OpenVPN Not Connecting - Unable To Contact Daemon

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
Looks well though. Never met this issue.

Seems that there is something wrong with the password file.
Check if the username and password are written correctly into the file.
It should be stored in /var/etc/openvpn/client1/up.

Curious, I just browsed to the location as per below

I do not have an "Up" directory. It is possibly worth mentioning that the CA and CSC folders are empty, unless Pfsense hides files which is unlikely. Could you show me what is in your "UP" folder as I may have to manually create it and its contents with respects to the username/password.

Many thanks,
P

viragomann

@panzerscope
"up" is an ASCII file. It just contains the username in the first row and the password in the second.

You can try to create it. But possibly it gets overwritten by the GUI. In this case, maybe a write protection can help. There was already a thread regarding this in the past, as far as I can remember.

However, were the other files created in the client1 folder?
Mine looks like this:

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
"up" is an ASCII file. It just contains the username in the first row and the password in the second.

You can try to create it. But possibly it gets overwritten by the GUI. In this case, maybe a write protection can help. There was already a thread regarding this in the past, as far as I can remember.

However, were the other files created in the client1 folder?
Mine looks like this:

Ok so after wiping the slate clean and starting again, I am now seeing more files in the aforementioned directory, so that is good

I looked in the "UP" File and it had my username noted on line 1, but no password. So I popped the password in on line 2 and saved. Tried reconnecting and still get the same error in my OpenVPN system logs. What I am going to do is remove the password from the UP file so that it is as originally configured and speak with PureVPN as I believe they offer remote assistance and may also be able to lend a hand.

Any more ideas welcome though as it "should" be working as far as I can see.

panzerscope

I fixed it.

So I noticed that when going back to the UP file, the password has been removed, likely by the GUI (even though I did not access the VPN settings). The password was definitely in there as I had checked after I made the initial edit. This lead me to believe that when you initially save the config via the GUI, it commits the username to the "UP" file but not the password. So I went back into the client config and re-entered the password into the password field via the GUI, saved and voila, VPN connection success and the password is not committed to the UP file.

Seems like something is a little buggy as I would not expect to have to edit the config after the initial save to input the password so that it sticks.

viragomann

@panzerscope
In addition to the username and password in the up file, you can try to enter "akspass" into the advanced options box.

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
In addition to the username and password in the up file, you can try to enter "akspass" into the advanced options box.

Thanks, I will give that a go if I have issues down the road.

So, I noticed something. When I have the VPN connected, even though my machines are not running through the VPN (Nothing is at the moment) I noticed the internet drops out with the classic "DNS Probe" error in the browser. As soon as I disconnect the VPN, The internet functions normally. I would not expect that to happen as the WAN interface should not be affected by the OpenVPN interface.

Any ideas ?

viragomann

@panzerscope
Most VPN provider push the default route to the clients. Hence any traffic, which is not policy-routed to the WAN gateway goes out over the VPN.
This naturally also concerns DNS requests from pfSense itself.

Check Status > gateways, to see which is the default.

If you don't want OpenVPN to set the default route to this VPN provider, go into the settings and check "Don't pull routes".
Then you can policy route desired traffic to the VPN gateway. Remember also to route DNS request from concerned machines over the VPN to avoid DNS leaks.

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
Most VPN provider push the default route to the clients. Hence any traffic, which is not policy-routed to the WAN gateway goes out over the VPN.
This naturally also concerns DNS requests from pfSense itself.

Check Status > gateways, to see which is the default.

If you don't want OpenVPN to set the default route to this VPN provider, go into the settings and check "Don't pull routes".
Then you can policy route desired traffic to the VPN gateway. Remember also to route DNS request from concerned machines over the VPN to avoid DNS leaks.

So I checked the Gateways and my defaults are correct as below

I also checked the VPN client config and pulling DNS is already disabled as per:

I noted my internet connection died out again when enabling the VPN, so something is still up.

viragomann

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

So I checked the Gateways and my defaults are correct as below

Was the VPN client enabled, when you checked this?

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

So I checked the Gateways and my defaults are correct as below

Was the VPN client enabled, when you checked this?

Hey again,

So after some additional reading and messing around, I think I am almost there. The reason for the DNS issues was that I was not indicating which gateways particular rules are using. I made the mistake of leaving these on "Default". So that issue is now solved.

The one I face now is my firewall rules. I either end up with all my devices going over VPN WAN or all of them going over my WAN. I followed this guide (although old got me where I needed to be mostly) https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/

My rules for Interfaces are currently setup as below

VPNWAN

OpenVPN

LAN

Now, the key as to whether I end up with all devices going through VPN WAN or WAN is based on whether or not I have the below LAN rule enabled.

So far as I was concerned, based on the ordering of my rules with the above being enabled, my configuration should put my VALAK Server & Valak Server Apps devices through VPN WAN and the rest of my devices on my LAN through the standard WAN.

Any ideas where I have gone wrong ?

Many thanks as always.
P

viragomann

@panzerscope
Remember the path of DNS resolution. Which DNS server do your local devices use?

