How to create an OpenVPN client to StrongVPN
-
Thanks so much for this guide.
The VPN provider I'm using has instructions for running on pfSense, but this guide is much better.
Their instructions got the VPN running, but no traffic was passing. This guide showed me the firewall rules I needed to get things really working. Also, pfSense running on an old HP7900 SFF PC is easily handling my 50/25 Mb/s connection. I gotta thank the hardware forum for that recommendation.
-
May I ask the name of the provider you mentioned?
Just curious if that provider is cheaper.
-
I think that I have managed to get StrongVPN up and running, but I can't get any Internet access. I can ping different sites from the router but I can't get any Internet access to my computers.
If I look at the logs it seems like the VPN is up and running.
Please help!
-
No, I'm finally up and running, but the speed tests are not good. I have a 100mb line down, and with OpenVPN I get only 1mb down, and that sucks. But I have changed location on the StrongVPN web page; what do I have to change in my settings in pfSense to get the new location to work?
I tried to change just the IP number but it didn't work. Please help.
-
For a different location / server you need to redo the process with the new certificate details, as each of the servers has a different cert / key. Once you have got it working once, it only takes a few minutes.
I am finding the StrongVPN connection very slow and am looking for alternatives.
Richard
-
Thank you, yes, I'm also looking for alternatives. Anyone have any suggestions?
-
Anyone made this work recently? I'm running the 2.1 release from Sep 11 2013 - the virtual machine.
I've disabled every other package I had (dansguardian/squid) and ensured the configuration was exactly as specified. The VPN shows as up, and I can ping the remote addresses but cannot access anything on the internet.
Thanks!
-
Hi, got some questions regarding this guide and other variations of other people's guides.
-
Are the Monitor IP and 208.67.222.222 important? I did not understand what graph displays and load balancer meant, and was not comfortable with using an OpenDNS US-based server.
-
I noticed in a few other people's guides with StrongVPN and other providers they are always adding other firewall rules, i.e. ones for WAN and even StrongVPN or their VPN, yet this guide only states you need to add firewall rules for LAN. The guys that did WAN and VPN firewall rules said otherwise it did not work...
-
Has any pfSense+VPN user noticed that if they leave their pfSense on 24/7 it sometimes loses connection?
As in overnight or after 24 or 48 hrs? I have this issue where the following morning if I switch on the PC, web pages are not loading; if I wait 3-4 mins it then "jump" starts and works again. I believe the issue is since I leave my pfSense PC switched on 24/7. Rebooting the pfSense box sometimes restarts quicker, or sometimes I still have to wait 3-4 mins for it to magically come on. My gut tells me the handshake is lost once the connection is idle for more than a few hours?
Any answers to the above are welcome, thanks.
-
I am working on this setup. I have gotten to step 10. So far I am able to get the OpenVPN client up and running. I have noticed at this point Internet connectivity goes down. DNS still works but I can't ping IPs on the Internet.
I know I am only at step 10 but just curious as to what happened when I started the OpenVPN client service.
Anyone got any ideas?
-
Hi everyone. Total NOOB here.
I've been trying to get a StrongVPN client set up on pfSense latest version (2.1.3).
I tried the initial tutorial by ericab, who started this thread, as well as the tutorial in the link by pkwong. However, after a certain point, the screenshots start to differ slightly (in terms of the options) and I can't figure out what I'm doing wrong. Also, on my machine, it seems to distinguish between IPv4 and IPv6 LANs. Not sure if that is part of my problem. That's above my head at this point. I'm reeeaaaly clueless about this stuff, so you guys' hand-holding is really appreciated.
I was able to load all the certificate information and get a positive indication of connection under system logs. One other thing I noticed, when I set up the certificate, I did not get an "in-use" indication within the GUI, like you see for the other one that was already there. Could that be part of the problem?
If there is an updated tutorial, or if it's known that a StrongVPN Client will not work with the latest version of pfSense, I'd greatly appreciate the help.
Thanks!
DW
-
What alternative(s) to StrongVPN have you folks found? I was looking at privateinternetaccess but, like others, the tutorials I find online are for older versions, and as this will be my first time doing something like this, I'm going to need a lot of help.
-
AirVPN works beautifully.
-
Hello,
I can not get OpenVPN working with StrongVPN... No Internet access. I have Squid installed also... I also have my LAN IP range set as 10.10.10.1 with the DHCP range of 10.10.10.5-254
I need a config and I'm willing to pay for it via PayPal if need be. $20 USD
I need the following ports forwarded 53-80-25-443-110-2525 to 25 - 587 all tcp/udp
Here is the version of pfsense I am running - pfSense-memstick-2.1.3-RELEASE-amd64-20140501-1552
Thanks in advance for any help.
-
Perhaps as a newbie to pfSense myself I have misunderstood something concerning the outbound NAT manual mappings / rules.
I have configured as per the guide with only one exception. The encryption algorithm I had to employ was AES-128-CBC (128-bit). Going with this algorithm not only allowed my OpenVPN to establish but also become viable to send / receive data over.
My problem is just like everyone else's who has posted on this topic. ALL traffic is routed through the VPN across all the networks attached (currently 7 different subnets NAT'ing).
So if I have read correctly, it sounds like the magic I need to employ happens at NAT - Outbound - Manual Mappings. If so, how do I specify these mappings? When I select manual mappings a number of rules are automatically generated for all the attached subnets as well as one for 127.0.0.0. How and where do I specify to allow only select IPs or policy-based exceptions to utilize the VPN while still allowing all regular NAT connections to traverse my regular WAN connection?
Finally, I see that this has been asked in the past but further clarification would be great. Why in the routing section is there the ability to specify a default gateway (typically for the regular WAN) if this does not work? Is this a possible bug?
My installation is:
2.1.4-RELEASE (i386)
built on Fri Jun 20 12:59:29 EDT 2014
FreeBSD 8.3-RELEASE-p16
And it is installed on a WatchGuard Firebox 1250e. Not the nano but a full install, headless, on a hard drive.
Thanks in advance for your help!
-
I have since doubled up all my manual outbound NAT rules to allow NAT to the VPN interface. Then went back to the LAN firewall rule and pointed the gateway at my WAN interface. At first the results were good, I was getting my local WAN IP showing up in whatsmyip.com, however after a few minutes and refreshing the page a few times, I see that I am again being directed out the VPN interface... I am seriously stumped and baffled by this behaviour...
When my only LAN rule looks like:
IPv4 * * * * * WAN_DHCP none
I traceroute and see:
traceroute whatismyip.com
traceroute to whatismyip.com (141.101.120.14), 30 hops max, 60 byte packets
1 192.168.69.1 (192.168.69.1) 0.633 ms 0.619 ms 0.602 ms
2 11.5.192.1 (11.5.192.1) 8.321 ms 12.384 ms 12.460 ms
3 rd1cs-tge1-3-1.ok.shawcable.net (64.59.168.201) 14.144 ms 14.223 ms 14.223 ms
4 rc2wh-tge0-4-0-17.vc.shawcable.net (66.163.76.26) 18.394 ms 18.384 ms *
5 rc6wt-pos0-8-1-0.wa.shawcable.net (66.163.76.130) 22.334 ms 22.406 ms 22.489 ms
6 rc5wt-tge0-10-0-10.wa.shawcable.net (66.163.68.65) 22.489 ms 22.774 ms 22.766 ms
7 six.as13335.com (206.81.81.10) 64.549 ms 35.806 ms 35.852 ms
8 141.101.120.14 (141.101.120.14) 32.500 ms 32.527 ms 32.688 ms
Hop 1 is my local ISP modem/router
Hop 2 I suspect is my ISP internal network
Hop 3 is my ISP's external addy...
etc.
Clearly going through my WAN...
And if I modify my only LAN rule to look like:
IPv4 * * * * * STRONGVPN_VPNV4 none
traceroute whatismyip.com
traceroute to whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
1 10.8.1.57 (10.8.1.57) 50.940 ms 50.930 ms 55.953 ms
2 10G-207-gtwy.reliablehosting.com (207.204.224.1) 57.507 ms 57.593 ms 57.581 ms
3 10ge2-1.sfo4.reliablehosting.com (216.131.94.241) 63.508 ms 63.632 ms 63.806 ms
4 218.188.105.25 (218.188.105.25) 65.886 ms 65.965 ms 65.952 ms
5 218.189.5.179 (218.189.5.179) 66.017 ms 218.189.5.170 (218.189.5.170) 66.083 ms 218.189.5.147 (218.189.5.147) 66.070 ms
6 d1-21-224-143-118-on-nets.com (118.143.224.21) 229.354 ms d1-13-224-143-118-on-nets.com (118.143.224.13) 214.237 ms d1-9-224-143-118-on-nets.com (118.143.224.9) 225.046 ms
7 d1-46-238-143-118-on-nets.com (118.143.238.46) 212.912 ms 218.189.5.14 (218.189.5.14) 219.428 ms 225.311 ms
8 103.22.203.26 (103.22.203.26) 220.888 ms 214.069 ms 220.438 ms
9 141.101.120.15 (141.101.120.15) 226.410 ms 219.705 ms 226.477 ms
What gives????
edit:
I should also mention that I am using Squid. Dunno if that makes a difference or not. I just thought it might have bearing as my traceroute packets seem to be routed properly but not the web requests...
-
ok… a bit closer possibly....
I have uninstalled squid2, and squidguard2.
From a LAN client IP, I can traceroute google.ca and hit my regular WAN gateway. As well, HTTP requests are being NAT'd through the regular WAN gateway. This is expected and correct.
However if I SSH into pfSense and traceroute google.ca, it still goes out via the VPN gateway...
Thoughts?
-
Maybe a bit more clarification as to what I am trying to achieve…
I am trying to get the pfsense box as well as all traffic generated on the lan subnets to still NAT to the shaw gateway. Only select ip's or layer7 detected protocols etc to be NAT'd out the VPN.
I believe that has to do with getting the pfsense box itself to use the default shaw gateway rather than the vpn gateway. Oddly enough in the routing section of pfsense when you specify multiple gateways, there is a box labelled default gateway. I have this set to the shaw gateway. Unfortunately this directive doesn’t seem to be adhered to....?
-
Just a thought… Why is there a 0.0.0.0/1 to 10.8.1.61 ahead of the default gateway line?
This is with the openvpn activated:
Diagnostics: Routing tables
IPv4
Destination Gateway Flags Refs Use Mtu Netif Expire
0.0.0.0/1 10.8.1.61 UGS 0 41 1500 ovpnc1 =>
default 192.168.69.1 UGS 0 1097 1500 sk0
10.8.1.57/32 10.8.1.61 UGS 0 0 1500 ovpnc1
10.8.1.61 link#14 UH 0 0 1500 ovpnc1
10.8.1.62 link#14 UHS 0 0 16384 lo0
50.66.76.1 192.168.69.1 UGHS 0 1685 1500 sk0
127.0.0.1 link#12 UH 0 51040 16384 lo0
128.0.0.0/1 10.8.1.61 UGS 0 22210 1500 ovpnc1
172.16.50.0/24 link#6 U 0 5891 1500 sk1
172.16.50.1 link#6 UHS 0 0 16384 lo0
172.16.75.0/24 link#1 U 0 0 1500 msk0
172.16.75.1 link#1 UHS 0 0 16384 lo0
172.16.100.0/24 link#7 U 0 0 1500 sk2
172.16.100.1 link#7 UHS 0 0 16384 lo0
172.16.150.0/24 link#8 U 0 0 1500 sk3
172.16.150.1 link#8 UHS 0 0 16384 lo0
172.16.200.0/24 link#3 U 0 0 1500 msk2
172.16.200.1 link#3 UHS 0 41 16384 lo0
172.16.201.0/24 link#13 U 0 0 1500 msk3_vlan201
172.16.201.1 link#13 UHS 0 0 16384 lo0
192.168.69.0/24 link#5 U 0 0 1500 sk0
192.168.69.14 link#5 UHS 0 0 16384 lo0
207.204.245.40/32 192.168.69.1 UGS 0 1784 1500 sk0
208.67.222.222 10.8.1.61 UGHS 0 1611 1500 ovpnc1
This is with the OpenVPN deactivated:
Diagnostics: Routing tables
IPv4
Destination Gateway Flags Refs Use Mtu Netif Expire
default 192.168.69.1 UGS 0 1200 1500 sk0
50.66.76.1 192.168.69.1 UGHS 0 3803 1500 sk0
127.0.0.1 link#12 UH 0 115900 16384 lo0
172.16.50.0/24 link#6 U 0 17932 1500 sk1
172.16.50.1 link#6 UHS 0 0 16384 lo0
172.16.75.0/24 link#1 U 0 0 1500 msk0
172.16.75.1 link#1 UHS 0 0 16384 lo0
172.16.100.0/24 link#7 U 0 0 1500 sk2
172.16.100.1 link#7 UHS 0 0 16384 lo0
172.16.150.0/24 link#8 U 0 0 1500 sk3
172.16.150.1 link#8 UHS 0 0 16384 lo0
172.16.200.0/24 link#3 U 0 0 1500 msk2
172.16.200.1 link#3 UHS 0 50 16384 lo0
172.16.201.0/24 link#13 U 0 0 1500 msk3_vlan201
172.16.201.1 link#13 UHS 0 0 16384 lo0
192.168.69.0/24 link#5 U 0 2 1500 sk0
192.168.69.14 link#5 UHS 0 0 16384 lo0
My gut is telling me this is the error I have been trying to track down. If this is so, then how am I going to be able to amend this seemingly automatically generated routing table? I have my NAT Outbound rules set to manual at present.
-
My openvpn config diagnostic output:
Jul 24 17:08:05 openvpn[63624]: LZO compression initialized
Jul 24 17:08:05 openvpn[63624]: Control Channel MTU parms [ L:1562 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 24 17:08:05 openvpn[63624]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 24 17:08:05 openvpn[63624]: Data Channel MTU parms [ L:1562 D:1450 EF:62 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Fragmentation MTU parms [ L:1562 D:1300 EF:61 EB:135 ET:1 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Local Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jul 24 17:08:05 openvpn[63624]: Local Options hash (VER=V4): '84ab6e17'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options hash (VER=V4): '6a64613d'
Jul 24 17:08:05 openvpn[63624]: UDPv4 link local (bound): [AF_INET]192.168.69.14
Jul 24 17:08:05 openvpn[63624]: UDPv4 link remote: [AF_INET]207.204.245.40:4672
Jul 24 17:08:05 openvpn[63624]: TLS: Initial packet from [AF_INET]207.204.245.40:4672, sid=bf5e0c09 180c3de9
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=1, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=ovpn039, emailAddress=techies@reliablehosting.com
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=0, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=vpn28, emailAddress=techies@reliablehosting.com
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul 24 17:08:06 openvpn[63624]: [vpn28] Peer Connection Initiated with [AF_INET]207.204.245.40:4672
Jul 24 17:08:08 openvpn[63624]: SENT CONTROL [vpn28]: 'PUSH_REQUEST' (status=1)
Jul 24 17:08:08 openvpn[63624]: PUSH: Received control message: 'PUSH_REPLY,ping 1,ping-restart 60,route-delay 2,route-metric 1,dhcp-option DNS 207.204.224.10,dhcp-option DNS 68.68.32.123,route 10.8.1.57,topology net30,ifconfig 10.8.1.62 10.8.1.61'
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route-related options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 24 17:08:08 openvpn[63624]: ROUTE_GATEWAY 192.168.69.1
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device ovpnc1 exists previously, keep at program end
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device /dev/tun1 opened
Jul 24 17:08:08 openvpn[63624]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jul 24 17:08:08 openvpn[63624]: /sbin/ifconfig ovpnc1 10.8.1.62 10.8.1.61 mtu 1500 netmask 255.255.255.255 up
Jul 24 17:08:08 openvpn[63624]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1562 10.8.1.62 10.8.1.61 init
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 207.204.245.40 192.168.69.1 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 0.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 128.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 10.8.1.57 10.8.1.61 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: Initialization Sequence Completed
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:15:47 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client disconnected
Is there a way to make it so that when the VPN establishes, this route is not done?
-
SOLVED
OK, in the advanced config section of the OpenVPN client just DON'T add "redirect-gateway def1;". This effectively overrides the route table with a blanket forward-all-traffic-out-the-VPN-tunnel.
NOW you are able to specify in your firewall rules which filtered matches you want to go out the VPN tunnel via the advanced features - gateway - and select the gateway of the VPN.
CHEERS EVERYONE. I see this has been a brutally long thread and many times this very question on how to selectively push traffic through the tunnel has been asked with no definitive solution. I am glad to have been able to contribute. :)
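To make the routing-table observation and the "redirect-gateway def1" answer above concrete, here is an added Python example (not code from this thread, from pfSense or from OpenVPN) that runs a longest-prefix lookup over an excerpt of the routing table the poster shared. OpenVPN's documented `def1` behaviour is to add the two half-default routes 0.0.0.0/1 and 128.0.0.0/1 rather than replace `default`; because /1 is more specific than /0, every destination is pulled into the tunnel, including traffic from the pfSense box itself, while the /32 host routes (the VPN server 207.204.245.40 via the WAN gateway and the 208.67.222.222 monitor IP via the tunnel) stay in effect either way. The route lines are a constructed subset of the posted table, and only the Destination, Gateway, Flags and Netif columns are used.

```python
import ipaddress

# Constructed excerpt of the pfSense "Diagnostics: Routing tables" output posted
# in the thread (VPN up). Columns: Destination Gateway Flags Refs Use Mtu Netif.
ROUTES_VPN_UP = """\
0.0.0.0/1 10.8.1.61 UGS 0 41 1500 ovpnc1
default 192.168.69.1 UGS 0 1097 1500 sk0
10.8.1.57/32 10.8.1.61 UGS 0 0 1500 ovpnc1
10.8.1.61 link#14 UH 0 0 1500 ovpnc1
128.0.0.0/1 10.8.1.61 UGS 0 22210 1500 ovpnc1
172.16.50.0/24 link#6 U 0 5891 1500 sk1
192.168.69.0/24 link#5 U 0 0 1500 sk0
207.204.245.40/32 192.168.69.1 UGS 0 1784 1500 sk0
208.67.222.222 10.8.1.61 UGHS 0 1611 1500 ovpnc1
"""

# The two half-default routes that OpenVPN's "redirect-gateway def1" installs
# (see the "/sbin/route add -net 0.0.0.0 ... 128.0.0.0" lines in the posted log).
DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text):
    """Parse netstat-style lines into (network, gateway, flags, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # header line or blank
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[6]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.ip_network(dest, strict=False)
        else:
            # A bare address in FreeBSD's table is a host route (H flag), i.e. /32.
            net = ipaddress.ip_network(dest + "/32")
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific matching route wins, as in any IP stack."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        net = route[0]
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_interface(routes, addr):
    """Interface a packet to addr would leave on, or None if nothing matches."""
    hit = lookup(routes, addr)
    return hit[3] if hit else None


def without_def1(routes):
    """The same table as it would look if 'redirect-gateway def1' were not configured."""
    return [r for r in routes if r[0] not in DEF1_HALVES]


if __name__ == "__main__":
    table = parse_routes(ROUTES_VPN_UP)
    for dst in ("141.101.120.14", "207.204.245.40", "208.67.222.222", "172.16.50.20"):
        print(f"{dst:16} with def1: {egress_interface(table, dst):7} "
              f"without def1: {egress_interface(without_def1(table), dst)}")
```

Run stand-alone, the script shows the Internet destination from the poster's traceroute (141.101.120.14) leaving via ovpnc1 while the /1 routes are present and via sk0 once they are removed, whereas the VPN server and the monitor IP are unaffected in both cases. Dropping `redirect-gateway def1` therefore only removes the blanket pull into the tunnel; which LAN traffic still uses the VPN is then decided by the pfSense firewall rule's gateway setting, exactly as the SOLVED post describes.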