OpenVPN needs to be restarted at pfsense reboot



  • Hi,

    I got nordvpn working fine as openvpn client after I emailed them about an updated guide.
    Only issue I have is after a reboot I have to restart openvpn to get connectable even though it says it's connected in openvpn stats.

    Any idea why? Or how to make openvpn restart itself after bootup is complete?

    edit: just want to add I have "Skip rules when gateway is down" enabled under System/Advanced/Miscellaneous



  • I see that with my current provider but if I refresh the page it is actually connected?

    Could you share what they gave you?  I tried to work with them during the entire trial period and my speeds were horrible using openvpn on pfsense and using their proprietary software



    1. In order to set up pfSense 2.4.1 with OpenVPN please access your pfSense via browser. Then navigate to System -> Cert. Manager -> CAs. And select +Add.

    You should see this screen:

    2. We will configure our pfSense to connect to NL120 server. Press on “+ Add” button. Then fill the fields out like this:

    Descriptive Name: NordVPN_NL120_CA
    Method: Import an existing Certificate Authority
    Certificate data: (you can get this certificate by downloading our CA and TLS files from here:  https://downloads.nordcdn.com/configs/archives/certificates/servers.zip

    -----BEGIN CERTIFICATE-----
    MIIEyjCCA7KgAwIBAgIJAO6JioltoPZUMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
    VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
    Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRbmwxMjAubm9yZHZw
    bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
    ZHZwbi5jb20wHhcNMTcxMDI2MDk1MzIwWhcNMjcxMDI0MDk1MzIwWjCBnjELMAkG
    A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
    B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEW5sMTIwLm5vcmR2
    cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
    cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2m1YMMaT
    i78Whnb5bQ1WGVBzEQrvwfXLwTBaIJ3WcoyOdzweqt/85YaP4gIBefoiqKyCXja0
    Zuh9AKxt/LBkH11GDxLpNzMzRgd9j7zHExJd2k7AGfuGFWF6A5lCEN+82mS+xOqu
    Zmzfu/c2uyLGOWsb6DkAEQmx+qLZ2j2JtdFotinRqluPkG5mjU3BUCR4iwty8XI8
    R7sGOLqkH2wY0pM06ywgedTC0M7Bfl0G2W18UNUJY8/1/P4u90ZGWpmmzgh7DeYi
    r9nqIzOlqMkBZ+AKxoZ8O6m1MqZ3UsFXFouoAAgiJBxmN9eY0kbKCLzPb6jzbHCa
    LKqr9s6HI3k8jwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFCVsAOOJHCM7mbeVJr6L
    SRf1WCCuMIHTBgNVHSMEgcswgciAFCVsAOOJHCM7mbeVJr6LSRf1WCCuoYGkpIGh
    MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
    MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRbmwx
    MjAubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
    EGNlcnRAbm9yZHZwbi5jb22CCQDuiYqJbaD2VDAMBgNVHRMEBTADAQH/MA0GCSqG
    SIb3DQEBCwUAA4IBAQBGsb6q917R1JkszsWD5QxQWO2A++r1OA8rgoyYe9yENVeL
    y3W387gOvXN6XHTN8LEJ2UGlvykp5PYcfLGu6j34f20rw02NzOlljF1377OLcxSg
    nXYkd3xKdM3gVSjV6v1OgBmlgpXasjhNN3K9n0lvkSVZK2hEz/LuDkU1i9BAKtO2
    FPfXjuIsx6yC+9CeLN+N8+el6GGI9c0zp3t0ZYW1abSNN6rRccFz+ww/84c9gojR
    xVVn2vcs6K6zPXoi/yUZwgcM5k7B7/TN7uHCd5X1QOKOCbLz+6gdUzYcos2rZjC9
    jqFj3HJ/vLv7lVdX16Hg3ruF+npFwFZ/jTgTGK0S
    -----END CERTIFICATE-----

    Press “Save“

    3. Then navigate to VPN -> OpenVPN -> Clients and press “+Add”

    Fill in the fields:

    Disable this client: leave unchecked.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP on IPv4 only (you can also use TCP);
    Device mode: tun – Layer 3 Tunnel Mode;
    Interface: WAN;
    Local port: leave blank;
    Server host or address: nl120.nordvpn.com;
    Server port: 1194 (use 443 if you use TCP);
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy authentication extra options:
    Authentication method: None;
    Server host name resolution: check Infinitely resolve server;
    Description: Any name you like. We will use NordVPN_NL120.

    USER AUTHENTICATION SETTINGS

    User name: Your NordVPN username
    Password: Your NordVPN password in both fields.
    Authentication Retry: leave unchecked
    CRYPTOGRAPHIC SETTINGS
    TLS Authentication: Check
    Automatically generate a shared TLS authentication key: Uncheck

    -----BEGIN OpenVPN Static key V1-----
    004853a6d6a156c71bfa3d08332ad880
    f2fb8cfc15bf15634f6b3e76f457aa05
    9fec5ac90277c6b51d38cbb56d783506
    cc5a8d04948b15b04dbe015bf3507de0
    13539e63812685af4ea779d352f45921
    7b94ba7f06fd5c5bdd5c5a6b39d86669
    763faa1a63453c07871d1e9be348520c
    01b7de80eaa9e423a215954409cc490f
    f9704c91e1776892454f96d253bf5517
    36c85335ab3e4998c9c6dc182ff261ef
    f628d9994ae86773d5756b96dee9ede5
    2f00f03f544b644fa99767e74023e365
    35f5b094268385fb131fc828d2d51ec1
    340b739a91a729f7ca89c818add53f66
    63e30cdb599b75a16196c9444afe8923
    13d3a5c8da74ce7368b92b6bdeebe089
    -----END OpenVPN Static key V1-----

    Peer certificate authority: NordVPN_NL120_CA;
    Peer Certificate Revocation list: do not define.
    Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
    Encryption Algorithm: AES-256-GCM
    Enable NCP: Check.
    NCP Algorithms: AES-256-GCM and AES-256-CBC.
    Auth digest algorithm: SHA512 (512-bit)
    Hardware Crypto: No hardware crypto acceleration.

    TUNNEL SETTINGS

    IPv4 tunnel network: leave blank;
    IPv6 tunnel network: leave blank;
    IPv4 remote network/s: leave blank;
    IPv6 remote network/s: leave blank;
    Limit outgoing bandwidth: leave blank;
    Compression: LZO Compression [Legacy style, comp-lzo yes];
    Topology: Subnet – One IP address per client in a common subnet
    Type-of-service: leave unchecked;
    Disable IPv6: check Don’t forward IPv6 traffic;
    Don’t pull routes: check;
    Don’t add/remove routes: leave unchecked.

    ADVANCED CONFIGURATIONS

    Custom Options:

    tls-client;
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
    auth-retry nointeract;

    UDP FAST I/O: leave unchecked.
    Send/Receive Buffer: Default
    Verbosity level: 3 (recommended);

    5. Navigate to Interfaces -> Interface Assignments and Add NordVPN NL120 interface.

    6. Press on the OPT1 to the left of your assigned interface and fill in the following information:

    Enable: check
    Description: NordVPN
    IPv4 Configuration Type: DHCP
    IPv6 Configuration Type: None
    Mac Address: leave blank
    MTU: leave blank
    MSS: leave blank

    Do not change anything else. Just scroll down to the bottom and press “Save”

    7. Navigate to Services -> DNS Resolver -> General Settings

    Enable: check
    Listen port: leave what it already is
    Network Interfaces: All
    Outgoing Network Interfaces: NordVPN
    System Domains Local Zone Type: Transparent
    DNSSEC: uncheck
    DNS Query Forwarding: check
    DHCP Registration: check
    Static DHCP: check
    Save

    8. While in DNS Resolver, select Advanced Setting at the top and then fill in the following:

    Hide Identity: check
    Hide Version: check
    Prefetch Support: check
    Prefetch DNS Key Support: check
    Save

    9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation.”. Press “Save“. Then four rules will appear. Leave the 127.0.0.0 rules untouched and edit both rules which have your Network address as a source specified.
    9.1. Change the Interface to NordVPN;
    9.2. Click Save. At the end it should look like this:

    10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
    10.1. Press on Show Advanced Options;
    10.2. Change Gateway to NordVPN;
    10.3. Click Save.

    At the end it should look like this:

    11. Go to System -> General Setup and fill in:

    DNS Server 1: 162.242.211.137 ; none
    DNS Server 2: 78.46.223.24 ; NordVPN_DHCP-…
    Save

    12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”

    13. You can also check the connection log file under Status -> System Logs -> OpenVPN:



    (Fourteen screenshots of the steps above were attached to the original post; they are not reproduced here.)



  • One thing I'll say is that Encryption Algorithm should be AES-256-CBC (it will produce a whole bunch of errors if not set)
    and keep the logging to default or it will spam the logs every 5 minutes.

    They did say the guide is in beta and not for public.



  • To be honest that looks exactly the same as my setup when I tried their service.

    Several steps are different from other providers, which I could not understand.    My service would work, but on a 100Mb download I could not get above 25Mb.

    The ONLY thing I could come up with was their super high level encryption…

    If I reboot my pfSense my connection starts on startup.  Here are my custom options, you may try adding them to see if it starts... sorry I am not an openvpn expert, hopefully someone else can chime in:

    remote-cert-tls server;
    reneg-sec 0;
    resolv-retry infinite;
    persist-key;
    persist-tun;
    cipher aes-256-cbc;
    auth sha256;
    tls-client;
    pull-filter ignore "auth-token"



  • Still no luck.

    I do get following errors when connecting:

    Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    
    


  • I also get following error message on first connection try after reboot (when connection fails):

    ioctl(TUNSIFMODE): Device busy (errno=16)
    

    but the error disappears when I restart openvpn (and the connection works)
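The two error types quoted in the replies above are distinctive enough to be matched mechanically. The script below is an added example, not code from the thread, pfSense or OpenVPN: it runs the quoted messages through a small triage function and prints, per distinct message, the remedy the rest of the thread arrives at (a `pull-filter ignore "<option>"` custom option for each pushed option the client refuses, and a client restart for the tun "Device busy" error seen on the first attempt after a reboot). The sample log is constructed from the lines posted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN.
# Maps OpenVPN client log messages to the fixes discussed in the thread:
#  - a pushed option the client cannot accept ([PUSH-OPTIONS] error) is
#    silenced with a matching `pull-filter ignore "<option>"`,
#  - "ioctl(TUNSIFMODE): Device busy" on the first try after a reboot
#    means the tun device is still held, so the client needs a restart.

# Constructed sample: the lines quoted in the thread plus one harmless line.
SAMPLE_LOG=$(cat <<'EOF'
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
TCP/UDP: Preserving recently used remote address
ioctl(TUNSIFMODE): Device busy (errno=16)
EOF
)

# Classify one log line. Prints a verdict, or nothing for lines that
# need no action.
triage_line() {
    line=$1
    case $line in
        *"Options error: option '"*"' cannot be used in this context ([PUSH-OPTIONS])"*)
            # Pull the option name out from between the single quotes.
            opt=${line#*"option '"}
            opt=${opt%%\'*}
            printf 'pushed option rejected: add custom option: pull-filter ignore "%s"\n' "$opt"
            ;;
        *"ioctl(TUNSIFMODE): Device busy"*)
            printf 'tun device still busy from boot: restart the OpenVPN client\n'
            ;;
        *"Initialization Sequence Completed"*)
            printf 'tunnel up\n'
            ;;
    esac
}

# Triage a whole log (passed as one string) and collapse repeated
# verdicts, so a message that is logged every few minutes becomes one
# action item. awk keeps the first occurrence and the original order.
triage_log() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        triage_line "$l"
    done | awk '!seen[$0]++'
}

triage_log "$SAMPLE_LOG"
```

Run it as-is to see the three action items for the sample; on a real box, pass the text of Status -> System Logs -> OpenVPN to `triage_log` instead of the constructed sample.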



  • I run NordVPN clients too and don't have this problem.  Some notes on your configuration (and I realize I may be repeating some points already brought up by other posters):

    • In your client config, use the raw IP of the server instead of its hostname.  So instead of nl120.nordvpn.com, put 109.236.87.76.  Since you're routing DNS queries through your VPN, you have a chicken-and-egg problem.  You can't perform DNS queries until your VPN tunnel is up, but you can't bring your VPN tunnel up until you can resolve nl120.nordvpn.com.  Using the raw IP works around this.

    • Encryption algorithm needs to be AES-256-CBC, and uncheck the "Enable NCP" option.

    • Compression should be Adaptive LZO

    • My custom options (for UDP) are:  tls-client;remote-random;auth-nocache;remote-cert-tls server;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;persist-key;persist-tun;reneg-sec 0;auth-retry nointeract;pull-filter ignore "redirect-gateway";pull-filter ignore "dhcp-option"

    • I have "Use fast I/O operations" checked and buffer size set to 512KB (again, for UDP)

    A few other comments:

    • I find that, on a reboot, unbound consistently comes up before my VPN clients.  And when this happens, unbound reverts to its defaults of using all interfaces for outgoing queries.  So you can end up in a situation where you think all your DNS queries are being routed through your VPN, but they're really not.  Right now, I know of no automatic workaround for this, so I just remember to manually restart unbound after a reboot.

    • I also notice that on a reboot, gateway monitoring will frequently indicate that my VPN clients are down even though they're not.  I don't know why this is, but if I just edit the settings for one of my VPN client gateways and then save and apply without making any changes, the system seems to re-spawn the dpinger instances responsible for the monitoring and everything is happy.
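The reply above names three things to verify after a reboot: that the client reaches the server by IP rather than by a name it cannot resolve yet, that the tunnel interface really came up, and that unbound did not fall back to sending queries out of every interface because it started before the VPN client. The script below is an added example, not code from the thread or from pfSense: it implements those checks as functions over text input, run here on constructed samples. The assumed pfSense details are labelled: client interfaces named `ovpncN`, and unbound restricted by `outgoing-interface:` lines in its generated configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Post-reboot
# checks for a pfSense OpenVPN client, as discussed in the thread:
#  1. does every "remote" line carry a literal IPv4 address, so the
#     tunnel can come up without working DNS,
#  2. did the tunnel interface get an inet address,
#  3. is unbound still sending its queries only through the tunnel, or
#     did it revert to "all interfaces" because it started first.
# Assumptions: the client interface is ovpnc1 (pfSense naming), and
# pfSense writes "outgoing-interface: <ip>" lines into unbound.conf when
# an outgoing interface is selected and none when it reverted to "All".

# --- constructed samples ---------------------------------------------------
SAMPLE_CLIENT_CONF=$(cat <<'EOF'
dev ovpnc1
client
remote nl120.nordvpn.com 1194 udp4
remote-cert-tls server
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option"
EOF
)

SAMPLE_IFCONFIG=$(cat <<'EOF'
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 10.8.0.34 --> 10.8.0.1 netmask 0xffffff00
EOF
)

# unbound as it looks when it came up before the VPN: no outgoing
# restriction at all, so queries may leave through the WAN.
SAMPLE_UNBOUND_CONF=$(cat <<'EOF'
server:
interface: 0.0.0.0
interface: ::0
port: 53
do-ip4: yes
EOF
)

# 1. A hostname on a "remote" line needs DNS before the tunnel exists,
#    which is exactly what a VPN-only resolver cannot provide.
check_remote_is_ip() {
    printf '%s\n' "$1" | awk '
        $1 == "remote" {
            if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ok++; else bad++
        }
        END {
            if (bad > 0) print "FAIL: " bad " remote line(s) use a hostname"
            else if (ok > 0) print "OK: remote by IP"
            else print "FAIL: no remote line"
        }'
}

# 2. The tunnel interface only gets an inet address once the handshake
#    finished; "connected" in the GUI is not enough.
check_tun_up() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" { found = 1; addr = $2 }
        END {
            if (found) print "OK: tunnel address " addr
            else print "FAIL: no inet address on tunnel interface"
        }'
}

# 3. Every outgoing-interface line must be the tunnel address, and there
#    must be at least one; otherwise queries can egress via the WAN.
check_unbound_outgoing() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "outgoing-interface:" { n++; if ($2 != want) wrong++ }
        END {
            if (n == 0) print "FAIL: unbound has no outgoing-interface, queries may leave via WAN"
            else if (wrong > 0) print "FAIL: unbound outgoing-interface is not the tunnel address"
            else print "OK: unbound sends queries only via " want
        }'
}

# Run all three checks; the tunnel address found in step 2 feeds step 3.
post_boot_report() {
    check_remote_is_ip "$1"
    check_tun_up "$2"
    tun_ip=$(printf '%s\n' "$2" | awk '$1 == "inet" { print $2; exit }')
    check_unbound_outgoing "$3" "${tun_ip:-none}"
}

post_boot_report "$SAMPLE_CLIENT_CONF" "$SAMPLE_IFCONFIG" "$SAMPLE_UNBOUND_CONF"
```

On the samples this reports one hostname-based `remote` line, a tunnel address of 10.8.0.34, and an unbound with no outgoing restriction, the failure mode the reply describes. To run it against a live box, feed `post_boot_report` the client configuration, the output of `ifconfig ovpnc1`, and the generated unbound configuration (assumed to live under /var/unbound on pfSense) instead of the samples; a FAIL on the third check is the cue to restart unbound after the VPN is up.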



  • @TheNarc:

    You sir are a life saver. Thank you for the help!



  • No problem, I hope it works for you.  I realize that I should have also noted that I use policy routing (i.e. assign traffic to either go through the VPN or not using firewall rules).  I think I assumed that you were doing this too, but if you're not and don't have your VPN client gateway set as the default gateway, then traffic won't go through the VPN unless you make firewall rules assigning it to.  If that's not clear, let me know and I can provide some examples.  Also, if you haven't already, using the "NO_WAN_EGRESS" packet matching/marking strategy is a great way to prevent traffic from unknowingly bypassing your VPN if it goes down:  https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN



  • for stopping traffic from leaving vpn, I have "Skip rules when gateway is down" checked under System/Advanced/Miscellaneous but I have seen the NO_WAN_EGRESS method before. But my method is not as fine grained as NO_WAN_EGRESS method where you can deny specific hosts on the network. I also have like 5 vlans and only 2 of those vlans have their traffic going out over vpn, so I think that works well enough for me.

    I am not sure what you mean by policy routing. Please elaborate. I used your settings and the network seems to be behind vpn.



  • Okay, well it sounds like you're set.  Policy routing is just using firewall rules to assign certain traffic to certain gateways and other traffic to other gateways (at least that's my high level understanding of it).  The alternative would be to assign traffic to gateways via static routes.  In any case, if you're set up with VLANs I trust you know what you're doing :)

