How to create an OpenVPN client to StrongVPN

powerextreme

I am working on this setup. I have gotten to step 10. So far I am able to get the OpenVPN client up and running. I have noticed at this point internet connectivity goes down. DNS still works but can't ping to IP's on the Internet.

I know I am only at step 10 but just curious as to what happened when I started the OpenVPN client service.

Anyone got any ideas?

dawilder

Hi everyone.  Total NOOB here.

I've been trying to get a StrongVPN client set up on pfSense latest version (2.1.3).

I tried the initial tutorial by ericab, who started this thread, as well as the tutorial in the link by pkwong.  However, after a certain point, the screenshots start to differ slightly (in terms of the options) and I can't figure out what I'm doing wrong.  Also, on my machine, it seems to distinguish between IPv4 and IPv6 LANs.  Not sure if that is part of my problem.  That's above my head at this point.  I'm reeeaaaly clueless about this stuff, so your guys hand-holding is really appreciated.

I was able to load all the certificate information and get a positive indication of connection under system logs.  One other thing I noticed,  when I set up the certificate, I did not get an "in-use" indication within the GUI, like you see for the other one that was already there.  Could that be part of the problem?

If there is an updated tutorial, or if it's known that a StrongVPN Client will not work with the latest version of pfSense, I'd greatly appreciate the help.

Thanks!
DW

tucansam

What alternative(s) to StrongVPN have you folks found?  I was looking at privateinternetaccess but, like others, the tutorials I find online are for older versions, and as this will be my first time doing something like this, I'm going to need a lot of help.

panz

@tucansam:

What alternative(s) to StrongVPN have you folks found?  I was looking at privateinternetaccess but, like others, the tutorials I find online are for older versions, and as this will be my first time doing something like this, I'm going to need a lot of help.

AirVPN works beautifully.

cralesich

Hello,
I can not get openvpn working with strongvpn… No Internet access.

I have squid installed also... I also have my lan ip range set as 10.10.10.1 with the DHCP range of 10.10.10.5-254

I need a config and im willing to pay for it via paypal if need be. $20 USD

I need the following ports forwarded 53-80-25-443-110-2525 to 25 - 587 all tcp/udp

Here is the version of pfsense I am running - pfSense-memstick-2.1.3-RELEASE-amd64-20140501-1552

Thanks in advance for any help.

toyotahead

Perhaps as a newbie to pfSense myself I have miss-understood something concerning the outbound NAT manual / rules.

I have configured as per the guide with only 1 exception. The encryption algorithm i had to employ was: AES-128-CBC (128bit) Going with this algorithm not only allowed my openvpn to establish but also become viable to send / receive data over.

My problem is just like everyone else who has posted on this topic. ALL traffic is routed through the vpn across all the networks attached. (currently 7 different subnets NAT'ing)

So if I have read correctly, it sounds like the magic I need to employ happens at the NAT-Outbound-Manual Mappings. If so how do I specify these mappings? When I select manual mappings a number of rules are automaticly generated for all the attached subnets as well as 1 for 127.0.0.0. How and where do I specify to allow only select IP's or policy based exceptions to utilize the VPN while still allowing all regular NAT connections to traverse my regular WAN connection?

Finally, I see that this has been asked in the past but further clarification would be great. Why in the routing section is there the ability to specify a default gateway (typically for the regular WAN) if this does not work? Is this a possible bug?

My installation is:

2.1.4-RELEASE (i386)
built on Fri Jun 20 12:59:29 EDT 2014
FreeBSD 8.3-RELEASE-p16

And it is installed on a watchguard firebox 1250e. Not the nano but full install headless on a hard drive.
Thanks in advance for your help!

toyotahead

I have since doubled up all my manual outbound nat rules to allow NAT to the VPN interface. Then went back to the LAN firewall rule and pointed gateway at my WAN interface. At first the results were good, I was getting my local WAN ip showing up in whatsmyip.com, however after a few minutes and refreshing the page a few times, I see that I am again being directed out the VPN interface….  I am seriously stumped and baffled by this behaviour.....

