PIA OpenVPN Unable to Contact Daemon (Solution?)
-
I started with pfSense 2.2.4. PIA was configured using the guide posted on the author's website and on this forum. OpenVPN issues began after upgrading to 2.3.1 from 2.3. Client was not running when viewed from Dashboard yet PIA service was running. It was a lesson in futility using the GUI to restart the service. Rebooting pfSense and resetting the cable modem (several times :() did not resolve the issue. I searched and found the following links:
https://forum.pfsense.org/index.php?topic=80348.msg438242#msg438242
https://forum.pfsense.org/index.php?topic=69366
I logged into the GUI, Diagnostics=>Command Prompt, Execute Shell Command
ps auxww | grep openvpn
Click on 'Execute' and the result
root 92027 12.4 0.1 21624 5904 - Ss 2:37PM 45:00.97 /usr/local/sbin/openvpn --config /var/etc/openvpn/client1.conf
root 65280 0.0 0.0 17000 2512 - S 8:40PM 0:00.00 sh -c ps auxww | grep openvpn 2>&1
root 65643 0.0 0.0 18740 2252 - S 8:40PM 0:00.00 grep openvpn
Another Execute Shell Command to kill process (first number)
kill -9 92027
Go to VPN=>OpenVPN=>Clients, click on the bar graph (related status), and Restart service (arrow). Websites were either slow or timed out yet the OpenVPN service was up.
Reviewing OpenVPN log
May 30 00:48:32 openvpn 33558 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
May 30 00:48:32 openvpn 33558 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Reviewing OpenVPN client settings (VPNOpen=>VPN=>Clients=>Edit) the following changes were made:
Tunnel Settings=>Compression changed to Disabled - No Compression from 'No Preference' (original pfSense PIA guide has checked, Compress tunnel packets using the LZO algorithm)
Advanced Configuration=>Verbosity level changed to 3 (recommended) from default
No warnings about link-mtu and comp-lzo in either OpenVPN or System log. Most websites load faster however some continue to lag. If settings are incorrect or should be changed then please post response.
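The two manual steps in the post above (reading `ps auxww` to find the daemon PID, then reading the OpenVPN log for option-mismatch warnings) are easy to get wrong by eye: the `grep` and the `sh -c` wrapper also match "openvpn", and the `link-mtu` warning is a consequence of the `comp-lzo` warning, since LZO framing adds exactly one byte to the link MTU. The following Python script is an added example, not code from the post or from pfSense; it parses the post's own output (embedded here as constructed sample strings) and the function names `openvpn_daemons`, `option_mismatches` and `explain` are my own.

```python
import re

# Constructed sample: the `ps auxww | grep openvpn` output quoted above,
# one process per line (BSD ps prints 10 fixed columns, then COMMAND).
PS_OUTPUT = """\
root 92027 12.4 0.1 21624 5904 - Ss 2:37PM 45:00.97 /usr/local/sbin/openvpn --config /var/etc/openvpn/client1.conf
root 65280 0.0 0.0 17000 2512 - S 8:40PM 0:00.00 sh -c ps auxww | grep openvpn 2>&1
root 65643 0.0 0.0 18740 2252 - S 8:40PM 0:00.00 grep openvpn
"""

# Constructed sample: the two warnings quoted from the OpenVPN log above.
WARNING_LINES = [
    "May 30 00:48:32 openvpn 33558 WARNING: 'link-mtu' is used inconsistently, "
    "local='link-mtu 1569', remote='link-mtu 1570'",
    "May 30 00:48:32 openvpn 33558 WARNING: 'comp-lzo' is present in remote config "
    "but missing in local config, remote='comp-lzo'",
]


def openvpn_daemons(ps_text):
    """Map each --config path to the PID of the openvpn daemon running it.

    Only processes whose executable is openvpn count; the `grep` and the
    `sh -c` wrapper also contain the word 'openvpn' and are skipped, so the
    PID returned is the one that is safe to signal.
    """
    daemons = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 10)          # 10 fixed columns + COMMAND
        if len(fields) < 11:
            continue
        pid, argv = int(fields[1]), fields[10].split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "openvpn":
            continue
        config = "(no --config)"
        if "--config" in argv and argv.index("--config") + 1 < len(argv):
            config = argv[argv.index("--config") + 1]
        daemons[config] = pid
    return daemons


RE_INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
RE_MISSING = re.compile(
    r"WARNING: '([^']+)' is present in (remote|local) config but missing in (remote|local) config")


def option_mismatches(lines):
    """Reduce OpenVPN option-consistency warnings to (option, local, remote).

    A side that lacks the option entirely is reported as None, so the caller
    can tell 'different value' from 'missing on one end'.
    """
    mismatches = []
    for line in lines:
        m = RE_INCONSISTENT.search(line)
        if m:
            mismatches.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = RE_MISSING.search(line)
        if m:
            option, present_on, _ = m.groups()
            mismatches.append((option,
                               option if present_on == "local" else None,
                               option if present_on == "remote" else None))
    return mismatches


def explain(mismatches):
    """One-line hint per mismatch. A link-mtu that differs by exactly one byte
    alongside a comp-lzo mismatch is the LZO framing byte, not an MTU problem."""
    options = {m[0] for m in mismatches}
    hints = []
    for option, local, remote in mismatches:
        if option == "link-mtu":
            lv, rv = int(local.split()[-1]), int(remote.split()[-1])
            if abs(lv - rv) == 1 and "comp-lzo" in options:
                hints.append("link-mtu differs by 1 byte: caused by the comp-lzo mismatch, fix that first")
            else:
                hints.append(f"link-mtu local={lv} remote={rv}: align tunnel MTU/fragment settings")
        elif option == "comp-lzo":
            hints.append("compression configured on only one end: set both sides the same")
        else:
            hints.append(f"{option}: local={local!r} remote={remote!r}")
    return hints


if __name__ == "__main__":
    for config, pid in openvpn_daemons(PS_OUTPUT).items():
        print(f"daemon pid {pid} for {config}")
    for hint in explain(option_mismatches(WARNING_LINES)):
        print(hint)
```

Run against the post's output it reports a single daemon, PID 92027 for client1.conf, and tells you that the MTU warning will disappear once the compression setting matches the server, which is what the OP observed after changing the Compression setting.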
-
My solution was reset to factory defaults and properly configure PIA. I initially configured PIA on 2.2.4. Encryption was changed to AES-256-CBC from AES-128-CBC when it was available. I noticed differences in internet access after upgrading to 2.3.1_x from 2.3. PIA appeared to be functional but upgrade exposed deficiencies :(
OP hasn't updated guide however it is helpful.
The 'Create Password File' section is unnecessary because username and password are in OpenVPN->Client section, User Authentication Settings.
Server Port = 1196 not 1194 because I'm using AES-128-CBC(128-bit) not BF-CBC(128-bit) encryption. Auth digest algorithm is SHA1(160-bit) not SHA(160-bit).
Compression is 'Enabled with Adaptive Compression'. I previously had enabled 'No Preference'.
I verified service was functioning from Status->System Logs->OpenVPN.
Jun 2 06:47:14 openvpn 86098 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Jun 2 06:47:14 openvpn 86098 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Jun 2 06:47:14 openvpn 86098 WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Jun 2 06:47:14 openvpn 86873 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jun 2 06:47:14 openvpn 86873 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 2 06:47:14 openvpn 86873 Initializing OpenSSL support for engine 'cryptodev'
Jun 2 06:47:14 openvpn 86873 LZO compression initialized
Jun 2 06:47:14 openvpn 86873 Control Channel MTU parms [ L:1558 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jun 2 06:47:14 openvpn 86873 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jun 2 06:47:15 openvpn 86873 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Jun 2 06:47:15 openvpn 86873 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jun 2 06:47:15 openvpn 86873 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jun 2 06:47:15 openvpn 86873 Local Options hash (VER=V4): '66096c33'
Jun 2 06:47:15 openvpn 86873 Expected Remote Options hash (VER=V4): '691e95c7'
Jun 2 06:47:15 openvpn 86873 UDPv4 link local (bound): [AF_INET]76.94.96.149
Jun 2 06:47:15 openvpn 86873 UDPv4 link remote: [AF_INET]198.8.80.48:1196
Jun 2 06:47:15 openvpn 86873 TLS: Initial packet from [AF_INET]198.8.80.48:1196, sid=78bfb619 f2a4da17
Jun 2 06:47:15 openvpn 86873 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 2 06:47:15 openvpn 86873 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Jun 2 06:47:15 openvpn 86873 Validating certificate key usage
Jun 2 06:47:15 openvpn 86873 ++ Certificate has key usage 00a0, expects 00a0
Jun 2 06:47:15 openvpn 86873 VERIFY KU OK
Jun 2 06:47:15 openvpn 86873 Validating certificate extended key usage
Jun 2 06:47:15 openvpn 86873 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 2 06:47:15 openvpn 86873 VERIFY EKU OK
Jun 2 06:47:15 openvpn 86873 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 2 06:47:15 openvpn 86873 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 2 06:47:15 openvpn 86873 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 2 06:47:15 openvpn 86873 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 2 06:47:15 openvpn 86873 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 2 06:47:15 openvpn 86873 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jun 2 06:47:15 openvpn 86873 [Private Internet Access] Peer Connection Initiated with [AF_INET]198.8.80.48:1196
Jun 2 06:47:17 openvpn 86873 SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
Jun 2 06:47:17 openvpn 86873 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.100.4.1,topology net30,ifconfig 10.100.4.6 10.100.4.5'
Jun 2 06:47:17 openvpn 86873 OPTIONS IMPORT: timers and/or timeouts modified
Jun 2 06:47:17 openvpn 86873 OPTIONS IMPORT: LZO parms modified
Jun 2 06:47:17 openvpn 86873 OPTIONS IMPORT: --ifconfig/up options modified
Jun 2 06:47:17 openvpn 86873 OPTIONS IMPORT: route options modified
Jun 2 06:47:17 openvpn 86873 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jun 2 06:47:17 openvpn 86873 ROUTE_GATEWAY xxx.xxx.xxx.xxx
Jun 2 06:47:17 openvpn 86873 TUN/TAP device ovpnc1 exists previously, keep at program end
Jun 2 06:47:17 openvpn 86873 TUN/TAP device /dev/tun1 opened
Jun 2 06:47:17 openvpn 86873 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jun 2 06:47:17 openvpn 86873 /sbin/ifconfig ovpnc1 10.100.4.6 10.100.4.5 mtu 1500 netmask 255.255.255.255 up
Jun 2 06:47:17 openvpn 86873 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.100.4.6 10.100.4.5 init
Jun 2 06:47:17 openvpn 86873 /sbin/route add -net 198.8.80.48 xxx.xxx.xxx.xxx 255.255.255.255
Jun 2 06:47:17 openvpn 86873 /sbin/route add -net 0.0.0.0 10.100.4.5 128.0.0.0
Jun 2 06:47:17 openvpn 86873 /sbin/route add -net 128.0.0.0 10.100.4.5 128.0.0.0
Jun 2 06:47:17 openvpn 86873 /sbin/route add -net 10.100.4.1 10.100.4.5 255.255.255.255
Jun 2 06:47:17 openvpn 86873 Initialization Sequence Completed
The following error message will occasionally appear
Jun 2 05:53:47 openvpn 6863 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000000000000000000000000000000000000000000000000000000000] 0:9741 0:9740 t=1464872027[0] r=[-1,64,15,1,1] sl=[51,64,64,528]
Jun 2 05:54:29 openvpn 6863 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jun 2 05:54:29 openvpn 6863 MANAGEMENT: CMD 'state 1'
Jun 2 05:54:29 openvpn 6863 MANAGEMENT: CMD 'status 2'
Jun 2 05:54:29 openvpn 6863 MANAGEMENT: Client disconnected
This error is prompted by network congestion and latency when using UDP. Packets are either dropped or received by the server in the wrong order. The issue could be resolved by switching to TCP, but it's slower than UDP.
I highly recommend troubleshooting without either distractions or time constraints. I should have heeded my own advice because it was trial and more error.
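The log excerpt in the post above says more than "the service is up": it records which CA chain was verified, which cipher and HMAC the data channel negotiated, which TLS version the control channel uses, which DNS servers and routes the provider pushed, and two security warnings (a world-readable credential file and passwords cached in memory), while the PID_ERR line is the replay-window event the post explains. The Python script below is an added example, not code from the post or from pfSense/OpenVPN: it reduces a constructed subset of those log lines (taken from the post, one per line) to a summary and runs a defender's checklist over it. The function names `summarize` and `review` and the summary keys are my own design.

```python
import re

# Constructed sample: a subset of the lines quoted from the post's OpenVPN log
# (one per line), plus the PID_ERR line from the post's second excerpt.
LOG = """\
Jun 2 06:47:14 openvpn 86098 WARNING: file '/etc/openvpn-password.txt' is group or others accessible
Jun 2 06:47:15 openvpn 86873 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 2 06:47:15 openvpn 86873 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Jun 2 06:47:15 openvpn 86873 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 2 06:47:15 openvpn 86873 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 2 06:47:15 openvpn 86873 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 2 06:47:15 openvpn 86873 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jun 2 06:47:17 openvpn 86873 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.100.4.1,topology net30,ifconfig 10.100.4.6 10.100.4.5'
Jun 2 06:47:17 openvpn 86873 Initialization Sequence Completed
Jun 2 05:53:47 openvpn 6863 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_000] 0:9741 0:9740 t=1464872027[0] r=[-1,64,15,1,1] sl=[51,64,64,528]
"""

RE_CIPHER = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
RE_AUTH = re.compile(r"Data Channel Encrypt: Using (\d+) bit message hash '([^']+)' for HMAC")
RE_CONTROL = re.compile(r"Control Channel: (\S+), cipher (.+), (\d+) bit RSA")
RE_VERIFY = re.compile(r"VERIFY OK: depth=(\d+), (.*)")
RE_CN = re.compile(r"\bCN=([^,]+)")
RE_PUSH = re.compile(r"PUSH_REPLY,(.*)'")
RE_WARNING = re.compile(r"WARNING: (.*)")


def summarize(log_text):
    """Extract the facts a reviewer wants from one OpenVPN client session log."""
    s = {"cipher": None, "auth": None, "control": None, "chain": [],
         "pushed_dns": [], "redirect_gateway": False, "warnings": [],
         "replay_backtracks": 0, "completed": False}
    for line in log_text.splitlines():
        if m := RE_CIPHER.search(line):
            s["cipher"] = (m.group(1), int(m.group(2)))          # e.g. ('AES-128-CBC', 128)
        elif m := RE_AUTH.search(line):
            s["auth"] = (m.group(2), int(m.group(1)))            # e.g. ('SHA1', 160)
        elif m := RE_CONTROL.search(line):
            s["control"] = (m.group(1), m.group(2), int(m.group(3)))
        elif m := RE_VERIFY.search(line):
            cn = RE_CN.search(m.group(2))                         # (depth, CN) per verified cert
            s["chain"].append((int(m.group(1)), cn.group(1) if cn else "?"))
        elif m := RE_PUSH.search(line):
            for opt in m.group(1).split(","):                    # options the server pushed
                words = opt.split()
                if words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
                    s["pushed_dns"].append(words[2])
                elif words and words[0] == "redirect-gateway":
                    s["redirect_gateway"] = True
        elif m := RE_WARNING.search(line):
            s["warnings"].append(m.group(1))
        elif "PID_ERR replay-window backtrack" in line:
            s["replay_backtracks"] += 1
        elif "Initialization Sequence Completed" in line:
            s["completed"] = True
    return s


def review(s):
    """Defender's checklist: is the tunnel actually what the dashboard implies?"""
    findings = []
    if not s["completed"]:
        findings.append("tunnel never reached 'Initialization Sequence Completed'")
    if not any(depth == 0 for depth, _ in s["chain"]):
        findings.append("server certificate was not verified against the CA")
    for w in s["warnings"]:
        if "group or others accessible" in w:
            findings.append("credential file is readable by other local users: restrict it to the owner (mode 0600)")
        if "auth-nocache" in w:
            findings.append("credentials stay cached in daemon memory; auth-nocache clears them after use")
    if s["control"] and s["control"][0] in ("TLSv1", "TLSv1.1"):
        findings.append(f"control channel negotiated {s['control'][0]}; prefer TLS 1.2 or newer where the provider supports it")
    if s["pushed_dns"]:
        findings.append("provider pushed DNS " + ", ".join(s["pushed_dns"]) + ": confirm which resolver the firewall really uses")
    if s["replay_backtracks"]:
        findings.append(f"{s['replay_backtracks']} replay-window backtrack event(s): out-of-order UDP delivery, "
                        "expected under congestion and not by itself a sign of tampering")
    return findings


if __name__ == "__main__":
    summary = summarize(LOG)
    print("data channel:", summary["cipher"], summary["auth"], "control:", summary["control"])
    for finding in review(summary):
        print("-", finding)
```

On the post's log this confirms the chain was verified down to the server certificate (depth 1 then depth 0) and the data channel really is AES-128-CBC with SHA1 HMAC, then flags the readable password file, the TLSv1 control channel and the single replay-window backtrack, each with the mitigation or the reason it is benign.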
-
My solution was 1) reinstall pfSense 2.24, 2) observe browsing and website response, 3) allow program to download and install current version. Repeat Step 2. Install security update 2.3.1_1. Repeat Step 2. PIA was configured per guide and modified instructions. Repeat Step 2.
I can't describe it yet browsing 'feels' normal before upgrade to 2.3.
Initial upgrade to 2.3.1 from 2.2.6 failed. IIRC it required 3 attempts. I didn't realize it but there were big changes to 2.3 from 2.2.x.
IMO OpenVPN issues were triggered by incremental updates that did not properly address PHP.
Suggest reinstalling previous pfSense without configuring OpenVPN. Allow program to download and install current version, install security update(s), and configure OpenVPN.
Hope this helps.