Cryptostorm connection error



  • For over 2 years I have had a successful connection to the Cryptostorm VPN network. Recently I noticed my VPN wasn't working anymore. I did upgrade from 2.4.3 to 2.4.4 a few days before I noticed it was no longer working. So for now I blame the upgrade.

    I spent a few hours on it. I even deleted all CA, gateway and VPN configs and re-added but the same error remains:

    Oct 10 20:17:28 	openvpn 	66603 	Exiting due to fatal error
    Oct 10 20:17:28 	openvpn 	66603 	FreeBSD ifconfig failed: external program exited with error status: 1
    Oct 10 20:17:28 	openvpn 	66603 	/sbin/ifconfig tun 10.66.2.242 10.66.2.1 mtu 1500 netmask 255.255.255.0 up 
    

    VPN settings: [screenshot]

    Gateway settings: [screenshot]

    I did also try with a monitoring IP and monitoring disabled.

    Full error log: https://pastebin.com/bxRP1GNk

    netstat -rn

    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS        igb0
    8.8.8.8            192.168.1.1        UGHS       igb0
    10.0.0.0/16        link#3             U          igb2
    10.0.0.2           link#3             UHS         lo0
    10.1.0.0/24        10.0.0.2           UGS        igb2
    10.10.10.1         link#3             UHS         lo0
    10.10.10.1/32      link#3             U          igb2
    127.0.0.1          link#5             UH          lo0
    192.168.0.0/16     link#1             U          igb0
    192.168.1.14       link#1             UHS         lo0
    
    Internet6:
    Destination                       Gateway                       Flags     Netif Expire
    ::1                               link#5                        UH          lo0
    fe80::%igb0/64                    link#1                        U          igb0
    fe80::20d:b9ff:fe43:3f30%igb0     link#1                        UHS         lo0
    fe80::%igb2/64                    link#3                        U          igb2
    fe80::20d:b9ff:fe43:3f32%igb2     link#3                        UHS         lo0
    fe80::%lo0/64                     link#5                        U           lo0
    fe80::1%lo0                       link#5                        UHS         lo0
    

    ifconfig -a on pastebin, as this is considered spam by Akismet?!

    Cryptostorm ovpn file on Github.

    This is the only VPN client I have, no VPN servers. I do have an IPsec tunnel with IPs in 10.1.0.0/24. My LAN is located in 10.0.0.0/16. I'm no network guru but I think that those don't overlap with "/sbin/ifconfig tun 10.66.2.242 10.66.2.1 mtu 1500 netmask 255.255.255.0 up"

    There is a bug report and a topic with the same error, but that is caused by the monitoring IP on the OpenVPN interface.

    https://redmine.pfsense.org/issues/8142
    https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734

    Can someone please help me out?


  • Rebel Alliance Global Moderator

    So you're using the OLD RSA configs, but you're using 5060. Isn't that port reserved for ECC configs?

    https://cryptostorm.is/configs/rsa/
    If necessary, you can change the port in these configs to anything from 1 to 29999,
    excluding ports 5060, 5061, and 5062. Those three are reserved for the ecc configs,

    And your gui setup is saying to use your web gui cert??



  • My bad. I linked to the RSA configs because I tried them both, I edited the link. My current setup is based on the ecc settings.

    The client certificate is not needed by Cryptostorm, but pfSense demands it; you cannot leave it blank. The other option is to specify password/username. But then the error remains the same:

    Oct 14 16:45:06 	openvpn 	15297 	Exiting due to fatal error
    Oct 14 16:45:06 	openvpn 	15297 	FreeBSD ifconfig failed: external program exited with error status: 1
    Oct 14 16:45:06 	openvpn 	15297 	/sbin/ifconfig tun 10.66.2.90 10.66.2.1 mtu 1500 netmask 255.255.255.0 up 
    

    Do you have any other suggestions?



  • Issue has been resolved. Because of "dev tun;" in the custom options the interface wasn't coming up. I removed it and everything works as wanted.


  • Rebel Alliance Global Moderator

    Also if you're not going to use the client cert you should just set it to none ;)

    [Screenshot: noclientcert.png]



  • The following input errors were detected:

    If no Client Certificate is selected, a username and/or password must be entered.
    

    pfSense doesn't allow me to.
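
A small check for the failure resolved earlier in this thread, as an added example that is not part of any post or of pfSense itself: it looks for a failed `ifconfig` call on a device name with no unit number and matches it against a `dev` directive in the custom options. The sample log and options are constructed from the lines quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log lines and the "dev tun;" custom
# option quoted in the thread (the "verb 3" option is a made-up placeholder).
SAMPLE_LOG = (
    "Oct 10 20:17:28 openvpn 66603 Exiting due to fatal error\n"
    "Oct 10 20:17:28 openvpn 66603 FreeBSD ifconfig failed: "
    "external program exited with error status: 1\n"
    "Oct 10 20:17:28 openvpn 66603 /sbin/ifconfig tun 10.66.2.242 "
    "10.66.2.1 mtu 1500 netmask 255.255.255.0 up\n"
)
SAMPLE_CUSTOM_OPTIONS = "dev tun; verb 3"

IFCONFIG_CMD = re.compile(r"/sbin/ifconfig\s+(\S+)\s")

def parse_custom_options(text):
    """Split semicolon- or newline-separated options into (directive, args)."""
    pairs = []
    for chunk in re.split(r"[;\n]", text):
        words = chunk.split()
        if words and not words[0].startswith("#"):
            pairs.append((words[0], words[1:]))
    return pairs

def device_overrides(text):
    """Return custom options that set the tunnel device themselves."""
    return [(d, a) for d, a in parse_custom_options(text) if d == "dev"]

def bare_ifconfig_devices(log_text):
    """Device names passed to ifconfig without a unit number (e.g. 'tun')."""
    if "ifconfig failed" not in log_text:
        return []
    names = [m.group(1) for m in IFCONFIG_CMD.finditer(log_text)]
    return sorted({n for n in names if not n[-1].isdigit()})

def diagnose(log_text, custom_options):
    """Correlate the failure signature with device overrides in the options."""
    bare = bare_ifconfig_devices(log_text)
    overrides = device_overrides(custom_options)
    suspects = [(d, a) for d, a in overrides if a and a[0] in bare]
    return {"bare_devices": bare, "overrides": overrides, "suspects": suspects}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CUSTOM_OPTIONS))
```

A non-empty `suspects` list points at the custom option to remove, which is the fix reported in the thread.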