OpenVPN Client for VLAN specific routes to Internet
-
@scottlindner
Possibly you're missing an outbound NAT rule for this.
Copy that one you've added recently (copy symbol on the right) and change the source to 127.0.0.0/8. -
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
127.0.0.0/8
No change in VPN Gateway status.
-
@scottlindner
Hmmm. Maybe there is something wrong with your VPN connection or traffic is blocked elsewhere. Do you have any floating rules?
Reconnect the VPN client and post the OpenVPN log section from there, please.
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner
Hmmm. Maybe there is something wrong with your VPN connection or traffic is blocked elsewhere. Do you have any floating rules?
I do but I don't see how they could cause this.
Reconnect the VPN client and post the OpenVPN log section from there, please.
Check this out. With those rules I setup this morning I tried connecting remotely from work over lunch to get you the screenshots you wanted and although I connected, I couldn't access anything like I usually can. And just now I tried restarting the client and it wouldn't connect. So I tried connecting from my laptop and it wouldn't connect. I disabled the rules we wrote just a bit ago and now everything connects fine.
-
What are my diagnostic options to figure out why traffic on the VPN VLAN isn't making it to the VPN Client gateway?
-
@scottlindner
As I mentioned above, I'd suspect that there is something wrong with the VPN. So check the log for hints. Possibly set the log level to 3 or 4 before connecting. Did you also try a reboot of pfSense? Outbound NAT changes sometimes need that.
Try different monitoring IPs. Use public IPs that you know are responding when pinging from WAN.
When you sniff the traffic (packet capture) on the VPN interface, you should see the ICMP packets to the monitoring IP going out there:
<VPN IP> > <monitoring IP> ICMP request.
Ideally you also see response packets, but obviously there are none. If that's the case, I would assume that there is an issue on the VPN provider's side. Which one do you connect to?
Maybe he does not pass any traffic or does not NAT it on his internet outbound interface.
You can also try to tear down the client and configure a new one. -
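The capture check described in the reply above, as an added example (my own code, not something posted in the thread or shipped with pfSense): it reads tcpdump-style lines from a packet capture on the VPN client interface, counts the gateway monitor's echo requests and any replies, and gives the same verdict the reply reasons through. The VPN address 10.8.0.6, the monitoring IP 203.0.113.10 and the interface name ovpnc1 are constructed placeholders.

```python
"""Classify a packet capture taken on the pfSense VPN client interface while
the gateway monitor pings its monitoring IP: echo requests should leave on
the VPN interface; whether replies come back says which side to look at."""
import re

# tcpdump-style ICMP lines. Constructed sample; the addresses are
# documentation/placeholder values, not taken from the thread.
SAMPLE_CAPTURE = """\
12:00:01.000123 IP 10.8.0.6 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:02.000456 IP 10.8.0.6 > 203.0.113.10: ICMP echo request, id 1, seq 2, length 64
12:00:03.000789 IP 10.8.0.6 > 203.0.113.10: ICMP echo request, id 1, seq 3, length 64
"""

ICMP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)


def parse_icmp(capture_text):
    """Yield (src, dst, kind) for every ICMP echo line in the capture."""
    for line in capture_text.splitlines():
        m = ICMP_LINE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def classify_capture(capture_text, vpn_ip, monitor_ip):
    """Count monitor probes and replies and return a verdict.

    - no requests seen: the probes never reach the VPN interface, so look at
      routing, outbound NAT and rules on the pfSense side;
    - requests but no replies: the far side drops or does not NAT the
      traffic, as the reply above suggests;
    - replies seen: the monitor should report the gateway as up.
    """
    requests = replies = 0
    for src, dst, kind in parse_icmp(capture_text):
        if kind == "request" and src == vpn_ip and dst == monitor_ip:
            requests += 1
        elif kind == "reply" and src == monitor_ip and dst == vpn_ip:
            replies += 1
    if requests == 0:
        verdict = "no probes on VPN interface: check routing/NAT/rules on pfSense"
    elif replies == 0:
        verdict = "probes leave but nothing returns: suspect the VPN provider side"
    else:
        verdict = "probes answered: gateway monitoring should be up"
    return {"requests": requests, "replies": replies, "verdict": verdict}


if __name__ == "__main__":
    # Feed this the text of a capture on the client interface, for example
    # from Diagnostics -> Packet Capture or `tcpdump -ni ovpnc1 icmp`
    # (interface name is an assumed example).
    print(classify_capture(SAMPLE_CAPTURE, "10.8.0.6", "203.0.113.10"))
```

The constructed sample reproduces the situation in the thread: three requests go out, nothing comes back, so the verdict points at the far side rather than at pfSense.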
I found this in the logs: "AEAD Decrypt error: cipher final failed". In searching online it is a handful of things. I turned up debug even further and I'm not seeing anything yet. It does seem to point to a client misconfiguration, but the common themes I'm finding online are for NCP needing to be enabled, and there is no option for that in the client. It is possible I'm missing a cipher suite, but usually TLS errors show exactly what is missing when that happens. Gonna keep turning up the debug log pain.
-
I need to do more testing but I think I got it. It was a cipher suite issue but what confuses me is that the option I added to make it work conflicts with the ovpn client config I use from my laptop. In the Data Encryption Algorithms I have the following:
AES-256-CBC AES-256-GCM
What got it working was adding this to the custom options in the pfSense OVPN Client:
cipher AES-256-GCM
The ovpn file provided by Ivacy that works on my laptop is:
client
dev tun
remote de2-ovpn-udp.dns2use.com 53
proto udp
nobind
persist-key
persist-tun
tls-auth Wdc.key 1
ca ca.crt
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
float
route-method exe
route-delay 2
auth-user-pass
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache
So I'm a little confused why this is what it took to get it working. This is now a VPN question and not a firewall/routing question.
I still have testing to do to make sure it all works as I want it to, but the first initial test is working.
Appreciate your help and patience. Might have follow up questions if other things end up not working right.
-
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
In the Data Encryption Algorithms I have the following:
AES-256-CBC
AES-256-GCM
What got it working was adding this to the custom options in the pfSense OVPN Client:
cipher AES-256-GCM
You got the proper settings from the VPN provider. I know there is no option to import the config, but for verification you can show the OpenVPN config in pfSense. It is stored in /var/etc/openvpn.
Obviously the server doesn't support NCP. So you have to disable "Data Encryption Negotiation" and select the proper cipher at "Fallback Data Encryption Algorithm".
Then it doesn't matter what you have in "Data Encryption Algorithms". Anyway, fine that you got it sorted now.
Edit:
"Data Encryption Negotiation" doesn't really need to be disabled, but the selection at "Fallback Data Encryption Algorithm" must match the cipher which is used by the other side. -
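An added check (my own example, not code from the thread, from pfSense or from the provider) that ties the fallback-cipher rule in this reply to the "AEAD Decrypt error: cipher final failed" log line from the earlier post: it parses the client directives, works out which cipher the client will actually use against a server that does not negotiate, and compares that with the server's cipher. The provider directives are copied from the .ovpn posted above; the pfSense-generated client config and the log line prefix are constructed, the directive names data-ciphers and data-ciphers-fallback are assumed OpenVPN 2.5 spelling (the file under /var/etc/openvpn may look different), and the server is assumed, for the demonstration only, to run AES-256-GCM without NCP.

```python
"""Work out which cipher a pfSense OpenVPN client will actually use against a
server that does not negotiate (no NCP), and recognise the log message from
the thread that indicates a cipher mismatch."""
import shlex

# The provider's .ovpn as posted in the thread (only directives relevant to
# the cipher question are kept).
PROVIDER_OVPN = """\
client
dev tun
proto udp
tls-auth Wdc.key 1
ca ca.crt
cipher AES-256-CBC
comp-lzo
"""

# Constructed stand-in for the client config pfSense writes under
# /var/etc/openvpn/ with "Data Encryption Algorithms" = AES-256-CBC, AES-256-GCM,
# "Fallback Data Encryption Algorithm" = AES-256-CBC, plus the custom option
# from the thread. Directive names are assumed OpenVPN 2.5 spelling.
PFSENSE_CLIENT_CONF = """\
dev ovpnc1
dev-type tun
proto udp4
data-ciphers AES-256-CBC:AES-256-GCM
data-ciphers-fallback AES-256-CBC
# custom options are appended after the generated part
cipher AES-256-GCM
"""

# One log line of the kind quoted in the thread (constructed syslog prefix).
SAMPLE_LOG = ["openvpn[12345]: AEAD Decrypt error: cipher final failed"]


def parse_directives(text):
    """Return (directive, [args]) tuples in file order, skipping comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def negotiated_ciphers(directives):
    """Ciphers offered to an NCP-capable server (last data-ciphers wins)."""
    offered = []
    for name, args in directives:
        if name == "data-ciphers" and args:
            offered = args[0].split(":")
    return offered


def fallback_cipher(directives):
    """Cipher used when the peer does not negotiate. Both `cipher` and
    `data-ciphers-fallback` set it; the last one in the file wins (assumed
    last-directive-wins behaviour, which is why a custom `cipher` line
    appended after the generated config overrides the GUI fallback)."""
    cipher = None
    for name, args in directives:
        if name in ("cipher", "data-ciphers-fallback") and args:
            cipher = args[0]
    return cipher


def effective_cipher(client_directives, server_cipher, server_supports_ncp):
    """Cipher the tunnel ends up with, or None when the sides cannot agree."""
    if server_supports_ncp:
        offered = negotiated_ciphers(client_directives)
        return server_cipher if server_cipher in offered else None
    fb = fallback_cipher(client_directives)
    return server_cipher if fb == server_cipher else None


def log_hints(log_lines):
    """Translate the log message quoted in the thread into a diagnosis."""
    return [
        "cipher mismatch: the client's fallback cipher differs from the server's"
        for line in log_lines
        if "AEAD Decrypt error: cipher final failed" in line
    ]


if __name__ == "__main__":
    client = parse_directives(PFSENSE_CLIENT_CONF)
    # Server cipher constructed as AES-256-GCM to reproduce the thread's outcome.
    print("offered for NCP:", negotiated_ciphers(client))
    print("fallback cipher:", fallback_cipher(client))
    print("effective vs non-NCP server:", effective_cipher(client, "AES-256-GCM", False))
    print("log hints:", log_hints(SAMPLE_LOG))
```

With only the GUI settings (fallback AES-256-CBC) the non-NCP server's AES-256-GCM can never be matched and effective_cipher() returns None, which is the situation that produced the decrypt errors; with the custom `cipher AES-256-GCM` line appended, the fallback becomes AES-256-GCM and the check passes. Against an NCP-capable server the data-ciphers list would have covered both, which is why the list alone looked sufficient.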
I will check into that tonight. Thank you!
Although I didn't get the proper config from the provider. The proper config didn't work. I had to use a different cipher suite than the provider config specified. It doesn't make sense, but I was able to manually set what works. I might check with Ivacy why that is.
I want multiple connections for switching convenience. I quickly tried setting that up and both clients are stuck in pending. I haven't done any searching yet but I'm guessing this isn't uncommon of an issue and am hoping it is trivial to resolve. Ivacy supports 5 concurrent connections. I only want two so this should work.
When I get the stuff sorted out that you just mentioned, I'll post back. Mostly so others struggling with this have at least a snapshot of what worked for someone at one point in time.
-
@scottlindner
I see. Ivacy supports 5 concurrent connections. I only want two so this should work.
Two on pfSense? Or one and another one on the laptop?
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner
I see. Ivacy supports 5 concurrent connections. I only want two so this should work.
Two on pfSense? Or one and another one on the laptop?
Two on pfSense so I have WiFi SSIDs for each. Easy switching for client computers.
-
@scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both. So it depends on the provider if this will succeed.
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both. So it depends on the provider if this will succeed.
I'm using different hosts so the IPs will be in different locations. The first one I'm using is in Frankfurt, Germany for NHL and the second is in Salt Lake City so my boys can do gaming together when the game doesn't support multiple consoles from the same IP.
-
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
I'm using different hosts so the IPs will be in different locations
You could run into conflicts anyway, since VPN providers often use the same configuration on their servers, even in different locations.
But maybe yours doesn't and multiple connections are working well. I just wanted to depose a warning.
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
I'm using different hosts so the IPs will be in different locations
You could run into conflicts anyway, since VPN providers often use the same configuration on their servers, even in different locations.
But maybe yours doesn't and multiple connections are working well. I just wanted to depose a warning.
I confirmed with Ivacy that it usually will not work to have multiple connections from the same host and if it does work it likely will be unstable. It isn't a limitation from the home network, but the host itself. So maybe I run a few more instances on an RPi with docker (a container per connection for host isolation) and roll that way.
Appreciate the help. This is all working well now. Thank you! And if I do end up using an RPi with docker for multiple connections I'll share how that works out.
-
I want to post the critical takeaway I learned from this discussion for others searching in the future. I did find other discussions but they were very detailed and specific to the person's situation, very much like this one is, so it is hard to know which are the specific parts and which apply to everyone. So here, just to call it out, is the key takeaway that taught me what I needed:
Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did but the Status -> OpenVPN page indicated it was fine and it actually wasn't.
-