PfSense to OpenVPN but errors

powerextreme

Hello, I am configuring the pfSense to work with ExpressVPN(OpenVPN 2.3.2) . I have actually gotten it to work but it only works on one of their servers I get errors on the other ones. I compared the config files for each of their servers and the only difference in them is the server name. I download their .ovpn files and took the OpenVPN options out of them and placed them into pfsense. The config options from their file are:

dev tun; fast-io; persist-key; persist-tun;replay-persist cur-replay-protection.cache; nobind; remote-random; pull; comp-lzo; tls-client; tls-remote server; ns-cert-type server; verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;

But this returns the following errors:
Feb 10 04:08:20 openvpn[97173]: DEPRECATED OPTION: –tls-remote, please update your configuration
Feb 10 04:08:20 openvpn[97173]: Options error: –local and --nobind don't make sense when used together

So I did some research and come up with the fix to the first error with the ‘verify-x509-name server name’ based on the errors I was getting it wanted to verify the CN name which is ‘server’.

Feb 10 04:39:07 openvpn[13487]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Feb 10 04:39:08 openvpn[13487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 10 04:39:08 openvpn[13487]: UDPv4 link local (bound): [AF_INET]X.X.X.X
Feb 10 04:39:08 openvpn[13487]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y :1194
Feb 10 04:39:08 openvpn[13487]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=47abcd6 90050be5
Feb 10 04:39:08 openvpn[13487]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
Feb 10 04:39:08 openvpn[13487]: VERIFY OK: nsCertType=SERVER
Feb 10 04:39:08 openvpn[13487]: VERIFY X509NAME ERROR: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain, must be server1
Feb 10 04:39:08 openvpn[13487]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS object -> incoming plaintext read error
Feb 10 04:39:08 openvpn[13487]: TLS Error: TLS handshake failed
Feb 10 04:39:08 openvpn[13487]: SIGUSR1[soft,tls-error] received, process restarting

So now the config looks like this:

dev tun; fast-io; persist-key; persist-tun;replay-persist cur-replay-protection.cache;remote-random; pull; comp-lzo; tls-client; verify-x509-name server name; ns-cert-type server; verb 3; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;

Everything looks good but I get an error at the end:

Feb 10 04:45:23 openvpn[71487]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 10 04:45:23 openvpn[71487]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 10 04:45:23 openvpn[71487]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Feb 10 04:45:23 openvpn[71487]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Feb 10 04:45:23 openvpn[71487]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 04:45:23 openvpn[71487]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 04:45:23 openvpn[71487]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 10 04:45:23 openvpn[71783]: UDPv4 link local (bound): [AF_INET]X.X.X.X
Feb 10 04:45:23 openvpn[71783]: UDPv4 link remote: [AF_INET]Y.Y.Y.Y:1194
Feb 10 04:45:23 openvpn[71783]: TLS: Initial packet from [AF_INET]Y.Y.Y.Y:1194, sid=c039945a e9799e29
Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
Feb 10 04:45:24 openvpn[71783]: VERIFY OK: nsCertType=SERVER
Feb 10 04:45:24 openvpn[71783]: VERIFY X509NAME OK: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
Feb 10 04:45:24 openvpn[71783]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 10 04:45:27 openvpn[71783]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 10 04:45:27 openvpn[71783]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 04:45:27 openvpn[71783]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Feb 10 04:45:27 openvpn[71783]: [server] Peer Connection Initiated with [AF_INET]Y.Y.Y.Y:1194
Feb 10 04:45:29 openvpn[71783]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Feb 10 04:45:29 openvpn[71783]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: –ifconfig/up options modified
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: route options modified
Feb 10 04:45:29 openvpn[71783]: OPTIONS IMPORT: –ip-win32 and/or --dhcp-option options modified
Feb 10 04:45:29 openvpn[71783]: ROUTE_GATEWAY A.A.A.A
Feb 10 04:45:29 openvpn[71783]: TUN/TAP device /dev/tun1 opened
Feb 10 04:45:29 openvpn[71783]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 10 04:45:29 openvpn[71783]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
Feb 10 04:45:29 openvpn[71783]: FreeBSD ifconfig failed: external program exited with error status: 1
Feb 10 04:45:29 openvpn[71783]: Exiting due to fatal error

It looks like it should be working. Any ideas?

CosmoNerd

powerextreme,

Did you ever get a solution for this issue?

I am facing exactly the same behavior.

Response highly appreciated ;)

saytar

Pretty much the same problems you both have, I'm getting (depending on which variation of things I enter).

But…........I hope you are NOT putting all those paramerter's all in the advanced option's block... :o :o

dev tun;<<<<< You do this at the top of the page, if you do it again at the bottom you'll get and ERROR....... fast-io; persist-key;<<<<< Don't need this in Pfsense I believe it's a default setting..................... persist-tun;<<<<<<<< Pfsense will retry to connect your Tunnel I believe at least 3 times before it quits..........................replay-persist cur-replay-protection.cache; nobind;<<<<<<<<<<<<<< I don't think you need these except in very, very special cases or unusual configuration..................... remote-random; <<<< never seen this one................?????? pull;  ???????? comp-lzo; <<<<<<< this is a checkbox on the configuration page..don't need it twice.................. tls-client; tls-remote server;<<<<<<<< These go in the Advanced settings box.................. ns-cert-type server;<<<< Not sure on this one for your configuration.................. verb 5; <<<<<<< use this one to give you a verbose output for troubleshooting...........key-direction 1;<<<<< <not unless="" your="" provider="" require's="" this="" one......................route-method="" exe;="" route-delay="" 2;<<<<<<="" not="" says="" to="" use="" these..............tun-mtu="" 1500;="" <<<<<<="" is="" set="" on="" configuration="" page="" (of="" client)="" and="" pfsense="" default="" setting.......................fragment="" 1300;mssfix="" 1450;<br="">I am only using (or trying to use) the Client......
My settings for Private Internet Access

Server Mode......Peer to Peer (SSL/TLS)
Protocol.........UDP
Device mode.....tun
Interface......WAN
Local Port .............empty
Server Host or address.............my-location.privateinternetaccess.com
Server Port...........1194 (also default)
Proxy Host ............none
Proxy Port.............none
Proxy auth.......NONE
Server host name resolution...............Checked ---Infinitely
Description of Course

TLS ....................NOT checked (yours maybe depending on your provider)
Peer Certificate Authority...........PIA (in my case)
Client Certificate.............PIA user cert ----(signed with PIA Cert Authority, created by signing my CA with theirs)
Encryption Alogrithm .........BF-CBC (128-bit) in my case
No Hardware Crypto

Tunnel settings depend on your usage....I' not real clear on that yet I may be required to set this up some unusual way as I don't want all my network traffic to go out through the Tunnel, Only certain user's and IP's. I believe that if you don't mind ALL traffic going out thru the tunnel, that not much if anything is done with this.................I COULD be very wrong on this...take this bit with a grain of salt.

Compression ...........Checked for LZO....in my case (most case's I believe)

Now.............this is ALL I have in my advanced settings:

verb5;
auth-user-pass /etc/openvpn-password.txt
remote-cert-tls server

Hope it Helps some............Nothing like the blind leading the blind, but maybe if you get enough angles we'll all be able to figure it out right...........</not>

steve_cohen

try bringing up a shell and executing the line that is failing

/sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
ya might get a better error message.

i see this when the vpn becomes disconnected and your user/group is depreciated and can't be removed.
when it re-tries it hasn't dropped permissions yet. But that's a second pass and it is still there so it fails.

see if the tun is there with ifconfig.