I set up a BTGuard openvpn connection. It worked, I messed with it, broken



  • I set everything up and it worked just fine. Then I added an interface and set the opt1 as ovpnc1. This was fine. Then I tried applying it and then things went south. So I unchecked apply and tried to set it back to the way it was. It was not having it. So I deleted the opt1 interface, and the associated gateway. Still no luck. Finally I deleted the openvpn connection and recreated it. At this point it would no longer even connect anymore.

    Here's what my log looks like:

    Mar 16 14:35:13	openvpn[55365]: Restart pause, 5 second(s)
    Mar 16 14:35:13	openvpn[55365]: SIGUSR1[soft,connection-reset] received, process restarting
    Mar 16 14:35:13	openvpn[55365]: TCP/UDP: Closing socket
    Mar 16 14:35:13	openvpn[55365]: Connection reset, restarting [0]
    Mar 16 14:35:12	openvpn[55365]: TCPv4_CLIENT link remote: [AF_INET]95.211.139.147:1194
    Mar 16 14:35:12	openvpn[55365]: TCPv4_CLIENT link local (bound): [AF_INET]xxx.173.24.149
    Mar 16 14:35:12	openvpn[55365]: TCP connection established with [AF_INET]95.211.139.147:1194
    Mar 16 14:35:11	openvpn[55365]: Attempting to establish TCP connection with [AF_INET]95.211.139.147:1194 [nonblock]
    Mar 16 14:35:11	openvpn[55365]: Expected Remote Options hash (VER=V4): 'c413e92e'
    Mar 16 14:35:11	openvpn[55365]: Local Options hash (VER=V4): 'd8421bb0'
    Mar 16 14:35:11	openvpn[55365]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Mar 16 14:35:11	openvpn[55365]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Mar 16 14:35:11	openvpn[55365]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Mar 16 14:35:11	openvpn[55365]: RESOLVE: NOTE: eu.vpn.btguard.com resolves to 4 addresses
    Mar 16 14:35:11	openvpn[55365]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Mar 16 14:35:11	openvpn[55365]: Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Mar 16 14:35:11	openvpn[55365]: Re-using SSL/TLS context
    Mar 16 14:35:11	openvpn[55365]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 16 14:35:11	openvpn[55365]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mar 16 14:35:06	openvpn[55365]: MANAGEMENT: Client disconnected
    Mar 16 14:35:06	openvpn[55365]: MANAGEMENT: CMD 'state 1'
    Mar 16 14:35:06	openvpn[55365]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    


  • Unchecking Enable authentication of TLS packets fixed that issue.

    Now the issue is that it connects, but I can't ping anything other than ca.vpn.btguard.com. I'm guessing it's something to do with routing, but I'm not sure.

    Mar 16 15:40:03	openvpn[30134]: MANAGEMENT: Client disconnected
    Mar 16 15:40:03	openvpn[30134]: MANAGEMENT: CMD 'status 2'
    Mar 16 15:40:03	openvpn[30134]: MANAGEMENT: CMD 'state 1'
    Mar 16 15:40:03	openvpn[30134]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Mar 16 15:40:02	openvpn[30134]: Initialization Sequence Completed
    Mar 16 15:40:02	openvpn[30134]: /sbin/route add -net 10.10.0.1 10.10.0.5 255.255.255.255
    Mar 16 15:40:02	openvpn[30134]: WARNING: potential route subnet conflict between local LAN [10.10.0.0/255.255.255.0] and remote VPN [10.10.0.1/255.255.255.255]
    Mar 16 15:40:02	openvpn[30134]: /sbin/route add -net 0.0.0.0 10.10.0.5 0.0.0.0
    Mar 16 15:40:02	openvpn[30134]: /sbin/route delete -net 0.0.0.0 xxx.173.24.145 0.0.0.0
    Mar 16 15:40:02	openvpn[30134]: /sbin/route add -net xxx.16.202.135 xxx.173.24.145 255.255.255.255
    Mar 16 15:40:02	openvpn[30134]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1543 10.10.0.6 10.10.0.5 init
    Mar 16 15:40:02	openvpn[30134]: /sbin/ifconfig ovpnc1 10.10.0.6 10.10.0.5 mtu 1500 netmask 255.255.255.255 up
    Mar 16 15:40:02	openvpn[30134]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mar 16 15:40:02	openvpn[30134]: TUN/TAP device /dev/tun1 opened
    Mar 16 15:40:02	openvpn[30134]: ROUTE default_gateway=xxx.173.24.145
    Mar 16 15:40:02	openvpn[30134]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mar 16 15:40:02	openvpn[30134]: OPTIONS IMPORT: route options modified
    Mar 16 15:40:02	openvpn[30134]: OPTIONS IMPORT: --ifconfig/up options modified
    Mar 16 15:40:02	openvpn[30134]: OPTIONS IMPORT: timers and/or timeouts modified
    Mar 16 15:40:02	openvpn[30134]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,redirect-gateway,route 10.10.0.1,topology net30,ping 20,ping-restart 240,ifconfig 10.10.0.6 10.10.0.5'
    Mar 16 15:40:02	openvpn[30134]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mar 16 15:40:00	openvpn[30134]: [server] Peer Connection Initiated with [AF_INET]204.16.202.135:1194
    Mar 16 15:40:00	openvpn[30134]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mar 16 15:40:00	openvpn[30134]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 16 15:40:00	openvpn[30134]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 16 15:40:00	openvpn[30134]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 16 15:40:00	openvpn[30134]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 16 15:39:59	openvpn[30134]: VERIFY OK: depth=0, /C=DE/ST=Hesse-Nassau/L=Frankfurt/O=BTGuard/CN=server/emailAddress=support@btguard.com
    Mar 16 15:39:59	openvpn[30134]: VERIFY OK: depth=1, /C=DE/ST=Hesse-Nassau/L=Frankfurt/O=BTGuard/CN=BTGuard_CA/emailAddress=support@btguard.com
    Mar 16 15:39:59	openvpn[30134]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mar 16 15:39:59	openvpn[30134]: TLS: Initial packet from [AF_INET]204.16.202.135:1194, sid=59916de8 87410756
    Mar 16 15:39:59	openvpn[30134]: TCPv4_CLIENT link remote: [AF_INET]204.16.202.135:1194
    Mar 16 15:39:59	openvpn[30134]: TCPv4_CLIENT link local (bound): [AF_INET]xxx.173.24.149
    Mar 16 15:39:59	openvpn[30134]: TCP connection established with [AF_INET]204.16.202.135:1194
    Mar 16 15:39:58	openvpn[30134]: Attempting to establish TCP connection with [AF_INET]204.16.202.135:1194 [nonblock]
    Mar 16 15:39:58	openvpn[30134]: Expected Remote Options hash (VER=V4): '7e068940'
    Mar 16 15:39:58	openvpn[30134]: Local Options hash (VER=V4): 'db02a8f8'
    Mar 16 15:39:58	openvpn[30134]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Mar 16 15:39:58	openvpn[30134]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Mar 16 15:39:58	openvpn[30134]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Mar 16 15:39:58	openvpn[30134]: RESOLVE: NOTE: ca.vpn.btguard.com resolves to 2 addresses
    Mar 16 15:39:58	openvpn[30134]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Mar 16 15:39:58	openvpn[30134]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mar 16 15:39:58	openvpn[30134]: Re-using SSL/TLS context
    Mar 16 15:39:58	openvpn[30134]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 16 15:39:58	openvpn[30134]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mar 16 15:39:53	openvpn[30134]: Restart pause, 5 second(s)
    Mar 16 15:39:53	openvpn[30134]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 16 15:39:53	openvpn[30134]: TCP/UDP: Closing socket
    Mar 16 15:39:53	openvpn[30134]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    
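Added diagnostic, not from the thread or from pfSense: it reads the "Expected Remote Options String" from the two logs above and shows which option tokens disappeared when "Enable authentication of TLS packets" was unchecked, and it flags the two warnings a defender should still act on, since the "No server certificate verification method" warning is present in the working log too and the pushed route overlaps the 10.10.0.0/24 LAN. The sample lines are abridged copies of the log lines quoted in this thread.

```python
import re
from ipaddress import ip_network

# Constructed samples: abridged copies of the two OpenVPN client logs in this thread.
LOG_BEFORE = """\
openvpn[55365]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
openvpn[55365]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[55365]: SIGUSR1[soft,connection-reset] received, process restarting
"""
LOG_AFTER = """\
openvpn[30134]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
openvpn[30134]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[30134]: WARNING: potential route subnet conflict between local LAN [10.10.0.0/255.255.255.0] and remote VPN [10.10.0.1/255.255.255.255]
openvpn[30134]: Initialization Sequence Completed
"""

OPTS_RE = re.compile(r"Expected Remote Options String: '([^']*)'")
CONFLICT_RE = re.compile(r"local LAN \[([\d.]+)/([\d.]+)\] and remote VPN \[([\d.]+)/([\d.]+)\]")

def expected_options(log):
    """Set of option tokens the client expects the server to present."""
    m = OPTS_RE.search(log)
    return set(m.group(1).split(",")) if m else set()

def options_diff(before, after):
    """Tokens only in the first run's expected options, and tokens only in the second's."""
    a, b = expected_options(before), expected_options(after)
    return sorted(a - b), sorted(b - a)

def findings(log):
    """Security- and connectivity-relevant conditions visible in one client log."""
    out = []
    if "No server certificate verification method has been enabled" in log:
        out.append("server certificate not checked for server role (MITM risk)")
    m = CONFLICT_RE.search(log)
    if m:
        lan = ip_network(f"{m.group(1)}/{m.group(2)}")   # dotted netmask is accepted
        vpn = ip_network(f"{m.group(3)}/{m.group(4)}")
        if lan.overlaps(vpn):
            out.append(f"route {vpn} overlaps local LAN {lan}")
    if "connection-reset" in log and "Initialization Sequence Completed" not in log:
        out.append("handshake never completed: server reset the TCP connection")
    return out
```

Running `options_diff(LOG_BEFORE, LOG_AFTER)` reports `tls-auth` and `keydir 0` as the only tokens that vanished, which is exactly what the unchecked TLS-authentication box removed from the client side.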


  • Ok I believe I made progress. The VPN will stay connected now. I can also ping the other end of the tunnel which would be 204.16.202.135 in this case. The issue now is that I can't get any further than that IP. I still have Enable authentication of TLS packets unchecked.

    Also, the gateway for the vpn's status is down which is weird because I can ping the 204.16.202.135. Maybe the issue lies there.

    Another interesting thing is that I can ping www.yahoo.com from the opt1 (vpn) interface.

    I am also not able to ping the gateway I'm getting from the vpn. For instance, if my IP is 10.10.0.118 my gateway is 10.10.0.117. I can't ping 10.10.0.117.

    So basically the vpn seems to work ok as long as I'm just pinging from the pfsense to the outside world. The issue seems to be in getting the lan traffic to use the vpn connection. I have rules in place, but either they aren't working or I have the wrong ones, or there is another issue altogether.



  • Oh sweet success! After many hours, I've finally got it working! Somewhere else on the forums someone said to set the outbound nat to manual outbound nat rule generation. I tried this, but it didn't work. I must have had a firewall rule incorrect at the time. I tried it again just now, and it works!

    I'll post a new thread with how to setup a functional BTGuard vpn this weekend.



  • Still waiting :D

    Also, don't hesitate to take screenshots ;)



  • Sorry I got distracted with Easter stuff. I'll get it together ASAP I promise :D.

    Edit:

    Ok this should work. LINK Copying and pasting from word to here mangled the formatting. If that works for you, I'll make a new post and redo the formatting for the forum.

