NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support



  • A few days ago I got a little pfsense box I built up and running and it's been working great. Though I haven't had much chance to dive into it as I'm stuck on trying to get a VPN up and running.

    I currently have a subscription for ExpressVPN expiring in a few days, but after chatting with their tech support a few times, including their complete unfamiliarity with pfsense, and admitting that their online guide was written by a customer and they have no idea how to help me, I went looking for another provider.

    So I signed up for NordVPN yesterday because it looked like they had a great step by step guide, written for the latest version of pfsense here.

    So I followed the guide, and there were three areas along the way where the output in the guide was not the same as my output. I took screenshots of these discrepancies which I'll go over in a minute.

    But in any event, I contacted NordVPN through their chat help and spent a couple hours with someone who tried in vein to figure out my problem, and in fact managed to invent a new problem that didn't seem to be there before. After I had set it up, I just had server status is "down", but after he had me input a different tls key, I've been getting the "reconnecting-tls-error" message ever since, and we spent most of the time on that chat trying to fix what he broke. We never improved the situation.

    So that brings me here, to see if anyone here can help me get this setup running. I tried at first to look at the pfsense documentation here, but I get lost at the table of contents. I don't know what "Configuring a Site-to-Site PKI (SSL) OpenVPN Instance" means, or any of the rest of it, I'm the kind of guy who needs a bit more hand holding.

    So in any event, you know the error I'm having, here are the steps along the way that weren't what I was expecting.

    1. There is this point in the guide under part 3, VPN > OpenVPN > Clients +Add where I'm to set the Client Certificate, and I should see this;

    Disc1_Guide.PNG

    But what I got was this, with no option for webConfigurator default. I'm not sure why it would expect to find anything here, since nowhere in the guide did we create a certificate, which is something I did create when trying to set up ExpressVPN (which I also didn't get working) The NordVPN tech told me this was fine and to ignore it.

    Disc1_pfsense.PNG

    1. During step 7 of the guide, a similar situation arises where I am to set the SSL/TLS Certificate and I'm supposed to see this;

    Disc2_Guide.PNG

    Instead I see this;

    Disc2_pfsense.PNG

    If I click on the "Create or Import" a certificate link, I'm directed to the Certificates section, where again I've not been directed to create a certificate. The NordVPN tech was unsure about whether or not this was a problem, and we never resolved it.

    1. The last thing was an error I got doing step 8;

    Disc3_guide.PNG

    Error* "Harden DNSSEC Data option can only be enabled if DNSSEC support is enabled"

    Disc3_pfsense.PNG

    At the end of the Chat with the NordVPN tech, I was to be forwarded to another level of tech support help, who would contact me via email. However, almost 24 hours later I've not even gotten an acknowledgement that I exist, outside of the marketing spam I received this morning.

    So anyway here I am, noob looking for some help.


  • LAYER 8 Global Moderator

    What idiot put that guide together... OMG!! No you would NOT be using your web gui self signed cert as your client cert... They should of provided you with 1!! In your download configuration files... Which you would import into the cert manger of pfsense just like you did with the CA cert in the first part of the guide.

    If they are just going to have you use username and password to auth, the the client cert should be set to NONE!!

    none.png



  • @johnpoz

    I was kind of provided with one, I think. But it wasn't in a text file. When I clicked on it, it was trying to install itself, and I really didn't know what to do with it, as it's not explained in the guide, so I ignored it. The only thing in a text file was the tls-key, which is different from the tls key on the guide. Using the tls key on the guide gave me "down" status. using the tls key from the file, which was the same key the tech gave me, results in "reconnecting-tls-error"

    So I did leave the certificate to none, because as I said, I never created a certificate...because the guide never tells you to. You create a CA, but no certificate. I kind of figured Step 2 in the guide would be to create the certificates you need, but instead it jumps right to making the client.



  • @HardRooster They have a cert for each server.

    https://downloads.nordcdn.com/configs/archives/certificates/servers.zip and now by the looks of things a single cert for all.



  • @NogBadTheBad

    6bfad58c-bbc6-4413-815c-ba282b238938-image.png

    I'm not confused about this fact.

    I've downloaded the server keys file, but what I see here are file types that are not text files. So I don't know how I would go about copy/pasting a key from something that isn't a text file. When I open the Security Certificate, it tires to install itself, and nowhere inside the properties or anywhere do I see a text containing the key. Why it is this way, I have no idea.


  • LAYER 8 Global Moderator

    Yeah upon closer inspection they do state
    "Certificate data: (you can get this certificate by downloading our CA and TLS files from here: "

    But they never show you were to use said certs..

    "Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);"

    Which my guess is that is from the dns unbound configuration they have you do...

    Stick by my opening comments ;)

    edit: They are just going to be pem files - open them with your fav text editor... But agree - they should have clear cut instructions!

    crt.png

    There should be clear instructions on how to import those into the pfsense cert manager.

    edit: I think we should be able to send them a bill for how many of their customers end up here...


  • LAYER 8 Rebel Alliance

    Install Notepad++ (it's free) and just right-click open it.

    open_cert1.png

    open_cert2.png

    -Rico


  • LAYER 8 Rebel Alliance

    BTW: Watching this great hangout done by jimp should be helpful for you: https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

    -Rico



  • @johnpoz @NogBadTheBad @Rico

    74fa23c9-8707-4889-be55-eb3a5cbaa3b8-image.png

    OMG, why do they take something that simple and obfuscate it?

