Netgate Discussion Forum
    OpenVPN Having Trouble with VPN Gateway (Revised)

    19 Posts 4 Posters 1.9k Views
viragomann:

      @guardian:

Have I discovered a bug, or do I have a setting configured incorrectly?  The Virtual Address is 10.69.10.6, but for some reason the status screen is showing 10.69.10.5, and the gateway is 10.69.10.1 as can be seen from this traceroute:

      Which status screen do you mean?

10.69.10.6 is your virtual address in the VPN tunnel, 10.69.10.5 is the server side address, which is used as gateway by pfSense. The server uses a net30 topology, so there are only two devices in the tunnel subnet.
10.69.10.1 is the next hop, the VPN server's IP.

10.69.10.1 will respond to pings and could be used for monitoring here instead of 10.69.10.5, but since the tunnel subnet changes on every connection, that's not an option.

So to get rid of the (shown) offline gateway, you can either disable gateway monitoring or monitor another IP which can only be reached via the VPN.

guardian (Rebel Alliance):

        @viragomann:

        Which status screen do you mean?

        The gateways panel on the Home/Dashboard screen.

        @viragomann:

        10.69.10.6 is your virtual address in the VPN tunnel, 10.69.10.5 is the server side address, which is used as gateway by pfSense. The server uses a net30 topology, so there are only two devices in the tunnel subnet.

According to the documentation provided by the VPN provider the Topology should be configured as "Subnet - One IP address per client in a common sub-net", which is how I have the client configured. It seems that pfSense is treating the interface like it is net30.

        That looks like a bug to me – if not, tell me what I'm missing.

        As an aside, I did change the configuration to use the net30 topology, and it refused to connect.

        @viragomann:

10.69.10.1 will respond to pings and could be used for monitoring here instead of 10.69.10.5, but since the tunnel subnet changes on every connection, that's not an option.

So to get rid of the (shown) offline gateway, you can either disable gateway monitoring or monitor another IP which can only be reached via the VPN.

        Just wondering if there is any way to script this part of the setup? (I would rather not disable the monitoring if possible.)

        If you find my post useful, please give it a thumbs up!
        pfSense 2.7.2-RELEASE

viragomann:

          As mentioned, 10.69.10.5 is your gateway here when using VPN.

          The client side topology setting will not take effect, since the network topology is specified by the server.

          @guardian:

          That looks like a bug to me – if not, tell me what I'm missing.

          What? That the gateway doesn't respond to pings?

          @guardian:

          @viragomann:

10.69.10.1 will respond to pings and could be used for monitoring here instead of 10.69.10.5, but since the tunnel subnet changes on every connection, that's not an option.

So to get rid of the (shown) offline gateway, you can either disable gateway monitoring or monitor another IP which can only be reached via the VPN.

          Just wondering if there is any way to script this part of the setup? (I would rather not disable the monitoring if possible.)

          Of course you can script that if you want. You can find the server IP in the vpn client log file behind the "PUSH" command - 'route 10.69.10.1'.

          But I think, it will be much easier to change monitor-IP to e.g. 8.8.8.8 (Google) and set a static route for that IP to use the vpn gateway.

guardian (Rebel Alliance):

            Please help me out a bit as to how you came to that conclusion.

            @viragomann:

            As mentioned, 10.69.10.5 is your gateway here when using VPN.

            The client side topology setting will not take effect, since the network topology is specified by the server.

            The information that I have from the provider is that I receive a single IP address in a common subnet.  (Likely a private VLAN)
            My probing of the connections seems to agree with the provider's assertion.

The gateway 10.69.10.1 is the gateway from the private subnet to the internet, but my gateway to that private subnet is 10.69.10.6 (the interface address), in order to reach 10.69.10.1.
i.e. With the source address set to the interface on the ping tool on the Diagnostic menu, I can ping 10.69.10.6, 10.69.10.1 and internet addresses, but not 10.69.10.5!  (Hope I explained that properly.)  I don't understand where 10.69.10.5 is coming from as it doesn't show up in a traceroute, and won't respond to a ping.

            @viragomann:

            @guardian:

            That looks like a bug to me – if not, tell me what I'm missing.

            What? That the gateway doesn't respond to pings?

            If 10.69.10.5 is actually the gateway, it does NOT respond to a ping!  I don't believe that pfSense has identified the gateway correctly.  My gateway is 10.69.10.6 NOT 10.69.10.5.  Once I exit through 10.69.10.6, I'm on 10.69.10.1/24, the gateway from that network is 10.69.10.1.  In short the VPN works a lot like my cable internet (except modem/hardware) - I get a single IP which leads to a private network, and that network has a gateway to the internet.

            I suspect that this part of the log

            Oct 18 15:49:54 	openvpn 	38153 	Initialization Sequence Completed
            Oct 18 15:49:54 	openvpn 	38153 	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.69.10.6 10.69.10.5 init
            Oct 18 15:49:54 	openvpn 	38153 	/sbin/ifconfig ovpnc1 10.69.10.6 10.69.10.5 mtu 1500 netmask 255.255.255.255 up
            Oct 18 15:49:54 	openvpn 	38153 	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            Oct 18 15:49:54 	openvpn 	38153 	TUN/TAP device /dev/tun1 opened
            Oct 18 15:49:54 	openvpn 	38153 	TUN/TAP device ovpnc1 exists previously, keep at program end
            Oct 18 15:49:54 	openvpn 	38153 	OPTIONS IMPORT: --ifconfig/up options modified
            Oct 18 15:49:54 	openvpn 	38153 	OPTIONS IMPORT: LZO parms modified
            Oct 18 15:49:54 	openvpn 	38153 	OPTIONS IMPORT: timers and/or timeouts modified
            Oct 18 15:49:54 	openvpn 	38153 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
            Oct 18 15:49:54 	openvpn 	38153 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
            Oct 18 15:49:54 	openvpn 	38153 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
            Oct 18 15:49:54 	openvpn 	38153 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
            Oct 18 15:49:54 	openvpn 	38153 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.69.10.1,topology net30,ifconfig 10.69.10.6 10.69.10.5,auth-token cWH8XGbkmA2cWXnJyKr8NSALW56rxCiyjYXcyOLZ5ok='
            Oct 18 15:49:54 	openvpn 	38153 	TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
            Oct 18 15:49:54 	openvpn 	38153 	TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=e5576ed7 8ca7bbd4, stored-sid=00000000 00000000, stored-ip=[undef]
            Oct 18 15:49:54 	openvpn 	38153 	TLS: tls_process: timeout set to 57
            Oct 18 15:49:54 	openvpn 	38153 	ACK reliable_send_timeout 604800 [5]
            

            might contain the reason, but I don't know what messages are as a result of server and what messages are as a result of my client.

            If I understand things correctly, the ACK/TLS/TLS are just at the end of the key exchange process and acknowledge the presence of a secure tunnel.

            Thanks in advance for any comments/suggestions/solutions.

            If you find my post useful, please give it a thumbs up!
            pfSense 2.7.2-RELEASE

viragomann:

              Dude, the behaviour was already described above: https://forum.pfsense.org/index.php?topic=138316.msg756666#msg756666

              Again, it looks like this:

              
              you           |       tunnel        |               server
              your virt. IP |                     |   servers virt. IP in subnet       server IP
              10.69.10.6 ---|---------------------|--- 10.69.10.5 -------------------- 10.69.10.1
              
              

The VPN server provides a /30 subnet. It has 4 IP addresses:
10.69.10.4 .......... network address
10.69.10.5 .......... server's virt. IP in the subnet
10.69.10.6 .......... your virtual IP in the subnet
10.69.10.7 .......... broadcast address

              10.69.10.6 is your virtual IP in the tunnel, of course you can ping it!
The virt. tunnel address of the server doesn't respond to pings. That's normal behaviour in OpenVPN. But you can ping the server's address: 10.69.10.1

              10.69.10.1 is not in your subnet, but OpenVPN sets a route to it using the gateway 10.69.10.5 (Yes, the server virtual IP is your gateway).
Check the routing table to verify this: Diagnostics > Routes
              You can only use IP addresses as gateways which are directly connected to pfSense. 10.69.10.5 is (virtual), 10.69.10.1 is not.

              The line

              Oct 18 15:49:54 	openvpn 	38153 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.69.10.1,topology net30,ifconfig 10.69.10.6 10.69.10.5,auth-token cWH8XGbkmA2cWXnJyKr8NSALW56rxCiyjYXcyOLZ5ok='
              
              

              is what you get from the server. It contains the interface configuration, compression mode, DNS and routes.

You might have set a high Verbosity level in the client config, there's a lot of noise in the log.

guardian (Rebel Alliance):
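The /30 layout drawn above, and the log-scraping idea from the earlier reply ("find the server IP in the vpn client log file behind the PUSH command"), as an added example: this is Python written for this page, not code from the thread, from pfSense or from OpenVPN. It takes a PUSH_REPLY line in the form pfSense logs it, splits the pushed options, redacts the auth-token (a session credential, which is also why it should not be pasted into a forum post), and derives the client IP, the server-side gateway, the /30 network and broadcast addresses, the pushed DNS servers and the server address that actually answers pings. The function names, the SAMPLE_LOG line and the placeholder token value are my own constructions; the option string mirrors the one quoted in the thread.

```python
import ipaddress
import re

# Constructed sample line in the format pfSense writes to the OpenVPN log. The option
# string mirrors the one posted in the thread; the auth-token value is a made-up
# placeholder, not a real credential.
SAMPLE_LOG = (
    "Oct 18 15:49:54 \topenvpn \t38153 \tPUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,"
    "dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.69.10.1,"
    "topology net30,ifconfig 10.69.10.6 10.69.10.5,auth-token PLACEHOLDER-TOKEN='"
)

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")


def parse_push_reply(line):
    """Split a logged PUSH_REPLY into (option, value) pairs in push order.

    Returns None for any other log line. The auth-token is a credential the
    client reuses for renegotiation, so its value is replaced before the
    parsed options go anywhere (a screen, a ticket, a forum post).
    """
    match = PUSH_RE.search(line)
    if match is None:
        return None
    options = []
    for item in match.group(1).split(",")[1:]:  # skip the literal 'PUSH_REPLY'
        name, _, value = item.strip().partition(" ")
        if name == "auth-token":
            value = "<redacted>"
        options.append((name, value))
    return options


def tunnel_layout(options):
    """Work out the tunnel addressing from the pushed options.

    'ifconfig LOCAL REMOTE' gives the client's virtual IP and the server-side
    virtual IP that pfSense uses as the interface gateway. With 'topology net30'
    both sit in an isolated /30, so the network and broadcast addresses follow
    from LOCAL alone. 'route X' is the server's own address, reached through
    that gateway; it is the address that answers pings in the thread.
    """
    values = dict(options)  # repeated options (dhcp-option) are collected below
    local, _, remote = values["ifconfig"].partition(" ")
    layout = {
        "client_ip": local,
        "gateway": remote,
        "topology": values.get("topology"),
        "route": values.get("route"),
        "dns": [v.split()[1] for n, v in options
                if n == "dhcp-option" and v.startswith("DNS ")],
    }
    if layout["topology"] == "net30":
        block = ipaddress.ip_network(f"{local}/30", strict=False)
        if ipaddress.ip_address(remote) not in block:
            raise ValueError(f"{remote} is not in the /30 of {local}: not a net30 pair")
        layout["subnet"] = str(block)
        layout["network"] = str(block.network_address)
        layout["broadcast"] = str(block.broadcast_address)
    return layout


def monitor_ip(layout):
    """Address worth monitoring: the pushed server address when there is one,
    because the /30 gateway itself does not answer ICMP."""
    return layout["route"] or layout["gateway"]


if __name__ == "__main__":
    opts = parse_push_reply(SAMPLE_LOG)
    for name, value in opts:
        print(f"{name:18} {value}")
    print(tunnel_layout(opts))
    print("monitor:", monitor_ip(tunnel_layout(opts)))
```

Fed the thread's own PUSH_REPLY line, the /30 comes out as 10.69.10.4/30 with 10.69.10.5 as the gateway and 10.69.10.1 as the address to monitor, which is exactly the picture above; the ValueError guards against the case where the two ifconfig addresses are not a /30 pair, i.e. the server is not really using net30.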

                Deleted & reposted below with Verbosity reduced and appropriate changes

                If you find my post useful, please give it a thumbs up!
                pfSense 2.7.2-RELEASE

Pippin:

                  Your Verbosity level is too high, set it to 4.

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

guardian (Rebel Alliance):

Thanks for taking the time to make that so clear, even though you described it, I didn't get it.

                    It's sometimes difficult to know what you don't know and distinguish it from things that you think you know but just aren't so.

What was confusing me was these setup instructions https://www.privateinternetaccess.com/pages/client-support/pfsense, and that the Topology setting shows 'Subnet - One IP address per client in a common sub-net' in the provided example.  What's the difference between this setting and 'net30 - Isolated /30 network per client'?  The topology you described looks more like the /30 than One IP address per client to me.

When I change the setting to 'net30 - Isolated /30 network per client', the log looks like this.

                    Oct 20 15:39:59 	openvpn 	53417 	MANAGEMENT: Client disconnected
                    Oct 20 15:39:59 	openvpn 	53417 	MANAGEMENT: CMD 'status 2'
                    Oct 20 15:39:59 	openvpn 	53417 	MANAGEMENT: CMD 'state 1'
                    Oct 20 15:39:59 	openvpn 	53417 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                    Oct 20 15:39:56 	openvpn 	53417 	Initialization Sequence Completed
                    Oct 20 15:39:56 	openvpn 	53417 	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.8.10.10 10.8.10.9 init
                    Oct 20 15:39:56 	openvpn 	53417 	/sbin/ifconfig ovpnc1 10.8.10.10 10.8.10.9 mtu 1500 netmask 255.255.255.255 up
                    Oct 20 15:39:56 	openvpn 	53417 	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                    Oct 20 15:39:56 	openvpn 	53417 	TUN/TAP device /dev/tun1 opened
                    Oct 20 15:39:56 	openvpn 	53417 	TUN/TAP device ovpnc1 exists previously, keep at program end
                    Oct 20 15:39:56 	openvpn 	53417 	OPTIONS IMPORT: --ifconfig/up options modified
                    Oct 20 15:39:56 	openvpn 	53417 	OPTIONS IMPORT: LZO parms modified
                    Oct 20 15:39:56 	openvpn 	53417 	OPTIONS IMPORT: timers and/or timeouts modified
                    Oct 20 15:39:56 	openvpn 	53417 	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
                    Oct 20 15:39:56 	openvpn 	53417 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
                    Oct 20 15:39:56 	openvpn 	53417 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
                    Oct 20 15:39:56 	openvpn 	53417 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
                    Oct 20 15:39:56 	openvpn 	53417 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.8.10.1,topology net30,ifconfig 10.8.10.10 10.8.10.9,auth-token /9q33gukKF57s9njKLNkDUHrt6LMQ+vRHjYh2Wr++MQ='
                    Oct 20 15:39:56 	openvpn 	53417 	SENT CONTROL [c76d465f591f9ff1adf44a1f4d7c7d9b]: 'PUSH_REQUEST' (status=1)
                    Oct 20 15:39:54 	openvpn 	53417 	[c76d465f591f9ff1adf44a1f4d7c7d9b] Peer Connection Initiated with [AF_INET]172.98.67.67:1197
                    Oct 20 15:39:54 	openvpn 	53417 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
                    Oct 20 15:39:54 	openvpn 	53417 	Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Oct 20 15:39:54 	openvpn 	53417 	Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
                    Oct 20 15:39:54 	openvpn 	53417 	Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
                    Oct 20 15:39:54 	openvpn 	53417 	Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
                    Oct 20 15:39:54 	openvpn 	53417 	WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
                    Oct 20 15:39:54 	openvpn 	53417 	WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
                    Oct 20 15:39:54 	openvpn 	53417 	WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
                    Oct 20 15:39:54 	openvpn 	53417 	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
                    Oct 20 15:39:54 	openvpn 	53417 	VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=c76d465f591f9ff1adf44a1f4d7c7d9b, name=c76d465f591f9ff1adf44a1f4d7c7d9b
                    Oct 20 15:39:54 	openvpn 	53417 	VERIFY EKU OK
                    Oct 20 15:39:54 	openvpn 	53417 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
                    Oct 20 15:39:54 	openvpn 	53417 	Validating certificate extended key usage
                    Oct 20 15:39:54 	openvpn 	53417 	VERIFY KU OK
                    Oct 20 15:39:54 	openvpn 	53417 	++ Certificate has key usage 00a0, expects 00a0
                    Oct 20 15:39:54 	openvpn 	53417 	Validating certificate key usage
                    Oct 20 15:39:54 	openvpn 	53417 	VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
                    Oct 20 15:39:54 	openvpn 	53417 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                    Oct 20 15:39:54 	openvpn 	53417 	TLS: Initial packet from [AF_INET]172.98.67.67:1197, sid=e1e50acc 434d35d6
                    Oct 20 15:39:54 	openvpn 	53417 	UDPv4 link remote: [AF_INET]172.98.67.67:1197
                    Oct 20 15:39:54 	openvpn 	53417 	UDPv4 link local (bound): [AF_INET]192.168.0.15
                    Oct 20 15:39:54 	openvpn 	53417 	Expected Remote Options hash (VER=V4): '79a26cd9'
                    Oct 20 15:39:54 	openvpn 	53417 	Local Options hash (VER=V4): 'fc8ba345'
                    Oct 20 15:39:54 	openvpn 	53417 	Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                    Oct 20 15:39:54 	openvpn 	53417 	Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                    Oct 20 15:39:54 	openvpn 	53417 	Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
                    Oct 20 15:39:53 	openvpn 	53417 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                    Oct 20 15:39:53 	openvpn 	53417 	Control Channel MTU parms [ L:1570 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                    Oct 20 15:39:53 	openvpn 	53417 	LZO compression initialized
                    Oct 20 15:39:53 	openvpn 	53417 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Oct 20 15:39:53 	openvpn 	53417 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                    Oct 20 15:39:53 	openvpn 	52592 	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
                    Oct 20 15:39:53 	openvpn 	52592 	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
                    Oct 20 15:39:53 	openvpn 	52592 	OpenVPN 2.3.17 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 26 2017
                    Oct 20 15:39:53 	openvpn 	52592 	auth_user_pass_file = '/var/etc/openvpn/client1.up'
                    Oct 20 15:39:53 	openvpn 	52592 	pull = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	client = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	port_share_port = 0
                    Oct 20 15:39:53 	openvpn 	52592 	port_share_host = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	auth_user_pass_verify_script_via_file = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	auth_user_pass_verify_script = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	max_routes_per_client = 256
                    Oct 20 15:39:53 	openvpn 	52592 	max_clients = 1024
                    Oct 20 15:39:53 	openvpn 	52592 	cf_per = 0
                    Oct 20 15:39:53 	openvpn 	52592 	cf_max = 0
                    Oct 20 15:39:53 	openvpn 	52592 	duplicate_cn = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	enable_c2c = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_ipv6_remote = ::
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_ipv6_local = ::/0
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_ipv6_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_remote_netmask = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_local = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	push_ifconfig_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	tmp_dir = '/tmp'
                    Oct 20 15:39:53 	openvpn 	52592 	ccd_exclusive = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	client_config_dir = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	client_disconnect_script = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	learn_address_script = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	client_connect_script = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	virtual_hash_size = 256
                    Oct 20 15:39:53 	openvpn 	52592 	real_hash_size = 256
                    Oct 20 15:39:53 	openvpn 	52592 	tcp_queue_limit = 64
                    Oct 20 15:39:53 	openvpn 	52592 	n_bcast_buf = 256
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_pool_netbits = 0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_pool_base = ::
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_pool_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_persist_refresh_freq = 600
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_persist_filename = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_netmask = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_end = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_start = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_pool_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	server_bridge_pool_end = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	server_bridge_pool_start = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	server_bridge_netmask = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	server_bridge_ip = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	server_netbits_ipv6 = 0
                    Oct 20 15:39:53 	openvpn 	52592 	server_network_ipv6 = ::
                    Oct 20 15:39:53 	openvpn 	52592 	server_netmask = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	server_network = 0.0.0.0
                    Oct 20 15:39:53 	openvpn 	52592 	tls_auth_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	tls_exit = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	push_peer_info = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	single_session = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	transition_window = 3600
                    Oct 20 15:39:53 	openvpn 	52592 	handshake_window = 60
                    Oct 20 15:39:53 	openvpn 	52592 	renegotiate_seconds = 0
                    Oct 20 15:39:53 	openvpn 	52592 	renegotiate_packets = 0
                    Oct 20 15:39:53 	openvpn 	52592 	renegotiate_bytes = -1
                    Oct 20 15:39:53 	openvpn 	52592 	tls_timeout = 2
                    Oct 20 15:39:53 	openvpn 	52592 	ssl_flags = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_eku = 'TLS Web Server Authentication'
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 0
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 136
                    Oct 20 15:39:53 	openvpn 	52592 	remote_cert_ku[i] = 160
                    Oct 20 15:39:53 	openvpn 	52592 	ns_cert_type = 0
                    Oct 20 15:39:53 	openvpn 	52592 	crl_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	verify_x509_name = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	verify_x509_type = 0
                    Oct 20 15:39:53 	openvpn 	52592 	tls_export_cert = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	tls_verify = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	cipher_list = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	pkcs12_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	priv_key_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	extra_certs_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	cert_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	dh_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ca_path = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ca_file = '/var/etc/openvpn/client1.ca'
                    Oct 20 15:39:53 	openvpn 	52592 	key_method = 2
                    Oct 20 15:39:53 	openvpn 	52592 	tls_client = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	tls_server = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	test_crypto = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	use_iv = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	packet_id_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	replay_time = 15
                    Oct 20 15:39:53 	openvpn 	52592 	replay_window = 64
                    Oct 20 15:39:53 	openvpn 	52592 	mute_replay_warnings = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	replay = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	engine = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	keysize = 0
                    Oct 20 15:39:53 	openvpn 	52592 	prng_nonce_secret_len = 16
                    Oct 20 15:39:53 	openvpn 	52592 	prng_hash = 'SHA1'
                    Oct 20 15:39:53 	openvpn 	52592 	authname = 'SHA256'
                    Oct 20 15:39:53 	openvpn 	52592 	authname_defined = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	ciphername = 'AES-256-CBC'
                    Oct 20 15:39:53 	openvpn 	52592 	ciphername_defined = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	key_direction = 0
                    Oct 20 15:39:53 	openvpn 	52592 	shared_secret_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	management_flags = 256
                    Oct 20 15:39:53 	openvpn 	52592 	management_client_group = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	management_client_user = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	management_write_peer_info_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	management_echo_buffer_size = 100
                    Oct 20 15:39:53 	openvpn 	52592 	management_log_history_cache = 250
                    Oct 20 15:39:53 	openvpn 	52592 	management_user_pass = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	management_port = 0
                    Oct 20 15:39:53 	openvpn 	52592 	management_addr = '/var/etc/openvpn/client1.sock'
                    Oct 20 15:39:53 	openvpn 	52592 	allow_pull_fqdn = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	max_routes = 100
                    Oct 20 15:39:53 	openvpn 	52592 	route_gateway_via_dhcp = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	route_nopull = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	route_delay_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	route_delay_window = 30
                    Oct 20 15:39:53 	openvpn 	52592 	route_delay = 0
                    Oct 20 15:39:53 	openvpn 	52592 	route_noexec = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	route_default_metric = 0
                    Oct 20 15:39:53 	openvpn 	52592 	route_default_gateway = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	route_script = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	lzo = 7
                    Oct 20 15:39:53 	openvpn 	52592 	fast_io = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	sockflags = 0
                    Oct 20 15:39:53 	openvpn 	52592 	sndbuf = 0
                    Oct 20 15:39:53 	openvpn 	52592 	rcvbuf = 0
                    Oct 20 15:39:53 	openvpn 	52592 	occ = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	status_file_update_freq = 60
                    Oct 20 15:39:53 	openvpn 	52592 	status_file_version = 1
                    Oct 20 15:39:53 	openvpn 	52592 	status_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	gremlin = 0
                    Oct 20 15:39:53 	openvpn 	52592 	mute = 0
                    Oct 20 15:39:53 	openvpn 	52592 	verbosity = 4
                    Oct 20 15:39:53 	openvpn 	52592 	nice = 0
                    Oct 20 15:39:53 	openvpn 	52592 	suppress_timestamps = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	log = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	inetd = 0
                    Oct 20 15:39:53 	openvpn 	52592 	daemon = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	up_delay = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	up_restart = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	down_pre = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	down_script = '/usr/local/sbin/ovpn-linkdown'
                    Oct 20 15:39:53 	openvpn 	52592 	up_script = '/usr/local/sbin/ovpn-linkup'
                    Oct 20 15:39:53 	openvpn 	52592 	writepid = '/var/run/openvpn_client1.pid'
                    Oct 20 15:39:53 	openvpn 	52592 	cd_dir = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	chroot_dir = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	groupname = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	username = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	resolve_retry_seconds = 1000000000
                    Oct 20 15:39:53 	openvpn 	52592 	passtos = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	persist_key = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	persist_remote_ip = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	persist_local_ip = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	persist_tun = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	remap_sigusr1 = 0
                    Oct 20 15:39:53 	openvpn 	52592 	ping_timer_remote = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	ping_rec_timeout_action = 2
                    Oct 20 15:39:53 	openvpn 	52592 	ping_rec_timeout = 60
                    Oct 20 15:39:53 	openvpn 	52592 	ping_send_timeout = 10
                    Oct 20 15:39:53 	openvpn 	52592 	inactivity_timeout = 0
                    Oct 20 15:39:53 	openvpn 	52592 	keepalive_timeout = 60
                    Oct 20 15:39:53 	openvpn 	52592 	keepalive_ping = 10
                    Oct 20 15:39:53 	openvpn 	52592 	mlock = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	mtu_test = 0
                    Oct 20 15:39:53 	openvpn 	52592 	shaper = 0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_remote = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_netbits = 0
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_ipv6_local = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_nowarn = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_noexec = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_remote_netmask = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	ifconfig_local = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	tun_ipv6 = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	topology = 1
                    Oct 20 15:39:53 	openvpn 	52592 	lladdr = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	dev_node = '/dev/tun1'
                    Oct 20 15:39:53 	openvpn 	52592 	dev_type = 'tun'
                    Oct 20 15:39:53 	openvpn 	52592 	dev = 'ovpnc1'
                    Oct 20 15:39:53 	openvpn 	52592 	ipchange = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	remote_random = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	Connection profiles END
                    Oct 20 15:39:53 	openvpn 	52592 	explicit_exit_notification = 0
                    Oct 20 15:39:53 	openvpn 	52592 	mssfix = 1450
                    Oct 20 15:39:53 	openvpn 	52592 	fragment = 0
                    Oct 20 15:39:53 	openvpn 	52592 	mtu_discover_type = -1
                    Oct 20 15:39:53 	openvpn 	52592 	tun_mtu_extra_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	tun_mtu_extra = 0
                    Oct 20 15:39:53 	openvpn 	52592 	link_mtu_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	link_mtu = 1500
                    Oct 20 15:39:53 	openvpn 	52592 	tun_mtu_defined = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	tun_mtu = 1500
                    Oct 20 15:39:53 	openvpn 	52592 	socks_proxy_retry = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	socks_proxy_port = 0
                    Oct 20 15:39:53 	openvpn 	52592 	socks_proxy_server = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	connect_retry_max = 0
                    Oct 20 15:39:53 	openvpn 	52592 	connect_timeout = 10
                    Oct 20 15:39:53 	openvpn 	52592 	connect_retry_seconds = 5
                    Oct 20 15:39:53 	openvpn 	52592 	bind_local = ENABLED
                    Oct 20 15:39:53 	openvpn 	52592 	bind_defined = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	remote_float = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	remote_port = 1197
                    Oct 20 15:39:53 	openvpn 	52592 	remote = 'xxx.privateinternetaccess.com'
                    Oct 20 15:39:53 	openvpn 	52592 	local_port = 0
                    Oct 20 15:39:53 	openvpn 	52592 	local = '192.168.0.15'
                    Oct 20 15:39:53 	openvpn 	52592 	proto = udp
                    Oct 20 15:39:53 	openvpn 	52592 	Connection profiles [default]:
                    Oct 20 15:39:53 	openvpn 	52592 	show_tls_ciphers = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	key_pass_file = '[UNDEF]'
                    Oct 20 15:39:53 	openvpn 	52592 	genkey = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	show_engines = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	show_digests = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	show_ciphers = DISABLED
                    Oct 20 15:39:53 	openvpn 	52592 	mode = 0
                    Oct 20 15:39:53 	openvpn 	52592 	config = '/var/etc/openvpn/client1.conf'
                    Oct 20 15:39:53 	openvpn 	52592 	Current Parameter Settings: 
                    
                    The way you describe this, it makes me think that this is a normal/expected behavior from OpenVPN.  
                    If so, why doesn't the gateway monitor have a setting that can cope with it?  Something I'm missing?
                    
                    

                    If you find my post useful, please give it a thumbs up!
                    pfSense 2.7.2-RELEASE

                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses

                      Set something as the monitor IP address that will actually respond to pings.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • G
                        guardian Rebel Alliance
                        last edited by

                        Has anyone been able to get the Gateway Pinger working with Private Internet Access?

                         My OpenVPN connection is working fine and the interface seems to be working, but I'm having trouble getting the status on the home page to display properly.

                         GatewayStatus.jpg (attached screenshot)


                        • V
                          viragomann
                          last edited by

                          @guardian:

                           What was confusing me was these setup instructions https://www.privateinternetaccess.com/pages/client-support/pfsense, and that the Topology setting shows 'Subnet - One IP address per client in a common sub-net' in the provided example.  What's the difference between this setting and 'net30 - Isolated /30 network per client'?  The topology you described looks more like the /30 than One IP address per client to me.

                           A /30 subnet results in one IP per client. See here how I've explained the addresses of such a subnet. There is room for one client only.
                           The server provides a /30 subnet for each client, as I already mentioned.

                          @guardian:

                           When I change the setting to 'net30 - Isolated /30 network per client', the log looks like this.

                          The setting will be ignored, since it is given by the server. Already mentioned that here: https://forum.pfsense.org/index.php?topic=138316.msg756795#msg756795

                          Oct 20 15:39:56 openvpn 53417 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.8.10.1,topology net30,ifconfig 10.8.10.10 10.8.10.9,auth-token /9q33gukKF57s9njKLNkDUHrt6LMQ+vRHjYh2Wr++MQ='

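To make the net30 address math above concrete, here is an added example (not code from this thread, pfSense or OpenVPN) that parses a PUSH_REPLY shaped like the one quoted and works out which address is the client, which /30 peer endpoint pfSense adopts as the gateway, and which pushed route is the server's own tunnel address. The sample message is constructed and the auth-token is replaced with a placeholder.

```python
import ipaddress

# Constructed sample, modelled on the PUSH_REPLY quoted in this thread;
# the real auth-token has been replaced with a placeholder.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,"
    "dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.8.10.1,"
    "topology net30,ifconfig 10.8.10.10 10.8.10.9,auth-token <placeholder>"
)


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, args) pairs.

    Options are comma separated; each option is a name followed by
    whitespace separated arguments, exactly as OpenVPN logs them.
    """
    parts = msg.split(",")
    if parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    pairs = []
    for item in parts[1:]:
        tokens = item.split()
        pairs.append((tokens[0], tokens[1:]))
    return pairs


def tunnel_addresses(msg):
    """Return the addresses a net30 client ends up with after this push.

    'client'  - the virtual IP shown as the interface address
    'gateway' - the /30 peer endpoint pfSense records as the gateway
                (the address that, per the thread, does not answer pings)
    'block'   - the isolated /30 both endpoints live in
    'server'  - a pushed host route outside that /30, i.e. the server's
                own tunnel address (the "x.x.x.1" the thread talks about)
    """
    pairs = parse_push_reply(msg)
    opts = dict(pairs)  # last value wins; fine for topology and ifconfig
    topology = opts.get("topology", ["net30"])[0]
    if topology != "net30":
        raise ValueError("example only handles topology net30, got " + topology)
    local, peer = (ipaddress.ip_address(a) for a in opts["ifconfig"])
    block = ipaddress.ip_network("%s/30" % local, strict=False)
    if peer not in block or peer == local:
        raise ValueError("ifconfig endpoints are not a net30 pair")
    routes = [ipaddress.ip_address(args[0]) for name, args in pairs if name == "route"]
    outside = [r for r in routes if r not in block]
    return {"client": str(local), "gateway": str(peer), "block": str(block),
            "server": str(outside[0]) if outside else None}
```

Run against the sample, the client is 10.8.10.10, the gateway pfSense monitors is 10.8.10.9, both sit in 10.8.10.8/30, and the server's pushed route 10.8.10.1 is the address outside that block; whether that address is a suitable monitor target still has to be confirmed by actually pinging it, as the replies above say.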
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses

                            Set something else as the monitor IP address.

                            And we don't need multiple threads about the same thing, please.


                            • G
                              guardian Rebel Alliance
                              last edited by

                              @Derelict:

                              https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses

                              Set something else as the monitor IP address.

                              And we don't need multiple threads about the same thing, please.

                              I wanted to focus the discussion on the pinger, not OpenVPN.

                              The place I'm trying to go with this is that based on what I'm learning in this thread it appears that the design of the pinger falls a bit short.

                               There should be some option to automatically insert x.x.x.1 as the monitor address, where x.x.x.y is the dynamic address assigned by the VPN.

                               If I stick in some external address (say 8.8.8.8), what is the likelihood of a false (i.e. reports up when down or down when up) status?


                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                dpinger works fine. You are seeing an OpenVPN issue. You have to monitor something that will actually respond to pings.

                                The gateway address is automatically inserted. There is no mechanism to "automatically" choose something else.

                                You can place whatever monitor IP address in there you think is better than the gateway address.

                                This has nothing to do with dpinger.


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.