OpenVPN and TorGuard
-
I am using Pfsense 2.3.4.
I configured OpenVPN as mentioned here
https://torguard.net…yarticle&id=208
The only difference I did was enable TLS authentication and copy the key in the zip file I received. If I don't select TLS it won't connect; also I have changed encryption to AES and hash to SHA256 in the VPN config as in the client file. If I configure SHA1 it won't work. I am using UDP tunnel files.
The initial certificate configuration is exactly the same as mentioned in the article. I have successfully configured NAT and I can see the default route too, but the problem is the VPN is up but send/receive bytes are 3-4 KB all the time. I cannot access the internet using it; I think there is some mistake in the configuration.
Here are the logs from the verb 3 configuration:
Oct 21 09:31:36 openvpn 53208 Restart pause, 5 second(s)
Oct 21 09:31:41 openvpn 53208 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 21 09:31:41 openvpn 53208 Socket Buffers: R=[65228->65228] S=[65228->65228]
Oct 21 09:31:41 openvpn 53208 Attempting to establish TCP connection with [AF_INET]195.154.209.57:1912 [nonblock]
Oct 21 09:31:42 openvpn 53208 TCP connection established with [AF_INET]195.154.209.57:1912
Oct 21 09:31:42 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
Oct 21 09:31:42 openvpn 53208 TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.66
Oct 21 09:31:42 openvpn 53208 TCPv4_CLIENT link remote: [AF_INET]195.154.209.57:1912
Oct 21 09:31:42 openvpn 53208 TLS: Initial packet from [AF_INET]195.154.209.57:1912, sid=7dfe3564 874ca556
Oct 21 09:31:42 openvpn 53208 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Oct 21 09:31:42 openvpn 53208 Validating certificate key usage
Oct 21 09:31:42 openvpn 53208 ++ Certificate has key usage 00a0, expects 00a0
Oct 21 09:31:42 openvpn 53208 VERIFY KU OK
Oct 21 09:31:42 openvpn 53208 Validating certificate extended key usage
Oct 21 09:31:42 openvpn 53208 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 21 09:31:42 openvpn 53208 VERIFY EKU OK
Oct 21 09:31:42 openvpn 53208 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Oct 21 09:31:42 openvpn 53208 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
Oct 21 09:31:42 openvpn 53208 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Oct 21 09:31:42 openvpn 53208 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 21 09:31:42 openvpn 53208 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 21 09:31:42 openvpn 53208 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 21 09:31:42 openvpn 53208 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 21 09:31:42 openvpn 53208 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 21 09:31:42 openvpn 53208 [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]195.154.209.57:1912
Oct 21 09:31:44 openvpn 53208 SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
Oct 21 09:31:44 openvpn 53208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,ifconfig 10.34.0.10 10.34.0.9,peer-id 0'
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: timers and/or timeouts modified
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --socket-flags option modified
Oct 21 09:31:44 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --ifconfig/up options modified
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: route options modified
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: peer-id set
Oct 21 09:31:44 openvpn 53208 OPTIONS IMPORT: adjusting link_mtu to 1574
Oct 21 09:31:44 openvpn 53208 Preserving previous TUN/TAP instance: ovpnc1
Oct 21 09:31:44 openvpn 53208 Initialization Sequence Completed
Oct 21 09:32:40 openvpn 53208 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 21 09:32:40 openvpn 53208 MANAGEMENT: CMD 'state 1'
Oct 21 09:32:40 openvpn 53208 MANAGEMENT: CMD 'status 2'
Oct 21 09:32:40 openvpn 53208 MANAGEMENT: Client disconnected
Oct 21 09:32:43 openvpn 53208 Connection reset, restarting [0]
Oct 21 09:32:43 openvpn 53208 SIGUSR1[soft,connection-reset] received, process restarting
Oct 21 09:32:43 openvpn 53208 Restart pause, 5 second(s)
Oct 21 09:32:48 openvpn 53208 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 21 09:32:48 openvpn 53208 Socket Buffers: R=[65228->65228] S=[65228->65228]
Oct 21 09:32:48 openvpn 53208 Attempting to establish TCP connection with [AF_INET]195.154.209.57:1912 [nonblock]
Oct 21 09:32:49 openvpn 53208 TCP connection established with [AF_INET]195.154.209.57:1912
Oct 21 09:32:49 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
Oct 21 09:32:49 openvpn 53208 TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.66
Oct 21 09:32:49 openvpn 53208 TCPv4_CLIENT link remote: [AF_INET]195.154.209.57:1912
Oct 21 09:32:49 openvpn 53208 TLS: Initial packet from [AF_INET]195.154.209.57:1912, sid=e7b2957d a044c05b
Oct 21 09:32:50 openvpn 53208 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Oct 21 09:32:50 openvpn 53208 Validating certificate key usage
Oct 21 09:32:50 openvpn 53208 ++ Certificate has key usage 00a0, expects 00a0
Oct 21 09:32:50 openvpn 53208 VERIFY KU OK
Oct 21 09:32:50 openvpn 53208 Validating certificate extended key usage
Oct 21 09:32:50 openvpn 53208 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 21 09:32:50 openvpn 53208 VERIFY EKU OK
Oct 21 09:32:50 openvpn 53208 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=TorGuard, OU=VPN, CN=TG-OVPN-CA, name=TorGuard, emailAddress=sysadmin@torguard.net
Oct 21 09:32:50 openvpn 53208 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
Oct 21 09:32:50 openvpn 53208 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Oct 21 09:32:50 openvpn 53208 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 21 09:32:50 openvpn 53208 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 21 09:32:50 openvpn 53208 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Oct 21 09:32:50 openvpn 53208 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 21 09:32:50 openvpn 53208 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 21 09:32:50 openvpn 53208 [TG-OVPN-CA] Peer Connection Initiated with [AF_INET]195.154.209.57:1912
Oct 21 09:32:52 openvpn 53208 SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
Oct 21 09:32:52 openvpn 53208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,ifconfig 10.34.0.10 10.34.0.9,peer-id 0'
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: timers and/or timeouts modified
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --socket-flags option modified
Oct 21 09:32:52 openvpn 53208 Socket flags: TCP_NODELAY=1 succeeded
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --ifconfig/up options modified
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: route options modified
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: peer-id set
Oct 21 09:32:52 openvpn 53208 OPTIONS IMPORT: adjusting link_mtu to 1574
Oct 21 09:32:52 openvpn 53208 Preserving previous TUN/TAP instance: ovpnc1
Oct 21 09:32:52 openvpn 53208 Initialization Sequence Completed
Route table after connection:
[2.3.4-RELEASE][admin@pfSense.localdomain]/root: netstat -r
Routing tables
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 10.34.0.5 UGS ovpnc1
default mynetwork UGS le1
10.34.0.1/32 10.34.0.5 UGS ovpnc1
10.34.0.5 link#7 UH ovpnc1
10.34.0.6 link#7 UHS lo0
dns.usa1.torguard. 10.34.0.5 UGHS ovpnc1
dns.usa2.torguard. 10.34.0.5 UGHS ovpnc1
localhost link#6 UH lo0
128.0.0.0/1 10.34.0.5 UGS ovpnc1
185.25.21.161/32 mynetwork UGS le1
192.168.1.0 link#1 U le0
pfSense link#1 UHS lo0
192.168.2.0 link#2 U le1
mynetwork 00:0c:29:1f:f5:78 UHS le1
192.168.2.66 link#2 UHS lo0
195.154.204.10/32 mynetwork UGS le1
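A tunnel that reports "Initialization Sequence Completed" while passing almost no traffic is usually a data-channel or routing disagreement rather than a TLS problem, and the verb 3 log plus the routing table already contain the evidence. The script below is an added example for this thread (not pfSense or OpenVPN code) that reads a handful of the log lines and routing rows quoted above and surfaces the points a defender would check first: the transport actually negotiated (the log shows a TCP connection although the post says UDP profiles are in use), the `link-mtu` and `comp-lzo` option warnings (a compression mismatch between peers means each side frames data-channel packets differently, a classic cause of an "up but dead" tunnel), whether `redirect-gateway def1` produced the two /1 routes on the tunnel interface, and whether the `ifconfig` addresses the server pushed (10.34.0.10/10.34.0.9) agree with the gateway those routes use (10.34.0.5 in the table above, which may simply mean the table was captured during a different session, or that the preserved `ovpnc1` interface kept stale addresses). The `SAMPLE_LOG` and `SAMPLE_ROUTES` strings are constructed from the post's own output; the finding codes and function names are this example's own.

```python
"""Checks for an OpenVPN client that reaches "Initialization Sequence
Completed" yet passes no traffic, driven by verb 3 log lines and a BSD-style
`netstat -r` table. Hypothetical helper for this thread, not pfSense/OpenVPN code."""
import re

# Constructed sample: a subset of the log lines and routing table from the post.
SAMPLE_LOG = """\
Oct 21 09:31:42 openvpn 53208 TCP connection established with [AF_INET]195.154.209.57:1912
Oct 21 09:31:42 openvpn 53208 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
Oct 21 09:31:42 openvpn 53208 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Oct 21 09:31:44 openvpn 53208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,ifconfig 10.34.0.10 10.34.0.9,peer-id 0'
Oct 21 09:31:44 openvpn 53208 Preserving previous TUN/TAP instance: ovpnc1
Oct 21 09:31:44 openvpn 53208 Initialization Sequence Completed
"""
SAMPLE_ROUTES = """\
Destination Gateway Flags Netif Expire
0.0.0.0/1 10.34.0.5 UGS ovpnc1
default mynetwork UGS le1
10.34.0.1/32 10.34.0.5 UGS ovpnc1
10.34.0.5 link#7 UH ovpnc1
128.0.0.0/1 10.34.0.5 UGS ovpnc1
192.168.2.0 link#2 U le1
"""

WARN_MISSING = re.compile(r"WARNING: '(?P<opt>[^']+)' is present in (?:remote|local) config "
                          r"but missing in (?P<missing>remote|local) config")
WARN_INCONS = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
                         r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
PUSH_RE = re.compile(r"PUSH_REPLY,(?P<body>.*)'")


def parse_push(body):
    """'redirect-gateway def1,dhcp-option DNS 10.9.0.1,...' ->
    {'redirect-gateway': ['def1'], 'dhcp-option': ['DNS 10.9.0.1', ...], ...}"""
    pushed = {}
    for item in body.split(","):
        parts = item.strip().split(None, 1)
        if parts:
            pushed.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return pushed


def parse_log(lines):
    """Collect the transport, option-mismatch warnings and the pushed options."""
    info = {"transport": None, "warnings": [], "pushed": {}}
    for line in lines:
        if "TCP connection established" in line:
            info["transport"] = "tcp"
        elif "UDPv4 link remote" in line:
            info["transport"] = "udp"
        if m := WARN_MISSING.search(line):
            info["warnings"].append({"option": m["opt"], "kind": "missing", "missing_on": m["missing"]})
        if m := WARN_INCONS.search(line):
            info["warnings"].append({"option": m["opt"], "kind": "inconsistent",
                                     "local": m["local"], "remote": m["remote"]})
        if m := PUSH_RE.search(line):
            info["pushed"] = parse_push(m["body"])
    return info


def parse_routes(text):
    """Parse `netstat -r` rows into dicts; the Expire column is often absent."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] != "Destination":
            rows.append({"dest": cols[0], "gateway": cols[1], "flags": cols[2], "netif": cols[3]})
    return rows


def diagnose(info, routes):
    """Return (code, message) findings in the order the evidence appears."""
    findings = []
    if info["transport"] == "tcp":
        findings.append(("TRANSPORT_TCP", "log shows TCP; confirm the client protocol matches the server profile"))
    for w in info["warnings"]:
        if w["kind"] == "inconsistent" and w["option"] == "link-mtu":
            findings.append(("MTU_MISMATCH", f"link-mtu local={w['local']!r} remote={w['remote']!r}"))
        elif w["kind"] == "missing" and w["option"] == "comp-lzo":
            has_it = "remote" if w["missing_on"] == "local" else "local"
            findings.append(("COMP_MISMATCH", f"comp-lzo on {has_it} side only; data-channel packets "
                                              "are framed differently on each side until both agree"))
    if "redirect-gateway" in info["pushed"]:
        halves = {r["dest"]: r for r in routes if r["dest"] in ("0.0.0.0/1", "128.0.0.0/1")}
        if len(halves) != 2 or not all(r["netif"].startswith("ovpnc") for r in halves.values()):
            findings.append(("NO_DEF1_ROUTES", "redirect-gateway def1 pushed but /1 routes are not on the tunnel"))
        elif info["pushed"].get("ifconfig"):
            local_ip, remote_ip = info["pushed"]["ifconfig"][0].split()
            gws = sorted({r["gateway"] for r in halves.values()})
            if remote_ip not in gws:
                findings.append(("TUN_ADDR_MISMATCH", f"server pushed ifconfig {local_ip} {remote_ip} but the /1 "
                                                      f"routes use gateway {','.join(gws)}; stale tunnel addresses?"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_log(SAMPLE_LOG.splitlines()), parse_routes(SAMPLE_ROUTES)):
        print(f"{code:18} {msg}")
```

Run it as-is to see the four findings for the sample, or feed it the full log from /var/log/openvpn.log and a fresh `netstat -r` taken in the same session so the address comparison is meaningful. Each finding maps to one setting on the pfSense client page: protocol, compression, and the tunnel addresses, which is a quicker loop than re-reading the whole verb 3 log after every change.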