Right config with HMA openVpn config

smalldragoon

@viragomann
Hi Again ;-) , found 2 things :

1 - port have changes ( now use 8080 for TCP and 553 for UDP )
2 - TCP config is not working as UDP works

I trying now to redirect all traffic from only 1 IP from my LAN, following this French tutorial, but for now, I have weird behavior ( ping works but as soon as I do something else, I have nothing, and ping stops working )

ref : [https://vdupain.github.io/network/2013/09/24/configurer-un-client-openvpn-vers-hidemyass-hma-sous-pfsense/](link url)

But this is another topic, will create a new thread if I still get stucked. I'm cleaning all my tests now ;-) ... to restart on clean basis

Here are the VPN logs

Aug 10 21:56:09 	openvpn 	49089 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Aug 10 21:56:02 	openvpn 	49089 	Initialization Sequence Completed
Aug 10 21:56:02 	openvpn 	49089 	/usr/local/sbin/ovpn-linkup ovpnc2 1500 1625 100.120.23.60 255.255.254.0 init
Aug 10 21:56:02 	openvpn 	49089 	/sbin/ifconfig ovpnc2 inet6 -ifdisabled
Aug 10 21:56:01 	openvpn 	49089 	/sbin/ifconfig ovpnc2 inet6 2001:db8:123::2/64 mtu 1500 up
Aug 10 21:56:01 	openvpn 	49089 	/sbin/route add -net 100.120.22.0 100.120.22.1 255.255.254.0
Aug 10 21:56:01 	openvpn 	49089 	/sbin/ifconfig ovpnc2 100.120.23.60 100.120.22.1 mtu 1500 netmask 255.255.254.0 up
Aug 10 21:56:01 	openvpn 	49089 	TUN/TAP device /dev/tun2 opened
Aug 10 21:56:01 	openvpn 	49089 	TUN/TAP device ovpnc2 exists previously, keep at program end
Aug 10 21:56:00 	openvpn 	49089 	/usr/local/sbin/ovpn-linkdown ovpnc2 1500 1625 100.120.48.147 255.255.254.0 init
Aug 10 21:56:00 	openvpn 	49089 	Closing TUN/TAP interface
Aug 10 21:56:00 	openvpn 	49089 	NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Aug 10 21:56:00 	openvpn 	49089 	Preserving previous TUN/TAP instance: ovpnc2
Aug 10 21:56:00 	openvpn 	49089 	Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 10 21:56:00 	openvpn 	49089 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 10 21:56:00 	openvpn 	49089 	Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 10 21:56:00 	openvpn 	49089 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 10 21:56:00 	openvpn 	49089 	Using peer cipher 'AES-256-CBC'
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: adjusting link_mtu to 1625
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: peer-id set
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: route-related options modified
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: --ifconfig/up options modified
Aug 10 21:56:00 	openvpn 	49089 	Socket Buffers: R=[196608->196608] S=[196608->196608]
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: compression parms modified
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: explicit notify parm(s) modified
Aug 10 21:56:00 	openvpn 	49089 	OPTIONS IMPORT: timers and/or timeouts modified
Aug 10 21:56:00 	openvpn 	49089 	Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Aug 10 21:56:00 	openvpn 	49089 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Aug 10 21:56:00 	openvpn 	49089 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Aug 10 21:56:00 	openvpn 	49089 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Aug 10 21:56:00 	openvpn 	49089 	PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 100.120.22.1,redirect-gateway def1,ping 9,ping-restart 30,explicit-exit-notify 1,sndbuf 196608,rcvbuf 196608,route-gateway 100.120.22.1,topology subnet,redirect-gateway def1,ifconfig-ipv6 2001:db8:123::2/64 2001:db8:123::1,route-ipv6 2000::/3 2001:db8:123::1,explicit-exit-notify 2,compress,ifconfig 100.120.23.60 255.255.254.0,peer-id 15'
Aug 10 21:56:00 	openvpn 	49089 	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Aug 10 21:55:59 	openvpn 	49089 	[server] Peer Connection Initiated with [AF_INET]5.62.20.34:553
Aug 10 21:55:59 	openvpn 	49089 	Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug 10 21:55:59 	openvpn 	49089 	WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Aug 10 21:55:59 	openvpn 	49089 	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Aug 10 21:55:59 	openvpn 	49089 	VERIFY OK: depth=0, C=UK, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=server, emailAddress=info@privax.com
Aug 10 21:55:59 	openvpn 	49089 	VERIFY OK: nsCertType=SERVER
Aug 10 21:55:59 	openvpn 	49089 	VERIFY OK: depth=1, C=UK, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=hidemyass.com, emailAddress=info@privax.com
Aug 10 21:55:59 	openvpn 	49089 	VERIFY WARNING: depth=1, unable to get certificate CRL: C=UK, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=hidemyass.com, emailAddress=info@privax.com
Aug 10 21:55:59 	openvpn 	49089 	VERIFY WARNING: depth=0, unable to get certificate CRL: C=UK, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=server, emailAddress=info@privax.com
Aug 10 21:55:59 	openvpn 	49089 	TLS: Initial packet from [AF_INET]5.62.20.34:553, sid=8110a782 31a7c483
Aug 10 21:55:59 	openvpn 	49089 	UDPv4 link remote: [AF_INET]5.62.20.34:553
Aug 10 21:55:59 	openvpn 	49089 	UDPv4 link local (bound): [AF_INET]:0
Aug 10 21:55:59 	openvpn 	49089 	Socket Buffers: R=[42080->196608] S=[57344->196608]
Aug 10 21:55:59 	openvpn 	49089 	TCP/UDP: Preserving recently used remote address: [AF_INET]5.62.20.34:553
Aug 10 21:55:59 	openvpn 	49089 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 10 21:55:59 	openvpn 	49089 	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Aug 10 21:55:49 	openvpn 	49089 	Restart pause, 10 second(s)

