Netgate Discussion Forum

    BUG: Pfsense 2.4 and OpenVPN 2.4 Client to PIA

    AnthonyW wrote:

      Well I'm stuck. Is anyone else having issues connecting to PIA using 2.4?

      I'm running into a couple of problems.

      First, it only very rarely connects successfully, no matter which region I use.
      If I reboot or restart the OpenVPN service after it's connected, the tunnel will try to reconnect but always fails with `reconnecting; auth-failure`.

      I tried the OpenVPN client on other machines and I can connect with no issue using the PIA profiles.
      I've verified the user name and password are correct. I've set it in the GUI and checked the config files under /var/etc/openvpn to validate.

      I've tried both 128 and 256 ciphers, with the same result.
      I've completely deleted all config, interfaces and gateways and started from scratch.
      Looked through as many articles and the forums for possible configuration examples, tried many different options with no luck.

      Output of `cat client1.conf`:

```
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.XX.XX.XX ###Omitted my Public IP
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote ca-toronto.privateinternetaccess.com 1198
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
resolv-retry infinite
route-nopull
persist-key
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
auth-nocache
```

      AnthonyW wrote:

        First, I apologize for the brevity of my first post; I should have included some more detail.

        So after banging my head against the wall for a couple of days on this one, and also opening a ticket with PIA (which I've never heard back on),
        I believe we have a bug with the OpenVPN client caching passwords.
        I've got my tunnel up and working now, and coming back up through reboots.

        I found two posts on the OpenVPN forums that pointed me in that direction.

        save password does not work #161.
        https://github.com/OpenVPN/openvpn-gui/issues/161

        and

        Pressing reconnect fails to reconnect with auth failure #885
        https://community.openvpn.net/openvpn/ticket/885

        I had to add both of these to the client config to avoid the issue of `reconnecting; auth-failure` and `ping-restart`:

        Check this box:
        Authentication Retry: "Do not retry connection when authentication fails" (When enabled, the OpenVPN process will exit if it receives an authentication failure message. The default behavior is to retry.)

        Add this to custom options:
        `auth-nocache;`

        The connection instantly comes up for me now.

        Also note you may have to reboot; at least in my case I did.

        This is what my config looks like now. It obviously may need tweaking, but anyone having this issue with authentication can at least use this as a baseline.

```
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X #I removed my IP INFO here
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote ca-toronto.privateinternetaccess.com 1197
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
ncp-disable
compress lzo
resolv-retry infinite
route-nopull
remote-cert-tls server
auth-nocache
```

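As an added example (not code from this thread, from pfSense or from OpenVPN), here is a small Python lint that parses a client config laid out like the two posted above and reports the things the second config changes relative to the first: directives listed twice (`persist-key`, `tls-client`), `compress` and `comp-lzo` set together, a credential file used without `auth-nocache`, and `auth-retry nointeract`, which the failing config sets and the working one drops (OpenVPN's own default for `auth-retry` is `none`, i.e. exit on an authentication failure, which is what the GUI checkbox in the post selects). The two embedded configs are constructed, trimmed versions of the posted ones; the parser is a simplification that does not handle quoted arguments.

```python
"""Lint an OpenVPN client config for the reconnect / auth-failure pitfalls
discussed in the thread. Added example; not pfSense's or OpenVPN's own code."""
from collections import Counter

# Constructed sample modelled on the first (failing) config in the thread.
BROKEN_CONF = """\
dev ovpnc1
dev-type tun
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
local 24.XX.XX.XX ###Omitted my Public IP
tls-client
client
remote ca-toronto.privateinternetaccess.com 1198
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
route-nopull
persist-key
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
auth-nocache
"""

# Constructed sample modelled on the second (working) config in the thread.
FIXED_CONF = """\
dev ovpnc1
dev-type tun
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
#user nobody
tls-client
client
remote ca-toronto.privateinternetaccess.com 1197
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
route-nopull
remote-cert-tls server
auth-nocache
"""


def parse_openvpn_conf(text):
    """Return [(directive, args)] in file order.

    Blank lines and '#' / ';' comments are dropped, including a trailing
    comment after the arguments ('local X.X.X.X #note'), so a commented-out
    directive such as '#user nobody' does not count as present.
    Simplification: quoted arguments are not supported.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], tuple(parts[1:])))
    return entries


def lint(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    entries = parse_openvpn_conf(text)
    counts = Counter(name for name, _ in entries)
    last = dict(entries)  # for repeated directives the last occurrence wins
    findings = []
    for name, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"duplicate directive '{name}' ({n} times)")
    if "compress" in counts and "comp-lzo" in counts:
        findings.append("both 'compress' and 'comp-lzo' set; keep one")
    if "auth-user-pass" in counts and "auth-nocache" not in counts:
        findings.append("auth-user-pass without auth-nocache (password stays cached in memory)")
    # OpenVPN's default for auth-retry is 'none': exit on an auth failure.
    retry = last.get("auth-retry", ("none",))[0]
    if "auth-user-pass" in counts and retry != "none":
        findings.append(f"auth-retry {retry}: client keeps retrying instead of exiting on auth failure")
    return findings


if __name__ == "__main__":
    for label, conf in (("first config", BROKEN_CONF), ("second config", FIXED_CONF)):
        print(f"{label}: {lint(conf) or ['no findings']}")
```

Run against a live file with `lint(open("/var/etc/openvpn/client1.conf").read())`; the same duplicate-directive check is also a quick way to spot a custom option that pfSense already emits on its own.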
        AnthonyW wrote:

          The one other thing I've found that is weird is that I'm using a firewall rule with an alias to send traffic for certain IPs to the tunnel's gateway.
          After a reboot, or if the tunnel is restarted, I need to "save" the rule again for it to start being used, which looks like it reloads the filter.

          Any suggestions of anything else I could or should be doing in order for that to happen automatically after the VPN gateway comes up?

          Screenshot of the rule in question is attached.

          ![Screen Shot 2017-10-27 at 12.20.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-27 at 12.20.16 PM.png)

          bcruze wrote:

            I connect by ip… no issues whatsoever

            I just renewed yesterday and it still works flawlessly

            SG-2220 with 256-bit encryption

            Edit: I also have aes-ni acceleration enabled

            AnthonyW wrote:

              Thanks for the response. I checked this box, which seems to have solved my above problem:
              "Skip rules when gateway is down" under advanced settings.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.