NordVPN using OpenVPN not connecting
-
Hey all. I'm new to pfSense and trying to get my NordVPN working with pfSense 2.6. I followed the directions here (https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm). After it didn't work the first time I reset back to Factory Default and tried again, no luck. I've tried with 3 different servers, restarted the OpenVPN service, retraced my steps, etc, etc, with no luck. The OpenVPN status is always down.
My outbound topology looks like this:
pfSense (guest VM on ESXi host) -> WAN Interface -> ISP Router (In passthrough) -> Internet
My inbound topology looks like this:
Internet -> ISP Router (in passthrough) -> LAN Interface -> pfSense (guest VM on ESXi host)
I have turned off the firewall on my ISP router. The TPLink router is in AP Mode and just acting as an Ethernet switch/wireless AP with no firewall. I also tried disabling the ESXi firewall on my VM host.
A packet capture from pfSense shows the following:
The source IP is my WAN interface. My public IP in this case as my ISP router is in IP Passthrough
OpenVPN logs show me:
Jul 26 01:12:49 openvpn 47018 OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
Jul 26 01:12:49 openvpn 47018 library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
Jul 26 01:12:49 openvpn 47023 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Jul 26 01:12:49 openvpn 47023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 01:12:49 openvpn 47023 WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Jul 26 01:12:49 openvpn 47023 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 26 01:12:49 openvpn 47023 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 26 01:12:49 openvpn 47023 Control Channel MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Jul 26 01:12:49 openvpn 47023 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Jul 26 01:12:49 openvpn 47023 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Jul 26 01:12:49 openvpn 47023 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Jul 26 01:12:49 openvpn 47023 TCP/UDP: Preserving recently used remote address: [AF_INET]92.119.17.78:1194
Jul 26 01:12:49 openvpn 47023 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 26 01:12:49 openvpn 47023 UDPv4 link local (bound): [AF_INET]104.52.211.159:0
Jul 26 01:12:49 openvpn 47023 UDPv4 link remote: [AF_INET]92.119.17.78:1194
Jul 26 01:12:54 openvpn 47023 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jul 26 01:12:54 openvpn 47023 MANAGEMENT: CMD 'state 1'
Jul 26 01:12:54 openvpn 47023 MANAGEMENT: Client disconnected
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: CMD 'state 1'
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: Client disconnected
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: CMD 'state 1'
Jul 26 01:12:55 openvpn 47023 MANAGEMENT: Client disconnected
Jul 26 01:12:56 openvpn 47023 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jul 26 01:12:56 openvpn 47023 MANAGEMENT: CMD 'state 1'
Jul 26 01:12:56 openvpn 47023 MANAGEMENT: Client disconnected
Not too sure where to go from here. I have Googled a good bit and have not been able to find any solid answers. Any help is appreciated. Thanks.
-
@mradell
Is your pfSense able to reach anything on the internet at all?
For instance, when you ping 8.8.8.8, do you get a response?
-
Yes. Ping works when Source address is set to Automatically selected (default), LAN, WAN, and out the NordVPN interface I created following the previous instructions I mentioned.
-
So I downloaded the OpenVPN Client for Windows on my PC that's behind pfSense in the LAN. I downloaded the config file for the same server I am trying to connect to in pfSense, same protocol (UDP), and it connects just fine from my PC through pfSense and out the WAN. This leads me to believe I must have something configured incorrectly in pfSense, but I'm really not sure what as I followed the directions provided exactly. I'll play around with some config, but I'm open to suggestions. Thanks.
-
@mradell For a start, post screenshots of everything you have done to configure the VPN service. Is everything else working without the VPN service?
-
@mradell said in NordVPN using OpenVPN not connecting:
So I downloaded the OpenVPN Client for Windows on my PC that's behind pfSense in the LAN. I downloaded the config file for the same server I am trying to connect to in pfSense, same protocol (UDP), and it connects just fine from my PC through pfSense and out the WAN.
Don't test OpenVPN from behind pfSense on one of its LANs. It might work (but who cares): testing from the outside is far better.
Take any smart 'phone', install the OpenVPN app, like this one. Samsung (Android) and other clone phones also have the same app.
If possible, check if the OpenVPN app you use is based on the same OpenVPN server version that pfSense is using.
22.05 is using OpenVPN 2.5.4 - as does pfSense 2.6.0.
Your client might be using 2.4.x. That can still work, but you need to read about version differences.
Create an OpenVPN client account for your phone.
Now use your phone to test.
-
So I went through the setup a third time and was taking screenshots of each step. As I was adding the OpenVPN client I noticed that I had the wrong 'Auth digest algorithm'...
I corrected this and finished the config...
Now it works...
That's what happens when you just don't pay as close enough attention to detail as you think you did. Thanks everyone for your responses and for trying to help.
-
@mradell said in NordVPN using OpenVPN not connecting:
That's what happens when you just don't pay as close enough attention to detail as you think you did.
Happens to all of us.
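
Added example (not part of the thread): the digest setting that turned out to be wrong is already visible in the 'Local Options String' line of the client log quoted above, so a short script can compare that line with the provider's profile before any retesting. The profile below is constructed, its 'auth SHA512' value is an assumption for illustration, and the function names are hypothetical.

```python
import re

# Line copied from the client log quoted in the thread.
LOG = (
    "Jul 26 01:12:49 openvpn 47023 Local Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1601,tun-mtu 1532,proto UDPv4,keydir 1,"
    "cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'\n"
)

# Constructed provider profile; "auth SHA512" is an assumed value, not from the thread.
PROFILE = """\
proto udp
remote 92.119.17.78 1194
cipher AES-256-CBC
auth SHA512
"""

def parse_local_options(log_text):
    """Return the options the client announced in its 'Local Options String' line."""
    m = re.search(r"Local Options String \(VER=V\d+\): '([^']*)'", log_text)
    if m is None:
        raise ValueError("no Local Options String line in log")
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value  # bare flags such as tls-auth map to ""
    return opts

def parse_profile(text):
    """Return directive -> argument string from an .ovpn profile, skipping comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives

def mismatches(log_text, profile_text, keys=("cipher", "auth")):
    """List (key, local, expected) for options that differ from the profile."""
    # With tls-auth, the auth digest also protects the control channel, so a peer
    # configured with a different digest drops the packets without replying.
    local, wanted = parse_local_options(log_text), parse_profile(profile_text)
    return [(k, local.get(k), wanted[k]) for k in keys
            if k in wanted and local.get(k, "").upper() != wanted[k].upper()]

if __name__ == "__main__":
    for key, have, want in mismatches(LOG, PROFILE):
        print(f"{key}: client has {have!r}, profile expects {want!r}")
```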