Netgate Discussion Forum

    Struggling to get OpenVPN working

      W4RH34D

      Odd my thread isn't here anymore.  Searched for it.

      The update changed something, and I don't remember what I did to fix it.  I thought I'd leave it here to remember for me.

      Did it ever work before? Say before 2.2.5?

      Did you really check your cables?

        dhjdhj

        @Derelict

        Below are the logs -- 192.168.1.3 is the WAN address of the SG-2440 (it is connected to a subnet of a Verizon FIOS router). That address is configured as the DMZ for the FIOS router so all connections from the outside world are passed directly to the SG-2440. Yes, I'm using a cellular phone as a hotspot specially to ensure that connections are coming from the outside.

        @W4RH34D
        I only got this router a few days ago, so it's a brand new system for me. According to the dashboard it is running 2.2.6


        Jan 18 13:37:33 pfSense openvpn[76611]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
        Jan 18 13:37:33 pfSense openvpn[76611]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
        Jan 18 13:37:33 pfSense openvpn[76915]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jan 18 13:37:33 pfSense openvpn[76915]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
        Jan 18 13:37:33 pfSense openvpn[76915]: TUN/TAP device ovpns1 exists previously, keep at program end
        Jan 18 13:37:33 pfSense openvpn[76915]: TUN/TAP device /dev/tun1 opened
        Jan 18 13:37:33 pfSense openvpn[76915]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Jan 18 13:37:33 pfSense openvpn[76915]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Jan 18 13:37:33 pfSense openvpn[76915]: /sbin/ifconfig ovpns1 192.168.18.1 192.168.18.2 mtu 1500 netmask 255.255.255.255 up
        Jan 18 13:37:33 pfSense openvpn[76915]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 192.168.18.1 192.168.18.2 init
        Jan 18 13:37:33 pfSense openvpn[76915]: UDPv4 link local (bound): [AF_INET]192.168.1.3:1194
        Jan 18 13:37:33 pfSense openvpn[76915]: UDPv4 link remote: [undef]
        Jan 18 13:37:33 pfSense openvpn[76915]: Initialization Sequence Completed
        Jan 18 15:17:27 pfSense openvpn[76915]: event_wait : Interrupted system call (code=4)
        Jan 18 15:17:27 pfSense openvpn[76915]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 192.168.18.1 192.168.18.2 init
        Jan 18 15:17:27 pfSense openvpn[76915]: SIGTERM[hard,] received, process exiting
        Jan 18 15:20:19 pfSense openvpn[94758]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
        Jan 18 15:20:19 pfSense openvpn[94758]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
        Jan 18 15:20:19 pfSense openvpn[94864]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jan 18 15:20:19 pfSense openvpn[94864]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
        Jan 18 15:20:19 pfSense openvpn[94864]: TUN/TAP device ovpns1 exists previously, keep at program end
        Jan 18 15:20:19 pfSense openvpn[94864]: TUN/TAP device /dev/tun1 opened
        Jan 18 15:20:19 pfSense openvpn[94864]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Jan 18 15:20:19 pfSense openvpn[94864]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Jan 18 15:20:19 pfSense openvpn[94864]: /sbin/ifconfig ovpns1 10.0.9.1 10.0.9.2 mtu 1500 netmask 255.255.255.255 up
        Jan 18 15:20:19 pfSense openvpn[94864]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.9.1 10.0.9.2 init
        Jan 18 15:20:19 pfSense openvpn[94864]: UDPv4 link local (bound): [AF_INET]192.168.1.3:1194
        Jan 18 15:20:19 pfSense openvpn[94864]: UDPv4 link remote: [undef]
        Jan 18 15:20:19 pfSense openvpn[94864]: Initialization Sequence Completed

          Derelict LAYER 8 Netgate

          I don't think that shows a connection attempt.

          You exported the config for Viscosity using the client export package, right?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            johnpoz LAYER 8 Global Moderator

            I don't see anything connecting either

            ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)

            Looks to be a problem..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              dhjdhj

              Yes, I installed the client export package, created the ovpn files and installed them into OpenVPN client on my Mac and on an iPhone

              I don't believe that Verizon FIOS blocks port 1194. So that's why I don't understand why I'm not seeing anything

                johnpoz LAYER 8 Global Moderator

                You're not seeing anything because it's never trying to connect because it says

                Device busy: Device busy (errno=16)

                  dhjdhj

                  So then the question is why? I have Viscosity on a Mac, and the Mac is connected to a hotspot that is outside my LAN (I've checked that with such tools as whatismyip.com, etc.)

                    johnpoz LAYER 8 Global Moderator

                    dude your openvpn interface is most likely hung.. disable and then enable the interface or reboot ;)

                      dhjdhj

                      It's not down -- already tried restarting.

                      Here are the logs from the remote Viscosity client. The last line of that log is the correct IP address of the WAN interface on my firewall so it would seem to have managed to connect through the Verizon router with no problem.
                      It just doesn't go any further.

                      Jan 19 10:31:16: Viscosity Mac 1.5.11 (1314)
                      Jan 19 10:31:16: Viscosity OpenVPN Engine Started
                      Jan 19 10:31:16: Running on Mac OS X 10.11.4
                      Jan 19 10:31:16: ---------
                      Jan 19 10:31:16: Checking reachability status of connection...
                      Jan 19 10:31:16: Connection is reachable. Starting connection attempt.
                      Jan 19 10:31:16: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
                      Jan 19 10:31:16: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
                      Jan 19 10:31:23: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.NGQTco/ta.key' as a OpenVPN static key file
                      Jan 19 10:31:23: UDPv4 link local (bound): [undef]
                      Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194

                        johnpoz LAYER 8 Global Moderator

                        Where is your initial packet?  So for example I just connected..

                        Tue Jan 19 09:41:23 2016 TCPv4_CLIENT link local (bound): [undef]
                        Tue Jan 19 09:41:23 2016 TCPv4_CLIENT link remote: [AF_INET]10.56.226.130:8080
                        Tue Jan 19 09:41:23 2016 MANAGEMENT: >STATE:1453218083,WAIT,,,
                        Tue Jan 19 09:41:23 2016 MANAGEMENT: >STATE:1453218083,AUTH,,,
                        Tue Jan 19 09:41:23 2016 TLS: Initial packet from [AF_INET]10.56.226.130:8080, sid=bd72773b 9ed9bb88

                        I bounce off a proxy here, which is why you see the rfc1918 address and port 8080..  But you should see something similar. Do you see the packet leave your machine??  If so then it's not getting to your pfsense server..  What do the next few lines in the log say?

                        What is your logging level?  Bump it up to say 4 or so..  In your config it's the verb statement on the client.

                          dhjdhj

                          That's the thing -- the connection seems to be hanging at that point, there are no new lines in the Viscosity log after

                          Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194

                          By the way, I really appreciate the help and feedback from you guys.

                          D

                            dhjdhj

                            I figured everything out -- the problem was with the OVPN export part. I needed to change the hostname resolution part because it was defaulting to the WAN IP address but because there is a Verizon Router in front of my pfSense box, that WAN IP address is still an internal subnet address. After I changed the host name resolution to use a name, everything worked fine.

                            Hope this helps anyone else who runs a pfSense behind a Verizon router

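
The root cause from the last post (an exported client config whose "remote" is the pfSense WAN address, which is still an RFC 1918 address behind the Verizon router) can be caught before testing from outside. The following is an added example, not part of the original thread: it flags a non-public "remote", a low "verb", and a client log that stops before "TLS: Initial packet". The sample .ovpn text and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a client-export .ovpn file (not taken from the thread).
SAMPLE_OVPN = """\
dev tun
proto udp
remote 192.168.1.3 1194
tls-auth ta.key 1
verb 1
"""

# The last two Viscosity log lines as posted in the thread.
SAMPLE_LOG = """\
Jan 19 10:31:23: UDPv4 link local (bound): [undef]
Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194
"""

def is_non_routable(host):
    """True if host is an IP literal that is not reachable from the Internet."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: the client resolves it at connect time
    return not addr.is_global  # covers RFC 1918, CGNAT, loopback, link-local

def check_client(ovpn_text, log_text):
    """Return a list of findings for one client config and its log."""
    findings = []
    for line in ovpn_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue  # blank line or comment
        if parts[0] == "remote" and len(parts) >= 2 and is_non_routable(parts[1]):
            findings.append(f"remote {parts[1]} is not a public address")
        if parts[0] == "verb" and len(parts) >= 2 and parts[1].isdigit():
            if int(parts[1]) < 4:
                findings.append(f"verb {parts[1]} is low; use 4 while debugging")
    # A 'link remote' line with no TLS initial packet means no server reply.
    m = re.search(r"link remote: \[AF_INET6?\](\S+):(\d+)", log_text)
    if m and "TLS: Initial packet from" not in log_text:
        findings.append(f"no TLS initial packet from {m.group(1)}:{m.group(2)}")
    return findings

if __name__ == "__main__":
    for finding in check_client(SAMPLE_OVPN, SAMPLE_LOG):
        print(finding)
```
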