How to create an OpenVPN client to StrongVPN

thermo

@toyotahead:

SOLVED
Ok in the advanced config section of the openvpn client just DONT add the "redirect-gateway def1;" This effectively will override the route table with a blanket forward all traffic out the vpn tunnel.

The server by default will send this to the client…
Anyway, to prevent all traffic being routed through a vpn connection by default, you just need to add "route-nopull;" to the advanced section, then do your individual routing on your firewall rules.

clevoir

I have had some problems setting up AirVPN on a new pfSense box, as posted elsewhere

I stumbled on this post, and despite following the instructions in detail, I simply cannot get a reliable internet connection. At the end of the guide I am able to confirm that I am using the AirVPN IP address instead of my own, but get a very slow internet connection, with most pages timing out.

I have tried a number of different servers, all using the UDP straight proticol, but all have the effect.

Following another guide I am using remote-cert-tls server;verb 3;explicit-exit-notify 5;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key in the advanced configuration of the OpenVPN client. I have tried omitting the persist-key option as suggested but this makes on efferct

This is a typical OpenVPN log:-

Dec 7 17:18:12 openvpn[24752]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Dec 7 17:18:12 openvpn[24752]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 7 17:18:12 openvpn[24752]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 7 17:18:12 openvpn[24752]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Dec 7 17:18:12 openvpn[24752]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12 openvpn[24752]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12 openvpn[24752]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 17:18:12 openvpn[25084]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 17:18:12 openvpn[25084]: UDPv4 link remote: [AF_INET]95.211.138.7:443
Dec 7 17:18:12 openvpn[25084]: TLS: Initial packet from [AF_INET]95.211.138.7:443, sid=6fa95ce8 b20f1f7b
Dec 7 17:18:12 openvpn[25084]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 17:18:12 openvpn[25084]: Validating certificate key usage
Dec 7 17:18:12 openvpn[25084]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 17:18:12 openvpn[25084]: VERIFY KU OK
Dec 7 17:18:12 openvpn[25084]: Validating certificate extended key usage
Dec 7 17:18:12 openvpn[25084]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 17:18:12 openvpn[25084]: VERIFY EKU OK
Dec 7 17:18:12 openvpn[25084]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 17:18:20 openvpn[25084]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Dec 7 17:18:20 openvpn[25084]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Dec 7 17:18:20 openvpn[25084]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20 openvpn[25084]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20 openvpn[25084]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20 openvpn[25084]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20 openvpn[25084]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 17:18:20 openvpn[25084]: [server] Peer Connection Initiated with [AF_INET]95.211.138.7:443
Dec 7 17:18:22 openvpn[25084]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 17:18:23 openvpn[25084]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.23.110 10.4.23.109'
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: route options modified
Dec 7 17:18:23 openvpn[25084]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 7 17:18:23 openvpn[25084]: ROUTE_GATEWAY 192.168.1.1
Dec 7 17:18:23 openvpn[25084]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 17:18:23 openvpn[25084]: TUN/TAP device /dev/tun1 opened
Dec 7 17:18:23 openvpn[25084]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 17:18:23 openvpn[25084]: /sbin/ifconfig ovpnc1 10.4.23.110 10.4.23.109 mtu 1500 netmask 255.255.255.255 up
Dec 7 17:18:23 openvpn[25084]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.23.110 10.4.23.109 init
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 95.211.138.7 192.168.1.1 255.255.255.255
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 0.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 128.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23 openvpn[25084]: /sbin/route add -net 10.4.0.1 10.4.23.109 255.255.255.255
Dec 7 17:18:23 openvpn[25084]: Initialization Sequence Completed