Policy routing rules direct any matching traffic to the stated gateway. This means, if your device is configured to use a local DNS, e.g. pfSense, it would not be able to access the DNS server, because your rule pass any traffic to the VPN or WAN gateway.
If your devices use a public DNS and your route it over the VPN, you have to ensure, that the DNS is responding if the requests come from the VPN provider.

To resolve this issue, you have to add rules above of the policy routing for exception-traffic.
E.g. for allowing DNS to pfSense: source = LAN subnets, destination = LAN address, dest. port = 53

Aside from this, best practice to handle DNS traffic is to port forward it.
E.g. to avoid DNS leaks on devices going over VPN, these should use the VPN providers DNS or at all the DNS should go over the VPN.
So add a port forwarding rule on the LAN: source = your VPN devices alias, dest = any, dest port = 53, redirect target = desired DNS server, port = 53.

BTW: firewall pass rules on the VPN interface allow traffic coming in from the VPN. You might want traffic let in later, when your provider forward it to you, but not "any"! This is dangerous.

And a gateway in a rule on the OpenVPN makes no sense at all.

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
Remember the path of DNS resolution. Which DNS server do your local devices use?

Policy routing rules direct any matching traffic to the stated gateway. This means, if your device is configured to use a local DNS, e.g. pfSense, it would not be able to access the DNS server, because your rule pass any traffic to the VPN or WAN gateway.
If your devices use a public DNS and your route it over the VPN, you have to ensure, that the DNS is responding if the requests come from the VPN provider.

To resolve this issue, you have to add rules above of the policy routing for exception-traffic.
E.g. for allowing DNS to pfSense: source = LAN subnets, destination = LAN address, dest. port = 53

Aside from this, best practice to handle DNS traffic is to port forward it.
E.g. to avoid DNS leaks on devices going over VPN, these should use the VPN providers DNS or at all the DNS should go over the VPN.
So add a port forwarding rule on the LAN: source = your VPN devices alias, dest = any, dest port = 53, redirect target = desired DNS server, port = 53.

BTW: firewall pass rules on the VPN interface allow traffic coming in from the VPN. You might want traffic let in later, when your provider forward it to you, but not "any"! This is dangerous.

And a gateway in a rule on the OpenVPN makes no sense at all.

Thanks for the info.

I use remote DNS, namely cloudflare @ 1.1.1.1 on my PfSense config for resolution. I have configured it on my VPN Client that it pulls the VPN DNS, to avoid any leaks for any devices going out over the VPN. This should be all I need to do correct?

Yes, noted regarding the Pass Rule on the VPN Interface, this is setup as I will be port forwarding traffic through the VPN for Plex reasons, 32400 specifically. I had just not locked this down yet and was trying a pass all.

The issue I am facing is per my last post where disabling or enabling the Lan Subnet rule (as per the last screenshot) will either force all my clients over VPN, or none of them.

viragomann

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

I use remote DNS, namely cloudflare @ 1.1.1.1 on my PfSense config for resolution.

The question is, which DNS the concerned devices are using.

I have configured it on my VPN Client that it pulls the VPN DNS, to avoid any leaks for any devices going out over the VPN

The screenshot above is showing something different.
Anyway, this setting affects pfSense only.

So which DNS server is configured on the devices??

Do you forward DNS?

Still waiting for a screenshot of the gateway statues, when the VPN is connected.

So I checked the Gateways and my defaults are correct as below

Was the VPN client enabled, when you checked this?

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

I use remote DNS, namely cloudflare @ 1.1.1.1 on my PfSense config for resolution.

The question is, which DNS the concerned devices are using.

I have configured it on my VPN Client that it pulls the VPN DNS, to avoid any leaks for any devices going out over the VPN

The screenshot above is showing something different.
Anyway, this setting affects pfSense only.

So which DNS server is configured on the devices??

Do you forward DNS?

Still waiting for a screenshot of the gateway statues, when the VPN is connected.

So I checked the Gateways and my defaults are correct as below

Was the VPN client enabled, when you checked this?

The devices on my network are set to either Auto/192.168.1.1 which either way will get the DNS from PfSense which is currently configured on PfSense to look remotely at 1.1.1.1.

DNS Forwarding is not enabled on my PfSense.

Here is the screenshot of the Gateway Status when VPN is enabled and connected :

Many thanks !

viragomann

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

The devices on my network are set to either Auto/192.168.1.1 which either way will get the DNS from PfSense

So they try to request pfSense. But the LAN ruleset does not allow this, as long as the is no floating rule passing it, as I tried hard to explain above.

which is currently configured on PfSense to look remotely at 1.1.1.1.

What pfSense does on its own, is another part.
In fact it passes out requests to the default gateway, which is WAN according to gateway status.

DNS Forwarding is not enabled on my PfSense.

I also tried to explain the benefit of this and behavior and drawback without.

The issue I am facing is per my last post where disabling or enabling the Lan Subnet rule (as per the last screenshot) will either force all my clients over VPN, or none of them.

