Netgate Discussion Forum

Trying to setup OpenVPN to HotspotShield but won't connect

OpenVPN
    gerrit700
    last edited by Jan 31, 2022, 10:31 PM

    Hi, I'm trying to set up an OpenVPN connection with HotspotShield VPN but it won't connect.


    Below you'll find my network situation with an explanation of what's working and what isn't in this topic. From pfSense I can ping the HotspotShield VPN server, and I can set up a VPN connection from a test VM in the same network as pfSense.


    Below the logging:
    Jan 31 20:59:57 openvpn 26641 Restart pause, 300 second(s)
    Jan 31 20:59:57 openvpn 26641 SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 20:59:57 openvpn 26641 TCP/UDP: Closing socket
    Jan 31 20:59:57 openvpn 26641 [island-school.us] Inactivity timeout (--ping-restart), restarting
    Jan 31 20:58:57 openvpn 26641 VERIFY OK: depth=0, CN=island-school.us
    Jan 31 20:58:57 openvpn 26641 VERIFY EKU OK
    Jan 31 20:58:57 openvpn 26641 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Jan 31 20:58:57 openvpn 26641 Validating certificate extended key usage
    Jan 31 20:58:57 openvpn 26641 VERIFY KU OK
    Jan 31 20:58:57 openvpn 26641 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
    Jan 31 20:58:57 openvpn 26641 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
    Jan 31 20:58:57 openvpn 26641 VERIFY WARNING: depth=2, unable to get certificate CRL: C=US, O=Internet Security Research Group, CN=ISRG Root X1
    Jan 31 20:58:57 openvpn 26641 VERIFY WARNING: depth=1, unable to get certificate CRL: C=US, O=Let's Encrypt, CN=R3
    Jan 31 20:58:57 openvpn 26641 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=island-school.us
    Jan 31 20:58:57 openvpn 26641 TLS: Initial packet from [AF_INET]185.94.188.148:8041, sid=e147d894 f36192da
    Jan 31 20:58:57 openvpn 26641 UDPv4 link remote: [AF_INET]185.94.188.148:8041
    Jan 31 20:58:57 openvpn 26641 UDPv4 link local (bound): [AF_INET]10.0.0.8:0
    Jan 31 20:58:57 openvpn 26641 Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jan 31 20:58:57 openvpn 26641 TCP/UDP: Preserving recently used remote address: [AF_INET]185.94.188.148:8041
    Jan 31 20:58:57 openvpn 26641 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
    Jan 31 20:58:57 openvpn 26641 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
    Jan 31 20:58:57 openvpn 26641 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Jan 31 20:58:57 openvpn 26641 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Jan 31 20:58:57 openvpn 26641 Re-using SSL/TLS context
    Jan 31 20:58:57 openvpn 26641 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

    Below I've added some screenshots of the firewall and NAT rules and the VPN settings.

    Firewall rules (screenshot)

    NAT rule (screenshot)

    VPN config (screenshots)

    Of course I've checked many topics here at Netgate and on other fora, but I didn't find the solution.

      viragomann @gerrit700
      last edited by Feb 1, 2022, 10:14 AM

      @gerrit700
      The log should show some more lines of the connection establishment.

      What is the goal of this VPN? Accessing the remote site or passing the upstream traffic over it?

      What do you intend with the stated advanced options? "persist-key" and "persist-tun" are used by default anyway. Why "reneg-sec 0"?

      Consider that your policy routing LAN rule passes any traffic from LAN devices to the OpenVPN server. Hence accessing local addresses is not possible with this. Consider that if the LAN devices are set to use a local DNS, they will fail.

        gerrit700 @viragomann
        last edited by Feb 1, 2022, 11:33 AM

        Hi @viragomann ,

        Thanks for your answer.

        "The log should show some more lines of the connection establishment."

        I have the verbosity level at 4, so if you want more logging I can set it higher and post that here.

        "What is the goal of this VPN? Accessing the remote site or passing the upstream traffic over it?"

        Passing the upstream traffic. It will be a test network for scambaiting and I want to prevent that they can see my own IP-address when they get me.

        "What do you intend with the stated advanced options? "persist-key" and "persist-tun" are used by default anyway. Why "reneg-sec 0"?"

        I've watched this video from NetworkChuck, in which he shows how to set it up with PrivateInternetAccess. He copies this info from the .ovpn file into the VPN settings.
        https://youtu.be/lUzSsX4T4WQ?t=1282

        I tried it also without these custom options but no luck.

        "Consider that your policy routing LAN rule passes any traffic from LAN devices to the OpenVPN server. Hence accessing local addresses is not possible with this. Consider that if the LAN devices are set to use a local DNS, they will fail."

        The local addresses can connect to each other because they're in the same network. Only internet traffic goes through the VPN.

        In pfSense I've set the DNS to 1.1.1.1 and 8.8.8.8, and for the clients 10.40.0.1, pfSense itself.

          gerrit700 @viragomann
          last edited by Feb 1, 2022, 11:39 AM

          Hi @viragomann ,

          I've just removed the custom options but still no luck.

            viragomann @gerrit700
            last edited by Feb 1, 2022, 12:16 PM

            @gerrit700
            No, you don't need a higher log level. But the link connection seems not to have finished in the shown section.

            Doesn't the server require a client cert?

            "In pfSense I've set the DNS to 1.1.1.1 and 8.8.8.8, and for the clients 10.40.0.1, pfSense itself."

            So when the connection is up, the LAN devices won't be able to resolve host names.

              bcruze
              last edited by bcruze Feb 1, 2022, 12:18 PM Feb 1, 2022, 12:17 PM

              The directions say to use 256cbc.
              You do not have that added to be utilized.

              Compression: you may have to try some of the less secure methods... they are not clear on that...

                gerrit700 @viragomann
                last edited by gerrit700 Feb 1, 2022, 12:57 PM Feb 1, 2022, 12:55 PM

                @viragomann

                "Doesn't the server require a client cert?"

                I don't know, I cannot find any usable info from HotspotShield. They provide only a .ovpn file.

                "So when the connection is up, the LAN devices won't be able to resolve host names."

                Okay, so I need to override 10.40.0.1 with 1.1.1.1 and 8.8.8.8 in the DHCP scope so the clients get these DNS servers?

                  gerrit700 @bcruze
                  last edited by Feb 1, 2022, 1:14 PM

                  Hi @bcruze,

                  "The directions say to use 256cbc. You do not have that added to be utilized."

                  I've added 256cbc.

                  New logging after this change:

                  Feb 1 14:09:13 openvpn 38894 Restart pause, 40 second(s)
                  Feb 1 14:09:13 openvpn 38894 SIGUSR1[soft,ping-restart] received, process restarting
                  Feb 1 14:09:13 openvpn 38894 TCP/UDP: Closing socket
                  Feb 1 14:09:13 openvpn 38894 [island-school.us] Inactivity timeout (--ping-restart), restarting
                  Feb 1 14:08:44 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
                  Feb 1 14:08:28 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
                  Feb 1 14:08:19 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
                  Feb 1 14:08:15 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [604] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ 5 ] pid=2 DATA len=578
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [19] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=5
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [22] to [AF_INET]185.94.188.150:8041: P_ACK_V1 kid=0 [ 4 ]
                  Feb 1 14:08:13 openvpn 38894 VERIFY OK: depth=0, CN=island-school.us
                  Feb 1 14:08:13 openvpn 38894 VERIFY EKU OK
                  Feb 1 14:08:13 openvpn 38894 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
                  Feb 1 14:08:13 openvpn 38894 Validating certificate extended key usage
                  Feb 1 14:08:13 openvpn 38894 VERIFY KU OK
                  Feb 1 14:08:13 openvpn 38894 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
                  Feb 1 14:08:13 openvpn 38894 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
                  Feb 1 14:08:13 openvpn 38894 VERIFY WARNING: depth=2, unable to get certificate CRL: C=US, O=Internet Security Research Group, CN=ISRG Root X1
                  Feb 1 14:08:13 openvpn 38894 VERIFY WARNING: depth=1, unable to get certificate CRL: C=US, O=Let's Encrypt, CN=R3
                  Feb 1 14:08:13 openvpn 38894 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=island-school.us
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [1188] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=1174
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [22] to [AF_INET]185.94.188.150:8041: P_ACK_V1 kid=0 [ 3 ]
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [1188] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1174
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [22] to [AF_INET]185.94.188.150:8041: P_ACK_V1 kid=0 [ 2 ]
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [1188] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1174
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [22] to [AF_INET]185.94.188.150:8041: P_ACK_V1 kid=0 [ 1 ]
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [1200] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1174
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [291] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=277
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [22] to [AF_INET]185.94.188.150:8041: P_ACK_V1 kid=0 [ 0 ]
                  Feb 1 14:08:13 openvpn 38894 TLS: Initial packet from [AF_INET]185.94.188.150:8041, sid=b9ae7b7b 1188b486
                  Feb 1 14:08:13 openvpn 38894 UDPv4 READ [26] from [AF_INET]185.94.188.150:8041: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
                  Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [14] to [AF_INET]185.94.188.150:8041: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                  Feb 1 14:08:13 openvpn 38894 UDPv4 link remote: [AF_INET]185.94.188.150:8041
                  Feb 1 14:08:13 openvpn 38894 UDPv4 link local (bound): [AF_INET]10.0.0.8:0
                  Feb 1 14:08:13 openvpn 38894 Socket Buffers: R=[42080->42080] S=[57344->57344]
                  Feb 1 14:08:13 openvpn 38894 TCP/UDP: Preserving recently used remote address: [AF_INET]185.94.188.150:8041
                  Feb 1 14:08:13 openvpn 38894 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
                  Feb 1 14:08:13 openvpn 38894 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
                  Feb 1 14:08:13 openvpn 38894 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
                  Feb 1 14:08:13 openvpn 38894 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                  Feb 1 14:08:13 openvpn 38894 Re-using SSL/TLS context
                  Feb 1 14:08:13 openvpn 38894 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

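The stall in the log above can be picked out mechanically rather than by eye. The following Python script is an added example, not code from this thread or from pfSense/OpenVPN. It parses a constructed, shortened copy of the log in the newest-first order pfSense prints it, counts how often each outbound control-channel packet was retransmitted, and checks whether the peer ever acknowledged it. The function names and the verdict wording are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a shortened copy of the pfSense OpenVPN client log posted
# above, kept newest-first as the pfSense status page prints it.
SAMPLE_LOG = """\
Feb 1 14:09:13 openvpn 38894 SIGUSR1[soft,ping-restart] received, process restarting
Feb 1 14:09:13 openvpn 38894 [island-school.us] Inactivity timeout (--ping-restart), restarting
Feb 1 14:08:44 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
Feb 1 14:08:28 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
Feb 1 14:08:19 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
Feb 1 14:08:15 openvpn 38894 UDPv4 WRITE [592] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=578
Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [604] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ 5 ] pid=2 DATA len=578
Feb 1 14:08:13 openvpn 38894 UDPv4 READ [19] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=5
Feb 1 14:08:13 openvpn 38894 VERIFY OK: depth=0, CN=island-school.us
Feb 1 14:08:13 openvpn 38894 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
Feb 1 14:08:13 openvpn 38894 UDPv4 READ [1200] from [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1174
Feb 1 14:08:13 openvpn 38894 UDPv4 WRITE [291] to [AF_INET]185.94.188.150:8041: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=277
Feb 1 14:08:13 openvpn 38894 TLS: Initial packet from [AF_INET]185.94.188.150:8041, sid=b9ae7b7b 1188b486
"""

# syslog-style prefix as pfSense writes it: "<Mon> <day> <hh:mm:ss> openvpn <pid> <message>"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn \d+ (?P<msg>.*)$')
# control-channel packet trace (verb 4): direction, peer, opcode, ack list in [...], packet id
PKT_RE = re.compile(
    r'^UDPv4 (?P<dir>READ|WRITE) \[\d+\] (?:from|to) \[AF_INET\](?P<peer>\S+): '
    r'(?P<opcode>P_\w+) kid=\d+ \[(?P<acks>[^\]]*)\] pid=(?P<pid>\d+)'
)


def parse_events(log_text):
    """Return (timestamp, message) pairs in chronological order; the pfSense
    status page lists newest first, so the list is reversed when needed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
            events.append((ts, m.group('msg')))
    if len(events) > 1 and events[0][0] > events[-1][0]:
        events.reverse()
    return events


def control_channel_state(events):
    """Count how often each outbound P_CONTROL_V1 pid was (re)sent and collect
    the pids the peer acknowledged in the [ ... ] list of any inbound packet."""
    sent = Counter()
    acked = set()
    for _, msg in events:
        m = PKT_RE.match(msg)
        if not m:
            continue
        if m.group('dir') == 'WRITE' and m.group('opcode') == 'P_CONTROL_V1':
            sent[int(m.group('pid'))] += 1
        elif m.group('dir') == 'READ':
            acked.update(int(a) for a in m.group('acks').split())
    unacked = {pid: n for pid, n in sent.items() if pid not in acked}
    return sent, acked, unacked


def diagnose(log_text):
    """Classify where the handshake stopped and return the evidence."""
    events = parse_events(log_text)
    msgs = [msg for _, msg in events]
    _, acked, unacked = control_channel_state(events)
    server_cert_ok = any(m.startswith('VERIFY OK: depth=0') for m in msgs)
    timed_out = any('Inactivity timeout (--ping-restart)' in m for m in msgs)
    detail = ', '.join('pid %d sent %d times' % (p, n) for p, n in sorted(unacked.items()))
    if unacked and server_cert_ok:
        verdict = ('server certificate verified, but our TLS reply was never acknowledged (%s): '
                   'the server is not accepting the client side of the handshake; compare the '
                   'client credentials (client cert/key or auth-user-pass) with the .ovpn file' % detail)
    elif unacked:
        verdict = ('control packets unacknowledged before the server certificate arrived (%s): '
                   'check remote address/port, any tls-auth/tls-crypt key and the path to the server' % detail)
    elif timed_out:
        verdict = 'handshake completed but ping-restart fired: look at the data channel (cipher/auth, MTU)'
    else:
        verdict = 'no handshake problem visible in this excerpt'
    return {'server_cert_verified': server_cert_ok, 'timed_out': timed_out,
            'unacked_pids': unacked, 'acked_pids': sorted(acked), 'verdict': verdict}


if __name__ == '__main__':
    for k, v in diagnose(SAMPLE_LOG).items():
        print('%-22s %s' % (k, v))
```

Run against the excerpt, it reports that the server certificate was verified, that the client's reply (pid 2) was sent five times without any acknowledgement, and that the ping-restart then fired. That pattern, everything fine up to "VERIFY OK" and then silence, is what to look for when a provider's server rejects the client's side of the TLS handshake; in this thread the missing piece turned out to be the client certificate.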
                    viragomann @gerrit700
                    last edited by Feb 1, 2022, 1:21 PM

                    @gerrit700 said in Trying to setup OpenVPN to HotspotShield but won't connect:

                    They provide only a .ovpn file.

                    You should find all settings you need in this file.
                    If the server requires a client cert, there will be a link in the file.

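viragomann's point that the .ovpn file carries everything pfSense needs can be checked with a small parser before touching the GUI. The following Python is an added example, not code from this thread or from pfSense. It reads a constructed .ovpn whose PEM bodies are placeholders (not real certificates or keys), separates the inline <ca>/<cert>/<key> blocks from the top-level options, reports which credentials the profile expects the client to present, and lists where each one goes in pfSense. The function names and the pfSense field mapping are this example's own.

```python
import re

# Constructed sample .ovpn in the shape providers hand out: top-level options plus
# inline <ca>/<cert>/<key> blocks. The PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 8041
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
persist-key
persist-tun
# comment lines start with # or ;
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
"""

# Inline credential blocks: <tag> ... </tag> spanning several lines.
INLINE_RE = re.compile(r'<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>', re.S)

# Where each credential belongs in the pfSense OpenVPN client (this example's own mapping).
PFSENSE_FIELD = {
    'ca': 'Certificate Manager > CAs, then "Peer Certificate Authority" in the client',
    'cert+key': 'Certificate Manager > Certificates (cert and key as one entry), then "Client Certificate"',
    'tls-auth': 'TLS key field, authentication-only usage mode',
    'tls-crypt': 'TLS key field, encryption-and-authentication usage mode',
    'auth-user-pass': 'Username/Password fields in the client',
}


def parse_ovpn(text):
    """Split a profile into (option, args) pairs and a dict of inline PEM blocks."""
    inline = {m.group('tag'): m.group('body').strip() for m in INLINE_RE.finditer(text)}
    options = []
    for line in INLINE_RE.sub('', text).splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';')):
            continue
        name, *args = line.split()
        options.append((name, args))
    return {'options': options, 'inline': inline}


def client_auth_summary(parsed):
    """Work out what the profile expects the client to present to the server."""
    opts = {name: args for name, args in parsed['options']}
    inline = parsed['inline']

    def present(name):            # inline block, or an option pointing at a file
        return name in inline or name in opts

    def first_arg(name):
        args = opts.get(name)
        return args[0] if args else None

    tls_key = next((t for t in ('tls-crypt-v2', 'tls-crypt', 'tls-auth') if present(t)), None)
    summary = {
        'remotes': [' '.join(a) for n, a in parsed['options'] if n == 'remote'],
        'cipher': first_arg('cipher'),
        'auth': first_arg('auth'),
        'ca_present': present('ca'),
        'uses_client_cert': (present('cert') and present('key')) or present('pkcs12'),
        'uses_user_pass': 'auth-user-pass' in opts,
        'tls_key': tls_key,
        'problems': [],
    }
    if present('cert') != present('key') and not present('pkcs12'):
        summary['problems'].append('cert and key must both be present')
    if not summary['ca_present']:
        summary['problems'].append('no CA to verify the server against')
    if not summary['uses_client_cert'] and not summary['uses_user_pass']:
        summary['problems'].append('no client credential at all; the server will most likely reject the handshake')
    return summary


def pfsense_checklist(summary):
    """List where each credential found in the profile goes in pfSense."""
    steps = []
    if summary['ca_present']:
        steps.append('CA: ' + PFSENSE_FIELD['ca'])
    if summary['uses_client_cert']:
        steps.append('client cert: ' + PFSENSE_FIELD['cert+key'])
    if summary['tls_key']:
        steps.append(summary['tls_key'] + ': ' + PFSENSE_FIELD.get(summary['tls_key'], 'TLS key field'))
    if summary['uses_user_pass']:
        steps.append('credentials: ' + PFSENSE_FIELD['auth-user-pass'])
    return steps


if __name__ == '__main__':
    s = client_auth_summary(parse_ovpn(SAMPLE_OVPN))
    print(s)
    for step in pfsense_checklist(s):
        print('-', step)
```

A <cert> and <key> pair in the file is exactly the client certificate the OP was missing: both go into pfSense's Certificate Manager as one certificate entry, which is then selected in the client's "Client Certificate" field, while <ca> becomes the Peer Certificate Authority and any <tls-auth> or <tls-crypt> block goes into the TLS key field. The `problems` list also flags a profile that carries no client credential at all, which is the case worth checking first when a handshake dies right after the server certificate verifies.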
                      gerrit700 @viragomann
                      last edited by Feb 1, 2022, 1:51 PM

                      Hi @viragomann,

                      You're my hero! I've added the certificate to the certificate manager and selected this certificate in the VPN config, and that was the solution.

                      Thanks for your help :-)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.