Sometimes I get Client disconnected as below:-

Dec 7 10:50:34 openvpn[95554]: ROUTE_GATEWAY 192.168.1.1
Dec 7 10:50:34 openvpn[95554]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 10:50:34 openvpn[95554]: TUN/TAP device /dev/tun1 opened
Dec 7 10:50:34 openvpn[95554]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 10:50:34 openvpn[95554]: /sbin/ifconfig ovpnc1 10.4.51.250 10.4.51.249 mtu 1500 netmask 255.255.255.255 up
Dec 7 10:50:34 openvpn[95554]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.51.250 10.4.51.249 init
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 95.211.186.93 192.168.1.1 255.255.255.255
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 0.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 128.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34 openvpn[95554]: /sbin/route add -net 10.4.0.1 10.4.51.249 255.255.255.255
Dec 7 10:50:34 openvpn[95554]: Initialization Sequence Completed
Dec 7 10:51:34 openvpn[95554]: [server] Inactivity timeout (–ping-restart), restarting
Dec 7 10:51:34 openvpn[95554]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 7 10:51:34 openvpn[95554]: Restart pause, 2 second(s)
Dec 7 10:51:36 openvpn[95554]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 7 10:51:36 openvpn[95554]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 10:51:36 openvpn[95554]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 10:51:36 openvpn[95554]: UDPv4 link remote: [AF_INET]95.211.186.93:443
Dec 7 10:51:36 openvpn[95554]: TLS: Initial packet from [AF_INET]95.211.186.93:443, sid=72e60795 f425b2a5
Dec 7 10:51:36 openvpn[95554]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 10:51:36 openvpn[95554]: Validating certificate key usage
Dec 7 10:51:36 openvpn[95554]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 10:51:36 openvpn[95554]: VERIFY KU OK
Dec 7 10:51:36 openvpn[95554]: Validating certificate extended key usage
Dec 7 10:51:36 openvpn[95554]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 10:51:36 openvpn[95554]: VERIFY EKU OK
Dec 7 10:51:36 openvpn[95554]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 10:51:41 openvpn[95554]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41 openvpn[95554]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41 openvpn[95554]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41 openvpn[95554]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41 openvpn[95554]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 10:51:41 openvpn[95554]: [server] Peer Connection Initiated with [AF_INET]95.211.186.93:443
Dec 7 10:51:43 openvpn[95554]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 10:51:43 openvpn[95554]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.51.250 10.4.51.249'
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: LZO parms modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: route options modified
Dec 7 10:51:43 openvpn[95554]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 7 10:51:43 openvpn[95554]: Preserving previous TUN/TAP instance: ovpnc1
Dec 7 10:51:43 openvpn[95554]: Initialization Sequence Completed
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 10:58:46 openvpn[95554]: MANAGEMENT: Client disconnected
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 11:42:42 openvpn[95554]: MANAGEMENT: Client disconnected

A connection is alway made with AirVPN and their gateway is always green after a number of seconds, see attachments

I can not us the monitor IP address as stated in the guide, bit have used 10.4.0.1 (which is an AirVPN address given in another setup guide) or google's 8.8.8.8

The OpenVPN connection is clearly been made and a gateway to AirVPN is being set up, I am at a complete loss as to why I can't get an internet connection.

I did wonder whether to try different ports rather than 443 UDP straight, but thought that I would post here first

I would be very grateful of some assistance, I have hit a brick wall and just don't kno where to turn next

I am running Snort, Squid and ClamAV as well, if this makes any difference

Also I am currently using the same subnet for WAN and LAN, could this be the cause of my problem?


sysfu

What happens when you connect to the AirVPN account using an OpenVPN client on your computer? Do the problems go away?

clevoir

Yes when I use AirVPN's own client software I get no problems at all using the same servers and UDP 443 port that I have tried to set up my pF=fSense box with

As such I can't see it is a problem at their end, more the pfSense setup?

At the time of this problem I was using the same subnet for WAN and LAN, and wonder if it might be part of the problem?

I now have WAN and LAN on seperate subnets now, and will try again

sysfu

Yes, typically the IP address assigned to each interface must be on a different network or subnet. That's how the router is able to determine which interface the packet should be forwarded to. If both interfaces are on the same network, it doesn't know how to decide between the two.

Think if you were tasked with delivering a package to an office to a person there named "Charlie". When you get to the office, you find out where are two people named "Charlie".

How would you be able to decide definitively on which desk the package should ultimately go? You wouldn't without more info.

clevoir

I have just found that AirVPN block all conections on UDP ports where a proxy is used. as I am using Snort, Squid and Clam AV I guess that this will be why I can't get a connection as I was uisng UDP port 443

I am to try agian using TCP ports but appreciate that the connection speed might be slower

clevoir

This morning I tried again using AirVPn TCP 443 and 80 settings and still can't get an internet connection.

