Netgate Discussion Forum

    Howto Circumvent Double NAT

    Category: OpenVPN
    12 Posts 4 Posters 1.2k Views
    • TheMetMan (last edited by TheMetMan)

      Is there some way to circumvent being double NATted?
      I think this is why my VPN client will NOT stay connected for some reason.
      My pfSense router on my SG-3100 is behind my ISP's router, which cannot be put into bridged mode.
      I have put my router in the DMZ of the ISP router, but no different.

      Oct 15 07:11:52 	openvpn 	92912 	MANAGEMENT: Client disconnected
      Oct 15 07:11:52 	openvpn 	92912 	MANAGEMENT: CMD 'state 1'
      Oct 15 07:11:52 	openvpn 	92912 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Oct 15 07:11:47 	openvpn 	92912 	UDPv4 link remote: [AF_INET]185.103.96.130:443
      Oct 15 07:11:47 	openvpn 	92912 	UDPv4 link local (bound): [AF_INET]192.168.1.14:0
      Oct 15 07:11:47 	openvpn 	92912 	Socket Buffers: R=[42080->524288] S=[57344->524288]
      Oct 15 07:11:47 	openvpn 	92912 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
      Oct 15 07:11:47 	openvpn 	92912 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
      Oct 15 07:11:47 	openvpn 	92912 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
      Oct 15 07:11:47 	openvpn 	92912 	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
      Oct 15 07:11:47 	openvpn 	92912 	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
      Oct 15 07:11:47 	openvpn 	92912 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Oct 15 07:11:47 	openvpn 	92912 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Oct 15 07:11:47 	openvpn 	92912 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
      Oct 15 07:11:47 	openvpn 	92912 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
      Oct 15 07:11:47 	openvpn 	92912 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 15 07:11:47 	openvpn 	92912 	mlockall call succeeded
      Oct 15 07:11:47 	openvpn 	92912 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
      Oct 15 07:11:47 	openvpn 	92895 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
      Oct 15 07:11:47 	openvpn 	92895 	OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020 
      

      I have no firewall rules for OpenVPN.
      Is there some clever routing or NATting I can do to overcome this?
      I can connect using OpenVPN from my phone, no problem.
      This is very frustrating!

      • pwood999

        I use OpenVPN with double NAT with no issues. Port 1194 is forwarded through my ISP router to pfSense, and then forwarded in PF to the OpenVPN interface.

        • TheMetMan

          My problem is the reverse: I am trying to connect to a VPN outside my system, and no matter what I do I see the connection happen and then get dropped, as per the top of the log above.
          I even tried setting up a hybrid outbound NAT to and from the pfSense router and the VPN, but no good. The normal outbound NAT is for my VLANs.

          • pwood999

            Check if the ISP router has outbound VPN options. Many do, to force ports rather than use random ones during key exchange.

            • pwood999

              Also, if you can access the server, collect both client & server logs with increased debug enabled.

              Try the server connection with a client on the ISP router LAN.

              • johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

                So you're running UDP over 443?

                This is a VPS, a dedicated box of yours I take it - and you're trying to run what, openvpn-as on it? Which I assume from the use of aes-256-cbc.. Also, why would you not have compression off?

                As already mentioned, logs from the server could help... Also up your verbosity..

                Double NAT, even triple or quadruple NAT, would not cause issues with you creating a VPN outbound..

                BTW, if this is pfSense connecting as a client, then it's only single NAT: the device in front of pfSense NATing. If it were a client behind pfSense trying to connect, then it would be double NAT: pfSense NATing your client's IP to its WAN, and then your router in front of pfSense NATing pfSense's WAN IP to your public IP.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • TheMetMan

                  @pwood999 The ISP router is so locked down I can pretty much do nothing.
                  I have got OpenVPN on my phone, which connects to AirVPN from behind my router, no problem, so why will the router not connect?
                  @johnpoz I must apologise, I showed the wrong log. I am trying to connect to AirVPN, but tried another outfit with the same result: no connection, with the same error. There is no compression in the AirVPN config.
                  I am using an SG-3100 router to manage my network inside my ISP's router.
                  I have upped the verbosity to 5. Here is the complete log from starting the OpenVPN server:

                  Oct 16 05:45:09 	openvpn 	99960 	MANAGEMENT: Client disconnected
                  Oct 16 05:45:09 	openvpn 	99960 	MANAGEMENT: CMD 'state 1'
                  Oct 16 05:45:09 	openvpn 	99960 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
                  Oct 16 05:45:04 	openvpn 	99960 	UDPv4 link remote: [AF_INET]185.103.96.130:443
                  Oct 16 05:45:04 	openvpn 	99960 	UDPv4 link local (bound): [AF_INET]192.168.1.14:0
                  Oct 16 05:45:04 	openvpn 	99960 	Socket Buffers: R=[42080->524288] S=[57344->524288]
                  Oct 16 05:45:04 	openvpn 	99960 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
                  Oct 16 05:45:04 	openvpn 	99960 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
                  Oct 16 05:45:04 	openvpn 	99960 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
                  Oct 16 05:45:04 	openvpn 	99960 	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
                  Oct 16 05:45:04 	openvpn 	99960 	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
                  Oct 16 05:45:04 	openvpn 	99960 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                  Oct 16 05:45:04 	openvpn 	99960 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                  Oct 16 05:45:04 	openvpn 	99960 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                  Oct 16 05:45:04 	openvpn 	99960 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                  Oct 16 05:45:04 	openvpn 	99960 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  Oct 16 05:45:04 	openvpn 	99960 	mlockall call succeeded
                  Oct 16 05:45:04 	openvpn 	99960 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                  Oct 16 05:45:04 	openvpn 	99816 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
                  Oct 16 05:45:04 	openvpn 	99816 	OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
                  Oct 16 05:45:04 	openvpn 	99816 	auth_user_pass_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	pull = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	client = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	port_share_port = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	port_share_host = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	auth_token_lifetime = 0
                  Oct 16 05:45:04 	openvpn 	99816 	auth_token_generate = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	auth_user_pass_verify_script_via_file = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	auth_user_pass_verify_script = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	max_routes_per_client = 256
                  Oct 16 05:45:04 	openvpn 	99816 	max_clients = 1024
                  Oct 16 05:45:04 	openvpn 	99816 	cf_per = 0
                  Oct 16 05:45:04 	openvpn 	99816 	cf_max = 0
                  Oct 16 05:45:04 	openvpn 	99816 	duplicate_cn = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	enable_c2c = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_ipv6_remote = ::
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_ipv6_local = ::/0
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_ipv6_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_remote_netmask = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_local = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	push_ifconfig_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	tmp_dir = '/tmp'
                  Oct 16 05:45:04 	openvpn 	99816 	ccd_exclusive = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	client_config_dir = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	client_disconnect_script = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	learn_address_script = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	client_connect_script = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	virtual_hash_size = 256
                  Oct 16 05:45:04 	openvpn 	99816 	real_hash_size = 256
                  Oct 16 05:45:04 	openvpn 	99816 	tcp_queue_limit = 64
                  Oct 16 05:45:04 	openvpn 	99816 	n_bcast_buf = 256
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_pool_netbits = 0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_pool_base = ::
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_pool_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_persist_refresh_freq = 600
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_persist_filename = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_netmask = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_end = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_start = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_pool_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	server_bridge_pool_end = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	server_bridge_pool_start = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	server_bridge_netmask = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	server_bridge_ip = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	server_netbits_ipv6 = 0
                  Oct 16 05:45:04 	openvpn 	99816 	server_network_ipv6 = ::
                  Oct 16 05:45:04 	openvpn 	99816 	server_netmask = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	server_network = 0.0.0.0
                  Oct 16 05:45:04 	openvpn 	99816 	tls_crypt_file = '/var/etc/openvpn/client1.tls-crypt'
                  Oct 16 05:45:04 	openvpn 	99816 	tls_auth_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	tls_exit = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	push_peer_info = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	single_session = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	transition_window = 3600
                  Oct 16 05:45:04 	openvpn 	99816 	handshake_window = 60
                  Oct 16 05:45:04 	openvpn 	99816 	renegotiate_seconds = 3600
                  Oct 16 05:45:04 	openvpn 	99816 	renegotiate_packets = 0
                  Oct 16 05:45:04 	openvpn 	99816 	renegotiate_bytes = -1
                  Oct 16 05:45:04 	openvpn 	99816 	tls_timeout = 2
                  Oct 16 05:45:04 	openvpn 	99816 	ssl_flags = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_eku = 'TLS Web Server Authentication'
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 0
                  Oct 16 05:45:04 	openvpn 	99816 	remote_cert_ku[i] = 65535
                  Oct 16 05:45:04 	openvpn 	99816 	ns_cert_type = 0
                  Oct 16 05:45:04 	openvpn 	99816 	crl_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	verify_x509_name = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	verify_x509_type = 0
                  Oct 16 05:45:04 	openvpn 	99816 	tls_export_cert = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	tls_verify = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	tls_cert_profile = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	cipher_list_tls13 = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	cipher_list = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	pkcs12_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	priv_key_file = '/var/etc/openvpn/client1.key'
                  Oct 16 05:45:04 	openvpn 	99816 	extra_certs_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	cert_file = '/var/etc/openvpn/client1.cert'
                  Oct 16 05:45:04 	openvpn 	99816 	dh_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ca_path = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ca_file = '/var/etc/openvpn/client1.ca'
                  Oct 16 05:45:04 	openvpn 	99816 	key_method = 2
                  Oct 16 05:45:04 	openvpn 	99816 	tls_client = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	tls_server = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	test_crypto = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	use_iv = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	packet_id_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	replay_time = 15
                  Oct 16 05:45:04 	openvpn 	99816 	replay_window = 64
                  Oct 16 05:45:04 	openvpn 	99816 	mute_replay_warnings = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	replay = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	engine = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	keysize = 0
                  Oct 16 05:45:04 	openvpn 	99816 	prng_nonce_secret_len = 64
                  Oct 16 05:45:04 	openvpn 	99816 	prng_hash = 'sha256'
                  Oct 16 05:45:04 	openvpn 	99816 	authname = 'SHA512'
                  Oct 16 05:45:04 	openvpn 	99816 	ncp_ciphers = 'AES-128-GCM'
                  Oct 16 05:45:04 	openvpn 	99816 	ncp_enabled = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	ciphername = 'AES-256-CBC'
                  Oct 16 05:45:04 	openvpn 	99816 	key_direction = not set
                  Oct 16 05:45:04 	openvpn 	99816 	shared_secret_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	management_flags = 256
                  Oct 16 05:45:04 	openvpn 	99816 	management_client_group = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	management_client_user = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	management_write_peer_info_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	management_echo_buffer_size = 100
                  Oct 16 05:45:04 	openvpn 	99816 	management_log_history_cache = 250
                  Oct 16 05:45:04 	openvpn 	99816 	management_user_pass = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	management_port = 'unix'
                  Oct 16 05:45:04 	openvpn 	99816 	management_addr = '/var/etc/openvpn/client1.sock'
                  Oct 16 05:45:04 	openvpn 	99816 	allow_pull_fqdn = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	route_gateway_via_dhcp = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	route_nopull = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	route_delay_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	route_delay_window = 30
                  Oct 16 05:45:04 	openvpn 	99816 	route_delay = 0
                  Oct 16 05:45:04 	openvpn 	99816 	route_noexec = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	route_default_metric = 0
                  Oct 16 05:45:04 	openvpn 	99816 	route_default_gateway = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	route_script = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	comp.flags = 0
                  Oct 16 05:45:04 	openvpn 	99816 	comp.alg = 1
                  Oct 16 05:45:04 	openvpn 	99816 	fast_io = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	sockflags = 0
                  Oct 16 05:45:04 	openvpn 	99816 	sndbuf = 524288
                  Oct 16 05:45:04 	openvpn 	99816 	rcvbuf = 524288
                  Oct 16 05:45:04 	openvpn 	99816 	occ = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	status_file_update_freq = 60
                  Oct 16 05:45:04 	openvpn 	99816 	status_file_version = 1
                  Oct 16 05:45:04 	openvpn 	99816 	status_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	gremlin = 0
                  Oct 16 05:45:04 	openvpn 	99816 	mute = 0
                  Oct 16 05:45:04 	openvpn 	99816 	verbosity = 5
                  Oct 16 05:45:04 	openvpn 	99816 	nice = 0
                  Oct 16 05:45:04 	openvpn 	99816 	machine_readable_output = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	suppress_timestamps = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	log = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	inetd = 0
                  Oct 16 05:45:04 	openvpn 	99816 	daemon = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	up_delay = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	up_restart = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	down_pre = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	down_script = '/usr/local/sbin/ovpn-linkdown'
                  Oct 16 05:45:04 	openvpn 	99816 	up_script = '/usr/local/sbin/ovpn-linkup'
                  Oct 16 05:45:04 	openvpn 	99816 	writepid = '/var/run/openvpn_client1.pid'
                  Oct 16 05:45:04 	openvpn 	99816 	cd_dir = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	chroot_dir = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	groupname = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	username = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	resolve_in_advance = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	resolve_retry_seconds = 1000000000
                  Oct 16 05:45:04 	openvpn 	99816 	passtos = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	persist_key = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	persist_remote_ip = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	persist_local_ip = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	persist_tun = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	remap_sigusr1 = 0
                  Oct 16 05:45:04 	openvpn 	99816 	ping_timer_remote = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	ping_rec_timeout_action = 2
                  Oct 16 05:45:04 	openvpn 	99816 	ping_rec_timeout = 30
                  Oct 16 05:45:04 	openvpn 	99816 	ping_send_timeout = 5
                  Oct 16 05:45:04 	openvpn 	99816 	inactivity_timeout = 0
                  Oct 16 05:45:04 	openvpn 	99816 	keepalive_timeout = 30
                  Oct 16 05:45:04 	openvpn 	99816 	keepalive_ping = 5
                  Oct 16 05:45:04 	openvpn 	99816 	mlock = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	mtu_test = 0
                  Oct 16 05:45:04 	openvpn 	99816 	shaper = 0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_remote = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_netbits = 0
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_ipv6_local = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_nowarn = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_noexec = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_remote_netmask = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	ifconfig_local = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	topology = 1
                  Oct 16 05:45:04 	openvpn 	99816 	lladdr = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	dev_node = '/dev/tun1'
                  Oct 16 05:45:04 	openvpn 	99816 	dev_type = 'tun'
                  Oct 16 05:45:04 	openvpn 	99816 	dev = 'ovpnc1'
                  Oct 16 05:45:04 	openvpn 	99816 	ipchange = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	remote_random = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	Connection profiles END
                  Oct 16 05:45:04 	openvpn 	99816 	explicit_exit_notification = 5
                  Oct 16 05:45:04 	openvpn 	99816 	mssfix = 1450
                  Oct 16 05:45:04 	openvpn 	99816 	fragment = 0
                  Oct 16 05:45:04 	openvpn 	99816 	mtu_discover_type = -1
                  Oct 16 05:45:04 	openvpn 	99816 	tun_mtu_extra_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	tun_mtu_extra = 0
                  Oct 16 05:45:04 	openvpn 	99816 	link_mtu_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	link_mtu = 1500
                  Oct 16 05:45:04 	openvpn 	99816 	tun_mtu_defined = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	tun_mtu = 1500
                  Oct 16 05:45:04 	openvpn 	99816 	socks_proxy_port = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	socks_proxy_server = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	connect_timeout = 120
                  Oct 16 05:45:04 	openvpn 	99816 	connect_retry_seconds = 5
                  Oct 16 05:45:04 	openvpn 	99816 	bind_ipv6_only = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	bind_local = ENABLED
                  Oct 16 05:45:04 	openvpn 	99816 	bind_defined = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	remote_float = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	remote_port = '443'
                  Oct 16 05:45:04 	openvpn 	99816 	remote = '185.103.96.130'
                  Oct 16 05:45:04 	openvpn 	99816 	local_port = '0'
                  Oct 16 05:45:04 	openvpn 	99816 	local = '192.168.1.14'
                  Oct 16 05:45:04 	openvpn 	99816 	proto = udp4
                  Oct 16 05:45:04 	openvpn 	99816 	Connection profiles [0]:
                  Oct 16 05:45:04 	openvpn 	99816 	connect_retry_max = 0
                  Oct 16 05:45:04 	openvpn 	99816 	show_tls_ciphers = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	key_pass_file = '[UNDEF]'
                  Oct 16 05:45:04 	openvpn 	99816 	genkey = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	show_engines = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	show_digests = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	show_ciphers = DISABLED
                  Oct 16 05:45:04 	openvpn 	99816 	mode = 0
                  Oct 16 05:45:04 	openvpn 	99816 	config = '/var/etc/openvpn/client1.conf'
                  Oct 16 05:45:04 	openvpn 	99816 	Current Parameter Settings: 
                  

                  And then another output when it automatically restarts:

                  Oct 16 05:49:25 	openvpn 	99960 	Restart pause, 40 second(s)
                  Oct 16 05:49:25 	openvpn 	99960 	SIGUSR1[soft,ping-restart] received, process restarting
                  Oct 16 05:49:25 	openvpn 	99960 	TCP/UDP: Closing socket
                  Oct 16 05:49:25 	openvpn 	99960 	[UNDEF] Inactivity timeout (--ping-restart), restarting
                  Oct 16 05:48:55 	openvpn 	99960 	UDPv4 link remote: [AF_INET]185.103.96.130:443
                  Oct 16 05:48:55 	openvpn 	99960 	UDPv4 link local (bound): [AF_INET]192.168.1.14:0
                  Oct 16 05:48:55 	openvpn 	99960 	Socket Buffers: R=[42080->524288] S=[57344->524288]
                  Oct 16 05:48:55 	openvpn 	99960 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
                  Oct 16 05:48:55 	openvpn 	99960 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
                  Oct 16 05:48:55 	openvpn 	99960 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
                  Oct 16 05:48:55 	openvpn 	99960 	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
                  Oct 16 05:48:55 	openvpn 	99960 	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
                  Oct 16 05:48:55 	openvpn 	99960 	Re-using SSL/TLS context
                  Oct 16 05:48:55 	openvpn 	99960 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
                  

                  Help would be much appreciated.

                  • pwood999

                    Have you tried the AirVPN community forums? I suspect you have something missing in the pfSense client settings.

                    If a phone can connect through PF, try a desktop OpenVPN and compare those logs to the PF client.

                    • JKnott, replying to @TheMetMan

                      @TheMetMan said in Howto Circumvent Double NAT:

                      The ISP Router so locked down I can pretty much do nothing.

                      Can the ISP put the modem in bridge mode? Call tech support and ask. I had to do that with the first modem I had.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • TheMetMan, replying to @JKnott

                        @pwood999 I have tried connecting from my laptop. Set verbosity to 5:

                        Fri Oct 16 11:51:25 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
                        Fri Oct 16 11:51:25 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
                        Fri Oct 16 11:51:25 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Fri Oct 16 11:51:25 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Fri Oct 16 11:51:25 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
                        Fri Oct 16 11:51:25 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
                        Fri Oct 16 11:51:25 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
                        Fri Oct 16 11:51:25 2020 UDP link local: (not bound)
                        Fri Oct 16 11:51:25 2020 UDP link remote: [AF_INET]185.103.96.130:443
                        Fri Oct 16 11:52:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                        Fri Oct 16 11:52:25 2020 TLS Error: TLS handshake failed
                        Fri Oct 16 11:52:25 2020 SIGUSR1[soft,tls-error] received, process restarting
                        Fri Oct 16 11:52:25 2020 Restart pause, 5 second(s)
                        

                        Nothing in my router logs is blocking anything with the address 185.103.96.130.
                        So I tried this:

                        nc -uvz 185.103.96.130 443
                        
                        Connection to 185.103.96.130 443 port [udp/https] succeeded!
                        

                        With regards to the pfSense VPN settings, I have had an exchange of mail with the chap who wrote the AirVPN for pfSense HowTo, sent him all my settings, and he can find nothing wrong with them. He thinks it is a double NAT problem, and is interested to hear what you experts have to say.

                        @JKnott I have contacted my ISP, and can get the modem changed so it can be put into Bridged Mode.
                        I think this is probably the easiest option.
                        I will report back when it is done for completeness.

                        Unless anyone has any other ideas.

                        • johnpoz, LAYER 8 Global Moderator

                          @TheMetMan said in Howto Circumvent Double NAT:

                          but tried another outfit with the same result,

                          To the same IP?

                          But this:
                          [UNDEF] Inactivity timeout (--ping-restart), restarting

                          says they are not answering ping - and the guide I looked up in 10 seconds shows it set to 0, or off.. And the default is off, I do believe.. Did you set a value there other than 0?

                          I would really suggest you get with their support if you're having issues.. Or their community, on how to set up pfSense with them..


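The two client logs posted above end on different timers, and that is the most useful fact in the thread. The pfSense client opens its UDP link at 05:48:55 and restarts at 05:49:25 with SIGUSR1[soft,ping-restart]: 30 seconds, exactly the ping_rec_timeout = 30 in its parameter dump, and --ping-restart only fires when no packet at all has been received from the remote in that window. The laptop client instead gives up after the 60 second TLS hand-window with SIGUSR1[soft,tls-error]. The logs also differ in how the control channel is wrapped (tls-crypt with SHA256 on pfSense, tls-auth with SHA1 on the laptop), which is worth comparing against what the chosen server endpoint expects. A UDP `nc -uvz` "succeeded" only means no ICMP port-unreachable came back, so it says nothing about whether the OpenVPN server accepted the packet; the client's own restart timers are better evidence. The script below is an added example, not code from this thread, from pfSense or from OpenVPN: it extracts those facts from a client log, accepts both the pfSense viewer's newest-first layout and stock OpenVPN's oldest-first layout, and reports which timer ended the attempt and whether the handshake ever completed. Its sample logs are constructed to mirror the posted lines, and the year 2020 used for the pfSense layout (which logs no year) is an assumption.

```python
"""Classify an OpenVPN client failure from its own log lines.

Added example for this thread: not code from the page, from pfSense or from
OpenVPN. For one connection attempt it reports what the client bound to and
sent to, how the control channel is wrapped (tls-auth / tls-crypt / none),
whether the TLS handshake completed, and which timer ended the attempt.
pfSense's log viewer prints newest-first, stock OpenVPN prints oldest-first;
both are accepted. The sample logs below are constructed to mirror the posts.
"""
import re
from datetime import datetime

# "Oct 16 05:49:25 \topenvpn \t99960 \tmsg" (pfSense viewer, no year) or
# "Fri Oct 16 11:52:25 2020 msg" (stock OpenVPN). Year 2020 is an assumption
# for the pfSense form; only differences between timestamps are used.
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} )?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})(?: (?P<year>\d{4}))?\s+"
    r"(?:openvpn\s+\d+\s+)?(?P<msg>.*\S)\s*$")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\]([\w.:]+):(\d+)")
BOUND_RE = re.compile(r"link local \(bound\): \[AF_INET6?\]([\w.:]+):\d+")
HASH_RE = re.compile(r"message hash '([\w-]+)'")
SIG_RE = re.compile(r"SIGUSR1\[soft,([\w-]+)\]")


def parse(log_text):
    """Return [(datetime, message)] in chronological order."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            stamp = f"{m['mon']} {m['day']} {m['time']} {m['year'] or '2020'}"
            events.append((datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m["msg"]))
    if events and events[0][0] > events[-1][0]:
        events.reverse()             # newest-first viewer output -> oldest-first
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second ordering
    return events


def diagnose(log_text):
    """Summarise one connection attempt as a dict of findings."""
    r = {"remote": None, "local_bound": None, "wrap": "none", "hash": None,
         "link_up": None, "handshake_ok": False, "restart_reason": None,
         "seconds_alive": None, "verdict": ""}
    for ts, msg in parse(log_text):
        if "Control Channel" in msg and "Using" in msg:
            # OpenVPN logs "Control Channel Encryption" for tls-crypt and
            # "Control Channel Authentication" for tls-auth
            r["wrap"] = "tls-crypt" if "Encryption" in msg else "tls-auth"
            h = HASH_RE.search(msg)
            if h:
                r["hash"] = h[1]
        elif m := REMOTE_RE.search(msg):
            r["remote"] = (m[1], int(m[2]))
            r["link_up"] = ts                      # --ping-restart timer starts here
        elif m := BOUND_RE.search(msg):
            r["local_bound"] = m[1]
        elif "Initialization Sequence Completed" in msg:
            r["handshake_ok"] = True
        elif m := SIG_RE.search(msg):
            r["restart_reason"] = m[1]
            if r["link_up"] is not None:
                r["seconds_alive"] = int((ts - r["link_up"]).total_seconds())
    if r["handshake_ok"]:
        r["verdict"] = ("tunnel came up; a later restart is a keepalive or "
                        "path problem, not a handshake problem")
    elif r["restart_reason"] == "tls-error":
        r["verdict"] = (f"no TLS reply within the {r['seconds_alive']} s hand-window: "
                        "packets are not reaching the server, or it is discarding "
                        "them (e.g. wrong tls-auth/tls-crypt key for this endpoint)")
    elif r["restart_reason"] == "ping-restart":
        r["verdict"] = (f"nothing received from the server for {r['seconds_alive']} s "
                        "after the UDP link opened; --ping-restart fired before the "
                        "handshake completed, same causes as a TLS timeout")
    else:
        r["verdict"] = "no restart in this window"
    return r


# Constructed samples modelled on the posted logs (not copied from them).
PFSENSE_SAMPLE = "\n".join([
    "Oct 16 05:49:25 \topenvpn \t99960 \tRestart pause, 40 second(s)",
    "Oct 16 05:49:25 \topenvpn \t99960 \tSIGUSR1[soft,ping-restart] received, process restarting",
    "Oct 16 05:49:25 \topenvpn \t99960 \t[UNDEF] Inactivity timeout (--ping-restart), restarting",
    "Oct 16 05:48:55 \topenvpn \t99960 \tUDPv4 link remote: [AF_INET]185.103.96.130:443",
    "Oct 16 05:48:55 \topenvpn \t99960 \tUDPv4 link local (bound): [AF_INET]192.168.1.14:0",
    "Oct 16 05:48:55 \topenvpn \t99960 \tIncoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication",
])
LAPTOP_SAMPLE = "\n".join([
    "Fri Oct 16 11:51:25 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication",
    "Fri Oct 16 11:51:25 2020 UDP link local: (not bound)",
    "Fri Oct 16 11:51:25 2020 UDP link remote: [AF_INET]185.103.96.130:443",
    "Fri Oct 16 11:52:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Fri Oct 16 11:52:25 2020 SIGUSR1[soft,tls-error] received, process restarting",
])
HEALTHY_SAMPLE = "\n".join([      # a session that came up, then lost keepalives
    "Fri Oct 16 12:00:00 2020 UDP link remote: [AF_INET]185.103.96.130:443",
    "Fri Oct 16 12:00:01 2020 Initialization Sequence Completed",
    "Fri Oct 16 12:10:31 2020 SIGUSR1[soft,ping-restart] received, process restarting",
])

if __name__ == "__main__":
    for name, text in (("pfSense", PFSENSE_SAMPLE), ("laptop", LAPTOP_SAMPLE),
                       ("healthy", HEALTHY_SAMPLE)):
        r = diagnose(text)
        print(f"{name}: wrap={r['wrap']}/{r['hash']} remote={r['remote']} "
              f"reason={r['restart_reason']} after {r['seconds_alive']} s -> {r['verdict']}")
```

Run it as-is to see the three verdicts, or pass a full verb 5 client log to `diagnose()`. A gap between link-up and restart that equals the client's ping-restart value, with no "Initialization Sequence Completed" in between, means the server never got a packet through to this client at all; that is the symptom to take to the VPN provider, together with the wrap mode and endpoint the script prints.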
                          • TheMetMan, replying to @johnpoz

                            @johnpoz OK, I will put my problem to them and see what they say.
                            Regards

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.