Having trouble with making a connection to VyprVPN

simplyzero · Feb 24, 2014, 4:41 PM

Hey guys,

I've been wrangling trying to setup an OpenVPN connection to VyprVPN/Goldenfrog for a few days now. I've gone through the guide over at https://forum.pfsense.org/index.php?topic=35292.0, which seemed to be the most specific VyprVPN specific tutorial out there, but I'm still having connection issues after following the steps. I think I might be missing some pieces considering the screenshots the author linked to are now invalid.

I wanted to set this up to alleviate some buffering issues with Netflix due to the Cogent peering issue that's going on between VZ and Cogent right now (since I'm on FiOS). I don't have too much of a problem usually, but during high peek times I can't sustain an HD stream without it dropping out constantly, so I figured I'd evaluate. Since I'm a Giganews customer, I just went ahead and added VyprVPN for the package deal instead of going through a different provider. Since they include a few connections along with a decent client, I figured I'd give this a shot. After setting everything up, I get presented with:

Then in the logs:

Feb 23 18:21:37 	openvpn[2163]: push_ifconfig_ipv6_remote = ::
Feb 23 18:21:37 	openvpn[2163]: enable_c2c = DISABLED
Feb 23 18:21:37 	openvpn[2163]: duplicate_cn = DISABLED
Feb 23 18:21:37 	openvpn[2163]: cf_max = 0
Feb 23 18:21:37 	openvpn[2163]: cf_per = 0
Feb 23 18:21:37 	openvpn[2163]: max_clients = 1024
Feb 23 18:21:37 	openvpn[2163]: max_routes_per_client = 256
Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_verify_script = '[UNDEF]'
Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_verify_script_via_file = DISABLED
Feb 23 18:21:37 	openvpn[2163]: port_share_host = '[UNDEF]'
Feb 23 18:21:37 	openvpn[2163]: port_share_port = 0
Feb 23 18:21:37 	openvpn[2163]: client = ENABLED
Feb 23 18:21:37 	openvpn[2163]: pull = ENABLED
Feb 23 18:21:37 	openvpn[2163]: auth_user_pass_file = '/cf/conf/Vypr.pas'
Feb 23 18:21:37 	openvpn[2163]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
Feb 23 18:21:37 	openvpn[2163]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
Feb 23 18:21:37 	openvpn[2163]: WARNING: file '/cf/conf/Vypr.pas' is group or others accessible
Feb 23 18:21:37 	openvpn[2163]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 23 18:21:37 	openvpn[2163]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 23 18:21:37 	openvpn[2163]: Initializing OpenSSL support for engine 'cryptodev'
Feb 23 18:21:37 	openvpn[2163]: LZO compression initialized
Feb 23 18:21:37 	openvpn[2163]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 23 18:21:37 	openvpn[2163]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 23 18:21:38 	openvpn[2163]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 23 18:21:38 	openvpn[2163]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Feb 23 18:21:38 	openvpn[2163]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Feb 23 18:21:38 	openvpn[2163]: Local Options hash (VER=V4): '22188c5b'
Feb 23 18:21:38 	openvpn[2163]: Expected Remote Options hash (VER=V4): 'a8f55717'
Feb 23 18:21:38 	openvpn[2377]: UDPv4 link local (bound): [AF_INET]173.69.59.163
Feb 23 18:21:38 	openvpn[2377]: UDPv4 link remote: [AF_INET]216.168.3.151:1194
Feb 23 18:21:38 	openvpn[2377]: TLS: Initial packet from [AF_INET]216.168.3.151:1194, sid=138bd116 3fb27f06
Feb 23 18:21:38 	openvpn[2377]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 23 18:21:38 	openvpn[2377]: VERIFY OK: depth=1, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, emailAddress=admin@goldenfrog.com
Feb 23 18:21:38 	openvpn[2377]: VERIFY OK: depth=0, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=us2.vpn.giganews.com, emailAddress=admin@goldenfrog.com
Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: CMD 'state 1'
Feb 23 18:21:40 	openvpn[2377]: MANAGEMENT: Client disconnected
Feb 23 18:21:40 	openvpn[2377]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Feb 23 18:21:40 	openvpn[2377]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Feb 23 18:21:40 	openvpn[2377]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Feb 23 18:21:40 	openvpn[2377]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 23 18:21:40 	openvpn[2377]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 18:21:40 	openvpn[2377]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 23 18:21:40 	openvpn[2377]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 23 18:21:40 	openvpn[2377]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 23 18:21:40 	openvpn[2377]: [us2.vpn.giganews.com] Peer Connection Initiated with [AF_INET]216.168.3.151:1194
Feb 23 18:21:43 	openvpn[2377]: SENT CONTROL [us2.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
Feb 23 18:21:43 	openvpn[2377]: AUTH: Received control message: AUTH_FAILED
Feb 23 18:21:43 	openvpn[2377]: TCP/UDP: Closing socket
Feb 23 18:21:43 	openvpn[2377]: SIGTERM[soft,auth-failure] received, process exiting

Here's what I have setup:

I've tried toggling 256 bit encryption to 128 bit, no go. Switched the port to 443, but that didn't work either. Enabled the LZO algorithm on and off, as well as TLS'ing the packets, but nothing has worked.

johnpoz · Feb 25, 2014, 12:39 AM

well this seems to point to auth, password username issue

AUTH: Received control message: AUTH_FAILED

I assume you have your username and password in here
/cf/conf/Vypr.pas

simplyzero · Feb 25, 2014, 2:44 AM

@johnpoz:

well this seems to point to auth, password username issue

AUTH: Received control message: AUTH_FAILED

I assume you have your username and password in here
/cf/conf/Vypr.pas

Yeah, I do. Username is on the first line, password on the second.

I think the permissions look okay:

-rw-r–r-- 1 root wheel 27 Feb 24 12:00 Vypr.pas

phil.davis · Feb 25, 2014, 4:50 PM

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

Someone else just recently mentioned that BF-CBC had to be set on their VPN connection. Try changing AES to BF-CBC.
and pick 128 bit key - like the next message suggests
and there are some messages about MTU - but I would try sorting out the cipher first, before messing with MTU settings.

simplyzero · Feb 25, 2014, 4:53 PM

@phil.davis:

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Someone else just recently mentioned that BF-CBC had to be set on their VPN connection. Try changing AES to BF-CBC.
and pick 128 bit key - like the next message suggests
and there are some messages about MTU - but I would try sorting out the cipher first, before messing with MTU settings.

Thanks. I did change that to BF-CBC after looking through the log, but still no such luck with it fully connecting, unfortunately. I still get that auth message at the very end of the log like without the change, which continues to be perplexing. I have logged into the Vyprvpn portal with the username and password combination successfully, as well as used the client before on a Windows machine to test account connectivity, and all was well. However, pfsense seems to still have trouble.

simplyzero · Mar 2, 2014, 2:17 AM

Interesting enough, it managed to connect after the trial was over and it charged my card. Strange. Support couldn't explain that one either, but maybe it was just some sort of fluke.

However, when the OpenVPN connection sets up and connects to Vyprvpn, I no longer can access anything out on the Internet on any connected machine. I don't have any rule sets for the whole LAN segment to route out via Vyprvpn, etc. If I disable it, then I can get back out to the Internet.

Also looks like I keep getting messages of:

Mar 1 20:24:25 	openvpn[41699]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #18477269 / time = (1393696330) Sat Mar 1 12:52:10 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Any ideas what that could be?