BUG: pfSense 2.4 and OpenVPN 2.4 Client to PIA
-
Well I'm stuck. Is anyone else having issues connecting to PIA using 2.4?
I'm running into a couple of problems.
First, it very rarely, sometimes connects successfully, no matter which region I use.
If I reboot or restart the OpenVPN service after it's connected, the tunnel will try to reconnect but always fails with "reconnecting; auth-failure".
I tried the OpenVPN client on other machines and I can connect with no issue using the PIA profiles.
I've verified the user name and password are correct. I've set them in the GUI and checked the config files under /var/etc/openvpn to validate.
I've tried both the 128 and 256 ciphers, with the same result.
I've completely deleted all config, interfaces and gateways and started from scratch.
Looked through as many articles and forum threads as I could for possible configuration examples, and tried many different options with no luck. Here is the config:

```
cat client1.conf
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.XX.XX.XX ###Omitted my Public IP
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote ca-toronto.privateinternetaccess.com 1198
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
resolv-retry infinite
route-nopull
persist-key
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
auth-nocache
```
-
First, I apologize for the brevity of my first post; I should have included some more detail.
So after banging my head against the wall for a couple of days on this one, and also opening a ticket with PIA (which I've never heard back on),
I believe we have a bug with the OpenVPN client caching passwords.
I've got my tunnel up and working now, and coming back up through reboots.
I found two posts on the OpenVPN forums that pointed me in that direction:
save password does not work #161
https://github.com/OpenVPN/openvpn-gui/issues/161
and
Pressing reconnect fails to reconnect with auth failure #885
https://community.openvpn.net/openvpn/ticket/885
I had to add both of these to the client config to avoid the "reconnecting; auth-failure" and "ping-restart" issues:
Check this box:
Authentication Retry: "Do not retry connection when authentication fails"
(When enabled, the OpenVPN process will exit if it receives an authentication failure message. The default behavior is to retry.)
Add this to custom options:
auth-nocache;
The connection instantly comes up for me now.
Also note you may have to reboot; at least in my case I did.
This is what my config looks like now. It obviously may need tweaking, but anyone having this issue with authentication can at least use this as a baseline.
```
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X #I removed my IP INFO here
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote ca-toronto.privateinternetaccess.com 1197
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
ncp-disable
compress lzo
resolv-retry infinite
route-nopull
remote-cert-tls server
auth-nocache
```
-
The one other thing I've found that is weird is that I'm using a firewall rule with an alias to send traffic for certain IPs to the tunnel's gateway.
After a reboot, or if the tunnel is restarted, I need to "save" the rule again for it to start being used, which looks like it reloads the filter.
Any suggestions for anything else I could or should be doing so that this happens automatically after the VPN gateway comes up?
A screenshot of the rule in question is attached.
![Screen Shot 2017-10-27 at 12.20.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-27 at 12.20.16 PM.png)
-
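An added example, not part of either post above and not pfSense or OpenVPN project code: a small linter for an OpenVPN 2.4 client config such as the two posted in this thread. It reports directives given more than once (the first posted config repeats persist-key and tls-client), a config carrying both the 2.3-style comp-lzo and the 2.4-style compress directive, the two auth-related settings the second post settled on (auth-retry nointeract and auth-nocache), a missing remote-cert-tls server, and a commented-out user/group privilege drop (both posted configs have those lines commented out). The sample config embedded below is constructed: it is modelled on the first posted config with the two auth lines removed to show the pre-fix state.

```python
"""Lint an OpenVPN 2.4 client config for the issues raised in this thread.

Added example (not pfSense or OpenVPN project code). Run it against the
generated file, e.g. /var/etc/openvpn/client1.conf on pfSense, or import it.
"""
import sys
from collections import Counter

# Directives that OpenVPN legitimately accepts more than once.
REPEATABLE = {"remote", "route", "route-ipv6", "pull-filter", "dhcp-option", "setenv"}

# Constructed sample, modelled on the first config posted in the thread with
# 'auth-retry nointeract' and 'auth-nocache' removed (the pre-fix state).
SAMPLE_CONFIG = """\
dev ovpnc1
verb 5
dev-type tun
#user nobody
#group nobody
script-security 3
keepalive 10 60
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
local 24.XX.XX.XX ###Omitted my Public IP
tls-client
client
remote ca-toronto.privateinternetaccess.com 1198
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
route-nopull
persist-key
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
"""


def parse_directives(text):
    """Return [(name, [args...])] in file order.

    OpenVPN starts a comment at a token that begins with '#' or ';', so the
    trailing '###Omitted ...' on the 'local' line is dropped. Quoted arguments
    containing spaces are not handled; the generated configs here have none.
    """
    directives = []
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    directives = parse_directives(text)
    count = Counter(name for name, _ in directives)
    last = dict(directives)  # last occurrence wins, as OpenVPN applies options in order
    findings = []

    for name in sorted(count):
        if count[name] > 1 and name not in REPEATABLE:
            findings.append(f"duplicate: '{name}' appears {count[name]} times")

    if "comp-lzo" in count and "compress" in count:
        findings.append("compression: both 'comp-lzo' (2.3 style) and 'compress' "
                        "(2.4 style) are set; keep only one")

    if last.get("auth-retry") != ["nointeract"]:
        findings.append("auth: 'auth-retry nointeract' missing (the Authentication "
                        "Retry checkbox in the pfSense client settings)")

    if "auth-nocache" not in count:
        findings.append("auth: 'auth-nocache' missing; the auth-user-pass credentials "
                        "stay cached in the process's memory")

    if last.get("remote-cert-tls") != ["server"]:
        findings.append("tls: 'remote-cert-tls server' missing; any certificate issued "
                        "by the CA could pose as the server")

    if "user" not in last or "group" not in last:
        findings.append("privilege: 'user'/'group' not set (commented out in the posted "
                        "configs), so openvpn keeps its initial privileges")

    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in lint(text) or ["no findings"]:
        print(line)
```

With no argument the script lints the constructed sample; on a pfSense box, `python3 ovpn_lint.py /var/etc/openvpn/client1.conf` (hypothetical file name for the script) checks the file the GUI actually generated, which is the one to compare against the GUI settings when the tunnel behaves differently from what the GUI shows.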
I connect by IP… no issues whatsoever.
I just renewed yesterday and it still works flawlessly.
SG-2220 with 256-bit encryption.
Edit: I also have AES-NI acceleration enabled.
-
Thanks for the response. I checked this box, which seems to have solved my above problem:
"Skip rules when gateway is down" under advanced settings.