From your rules and gateway status I have no idea why this should be the case, if it's not on DNS.
In which case is the traffic passing over the VPN?
Ans as you said any, I assume, this concerns any LAN device.

From one of the devices included in the VPN alias try to simply ping 1.1.1.1 and 8.8.8.8 in both cases, VPN connected and disconnected.
What do you get?

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

The devices on my network are set to either Auto/192.168.1.1 which either way will get the DNS from PfSense

So they try to request pfSense. But the LAN ruleset does not allow this, as long as the is no floating rule passing it, as I tried hard to explain above.

which is currently configured on PfSense to look remotely at 1.1.1.1.

What pfSense does on its own, is another part.
In fact it passes out requests to the default gateway, which is WAN according to gateway status.

DNS Forwarding is not enabled on my PfSense.

I also tried to explain the benefit of this and behavior and drawback without.

The issue I am facing is per my last post where disabling or enabling the Lan Subnet rule (as per the last screenshot) will either force all my clients over VPN, or none of them.

From your rules and gateway status I have no idea why this should be the case, if it's not on DNS.
In which case is the traffic passing over the VPN?
Ans as you said any, I assume, this concerns any LAN device.

From one of the devices included in the VPN alias try to simply ping 1.1.1.1 and 8.8.8.8 in both cases, VPN connected and disconnected.
What do you get?

Ok, so I went back and added the rule you suggested on LAN tab regarding DNS as seen below.

Look ok to you ?

I re-read your responses, but I cannot see anything mentioning the setup of any DNS Forwarding.

Yes all my LAN devices will use the VPN, assuming I have disabled the following rule.

I can ping 1.1.1.1 or 8.8.8.8 from any device on my network whether its running over the connected VPN or over standard WAN.

viragomann

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

Ok, so I went back and added the rule you suggested on LAN tab regarding DNS as seen below.
Look ok to you ?

No, the protocol has to be "TCP/UDP" for DNS.
And this assumes, that the devices really use pfSense.

My suggestion is to combine this with two port forwarding rules. One for the devices, which should go over VPN. This avoid DNS leaking, as mentioned multiple times. And a second for the rest.

This are port forwarding rule to redirect DNS and NTP to pfSense:

You have to ensure the "localhost" is added to the listening interfaces in the DNS Resolver settings.

AND to the VPN add a similar rule ABOVE of this one, but set the source to the VPN devices alias and the destination to 1.1.1.1 for Cloudflare (assumes, that Cloudflare allows access from the VPN provider) or better enter the DNS of the VPN provider.

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope said in OpenVPN Not Connecting - Unable To Contact Daemon:

Ok, so I went back and added the rule you suggested on LAN tab regarding DNS as seen below.
Look ok to you ?

No, the protocol has to be "TCP/UDP" for DNS.
And this assumes, that the devices really use pfSense.

My suggestion is to combine this with two port forwarding rules. One for the devices, which should go over VPN. This avoid DNS leaking, as mentioned multiple times. And a second for the rest.

This are port forwarding rule to redirect DNS and NTP to pfSense:

You have to ensure the "localhost" is added to the listening interfaces in the DNS Resolver settings.

AND to the VPN add a similar rule ABOVE of this one, but set the source to the VPN devices alias and the destination to 1.1.1.1 for Cloudflare (assumes, that Cloudflare allows access from the VPN provider) or better enter the DNS of the VPN provider.

No problem, I can give that ago.

Looking at the screenshot provided, how are you getting the Interface to show as "Internal" ? and how are you getting the Source Address to show as RFC1918, Did you setup an Alias ?

Or do I just follow this article : https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

viragomann

@panzerscope
"Internal" is an interface group, which includes my internal interfaces.

RFC1918 is an alias for private network ranges (RFC 1918).

So these rules are applied to all internal interface and only to private source IPs (no forwarded traffic).

The RFC1918 alias is also good to use in policy routing rules. With this you can apply the rule to none-RFC1918 only ("invert. match" checked).
So the rule is not applied to traffic for local destinations.

Or do I just follow this article : https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

Yes, I know this suggestion. It does pretty the same, except DNS request to the pfSense LAN address are not forwarded to localhost. But I don't see an advantage of this.

panzerscope

@viragomann said in OpenVPN Not Connecting - Unable To Contact Daemon:

@panzerscope
"Internal" is an interface group, which includes my internal interfaces.

RFC1918 is an alias for private network ranges (RFC 1918).

So these rules are applied to all internal interface and only to private source IPs (no forwarded traffic).

The RFC1918 alias is also good to use in policy routing rules. With this you can apply the rule to none-RFC1918 only ("invert. match" checked).
So the rule is not applied to traffic for local destinations.

Thanks.

So to make sure I am setting this up, as I have not setup "Internal" group for my interfaces, can I just set the Source address to "LAN Address" ? I will setup an alias for RFC1918 but what IP's should this be covering ?

I did check this article : https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html

I cannot add these to an Alias as I get an error: