[Solved] OpenVPN/ExpressVPN cannot connect



  • I configured pfSense based on the StrongVPN guide https://forum.pfsense.org/index.php?topic=29944.0

    but the connection still doesn't work; ifconfig fails, with /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up as the last command in the log.

    Log:

    
    Last 50 OpenVPN log entries
    Jul 4 14:17:24	openvpn[31627]: Exiting due to fatal error
    Jul 4 14:17:24	openvpn[31627]: FreeBSD ifconfig failed: external program exited with error status: 1
    Jul 4 14:17:24	openvpn[31627]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
    Jul 4 14:17:24	openvpn[31627]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jul 4 14:17:24	openvpn[31627]: TUN/TAP device /dev/tun2 opened
    Jul 4 14:17:24	openvpn[31627]: ROUTE_GATEWAY 67.177.168.1
    Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: route options modified
    Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 4 14:17:24	openvpn[31627]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 4 14:17:24	openvpn[31627]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
    Jul 4 14:17:24	openvpn[31627]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 4 14:17:22	openvpn[31627]: [server] Peer Connection Initiated with [AF_INET]67.212.xx.xx:1194
    Jul 4 14:17:22	openvpn[31627]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Jul 4 14:17:22	openvpn[31627]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 4 14:17:22	openvpn[31627]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 4 14:17:22	openvpn[31627]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 4 14:17:22	openvpn[31627]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 4 14:17:22	openvpn[31627]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Jul 4 14:17:22	openvpn[31627]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1546'
    Jul 4 14:17:21	openvpn[31627]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
    Jul 4 14:17:21	openvpn[31627]: VERIFY X509NAME OK: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
    Jul 4 14:17:21	openvpn[31627]: VERIFY OK: nsCertType=SERVER
    Jul 4 14:17:21	openvpn[31627]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
    Jul 4 14:17:21	openvpn[31627]: TLS: Initial packet from [AF_INET]67.212.xx.xx:1194, sid=9f36d269 ceb731b0
    Jul 4 14:17:21	openvpn[31627]: UDPv4 link remote: [AF_INET]67.212.xx.xx:1194
    Jul 4 14:17:21	openvpn[31627]: UDPv4 link local (bound): [AF_INET]67.177.170.202
    Jul 4 14:17:17	openvpn[91655]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jul 4 14:17:17	openvpn[91655]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 4 14:17:17	openvpn[91655]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 4 14:17:17	openvpn[91655]: Control Channel Authentication: using '/var/etc/openvpn/client2.tls-auth' as a OpenVPN static key file
    Jul 4 14:17:17	openvpn[91655]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 4 14:17:17	openvpn[91655]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
    Jul 4 14:17:17	openvpn[91655]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014
    Jul 4 14:17:17	openvpn[91655]: DEPRECATED OPTION: --tls-remote, please update your configuration
    Jul 4 14:10:11	openvpn[55966]: Exiting due to fatal error
    Jul 4 14:10:11	openvpn[55966]: FreeBSD ifconfig failed: external program exited with error status: 1
    Jul 4 14:10:11	openvpn[55966]: /sbin/ifconfig tun 10.10.0.110 10.10.0.109 mtu 1500 netmask 255.255.255.255 up
    Jul 4 14:10:11	openvpn[55966]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jul 4 14:10:11	openvpn[55966]: TUN/TAP device /dev/tun2 opened
    Jul 4 14:10:11	openvpn[55966]: ROUTE_GATEWAY 67.177.168.1
    Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: route options modified
    Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 4 14:10:11	openvpn[55966]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 4 14:10:11	openvpn[55966]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
    Jul 4 14:10:11	openvpn[55966]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul 4 14:10:09	openvpn[55966]: [server] Peer Connection Initiated with [AF_INET]67.212.xx.xx:1194
    Jul 4 14:10:09	openvpn[55966]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Jul 4 14:10:09	openvpn[55966]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    
    

    Troubleshooting based on

    didn't change anything.

    OpenVPN client config:

    verb 3
    dev tun
    fast-io
    #proto tcp-client
    persist-key
    persist-tun
    replay-persist cur-replay-protection.cache
    remote canada-cluster.expressnetwork.net 1194
    remote canada-cluster2.expressnetwork.net 1194
    remote canada-cluster3.expressnetwork.net 1194
    remote canada-cluster4.expressnetwork.net 1194
    remote-random
    pull

    # Use compression
    comp-lzo

    # Strong encryption

    tls-client
    ns-cert-type server
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    tls-auth /etc/ssl/ExpressVPN/ta.key 1
    cert /etc/ssl/ExpressVPN/client.crt
    key /etc/ssl/ExpressVPN/client.key
    ca /etc/ssl/ExpressVPN/ca.crt

    Routing tables:

    default 67.xxx.xxx.x UGS 0 106334 1500 em1
    67.xxx.xxx.0/22 link#2 U 0 2406 1500 em1
    c-67-xxx-xxx-xxx.hsd1.tn.comcast.net link#2 UHS 0 0 16384 lo0
    cdns01.comcast.net 00:0c:29:e5:xx:xx UHS 0 1478 1500 em1
    cdns02.comcast.net 00:0c:29:e5:xx:xx UHS 0 1477 1500 em1
    localhost link#7 UH 0 171 16384 lo0
    192.168.1.0 link#1 U 0 479391 1500 em0
    gateway.home link#1 UHS 0 0 16384 lo0

    Destination Gateway Flags Refs Use Mtu Netif Expire
    localhost localhost UH 0 0 16384 lo0
    fe80::%em0 link#1 U 0 124 1500 em0
    fe80::1:1%em0 link#1 UHS 0 0 16384 lo0
    fe80::%em1 link#2 U 0 451 1500 em1
    fe80::1:1%em1 link#2 UHS 0 0 16384 lo0
    fe80::%em2 link#3 U 0 0 1500 em2
    fe80::20c:29ff:fee5:f11d%em2 link#3 UHS 0 0 16384 lo0
    fe80::%lo0 link#7 U 0 0 16384 lo0
    fe80::1%lo0 link#7 UHS 0 0 16384 lo0
    ff01::%em0 fe80::1:1%em0 U 0 0 1500 em0
    ff01::%em1 fe80::1:1%em1 U 0 0 1500 em1
    ff01::%em2 fe80::20c:29ff:fee5:f11d%em2 U 0 0 1500 em2
    ff01::%lo0 localhost U 0 0 16384 lo0
    ff02::%em0 fe80::1:1%em0 U 0 0 1500 em0
    ff02::%em1 fe80::1:1%em1 U 0 0 1500 em1
    ff02::%em2 fe80::20c:29ff:fee5:f11d%em2 U 0 0 1500 em2
    ff02::%lo0 localhost U 0 0 16384 lo0

    Any thoughts?

    Thanks!



  • Update … fixed, by altering the OpenVPN client config to

    fast-io; persist-key;replay-persist cur-replay-protection.cache; remote-random; pull; verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;
    persist-tun;keepalive 10 120;

    keepalive 10 120 was the actual differentiator that made it work.
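
Added example, not part of the original posts: a Python audit of the client log pasted in the first post. It parses the PUSH_REPLY and flags the fatal ifconfig error together with the legacy crypto parameters the log reports (BF-CBC, TLSv1, 1024-bit RSA, deprecated --tls-remote). The rule names and the 2048-bit RSA threshold are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: lines copied from the log posted above, oldest first.
SAMPLE_LOG = """\
Jul 4 14:17:17 openvpn[91655]: DEPRECATED OPTION: --tls-remote, please update your configuration
Jul 4 14:17:17 openvpn[91655]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 14:17:22 openvpn[31627]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 4 14:17:22 openvpn[31627]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul 4 14:17:24 openvpn[31627]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.110 10.10.0.109'
Jul 4 14:17:24 openvpn[31627]: FreeBSD ifconfig failed: external program exited with error status: 1
"""

# (finding name, regex, optional predicate on the match); names and thresholds are assumptions
RULES = [
    ("deprecated-tls-remote", r"DEPRECATED OPTION: --tls-remote", None),
    ("script-security-note", r"--script-security setting may allow", None),
    ("64-bit-block-cipher", r"Cipher '(BF|DES|DES-EDE3|CAST5)-CBC'", None),
    ("legacy-tls", r"Control Channel: (TLSv1|SSLv3),", None),
    ("short-rsa-key", r"(\d+) bit RSA", lambda m: int(m.group(1)) < 2048),
    ("ifconfig-failed", r"ifconfig failed", None),
]

def parse_push_reply(line):
    """Return pushed options as {name: [args, ...]}, or None if the line has no PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        opts.setdefault(name, []).append(args)
    return opts

def audit(log_text):
    findings, pushed = [], {}
    for line in log_text.splitlines():
        pushed = parse_push_reply(line) or pushed  # keep the most recent PUSH_REPLY
        for name, pattern, check in RULES:
            m = re.search(pattern, line)
            if m and (check is None or check(m)) and name not in findings:
                findings.append(name)
    if "redirect-gateway" in pushed:  # server asks the client to route everything via the tunnel
        findings.append("server-redirects-all-traffic")
    if "dhcp-option" in pushed:  # resolvers chosen by the server, accepted because of `pull`
        findings.append("server-pushed-dns:" + ",".join(a.split()[-1] for a in pushed["dhcp-option"]))
    return findings, pushed

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG)[0]))
```
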