viragomann

@smalldragoon
So the client is already up as shown in the screen.
Also the log lookw well, but there won't no traffic pass the tunnel, since you might have set route-nopull.

BTW: the log shows your public IP. Should hide it.

smalldragoon

@viragomann
Well, in the tutorial, it says to put this option as HMA use the replace gateway .
I have create a rule, in Lan which says

SRC : 1 IP address
port all
Dest ALL
and in advanced, I changed the GW , to the GW created by VPN.
If I reboot the PFsense, it works for ping, then .. if I do anything else, everythins stops working ( including ping )

viragomann

@smalldragoon
Yeah, route-nopull is the correct setting to avoid get pushed the default route and do policy routing instead.

Consider that the policy routing rule does not allow any internal traffic from the source IP, cause it directs any packet to the VPN gateway. This also applies for DNS.

Hence you have either use a public DNS on the concerned device or maybe redirect DNS on pfSense to a public server and direct this one over the VPN (both helps to avoide DNS leaking), or you add an additional firewall rule above of the policy to allow internal access (without the gateway stated).

smalldragoon

@viragomann
Well, maybe I'm missing something
I did this anyway, with the hidden IP being my LAN computer IP

Resolution works ( as per the rules created using normal GW ) , but nothing else ....

viragomann

@smalldragoon
Interestingly both rules don't show any traffic.
Could it be that there is another rule matching the traffic from the client before? Maybe a floating rule or one on an interface group which LAN is belonging to.

To analyze I'd enable logging in the rule and add a proper description. So you can see in the firewall log, if the rules are applied.

smalldragoon

@viragomann
Well, no groups of rules, my setup is pretty basic :

I have this setup for the HMA interface ?

smalldragoon

@viragomann seems that the rules a default rule is triggered ? I don't have one ...

viragomann

@smalldragoon said in Right config with HMA openVpn config:

I have this setup for the HMA interface ?

This rule only allows incoming traffic on the VPN. You do not need any rule here for outgoing connections.
The same is true for the OpenVPN tab.

No idea why you traffic doesn't flow. Could be due to wrong settings in the OpenVPN client.
The tutorials you quoted are very old. The shown Advanced settings are deprecated and shouldn't be use anymore. Most of them can be set in the GUI nowadays or are default values.
You shouldn't use the showed settings. Simply follow the specifications of the provider and set it in the GUI. Only set / change options which are mentioned in the guidelines.

viragomann

@smalldragoon
One thought came up: Did you add an outbound NAT rule for the VPN?

smalldragoon

@viragomann
Well no, was not mentionned in the Tutorial and I assume it is the HMA server wich is doing the NAT at the end ?
they say here to change to manual outbound NAT, AON but that's all :

viragomann

@smalldragoon said in Right config with HMA openVpn config:

was not mentionned in the Tutorial and I assume it is the HMA server wich is doing the NAT at the end ?

Might not be the best tutorials.
However, the screen shows two HMA rules.

Anyway, it will not work without that.

