Need help getting VPN software through network



  • Hi All,

    I have been at this for days and crashed the firewall twice, and for the life of me I can not get my girlfriend's VPN software through my pfSense server. I have tried their OpenVPN setup but can only get UDP to work, and then it will not let traffic through. So I have opened up and linked subnets, but there is something I'm not doing right.  :-[

    Can anyone point me to a tutorial or post on the forums to help me out?

    Fail error I get if I set her VPN up on a Windows PC: her software comes up with error codes. I asked them what they meant; basically the same as the pic below.
    Image: http://i380.photobucket.com/albums/oo241/SprinterOz/VPN-Fail.jpg

    This is my network layout if that helps any.

    Thanks for your time


  • Rebel Alliance Global Moderator

    There is no network layout below.  And what VPN software is she running?  What is the VPN protocol, is it SSL based, IPsec, L2TP, PPTP, what?

    I run multiple VPNs through pfSense, OpenVPN and work which is L2TP based.  With zero having to be done on pfSense for these to work..  Are you running any sort of packages like Snort or a proxy that could interfere with your traffic?  Have you modified the default LAN rules which are any any?  Or it seems like you might have multiple network segments - so what are the rules on that interface?  Guessing she is connected to your network via wifi??  Are you using a captive portal? etc. etc..  Without details it's impossible to try and help you other than point to PEBKAC as your problem.. Which most likely is it anyway ;)

    So she is using OpenVPN.. That will work out of the box for sure.. Be it UDP or TCP unless you have modified the default any any rules.  So what is the log of her connection?  Example..

    Here is an OpenVPN connection to one of my VPS through pfSense

    
    Fri Feb 10 07:35:19 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
    Fri Feb 10 07:35:19 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Fri Feb 10 07:35:19 2017 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
    Enter Management Password:
    Fri Feb 10 07:35:19 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25345
    Fri Feb 10 07:35:19 2017 Need hold release from management interface, waiting...
    Fri Feb 10 07:35:19 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25345
    Fri Feb 10 07:35:19 2017 MANAGEMENT: CMD 'state on'
    Fri Feb 10 07:35:19 2017 MANAGEMENT: CMD 'log all on'
    Fri Feb 10 07:35:19 2017 MANAGEMENT: CMD 'hold off'
    Fri Feb 10 07:35:19 2017 MANAGEMENT: CMD 'hold release'
    Fri Feb 10 07:35:19 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Feb 10 07:35:19 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Feb 10 07:35:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]104.244.[snipped]:1194
    Fri Feb 10 07:35:19 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Feb 10 07:35:19 2017 UDP link local: (not bound)
    Fri Feb 10 07:35:19 2017 UDP link remote: [AF_INET]104.244.72.65:1194
    Fri Feb 10 07:35:19 2017 MANAGEMENT: >STATE:1486733719,WAIT,,,,,,
    Fri Feb 10 07:35:19 2017 MANAGEMENT: >STATE:1486733719,AUTH,,,,,,
    Fri Feb 10 07:35:19 2017 TLS: Initial packet from [AF_INET]104.244.[snipped]:1194, sid=b5e6641a d6c29ac2
    Fri Feb 10 07:35:20 2017 VERIFY OK: depth=1, CN=OpenVPN CA
    Fri Feb 10 07:35:20 2017 VERIFY OK: nsCertType=SERVER
    Fri Feb 10 07:35:20 2017 VERIFY OK: depth=0, CN=OpenVPN Server
    Fri Feb 10 07:35:20 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Fri Feb 10 07:35:20 2017 [OpenVPN Server] Peer Connection Initiated with [AF_INET]104.244.[snipped]:1194
    Fri Feb 10 07:35:21 2017 MANAGEMENT: >STATE:1486733721,GET_CONFIG,,,,,,
    Fri Feb 10 07:35:21 2017 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
    Fri Feb 10 07:35:22 2017 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 107.189.0.68,dhcp-option DNS 107.189.0.69,register-dns,block-ipv6,ifconfig 172.27.232.2 255.255.248.0'
    Fri Feb 10 07:35:22 2017 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
    Fri Feb 10 07:35:22 2017 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.4.0)
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: explicit notify parm(s) modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: compression parms modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: route options modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: route-related options modified
    Fri Feb 10 07:35:22 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri Feb 10 07:35:22 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Feb 10 07:35:22 2017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Feb 10 07:35:22 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Feb 10 07:35:22 2017 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Feb 10 07:35:22 2017 interactive service msg_channel=448
    Fri Feb 10 07:35:22 2017 ROUTE_GATEWAY 192.168.9.253/255.255.255.0 I=13 HWADDR=18:03:73:b1:0d:d3
    Fri Feb 10 07:35:22 2017 open_tun
    Fri Feb 10 07:35:22 2017 TAP-WIN32 device [Ethernet] opened: \\.\Global\{DBD8F68C-3D77-4181-93AC-8D04B4647278}.tap
    Fri Feb 10 07:35:22 2017 TAP-Windows Driver Version 9.21 
    Fri Feb 10 07:35:22 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.232.0/172.27.232.2/255.255.248.0 [SUCCEEDED]
    Fri Feb 10 07:35:22 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.27.232.2/255.255.248.0 on interface {DBD8F68C-3D77-4181-93AC-8D04B4647278} [DHCP-serv: 172.27.239.254, lease-time: 31536000]
    Fri Feb 10 07:35:22 2017 Successful ARP Flush on interface [15] {DBD8F68C-3D77-4181-93AC-8D04B4647278}
    Fri Feb 10 07:35:22 2017 TAP: DHCP address released
    Fri Feb 10 07:35:25 2017 TAP: DHCP address renewal succeeded
    Fri Feb 10 07:35:25 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Fri Feb 10 07:35:25 2017 MANAGEMENT: >STATE:1486733725,ASSIGN_IP,,172.27.232.2,,,,
    Fri Feb 10 07:35:30 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
    Fri Feb 10 07:35:30 2017 ROUTE remote_host is NOT LOCAL
    Fri Feb 10 07:35:30 2017 C:\Windows\system32\route.exe ADD 104.244[snipped] MASK 255.255.255.255 192.168.9.253
    Fri Feb 10 07:35:30 2017 Route addition via service succeeded
    Fri Feb 10 07:35:30 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.27.232.1
    Fri Feb 10 07:35:30 2017 Route addition via service succeeded
    Fri Feb 10 07:35:30 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.27.232.1
    Fri Feb 10 07:35:30 2017 Route addition via service succeeded
    Fri Feb 10 07:35:30 2017 Initialization Sequence Completed
    Fri Feb 10 07:35:30 2017 Register_dns request sent to the service
    Fri Feb 10 07:35:30 2017 MANAGEMENT: >STATE:1486733730,CONNECTED,SUCCESS,172.27.232.2,104.244.[snipped],1194,,
    


  • @johnpoz:

    There is no network layout below.  And what VPN software is she running?  What is the vpn protocol, is it ssl based, ipsec, l2tp, pptp, what?

    Thanks for your reply, it's called PureVPN.
    In the software it has: Automatic, PPTP, L2TP, SSTP, IKEV, TCP, UDP, StealthVPN.

    Image of network link is here: http://i380.photobucket.com/albums/oo241/SprinterOz/pfsense_on_NBN_Australia.jpg


  • Rebel Alliance Global Moderator

    While I can get to i380.photobucket.com, that image is not working..

    You're going to need to post the log of the connection attempts as well - see the log of my OpenVPN connection I just made through pfSense.



  • Sorry the image doesn't work for you; funny thing is I can see it, oh well…

    Feb 10 21:43:54	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:43:54	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:43:59	openvpn	10454	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 21:43:59	openvpn	10454	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 21:43:59	openvpn	10454	Attempting to establish TCP connection with [AF_INET]188.72.101.126:80 [nonblock]
    Feb 10 21:44:00	openvpn	10454	TCP connection established with [AF_INET]188.72.101.126:80
    Feb 10 21:44:00	openvpn	10454	TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX
    Feb 10 21:44:00	openvpn	10454	TCPv4_CLIENT link remote: [AF_INET]188.72.101.126:80
    Feb 10 21:44:00	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:00	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:44:05	openvpn	10454	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 21:44:05	openvpn	10454	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 21:44:05	openvpn	10454	Attempting to establish TCP connection with [AF_INET]188.72.101.126:80 [nonblock]
    Feb 10 21:44:06	openvpn	10454	TCP connection established with [AF_INET]188.72.101.126:80
    Feb 10 21:44:06	openvpn	10454	TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX
    Feb 10 21:44:06	openvpn	10454	TCPv4_CLIENT link remote: [AF_INET]188.72.101.126:80
    Feb 10 21:44:07	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:07	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:44:12	openvpn	10454	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 21:44:12	openvpn	10454	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 21:44:12	openvpn	10454	Attempting to establish TCP connection with [AF_INET]188.72.101.126:80 [nonblock]
    Feb 10 21:44:13	openvpn	10454	TCP connection established with [AF_INET]188.72.101.126:80
    Feb 10 21:44:13	openvpn	10454	TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX
    Feb 10 21:44:13	openvpn	10454	TCPv4_CLIENT link remote: [AF_INET]188.72.101.126:80
    Feb 10 21:44:13	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:13	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:44:18	openvpn	10454	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 21:44:18	openvpn	10454	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 21:44:18	openvpn	10454	Attempting to establish TCP connection with [AF_INET]188.72.101.126:80 [nonblock]
    Feb 10 21:44:19	openvpn	10454	TCP connection established with [AF_INET]188.72.101.126:80
    Feb 10 21:44:19	openvpn	10454	TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX
    Feb 10 21:44:19	openvpn	10454	TCPv4_CLIENT link remote: [AF_INET]188.72.101.126:80
    Feb 10 21:44:20	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:20	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:44:25	openvpn	10454	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 21:44:25	openvpn	10454	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 21:44:25	openvpn	10454	Attempting to establish TCP connection with [AF_INET]188.72.101.126:80 [nonblock]
    Feb 10 21:44:26	openvpn	10454	TCP connection established with [AF_INET]188.72.101.126:80
    Feb 10 21:44:26	openvpn	10454	TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX
    Feb 10 21:44:26	openvpn	10454	TCPv4_CLIENT link remote: [AF_INET]188.72.101.126:80
    Feb 10 21:44:26	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:26	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    Feb 10 21:44:28	openvpn	10454	SIGTERM[hard,init_instance] received, process exiting
    Feb 10 21:44:42	openvpn	65388	event_wait : Interrupted system call (code=4)
    Feb 10 21:44:42	openvpn	65388	/sbin/route delete -net 179.61.246.3 61.69.91.85 255.255.255.255
    Feb 10 21:44:42	openvpn	65388	/sbin/route delete -net 0.0.0.0 179.61.246.129 128.0.0.0
    Feb 10 21:44:42	openvpn	65388	/sbin/route delete -net 128.0.0.0 179.61.246.129 128.0.0.0
    Feb 10 21:44:42	openvpn	65388	Closing TUN/TAP interface
    Feb 10 21:44:42	openvpn	65388	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1558 179.61.246.132 255.255.255.192 init
    Feb 10 21:44:42	openvpn	65388	SIGTERM[hard,] received, process exiting
    

    I changed my static IP to XX.XX.XX.XX

    That is from when I tried to get TCP and UDP set up on OpenVPN, but only UDP would show the up-stream green arrow; TCP would not connect. Also, a little later, the UDP connected but it would not let traffic through the network.

    @johnpoz:

    Without details it's impossible to try and help you other than point to PEBKAC as your problem.. Which most likely is it anyway ;)

    LOL you're most likely right there  :P
    As for other settings, I will set it up to whatever works… if you know of a way to do this, that would be great, but I'm still learning pfSense and I have a lot to learn.

    Only other settings I have done are with pfBlockerNG https://forum.pfsense.org/index.php?topic=124997.msg690735#msg690735
    Tutorial I followed to set up OpenVPN: https://support.purevpn.com/pfsense-openvpn-configuration-guide But really this is no good to me, as the Netflix she wants to watch will only work through the software they provide, so OpenVPN is not my goal here; it's just to let the software through. I have disabled pfBlockerNG but that did not let the software VPN through.


  • Rebel Alliance Global Moderator

    Why are you hiding this???

    TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX

    Is your local IP not RFC 1918, i.e. 192.168.x.x, 10.x.x.x, 172.16-31.x.x?

    You sure you want to connect to port 80 for your vpn connection?

    TCP connection established with [AF_INET]188.72.101.126:80

    Your connection is being reset.

    
    Feb 10 21:44:00	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:00	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    
    

    I would think the server is disconnecting you from that error.. You could up the verb level and see if you can glean more info from the connection log.  But UDP would normally be what you want for your VPN connection vs TCP..
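A small triage script for a pfSense openvpn log like the one above, added here as an example and not code from this thread, pfSense or OpenVPN. It parses pfSense's tab-separated log format and flags the three things the reply points at: the connection-reset loop, the non-default port, and the "No server certificate verification method" warning the client itself logs. The sample lines and the TEST-NET addresses in them are constructed.

```python
"""Triage a pfSense OpenVPN client log (date<TAB>process<TAB>pid<TAB>message).
Added example for this thread; not pfSense or OpenVPN code."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\t(?P<proc>[^\t]+)\t(?P<pid>\d+)\t(?P<msg>.*)$")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+)")
NO_VERIFY = "No server certificate verification method has been enabled"

# Constructed sample: three reconnect cycles in the format pfSense logs,
# with TEST-NET addresses standing in for the real endpoints.
CYCLE = [
    "WARNING: " + NO_VERIFY + ". See http://openvpn.net/howto.html#mitm for more info.",
    "Attempting to establish TCP connection with [AF_INET]203.0.113.10:80 [nonblock]",
    "TCP connection established with [AF_INET]203.0.113.10:80",
    "TCPv4_CLIENT link local (bound): [AF_INET]192.0.2.5",
    "TCPv4_CLIENT link remote: [AF_INET]203.0.113.10:80",
    "Connection reset, restarting [0]",
    "SIGUSR1[soft,connection-reset] received, process restarting",
]
SAMPLE_LOG = [f"Feb 10 21:44:{sec:02d}\topenvpn\t10454\t{m}"
              for sec in (0, 6, 13) for m in CYCLE]


def parse_line(line):
    """Split one log line into its fields; None if it is not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(lines):
    """Summarise what an openvpn client log shows and list things to check."""
    resets, remotes, protocols = 0, Counter(), set()
    no_cert_verify = completed = False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "openvpn":
            continue  # other daemons, or lines in another format
        msg = rec["msg"]
        resets += "Connection reset, restarting" in msg
        completed |= "Initialization Sequence Completed" in msg
        no_cert_verify |= NO_VERIFY in msg
        m = REMOTE_RE.search(msg)
        if m:  # "TCPv4_CLIENT link remote" vs "UDP link remote"
            remotes[(m["ip"], int(m["port"]))] += 1
            protocols.add("tcp" if msg.startswith("TCP") else "udp")
    findings = []
    if resets >= 3 and not completed:
        findings.append(f"reconnect loop: {resets} resets, tunnel never completed initialization")
    for (ip, port), n in remotes.items():
        if port != 1194:
            findings.append(f"non-default VPN port {port} on {ip} ({n}x); confirm the provider expects it")
    if no_cert_verify:
        findings.append("server certificate is not verified; client cannot tell a rogue endpoint from the real one")
    return {"resets": resets, "completed": completed, "no_cert_verify": no_cert_verify,
            "remotes": dict(remotes), "protocols": protocols, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print("-", f)
```

Feed it the real log with `triage(open("/var/log/openvpn.log").readlines())` on the pfSense box, or paste the lines from the GUI log viewer; the Windows client log format above is simply skipped.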



  • @johnpoz:

    Why are you hiding this???

    TCPv4_CLIENT link local (bound): [AF_INET]XX.XX.XX.XX

    Is your local IP not RFC 1918, i.e. 192.168.x.x, 10.x.x.x, 172.16-31.x.x?

    You sure you want to connect to port 80 for your vpn connection?

    TCP connection established with [AF_INET]188.72.101.126:80

    Your connection is being reset.

    
    Feb 10 21:44:00	openvpn	10454	Connection reset, restarting [0]
    Feb 10 21:44:00	openvpn	10454	SIGUSR1[soft,connection-reset] received, process restarting
    
    

    I would think the server is disconnecting you from that error.. You could up the verb level and see if you can glean more info from the connection log.  But UDP would normally be what you want for your VPN connection vs TCP..

    No, my network is on NBN; it has no IP assigned. It is fiber to wireless, 50/20mb. I do not have a single-port router that will do IPv6 at the moment; only pfSense allows me to use it.

    Image of my network you could not see before, to help explain.


  • Galactic Empire

    Is the VPN traffic passing through two firewalls? I can see two on the diagram. Is her device the notebook?

    It could be a double NAT issue.


  • Rebel Alliance Global Moderator

    "No my network is on NBN it has no IP assigned"

    So your client is getting a public IP?  How exactly is that routing through pfSense?  You're on a transit network, you have pfSense set up as a bridge?



  • @NogBadTheBad:

    Is the VPN traffic passing through two firewalls? I can see two on the diagram. Is her device the notebook?

    It could be a double NAT issue.

    I have the dual WAN router static for each WAN NIC to the pfSense with DHCP LAN enabled. Should I disable DHCP on LAN?
    Yeah, her PC is the notebook.

    @johnpoz:

    "No my network is on NBN it has no IP assigned"

    So your client is getting a public IP?  How exactly is that routing through pfSense?  You're on a transit network, you have pfSense set up as a bridge?

    Sorry, I should have said: it does not hook up to DHCP auto IP assign. I have to connect by static connections as it's a business line. I have my own IP and mask; also the NBN termination point is a basic router you could say, it just routes signal to 4 other ports like a switch. Those 3 other ports are enabled only if I have "more than one internet provider or account with the provider I already have". In total it can have up to 4 different providers and run at 50/20mb each, so if I was to have all 4 ports active it would be 200/80mb max line speed. To obtain this full speed of all 4 ports I would have to use a load balance broadband router like a TP-Link TL-R470T+ to bring it back to one line with all 4 ports on the NBN termination point in load balance. http://www.tplink.com/ie/products/details/?model=TL-R470T%2B Or I could buy a 4 port PCI-e NIC and do it that way, but this is going off topic.

    Fixed NBN wireless explained: http://www.nbnco.com.au/learn-about-the-nbn/network-technology/fixed-wireless-explained.html


  • Galactic Empire

    Some VPN protocols struggle with a double NAT.

    Does it work if you connect the laptop directly to one of the pfSense LAN ports?

    Wouldn't you just be better off ditching the home WiFi router and routing everything via pfSense, a managed switch and a cheap access point?

    Also, why the two LAN ports out of the pfSense router to the WiFi router? What does that give you?


  • Rebel Alliance Global Moderator

    Ok I figured out why your image wasn't loading - I was connected to one of my VPS via VPN on my workstation, and that was having issues.  I noticed when I couldn't get to my local stuff ;)

    Anyway..

    So why in the hell would you have a dual WAN router connected to pfSense LAN with 2 different connections???  There is ZERO reason to do that… And why would you be using it as a router anyway??  That should just be used as an access point..

    You have a 50/20 internet connection; there would be ZERO reason for such a setup.. Turn that router into just an AP, connect it with 1 wire to pfSense LAN and that should fix whatever issue you're having..