When my only LAN rules looks like:
IPv4 * * * * * WAN_DHCP none

I traceroute and see:
traceroute whatismyip.com
traceroute to whatismyip.com (141.101.120.14), 30 hops max, 60 byte packets
1  192.168.69.1 (192.168.69.1)  0.633 ms  0.619 ms  0.602 ms
2  11.5.192.1 (11.5.192.1)  8.321 ms  12.384 ms  12.460 ms
3  rd1cs-tge1-3-1.ok.shawcable.net (64.59.168.201)  14.144 ms  14.223 ms  14.223 ms
4  rc2wh-tge0-4-0-17.vc.shawcable.net (66.163.76.26)  18.394 ms  18.384 ms *
5  rc6wt-pos0-8-1-0.wa.shawcable.net (66.163.76.130)  22.334 ms  22.406 ms  22.489 ms
6  rc5wt-tge0-10-0-10.wa.shawcable.net (66.163.68.65)  22.489 ms  22.774 ms  22.766 ms
7  six.as13335.com (206.81.81.10)  64.549 ms  35.806 ms  35.852 ms
8  141.101.120.14 (141.101.120.14)  32.500 ms  32.527 ms  32.688 ms

Hop 1 is my local ISP modem/router
Hop 2 I suspect is my ISP internal network
Hop 3 is my ISP's external addy....
etc...

Clearly going through my WAN....

And if i modify my only LAN rule to look like:
IPv4 * * * * * STRONGVPN_VPNV4 none

traceroute whatismyip.com
traceroute to whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
1  10.8.1.57 (10.8.1.57)  50.940 ms  50.930 ms  55.953 ms
2  10G-207-gtwy.reliablehosting.com (207.204.224.1)  57.507 ms  57.593 ms  57.581 ms
3  10ge2-1.sfo4.reliablehosting.com (216.131.94.241)  63.508 ms  63.632 ms  63.806 ms
4  218.188.105.25 (218.188.105.25)  65.886 ms  65.965 ms  65.952 ms
5  218.189.5.179 (218.189.5.179)  66.017 ms 218.189.5.170 (218.189.5.170)  66.083 ms 218.189.5.147 (218.189.5.147)  66.070 ms
6  d1-21-224-143-118-on-nets.com (118.143.224.21)  229.354 ms d1-13-224-143-118-on-nets.com (118.143.224.13)  214.237 ms d1-9-224-143-118-on-nets.com (118.143.224.9)  225.046 ms
7  d1-46-238-143-118-on-nets.com (118.143.238.46)  212.912 ms 218.189.5.14 (218.189.5.14)  219.428 ms  225.311 ms
8  103.22.203.26 (103.22.203.26)  220.888 ms  214.069 ms  220.438 ms
9  141.101.120.15 (141.101.120.15)  226.410 ms  219.705 ms  226.477 ms

What gives????

edit:
I should also mention that I am using squid. Dunno if that makes a difference or not. I just thought it might have bearing as my trace route packets seem to be routed properly but not the web requests....

toyotahead

ok… a bit closer possibly....

I have uninstalled squid2, and squidguard2.

From a LAN client ip, i can traceroute google.ca and hit my regular WAN gateway. As well http requests are being NAT'd throu regular WAN gateway. This is expected and correct.

However if i ssh into pfsense and traceroute google.ca, it still goes out via the vpn gateway....

Thoughts?

toyotahead

Maybe a bit more clarification as to what I am trying to achieve…

I am trying to get the pfsense box as well as all traffic generated on the lan subnets to still NAT to the shaw gateway. Only select ip's or layer7 detected protocols etc to be NAT'd out the VPN.

