[FIXED] pfSense 2.0 + OpenVPN (VyprVPN), don't use VyprVPN as default gateway?



  • Hello

    My VPN works fine, but each time I enable it, it changes my default route/gateway to VyprVPN's. Is it possible to disable this "push route" or force VyprVPN only for some computers on my network?

    Example: LAN1 > always use WAN and LAN2 > always use VPN

    Thanks.



  • No one knows?

    I just don't want my VPN to be the route by default. I will do it myself (change the default gateway in "Advanced features").

    And the log:

    Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client disconnected
    Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'status 2'
    Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: CMD 'state 1'
    Oct 25 21:32:36 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client disconnected
    Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'status 2'
    Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: CMD 'state 1'
    Oct 25 21:32:27 openvpn[46869]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 25 21:32:23 openvpn[46869]: Initialization Sequence Completed
    Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 128.0.0.0 10.15.0.1 128.0.0.0
    Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 0.0.0.0 10.15.0.1 128.0.0.0
    Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 138.199.67.151 82.244.198.254 255.255.255.255
    Oct 25 21:32:23 openvpn[46869]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.15.0.27 255.255.0.0 init
    Oct 25 21:32:23 openvpn[46869]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 10.15.0.0 10.15.0.27 255.255.0.0
    Oct 25 21:32:23 openvpn[46869]: /sbin/ifconfig ovpnc1 10.15.0.27 netmask 255.255.0.0 mtu 1500 up
    Oct 25 21:32:23 openvpn[46869]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Oct 25 21:32:23 openvpn[46869]: TUN/TAP device /dev/tun1 opened
    Oct 25 21:32:23 openvpn[46869]: ROUTE default_gateway=82.244.198.254
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route-related options modified
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: route options modified
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --ifconfig/up options modified
    Oct 25 21:32:23 openvpn[46869]: Socket Buffers: R=[65536->262144] S=[65536->65536]
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: explicit notify parm(s) modified
    Oct 25 21:32:23 openvpn[46869]: OPTIONS IMPORT: timers and/or timeouts modified
    Oct 25 21:32:23 openvpn[46869]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.15.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.0.27 255.255.0.0'
    Oct 25 21:32:22 openvpn[46869]: SENT CONTROL [eu1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
    Oct 25 21:32:20 openvpn[46869]: [eu1.vpn.giganews.com] Peer Connection Initiated with [AF_INET]138.199.67.151:443
    Oct 25 21:32:20 openvpn[46869]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 25 21:32:20 openvpn[46869]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 25 21:32:20 openvpn[46869]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
    Oct 25 21:32:15 openvpn[46869]: VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
    Oct 25 21:32:15 openvpn[46869]: VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
    Oct 25 21:32:14 openvpn[46869]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 25 21:32:13 openvpn[46869]: TLS: Initial packet from [AF_INET]138.199.67.151:443, sid=0881e814 1231c69f
    Oct 25 21:32:13 openvpn[46869]: UDPv4 link remote: [AF_INET]138.199.67.151:443
    Oct 25 21:32:13 openvpn[46869]: UDPv4 link local (bound): [AF_INET]EDITED WAN IP
    Oct 25 21:32:13 openvpn[45829]: Expected Remote Options hash (VER=V4): '79a26cd9'
    Oct 25 21:32:13 openvpn[45829]: Local Options hash (VER=V4): 'fc8ba345'
    Oct 25 21:32:13 openvpn[45829]: Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 25 21:32:13 openvpn[45829]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Oct 25 21:32:13 openvpn[45829]: Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 25 21:32:13 openvpn[45829]: LZO compression initialized
    Oct 25 21:32:13 openvpn[45829]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 25 21:32:13 openvpn[45829]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).

    Thanks.



  • OK, I found an easy fix.

    Add route-noexec in the OpenVPN advanced client settings so the route table on pfSense will not be changed and your VPN will not always be the default gateway for everything.

    Quick and dirty how-to for VyprVPN and pfSense:

    1. Add the Giganews CA certificate in the cert manager:


    2. Create a file with your VyprVPN login/password,
       for example in /cf/conf/VyprVPN.pas:

    yourlogin
    yourpass

    3. Add your client settings in the OpenVPN client,
       for example for a 256-bit tunnel on the VyprVPN Europe server:

    server mode : peer to peer (ssl/tls)
    protocol : udp
    device mode : tun
    interface : WAN
    server host : eu1.vpn.giganews.com
    server port : 443
    server host name resolution : CHECK infinitely resolve server
    TLS authentication : UNCHECK
    peer certificate authority : choose the VyprVPN CA certificate
    encryption algorithm : AES-256-CBC
    compression : CHECK compress tunnel packets using the LZO algorithm
    advanced : verb 5;auth-user-pass /cf/conf/VyprVPN.pas;tls-remote eu1.vpn.giganews.com;persist-key;persist-tun;persist-remote-ip;auth SHA256;keysize 256;tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA;route-noexec

    4. In Interfaces, add your VPN interface (it should be named ovpncX), enable it and set the type to None.
    5. In Routing you should find this new interface; just edit it and add a monitor IP (208.67.220.220, for example).
    6. In NAT, change Outbound rules to Manual Outbound NAT rule generation and save.
    7. Now you just need to go to Rules and change your default gateway to your VPN.
       Example: you can force all HTTP traffic to your VPN gateway and other traffic will always use the default gateway (WAN).
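As an added example (not code from the thread or from pfSense/OpenVPN), a small Python check that reads OpenVPN client log lines like the ones posted above and reports whether the server pushed redirect-gateway, which DNS servers it pushed, and whether the def1 half-default routes (0.0.0.0/1 and 128.0.0.0/1) were actually installed. The sample log lines are constructed from the thread's own output; the second sample shows what the log looks like once route-noexec keeps the client from running /sbin/route at all.

```python
import re

# Constructed sample of OpenVPN client log lines, modelled on the output
# posted in this thread (not a real capture): the server pushes
# redirect-gateway def1 and the client installs both half-default routes.
LOG_ROUTES_APPLIED = """\
Oct 25 21:32:23 openvpn[46869]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.15.0.1,topology subnet,ifconfig 10.15.0.27 255.255.0.0'
Oct 25 21:32:23 openvpn[46869]: ROUTE default_gateway=82.244.198.254
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 10.15.0.0 10.15.0.27 255.255.0.0
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 0.0.0.0 10.15.0.1 128.0.0.0
Oct 25 21:32:23 openvpn[46869]: /sbin/route add -net 128.0.0.0 10.15.0.1 128.0.0.0
"""
# Same push, but with route-noexec set the client never runs /sbin/route.
LOG_ROUTE_NOEXEC = LOG_ROUTES_APPLIED.splitlines()[0] + "\n"

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'$")
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
# redirect-gateway def1 overrides the default route with two /1 routes
# (more specific than 0.0.0.0/0) instead of replacing the default itself.
HALF_DEFAULT = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}

def parse_push_reply(line):
    """Return the pushed option strings from a PUSH_REPLY log line, else None."""
    m = PUSH_RE.search(line)
    return [opt.strip() for opt in m.group(1).split(",")] if m else None

def audit_log(text):
    """Summarise what the server pushed and which default-route changes were applied."""
    out = {"redirect_gateway": False, "pushed_dns": [], "route_gateway": None,
           "half_default_routes": []}
    for line in text.splitlines():
        for opt in parse_push_reply(line) or []:
            if opt.startswith("redirect-gateway"):
                out["redirect_gateway"] = True
            elif opt.startswith("dhcp-option DNS "):
                out["pushed_dns"].append(opt.split()[-1])
            elif opt.startswith("route-gateway "):
                out["route_gateway"] = opt.split()[1]
        m = ROUTE_RE.search(line)
        if m and (m.group(1), m.group(3)) in HALF_DEFAULT:
            out["half_default_routes"].append(f"{m.group(1)}/1 via {m.group(2)}")
    return out

def default_gateway_taken_over(findings):
    """True only when the push was honoured: both /1 routes point into the tunnel."""
    return findings["redirect_gateway"] and len(findings["half_default_routes"]) == 2
```

Running audit_log over a real pfSense OpenVPN log is a quick way to confirm that route-noexec did its job: the PUSH_REPLY still shows redirect-gateway, but no half-default routes appear.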


  • Hi,

    I've been trying to set up VyprVPN via Giganews on my pfSense box and have followed the instructions above, but I keep getting the following error in the OpenVPN syslog:

    Authenticate/Decrypt packet error: packet HMAC authentication failed.

    This happens regardless of which VyprVPN server I try to connect to.

    Any ideas?

    Thanks

    Chris



  • Do you have a CA certificate installed for VyprVPN?



  • Looks like it was a Copy Pasta issue between OS X Chrome and Firefox. After SSHing in and overwriting the file with vi, it connected normally. Thanks to all.



  • @hubsd:


    Thank you very much for your GREAT how-to. It works very well, but when a disconnect occurs, OpenVPN always reconnects too fast. What is the best way to insert a delay of not less than 120 seconds? (Because the old connection on the remote server is still alive and an AUTH_FAILED error is thrown when the reconnect happens too fast.)

    Greetings from Germany

    Steve



  • I added keepalive 120 240 but still no luck :-( If the connection goes down and a reconnect is done, an "AUTH_failed" error is thrown from the server (because the old connection still exists on my VPN provider's server), and it stays down until you manually restart it :-( Is there a way to add (re)connect retries despite the "AUTH_failed" message?

