Howto Circumvent Double NAT
-
Is there some way to circumvent being Double NATted?
I think this is why my VPN Client will NOT stay connected for some reason.
My pfSense Router on my SG-3100 is behind my ISP's router which cannot be put into Bridged Mode.
I have put my router in the DMZ of the ISP Router, but no different.
Oct 15 07:11:52 openvpn 92912 MANAGEMENT: Client disconnected
Oct 15 07:11:52 openvpn 92912 MANAGEMENT: CMD 'state 1'
Oct 15 07:11:52 openvpn 92912 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 15 07:11:47 openvpn 92912 UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 15 07:11:47 openvpn 92912 UDPv4 link local (bound): [AF_INET]192.168.1.14:0
Oct 15 07:11:47 openvpn 92912 Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 15 07:11:47 openvpn 92912 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Oct 15 07:11:47 openvpn 92912 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 15 07:11:47 openvpn 92912 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 15 07:11:47 openvpn 92912 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Oct 15 07:11:47 openvpn 92912 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 15 07:11:47 openvpn 92912 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 15 07:11:47 openvpn 92912 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 15 07:11:47 openvpn 92912 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 15 07:11:47 openvpn 92912 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 15 07:11:47 openvpn 92912 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 15 07:11:47 openvpn 92912 mlockall call succeeded
Oct 15 07:11:47 openvpn 92912 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 15 07:11:47 openvpn 92895 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Oct 15 07:11:47 openvpn 92895 OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
I have no firewall rules for OpenVPN.
Is there some clever routing or NATting I can do to overcome this?
I can connect using OpenVPN from my phone, no problem.
This is very frustrating!
-
I use OpenVPN with Double NAT with no issues. Port 1194 is forwarded through my ISP router to pfSense, and then forwarded in PF to the OpenVPN interface.
-
My problem is in the reverse, I am trying to connect to a VPN outside my system, and no matter what I do I see the connection happen then it gets dropped as per the top of the Log above.
I even tried setting up a Hybrid Outbound NAT to and from the pfSense Router and the VPN, but no good. The normal outbound NAT is for my VLANs.
-
Check if the ISP router has outbound VPN options. Many do to force ports rather than use random during key exchange.
-
Also if you can access the server collect both client & server logs with increased debug enabled.
Try server connection with client on the ISP router LAN.
-
So you're running UDP over 443?
This is a vps, dedicated box of yours I take it - and you're trying to run what, openvpn-as on it? Which I assume from the use of the aes-256-cbc.. Also why would you not have compression off?
As already mentioned logs from the server could help... Also up your verbosity..
Double nat, even triple nat or quadruple would not have issues on you creating a vpn outbound..
BTW if this is pfsense connecting as client, then it's only single nat, the device in front of pfsense natting. If it was a client behind pfsense trying to connect, then it would be a double nat.. pfsense natting your client's IP to its wan, and then your router in front of pfsense natting pfsense wan IP to your public IP.
-
@pwood999 The ISP Router is so locked down I can pretty much do nothing.
I have got OpenVPN on my phone which connects to AirVPN from behind my router, no problem, so why will the router not connect?
@johnpoz I must apologise, I showed the wrong log. I am trying to connect to AirVPN, but tried another outfit with the same result, no connection with same error. There is no compression on AirVPN config.
I am using an SG-3100 Router to manage my network inside my ISP's Router.
I have upped the Verbosity to 5. Here is the complete log from starting the OpenVPN Server:
Oct 16 05:45:09 openvpn 99960 MANAGEMENT: Client disconnected
Oct 16 05:45:09 openvpn 99960 MANAGEMENT: CMD 'state 1'
Oct 16 05:45:09 openvpn 99960 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 16 05:45:04 openvpn 99960 UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 16 05:45:04 openvpn 99960 UDPv4 link local (bound): [AF_INET]192.168.1.14:0
Oct 16 05:45:04 openvpn 99960 Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 16 05:45:04 openvpn 99960 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Oct 16 05:45:04 openvpn 99960 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 05:45:04 openvpn 99960 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 05:45:04 openvpn 99960 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Oct 16 05:45:04 openvpn 99960 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 16 05:45:04 openvpn 99960 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 05:45:04 openvpn 99960 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 05:45:04 openvpn 99960 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 05:45:04 openvpn 99960 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 05:45:04 openvpn 99960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 05:45:04 openvpn 99960 mlockall call succeeded
Oct 16 05:45:04 openvpn 99960 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 16 05:45:04 openvpn 99816 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Oct 16 05:45:04 openvpn 99816 OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
and then another output when it automatically restarts
Oct 16 05:49:25 openvpn 99960 Restart pause, 40 second(s)
Oct 16 05:49:25 openvpn 99960 SIGUSR1[soft,ping-restart] received, process restarting
Oct 16 05:49:25 openvpn 99960 TCP/UDP: Closing socket
Oct 16 05:49:25 openvpn 99960 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 16 05:48:55 openvpn 99960 UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 16 05:48:55 openvpn 99960 UDPv4 link local (bound): [AF_INET]192.168.1.14:0
Oct 16 05:48:55 openvpn 99960 Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 16 05:48:55 openvpn 99960 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Oct 16 05:48:55 openvpn 99960 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 05:48:55 openvpn 99960 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 05:48:55 openvpn 99960 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Oct 16 05:48:55 openvpn 99960 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 16 05:48:55 openvpn 99960 Re-using SSL/TLS context
Oct 16 05:48:55 openvpn 99960 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Help would be much appreciated.
-
Have you tried the AirVPN community forums? I suspect you have something missing in the pfSense client settings.
If a phone can connect through PF, try a desktop OpenVPN and compare those logs to PF Client.
-
@TheMetMan said in Howto Circumvent Double NAT:
The ISP Router is so locked down I can pretty much do nothing.
Can the ISP put the modem in bridge mode? Call tech support and ask. I had to do that with the first modem I had.
-
@pwood999 I have tried connecting from my laptop. Set Verbosity to 5:
Fri Oct 16 11:51:25 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
Fri Oct 16 11:51:25 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Fri Oct 16 11:51:25 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 16 11:51:25 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 11:51:25 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 11:51:25 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 11:51:25 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 11:51:25 2020 UDP link local: (not bound)
Fri Oct 16 11:51:25 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 11:52:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 11:52:25 2020 TLS Error: TLS handshake failed
Fri Oct 16 11:52:25 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 16 11:52:25 2020 Restart pause, 5 second(s)
Nothing in my router logs blocking anything with the address 185.103.96.130
So tried this:
nc -uvz 185.103.96.130 443
Connection to 185.103.96.130 443 port [udp/https] succeeded!
With regards to the pfSense VPN Settings, I have had an exchange of mail with the chap who wrote the AirVPN for pfSense HowTo, sent him all my settings and he can find nothing wrong with them. He thinks it is a Double NAT Problem, and is interested to hear what you experts have to say.
@JKnott I have contacted my ISP, and can get the modem changed so it can be put into Bridged Mode.
I think this is probably the easiest option.
I will report back when it is done for completeness. Unless anyone has any other ideas.
-
@TheMetMan said in Howto Circumvent Double NAT:
but tried another outfit with the same result,
To the same IP?
But this
[UNDEF] Inactivity timeout (--ping-restart), restarting
Says they are not answering ping - and in the guide I looked up in 10 seconds shows it set to 0, or off.. And the default is off I do believe.. Did you set a value there other than 0?
I would really suggest you get with their support if you're having issues.. Or their community on how to setup pfsense with them..
-
@johnpoz OK, I will put my problem to them and see what they say.
Regards
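
A triage sketch for the client logs posted in this thread, added here as an example and not code from any poster, pfSense or OpenVPN: it separates a TLS handshake that never completed (the `[UNDEF]` peer name, the `tls-error` restart) from a tunnel that came up and then lost keepalives. The function name, result keys and verdict strings are assumptions, and the third sample log is constructed for contrast.

```python
import re

# Lines taken from the pfSense client log posted in the thread (newest first).
PFSENSE_LOG = """\
Oct 16 05:49:25 openvpn 99960 SIGUSR1[soft,ping-restart] received, process restarting
Oct 16 05:49:25 openvpn 99960 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 16 05:48:55 openvpn 99960 UDPv4 link remote: [AF_INET]185.103.96.130:443
"""
# Lines taken from the laptop client log posted in the thread (oldest first).
LAPTOP_LOG = """\
Fri Oct 16 11:51:25 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 11:52:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 11:52:25 2020 SIGUSR1[soft,tls-error] received, process restarting
"""
# Constructed for contrast: a tunnel that came up and later lost keepalives.
# 198.51.100.7 and the peer name "server" are placeholders.
DROPPED_LOG = """\
Oct 16 06:00:00 openvpn 1234 UDPv4 link remote: [AF_INET]198.51.100.7:443
Oct 16 06:00:02 openvpn 1234 Initialization Sequence Completed
Oct 16 06:10:02 openvpn 1234 [server] Inactivity timeout (--ping-restart), restarting
Oct 16 06:10:02 openvpn 1234 SIGUSR1[soft,ping-restart] received, process restarting
"""

REMOTE = re.compile(r"link remote: \[AF_INET6?\](\S+):(\d+)")
RESTART = re.compile(r"SIGUSR1\[soft,([a-z-]+)\]")
# OpenVPN prints the peer's certificate name in brackets; it stays UNDEF
# until the TLS handshake has authenticated the server.
PEER_TIMEOUT = re.compile(r"\[([^\]]*)\] Inactivity timeout \(--ping-restart\)")
HANDSHAKE_MARKERS = ("Initialization Sequence Completed",
                     "Peer Connection Initiated")


def triage(log_text):
    """Classify an OpenVPN client log; does not depend on line order."""
    remotes, reasons, peer_names = set(), [], set()
    handshake_done = False
    for line in log_text.splitlines():
        m = REMOTE.search(line)
        if m:
            remotes.add((m.group(1), int(m.group(2))))
        m = RESTART.search(line)
        if m:
            reasons.append(m.group(1))
        m = PEER_TIMEOUT.search(line)
        if m:
            peer_names.add(m.group(1))
        if any(marker in line for marker in HANDSHAKE_MARKERS):
            handshake_done = True
    # A real peer name in the timeout line also proves an earlier handshake.
    if peer_names - {"UNDEF"}:
        handshake_done = True

    if reasons and not handshake_done:
        verdict = "handshake-never-completed"   # look at path, port, keys
    elif "ping-restart" in reasons:
        verdict = "tunnel-up-then-keepalive-lost"
    elif handshake_done:
        verdict = "connected"
    else:
        verdict = "inconclusive"
    return {"remotes": sorted(remotes), "restart_reasons": reasons,
            "handshake_completed": handshake_done, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("pfSense", PFSENSE_LOG), ("laptop", LAPTOP_LOG),
                      ("constructed", DROPPED_LOG)):
        print(name, triage(log))
```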