Netgate Discussion Forum

OpenVPN "Connected" but not routing..

OpenVPN
profIT (posted Jun 13, 2018, 2:43 AM; last edited by profIT Jun 13, 2018, 2:45 AM)

Have just set up my first OpenVPN tunnel, and the following is the log I get:

    Tue Jun 12 18:58:36 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
    Tue Jun 12 18:58:36 2018 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Jun 12 18:58:36 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
    Enter Management Password:
    Tue Jun 12 18:58:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.x.xxx:1194
    Tue Jun 12 18:58:42 2018 UDP link local (bound): [AF_INET][undef]:1194
    Tue Jun 12 18:58:42 2018 UDP link remote: [AF_INET]xxx.xxx.x.xxx
    Tue Jun 12 18:58:42 2018 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.x.xxx:1194 [0]
    Tue Jun 12 18:58:42 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Jun 12 18:58:43 2018 [VPNApp] Peer Connection Initiated with [AF_INET]xxx.xxx.x.xxx:1194
    Tue Jun 12 18:58:44 2018 open_tun
    Tue Jun 12 18:58:44 2018 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{20F6A07A-780E-44C4-A1AE-C59DEF38DDCC}.tap
    Tue Jun 12 18:58:44 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.8.0/10.0.8.2/255.255.255.0 [SUCCEEDED]
    Tue Jun 12 18:58:44 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.2/255.255.255.0 on interface {20F6A07A-780E-44C4-A1AE-C59DEF38DDCC} [DHCP-serv: 10.0.8.254, lease-time: 31536000]
    Tue Jun 12 18:58:44 2018 Successful ARP Flush on interface [15] {20F6A07A-780E-44C4-A1AE-C59DEF38DDCC}
    Tue Jun 12 18:58:44 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Jun 12 18:58:49 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]
    Tue Jun 12 18:58:49 2018 Initialization Sequence Completed

It shows up as "Connected", but it really isn't? The following line concerns me:

    Tue Jun 12 18:58:49 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=15]

How can I fix this? Subnet issue?

marvosa (last edited Jun 13, 2018, 4:16 AM)

Would need more info to advise on routing. Post your server1.conf.

Also, it looks like you may have a cert issue.

profIT (last edited Jun 13, 2018, 4:32 AM)

If that's something from the pfSense GUI or Console, then I will get to you with that soon. Also, I'm assigning the specific user SSL certs + the group certs... It tells me connected, but I stay on my physical local network...

Thanks for the reply, will get back to you soon with more details...

profIT (last edited Jun 13, 2018, 5:03 PM)

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.x.xxx 1194 udp
    verify-x509-name "VPNApp" name
    auth-user-pass
    pkcs12 pfSense-UDP4-1194-ryany.p12
    tls-auth pfSense-UDP4-1194-ryany-tls.key 1
    remote-cert-tls server

marvosa (posted Jun 13, 2018, 5:16 PM; last edited by marvosa Jun 13, 2018, 5:30 PM)

That looks like the client config; we need the server config.

Your server1.conf is here:

    /var/etc/openvpn

You can get there via the shell or Diagnostics -> Edit File.

profIT (last edited Jun 13, 2018, 5:33 PM)

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xxx.xxx.x.xxx
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9jYWwgRGF0YWJhc2U= false server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPNApp' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 32
    push "route 192.168.1.1 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    persist-remote-ip
    float
    topology subnet

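A check worth running on a server config like the one posted above (added example; not code from the thread, from pfSense or from OpenVPN): Windows refuses to install a route whose destination has host bits set under its mask, and reports it as "The parameter is incorrect" (status 87), the same message seen in the opening log. The posted server1.conf pushes `route 192.168.1.1 255.255.255.0`, whose network address for that mask is 192.168.1.0. The script scans route-style directives (`route`, `push "route ..."`, `iroute`, `server`) for that mismatch; the sample config is constructed from the posted lines plus one correct route for contrast.

```python
import ipaddress
import shlex

# Constructed sample: the route-related lines from the posted server1.conf,
# plus one correctly aligned route so the checker has something to pass.
SAMPLE_SERVER_CONF = """\
dev ovpns1
server 10.0.8.0 255.255.255.0
push "route 192.168.1.1 255.255.255.0"
push "route 10.20.0.0 255.255.0.0"
topology subnet
"""

ROUTE_DIRECTIVES = ("route", "iroute", "server")


def route_problems(conf_text):
    """Return (line_no, address, netmask, expected_network) for every
    route-style directive whose address is not the network address of its
    mask, i.e. a route Windows would reject with error 87."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        # push "route A M" carries the real directive inside the quotes
        if tokens[0] == "push" and len(tokens) >= 2:
            tokens = tokens[1].split()
        if tokens[0] not in ROUTE_DIRECTIVES or len(tokens) < 3:
            continue
        try:
            # strict=False so host bits do not raise; we compare them ourselves
            net = ipaddress.IPv4Network((tokens[1], tokens[2]), strict=False)
            addr = ipaddress.IPv4Address(tokens[1])
        except ValueError:
            continue  # symbolic forms such as "route vpn_gateway" are skipped
        if addr != net.network_address:
            problems.append((lineno, tokens[1], tokens[2], str(net.network_address)))
    return problems


if __name__ == "__main__":
    for lineno, addr, mask, expected in route_problems(SAMPLE_SERVER_CONF):
        print(f"line {lineno}: {addr} {mask} has host bits set; use {expected} {mask}")
```

The pfSense GUI field behind that push line is the server's "IPv4 Local network(s)" entry, so the same alignment check applies to what is typed there.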
profIT (last edited Jun 19, 2018, 5:59 PM)

Still haven't gotten OpenVPN to work properly. Don't know what's wrong; I've tried various forms of certs, and still nothing.

profIT (last edited Jun 20, 2018, 2:40 AM)

This is what I still get on the GUI, but I'm not really VPN'd in...

[screenshot]

House Of Cards (last edited Jul 10, 2018, 12:37 AM)

This post is deleted!
profIT @House Of Cards (last edited Jul 10, 2018, 12:50 AM)

@wormuths Yes I did. It's most likely a WAN rule issue for you too, as that's the first barrier OpenVPN encounters.

[screenshot]

Also make sure your rules include TCP/UDP and not just one or the other (unless you want it like that).

Something so simple, but some OpenVPN "Experts" couldn't even tell me what was wrong 😆 😆

Let me know how it goes.

House Of Cards (last edited Jul 10, 2018, 1:09 AM)

Nope. LOL

I created that rule, but same thing. Still shows my real IP. In all the tutorials I followed, once OpenVPN was set up, people couldn't browse until they went in and copied the NAT rules for the OpenVPN interface.

I didn't have that problem. I can browse even without creating the NAT outbound rules, but creating them makes no difference either. This is insanely frustrating.

profIT @House Of Cards (last edited Jul 10, 2018, 1:16 AM)

@wormuths Make sure your OpenVPN setup has this ticked off.

[screenshot]

Also, are you bridging the connections, or is it going to be on a separate subnet like 10.0.8.0?

House Of Cards (last edited Jul 10, 2018, 1:27 AM)

Sorry. Where is that setting?

This is a relatively new setup, but I have 4 interfaces besides WAN. I just have default pass rules set up for each right now so everything talks internally, and can get online. My goal is to set up specific pass rules after some testing period to ensure everything works first. It's a learning experience, so I'm just not locked down right now in the onset. Allowing all outbound, but nothing coming in except Plex is set up through NAT and works. No other incoming allowed.

The only incoming rule for WAN right now is the NAT rule for Plex. I set up the OpenVPN with the hopes of getting that part functioning, and then I'll disable the default "allow all" internal rules and start specifically specifying what can connect to each other.

Right now, all works, it just won't pass traffic through the VPN...

profIT @House Of Cards (posted Jul 10, 2018, 1:30 AM; last edited by profIT Jul 10, 2018, 1:32 AM)

@wormuths VPN/OpenVPN/Servers (There should be only one listed)/Edit
Also take a look at the type of Protocol, and keep it consistent on all your rules.
Also, are you using SSL/TLS?
You may need to re-export the client file and try again after changing some settings.

House Of Cards (last edited Jul 10, 2018, 1:34 AM)

I don't have a server setup. All the tutorials had me set up a client.

House Of Cards (last edited Jul 10, 2018, 1:36 AM)

TLS

House Of Cards (last edited Jul 10, 2018, 1:40 AM)

Did exactly this... If it helps?

https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

profIT @House Of Cards (last edited Jul 10, 2018, 1:44 AM)

@wormuths The tutorials are bad. Go to the wizard under VPN/OpenVPN and set up a server. And then recreate your clients with user certs AND then the server certs. This is SSL/TLS authentication; it's how I have it set up. It may get confusing, but there is not a tutorial about this one.

I'd try to help you remotely, if you're up for it.

House Of Cards (last edited Jul 10, 2018, 1:46 AM)

Okay. I appreciate the help. I'll run through trying to go the wizard route tomorrow and post back how it works out.

Long workday today, time to crash!!

TTYL, and thanks!

House Of Cards (last edited Jul 11, 2018, 1:24 AM)

Okay, so I don't know if some setting got "stuck" and corrected when I was clicking around, but it came up and is working now...

Thanks for the help!!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.