OpenVPN to PIA (provider) without Private Key
-
My goal is to create a VPN connection to "PrivateInternetAccess," an anonymizing service, and use the connection from my pfSense box to PIA (for short) to route all my outgoing traffic from my LAN (or a certain computer, IP address, etc). I've been using the service without problem on OSX using Tunnelblick. Unfortunately, trying to set up the connection on pfSense has proven to be fairly difficult. PIA provides a file called "ca.crt," and two files called (for example) "access.conf" and "access.ovpn". I don't have any *.key files.
The instructions here (http://forum.pfsense.org/index.php?topic=24435.0) looked pretty good. I think I managed to get the configuration from the .ovpn or .conf files into pfsense. However, PIA uses a user-pass authentication scheme. The instructions explain a way to include a username password in a file, which I did. However, I ultimately get a bunch of "connection refused" errors. It seems I'm making a connection but not being allowed on the network, probably because of authentication.
Does anybody have any experience with PIA? Or any VPN without shared keys and just user/pass authentication? Thanks!
-
What's the exact error? "Connection refused" is generally a network level issue not an auth issue but no telling without seeing the exact log and its context.
-
I've attached both the log (after restarting a connection attempt) and my .conf file.
-
That means the server isn't listening on TCP 1194 and hence is refusing your connection. Probably should be UDP.
-
Well, that does seem to be helping, changing to UDP. I'm getting a host of new issues now, but now it seems to be stuck on "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.60.159.100:1194"
Looking at the log, it seems like the following may be a problem.
Local Options String:
'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String:
'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
I've highlighted the differences. In particular, the keydir value seems like it could be a problem. That being said, I'm not sure which option that corresponds to in the pfSense interface, or if it even is a particular option.
What I did find googling for the HMAC error was that I was trying to use tls on my side, whereas the server did not. I've managed to connect now. Once I get a solid, consistent connection, I'll post my config file for others to use as a starting point if they have the same VPN provider.
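The two option strings quoted above are easy to misread: "Expected Remote Options String" is computed locally from the client's own config, so keydir 0/1 and tls-client/tls-server are supposed to differ, and the HMAC error is really about tls-auth rather than those fields. The following is an added example (not from the thread, pfSense or OpenVPN) that pulls both strings out of a client log, separates the role-dependent differences from real mismatches, and attaches a hint for the "cannot locate HMAC" and "Connection refused" messages discussed in this thread. The log text is a constructed sample modelled on the post; the peer address in it is a documentation IP, not PIA's.

```python
import re

# Constructed sample log, modelled on the lines quoted in the post above
# (192.0.2.10 is a documentation address, not a real VPN endpoint).
SAMPLE_LOG = """\
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.10:1194
Local Options String:
'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String:
'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
"""

# Matches both the one-line form OpenVPN writes and the wrapped form seen in the post.
OPT_RE = re.compile(r"(Local|Expected Remote) Options String:\s*'([^']*)'")


def extract_option_strings(log: str) -> dict:
    """Return {'Local': '...', 'Expected Remote': '...'} from a client log."""
    return {m.group(1): m.group(2) for m in OPT_RE.finditer(log)}


def parse_options(options: str) -> dict:
    """Turn 'V4,dev-type tun,keydir 1,tls-auth,tls-client' into a dict.

    Bare flags (V4, comp-lzo, tls-auth) get the value ''. tls-client and
    tls-server are folded into a single 'role' key so they compare as one field.
    """
    opts = {}
    for token in options.split(","):
        token = token.strip()
        if not token:
            continue
        key, _, value = token.partition(" ")
        if key in ("tls-client", "tls-server"):
            opts["role"] = key
        else:
            opts[key] = value
    return opts


def compare(local: dict, remote: dict):
    """Split differing fields into ones that are meant to differ and real mismatches."""
    complementary, mismatches = [], []
    for key in sorted(set(local) | set(remote)):
        lv, rv = local.get(key), remote.get(key)
        if lv == rv:
            continue
        # keydir 1 on the client pairs with keydir 0 on the server; client/server roles
        # are likewise complementary, so neither is a problem.
        if key == "keydir" and {lv, rv} == {"0", "1"}:
            complementary.append(key)
        elif key == "role" and {lv, rv} == {"tls-client", "tls-server"}:
            complementary.append(key)
        else:
            mismatches.append((key, lv, rv))
    return complementary, mismatches


def diagnose(log: str) -> dict:
    """Compare the option strings in a client log and add hints for known error lines."""
    strings = extract_option_strings(log)
    local = parse_options(strings.get("Local", ""))
    remote = parse_options(strings.get("Expected Remote", ""))
    complementary, mismatches = compare(local, remote)

    hints = []
    if "Connection refused" in log:
        hints.append("connection refused is a transport-level rejection: "
                     "check proto (TCP vs UDP) and the port before looking at auth")
    if "cannot locate HMAC" in log and "tls-auth" in local:
        hints.append("tls-auth is enabled on this side: the peer is not using tls-auth, "
                     "or the static key / key direction does not match")
    if strings and not mismatches:
        hints.append("option strings differ only in role-dependent fields; "
                     "the negotiated options are not the cause")
    return {"complementary": complementary, "mismatches": mismatches, "hints": hints}


if __name__ == "__main__":
    for name, value in diagnose(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, `diagnose` reports keydir and role as expected differences, no real mismatch, and the tls-auth hint; change a field such as the cipher in only one of the two strings and it shows up under `mismatches` instead.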
-
As I said, here's my config file for my VPN host. I hope it may help somebody else having difficulty connecting. The file is located under /var/etc/openvpn and should have a name like "clientN.conf". I did a "factory reset" on my box before setting this up, so it shouldn't be related to any other settings. Since pfSense reports the connection as working, I'll consider this solved. Unfortunately, if the VPN connection is active, my computers can't get out to browse the web or anything, neither through the WAN (as they do if I simply disable the OpenVPN rule) nor through the VPN (which as far as I know does nothing other than be connected when not disabled).
I don't know if this is intended behavior or not. It would make sense to block outgoing traffic if a VPN connection is active. I know more needs to be done to send traffic through the VPN connection instead of the WAN connection. My goal was first to see if I can connect to the VPN (yes), and then see if my regular network WAN access is still functioning (no). It's easy enough to turn the VPN connection on and off as needed, but I hope this is the correct behavior.
-
You generally want "route-nopull" as a custom option in the client config. That sounds like they're pushing you a default gateway, which you don't want to accept. You'll need manual outbound NAT for your LAN hosts to be able to get out via the VPN.
-
This guide seems to work just fine:
https://www.privateinternetaccess.com/pages/client-support/#pfsense_openvpn