OpenVPN Client for VLAN specific routes to Internet
-
I found this in the logs "AEAD Decrypt error: cipher final failed". In searching online it is a handful of things. I turned up debug even further and I'm not seeing anything yet. It does seem to point to a client misconfiguration but the common themes I'm finding online are for NCP needing to be enabled and there is no option for that in the client. It is possible I'm missing a cipher suite but usually TLS errors show exactly what is missing when that happens. Gonna keep turning up the debug log pain.
-
I need to do more testing but I think I got it. It was a cipher suite issue but what confuses me is that the option I added to make it work conflicts with the ovpn client config I use from my laptop. In the Data Encryption Algorithms I have the following:
AES-256-CBC
AES-256-GCM
What got it working was adding this to the custom options in the pfSense OVPN Client:
cipher AES-256-GCM
The ovpn file provided by Ivacy that works on my laptop is:
client
dev tun
remote de2-ovpn-udp.dns2use.com 53
proto udp
nobind
persist-key
persist-tun
tls-auth Wdc.key 1
ca ca.crt
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
float
route-method exe
route-delay 2
auth-user-pass
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache
So I'm a little confused why this is what it took to get it working. This is now a VPN question and not a firewall/routing question.
I still have testing to do to make sure it all works as I want it to, but the first initial test is working.
Appreciate your help and patience. Might have follow up questions if other things end up not working right.
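As an added example (not code from the thread or from pfSense), a small Python checker that parses an OpenVPN client config like the one above and reports which data-channel ciphers the client can end up using, so a mismatch with a server that is fixed to one cipher is visible before chasing "AEAD Decrypt error" lines. It uses a simplified model of the negotiation (an assumption, not OpenVPN's exact logic): the `data-ciphers`/`ncp-ciphers` list is what the client offers, `data-ciphers-fallback` (pfSense's "Fallback Data Encryption Algorithm") or a bare `cipher` is what it uses when the server does not negotiate, and the default offer list is the OpenVPN 2.4/2.5 default.

```python
"""Report the data-channel ciphers an OpenVPN client config can end up using.

Simplified model (assumption, not the exact OpenVPN negotiation logic):
- `data-ciphers` / `ncp-ciphers` is the list offered during NCP,
- `data-ciphers-fallback` or a bare `cipher X` is used when the server
  does not negotiate (no NCP support on the other side).
"""
import shlex

# OpenVPN 2.4/2.5 default offer list when no data-ciphers is given (assumption).
DEFAULT_OFFER = ["AES-256-GCM", "AES-128-GCM"]

# Constructed sample: provider-style config, reduced to the relevant lines.
PROVIDER_OVPN = "client\ndev tun\nproto udp\ncipher AES-256-CBC\ncomp-lzo\n"

# Constructed sample: what a pfSense client with the GUI cipher list
# "AES-256-CBC, AES-256-GCM" and fallback AES-256-GCM would roughly generate.
PFSENSE_CONF = "data-ciphers AES-256-CBC:AES-256-GCM\ndata-ciphers-fallback AES-256-GCM\n"


def parse_directives(text):
    """Return (name, args) for each non-comment line of an OpenVPN config."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)
        directives.append((name, args))
    return directives


def offered_ciphers(text):
    """Return (offered list, fallback cipher or None) for a client config."""
    offered, fallback = list(DEFAULT_OFFER), None
    for name, args in parse_directives(text):
        if name in ("data-ciphers", "ncp-ciphers") and args:
            offered = [c.upper() for c in args[0].split(":")]
        elif name == "data-ciphers-fallback" and args:
            fallback = args[0].upper()
        elif name == "cipher" and args and fallback is None:
            fallback = args[0].upper()  # legacy directive, lowest priority
    return offered, fallback


def can_match(text, server_cipher):
    """True if the client can end up using the cipher the server is fixed to."""
    offered, fallback = offered_ciphers(text)
    usable = set(offered) | ({fallback} if fallback else set())
    return server_cipher.upper() in usable
```

Run `can_match(PFSENSE_CONF, "AES-256-GCM")` against the cipher the server actually uses; a False result means the client will never decrypt the data channel regardless of how the TLS handshake went.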
-
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
In the Data Encryption Algorithms I have the following:
AES-256-CBC
AES-256-GCM
What got it working was adding this to the custom options in the pfSense OVPN Client:
cipher AES-256-GCM
You got the proper settings from the VPN provider. I know, there is not an option to import the config, but for verification you can show the OpenVPN config in pfSense. It is stored in /var/etc/openvpn.
Obviously the server doesn't support NCP. So you have to disable "Data Encryption Negotiation" and select the proper cipher at "Fallback Data Encryption Algorithm".
Then it doesn't matter what you have in "Data Encryption Algorithms". Anyway, fine that you got it sorted now.
Edit:
"Data Encryption Negotiation" doesn't really need to be disabled, but the selection at "Fallback Data Encryption Algorithm" must match the cipher which is used by the other side.
-
I will check into that tonight. Thank you!
Although I didn't get the proper config from the provider. The proper config didn't work. I had to use a different cipher suite than the provider config specified. It doesn't make sense, but I was able to manually set what works. I might check with Ivacy why that is.
I want multiple connections for switching convenience. I quickly tried setting that up and both clients are stuck in pending. I haven't done any searching yet but I'm guessing this isn't an uncommon issue and am hoping it is trivial to resolve. Ivacy supports 5 concurrent connections. I only want two so this should work.
When I get the stuff sorted out that you just mentioned, I'll post back. Mostly so others struggling with this have at least a snapshot of what worked for someone at one point in time.
-
@scottlindner
I see.
Ivacy supports 5 concurrent connections. I only want two so this should work.
Two on pfSense? Or one and another one on the laptop?
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner
I see.
Ivacy supports 5 concurrent connections. I only want two so this should work.
Two on pfSense? Or one and another one on the laptop?
Two on pfSense so I have WiFi SSIDs for each. Easy switching for client computers.
-
@scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both. So it depends on the provider if this will succeed.
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner
Multiple connections to a single VPN provider often fail, because the server gives you identical gateway IPs. Hence pfSense is not able to route to both. So it depends on the provider if this will succeed.
I'm using different hosts so the IPs will be in different locations. The first one I'm using is in Frankfurt, Germany for NHL and the second is in Salt Lake City so my boys can do gaming together when the game doesn't support multiple consoles from the same IP.
-
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
I'm using different hosts so the IPs will be in different locations
You could run into conflicts anyway, since VPN providers often use the same configuration on their server, even in different locations.
But maybe yours doesn't and multiple connections are working well. I just wanted to depose a warning.
-
@viragomann said in OpenVPN Client for VLAN specific routes to Internet:
@scottlindner said in OpenVPN Client for VLAN specific routes to Internet:
I'm using different hosts so the IPs will be in different locations
You could run into conflicts anyway, since VPN providers often use the same configuration on their server, even in different locations.
But maybe yours doesn't and multiple connections are working well. I just wanted to depose a warning.
I confirmed with Ivacy that it usually will not work to have multiple connections from the same host and if it does work it likely will be unstable. It isn't a limitation from the home network, but the host itself. So maybe I run a few more instances on an RPi with docker (a container per connection for host isolation) and roll that way.
Appreciate the help. This is all working well now. Thank you! And if I do end up using an RPi with docker for multiple connections I'll share how that works out.
-
I want to post the critical takeaway I learned from this discussion for others searching in the future. I did find other discussions but they were very detailed and specific to the person's situation, very much like this one is, so it is hard to know which are the specific parts and which apply to everyone. So here, just to call it out, the key takeaway that taught me what I needed is:
Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did but the Status -> OpenVPN page indicated it was fine and it actually wasn't.
-