Netgate Discussion Forum

    CyberGhost openvpn config files for client get mangled by pfSense web

    OpenVPN
    openvpn config
    • obitoriO
      obitori
      last edited by obitori

      I have the config files for a CyberGhost openvpn VPN and want to configure pfSense to be the client.

      If I unzip them in the pfSense root directory and type:

      openvpn --config openvpn.ovpn

      Everything works and I get a valid tun0 connection. The problem is that when I try to make pfSense the client, the client creation mechanism for pfSense (done via the VPN/OpenVPN web portal page) mangles the config file and the result doesn’t work.

      I have included my pfSense configuration and status, the config file it creates, the original config file, and the successful creation of a tun0 with the openvpn command on the pfSense CLI (which demonstrates the original config works). Any help figuring out what I need to change on the pfSense settings would be greatly appreciated.

      PFSENSE SETTINGS AND STATUS PAGES
      pic1.png
      /var/log/openvpn

      Sep 22 08:43:10 openvpn 33422 Restart pause, 10 second(s)
      Sep 22 08:43:20 openvpn 33422 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 22 08:43:20 openvpn 33422 Re-using SSL/TLS context
      Sep 22 08:43:20 openvpn 33422 LZO compression initializing
      Sep 22 08:43:20 openvpn 33422 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
      Sep 22 08:43:20 openvpn 33422 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
      Sep 22 08:43:20 openvpn 33422 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
      Sep 2 08:43:20 openvpn 33422 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
      Sep 22 08:43:20 openvpn 33422 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
      Sep 22 08:43:20 openvpn 33422 TCP/UDP: Preserving recently used remote address: [AF_INET]23.19.68.50:1194
      Sep 22 08:43:20 openvpn 33422 Socket Buffers: R=[42080->42080] S=[57344->57344]
      Sep 22 08:43:20 openvpn 33422 UDPv4 link local (bound): [AF_INET]70.110.22.110:0
      Sep 22 08:43:20 openvpn 33422 UDPv4 link remote: [AF_INET]23.19.68.50:1194
      Sep 22 08:43:20 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.50:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Sep 22 08:43:22 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.50:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      /VPN/OpenVPN/Clients/Edit
      

      [FYI, AKISMET flagged my original post, so I broke it up into pieces to figure out what was triggering the rejection.]

      • obitoriO
        obitori @obitori
        last edited by

        @obitori
        /VPN/OpenVPN/Clients/Edit
        pic2.png
        pic3.png
        Custom Options in full as currently contained above:

        resolv-retry infinite 
        redirect-gateway def1
        persist-key
        persist-tun
        cipher AES-256-CBC
        auth SHA256
        explicit-exit-notify 2
        script-security 2
        route-delay 5
        tun-mtu 1500 
        fragment 1300
        mssfix 1200
        verb 6
        comp-lzo
        remote-cert-tls server
        

        pic4.png

        • obitoriO
          obitori
          last edited by

          The client config file for openvpn that pfSense creates:
          pic5.png
          No joy! :(
          pic5-1.png
          The config file that CyberGhost creates:
          pic6.png
          After I run “openvpn --config openvpn.ovpn” with the CyberGhost OVPN file:

          Of course, this is not the right way to do it, but shows that the basic config file from the VPN provider works.
          pic7.png

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Where did you get the idea you could do that? Take the info from the config and enter it into the client setup gui on pfsense.. There is no import option for an ovpn file at this time.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • obitoriO
              obitori
              last edited by

              Here is the output from the openvpn command:

              [2.4.4-RELEASE][root@aquaduct.lake]/root: openvpn --config openvpn.ovpn 
              SNIP
              Sun Sep 22 09:04:21 2019 us=897592 Data Channel: using negotiated cipher 'AES-256-GCM'
              Sun Sep 22 09:04:21 2019 us=897643 Data Channel MTU parms [ L:1557 D:1200 EF:57 EB:407 ET:0 EL:3 ]
              Sun Sep 22 09:04:21 2019 us=897882 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
              Sun Sep 22 09:04:21 2019 us=897913 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
              Sun Sep 22 09:04:21 2019 us=898120 ROUTE_GATEWAY 70.110.22.1/255.255.255.0 IFACE=em0 HWADDR=00:e0:67:0b:8e:34
              Sun Sep 22 09:04:21 2019 us=898622 TUN/TAP device /dev/tun0 opened
              Sun Sep 22 09:04:21 2019 us=898653 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
              Sun Sep 22 09:04:21 2019 us=898692 /sbin/ifconfig tun0 10.246.201.62 10.246.201.61 mtu 1500 netmask 255.255.255.255 up
              Sun Sep 22 09:04:26 2019 us=576540 /sbin/route add -net 208.91.105.229 70.110.22.1 255.255.255.255
              add net 208.91.105.229: gateway 70.110.22.1
              Sun Sep 22 09:04:26 2019 us=578790 /sbin/route add -net 0.0.0.0 10.246.201.61 128.0.0.0
              add net 0.0.0.0: gateway 10.246.201.61
              Sun Sep 22 09:04:26 2019 us=580925 /sbin/route add -net 128.0.0.0 10.246.201.61 128.0.0.0
              add net 128.0.0.0: gateway 10.246.201.61
              Sun Sep 22 09:04:26 2019 us=583120 /sbin/route add -net 10.246.200.1 10.246.201.61 255.255.255.255
              add net 10.246.200.1: gateway 10.246.201.61
              Sun Sep 22 09:04:26 2019 us=585267 Initialization Sequence Completed
              

              Any help greatly appreciated!

              Obitori

              P.S. It turns out that everything gets stored in /var/etc/openvpn and I tried this hack:

              1. Move /var/etc/openvpn to /var/etc/openvpn.old
              2. Populate /var/etc/openvpn with the pristine CyberGhost files (openvpn.ovpn, client.key, client.crt, ca.crt)
              3. Rename openvpn.ovpn to client1.conf [[[the naming convention pfsense uses]]]

              Unfortunately, I could not figure out a way to get pfsense to reread the directory without re-creating the pfsense config files (and stomping on mine.)

              Is there no way to get pfsense to read the pristine client config files and create a virtual adapter for the vpn that openvpn creates?

              • obitoriO
                obitori @johnpoz
                last edited by

                @johnpoz
                Thanks. Really that is what I spent most of my time trying to do, but the pfSense config file doesn't work no matter what setting changes I make.

                • JeGrJ
                  JeGr LAYER 8 Moderator
                  last edited by

                  @obitori said in CyberGhost openvpn config files for client get mangled by pfSense web:

                  Unfortunately, I could not figure out a way to get pfsense to reread the directory without re-creating the pfsense config files (and stomping on mine.)

                  That's just nonsense. You don't meddle with a services config directory just to push your VPN config there. It will be overwritten if you create another client too. Just do what @johnpoz already told you. Open the ovpn config file and enter the necessary data into the GUI as a new openvpn client. There is NO import function for custom VPN files.

                  @obitori said in CyberGhost openvpn config files for client get mangled by pfSense web:

                  Thanks. Really that is what I spent most of my time trying to do, but the pfSense config file doesn't work no matter what setting changes I make.

                  If it doesn't work, compare the two files (the one generated and your Cyberghost thing) and see what you forgot to enter or what was entered wrong. There's no problem in re-creating most VPN configurations with the WebUI, even if some are a bit trial and error because of obsolete or old config settings of the providers.

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  1 Reply Last reply Reply Quote 0
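The comparison suggested in the post above can be done directive by directive instead of by eye. The following is an added example, not part of the thread and not pfSense code: both config texts are constructed stand-ins (directive names are taken from the thread, the ping values and the 192.0.2.10 address are made up), and `parse`, `diff`, `conflicts`, `review` and `paste_check` are hypothetical helper names.

```python
import shlex

# Pairs OpenVPN refuses to combine; both appear as "Options error" in this thread.
CONFLICTS = [("keepalive", ("ping", "ping-exit", "ping-restart")),
             ("local", ("nobind",))]
# Provider directives to review rather than copy blindly.
REVIEW = {"comp-lzo": "compression inside the tunnel (VORACLE)",
          "script-security": "level 2+ lets the config call user-defined scripts"}

# Constructed stand-in for the provider file (ping values are made up).
PROVIDER = """\
client
remote 10-1-us.cg-dialup.net 443
proto udp
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
script-security 2
remote-cert-tls server
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, skipped by the parser)
-----END CERTIFICATE-----
</ca>
"""

# Constructed stand-in for the GUI-generated client1.conf;
# 192.0.2.10 is a documentation address standing in for the WAN IP.
GENERATED = """\
dev ovpnc1
proto udp4
local 192.0.2.10
remote 10-1-us.cg-dialup.net 1194
keepalive 10 60
cipher AES-256-CBC
auth SHA256
comp-lzo
"""

def parse(text):
    """Map directive -> list of argument lists; inline <tag>...</tag> bodies are skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                  # inside <ca>, <cert>, <key>, ...
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            opts.setdefault(inline, []).append(["[inline]"])
            continue
        words = shlex.split(line, comments=True)    # honours quotes and trailing comments
        if words:
            opts.setdefault(words[0].lstrip("-"), []).append(words[1:])
    return opts

def diff(provider, generated):
    """Return (missing from generated, only in generated, same directive with other args)."""
    missing = sorted(set(provider) - set(generated))
    extra = sorted(set(generated) - set(provider))
    changed = {k: (provider[k], generated[k])
               for k in sorted(set(provider) & set(generated))
               if provider[k] != generated[k]}
    return missing, extra, changed

def conflicts(opts):
    """List directive pairs that OpenVPN rejects when both are present."""
    return [(left, right) for left, rights in CONFLICTS
            for right in rights if left in opts and right in opts]

def review(opts):
    """Return (directive, reason) for settings that deserve a second look."""
    notes = []
    for name, why in REVIEW.items():
        if name not in opts:
            continue
        args = opts[name][0]
        if name == "script-security" and args and args[0].isdigit() and int(args[0]) < 2:
            continue
        notes.append((name, why))
    return notes

def paste_check(generated_text, custom_text):
    """Conflicts that would result from appending custom options to the generated file."""
    return conflicts(parse(generated_text + "\n" + custom_text))

if __name__ == "__main__":
    missing, extra, changed = diff(parse(PROVIDER), parse(GENERATED))
    print("missing:", missing)
    print("extra:  ", extra)
    for name, (want, got) in changed.items():
        print("changed: %s provider=%s generated=%s" % (name, want, got))
    print("conflicts if pasted:", paste_check(GENERATED, "nobind\nping 5\nping-exit 60\n"))
    print("review:", review(parse(PROVIDER)))
```
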
                  • JeGrJ
                    JeGr LAYER 8 Moderator
                    last edited by

                    Also if there are errors while connecting your client config, post the errors and the config of cyberghost, then we can help you :)

                    • obitoriO
                      obitori
                      last edited by

                      Nothing wrong with hacking for fun. :) But, seriously, I didn't really spend much time in /var/etc/openvpn except to understand what was happening. I've posted the two config files, but I cannot for the life of me get PfSense to create something that works. I change one thing I get one error. I change another, I get another error.

                      • PippinP
                        Pippin @obitori
                        last edited by

                        @obitori said in CyberGhost openvpn config files for client get mangled by pfSense web:

                        I change one thing I get one error. I change another, I get another error.

                        Errors only known to you.......

                        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                        Halton Arp

                        • JeGrJ
                          JeGr LAYER 8 Moderator
                          last edited by

                          @obitori said in CyberGhost openvpn config files for client get mangled by pfSense web:

                          Nothing wrong with hacking for fun. :)

                          Sure, but your hacking is disturbing/interrupting core functionality of your firewall (OpenVPN functionality). If you randomly delete directories or files, that pfSense created, it's no wonder if you have problems afterwards.

                          @obitori said in CyberGhost openvpn config files for client get mangled by pfSense web:

                          . I change one thing I get one error. I change another, I get another error.

                          Then POST those damn errors! How are we to know without a crystal ball what your hacking got you as a result? How do you suppose we should help you if we don't even know what is wrong?

                          • obitoriO
                            obitori @JeGr
                            last edited by obitori

                            @JeGr

                            I posted them this morning. Unfortunately, Akismet flagged my post as spam and it took me over an hour to figure out what was causing the problem.

                            Last 50 OpenVPN Log Entries. (Maximum 50)
                            Sep 22 10:05:09 	openvpn 	33422 	MANAGEMENT: CMD 'state 1'
                            Sep 22 10:05:09 	openvpn 	33422 	MANAGEMENT: Client disconnected
                            Sep 22 10:05:49 	openvpn 	33422 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                            Sep 22 10:05:49 	openvpn 	33422 	MANAGEMENT: CMD 'state 1'
                            Sep 22 10:05:49 	openvpn 	33422 	MANAGEMENT: Client disconnected
                            Sep 22 10:06:02 	openvpn 	33422 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                            Sep 22 10:06:02 	openvpn 	33422 	Re-using SSL/TLS context
                            Sep 22 10:06:02 	openvpn 	33422 	LZO compression initializing
                            Sep 22 10:06:02 	openvpn 	33422 	Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                            Sep 22 10:06:02 	openvpn 	33422 	Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
                            Sep 22 10:06:02 	openvpn 	33422 	Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
                            Sep 22 10:06:02 	openvpn 	33422 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                            Sep 22 10:06:02 	openvpn 	33422 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                            Sep 22 10:06:02 	openvpn 	33422 	TCP/UDP: Preserving recently used remote address: [AF_INET]23.19.68.54:1194
                            Sep 22 10:06:02 	openvpn 	33422 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                            Sep 22 10:06:02 	openvpn 	33422 	UDPv4 link local (bound): [AF_INET]70.110.22.110:0
                            Sep 22 10:06:02 	openvpn 	33422 	UDPv4 link remote: [AF_INET]23.19.68.54:1194
                            Sep 22 10:06:02 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:06:04 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:06:08 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:06:16 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:06:32 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:07:02 	openvpn 	33422 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                            Sep 22 10:07:02 	openvpn 	33422 	[UNDEF] Inactivity timeout (--ping-restart), restarting
                            Sep 22 10:07:02 	openvpn 	33422 	TCP/UDP: Closing socket
                            Sep 22 10:07:02 	openvpn 	33422 	SIGUSR1[soft,ping-restart] received, process restarting
                            Sep 22 10:07:02 	openvpn 	33422 	Restart pause, 80 second(s)
                            Sep 22 10:07:02 	openvpn 	33422 	MANAGEMENT: CMD 'state 1'
                            Sep 22 10:07:02 	openvpn 	33422 	MANAGEMENT: Client disconnected
                            Sep 22 10:08:22 	openvpn 	33422 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                            Sep 22 10:08:22 	openvpn 	33422 	Re-using SSL/TLS context
                            Sep 22 10:08:22 	openvpn 	33422 	LZO compression initializing
                            Sep 22 10:08:22 	openvpn 	33422 	Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                            Sep 22 10:08:22 	openvpn 	33422 	Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
                            Sep 22 10:08:22 	openvpn 	33422 	Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
                            Sep 22 10:08:22 	openvpn 	33422 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                            Sep 22 10:08:22 	openvpn 	33422 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                            Sep 22 10:08:22 	openvpn 	33422 	TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.254.120:1194
                            Sep 22 10:08:22 	openvpn 	33422 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                            Sep 22 10:08:22 	openvpn 	33422 	UDPv4 link local (bound): [AF_INET]70.110.22.110:0
                            Sep 22 10:08:22 	openvpn 	33422 	UDPv4 link remote: [AF_INET]193.37.254.120:1194
                            Sep 22 10:08:22 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:08:24 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:08:28 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:08:36 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:08:52 	openvpn 	33422 	UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                            Sep 22 10:09:22 	openvpn 	33422 	[UNDEF] Inactivity timeout (--ping-restart), restarting
                            Sep 22 10:09:22 	openvpn 	33422 	TCP/UDP: Closing socket
                            Sep 22 10:09:22 	openvpn 	33422 	SIGUSR1[soft,ping-restart] received, process restarting
                            Sep 22 10:09:22 	openvpn 	33422 	Restart pause, 80 second(s) 
                            

                            If you want more logs, please let me know. Thank you for your help.

                            1 Reply Last reply Reply Quote 0
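A log like the one in the post above can be triaged per connection attempt: a client that keeps sending `P_CONTROL_HARD_RESET_CLIENT_V2` and never logs a READ got nothing back from that address and port, so the remote host and port are the first thing to check against the provider file. This is an added example, not part of the thread; the first attempt in `SAMPLE` is copied from the posted log, the second is constructed (192.0.2.20 is a documentation address) to show a reply, and the function names are hypothetical.

```python
import re

# Accepts both layouts seen in this thread:
#   "Sep 22 10:06:02 openvpn 33422 <msg>" and "Sep 22 20:14:59 host openvpn[15203]: <msg>"
LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+(?:\S+\s+)?"
                  r"openvpn(?:\[\d+\]:|\s+\d+)\s+(.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+:\d+)")

SAMPLE = """\
Sep 22 10:06:02 openvpn 33422 UDPv4 link remote: [AF_INET]23.19.68.54:1194
Sep 22 10:06:02 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:04 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:08 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:16 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:32 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:07:02 openvpn 33422 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 10:07:02 openvpn 33422 SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 10:09:00 openvpn 33422 UDPv4 link remote: [AF_INET]192.0.2.20:443
Sep 22 10:09:00 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]192.0.2.20:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:09:00 openvpn 33422 UDPv4 READ [26] from [AF_INET]192.0.2.20:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sep 22 10:09:03 openvpn 33422 Initialization Sequence Completed
"""

def attempts(log_text):
    """Split the log into connection attempts, one per 'link remote' line."""
    found, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, msg = m.groups()
        clock = int(hh) * 3600 + int(mm) * 60 + int(ss)   # seconds since midnight
        link = REMOTE.search(msg)
        if link:
            cur = {"remote": link.group(1), "sent": [], "received": 0, "outcome": "open"}
            found.append(cur)
        elif cur is None:
            continue                                      # lines before the first attempt
        elif "WRITE" in msg and "P_CONTROL_HARD_RESET_CLIENT" in msg:
            cur["sent"].append(clock)
        elif " READ " in msg:
            cur["received"] += 1
        elif "Inactivity timeout" in msg or "TLS key negotiation failed" in msg:
            cur["outcome"] = "timeout"
        elif "Initialization Sequence Completed" in msg:
            cur["outcome"] = "up"
    return found

def retry_gaps(attempt):
    """Seconds between successive hard resets (OpenVPN backs off exponentially)."""
    sent = attempt["sent"]
    return [b - a for a, b in zip(sent, sent[1:])]

def triage(log_text):
    """Return (remote, resets sent, verdict) for every attempt in the log."""
    report = []
    for a in attempts(log_text):
        if a["outcome"] == "timeout" and a["sent"] and a["received"] == 0:
            verdict = "no reply"        # nothing came back from this address:port
        elif a["outcome"] == "up":
            verdict = "connected"
        else:
            verdict = "incomplete"
        report.append((a["remote"], len(a["sent"]), verdict))
    return report

if __name__ == "__main__":
    for remote, resets, verdict in triage(SAMPLE):
        print("%-22s resets=%d  %s" % (remote, resets, verdict))
```
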
                            • JeGrJ
                              JeGr LAYER 8 Moderator
                              last edited by

                              From what configuration are these logs? What did you set up in the GUI exactly? After you posted about deleting directories, overwriting configs etc. I'm not sure what you are running and where you set it up. So why not start from scratch: delete all, create a fresh new client and try setting it up with the values at hand (from your config on top):

                              • Peer to peer, TLS
                              • UDP on v4
                              • tun
                              • <your WAN interface>
                              • server host: 10-1-us.cg-dialup.net
                              • server port 443 (that is real strange - udp/443 isn't something normally used but maybe CG does it)
                              • no proxy settings
                              • <your description>
                              • <username>
                              • <password>
                              • [ ] do not retry
                              • disable TLS key usage -> [ ] use a TLS key
                              • peer CA: import the ca.crt from CG
                              • peer CRL -> none
                              • client cert: import the client.crt and the client.key
                              • encryption: AES-256-CBC
                              • disable NCP (CG config doesn't include it)
                              • Auth digest: SHA256
                              • leave tunnel network blank (none given in the config)
                              • leave remote network
                              • compression: omit preference (as the CG file has comp-lzo -> that's not that nice because of VORACLE)
                              • topology net30 (I assume from your screenshot when dialed in (.62 -> .61) that they still use net30)
                              • leave the rest
                              • set gw creation to v4 only
                              • verbosity level 3

                              try that one and test/log

                              • JeGrJ
                                JeGr LAYER 8 Moderator
                                last edited by

                                Also as I just saw that:

                                https://forum.netgate.com/topic/146714/tunneled-isp-cheat-sheet

                                have a look at the zoomed in graphic as it shows which settings come from what UI / custom selection box. But not every setting you see in some company's OVPN config has to be recreated, as some are simple default OVPN stuff. So try with a minimum and work your way up. :)

                                Also the config shown in the linux shell above has its default gw set to the OVPN endpoint. I'm not sure you actually want to do that. So keep the option "don't pull routes" in mind.

                                • obitoriO
                                  obitori
                                  last edited by obitori

                                  @JeGr
                                  Thanks...I was thinking pretty much the same thing. I deleted the VPN config and restarted. I was not able to get any further, but I will delete it again and retry with your suggested settings. I was able to figure out a few things. pfSense wants the local, not the nobind setting, so I dropped that and the ping settings (which kick up another error). I also clicked on the don't add routes option. That's been reported for other VPNs to cause problems.

                                  I will give your link a look and try again...

                                  Thanks,

                                  obitori

                                  • obitoriO
                                    obitori @obitori
                                    last edited by

                                    @JeGr

                                    So, I tried exactly your posted values. Again, I had to remove the ping statements from the advanced config settings pasted into the pfsense web page. They conflict with --keepalive.

                                    Sep 22 22:18:10 aquaduct openvpn[83949]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart.  If you use --keepalive, you don't need any of the other --ping directives.
                                    

                                    Next, the logs complained that --local and --nobind were in conflict. It appears that --local is a non-optional setting in pfSense, so I had no choice but to remove --nobind from the list of advanced configs.

                                    Sep 22 22:21:01 aquaduct openvpn[53522]: Options error: --local and --nobind don't make sense when used together
                                    

                                    That left me with:

                                    resolv-retry infinite 
                                    redirect-gateway def1
                                    persist-key
                                    persist-tun
                                    explicit-exit-notify 2
                                    script-security 2
                                    remote-cert-tls server
                                    route-delay 5
                                    tun-mtu 1500 
                                    fragment 1300
                                    mssfix 1200
                                    

                                    I tried clicking on "Don't pull routes" and when that did not work, added, "Don't add or remove routes automatically". I turned the latter off after trying once. The variations on routes don't seem to change anything.

                                    Here are my recent logs:

                                    Sep 22 20:14:59 aquaduct openvpn[15203]: SIGTERM received, sending exit notification to peer
                                    Sep 22 20:15:01 aquaduct openvpn[15203]: TCP/UDP: Closing socket
                                    Sep 22 20:15:01 aquaduct openvpn[15203]: SIGTERM[soft,exit-with-notification] received, process exiting
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: Current Parameter Settings:
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   config = '/var/etc/openvpn/client1.conf'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mode = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   show_ciphers = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   show_digests = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   show_engines = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   genkey = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   key_pass_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   show_tls_ciphers = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   connect_retry_max = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: Connection profiles [0]:
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   proto = udp4
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   local = '70.110.22.110'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   local_port = '0'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote = '10-1-us.cg-dialup.net'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_port = '1194'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_float = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   bind_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   bind_local = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   bind_ipv6_only = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   connect_retry_seconds = 5
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   connect_timeout = 120
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   socks_proxy_server = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   socks_proxy_port = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tun_mtu = 1500
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tun_mtu_defined = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   link_mtu = 1500
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   link_mtu_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tun_mtu_extra = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tun_mtu_extra_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mtu_discover_type = -1
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   fragment = 1300
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mssfix = 1200
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   explicit_exit_notification = 2
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: Connection profiles END
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_random = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ipchange = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   dev = 'ovpnc1'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   dev_type = 'tun'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   dev_node = '/dev/tun1'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   lladdr = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   topology = 1
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_local = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_remote_netmask = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_noexec = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_nowarn = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_local = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_netbits = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_remote = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   shaper = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mtu_test = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mlock = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   keepalive_ping = 10
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   keepalive_timeout = 60
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   inactivity_timeout = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ping_send_timeout = 10
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ping_rec_timeout = 60
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ping_rec_timeout_action = 2
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ping_timer_remote = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remap_sigusr1 = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   persist_tun = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   persist_local_ip = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   persist_remote_ip = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   persist_key = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   passtos = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   resolve_retry_seconds = 1000000000
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   resolve_in_advance = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   username = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   groupname = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   chroot_dir = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   cd_dir = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   writepid = '/var/run/openvpn_client1.pid'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   up_script = '/usr/local/sbin/ovpn-linkup'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   down_script = '/usr/local/sbin/ovpn-linkdown'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   down_pre = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   up_restart = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   up_delay = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   daemon = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   inetd = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   log = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   suppress_timestamps = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   machine_readable_output = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   nice = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   verbosity = 6
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mute = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   gremlin = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   status_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   status_file_version = 1
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   status_file_update_freq = 60
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   occ = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   rcvbuf = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   sndbuf = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   sockflags = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   fast_io = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   comp.alg = 2
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   comp.flags = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_script = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_default_gateway = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_default_metric = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_noexec = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_delay = 5
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_delay_window = 30
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_delay_defined = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_nopull = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   route_gateway_via_dhcp = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   allow_pull_fqdn = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   [redirect_default_gateway local=0]
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_addr = '/var/etc/openvpn/client1.sock'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_port = 'unix'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_user_pass = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_log_history_cache = 250
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_echo_buffer_size = 100
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_write_peer_info_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_client_user = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_client_group = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   management_flags = 256
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   shared_secret_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   key_direction = not set
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ciphername = 'AES-256-CBC'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ncp_enabled = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   authname = 'SHA256'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   prng_hash = 'SHA1'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   prng_nonce_secret_len = 16
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   keysize = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   engine = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   replay = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   mute_replay_warnings = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   replay_window = 64
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   replay_time = 15
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   packet_id_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   use_iv = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   test_crypto = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_server = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_client = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   key_method = 2
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ca_file = '/var/etc/openvpn/client1.ca'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ca_path = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   dh_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   cert_file = '/var/etc/openvpn/client1.cert'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   extra_certs_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   priv_key_file = '/var/etc/openvpn/client1.key'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   pkcs12_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   cipher_list = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_cert_profile = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_verify = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_export_cert = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   verify_x509_type = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   verify_x509_name = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   crl_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ns_cert_type = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 65535
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_ku[i] = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   remote_cert_eku = 'TLS Web Server Authentication'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ssl_flags = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_timeout = 2
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   renegotiate_bytes = -1
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   renegotiate_packets = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   renegotiate_seconds = 3600
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   handshake_window = 60
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   transition_window = 3600
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   single_session = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_peer_info = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_exit = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_auth_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tls_crypt_file = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_network = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_netmask = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_network_ipv6 = ::
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_netbits_ipv6 = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_bridge_ip = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_bridge_netmask = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_bridge_pool_start = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   server_bridge_pool_end = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_start = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_end = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_netmask = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_persist_filename = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_pool_persist_refresh_freq = 600
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_pool_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_pool_base = ::
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ifconfig_ipv6_pool_netbits = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   n_bcast_buf = 256
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tcp_queue_limit = 64
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   real_hash_size = 256
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   virtual_hash_size = 256
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   client_connect_script = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   learn_address_script = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   client_disconnect_script = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   client_config_dir = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   ccd_exclusive = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   tmp_dir = '/tmp'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_local = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_remote_netmask = 0.0.0.0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_ipv6_defined = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_ipv6_local = ::/0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   push_ifconfig_ipv6_remote = ::
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   enable_c2c = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   duplicate_cn = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   cf_max = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   cf_per = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   max_clients = 1024
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   max_routes_per_client = 256
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   auth_user_pass_verify_script = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   auth_user_pass_verify_script_via_file = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   auth_token_generate = DISABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   auth_token_lifetime = 0
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   port_share_host = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   port_share_port = '[UNDEF]'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   client = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   pull = ENABLED
                                    Sep 22 20:15:10 aquaduct openvpn[59750]:   auth_user_pass_file = '/var/etc/openvpn/client1.up'
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  3 2018
                                    Sep 22 20:15:10 aquaduct openvpn[59750]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: LZO compression initializing
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.91.105.226:1194
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: Socket Buffers: R=[42080->42080] S=[57344->57344]
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link local (bound): [AF_INET]70.110.22.110:0
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link remote: [AF_INET]208.91.105.226:1194
                                    Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                                    Sep 22 20:15:12 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                                    Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                                    Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: CMD 'state 1'
                                    Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: Client disconnected
                                    Sep 22 20:15:16 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                                    Sep 22 20:15:24 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                                    Sep 22 20:15:41 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
                                    Sep 22 20:16:11 aquaduct openvpn[60033]: [UNDEF] Inactivity timeout (--ping-restart), restarting
                                    Sep 22 20:16:11 aquaduct openvpn[60033]: TCP/UDP: Closing socket
                                    Sep 22 20:16:11 aquaduct openvpn[60033]: SIGUSR1[soft,ping-restart] received, process restarting
                                    Sep 22 20:16:11 aquaduct openvpn[60033]: Restart pause, 10 second(s)
                                    Sep 22 20:16:21 aquaduct openvpn[60033]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                    Sep 22 20:16:21 aquaduct openvpn[60033]: Re-using SSL/TLS context
                                    Sep 22 20:16:21 aquaduct openvpn[60033]: LZO compression initializing
                                    Sep 22 20:16:21 aquaduct openvpn[60033]: Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                                    Sep 22 20:16:21 aquaduct openvpn[60033]: Data Channel MTU parCLOG
                                    
                                      obitori @obitori

                                      Here is another try (logs):

                                      Sep 22 22:52:26 	openvpn 	3946 	auth_user_pass_verify_script_via_file = DISABLED
                                      Sep 22 22:52:26 	openvpn 	3946 	auth_token_generate = DISABLED
                                      Sep 22 22:52:26 	openvpn 	3946 	auth_token_lifetime = 0
                                      Sep 22 22:52:26 	openvpn 	3946 	port_share_host = '[UNDEF]'
                                      Sep 22 22:52:26 	openvpn 	3946 	port_share_port = '[UNDEF]'
                                      Sep 22 22:52:26 	openvpn 	3946 	client = ENABLED
                                      Sep 22 22:52:26 	openvpn 	3946 	pull = ENABLED
                                      Sep 22 22:52:26 	openvpn 	3946 	auth_user_pass_file = '/var/etc/openvpn/client1.up'
                                      Sep 22 22:52:26 	openvpn 	3946 	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
                                      Sep 22 22:52:26 	openvpn 	3946 	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
                                      Sep 22 22:52:26 	openvpn 	3960 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                                      Sep 22 22:52:26 	openvpn 	3960 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                      Sep 22 22:52:26 	openvpn 	3960 	LZO compression initializing
                                      Sep 22 22:52:26 	openvpn 	3960 	Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                                      Sep 22 22:52:26 	openvpn 	3960 	Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
                                      Sep 22 22:52:26 	openvpn 	3960 	Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
                                      Sep 22 22:52:26 	openvpn 	3960 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                                      Sep 22 22:52:26 	openvpn 	3960 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                                      Sep 22 22:52:26 	openvpn 	3960 	TCP/UDP: Preserving recently used remote address: [AF_INET]207.244.84.139:1194
                                      Sep 22 22:52:26 	openvpn 	3960 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                                      Sep 22 22:52:26 	openvpn 	3960 	UDPv4 link local (bound): [AF_INET]70.110.22.110:0
                                      Sep 22 22:52:26 	openvpn 	3960 	UDPv4 link remote: [AF_INET]207.244.84.139:1194
                                      Sep 22 22:52:31 	openvpn 	3960 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                                      Sep 22 22:52:31 	openvpn 	3960 	MANAGEMENT: CMD 'state 1'
                                      Sep 22 22:52:31 	openvpn 	3960 	MANAGEMENT: Client disconnected
                                      Sep 22 22:52:36 	openvpn 	3960 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                                      Sep 22 22:52:36 	openvpn 	3960 	MANAGEMENT: CMD 'state 1'
                                      Sep 22 22:52:36 	openvpn 	3960 	MANAGEMENT: Client disconnected
                                      Sep 22 22:53:13 	openvpn 	3960 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                                      Sep 22 22:53:13 	openvpn 	3960 	MANAGEMENT: CMD 'state 1'
                                      Sep 22 22:53:13 	openvpn 	3960 	MANAGEMENT: Client disconnected
                                      Sep 22 22:53:26 	openvpn 	3960 	[UNDEF] Inactivity timeout (--ping-restart), restarting
                                      Sep 22 22:53:26 	openvpn 	3960 	TCP/UDP: Closing socket
                                      Sep 22 22:53:26 	openvpn 	3960 	SIGUSR1[soft,ping-restart] received, process restarting
                                      Sep 22 22:53:26 	openvpn 	3960 	Restart pause, 10 second(s)
                                      Sep 22 22:53:36 	openvpn 	3960 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                      Sep 22 22:53:36 	openvpn 	3960 	Re-using SSL/TLS context
                                      Sep 22 22:53:36 	openvpn 	3960 	LZO compression initializing
                                      Sep 22 22:53:36 	openvpn 	3960 	Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
                                      Sep 22 22:53:36 	openvpn 	3960 	Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
                                      Sep 22 22:53:36 	openvpn 	3960 	Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
                                      Sep 22 22:53:36 	openvpn 	3960 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
                                      Sep 22 22:53:36 	openvpn 	3960 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
                                      Sep 22 22:53:36 	openvpn 	3960 	TCP/UDP: Preserving recently used remote address: [AF_INET]173.234.153.186:1194
                                      Sep 22 22:53:36 	openvpn 	3960 	Socket Buffers: R=[42080->42080] S=[57344->57344]
                                      Sep 22 22:53:36 	openvpn 	3960 	UDPv4 link local (bound): [AF_INET]70.110.22.110:0
                                      Sep 22 22:53:36 	openvpn 	3960 	UDPv4 link remote: [AF_INET]173.234.153.186:1194
                                      Sep 22 22:53:49 	openvpn 	3960 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                                      Sep 22 22:53:49 	openvpn 	3960 	MANAGEMENT: CMD 'state 1'
                                      Sep 22 22:53:49 	openvpn 	3960 	MANAGEMENT: Client disconnected 
                                      
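An added example, not code from this thread or from pfSense/OpenVPN: a small Python parser for the two log layouts posted above (raw syslog and the pfSense GUI log table) that groups lines into connection attempts and reports whether the server ever answered. The function names are hypothetical and the sample log is constructed from the message formats in these posts with documentation-range addresses. The `READ`, `TLS: Initial packet from` and `Initialization Sequence Completed` markers are standard OpenVPN messages assumed here, since none of them appears in the posted logs.

```python
import re

# Matches both layouts seen in this thread: raw syslog ("host openvpn[pid]: msg")
# and the pfSense GUI log table ("openvpn <tab> pid <tab> msg").
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"(?:\S+\s+openvpn\[\d+\]:|openvpn\s+\d+)\s*(?P<msg>.*?)\s*$"
)
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](?P<addr>\S+)")
OPTIONS_RE = re.compile(r"^Local Options String \(VER=V4\): '(?P<opts>[^']*)'")

# Constructed sample: same message formats as the posts, documentation addresses.
OPTS = ("V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,"
        "mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client")
RESET = "P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0"
SAMPLE_LOG = f"""\
Sep 22 20:15:10 aquaduct openvpn[60033]: Local Options String (VER=V4): '{OPTS}'
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link remote: [AF_INET]192.0.2.10:1194
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]192.0.2.10:1194: {RESET}
Sep 22 20:15:12 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]192.0.2.10:1194: {RESET}
Sep 22 20:15:16 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]192.0.2.10:1194: {RESET}
Sep 22 20:16:11 aquaduct openvpn[60033]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 22:52:26 \topenvpn \t3960 \tLocal Options String (VER=V4): '{OPTS}'
Sep 22 22:52:26 \topenvpn \t3960 \tUDPv4 link remote: [AF_INET]198.51.100.7:1194
Sep 22 22:53:26 \topenvpn \t3960 \t[UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 22:53:36 \topenvpn \t3960 \tUDPv4 link remote: [AF_INET]203.0.113.5:1194
Sep 22 22:53:49 \topenvpn \t3960 \tMANAGEMENT: CMD 'state 1'
"""


def summarize_attempts(log_text):
    """Split an OpenVPN client log into connection attempts, one per 'link remote' line."""
    attempts, current, pending_opts = [], None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an openvpn log line in either layout
        ts, msg = m.group("ts"), m.group("msg")
        opts = OPTIONS_RE.match(msg)
        if opts:
            # Logged just before the socket opens, so hold it for the next attempt.
            pending_opts = opts.group("opts").split(",")
            continue
        remote = REMOTE_RE.search(msg)
        if remote:
            current = {
                "started": ts,
                "remote": remote.group("addr"),
                "local_options": pending_opts,
                "hard_resets_sent": 0,
                "server_replied": False,
                "timed_out": False,
                "established": False,
            }
            attempts.append(current)
            continue
        if current is None:
            continue
        if " WRITE " in msg and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            current["hard_resets_sent"] += 1  # only visible at high verbosity
        elif " READ [" in msg or "TLS: Initial packet from" in msg:
            current["server_replied"] = True
        elif "Inactivity timeout (--ping-restart)" in msg:
            current["timed_out"] = True
        elif "Initialization Sequence Completed" in msg:
            current["established"] = True
    return attempts


def diagnose(attempt):
    """Classify one attempt from the flags collected by summarize_attempts()."""
    if attempt["established"]:
        return "connected"
    if attempt["timed_out"] and not attempt["server_replied"]:
        return "no reply from server"
    if attempt["timed_out"]:
        return "handshake started but stalled"
    return "in progress"


if __name__ == "__main__":
    for a in summarize_attempts(SAMPLE_LOG):
        print(a["started"], a["remote"], diagnose(a),
              "resets sent:", a["hard_resets_sent"],
              "options:", ",".join(a["local_options"]))
```

The `local_options` list is what the client announces to the server, so it can be compared item by item with the directives in the provider's `.ovpn` file.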
                                        JeGr LAYER 8 Moderator

                                        @obitori said in CyberGhost openvpn config files for client get mangled by pfdense web:

                                        Again, I had to remove the ping statements from the advanced config settings pasted into the pfsense web page. They conflict with --keepalive.

                                        I didn't say anything about advanced / custom options. Why are you so insistent to put them there? Just try it with less and only add what's necessary in the configuration when you're told so by the error logs. Also you tried setting "don't pull routes" but set redirect-gateway def1. That's just plain stupid as the latter one will set up your default GW to the VPN tunnel while your checkbox will try to avoid that. Just stop adding stuff in the custom options because "it says so".

                                          obitori @JeGr

                                          @JeGr

                                          FYI, I tried a "plain" pfSense config and then sequentially pasted in "advanced configs" to see the result. I basically got the same errors and no combination of pfSense and "advanced config options" worked. I had to leave for international travel, so have to push this off for now.

                                          If you have any additional ideas on how to proceed, please let me know. I will tackle this again next week.

                                          1 Reply Last reply Reply Quote 0
                                          • Antonio76A
                                            Antonio76
                                            last edited by

                                            Hi All,

                                            Here in 2020, same issue, and this was my fix: compression: omit preference.
                                            Works with PfBlocker unbound too.

                                            Thanks @JeGr

                                            Peer to peer, TLS
                                            UDP on v4
                                            tun
                                            <your WAN interface>
                                            server host: Your Server
                                            server port 443 (that is real strange - udp/443 isn't something normally used but maybe CG does it)
                                            no proxy settings
                                            <your description>
                                            <username>
                                            <password>

                                            do not retry

                                            use a TLS key

                                            peer CA: import the ca.crt from CG
                                            peer CRL -> none
                                            client cert: import the client.crt and the client.key
                                            encryption: AES-256-CBC
                                            disable NCP (CG config doesn't include it)
                                            Auth digest: SHA256
                                            leave tunnel network blank (none given in the config)
                                            leave remote network
                                            compression: omit preference (as the CG file has comp-lzo -> that's not that nice because of VORACLE)
                                            topology net30 (I assume from your screenshot when dialed in (.62 -> .61) that they still use net30)
                                            leave the rest
                                            set gw creation to v4 only
                                            verbosity level 3

                                            H 1 Reply Last reply Reply Quote 1
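A lint pass over the effective client config for the three issues raised in this thread: ping statements next to keepalive, redirect-gateway combined with "don't pull routes", and comp-lzo with its VORACLE exposure. This is an added example, not part of any post or of pfSense; the function names, finding labels and sample config are constructed, and it assumes the "don't pull routes" checkbox ends up in the config as `route-nopull`.

```python
import re

# Constructed sample: GUI-generated lines plus pasted custom options.
SAMPLE_CONF = """\
remote vpn.example.invalid 443
keepalive 10 60
route-nopull
# pasted into custom options
ping 5
ping-restart 60
redirect-gateway def1
comp-lzo
<ca>
ping this-line-is-inline-data-not-a-directive
</ca>
"""

def parse_directives(text):
    """Map directive -> list of argument lists; skip comments and inline blocks."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <ca>, <cert>, <key>, ...
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if tag:
            inline = tag.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        found.setdefault(name.lstrip("-"), []).append(args)
    return found

def lint(text):
    """Return (finding, directives) pairs for the conflicts named in the thread."""
    d, findings = parse_directives(text), []
    # keepalive is a macro for ping + ping-restart, so explicit ones collide.
    pings = sorted(k for k in ("ping", "ping-restart") if k in d)
    if "keepalive" in d and pings:
        findings.append(("keepalive-conflict", pings))
    if "route-nopull" in d and "redirect-gateway" in d:
        findings.append(("route-conflict", ["redirect-gateway", "route-nopull"]))
    # "comp-lzo no" disables compression locally; other forms leave it on.
    if any(args != ["no"] for args in d.get("comp-lzo", [])):
        findings.append(("compression-voracle", ["comp-lzo"]))
    return findings
```

Run `lint()` on the file pfSense actually writes rather than on the provider's original, since the conflicts come from GUI settings and custom options being merged.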
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.