I really like pfsense it makes a really good firewall, router, vpn connector – alone or together. The web interface is intuitive and the first-run wizard “just works”. I am using it to run an OpenVPN VPN.

OpenVPN comes with a feature called “TLS Auth”: which basically uses TLS to encrypt the SSL handshake between client and server. Ok that wasn’t basic: makes saying hello safe. However the pfsense GUI for configuring an OpenVPN server does not, yet, support tls-auth. As documented in the previous link you can add custom configuration options and manually create the file until v1.3 is released.

Here’s the point: The pfsense + openvpn boot scripts will write the OpenVPN configuration files and security certificates to: /var/etc/openvpn_serverX.* (X being the instance number). So for consistency you might be inclined to create your tls-auth file as /var/etc/openvpn_serverX.tls.

DON’T!

The /var/etc folder gets cleared on reboot. Which is a feature of pfsense’s PHP init scripts + in hind sight sensible.

So today’s lesson is: When manually specifying tls-auth support for OpenVPN on pfsense-1.2.X put the tls-auth file in /etc/openvpn_serverX.tls so that it is persistent.

I spent a few hours this afternoon upgrading some of the work firewalls, which run pfSesne, from v1.2 to v1.2.1. Which was released a few days ago. Here are my notes and warnings after following the Install and Upgrade documentation.

In theory, the upgrade is meant to be fairly straight forward. You can try to do an online upgrade. However there are documented issues with that. The other option is to reinstall, which in this case means: reflash the CF cards. So long as you have a config backup then you can simply restore your settings and off you go. All in all:

1. Download the new image file
2. Stick the CF card in your CF card adapter
3. zcat pfsense.img.gz | dd of=/dev/XYZ bs=16k
4. Stick the CF card back in the firewall
5. Boot and restore the config

Gotcha #1: The new image does not have any network setup by default. In theory, once again, you should have a serial cable (DSUB 9) that you use to access the serial console of your firewall. Configure a LAN interface address, then use the web interface to restore the config file. Unfortunately I did not have a serial cable; we’ll leave why out of it. I dealt with this by building a config file within the embedded image before writing to the CF card. You’ll need QEMU to do this. Note these steps derived from the Mac_OS_X_together_with_qemu section of the Install documentation.

# Unzip the embedded image and start it with QEMU;
# - Two NICs LAN / WAN
# - The qemu command is all one line
gunzip pfsense.img.gz
qemu -hda pfsense.img -net nic,vlan=0 -net nic,vlan=1 -serial telnet::7890,server,nowait
# Now open a terminal and fake a serial console with telnet
telnet localhost 7890
# You'll need to configure your network devices during boot.
# I used generic settings so I could flash the image to multiple cards
# When you reach the main menu push 8 for a shell
mount -u /cf
cd /conf
vi config.xml
# Check the interfaces are configured properly then
exit
# Choose option 6 to halt the emulated machine.
# Write the updated image to your CF card
dd if=pfsense.img of=/dev/XYZ bs=16k

QEMU is available for most major incarnations of most operating systems. The above are fairly Linux specific but should be easy enough to translate; dd is a physical disk dump program.

Gotcha #2: Bogon Networks! Are updated by a cron script on the 1st of each month at 3:01AM. Unfortunately the default list includes IP’s assigned by Optus Wireless Broadband – which means if I’m using one of Works USB modems I can’t access the servers. That’s bad!. Really the bogon list should be updated during the setup wizard if you turn bogon filtering on. See this pfSense forum topic for how to manually update your bogon filter.

Gotcha #3: Your backup config file DOES NOT contain certain settings. OpenVPN configurations for example. Make sure you have a copy of any custom settings not contained in the backup config file; otherwise be prepared to reconfigure.

And that’s all.