Netgate Discussion Forum
    2.1 / OpenVPN /PIA: can't get it to work

    34 Posts 4 Posters 11.1k Views
    Mr. Jingles

      Pic:

      ![5. System_routes.jpg](/public/imported_attachments/1/5. System_routes.jpg)

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      Mr. Jingles

        Pic:

        ![6. Firewall_NAT.jpg](/public/imported_attachments/1/6. Firewall_NAT.jpg)

        Mr. Jingles

          And the final pic:

          ![7. Status_dashboard.jpg](/public/imported_attachments/1/7. Status_dashboard.jpg)

          Mr. Jingles

            Hmmm  :P

            Thanks to this fine thread:

            https://forum.pfsense.org/index.php?topic=24435.msg126272#msg126272

            I've added:

             verb 5
            

            to the advanced settings of the OpenVPN client (part of the instruction in this thread is wrong, as:

            21. In the 'Advanced' field, we need to enter several options, all separated by a ';'

            leads to OpenVPN refusing to start. So I just put it on a separate line, and then it starts again).

            Anyway, the above thread says:

            3. The line you need to look for is the one that says:

            openvpn[49520]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 195.24.72.6,dhcp-option DNS 83.243.8.6,dhcp-option DNS 4.2.2.4,route 10.0.61.1,topology net30,ifconfig 10.0.61.54 10.0.61.53'

            4. If that line says 'redirect-gateway def1', then your pfSense should be routing all traffic over the VPN connection. Browse to a 'what's my IP' page, and see if your connection is coming from another IP than your own

            Well, my log says just that:

            Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,topology net30,ifconfig 10.155.1.6 10.155.1.5'

            The log is saying something else which I don't understand (but there are many, many, many things I don't understand  ;D):

            Apr 14 18:53:43 openvpn[32022]: ROUTE_GATEWAY ---HERE IS MY EXTERNAL CABLE ISP---

            Would the bold part make sense?

            Thank you again for any help ;D,

            Bye

              Mr. Jingles

              I forgot to add: I also disabled Snort on the WAN2-interface, thinking perhaps that would block something. But no results.

                Mr. Jingles

                I am a pitbull  ;D ;D ;D

                Thanks to Elkmoose here: https://forum.pfsense.org/index.php?topic=48847.msg258640#msg258640

                I went into:

                /var/etc/openvpn, and it should have a name like "clientN.conf"

                In there I found:

                ```
                dev ovpnc1
                dev-type tun
                tun-ipv6                                 # emphasised in the original post
                dev-node /dev/tun1
                writepid /var/run/openvpn_client1.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local ---MY OWN EXTERNAL CABLE ISP ADDRESS---
                tls-client
                client
                lport 0
                management /var/etc/openvpn/client1.sock unix
                remote us-east.privateinternetaccess.com 1194
                ca /var/etc/openvpn/client1.ca           # emphasised in the original post
                cert /var/etc/openvpn/client1.cert       # emphasised in the original post
                key /var/etc/openvpn/client1.key         # emphasised in the original post
                comp-lzo
                auth-user-pass /etc/openvpn-password.txt
                verb 5
                ```

                I think I will try to change the ipv6 in ipv4 and see what gives.

                I have no clue about the bold parts concerning the certificates. I think I would expect /etc/ca.crt.

                  Mr. Jingles

                  @Hollander:

                  I think I will try to change the ipv6 in ipv4 and see what gives.

                  Duh  :'(

                  It stopped, and the log isn't very clear:

                  System logs: general:

                  ```
                  Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(opt1).
                  Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(wan).
                  Apr 14 19:13:09 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                  Apr 14 19:13:08 php: rc.filter_configure_sync: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:13:05 check_reload_status: Reloading filter
                  Apr 14 19:13:05 php: /status_services.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:51 php: /index.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(opt1).
                  Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(wan).
                  Apr 14 19:12:10 php: rc.filter_configure_sync: Could not find IPv4 gateway for interface (wan).
                  Apr 14 19:12:09 php: rc.filter_configure_sync: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:07 php: /status_services.php: The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic'
                  Apr 14 19:12:06 check_reload_status: Reloading filter
                  Apr 14 19:12:06 kernel: ovpnc1: link state changed to DOWN
                  Apr 14 19:11:52 sshd[62061]: Accepted keyboard-interactive/pam for root from 192.168.23.42 port 52118 ssh2
                  ```

                  System logs: OpenVPN:

                  ```
                  Apr 14 19:12:06 openvpn[32022]: SIGTERM[hard,] received, process exiting
                  Apr 14 19:12:06 openvpn[32022]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 10.155.1.6 10.155.1.5 init
                  Apr 14 19:12:06 openvpn[32022]: Closing TUN/TAP interface
                  Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 128.0.0.0 10.155.1.5 128.0.0.0
                  Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 0.0.0.0 10.155.1.5 128.0.0.0
                  Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 68.232.186.243 MY CABLE GATEWAY 255.255.255.255
                  Apr 14 19:12:06 openvpn[32022]: /sbin/route delete -net 10.155.1.1 10.155.1.5 255.255.255.255
                  Apr 14 19:12:06 openvpn[32022]: TCP/UDP: Closing socket
                  Apr 14 19:12:06 openvpn[32022]: event_wait : Interrupted system call (code=4)
                  Apr 14 18:53:43 openvpn[32022]: Initialization Sequence Completed
                  Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 10.155.1.1 10.155.1.5 255.255.255.255
                  Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 128.0.0.0 10.155.1.5 128.0.0.0
                  Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 0.0.0.0 10.155.1.5 128.0.0.0
                  Apr 14 18:53:43 openvpn[32022]: /sbin/route add -net 68.232.186.243 MY CABLE GATEWAY 255.255.255.255
                  Apr 14 18:53:43 openvpn[32022]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.155.1.6 10.155.1.5 init
                  Apr 14 18:53:43 openvpn[32022]: /sbin/ifconfig ovpnc1 10.155.1.6 10.155.1.5 mtu 1500 netmask 255.255.255.255 up
                  Apr 14 18:53:43 openvpn[32022]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
                  Apr 14 18:53:43 openvpn[32022]: TUN/TAP device /dev/tun1 opened
                  Apr 14 18:53:43 openvpn[32022]: TUN/TAP device ovpnc1 exists previously, keep at program end
                  Apr 14 18:53:43 openvpn[32022]: ROUTE_GATEWAY ---MY EXTERNAL CABLE IP---
                  Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
                  Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: route options modified
                  Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: --ifconfig/up options modified
                  Apr 14 18:53:43 openvpn[32022]: OPTIONS IMPORT: timers and/or timeouts modified
                  Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,topology net30,ifconfig 10.155.1.6 10.155.1.5'
                  ```

                  The 'can not find WAN ipv6' etc I see every day, btw, I have no clue why. None of the interfaces have ipv6 enabled.

                  Anyway, changing ipv4 back into ipv6 makes OpenVPN start again.

                  I am going to buy me a Draytek modem/router all in one  ;D ;D ;D ;D ;D

                  ( :-)

                    gazzaman

                    Hi, have you done this:
                    Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

                    Did a set of rules appear in the firewall rule set?
                    I did try to add another client after I upgraded to 2.1.2 and they did not appear, so I had to add them manually.

                      Mr. Jingles

                      @gazzaman:

                      Hi, have you done this:
                      Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes.

                      Did a set of rules appear in the firewall rule set?
                      I did try to add another client after I upgraded to 2.1.2 and they did not appear, so I had to add them manually.

                      Thanks for your reply  ;D

                      Yes I did:

                      I tried the NAT thing that KomodoSteve wrote about afterwards, I rebooted the box, but nothing.

                      And to add to that: does the NAT have anything to do with the gateway not being up? I thought it was only for traffic after the gateway was up?

                        gazzaman

                        I will upload some screenshots of my setup (I use PIA also), but it will not be today.

                          Mr. Jingles

                          @gazzaman:

                          I will upload some screenshots of my setup (I use PIA also), but it will not be today.

                          That is very nice of you, thank you  ;D

                          I did find out something else: in System/Gateways, PIA was set to IPv6 by default during install. I have no clue why, since PIA runs on WAN2, which is IPv4 only. So yesterday I changed IPv6 to IPv4. I think perhaps I forgot to check if it saved that. Today I did. I hadn't saved it. So I changed it again. But: it doesn't save it at all.

                          I can change this to IPv4 all I want and press 'save' all I want; the second I go in again to see what it saved, it is back to IPv6 again.

                          Perhaps this is the reason there is no gateway up(?)

                          ![8. System_gateways2.jpg](/public/imported_attachments/1/8. System_gateways2.jpg)

                            Mr. Jingles

                            My firewall/NAT, btw (partly, as the board doesn't allow the full-size pic due to the file size limitations; I picked the lower part, which shows WAN2 and PIA).

                            ![9b. Firewall_NAT.jpg](/public/imported_attachments/1/9b. Firewall_NAT.jpg)

                              brick41

                              Hello I also have private internet access and cannot get OpenVPN to work. It connects just fine but I don't have any internet. I am using this ISO downloaded and installed today:
                              pfSense-LiveCD-2.1.2-RELEASE-amd64-20140410-0541.iso

                              I think there is something wrong because the directions from (http://www.komodosteve.com/archives/232) are pretty straightforward. I will try an older ISO tomorrow. In the directions he says:

                              "Go to Firewall and select NAT, then click the Outbound tab. Select any existing rules and delete them. Select the “Automatic” option at the top and click Save, then select “Manual” and click Save. You should see a new set of rules which you can activate by clicking Apply Changes."

                              I did that but it doesn't show the OPT interface, even after reboot and with OpenVPN successfully connected with an IP. A screenshot is attached. Can anyone who has PIA working tell us which pfSense ISO you are using? Did you have to make custom routing rules or NAT changes? Can you tell us how your pfSense is set up?

                              I also tried the "How to create an OpenVPN client to StrongVPN" sticky post, but no go. I did try rebooting multiple times through each of these steps. The other TUVPN sticky looks a little strange so I haven't tried it. It looks like he modifies the VPN interface to allow any traffic from anywhere?

                              Capture.PNG

                                Mr. Jingles

                                @brick41:

                                Hello I also have private internet access and cannot get OpenVPN to work. It connects just fine but I don't have any internet. I am using this ISO downloaded and installed today:
                                pfSense-LiveCD-2.1.2-RELEASE-amd64-20140410-0541.iso

                                I think there is something wrong because the directions from (http://www.komodosteve.com/archives/232) are pretty straightforward. I will try an older ISO tomorrow.

                                Good to see, for my self-confidence, that I am not the only one  ;D

                                My attempts were on 2.1 (since you wrote you will try an older one than 2.1.2), and that I couldn't get to work.

                                For more than just this reason of PIA I decided to completely rebuild my box; yesterday evening I deleted everything and installed 2.1.2. I have yet to try PIA, but given your feedback I think I already know my answer  :'(

                                  phil.davis

                                  In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
                                  From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
                                  You have to switch to manual outbound NAT, and then add outbound NAT rule/s for traffic leaving the OpenVPN client towards the VPN provider.

                                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                    Mr. Jingles

                                    @phil.davis:

                                    In versions prior to 2.1.2 the automatic outbound NAT was not making outbound NAT rules for OpenVPN clients that connected out to VPN providers. That was the intended behavior. But there was a [bug|feature] that when you switched to manual outbound NAT, the initial set of rules generated did include NAT rules for OpenVPN clients. That is why the step of switching to manual outbound NAT did the trick.
                                    From 2.1.2, the underlying automatic outbound NAT rules and the set generated when you switch to manual outbound NAT are now the same.
                                    You have to switch to manual outbound NAT, and then add outbound NAT rule/s for traffic leaving the OpenVPN client towards the VPN provider.

                                    Thank you very much for your reply, Phil  ;D

                                    PS The OpenVPN log doesn't appear to show any errors.

                                    I tried to add 'some' manual NAT rules, basically by copying the existing ones the switch to 'manual' generated and only changing the interface, but I am still not there yet  :-\

                                    I do have something more now: it now shows me an IP on the gateway (but it is an internal IP, I would have expected an external one), but the gateway itself is offline (screenshot).

                                    So probably I've done something wrong again.

                                    Interesting to see is the firewall on the PIA-interface is blocking something (screenshot).

                                    Would you happen to have a clue as to how to fix this?

                                    Thank you again for all your great help  :-*

                                    ![10. Some Progress.jpg](/public/imported_attachments/1/10. Some Progress.jpg)

                                      Mr. Jingles

                                      Picture of my manual NAT outbound:

                                      ![11. Manual NAT.jpg](/public/imported_attachments/1/11. Manual NAT.jpg)

                                        Mr. Jingles

                                        Mmmm. Interesting ( ::)): when I restart the OpenVPN service the gateway is up for three seconds, then it is down again. To my understanding the log (attached) doesn't show anything strange.

                                        What is strange too is: suddenly my MS Outlook mail client cannot access my POP3 Gmail accounts anymore, due to 'password incorrect'. Even though I have not even yet sent any traffic over the PIA interface (firewall rule), as that is still not working correctly.

                                        log1.txt

                                          phil.davis

                                          That looks good to me.
                                          PIA allocates some private address space to your VPN tunnel (they won't want to use up their valuable public IP addresses). They know who you are, and will NAT your traffic when it goes out of their VPN server onto the public internet.
                                          But of course they don't know what other private IP addresses you are using behind the PIA tunnel. So pfSense has to NAT onto the tunnel - that way PIA sees all the traffic as coming from the OpenVPN client tunnel IP.
                                          Can someone else spot what else is missing here?

                                            Mr. Jingles

                                            @phil.davis:

                                            That looks good to me.
                                            PIA allocates some private address space to your VPN tunnel (they won't want to use up their valuable public IP addresses). They know who you are, and will NAT your traffic when it goes out of their VPN server onto the public internet.
                                            But of course they don't know what other private IP addresses you are using behind the PIA tunnel. So pfSense has to NAT onto the tunnel - that way PIA sees all the traffic as coming from the OpenVPN client tunnel IP.
                                            Can someone else spot what else is missing here?

                                            Thank you Phil  ;D ;D

                                            It gets Eek  :o :o :o

                                             The errors from Gmail apparently are because Gmail is blocking the logins because of ...:

                                            Someone recently used your password to try to sign in to your Google Account. This person was using an application such as an email client or mobile device.

                                            We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

                                            Wednesday, April 16, 2014 10:19:58 AM UTC
                                            IP Address: 46.165.251.68
                                            Location: Berlin, Germany

                                            If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

                                            When I go to dslreports.com/whois, I do note suddenly my external address is one in the 46.x.x.x range, so probably that same 46.x.x.x block Google thought was a hacker.

                                            Which would mean that PIA is working.
                                            But:

                                            • Why does the gateway show 'down'?
                                            • Why is all traffic routed over PIA when I never told pfSense to do this?

                                             I'm not quite sure, I guess, how I need to do this:

                                             • After following the setup tutorial from Komodosteve (my first post), there were 'suddenly' two new interfaces: PIA and OpenVPN.
                                             • According to the tutorial I had to assign the OpenVPN client to the WAN interface, which is my normal VDSL account.
                                             • I don't want all traffic to go through PIA, only some.

                                             But now, without me directing any traffic from the LAN into the PIA gateway, apparently all traffic is going through PIA 'anyway'.

                                            Could this have to do something with the way I set up this manual NAT outbound?

                                            To summarize:
                                            1. Why does the gateway for PIA show down when apparently it isn't?
                                            2. Why is all traffic going through PIA by default even if I didn't tell pfSense to do it by directing LAN-traffic through PIA?

                                            Thank you again for your great help  ;D ;D ;D

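Added example (not code from the thread or from pfSense): the thread's OpenVPN log shows a PUSH_REPLY carrying `redirect-gateway def1` followed by OpenVPN adding 0.0.0.0/1 and 128.0.0.0/1 via the tunnel peer, and phil.davis explains why pfSense has to NAT LAN traffic onto the tunnel address. The script below parses that PUSH_REPLY line (copied from the log above), reproduces the `/sbin/route add` lines the log shows, and does a longest-prefix lookup to show why the two /1 routes carry all traffic without any LAN policy rule. The WAN gateway value is an assumed placeholder for the address the poster redacted.

```python
"""Added example: read an OpenVPN PUSH_REPLY and derive the routes and NAT it implies."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the PUSH_REPLY line quoted from the thread's OpenVPN log.
PUSH_LINE = ("Apr 14 18:53:43 openvpn[32022]: PUSH: Received control message: "
             "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,"
             "dhcp-option DNS 209.222.18.218,ping 10,route 10.155.1.1,"
             "topology net30,ifconfig 10.155.1.6 10.155.1.5'")
VPN_SERVER = "68.232.186.243"   # PIA endpoint as it appears in the thread's route log
WAN_GATEWAY = "203.0.113.1"     # assumed placeholder for the redacted "MY CABLE GATEWAY"

@dataclass
class PushedOptions:
    redirect_flags: list = field(default_factory=list)  # e.g. ["def1"]
    dns: list = field(default_factory=list)
    routes: list = field(default_factory=list)          # (network, netmask) pairs
    local_ip: str = None                                # our tunnel address
    remote_ip: str = None                               # net30 peer: next hop for routes
    other: dict = field(default_factory=dict)           # ping, topology, ...

def parse_push_reply(line: str) -> PushedOptions:
    """Pull the quoted PUSH_REPLY body out of a log line and split it into options."""
    start = line.find("'PUSH_REPLY")
    if start < 0:
        raise ValueError("line carries no PUSH_REPLY")
    body = line[start + 1:].strip().rstrip("'")
    opts = PushedOptions()
    for item in body.split(",")[1:]:          # item 0 is the literal PUSH_REPLY
        words = item.split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "redirect-gateway":
            opts.redirect_flags = args
        elif key == "dhcp-option" and args[:1] == ["DNS"]:
            opts.dns.append(args[1])
        elif key == "route":
            opts.routes.append((args[0], args[1] if len(args) > 1 else "255.255.255.255"))
        elif key == "ifconfig":
            opts.local_ip, opts.remote_ip = args[0], args[1]
        else:
            opts.other[key] = " ".join(args)
    return opts

def routes_to_install(opts, vpn_server=None, wan_gateway=None):
    """(network, netmask, gateway) triples, in the order the thread's log shows them.

    'def1' never touches the existing default route: it adds 0.0.0.0/1 and
    128.0.0.0/1 via the tunnel peer, which win over the /0 on prefix length.
    A /32 to the VPN server via the old gateway keeps the tunnel from looping.
    """
    table = [(net, mask, opts.remote_ip) for net, mask in opts.routes]
    if "def1" in opts.redirect_flags:
        table += [("128.0.0.0", "128.0.0.0", opts.remote_ip),
                  ("0.0.0.0", "128.0.0.0", opts.remote_ip)]
        if vpn_server and wan_gateway:
            table.append((vpn_server, "255.255.255.255", wan_gateway))
    return table

def as_route_commands(table):
    """Render triples in the '/sbin/route add -net NET GW MASK' form seen in the log."""
    return [f"/sbin/route add -net {net} {gw} {mask}" for net, mask, gw in table]

def next_hop(dest, table, default_gateway):
    """Longest-prefix match over the installed routes plus the pre-existing default."""
    best, best_len = default_gateway, -1
    for net, mask, gw in table:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ipaddress.ip_address(dest) in network and network.prefixlen > best_len:
            best, best_len = gw, network.prefixlen
    return best

def egress(opts, table, src, dest, default_gateway):
    """('tunnel' | 'wan', source address the far end sees).

    Tunnelled traffic must be NATed to the tunnel address, as the thread
    explains; ordinary WAN outbound NAT is not modelled here.
    """
    via_tunnel = next_hop(dest, table, default_gateway) == opts.remote_ip
    return ("tunnel", opts.local_ip) if via_tunnel else ("wan", src)

def covers_everything(table):
    """True when the installed routes collapse to 0.0.0.0/0 (the two /1 halves)."""
    nets = [ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m, _ in table]
    return ipaddress.ip_network("0.0.0.0/0") in ipaddress.collapse_addresses(nets)
```

Running `as_route_commands(routes_to_install(parse_push_reply(PUSH_LINE), VPN_SERVER, WAN_GATEWAY))` reproduces the three `route add` lines in the log above; `next_hop("8.8.8.8", ...)` returns the tunnel peer, which is why every LAN destination leaves via PIA once def1 is pushed.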