Netgate Discussion Forum

    OpenVPN Client Cannot Connect to AirVPN

      TheMetMan

      I am using pfSense 2.4.5 in a Netgate SG-3100 Router.
      I have the WAN connected to my ISP's Router, so it is on a 192.xxx.x.x address with Block Private and Bogon Networks Unchecked. My LAN is on a 10.xxx.xxx.xxx network and VLAN20 on 10.xxx.20.xxx
      I have followed the installation instructions from here to set up an AirVPN Connection, and also looked at the pfSense 2.3 instructions here. I have also read the posts on this forum relating to AirVPN Problems, but cannot get the VPN to connect.
      Here is the Log Output:

      Oct 3 12:13:08 	openvpn 	25566 	MANAGEMENT: Client disconnected
      Oct 3 12:13:08 	openvpn 	25566 	MANAGEMENT: CMD 'state 1'
      Oct 3 12:13:08 	openvpn 	25566 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Oct 3 12:12:39 	openvpn 	25566 	UDPv4 link remote: [AF_INET]185.103.96.130:443
      Oct 3 12:12:39 	openvpn 	25566 	UDPv4 link local (bound): [AF_INET]192.xxx.x.xxx:0
      Oct 3 12:12:39 	openvpn 	25566 	Socket Buffers: R=[42080->2097152] S=[57344->2097152]
      Oct 3 12:12:39 	openvpn 	25566 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
      Oct 3 12:12:39 	openvpn 	25566 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Oct 3 12:12:39 	openvpn 	25566 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Oct 3 12:12:39 	openvpn 	25566 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Oct 3 12:12:39 	openvpn 	25566 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Oct 3 12:12:39 	openvpn 	25566 	Initializing OpenSSL support for engine 'cryptodev'
      Oct 3 12:12:39 	openvpn 	25566 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 3 12:12:39 	openvpn 	25566 	mlockall call succeeded
      Oct 3 12:12:39 	openvpn 	25566 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
      Oct 3 12:12:39 	openvpn 	25449 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
      Oct 3 12:12:39 	openvpn 	25449 	OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020 
      

      I even tried a different AirVPN Server also in the UK, but same error.
      I have the NAT -> Outbound from my VLAN20 to the VPN_WAN Interface which uses the WAN and VLAN20 to WAN also as per the instructions above. However this is no use if the OpenVPN Client will not connect.
      The VPN_WAN Gateway is enabled.
      Firewall Rules for this Gateway are to Block all IPv4 and IPv6 as per the instructions.
      I have rebooted the Router a couple of times too.
      Any help much appreciated!

        TheMetMan @TheMetMan

        Here is some more information which might help.
        My Router is behind my ISP's Router, so I suppose is 'double NATed'?? If that helps.
        I have opened The Firewall on the LAN to everything to do with the AirVPN Server address.
        This is the config the server is using:

        dev ovpnc1
        verb 4
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 192.168.1.153
        engine cryptodev
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote xxx.xxx.xxx.xxx 443 udp4
        ca /var/etc/openvpn/client1.ca 
        cert /var/etc/openvpn/client1.cert 
        key /var/etc/openvpn/client1.key 
        tls-crypt /var/etc/openvpn/client1.tls-crypt 
        ncp-ciphers AES-256-GCM:AES-256-CBC
        comp-lzo no
        resolv-retry infinite
        route-noexec
        fast-io
        explicit-exit-notify 5
        sndbuf 262144
        rcvbuf 262144
        client
         persist-key
         persist-tun
         remote-cert-tls server
         prng sha256 64
         mlock
         auth-nocache
        

        and here is the info from the ovpn file with the keys in:

        dev tun
        remote xxx.xxx.xxx.xxx 443
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        auth-nocache
        verb 3
        explicit-exit-notify 5
        rcvbuf 262144
        sndbuf 262144
        push-peer-info
        setenv UV_IPV6 yes
        remote-cert-tls server
        cipher AES-256-CBC
        comp-lzo no
        proto udp
        key-direction 1
        

        and the Log Output. The only thing I can spot is this: "Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key" when the Encryption Algorithm is AES-256-CBC (256 bit key, 128 bit block).
        Also the instructions tell you to use Allowed NCP Encryption Algorithms: AES-256-GCM but the above is using AES-256-CBC. I have tried with both, but no good.

         Oct 4 15:34:09 	openvpn 	41002 	MANAGEMENT: Client disconnected
        Oct 4 15:34:09 	openvpn 	41002 	MANAGEMENT: CMD 'state 1'
        Oct 4 15:34:09 	openvpn 	41002 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
        Oct 4 15:34:04 	openvpn 	41002 	UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:443
        Oct 4 15:34:04 	openvpn 	41002 	UDPv4 link local (bound): [AF_INET]192.168.1.153:0
        Oct 4 15:34:04 	openvpn 	41002 	Socket Buffers: R=[42080->262144] S=[57344->262144]
        Oct 4 15:34:04 	openvpn 	41002 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
        Oct 4 15:34:04 	openvpn 	41002 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
        Oct 4 15:34:04 	openvpn 	41002 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
        Oct 4 15:34:04 	openvpn 	41002 	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
        Oct 4 15:34:04 	openvpn 	41002 	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
        Oct 4 15:34:04 	openvpn 	41002 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
        Oct 4 15:34:04 	openvpn 	41002 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
        Oct 4 15:34:04 	openvpn 	41002 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
        Oct 4 15:34:04 	openvpn 	41002 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
        Oct 4 15:34:04 	openvpn 	41002 	Initializing OpenSSL support for engine 'cryptodev'
        Oct 4 15:34:04 	openvpn 	41002 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct 4 15:34:04 	openvpn 	41002 	mlockall call succeeded
        Oct 4 15:34:04 	openvpn 	41002 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
        Oct 4 15:34:04 	openvpn 	40744 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
        Oct 4 15:34:04 	openvpn 	40744 	OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020 
        

        Hopefully this additional information might jog a memory somewhere.

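Added example, not part of the original posts and not pfSense or AirVPN code: a small Python reader for OpenVPN 2.4 client log text like the output above. It reports the tls-crypt control-channel cipher (the 'AES-256-CTR' / 'SHA256' lines) separately from the data-channel `cipher` and `auth` in the Local Options String, and how far the handshake got. The sample log is constructed from abridged lines of the post with a placeholder address, and the stage names are this example's own.

```python
import re

# Constructed sample: abridged lines shaped like the second log in the post.
# 192.0.2.10 is a documentation-range placeholder, not the real server.
SAMPLE_LOG = """\
Oct 4 15:34:04 openvpn 41002 UDPv4 link remote: [AF_INET]192.0.2.10:443
Oct 4 15:34:04 openvpn 41002 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 4 15:34:04 openvpn 41002 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 4 15:34:04 openvpn 41002 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
"""

def parse_options(text):
    """Split an options string such as 'cipher AES-256-CBC,auth SHA512' into a dict."""
    opts = {}
    for item in text.split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value
    return opts

def first(pattern, log):
    """Return group 1 of the first match, or None when the line is absent."""
    m = re.search(pattern, log)
    return m.group(1) if m else None

def analyze(log):
    local = parse_options(first(r"Local Options String \(VER=V\d\): '([^']*)'", log) or "")
    # Presence checks are order-independent: the pfSense log view lists newest lines first.
    if "Initialization Sequence Completed" in log:
        stage = "up"
    elif "TLS key negotiation failed" in log:
        stage = "tls_timeout"
    elif "TLS: Initial packet from" in log:
        stage = "tls_started"
    elif "link remote:" in log:
        stage = "no_server_reply_logged"  # packets sent, nothing logged as received
    else:
        stage = "not_started"
    return {
        # Control channel: keyed from the tls-crypt file, independent of --cipher.
        "control_cipher": first(r"Control Channel Encryption: Cipher '([^']+)'", log),
        "control_hmac": first(r"Control Channel Encryption: Using \d+ bit message hash '([^']+)'", log),
        # Data channel: what --cipher / --auth in the client config select.
        "data_cipher": local.get("cipher"),
        "data_auth": local.get("auth"),
        # Options the server reported differently once a handshake completes.
        "inconsistent": re.findall(r"WARNING: '([^']+)' is used inconsistently", log),
        "stage": stage,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
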
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.