How to create an OpenVPN client to StrongVPN
-
Brian;
during the negotiation process you and the server decide what methods are acceptable.
since the whole point of using StrongVPN (openvpn) is to encrypt your traffic over an insecure public internet, you're going to be stuck with an encrypted payload. what would be the reason you'd want to use "very little encryption" ?
there are of course proven weak algorithms, but it's still encrypted and protected from a casual viewing from a packet dump if this is what you'd want to accomplish (monitoring employees/family members).
are you worried about CPU usage of the encryption process or…? maybe you're on a high bandwidth link and your PC can't cope with the load ?
in either of those cases your solution is a hardware upgrade.
-
Totally understand w/ the encryption point. StrongVPN's service does include a port 443/8080 non compressed, non encrypted option which should be the fastest. Of course, they are using a TCP option, which might not be as fast. The only point for me is to skirt around the geoip issues that come w/ using services like Xbox Live, Hulu & Netflix, which is the main point of my entertainment center.
The rest of the house is on a highly encrypted line that I use for work. These superfluous (xbox, etc) items simply need to be the fastest they possibly can. Unfortunately I'm on a really crappy Chinese connection that maxes out at 600 kb/sec and generally runs in the 400-500kb / sec range, which, despite how it may sound, is extremely fast for where I live (Think middle of nowheresville China).
I'm running my pfsense on a 2.4ghz intel box.
-
This guide is great. Easy to follow. everything you want in a guide.
However I can't get the connection to establish properly. I have this config in place on a 2.0 RC2 box.
I have worked with IPSec in the past but am relatively new to OpenVPN.
My reason to implement this is to circumvent geo tagging / the anonymity they provide. I have tested Private Internet Access (User/Pass Auth) access via my PCs & it works great at that level. I haven't tried to implement it on the 2.0 RC2 box.
I decided to go with Strong VPN on the 2.0 RC2 box due to the great detail in the guide & the great feedback it has received.
BTW - This is a fresh install with no additional packages, firewall rules or other vpns running.
Here is my log…
Jun 14 08:13:55 openvpn[42636]: Restart pause, 2 second(s)
Jun 14 08:13:57 openvpn[42636]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 14 08:13:57 openvpn[42636]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 14 08:13:57 openvpn[42636]: Re-using SSL/TLS context
Jun 14 08:13:57 openvpn[42636]: Control Channel MTU parms [ L:1545 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jun 14 08:13:57 openvpn[42636]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jun 14 08:13:57 openvpn[42636]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:4 ET:0 EL:0 ]
Jun 14 08:13:57 openvpn[42636]: Fragmentation MTU parms [ L:1545 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Jun 14 08:13:57 openvpn[42636]: Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jun 14 08:13:57 openvpn[42636]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jun 14 08:13:57 openvpn[42636]: Local Options hash (VER=V4): '885414e3'
Jun 14 08:13:57 openvpn[42636]: Expected Remote Options hash (VER=V4): '8bcc3b84'
Jun 14 08:13:57 openvpn[42636]: UDPv4 link local (bound): [AF_INET]myip:50211
Jun 14 08:13:57 openvpn[42636]: UDPv4 link remote: [AF_INET]strongvpnip:4672
Jun 14 08:14:57 openvpn[42636]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 14 08:14:57 openvpn[42636]: TCP/UDP: Closing socke
Thanks in advance for your Replies…
2CaP
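
An added example, not part of the original post and not pfSense or OpenVPN code: a short Python triage pass over a few lines copied from the log above, flagging the security-relevant warnings and the `[UNDEF]` peer name at the ping-restart, which shows the TLS handshake never completed. The function name and finding labels are invented for this example.

```python
import re

# Sample input: lines copied from the log in the post above.
SAMPLE_LOG = """\
Jun 14 08:13:57 openvpn[42636]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 14 08:13:57 openvpn[42636]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 14 08:13:57 openvpn[42636]: Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jun 14 08:13:57 openvpn[42636]: UDPv4 link remote: [AF_INET]strongvpnip:4672
Jun 14 08:14:57 openvpn[42636]: [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) openvpn\[(\d+)\]: (.*)$")
# 64-bit block ciphers, exposed to birthday-bound (SWEET32) attacks on long sessions.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def triage(log_text):
    """Return a sorted list of finding labels (the labels are this example's own)."""
    findings = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        msg = m.group(3)
        if "No server certificate verification method" in msg:
            # Any certificate signed by the CA is accepted as the server;
            # 'remote-cert-tls server' in the client config closes this.
            findings.add("no-server-cert-verification")
        if "script-security" in msg and "user-defined scripts" in msg:
            findings.add("script-security-permissive")
        opts = re.search(r"^Local Options String: '([^']*)'", msg)
        if opts:
            for item in opts.group(1).split(","):
                key, _, val = item.partition(" ")
                if key == "cipher" and val in SMALL_BLOCK:
                    findings.add("64-bit-block-cipher:" + val)
        # Peer name still [UNDEF] at the timeout: no TLS handshake completed, so the
        # fault is before authentication (reachability, port/protocol, tls-auth key).
        if msg.startswith("[UNDEF]") and "ping-restart" in msg:
            findings.add("handshake-never-completed")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```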
-
hi 2CaP;
2 things:
what is the build date of your 2.0 RC2
also, will you paste your "Advanced Configuration" options here ? (the very bottom of the OpenVPN Client page).
-
;D
Update on my previous post–--
I couldn't get that build of pfsense to work as expected. Checked everything I could think of: DNS, NAT etc. Nothing would work.
I rebuilt the box on to the latest stable release & got everything to work great for about 24 hours (until approx 4:30 EST) when the speeds dropped from 5-6 Mbps to 100 - 200 kbits on the server that I was on. I tested my connection via my default gateway & all was fine, 5-6Mbps.
On the suggestion of the StrongVPN folks I swapped servers - no change. They then suggested it was the firewall of my ISP throttling the speeds. I use a VPN connection every day & haven't experienced any kind of speed throttling to that extent.
I decided that I would try to rebuild the pfsense box to the most current snapshot using the guide provided to the letter. I changed the server as well in an effort to start completely from scratch. I have successfully, as of a few minutes ago, confirmed that everything is working.
The weirdness has started again however. The speed has dropped to about 400 kbits as of approx 4:30pm while streaming from hulu & to add to it, when I try to login to netfl*x it says that it isn't available in my country. I am logging in via the US.
I have saved my configs & will continue to work on it but, any suggestions are welcome.
Thanks Again for the guide...
-
I have tried disabling the OpenVPN connection via & going with a Local connection OpenVPN on my PC with the same speed results.
Should I try other UDP port i.e: 1194 etc? or switch to a TCP config as StrongVPN suggests.
-
Just another update…. I have done some research and found that the ISP is throttling speeds for vpn connections that are outside the ports 1701-1723.
I changed my port to within that range & the speed came right back.
Now I have to figure out this issue with Netflix...
-
;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D
Issue Solved!
I swapped from a US Based Server to another US Based server & that has fixed the Netflix Issue.
thanks again for the guide!
-
I have had netflix operating through StrongVPN for a few months. Netflix works great on my laptops, however through my WDTV Live Plus I often get the messages that "movie not available at this time please try a different one or try again later"
Sometimes it will start playing if I try 3 times, sometimes it never does. Some movies play on the first try.
It is quite frustrating and was just wondering if there is a setting in pfsense that would help with this sensitivity on this particular embedded device. I think I recall reading somewhere about a setting for HTTP resume, but have no idea.
Any similar experience would be appreciated
Edit: I never did get a solution to this until I switched providers from Rogers to Teksavvy (a third party ISP that leases Rogers lines) and now Netflix works perfectly. Go figure, I wonder what they are doing to make it difficult for the embedded device. In any event, it works perfectly now and I haven't changed anything else.
-
I have an issue with this how to. I'm not sure if it's a bug in pfsense…
I get this error when I try to enable the strongvpn interface :
The following input errors were detected:
The DHCP Server is active on this interface and it can be used only with a static IP configuration. Please disable the DHCP Server service on this interface first, then change the interface configuration.
I have nothing configured in the dhcp server for this interface....
Any idea ?
-
I have an issue with this how to. I'm not sure if it's a bug in pfsense…
I get this error when I try to enable the strongvpn interface :
The following input errors were detected:
The DHCP Server is active on this interface and it can be used only with a static IP configuration. Please disable the DHCP Server service on this interface first, then change the interface configuration.
I have nothing configured in the dhcp server for this interface....
You did at one point and probably deleted the interface without disabling; that is my suspicion. Backup your config, manually edit it out, and restore.
-
@cmb:
You did at one point and probably deleted the interface without disabling; that is my suspicion. Backup your config, manually edit it out, and restore.
Glad I didn't factory default! That was the case. I deleted the entry for this interface, now everything is working.
Should I file a bug ?
-
Does this configuration guard against DNS leaking?
-
Hope someone can help me with my issue.
I'm trying to make one of my clients (Logitech Revue) to use a StrongVPN connection, but seem to fail. I have used the guide to configure the VPN connection successfully, but I'm guessing I fail somewhere in setting up the routing.
I have created a firewall rule for the client, that under advanced settings uses the VPN gateway defined as per the guide. Still, if I check with a site like whatsmyip.org, I still have my regular IP showing.
I have setup AON according to a post in this thread, but it doesn't seem to help.
Do I have to use virtual IP's or is there something else I can check on? Any help is appreciated.
-
Bergling;
snap a photo of the settings you've set for that client.
-
Hi,
These are the settings for firewall on LAN:
I'm trying it out on my phone first, hence the setting for Nexus being the one with the VPN GW.
Here are my gateways settings:
and Outbound NAT routing:
When setting the outbound NAT rules, there is another selectable interface, OpenVPN, should this be set instead of the VPN interface? Or both maybe?
Any more settings I should check?
-
everything there looks fine to me from what I see there…. instead of using an alias, try the device's IP.
the other openvpn interface is for the vpn server.
-
I tried using the IP, but no luck.
Any other suggestions? Could it be DNS settings that need to be configured?
Do I need to set up any rules for the VPN interface in the firewall? To allow incoming traffic on the VPN interface?
Any help is appreciated.
edit: If I try with one of my PC:s or my entire network, are there any diagnostics tools I can try to get more info?
-
edit: If I try with one of my PC:s or my entire network, are there any diagnostics tools I can try to get more info?
not really because we already know where the problem is.
the OpenVPN 'interface' you see on the firewall rules screen is for the server portion of openvpn. that won't have any effect on this issue.
I'm not completely sure what the issue is, maybe someone else will jump in here. btw, what build are you running ? what's it dated ?
-
The build is 2.0-RC3 (i386)
built on Tue Jun 21 16:50:25 EDT 2011
I don't know if it will help, but here is the route table:
The 148.160.. range is my WAN ip/gateway
Can I do something from my pfsense box if I SSH into it? Like pinging or perform dns lookups to try to resolve it?
edit: Just tried to do a traceroute in the pfsense shell by using SSH. But I'm unable to find any route!
On a client PC connected to the pfsense box, traceroute works perfectly. Seems strange…