Netgate Discussion Forum
    How to create an OpenVPN client to StrongVPN

    OpenVPN
    157 Posts 56 Posters 225.4k Views
    • cmb

      @Arisian:

      I have success setting up UDP connections and in the past have not been able to get the TCP protocol to work - however, yesterday after coming back home I decided to give it a try.  Lo and behold I got a TCP connection to work - at twice the speed I was getting before through my strongvpn connection!

      That's atypical, I suspect the "Great Firewall of China" or your ISP was throttling your UDP. UDP is a faster and better tunneling protocol.

      @Arisian:

      However, this morning I noticed that it was all down - I tried changing servers and messing with some of the config, but I'm at a loss now.  Really not wanting to go back to UDP after tasting the fruits of the TCP connection.  It seems to connect and then immediately lose, or reset, the connection!  Arrggh!

      Any suggestions?

      Does StrongVPN offer any other TCP ports? I suspect you're almost certainly again getting hit by China's screwing with Internet traffic. That or it's a StrongVPN issue, but I suspect that's less likely.

      • ericab

        @Arisian

        I'm going to agree with cmb on this one.
        If this was an issue on strongVPN's side, I can guarantee you we would see more posts like yours in this thread.
        It's safe to say that strongVPN has been blacklisted.

        Although somewhat unrelated, it reminds me of an article I recently read.
        It's worth a read.

        https://threatpost.com/en_us/blogs/how-great-firewall-china-blocks-tor-010912

        • Arisian

          hey guys - thanks for the replies.  I'm actually switching back over to UDP.

          I have 4 strongvpn pptp accounts that work and the udp w/ encryption settings also (used to) work.

          I'm trying to set up one that has no encryption and compression.  I literally just want the fastest openvpn connection I can get going out through that NIC.  I don't care if the Chinese government knows that I just wanted season two of Arrested Development.

          Speed is key here.

          Anyways, I switched it over to UDP on port 4672 and now I'm getting this error, despite me using the newest config files and the correct ta.key.  I've tried it on many other ports and servers as well - same story.

          ** It's also worth noting that pfsense is freaking out on me when I try and view the openvpn logs…  really wish I could just put this issue to bed.  You can see my previous posts.  I've been working on this for a really long time! haha. Beyond that I talked to strongvpn tech and they said this setting works on linux and windows so it's 'Obviously a pfsense problem'

          That's a great read on TOR.  The manpower behind their great firewall is amazing.  I wonder if the handshake between the strongvpn and my pfsense box needs to be encrypted beyond what it is now.  Admittedly, I'm speaking in language that is over my head I feel...

          TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx.xxx.xxx.xx:4672

          after this just for kicks I removed the requirement to authenticate tls packets (check box and the contents of ta.key).  It will connect but then obviously struggles to read any information after that.  See the error below:

          Jan 15 20:22:55 openvpn[52891]: UDPv4 link remote: [AF_INET]72.28.97.218:1193
          Jan 15 20:22:55 openvpn[52891]: TLS: Initial packet from [AF_INET]72.28.97.218:1193, sid=7ae608c2 3414a02c
          Jan 15 20:22:57 openvpn[52891]: VERIFY OK: depth=1, /C=US/ST=CA/L=San-Francisco/O=reliablehosting.com/CN=ovpn089/emailAddress=techies@reliablehosting.com
          Jan 15 20:22:57 openvpn[52891]: VERIFY OK: depth=0, /C=US/ST=CA/L=San-Francisco/O=reliablehosting.com/CN=vpn-tx2/emailAddress=techies@reliablehosting.com
          Jan 15 20:22:59 openvpn[52891]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1530', remote='link-mtu 1510'
          Jan 15 20:22:59 openvpn[52891]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
          Jan 15 20:22:59 openvpn[52891]: WARNING: 'keydir' is present in remote config but missing in local config, remote='keydir 0'
          Jan 15 20:22:59 openvpn[52891]: WARNING: 'tls-auth' is present in remote config but missing in local config, remote='tls-auth'
          Jan 15 20:22:59 openvpn[52891]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Jan 15 20:22:59 openvpn[52891]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Jan 15 20:22:59 openvpn[52891]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
          Jan 15 20:22:59 openvpn[52891]: [vpn-tx2] Peer Connection Initiated with [AF_INET]72.28.97.218:1193
          Jan 15 20:23:01 openvpn[52891]: SENT CONTROL [vpn-tx2]: 'PUSH_REQUEST' (status=1)
          Jan 15 20:23:01 openvpn[52891]: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route-metric 1,dhcp-option DNS 216.131.94.5,dhcp-option DNS 216.131.95.20,route 10.8.2.201,topology net30,ping 10,ping-restart 60,ifconfig 10.8.2.206 10.8.2.205'
          Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: timers and/or timeouts modified
          Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: --ifconfig/up options modified
          Jan 15 20:23:01 openvpn[52891]: OPTIONS IMPORT: route options modified
          Jan 15 20:23:01 openvpn[52891]: NOTE: --mute triggered...
          Jan 15 20:23:01 openvpn[52891]: 2 variation(s) on previous 5 message(s) suppressed by --mute
          Jan 15 20:23:01 openvpn[52891]: Preserving previous TUN/TAP instance: ovpnc1
          Jan 15 20:23:01 openvpn[52891]: Initialization Sequence Completed
          Jan 15 20:23:12 openvpn[52891]: Authenticate/Decrypt packet error: packet HMAC authentication failed
          Jan 15 20:23:22 openvpn[52891]: Authenticate/Decrypt packet error: packet HMAC authentication failed

          Any other thoughts?  I'm pretty desperate to get this working since it's the only real option for watching tv since I live in China.

          @ericab:

          @Arisian

          I'm going to agree with cmb on this one.
          If this was an issue on strongVPN's side, I can guarantee you we would see more posts like yours in this thread.
          It's safe to say that strongVPN has been blacklisted.

          Although somewhat unrelated, it reminds me of an article I recently read.
          It's worth a read.

          https://threatpost.com/en_us/blogs/how-great-firewall-china-blocks-tor-010912

          • Arisian

            I just wanted to say that I got this issue fixed.

            It's late at night where I live so I'll post exactly what I did to fix it come tomorrow.

            Thanks again for all of your fantastic help!

            cheers,
            Brian

            • ericab

              @Arisian

              I'm glad you've gotten it fixed. I'm really curious how you did it,
              and this will be great information for anyone else who is having this problem.

              • Arisian

                Gentlemen -

                Firstly, this problem probably only exists for a small portion of the population.  As I've mentioned in the past, I live in China running a photography tourism company.  One of the stresses of living overseas is that relaxing is extremely difficult since everything is foreign - for me relaxing means being able to sit in front of my tv and use all the web apps and programs that I have - appleTV, xbox, Plex Server, etc.

                I'm basically trying to skirt a few things - first, applications such as hulu and netflix require your IP to be in a country that is supported.  No one supports China, so I was basically trying to get one NIC to be on a VPN full time with as little security as possible and as fast as possible for streaming purposes.

                Why use pfsense?  Why not use one of the vpn enabled routers that so many VPN providers are offering now?  Simply put - my pfsense box has much more processing power which equates to a faster VPN connection.  Beyond that, pfsense is much more configurable, elegant, and the support network is much greater.

                Now - on to the solution…

                What I have set up is this - openVPN setup using UDP on port 1193.  No encryption.  compressed LZO packets.

                The issue was that it was having a problem verifying the LZO packets on the initial handshake.  When I removed the ta.key in the TLS authentication option, it connected but wouldn't pass traffic and would freak out.

                The solution was to use the following advanced settings and make sure the ta.key (TLS auth) were enabled and in place:

                verb 4; mute 5;tun-mtu 1500;route-method exe;route-delay 2;explicit-exit-notify 2;fragment 1300;mssfix 1450; auth none; cipher none; persist-key; persist-tun; comp-lzo adaptive; redirect-gateway def1;

                Specifically auth none; cipher none.

                I guarantee there is a better way to do this, but this is what I have now and it's working extremely well.  In fact, I'm actually able to stream over the VPN nic at 300-400kbps or 2-3 mbps - which is fantastic since my max line speed is 600kbps.  I know that sounds dumb, but now my netflix and appleTV work like a champ - thus allowing me to not have to watch sh.tty chinese television!

                Thanks again for this thread - feel free to add to what I've done… it's not very sexy, was a simple solution that I was overlooking!

                Cheers,
                Brian
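
The option string Arisian settled on and the "used inconsistently" warnings in his earlier log can be checked mechanically. The following is an added example, not code from the thread, pfSense or OpenVPN: it parses the advanced-configuration box, lists the options the server reports as differing from the client's, flags the settings that switch off tunnel protection, and maps the error messages quoted in this thread to what to check. The helper names, the TRIAGE table and the combined LOG sample are this example's own.

```python
"""Check a pfSense OpenVPN client's "Advanced configuration" string against the
option mismatches OpenVPN logs, and triage the errors quoted in this thread.
Added example, not code from the thread, pfSense or OpenVPN; helper names, the
TRIAGE table and the combined LOG sample are this example's own."""
import re

# Arisian's working option string, copied from the post above.
ARISIAN_OPTIONS = ("verb 4; mute 5;tun-mtu 1500;route-method exe;route-delay 2;"
                   "explicit-exit-notify 2;fragment 1300;mssfix 1450; auth none; "
                   "cipher none; persist-key; persist-tun; comp-lzo adaptive; "
                   "redirect-gateway def1;")

# Constructed sample: the "cannot locate HMAC" error from the tls-auth run plus
# the warnings and HMAC failure from the run with ta.key removed (both quoted above).
LOG = [
    "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx.xxx.xxx.xx:4672",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'link-mtu' is used inconsistently, "
    "local='link-mtu 1530', remote='link-mtu 1510'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'auth' is used inconsistently, "
    "local='auth SHA1', remote='auth [null-digest]'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'keydir' is present in remote config "
    "but missing in local config, remote='keydir 0'",
    "Jan 15 20:22:59 openvpn[52891]: WARNING: 'tls-auth' is present in remote config "
    "but missing in local config, remote='tls-auth'",
    "Jan 15 20:23:12 openvpn[52891]: Authenticate/Decrypt packet error: "
    "packet HMAC authentication failed",
]

INCONSISTENT = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                          r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING_LOCAL = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is present in remote config "
                           r"but missing in local config, remote='(?P<remote>[^']*)'")

# Messages seen in this thread and what to check for each (this example's own table).
TRIAGE = {
    "cannot locate HMAC in incoming packet": "tls-auth is on here but the peer's control "
        "packets carry no valid HMAC: check the ta.key contents and key-direction",
    "packet HMAC authentication failed": "data-channel auth/cipher differ from the "
        "server's; align them using the 'used inconsistently' warnings",
    "No server certificate verification method has been enabled": "the server cert's "
        "role is not checked; add remote-cert-tls server (ns-cert-type server on old releases)",
}


def parse_advanced(options: str) -> dict:
    """Split the semicolon-separated box contents into {directive: value};
    flag directives such as 'persist-key' map to ''."""
    directives = {}
    for chunk in options.split(";"):
        chunk = chunk.strip()
        if chunk:
            name, _, value = chunk.partition(" ")
            directives[name] = value.strip()
    return directives


def mismatches(log_lines) -> list:
    """(option, local, remote) for every option the server reports as differing;
    local is None when the option is missing on our side."""
    found = []
    for line in log_lines:
        m = INCONSISTENT.search(line)
        if m:
            found.append((m.group("opt"), m.group("local"), m.group("remote")))
            continue
        m = MISSING_LOCAL.search(line)
        if m:
            found.append((m.group("opt"), None, m.group("remote")))
    return found


def weak_settings(directives: dict) -> list:
    """Directives that switch off the tunnel's cryptographic protection."""
    weak = []
    if directives.get("auth") == "none":
        weak.append("auth none: data packets carry no HMAC and can be altered in transit")
    if directives.get("cipher") == "none":
        weak.append("cipher none: tunnel payload travels in cleartext")
    return weak


def triage(log_lines) -> list:
    """Sorted, de-duplicated advice for every known message in the log."""
    return sorted({advice for line in log_lines
                   for key, advice in TRIAGE.items() if key in line})
```

Run against Arisian's values, `mismatches(LOG)` shows the four options the server disagreed on and `weak_settings(...)` reports that both integrity and confidentiality are off in the working configuration.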

                • 2CaP

                  Folks,

                  I too have been having issues with this… Last time I try to help out a buddy with an easy project to get him US TV. I have many hours into this now.

                  I follow the guide to the letter (which btw I have basically memorized due to the number of times that I have done this).

                  My VPN connects w/o an issue. However I cannot pass traffic. In the 2.01 & 2.0 Releases I can't pass traffic or ping. In 2.0 RC3 I can ping but not pass traffic.

                  I have tried everything I can think of to make this work along with the suggestions from the forum.

                  Today I started to look for another firewall product to suit my needs as a result of my frustration.

                  I decided that I would take one last crack at it with RC1 using the guide & an exact replica of the setup I was trying to get working above.

                  I don't know why but it works. It connected & is passing traffic as we speak.

                  I did read that there were some changes to the Cert Manager on 2.0.1 & I am not sure, but it may be the culprit here. Also, I do have this working on a 2.0 release as well using PPPoE not DHCP. However the speed seems slow.  I don't know why RC1 works but, I am happy it does & won't be upgrading that box for the time being at least.

                  • pkwong

                    I followed your tutorial to a tee and it didn't work.  StrongVPN's tech support wasn't much of a help.  After much experimentation, I got it working.  I made a step by step post on it: http://www.swimminginthought.com/2012/02/15/netflix-and-isp-throttling-bypassed-by-vpn-solved/

                    Something must have changed in 2.0.1

                    When all else fails, don't blame the machine.  Blame your architecture.

                    • deadnull

                      For people having problems passing traffic from LAN to VPN, make sure you have NAT rules in place for the VPN gateway as well as firewall rules. This should fix any non-routing-related traffic problems; just recreate the default WAN>NAT rules for your VPN>NAT connection.

                      Note: I have noticed that the VPN needs to be restarted manually for some rules to take effect.

                      • mohanrao83

                        I'm using the same but it's still not working, my OpenVPN and site-to-site VPN. Any step-by-step idea?

                        @ericab:

                        StrongVPN HowTo.
                        -- For pfSense version 2.0 (beta & RC)

                        Once you have completed this tutorial, you will have a pfSense box that automatically connects to StrongVPN, and routes all traffic from your LAN,
                        through the vpn gateway.


                        ---Section 1---

                        Step 1:

                        download the StrongVPN greeting file.

                        once extracted you are presented with these files:

                        Step 2:

                        from the pfSense interface, navigate to the dropdown menus:  System --> Cert Manager

                        Step 3:

                        click the plus button as seen here:
                        to create a new certificate authority

                        Step 4:

                        enter a descriptive name for the new CA,
                        and ensure that "Import an existing certificate authority" is selected

                        Step 5:

                        go to the directory containing the files as seen in the first screenshot in this tutorial
                        open the file called "ca.crt" in notepad, and copy and paste the EXACT contents of it into the first box.
                        click SAVE. (the second box will remain empty, don't worry)

                        Step 6:

                        click on the "Certificates" tab:

                        click on the plus button:

                        Step 7:

                        ensure that "Import an existing certificate" is selected, and enter a descriptive name
                        go to the directory containing the files as seen in the first screenshot in this tutorial and open the file called "ovpn059.crt"
                        NOTE: depending on the server you have selected upon purchase, your client cert may have a number other than '059', so do not fret.
                        open in notepad, and copy and paste the contents of it into the first box.
                        open "ovpn059.key" (again, note that the number '059' will probably be different) and copy/paste the contents into the second box ('Private key data')

                        Step 8:

                        navigate to the system dropdown menus: VPN --> OpenVPN

                        click the Client tab:

                        Step 9:

                        for this step; please just duplicate what you see in this screenshot, on your box.

                        -Note: In the "Cryptographic Settings" section, copy and paste the contents of the "ta.key" file into "TLS Authentication"
                        see here:

                        -Note 2: for ease, here are the "advanced configuration" options you can copy and paste: (remember to keep the trailing ; in place.) -->

                        verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;

                        now, Click Save

                        Step 10:

                        navigate to the system dropdown menus Status --> System Logs, and click on the OpenVPN tab.
                        if the last thing you see in this log is "Initialization Sequence Completed" you are connected to StrongVPN; but, you are not done yet, as none of your traffic is traversing this line.

                        move on to section 2

                        ---Section 2---

                        Step 1:

                        navigate to the system dropdown menus Interfaces --> (assign)

                        click the plus button:

                        -Note in the previous screenshot you will notice a StrongVPN interface. you will NOT have that on your box yet, so don't worry.

                        Step 2:

                        after clicking on the plus button pfSense will tell you it has successfully added a new interface. the network port name will most likely be named "ovpnc1". ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc… depends if you have other ovpn interfaces or not)

                        Step 3:

                        navigate to the system dropdown menus Interfaces --> OPT1 (or whatever your new interface from the previous step is)
                        Enable the interface.
                        Enter a Description --> "StrongVPN"
                        "Type" ---> none
                        leave everything else alone
                        click Save.

                        Step 4:

                        navigate to the system dropdown menus System --> Routing

                        click the plus button:

                        ensure the Interface selected is the new one we have just assigned to the vpn client; should be "OPT1"
                        Enter the gateway name.
                        for "Gateway", enter "dynamic"
                        do NOT click "Default gateway"
                        for monitor IP, enter 208.67.222.222 (or whatever will respond to ICMP)(208.67.222.222 is openDNS fyi)
                        leave "Advanced" alone
                        enter a description for "Description"
                        click save

                        Step 5:

                        navigate to the system dropdown menus Firewall --> Rules
                        click on the LAN tab.

                        Step 6:

                        create a new rule that looks like this:

                        Action: PASS
                        –
                        Interface: LAN
                        Protocol: ANY
                        Source: LAN Subnet
                        Destination: ANY
                        –
                        Description: LAN to Internet force through VPN

                        IMPORTANT: scroll down to "Gateway" under the "Advanced features" of the rule.
                        Set gateway to your VPN interface.

                        it should look something like this:

                        click save.

                        the rule should look like this:

                        at this point, i would give the box a reboot (possibly an unnecessary step)
                        if this isn't an option, disable the VPN client, wait a minute and then go ahead and re-enable it.

                        CHECK OpenVPN syslog for errors !

                        navigate to "http://www.whatismyip.com/" and your public facing IP will be one of strongvpn's IP's.

                        you're done !

                        edit - November 23 2010
                        -- removed persist-tun, from additional configuration options

                        edit - March 9 2011
                        -- from now on, in order for traffic to be routed through the vpn gateway; from the pfSense interface, navigate to the dropdown menus: FIREWALL --> NAT --> OUTBOUND -- enable "Manual Outbound NAT rule generation" and select save.

                          • jetbee0

                          I had same problem, but I've resolved with following methods.

                          I changed some client settings:
                          In VPN --> OpenVPN Client settings.

                          • Check compression.
                          • Change Advanced value to "verb 4; tun-mtu 1500; fragment 1390; keysize 128; redirect-gateway def1; persist-key;"
                            note) this value may depend on each server.
                            I checked connection via pinging to obtained remote server gateway ip address.

                          I created some NAT rules:
                          In Firewall ---> NAT:

                          • Check Mode "Manual Outbound NAT rule generation".
                          • Add 2 Mappings: LAN to WAN and LAN to VPN-OUT.

                            • sysfu

                            Got this working with AirVPN. All the steps are pretty much the same with the important exception: Make sure to UNcheck the "Enable authentication of TLS packets." box under "Cryptographic Settings". Otherwise you'll get the "WARNING: No server certificate verification method has been enabled" errors in the OpenVPN log and the tunnel will not come up.

                            Here are options that I used under the VPN => OpenVPN => Client => Advanced configuration box

                            keysize 256;ns-cert-type server;verb 3;explicit-exit-notify 5;redirect-gateway def1;
                            
                              • pkwong

                              While I've written a howto on how to implement StrongVPN with Pfsense (that actually works), I thought it would be interesting reading to take a look at Amazon's free tier.  I like StrongVPN, but the reality is why pay for something you can get for free?

                              Check it out:  http://swimminginthought.com/201204amazons-free-tier-personal-vpn-server/

                              Getting a VPN for free for one year isn't a bad deal considering you control both ends of the pipe.  You're guaranteed to know whether or not you're having any ports blocked (you choose).  Just a thought.

                              My posting for employing strongvpn via pfsense is still at: http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/

                              It works flawlessly by the way.  Over 30+ happy customers that I've personally set up.

                              When all else fails, don't blame the machine.  Blame your architecture.

                                • yu130960

                                I have to agree with the previous posts that something is weird.

                                I was using PFsense and strongvpn for over a year and successfully upgraded to the latest 2.01.

                                 However when I changed servers I did a factory reset and have never been able to get the traffic to pass through again.  It actually locks up PFsense and it does not pass internet traffic on aspects of the Lan.

                                I have spent two days trying to figure it out and even did a restore to the old settings and simply changed out the certificates and other server info to address the new open vpn server and it still does not work.

                                  • pkwong

                                  Since StrongVPN has changed their set up Again.. Here's the updated link on how to get it working: http://swimminginthought.com/update-strongvpn-pfsense-working-file-config/

                                  Works perfectly.. tested.. etc.

                                  When all else fails, don't blame the machine.  Blame your architecture.

                                    • singerie

                                    @pkwong:

                                    Since StrongVPN has changed their set up Again.. Here's the updated link on how to get it working: http://swimminginthought.com/update-strongvpn-pfsense-working-file-config/

                                    Works perfectly.. tested.. etc.

                                    what did they change ?

                                      • pkwong

                                       I honestly have no idea.  I found it interesting that they don't support AES encryption in my latest round of helping someone get their vpn up.  So it's basically easy to break via Deep Packet Inspection tech.  Essentially, no security or privacy in my eyes.

                                      When all else fails, don't blame the machine.  Blame your architecture.

                                        • singerie

                                         I saw they support AES-256-CBC in their 'ultra-secure config' in their vpn summary panel.

                                        Also, 1 question.

                                         I managed to have strongvpn to work, but now pfsense is 'unable to check for update' on the dashboard (using beta 2.1).

                                         this is my OpenVPN option : verb 5;tun-mtu 1500; route-delay 2;explicit-exit-notify 2;fragment 1390;key-direction 1;

                                        and i've put 2 manual dns server in the general config, and disabled Allow DNS server list to be overridden by DHCP/PPP on WAN.

                                         but I see ovpn has created a route 0.0.0.0 to strongvpn. Do you guys think it might be my issue ? And I have to manage to remove this route ?

                                        edit : config issue, now working after a reboot :)

                                          • pkwong

                                          Just my personal opinion, but I don't see the purpose of charging extra for encryption that works, although, they are a business and AES is 14 levels deep when it comes to AES 128.  So it is more CPU intensive and any business deserves to make money.  I am, however, using an Amazon Free Tier OpenVPN server that does it just fine.  All incoming traffic is free so unless you're doing tons of outbound (even then it's only .12 per Gigabyte), it's still a bargain.

                                          If you take a look at your upstream bandwidth and calculate it out to what you can maximally push over the month, you'll realize it's VERY cheap.

                                          Cheers.

                                          Percy
                                          http://swimminginthought.com/free-server-it/

                                          When all else fails, don't blame the machine.  Blame your architecture.

                                            • Valis

                                            @pkwong:

                                            I followed your tutorial to a tee and it didn't work.  StrongVPN's tech support wasn't much of a help.  After much experimentation, I got it working.  I made a step by step post on it: http://www.swimminginthought.com/2012/02/15/netflix-and-isp-throttling-bypassed-by-vpn-solved/

                                            Something must have changed in 2.0.1

                                            Thank you for your detailed tutorial :)

                                            "God helps those who help them selves."

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.