BUG: Pfsense 2.4 and OpenVPN 2.4 Client to PIA



  • Well I'm stuck. Is anyone else having issues connecting to PIA using 2.4?

    I'm running into a couple of problems.

    First, it only very rarely connects successfully, no matter which region I use.
    If I reboot or restart the OpenVPN service after it's connected, the tunnel will try to reconnect but always fails with "reconnecting; auth-failure".

    I tried the OpenVPN client on other machines and I can connect with no issue using the PIA profiles.
    I've verified the user name and password are correct. I've set them in the GUI and checked the config files under /var/etc/openvpn to validate.

    I've tried both 128 and 256 ciphers, with the same result.
    I've completely deleted all config, interfaces and gateways and started from scratch.
    I've looked through as many articles and forum threads as I could for possible configuration examples, and tried many different options with no luck.

    : cat client1.conf
    dev ovpnc1
    verb 5
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.XX.XX.XX ###Omitted my Public IP
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote ca-toronto.privateinternetaccess.com 1198
    auth-user-pass /var/etc/openvpn/client1.up
    auth-retry nointeract
    ca /var/etc/openvpn/client1.ca
    ncp-disable
    compress lzo
    resolv-retry infinite
    route-nopull
    persist-key
    tls-client
    remote-cert-tls server
    comp-lzo
    reneg-sec 0
    auth-nocache



  • First, I apologize for the brevity of my first post; I should have included some more detail.

    So after banging my head against the wall for a couple of days on this one, and also opening a ticket with PIA (which I've never heard back on), I believe we have a bug with the OpenVPN client caching passwords.
    I've got my tunnel up and working now, and coming back up through reboots.

    I found two posts on the OpenVPN forums that pointed me in that direction.

    save password does not work #161.
    https://github.com/OpenVPN/openvpn-gui/issues/161

    and

    Pressing reconnect fails to reconnect with auth failure #885
    https://community.openvpn.net/openvpn/ticket/885

    I had to add both of these to the client config to avoid the issue of "reconnecting; auth-failure" and "ping-restart".

    Check this box:
    "Authentication Retry: Do not retry connection when authentication fails"
    (When enabled, the OpenVPN process will exit if it receives an authentication failure message. The default behavior is to retry.)

    Add this to custom options:
    auth-nocache;

    The connection instantly comes up for me now.

    Also note that you may have to reboot; at least in my case I did.

    This is what my config looks like now. It obviously may need tweaking, but anyone having this issue with authentication can at least use this as a baseline.

    dev ovpnc1
    verb 5
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local X.X.X.X #I removed my IP INFO here
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote ca-toronto.privateinternetaccess.com 1197
    auth-user-pass /var/etc/openvpn/client1.up
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    ncp-disable
    compress lzo
    resolv-retry infinite
    route-nopull
    remote-cert-tls server
    auth-nocache
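The two configs in this thread differ in a few directives that are easy to miss by eye: the first one carries `auth-retry nointeract` (retry with the cached credentials), lists `persist-key` and `tls-client` twice, and has both `comp-lzo` and `compress lzo`. The following linter is an added example, not code from the thread or from pfSense/OpenVPN; it parses an OpenVPN client config and reports exactly those points. The sample config is constructed (placeholder IP and hostname), and the parser's treatment of a `#` token as a trailing comment is an assumption that matches how OpenVPN tokenises a line.

```python
"""Lint an OpenVPN client config for the auth-retry / auth-nocache / duplicate
directive issues discussed in this thread (added example, not project code)."""
from collections import Counter

# Constructed sample, modelled on the first poster's config: placeholder IP and
# hostname, duplicated directives, and the auth-retry setting the thread removes.
SAMPLE_CONF = """\
dev ovpnc1
dev-type tun
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
local 203.0.113.10 ###placeholder public IP
tls-client
client
remote vpn.example.invalid 1198
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
ncp-disable
compress lzo
route-nopull
persist-key
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
auth-nocache
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]) in file order.

    Assumption: a token starting with '#' or ';' begins a comment, so the
    trailing comment after 'local <ip>' is dropped. Quoted arguments are not
    handled; this is enough for the generated pfSense client configs.
    """
    entries = []
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def lint_client_conf(text):
    """Summarise the settings that matter for the auth-failure loop."""
    entries = parse_openvpn_conf(text)
    counts = Counter(directive for directive, _ in entries)
    # For simple single-value options OpenVPN keeps the last occurrence.
    opts = dict(entries)
    findings = {}
    # OpenVPN's default is 'auth-retry none': exit on AUTH_FAILED, which lets
    # the supervisor restart the process and re-read the credential file.
    # 'nointeract' instead retries with the credentials already in memory.
    findings["auth_retry"] = (opts.get("auth-retry") or ["none"])[0]
    # auth-nocache stops the client keeping the username/password in memory
    # after the initial handshake.
    findings["auth_nocache"] = "auth-nocache" in counts
    findings["duplicates"] = sorted(d for d, n in counts.items() if n > 1)
    # comp-lzo and compress are the old and new spellings of the same setting;
    # having both is a sign the config was hand-merged.
    findings["lzo_conflict"] = "comp-lzo" in counts and "compress" in counts
    # auth-user-pass with a file is required for a daemonised client; with no
    # argument OpenVPN would try to prompt on a terminal it does not have.
    findings["auth_user_pass_file"] = (opts.get("auth-user-pass") or [None])[0]
    return findings


def report(text):
    """Human-readable list of problems, empty when the config looks clean."""
    f = lint_client_conf(text)
    problems = []
    if f["auth_retry"] != "none":
        problems.append("auth-retry %s: client retries with cached credentials" % f["auth_retry"])
    if not f["auth_nocache"]:
        problems.append("auth-nocache missing: credentials stay cached in memory")
    for d in f["duplicates"]:
        problems.append("directive '%s' appears more than once" % d)
    if f["lzo_conflict"]:
        problems.append("both comp-lzo and compress present")
    if "auth-user-pass" in dict(parse_openvpn_conf(text)) and f["auth_user_pass_file"] is None:
        problems.append("auth-user-pass has no credential file; daemon cannot prompt")
    return problems


if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print("-", line)
```

Run it against `/var/etc/openvpn/client1.conf` from a pfSense shell (reading the file instead of `SAMPLE_CONF`) before and after saving the OpenVPN client page; the fixed config from the second post should report nothing but the `auth-retry`/`auth-nocache` state you expect.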



  • The one other thing I've found that is weird is that I'm using a firewall rule with an alias to send traffic for certain IPs to the tunnel's gateway.
    After a reboot, or if the tunnel is restarted, I need to "save" the rule again for it to start being used, which looks like it reloads the filter.

    Any suggestions of anything else I could or should be doing in order for that to happen automatically after the VPN gateway comes up?

    Screenshot of the rule in question is attached.

    ![Screen Shot 2017-10-27 at 12.20.16 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-27 at 12.20.16 PM.png)



  • I connect by IP… no issues whatsoever.

    I just renewed yesterday and it still works flawlessly

    SG-2220 with 256-bit encryption.

    Edit: I also have AES-NI acceleration enabled.



  • Thanks for the response. I checked this box, which seems to have solved my above problem:
    "Skip rules when gateway is down" under advanced settings.

