Netgate Discussion Forum
    PfSense to OpenVPN but errors

OpenVPN
    4 Posts 4 Posters 1.8k Views
powerextreme

Hello, I am configuring pfSense to work with ExpressVPN (OpenVPN 2.3.2). I have actually gotten it to work, but it only works on one of their servers; I get errors on the other ones. I compared the config files for each of their servers and the only difference in them is the server name. I downloaded their .ovpn files, took the OpenVPN options out of them and placed them into pfSense. The config options from their file are:

      dev tun; fast-io; persist-key; persist-tun;replay-persist cur-replay-protection.cache; nobind; remote-random; pull; comp-lzo; tls-client; tls-remote server; ns-cert-type server; verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;

      But this returns the following errors:
Feb 10 04:08:20 openvpn[97173]: DEPRECATED OPTION: --tls-remote, please update your configuration
Feb 10 04:08:20 openvpn[97173]: Options error: --local and --nobind don't make sense when used together

So I did some research and came up with the fix to the first error with 'verify-x509-name server name'; based on the errors I was getting, it wanted to verify the CN, which is 'server'.

Feb 10 04:39:07 openvpn[13487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Feb 10 04:39:08 openvpn[13487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
      Feb 10 04:39:08 openvpn[13487]: UDPv4 link local (bound): [AF_INET]X.X.X.X
      Feb 10 04:39:08 openvpn[13487]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y :1194
      Feb 10 04:39:08 openvpn[13487]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=47abcd6 90050be5
      Feb 10 04:39:08 openvpn[13487]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
      Feb 10 04:39:08 openvpn[13487]: VERIFY OK: nsCertType=SERVER
      Feb 10 04:39:08 openvpn[13487]: VERIFY X509NAME ERROR: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain, must be server1
      Feb 10 04:39:08 openvpn[13487]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS object -> incoming plaintext read error
      Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS handshake failed
      Feb 10 04:39:08 openvpn[13487]: SIGUSR1[soft,tls-error] received, process restarting

      So now the config looks like this:

      dev tun; fast-io; persist-key; persist-tun;replay-persist cur-replay-protection.cache;remote-random; pull; comp-lzo; tls-client; verify-x509-name server name; ns-cert-type server; verb 3; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;

      Everything looks good but I get an error at the end:

      Feb 10 04:45:23 openvpn[71487]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
      Feb 10 04:45:23 openvpn[71487]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 10 04:45:23 openvpn[71487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Feb 10 04:45:23 openvpn[71487]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
      Feb 10 04:45:23 openvpn[71487]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb 10 04:45:23 openvpn[71487]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb 10 04:45:23 openvpn[71487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
      Feb 10 04:45:23 openvpn[71783]: UDPv4 link local (bound): [AF_INET]X.X.X.X
      Feb 10 04:45:23 openvpn[71783]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y:1194
      Feb 10 04:45:23 openvpn[71783]: TLS: Initial packet from [AF_INET]Y.Y.Y.Y:1194, sid=c039945a e9799e29
      Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
      Feb 10 04:45:24 openvpn[71783]: VERIFY OK: nsCertType=SERVER
      Feb 10 04:45:24 openvpn[71783]: VERIFY X509NAME OK: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
      Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
      Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Feb 10 04:45:27 openvpn[71783]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
      Feb 10 04:45:27 openvpn[71783]: [server] Peer Connection Initiated with [AF_INET]Y.Y.Y.Y:1194
      Feb 10 04:45:29 openvpn[71783]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Feb 10 04:45:29 openvpn[71783]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
      Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: --ifconfig/up options modified
      Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: route options modified
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
      Feb 10 04:45:29 openvpn[71783]: ROUTE_GATEWAY A.A.A.A
      Feb 10 04:45:29 openvpn[71783]: TUN/TAP device /dev/tun1 opened
      Feb 10 04:45:29 openvpn[71783]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Feb 10 04:45:29 openvpn[71783]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
      Feb 10 04:45:29 openvpn[71783]: FreeBSD ifconfig failed: external program exited with error status: 1
      Feb 10 04:45:29 openvpn[71783]: Exiting due to fatal error

      It looks like it should be working. Any ideas?

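As an added example (not from the post, ExpressVPN or pfSense), here is a small Python linter for the kind of option string pasted above. It flags the two deprecated options and their exact-match replacements, the `nobind` conflict, and the options the thread says the pfSense client page already sets; it assumes (based on the `--local and --nobind` error line) that pfSense itself adds `local` when the client is bound to an interface. The `lint`, `rewrite` and `parse_options` names are mine.

```python
# Sample input constructed from the option string in the first post.
POST_OPTIONS = (
    "dev tun; fast-io; persist-key; persist-tun;replay-persist cur-replay-protection.cache; "
    "nobind; remote-random; pull; comp-lzo; tls-client; tls-remote server; ns-cert-type server; "
    "verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;"
)

# Deprecated options and the replacement that performs the same peer check.
# 'tls-remote X' matched the CN by prefix; 'verify-x509-name X name' needs an exact CN match,
# which is why the post's first attempt logged 'VERIFY X509NAME ERROR ... must be server1'.
DEPRECATED = {
    "tls-remote": lambda a: ["verify-x509-name", a[0], "name"],
    "ns-cert-type": lambda a: ["remote-cert-tls", a[0]],
}
# Options the thread says the pfSense client page already emits from its own fields.
GUI_MANAGED = {"dev", "comp-lzo", "verb", "tun-mtu"}
# OpenVPN refuses these together. Assumption: pfSense adds 'local <addr>' for an
# interface-bound client, so a pasted 'nobind' produces the 'Options error' in the post.
CONFLICTS = [("local", "nobind")]

def parse_options(text):
    """Split a ';'-separated option string into [(name, [args...]), ...]."""
    opts = []
    for chunk in text.split(";"):
        words = chunk.split()
        if words:
            opts.append((words[0], words[1:]))
    return opts

def lint(text, generated=("local",)):
    """Report deprecated, conflicting and redundant options; 'generated' names the
    options pfSense itself adds (assumed default: the interface binding 'local')."""
    opts = parse_options(text)
    names = {n for n, _ in opts} | set(generated)
    return {
        "deprecated": {n: " ".join(DEPRECATED[n](a)) for n, a in opts if n in DEPRECATED and a},
        "conflicts": [pair for pair in CONFLICTS if set(pair) <= names],
        "redundant": sorted(n for n, _ in opts if n in GUI_MANAGED),
    }

def rewrite(text, generated=("local",)):
    """Return the option string with deprecated options replaced and the
    pasted half of each conflict plus GUI-managed options dropped."""
    report = lint(text, generated)
    drop = set(report["redundant"])
    for a, b in report["conflicts"]:
        drop.add(b if b not in generated else a)  # keep what pfSense generates
    out = []
    for n, a in parse_options(text):
        if n not in drop:
            out.append(" ".join(DEPRECATED[n](a) if n in DEPRECATED and a else [n, *a]))
    return "; ".join(out) + ";"
```

Running `lint(POST_OPTIONS)` on the post's string reports both deprecated options with their replacements and the `local`/`nobind` conflict; `rewrite` yields the cleaned string to paste back.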
CosmoNerd

        powerextreme,

        Did you ever get a solution for this issue?

        I am facing exactly the same behavior.

        Response highly appreciated ;)

saytar

I'm getting pretty much the same problems you both have (depending on which variation of things I enter).

But... I hope you are NOT putting all those parameters in the advanced options block... :o :o

dev tun; <<<<< You do this at the top of the page, if you do it again at the bottom you'll get an ERROR.......
fast-io; persist-key; <<<<< Don't need this in pfSense, I believe it's a default setting.....................
persist-tun; <<<<<<<< pfSense will retry to connect your Tunnel I believe at least 3 times before it quits..........................
replay-persist cur-replay-protection.cache; nobind; <<<<<<<<<<<<<< I don't think you need these except in very, very special cases or unusual configuration.....................
remote-random; <<<< never seen this one................??????
pull; ????????
comp-lzo; <<<<<<< this is a checkbox on the configuration page..don't need it twice..................
tls-client; tls-remote server; <<<<<<<< These go in the Advanced settings box..................
ns-cert-type server; <<<< Not sure on this one for your configuration..................
verb 5; <<<<<<< use this one to give you a verbose output for troubleshooting...........
key-direction 1; <<<<< Not unless your provider requires this one......................
route-method exe; route-delay 2; <<<<<< not says to use these..............
tun-mtu 1500; <<<<<< is set on configuration page (of client) and pfSense default setting.......................
fragment 1300; mssfix 1450;
I am only using (or trying to use) the Client......
          My settings for Private Internet Access

          Server Mode......Peer to Peer (SSL/TLS)
          Protocol.........UDP
          Device mode.....tun
          Interface......WAN
          Local Port .............empty
          Server Host or address.............my-location.privateinternetaccess.com
          Server Port...........1194 (also default)
          Proxy Host ............none
          Proxy Port.............none
          Proxy auth.......NONE
          Server host name resolution...............Checked ---Infinitely
          Description of Course

          TLS ....................NOT checked (yours maybe depending on your provider)
          Peer Certificate Authority...........PIA (in my case)
          Client Certificate.............PIA user cert ----(signed with PIA Cert Authority, created by signing my CA with theirs)
Encryption Algorithm .........BF-CBC (128-bit) in my case
          No Hardware Crypto

Tunnel settings depend on your usage....I'm not real clear on that yet. I may be required to set this up some unusual way as I don't want all my network traffic to go out through the Tunnel, only certain users and IPs. I believe that if you don't mind ALL traffic going out thru the tunnel, not much if anything is done with this.................I COULD be very wrong on this...take this bit with a grain of salt.

Compression ...........Checked for LZO....in my case (most cases I believe)

          Now.............this is ALL I have in my advanced settings:

          verb5;
          auth-user-pass /etc/openvpn-password.txt
          remote-cert-tls server

Hope it helps some............Nothing like the blind leading the blind, but maybe if you get enough angles we'll all be able to figure it out right...........

          “An armed society is a polite society. Manners are good when one may have to back up his acts with his life.”

          “Ignorance is curable, stupid is forever.”
          ― Robert A. Heinlein, Beyond This Horizon

steve_cohen

Try bringing up a shell and executing the line that is failing:

            /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
Ya might get a better error message.

I see this when the VPN becomes disconnected and your user/group is depreciated and can't be removed.
When it re-tries it hasn't dropped permissions yet. But that's a second pass and it is still there, so it fails.

See if the tun is there with ifconfig.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.