I’ve been forced to work from home for a few weeks, and I’m trying to set up a site to site VPN with my pfSense as the server.
I set pfSense openVPN to use a preshared key and exported a .ovpn file with the settings. The file imports fine but when I try to connect the ar750s errors about TLS, username, secret.
The psk I made as a 256bit key if this matters.
What I’m guessing is that I need to set up my server to use the TLS settings and certificates instead of using the preshared key. Is this correct?
Asking this vs. just trying it because my access to work is on a limited basis so I want to try and get my info together before I go back to work. Running the latest stable of pfSense and just updated my ar750s last night.
so you tried the client .ovpn file on an ar750s. got some tls errors. It sounds like a new setup so can you test the client .ovpn file on another client machine like android,windows,linux for just to make sure it is a working and functioning ovpn client file
I do have some connection issues I need to work out, so I’m hoping this is the reason. I set up another pfsense machine at home, and it is only getting partial connection. I think at the college’s firewall, they only forward TCP traffic to me. I know I set the server for UDP traffic so need to fix that. Planning to work on that tomorrow. Once I get both pfsense machines talking to each other, I can get back to testing with the ar750s. The little router uses much less power, so it is my preferred device if I can get things working.
That is the error I’m getting. I did have a tunnel up earlier today with pfsense on both ends after changing to tcp.
Here is the config file that I’m trying to use:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
pull
resolv-retry infinite
proto tcp-client
remote xxxx.yyyy.edu 8003
ifconfig 172.16.0.2 172.16.0.1
keepalive 10 60
ping-timer-rem
(secret)
2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
BIG LONG KEY
-----END OpenVPN Static key V1-----
(/secret)
Hmmm… Looks like the preformatted function didn’t work right, hope this comes out OK. I’m failing massively at formatting that config file for the screen. There are a bunch of hash marks after the secret (which I also had to change to ( )) and before the Begin key that I had to take out.
More details are that this is connected to another router at the house then to cable modem. At work it is pfsense to network with port 8003 from campus firewall forwarded back to my pfsense. Again I did have a tunnel up with pfsense to pfsense earlier. It looks like I’m not going to be able to use the static shared key for this, that it requires a tls certificate to make this device work. Maybe I’ll have to reconfigure my server and try again.
Other than the editing to remove the personal info and to remove what the forum thinks is formatting, that’s straight out of the export tool in pfsense for a shared key VPN.
okay so is it the same as /etc/openvpn/ovpn0/EMCfirewall-TCP4-8004-config.ovpn
your file you posted looks like pre-import settings.
location above is post import “actual settings being used on your connection” that is giving you the output screen you are posting in this forum and giving you the errors you qre questioning. they are prolly the same but you just have to check and start from there.
@Greg_E
Is it possible to draw a map of your network connection, and provide a copy of your VPN configuration, I can help you test, you can contact me via email, my email address: guilin.wang@gl-inet.com
Once I figure out what I’ve done wrong, I can send you the info. My pfsense to pfsense tunnel is still not working, no gateways on either end but the tunnel is up. Once I fix that so it works, I’ll come back to trying the AR750S. For the time being, I have Teamviewer installed so I can get to both ends easily.
I’m also still allowed to go to my office as needed and live close enough that it is easy. But I want to tackle this problem, even just for my own satisfaction.
I gave up on this. I got pfsense to connect to each other, had an odd “bug” that was stopping it. When I chose 172.16.0.0/16 for the tunnel network it was causing the gateways to fail. Changed to 172.16.0.0/24 and suddenly the gateways popped up and I could get into my network.
I did try the ar750s again and edited the config file to us – in front of the secret and /secret parts of the key. My errors went away but still no connection. It probably still has something to do with the tunnel network because there us no where in the config file or the GUI to specify the subnet.
Also I abandoned this because it wanted to send all traffic through the VPN which would have been a lot slower for general internet. pfSense allows general traffic to bypass the tunnel, and only the required traffic passes through the tunnel. So I just set the ar750s to be an access point for now. I’ll dig into things when I have more time and see if I can get things working. The ar750s is much more power efficient than the little computer I have running pfsense.
Yesterday after spending a day I set up a VPN connection between my pfsense (2.3.5) and ar750s so I can help you with that. As you probably noticed when you import ovpn file the wizard adds incorrect options into the file - that is why you are getting the meaningless error "–secret vs " and manual file modification is required.
