Trying to set up pfSense with OpenVPN and only Tor works
-
edited to add details, clarity, and formatting
pfSense version & info:
Version 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016
FreeBSD 10.3-RELEASE-p5
The system is on the latest version.
Platform nanobsd (2g)
NanoBSD Boot Slice pfsense0 / da0s1(rw)
CPU Type AMD Athlon(tm) II X2 250 Processor, 2 CPUs: 1 package(s) x 2 core(s)
Uptime 00 Hour 38 Minutes 01 Seconds
Current date/time Sun Sep 25 9:19:57 GMT-5 2016
DNS server(s) 209.222.18.218 209.222.18.222 208.67.222.222 208.67.220.220
Topology:
I have a Windows 7 64 bit SP1 laptop connected to a pfSense box with a wired connection. The pfSense box has 2x Intel NICs (one WAN, one LAN). The pfSense box is connected to a SOHO wifi router. It was working fine as a firewall with default settings, and then I started messing with OpenVPN. I'm following the guides from here and on PIA's site, trying to get strong encryption working (tried other flavors too, like TCP strong, and UDP 1194 with now unsupported crypto).
Guides:
Configuring pfSense as VPN Client to Private Internet Access
https://forum.pfsense.org/index.php?topic=76015.0
OpenVPN Step-by-Step Setup for pfSense aes256/Strong [firewall/router]
https://www.privateinternetaccess.com/forum/discussion/21875
I'm not getting errors in the OpenVPN log, so I guess that part's right? I get the following in the log:
Initialization Sequence Completed
Current OpenVPN client parameters:
peer to peer
TCP
tun
us-east.privateinternetaccess.com port 501
infinitely resolve server
do not enable auth of TLS packets
client cert: web configurator
AES-256-CBC
SHA256
compression enabled with adaptive
auth-user-pass /etc/openvpn-password.txt; verb 5; remote-cert-tls server
/etc/openvpn-password.txt was made in the web UI, and I can read from it after a pfSense reboot, and the password is good.
I currently have the 4096 certificate in as a CA, but I also tried the 2048 one and its settings. I think the OpenVPN client is working with most of these settings, and my problem is outside of OpenVPN, but I am a n00b at this… This morning, the OpenVPN client (or daemon?) was down. I restarted it and it connected. However, I never seem to get more than a few KiB to transfer.
Almost all traffic is not working. However, pfSense can determine if it's up to date, the Tor Browser Bundle can surf the net, and I can resolve DNS names with ping. Nothing else works (but I only tried web browsing by name and IP).
What works:
DNS resolves on my PC (via ping)
DNS resolves in the pfSense GUI
Tor traffic will start to work after things settle, with some settings
Windows thinks there's Internet Access on the adapter (it reaches out to some Microsoft servers to check this)
What does not work:
Firefox on my PC (regular Firefox, not TBB/Tor)
Ping resolves the name, but all the pings fail. Tried google.com and duckduckgo.com
Using the OpenVPN client on my PC with profiles set to use TCP and connect by IP address (not name)
I think I am overlooking some detail(s), but I don't know what to look for. It seems like DNS is having a problem, so I fiddled with that. I think I put it back to default. It kind of seems like the firewall isn't set up right, but I didn't play with it too much (put it back to default too, except for the new NAT rules for the OpenVPN).
I had a bunch of difficulties the last time I tried this, and I overlooked a checkbox. I knew that going in this time, so I made sure to pay attention to that section ("TLS Authentication" = [uncheck] "Enable authentication of TLS packets.")
What should I look for or do to troubleshoot this?
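As an added example for this thread (not code from the original post, and not anything shipped by pfSense or PIA), here is a small triage script for the "tunnel says Initialization Sequence Completed, DNS resolves, but almost nothing else moves" situation. It checks the three things that usually explain that symptom on a pfSense OpenVPN client: whether LAN traffic is actually being steered into the tunnel (a default route via the tunnel, or a LAN rule that policy-routes into it), whether Outbound NAT has a rule on the tunnel interface (without one, packets leave the tunnel with private LAN source addresses and the provider discards them, while the firewall's own traffic such as the update check still works), and, as a live-only probe, whether the path through the tunnel fragments (small transfers work, anything larger stalls). Assumptions: the client interface is named ovpnc1 (pfSense names the first OpenVPN client instance that way), the LAN subnet in the constructed samples is 192.168.1.0/24, the sample `netstat -rn`, `pfctl -sn` and `pfctl -sr` output is constructed to match the FreeBSD 10 / pf layout and was not captured from the poster's box, and the ping flags are FreeBSD's.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, pfSense or PIA.
# Each parser reads command output on stdin, so on the firewall
# (Diagnostics > Command Prompt, or ssh) you can pipe live output in:
#   netstat -rn | route_via_tun ovpnc1
#   pfctl -sn   | nat_on_tun ovpnc1
#   pfctl -sr   | lan_rule_routes_to ovpnc1
# Assumptions: the client instance is ovpnc1 (pfSense names the first OpenVPN
# client interface ovpnc1); the LAN subnet in the constructed samples below is
# 192.168.1.0/24; output has the FreeBSD 10 netstat / pf layout.

# Exit 0 if the default route, or both /1 halves that a pushed
# "redirect-gateway def1" installs, leave via the tunnel interface.
route_via_tun() {
    awk -v i="$1" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (k = 2; k <= NF; k++) if ($k == i) hit[$1] = 1
        }
        END {
            ok = ("default" in hit) || (("0.0.0.0/1" in hit) && ("128.0.0.0/1" in hit))
            exit !ok
        }'
}

# Exit 0 if Outbound NAT has a rule on the tunnel. Without one, LAN packets
# leave the tunnel with RFC1918 source addresses and the far end drops them,
# while pfSense's own traffic (its resolver, the update check) still works.
nat_on_tun() {
    grep -q "^nat on $1 "
}

# Exit 0 if some pass rule policy-routes traffic into the tunnel; this is how
# a LAN rule with "Gateway" set to the VPN gateway shows up in pf.
lan_rule_routes_to() {
    grep -q "route-to.*($1 "
}

# Live check only (needs the tunnel up): largest ICMP payload that gets
# through with DF set. If small pings pass but ~1400+ fails, the path is
# fragmenting inside the tunnel: lower the tunnel MTU or set mssfix.
# FreeBSD ping: -D don't fragment, -S source address, -t timeout in seconds.
mtu_probe() {
    src="$1"; dst="$2"; size=1472
    while [ "$size" -ge 1200 ]; do
        if ping -D -S "$src" -s "$size" -c 1 -t 2 "$dst" >/dev/null 2>&1; then
            echo "largest DF payload that passes: $size (path MTU about $((size + 28)))"
            return 0
        fi
        size=$((size - 8))
    done
    echo "nothing passed with DF set down to 1200 bytes; suspect MTU/MSS"
    return 1
}

# Offline summary: $1 routing table, $2 NAT rules, $3 filter rules, $4 iface.
# Returns the number of failed checks.
triage() {
    routes="$1"; nat="$2"; rules="$3"; iface="$4"; fails=0
    if printf '%s\n' "$routes" | route_via_tun "$iface" ||
       printf '%s\n' "$rules" | lan_rule_routes_to "$iface"; then
        echo "LAN traffic steered into $iface: ok"
    else
        echo "LAN traffic steered into $iface: NO (no default route via tunnel, no route-to rule)"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$nat" | nat_on_tun "$iface"; then
        echo "outbound NAT on $iface: ok"
    else
        echo "outbound NAT on $iface: MISSING"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples (not captured from the poster's box), shaped like
# FreeBSD 10 `netstat -rn`, `pfctl -sn` and `pfctl -sr` output.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
10.22.10.1/32      10.22.10.5         UGS      ovpnc1
10.22.10.5         link#9             UHS         lo0
127.0.0.1          link#6             UH          lo0
192.168.0.0/24     link#1             U           em0
192.168.1.0/24     link#2             U           em1'
SAMPLE_ROUTES_FIXED="$SAMPLE_ROUTES
0.0.0.0/1          10.22.10.1         UGS      ovpnc1
128.0.0.0/1        10.22.10.1         UGS      ovpnc1"
SAMPLE_NAT='nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'
SAMPLE_NAT_FIXED="$SAMPLE_NAT
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535"
SAMPLE_RULES='pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'
SAMPLE_RULES_FIXED='pass in quick on em1 route-to (ovpnc1 10.22.10.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE"'

echo "== constructed box: default settings plus a connected client =="
triage "$SAMPLE_ROUTES" "$SAMPLE_NAT" "$SAMPLE_RULES" ovpnc1 || true
echo "== same box after adding Outbound NAT on ovpnc1 and a LAN rule with the VPN gateway =="
triage "$SAMPLE_ROUTES" "$SAMPLE_NAT_FIXED" "$SAMPLE_RULES_FIXED" ovpnc1 || true
```

Run as-is to see the two constructed cases; on the firewall itself, pipe the real `netstat -rn`, `pfctl -sn` and `pfctl -sr` output into the three parsers, and run `mtu_probe <tunnel address> 8.8.8.8` (the tunnel address is what `ifconfig ovpnc1` shows as inet) while the client is connected. The script deliberately says nothing about DNS, since name resolution is the one thing the post reports as working.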