I believe that has to do with getting the pfsense box itself to use the default shaw gateway rather than the vpn gateway. Oddly enough in the routing section of pfsense when you specify multiple gateways, there is a box labelled default gateway. I have this set to the shaw gateway. Unfortunately this directive doesn’t seem to be adhered to....?

toyotahead

Just a thought… Why is there a 0.0.0.0/1 to 10.8.1.61 ahead of the default gateway line?

This is with the openvpn activated:
Diagnostics: Routing tables

IPv4
Destination Gateway Flags Refs Use Mtu Netif Expire
0.0.0.0/1 10.8.1.61 UGS 0 41 1500 ovpnc1 =>
default 192.168.69.1 UGS 0 1097 1500 sk0
10.8.1.57/32 10.8.1.61 UGS 0 0 1500 ovpnc1
10.8.1.61 link#14 UH 0 0 1500 ovpnc1
10.8.1.62 link#14 UHS 0 0 16384 lo0
50.66.76.1 192.168.69.1 UGHS 0 1685 1500 sk0
127.0.0.1 link#12 UH 0 51040 16384 lo0
128.0.0.0/1 10.8.1.61 UGS 0 22210 1500 ovpnc1
172.16.50.0/24 link#6 U 0 5891 1500 sk1
172.16.50.1 link#6 UHS 0 0 16384 lo0
172.16.75.0/24 link#1 U 0 0 1500 msk0
172.16.75.1 link#1 UHS 0 0 16384 lo0
172.16.100.0/24 link#7 U 0 0 1500 sk2
172.16.100.1 link#7 UHS 0 0 16384 lo0
172.16.150.0/24 link#8 U 0 0 1500 sk3
172.16.150.1 link#8 UHS 0 0 16384 lo0
172.16.200.0/24 link#3 U 0 0 1500 msk2
172.16.200.1 link#3 UHS 0 41 16384 lo0
172.16.201.0/24 link#13 U 0 0 1500 msk3_vlan201
172.16.201.1 link#13 UHS 0 0 16384 lo0
192.168.69.0/24 link#5 U 0 0 1500 sk0
192.168.69.14 link#5 UHS 0 0 16384 lo0
207.204.245.40/32 192.168.69.1 UGS 0 1784 1500 sk0
208.67.222.222 10.8.1.61 UGHS 0 1611 1500 ovpnc1

This is with the openvpn deactivated:
Diagnostics: Routing tables
IPv4
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.69.1 UGS 0 1200 1500 sk0
50.66.76.1 192.168.69.1 UGHS 0 3803 1500 sk0
127.0.0.1 link#12 UH 0 115900 16384 lo0
172.16.50.0/24 link#6 U 0 17932 1500 sk1
172.16.50.1 link#6 UHS 0 0 16384 lo0
172.16.75.0/24 link#1 U 0 0 1500 msk0
172.16.75.1 link#1 UHS 0 0 16384 lo0
172.16.100.0/24 link#7 U 0 0 1500 sk2
172.16.100.1 link#7 UHS 0 0 16384 lo0
172.16.150.0/24 link#8 U 0 0 1500 sk3
172.16.150.1 link#8 UHS 0 0 16384 lo0
172.16.200.0/24 link#3 U 0 0 1500 msk2
172.16.200.1 link#3 UHS 0 50 16384 lo0
172.16.201.0/24 link#13 U 0 0 1500 msk3_vlan201
172.16.201.1 link#13 UHS 0 0 16384 lo0
192.168.69.0/24 link#5 U 0 2 1500 sk0
192.168.69.14 link#5 UHS 0 0 16384 lo0

My gut is telling me this is the error I have been trying to track down. If this is so then how am i going to be able to amend this seemingly automaticly generated routing table? I have my NAT Outbound NAT rules set to manual at present.

toyotahead

My openvpn config diagnostic output:

