Netgate Discussion Forum

How to create an OpenVPN client to StrongVPN

  • C
    cmb
    last edited by Oct 3, 2011, 4:48 AM

    Nothing has changed in OpenVPN for quite some time, well before release. Upgrading is no different from clean install except possibly in cases of running early alpha versions years ago where they may have done something bad to your config.

    Some of the symptoms described sound like letting the client get a default route from StrongVPN, which you do not want. Others who are configuring the interface as DHCP, don't do that, that's going to break things nicely, you don't get DHCP over a VPN. It has to be set to "none" which lets OpenVPN handle the addressing.

    1 Reply Last reply Reply Quote 0
    • C
      cmb
      last edited by Oct 3, 2011, 4:50 AM

      I see where people were getting DHCP, as it was stated in the original post. I updated it to fix that. The rest of it looks ok at a glance, but I don't have a StrongVPN connection.

      1 Reply Last reply Reply Quote 0
      • A
        AuZZZie
        last edited by Oct 3, 2011, 3:20 PM

        You mention to set your NAT outbound rules to manual, but you don't actually create any rules. Is that correct?

        1 Reply Last reply Reply Quote 0
        • A
          AuZZZie
          last edited by Oct 3, 2011, 3:36 PM Oct 3, 2011, 3:33 PM

          Also, with your config exactly, I see my VPN gateway come online (Status -> Gateways) then always go offline after a few seconds. With the VPN interface assigned to DHCP the Gateway stays online and I can even ping out that interface from pfSense, but nothing behind pfSense will go out.

          EDIT: Scratch that. It makes no difference. When you change from DHCP/None on the interface it refreshes something in the background. That is all that is changing. If I reboot the machine with the interface on DHCP the Gateway does the same thing.. Online for a few seconds then offline.

          1 Reply Last reply Reply Quote 0
          • A
            acids7n
            last edited by Oct 4, 2011, 4:24 AM Oct 3, 2011, 10:05 PM

            @AuZZZie:

            Add another one to the list. I've gone over my config 100 times and it is correct. There is something up here.. I have the exact same symptoms as described.

            Also using the 2.0 Official release.

            I too have followed the guide to a T. And my problem is exactly the same. It connects in the logs. I get a strong vpn private ip. I can ping it from my pc. But I cannot surf or ping out beyond. I turn it off and everything works. I am only routing one ip logitech revue box rather than whole subnet. And I've made all the nat changes and aon etc.
            PS first post. First time user of pfsense or any other linux router distribution. Loving this (pfsense)

            EDIT***
            well i added the option comp-lzo to the end of the long string of options in (vpn/openvpn/client/advanced configuration)
            verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo

            and now it all works great, hope that helps

            1 Reply Last reply Reply Quote 0
            • A
              AuZZZie
              last edited by Oct 4, 2011, 2:57 PM

              @acids7n:

              @AuZZZie:

              Add another one to the list. I've gone over my config 100 times and it is correct. There is something up here.. I have the exact same symptoms as described.

              Also using the 2.0 Official release.

              I too have followed the guide to a T. And my problem is exactly the same. It connects in the logs. I get a strong vpn private ip. I can ping it from my pc. But I cannot surf or ping out beyond. I turn it off and everything works. I am only routing one ip logitech revue box rather than whole subnet. And I've made all the nat changes and aon etc.
              PS first post. First time user of pfsense or any other linux router distribution. Loving this (pfsense)

              EDIT***
              well i added the option comp-lzo to the end of the long string of options in (vpn/openvpn/client/advanced configuration)
              verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo

              and now it all works great, hope that helps

              Thanks for posting mate. I'll give it a shot.. Can you clarify your other settings.

              Are you using Manual NAT?
              Is your VPN interface on DHCP or None?

              1 Reply Last reply Reply Quote 0
              • A
                AuZZZie
                last edited by Oct 4, 2011, 3:28 PM

                Ok I'm to the point where I can reliably connect the OpenVPN client, pfSense Gateway shows online and pfSense itself can ping out the VPN interface. I still lose internet connectivity from any node behind pfSense though. I've attached all the relevant screenshots. Hopefully someone spots something I'm missing cause this is driving me wild.

                Here you can see the config….






                Here you can see the OpenVPN client connected and the pfSense box able to send out the VPN interface



                1 Reply Last reply Reply Quote 0
                • A
                  acids7n
                  last edited by Oct 4, 2011, 6:02 PM Oct 4, 2011, 5:57 PM

                  @AuZZZie:

                  @acids7n:

                  @AuZZZie:

                  Add another one to the list. I've gone over my config 100 times and it is correct. There is something up here.. I have the exact same symptoms as described.

                  Also using the 2.0 Official release.

                  I too have followed the guide to a T. And my problem is exactly the same. It connects in the logs. I get a strong vpn private ip. I can ping it from my pc. But I cannot surf or ping out beyond. I turn it off and everything works. I am only routing one ip logitech revue box rather than whole subnet. And I've made all the nat changes and aon etc.
                  PS first post. First time user of pfsense or any other linux router distribution. Loving this (pfsense)

                  EDIT***
                  well i added the option comp-lzo to the end of the long string of options in (vpn/openvpn/client/advanced configuration)
                  verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;comp-lzo

                  and now it all works great, hope that helps

                  Thanks for posting mate. I'll give it a shot.. Can you clarify your other settings.

                  Are you using Manual NAT?
                  Is your VPN interface on DHCP or None?

                  Manual (aon)
                  And VPN is on none now (i tried dhcp before also and even though it showed as up it actually wasn't) but it works on none for me.

                  I'm too much of a newbie to really give you advice but your screen shots look like mine, i got the comp-lzo thing from looking at the system logs it showed up as warning, so i did a search on it and found another user on this forum with a different issue who put that option in and it worked for them. so maybe the logs hold the answer….

                  1 Reply Last reply Reply Quote 0
                  • A
                    AuZZZie
                    last edited by Oct 7, 2011, 6:54 PM

                    Still no success. I'm starting to wonder if something is different in the NanoBSD version that I'm using. It makes no sense that others have it working with the exact same config.

                    1 Reply Last reply Reply Quote 0
                    • A
                      AuZZZie
                      last edited by Oct 7, 2011, 8:00 PM

                      So I restored to factory defaults.. Did everything the exact same and what do you know, it's working..  ???

                      Except now, despite the VPN route not being set as default and the ACL rules being in the correct order it routes EVERYTHING over the tunnel while it is connected. It completely ignores any of the PBR rules.

                      Losing faith in pfSense.

                      1 Reply Last reply Reply Quote 0
                      • A
                        AuZZZie
                        last edited by Oct 7, 2011, 10:13 PM

                        VICTORY!!!

                        I don't know what is happening on the backend but this is what I determined. I had everything correct from the get go. The problem is I also have some IPSEC tunnels.

                        I blew away my config back to factory defaults and tried it again. Still couldn't get it to work. So I reset to factory defaults again, this time I created the OpenVPN client tunnel BEFORE my IPSEC tunnels. All of a sudden everything works nicely.

                        For whatever reason if I have my IPSEC tunnels created first I have issues. Makes no sense to me but I'm glad I've finally got it working.

                        1 Reply Last reply Reply Quote 0
                        • A
                          acids7n
                          last edited by Oct 10, 2011, 11:12 PM

                          i too turned rules/settings/interfaces on and off multiple times, and the lzo compression was the last setting for me, glad us newbies got it to work, now if i can get the right firewall rule to route all netflix/hulu traffic through the vpn…

                          1 Reply Last reply Reply Quote 0
                          • A
                            AuZZZie
                            last edited by Oct 12, 2011, 3:14 PM

                            @acids7n:

                            i too turned rules/settings/interfaces on and off multiple times, and the lzo compression was the last setting for me, glad us newbies got it to work, now if i can get the right firewall rule to route all netflix/hulu traffic through the vpn…

                            I haven't had a lot of luck routing JUST Netflix/Vudu etc traffic. I route based on source IP as I haven't managed to find definitive subnets for the Netflix content delivery system.

                            It works for my main devices, would be nice to route based on destination though.

                            1 Reply Last reply Reply Quote 0
                            • M
                              madbouy
                              last edited by Oct 23, 2011, 8:31 PM

                              Thanks for the excellent article. I am now able to route AStrill Openvpn through my pfsense using your guide as a base. Excellent work. Thanks again.

                              1 Reply Last reply Reply Quote 0
                              • W
                                wanie
                                last edited by Nov 1, 2011, 10:30 PM Nov 1, 2011, 10:11 PM

                                Hi,

                                thanks for the howto.
                                I have configured all your steps correctly, but I'm using pp instead of strongvpn.
                                The VPN tunnel is working, but the firewall is blocking my traffic.
                                AON is active.
                                I called the interface "PP_CZ" and can see in the firewall log that all traffic to the web is blocked.
                                I was already trying to play around with the firewall rule, but no luck. :-(

                                Does anyone have some advice?
                                If any screenshots are helpful, please let me know what you need to see.

                                regards,
                                wanie

                                1 Reply Last reply Reply Quote 0
                                • S
                                  singerie
                                  last edited by Jan 7, 2012, 4:11 PM

                                  Is the how-to still accurate? I had some issues too. The VPN is coming up, but I can't pass any traffic.

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    ericab
                                    last edited by Jan 7, 2012, 5:39 PM

                                    singerie,

                                    I haven't tunneled traffic through a VPN for a time now, so I'm not sure how accurate it is anymore, but I don't see any reason why it wouldn't be;

                                    are you sure you've added the proper firewall rules for routing traffic through the gateway ?

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      Arisian
                                      last edited by Jan 15, 2012, 1:03 AM

                                      @ericab

                                      It's me again :)

                                      I hate to harp on this, but I'm still trying to get it to work with TCP rather than UDP since it's just a bit faster with strongVPN.

                                      Again, this is literally only for my AppleTV and xbox.  I live in far western China and would really like to watch netflix, hulu, etc on my tv.

                                      I have success setting up UDP connections and in the past have not been able to get the TCP protocol to work - however, yesterday after coming back home I decided to give it a try.  Lo and behold I got a TCP connection to work - at twice the speed I was getting before through my strongvpn connection!

                                      However, this morning I noticed that it was all down - I tried changing servers and messing with some of the config, but I'm at a loss now.  Really not wanting to go back to UDP after tasting the fruits of the TCP connection.  It seems to connect and then immediately lose, or reset, the connection!  Arrggh!

                                      Any suggestions?

                                      Jan 15 09:02:55 openvpn[6790]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                                      Jan 15 09:02:55 openvpn[6790]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                                      Jan 15 09:02:55 openvpn[6790]: Re-using SSL/TLS context
                                      Jan 15 09:02:55 openvpn[6790]: LZO compression initialized
                                      Jan 15 09:02:55 openvpn[6790]: Control Channel MTU parms [ L:1528 D:168 EF:68 EB:0 ET:0 EL:0 ]
                                      Jan 15 09:02:55 openvpn[6790]: Socket Buffers: R=[65228->65536] S=[65228->65536]
                                      Jan 15 09:02:55 openvpn[6790]: Data Channel MTU parms [ L:1528 D:1450 EF:28 EB:135 ET:0 EL:0 AF:14/28 ]
                                      Jan 15 09:02:55 openvpn[6790]: Local Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-client'
                                      Jan 15 09:02:55 openvpn[6790]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-server'
                                      Jan 15 09:02:55 openvpn[6790]: Local Options hash (VER=V4): 'ab7819be'
                                      Jan 15 09:02:55 openvpn[6790]: Expected Remote Options hash (VER=V4): '9e38dab6'
                                      Jan 15 09:02:55 openvpn[6790]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:443 [nonblock]
                                      Jan 15 09:02:56 openvpn[6790]: TCP connection established with [AF_INET]xxx.xxx.xxx.xx:443
                                      Jan 15 09:02:56 openvpn[6790]: TCPv4_CLIENT link local (bound): [AF_INET]xxx.xxx.xxx.x:50211
                                      Jan 15 09:02:56 openvpn[6790]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:443
                                      Jan 15 09:02:56 openvpn[6790]: Connection reset, restarting [0]
                                      Jan 15 09:02:56 openvpn[6790]: TCP/UDP: Closing socket
                                      Jan 15 09:02:56 openvpn[6790]: SIGUSR1[soft,connection-reset] received, process restarting
                                      Jan 15 09:02:56 openvpn[6790]: Restart pause, 5 second(s)

                                      1 Reply Last reply Reply Quote 0
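
The log in the post above carries three lines worth flagging from a defender's side: the server-certificate warning, the `cipher [null-cipher]` entry in the local options string, and the reset that follows the TCP connect within the same second. The sketch below is an added example, not part of Arisian's post or of pfSense/OpenVPN; the function names and finding ids are assumptions made for illustration, and the sample is five of the posted lines.

```python
import re

# Constructed sample: five of the log lines from the post above, copied as posted
# (the addresses were already redacted there).
SAMPLE_LOG = """\
Jan 15 09:02:55 openvpn[6790]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 15 09:02:55 openvpn[6790]: Local Options String: 'V4,dev-type tun,link-mtu 1528,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher [null-cipher],auth SHA1,keysize 0,tls-auth,key-method 2,tls-client'
Jan 15 09:02:56 openvpn[6790]: TCP connection established with [AF_INET]xxx.xxx.xxx.xx:443
Jan 15 09:02:56 openvpn[6790]: Connection reset, restarting [0]
Jan 15 09:02:56 openvpn[6790]: SIGUSR1[soft,connection-reset] received, process restarting
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) openvpn\[(\d+)\]: (.*)$")
OPTS_RE = re.compile(r"^Local Options String: '([^']*)'")


def parse_options(option_string):
    """'V4,dev-type tun,cipher X' -> {'V4': '', 'dev-type': 'tun', 'cipher': 'X'}"""
    opts = {}
    for item in option_string.split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value
    return opts


def audit(log_text, reset_window=1):
    """Return (finding_id, pid, detail) tuples for security-relevant log lines."""
    findings = []
    connected = {}  # pid -> second-of-day of the last TCP connect
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, pid, msg = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)  # ignores midnight rollover
        opts = OPTS_RE.match(msg)
        if "No server certificate verification method" in msg:
            findings.append(("no-server-cert-verification", pid,
                             "peer certificate type is not checked; "
                             "remote-cert-tls server closes the gap"))
        elif opts and parse_options(opts.group(1)).get("cipher") == "[null-cipher]":
            findings.append(("null-cipher", pid,
                             "data channel payload is not encrypted"))
        elif msg.startswith("TCP connection established"):
            connected[pid] = now
        elif msg.startswith("Connection reset") and pid in connected:
            # A reset right after the connect points at the path or the remote end,
            # not at a tunnel that ran for a while and then dropped.
            if now - connected.pop(pid) <= reset_window:
                findings.append(("reset-after-connect", pid,
                                 "TCP session reset within %ds of connecting" % reset_window))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
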
                                      • C
                                        cmb
                                        last edited by Jan 15, 2012, 1:17 AM

                                        @Arisian:

                                        I have success setting up UDP connections and in the past have not been able to get the TCP protocol to work - however, yesterday after coming back home I decided to give it a try.  Lo and behold I got a TCP connection to work - at twice the speed I was getting before through my strongvpn connection!

                                        That's atypical, I suspect the "Great Firewall of China" or your ISP was throttling your UDP. UDP is a faster and better tunneling protocol.

                                        @Arisian:

                                        However, this morning I noticed that it was all down - I tried changing servers and messing with some of the config, but I'm at a loss now.  Really not wanting to go back to UDP after tasting the fruits of the TCP connection.  It seems to connect and then immediately lose, or reset, the connection!  Arrggh!

                                        Any suggestions?

                                        Does StrongVPN offer any other TCP ports? I suspect you're almost certainly again getting hit by China's screwing with Internet traffic. That or it's a StrongVPN issue, but I suspect that's less likely.

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          ericab
                                          last edited by Jan 15, 2012, 2:28 AM

                                          @Arisian

                                          I'm going to agree with cmb on this one.
                                          If this was an issue on strongVPN's side, I can guarantee you we would see more posts like yours in this thread.
                                          It's safe to say that strongVPN has been blacklisted.

                                          Although somewhat unrelated, it reminds me of an article I recently read.
                                          It's worth a read.

                                          https://threatpost.com/en_us/blogs/how-great-firewall-china-blocks-tor-010912

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.