PfSense to OpenVPN but errors



  • Hello, I am configuring pfSense to work with ExpressVPN (OpenVPN 2.3.2). I have actually gotten it to work, but it only works on one of their servers; I get errors on the other ones. I compared the config files for each of their servers and the only difference in them is the server name. I downloaded their .ovpn files, took the OpenVPN options out of them and placed them into pfSense. The config options from their file are:

    dev tun; fast-io; persist-key; persist-tun; replay-persist cur-replay-protection.cache; nobind; remote-random; pull; comp-lzo; tls-client; tls-remote server; ns-cert-type server; verb 5; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450;

    But this returns the following errors:
    Feb 10 04:08:20 openvpn[97173]: DEPRECATED OPTION: --tls-remote, please update your configuration
    Feb 10 04:08:20 openvpn[97173]: Options error: --local and --nobind don't make sense when used together

    So I did some research and came up with the fix to the first error with 'verify-x509-name server name'; based on the errors I was getting, it wanted to verify the CN name, which is 'server'.

    Feb 10 04:39:07 openvpn[13487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 04:39:08 openvpn[13487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 10 04:39:08 openvpn[13487]: UDPv4 link local (bound): [AF_INET]X.X.X.X
    Feb 10 04:39:08 openvpn[13487]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y :1194
    Feb 10 04:39:08 openvpn[13487]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=47abcd6 90050be5
    Feb 10 04:39:08 openvpn[13487]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
    Feb 10 04:39:08 openvpn[13487]: VERIFY OK: nsCertType=SERVER
    Feb 10 04:39:08 openvpn[13487]: VERIFY X509NAME ERROR: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain, must be server1
    Feb 10 04:39:08 openvpn[13487]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS object -> incoming plaintext read error
    Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS handshake failed
    Feb 10 04:39:08 openvpn[13487]: SIGUSR1[soft,tls-error] received, process restarting

    So now the config looks like this:

    dev tun; fast-io; persist-key; persist-tun; replay-persist cur-replay-protection.cache; remote-random; pull; comp-lzo; tls-client; verify-x509-name server name; ns-cert-type server; verb 3; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450;

    Everything looks good but I get an error at the end:

    Feb 10 04:45:23 openvpn[71487]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
    Feb 10 04:45:23 openvpn[71487]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Feb 10 04:45:23 openvpn[71487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 10 04:45:23 openvpn[71487]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Feb 10 04:45:23 openvpn[71487]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 04:45:23 openvpn[71487]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 04:45:23 openvpn[71487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 10 04:45:23 openvpn[71783]: UDPv4 link local (bound): [AF_INET]X.X.X.X
    Feb 10 04:45:23 openvpn[71783]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y:1194
    Feb 10 04:45:23 openvpn[71783]: TLS: Initial packet from [AF_INET]Y.Y.Y.Y:1194, sid=c039945a e9799e29
    Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
    Feb 10 04:45:24 openvpn[71783]: VERIFY OK: nsCertType=SERVER
    Feb 10 04:45:24 openvpn[71783]: VERIFY X509NAME OK: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
    Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
    Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 04:45:27 openvpn[71783]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Feb 10 04:45:27 openvpn[71783]: [server] Peer Connection Initiated with [AF_INET]Y.Y.Y.Y:1194
    Feb 10 04:45:29 openvpn[71783]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Feb 10 04:45:29 openvpn[71783]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
    Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: route options modified
    Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 10 04:45:29 openvpn[71783]: ROUTE_GATEWAY A.A.A.A
    Feb 10 04:45:29 openvpn[71783]: TUN/TAP device /dev/tun1 opened
    Feb 10 04:45:29 openvpn[71783]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Feb 10 04:45:29 openvpn[71783]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
    Feb 10 04:45:29 openvpn[71783]: FreeBSD ifconfig failed: external program exited with error status: 1
    Feb 10 04:45:29 openvpn[71783]: Exiting due to fatal error

    It looks like it should be working. Any ideas?
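The two "Options error" lines in this post (a deprecated --tls-remote, and --nobind clashing with the --local that pfSense itself writes into the generated config when the client is bound to an interface) are the kind of thing that can be caught before the tunnel is ever started. The following is an added example, not code from the thread or from pfSense/OpenVPN: a small linter for the semicolon-separated text pasted into pfSense's advanced options box (it also accepts newline-separated .ovpn lines). The sample option string is constructed from the options quoted in the post; the assumption that pfSense emits --local is labelled in the code and can be overridden.

```python
import re

# Constructed sample: the option string the original post pasted out of the
# provider's .ovpn file, in pfSense's semicolon-separated form.
SAMPLE_OPTIONS = (
    "dev tun; fast-io; persist-key; persist-tun; "
    "replay-persist cur-replay-protection.cache; nobind; remote-random; pull; "
    "comp-lzo; tls-client; tls-remote server; ns-cert-type server; verb 5; "
    "key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; "
    "fragment 1300; mssfix 1450;"
)

# Deprecated options and the replacement each one maps to. Each value takes the
# original argument list so the replacement keeps the expected CN.
#   tls-remote <CN>      -> verify-x509-name <CN> name
#   ns-cert-type server  -> remote-cert-tls server
DEPRECATED = {
    "tls-remote": lambda args: ["verify-x509-name"] + args[:1] + ["name"],
    "ns-cert-type": lambda args: ["remote-cert-tls"] + args[:1],
}

# Option pairs OpenVPN refuses to combine ("don't make sense when used together").
CONFLICTS = [("local", "nobind")]

# Assumption: pfSense adds --local itself when the client is tied to an
# interface, so it never appears in the pasted text but still conflicts.
PFSENSE_GENERATED = ("local",)


def parse_options(text):
    """Split semicolon- or newline-separated options into (name, args) tuples."""
    opts = []
    for raw in re.split(r"[;\n]", text):
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        # Accept both "--opt" (ovpn style) and "opt" (pfSense style).
        opts.append((parts[0].lstrip("-"), parts[1:]))
    return opts


def lint(text, generated=PFSENSE_GENERATED):
    """Return warning strings for deprecated and conflicting options."""
    opts = parse_options(text)
    present = {name for name, _ in opts} | set(generated)
    warnings = []
    for name, args in opts:
        if name in DEPRECATED:
            fixed = " ".join(DEPRECATED[name](args))
            warnings.append(f"DEPRECATED OPTION: --{name}; use '{fixed}' instead")
    for a, b in CONFLICTS:
        if a in present and b in present:
            warnings.append(
                f"--{a} and --{b} don't make sense when used together; drop --{b}"
            )
    return warnings


def rewrite(text, generated=PFSENSE_GENERATED):
    """Return the option string with deprecated options replaced and the
    conflicting half of each CONFLICTS pair removed, in pfSense's format."""
    opts = parse_options(text)
    present = {name for name, _ in opts} | set(generated)
    drop = {b for a, b in CONFLICTS if a in present and b in present}
    out = []
    for name, args in opts:
        if name in drop:
            continue
        if name in DEPRECATED:
            out.append(" ".join(DEPRECATED[name](args)))
        else:
            out.append(" ".join([name] + args))
    return "; ".join(out) + ";"


if __name__ == "__main__":
    for warning in lint(SAMPLE_OPTIONS):
        print(warning)
    print(rewrite(SAMPLE_OPTIONS))
```

Running it against the sample reports the deprecated --tls-remote and --ns-cert-type and the --local/--nobind clash, and the rewritten string carries `verify-x509-name server name` and `remote-cert-tls server` with `nobind` gone, which is the shape of the second config in the post. It does not judge whether the remaining options (fragment, mssfix, route-method) are appropriate for the platform; that is left to OpenVPN's own option parser and its log.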



  • powerextreme,

    Did you ever get a solution for this issue?

    I am facing exactly the same behavior.

    Response highly appreciated ;)



  • Pretty much the same problems you both have, I'm getting (depending on which variation of things I enter).

    But…........I hope you are NOT putting all those parameters in the advanced options block... :o :o

    dev tun; <<<<< You do this at the top of the page, if you do it again at the bottom you'll get an ERROR.......
    fast-io;
    persist-key; <<<<< Don't need this in Pfsense, I believe it's a default setting.....................
    persist-tun; <<<<<<<< Pfsense will retry to connect your Tunnel I believe at least 3 times before it quits..........................
    replay-persist cur-replay-protection.cache; nobind; <<<<<<<<<<<<<< I don't think you need these except in very, very special cases or unusual configuration.....................
    remote-random; <<<< never seen this one................??????
    pull; ????????
    comp-lzo; <<<<<<< this is a checkbox on the configuration page..don't need it twice..................
    tls-client; tls-remote server; <<<<<<<< These go in the Advanced settings box..................
    ns-cert-type server; <<<< Not sure on this one for your configuration..................
    verb 5; <<<<<<< use this one to give you a verbose output for troubleshooting...........
    key-direction 1; <<<<< Not unless your provider requires this one......................
    route-method exe; route-delay 2; <<<<<< Not says to use these..............
    tun-mtu 1500; <<<<<< is set on configuration page (of client) and pfsense default setting.......................
    fragment 1300; mssfix 1450;
    I am only using (or trying to use) the Client......
    My settings for Private Internet Access

    Server Mode......Peer to Peer (SSL/TLS)
    Protocol.........UDP
    Device mode.....tun
    Interface......WAN
    Local Port .............empty
    Server Host or address.............my-location.privateinternetaccess.com
    Server Port...........1194 (also default)
    Proxy Host ............none
    Proxy Port.............none
    Proxy auth.......NONE
    Server host name resolution...............Checked ---Infinitely
    Description of Course

    TLS ....................NOT checked (yours maybe depending on your provider)
    Peer Certificate Authority...........PIA (in my case)
    Client Certificate.............PIA user cert ----(signed with PIA Cert Authority, created by signing my CA with theirs)
    Encryption Algorithm .........BF-CBC (128-bit) in my case
    No Hardware Crypto

    Tunnel settings depend on your usage....I'm not real clear on that yet. I may be required to set this up some unusual way as I don't want all my network traffic to go out through the Tunnel, only certain users and IPs. I believe that if you don't mind ALL traffic going out thru the tunnel, that not much if anything is done with this.................I COULD be very wrong on this...take this bit with a grain of salt.

    Compression ...........Checked for LZO....in my case (most cases I believe)

    Now.............this is ALL I have in my advanced settings:

    verb 5;
    auth-user-pass /etc/openvpn-password.txt
    remote-cert-tls server

    Hope it Helps some............Nothing like the blind leading the blind, but maybe if you get enough angles we'll all be able to figure it out right...........



  • try bringing up a shell and executing the line that is failing

    /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
    ya might get a better error message.

    i see this when the vpn becomes disconnected and your user/group is deprecated and can't be removed.
    when it re-tries it hasn't dropped permissions yet. But that's a second pass and it is still there so it fails.

    see if the tun is there with ifconfig.