Jul 24 17:08:05 openvpn[63624]: LZO compression initialized
Jul 24 17:08:05 openvpn[63624]: Control Channel MTU parms [ L:1562 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 24 17:08:05 openvpn[63624]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 24 17:08:05 openvpn[63624]: Data Channel MTU parms [ L:1562 D:1450 EF:62 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Fragmentation MTU parms [ L:1562 D:1300 EF:61 EB:135 ET:1 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Local Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jul 24 17:08:05 openvpn[63624]: Local Options hash (VER=V4): '84ab6e17'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options hash (VER=V4): '6a64613d'
Jul 24 17:08:05 openvpn[63624]: UDPv4 link local (bound): [AF_INET]192.168.69.14
Jul 24 17:08:05 openvpn[63624]: UDPv4 link remote: [AF_INET]207.204.245.40:4672
Jul 24 17:08:05 openvpn[63624]: TLS: Initial packet from [AF_INET]207.204.245.40:4672, sid=bf5e0c09 180c3de9
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=1, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=ovpn039, emailAddress=techies@reliablehosting.com
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=0, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=vpn28, emailAddress=techies@reliablehosting.com
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul 24 17:08:06 openvpn[63624]: [vpn28] Peer Connection Initiated with [AF_INET]207.204.245.40:4672
Jul 24 17:08:08 openvpn[63624]: SENT CONTROL [vpn28]: 'PUSH_REQUEST' (status=1)
Jul 24 17:08:08 openvpn[63624]: PUSH: Received control message: 'PUSH_REPLY,ping 1,ping-restart 60,route-delay 2,route-metric 1,dhcp-option DNS 207.204.224.10,dhcp-option DNS 68.68.32.123,route 10.8.1.57,topology net30,ifconfig 10.8.1.62 10.8.1.61'
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: –ifconfig/up options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route-related options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Jul 24 17:08:08 openvpn[63624]: ROUTE_GATEWAY 192.168.69.1
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device ovpnc1 exists previously, keep at program end
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device /dev/tun1 opened
Jul 24 17:08:08 openvpn[63624]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jul 24 17:08:08 openvpn[63624]: /sbin/ifconfig ovpnc1 10.8.1.62 10.8.1.61 mtu 1500 netmask 255.255.255.255 up
Jul 24 17:08:08 openvpn[63624]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1562 10.8.1.62 10.8.1.61 init
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 207.204.245.40 192.168.69.1 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 0.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 128.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 10.8.1.57 10.8.1.61 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: Initialization Sequence Completed
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:15:47 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client disconnected

Is there a way to make it so that when the vpn establishes that this route is not done?

toyotahead

SOLVED

Ok in the advanced config section of the openvpn client just DONT add the "redirect-gateway def1;" This effectively will override the route table with a blanket forward all traffic out the vpn tunnel.

NOW you are able to specify in your firewall rules which filtered matches you want to go out the VPN tunnel via the advanced features - gateway - and select the gateway of the vpn.

CHEERS EVERYONE. I see this has been a brutally long thread and many times this very question on how to selectively push traffic though the tunnel has been asked with no definitive solution. I am glad to have been able to contribute. :)

thermo

@toyotahead:

SOLVED
Ok in the advanced config section of the openvpn client just DONT add the "redirect-gateway def1;" This effectively will override the route table with a blanket forward all traffic out the vpn tunnel.

The server by default will send this to the client…
Anyway, to prevent all traffic being routed through a vpn connection by default, you just need to add "route-nopull;" to the advanced section, then do your individual routing on your firewall rules.

clevoir

I have had some problems setting up AirVPN on a new pfSense box, as posted elsewhere

I stumbled on this post, and despite following the instructions in detail, I simply cannot get a reliable internet connection. At the end of the guide I am able to confirm that I am using the AirVPN IP address instead of my own, but get a very slow internet connection, with most pages timing out.

I have tried a number of different servers, all using the UDP straight proticol, but all have the effect.