But honestly I don’t think it’s worth it especially if you are going to use it for work. The max speed over OpenVPN tunnel I have seen was about 12Mpbs up/down, the wifi 5GHz stuck at 54Mbps link speed, the latest firmware causes constant disconnects of wifi 5 Ghz clients (I saw another thread discussing this problem, so I had to switch back from 3.101 to 3.025), the SSH/FTP clients constantly disconnect and it creates real royal pain … In my case I redirect DNS requests to pfsense using “dhcp-option DNS” option, the VPN does not work after restart - i.e. the tunnel is set but DNS is not therefore there is no doman name resolution for VPN clients - to make it work one has to restart VPN tunnel manually after reboot. I wanted to install the latest stable release of OpenWrt (not 4MB version) - does not seem to be a simple process (the forum contains questions regarding this subject but not answers)
I periodically see in the log different error messages saying that openvpn daemon crashed - all this makes me think that I cannot rely on this small and cute device for anything serious. But I do like the fact that it has GPIO support and I can carry it in my pocket (I saw several reviews were people mentioned that as the primary advantage on this device - hello, guys this is a router and it should be reviewed as it) - may be I can use it to control my electronic cat feeder (at the moment it uses ATTINY85 + ESP8266), although it would be a very expensive alternative - I just bought it in Canada for 109$. Other than that this is a toy which can be easily outperformed by a much cheaper Raspberry Pi - just saying.
PS: the message was edited - spelling corrections.
I don’t think I’ve seen the disconnects on 5ghz, but I have had a few rdp sessions drop and restart which makes me think maybe I have seen the problem. Ad far as speed, I knew it was going to be very limited, I only have around 6mbps upload. I did transfer one file from home to work, only 30MB and it took forever, but that was probably my upload speed.
I have an old Buffalo access point that I may put back into service. The only reason I bought this ar750s was to route from my Cisco lab to my home network, but with this work from home stuff, had to press that rack into service doing other things? With the pfsense box at home, don’t really need this other device right now.
I just upgraded the firmware from 3.025 to 3.1.0 and the situation was greatly improved - the link rate for 5HGz radio now can go up to advertised 433 Mbps, the 5HGz radio works more stable i.e. I don’t see that frequent disconnects. I am bit reluctant to upgrade to the latest 3.1.0.1 because the is a topic on the forum discussing the 5HGz radio related problems in the 3.1.0.1
I have a question about max transmit power of the device - I see that it can go up to 1000 mW i.e.30 dBm for higher frequencies ( 5HGz, channels 149 and up). How realistic is this and are those just meaningless numbers and the driver somehow limits the actual output to something more realistic?
I understand that when we speak about 30 dBm then we should keep in mind that 30 dBm is the combination of the device output + antenna attenuation. But even then this si very high for such small device. Unfortunately my SDR cannot go that high (5 GHz) to evaluate the realistic transmit power of the device but may be someone has already done this evaluation?
None of the routers will go higher than the FCC max, which is something like 120mW (20dBm) if i >remember correctly.
It seems to be very true at least in this particular case (unless I am seriously mistaken).
I began to monitor the power consumption of the device while changing transmit power in GL Web interface and OpenWrt Advanced section (I tried to reboot the router after each change). First of all those transmit power levels shown the GL Web interface and OpenWrt Advanced section don’t always match (can be 0 dBm (10mW) in the OpwnWrt options and “High” in the the GL Web, secondly the power consumption of the device with both radios on ( OpenVpn (AES128) , idles around 460-550 mA.
2.4GHz is WAN (OpenVpn cleint is on), a wired client is connected to LAN, another wireless client is connected to 5GHz. When the wireless or wired client runs speedtest the current consumption jumps to 700-740 mA.
Changing transmit power for 5Ghz client from 10 to 1000 mW (reboot, restart) does not change the total current consumption of the device meaning that most likely the output transmission power is locked to a certain value. I wonder why is that since for example in Canada you legally can go as high as 1000 mW for certain Wifi channels. I have seen on Amazon Alpha USB powered wireless adapters also mentioning 1, 2W output levels - are those numbers are also totally meaningless in real world applications? On the other hand, realistically speaking, how it is to possible to power a radio transmitting 2 Watts with 5V / 0.5A?