OpenVPN Gateway Not "UP"
-
Having issues with getting my VPN working. Here is the error I'm seeing in the System Logs for Gateways:

```
Nov 15 12:38:38 apinger: SIGHUP received, reloading configuration.
Nov 15 12:38:48 apinger: ALARM: OPT1_VPNV4(10.146.1.5) *** down ***
Nov 15 12:40:12 apinger: SIGHUP received, reloading configuration.
Nov 15 12:40:12 apinger: alarm canceled (config reload): OPT1_VPNV4(10.146.1.5) *** down ***
Nov 15 12:40:22 apinger: ALARM: OPT1_VPNV4(10.111.1.5) *** down ***
Nov 15 12:54:17 apinger: SIGHUP received, reloading configuration.
Nov 15 12:54:17 apinger: alarm canceled (config reload): OPT1_VPNV4(10.111.1.5) *** down ***
Nov 15 12:54:27 apinger: ALARM: OPT1_VPNV4(10.177.1.5) *** down ***
Nov 15 13:01:08 apinger: SIGHUP received, reloading configuration.
Nov 15 13:01:08 apinger: alarm canceled (config reload): OPT1_VPNV4(10.177.1.5) *** down ***
Nov 15 13:01:18 apinger: ALARM: OPT1_VPNV4(10.175.1.9) *** down ***
```
But, when checking the OpenVPN status I am greeted with this:

| Name | Status | Connected Since | Virtual Addr | Remote Host |
|---|---|---|---|---|
| PIA OpenVPN UDP | up | Sun Nov 16 8:18:03 2014 | 10.117.1.10 | 198.23.103.68 |
Here is the log from OpenVPN as well:
```
Nov 16 08:01:53 openvpn[80721]: Initialization Sequence Completed
Nov 16 08:04:23 openvpn[80721]: event_wait : Interrupted system call (code=4)
Nov 16 08:04:23 openvpn[80721]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.129.1.6 10.129.1.5 init
Nov 16 08:04:23 openvpn[80721]: SIGTERM[hard,] received, process exiting
Nov 16 08:04:24 openvpn[41960]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Nov 16 08:04:24 openvpn[41960]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 16 08:04:24 openvpn[41960]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 08:04:24 openvpn[42222]: UDPv4 link local (bound): [AF_INET]104.172.13.57
Nov 16 08:04:24 openvpn[42222]: UDPv4 link remote: [AF_INET]50.23.113.206:1194
Nov 16 08:04:24 openvpn[42222]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 16 08:04:24 openvpn[42222]: [Private Internet Access] Peer Connection Initiated with [AF_INET]50.23.113.206:1194
Nov 16 08:04:26 openvpn[42222]: TUN/TAP device ovpnc1 exists previously, keep at program end
Nov 16 08:04:26 openvpn[42222]: TUN/TAP device /dev/tun1 opened
Nov 16 08:04:26 openvpn[42222]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Nov 16 08:04:26 openvpn[42222]: /sbin/ifconfig ovpnc1 10.105.1.6 10.105.1.5 mtu 1500 netmask 255.255.255.255 up
Nov 16 08:04:26 openvpn[42222]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.105.1.6 10.105.1.5 init
Nov 16 08:04:26 openvpn[42222]: Initialization Sequence Completed
Nov 16 08:04:30 openvpn[42222]: event_wait : Interrupted system call (code=4)
Nov 16 08:04:30 openvpn[42222]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.105.1.6 10.105.1.5 init
Nov 16 08:04:30 openvpn[42222]: SIGTERM[hard,] received, process exiting
Nov 16 08:04:31 openvpn[69358]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Nov 16 08:04:31 openvpn[69358]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 16 08:04:31 openvpn[69358]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 08:04:31 openvpn[69537]: UDPv4 link local (bound): [AF_INET]104.172.13.57
Nov 16 08:04:31 openvpn[69537]: UDPv4 link remote: [AF_INET]50.23.115.87:1194
Nov 16 08:04:31 openvpn[69537]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 16 08:04:31 openvpn[69537]: [Private Internet Access] Peer Connection Initiated with [AF_INET]50.23.115.87:1194
Nov 16 08:04:33 openvpn[69537]: TUN/TAP device ovpnc1 exists previously, keep at program end
Nov 16 08:04:33 openvpn[69537]: TUN/TAP device /dev/tun1 opened
Nov 16 08:04:33 openvpn[69537]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Nov 16 08:04:33 openvpn[69537]: /sbin/ifconfig ovpnc1 10.109.1.6 10.109.1.5 mtu 1500 netmask 255.255.255.255 up
Nov 16 08:04:33 openvpn[69537]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.109.1.6 10.109.1.5 init
Nov 16 08:04:33 openvpn[69537]: Initialization Sequence Completed
Nov 16 08:13:46 openvpn[69537]: event_wait : Interrupted system call (code=4)
Nov 16 08:13:46 openvpn[69537]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.109.1.6 10.109.1.5 init
Nov 16 08:13:46 openvpn[69537]: SIGTERM[hard,] received, process exiting
Nov 16 08:18:00 openvpn[31287]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Nov 16 08:18:00 openvpn[31287]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 16 08:18:00 openvpn[31287]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 16 08:18:00 openvpn[32085]: UDPv4 link local (bound): [AF_INET]104.172.13.57
Nov 16 08:18:00 openvpn[32085]: UDPv4 link remote: [AF_INET]198.23.103.68:1194
Nov 16 08:18:00 openvpn[32085]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 16 08:18:01 openvpn[32085]: [Private Internet Access] Peer Connection Initiated with [AF_INET]198.23.103.68:1194
Nov 16 08:18:03 openvpn[32085]: TUN/TAP device ovpnc1 exists previously, keep at program end
Nov 16 08:18:03 openvpn[32085]: TUN/TAP device /dev/tun1 opened
Nov 16 08:18:03 openvpn[32085]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Nov 16 08:18:03 openvpn[32085]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Nov 16 08:18:03 openvpn[32085]: /sbin/ifconfig ovpnc1 10.117.1.10 10.117.1.9 mtu 1500 netmask 255.255.255.255 up
Nov 16 08:18:03 openvpn[32085]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.117.1.10 10.117.1.9 init
Nov 16 08:18:03 openvpn[32085]: Initialization Sequence Completed
```
Please help!!!
-
Bump…
-
Anyone?!
-
No one has experienced this before or has any insight?!
-
I don't think remote OpenVPN interfaces are pingable. I think the reason is they are actually serviced by the OpenVPN process so there's not a full stack (including ICMP) bound to them. Something like that.
You can change the monitor IP to something at the remote site that will respond to ping.
-
Use a monitor IP that'll actually reply to pings (System>Routing, edit the gateway), the gateway IP of an OpenVPN connection from a provider possibly won't reply to pings.
-
Part of the reason nobody responded is because it takes time and it gets pretty tedious answering the same questions over and over again when things like this exist:
https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses
Not bagging on you personally, just putting it out there.
-
And, FWIW, if you really want to ping the tunnel address on a site-to-site, just set the tunnel network on the server to a /30 then push an ifconfig to the client:
Tunnel Network: 10.26.254.0/30 (Server will use first address).
In the server's advanced config:
push "ifconfig 10.26.254.2 10.26.254.1";
I tried to do it in the client specific overrides but I couldn't get it to take. I might have something screwed up with the CN or something and it's not matching. Seems like it should work in either place.
This also worked specifying the /30 on both server and client as the tunnel network but I like to keep as much config centralized as I can.
-
Thanks for your responses. I should have been more clear in my original post, so I didn't waste any of your time.
The Gateway does show down all the time, due to the pinging you both were talking about. I don't mind that, if it should still work in that state, though I will look into your suggestions.
The real issue I'm facing is that when I turn on the OpenVPN I'm not getting internet access via any of my machines. I followed several guides to set up rules to route specific traffic through the VPN, which hasn't worked. In fact, when OpenVPN is turned on ALL of my machines behind pfSense lose internet connectivity. I've set a rule that resolves all of the other traffic, but it still looks like anything routed through the OPT1_VPNV4 Gateway has issues. The rule seems fine to me. Below are the rules in place:

```
IPv4 * 192.168.1.62 * * * OPT1_VPNV4 none PIA_VPN_Rule
IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
IPv4 * LAN net * * * GW_WAN none Default allow LAN to any rule
```

Could this be a result of something I missed in the OpenVPN setup?
-
That has nothing to do with the GW being down.
Your rules are wrong. The VPN is probably pushing you a default route (Most VPN providers do this, pfSense does it if you check "Redirect gateway" in the server config.) The way to stop it is by using route-nopull; in the PIA client config. You will then have to policy route the desired traffic to PIA.
You'll need to post specifics. Both of your config and the desired behavior.
-
> That has nothing to do with the GW being down.
> Your rules are wrong. The VPN is probably pushing you a default route (Most VPN providers do this, pfSense does it if you check "Redirect gateway" in the server config.) The way to stop it is by using route-nopull; in the PIA client config. You will then have to policy route the desired traffic to PIA.
> You'll need to post specifics. Both of your config and the desired behavior.

I did try to do the route-nopull that was mentioned in another post that you were helping in. Do you know what the rule would have to be for it to work with the route-nopull?
I followed all of the instructions that are posted in this post: https://forum.pfsense.org/index.php?topic=72902.msg397636#msg397636
I am looking to do what that post was out to do, route all traffic from 192.168.1.62 to the VPN, but ALL other traffic goes through the WAN.
-
You need to get the tunnel working and add route-nopull;
You need a firewall rule on LAN with a source address of 192.168.1.62 destination any with gateway set to the VPN.
You need manual outbound NAT that matches 192.168.1.62 on your VPN interface.
That's pretty much it.
Reference the diagram in the footer and the attached firewall rule and NAT entry from pfSense A.
![Screen Shot 2014-11-22 at 12.11.12 PM.png](/public/imported_attachments/1/Screen Shot 2014-11-22 at 12.11.12 PM.png)
![Screen Shot 2014-11-22 at 12.13.53 PM.png](/public/imported_attachments/1/Screen Shot 2014-11-22 at 12.13.53 PM.png)
-
> You need to get the tunnel working and add route-nopull;
> You need a firewall rule on LAN with a source address of 192.168.1.62 destination any with gateway set to the VPN.
> You need manual outbound NAT that matches 192.168.1.62 on your VPN interface.
> That's pretty much it.
> Reference the diagram in the footer and the attached firewall rule and NAT entry from pfSense A.

Thanks for taking the time to help me out Derelict.
I have tried those rules as well as other similar ones and still haven't been able to get my connection out via the VPN. Just testing right now, I applied the FW rule on LAN with my source IP and gateway set to the OPT1_VPNV4 and added the NAT rule. I am still getting the external WAN IP. Attaching more screenshots of my settings.
![FW Rule.PNG](/public/imported_attachments/1/FW Rule.PNG)
-
Why are you posting a NAT port forward? You want an entry in outbound NAT.
-
> Why are you posting a NAT port forward? You want an entry in outbound NAT.

That rule is in Outbound, check the attached.
-
Then it should be working. Are you sure the tunnel is up and can pass traffic?
ETA: And please delete or disable that OPT1 port forward rule.
-
> Then it should be working. Are you sure the tunnel is up and can pass traffic?
> ETA: And please delete or disable that OPT1 port forward rule.

How can I verify that the tunnel is up and passing traffic? In Status –> OpenVPN I get this:

| Name | Status | Connected Since | Virtual Addr | Remote Host | Bytes Sent | Bytes Rcvd |
|---|---|---|---|---|---|---|
| PIA OpenVPN UDP | up | Sat Nov 22 12:29:20 2014 | 10.135.1.6 | 198.23.103.66 | 1150724 | 655697 |

I don't see a port forward rule for anything, which rule are you referring to? I only posted two rules:
Firewall Rules and NAT Outbound.
-
> > Then it should be working. Are you sure the tunnel is up and can pass traffic?
> > ETA: And please delete or disable that OPT1 port forward rule.
>
> How can I verify that the tunnel is up and passing traffic? In Status –> OpenVPN I get this:
>
> | Name | Status | Connected Since | Virtual Addr | Remote Host | Bytes Sent | Bytes Rcvd |
> |---|---|---|---|---|---|---|
> | PIA OpenVPN UDP | up | Sat Nov 22 12:29:20 2014 | 10.135.1.6 | 198.23.103.66 | 1150724 | 655697 |

Sure looks like it's up. It should be working. When you try to go to a site using host 192.168.1.62 what happens? If you are trying to connect to something using host 192.168.1.62 and you look at diagnostics->States and filter on 192.168.1.62 what do you see?
If you use diagnostics->ping to host 8.8.8.8 IPv4 Source Address: OPT1 what happens?
> I don't see a port forward rule for anything, which rule are you referring to? I only posted two rules:
> Firewall Rules and NAT Outbound.

Yeah. Sorry. I was confused. Nevermind.
-
> > > Then it should be working. Are you sure the tunnel is up and can pass traffic?
> > > ETA: And please delete or disable that OPT1 port forward rule.
> >
> > How can I verify that the tunnel is up and passing traffic? In Status –> OpenVPN I get this:
> >
> > | Name | Status | Connected Since | Virtual Addr | Remote Host | Bytes Sent | Bytes Rcvd |
> > |---|---|---|---|---|---|---|
> > | PIA OpenVPN UDP | up | Sat Nov 22 12:29:20 2014 | 10.135.1.6 | 198.23.103.66 | 1150724 | 655697 |
>
> Sure looks like it's up. It should be working. When you try to go to a site using host 192.168.1.62 what happens? If you are trying to connect to something using host 192.168.1.62 and you look at diagnostics->States and filter on 192.168.1.62 what do you see?
> If you use diagnostics->ping to host 8.8.8.8 IPv4 Source Address: OPT1 what happens?
>
> > I don't see a port forward rule for anything, which rule are you referring to? I only posted two rules:
> > Firewall Rules and NAT Outbound.
>
> Yeah. Sorry. I was confused. Nevermind.

My 192.168.1.62 machine still just goes straight to the internet through the WAN IP, that's what I see from that box. It's a standalone Linux box, so I can't really hit a website, but when I do the following, here is the output:

```
lastb0isct@miniserver:~$ curl http://ipecho.net/plain; echo
104.172.13.57
```
The OpenVPN IP is displayed on the main page and that is not the IP listed there.
Here's what I see in the Show States area:

```
tcp 109.201.152.249:1080 <- 192.168.1.62:40313 ESTABLISHED:ESTABLISHED
tcp 192.168.1.62:40313 -> 104.172.13.57:48640 -> 109.201.152.249:1080 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:3128 <- 146.255.36.1:80 <- 192.168.1.62:44660 FIN_WAIT_2:FIN_WAIT_2
```
When doing the ping from diagnostics page:
```
PING 8.8.8.8 (8.8.8.8) from 10.135.1.6: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=47 time=50.542 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=47 time=41.516 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=47 time=41.277 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.277/44.445/50.542/4.312 ms
```
It makes it through. I do notice that the ping is coming from 10.135.1.6, but in the Gateways page the IP of the OPT1 device is 10.135.1.5:

```
OPT1_VPNV4 OPT1 10.135.1.5 10.135.1.5 Interface OPT1_VPNV4 Gateway
```
I think that might be normal behavior, just wanted to point it out.
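The state table Derelict asked for is the quickest way to see which path the host's traffic really takes: in the `src -> nat_src -> dst` form the middle address is the NAT source, so 104.172.13.57 means the flow left via the WAN, while 10.135.1.6 would mean the tunnel. The parser below is an added example (not from the thread or from pfSense) that makes that check over a constructed sample modelled on the states pasted above; the host, WAN and tunnel addresses are the ones in the thread, and the fourth sample line is an invented VPN-path flow for contrast.

```python
import re

# Constructed sample modelled on the Diagnostics > States lines pasted above.
# "dst <- src" is the inbound half (no NAT info); in "src -> nat_src -> dst"
# the middle address is what the host was translated to on the way out.
SAMPLE_STATES = """\
tcp 109.201.152.249:1080 <- 192.168.1.62:40313 ESTABLISHED:ESTABLISHED
tcp 192.168.1.62:40313 -> 104.172.13.57:48640 -> 109.201.152.249:1080 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:3128 <- 146.255.36.1:80 <- 192.168.1.62:44660 FIN_WAIT_2:FIN_WAIT_2
udp 192.168.1.62:51000 -> 10.135.1.6:51000 -> 8.8.8.8:53 MULTIPLE:MULTIPLE
"""

ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
OUTBOUND = re.compile(
    rf"^(\w+)\s+{ENDPOINT}\s+->\s+{ENDPOINT}\s+->\s+{ENDPOINT}\s+(\S+)$"
)


def classify_flows(states, host, wan_ip, tunnel_ip):
    """Group the host's outbound flows by the address they were NATed to.
    Returns {"vpn": [...], "wan": [...], "other": [...]} of "proto dst:port";
    anything under "wan" left via the WAN despite the policy-routing rule."""
    buckets = {"vpn": [], "wan": [], "other": []}
    for line in states.splitlines():
        m = OUTBOUND.match(line.strip())
        if not m:
            continue  # inbound halves carry no egress information
        proto, src, _sport, nat_src, _nport, dst, dport, _state = m.groups()
        if src != host:
            continue
        if nat_src == tunnel_ip:
            key = "vpn"
        elif nat_src == wan_ip:
            key = "wan"
        else:
            key = "other"
        buckets[key].append(f"{proto} {dst}:{dport}")
    return buckets


def policy_route_leaks(states, host, wan_ip, tunnel_ip):
    """True when any of the host's flows egressed via the WAN address."""
    return bool(classify_flows(states, host, wan_ip, tunnel_ip)["wan"])


if __name__ == "__main__":
    flows = classify_flows(SAMPLE_STATES, "192.168.1.62", "104.172.13.57", "10.135.1.6")
    for path, entries in flows.items():
        print(f"{path}: {entries}")
```

On the sample the tcp flow to 109.201.152.249:1080 lands in "wan", which is exactly the symptom the curl check above showed; a correctly policy-routed host should only ever fill the "vpn" bucket.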
-
Yeah. ping reports from as the source address, which is your end of the tunnel. 10.135.1.6 is expected.
See that FW Rules.png screenshot in https://forum.pfsense.org/index.php?topic=84189.msg463104#msg463104
How about a full screenshot? I know it sucks, but this should be working and there must be another rule catching the traffic before the VPN rule.