Following another guide I am using remote-cert-tls server;verb 3;explicit-exit-notify 5;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key in the advanced configuration of the OpenVPN client. I have tried omitting the persist-key option as suggested but this makes on efferct

This is a typical OpenVPN log:-

Dec 7 17:18:12 openvpn[24752]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Dec 7 17:18:12 openvpn[24752]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 7 17:18:12 openvpn[24752]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 7 17:18:12 openvpn[24752]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Dec 7 17:18:12 openvpn[24752]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12 openvpn[24752]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12 openvpn[24752]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 17:18:12 openvpn[25084]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 17:18:12 openvpn[25084]: UDPv4 link remote: [AF_INET]95.211.138.7:443
Dec 7 17:18:12 openvpn[25084]: TLS: Initial packet from [AF_INET]95.211.138.7:443, sid=6fa95ce8 b20f1f7b
Dec 7 17:18:12 openvpn[25084]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 17:18:12 openvpn[25084]: Validating certificate key usage
Dec 7 17:18:12 openvpn[25084]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 17:18:12 openvpn[25084]: VERIFY KU OK
Dec 7 17:18:12 openvpn[25084]: Validating certificate extended key usage
Dec 7 17:18:12 openvpn[25084]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 17:18:12 openvpn[25084]: VERIFY EKU OK
Dec 7 17:18:12 openvpn[25084]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 17:18:20 openvpn[25084]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Dec 7 17:18:20 openvpn[25084]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Dec 7 17:18:20 openvpn[25084]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20 openvpn[25084]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20 openvpn[25084]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20 openvpn[25084]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20 openvpn[25084]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 17:18:20 openvpn[25084]: [server] Peer Connection Initiated with [AF_INET]95.211.138.7:443
Dec 7 17:18:22 openvpn[25084]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 17:18:23 openvpn[25084]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.23.110 10.4.23.109'
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: route options modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 7 17:18:23 openvpn[25084]: ROUTE_GATEWAY 192.168.1.1
Dec 7 17:18:23 openvpn[25084]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 17:18:23 openvpn[25084]: TUN/TAP device /dev/tun1 opened
Dec 7 17:18:23 openvpn[25084]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 17:18:23 openvpn[25084]: /sbin/ifconfig ovpnc1 10.4.23.110 10.4.23.109 mtu 1500 netmask 255.255.255.255 up
Dec 7 17:18:23 openvpn[25084]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.23.110 10.4.23.109 init
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 95.211.138.7 192.168.1.1 255.255.255.255
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 0.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 128.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 10.4.0.1 10.4.23.109 255.255.255.255
Dec 7 17:18:23 openvpn[25084]: Initialization Sequence Completed