Log is:-

Dec 14 10:11:50 openvpn[11670]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Dec 14 10:11:50 openvpn[11670]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 14 10:11:50 openvpn[11670]: /sbin/ifconfig ovpnc1 10.5.14.90 10.5.14.89 mtu 1500 netmask 255.255.255.255 up
Dec 14 10:11:50 openvpn[11670]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1559 10.5.14.90 10.5.14.89 init
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 37.48.81.11 192.168.2.1 255.255.255.255
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 0.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 128.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50 openvpn[11670]: /sbin/route add -net 10.5.0.1 10.5.14.89 255.255.255.255
Dec 14 10:11:50 openvpn[11670]: Initialization Sequence Completed
Dec 14 10:13:52 openvpn[11670]: Connection reset, restarting [0]
Dec 14 10:13:52 openvpn[11670]: SIGUSR1[soft,connection-reset] received, process restarting
Dec 14 10:13:52 openvpn[11670]: Restart pause, 5 second(s)
Dec 14 10:13:57 openvpn[11670]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Dec 14 10:13:57 openvpn[11670]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Dec 14 10:13:57 openvpn[11670]: Attempting to establish TCP connection with [AF_INET]37.48.81.11:443 [nonblock]
Dec 14 10:13:58 openvpn[11670]: TCP connection established with [AF_INET]37.48.81.11:443
Dec 14 10:13:58 openvpn[11670]: TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.200
Dec 14 10:13:58 openvpn[11670]: TCPv4_CLIENT link remote: [AF_INET]37.48.81.11:443
Dec 14 10:13:58 openvpn[11670]: TLS: Initial packet from [AF_INET]37.48.81.11:443, sid=7f752825 a08fa24f
Dec 14 10:13:58 openvpn[11670]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 14 10:13:58 openvpn[11670]: Validating certificate key usage
Dec 14 10:13:58 openvpn[11670]: ++ Certificate has key usage 00a0, expects 00a0
Dec 14 10:13:58 openvpn[11670]: VERIFY KU OK
Dec 14 10:13:58 openvpn[11670]: Validating certificate extended key usage
Dec 14 10:13:58 openvpn[11670]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 14 10:13:58 openvpn[11670]: VERIFY EKU OK
Dec 14 10:13:58 openvpn[11670]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 14 10:14:02 openvpn[11670]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02 openvpn[11670]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02 openvpn[11670]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02 openvpn[11670]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02 openvpn[11670]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 14 10:14:02 openvpn[11670]: [server] Peer Connection Initiated with [AF_INET]37.48.81.11:443
Dec 14 10:14:04 openvpn[11670]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 14 10:14:04 openvpn[11670]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.5.0.1,comp-lzo no,route 10.5.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.5.14.90 10.5.14.89'
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: LZO parms modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: –ifconfig/up options modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: route options modified
Dec 14 10:14:04 openvpn[11670]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Dec 14 10:14:04 openvpn[11670]: Preserving previous TUN/TAP instance: ovpnc1
Dec 14 10:14:04 openvpn[11670]: Initialization Sequence Completed
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:16:19 openvpn[11670]: MANAGEMENT: Client disconnected
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:26:19 openvpn[11670]: MANAGEMENT: Client disconnected

Adanced Configurations in OpenVPN client are

remote-cert-tls server;verb 3;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key

Firewire NAT Outgoing rules have been set to Manual Outbound NAT rule generations, but no addtional rules have been set up.

LAN Firewire rules are set as:-

Action=Pass

Interface=LAN

TCP/IP Version=IP4v

Proticol=any

Source=LAN net

Destrination=any

Gateway = AirVPN gateway (Dynamic)

Note that I have edited the Default allow LAN to any rule settings to the above

Dashboard Settings show an AirVPN connection 10.5.14.90 in green

AirVPN Gateway settings show gateway 10.5.14.89 Monitor 10.4.0.1. in green

q54e3w

Im not sure its related but a couple of things worth checking.

Check WAN interface is set to Active but type = none and LAN is set yo your subnet of choice.
Do not set your WAN address to a private range, i.e 192.168.x.x.
Also I noticed your routing screenshot doesn't show a default route, this should be WAN_DHCP.
Ive attached a shot of my NAT rules too, hopefully these don't add to your confusion as I have a lot more interfaces as well as some VPN_LAN -> non VPN output rules but you'll get the idea if you take the time to read it.
AirVPN works fine with UDP and proxies like squid etc so suspect you have a weird config somewhere back up the chain, moving to TCP isn't going to help I suspect.

Take your time, go through the AirVPN guide step by step and verify at each stage you are seeing the expected behaviors, i.e can you Ping / DNS lookup at the interim stages.


clevoir

I got it working now, I was missing an Outgoing NAT rule for the VPN gateway

Thanks for you help

JohnGalt1717

Hi all, I've read this entire thread and I think I have a handle on it, but I always get this in the logs:

May 14 12:30:18 openvpn[96614]: Local Options hash (VER=V4): '6088b372'
May 14 12:30:18 openvpn[96614]: Expected Remote Options hash (VER=V4): '0b6efc44'
May 14 12:30:18 openvpn[96614]: UDPv4 link local (bound): [AF_INET]192.168.3.3:50211
May 14 12:30:18 openvpn[96614]: UDPv4 link remote: [AF_INET]173.195.6.142:4672

192.168.3.3 is the IP of my WAN because I have to be behind their stupid LTE router.

I have no problems with accessing the internet from clients and I've followed the instructions to the letter. I'm using 2.2 RELEASE of pfsense.

Any ideas why it's just hanging there? It never connects.

Thanks!

MozOz

Hi
I cannot find the StrongVPN greeting file

Moz

fahad Ahmed

Please can you help me how to make VPN between two sites?

guybrush2k4

Hi guys,
Lately I had some time to think. and finally I bought a pc-based firewall (Attom d525 and 6 gigabit inter ports)
so I'm back with the idea of a serious router firewall using pfsense.

but no sure if this would be posible.

