Tutorial: Configuring pfSense as VPN client to Private Internet Access


  • LAYER 8 Netgate

    Shouldn't.  Possibly some additional rules on DMZ if you want to forward any traffic from hosts there out the VPN connection.

    @phil.davis yeah, I don't see a way in the interface to create a cert like that.  There's probably a way to re-run the commands that run at first boot after install but I don't feel like digging through the rc scripts.



  • @Derelict:

    @peehoo:

    Awesome tutorial… Is it at all possible to expand it to situations where somebody wants to force only one, two, or a certain number of LAN IPs into the VPN tunnel while all the others stay outside of that VPN...

    That would be exactly what I needed!!

    That's easy.  It's the opposite of this:

    I would define an alias, say vpn_hosts, that contained the source IPs of the hosts you want to go through the VPN.  Put a rule with that alias as the source, with the gateway set to the VPN (PIAVPN_VPNV4 in this example).  Next, place one after that with a source of LAN net with a WAN group, default, or specific gateway set.

    Like this:

    Hi!

    I think I managed this  ::)

    Basically I needed only one internal IP address to go to the PIAVPN, so I created two firewall rules.

    One which says that 192.168.1.60 goes to PIAVPN and one which is the reverse of that -> all the other LAN addresses go to the WAN interface. Does this kind of configuration make any sense?

    Now my pc is showing me my ISP address and XBMC is showing PIA address.

    Ok, I changed that single host to an alias list, because every now and then some other PCs might use PIAVPN too.

    One thing came to my mind… When it comes to security and hiding my network traffic, is there any kind of problem with using the same PIA server every day? When using the PC client manually I've changed it to different countries every now and then... Ok, it is also possible to do that manually with pfSense, but is there any benefit to changing it, and if yes -> could it be possible to automatically use several PIA servers on different days?

    And at the end, a couple of stupid questions:

    • At this point it seems that PIAVPN is working (THX for a great tutorial)
    • Dashboard is showing in interfaces PIAVPN address BUT
    • for a reason I do not know, OpenVPN status shows that the PIA client instance status is down??

    Should I be worried?

    Screencaps below:

    Dec 11 13:06:42	openvpn[68212]: Exiting due to fatal error
    Dec 11 13:06:42	openvpn[68212]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
    Dec 11 13:06:42	openvpn[68212]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Dec 11 13:06:42	openvpn[68212]: ROUTE_GATEWAY xx.x.x.1
    

    Could this be a reason why I still have a DNS leak? How (and where) do I manually configure the PIA DNS servers?

    Also one minor thing… How can I configure a traffic limiter, especially an upload limiter, for those piavpn hosts? I tried to do this with these instructions, http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/, but did not succeed.



  • I just wanted to say thank you!! This tutorial is the only tutorial that actually worked. All others seemed to not show enough info around certificates. This clearly advised how to create and apply.

    Again, thank you!!



  • Hi,
    I've just registered here but have been lurking for quite a while.

    Thanks for the guide it was much easier than a lot of other guides out there and it's appreciated greatly.

    I have a question about DNS leak protection. With this default configuration, when I check https://www.dnsleaktest.com/ it's showing that pfSense is leaking. Has anyone configured it using PIA's DNS? I'm a little worried to just give it a try because it's taken everything I've got to get this far!!

    Anyhow if anyone has a tutorial for this it would be great.

    Thanks
    Steve



  • Hey Steve,

    The ONLY way I have found to prevent leaks is to use PIA's DNS servers. If anyone has found another way I would really like to hear about it as well.



    Thanks wbennett77, I ended up using PIA's DNS servers as well and no leaks! It was quite easy, which is nice for a change! I'm pretty happy to have found this guide as it's the most comprehensive and simple-to-use one on the net. I'm pairing it with a Netgear R7000 right now and it seems to be working well, especially in the 5 GHz range.



    Has anyone figured out the DNS settings yet? I stumbled across a topic, https://forum.pfsense.org/index.php?topic=29944.0 Step 4; I cannot test this at the moment, I'm waiting for my new mobo. I talked to a PIA rep and he recommended manually configuring DNS and provided me with the IPs 208.67.222.222 and 208.67.220.220. I should get my mobo tomorrow and will start playing with my new hardware and installing pfSense.


  • LAYER 8 Netgate

    Those are OpenDNS servers.

    Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P

    Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that set the gateway to PIA and mark the traffic with something like NO_WAN_EGRESS.

    Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.



  • @Derelict:

    Those are OpenDNS servers.

    Copyright enforcement bots are not going to have access to DNS server records.  I think all you PIA, etc. users might be overthinking things a bit.  Yes, I'm making a generalization that is probably wrong.  :P

    Just about anything is possible with pfSense.  If you want to make sure NOTHING from a particular internal host is transmitted out the normal WAN, set firewall rules on LAN that set the gateway to PIA and mark the traffic with something like NO_WAN_EGRESS.

    Then make a floating rule that blocks any traffic on WAN out marked with NO_WAN_EGRESS.

    I'm lost :), want to show us step by step?  ::)


  • LAYER 8 Netgate

    Post the rule that forwards your traffic to PIA.



  • @Derelict:

    Post the rule that forwards your traffic to PIA.

    I got my new mobo coming today, I'll set everything up and post it. Thank you for the help.

    EDIT

    So I got my mobo, an MSI Z87I AC (waiting on an AR9380). Pretty much I followed this guide to the end and added the OpenDNS IPs (I'm on 2.2-RC (amd64) built on Mon Dec 29 07:41:21 CST 2014, FreeBSD 10.1 RELEASE-p3) to System > General Setup DNS servers, and I don't have any DNS leaks.



  • After testing a bit, I see issues when using DHCP (LAN) and the DNS Forwarder.  Clients on the LAN are given the pfSense LAN IP as a DNS server and the DNS lookups done by the DNS Forwarder don't seem to be very sophisticated.  My firewall rules route a couple machines over the VPN and everything else goes over the WAN:

    However, I still see geo-optimized IPs when I do DNS lookups (ex: google.com).  I changed my DNS a bit to see if I could figure out what was going on.  I set two DNS servers:

    Note that one is set to use the WAN gateway and the other is set to use the TGNEWYORK gateway (I'm using TorGuard, not PIA).  After doing this, the behavior of one of my 'vpnclients' gives a good indication of what's happening.

    When I do a DNS leak test I can see that both DNS servers are being used and the route depends on which DNS server is picked by the DNS Forwarder.  I can tell this because it appears that TorGuard forces all DNS requests through OpenDNS, so half the servers found are Google, half are OpenDNS.

    There are two things to be careful of in my opinion.  1) Make sure all vpnclients bypass the DNS Forwarder.  2) Make sure normal connections don't use the VPN for DNS lookups.  I use a port forward rule to get the vpnclients to bypass the DNS Forwarder.  Note the rule uses the LAN interface.  Also note the firewall rule I have above to intentionally block all traffic from vpnclients to pfsense.

    Another option would be to make sure the DHCP server passes non-local DNS to clients, but keeping the vpnclients and normal clients separated is a pain.  To ensure normal connections don't use the VPN for DNS, I explicitly specify the WAN gateway for DNS and don't allow the settings to be overridden by DHCP.

    From the testing I did, leaving a gateway of 'none' doesn't work.  I still saw DNS lookups going over the VPN gateway.  To me this is incorrect behavior since my default gateway is the WAN gateway (only tested on 2.1.4).

    Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?



  • Has anyone successfully gotten PIA to work with SHA256? Works flawlessly with SHA1. Also if you receive MTU or HMAC authentication errors, try another server. Some servers are acting really wonky right now.

    Cheers!



    Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

    Having TWO OpenVPN clients set up via PIA.

    So the idea is this: based on the IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.

    Then based on the IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.

    Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.

    I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to PIA USA West. Is there anything I could be missing?



    Very good guide, but mine seems to restart if put under any stress like a download.



  • TerryD, did you upgrade to the latest pfSense 2.2 that was released yesterday?

    As for my issue, upgrading to 2.2 totally fixed the issues



  • @ryan29:

    Does anyone know if it's possible to get the DNS Forwarder to use a specific gateway for lookups?

    I did set it up like this, using no special rules:
    Check in the DNS Forwarder: Query DNS servers sequentially

    209.222.18.218 -> pia gateway
    209.222.18.222 -> pia gateway
    8.8.8.8 ->  wan gateway



  • @kintaroju:

    Great tutorial you guys have. I have a more complicated situation that I have been trying to get set up.

    Having TWO OpenVPN clients set up via PIA.

    So the idea is this: based on the IP range 192.168.0.2-192.168.0.20 it'll go to PIA USA West.

    Then based on the IP range 192.168.0.21-192.168.0.40 it'll go to PIA Canada.

    Then the remaining IPs 192.168.0.41-192.168.0.254 will be on the WAN.

    I've tried to follow the instructions before and just add a 2nd VPN client accordingly, but everything just defaults to PIA USA West. Is there anything I could be missing?

    Once you have one VPN gateway there isn't anything different about setting up another one and selecting the gateway based on LAN IP.
    However, there can be a situation where the VPN clients both have the same local interface IP (the 10.x.x.x IP address).
    I don't know what caused it, but restarting one VPN client did solve it for me.


  • LAYER 8 Netgate

    Save yourself some headaches and set your IPs on subnet boundaries instead.  That'll make your rules a lot easier.

    Like instead of assigning hosts IP addresses from 192.168.0.21 through 192.168.0.40, assign them 192.168.0.33 through 192.168.0.62.  You can then cover them in one rule with source IP 192.168.0.32/29 (255.255.255.248)

    You could:

    pass ip any source 192.168.0.32/29 dest any gateway PIA_USA_WEST # (hosts .33 through .62 - in this case you could actually use .32 and .63 too but I wouldn't)
    pass ip any source 192.168.0.64/29 dest any gateway PIA_CANADA # (hosts .65 through .94)
    pass ip any source LAN network dest any gateway default # everything else.



    Since the upgrade to 2.2 I have had PIA randomly disconnect and remain disconnected until I manually click connect again. Anyone else experience this problem? It seems to be every couple of days. On 2.1.5 the only time I had connectivity issues was when an internet issue caused a bad route to the server I had been connecting to. Other than that it has previously been very solid for me, up until the upgrade.



  • Thanks for this guide, I got PIA up and running for just my FireTV and the rest of my devices go through the normal WAN.

    The problem I'm having now is I'm trying to access content on hulu and watch Disney Junior with my FireTV, but it says I'm outside of the US (I'm not, and I'm using the PIA California server, I know that Hulu has blocked a lot of VPNs). I don't care if the traffic for Hulu and Disney aren't over PIA, I want to make a rule to bypass the VPN for Hulu, Disney, and potentially a couple of other streaming services. I've tried creating an alias for hulu.com and then I made a firewall rule (placed before my VPN hosts rule) that said if the destination was the hulu alias it would use the WAN gateway instead of the PIA gateway, but I still got the same outside of the US or private network error. I've also added an ipcheck to the alias to make sure it was working and it returned the IP address I wanted when the rule was applied, so it worked for that site at least.

    Any ideas how to get this to work? I don't really want to have to turn the VPN off each time I want to turn on Disney Junior for the kids.



  • hi moatilliata,

    Instead of rerouting the traffic, you could try to use a dnsmasq server to forward your DNS requests so you can still use the PIA VPN.

    One service that could work although I haven't tried it before is using UnoTelly:

    https://www2.unotelly.com/home#2-channels



  • @kintaroju:

    hi moatilliata,

    Instead of rerouting the traffic, you could try to use a dnsmasq server to forward your DNS requests so you can still use the PIA VPN.

    One service that could work although I haven't tried it before is using UnoTelly:

    https://www2.unotelly.com/home#2-channels

    Well, the sites work on my other PCs and iPad, and I'm pretty sure the DNS being sent on my normal WAN is still the PIA DNS; the only difference is the IP address. There must be a DNS name or IP that's not included in my alias for Disney and Hulu when my location is being checked on the devices behind the VPN.

    Hulu isn't my real problem because my TV has an app, but I don't have an app for Disney. I guess I'll just use the iPad and Chromecast, but that's just one more thing I have to teach my wife how to do.



  • One thing I was thinking if you are testing multiple devices, you should test if the registered external IP is the VPN IP or not?

    Also you should do a DNS leak test to ensure that the DNS resolution is coming from the correct DNS server, be it the VPN or the local DNS server.

    So what I do to troubleshoot the VPN issues is to use the below:

    https://www.dnsleaktest.com/
    http://whatismyipaddress.com/



  • I've done both of those things already.

    The DNS that comes back on DNS leak is always the VPN DNS, but when I'm on my normal WAN the inaccessible content is accessible.

    As far as IP check, behind the VPN I'm getting my VPN IP and on the WAN I'm getting my normal IP from my ISP.

    That's why I think my aliases for Hulu and Disney are incomplete.  They must connect to another DNS name or IP that I'm not bypassing in my alias.  I've pretty much given up on it for now. I just wanted it for the convenience of accessing those apps from the Fire TV.

    Is there a way to make it so certain source IPs use the VPN DNS and my sources going through WAN use the local DNS? I couldn't figure this out without having a DNS leak, which is why I just left it on the VPN DNS.



    If you want to have specific DNS for specific interfaces, you can do it two ways.

    One, you forward all DNS requests via the firewall, on the interface you want, to the specific DNS server, OR

    Go to System -> General Setup. Under DNS servers you can specify specific DNS servers based on the gateway, or in your case the "VPN Gateway".

    Let me know if that helps your cause or not.



  • Anyone else experiencing slower download speeds through PIA when upgrading from pfsense 2.1.5 to 2.2? My download speeds have been constantly 10-14 Mbps and with 2.1.5 they were 100+ Mbps.



  • Nope, I personally haven't had that problem. My speeds to PIA are the same before the upgrade.

    Also for the record going from 2.1.5 to 2.2 solved a lot of issues that I was having when opening multiple OpenVPN clients to PIA.



    Edit: the firewall at my work was blocking all images.

    Thank you



    Great tutorial.  Set up my pfSense on the first go-round, thanks!  Now, the 2 issues.  #1 is really just speed, I'm only getting 1.6-2.x Mbps, but that's not really a pfSense issue, more of a PIA issue.  Using the Texas server seems to be fastest but still slow compared to my 50 Mbps VDSL.  #2, Email.  Email POP3 doesn't work over PIA (GoDaddy) and they know it.  Can receive, can't send.  Is there a rule or setting to let SMTP bypass the VPN and use the WAN?  I tried a few tests, obviously unsuccessfully.  Again, great stuff!
    Thanks


  • LAYER 8 Netgate

    Try setting your mail server to use port 587.

    Sending email is not POP3.  Sending is SMTP.  Port 587 is the SMTP submit port.  You will have to authenticate.  Hopefully your mail provider supports STARTTLS.  Make it required.

    A quick telnet mailserver 587 will either result in an SMTP banner or it won't.



    Thanks for the response.  I'm not hosting a mail server.  What I need to do is route the SMTP requests from my POP3 Outlook account through to the WAN, bypassing the PIAVPN.  Currently all LAN machines are using pfSense DHCP and pfSense is configured to automatically connect and route to PIA's VPN connection.  Can (how?) I take an SMTP request from a machine that is using the VPN connection and have its Outlook POP3 account route past (bypass) the PIA VPN?  Let me know if this makes sense.  Thx


  • LAYER 8 Netgate

    I know.

    I'm sure PIA blocks port 25.  Try 587 instead.

    That or make a rule above the rule that routes your traffic to PIA that routes connections to your mail ports (TCP 110,143,993,995,25,587 and 465) out your WAN gateway (or the default route).

    Note that any application you use that attempts to bypass firewalling by using one of these commonly-passed ports will no longer go through the VPN either.  If you only use one to a few mail servers, you might want to create an alias using their FQDNs and set the destination address to that to limit the scope of the rule even more.

    [attached screenshot: Screen Shot 2015-02-13 at 7.10.59 AM.png]

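All of the rule advice in this thread rests on one property of pfSense LAN rules: they are evaluated top to bottom and the first match wins, so a more specific rule (the mail-port bypass in the post above, or a single host that must never leave via WAN) has to sit higher than the general VPN rule, and the catch-all "LAN net -> default gateway" rule goes last. The script below is an added example written for this thread, not pfSense code and not part of the tutorial; it models that evaluation so a rule order can be checked before it is applied. It ties together Derelict's alias-as-source answer (vpn_hosts with gateway PIAVPN_VPNV4), the NO_WAN_EGRESS tag plus floating block rule, the subnet-boundary rules for the two-client setup, and the mail-port bypass rule above. All alias, gateway and tag names (vpn_hosts, mail_ports, PIAVPN_VPNV4, PIA_USA_WEST, PIA_CANADA, WAN_DHCP, NO_WAN_EGRESS) are hypothetical. It also models pfSense's documented default for a rule whose gateway is down: the rule still matches but the gateway is dropped and traffic follows the default route (unless "Skip rules when gateway is down" is enabled under System > Advanced > Miscellaneous), which is exactly the fallback the tagged floating block rule turns into a drop. A prefix-range helper is included as a coverage check: 192.168.0.32/29 spans only .32 through .39, so reaching .33 through .62 in one rule needs 192.168.0.32/27 (255.255.255.224).

```python
"""Toy first-match evaluator for pfSense-style policy-routing rules.

Added example for this thread, not pfSense code. Alias, gateway and tag
names are hypothetical. It models:
  * LAN rules evaluated top-down, first match wins
  * a matching rule may set a gateway (policy routing) and a tag
  * pfSense's default when a rule's gateway is down: the rule still
    matches, the gateway is dropped, traffic follows the default route
  * a floating outbound rule on WAN that blocks packets tagged
    NO_WAN_EGRESS, turning that fallback into a drop (fail closed)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_GW = "WAN_DHCP"      # the default route (hypothetical gateway name)
KILL_TAG = "NO_WAN_EGRESS"   # tag matched by the floating block rule on WAN

# Aliases as they would be defined under Firewall > Aliases (constructed contents)
ALIASES = {
    "vpn_hosts": ["192.168.0.100", "192.168.0.101"],
    "mail_ports": [25, 110, 143, 465, 587, 993, 995],
}


@dataclass
class Rule:
    src: str                          # "any", a CIDR, a host IP, or an alias name
    gateway: Optional[str] = None     # None = default route
    dst_ports: Optional[str] = None   # port alias name, None = any port
    tag: Optional[str] = None


def _src_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    entries = ALIASES.get(spec, [spec])
    return any(ip_address(ip) in ip_network(e, strict=False) for e in entries)


def _port_matches(spec: Optional[str], port: int) -> bool:
    return spec is None or port in ALIASES[spec]


def select_route(rules, src_ip, dst_port, gateways_up):
    """Return (egress_gateway, tag, verdict) for the first rule that matches."""
    for r in rules:
        if not (_src_matches(r.src, src_ip) and _port_matches(r.dst_ports, dst_port)):
            continue
        egress = r.gateway
        if egress is not None and egress not in gateways_up:
            egress = None          # gateway down: pfSense default drops the gateway
        if egress is None:
            egress = DEFAULT_GW
        if egress == DEFAULT_GW and r.tag == KILL_TAG:
            return (None, r.tag, "blocked")   # floating rule: block out on WAN, tagged
        return (egress, r.tag, "pass")
    return (None, None, "blocked")            # no rule matched: implicit default deny


def prefix_range(cidr: str):
    """First address, last address and size of a prefix, to check a rule's coverage."""
    net = ip_network(cidr, strict=True)
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses)


# LAN rules, top to bottom. Order matters: the mail bypass sits above the VPN rule.
LAN_RULES = [
    Rule(src="vpn_hosts", dst_ports="mail_ports"),                 # mail -> default route
    Rule(src="vpn_hosts", gateway="PIAVPN_VPNV4", tag=KILL_TAG),   # everything else -> VPN
    Rule(src="192.168.0.32/27", gateway="PIA_USA_WEST"),           # .32 through .63
    Rule(src="192.168.0.64/27", gateway="PIA_CANADA"),             # .64 through .95
    Rule(src="192.168.0.0/24"),                                    # rest of LAN -> WAN
]

if __name__ == "__main__":
    up = {"PIAVPN_VPNV4", "PIA_USA_WEST", "PIA_CANADA"}
    print(select_route(LAN_RULES, "192.168.0.100", 443, up))     # via the VPN
    print(select_route(LAN_RULES, "192.168.0.100", 587, up))     # mail bypass -> WAN
    print(select_route(LAN_RULES, "192.168.0.100", 443, set()))  # VPN down -> blocked
    print(select_route(LAN_RULES, "192.168.0.40", 443, set()))   # no tag: leaks to WAN
    print(prefix_range("192.168.0.32/29"), prefix_range("192.168.0.32/27"))
```

The fourth call is the case the tag exists for: a host routed to PIA_USA_WEST with no NO_WAN_EGRESS tag silently falls back to WAN when that gateway goes down, while the tagged vpn_hosts rule is dropped by the floating block instead. Swapping the first two LAN_RULES entries makes the mail bypass unreachable, which is the same ordering mistake that puts a Hulu or SMTP bypass rule below the VPN rule in the GUI.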


  • Thx Derelict. Your advice on the ports worked but only without SSL so I'm not connecting securely to send/receive.  Can you outline in a few steps how to add an smtp to a rule for bypass?  smtp.out.secureserver.net is what godaddy uses for sending, if I can put that in a rule to bypass the vpn and use the wan it should work with encryption (SSL) applied.


  • LAYER 8 Netgate

    Should have nothing to do with negotiating SSL.  I don't know how that server is set up but there are two ways to get SMTP over SSL/TLS:

    1. Connect on port 465.  This usually expects SSL right off the bat like an HTTPS connection.  You can test this with openssl s_client -connect smtp.out.secureserver.net:465.  Port 465 is a de facto standard for this thanks to Microsoft. YMMV.

    2. Connect to port 25 or 587.  This establishes a normal SMTP or SMTP Submit connection.  The client must then issue a STARTTLS command to negotiate TLS prior to sending authentication credentials. You can test this with openssl s_client -connect smtp.out.secureserver.net:[25|587] -starttls smtp


  • LAYER 8 Netgate

    @User1503:

    Can you outline in a few steps how to add an smtp to a rule for bypass?

    Post your LAN rules (or the rules for whatever interface is being used for forwarding to PIA.)


  • LAYER 8 Netgate

    Hmmm.  smtp.out.secureserver.net doesn't resolve.  You need to figure out where you need to send your outgoing mail.



  • I just started using pfSense again after a long hiatus and can't get OpenVPN to work with PIA.  I had it working in an old version of pfSense but the options are different in v2.2 and I'm tearing my hair out.  Everything looks setup right but the gateway never stays up.

    After restarting the OpenVPN service the 'PIAVPN' Interface shows an IP address, but when I go to the Gateway status, the 'PIAVPN_VPNV4' gateway is always 'offline.'  According to the Gateway log:

    Feb 14 14:31:57 apinger: SIGHUP received, reloading configuration.
    Feb 14 14:31:57 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.100.4.5) *** down ***
    Feb 14 14:32:08 apinger: ALARM: PIAVPN_VPNV4(10.153.1.5) *** down ***
    Feb 14 14:32:13 apinger: SIGHUP received, reloading configuration.
    Feb 14 14:32:13 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.153.1.5) *** down ***
    Feb 14 14:32:23 apinger: ALARM: PIAVPN_VPNV4(10.183.1.5) *** down ***
    Feb 14 14:33:26 apinger: SIGHUP received, reloading configuration.
    Feb 14 14:33:26 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.183.1.5) *** down ***
    Feb 14 14:33:36 apinger: ALARM: PIAVPN_VPNV4(10.182.147.5) *** down ***
    Feb 14 14:33:40 apinger: SIGHUP received, reloading configuration.
    Feb 14 14:33:40 apinger: alarm canceled (config reload): PIAVPN_VPNV4(10.182.147.5) *** down ***
    Feb 14 14:33:50 apinger: ALARM: PIAVPN_VPNV4(10.181.1.5) *** down ***

    This repeats constantly.  I checked the OpenVPN logs:

    Feb 14 14:33:35 openvpn[45195]: client = ENABLED
    Feb 14 14:33:35 openvpn[45195]: pull = ENABLED
    Feb 14 14:33:35 openvpn[45195]: auth_user_pass_file = '/etc/openvpn-password.txt'
    Feb 14 14:33:35 openvpn[45195]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 1 2014
    Feb 14 14:33:35 openvpn[45195]: library versions: OpenSSL 1.0.1k-freebsd 8 Jan 2015, LZO 2.08
    Feb 14 14:33:35 openvpn[45195]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Feb 14 14:33:35 openvpn[45424]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 14 14:33:35 openvpn[45424]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 14 14:33:35 openvpn[45424]: LZO compression initialized
    Feb 14 14:33:35 openvpn[45424]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 14 14:33:35 openvpn[45424]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 14 14:33:35 openvpn[45424]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 14 14:33:35 openvpn[45424]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Feb 14 14:33:35 openvpn[45424]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Feb 14 14:33:35 openvpn[45424]: Local Options hash (VER=V4): '41690919'
    Feb 14 14:33:35 openvpn[45424]: Expected Remote Options hash (VER=V4): '530fdded'
    Feb 14 14:33:35 openvpn[45424]: UDPv4 link local (bound): [AF_INET]73.34.122.142
    Feb 14 14:33:35 openvpn[45424]: UDPv4 link remote: [AF_INET]66.85.147.138:1194
    Feb 14 14:33:35 openvpn[45424]: TLS: Initial packet from [AF_INET]66.85.147.138:1194, sid=97ab86e1 7dcc85ab
    Feb 14 14:33:35 openvpn[45424]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 14 14:33:36 openvpn[45424]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Feb 14 14:33:36 openvpn[45424]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
    Feb 14 14:33:36 openvpn[45424]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 14 14:33:36 openvpn[45424]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 14 14:33:36 openvpn[45424]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 14 14:33:36 openvpn[45424]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 14 14:33:36 openvpn[45424]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Feb 14 14:33:36 openvpn[45424]: [Private Internet Access] Peer Connection Initiated with [AF_INET]66.85.147.138:1194
    Feb 14 14:33:38 openvpn[45424]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
    Feb 14 14:33:39 openvpn[45424]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.181.1.1,topology net30,ifconfig 10.181.1.6 10.181.1.5'
    Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: LZO parms modified
    Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: route options modified
    Feb 14 14:33:39 openvpn[45424]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 14 14:33:39 openvpn[45424]: ROUTE_GATEWAY 73.34.122.1
    Feb 14 14:33:39 openvpn[45424]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Feb 14 14:33:39 openvpn[45424]: TUN/TAP device /dev/tun1 opened
    Feb 14 14:33:39 openvpn[45424]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Feb 14 14:33:39 openvpn[45424]: /sbin/ifconfig ovpnc1 10.181.1.6 10.181.1.5 mtu 1500 netmask 255.255.255.255 up
    Feb 14 14:33:39 openvpn[45424]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1542 10.181.1.6 10.181.1.5 init
    Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 66.85.147.138 73.34.122.1 255.255.255.255
    Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 0.0.0.0 10.181.1.5 128.0.0.0
    Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 128.0.0.0 10.181.1.5 128.0.0.0
    Feb 14 14:33:39 openvpn[45424]: /sbin/route add -net 10.181.1.1 10.181.1.5 255.255.255.255
    Feb 14 14:33:39 openvpn[45424]: Initialization Sequence Completed

    Nothing really stands out as problematic there... nothing else gets logged until maybe 15 minutes later, when I get this:

    Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: CMD 'state 1'
    Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: CMD 'status 2'
    Feb 14 14:48:59 openvpn[45424]: MANAGEMENT: Client disconnected

    Any ideas where I should be looking to resolve this?

    Thanks for the help!


  • LAYER 8 Netgate

    Looks like it's connecting to me.  What's not working?

    You probably can't ping the gateway directly.  Just turn off monitoring or find something else to use as a monitor IP.



    Thanks for the tutorial, and it works... but does anybody know how to force OpenVPN to route traffic from only one VLAN?  So, for example, I have the following interfaces:

    WAN
    LAN (10.0.1.0/24)
    Guest (10.0.2.0/24)
    OVPN (10.0.3.0/24)

    I want the LAN and Guest get routed through WAN.  How do I make only the clients on the OVPN interface use the OpenVPN tunnel?

    I've tried to limit the NAT to only the 10.0.3.0/24 net, but then the LAN (and probably Guest) wasn't routing any traffic out.  I also tried to setup some firewall rules to route the LAN to the WAN and make OVPN route it through the OpenVPN gateway, but nothing.

    Thanks!