Sometimes I get Client disconnected as below:-

Dec 7 10:50:34 openvpn[95554]: ROUTE_GATEWAY 192.168.1.1
Dec 7 10:50:34 openvpn[95554]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 10:50:34 openvpn[95554]: TUN/TAP device /dev/tun1 opened
Dec 7 10:50:34 openvpn[95554]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 10:50:34 openvpn[95554]: /sbin/ifconfig ovpnc1 10.4.51.250 10.4.51.249 mtu 1500 netmask 255.255.255.255 up
Dec 7 10:50:34 openvpn[95554]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.51.250 10.4.51.249 init
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 95.211.186.93 192.168.1.1 255.255.255.255
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 0.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 128.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 10.4.0.1 10.4.51.249 255.255.255.255
Dec 7 10:50:34 openvpn[95554]: Initialization Sequence Completed
Dec 7 10:51:34 openvpn[95554]: [server] Inactivity timeout (–ping-restart), restarting
Dec 7 10:51:34 openvpn[95554]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 7 10:51:34 openvpn[95554]: Restart pause, 2 second(s)
Dec 7 10:51:36 openvpn[95554]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 7 10:51:36 openvpn[95554]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 10:51:36 openvpn[95554]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 10:51:36 openvpn[95554]: UDPv4 link remote: [AF_INET]95.211.186.93:443
Dec 7 10:51:36 openvpn[95554]: TLS: Initial packet from [AF_INET]95.211.186.93:443, sid=72e60795 f425b2a5
Dec 7 10:51:36 openvpn[95554]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 10:51:36 openvpn[95554]: Validating certificate key usage
Dec 7 10:51:36 openvpn[95554]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 10:51:36 openvpn[95554]: VERIFY KU OK
Dec 7 10:51:36 openvpn[95554]: Validating certificate extended key usage
Dec 7 10:51:36 openvpn[95554]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 10:51:36 openvpn[95554]: VERIFY EKU OK
Dec 7 10:51:36 openvpn[95554]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 10:51:41 openvpn[95554]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41 openvpn[95554]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41 openvpn[95554]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41 openvpn[95554]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41 openvpn[95554]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 10:51:41 openvpn[95554]: [server] Peer Connection Initiated with [AF_INET]95.211.186.93:443
Dec 7 10:51:43 openvpn[95554]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 10:51:43 openvpn[95554]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.51.250 10.4.51.249'
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: LZO parms modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: route options modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 7 10:51:43 openvpn[95554]: Preserving previous TUN/TAP instance: ovpnc1
Dec 7 10:51:43 openvpn[95554]: Initialization Sequence Completed
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: Client disconnected
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: Client disconnected

A connection is alway made with AirVPN and their gateway is always green after a number of seconds, see attachments

I can not us the monitor IP address as stated in the guide, bit have used 10.4.0.1 (which is an AirVPN address given in another setup guide) or google's 8.8.8.8

The OpenVPN connection is clearly been made and a gateway to AirVPN is being set up, I am at a complete loss as to why I can't get an internet connection.

I did wonder whether to try different ports rather than 443 UDP straight, but thought that I would post here first

I would be very grateful of some assistance, I have hit a brick wall and just don't kno where to turn next

I am running Snort, Squid and ClamAV as well, if this makes any difference

Also I am currently using the same subnet for WAN and LAN, could this be the cause of my problem?


sysfu

What happens when you connect to the AirVPN account using an OpenVPN client on your computer? Do the problems go away?

clevoir

Yes when I use AirVPN's own client software I get no problems at all using the same servers and UDP 443 port that I have tried to set up my pF=fSense box with

As such I can't see it is a problem at their end, more the pfSense setup?

At the time of this problem I was using the same subnet for WAN and LAN, and wonder if it might be part of the problem?

I now have WAN and LAN on seperate subnets now, and will try again

sysfu

Yes, typically the IP address assigned to each interface must be on a different network or subnet. That's how the router is able to determine which interface the packet should be forwarded to. If both interfaces are on the same network, it doesn't know how to decide between the two.

Think if you were tasked with delivering a package to an office to a person there named "Charlie". When you get to the office, you find out where are two people named "Charlie".

How would you be able to decide definitively on which desk the package should ultimately go? You wouldn't without more info.

clevoir

I have just found that AirVPN block all conections on UDP ports where a proxy is used. as I am using Snort, Squid and Clam AV I guess that this will be why I can't get a connection as I was uisng UDP port 443

I am to try agian using TCP ports but appreciate that the connection speed might be slower

clevoir

This morning I tried again using AirVPn TCP 443 and 80 settings and still can't get an internet connection.

