NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support

HardRooster

A few days ago I got a little pfsense box I built up and running and it's been working great. Though I haven't had much chance to dive into it as I'm stuck on trying to get a VPN up and running.

I currently have a subscription for ExpressVPN expiring in a few days, but after chatting with their tech support a few times, including their complete unfamiliarity with pfsense, and admitting that their online guide was written by a customer and they have no idea how to help me, I went looking for another provider.

So I signed up for NordVPN yesterday because it looked like they had a great step by step guide, written for the latest version of pfsense here.

So I followed the guide, and there were three areas along the way where the output in the guide was not the same as my output. I took screenshots of these discrepancies which I'll go over in a minute.

But in any event, I contacted NordVPN through their chat help and spent a couple hours with someone who tried in vein to figure out my problem, and in fact managed to invent a new problem that didn't seem to be there before. After I had set it up, I just had server status is "down", but after he had me input a different tls key, I've been getting the "reconnecting-tls-error" message ever since, and we spent most of the time on that chat trying to fix what he broke. We never improved the situation.

So that brings me here, to see if anyone here can help me get this setup running. I tried at first to look at the pfsense documentation here, but I get lost at the table of contents. I don't know what "Configuring a Site-to-Site PKI (SSL) OpenVPN Instance" means, or any of the rest of it, I'm the kind of guy who needs a bit more hand holding.

So in any event, you know the error I'm having, here are the steps along the way that weren't what I was expecting.

There is this point in the guide under part 3, VPN > OpenVPN > Clients +Add where I'm to set the Client Certificate, and I should see this;

But what I got was this, with no option for webConfigurator default. I'm not sure why it would expect to find anything here, since nowhere in the guide did we create a certificate, which is something I did create when trying to set up ExpressVPN (which I also didn't get working) The NordVPN tech told me this was fine and to ignore it.

During step 7 of the guide, a similar situation arises where I am to set the SSL/TLS Certificate and I'm supposed to see this;

Instead I see this;

If I click on the "Create or Import" a certificate link, I'm directed to the Certificates section, where again I've not been directed to create a certificate. The NordVPN tech was unsure about whether or not this was a problem, and we never resolved it.

The last thing was an error I got doing step 8;

Error* "Harden DNSSEC Data option can only be enabled if DNSSEC support is enabled"

At the end of the Chat with the NordVPN tech, I was to be forwarded to another level of tech support help, who would contact me via email. However, almost 24 hours later I've not even gotten an acknowledgement that I exist, outside of the marketing spam I received this morning.

So anyway here I am, noob looking for some help.

johnpoz

What idiot put that guide together... OMG!! No you would NOT be using your web gui self signed cert as your client cert... They should of provided you with 1!! In your download configuration files... Which you would import into the cert manger of pfsense just like you did with the CA cert in the first part of the guide.

If they are just going to have you use username and password to auth, the the client cert should be set to NONE!!

HardRooster

@johnpoz

I was kind of provided with one, I think. But it wasn't in a text file. When I clicked on it, it was trying to install itself, and I really didn't know what to do with it, as it's not explained in the guide, so I ignored it. The only thing in a text file was the tls-key, which is different from the tls key on the guide. Using the tls key on the guide gave me "down" status. using the tls key from the file, which was the same key the tech gave me, results in "reconnecting-tls-error"

So I did leave the certificate to none, because as I said, I never created a certificate...because the guide never tells you to. You create a CA, but no certificate. I kind of figured Step 2 in the guide would be to create the certificates you need, but instead it jumps right to making the client.

NogBadTheBad

@HardRooster They have a cert for each server.

https://downloads.nordcdn.com/configs/archives/certificates/servers.zip and now by the looks of things a single cert for all.

HardRooster

@NogBadTheBad

I'm not confused about this fact.

I've downloaded the server keys file, but what I see here are file types that are not text files. So I don't know how I would go about copy/pasting a key from something that isn't a text file. When I open the Security Certificate, it tires to install itself, and nowhere inside the properties or anywhere do I see a text containing the key. Why it is this way, I have no idea.

johnpoz

Yeah upon closer inspection they do state
"Certificate data: (you can get this certificate by downloading our CA and TLS files from here: "

But they never show you were to use said certs..

"Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);"

Which my guess is that is from the dns unbound configuration they have you do...

Stick by my opening comments ;)

edit: They are just going to be pem files - open them with your fav text editor... But agree - they should have clear cut instructions!

There should be clear instructions on how to import those into the pfsense cert manager.

edit: I think we should be able to send them a bill for how many of their customers end up here...

Rico

Install Notepad++ (it's free) and just right-click open it.

-Rico

Rico

BTW: Watching this great hangout done by jimp should be helpful for you: https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

-Rico

HardRooster

@johnpoz @NogBadTheBad @Rico

OMG, why do they take something that simple and obfuscate it?

And why can't the tech guy figure this out. I mean I shared with him all the same information I shared here, and he said "It's fine".

Anyway, /RantOff

Thank you so much for the help, you fixed in a few posts what I spent hours yesterday with tech support trying to do.

johnpoz

@HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

you fixed in a few posts what I spent hours yesterday with tech support trying to do.

I stick with my original comment ;)

Why anyone gives them money I have no idea...

NogBadTheBad

@HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

@johnpoz @NogBadTheBad @Rico

OMG, why do they take something that simple and obfuscate it?

And why can't the tech guy figure this out. I mean I shared with him all the same information I shared here, and he said "It's fine".

Anyway, /RantOff

Thank you so much for the help, you fixed in a few posts what I spent hours yesterday with tech support trying to do.

Not really sure why their Tech people couldn't sort it, it is documented:-

https://support.nordvpn.com/1089079142

HardRooster

@johnpoz

Who would you recommend for a VPN provider then?

HardRooster

Update: NordVPN did finally get back to me with a support email. I tired out their solution, and it worked as well as the solution posted here.

So, in all better than ExpressVPN, as at least they know what pfsense is and how to support it, even if their chat helper wasn't that helpful, someone there at least knew how to fix my problem, even if it took 24 hours or so.

johnpoz

@HardRooster said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

and it worked as well as the solution posted here.

And what was their solution?

I wouldn't recommend a "vpn"... Its just snake oil you sell to the suckers... If you want to circumvent some geo restriction thats your own business... That is not security.. And its not privacy... If you you believe your isp is spying on you, or manipulating your traffic - 1st thing would be to change isp... But you could always just fire up a vps somewhere for a fraction of the cost of these vpn services and tunnel your traffic there, etc. etc.

HardRooster

@johnpoz

Thank you for contacting us via live chat.

Based on the screenshot, it seems that the CA certificate you used is incorrect/outdated. We started to use the same TLS key and CA cert for all of our servers as opposed to using different ones for each server. Perhaps our tutorial needs to be updated as well.

Please go to the System / Certificate Manager / CAs and press Edit on the certificate you imported.

Change the Certificate data field with this certificate instead:

-----BEGIN CERTIFICATE-----

Lots of certificate numbers in here, deleted so as not to spam the crap out of this reply.

-----END CERTIFICATE-----

After that, save and apply the settings and check if the issue persists.

Let us know how it goes.

johnpoz

So he made no mention of the client cert? The CA cert is given right on that page, along with the tls.

NogBadTheBad

Looks like they have updated the OpenVPN files to use the same certs but not the pfsense documentation:-

https://nordvpn.com/ovpn/

NogBadTheBad

@NogBadTheBad said in NordVPN status is "down" and/or "reconnecting-tls-error" after following online guide/chat tech support:

Think the following needs to be used:-

-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----

NogBadTheBad

Yup the above is correct, I now have 1 CA and 3 different OpenVPN connections.

Screenshot 2019-06-05 at 22.14.00.png

Screenshot 2019-06-05 at 22.13.27.png

HardRooster

Ok, so I may be straying now into "start a new topic" territory, but I can't see any of the other computers on my network. Is this something to do with routing, and I just need to read more of the manual and figure out how to configure pfsense to do what I want?

I have a server, my workstation (over ethernet) and my laptop via wifi that I'd like to communicate with each-other. Mainly I want to file share off the server, so I can just quickly jump from working on my workstation to my laptop seamlessly, while keeping files stored in RAID on the server.