Netgate Discussion Forum
    How to create an OpenVPN client to StrongVPN

    • acids7n

      @AuZZZie:

      @acids7n:

      @AuZZZie:

      Add another one to the list. I've gone over my config 100 times and it is correct. There is something up here.. I have the exact same symptoms as described.

      Also using the 2.0 Official release.

      I too have followed the guide to a T, and my problem is exactly the same. It connects in the logs. I get a StrongVPN private IP. I can ping it from my PC. But I cannot surf or ping out beyond. I turn it off and everything works. I am only routing one IP (a Logitech Revue box) rather than the whole subnet. And I've made all the NAT changes and AON etc.
      PS: first post. First-time user of pfSense or any other Linux router distribution. Loving this (pfSense).

      EDIT***
      Well, I added the option comp-lzo to the end of the long string of options in (vpn/openvpn/client/advanced configuration):
      verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo

      And now it all works great; hope that helps.

      Thanks for posting, mate. I'll give it a shot. Can you clarify your other settings?

      Are you using Manual NAT?
      Is your VPN interface on DHCP or None?

      Manual (AON).
      And VPN is on None now (I tried DHCP before also, and even though it showed as up it actually wasn't), but it works on None for me.

      I'm too much of a newbie to really give you advice, but your screenshots look like mine. I got the comp-lzo thing from looking at the system logs; it showed up as a warning, so I did a search on it and found another user on this forum with a different issue who put that option in and it worked for them. So maybe the logs hold the answer…

      • AuZZZie

        Still no success. I'm starting to wonder if something is different in the NanoBSD version that I'm using. It makes no sense that others have it working with the exact same config.

        • AuZZZie

          So I restored to factory defaults. Did everything exactly the same and, what do you know, it's working.

          Except now, despite the VPN route not being set as default and the ACL rules being in the correct order it routes EVERYTHING over the tunnel while it is connected. It completely ignores any of the PBR rules.

          Losing faith in pfSense.

          • AuZZZie

            VICTORY!!!

            I don't know what is happening on the backend but this is what I determined. I had everything correct from the get go. The problem is I also have some IPSEC tunnels.

            I blew away my config back to factory defaults and tried it again. Still couldn't get it to work. So I reset to factory defaults again, this time I created the OpenVPN client tunnel BEFORE my IPSEC tunnels. All of a sudden everything works nicely.

            For whatever reason if I have my IPSEC tunnels created first I have issues. Makes no sense to me but I'm glad I've finally got it working.

            • acids7n

              I too turned rules/settings/interfaces on and off multiple times, and the LZO compression was the last setting for me. Glad us newbies got it to work; now if I can get the right firewall rule to route all Netflix/Hulu traffic through the VPN…

              • AuZZZie

                @acids7n:

                I too turned rules/settings/interfaces on and off multiple times, and the LZO compression was the last setting for me. Glad us newbies got it to work; now if I can get the right firewall rule to route all Netflix/Hulu traffic through the VPN…

                I haven't had a lot of luck routing JUST Netflix/Vudu etc traffic. I route based on source IP as I haven't managed to find definitive subnets for the Netflix content delivery system.

                It works for my main devices, would be nice to route based on destination though.

                • madbouy

                  Thanks for the excellent article. I am now able to route Astrill OpenVPN through my pfSense using your guide as a base. Excellent work. Thanks again.

                  • wanie

                    Hi,

                    Thanks for the how-to.
                    I have configured all your steps correctly, but I'm using PP instead of StrongVPN.
                    The VPN tunnel is working, but the firewall is blocking my traffic.
                    AON is active.
                    I called the interface "PP_CZ" and can see in the firewall log that all traffic to the web is blocked.
                    I was already trying to play around with the firewall rule, but no luck. :-(

                    Does anyone have some advice?
                    If any screenshots are helpful, please let me know what you need to see.

                    regards,
                    wanie

                    • singerie

                      Is the how-to still accurate? I had some issues too. The VPN is coming up, but I can't pass any traffic.

                      • ericab

                        singerie,

                        I haven't tunneled traffic through a VPN for a while now, so I'm not sure how accurate it is anymore, but I don't see any reason why it wouldn't be;

                        are you sure you've added the proper firewall rules for routing traffic through the gateway?

                        • Arisian

                          @ericab

                          It's me again :)

                          I hate to harp on this, but I'm still trying to get it to work with TCP rather than UDP since it's just a bit faster with StrongVPN.

                          Again, this is literally only for my AppleTV and Xbox.  I live in far western China and would really like to watch Netflix, Hulu, etc. on my TV.

                          I have success setting up UDP connections and in the past have not been able to get the TCP protocol to work - however, yesterday after coming back home I decided to give it a try.  Lo and behold, I got a TCP connection to work - at twice the speed I was getting before through my StrongVPN connection!

                          However, this morning I noticed that it was all down - I tried changing servers and messing with some of the config, but I'm at a loss now.  Really not wanting to go back to UDP after tasting the fruits of the TCP connection.  It seems to connect and then immediately lose, or reset, the connection!  Arrggh!

                          Any suggestions?

                          Jan 15 09:02:55 openvpn[6790]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                          Jan 15 09:02:55 openvpn[6790]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                          Jan 15 09:02:55 openvpn[6790]: Re-using SSL/TLS context
                          Jan 15 09:02:55 openvpn[6790]: LZO compression initialized
                          Jan 15 09:02:55 openvpn[6790]: Control Channel MTU parms [ L:1528 D:168 EF:68 EB:0 ET:0 EL:0 ]
                          Jan 15 09:02:55 openvpn[6790]: Socket Buffers: R=[65228->65536] S=[65228->65536]
                          Jan 15 09:02:55 openvpn[6790]: Data Channel MTU parms [ L:1528 D:1450 EF:28 EB:135 ET:0 EL:0 AF:14/28 ]
                          Jan 15 09:02:55 openvpn[6790]: Local Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-client'
                          Jan 15 09:02:55 openvpn[6790]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-server'
                          Jan 15 09:02:55 openvpn[6790]: Local Options hash (VER=V4): 'ab7819be'
                          Jan 15 09:02:55 openvpn[6790]: Expected Remote Options hash (VER=V4): '9e38dab6'
                          Jan 15 09:02:55 openvpn[6790]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:443 [nonblock]
                          Jan 15 09:02:56 openvpn[6790]: TCP connection established with [AF_INET]xxx.xxx.xxx.xx:443
                          Jan 15 09:02:56 openvpn[6790]: TCPv4_CLIENT link local (bound): [AF_INET]xxx.xxx.xxx.x:50211
                          Jan 15 09:02:56 openvpn[6790]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:443
                          Jan 15 09:02:56 openvpn[6790]: Connection reset, restarting [0]
                          Jan 15 09:02:56 openvpn[6790]: TCP/UDP: Closing socket
                          Jan 15 09:02:56 openvpn[6790]: SIGUSR1[soft,connection-reset] received, process restarting
                          Jan 15 09:02:56 openvpn[6790]: Restart pause, 5 second(s)

                          • cmb

                            @Arisian:

                            I have success setting up UDP connections and in the past have not been able to get the TCP protocol to work - however, yesterday after coming back home I decided to give it a try.  Lo and behold, I got a TCP connection to work - at twice the speed I was getting before through my StrongVPN connection!

                            That's atypical, I suspect the "Great Firewall of China" or your ISP was throttling your UDP. UDP is a faster and better tunneling protocol.

                            @Arisian:

                            However, this morning I noticed that it was all down - I tried changing servers and messing with some of the config, but I'm at a loss now.  Really not wanting to go back to UDP after tasting the fruits of the TCP connection.  It seems to connect and then immediately lose, or reset, the connection!  Arrggh!

                            Any suggestions?

                            Does StrongVPN offer any other TCP ports? I suspect you're almost certainly again getting hit by China's screwing with Internet traffic. That or it's a StrongVPN issue, but I suspect that's less likely.

                            • ericab

                              @Arisian

                              I'm going to agree with cmb on this one.
                              If this was an issue on StrongVPN's side, I can guarantee you we would see more posts like yours in this thread.
                              It's safe to say that StrongVPN has been blacklisted.

                              Although somewhat unrelated, it reminds me of an article I recently read.
                              It's worth a read.

                              https://threatpost.com/en_us/blogs/how-great-firewall-china-blocks-tor-010912

                              • Arisian

                                Hey guys, thanks for the replies.  I'm actually switching back over to UDP.

                                I have 4 strongvpn pptp accounts that work and the udp w/ encryption settings also (used to) work.

                                I'm trying to set up one that has no encryption and compression.  I literally just want the fastest openvpn connection I can get going out through that NIC.  I don't care if the Chinese government know that I just wanted season two of Arrested Development.

                                Speed is key here.

                                Anyways, I switched it over to UDP on port 4672 and now I'm getting this error, despite me using the newest config files and the correct ta.key.  I've tried it on many other ports and servers as well - same story.

                                ** It's also worth noting that pfSense is freaking out on me when I try to view the OpenVPN logs…  I really wish I could just put this issue to bed.  You can see my previous posts.  I've been working on this for a really long time! haha. Beyond that, I talked to StrongVPN tech and they said this setting works on Linux and Windows so it's 'Obviously a pfSense problem'.

                                That's a great read on TOR.  The manpower behind their great firewall is amazing.  I wonder if the handshake between the strongvpn and my pfsense box needs to be encrypted beyond what it is now.  Admittedly, I'm speaking in language that is over my head I feel...

                                TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx.xxx.xxx.xx:4672

                                After this, just for kicks, I removed the requirement to authenticate TLS packets (the checkbox and the contents of ta.key).  It will connect but then obviously struggles to read any information after that.  See the error below:

                                Jan 15 20:22:55 openvpn[52891]: UDPv4 link remote: [AF_INET]72.28.97.218:1193
                                Jan 15 20:22:55 openvpn[52891]: TLS: Initial packet from [AF_INET]72.28.97.218:1193, sid=7ae608c2 3414a02c
                                Jan 15 20:22:57 openvpn[52891]: VERIFY OK: depth=1, /C=US/ST=CA/L=San-Francisco/O=reliablehosting.com/CN=ovpn089/emailAddress=techies@reliablehosting.com
                                Jan 15 20:22:57 openvpn[52891]: VERIFY OK: depth=0, /C=US/ST=CA/L=San-Francisco/O=reliablehosting.com/CN=vpn-tx2/emailAddress=techies@reliablehosting.com
                                Jan 15 20:22:59 openvpn[52891]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1530', remote='link-mtu 1510'
                                Jan 15 20:22:59 openvpn[52891]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
                                Jan 15 20:22:59 openvpn[52891]: WARNING: 'keydir' is present in remote config but missing in local config, remote='keydir 0'
                                Jan 15 20:22:59 openvpn[52891]: WARNING: 'tls-auth' is present in remote config but missing in local config, remote='tls-auth'
                                Jan 15 20:22:59 openvpn[52891]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                                Jan 15 20:22:59 openvpn[52891]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                                Jan 15 20:22:59 openvpn[52891]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
                                Jan 15 20:22:59 openvpn[52891]: [vpn-tx2] Peer Connection Initiated with [AF_INET]72.28.97.218:1193
                                Jan 15 20:23:01 openvpn[52891]: SENT CONTROL [vpn-tx2]: 'PUSH_REQUEST' (status=1)
                                Jan 15 20:23:01 openvpn[52891]: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route-metric 1,dhcp-option DNS 216.131.94.5,dhcp-option DNS 216.131.95.20,route 10.8.2.201,topology net30,ping 10,ping-restart 60,ifconfig 10.8.2.206 10.8.2.205'
                                Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: timers and/or timeouts modified
                                Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: --ifconfig/up options modified
                                Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: route options modified
                                Jan 15 20:23:01 openvpn[52891]: NOTE: --mute triggered...
                                Jan 15 20:23:01 openvpn[52891]: 2 variation(s) on previous 5 message(s) suppressed by --mute
                                Jan 15 20:23:01 openvpn[52891]: Preserving previous TUN/TAP instance: ovpnc1
                                Jan 15 20:23:01 openvpn[52891]: Initialization Sequence Completed
                                Jan 15 20:23:12 openvpn[52891]: Authenticate/Decrypt packet error: packet HMAC authentication failed
                                Jan 15 20:23:22 openvpn[52891]: Authenticate/Decrypt packet error: packet HMAC authentication failed

                                Any other thoughts?  I'm pretty desperate to get this working since it's the only real option for watching tv since I live in China.

                                @ericab:

                                @Arisian

                                I'm going to agree with cmb on this one.
                                If this was an issue on StrongVPN's side, I can guarantee you we would see more posts like yours in this thread.
                                It's safe to say that StrongVPN has been blacklisted.

                                Although somewhat unrelated, it reminds me of an article I recently read.
                                It's worth a read.

                                https://threatpost.com/en_us/blogs/how-great-firewall-china-blocks-tor-010912

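The option warnings in the two logs above, and the comp-lzo warning acids7n found in the system log earlier in the thread, all come from the same check: at handshake time each OpenVPN end compares its own option string with the one it expects the peer to be running, tolerating only the differences that follow from the client/server roles (proto, keydir, tls-client/tls-server). The following added example (not code from this thread, from pfSense or from OpenVPN) parses such client log lines, diffs the Local and Expected Remote option strings, and maps each mismatch to the symptom a defender should expect. The sample log lines are constructed after the ones posted here (the comp-lzo warning line is a constructed counterpart of the one acids7n described), and the CONSEQUENCES table is this example's own summary, not OpenVPN output.

```python
"""Parse OpenVPN client log lines and report option mismatches between the two
tunnel endpoints.  Added example: not code from this thread, pfSense or OpenVPN.
The sample log lines are constructed after the ones posted in the thread; the
CONSEQUENCES table is this example's own summary."""
import re
from typing import Dict, List, Tuple

# Keys whose values legitimately differ between the client end and the server end.
ROLE_KEYS = {"proto", "keydir", "tls-client", "tls-server"}

# What a practitioner should expect to see after each kind of mismatch.
CONSEQUENCES = {
    "auth": "data-channel HMAC check fails ('packet HMAC authentication failed'); "
            "the tunnel comes up but passes no traffic",
    "tls-auth": "control-channel packets lack the expected HMAC; the handshake is "
                "rejected ('cannot locate HMAC in incoming packet')",
    "keydir": "tls-auth key direction differs; control-channel HMAC verification fails",
    "comp-lzo": "one end sends compressed frames the other does not decompress; "
                "traffic does not pass",
    "link-mtu": "packet sizes differ; expect fragmentation or dropped large packets",
    "cipher": "data-channel cipher differs; packets cannot be decrypted",
}

RE_OPTIONS = re.compile(r"(?P<side>Local|Expected Remote) Options String: '(?P<opts>[^']*)'")
RE_INCONSISTENT = re.compile(
    r"WARNING: '(?P<key>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
RE_MISSING = re.compile(
    r"WARNING: '(?P<key>[\w-]+)' is present in (?P<where>remote|local) config "
    r"but missing in (?:local|remote) config")

# Constructed sample, modelled on the lines posted in this thread (the comp-lzo
# warning is the constructed counterpart of the one acids7n saw).
SAMPLE_LOG = [
    "Jan 15 09:02:55 openvpn[6790]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Jan 15 09:02:55 openvpn[6790]: Local Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-client'",
    "Jan 15 09:02:55 openvpn[6790]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-server'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1530', remote='link-mtu 1510'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'tls-auth' is present in remote config but missing in local config, remote='tls-auth'",
    "Jan 15 20:23:12 openvpn[52891]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'",
    "Jan 15 20:23:12 openvpn[52891]: Authenticate/Decrypt packet error: packet HMAC authentication failed",
]


def parse_options_string(opts: str) -> Dict[str, str]:
    """'V4,dev-type tun,link-mtu 1528,comp-lzo' -> {'V4': '', 'dev-type': 'tun', ...}"""
    parsed: Dict[str, str] = {}
    for token in opts.split(","):
        key, _, value = token.strip().partition(" ")
        if key:
            parsed[key] = value
    return parsed


def compare_options(local: str, remote: str) -> List[Tuple[str, str, str]]:
    """(key, local, remote) for each difference not explained by the client/server roles."""
    a, b = parse_options_string(local), parse_options_string(remote)
    diffs = []
    for key in sorted(set(a) | set(b)):
        if key not in ROLE_KEYS and a.get(key) != b.get(key):
            diffs.append((key, a.get(key, "<absent>"), b.get(key, "<absent>")))
    return diffs


def audit_log(lines: List[str]) -> Dict[str, List[str]]:
    """Return {'mismatch': [...], 'insecure': [...]} for a client log excerpt."""
    report: Dict[str, List[str]] = {"mismatch": [], "insecure": []}
    strings: Dict[str, str] = {}

    def note(kind: str, text: str) -> None:
        if text not in report[kind]:          # one entry per distinct finding
            report[kind].append(text)

    for line in lines:
        if m := RE_OPTIONS.search(line):
            strings[m["side"]] = m["opts"]
        if m := RE_INCONSISTENT.search(line):
            note("mismatch", f"{m['key']}: local={m['local']!r} remote={m['remote']!r}; "
                             f"{CONSEQUENCES.get(m['key'], 'peers disagree')}")
        if m := RE_MISSING.search(line):
            note("mismatch", f"{m['key']}: only in {m['where']} config; "
                             f"{CONSEQUENCES.get(m['key'], 'peers disagree')}")
        if "No server certificate verification method has been enabled" in line:
            note("insecure", "server certificate not checked for server usage: any certificate "
                             "signed by the same CA, another client's included, could pose as the server")
        if "cipher [null-cipher]" in line or "auth [null-digest]" in line:
            note("insecure", "data channel without cipher or HMAC: traffic on the wire is "
                             "readable and forgeable")
    if "Local" in strings and "Expected Remote" in strings:
        for key, lv, rv in compare_options(strings["Local"], strings["Expected Remote"]):
            note("mismatch", f"{key}: local={lv!r} expected-remote={rv!r}")
    return report


if __name__ == "__main__":
    for kind, items in audit_log(SAMPLE_LOG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the sample, the two option strings from the TCP log differ only in role keys and so produce no mismatch, while the warning lines from the UDP log yield four mismatches (link-mtu, auth, tls-auth, comp-lzo); the auth one is exactly what precedes the "packet HMAC authentication failed" lines in that post.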
                                • Arisian

                                  I just wanted to say that I got this issue fixed.

                                  It's late at night where I live so I'll post exactly what I did to fix it come tomorrow.

                                  Thanks again for all of your fantastic help!

                                  cheers,
                                  Brian

                                  • ericab

                                    @Arisian

                                    I'm glad you've gotten it fixed. I'm really curious how you did it,
                                    and this will be great information for anyone else who is having this problem.

                                    • Arisian

                                      Gentlemen -

                                      Firstly, this problem probably only exists for a small portion of the population.  As I've mentioned in the past, I live in China running a photography tourism company.  One of the stresses of living overseas is that relaxing is extremely difficult since everything is foreign - for me relaxing means being able to sit in front of my TV and use all the web apps and programs that I have - AppleTV, Xbox, Plex Server, etc.

                                      I'm basically trying to skirt a few things - first, applications such as Hulu and Netflix require your IP to be in a country that is supported.  No one supports China, so I was basically trying to get one NIC to be on a VPN full time with as little security as possible and as fast as possible for streaming purposes.

                                      Why use pfSense?  Why not use one of the VPN-enabled routers that so many VPN providers are offering now?  Simply put - my pfSense box has much more processing power, which equates to a faster VPN connection.  Beyond that, pfSense is much more configurable and elegant, and the support network is much greater.

                                      Now - on to the solution…

                                      What I have set up is this - OpenVPN set up using UDP on port 1193.  No encryption.  Compressed LZO packets.

                                      The issue was that it was having a problem verifying the LZO packets on the initial handshake.  When I removed the ta.key in the TLS authentication option, it connected but wouldn't pass traffic and would freak out.

                                      The solution was to use the following advanced settings and make sure the ta.key (TLS auth) was enabled and in place:

                                      verb 4; mute 5;tun-mtu 1500;route-method exe;route-delay 2;explicit-exit-notify 2;fragment 1300;mssfix 1450; auth none; cipher none; persist-key; persist-tun; comp-lzo adaptive; redirect-gateway def1;

                                      Specifically auth none; cipher none.

                                      I guarantee there is a better way to do this, but this is what I have now and it's working extremely well.  In fact, I'm actually able to stream over the VPN NIC at 300-400 kbps or 2-3 Mbps - which is fantastic since my max line speed is 600 kbps.  I know that sounds dumb, but now my Netflix and AppleTV work like a champ - thus allowing me to not have to watch sh.tty Chinese television!

                                      Thanks again for this thread - feel free to add to what I've done… it's not very sexy; it was a simple solution that I was overlooking!

                                      Cheers,
                                      Brian

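The Advanced configuration string quoted in the post above is passed by pfSense one item per line into the generated OpenVPN client config, so it can be audited like any other OpenVPN profile. The following added example (not code from this thread, from pfSense or from OpenVPN) parses such a string into directives and reports what each weak setting costs: auth none removes the data-channel HMAC, cipher none removes encryption (with tls-auth still enabled, only the control channel keeps its HMAC), redirect-gateway def1 installs a default route through the tunnel (the symptom AuZZZie reported earlier, where traffic that matches no policy-routing rule still leaves via the VPN), and route-method is a Windows-only directive per the OpenVPN manual. The two quoted strings are taken from this thread; the HARDENED_ADVANCED string, the severity levels and the explanations are this example's own assumptions, not settings or messages from pfSense.

```python
"""Audit the ';'-separated "Advanced configuration" string that pfSense hands to
the generated OpenVPN client config.  Added example: not code from this thread,
pfSense or OpenVPN.  Directive names are standard OpenVPN ones; the severity
table and HARDENED_ADVANCED are this example's own assumptions."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (directive, severity, explanation)

# The two working strings quoted in this thread ...
ACIDS7N_ADVANCED = "verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo"
ARISIAN_ADVANCED = ("verb 4; mute 5;tun-mtu 1500;route-method exe;route-delay 2;explicit-exit-notify 2;"
                    "fragment 1300;mssfix 1450; auth none; cipher none; persist-key; persist-tun; "
                    "comp-lzo adaptive; redirect-gateway def1;")
# ... and a constructed alternative (assumption) that leaves cipher and HMAC to the
# values selected in the GUI and leaves routing to the firewall's policy rules.
HARDENED_ADVANCED = "verb 3;tun-mtu 1500;fragment 1300;mssfix 1450;persist-key;persist-tun;comp-lzo adaptive"

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


def parse_advanced(advanced: str) -> List[Tuple[str, str]]:
    """Split the GUI string into (directive, arguments) pairs, one per ';' item;
    pfSense writes each item as one line of the client config."""
    pairs: List[Tuple[str, str]] = []
    for item in advanced.split(";"):
        item = item.strip()
        if item:
            name, _, args = item.partition(" ")
            pairs.append((name, " ".join(args.split())))
    return pairs


def audit(pairs: List[Tuple[str, str]], tls_auth_enabled: bool = True) -> List[Finding]:
    """Findings a defender wants to see before deploying the profile.
    tls_auth_enabled mirrors the GUI's TLS authentication checkbox (ta.key)."""
    directives: Dict[str, str] = dict(pairs)
    findings: List[Finding] = []
    if directives.get("auth", "").lower() == "none":
        findings.append(("auth", "high",
                         "data-channel packets carry no HMAC: forged or altered packets are accepted"))
        if not tls_auth_enabled:
            findings.append(("tls-auth", "high",
                             "without the tls-auth HMAC, control-channel packets from any source reach "
                             "the TLS stack, and the data channel carries no HMAC either"))
    if directives.get("cipher", "").lower() == "none":
        findings.append(("cipher", "high", "data channel is cleartext on the wire"))
    if "redirect-gateway" in directives:
        findings.append(("redirect-gateway", "medium",
                         "installs a default route through the tunnel, so traffic that matches no "
                         "policy-routing rule also leaves via the VPN"))
    if "comp-lzo" in directives:
        findings.append(("comp-lzo", "info",
                         "both ends must agree on compression or no traffic passes"))
    if "route-method" in directives:
        findings.append(("route-method", "info",
                         "Windows-only directive per the OpenVPN manual; meaningless on pfSense"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """'high', 'medium', 'info', or 'none' when there are no findings."""
    return max((sev for _, sev, _ in findings), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    for label, text in (("acids7n", ACIDS7N_ADVANCED), ("Arisian", ARISIAN_ADVANCED),
                        ("hardened", HARDENED_ADVANCED)):
        found = audit(parse_advanced(text))
        print(f"{label}: worst={worst_severity(found)}")
        for name, sev, why in found:
            print(f"  [{sev}] {name}: {why}")
```

The point of the tls_auth_enabled parameter is the experiment described two posts up: removing ta.key while keeping auth none left nothing but TLS itself between the box and the Internet, and the HMAC errors followed; with ta.key back in place the control channel is protected again, even though the data channel still is not.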
                                      • 2CaP

                                        Folks,

                                        I too have been having issues with this… Last time I try to help out a buddy with an easy project to get him US TV. I have many hours into this now.

                                        I follow the guide to the letter (which btw I have basically memorized due to the number of times that I have done this).

                                        My VPN connects w/o an issue. However, I cannot pass traffic. In the 2.0.1 & 2.0 releases I can't pass traffic or ping. In 2.0 RC3 I can ping but not pass traffic.

                                        I have tried everything I can think of to make this work along with the suggestions from the forum.

                                        Today I started to look for another firewall product to suit my needs as a result of my frustration.

                                        I decided that I would take one last crack at it with RC1 using the guide & an exact replica of the setup I was trying to get working above.

                                        I don't know why, but it works. It connected & is passing traffic as we speak.

                                        I did read that there were some changes to the Cert Manager in 2.0.1 & I am not sure, but it may be the culprit here. Also, I do have this working on a 2.0 release as well using PPPoE not DHCP; however, the speed seems slow.  I don't know why RC1 works, but I am happy it does & won't be upgrading that box for the time being at least.

                                        • pkwong

                                          I followed your tutorial to a tee and it didn't work.  StrongVPN's tech support wasn't much of a help.  After much experimentation, I got it working.  I made a step by step post on it: http://www.swimminginthought.com/2012/02/15/netflix-and-isp-throttling-bypassed-by-vpn-solved/

                                          Something must have changed in 2.0.1

                                          When all else fails, don't blame the machine.  Blame your architecture.

                                          • deadnull

                                            For people having problems passing traffic from LAN to VPN, make sure you have NAT rules in place for the VPN gateway as well as firewall rules. This should fix any non-routing-related traffic problems; just recreate the default WAN>NAT rules for your VPN>NAT connection.

                                            Note: I have noticed that the VPN needs to be restarted manually for some rules to take effect.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.