CyberGhost openvpn config files for client get mangled by pfdense web
-
Also if there are errors while connecting your client config, post the errors and the config of cyberghost, then we can help you :)
-
Nothing wrong with hacking for fun. :) But, seriously, I didn't really spend much time in /var/etc/openvpn except to understand what was happening. I've posted the two config files, but I cannot for the life of me get PfSense to create something that works. I change one thing I get one error. I change another, I get another error.
-
@obitori said in CyberGhost openvpn config files for client get mangled by pfdense web:
I change one thing I get one error. I change another, I get another error.
Errors only known to you.......
-
@obitori said in CyberGhost openvpn config files for client get mangled by pfdense web:
Nothing wrong with hacking for fun. :)
Sure, but your hacking is disturbing/interrupting core functionality of your firewall (OpenVPN functionality). If you randomly delete directories or files that pfSense created, it's no wonder if you have problems afterwards.
@obitori said in CyberGhost openvpn config files for client get mangled by pfdense web:
I change one thing I get one error. I change another, I get another error.
Then POST those damn errors! How are we to know without a crystal ball what your hacking got you as a result? How do you suppose we should help you if we don't even know what is wrong?
-
I posted them this morning. Unfortunately, Akismet flagged my post as spam and it took me over an hour to figure out what was causing the problem.
Last 50 OpenVPN Log Entries. (Maximum 50)
Sep 22 10:05:09 openvpn 33422 MANAGEMENT: CMD 'state 1'
Sep 22 10:05:09 openvpn 33422 MANAGEMENT: Client disconnected
Sep 22 10:05:49 openvpn 33422 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 10:05:49 openvpn 33422 MANAGEMENT: CMD 'state 1'
Sep 22 10:05:49 openvpn 33422 MANAGEMENT: Client disconnected
Sep 22 10:06:02 openvpn 33422 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 10:06:02 openvpn 33422 Re-using SSL/TLS context
Sep 22 10:06:02 openvpn 33422 LZO compression initializing
Sep 22 10:06:02 openvpn 33422 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 10:06:02 openvpn 33422 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sep 22 10:06:02 openvpn 33422 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sep 22 10:06:02 openvpn 33422 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 10:06:02 openvpn 33422 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 22 10:06:02 openvpn 33422 TCP/UDP: Preserving recently used remote address: [AF_INET]23.19.68.54:1194
Sep 22 10:06:02 openvpn 33422 Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 22 10:06:02 openvpn 33422 UDPv4 link local (bound): [AF_INET]70.110.22.110:0
Sep 22 10:06:02 openvpn 33422 UDPv4 link remote: [AF_INET]23.19.68.54:1194
Sep 22 10:06:02 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:04 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:08 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:16 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:32 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]23.19.68.54:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:07:02 openvpn 33422 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 10:07:02 openvpn 33422 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 10:07:02 openvpn 33422 TCP/UDP: Closing socket
Sep 22 10:07:02 openvpn 33422 SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 10:07:02 openvpn 33422 Restart pause, 80 second(s)
Sep 22 10:07:02 openvpn 33422 MANAGEMENT: CMD 'state 1'
Sep 22 10:07:02 openvpn 33422 MANAGEMENT: Client disconnected
Sep 22 10:08:22 openvpn 33422 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 10:08:22 openvpn 33422 Re-using SSL/TLS context
Sep 22 10:08:22 openvpn 33422 LZO compression initializing
Sep 22 10:08:22 openvpn 33422 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 10:08:22 openvpn 33422 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sep 22 10:08:22 openvpn 33422 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sep 22 10:08:22 openvpn 33422 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 10:08:22 openvpn 33422 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 22 10:08:22 openvpn 33422 TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.254.120:1194
Sep 22 10:08:22 openvpn 33422 Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 22 10:08:22 openvpn 33422 UDPv4 link local (bound): [AF_INET]70.110.22.110:0
Sep 22 10:08:22 openvpn 33422 UDPv4 link remote: [AF_INET]193.37.254.120:1194
Sep 22 10:08:22 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:08:24 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:08:28 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:08:36 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:08:52 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]193.37.254.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:09:22 openvpn 33422 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 10:09:22 openvpn 33422 TCP/UDP: Closing socket
Sep 22 10:09:22 openvpn 33422 SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 10:09:22 openvpn 33422 Restart pause, 80 second(s)
If you want more logs, please let me know. Thank you for your help.
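The pattern in logs like the ones above (HARD_RESET packets written, nothing read back, then a ping-restart) can be checked mechanically. The following is an added example, not code from this thread, pfSense or OpenVPN; it parses both log layouts that appear in the thread (the GUI log view and the syslog form) and, per connection attempt, counts handshake packets sent against replies received. The sample log is constructed and uses documentation addresses.

```python
"""Summarise OpenVPN client connection attempts from pfSense logs.
Added example, not pfSense or OpenVPN code. Handles both layouts seen in
the thread: 'Sep 22 10:06:02 openvpn 33422 MSG' (GUI log view) and
'Sep 22 20:15:10 aquaduct openvpn[60033]: MSG' (syslog)."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:\S+ )?openvpn(?:\[\d+\]:| \d+) (?P<msg>.*)$")
REMOTE_RE = re.compile(r"UDPv4 link remote: \[AF_INET\](\S+)")


@dataclass
class Attempt:
    remote: str           # ip:port the client sent to
    started: str          # timestamp of the 'link remote' line
    hard_resets: int = 0  # P_CONTROL_HARD_RESET_CLIENT_V2 packets written
    replies: int = 0      # any UDPv4 READ from the peer
    outcome: str = "in progress"


def analyze(log_text):
    """Split the log into attempts (one per 'UDPv4 link remote' line) and
    count what went out and what came back for each of them."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        r = REMOTE_RE.search(msg)
        if r:
            current = Attempt(remote=r.group(1), started=ts)
            attempts.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("UDPv4 WRITE") and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            current.hard_resets += 1
        elif msg.startswith("UDPv4 READ"):
            current.replies += 1
        elif "Initialization Sequence Completed" in msg:
            current.outcome = "connected"
        elif "Inactivity timeout (--ping-restart)" in msg:
            current.outcome = "ping-restart"
            current = None
    return attempts


def diagnose(a):
    """One-line reading of an attempt for troubleshooting."""
    if a.outcome == "connected":
        return "ok"
    if a.replies == 0:
        return (f"no reply from {a.remote} ({a.hard_resets} HARD_RESET sent, "
                f"{a.outcome}): the server never answered, so check port, "
                "protocol and the outbound path before cipher or auth settings")
    return (f"{a.remote} answered but the session ended with {a.outcome}: "
            "look for TLS or auth errors")


# Constructed sample in both layouts, with documentation addresses.
SAMPLE_LOG = """\
Sep 22 10:06:02 openvpn 33422 UDPv4 link local (bound): [AF_INET]192.0.2.10:0
Sep 22 10:06:02 openvpn 33422 UDPv4 link remote: [AF_INET]203.0.113.5:1194
Sep 22 10:06:02 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]203.0.113.5:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:06:04 openvpn 33422 UDPv4 WRITE [14] to [AF_INET]203.0.113.5:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 10:07:02 openvpn 33422 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 10:07:02 openvpn 33422 Restart pause, 80 second(s)
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link remote: [AF_INET]203.0.113.6:443
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]203.0.113.6:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 READ [54] from [AF_INET]203.0.113.6:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=1 DATA len=0
Sep 22 20:15:12 aquaduct openvpn[60033]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    for attempt in analyze(SAMPLE_LOG):
        print(attempt.started, attempt.remote, diagnose(attempt))
```

Note that WRITE/READ lines only appear at verbosity 6 and above; at verbosity 3 an attempt will show zero of both.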
-
From what configuration are these logs? What did you set up in the GUI exactly? After you posted about deleting directories, overwriting configs etc., I'm not sure what you are running and where you set it up. So why not start from scratch: delete all, create a fresh new client and try setting it up with the values at hand (from your config on top):
- Peer to peer, TLS
- UDP on v4
- tun
- <your WAN interface>
- server host: 10-1-us.cg-dialup.net
- server port 443 (that is real strange - udp/443 isn't something normally used but maybe CG does it)
- no proxy settings
- <your description>
- <username>
- <password>
- [ ] do not retry
- disable TLS key usage -> [ ] use a TLS key
- peer CA: import the ca.crt from CG
- peer CRL -> none
- client cert: import the client.crt and the client.key
- encryption: AES-256-CBC
- disable NCP (CG config doesn't include it)
- Auth digest: SHA256
- leave tunnel network blank (none given in the config)
- leave remote network
- compression: omit preference (as the CG file has comp-lzo -> that's not that nice because of VORACLE)
- topology net30 (I assume from your screenshot when dialed in (.62 -> .61) that they still use net30)
- leave the rest
- set gw creation to v4 only
- verbosity level 3
try that one and test/log
-
Also as I just saw that:
https://forum.netgate.com/topic/146714/tunneled-isp-cheat-sheet
have a look at the zoomed in graphic as it shows, which settings come from what UI / custom selection box. But not every setting you see in some companies OVPN config you have to recreate as some are simple default OVPN stuff. So try with a minimum and work your way up. :)
Also the config shown in the linux shell above has its default gw set to the OVPN endpoint. I'm not sure you actually want to do that. So keep the option "don't pull routes" in mind.
-
@JeGr
Thanks... I was thinking pretty much the same thing. I deleted the VPN config and restarted. I was not able to get any further, but I will delete it again and retry with your suggested settings. I was able to figure out a few things. pfSense wants the local, not the nobind setting, so I dropped that and the ping settings (which kick up another error). I also clicked on the don't add routes option. That's been reported for other VPNs to cause problems. I will give your link a look and try again...
Thanks,
obitori
-
So, I tried exactly your posted values. Again, I had to remove the ping statements from the advanced config settings pasted into the pfsense web page. They conflict with --keepalive.
Sep 22 22:18:10 aquaduct openvpn[83949]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.
Next, the logs complained that --local and --nobind were in conflict. It appears that --local is a non-optional setting in pfSense, so I had no choice but to remove --nobind from the list of advanced configs.
Sep 22 22:21:01 aquaduct openvpn[53522]: Options error: --local and --nobind don't make sense when used together
That left me with:
resolv-retry infinite redirect-gateway def1 persist-key persist-tun explicit-exit-notify 2 script-security 2 remote-cert-tls server route-delay 5 tun-mtu 1500 fragment 1300 mssfix 1200
I tried clicking on "Don't pull routes" and when that did not work, added "Don't add or remove routes automatically". I turned the latter off after trying once. The variations on routes don't seem to change anything.
Here are my recent logs:
Sep 22 20:14:59 aquaduct openvpn[15203]: SIGTERM received, sending exit notification to peer
Sep 22 20:15:01 aquaduct openvpn[15203]: TCP/UDP: Closing socket
Sep 22 20:15:01 aquaduct openvpn[15203]: SIGTERM[soft,exit-with-notification] received, process exiting
Sep 22 20:15:10 aquaduct openvpn[59750]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Sep 22 20:15:10 aquaduct openvpn[59750]: Current Parameter Settings:
Sep 22 20:15:10 aquaduct openvpn[59750]: config = '/var/etc/openvpn/client1.conf'
Sep 22 20:15:10 aquaduct openvpn[59750]: mode = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: show_ciphers = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: show_digests = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: show_engines = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: genkey = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: key_pass_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: show_tls_ciphers = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: connect_retry_max = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: Connection profiles [0]:
Sep 22 20:15:10 aquaduct openvpn[59750]: proto = udp4
Sep 22 20:15:10 aquaduct openvpn[59750]: local = '70.110.22.110'
Sep 22 20:15:10 aquaduct openvpn[59750]: local_port = '0'
Sep 22 20:15:10 aquaduct openvpn[59750]: remote = '10-1-us.cg-dialup.net'
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_port = '1194'
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_float = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: bind_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: bind_local = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: bind_ipv6_only = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: connect_retry_seconds = 5
Sep 22 20:15:10 aquaduct openvpn[59750]: connect_timeout = 120
Sep 22 20:15:10 aquaduct openvpn[59750]: socks_proxy_server = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: socks_proxy_port = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: tun_mtu = 1500
Sep 22 20:15:10 aquaduct openvpn[59750]: tun_mtu_defined = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: link_mtu = 1500
Sep 22 20:15:10 aquaduct openvpn[59750]: link_mtu_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tun_mtu_extra = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: tun_mtu_extra_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: mtu_discover_type = -1
Sep 22 20:15:10 aquaduct openvpn[59750]: fragment = 1300
Sep 22 20:15:10 aquaduct openvpn[59750]: mssfix = 1200
Sep 22 20:15:10 aquaduct openvpn[59750]: explicit_exit_notification = 2
Sep 22 20:15:10 aquaduct openvpn[59750]: Connection profiles END
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_random = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ipchange = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: dev = 'ovpnc1'
Sep 22 20:15:10 aquaduct openvpn[59750]: dev_type = 'tun'
Sep 22 20:15:10 aquaduct openvpn[59750]: dev_node = '/dev/tun1'
Sep 22 20:15:10 aquaduct openvpn[59750]: lladdr = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: topology = 1
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_local = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_remote_netmask = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_noexec = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_nowarn = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_local = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_netbits = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_remote = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: shaper = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: mtu_test = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: mlock = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: keepalive_ping = 10
Sep 22 20:15:10 aquaduct openvpn[59750]: keepalive_timeout = 60
Sep 22 20:15:10 aquaduct openvpn[59750]: inactivity_timeout = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: ping_send_timeout = 10
Sep 22 20:15:10 aquaduct openvpn[59750]: ping_rec_timeout = 60
Sep 22 20:15:10 aquaduct openvpn[59750]: ping_rec_timeout_action = 2
Sep 22 20:15:10 aquaduct openvpn[59750]: ping_timer_remote = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: remap_sigusr1 = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: persist_tun = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: persist_local_ip = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: persist_remote_ip = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: persist_key = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: passtos = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: resolve_retry_seconds = 1000000000
Sep 22 20:15:10 aquaduct openvpn[59750]: resolve_in_advance = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: username = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: groupname = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: chroot_dir = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: cd_dir = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: writepid = '/var/run/openvpn_client1.pid'
Sep 22 20:15:10 aquaduct openvpn[59750]: up_script = '/usr/local/sbin/ovpn-linkup'
Sep 22 20:15:10 aquaduct openvpn[59750]: down_script = '/usr/local/sbin/ovpn-linkdown'
Sep 22 20:15:10 aquaduct openvpn[59750]: down_pre = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: up_restart = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: up_delay = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: daemon = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: inetd = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: log = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: suppress_timestamps = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: machine_readable_output = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: nice = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: verbosity = 6
Sep 22 20:15:10 aquaduct openvpn[59750]: mute = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: gremlin = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: status_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: status_file_version = 1
Sep 22 20:15:10 aquaduct openvpn[59750]: status_file_update_freq = 60
Sep 22 20:15:10 aquaduct openvpn[59750]: occ = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: rcvbuf = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: sndbuf = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: sockflags = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: fast_io = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: comp.alg = 2
Sep 22 20:15:10 aquaduct openvpn[59750]: comp.flags = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: route_script = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: route_default_gateway = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: route_default_metric = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: route_noexec = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: route_delay = 5
Sep 22 20:15:10 aquaduct openvpn[59750]: route_delay_window = 30
Sep 22 20:15:10 aquaduct openvpn[59750]: route_delay_defined = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: route_nopull = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: route_gateway_via_dhcp = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: allow_pull_fqdn = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: [redirect_default_gateway local=0]
Sep 22 20:15:10 aquaduct openvpn[59750]: management_addr = '/var/etc/openvpn/client1.sock'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_port = 'unix'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_user_pass = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_log_history_cache = 250
Sep 22 20:15:10 aquaduct openvpn[59750]: management_echo_buffer_size = 100
Sep 22 20:15:10 aquaduct openvpn[59750]: management_write_peer_info_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_client_user = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_client_group = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: management_flags = 256
Sep 22 20:15:10 aquaduct openvpn[59750]: shared_secret_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: key_direction = not set
Sep 22 20:15:10 aquaduct openvpn[59750]: ciphername = 'AES-256-CBC'
Sep 22 20:15:10 aquaduct openvpn[59750]: ncp_enabled = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sep 22 20:15:10 aquaduct openvpn[59750]: authname = 'SHA256'
Sep 22 20:15:10 aquaduct openvpn[59750]: prng_hash = 'SHA1'
Sep 22 20:15:10 aquaduct openvpn[59750]: prng_nonce_secret_len = 16
Sep 22 20:15:10 aquaduct openvpn[59750]: keysize = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: engine = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: replay = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: mute_replay_warnings = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: replay_window = 64
Sep 22 20:15:10 aquaduct openvpn[59750]: replay_time = 15
Sep 22 20:15:10 aquaduct openvpn[59750]: packet_id_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: use_iv = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: test_crypto = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_server = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_client = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: key_method = 2
Sep 22 20:15:10 aquaduct openvpn[59750]: ca_file = '/var/etc/openvpn/client1.ca'
Sep 22 20:15:10 aquaduct openvpn[59750]: ca_path = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: dh_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: cert_file = '/var/etc/openvpn/client1.cert'
Sep 22 20:15:10 aquaduct openvpn[59750]: extra_certs_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: priv_key_file = '/var/etc/openvpn/client1.key'
Sep 22 20:15:10 aquaduct openvpn[59750]: pkcs12_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: cipher_list = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_cert_profile = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_verify = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_export_cert = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: verify_x509_type = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: verify_x509_name = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: crl_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ns_cert_type = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 65535
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_ku[i] = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: remote_cert_eku = 'TLS Web Server Authentication'
Sep 22 20:15:10 aquaduct openvpn[59750]: ssl_flags = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_timeout = 2
Sep 22 20:15:10 aquaduct openvpn[59750]: renegotiate_bytes = -1
Sep 22 20:15:10 aquaduct openvpn[59750]: renegotiate_packets = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: renegotiate_seconds = 3600
Sep 22 20:15:10 aquaduct openvpn[59750]: handshake_window = 60
Sep 22 20:15:10 aquaduct openvpn[59750]: transition_window = 3600
Sep 22 20:15:10 aquaduct openvpn[59750]: single_session = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: push_peer_info = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_exit = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_auth_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: tls_crypt_file = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: server_network = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_netmask = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_network_ipv6 = ::
Sep 22 20:15:10 aquaduct openvpn[59750]: server_netbits_ipv6 = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_bridge_ip = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_bridge_netmask = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_bridge_pool_start = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: server_bridge_pool_end = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_start = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_end = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_netmask = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_persist_filename = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_pool_persist_refresh_freq = 600
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_pool_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_pool_base = ::
Sep 22 20:15:10 aquaduct openvpn[59750]: ifconfig_ipv6_pool_netbits = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: n_bcast_buf = 256
Sep 22 20:15:10 aquaduct openvpn[59750]: tcp_queue_limit = 64
Sep 22 20:15:10 aquaduct openvpn[59750]: real_hash_size = 256
Sep 22 20:15:10 aquaduct openvpn[59750]: virtual_hash_size = 256
Sep 22 20:15:10 aquaduct openvpn[59750]: client_connect_script = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: learn_address_script = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: client_disconnect_script = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: client_config_dir = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: ccd_exclusive = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: tmp_dir = '/tmp'
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_local = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_remote_netmask = 0.0.0.0
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_ipv6_defined = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_ipv6_local = ::/0
Sep 22 20:15:10 aquaduct openvpn[59750]: push_ifconfig_ipv6_remote = ::
Sep 22 20:15:10 aquaduct openvpn[59750]: enable_c2c = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: duplicate_cn = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: cf_max = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: cf_per = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: max_clients = 1024
Sep 22 20:15:10 aquaduct openvpn[59750]: max_routes_per_client = 256
Sep 22 20:15:10 aquaduct openvpn[59750]: auth_user_pass_verify_script = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: auth_user_pass_verify_script_via_file = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: auth_token_generate = DISABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: auth_token_lifetime = 0
Sep 22 20:15:10 aquaduct openvpn[59750]: port_share_host = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: port_share_port = '[UNDEF]'
Sep 22 20:15:10 aquaduct openvpn[59750]: client = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: pull = ENABLED
Sep 22 20:15:10 aquaduct openvpn[59750]: auth_user_pass_file = '/var/etc/openvpn/client1.up'
Sep 22 20:15:10 aquaduct openvpn[59750]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Sep 22 20:15:10 aquaduct openvpn[59750]: library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Sep 22 20:15:10 aquaduct openvpn[60033]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Sep 22 20:15:10 aquaduct openvpn[60033]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 20:15:10 aquaduct openvpn[60033]: LZO compression initializing
Sep 22 20:15:10 aquaduct openvpn[60033]: Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 20:15:10 aquaduct openvpn[60033]: Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sep 22 20:15:10 aquaduct openvpn[60033]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sep 22 20:15:10 aquaduct openvpn[60033]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 20:15:10 aquaduct openvpn[60033]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 22 20:15:10 aquaduct openvpn[60033]: TCP/UDP: Preserving recently used remote address: [AF_INET]208.91.105.226:1194
Sep 22 20:15:10 aquaduct openvpn[60033]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link local (bound): [AF_INET]70.110.22.110:0
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 link remote: [AF_INET]208.91.105.226:1194
Sep 22 20:15:10 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:15:12 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: CMD 'state 1'
Sep 22 20:15:15 aquaduct openvpn[60033]: MANAGEMENT: Client disconnected
Sep 22 20:15:16 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:15:24 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:15:41 aquaduct openvpn[60033]: UDPv4 WRITE [14] to [AF_INET]208.91.105.226:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 20:16:11 aquaduct openvpn[60033]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 20:16:11 aquaduct openvpn[60033]: TCP/UDP: Closing socket
Sep 22 20:16:11 aquaduct openvpn[60033]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 20:16:11 aquaduct openvpn[60033]: Restart pause, 10 second(s)
Sep 22 20:16:21 aquaduct openvpn[60033]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 20:16:21 aquaduct openvpn[60033]: Re-using SSL/TLS context
Sep 22 20:16:21 aquaduct openvpn[60033]: LZO compression initializing
Sep 22 20:16:21 aquaduct openvpn[60033]: Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 20:16:21 aquaduct openvpn[60033]: Data Channel MTU par
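The two option errors quoted in this post are deterministic clashes between what pfSense writes itself (keepalive, local) and what gets pasted into the custom options box. The following is an added example, not pfSense's or OpenVPN's code: it merges both sources and reports those two clashes, the redirect-gateway/"Don't pull routes" contradiction raised later in the thread, and comp-lzo. The two sample config texts are constructed; the keepalive values are the ones the posted log shows.

```python
"""Lint a pfSense OpenVPN client config: GUI-generated directives plus the
pasted 'custom options'. Added example, not pfSense or OpenVPN code; the
sample texts below are constructed for illustration."""

# Each entry: (directives from one side, directives from the other side,
# message). The first two messages are the OpenVPN option errors quoted in
# the thread; the third is the logical clash JeGr pointed out.
CONFLICTS = [
    ({"keepalive"}, {"ping", "ping-exit", "ping-restart"},
     "--keepalive conflicts with --ping, --ping-exit, or --ping-restart"),
    ({"local"}, {"nobind"},
     "--local and --nobind don't make sense when used together"),
    ({"redirect-gateway"}, {"route-nopull"},
     "'Don't pull routes' (route-nopull) only ignores pushed routes; a local "
     "redirect-gateway still moves the default gateway into the tunnel"),
]
# Directives worth a warning on their own.
WARNINGS = {
    "comp-lzo": "compression enabled; VORACLE applies, prefer 'omit preference'",
}


def parse_directives(text):
    """Return {directive: [arg lists]} from OpenVPN-style config text.
    Comments and inline <ca>/<cert>/<key> blocks are skipped."""
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):        # end of an inline PEM block
            in_block = False
            continue
        if line.startswith("<"):         # start of an inline PEM block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_config(gui_generated, custom_options):
    """Merge what the GUI writes with the pasted custom options and return
    the list of problems found (an empty list means nothing to report)."""
    merged = parse_directives(gui_generated)
    for name, uses in parse_directives(custom_options).items():
        merged.setdefault(name, []).extend(uses)
    present = set(merged)
    problems = []
    for side_a, side_b, msg in CONFLICTS:
        hit_a = sorted(side_a & present)
        hit_b = sorted(side_b & present)
        if hit_a and hit_b:
            problems.append(f"{'/'.join(hit_a)} + {'/'.join(hit_b)}: {msg}")
    for name, msg in WARNINGS.items():
        if name in present:
            problems.append(f"{name}: {msg}")
    return problems


# Constructed stand-in for what pfSense writes to client1.conf with
# 'Don't pull routes' ticked (keepalive values taken from the posted log).
SAMPLE_GUI = """\
client
dev tun
proto udp4
local 192.0.2.10
keepalive 10 60
route-nopull
"""

# Constructed custom-options box: the provider's ping/nobind lines pasted in
# unchanged, plus some of the lines listed in the post above.
SAMPLE_CUSTOM = """\
ping 10
ping-restart 60
nobind
resolv-retry infinite
redirect-gateway def1
comp-lzo
remote-cert-tls server
"""

if __name__ == "__main__":
    for problem in check_config(SAMPLE_GUI, SAMPLE_CUSTOM):
        print(problem)
```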
-
Here is another try (logs):
Sep 22 22:52:26 openvpn 3946 auth_user_pass_verify_script_via_file = DISABLED
Sep 22 22:52:26 openvpn 3946 auth_token_generate = DISABLED
Sep 22 22:52:26 openvpn 3946 auth_token_lifetime = 0
Sep 22 22:52:26 openvpn 3946 port_share_host = '[UNDEF]'
Sep 22 22:52:26 openvpn 3946 port_share_port = '[UNDEF]'
Sep 22 22:52:26 openvpn 3946 client = ENABLED
Sep 22 22:52:26 openvpn 3946 pull = ENABLED
Sep 22 22:52:26 openvpn 3946 auth_user_pass_file = '/var/etc/openvpn/client1.up'
Sep 22 22:52:26 openvpn 3946 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Sep 22 22:52:26 openvpn 3946 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Sep 22 22:52:26 openvpn 3960 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Sep 22 22:52:26 openvpn 3960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 22:52:26 openvpn 3960 LZO compression initializing
Sep 22 22:52:26 openvpn 3960 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 22:52:26 openvpn 3960 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sep 22 22:52:26 openvpn 3960 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sep 22 22:52:26 openvpn 3960 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 22:52:26 openvpn 3960 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 22 22:52:26 openvpn 3960 TCP/UDP: Preserving recently used remote address: [AF_INET]207.244.84.139:1194
Sep 22 22:52:26 openvpn 3960 Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 22 22:52:26 openvpn 3960 UDPv4 link local (bound): [AF_INET]70.110.22.110:0
Sep 22 22:52:26 openvpn 3960 UDPv4 link remote: [AF_INET]207.244.84.139:1194
Sep 22 22:52:31 openvpn 3960 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 22:52:31 openvpn 3960 MANAGEMENT: CMD 'state 1'
Sep 22 22:52:31 openvpn 3960 MANAGEMENT: Client disconnected
Sep 22 22:52:36 openvpn 3960 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 22:52:36 openvpn 3960 MANAGEMENT: CMD 'state 1'
Sep 22 22:52:36 openvpn 3960 MANAGEMENT: Client disconnected
Sep 22 22:53:13 openvpn 3960 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 22:53:13 openvpn 3960 MANAGEMENT: CMD 'state 1'
Sep 22 22:53:13 openvpn 3960 MANAGEMENT: Client disconnected
Sep 22 22:53:26 openvpn 3960 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 22:53:26 openvpn 3960 TCP/UDP: Closing socket
Sep 22 22:53:26 openvpn 3960 SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 22:53:26 openvpn 3960 Restart pause, 10 second(s)
Sep 22 22:53:36 openvpn 3960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 22 22:53:36 openvpn 3960 Re-using SSL/TLS context
Sep 22 22:53:36 openvpn 3960 LZO compression initializing
Sep 22 22:53:36 openvpn 3960 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sep 22 22:53:36 openvpn 3960 Data Channel MTU parms [ L:1626 D:1200 EF:126 EB:407 ET:0 EL:3 ]
Sep 22 22:53:36 openvpn 3960 Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Sep 22 22:53:36 openvpn 3960 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 22:53:36 openvpn 3960 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 22 22:53:36 openvpn 3960 TCP/UDP: Preserving recently used remote address: [AF_INET]173.234.153.186:1194
Sep 22 22:53:36 openvpn 3960 Socket Buffers: R=[42080->42080] S=[57344->57344]
Sep 22 22:53:36 openvpn 3960 UDPv4 link local (bound): [AF_INET]70.110.22.110:0
Sep 22 22:53:36 openvpn 3960 UDPv4 link remote: [AF_INET]173.234.153.186:1194
Sep 22 22:53:49 openvpn 3960 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Sep 22 22:53:49 openvpn 3960 MANAGEMENT: CMD 'state 1'
Sep 22 22:53:49 openvpn 3960 MANAGEMENT: Client disconnected
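Added example (not from the original post or from pfSense): a small Python triage script for a pfSense OpenVPN client log of the shape posted above. The pattern worth recognising in that log is that the client keeps writing P_CONTROL_HARD_RESET_CLIENT_V2 and never logs a matching READ from the server, then hits the ping-restart inactivity timeout and rotates to the next server. That is a "nobody is answering on this port/protocol" signature, not a certificate or cipher problem, and the script reports it as such. It also flags comp-lzo in the Local Options String, since that is the compression setting later posts tie to VORACLE. The log lines inside the block are constructed in the same format; the IP addresses are documentation-range placeholders.

```python
"""Triage a pfSense OpenVPN *client* log: did the TLS handshake ever get a
reply, or did the client only time out and rotate servers?"""
import re

# Constructed sample in the pfSense log format seen in the thread
# (timestamp, process name, pid, message); addresses are placeholders.
FAILING_LOG = """\
Sep 22 22:52:26 openvpn 3960 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 22 22:52:26 openvpn 3960 UDPv4 link remote: [AF_INET]192.0.2.10:1194
Sep 22 22:52:26 openvpn 3960 UDPv4 WRITE [14] to [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 22:52:28 openvpn 3960 UDPv4 WRITE [14] to [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 22:53:26 openvpn 3960 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 22 22:53:26 openvpn 3960 SIGUSR1[soft,ping-restart] received, process restarting
Sep 22 22:53:36 openvpn 3960 UDPv4 link remote: [AF_INET]198.51.100.7:1194
Sep 22 22:53:36 openvpn 3960 UDPv4 WRITE [14] to [AF_INET]198.51.100.7:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
"""

# Constructed healthy counterpart: the server answers the first reset.
HEALTHY_LOG = """\
Sep 22 23:00:00 openvpn 4100 UDPv4 link remote: [AF_INET]192.0.2.10:443
Sep 22 23:00:00 openvpn 4100 UDPv4 WRITE [14] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 23:00:00 openvpn 4100 UDPv4 READ [26] from [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sep 22 23:00:02 openvpn 4100 Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+)")


def parse_log(text):
    """One dict (ts, pid, msg) per recognised entry; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Count handshake attempts vs. replies and derive plain-language findings."""
    hard_resets_sent = control_replies = ping_restarts = 0
    completed = comp_lzo = False
    remotes = []
    for e in entries:
        msg = e["msg"]
        if "WRITE" in msg and "P_CONTROL_HARD_RESET_CLIENT" in msg:
            hard_resets_sent += 1          # we knocked on the door
        elif "READ" in msg and "P_CONTROL" in msg:
            control_replies += 1           # the server answered on the control channel
        elif "Inactivity timeout (--ping-restart)" in msg:
            ping_restarts += 1
        elif "Initialization Sequence Completed" in msg:
            completed = True
        elif msg.startswith("Local Options String") and "comp-lzo" in msg:
            comp_lzo = True
        m = REMOTE_RE.search(msg)
        if m:
            remotes.append((m.group("ip"), int(m.group("port"))))

    findings = []
    if hard_resets_sent and not control_replies and not completed:
        findings.append(f"No control-channel reply: {hard_resets_sent} HARD_RESET sent, 0 received. "
                        "Nothing answers on the configured port/protocol; verify the remote "
                        "port and proto against the server before changing anything else.")
    if ping_restarts and not completed:
        findings.append(f"ping-restart fired {ping_restarts} time(s) before "
                        "'Initialization Sequence Completed'.")
    if len(set(remotes)) > 1:
        findings.append(f"Rotated through {len(set(remotes))} distinct servers with the same "
                        "result; the problem is the local configuration, not one bad server.")
    if comp_lzo:
        findings.append("comp-lzo is in the local options: compression inside TLS is the "
                        "VORACLE exposure; prefer 'omit preference' or no compression.")
    return {"hard_resets_sent": hard_resets_sent, "control_replies": control_replies,
            "ping_restarts": ping_restarts, "completed": completed, "comp_lzo": comp_lzo,
            "remotes": remotes, "findings": findings}


def report(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for f in report(FAILING_LOG)["findings"]:
        print("-", f)
```

Run it against the real log by pasting the "Last 50 OpenVPN Log Entries" text into FAILING_LOG; the script only needs the timestamp/pid prefix pfSense already adds.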
-
@obitori said in CyberGhost openvpn config files for client get mangled by pfdense web:
Again, I had to remove the ping statements from the advanced config settings pasted into the pfsense web page. They conflict with --keepalive.
I didn't say anything about advanced / custom options. Why are you so insistent on putting them there? Just try it with less and only add what's necessary in the configuration when you're told so by the error logs. Also you tried setting "don't pull routes" but set redirect-gateway def1. That's just plain stupid, as the latter will set up your default GW to the VPN tunnel while your checkbox will try to avoid that. Just stop adding stuff in the custom options because "it says so".
-
FYI, I tried a "plain" pfSense config and then sequentially pasted in "advanced configs" to see the result. I basically got the same errors and no combination of pfSense and "advanced config options" worked. I had to leave for international travel, so have to push this off for now.
If you have any additional ideas on how to proceed, please let me know. I will tackle this again next week.
-
Hi All,
Here in 2020, same issue, and this was my fix: compression: omit preference.
Works with pfBlocker unbound too. Thanks @JeGr
Peer to peer, TLS
UDP on v4
tun
<your WAN interface>
server host: Your Server
server port 443 (that is real strange - udp/443 isn't something normally used but maybe CG does it)
no proxy settings
<your description>
<username>
<password>
do not retry
use a TLS key
peer CA: import the ca.crt from CG
peer CRL -> none
client cert: import the client.crt and the client.key
encryption: AES-256-CBC
disable NCP (CG config doesn't include it)
Auth digest: SHA256
leave tunnel network blank (none given in the config)
leave remote network
compression: omit preference (as the CG file has comp-lzo -> that's not that nice because of VORACLE)
topology net30 (I assume from your screenshot when dialed in (.62 -> .61) that they still use net30)
leave the rest
set gw creation to v4 only
verbosity level 3
-
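Added example (not from the original post, pfSense or the provider): a Python cross-check that takes a provider .ovpn file and sorts each directive into the pfSense client GUI field from the checklist above, the directives pfSense's generated config already contains (so they must not be repeated in "Custom options"), and the few that are genuinely left over. It flags the three mistakes this thread turned on: ping directives pasted next to the keepalive pfSense emits, redirect-gateway def1 pasted while "Don't pull routes" is ticked, and a port in the file that differs from the port the server actually listens on. The .ovpn text and the mapping of directives to GUI fields are constructed for the example; the set of directives attributed to pfSense's generated config is an assumption about pfSense 2.4 defaults, and the certificate body is a placeholder.

```python
"""Map a provider .ovpn onto the pfSense OpenVPN client GUI and flag directives
that would clash with what pfSense writes itself."""
import re

# Constructed sample in the shape of a generic OpenVPN client profile; not the
# provider's real file. The certificate body is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.test 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ping 5
ping-exit 60
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
comp-lzo
redirect-gateway def1
verb 4
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Directive -> GUI field, following the checklist in the thread (mapping is ours).
GUI_FIELDS = {
    "client": "Server mode: Peer to Peer (SSL/TLS)",
    "dev": "Device mode",
    "proto": "Protocol (UDP on IPv4 only / TCP on IPv4 only)",
    "remote": "Server host or address + Server port",
    "cipher": "Encryption Algorithm (tick 'Disable NCP' if the file has no ncp-ciphers)",
    "auth": "Auth digest algorithm",
    "comp-lzo": "Compression -> 'Omit Preference' (comp-lzo is the VORACLE exposure)",
    "compress": "Compression",
    "redirect-gateway": "Routing: pfSense gateway handling / 'Don't pull routes'",
    "topology": "Topology",
    "verb": "Verbosity level",
}
# Assumption (pfSense 2.4 defaults): the generated client config already has these.
EMITTED_BY_PFSENSE = {"persist-key", "persist-tun", "resolv-retry", "nobind", "keepalive"}
# These clash with the keepalive pfSense emits; OpenVPN refuses the combination.
KEEPALIVE_CLASH = {"ping", "ping-exit", "ping-restart", "keepalive"}
INLINE_TO_FIELD = {
    "ca": "Peer Certificate Authority (import ca.crt)",
    "cert": "Client Certificate (import client.crt)",
    "key": "Client Certificate (import client.key together with the cert)",
    "tls-auth": "TLS Configuration: 'Use a TLS key'",
    "tls-crypt": "TLS Configuration: 'Use a TLS key', usage mode tls-crypt",
}


def parse_ovpn(text):
    """Return (directives, inline_blocks): directives as (name, args) in file
    order, inline blocks such as <ca>...</ca> as {name: body}."""
    directives, blocks, block, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <name> ... </name>
            if line == "</%s>" % block:
                blocks[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(line)
            continue
        m = re.match(r"<(\w[\w-]*)>$", line)
        if m:
            block = m.group(1)
            continue
        if not line or line[0] in "#;":            # blank or comment
            continue
        name, _, args = line.partition(" ")
        directives.append((name, args.strip()))
    return directives, blocks


def plan_pfsense(directives, blocks, actual_port=None):
    """Sort directives into GUI fields / clashes / leftover custom options."""
    gui, clash, custom, warnings = {}, [], [], []
    for name, args in directives:
        full = (name + " " + args).strip()
        if name in KEEPALIVE_CLASH:
            clash.append(full)
        elif name in GUI_FIELDS:
            gui[name] = (args, GUI_FIELDS[name])
        elif name in EMITTED_BY_PFSENSE:
            continue                                # pasting it again only duplicates it
        else:
            custom.append(full)
    if clash:
        warnings.append("Do not paste %s into Custom options: pfSense already emits "
                        "keepalive and OpenVPN rejects the overlap." % ", ".join(clash))
    if "redirect-gateway" in gui:
        warnings.append("redirect-gateway %s is in the file: either let pfSense pull it "
                        "(leave 'Don't pull routes' unticked) or drop it; the checkbox and "
                        "the pasted directive contradict each other." % gui["redirect-gateway"][0])
    if "comp-lzo" in gui or "compress" in gui:
        warnings.append("Compression requested: choose 'Omit Preference' so pfSense neither "
                        "forces nor refuses it, and be aware of VORACLE.")
    if actual_port is not None and "remote" in gui:
        parts = gui["remote"][0].split()
        port = int(parts[1]) if len(parts) > 1 else 1194   # OpenVPN's default port
        if port != actual_port:
            warnings.append("File says port %d but the server answers on %d; set "
                            "Server port to %d." % (port, actual_port, actual_port))
    certs = {b: INLINE_TO_FIELD.get(b, "unknown inline block: handle manually") for b in blocks}
    return {"gui": gui, "clash": clash, "custom_options": custom,
            "warnings": warnings, "certs": certs}


if __name__ == "__main__":
    d, b = parse_ovpn(SAMPLE_OVPN)
    for w in plan_pfsense(d, b, actual_port=443)["warnings"]:
        print("-", w)
```

Pass actual_port only once you have confirmed, as the later posts in this thread did, which port the server really answers on; without it the script stays silent on the port question rather than guessing.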
@antonio76 This post is old. However, I can't thank you enough that I found the solution here!! CyberGhost's config sets the VPN port to 1194 but it is actually 443. So weird that they send out something that doesn't match their server.
-
@huydra I should have TL;DRed the thread... Got bumped up.