[FIXED] pfsense 2.0 + openvpn (vypervpn), dont use vypervpn as default gateway?
-
Hello
My VPN works fine, but each time I enable it, it changes my default route/gateway to VyprVPN's. Is it possible to disable this "push route" or force VyprVPN only for some computers on my network?
example: LAN1 > always use WAN and LAN2 > always use VPN
Thanks.
-
No one knows?
I just don't want my VPN to be the default route. I will do it myself (change the default gateway in "Advanced features").
And the log :
Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client disconnected
Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'status 2'
Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'state 1'
Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client disconnected
Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'status 2'
Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'state 1'
Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 25 21:32:23 openvpn[46869]: Initialization Sequence Completed
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 128.0.0.0 10.15.0.1 128.0.0.0
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 0.0.0.0 10.15.0.1 128.0.0.0
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 138.199.67.151 82.244.198.254 255.255.255.255
Oct 25 21:32:23 openvpn[46869]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.15.0.27 255.255.0.0 init
Oct 25 21:32:23 openvpn[46869]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 10.15.0.0 10.15.0.27 255.255.0.0
Oct 25 21:32:23 openvpn[46869]: /sbin/ifconfig ovpnc1 10.15.0.27 netmask 255.255.0.0 mtu 1500 up
Oct 25 21:32:23 openvpn[46869]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Oct 25 21:32:23 openvpn[46869]: TUN/TAP device /dev/tun1 opened
Oct 25 21:32:23 openvpn[46869]: ROUTE default_gateway=82.244.198.254
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route-related options modified
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route options modified
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 25 21:32:23 openvpn[46869]: Socket Buffers: R=[65536->262144] S=[65536->65536]
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: explicit notify parm(s) modified
Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 25 21:32:23 openvpn[46869]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.15.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.0.27 255.255.0.0'
Oct 25 21:32:22 openvpn[46869]: SENT CONTROL [eu1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
Oct 25 21:32:20 openvpn[46869]: [eu1.vpn.giganews.com] Peer Connection Initiated with [AF_INET]138.199.67.151:443
Oct 25 21:32:20 openvpn[46869]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Oct 25 21:32:15 openvpn[46869]: VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
Oct 25 21:32:14 openvpn[46869]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 25 21:32:13 openvpn[46869]: TLS: Initial packet from [AF_INET]138.199.67.151:443, sid=0881e814 1231c69f
Oct 25 21:32:13 openvpn[46869]: UDPv4 link remote: [AF_INET]138.199.67.151:443
Oct 25 21:32:13 openvpn[46869]: UDPv4 link local (bound): [AF_INET]EDITED WAN IP
Oct 25 21:32:13 openvpn[45829]: Expected Remote Options hash (VER=V4): '79a26cd9'
Oct 25 21:32:13 openvpn[45829]: Local Options hash (VER=V4): 'fc8ba345'
Oct 25 21:32:13 openvpn[45829]: Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 25 21:32:13 openvpn[45829]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Oct 25 21:32:13 openvpn[45829]: Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Oct 25 21:32:13 openvpn[45829]: LZO compression initialized
Oct 25 21:32:13 openvpn[45829]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 25 21:32:13 openvpn[45829]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Thanks.
-
OK, I found an easy fix:
add route-noexec in the OpenVPN advanced client settings, so the route table on pfSense will not be changed and your VPN will not always be the default gateway for everything.
Quick dirty how-to for VyprVPN and pfSense:
- add the Giganews CA certificate in the cert manager
- create a file with your VyprVPN login/password
example in /cf/conf/VyprVPN.pas:
yourlogin
yourpass
- add your client settings in OpenVPN client
example for a 256 bit tunnel on the VyprVPN Europe server:
server mode : peer to peer (ssl/tls)
protocol : udp
device mode : tun
interface : WAN
server host : eu1.vpn.giganews.com
server port : 443
server host name resolution : CHECK infinitely resolve server
tls authentication : UNCHECK
peer certificate authority : choose the VyprVPN CA certificate
encryption algorithm : AES-256-CBC
compression : CHECK compress tunnel packets using the LZO algorithm
advanced : verb 5;auth-user-pass /cf/conf/VyprVPN.pas;tls-remote eu1.vpn.giganews.com;persist-key;persist-tun;persist-remote-ip;auth SHA256;keysize 256;tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA;route-noexec
- In Interfaces, add your VPN interface (should be named ovpncX), enable it and set type to None.
- In Routing you should find this new interface; just edit it and add a monitor IP (208.67.220.220 for example).
- In NAT, change Outbound rules to Manual Outbound NAT rule generation and save.
- Now you just need to go to Rules, then change your default gateway to your VPN.
example: you can force all HTTP traffic to your VPN gateway and other traffic will always use the default gateway (WAN)
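As an added example (not code from the original post, pfSense or VyprVPN), a small Python script that parses the PUSH_REPLY line from the log earlier in the thread and the semicolon-separated pfSense "advanced" field, and shows which pushed options would install routes and whether route-noexec keeps OpenVPN from executing them. Option names follow the OpenVPN manual; the sample values are copied from this thread.

```python
"""Audit what an OpenVPN server pushes to a pfSense client.

Added example, not from the original forum post: it parses the PUSH_REPLY
line quoted in the log above and the pfSense 'advanced' field, and reports
which pushed options would install routes and whether route-noexec in the
client's own directives stops OpenVPN from executing them.
"""
import re

# Pushed options that make the client run route commands. route-gateway only
# names the next hop for those routes and installs nothing by itself.
ROUTE_INSTALLING = {"redirect-gateway", "route", "route-ipv6"}

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")

def parse_push_reply(log_line):
    """Return [(option, args), ...] from a 'PUSH: Received control message' log line."""
    m = PUSH_RE.search(log_line)
    if not m:
        return []
    parsed = []
    for item in m.group(1).split(",")[1:]:        # skip the leading PUSH_REPLY token
        name, _, args = item.strip().partition(" ")
        parsed.append((name, args))
    return parsed

def local_directives(advanced_field):
    """Directive names from pfSense's semicolon-separated OpenVPN 'advanced' box."""
    return {entry.strip().split()[0] for entry in advanced_field.split(";") if entry.strip()}

def route_pushes_executed(pushed, local):
    """Route-installing pushes the client would act on, given its own directives.

    With route-noexec OpenVPN still accepts the pushes but skips the
    /sbin/route calls, which is exactly the behaviour the thread wanted.
    """
    routes = [(name, args) for name, args in pushed if name in ROUTE_INSTALLING]
    return [] if "route-noexec" in local else routes

# Values copied from the thread: the PUSH_REPLY log line and the advanced field.
SAMPLE_LOG = ("Oct 25 21:32:23 openvpn[46869]: PUSH: Received control message: "
              "'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,"
              "dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,"
              "route-gateway 10.15.0.1,topology subnet,ping 10,ping-restart 60,"
              "ifconfig 10.15.0.27 255.255.0.0'")
SAMPLE_ADVANCED = ("verb 5;auth-user-pass /cf/conf/VyprVPN.pas;tls-remote eu1.vpn.giganews.com;"
                   "persist-key;persist-tun;persist-remote-ip;auth SHA256;keysize 256;"
                   "tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA;route-noexec")

if __name__ == "__main__":
    pushed = parse_push_reply(SAMPLE_LOG)
    print("server pushes:", [name for name, _ in pushed])
    print("routes executed without route-noexec:", route_pushes_executed(pushed, set()))
    print("routes executed with the thread's advanced field:",
          route_pushes_executed(pushed, local_directives(SAMPLE_ADVANCED)))
```

Pushed dhcp-option DNS entries are untouched by route-noexec, so check those separately if you do not want the provider's resolvers used.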
-
Hi,
I've been trying to set up VyprVPN via Giganews on my pfSense box and have followed the instructions above, but I keep getting the following error in the OpenVPN syslog:
Authenticate/Decrypt packet error: packet HMAC authentication failed.
This happens regardless of which VyprVPN server I try to connect to.
Any ideas?
Thanks
Chris
-
Do you have a CA certificate installed for VyprVPN?
-
Looks like it was a Copy Pasta issue between OS X Chrome and Firefox. When SSHing in and overwriting the file with vi it's connected normally. Thanks to all.
-
Thank you very much for your GREAT how-to. It works very well, but when a disconnect occurs, OpenVPN always reconnects too fast. What is the best way to insert a delay of not less than 120 seconds? (Because the old connection on the remote server is still alive, an AUTH_FAILED error is thrown when the reconnect happens too fast.)
Greetings from Germany
Steve
-
I added keepalive 120 240 but still no luck :-( If the connection goes down and a reconnect is done, an "AUTH_failed" error is thrown from the server (because the old connection still exists on my VPN provider's server), and it stays down until you manually restart it :-( Is there a way to add (re)connect retries in spite of the "AUTH_failed" message?