    Adding OpenVPN Hosed pfSense Box (help?)

    OpenVPN
    mattlach:

      Hey all,

      so I just built a brand new pfsense router per this thread with the intent of having enough power to saturate OpenVPN at 150mbit full duplex.

      The build appears to be working perfectly, until I try to set up my brand new PIA VPN connection per their guide located here.

      I am 100% certain I entered everything exactly as directed (I double, triple and quadruple checked once I had problems).

      When I got to step 8: "Ensure that Status shows as "up" before continuing." I started having problems.  The OpenVPN service would never come up, despite pressing the start button several times.

      I tried rebooting the pfSense box as suggested, and this is when things got really weird.  Once it came back up, the web interface was not responsive.  It took several tries going in via SSH and choosing option 11 to restart the web configuration interface until I could finally get in.  When I did get in I found - among other things - my other services (cron, nut) had failed to start.  The pfSense box was also not providing any external internet access, and the OpenVPN service was still down.  Before I could troubleshoot any further, the web interface became unresponsive again, and I never got it back up again.

      I was able to get the router working again as before by restoring a configuration backup from before adding the OpenVPN connection and cert using option 15 via SSH.

      Not being a *nix novice I knew where to find the log file in /var/log/openvpn.log

      There isn't much in this file (presumably due to not enabling verbose logging when I set up OpenVPN using the web configurator) but it does contain the following:

      
      [2.3.3-RELEASE][admin@router.localdomain]/var/log: cat openvpn.log 
      Apr  2 15:38:22 router openvpn[8714]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
      Apr  2 15:38:22 router openvpn[8714]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
      Apr  2 15:38:22 router openvpn[8714]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      Apr  2 15:38:22 router openvpn[8714]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
      Apr  2 15:38:22 router openvpn[8714]: Exiting due to fatal error
      Apr  2 15:38:55 router openvpn[9793]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
      Apr  2 15:38:55 router openvpn[9793]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
      Apr  2 15:38:55 router openvpn[9793]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      Apr  2 15:38:55 router openvpn[9793]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
      Apr  2 15:38:55 router openvpn[9793]: Exiting due to fatal error
      Apr  2 15:41:12 router openvpn[15052]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
      Apr  2 15:41:12 router openvpn[15052]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
      Apr  2 15:41:12 router openvpn[15052]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      Apr  2 15:47:00 router openvpn[15671]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
      Apr  2 15:47:00 router openvpn[15671]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
      Apr  2 15:47:00 router openvpn[15671]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      

      This isn't particularly helpful to me though.  Does this help anyone else understand what went wrong and what I might try to fix it?

      I'd go back in and repeat my steps with "verbose logging" enabled, but I figured I'd try in here first, as I already got a tongue lashing for the internet going down for a half an hour the last time.

      I'd appreciate any help!

      Thanks,
      Matt

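      The posted log is short but it does say what killed the process: the "can't ask for 'Enter Auth Password:'" line is OpenVPN trying to prompt interactively for the auth-user-pass password (the "Enter Auth ..." prompts belong to auth-user-pass, not to a private-key passphrase, despite the generic --askpass wording), which a daemonised process with no tty cannot do, so it exits. The WARNING before it is a separate, non-fatal complaint about file permissions. The script below is an added example, not from the post or from pfSense: it groups the syslog lines by OpenVPN pid and classifies each process lifetime. The sample lines are copied from the log above; that /var/etc/openvpn/client1.up is where pfSense stores the GUI username/password is my assumption from the path in the warning.

```python
import re
from collections import OrderedDict

# Constructed sample input: lines copied from the openvpn.log posted in the thread.
# In real use, read /var/log/openvpn.log on the pfSense box instead.
SAMPLE_LOG = """\
Apr  2 15:38:22 router openvpn[8714]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Apr  2 15:38:22 router openvpn[8714]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Apr  2 15:38:22 router openvpn[8714]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Apr  2 15:38:22 router openvpn[8714]: Exiting due to fatal error
Apr  2 15:41:12 router openvpn[15052]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
Apr  2 15:41:12 router openvpn[15052]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
"""

# syslog prefix as written by pfSense: "Mon dd HH:MM:SS host openvpn[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PERM_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")


def parse_runs(text):
    """Group log lines by OpenVPN pid, in order of first appearance: {pid: [msg, ...]}."""
    runs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn line (or a continuation); skip
        runs.setdefault(int(m["pid"]), []).append(m["msg"])
    return runs


def diagnose(messages):
    """Classify one process lifetime. Returns (status, [finding, ...])."""
    findings = []
    for msg in messages:
        m = PERM_RE.search(msg)
        if m:
            findings.append(
                f"{m.group(1)} is readable by group/others; credential files should be mode 0600"
            )
        if "can't ask for 'Enter Auth Password:'" in msg:
            findings.append(
                "no auth-user-pass password available to a daemonised process: OpenVPN tried "
                "to prompt on a tty it does not have; supply the password via the "
                "auth-user-pass file (the .up file pfSense writes) rather than interactively"
            )
    if any(msg.startswith("Exiting due to fatal error") for msg in messages):
        status = "fatal"
    elif any("Initialization Sequence Completed" in msg for msg in messages):
        status = "connected"  # OpenVPN's own "tunnel is up" marker
    else:
        status = "no-exit-logged"  # still running, killed, or the log was cut short
    return status, findings


def summarize(text):
    """{pid: status} for every OpenVPN process seen in the log text."""
    return {pid: diagnose(msgs)[0] for pid, msgs in parse_runs(text).items()}


if __name__ == "__main__":
    for pid, msgs in parse_runs(SAMPLE_LOG).items():
        status, findings = diagnose(msgs)
        print(f"pid {pid}: {status}")
        for f in findings:
            print("   -", f)
```

      Run it against the real log once verbose logging is on; the permission warning by itself does not stop OpenVPN, so a run that ends on the warning with no "Exiting due to fatal error" and no "Initialization Sequence Completed" is either still running or was killed from outside.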
        pfBasic:

        Hm, I don't know if it matters but I've always used password files for PIA Clients. That walkthrough has you enter user/pass in the GUI.

        Check this thread out, it's old but will show you how to setup the password file, it's quick and easy. Try that (with verbose logging on just in case).

        https://forum.pfsense.org/index.php?topic=76015.msg414556#msg414556

          Finger79:

          I'm running a PIA OpenVPN client in pfSense and entering username/password in the GUI works for me.

          Oh, I had a couple initial problems in my setup since I wanted to max out the security settings.

          1)  PIA has two CA certificates, one standard one and one for their max settings.  I had to find the correct CA cert on their site (with Los Angeles, CA as the city and state) and import it into the Certificate Manager in order to work.

          2)  I had to change the server port to 1197 in the GUI.  The default 1194 isn't used by PIA for their higher security connections.

            Finger79:

            In case this helps, here are some more GUI settings I'm using:

            Peer Certificate Authority:  PIA CA (the CA I imported with the Los Angeles, CA location)

            Client Certificate:  None (Username and/or Password required)

            Encryption Algorithm:  AES-256-CBC

            Auth digest algorithm:  SHA256

            Hardware Crypto:  No Hardware Crypto Acceleration

            Compression:  Disabled - No Compression

            Topology:  net30

            Disable IPv6 - checked

            Custom Options

            Advanced Configuration Settings from GUI

            remote-cert-tls server
            auth-nocache
            tls-version-min 1.2
            reneg-sec 0
            reneg-bytes 4294967296  (4 GiB; 1 GiB = 1073741824 bytes)

              meruem:

              @Finger79:

              I'm running a PIA OpenVPN client in pfSense and entering username/password in the GUI works for me.

              Oh, I had a couple initial problems in my setup since I wanted to max out the security settings.

              1)  PIA has two CA certificates, one standard one and one for their max settings.  I had to find the correct CA cert on their site (with Los Angeles, CA as the city and state) and import it into the Certificate Manager in order to work.

              2)  I had to change the server port to 1197 in the GUI.  The default 1194 isn't used by PIA for their higher security connections.

              could you be less helpful plzzzz

                mattlach:

                @Finger79:

                I'm running a PIA OpenVPN client in pfSense and entering username/password in the GUI works for me.

                Oh, I had a couple initial problems in my setup since I wanted to max out the security settings.

                1)  PIA has two CA certificates, one standard one and one for their max settings.  I had to find the correct CA cert on their site (with Los Angeles, CA as the city and state) and import it into the Certificate Manager in order to work.

                2)  I had to change the server port to 1197 in the GUI.  The default 1194 isn't used by PIA for their higher security connections.

                In case this helps, here are some more GUI settings I'm using:

                Peer Certificate Authority:  PIA CA (the CA I imported with the Los Angeles, CA location)

                Client Certificate:  None (Username and/or Password required)

                Encryption Algorithm:  AES-256-CBC

                Auth digest algorithm:  SHA256

                Hardware Crypto:  No Hardware Crypto Acceleration

                Compression:  Disabled - No Compression

                Topology:  net30

                Disable IPv6 - checked

                Custom Options
                remote-cert-tls server
                auth-nocache
                tls-version-min 1.2

                Thank you for this.

                I am about to try it again, hopefully this will do the trick.

                How come you are not using any crypto acceleration?  I figured that would be absolutely crucial in order to get good VPN performance?

                Also, Where did you find your cert?  The guide on their page links just one cert, but you are suggesting that there are separate certs for each server?

                Thanks,
                Matt

                  Finger79:

                  @mattlach:

                  Thank you for this.

                  I am about to try it again, hopefully this will do the trick.

                  How come you are not using any crypto acceleration?  I figured that would be absolutely crucial in order to get good VPN performance?

                  I'd read some things that crypto acceleration in OpenVPN is automatic and that the "crypto acceleration" drop-down is legacy or doesn't apply to modern CPUs.  If that's off, then let me know.

                  @mattlach:

                  Also, Where did you find your cert?  The guide on their page links just one cert, but you are suggesting that there are separate certs for each server?

                  Thanks,
                  Matt

                  From the "Advanced OpenVPN SSL Usage Guides" section on Client Support Area, the very last line says "OpenVPN Configuration Files (Recommended Default) OpenVPN Configuration Files (Strong)".  Each one links to a .zip file with all the .ovpn config files for all the servers.  (You can ignore all the .ovpn files.  All you care about is the CA certificate and the .pem file with the Certificate Revocation List, which you can optionally set up yourself in pfSense.)  The regular zip file has the 2048-bit RSA CA certificate that you use with port 1198/udp, and the "strong" zip file has the 4096-bit RSA CA certificate that you would use with port 1197/udp.

                  So it's not one CA certificate for each server but rather you choose whether to use the 4096-bit cert on port 1197 or the 2048-bit cert on port 1198 for all servers.  I just thought, "Hey, why not?" and went with the stronger cert.

                  By the way, I added the "reneg-sec 0" directive in the custom settings.  Otherwise it'll drive you nuts and reconnect every 3600 seconds (1 hour).  The 0 disables the timer.  I'm using the "reneg-bytes 4294967296" directive so the VPN will reconnect after every 4 GiB just to get a fresh set of session keys – overkill and optional.  I'm just doing it to prevent any unknown attacks on TLS.

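                  Finger79's two posts above (the GUI settings and custom options, and the port/CA pairing) amount to a checklist for the generated OpenVPN client config, and the first post's log shows what one missing piece (no password source for a daemonised client) does. The linter below is an added example, not pfSense's or PIA's code: it parses an OpenVPN client config, flags the items from that checklist, and checks the PIA port against the CA key size. Both configs are constructed for this example; the hostname and file paths are placeholders, not PIA's. Directive names are real OpenVPN 2.3 directives; OpenVPN 2.3's defaults of BF-CBC, SHA1 and tls-version-min 1.0 are what an unset directive is treated as. The CA key size is an argument because the config does not carry it; read it off the imported CA with `openssl x509 -in ca.crt -noout -text`.

```python
import shlex

# Constructed "before" config: credentials entered nowhere a daemon can read them,
# no server-cert check, defaults left in place, compression on.
WEAK_CONF = """\
client
dev tun
proto udp
remote vpn.example.net 1194
daemon
auth-user-pass
auth SHA1
comp-lzo
reneg-sec 0
"""

# Constructed "after" config with the options Finger79 lists: AES-256-CBC/SHA256, no
# compression, remote-cert-tls server, auth-nocache, tls-version-min 1.2, reneg-sec 0
# paired with reneg-bytes 4 GiB, and the user/password read from a file (the .up file
# pfSense writes from the GUI fields; the path is assumed from the log in the first post).
HARDENED_CONF = """\
client
dev tun
proto udp
remote vpn.example.net 1197
daemon
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
auth-nocache
tls-version-min 1.2
reneg-sec 0
reneg-bytes 4294967296
"""

# From the thread: PIA's 2048-bit CA goes with 1198/udp, the 4096-bit "strong" CA with 1197/udp.
PIA_PORT_FOR_CA_BITS = {2048: 1198, 4096: 1197}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_conf(text):
    """Split an OpenVPN config into (directive, [args]) pairs, dropping # and ; comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def lint_client_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_conf(text)
    names = {n for n, _ in directives}
    args = {n: a for n, a in directives}  # last occurrence wins, as in OpenVPN
    findings = []
    if "remote-cert-tls" not in names:
        findings.append("remote-cert-tls server missing: any certificate the CA issued can pose as the server")
    tls_min = tuple(int(x) for x in args.get("tls-version-min", ["1.0"])[0].split("."))
    if tls_min < (1, 2):
        findings.append("tls-version-min below 1.2 (OpenVPN 2.3 default is 1.0)")
    if "daemon" in names and "auth-user-pass" in names and not args["auth-user-pass"]:
        findings.append("auth-user-pass without a file while daemonised: OpenVPN prompts on a tty "
                        "it does not have and exits ('Exiting due to fatal error')")
    if args.get("reneg-sec") == ["0"] and "reneg-bytes" not in names:
        findings.append("reneg-sec 0 with no reneg-bytes: session keys are never renegotiated")
    if args.get("cipher", ["BF-CBC"])[0].upper() in WEAK_CIPHERS:
        findings.append("weak or default data cipher (OpenVPN 2.3 defaults to BF-CBC); set cipher AES-256-CBC")
    if args.get("auth", ["SHA1"])[0].upper() in WEAK_DIGESTS:
        findings.append("weak or default HMAC digest (default SHA1); set auth SHA256")
    if "comp-lzo" in names or "compress" in names:
        findings.append("compression enabled; compressing secrets alongside attacker-chosen data leaks them")
    return findings


def remote_port(text):
    """Port the client dials: from 'remote host port' or 'port', else OpenVPN's default 1194."""
    port = 1194
    for name, a in parse_conf(text):
        if name == "port" and a:
            port = int(a[0])
        elif name == "remote" and len(a) >= 2:
            port = int(a[1])
    return port


def check_pia_port(text, ca_key_bits):
    """Check the dialled port against the PIA CA in use (ca_key_bits from openssl x509 -text)."""
    expected = PIA_PORT_FOR_CA_BITS.get(ca_key_bits)
    if expected is None:
        return [f"no PIA port is known for a {ca_key_bits}-bit CA"]
    port = remote_port(text)
    if port != expected:
        return [f"port {port} does not go with the {ca_key_bits}-bit PIA CA; expected {expected}/udp"]
    return []


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_client_conf(conf) or "ok")
    print(check_pia_port(HARDENED_CONF, 4096) or "port matches the 4096-bit CA")
```

                  On pfSense the generated config lives under /var/etc/openvpn/, so the linter can be pointed at the clientN.conf file there after saving the GUI settings; the port/CA check is the one that catches the "1194 by default" mistake mentioned earlier in the thread.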
                    mattlach:

                    I finally got it working.

                    I used a combination of the old "password file" guide, Finger79's settings above, and the packaged ovpn file for the NYC Server, and finally got everything working.

                    (Note, didn't use the OVPN file, but used the certs it came packaged with.)

                    @Finger79:

                    I'd read some things that crypto acceleration in OpenVPN is automatic and that the "crypto acceleration" drop-down is legacy or doesn't apply to modern CPUs.  If that's off, then let me know.

                    In retrospect this makes a lot of sense.  I tried with it both off and on, and didn't find it made any difference in CPU load during bandwidth tests.