    And why can't the tech guy figure this out. I mean I shared with him all the same information I shared here, and he said "It's fine".

    Anyway, /RantOff

    Thank you so much for the help, you fixed in a few posts what I spent hours yesterday with tech support trying to do.


  • LAYER 8 Global Moderator

    @HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

    you fixed in a few posts what I spent hours yesterday with tech support trying to do.

    I stick with my original comment ;)

    Why anyone gives them money I have no idea...



  • @HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

    @johnpoz @NogBadTheBad @Rico

    74fa23c9-8707-4889-be55-eb3a5cbaa3b8-image.png

    OMG, why do they take something that simple and obfuscate it?

    And why can't the tech guy figure this out. I mean I shared with him all the same information I shared here, and he said "It's fine".

    Anyway, /RantOff

    Thank you so much for the help, you fixed in a few posts what I spent hours yesterday with tech support trying to do.

    Not really sure why their Tech people couldn't sort it, it is documented:-

    https://support.nordvpn.com/1089079142



  • @johnpoz

    Who would you recommend for a VPN provider then?



  • Update: NordVPN did finally get back to me with a support email. I tired out their solution, and it worked as well as the solution posted here.

    So, in all better than ExpressVPN, as at least they know what pfsense is and how to support it, even if their chat helper wasn't that helpful, someone there at least knew how to fix my problem, even if it took 24 hours or so.


  • LAYER 8 Global Moderator

    @HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

    and it worked as well as the solution posted here.

    And what was their solution?

    I wouldn't recommend a "vpn"... Its just snake oil you sell to the suckers... If you want to circumvent some geo restriction thats your own business... That is not security.. And its not privacy... If you you believe your isp is spying on you, or manipulating your traffic - 1st thing would be to change isp... But you could always just fire up a vps somewhere for a fraction of the cost of these vpn services and tunnel your traffic there, etc. etc.



  • @johnpoz

    Thank you for contacting us via live chat.

    Based on the screenshot, it seems that the CA certificate you used is incorrect/outdated. We started to use the same TLS key and CA cert for all of our servers as opposed to using different ones for each server. Perhaps our tutorial needs to be updated as well.

    Please go to the System / Certificate Manager / CAs and press Edit on the certificate you imported.

    Change the Certificate data field with this certificate instead:

    -----BEGIN CERTIFICATE-----

    Lots of certificate numbers in here, deleted so as not to spam the crap out of this reply.

    -----END CERTIFICATE-----

    After that, save and apply the settings and check if the issue persists.

    Let us know how it goes.


  • LAYER 8 Global Moderator

    So he made no mention of the client cert? The CA cert is given right on that page, along with the tls.



  • Looks like they have updated the OpenVPN files to use the same certs but not the pfsense documentation:-

    https://nordvpn.com/ovpn/



  • @NogBadTheBad said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

    Think the following needs to be used:-

    -----BEGIN CERTIFICATE-----
    MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
    MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
    MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
    BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
    hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
    kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
    XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
    eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
    skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
    MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
    37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
    hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
    Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
    WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
    MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
    LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
    SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
    nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
    k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
    DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
    pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
    k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
    +RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
    NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
    wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
    VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
    PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
    -----END CERTIFICATE-----
    
    -----BEGIN OpenVPN Static key V1-----
    e685bdaf659a25a200e2b9e39e51ff03
    0fc72cf1ce07232bd8b2be5e6c670143
    f51e937e670eee09d4f2ea5a6e4e6996
    5db852c275351b86fc4ca892d78ae002
    d6f70d029bd79c4d1c26cf14e9588033
    cf639f8a74809f29f72b9d58f9b8f5fe
    fc7938eade40e9fed6cb92184abb2cc1
    0eb1a296df243b251df0643d53724cdb
    5a92a1d6cb817804c4a9319b57d53be5
    80815bcfcb2df55018cc83fc43bc7ff8
    2d51f9b88364776ee9d12fc85cc7ea5b
    9741c4f598c485316db066d52db4540e
    212e1518a9bd4828219e24b20d88f598
    a196c9de96012090e333519ae18d3509
    9427e7b372d348d352dc4c85e18cd4b9
    3f8a56ddb2e64eb67adfc9b337157ff4
    -----END OpenVPN Static key V1-----
    


  • Yup the above is correct, I now have 1 CA and 3 different OpenVPN connections.

    Screenshot 2019-06-05 at 22.14.00.png

    Screenshot 2019-06-05 at 22.13.27.png



  • Ok, so I may be straying now into "start a new topic" territory, but I can't see any of the other computers on my network. Is this something to do with routing, and I just need to read more of the manual and figure out how to configure pfsense to do what I want?

    I have a server, my workstation (over ethernet) and my laptop via wifi that I'd like to communicate with each-other. Mainly I want to file share off the server, so I can just quickly jump from working on my workstation to my laptop seamlessly, while keeping files stored in RAID on the server.



  • @HardRooster

    Don't pull routes.

    Screenshot 2019-06-05 at 22.34.22.png



  • @NogBadTheBad

    Excellent! That did it, thank you.


Log in to reply