Netgate Discussion Forum

How to create an OpenVPN client to StrongVPN

    mohanrao83
    last edited by Feb 27, 2012, 6:58 AM

    I'm using the same but my OpenVPN and site-to-site VPN are still not working. Any step-by-step idea?

    @ericab:

    StrongVPN HowTo.
    – For pfSense version 2.0 (beta & RC)

    Once you have completed this tutorial, you will have a pfSense box that automatically connects to StrongVPN, and routes all traffic from your LAN,
    through the vpn gateway.


    --- Section 1 ---

    Step 1:

    download the StrongVPN greeting file.

    once extracted you are presented with these files:

    Step 2:

    from the pfSense interface, navigate to the dropdown menus: System --> Cert Manager

    Step 3:

    click the plus button as seen here:
    to create a new certificate authority

    Step 4:

    enter a descriptive name for the new CA,
    and ensure that "Import an existing certificate authority" is selected

    Step 5:

    go to the directory containing the files as seen in the first screenshot in this tutorial
    open the file called "ca.crt" in notepad, and copy and paste the EXACT contents of it into the first box.
    click SAVE. (the second box will remain empty, don't worry)

    Step 6:

    click on the "Certificates" tab:

    click on the plus button:

    Step 7:

    ensure that "Import an existing certificate" is selected, and enter a descriptive name
    go to the directory containing the files as seen in the first screenshot in this tutorial and open the file called "ovpn059.crt"
    NOTE: depending on the server you have selected upon purchase, your client cert may have a number other than '059', so do not fret.
    open in notepad, and copy and paste the contents of it into the first box.
    open "ovpn059.key" (again, note that the number '059' will probably be different) and copy/paste the contents into the second box ('Private key data')

    Step 8:

    navigate to the system dropdown menus: VPN --> OpenVPN

    click the Client tab:

    Step 9:

    for this step; please just duplicate what you see in this screenshot, on your box.

    -Note: In the "Cryptographic Settings" section, copy and paste the contents of the "ta.key" file into "TLS Authentication"
    see here:

    -Note 2: for ease, here are the "advanced configuration" options you can copy and paste (remember to keep the trailing ; in place):

    verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;

    now, Click Save

    Step 10:

    navigate to the system dropdown menus Status --> System Logs, and click on the OpenVPN tab.
    if the last thing you see in this log is "Initialization Sequence Completed" you are connected to StrongVPN; but, you are not done yet, as none of your traffic is traversing this line.

    move on to section 2

    --- Section 2 ---

    Step 1:

    navigate to the system dropdown menus Interfaces --> (assign)

    click the plus button:

    -Note: in the previous screenshot you will notice a StrongVPN interface. you will NOT have that on your box yet, so don't worry.

    Step 2:

    after clicking on the plus button pfSense will tell you it has successfully added a new interface. the network port name will most likely be named "ovpnc1". ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc… depends if you have other ovpn interfaces or not)

    Step 3:

    navigate to the system dropdown menus Interfaces --> OPT1 (or whatever your new interface from the previous step is)
    Enable the interface.
    Enter a Description --> "StrongVPN"
    "Type" ---> none
    leave everything else alone
    click Save.

    Step 4:

    navigate to the system dropdown menus System --> Routing

    click the plus button:

    ensure the Interface selected is the new one we have just assigned to the vpn client; should be "OPT1"
    Enter the gateway name.
    for "Gateway", enter "dynamic"
    do NOT click "Default gateway"
    for monitor IP, enter 208.67.222.222 (or whatever will respond to ICMP) (208.67.222.222 is OpenDNS fyi)
    leave "Advanced" alone
    enter a description for "Description"
    click save

    Step 5:

    navigate to the system dropdown menus Firewall --> Rules
    click on the LAN tab.

    Step 6:

    create a new rule that looks like this:

    Action: PASS
    –
    Interface: LAN
    Protocol: ANY
    Source: LAN Subnet
    Destination: ANY
    –
    Description: LAN to Internet force through VPN

    IMPORTANT: scroll down to "Gateway" under the "Advanced features" of the rule.
    Set gateway to your VPN interface.

    it should look something like this:

    click save.

    the rule should look like this:

    at this point, i would give the box a reboot (possibly an unnecessary step)
    if this isn't an option, disable the VPN client, wait a minute and then go ahead and re-enable it.

    CHECK OpenVPN syslog for errors !

    navigate to "http://www.whatismyip.com/" and your public facing IP will be one of strongvpn's IPs.

    you're done !

    edit - November 23 2010
    – removed persist-tun, from additional configuration options

    edit - March 9 2011
    -- from now on, in order for traffic to be routed through the vpn gateway; from the pfSense interface, navigate to the dropdown menus: FIREWALL --> NAT --> OUTBOUND, enable "Manual Outbound NAT rule generation" and select save.

      jetbee0
      last edited by Feb 29, 2012, 5:25 AM

      I had the same problem, but I've resolved it with the following methods.

      I changed some client settings:
      In VPN --> OpenVPN Client settings.

      • Check compression.
      • Change Advanced value to "verb 4; tun-mtu 1500; fragment 1390; keysize 128; redirect-gateway def1; persist-key;"
        note) this value may depend on each server.
        I checked the connection by pinging the obtained remote server gateway IP address.

      I created some NAT rules:
      In Firewall ---> NAT:

      • Check Mode "Manual Outbound NAT rule generation".
      • Add 2 Mappings: LAN to WAN and LAN to VPN-OUT.
        sysfu
        last edited by Mar 3, 2012, 3:46 AM Mar 1, 2012, 9:41 AM

        Got this working with AirVPN. All the steps are pretty much the same with the important exception: Make sure to UNcheck the "Enable authentication of TLS packets." box under "Cryptographic Settings". Otherwise you'll get the "WARNING: No server certificate verification method has been enabled" errors in the OpenVPN log and the tunnel will not come up.

        Here are options that I used under the VPN => OpenVPN => Client => Advanced configuration box

        keysize 256;ns-cert-type server;verb 3;explicit-exit-notify 5;redirect-gateway def1;
        
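An added example, not part of any post in this thread: a small audit of the semicolon-separated "Advanced configuration" strings quoted above, flagging the state that the "No server certificate verification method has been enabled" warning describes. The finding codes and the list of verification directives are assumptions of this example, and the audit sees only the advanced box, not settings chosen elsewhere in the pfSense GUI.

```python
# Added example: audit pfSense-style OpenVPN "Advanced configuration" strings.
# Finding codes are this example's own names, not OpenVPN or pfSense output.

# Option strings as quoted in the thread (tutorial and the AirVPN reply).
THREAD_OPTIONS = {
    "tutorial": "verb 5;tun-mtu 1500;fragment 1300;keysize 128;"
                "redirect-gateway def1;persist-key;",
    "airvpn": "keysize 256;ns-cert-type server;verb 3;"
              "explicit-exit-notify 5;redirect-gateway def1;",
}

# Directives that make the client check the peer certificate is a server's
# (assumed list for this example; not exhaustive).
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
                 "ns-cert-type", "verify-x509-name"}


def parse_advanced(text):
    """Split a ';'-separated option string into {directive: [arguments]}."""
    opts = {}
    for chunk in text.split(";"):
        parts = chunk.split()
        if parts:
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts


def int_arg(opts, name):
    """First argument of `name` as an int, or None if absent or not numeric."""
    try:
        return int(opts[name][0])
    except (KeyError, IndexError, ValueError):
        return None


def audit(text):
    """Return a sorted list of finding codes for one option string."""
    opts = parse_advanced(text)
    findings = set()

    # Without any of these, a certificate issued by the same CA to another
    # client would be accepted in place of the server's.
    if not SERVER_VERIFY & opts.keys():
        findings.add("NO_SERVER_CERT_VERIFICATION")
    # ns-cert-type is the legacy form of the check; remote-cert-tls replaced it.
    if "ns-cert-type" in opts and "remote-cert-tls" not in opts:
        findings.add("LEGACY_NS_CERT_TYPE")
    # keysize only matters for variable-key-length ciphers, and the string
    # does not say which cipher it applies to: confirm the GUI selection.
    if "keysize" in opts and "cipher" not in opts:
        findings.add("KEYSIZE_WITHOUT_CIPHER")
    # verb 5 and above add per-packet read/write markers to the output.
    verb = int_arg(opts, "verb")
    if verb is not None and verb >= 5:
        findings.add("DEBUG_VERBOSITY")
    return sorted(findings)


def audit_all(samples=THREAD_OPTIONS):
    """Audit every sample string and return {name: [finding codes]}."""
    return {name: audit(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, found in audit_all().items():
        print(name, found or "no findings")
```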
          pkwong
          last edited by May 11, 2012, 10:43 PM

          While I've written a howto on how to implement StrongVPN with Pfsense (that actually works), I thought it would be interesting reading to take a look at Amazon's free tier.  I like StrongVPN, but the reality is why pay for something you can get for free?

          Check it out:  http://swimminginthought.com/201204amazons-free-tier-personal-vpn-server/

          Getting a VPN for free for one year isn't a bad deal considering you control both ends of the pipe.  You're guaranteed to know whether or not you're having any ports blocked (you choose).  Just a thought.

          My posting for employing strongvpn via pfsense is still at: http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/

          It works flawlessly by the way.  Over 30+ happy customers that I've personally set up.

          When all else fails, don't blame the machine.  Blame your architecture.

            yu130960
            last edited by Jul 11, 2012, 3:16 PM

            I have to agree with the previous posts that something is weird.

            I was using PFsense and strongvpn for over a year and successfully upgraded to the latest 2.01.

            However when I changed servers I did a factory reset and have never been able to get the traffic to pass through again.  It actually locks up PFsense and it does not pass internet traffic on aspects of the Lan.

            I have spent two days trying to figure it out and even did a restore to the old settings and simply changed out the certificates and other server info to address the new open vpn server and it still does not work.

              pkwong
              last edited by Jul 23, 2012, 11:15 PM

              Since StrongVPN has changed their set up Again.. Here's the updated link on how to get it working: http://swimminginthought.com/update-strongvpn-pfsense-working-file-config/

              Works perfectly.. tested.. etc.

                singerie
                last edited by Jul 30, 2012, 6:45 AM

                @pkwong:

                Since StrongVPN has changed their set up Again.. Here's the updated link on how to get it working: http://swimminginthought.com/update-strongvpn-pfsense-working-file-config/

                Works perfectly.. tested.. etc.

                what did they change ?

                  pkwong
                  last edited by Aug 24, 2012, 7:54 PM

                  I honestly have no idea.  I found it interesting that they don't support AES encryption in my latest round of helping someone get their vpn up.  So it's basically easy to break via Deep Packet Inspection tech.  Essentially, no security of privacy in my eyes.

                    singerie
                    last edited by Aug 26, 2012, 8:39 AM Aug 26, 2012, 8:07 AM

                    I saw they support AES-256-CBC in their 'ultra-secure config' in their vpn summary panel.

                    Also, 1 question.

                    I managed to have strongvpn to work, but now pfsense is 'unable to check for update' on the dashboard (using beta 2.1).

                    this is my openvpn option : verb 5;tun-mtu 1500; route-delay 2;explicit-exit-notify 2;fragment 1390;key-direction 1;

                    and i've put 2 manual dns server in the general config, and disabled Allow DNS server list to be overridden by DHCP/PPP on WAN.

                    but i see ovpn has created a route 0.0.0.0 to strongvpn. Do you guys think it might be my issue ? And i have to manage to remove this route ?

                    edit : config issue, now working after a reboot :)

                      pkwong
                      last edited by Aug 26, 2012, 2:15 PM Aug 26, 2012, 1:14 PM

                      Just my personal opinion, but I don't see the purpose of charging extra for encryption that works, although, they are a business and AES is 14 levels deep when it comes to AES 128.  So it is more CPU intensive and any business deserves to make money.  I am, however, using an Amazon Free Tier OpenVPN server that does it just fine.  All incoming traffic is free so unless you're doing tons of outbound (even then it's only .12 per Gigabyte), it's still a bargain.

                      If you take a look at your upstream bandwidth and calculate it out to what you can maximally push over the month, you'll realize it's VERY cheap.

                      Cheers.

                      Percy
                      http://swimminginthought.com/free-server-it/

                        Valis
                        last edited by Sep 16, 2012, 3:06 PM

                        @pkwong:

                        I followed your tutorial to a tee and it didn't work.  StrongVPN's tech support wasn't much of a help.  After much experimentation, I got it working.  I made a step by step post on it: http://www.swimminginthought.com/2012/02/15/netflix-and-isp-throttling-bypassed-by-vpn-solved/

                        Something must have changed in 2.0.1

                        Thank you for your detailed tutorial :)

                        "God helps those who help themselves."

                          yu130960
                          last edited by Sep 18, 2012, 7:37 PM

                          To those that have read through the thread you can see that I have been working and at times struggling with this set up for some time.

                          I had to do a factory reset on pfsense after trying some betas and was having trouble.

                          It seems that I have pinpointed my problems with the default routing not always taking hold.  In the rules I have set the default Lan rule to explicitly state the WAN rather than default routing gateway and also turned on LZO compression with the following settings

                          verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo adaptive;

                            raclure
                            last edited by Dec 7, 2012, 3:00 PM Dec 7, 2012, 1:13 PM

                            Hi everyone,

                            I followed part of this tutorial to set up a working VPN connection to vpntunnel.com. It works like a charm, and I'm able to redirect certain LAN IPs through the VPN, while all others go to the normal route.

                            As all the traffic reaching the VPN ip is redirected to the box, i tried to build some firewall rules to block traffic coming from the VPN and going to certain port (like the ssh port and the http port). I added 2 rules in the appropriate firewall rules tab (the tab dedicated to the VPN connection) to drop any tcp packet hitting port 22 or port 80. But this had no effect, even after a reboot.

                            Am i doing this right ? Has someone already tried this ?

                            (I'm using version 2.1-BETA0 (i386)built on Tue Dec 4 21:53:03 EST 2012)

                              raclure
                              last edited by Dec 7, 2012, 3:22 PM Dec 7, 2012, 3:19 PM

                              Ok, the solution to my problem lies within the 'floating' rules. It's where the block rules are to be set. Now it works perfectly.

                                pelle_chanslos
                                last edited by Jan 13, 2013, 2:21 PM

                                @raclure:

                                Hi everyone,

                                I followed part of this tutorial to set up a working VPN connection to vpntunnel.com. It works like a charm, and I'm able to redirect certain LAN IPs through the VPN, while all others go to the normal route.

                                (I'm using version 2.1-BETA0 (i386)built on Tue Dec 4 21:53:03 EST 2012)

                                How do you manage to redirect certain LAN IPs through the VPN and others through the normal WAN?

                                  raclure
                                  last edited by Jan 16, 2013, 9:44 AM Jan 16, 2013, 9:42 AM

                                  For version 2.1:

                                  In Firewall->Rules->LAN you simply add a rule where source is your LAN IP, DESTINATION is * and in advance features, you set the Gateway to the VPN.
                                  Be careful to look what is the default gateway, as it might have become the VPN.
                                  Be also careful that the rules work as 'first match applies', so as long as a rule doesn't match, it'll look at the next one down.
                                  Also, if the VPN is down, packet might be routed through the default gateway (and you might not want that), be sure to set up rules correctly

                                  I hope it helps.

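An added example, not part of the post above: a simplified model of first-match LAN rules with a per-rule gateway, showing when a host that should only use the VPN ends up on the default gateway while the VPN is down. The addresses, rule fields and rule sets are constructed; the two down-gateway behaviours are assumed to mirror pfSense's "Skip rules when gateway is down" setting being off and on.

```python
# Added example: simplified model of first-match LAN rules with a per-rule
# gateway. Addresses, rule fields and names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    source: str                    # CIDR the rule matches on
    gateway: Optional[str] = None  # None: follow the routing table
    descr: str = ""


def evaluate(rules, src_ip, gateways_up, skip_when_gw_down=False, default_gw="WAN"):
    """Return (action, egress gateway or None) for a LAN packet from src_ip."""
    src = ip_address(src_ip)
    for rule in rules:
        if src not in ip_network(rule.source):
            continue                  # no match: look at the next rule down
        if rule.action == "block":
            return ("block", None)
        gateway = rule.gateway
        if gateway is not None and gateway not in gateways_up:
            if skip_when_gw_down:
                continue              # rule is left out while its gateway is down
            gateway = None            # rule stays, minus its gateway
        return ("pass", gateway or default_gw)
    return ("block", None)            # nothing matched: default deny


VPN_HOST = "192.168.1.50"    # constructed: the LAN host that must use the VPN
OTHER_HOST = "192.168.1.20"  # constructed: a host that uses the normal route

# One policy-routing rule above the default allow rule.
BASIC = [
    Rule("pass", "192.168.1.50/32", gateway="VPN", descr="host via VPN"),
    Rule("pass", "192.168.1.0/24", descr="default allow LAN to any"),
]

# Same rules plus a block directly under the VPN rule, so the host has no
# later pass rule to fall through to.
HARDENED = [
    BASIC[0],
    Rule("block", "192.168.1.50/32", descr="no VPN, no traffic"),
    BASIC[1],
]


def leak_report():
    """Egress decision for VPN_HOST with the VPN gateway down, per setup."""
    up = {"WAN"}  # the VPN gateway is down
    return {
        "basic": evaluate(BASIC, VPN_HOST, up),
        "basic+skip": evaluate(BASIC, VPN_HOST, up, skip_when_gw_down=True),
        "hardened": evaluate(HARDENED, VPN_HOST, up),
        "hardened+skip": evaluate(HARDENED, VPN_HOST, up, skip_when_gw_down=True),
    }


if __name__ == "__main__":
    for name, decision in leak_report().items():
        print(f"{name:14} {decision}")
```

In this model only the block rule combined with skipping rules whose gateway is down keeps the host off the WAN; either measure alone still passes its traffic out the default gateway.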
                                    arisap3
                                    last edited by Jun 28, 2013, 3:52 AM

                                    ;D ;D ;D ;D Working… thanks guys

                                      panz
                                      last edited by Aug 7, 2013, 10:04 AM

                                      After reading/experimenting with OpenVPN + AirVPN my doubt is: is my internal LAN exposed to Internet if i change the "Firewall Rules" according to the first (original) post?

                                      For VPN to work, I thought it was sufficient to set manual NAT rules. Touching firewall rules seems overkill to me.

                                      pfSense 2.3.2-RELEASE-p1 (amd64)
                                      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                        ericab
                                        last edited by Aug 9, 2013, 3:15 AM

                                        panz;
                                        the firewall rule is required as it routes OUTGOING traffic through your newly established gateway.
                                        it is an OUTGOING rule only.

                                        remember; every interface on pfSense's default rule is to block everything, unless otherwise specified, which in this case allows outgoing traffic, AND forces it through the VPN.

                                          panz
                                          last edited by Aug 9, 2013, 7:51 AM

                                          This seems quite strange to me, because my setup is perfectly working without setting that firewall rule; LAN clients browse the Internet just enabling manual NAT. Am I doing something wrong?  ???