1 I can't remove my provider router (because I was not able to replace it with pfsense due to the TV packages)
so I have my router forwarding everything to the pfsesnse box and that normally works.
2 the question is now i'm thinking on getting  an vpn to access streaming services from abroad. (using openvpn)
do you think it would be posible with to have the pfsense box with the vpn open 24x7 and to have all the pc on the same network but only for certain ips modify the output to internet to use the vpn the rest of the ips going throught the standard gateway? (no vpn)
so they have access to my servers in the local network but internet they have different accesses.

At the moment I'm just thinking but That can be a nice setup.

Regards.
Guybrush2k4

peterbuttler

OpenVPN is the most secure VPN protocol use for highly encrypted data transfer but it slightly impacts on the internet speed because of encryption but it always hide your data successfully.

Here is an official guide about how to setup OpenVPN https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-connect-client-configuration.html

mcarson75

I'm having some trouble with setting up StrongVPN on pfSense.  The tunnel is connects successfully and the gateway is up, but I can not get traffic to go through it.  My intent is to only have traffic from a single interface routed through it with policy based routing.  I have two other OpenVPN site-to-site tunnels up and working with policy based routing on the router, so I have been able to successfully do something similar before.  I just can't get this to work.  I think I probably have an error in my NAT settings.  On my other two clients I defined the tunnel subnet (10.0.3.1/24 and 10.0.12.1/24) in the OpenVPN settings, and these were automatically added in Outbound NAT.  The StrongVPN gateway is dynamic so nothing is added in NAT.  The tunnel comes up with an address of 10.8.2.118 with a gateway of 10.8.2.117, so I have tried adding 10.8.2.0/24 in Outbound NAT with translation to the WAN address (as the automatic rules were created for the other tunnels) and also tried adding NAT from my local subnet translated to my tunnel interface, but neither makes a difference.  I get internet access but through my default gateway (as verified with whatsmyip.org).  My setup is below.  Any help would be appreciated!  I have tried to follow this thread as best I can but some of the images are now gone and most of the setup is for older versions of pfSense.  I did try changing to AON on NAT but this didn't make any difference either.

pfSense 2.3.4-RELEASE

OpenVPN advanced settings

NAT Settings

Gateway Status

Firewall Rules

leonardpin

Thank you, @ericab.

I have been trying to solve my connection problems for days.

You helped me a lot.

P.S. none of your images appeared to me. I could not see any of them.

ctyokley

Just for an FYI, i have found the following Custom Options work the best with strong vpn:

verb 4;tun-mtu 1500;fragment 1390;mssfix 1390;keysize 128;key-direction 1;persist-tun;persist-key;route-delay 2;explicit-exit-notify 2;comp-lzo yes;

leonardpin

@ctyokley:

Just for an FYI, i have found the following Custom Options work the best with strong vpn:

verb 4;tun-mtu 1500;fragment 1390;mssfix 1390;keysize 128;key-direction 1;persist-tun;persist-key;route-delay 2;explicit-exit-notify 2;comp-lzo yes;

@ctyokley,

Those are OpenVPN parameters. Could you explain each one individually?

Why do these work best with StrongVPN?

aagaag

I am still fighting with StrongVPN. I have managed to get the tunnel up, inasmuch as I received the message: "Initialization Sequence Completed". I have read that this means that the handshake between VPN server and client is  OK. Immediately thereafter, however, the VPN bombs.

Here is a log transcript. Might a good soul tell me what I am doing that is wrong? Thanks in advance! (Note that the newest entry is on the top.)

Apr 14 20:07:01 openvpn 56391 SIGTERM[soft,exit-with-notification] received, process exiting
Apr 14 20:07:01 openvpn 56391 /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1546 10.8.0.86 10.8.0.85 init
Apr 14 20:07:01 openvpn 56391 Closing TUN/TAP interface
Apr 14 20:07:01 openvpn 56391 /sbin/route delete -net 10.8.0.81 10.8.0.85 255.255.255.255
Apr 14 20:07:01 openvpn 56391 TCP/UDP: Closing socket
Apr 14 20:06:59 openvpn 56391 SIGTERM received, sending exit notification to peer
Apr 14 20:06:59 openvpn 56391 event_wait : Interrupted system call (code=4)
Apr 14 20:06:56 openvpn 56391 Authenticate/Decrypt packet error: cipher final failed
Apr 14 20:06:47 openvpn 56391 Authenticate/Decrypt packet error: cipher final failed
Apr 14 20:06:37 openvpn 56391 Authenticate/Decrypt packet error: cipher final failed
Apr 14 20:06:36 openvpn 56391 Initialization Sequence Completed