-portbld-freebsd11.1 platform[.] Compiled/running with OpenSSL 1.0.2m-freebsd 2 Nov 2017[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI[ ] errno: (* __error())[.] Reading configuration from file /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ovpn[.] UTF-8 byte order mark not detected[!] /root/AirVPN_NL-Alblasserdam_Alphirk_SSL-443.ovpn:7: "client": No '=' found Anyone know what I'm doing wrong? Quote Share this post Link to post
go558a83nk 364 Posted ... I’m trying to figure out how to get pfsense to work with an SSL Tunnel. However when I get to: The command syntax: stunnel /root/*insert the name of your config file here*.ssl ( then click on the button called "EXECUTE" ) ( each time pfsense is rebooted you need to re-enter this command ) openvpn /root/*insert the name of your config file here*.ovpn ( then click on the button called "EXECUTE" ). I don't see this anywhere in my instructions. Quote Share this post Link to post
d4rk5oul 1 Posted ... Sorry, been looking at so many sites and posts, pasted the wrong one. I meant this one:https://airvpn.org/topic/13572-request-for-a-tutorial-on-setting-up-ssl-tunnel-on-pfsense/ With your post I got as far as: Look via your web GUI of the pfsense machine at Status>system logs to see that stunnel is running properly. I see nothing in system logs. Quote Share this post Link to post
go558a83nk 364 Posted ... Sorry, been looking at so many sites and posts, pasted the wrong one. I meant this one: https://airvpn.org/topic/13572-request-for-a-tutorial-on-setting-up-ssl-tunnel-on-pfsense/ With your post I got as far as: Look via your web GUI of the pfsense machine at Status>system logs to see that stunnel is running properly. I see nothing in system logs.run stunnel without using screen just to see it in the shell then. Quote Share this post Link to post
d4rk5oul 1 Posted ... Didn’t realise the screen command was doing anything. I just entered the command and then got taken back to a prompt. I think I get it now, its running in the background. Just assumed i’d get an acknowledgement the command had worked first. Can also see stunnel in logs now. New problem I'm having is setting up the client. This is what I've got in status logs: Feb 25 00:54:23 openvpn 7161 Restart pause, 5 second(s) Feb 25 00:54:23 openvpn 7161 SIGUSR1[soft,connection-reset] received, process restarting Feb 25 00:54:23 openvpn 7161 Connection reset, restarting [0] Feb 25 00:54:23 openvpn 7161 TCP_CLIENT link remote: [AF_INET]127.0.0.1:1413 Feb 25 00:54:23 openvpn 7161 TCP_CLIENT link local (bound): [AF_INET]127.0.0.1:0 Feb 25 00:54:23 openvpn 7161 TCP connection established with [AF_INET]127.0.0.1:1413 Feb 25 00:54:22 openvpn 7161 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock] Feb 25 00:54:22 openvpn 7161 Socket Buffers: R=[65228->65228] S=[65228->65228] Feb 25 00:54:22 openvpn 7161 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1413 Feb 25 00:54:22 openvpn 7161 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 25 00:54:17 openvpn 7161 Restart pause, 5 second(s) Feb 25 00:54:17 openvpn 7161 SIGUSR1[soft,connection-reset] received, process restarting Feb 25 00:54:17 openvpn 7161 Connection reset, restarting [0] Feb 25 00:54:17 openvpn 7161 TCP_CLIENT link remote: [AF_INET]127.0.0.1:1413 Feb 25 00:54:17 openvpn 7161 TCP_CLIENT link local (bound): [AF_INET]127.0.0.1:0 Feb 25 00:54:17 openvpn 7161 TCP connection established with [AF_INET]127.0.0.1:1413 Feb 25 00:54:16 openvpn 7161 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock] Feb 25 00:54:16 openvpn 7161 Socket Buffers: R=[65228->65228] S=[65228->65228] Feb 25 00:54:16 openvpn 7161 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1413 Feb 25 00:54:16 openvpn 7161 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Feb 25 00:54:16 openvpn 7161 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Feb 25 00:54:16 openvpn 7161 Initializing OpenSSL support for engine 'cryptodev' Feb 25 00:54:16 openvpn 7161 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 25 00:54:16 openvpn 7161 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock Feb 25 00:54:16 openvpn 6896 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10 Feb 25 00:54:16 openvpn 6896 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [sSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017 Feb 25 00:54:16 openvpn 72132 SIGTERM[hard,init_instance] received, process exiting Feb 25 00:54:05 openvpn 72132 Restart pause, 40 second(s) Feb 25 00:54:05 openvpn 72132 SIGUSR1[soft,connection-reset] received, process restarting Feb 25 00:54:05 openvpn 72132 TCP/UDP: Closing socket Feb 25 00:54:05 openvpn 72132 Connection reset, restarting [0] Feb 25 00:54:05 openvpn 72132 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Quote Share this post Link to post