Log is:-

Dec 14 10:11:50 openvpn[11670]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Dec 14 10:11:50 openvpn[11670]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 14 10:11:50 openvpn[11670]: /sbin/ifconfig ovpnc1 10.5.14.90 10.5.14.89 mtu 1500 netmask 255.255.255.255 up
Dec 14 10:11:50 openvpn[11670]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1559 10.5.14.90 10.5.14.89 init
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 37.48.81.11 192.168.2.1 255.255.255.255
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 0.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 128.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 10.5.0.1 10.5.14.89 255.255.255.255
Dec 14 10:11:50 openvpn[11670]: Initialization Sequence Completed
Dec 14 10:13:52 openvpn[11670]: Connection reset, restarting [0]
Dec 14 10:13:52 openvpn[11670]: SIGUSR1[soft,connection-reset] received, process restarting
Dec 14 10:13:52 openvpn[11670]: Restart pause, 5 second(s)
Dec 14 10:13:57 openvpn[11670]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 14 10:13:57 openvpn[11670]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Dec 14 10:13:57 openvpn[11670]: Attempting to establish TCP connection with [AF_INET]37.48.81.11:443 [nonblock]
Dec 14 10:13:58 openvpn[11670]: TCP connection established with [AF_INET]37.48.81.11:443
Dec 14 10:13:58 openvpn[11670]: TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.200
Dec 14 10:13:58 openvpn[11670]: TCPv4_CLIENT link remote: [AF_INET]37.48.81.11:443
Dec 14 10:13:58 openvpn[11670]: TLS: Initial packet from [AF_INET]37.48.81.11:443, sid=7f752825 a08fa24f
Dec 14 10:13:58 openvpn[11670]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 14 10:13:58 openvpn[11670]: Validating certificate key usage
Dec 14 10:13:58 openvpn[11670]: ++ Certificate has key usage 00a0, expects 00a0
Dec 14 10:13:58 openvpn[11670]: VERIFY KU OK
Dec 14 10:13:58 openvpn[11670]: Validating certificate extended key usage
Dec 14 10:13:58 openvpn[11670]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 14 10:13:58 openvpn[11670]: VERIFY EKU OK
Dec 14 10:13:58 openvpn[11670]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 14 10:14:02 openvpn[11670]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02 openvpn[11670]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02 openvpn[11670]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02 openvpn[11670]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02 openvpn[11670]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 14 10:14:02 openvpn[11670]: [server] Peer Connection Initiated with [AF_INET]37.48.81.11:443
Dec 14 10:14:04 openvpn[11670]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 14 10:14:04 openvpn[11670]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.5.0.1,comp-lzo no,route 10.5.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.5.14.90 10.5.14.89'
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: LZO parms modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: route options modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 14 10:14:04 openvpn[11670]: Preserving previous TUN/TAP instance: ovpnc1
Dec 14 10:14:04 openvpn[11670]: Initialization Sequence Completed
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: Client disconnected
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: Client disconnected

Adanced Configurations in OpenVPN client are

remote-cert-tls server;verb 3;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key

Firewire NAT Outgoing rules have been set to Manual Outbound NAT rule generations, but no addtional rules have been set up.

LAN Firewire rules are set as:-

Action=Pass

Interface=LAN

TCP/IP Version=IP4v

Proticol=any

Source=LAN net

Destrination=any

Gateway = AirVPN gateway (Dynamic)

Note that I have edited the Default allow LAN to any rule settings to the above

Dashboard Settings show an AirVPN connection 10.5.14.90 in green

AirVPN Gateway settings show gateway 10.5.14.89 Monitor 10.4.0.1. in green

q54e3w

Im not sure its related but a couple of things worth checking.

Check WAN interface is set to Active but type = none and LAN is set yo your subnet of choice.
Do not set your WAN address to a private range, i.e 192.168.x.x.
Also I noticed your routing screenshot doesn't show a default route, this should be WAN_DHCP.
Ive attached a shot of my NAT rules too, hopefully these don't add to your confusion as I have a lot more interfaces as well as some VPN_LAN -> non VPN output rules but you'll get the idea if you take the time to read it.
AirVPN works fine with UDP and proxies like squid etc so suspect you have a weird config somewhere back up the chain, moving to TCP isn't going to help I suspect.

Take your time, go through the AirVPN guide step by step and verify at each stage you are seeing the expected behaviors, i.e can you Ping / DNS lookup at the interim stages.