Having trouble with making a connection to VyprVPN



  • Hey guys,

    I've been wrangling trying to set up an OpenVPN connection to VyprVPN/Goldenfrog for a few days now. I've gone through the guide over at https://forum.pfsense.org/index.php?topic=35292.0, which seemed to be the most specific VyprVPN specific tutorial out there, but I'm still having connection issues after following the steps. I think I might be missing some pieces considering the screenshots the author linked to are now invalid.

    I wanted to set this up to alleviate some buffering issues with Netflix due to the Cogent peering issue that's going on between VZ and Cogent right now (since I'm on FiOS). I don't have too much of a problem usually, but during high peak times I can't sustain an HD stream without it dropping out constantly, so I figured I'd evaluate. Since I'm a Giganews customer, I just went ahead and added VyprVPN for the package deal instead of going through a different provider. Since they include a few connections along with a decent client, I figured I'd give this a shot. After setting everything up, I get presented with:

    Then in the logs:

    Feb 23 18:21:37 	openvpn[2163]: push_ifconfig_ipv6_remote = ::
    Feb 23 18:21:37 	openvpn[2163]: enable_c2c = DISABLED
    Feb 23 18:21:37 	openvpn[2163]: duplicate_cn = DISABLED
    Feb 23 18:21:37 	openvpn[2163]: cf_max = 0
    Feb 23 18:21:37 	openvpn[2163]: cf_per = 0
    Feb 23 18:21:37 	openvpn[2163]: max_clients = 1024
    Feb 23 18:21:37 	openvpn[2163]: max_routes_per_client = 256
    Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_verify_script = '[UNDEF]'
    Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_verify_script_via_file = DISABLED
    Feb 23 18:21:37 	openvpn[2163]: port_share_host = '[UNDEF]'
    Feb 23 18:21:37 	openvpn[2163]: port_share_port = 0
    Feb 23 18:21:37 	openvpn[2163]: client = ENABLED
    Feb 23 18:21:37 	openvpn[2163]: pull = ENABLED
    Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_file = '/cf/conf/Vypr.pas'
    Feb 23 18:21:37 	openvpn[2163]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
    Feb 23 18:21:37 	openvpn[2163]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
    Feb 23 18:21:37 	openvpn[2163]: WARNING: file '/cf/conf/Vypr.pas' is group or others accessible
    Feb 23 18:21:37 	openvpn[2163]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 23 18:21:37 	openvpn[2163]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 23 18:21:37 	openvpn[2163]: Initializing OpenSSL support for engine 'cryptodev'
    Feb 23 18:21:37 	openvpn[2163]: LZO compression initialized
    Feb 23 18:21:37 	openvpn[2163]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 23 18:21:37 	openvpn[2163]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 23 18:21:38 	openvpn[2163]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 23 18:21:38 	openvpn[2163]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
    Feb 23 18:21:38 	openvpn[2163]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
    Feb 23 18:21:38 	openvpn[2163]: Local Options hash (VER=V4): '22188c5b'
    Feb 23 18:21:38 	openvpn[2163]: Expected Remote Options hash (VER=V4): 'a8f55717'
    Feb 23 18:21:38 	openvpn[2377]: UDPv4 link local (bound): [AF_INET]173.69.59.163
    Feb 23 18:21:38 	openvpn[2377]: UDPv4 link remote: [AF_INET]216.168.3.151:1194
    Feb 23 18:21:38 	openvpn[2377]: TLS: Initial packet from [AF_INET]216.168.3.151:1194, sid=138bd116 3fb27f06
    Feb 23 18:21:38 	openvpn[2377]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 23 18:21:38 	openvpn[2377]: VERIFY OK: depth=1, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, emailAddress=admin@goldenfrog.com
    Feb 23 18:21:38 	openvpn[2377]: VERIFY OK: depth=0, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=us2.vpn.giganews.com, emailAddress=admin@goldenfrog.com
    Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
    Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: CMD 'state 1'
    Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: Client disconnected
    Feb 23 18:21:40 	openvpn[2377]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    Feb 23 18:21:40 	openvpn[2377]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    Feb 23 18:21:40 	openvpn[2377]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
    Feb 23 18:21:40 	openvpn[2377]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 23 18:21:40 	openvpn[2377]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 23 18:21:40 	openvpn[2377]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 23 18:21:40 	openvpn[2377]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 23 18:21:40 	openvpn[2377]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb 23 18:21:40 	openvpn[2377]: [us2.vpn.giganews.com] Peer Connection Initiated with [AF_INET]216.168.3.151:1194
    Feb 23 18:21:43 	openvpn[2377]: SENT CONTROL [us2.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
    Feb 23 18:21:43 	openvpn[2377]: AUTH: Received control message: AUTH_FAILED
    Feb 23 18:21:43 	openvpn[2377]: TCP/UDP: Closing socket
    Feb 23 18:21:43 	openvpn[2377]: SIGTERM[soft,auth-failure] received, process exiting
    

    Here's what I have set up:



    I've tried toggling 256 bit encryption to 128 bit, no go. Switched the port to 443, but that didn't work either. Enabled the LZO algorithm on and off, as well as TLS'ing the packets, but nothing has worked.


  • Rebel Alliance Global Moderator

    well this seems to point to auth, password username issue

    AUTH: Received control message: AUTH_FAILED

    I assume you have your username and password in here
    /cf/conf/Vypr.pas



  • @johnpoz:

    well this seems to point to auth, password username issue

    AUTH: Received control message: AUTH_FAILED

    I assume you have your username and password in here
    /cf/conf/Vypr.pas

    Yeah, I do. Username is on the first line, password on the second.

    I think the permissions look okay:

    -rw-r--r--  1 root  wheel      27 Feb 24 12:00 Vypr.pas



  • WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    

    Someone else just recently mentioned that BF-CBC had to be set on their VPN connection. Try changing AES to BF-CBC.
    and pick 128 bit key - like the next message suggests
    and there are some messages about MTU - but I would try sorting out the cipher first, before messing with MTU settings.
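
The warnings discussed in this thread can be pulled out of an OpenVPN client log mechanically. This is an added example, not code from any poster or from pfSense/OpenVPN: the sample lines are copied from the log in the first post, while `triage` and the label strings are hypothetical names chosen for this sketch.

```python
import re

# Constructed sample: lines copied from the log quoted in the first post.
SAMPLE_LOG = """\
Feb 23 18:21:37 openvpn[2163]: WARNING: file '/cf/conf/Vypr.pas' is group or others accessible
Feb 23 18:21:37 openvpn[2163]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 23 18:21:40 openvpn[2377]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Feb 23 18:21:40 openvpn[2377]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Feb 23 18:21:40 openvpn[2377]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Feb 23 18:21:43 openvpn[2377]: AUTH: Received control message: AUTH_FAILED
"""

# local='<opt> <value>' vs remote='<opt> <value>' from the options-string check
MISMATCH = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)

# Message substring -> label (labels are this example's own wording)
HYGIENE = {
    "is group or others accessible": "credentials-file-permissions",
    "No server certificate verification method": "no-server-cert-verification",
    "may cache passwords in memory": "password-cached-in-memory",
}
FAILURES = {
    "AUTH_FAILED": "auth-failed",
    "bad packet ID (may be a replay)": "replay-or-reordering",
}

def triage(log_text):
    """Group OpenVPN client log lines into mismatches, hygiene warnings, failures."""
    report = {"mismatches": {}, "hygiene": [], "failures": []}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            # Drop the option name, keep the value: 'cipher BF-CBC' -> 'BF-CBC'
            local = m["local"].partition(" ")[2]
            remote = m["remote"].partition(" ")[2]
            report["mismatches"][m["opt"]] = (local, remote)
            continue
        for bucket, table in (("hygiene", HYGIENE), ("failures", FAILURES)):
            for needle, label in table.items():
                if needle in line and label not in report[bucket]:
                    report[bucket].append(label)
    return report

if __name__ == "__main__":
    for section, found in triage(SAMPLE_LOG).items():
        print(section, found)
```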



  • @phil.davis:

    WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    

    Someone else just recently mentioned that BF-CBC had to be set on their VPN connection. Try changing AES to BF-CBC.
    and pick 128 bit key - like the next message suggests
    and there are some messages about MTU - but I would try sorting out the cipher first, before messing with MTU settings.

    Thanks. I did change that to BF-CBC after looking through the log, but still no such luck with it fully connecting, unfortunately. I still get that auth message at the very end of the log, like without the change, which continues to be perplexing. I have logged into the VyprVPN portal with the username and password combination successfully, as well as used the client before on a Windows machine to test account connectivity, and all was well. However, pfSense seems to still have trouble.



  • Interestingly enough, it managed to connect after the trial was over and it charged my card. Strange. Support couldn't explain that one either, but maybe it was just some sort of fluke.

    However, when the OpenVPN connection sets up and connects to VyprVPN, I can no longer access anything out on the Internet on any connected machine. I don't have any rule sets for the whole LAN segment to route out via VyprVPN, etc. If I disable it, then I can get back out to the Internet.

    Also looks like I keep getting messages of:

    Mar 1 20:24:25 	openvpn[41699]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #18477269 / time = (1393696330) Sat Mar 1 12:52:10 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    

    Any ideas what that could be?