2.1 / OpenVPN /PIA: can't get it to work



  • G'day lovers of the finest firewall in the world  ;D

    I am at a new attempt to use a VPN client to 'privatize' my internet usage a little bit more. Given the recommendations in this forum in some threads that PIA, PrivateInternetAccess, is a solid choice I bought a one month subscription to see if I could get it to work.

    And of course, I couldn't  :-[

    As another member already said: the PIA 'tutorial' sucks big time (VacantSouls, here: https://forum.pfsense.org/index.php?topic=65597.0). (The PIA tuto is here, btw: it leaves out at least 70% of the config: https://www.privateinternetaccess.com/pages/client-support/#pfsense_openvpn).

    So, as many people did, I followed this tutorial here:

    http://www.komodosteve.com/archives/232

    However, that doesn't seem to work for me either. Right under Enable Interface, KomodoSteve writes:

    [quote]
    Go to System: Routing and make sure the Gateway has an IP address
    [/quote]

    For me (of course  ;D) it doesn't. I do have a private IP address, however, 10.145.1.6 (screenshot).

    I tried the NAT-thing that KomodoSteve wrote about afterwards, I rebooted the box, but nothing.

    As, with many things in life (except for economics and accounting  :P) I don't actually have a clue what I am doing and what I am to do next.

    I also did look in the config file that member VacantSouls posted in the above, and I think most looks similar to what I have configured in the GUI (screenshot). There is an exception, though, as in this config file there is also this:

    <caref>51a27acd681a9</caref>
    <certref>3e123151f39f9</certref>

    I have no clue why and how that is there, and how and where I should add something as similar to this in my config (I have no clue where his config file comes from in the first place).

    I was emailed this error as well:

    ERROR: FreeBSD route delete command failed: external program exited with error status: 1

    Which appears to happen randomly (as I tried to set it up 7 times now, and two times I got this error, 5 times I did not get this error. I am pretty sure I did exactly the same thing 7 times). I found several threads in this forum with that error, but none of them had information my limited brain could understand.

    The OpenVPN-log in the GUI says this:

    Apr 14 16:52:59 openvpn[63808]: Initialization Sequence Completed
    Apr 14 16:52:59 openvpn[63808]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.145.1.6 10.145.1.5 init
    Apr 14 16:52:59 openvpn[63808]: /sbin/ifconfig ovpnc1 10.145.1.6 10.145.1.5 mtu 1500 netmask 255.255.255.255 up
    Apr 14 16:52:59 openvpn[63808]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 14 16:52:59 openvpn[63808]: TUN/TAP device /dev/tun1 opened
    Apr 14 16:52:59 openvpn[63808]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 14 16:52:56 openvpn[63808]: [server] Peer Connection Initiated with [AF_INET]46.165.208.194:1194
    Apr 14 16:52:56 openvpn[63808]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 14 16:52:56 openvpn[63808]: UDPv4 link remote: [AF_INET]46.165.208.194:1194
    Apr 14 16:52:56 openvpn[63808]: UDPv4 link local (bound): [AF_INET]---MY CABLE ISP EXTERNAL ADDRESS HERE---
    Apr 14 16:52:56 openvpn[63739]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 14 16:52:56 openvpn[63739]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 16:52:56 openvpn[63739]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013
    Apr 14 16:52:56 openvpn[27116]: SIGTERM[hard,] received, process exiting
    Apr 14 16:52:56 openvpn[27116]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.115.1.6 10.115.1.5 init
    Apr 14 16:52:56 openvpn[27116]: ERROR: FreeBSD route delete command failed: external program exited with error status: 1
    Apr 14 16:52:56 openvpn[27116]: ERROR: FreeBSD route delete command failed: external program exited with error status: 1
    Apr 14 16:52:56 openvpn[27116]: ERROR: FreeBSD route delete command failed: external program exited with error status: 1
    Apr 14 16:52:56 openvpn[27116]: event_wait : Interrupted system call (code=4)
    Apr 14 16:49:44 openvpn[27116]: Initialization Sequence Completed
    Apr 14 16:49:44 openvpn[27116]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.115.1.6 10.115.1.5 init
    Apr 14 16:49:44 openvpn[27116]: /sbin/ifconfig ovpnc1 10.115.1.6 10.115.1.5 mtu 1500 netmask 255.255.255.255 up
    Apr 14 16:49:44 openvpn[27116]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 14 16:49:44 openvpn[27116]: TUN/TAP device /dev/tun1 opened
    Apr 14 16:49:44 openvpn[27116]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 14 16:49:42 openvpn[27116]: [server] Peer Connection Initiated with [AF_INET]46.165.208.194:1194
    Apr 14 16:49:42 openvpn[27116]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 14 16:49:42 openvpn[27116]: UDPv4 link remote: [AF_INET]46.165.208.194:1194
    Apr 14 16:49:42 openvpn[27116]: UDPv4 link local (bound): [AF_INET]---MY CABLE ISP EXTERNAL ADDRESS HERE---
    Apr 14 16:49:42 openvpn[26850]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 14 16:49:42 openvpn[26850]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 16:49:41 openvpn[26850]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013

    I've set this up on my WAN2, which is cable, as on my WAN1, which is VDSL, it refused to do it too. I forgot the exact errors (and in the meantime my pfSense crashed and spontaneously rebooted), but I do recall it was trying mtu 1500 whereas for VDSL this has to be 1492, so perhaps this has something to do with it.

    SO, I have no external IP and no gateway where KomodoSteve wrote I should have one. Rebooting the box didn't help; deleting and recreating the NAT-rules also didn't help. I also tried setting the PIA-interface to DHCP (guessing it would then take an external IP or something like that, but it didn't). I made pfSense crash hard when I changed the interface to PPPoE and entered my UID/PWD in the login details.

    I don't know what to do next  :'(

    Would anybody know what I can do to make this work? I've been trying for three days, and it is frustrating  :'(

    I don't mind switching to a different VPN-provider if that is a better one (their own manual disappoints me, and given that it still is the same six months after member VacantSouls reported to them that their manual is wrong, I am already getting an implicit signal about their 'service'. On top of that, it appears that the 'BF-CBC (128-bit)' that PIA uses is insecure according to Phil Zimmermann, at least that is what the competitor says: https://airvpn.org/topic/10213-installing-a-pfsense-box-with-airvpn/page-3).

    Also, I don't mind making a bounty of this if somebody wants me to treat them to coffee  ;D

    I will attach screenshots next.

    Thank you in advance very much for any help  ;D

    Bye,

    EDIT: I found the missing part of the PIA 'support' manual ( ;D ;D ;D):

    https://support.privateinternetaccess.com/?/Knowledgebase/Article/View/29/0/pfsense-20

    Basically what this changes is that the CA-certificates are imported into the cert-manager, instead of feeding them to OpenVPN via advanced settings (auth-user-pass /etc/openvpn-password.txt and ca /etc/ca.crt). The end result however is the same: there is no gateway, although the internal 10.x address is there. And the log also shows exactly the same as I posted in the above.

    :-[

    EDIT2: thanks to a much better tutorial by a competitor, IBVPN, http://www.ibvpn.com/billing/knowledgebase/63/OpenVPN-setup-on-pfSense-firewall.html, I discovered that the strange VPN6-name came from the fact that in system/routing it was IPv6 instead of IPv4. I changed it, restarted everything, but still nothing. I can't add a monitoring IP though, since I don't know which one it should be  :-X

    ![1. OpenVPN-client.jpg](/public/imported_attachments/1/1. OpenVPN-client.jpg)



  • Pic:

    ![2. Interfaces - assign.jpg](/public/imported_attachments/1/2. Interfaces - assign.jpg)



  • Pic:

    ![3. Interface - PIA.jpg](/public/imported_attachments/1/3. Interface - PIA.jpg)



  • Pic:

    ![4. System_gateways.jpg](/public/imported_attachments/1/4. System_gateways.jpg)



  • Pic:

    ![5. System_routes.jpg](/public/imported_attachments/1/5. System_routes.jpg)



  • Pic:

    ![6. Firewall_NAT.jpg](/public/imported_attachments/1/6. Firewall_NAT.jpg)



  • And the final pic:

    ![7. Status_dashboard.jpg](/public/imported_attachments/1/7. Status_dashboard.jpg)



  • Hmmm  :P

    Thanks to this fine thread:

    https://forum.pfsense.org/index.php?topic=24435.msg126272#msg126272

    I've added:

    verb 5

    to the advanced settings of the OpenVPN client (part of the instruction in this thread is wrong, as:

    21. In the 'Advanced' field, we need to enter several options, all separated by a ';'

    leads to OpenVPN refusing to start. SO I just put it on a separate line, and then it starts again).

    Anyway, the above thread says:

    3. The line you need to look for is the one that says:


    openvpn[49520]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 195.24.72.6,dhcp-option DNS 83.243.8.6,dhcp-option DNS 4.2.2.4,route 10.0.61.1,topology net30,ifconfig 10.0.61.54 10.0.61.53'

    4. If that line says 'redirect-gateway def1', then your pfSense should be routing all traffic over the VPN connection. Browse to a 'what's my IP' page, and see if your connection is coming from another IP than your own

    Well, my log says just that:

    Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,topology net30,ifconfig 10.155.1.6 10.155.1.5'

    The log is saying something else which I don't understand (but there are many, many, many things I don't understand  ;D):

    Apr 14 18:53:43 openvpn[32022]: ROUTE_GATEWAY ---HERE IS MY EXTERNAL CABLE ISP---

    Would the bold part make sense?

    Thank you again for any help ;D,

    Bye



  • I forgot to add: I also disabled Snort on the WAN2-interface, thinking perhaps that would block something. But no results.



  • I am a pitbull  ;D ;D ;D

    Thanks to Elkmoose here: https://forum.pfsense.org/index.php?topic=48847.msg258640#msg258640

    I went into:

    /var/etc/openvpn and should have a name like "clientN.conf"

    In there I found:

    dev ovpnc1
    dev-type tun
    tun-[b]ipv6[/b]
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local ---MY OWN EXTERNAL CABLE ISP ADDRESS---
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote us-east.privateinternetaccess.com 1194
    [b]ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key[/b]
    comp-lzo
    auth-user-pass /etc/openvpn-password.txt
    verb 5

    I think I will try to change the ipv6 to ipv4 and see what gives.

    I have no clue about the bold parts concerning the certificates. I think I would expect /etc/ca.crt.



  • @Hollander:

    I think I will try to change the ipv6 to ipv4 and see what gives.

    Duh  :'(

    It stopped, and the log isn't very clear:

    System logs: general:

    Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(opt1).
    Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(wan).
    Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
    Apr 14 19:13:08 php: rc.filter_configure_sync: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:13:05 check_reload_status: Reloading filter
    Apr 14 19:13:05 php: /status_services.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(opt1).
    Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(wan).
    Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
    Apr 14 19:12:09 php: rc.filter_configure_sync: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:07 php: /status_services.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
    Apr 14 19:12:06 check_reload_status: Reloading filter
    Apr 14 19:12:06 kernel: ovpnc1: link state changed to DOWN
    Apr 14 19:11:52 sshd[62061]: Accepted keyboard-interactive/pam for root from 192.168.23.42 port 52118 ssh2

    System logs: OpenVPN:

    Apr 14 19:12:06 openvpn[32022]: SIGTERM[hard,] received, process exiting
    Apr 14 19:12:06 openvpn[32022]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.155.1.6 10.155.1.5 init
    Apr 14 19:12:06 openvpn[32022]: Closing TUN/TAP interface
    Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 128.0.0.0 10.155.1.5 128.0.0.0
    Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 0.0.0.0 10.155.1.5 128.0.0.0
    Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 68.232.186.243 MY CABLE GATEWAY 255.255.255.255
    Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 10.155.1.1 10.155.1.5 255.255.255.255
    Apr 14 19:12:06 openvpn[32022]: TCP/UDP: Closing socket
    Apr 14 19:12:06 openvpn[32022]: event_wait : Interrupted system call (code=4)
    Apr 14 18:53:43 openvpn[32022]: Initialization Sequence Completed
    Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 10.155.1.1 10.155.1.5 255.255.255.255
    Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 128.0.0.0 10.155.1.5 128.0.0.0
    Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 0.0.0.0 10.155.1.5 128.0.0.0
    Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 68.232.186.243 MY CABLE GATEWAY 255.255.255.255
    Apr 14 18:53:43 openvpn[32022]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.155.1.6 10.155.1.5 init
    Apr 14 18:53:43 openvpn[32022]: /sbin/ifconfig ovpnc1 10.155.1.6 10.155.1.5 mtu 1500 netmask 255.255.255.255 up
    Apr 14 18:53:43 openvpn[32022]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 14 18:53:43 openvpn[32022]: TUN/TAP device /dev/tun1 opened
    Apr 14 18:53:43 openvpn[32022]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 14 18:53:43 openvpn[32022]: ROUTE_GATEWAY ---MY EXTERNAL CABLE IP---
    Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: route options modified
    Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,topology net30,ifconfig 10.155.1.6 10.155.1.5'

    The 'can not find WAN ipv6' etc. I see every day, btw; I have no clue why. None of the interfaces have ipv6 enabled.

    Anyway, changing ipv4 back to ipv6 makes OpenVPN start again.

    I am going to buy me a Draytek modem/router all in one  ;D ;D ;D ;D ;D

    ( :-)



  • Hi, have you done
    Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

    Did a set of rules appear in the firewall rule set?
    I did try and add another client after I upgraded to 2.1.2 and they did not appear, so I had to add them manually.



  • @gazzaman:

    Hi, have you done
    Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

    Did a set of rules appear in the firewall rule set?
    I did try and add another client after I upgraded to 2.1.2 and they did not appear, so I had to add them manually.

    Thanks for your reply  ;D

    Yes I did:

    I tried the NAT-thing that KomodoSteve wrote about afterwards, I rebooted the box, but nothing.

    And to add to that: does the NAT have anything to do with the gateway not being up? I thought it was only for traffic after the gateway was up?



  • I will upload some screen shots of my setup. (I use PIA also) but it will not be today.



  • @gazzaman:

    I will upload some screen shots of my setup. (I use PIA also) but it will not be today.

    That is very nice of you, thank you  ;D

    I did find out something else: in System/Gateways, PIA was set to IPv6 by default during install. I have no clue why, since PIA runs on WAN2, which is IPv4 only. So yesterday I changed IPv6 to IPv4. I think perhaps I forgot to check if it saved that. Today I did. I hadn't saved it. So I changed it again. But: it doesn't save it at all.

    I can change this to IPv4 all I want and press 'save' all I want; the second I go in again to see what it saved, it is back to IPv6 again.

    Perhaps this is the reason there is no gateway up(?)

    ![8. System_gateways2.jpg](/public/imported_attachments/1/8. System_gateways2.jpg)



  • My firewall/NAT btw (partly, as the board doesn't allow the full size pic due to the file size limitations. I picked the lower part which shows WAN2 and PIA).

    ![9b. Firewall_NAT.jpg](/public/imported_attachments/1/9b. Firewall_NAT.jpg)



  • Hello I also have private internet access and cannot get OpenVPN to work. It connects just fine but I don't have any internet. I am using this ISO downloaded and installed today:
    pfSense-LiveCD-2.1.2-RELEASE-amd64-20140410-0541.iso

    I think there is something wrong because the directions from (http://www.komodosteve.com/archives/232) are pretty straightforward. I will try an older ISO tomorrow. In the directions he says:

    "Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes."

    I did that but it doesn't show the OPT interface, even after reboot and with OpenVPN successfully connected with an IP. A screenshot is attached. Can anyone who has PIA working tell us which ISO of pfSense you are using? Did you have to make custom routing rules or NAT changes? Can you tell us how your pfSense is set up?

    I also tried the "How to create an OpenVPN client to StrongVPN" sticky post but no go. I did try rebooting multiple times through each of these steps. The other TUVPN sticky looks a little strange so I haven't tried it... it looks like he modifies the vpn interface to allow any traffic from anywhere?




  • @brick41:

    Hello I also have private internet access and cannot get OpenVPN to work. It connects just fine but I don't have any internet. I am using this ISO downloaded and installed today:
    pfSense-LiveCD-2.1.2-RELEASE-amd64-20140410-0541.iso

    I think there is something wrong because the directions from (http://www.komodosteve.com/archives/232) are pretty straightforward. I will try an older ISO tomorrow.

    Good to see for my self-confidence that I am not the only one  ;D

    My attempts were at 2.1 (since you wrote you will try an older one than 2.1.2), and that I couldn't get to work.

    For more than just this reason of PIA I decided to completely rebuild my box, yesterday evening I deleted everything and installed 2.1.2. I have yet to try PIA, but given your feedback I think I already know my answer  :'(



  • In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
    From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
    You have to switch to manual outbound NAT, and then add outbound NAT rule/s for traffic leaving the OpenVPN client towards the VPN provider.



  • @phil.davis:

    In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
    From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
    You have to switch to manual outbound NAT, and then add outbound NAT rule/s for traffic leaving the OpenVPN client towards the VPN provider.

    Thank you very much for your reply, Phil  ;D

    PS The OpenVPN log doesn't appear to show any errors.

    I tried to add 'some' manual NAT rules, basically by copying the existing ones the switch to 'manual' generated and only changing the interface, but I am still not there yet  :-\

    I do have something more now: it now shows me an IP on the gateway (but it is an internal IP, I would have expected an external one), but the gateway itself is offline (screenshot).

    So probably I've done something wrong again.

    Interesting to see is the firewall on the PIA-interface is blocking something (screenshot).

    Would you happen to have a clue as to how to fix this?

    Thank you again for all your great help  :-*

    ![10. Some Progress.jpg](/public/imported_attachments/1/10. Some Progress.jpg)



  • Picture of my manual NAT outbound:

    ![11. Manual NAT.jpg](/public/imported_attachments/1/11. Manual NAT.jpg)



  • Mmmm. Interesting ( ::)): when I restart the openvpn-service the gateway is up for three seconds, then it is down again. To my understanding the log (attached) doesn't show anything strange.

    What is strange too, is: suddenly my MS Outlook mail client can not access my POP3 gmail accounts anymore, due to 'password incorrect'. Even though I have not even yet sent any traffic over the PIA interface (firewall rule), as that is still not working correctly.

    log1.txt



  • That looks good to me.
    PIA allocates some private address space to your VPN tunnel (they won't want to use up their valuable public IP addresses). They know who you are, and will NAT your traffic when it goes out of their VPN server onto the public internet.
    But of course they don't know what other private IP addresses you are using behind the PIA tunnel. So pfSense has to NAT onto the tunnel - that way PIA sees all the traffic as coming from the OpenVPN client tunnel IP.
    Can someone else spot what else is missing here?



  • @phil.davis:

    That looks good to me.
    PIA allocates some private address space to your VPN tunnel (they won't want to use up their valuable public IP addresses). They know who you are, and will NAT your traffic when it goes out of their VPN server onto the public internet.
    But of course they don't know what other private IP addresses you are using behind the PIA tunnel. So pfSense has to NAT onto the tunnel - that way PIA sees all the traffic as coming from the OpenVPN client tunnel IP.
    Can someone else spot what else is missing here?

    Thank you Phil  ;D ;D

    It gets Eek  :o :o :o

    The errors from gmail apparently are because gmail is blocking the logins because of …:

    Someone recently used your password to try to sign in to your Google Account. This person was using an application such as an email client or mobile device.

    We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

    Wednesday, April 16, 2014 10:19:58 AM UTC
    IP Address: 46.165.251.68
    Location: Berlin, Germany

    If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

    When I go to dslreports.com/whois, I do note suddenly my external address is one in the 46.x.x.x range, so probably that same 46.x.x.x block Google thought was a hacker.

    Which would mean that PIA is working.
    But:

    • Why does the gateway show 'down'?
    • Why is all traffic routed over PIA when I never told pfSense to do this?

    I'm not quite sure I guess how I need to do this:

    • After following the setup tutorial from Komodosteve (my first post), there 'suddenly' were two new interfaces. PIA and OpenVPN.
    • According to the tuto I had to assign the openvpn-client to the WAN interface, which is my normal VDSL-account.
    • I don't want all traffic to go through PIA, only some.

    But now, without me directing any traffic from the LAN into the PIA gateway, apparently all traffic is going through PIA 'anyway'.

    Could this have to do something with the way I set up this manual NAT outbound?

    To summarize:
    1. Why does the gateway for PIA show down when apparently it isn't?
    2. Why is all traffic going through PIA by default even if I didn't tell pfSense to do it by directing LAN-traffic through PIA?

    Thank you again for your great help  ;D ;D ;D
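    The two questions above can be answered from the OpenVPN log posted earlier in this thread: the server's PUSH_REPLY contains 'redirect-gateway def1', which makes the client add 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel, and those two routes beat the WAN default route by longest-prefix match, so every destination goes through PIA even though PIA is not the default gateway. The Python script below is an added example and not code from any post in this thread; it parses those log lines (with the poster's redacted cable gateway replaced by the placeholder 203.0.113.1) and shows which gateway a given destination would use, and it also flags the 'No server certificate verification method' warning that appears in the same log.

```python
"""Review an OpenVPN client log for signs that the server has taken over
the default route, and report which gateway a destination would use."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines posted in this thread.
# 203.0.113.1 is a placeholder for the poster's redacted cable gateway.
SAMPLE_LOG = """\
Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,topology net30,ifconfig 10.155.1.6 10.155.1.5'
Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 10.155.1.1 10.155.1.5 255.255.255.255
Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 128.0.0.0 10.155.1.5 128.0.0.0
Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 0.0.0.0 10.155.1.5 128.0.0.0
Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 68.232.186.243 203.0.113.1 255.255.255.255
Apr 14 16:52:56 openvpn[63739]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")
ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
NO_VERIFY = "No server certificate verification method has been enabled"


@dataclass
class Audit:
    redirect_gateway: bool = False          # server pushed redirect-gateway
    pushed_dns: list = field(default_factory=list)
    tunnel_local: str = ""
    tunnel_remote: str = ""
    routes: list = field(default_factory=list)  # (ip_network, gateway)
    server_cert_unverified: bool = False


def parse_push_reply(payload):
    """Split 'PUSH_REPLY,opt a,opt b,...' into a list of option strings."""
    parts = payload.split(",")
    if not parts or parts[0] != "PUSH_REPLY":
        return []
    return [p.strip() for p in parts[1:] if p.strip()]


def audit_log(text):
    """Walk the log once and collect the routing-relevant facts."""
    a = Audit()
    for line in text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            for opt in parse_push_reply(m.group(1)):
                words = opt.split()
                if words[0] == "redirect-gateway":
                    a.redirect_gateway = True
                elif words[:2] == ["dhcp-option", "DNS"]:
                    a.pushed_dns.append(words[2])
                elif words[0] == "ifconfig":
                    a.tunnel_local, a.tunnel_remote = words[1], words[2]
            continue
        m = ROUTE_ADD_RE.search(line)
        if m:
            net, gw, mask = m.groups()
            # BSD 'route add -net NET GW MASK' -> NET/MASK via GW
            a.routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
            continue
        if NO_VERIFY in line:
            a.server_cert_unverified = True
    return a


def half_routes(routes):
    """The /1 routes that 'redirect-gateway def1' installs, if any."""
    return sorted(str(net) for net, _ in routes if net.prefixlen == 1)


def resolve_gateway(routes, default_gw, dst):
    """Longest-prefix match over the OpenVPN-added routes, else the default.

    This mirrors how the kernel picks a route: a /1 route wins over the
    /0 default, and the /32 host route to the VPN server wins over the /1."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


if __name__ == "__main__":
    audit = audit_log(SAMPLE_LOG)
    print("redirect-gateway pushed:", audit.redirect_gateway)
    print("half routes via tunnel:", half_routes(audit.routes))
    print("pushed DNS:", audit.pushed_dns)
    print("server cert verified:", not audit.server_cert_unverified)
    for dst in ("8.8.8.8", "68.232.186.243"):
        print(dst, "->", resolve_gateway(audit.routes, "203.0.113.1", dst))
```

Running it against the sample shows 8.8.8.8 resolving to the tunnel peer 10.155.1.5 while the VPN server's own address still goes out via the ISP gateway, which is exactly the behaviour the poster observed.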



  • EDIT: although PIA was NOT the default gateway (in system/routing), so that couldn't be the cause for all traffic going through the gateway even when I didn't tell it to do so, while in system/routing I decided to change the monitor IP to 8.8.4.4, instead of the internal 10.x. pfSense assigned itself. That makes the gateway appear as up in the dashboard.

    So all I need to figure out now is why all traffic is going through the PIA. Which I definitely don't want (and I hope my Google mail accounts are still recoverable now  :-).



  • EDIT2 ( ;D):

    It appears that if I have the default LAN rule direct all traffic into my Failover group, which consists of only my local VDSL and my local Cable, I get my old Dutch external IP. If I then remove the failover group from the gateway in the firewall rule screen, hence leave it at 'default', I will have the German IP again.

    I think I can use this knowledge to construct firewall rules the way I want it, but I still don't understand why all traffic is directed through PIA by default, when PIA is not the default gateway (WAN1, VDSL, is).

    ??? :o

    ![12. WAN1_default_gateway.jpg](/public/imported_attachments/1/12. WAN1_default_gateway.jpg)



    • According to the tuto I had to assign the openvpn-client to the WAN interface, which is my normal VDSL-account.

    I haven't watched the tutorial, but this seems an odd thing to do. I would want my WAN interface to be the real, unencrypted link to my ISP. Then I build an OpenVPN client to PIA connection on top of that. The PIA connection is assigned to a new interface (OPTn), enable that interface, pfSense automagically makes a gateway that points to the PIA server end of the OpenVPN link.
    Then add firewall rules to LAN to match desired traffic and select the PIA GW to push the traffic you want to go through PIA.



  • @phil.davis:

    • According to the tuto I had to assign the openvpn-client to the WAN interface, which is my normal VDSL-account.

    I haven't watched the tutorial, but this seems an odd thing to do. I would want my WAN interface to be the real, unencrypted link to my ISP. Then I build an OpenVPN client to PIA connection on top of that. The PIA connection is assigned to a new interface (OPTn), enable that interface, pfSense automagically makes a gateway that points to the PIA server end of the OpenVPN link.
    Then add firewall rules to LAN to match desired traffic and select the PIA GW to push the traffic you want to go through PIA.

    And thank you once again Phil, for your great assistance  ;D

    I would have expected it to be like you write, but when I try what you say (pic) the gateway goes down immediately. Set the interface back to WAN in the OpenVPN-client, and the gateway is up immediately again.

    Could it be some error in another part of the system that I need to check?

    (Been working for three hours to get Radius with EAP-TLS working again on this new box. Completely frustrated I asked WIFE if she had a clue. She browsed through all my screenshots for 5 minutes and said 'this picture of NAT, in December last year, did you do that? The exact NAT-thing you told me this morning… Why you now have to set NAT manually is a bit of a mystery to me; having pfSense do it automatically is more user comfortable, so to speak. Anyway: where would I be without WIFE  ;D).




  • Sorry, I have not had a chance until now to post these.
    If you need any more, let me know.

  • Hi, all else I had to do was create the ca.crt in the text editor and save it to /etc/ca.crt



  • @phil.davis:

    In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
    From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
    You have to switch to manual outbound NAT, and then add outbound NAT rule/s for traffic leaving the OpenVPN client towards the VPN provider.

    You hit the nail on the head, Phil. I have working Private Internet Access now.

    For everyone else here are some directions. After you follow the directions on http://www.komodosteve.com/archives/232 make sure that Status > Gateways shows your OPT1_VPNV4 interface. If it doesn't you will have to reboot (I had to). It may show as down (screenshot) since there is no ping reply but that's ok. After the reboot it should automatically connect to PIA so check the Status > OpenVPN and then try a traceroute. You should see the traceroute is done over PIA (screenshot).

    Firewall > NAT > Outbound: After switching to Manual Outbound NAT there is a rule "Auto created rule for LAN to WAN" (not the ISAKMP one). I clicked on the little + button to right of it to "add a new NAT based on this one" (tooltip text). That gave me a copy of that rule and I changed WAN to OPT1 and saved the rule as "OpenVPN (PIA)". Then it returned me to the Outbound page and I clicked the "Apply Changes" button that appeared in a red banner above the rules.

    The next problem I had was DNS leaks. DNS was still going out on the WAN. Is that normal? Did I miss some OpenVPN setting? Anyway I decided to make it so that LAN traffic would go out only over the VPN. Skip the rest of these instructions if you don't want to do that. In other words traffic is blocked when the VPN is down. Here's how I did it, and if this is wrong or is leaky please let me know:

    This first step was my last step. I tried several times to route traffic over the VPN but traffic kept leaking. I did some searching and read that pfSense will create failover rules when a gateway is down. To disable that you have to "skip rules":
    RESOLVED : Firewall rules and OpenVPN client Vs. default gateway
    System > Advanced > Miscellaneous > Gateway Monitoring > Skip rules when gateway is down > CHECK

    If you're not using IPv6 you could disallow it. I'm not using it, but after I disallowed it my logs were filled with IPv6 router availability broadcasts, so I turned it back on just for less noise. There is probably a way to disable IPv6 entirely. This is more of a filtering step:
    System > Advanced > Networking > IPv6 Options > Allow IPv6 > UNCHECK

    This forces traffic to go from the LAN to the VPN, however it doesn't stop communicating with the LAN.
    Firewall > Rules > LAN > Disable all rules, Make a new rule:
    Action: Pass
    Interface: LAN
    TCP/IP Version: IPv4
    Protocol: any
    Source > Type: LAN net
    Advanced features > Gateway: OPT1_VPNV4

    I used that rule but also added two block rules (one for IPv4, one for IPv6) above it so that anything to the destination of "LAN net" is blocked. In other words no DNS requests can be sent to 192.168.10.1 (the pfSense LAN interface). Blocking all dest LAN net is pretty restrictive, you may not want it.

    In any case change the DNS your LAN clients use. I changed the DHCP server for the LAN interface to use Google's DNS servers but you can also use PIA's (209.222.18.222, 209.222.18.218).
    Services > DHCP server > LAN > DNS servers > 8.8.8.8, 8.8.4.4

    Since I'm not using the DNS forwarder now I turned it off:
    Services > DNS forwarder > General DNS Forwarder Options > Enable > UNCHECK

    Two things still concern me, I see this in my OpenVPN logs:
    Apr 17 00:17:49 openvpn[14080]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 17 00:17:49 openvpn[14080]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    How do I determine the script security level? Is it recorded anywhere and can I or should I change it? And if I specified the ca certificate in the ca.crt file why does it say no verification method has been enabled?

    @Hollander:

    I still don't understand why all traffic is directed through PIA by default, when PIA is not the default gateway (WAN1, VDSL, is).

    I'm pretty sure that's OpenVPN. When you connect to a server I think it runs some command that changes your default route to the address OpenVPN was assigned. It might be the route command, I don't know. Maybe there is an OpenVPN configuration option to stop that from happening?

    @gazzaman:

    Sorry, I have not had a chance until now to post these.
    If you need any more, let me know.

    Thanks!

    ![gw down.PNG](/public/imported_attachments/1/gw down.PNG)


    ![opt1 nat.PNG](/public/imported_attachments/1/opt1 nat.PNG)
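The two OpenVPN log lines brick41 asks about above (the `--script-security` NOTE and the "No server certificate verification method has been enabled" WARNING) can both be answered from the client config itself. pfSense writes the generated client config under `/var/etc/openvpn/clientN.conf`; OpenVPN's default `script-security` level is 1, and the NOTE is printed once the level is 2 or higher. The WARNING means that `ca` alone is present: OpenVPN will then accept any certificate signed by that CA, including another client's, as the server (the MITM case the log line links to). Adding `remote-cert-tls server` (in pfSense, via the client's custom/advanced options box) requires the peer to present a certificate with the TLS Web Server key usage. The following Python audit is an added example, not pfSense, OpenVPN or PIA code; the sample config inside it is constructed for the example and is not a real PIA or pfSense file, and the directive list it checks for is the set OpenVPN accepts as server-verification methods.

```python
"""Audit an OpenVPN client config for the two log lines quoted above.

Added example, not pfSense or PIA code. It assumes plain OpenVPN config
syntax (one directive per line, '#'/';' comment lines, optional <tag>
inline blocks) as written by pfSense under /var/etc/openvpn/clientN.conf.
"""
import re

# Constructed sample resembling a weak client config: a CA is given, but
# nothing tells OpenVPN that the peer must present a *server* certificate.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
ca /etc/ca.crt
auth-user-pass /var/etc/openvpn/client1.up
script-security 3
up /usr/local/sbin/ovpn-linkup
comp-lzo
"""

# Any one of these makes OpenVPN check *what kind* of certificate the remote
# end presents, which is what silences the MITM warning.
SERVER_VERIFY_DIRECTIVES = (
    "remote-cert-tls", "ns-cert-type", "remote-cert-eku", "remote-cert-ku",
    "verify-x509-name", "tls-remote", "tls-verify",
)

DEFAULT_SCRIPT_SECURITY = 1  # OpenVPN's default when the directive is absent


def parse_config(text):
    """Return a list of (directive, args) tuples; comments/blank lines are skipped.

    Inline blocks such as <ca>...</ca> are recorded as the directive name with
    a placeholder argument and their body is skipped.
    """
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<([\w-]+)>$", line)
        if m:
            in_block = m.group(1)
            directives.append((in_block, ["<inline>"]))
            continue
        parts = line.split()
        directives.append((parts[0].lstrip("-"), parts[1:]))
    return directives


def audit(text):
    """Return (script_security_level, list_of_findings) for a client config."""
    directives = parse_config(text)
    names = {name for name, _ in directives}
    level = DEFAULT_SCRIPT_SECURITY
    for name, args in directives:
        if name == "script-security" and args and args[0].isdigit():
            level = int(args[0])
    findings = []
    if level >= 2:
        # This is the condition behind the "NOTE: the current --script-security
        # setting may allow this configuration to call user-defined scripts".
        findings.append("script-security %d: user-defined scripts may be called" % level)
    if "ca" not in names:
        findings.append("no 'ca' directive: the peer certificate chain is not checked at all")
    if not names & set(SERVER_VERIFY_DIRECTIVES):
        # This is the condition behind "No server certificate verification
        # method has been enabled": any cert signed by the CA would be accepted.
        findings.append("no server certificate verification method (add 'remote-cert-tls server')")
    return level, findings


def harden(text):
    """Append 'remote-cert-tls server' when no server-verification directive exists."""
    names = {name for name, _ in parse_config(text)}
    if names & set(SERVER_VERIFY_DIRECTIVES):
        return text
    return text.rstrip("\n") + "\nremote-cert-tls server\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", harden(WEAK_CONFIG))):
        level, findings = audit(cfg)
        print(label, "script-security", level, findings)
```

On a live pfSense box the same audit can be pointed at `/var/etc/openvpn/client1.conf` (the number matches the client's position in the GUI). The `script-security` finding is informational: pfSense's own up/down hooks need a level of at least 2, so the NOTE is expected there; the missing server verification is the one to act on.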



  • @brick41:

    The next problem I had was DNS leaks. DNS was still going out on the WAN. Is that normal? Did I miss some OpenVPN setting? Anyway I decided to make it so that LAN traffic would go out only over the VPN. Skip the rest of these instructions if you don't want to do that. In other words traffic is blocked when the VPN is down. Here's how I did it, and if this is wrong or is leaky please let me know:

    Thanks for your addition to this thread: very useful  ;D

    Could I ask: how do you see if there are DNS-leaks?



  • Hmmm, this also still was an open tab in my browser:

    http://homeservershow.com/forums/index.php?/topic/5958-pfsense-and-openvpn-problem/

    The military man here says that the order of the rules in NAT is important (VPN should be at the top of the list), whereas some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true  ???



  • @Hollander:

    Could I ask: how do you see if there are DNS-leaks?

    You could create a firewall rule to allow and log any outgoing traffic on port 53 for the WAN. You should see that the only name resolutions will be for pfSense stuff and PIA servers. What's nice about the logging is it deconstructs the packet to determine what hostname was requested to be looked up. If you are interested in logging DNS just in general, check out the thread I started here:
    How can I record and maybe monitor all DNS requests and replies?

    If you stop DNS outgoing on the WAN there is a "which came first, the chicken or the egg" problem because then how does pfSense lookup the address for the PIA server you're connecting to, or pfSense to check the latest version of FreeBSD?

    Also keep in mind about the DNS forwarder if you have that enabled you could leak in certain scenarios. For example I have a pfSense box behind a wireless router. So my router has address 192.168.1.1 and when it assigns an IP via DHCP it offers nameserver 192.168.1.1. So the pfSense WAN IP address is something like 192.168.1.2 for example with nameserver 192.168.1.1. Then the pfSense LAN has a DHCP server (192.168.10.1) that assigns an IP 192.168.10.2 and nameserver 192.168.10.1. When client 192.168.10.2 wants to resolve it sends its request to 192.168.10.1 which is the pfSense DNS forwarder. That then sends the request to 192.168.1.1 which is the wireless router DNS forwarder. I believe that would happen even if I was routing my traffic over OpenVPN because 192.168.1.x is a local route. The setup I have right now is I disabled the pfSense LAN DNS forwarder and the pfSense LAN DHCP instead offers google nameservers. The google nameservers are not a local route so they go over VPN.

    @Hollander:

    The military man here says that the order of the rules in NAT is important (VPN should be at the top of the list), whereas some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true  ???

    That I don't know about, you may have to start a separate thread to ask that question and get someone's attention. In my rules the OpenVPN PIA is first.

    Also, unrelated, the biggest issue I've had so far with my setup has been OpenVPN continues to work even after it's terminated due to fatal error. So FYI, you may encounter that. It looks to be a bug.
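The check brick41 describes above (log port-53 traffic leaving on the WAN and see who it goes to) can be automated over the firewall log. Below is an added Python example, not pfSense code, that parses pfSense's CSV `filterlog` lines and flags DNS queries that leave on the physical WAN interface to anything other than the resolvers pfSense itself is configured to use. It assumes the `filterlog` field order used by pfSense (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields and, for TCP/UDP, source and destination port); the interface names `vr0`/`ovpnc1`, the addresses and all four sample lines are constructed for the example. It also encodes the chicken-and-egg point from the same post: pfSense's own lookups (the PIA hostname, update checks) legitimately use the WAN, so the resolvers it is configured with are allowlisted rather than flagged.

```python
"""Flag DNS queries leaving on the WAN instead of the VPN, from pfSense filterlog lines.

Added example, not pfSense code. Assumes the pfSense CSV filterlog layout:
rule,sub-rule,anchor,tracker,iface,reason,action,direction,ipver, then for
IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst and for
TCP/UDP: sport,dport,datalen. Only IPv4 TCP/UDP lines are handled.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "iface action direction proto src dst sport dport")

# Constructed sample: pfSense WAN is vr0 (192.168.1.2 behind a home router at
# 192.168.1.1, the resolver pfSense itself uses); the PIA tunnel is ovpnc1.
SAMPLE_LOG = [
    "Apr 17 00:20:01 pfsense filterlog: 5,,,1000000103,vr0,match,pass,out,4,0x0,,64,1234,0,DF,17,udp,60,192.168.1.2,8.8.8.8,53214,53,40",
    "Apr 17 00:20:02 pfsense filterlog: 5,,,1000000103,vr0,match,pass,out,4,0x0,,64,1235,0,DF,17,udp,63,192.168.1.2,209.222.18.222,53215,53,43",
    "Apr 17 00:20:03 pfsense filterlog: 7,,,1000000201,ovpnc1,match,pass,out,4,0x0,,64,1236,0,DF,17,udp,60,10.145.1.6,8.8.8.8,53216,53,40",
    "Apr 17 00:20:04 pfsense filterlog: 5,,,1000000103,vr0,match,pass,out,4,0x0,,64,1237,0,DF,17,udp,62,192.168.1.2,192.168.1.1,53217,53,42",
    "Apr 17 00:20:05 pfsense filterlog: 5,,,1000000103,vr0,match,pass,out,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.2,93.184.216.34,49152,443,0,S,,,,",
]

_FILTERLOG = re.compile(r"filterlog: (.*)$")


def parse_filterlog(line):
    """Parse one filterlog line into a Packet; None for lines this parser does not handle."""
    m = _FILTERLOG.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4":
        return None  # IPv6 lines use a different header layout; not handled here
    proto = f[16]
    if proto not in ("tcp", "udp"):
        return None  # ICMP and others carry no ports
    return Packet(iface=f[4], action=f[6], direction=f[7], proto=proto,
                  src=f[18], dst=f[19], sport=int(f[20]), dport=int(f[21]))


def find_dns_leaks(lines, wan_iface, system_resolvers):
    """Return (src, dst, proto) for port-53 packets that left on wan_iface
    towards a destination that is not one of pfSense's own resolvers."""
    leaks = []
    for line in lines:
        p = parse_filterlog(line)
        if p is None or p.iface != wan_iface or p.direction != "out" or p.dport != 53:
            continue
        if p.dst in system_resolvers:
            # pfSense's own lookups (e.g. resolving the PIA hostname) must use the WAN.
            continue
        leaks.append((p.src, p.dst, p.proto))
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_LOG, "vr0", {"192.168.1.1"}):
        print("DNS left on WAN:", leak)
```

The caveat is the one brick41 gives in the last paragraph of his post: with the DNS forwarder enabled, LAN clients' queries are relayed by pfSense to those same system resolvers, so after NAT they look exactly like pfSense's own lookups and this check cannot tell them apart. Disabling the forwarder and handing clients a non-local resolver via DHCP (as described above) is what makes client DNS distinguishable, and routable over the tunnel, in the first place.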