[Solved] OpenVPN Issues with SlickVPN
-
Hi All,
This is more of a PSA since I've been struggling to get OpenVPN working with SlickVPN (my VPN provider) for the last few days.
The general tutorials out there are still valid, although they use an older version of pfSense (<2.4.4). For SlickVPN, the critical part is to make sure compression is setup right.
Tunnel Settings > Compression: Omit Preference (Use OpenVPN Default).
I was using "No LZO Compression" before, which was wrong.

Other settings I have that differ from the PIA config settings:

Custom Options:
keepalive 10 120;
remote-cert-tls server;
redirect-gateway;
link-mtu 1557;

Cryptographic Settings:
Encryption Algorithm: AES-256-CBC
NCP Algorithms: AES-256-CBC

CA Cert:
https://www.slickvpn.com/tutorials/using-openvpn-with-ubuntu-mint-network-manager/
Once the connection is established, you shouldn't see anything after
Sep 17 02:02:03 pfSense openvpn[63732]: Initialization Sequence Completed
in the OpenVPN logs.

During my troubleshooting, I was getting various errors like these after "Initialization Sequence Completed":
- Bad LZO decompression header byte: 42
- event_wait : Interrupted system call (code=4)
- MANAGEMENT: Client disconnected
- TCP/UDP: Closing socket
- TLS Error: TLS handshake failed
- Authenticate/Decrypt packet error: packet HMAC authentication failed
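The rule in the post above (nothing should follow "Initialization Sequence Completed" in a healthy session) can be checked mechanically. The following is an added example, not code from this thread, from pfSense or from SlickVPN: it parses OpenVPN log lines in the format quoted above and reports any of the listed error messages that appear after the most recent successful initialisation. The sample log lines, timestamps and PID are constructed, and the "likely cause" labels are a general reading of those OpenVPN messages rather than anything the post states.

```python
import re
from typing import List, Tuple

# Constructed sample log, modelled on the pfSense OpenVPN log line quoted in the
# post; the timestamps, PID and peer address are made up for this example.
SAMPLE_LOG = """\
Sep 17 02:02:03 pfSense openvpn[63732]: TLS: Initial packet from [AF_INET]203.0.113.10:1194
Sep 17 02:02:03 pfSense openvpn[63732]: Initialization Sequence Completed
Sep 17 02:02:15 pfSense openvpn[63732]: Bad LZO decompression header byte: 42
Sep 17 02:02:20 pfSense openvpn[63732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 17 02:02:21 pfSense openvpn[63732]: event_wait : Interrupted system call (code=4)
Sep 17 02:02:21 pfSense openvpn[63732]: TCP/UDP: Closing socket
"""

INIT_DONE = "Initialization Sequence Completed"

# Error substrings quoted in the post, mapped to the misconfiguration each most
# commonly indicates. The LZO entry is the one the post itself resolved by
# changing the compression setting; the rest are general OpenVPN experience.
KNOWN_ERRORS = {
    "Bad LZO decompression header byte": "compression setting does not match the server",
    "packet HMAC authentication failed": "cipher, auth digest or tls-auth key mismatch",
    "TLS Error: TLS handshake failed": "handshake never completed (certificate, key or connectivity)",
    "event_wait : Interrupted system call": "process was signalled, usually a restart after an error",
    "MANAGEMENT: Client disconnected": "tunnel torn down",
    "TCP/UDP: Closing socket": "tunnel torn down",
}

# "Sep 17 02:02:03 pfSense openvpn[63732]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def find_post_init_errors(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, message, likely cause) for every known error that
    appears after the most recent 'Initialization Sequence Completed' line.

    Errors logged before a successful initialisation are ignored: they are
    expected while a client is still negotiating. A later re-initialisation
    starts a fresh window, so only the current session is reported.
    """
    initialised = False
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn line in the expected format
        msg = m.group("msg")
        if INIT_DONE in msg:
            initialised = True
            findings = []  # new session: discard anything from the previous one
            continue
        if not initialised:
            continue
        for needle, cause in KNOWN_ERRORS.items():
            if needle in msg:
                findings.append((m.group("ts"), msg, cause))
                break
    return findings


def session_is_clean(log_text: str) -> bool:
    """True when a session initialised and no known error followed it."""
    return INIT_DONE in log_text and not find_post_init_errors(log_text)


if __name__ == "__main__":
    for ts, msg, cause in find_post_init_errors(SAMPLE_LOG):
        print(f"{ts}  {msg}\n    likely cause: {cause}")
    print("clean session:", session_is_clean(SAMPLE_LOG))
```

Feed it the OpenVPN log from Status > System Logs > OpenVPN; an empty result for a session that did initialise is the state the post describes as correct.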
-
-
Sorry to resurrect this thread, but can you share the actual config page for this? I keep getting TLS handshake failed, no matter what I do. Any help is greatly appreciated!
-
I'm on 2.5 (upgraded from a working 2.4.5p1). I imported both their CA and the client certificate and set
Data Encryption Algorithms to:
Encryption Algorithm: AES-256-CBC
NCP Algorithms: AES-256-CBC
The Fallback Data Encryption Algorithm to:
AES-256-CBC
Auth digest algorithm to:
SHA1 (160-bit)
Allow compression:
Decompress incoming, do not compress outgoing (Asymmetric)
Compression:
Disable Compression [Omit Preference]
Topology:
net30 - Isolated /30 network per client
Ping settings set to:
Inactive:
0
Ping method:
keepalive
Interval:
15
Timeout:
120
Custom options:
remote-cert-tls server;
I do have my default gateway set to my ISP, and I set rules for the packets I want routed via the tunnel. I also tag the packets and added a floating rule looking for those tagged packets in case the tunnel is down, and drop them, since I want VPN traffic out the tunnel only and never routed via the default gateway.