go558a83nk 364 Posted ... well if you're using pfsense 2.4.2 things might be different from those instructions. for example, now stunnel can be installed via the package manager in pfsense. if you've installed the freebsd 10 version of stunnel that might cause problems in pfsense 2.4.2 which is based on freebsd 11. just a guess. Quote Share this post Link to post
d4rk5oul 1 Posted ... Yeah looking at instructions for old versions makes things a lot more confusing. I installed stunnel from the package manager though so I don't think its that.What's frustrating is if I run the .ovpn from shell it seems to connect ok. Or at least it ends with: Initialization Sequence Completed. I just then cant translate that into a working client in the GUI doing the same thing.Are the certs the same?Do I need to use the stunnel.crt for the CA cert under the cert manager instead of the normal ca.crt or something? Quote Share this post Link to post
go558a83nk 364 Posted ... Yeah looking at instructions for old versions makes things a lot more confusing. I installed stunnel from the package manager though so I don't think its that.What's frustrating is if I run the .ovpn from shell it seems to connect ok. Or at least it ends with: Initialization Sequence Completed. I just then cant translate that into a working client in the GUI doing the same thing.Are the certs the same?Do I need to use the stunnel.crt for the CA cert under the cert manager instead of the normal ca.crt or something? ca.crt is always the same. it sounds to me like you're not configuring the GUI correctly. Quote Share this post Link to post
d4rk5oul 1 Posted ... Indeed I had not. Just figured out what was tripping me up. I hadn’t selected SHA1. Was using SHA256. Clients working now. New problem: You wouldn’t happen to know how I make it so the screen/stunnel automaticity runs upon reboot would you? 1 TDJ211 reacted to this Quote Share this post Link to post
go558a83nk 364 Posted ... Indeed I had not. Just figured out what was tripping me up. I hadn’t selected SHA1. Was using SHA256. Clients working now. New problem: You wouldn’t happen to know how I make it so the screen/stunnel automaticity runs upon reboot would you? I'm sure there's a way but I wouldn't know how to do it. Glad you have it working! Quote Share this post Link to post
awair 0 Posted ... Any chance you could post some screen shots of your pfsense stunned options? I am struggling with this as well. Many thanks Quote Share this post Link to post
go558a83nk 364 Posted ... Any chance you could post some screen shots of your pfsense stunned options? I am struggling with this as well. Many thanks I don't use stunnel but had originally set it up just to say I could. Now my first question to you is why do you want stunnel? If you're needing SSL tunnel for something you might get what you want just using the new tls-crypt option. Quote Share this post Link to post
Survival 0 Posted ... On 6/10/2018 at 4:37 PM, go558a83nk said: I don't use stunnel but had originally set it up just to say I could. Now my first question to you is why do you want stunnel? If you're needing SSL tunnel for something you might get what you want just using the new tls-crypt option. Did you mean TLS Key Usage Mode: TLS Encryption and Authentication mode in VPN Client of pfsense? Will it hide a traffic from DPI of ISP similar way as stunnel via SSL does? And does AirVPN permit such a connection to their servers? Thanks! Quote Share this post Link to post
go558a83nk 364 Posted ... 7 hours ago, Survival said: Did you mean TLS Key Usage Mode: TLS Encryption and Authentication mode in VPN Client of pfsense? Will it hide a traffic from DPI of ISP similar way as stunnel via SSL does? And does AirVPN permit such a connection to their servers? Thanks! Yes Some people find it works in places where only SSL would work previously. Yes. You must connect to entry IP 3 or 4, use SHA512 for auth digest, and of course use the TLS encryption and auth setting for the TLS key 1 Survival reacted to this Quote Share this post Link to post
Survival 0 Posted ... On 2/12/2020 at 8:23 AM, go558a83nk said: Yes Some people find it works in places where only SSL would work previously. Yes. You must connect to entry IP 3 or 4, use SHA512 for auth digest, and of course use the TLS encryption and auth setting for the TLS key Great! Thanks! Will try it out later. Quote Share this post Link to post