Netgate Discussion Forum
    PIA OpenVPN Unable to Contact Daemon (Solution?)

    3 Posts 1 Posters 4.9k Views
    Blade Runner

      I started with pfSense 2.2.4. PIA was configured using the guide posted on the author's website and on this forum. OpenVPN issues began after upgrading to 2.3.1 from 2.3. The client was not running when viewed from the Dashboard, yet the PIA service was running. It was a lesson in futility using the GUI to restart the service. Rebooting pfSense and resetting the cable modem (several times :() did not resolve the issue. I searched and found the following links:

      https://forum.pfsense.org/index.php?topic=80348.msg438242#msg438242
      https://forum.pfsense.org/index.php?topic=69366

      I logged into the GUI, Diagnostics=>Command Prompt, Execute Shell Command:

      ps auxww | grep openvpn
      

      Click on 'Execute', and the result:

      root    92027  12.4  0.1  21624  5904  -  Ss    2:37PM   45:00.97 /usr/local/sbin/openvpn --config /var/etc/openvpn/client1.conf
      root    65280   0.0  0.0  17000  2512  -  S     8:40PM    0:00.00 sh -c ps auxww | grep openvpn 2>&1
      root    65643   0.0  0.0  18740  2252  -  S     8:40PM    0:00.00 grep openvpn
      

      Another Execute Shell Command to kill the process (first number):

      kill -9 92027
      

      Go to VPN=>OpenVPN=>Clients, click on the bar graph (related status), and restart the service (arrow). Websites were either slow or timed out, yet the OpenVPN service was up.

      Reviewing the OpenVPN log:

      May 30 00:48:32	openvpn	33558	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
      May 30 00:48:32	openvpn	33558	WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
      

      Reviewing the OpenVPN client settings (VPN=>OpenVPN=>Clients=>Edit), the following changes were made:

      Tunnel Settings=>Compression changed to 'Disabled - No Compression' from 'No Preference' (the original pfSense PIA guide has 'Compress tunnel packets using the LZO algorithm' checked)

      Advanced Configuration=>Verbosity level changed to 3 (recommended) from the default

      No warnings about link-mtu and comp-lzo in either the OpenVPN or System log. Most websites load faster; however, some continue to lag. If the settings are incorrect or should be changed, then please post a response.

      Do not be afraid to fail.

      Blade Runner

        My solution was to reset to factory defaults and properly configure PIA. I initially configured PIA on 2.2.4. Encryption was changed to AES-256-CBC from AES-128-CBC when it was available. I noticed differences in internet access after upgrading to 2.3.1_x from 2.3. PIA appeared to be functional, but the upgrade exposed deficiencies :(

        The OP hasn't updated the guide; however, it is helpful.

        The 'Create Password File' section is unnecessary because the username and password are in the OpenVPN->Client section, User Authentication Settings.

        Server Port = 1196, not 1194, because I'm using AES-128-CBC (128-bit), not BF-CBC (128-bit) encryption. The auth digest algorithm is SHA1 (160-bit), not SHA (160-bit).

        Compression is 'Enabled with Adaptive Compression'. I previously had 'No Preference' enabled.

        I verified the service was functioning from Status->System Logs->OpenVPN:

        Jun 2 06:47:14	openvpn	86098	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
        Jun 2 06:47:14	openvpn	86098	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
        Jun 2 06:47:14	openvpn	86098	WARNING: file '/etc/openvpn-password.txt' is group or others accessible
        Jun 2 06:47:14	openvpn	86873	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
        Jun 2 06:47:14	openvpn	86873	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jun 2 06:47:14	openvpn	86873	Initializing OpenSSL support for engine 'cryptodev'
        Jun 2 06:47:14	openvpn	86873	LZO compression initialized
        Jun 2 06:47:14	openvpn	86873	Control Channel MTU parms [ L:1558 D:1212 EF:38 EB:0 ET:0 EL:3 ]
        Jun 2 06:47:14	openvpn	86873	Socket Buffers: R=[42080->42080] S=[57344->57344]
        Jun 2 06:47:15	openvpn	86873	Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
        Jun 2 06:47:15	openvpn	86873	Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
        Jun 2 06:47:15	openvpn	86873	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
        Jun 2 06:47:15	openvpn	86873	Local Options hash (VER=V4): '66096c33'
        Jun 2 06:47:15	openvpn	86873	Expected Remote Options hash (VER=V4): '691e95c7'
        Jun 2 06:47:15	openvpn	86873	UDPv4 link local (bound): [AF_INET]76.94.96.149
        Jun 2 06:47:15	openvpn	86873	UDPv4 link remote: [AF_INET]198.8.80.48:1196
        Jun 2 06:47:15	openvpn	86873	TLS: Initial packet from [AF_INET]198.8.80.48:1196, sid=78bfb619 f2a4da17
        Jun 2 06:47:15	openvpn	86873	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Jun 2 06:47:15	openvpn	86873	VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
        Jun 2 06:47:15	openvpn	86873	Validating certificate key usage
        Jun 2 06:47:15	openvpn	86873	++ Certificate has key usage 00a0, expects 00a0
        Jun 2 06:47:15	openvpn	86873	VERIFY KU OK
        Jun 2 06:47:15	openvpn	86873	Validating certificate extended key usage
        Jun 2 06:47:15	openvpn	86873	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
        Jun 2 06:47:15	openvpn	86873	VERIFY EKU OK
        Jun 2 06:47:15	openvpn	86873	VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
        Jun 2 06:47:15	openvpn	86873	Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
        Jun 2 06:47:15	openvpn	86873	Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jun 2 06:47:15	openvpn	86873	Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
        Jun 2 06:47:15	openvpn	86873	Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jun 2 06:47:15	openvpn	86873	Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
        Jun 2 06:47:15	openvpn	86873	[Private Internet Access] Peer Connection Initiated with [AF_INET]198.8.80.48:1196
        Jun 2 06:47:17	openvpn	86873	SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
        Jun 2 06:47:17	openvpn	86873	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.100.4.1,topology net30,ifconfig 10.100.4.6 10.100.4.5'
        Jun 2 06:47:17	openvpn	86873	OPTIONS IMPORT: timers and/or timeouts modified
        Jun 2 06:47:17	openvpn	86873	OPTIONS IMPORT: LZO parms modified
        Jun 2 06:47:17	openvpn	86873	OPTIONS IMPORT: --ifconfig/up options modified
        Jun 2 06:47:17	openvpn	86873	OPTIONS IMPORT: route options modified
        Jun 2 06:47:17	openvpn	86873	OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Jun 2 06:47:17	openvpn	86873	ROUTE_GATEWAY xxx.xxx.xxx.xxx
        Jun 2 06:47:17	openvpn	86873	TUN/TAP device ovpnc1 exists previously, keep at program end
        Jun 2 06:47:17	openvpn	86873	TUN/TAP device /dev/tun1 opened
        Jun 2 06:47:17	openvpn	86873	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Jun 2 06:47:17	openvpn	86873	/sbin/ifconfig ovpnc1 10.100.4.6 10.100.4.5 mtu 1500 netmask 255.255.255.255 up
        Jun 2 06:47:17	openvpn	86873	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.100.4.6 10.100.4.5 init
        Jun 2 06:47:17	openvpn	86873	/sbin/route add -net 198.8.80.48 xxx.xxx.xxx.xxx 255.255.255.255
        Jun 2 06:47:17	openvpn	86873	/sbin/route add -net 0.0.0.0 10.100.4.5 128.0.0.0
        Jun 2 06:47:17	openvpn	86873	/sbin/route add -net 128.0.0.0 10.100.4.5 128.0.0.0
        Jun 2 06:47:17	openvpn	86873	/sbin/route add -net 10.100.4.1 10.100.4.5 255.255.255.255
        Jun 2 06:47:17	openvpn	86873	Initialization Sequence Completed
        

        The following error message will occasionally appear:

        Jun 2 05:53:47	openvpn	6863	PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000000000000000000000000000000000000000000000000000000000] 0:9741 0:9740 t=1464872027[0] r=[-1,64,15,1,1] sl=[51,64,64,528]
        Jun 2 05:54:29	openvpn	6863	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
        Jun 2 05:54:29	openvpn	6863	MANAGEMENT: CMD 'state 1'
        Jun 2 05:54:29	openvpn	6863	MANAGEMENT: CMD 'status 2'
        Jun 2 05:54:29	openvpn	6863	MANAGEMENT: Client disconnected
        

        This error is prompted by network congestion and latency when using UDP. Packets are either dropped or received by the server in the wrong order. The issue could be resolved by switching to TCP, but it's slower than UDP.

        I highly recommend troubleshooting without either distractions or time constraints. I should have heeded my own advice because it was trial and more error.

        Do not be afraid to fail.

        Blade Runner
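Both posts above rely on reading the OpenVPN log by eye: the first for the 'used inconsistently' and 'missing in local config' option warnings, the second for the credential-file and password-cache warnings and the recurring replay-window backtrack messages. The script below is an added example, not code from the thread or from pfSense. It parses lines in the Status->System Logs->OpenVPN format shown above (timestamp, program, PID and message separated by tabs), diffs the Local and Expected Remote option strings key by key, collects the security-relevant warnings with a remediation hint, and counts backtrack events per process. The embedded log lines are copied from the thread (the long replay-window hex field is shortened); the SECURITY_WARNINGS table and its advice text are assumptions of this example, not OpenVPN output.

```python
"""Triage helper for pfSense OpenVPN client log lines (added example)."""
import re
from collections import Counter

# pfSense log format: "Mon D HH:MM:SS<TAB>openvpn<TAB>PID<TAB>message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\t(?P<prog>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$"
)
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, local='(?P<local>[^']+)', remote='(?P<remote>[^']+)'"
)
MISSING_RE = re.compile(r"WARNING: '(?P<opt>[^']+)' is present in remote config but missing in local config")
OPTIONS_RE = re.compile(r"^(?P<side>Local|Expected Remote) Options String: '(?P<opts>[^']+)'")

# Substrings of OpenVPN warnings that affect the tunnel's security posture,
# mapped to a remediation hint. The hints are this example's own wording.
SECURITY_WARNINGS = {
    "is group or others accessible": "credential file readable by other users; restrict it to the owner (mode 600)",
    "may cache passwords in memory": "add auth-nocache so the password is not retained in process memory",
    "--script-security setting may allow": "review the script-security level; hook scripts run with root privileges",
}

# Log lines copied from the thread; the replay-window hex field is shortened.
SAMPLE_LOG = [
    "May 30 00:48:32\topenvpn\t33558\tWARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'",
    "May 30 00:48:32\topenvpn\t33558\tWARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'",
    "Jun 2 06:47:14\topenvpn\t86098\tWARNING: file '/etc/openvpn-password.txt' is group or others accessible",
    "Jun 2 06:47:15\topenvpn\t86873\tLocal Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'",
    "Jun 2 06:47:15\topenvpn\t86873\tExpected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'",
    "Jun 2 06:47:15\topenvpn\t86873\tWARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this",
    "Jun 2 05:53:47\topenvpn\t6863\tPID_ERR replay-window backtrack occurred [1] [SSL-0] [0_0000] 0:9741 0:9740 t=1464872027[0] r=[-1,64,15,1,1] sl=[51,64,64,528]",
    "Jun 2 05:53:48\topenvpn\t6863\tPID_ERR replay-window backtrack occurred [1] [SSL-0] [0_0000] 0:9743 0:9742 t=1464872028[0] r=[-1,64,15,1,1] sl=[51,64,64,528]",
    "Jun 2 05:54:29\topenvpn\t6863\tMANAGEMENT: CMD 'state 1'",
]


def parse_line(line):
    """Split one pfSense log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_options(opts):
    """Turn "V4,dev-type tun,link-mtu 1558,..." into {"dev-type": "tun", ...}.
    Bare flags (V4, comp-lzo, tls-client) map to an empty string."""
    result = {}
    for item in opts.split(","):
        key, _, value = item.strip().partition(" ")
        result[key] = value
    return result


def diff_options(local, remote):
    """Return {key: (local_value, remote_value)} for every option that differs
    or exists on one side only. tls-client/tls-server is the expected role
    asymmetry between client and server and is ignored."""
    ignore = {"tls-client", "tls-server"}
    return {
        key: (local.get(key), remote.get(key))
        for key in (set(local) | set(remote)) - ignore
        if local.get(key) != remote.get(key)
    }


def triage(lines):
    """Build a report over an iterable of log lines."""
    report = {"mismatches": {}, "security": [], "backtrack": Counter(), "options": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "openvpn":
            continue
        msg = rec["msg"]
        if m := INCONSISTENT_RE.search(msg):
            report["mismatches"][m["opt"]] = (m["local"], m["remote"])
        elif m := MISSING_RE.search(msg):
            report["mismatches"][m["opt"]] = (None, m["opt"])  # absent locally, present remotely
        elif m := OPTIONS_RE.match(msg):
            report["options"][m["side"]] = parse_options(m["opts"])
        elif "PID_ERR replay-window backtrack" in msg:
            report["backtrack"][rec["pid"]] += 1
        else:
            for needle, advice in SECURITY_WARNINGS.items():
                if needle in msg:
                    report["security"].append((rec["pid"], advice))
    # When both option strings were logged, diff them even if no WARNING line fired.
    if {"Local", "Expected Remote"} <= set(report["options"]):
        report["mismatches"].update(
            diff_options(report["options"]["Local"], report["options"]["Expected Remote"])
        )
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for opt, (local, remote) in rep["mismatches"].items():
        print(f"option mismatch {opt}: local={local!r} remote={remote!r}")
    for pid, advice in rep["security"]:
        print(f"pid {pid}: {advice}")
    for pid, n in rep["backtrack"].items():
        print(f"pid {pid}: {n} replay-window backtrack event(s)")
```

Running the script over the sample lines reports the two option mismatches from the first post, the two security warnings from the second post's log, and two backtrack events for PID 6863. A steady trickle of backtrack events on a UDP tunnel matches the reordering explanation given above; a sudden burst from a single peer is worth correlating with the WAN interface counters before attributing it to congestion.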

          My solution was to 1) reinstall pfSense 2.24, 2) observe browsing and website response, 3) allow the program to download and install the current version. Repeat Step 2. Install security update 2.3.1_1. Repeat Step 2. PIA was configured per the guide and modified instructions. Repeat Step 2.

          I can't describe it, yet browsing 'feels' normal, like before the upgrade to 2.3.

          The initial upgrade to 2.3.1 from 2.2.6 failed. IIRC it required 3 attempts. I didn't realize it, but there were big changes to 2.3 from 2.2.x.

          IMO the OpenVPN issues were triggered by incremental updates that did not properly address PHP.

          I suggest reinstalling the previous pfSense without configuring OpenVPN. Allow the program to download and install the current version, install the security update(s), and configure OpenVPN.

          Hope this helps.

          Do not be afraid to fail.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.