But switch the Outbound NAT into the hybrid mode and save it.
Then add a rule:
interface: <your VPN interface>
Source: LAN, or only the IPs (alias) you need
dest.: any
translation: interface address

smalldragoon

@viragomann
switch to hybrid , done
Created as 1st rule :

Where the hidden value is my LAN computer for tests
Still nothing :(

viragomann

@smalldragoon
Try a simple ping to a public IP like 8.8.8.8 on the client, while taking a packet capture on the VPN interface to see, what's going on.

smalldragoon

@viragomann
Hi, I rechecked evrything and followed one of your advice, to check VPN .. found that ( 2 first line , other to give conext ):

Aug 13 14:51:30 	openvpn 	72184 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Aug 13 14:51:21 	openvpn 	72184 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Aug 13 14:51:18 	openvpn 	72184 	MANAGEMENT: Client disconnected
Aug 13 14:51:18 	openvpn 	72184 	MANAGEMENT: CMD 'status 2'
Aug 13 14:51:18 	openvpn 	72184 	MANAGEMENT: CMD 'state 1'
Aug 13 14:51:18 	openvpn 	72184 	MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Aug 13 14:51:13 	openvpn 	72184 	Initialization Sequence Completed
Aug 13 14:51:13 	openvpn 	72184 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 13 14:51:13 	openvpn 	72184 	/usr/local/sbin/ovpn-linkup ovpnc2 1500 1624 100.120.41.81 255.255.255.0 init
Aug 13 14:51:13 	openvpn 	72184 	/sbin/ifconfig ovpnc2 inet6 -ifdisabled
Aug 13 14:51:12 	openvpn 	72184 	/sbin/ifconfig ovpnc2 inet6 2001:db8:123::2/64 mtu 1500 up
Aug 13 14:51:12 	openvpn 	72184 	/sbin/route add -net 100.120.41.0 100.120.41.1 255.255.255.0
Aug 13 14:51:12 	openvpn 	72184 	/sbin/ifconfig ovpnc2 100.120.41.81 100.120.41.1 mtu 1500 netmask 255.255.255.0 up
Aug 13 14:51:12 	openvpn 	72184 	TUN/TAP device /dev/tun2 opened
Aug 13 14:51:12 	openvpn 	72184 	TUN/TAP device ovpnc2 exists previously, keep at program end
Aug 13 14:51:12 	openvpn 	72184 	Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 13 14:51:12 	openvpn 	72184 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 13 14:51:12 	openvpn 	72184 	Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 13 14:51:12 	openvpn 	72184 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 13 14:51:12 	openvpn 	72184 	Using peer cipher 'AES-256-CBC'
Aug 13 14:51:12 	openvpn 	72184 	OPTIONS IMPORT: adjusting link_mtu to 1624
Aug 13 14:51:12 	openvpn 	72184 	OPTIONS IMPORT: peer-id set
Aug 13 14:51:12 	openvpn 	72184 	OPTIONS IMPORT: route-related options modified

searched on google, seams related to TLS auth, which is not and must not be activated ... any insight ?
Thx

viragomann

@smalldragoon
Possibly something wrong in the client configuration.

I already already advised to take the providers requirements for reference and set up all in the GUI instead obeying these age-old tutorials.
Since I whether know these nor your current configuration, I cannot contribute.

smalldragoon

@viragomann
Sorry, I though I would have said.
Provider is not advising really anything.
Ihave the .opvn files , that's all .
That's why I tried other sources

viragomann

@smalldragoon said in Right config with HMA openVpn config:

Ihave the .opvn files , that's all .

That may be all you need to configure the OpenVPN client accordingly.
If it uses TLS and there are certs inside, you have to extract them and import it in pfSense.

smalldragoon

@viragomann , first, thanks again for your help and support on this.
for all and benefit of the forum :

Took me a long time to figure out , as there was several issues ,
I bypass all tests done going to outcome
1 - my hardware was not strong enough : changes where not applied properly all the time - > this is why I had non consistent behaviors ( I set manually the "Firewall Maximum Table Entries", so apparently no error, but all changes were not applied)
Solution to this 1st point : ordered a new box ( that's why it took some time to get it from china ... )

2 - I had duplicate ranges in my IP's ( the one assigned by VPN was another one as well on another link of my FW )

Having solved these 2, I have the VPN connection created, stable with a GW defined.
In the meantime, I have in the new box a wifi connection, that I 'm gonna use as fail-over solution. I will be able to make tests unlink from the VPN, and see if now I encounter the same problems

Thanks