Cannot create VPN client
-
I'm trying to set up an openvpn client. And I got the openvpn config file from my VPN provider. It works on other devices, but when I set all the options in pfsense for some reason the tunnel link never goes up. I have other openvpn clients set up from the same VPN provider, with the exact same settings. And I was troubleshooting for a while, I don't see any reason why it shouldn't work. I set the verbosity to max, here's the log output:
UDPv4 link remote: [AF_INET]45.41.180.48:1195
Aug 27 05:49:42 openvpn 15718 UDPv4 link local (bound): [AF_INET]192.168.2.2:0
Aug 27 05:49:42 openvpn 15718 Socket Buffers: R=[42080->524288] S=[57344->524288]
Aug 27 05:49:42 openvpn 15718 TCP/UDP: Preserving recently used remote address: [AF_INET]45.41.180.48:1195
Aug 27 05:49:42 openvpn 15718 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 27 05:49:42 openvpn 15718 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 27 05:49:42 openvpn 15718 Initializing OpenSSL support for engine 'rdrand'
Aug 27 05:49:42 openvpn 15718 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 27 05:49:42 openvpn 15718 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Aug 27 05:49:42 openvpn 15718 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client6.sock
Aug 27 05:49:42 openvpn 15534 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Aug 27 05:49:42 openvpn 15534 OpenVPN 2.4.8 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 17 2019
Aug 27 05:49:42 openvpn 15534 WARNING: file '/var/etc/openvpn/client6.up' is group or others accessible
Aug 27 05:49:41 openvpn 69798 SIGTERM[hard,] received, process exiting
Aug 27 05:49:41 openvpn 69798 event_wait : Interrupted system call (code=4)How can I troubleshoot this?
-
I don't know what else I can do to troubleshoot. Anyone that can help me with this?
-
Which VPN provider is it? Do they only provide *.ovpn files and not instructions for setting up various routers like pfSense? Have you turned the log level in the client (at the bottom of the config page) all the way up to make sure you're seeing everything that's happening on a failed connection attempt?
-
@TheNarc It's expressVPN and yes, I followed their guide for pfsense 2.4. I turned up the verbosity to max(11), there's no further output. I did a packet capture, and I can see some traffic to the VPN server, but when I restart the daemon, there's no connection attempt.
-
I see the:
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
From your logs. Just to confirm, the guide you followed is this one, right?
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/It specifies, among other steps, providing the following custom options that include remote-cert-tls:
fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
Do you have those custom options, and everything else specified in the guide? I'm not an expert on VPN client config, although I have run with Nord clients for a long time without issue. You may also want to post screen shots of your entire client configuration.