Netgate Discussion Forum

    [Solved] OpenVPN/ExpressVPN cannot connect

    • CosmoNerd

      I configured pfSense based on the StrongVPN guide https://forum.pfsense.org/index.php?topic=29944.0

      but the connection still doesn't work; ifconfig fails, with /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up as the last command in the log.

      Log:

      
      Last 50 OpenVPN log entries
      Jul 4 14:17:24	openvpn[31627]: Exiting due to fatal error
      Jul 4 14:17:24	openvpn[31627]: FreeBSD ifconfig failed: external program exited with error status: 1
      Jul 4 14:17:24	openvpn[31627]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
      Jul 4 14:17:24	openvpn[31627]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Jul 4 14:17:24	openvpn[31627]: TUN/TAP device /dev/tun2 opened
      Jul 4 14:17:24	openvpn[31627]: ROUTE_GATEWAY 67.177.168.1
      Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: route options modified
      Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: --ifconfig/up options modified
      Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: timers and/or timeouts modified
      Jul 4 14:17:24	openvpn[31627]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
      Jul 4 14:17:24	openvpn[31627]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Jul 4 14:17:22	openvpn[31627]: [server] Peer Connection Initiated with [AF_INET]67.212.xx.xx:1194
      Jul 4 14:17:22	openvpn[31627]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
      Jul 4 14:17:22	openvpn[31627]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jul 4 14:17:22	openvpn[31627]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Jul 4 14:17:22	openvpn[31627]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jul 4 14:17:22	openvpn[31627]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Jul 4 14:17:22	openvpn[31627]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
      Jul 4 14:17:22	openvpn[31627]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1546'
      Jul 4 14:17:21	openvpn[31627]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
      Jul 4 14:17:21	openvpn[31627]: VERIFY X509NAME OK: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
      Jul 4 14:17:21	openvpn[31627]: VERIFY OK: nsCertType=SERVER
      Jul 4 14:17:21	openvpn[31627]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
      Jul 4 14:17:21	openvpn[31627]: TLS: Initial packet from [AF_INET]67.212.xx.xx:1194, sid=9f36d269 ceb731b0
      Jul 4 14:17:21	openvpn[31627]: UDPv4 link remote: [AF_INET]67.212.xx.xx:1194
      Jul 4 14:17:21	openvpn[31627]: UDPv4 link local (bound): [AF_INET]67.177.170.202
      Jul 4 14:17:17	openvpn[91655]: Socket Buffers: R=[42080->65536] S=[57344->65536]
      Jul 4 14:17:17	openvpn[91655]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jul 4 14:17:17	openvpn[91655]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jul 4 14:17:17	openvpn[91655]: Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
      Jul 4 14:17:17	openvpn[91655]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jul 4 14:17:17	openvpn[91655]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
      Jul 4 14:17:17	openvpn[91655]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014
      Jul 4 14:17:17	openvpn[91655]: DEPRECATED OPTION: --tls-remote, please update your configuration
      Jul 4 14:10:11	openvpn[55966]: Exiting due to fatal error
      Jul 4 14:10:11	openvpn[55966]: FreeBSD ifconfig failed: external program exited with error status: 1
      Jul 4 14:10:11	openvpn[55966]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
      Jul 4 14:10:11	openvpn[55966]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Jul 4 14:10:11	openvpn[55966]: TUN/TAP device /dev/tun2 opened
      Jul 4 14:10:11	openvpn[55966]: ROUTE_GATEWAY 67.177.168.1
      Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: route options modified
      Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: --ifconfig/up options modified
      Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: timers and/or timeouts modified
      Jul 4 14:10:11	openvpn[55966]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
      Jul 4 14:10:11	openvpn[55966]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Jul 4 14:10:09	openvpn[55966]: [server] Peer Connection Initiated with [AF_INET]67.212.xx.xx:1194
      Jul 4 14:10:09	openvpn[55966]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
      Jul 4 14:10:09	openvpn[55966]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      
      

      Troubleshooting based on

      • https://forum.pfsense.org/index.php?topic=72299.msg395636#msg395636
      • https://forum.pfsense.org/index.php?topic=35815.0

      didn't change anything.

      OpenVPN client config:

      verb 3
      dev tun
      fast-io
      #proto tcp-client
      persist-key
      persist-tun
      replay-persist cur-replay-protection.cache
      remote canada-cluster.expressnetwork.net 1194
      remote canada-cluster2.expressnetwork.net 1194
      remote canada-cluster3.expressnetwork.net 1194
      remote canada-cluster4.expressnetwork.net 1194
      remote-random
      pull

      # Use compression

      comp-lzo

      # Strong encryption

      tls-client
      ns-cert-type server
      route-method exe
      route-delay 2
      tun-mtu 1500
      fragment 1300
      mssfix 1450
      tls-auth /etc/ssl/ExpressVPN/ta.key 1
      cert /etc/ssl/ExpressVPN/client.crt
      key /etc/ssl/ExpressVPN/client.key
      ca /etc/ssl/ExpressVPN/ca.crt

      Routing tables:

      default 67.xxx.xxx.x UGS 0 106334 1500 em1
      67.xxx.xxx.0/22 link#2 U 0 2406 1500 em1
      c-67-xxx-xxx-xxx.hsd1.tn.comcast.net link#2 UHS 0 0 16384 lo0
      cdns01.comcast.net 00:0c:29:e5:xx:xx UHS 0 1478 1500 em1
      cdns02.comcast.net 00:0c:29:e5:xx:xx UHS 0 1477 1500 em1
      localhost link#7 UH 0 171 16384 lo0
      192.168.1.0 link#1 U 0 479391 1500 em0
      gateway.home link#1 UHS 0 0 16384 lo0

      Destination Gateway Flags Refs Use Mtu Netif Expire
      localhost localhost UH 0 0 16384 lo0
      fe80::%em0 link#1 U 0 124 1500 em0
      fe80::1:1%em0 link#1 UHS 0 0 16384 lo0
      fe80::%em1 link#2 U 0 451 1500 em1
      fe80::1:1%em1 link#2 UHS 0 0 16384 lo0
      fe80::%em2 link#3 U 0 0 1500 em2
      fe80::20c:29ff:fee5:f11d%em2 link#3 UHS 0 0 16384 lo0
      fe80::%lo0 link#7 U 0 0 16384 lo0
      fe80::1%lo0 link#7 UHS 0 0 16384 lo0
      ff01::%em0 fe80::1:1%em0 U 0 0 1500 em0
      ff01::%em1 fe80::1:1%em1 U 0 0 1500 em1
      ff01::%em2 fe80::20c:29ff:fee5:f11d%em2 U 0 0 1500 em2
      ff01::%lo0 localhost U 0 0 16384 lo0
      ff02::%em0 fe80::1:1%em0 U 0 0 1500 em0
      ff02::%em1 fe80::1:1%em1 U 0 0 1500 em1
      ff02::%em2 fe80::20c:29ff:fee5:f11d%em2 U 0 0 1500 em2
      ff02::%lo0 localhost U 0 0 16384 lo0

      Any thoughts?

      Thanks!

      • CosmoNerd

        Update … fixed, by altering the OpenVPN client config to

        fast-io; persist-key;replay-persist cur-replay-protection.cache; remote-random; pull; verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;
        persist-tun;keepalive 10 120;

        keepalive 10 120 was the actual differentiator that made it work.
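
A small triage script for a log like the one in the first post, added here as an example and not part of the original thread: it groups lines by OpenVPN PID, parses the PUSH_REPLY into the options the server imposed on the client, and compares the device OpenVPN opened with the interface name it passed to ifconfig. The function names and the SAMPLE excerpt (lines copied from the posted log, reordered oldest first) are this example's own.

```python
import re

# Constructed sample: lines copied from the log in the first post, oldest first.
SAMPLE = """\
Jul 4 14:17:17 openvpn[91655]: DEPRECATED OPTION: --tls-remote, please update your configuration
Jul 4 14:17:24 openvpn[31627]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
Jul 4 14:17:24 openvpn[31627]: TUN/TAP device /dev/tun2 opened
Jul 4 14:17:24 openvpn[31627]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
Jul 4 14:17:24 openvpn[31627]: FreeBSD ifconfig failed: external program exited with error status: 1
"""

# "<Mon> <day> <time> openvpn[<pid>]: <message>", space or tab separated.
LINE = re.compile(r"^[ \t]*\w{3}[ \t]+\d+ [\d:]+[ \t]+openvpn\[(\d+)\]: (.*)$", re.M)

def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into {option: [argument strings]}."""
    pushed = {}
    for item in msg.split("'")[1].split(",")[1:]:   # skip the PUSH_REPLY token
        name, _, args = item.partition(" ")
        pushed.setdefault(name, []).append(args)
    return pushed

def triage(log_text):
    """Summarise each openvpn PID: pushed options, tun device names, ifconfig failure."""
    runs = {}
    for pid, msg in LINE.findall(log_text):
        run = runs.setdefault(pid, {"pushed": {}, "opened": None, "ifconfig_dev": None, "failed": False})
        if msg.startswith("PUSH: Received control message"):
            run["pushed"] = parse_push_reply(msg)
        elif msg.startswith("TUN/TAP device"):
            run["opened"] = msg.split()[2].rsplit("/", 1)[-1]   # /dev/tun2 -> tun2
        elif msg.startswith("/sbin/ifconfig"):
            run["ifconfig_dev"] = msg.split()[1]                # interface name argument
        elif "ifconfig failed" in msg:
            run["failed"] = True
    return runs

def findings(run):
    """Points worth checking for one run; observations from the log, not a diagnosis."""
    out = []
    if run["failed"] and run["opened"] != run["ifconfig_dev"]:
        out.append(f"ifconfig ran on {run['ifconfig_dev']!r}, device opened was {run['opened']!r}")
    if "redirect-gateway" in run["pushed"]:
        out.append("server pushed redirect-gateway")
    dns = [a.split()[1] for a in run["pushed"].get("dhcp-option", []) if a.startswith("DNS ")]
    if dns:
        out.append("server pushed DNS: " + ", ".join(dns))
    return out
```
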
