Netgate Discussion Forum
    [FIXED] pfsense 2.0 + openvpn (vypervpn), don't use vypervpn as default gateway?

    OpenVPN
    8 Posts 3 Posters 8.8k Views
      hubsd

      Hello

      My VPN works fine, but each time I enable it this changes my default route/gateway to VyperVPN's. Is it possible to disable this "push route" or force VyperVPN only for some computers on my network?

      Example: LAN1 > always use WAN and LAN2 > always use VPN

      Thanks.

        hubsd

        No one knows?

        I just don't want my VPN to be the route by default. I will do it myself (change default gateway in "Advanced features").

        And the log:

        Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client disconnected
        Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'status 2'
        Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'state 1'
        Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
        Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client disconnected
        Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'status 2'
        Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'state 1'
        Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
        Oct 25 21:32:23 openvpn[46869]: Initialization Sequence Completed
        Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 128.0.0.0 10.15.0.1 128.0.0.0
        Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 0.0.0.0 10.15.0.1 128.0.0.0
        Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 138.199.67.151 82.244.198.254 255.255.255.255
        Oct 25 21:32:23 openvpn[46869]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.15.0.27 255.255.0.0 init
        Oct 25 21:32:23 openvpn[46869]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
        Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 10.15.0.0 10.15.0.27 255.255.0.0
        Oct 25 21:32:23 openvpn[46869]: /sbin/ifconfig ovpnc1 10.15.0.27 netmask 255.255.0.0 mtu 1500 up
        Oct 25 21:32:23 openvpn[46869]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Oct 25 21:32:23 openvpn[46869]: TUN/TAP device /dev/tun1 opened
        Oct 25 21:32:23 openvpn[46869]: ROUTE default_gateway=82.244.198.254
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route-related options modified
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route options modified
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ifconfig/up options modified
        Oct 25 21:32:23 openvpn[46869]: Socket Buffers: R=[65536->262144] S=[65536->65536]
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: explicit notify parm(s) modified
        Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: timers and/or timeouts modified
        Oct 25 21:32:23 openvpn[46869]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.15.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.0.27 255.255.0.0'
        Oct 25 21:32:22 openvpn[46869]: SENT CONTROL [eu1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
        Oct 25 21:32:20 openvpn[46869]: [eu1.vpn.giganews.com] Peer Connection Initiated with [AF_INET]138.199.67.151:443
        Oct 25 21:32:20 openvpn[46869]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
        Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
        Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
        Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
        Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
        Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
        Oct 25 21:32:15 openvpn[46869]: VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
        Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
        Oct 25 21:32:14 openvpn[46869]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Oct 25 21:32:13 openvpn[46869]: TLS: Initial packet from [AF_INET]138.199.67.151:443, sid=0881e814 1231c69f
        Oct 25 21:32:13 openvpn[46869]: UDPv4 link remote: [AF_INET]138.199.67.151:443
        Oct 25 21:32:13 openvpn[46869]: UDPv4 link local (bound): [AF_INET]EDITED WAN IP
        Oct 25 21:32:13 openvpn[45829]: Expected Remote Options hash (VER=V4): '79a26cd9'
        Oct 25 21:32:13 openvpn[45829]: Local Options hash (VER=V4): 'fc8ba345'
        Oct 25 21:32:13 openvpn[45829]: Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
        Oct 25 21:32:13 openvpn[45829]: Socket Buffers: R=[42080->65536] S=[57344->65536]
        Oct 25 21:32:13 openvpn[45829]: Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
        Oct 25 21:32:13 openvpn[45829]: LZO compression initialized
        Oct 25 21:32:13 openvpn[45829]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct 25 21:32:13 openvpn[45829]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).

        Thanks.

          hubsd

          OK, I found an easy fix.

          Add route-noexec in the OpenVPN advanced client settings so the route table on pfSense will not be changed and your VPN will not always be the default gateway for everything.

          Quick and dirty how-to for VyperVPN and pfSense:

          1. Add the Giganews certificate in the cert manager:


          2. Create a file with your VyperVPN login/password, for example in /cf/conf/VyprVPN.pas:

          yourlogin
          yourpass

          3. Add your client settings in the OpenVPN client; example for a 256 bit tunnel on the VyperVPN Europe server:

          server mode : peer to peer (ssl/tls)
          protocol : udp
          device mode : tun
          interface : WAN
          server host : eu1.vpn.giganews.com
          server port : 443
          server host name resolution : CHECK infinitely resolve server
          tls authentication : UNCHECK
          peer certificate authority : choose the vypervpn CA certificate
          encryption algorithm : AES-256-CBC
          compression : CHECK compress tunnel packets using the LZO algorithm
          advanced : verb 5;auth-user-pass /cf/conf/VyprVPN.pas;tls-remote eu1.vpn.giganews.com;persist-key;persist-tun;persist-remote-ip;auth SHA256;keysize 256;tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA;route-noexec

          4. In Interfaces, add your VPN interface (should be named ovpncX), enable it and set the type to None.
          5. In Routing you should find this new interface; just edit it and add a monitor IP (208.67.220.220 for example).
          6. In NAT, change Outbound rules to Manual Outbound NAT rule generation and save.
          7. Now you just need to go to Rules, then change your default gateway to your VPN.
            Example: you can force all HTTP traffic to your VPN gateway and other traffic will always use the default gateway (WAN).
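As an added example (not from the thread or from pfSense), the Python below parses the PUSH_REPLY quoted in the log above and predicts the routes the client would install from it, which is what route-noexec suppresses; the default gateway and server address are the values from the same log.

```python
import ipaddress

# The PUSH_REPLY payload copied from the OpenVPN log posted above; the
# default gateway and server address are the values from the same log.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1 bypass-dhcp,"
              "dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,"
              "explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.15.0.1,"
              "topology subnet,ping 10,ping-restart 60,ifconfig 10.15.0.27 255.255.0.0")
DEFAULT_GW = "82.244.198.254"
SERVER_IP = "138.199.67.151"


def parse_push_reply(line):
    """Split a PUSH_REPLY control message into (option, arg, ...) tuples."""
    fields = line.strip().strip("'").split(",")
    if fields[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [tuple(f.split()) for f in fields[1:] if f]


def predicted_routes(options, default_gw, server_ip, route_noexec=False):
    """Return the (network, gateway) routes the client would add.

    'redirect-gateway def1' becomes a host route to the VPN server via the
    old default gateway plus 0.0.0.0/1 and 128.0.0.0/1 via the pushed
    route-gateway, i.e. the three 'route add' lines in the log. With
    route-noexec (hubsd's fix) no pushed route is applied at all."""
    if route_noexec:
        return []
    route_gw = next((a[0] for o, *a in options if o == "route-gateway" and a), None)
    routes = []
    for opt, *args in options:
        if opt == "redirect-gateway" and route_gw:
            routes.append((f"{server_ip}/32", default_gw))
            if "def1" in args:
                routes += [("0.0.0.0/1", route_gw), ("128.0.0.0/1", route_gw)]
            else:
                routes.append(("0.0.0.0/0", route_gw))
        elif opt == "route" and len(args) >= 2:
            net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
            routes.append((str(net), args[2] if len(args) > 2 else route_gw))
    return routes


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY)
    for net, gw in predicted_routes(opts, DEFAULT_GW, SERVER_IP):
        print(f"would add {net} via {gw}")
    print("with route-noexec:", predicted_routes(opts, DEFAULT_GW, SERVER_IP, route_noexec=True))
```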
            cpressland

            Hi,

            I've been trying to set up VyprVPN via Giganews on my pfSense box and have followed the instructions as above, but I keep getting the following error in the OpenVPN syslog:

            Authenticate/Decrypt packet error: packet HMAC authentication failed.

            This happens regardless of which VyprVPN server I try to connect to.

            Any ideas?

            Thanks

            Chris

              hubsd

              Do you have a CA certificate installed for VyprVPN?

                cpressland

                Looks like it was a copy-paste issue between OS X Chrome and Firefox. When SSHing in and overwriting the file with vi, it connected normally. Thanks to all.
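A corrupted paste of the CA, as happened here, shows up only as an HMAC failure at connect time. As an added example (not from the thread), this Python check validates a PEM block before it goes into the cert manager: armour lines, base64 body, and the outer DER SEQUENCE length. The sample certificates are constructed stand-ins, not the real Giganews CA.

```python
import base64
import binascii
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def check_pem_certificate(pem_text):
    """Return (ok, reason) for one PEM certificate block.

    Catches what a browser copy/paste typically does to a CA: armour lines
    mangled (e.g. the leading dashes turned into an en dash, as in the post),
    stray characters inside the base64 body, and bodies missing a chunk so
    the outer DER SEQUENCE length no longer matches the decoded bytes."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return False, "bad BEGIN line"
    if lines[-1] != END:
        return False, "bad END line"
    body = "".join(lines[1:-1])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body is not valid base64"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"base64 decode failed: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    if der[1] & 0x80:  # long-form length: the next (der[1] & 0x7F) bytes hold it
        n = der[1] & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        declared, header = der[1], 2
    if header + declared != len(der):
        return False, f"DER length mismatch: declared {declared}, got {len(der) - header}"
    return True, "ok"


def pem_from_der(der):
    """Wrap DER bytes in PEM armour, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])


# Constructed samples (not a real certificate): a DER SEQUENCE holding one
# INTEGER, then the same block damaged in two ways a copy/paste can cause.
GOOD_PEM = pem_from_der(b"\x30\x03\x02\x01\x05")
MANGLED_PEM = GOOD_PEM.replace("-----BEGIN", "\u2013---BEGIN", 1)   # en dash
TRUNCATED_PEM = pem_from_der(b"\x30\x03\x02\x01")                   # byte lost
```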

                  LA_FORGE

                  @hubsd:

                  OK, I found an easy fix.

                  Add route-noexec in the OpenVPN advanced client settings so the route table on pfSense will not be changed and your VPN will not always be the default gateway for everything.

                  Thank you very much for your GREAT how-to. It works very well, but when a disconnect occurs, OpenVPN always reconnects too fast. What is the best way to insert a delay of not less than 120 seconds? (Because the old connection on the remote server is still alive, an AUTH_FAILED error is thrown when the reconnect happens too fast.)

                  Greetings from Germany

                  Steve

                    LA_FORGE

                    I added keepalive 120 240 but still no luck :-( If the connection goes down and a reconnect is done, an "AUTH_failed" error is thrown by the server (because the old connection still exists on the server of my VPN provider), and it stays down until you manually restart it :-( Is there a way to add (re)connect retries in spite of the "AUTH_failed" message?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.