OpenVPN and TorGuard



  • I am using pfSense 2.3.4.

    I configured OpenVPN as mentioned here:
    https://torguard.net…yarticle&id=208

    The only difference is that I enabled TLS authentication and copied the key from the zip file I received. If I don't select TLS it won't connect. I have also changed the encryption to AES and the hash to SHA256 in the VPN config, as in the client file. If I configure SHA1 it won't work. I am using the UDP tunnel files.
    The initial certification configuration is exactly the same as mentioned in the article.

    I have successfully configured NAT and I can see the default route too, but the problem is that the VPN is up while the sent/received bytes stay at 3-4 KB all the time. I cannot access the internet using it; I think there is some mistake in the configuration.

    Here are the logs from the verb 3 configuration:

    Oct 21 09:31:36 openvpn 53208 Restart pause, 5 second(s)
    Oct 21 09:31:41 openvpn 53208 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 21 09:31:41 openvpn 53208 Socket Buffers: R=[65228->65228] S=[65228->65228]
    Oct 21 09:31:41 openvpn 53208 Attempting to establish TCP connection with [AF_INET]195.154.209.57:1912 [nonblock]
    Oct 21 09:31:42 openvpn 53208 TCP connection established with [AF_INET]195.154.209.57:1912
    Oct 21 09:31:42 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
    Oct 21 09:31:42 openvpn 53208 TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.66
    Oct 21 09:31:42 openvpn 53208 TCPv4_CLIENT link remote: [AF_INET]195.154.209.57:1912
    Oct 21 09:31:42 openvpn 53208 TLS: Initial packet from [AF_INET]195.154.209.57:1912, sid=7dfe3564 874ca556
    Oct 21 09:31:42 openvpn 53208 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
    Oct 21 09:31:42 openvpn 53208 Validating certificate key usage
    Oct 21 09:31:42 openvpn 53208 ++ Certificate has key usage 00a0, expects 00a0
    Oct 21 09:31:42 openvpn 53208 VERIFY KU OK
    Oct 21 09:31:42 openvpn 53208 Validating certificate extended key usage
    Oct 21 09:31:42 openvpn 53208 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Oct 21 09:31:42 openvpn 53208 VERIFY EKU OK
    Oct 21 09:31:42 openvpn 53208 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
    Oct 21 09:31:42 openvpn 53208 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
    Oct 21 09:31:42 openvpn 53208 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Oct 21 09:31:42 openvpn 53208 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 21 09:31:42 openvpn 53208 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 21 09:31:42 openvpn 53208 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 21 09:31:42 openvpn 53208 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 21 09:31:42 openvpn 53208 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Oct 21 09:31:42 openvpn 53208 [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]195.154.209.57:1912
    Oct 21 09:31:44 openvpn 53208 SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
    Oct 21 09:31:44 openvpn 53208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,ifconfig 10.34.0.10 10.34.0.9,peer-id 0'
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: timers and/or timeouts modified
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --socket-flags option modified
    Oct 21 09:31:44 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --ifconfig/up options modified
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: route options modified
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: peer-id set
    Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: adjusting link_mtu to 1574
    Oct 21 09:31:44 openvpn 53208 Preserving previous TUN/TAP instance: ovpnc1
    Oct 21 09:31:44 openvpn 53208 Initialization Sequence Completed
    Oct 21 09:32:40 openvpn 53208 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 21 09:32:40 openvpn 53208 MANAGEMENT: CMD 'state 1'
    Oct 21 09:32:40 openvpn 53208 MANAGEMENT: CMD 'status 2'
    Oct 21 09:32:40 openvpn 53208 MANAGEMENT: Client disconnected
    Oct 21 09:32:43 openvpn 53208 Connection reset, restarting [0]
    Oct 21 09:32:43 openvpn 53208 SIGUSR1[soft,connection-reset] received, process restarting
    Oct 21 09:32:43 openvpn 53208 Restart pause, 5 second(s)
    Oct 21 09:32:48 openvpn 53208 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 21 09:32:48 openvpn 53208 Socket Buffers: R=[65228->65228] S=[65228->65228]
    Oct 21 09:32:48 openvpn 53208 Attempting to establish TCP connection with [AF_INET]195.154.209.57:1912 [nonblock]
    Oct 21 09:32:49 openvpn 53208 TCP connection established with [AF_INET]195.154.209.57:1912
    Oct 21 09:32:49 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
    Oct 21 09:32:49 openvpn 53208 TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.66
    Oct 21 09:32:49 openvpn 53208 TCPv4_CLIENT link remote: [AF_INET]195.154.209.57:1912
    Oct 21 09:32:49 openvpn 53208 TLS: Initial packet from [AF_INET]195.154.209.57:1912, sid=e7b2957d a044c05b
    Oct 21 09:32:50 openvpn 53208 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
    Oct 21 09:32:50 openvpn 53208 Validating certificate key usage
    Oct 21 09:32:50 openvpn 53208 ++ Certificate has key usage 00a0, expects 00a0
    Oct 21 09:32:50 openvpn 53208 VERIFY KU OK
    Oct 21 09:32:50 openvpn 53208 Validating certificate extended key usage
    Oct 21 09:32:50 openvpn 53208 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Oct 21 09:32:50 openvpn 53208 VERIFY EKU OK
    Oct 21 09:32:50 openvpn 53208 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
    Oct 21 09:32:50 openvpn 53208 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
    Oct 21 09:32:50 openvpn 53208 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Oct 21 09:32:50 openvpn 53208 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 21 09:32:50 openvpn 53208 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 21 09:32:50 openvpn 53208 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 21 09:32:50 openvpn 53208 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 21 09:32:50 openvpn 53208 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Oct 21 09:32:50 openvpn 53208 [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]195.154.209.57:1912
    Oct 21 09:32:52 openvpn 53208 SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
    Oct 21 09:32:52 openvpn 53208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,ifconfig 10.34.0.10 10.34.0.9,peer-id 0'
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: timers and/or timeouts modified
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --socket-flags option modified
    Oct 21 09:32:52 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --ifconfig/up options modified
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: route options modified
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: peer-id set
    Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: adjusting link_mtu to 1574
    Oct 21 09:32:52 openvpn 53208 Preserving previous TUN/TAP instance: ovpnc1
    Oct 21 09:32:52 openvpn 53208 Initialization Sequence Completed

    Route table after connection:
    [2.3.4-RELEASE][admin@pfSense.localdomain]/root: netstat -r
    Routing tables

    Internet:
    Destination        Gateway            Flags      Netif Expire
    0.0.0.0/1          10.34.0.5          UGS      ovpnc1
    default            mynetwork          UGS        le1
    10.34.0.1/32      10.34.0.5          UGS      ovpnc1
    10.34.0.5          link#7            UH      ovpnc1
    10.34.0.6          link#7            UHS        lo0
    dns.usa1.torguard. 10.34.0.5          UGHS    ovpnc1
    dns.usa2.torguard. 10.34.0.5          UGHS    ovpnc1
    localhost          link#6            UH          lo0
    128.0.0.0/1        10.34.0.5          UGS      ovpnc1
    185.25.21.161/32  mynetwork          UGS        le1
    192.168.1.0        link#1            U          le0
    pfSense            link#1            UHS        lo0
    192.168.2.0        link#2            U          le1
    mynetwork          00:0c:29:1f:f5:78  UHS        le1
    192.168.2.66      link#2            UHS        lo0
    195.154.204.10/32  mynetwork          UGS        le1

