Open VPN Connection (UDP 53)
Hi,
I'm currently using 2.1.5-RELEASE (i386) and I'm having a problem with OpenVPN. I can't seem to figure out where the issue is occurring; hopefully someone might be able to shed some light on it and point me in the right direction. Basically, I'm currently using pfSense as an internet gateway to route our internet traffic through HMA's VPN server in Korea.
I've set everything up connecting OpenVPN using TCP port 443 as per the guide HMA has provided here:
After doing that, the connection initially was not working; after tweaking firewall settings and NAT routing it was then working fine and has been working fine since. However, the speed is a little slower than what I've experienced using the OpenVPN client for Windows with UDP port 53.
HMA advised that simply changing the port to 53 and the protocol to UDP would work fine for pfSense also. However, after doing this I can no longer access the internet from the LAN side. I accessed the firewall logs and some TCP and UDP requests were being blocked, so I set up temporary port rules to allow this traffic through.
At the moment the firewall log shows it is blocking nothing, yet there is still no internet access from the LAN side.
- If I disable the OpenVPN connection, I can access the internet fine (IP shows traffic is routed through the ISP).
- If I change the settings of the OpenVPN connection back to TCP, I can then access the internet fine (with the IP showing traffic is being routed through the VPN).
- If I change the protocol to UDP and the port to 53, the VPN shows an IP address and that it's connected, as do the LAN and WAN. Yet I cannot gain access to the internet.
OPENVPN LOG (TCP port 443, WORKING CONFIG)
Dec 10 11:28:53 openvpn[91857]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Dec 10 11:28:53 openvpn[91857]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 10 11:28:53 openvpn[91857]: WARNING: file '/conf/hmauser.conf' is group or others accessible
Dec 10 11:28:53 openvpn[91857]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 10 11:28:53 openvpn[91857]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Dec 10 11:28:53 openvpn[92056]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 10 11:28:53 openvpn[92056]: Attempting to establish TCP connection with [AF_INET]113.29.231.2:443 [nonblock]
Dec 10 11:28:54 openvpn[92056]: TCP connection established with [AF_INET]113.29.231.2:443
Dec 10 11:28:54 openvpn[92056]: TCPv4_CLIENT link local (bound): [AF_INET]192.168.254.4
Dec 10 11:28:54 openvpn[92056]: TCPv4_CLIENT link remote: [AF_INET]113.29.231.2:443
Dec 10 11:28:54 openvpn[92056]: TLS: Initial packet from [AF_INET]113.29.231.2:443, sid=4757805d 83589bbf
Dec 10 11:28:54 openvpn[92056]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 10 11:28:56 openvpn[92056]: VERIFY OK: depth=1, C=GB, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=hidemyass.com, name=HMA, emailAddress=info@privax.com
Dec 10 11:28:56 openvpn[92056]: VERIFY OK: nsCertType=SERVER
Dec 10 11:28:56 openvpn[92056]: VERIFY OK: depth=0, C=GB, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=server, emailAddress=info@privax.com
Dec 10 11:29:03 openvpn[92056]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 10 11:29:03 openvpn[92056]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 11:29:03 openvpn[92056]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 10 11:29:03 openvpn[92056]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 11:29:03 openvpn[92056]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Dec 10 11:29:03 openvpn[92056]: [server] Peer Connection Initiated with [AF_INET]113.29.231.2:443
Dec 10 11:29:05 openvpn[92056]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 10 11:29:08 openvpn[92056]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,ifconfig 10.200.2.193 255.255.252.0'
Dec 10 11:29:08 openvpn[92056]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 10 11:29:08 openvpn[92056]: OPTIONS IMPORT: route options modified
Dec 10 11:29:08 openvpn[92056]: OPTIONS IMPORT: route-related options modified
Dec 10 11:29:08 openvpn[92056]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 10 11:29:08 openvpn[92056]: ROUTE_GATEWAY 192.168.254.254
Dec 10 11:29:08 openvpn[92056]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 10 11:29:08 openvpn[92056]: TUN/TAP device /dev/tun1 opened
Dec 10 11:29:08 openvpn[92056]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 10 11:29:08 openvpn[92056]: /sbin/ifconfig ovpnc1 10.200.2.193 10.200.2.193 mtu 1500 netmask 255.255.252.0 up
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 10.200.0.0 10.200.2.193 255.255.252.0
Dec 10 11:29:08 openvpn[92056]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1543 10.200.2.193 255.255.252.0 init
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 113.29.231.2 192.168.254.254 255.255.255.255
Dec 10 11:29:08 openvpn[92056]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 0.0.0.0 10.200.0.1 128.0.0.0
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 128.0.0.0 10.200.0.1 128.0.0.0
Dec 10 11:29:08 openvpn[92056]: GID set to nobody
Dec 10 11:29:08 openvpn[92056]: UID set to nobody
Dec 10 11:29:08 openvpn[92056]: Initialization Sequence Completed
OPENVPN LOG (UDP port 53)
Dec 10 11:40:38 openvpn[69222]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Dec 10 11:40:38 openvpn[69222]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 10 11:40:38 openvpn[69222]: WARNING: file '/conf/hmauser.conf' is group or others accessible
Dec 10 11:40:38 openvpn[69222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 10 11:40:38 openvpn[69222]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 10 11:40:38 openvpn[69314]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 10 11:40:38 openvpn[69314]: UDPv4 link local (bound): [AF_INET]192.168.254.4
Dec 10 11:40:38 openvpn[69314]: UDPv4 link remote: [AF_INET]113.29.231.2:53
Dec 10 11:40:38 openvpn[69314]: TLS: Initial packet from [AF_INET]113.29.231.2:53, sid=795fb863 a7560aa2
Dec 10 11:40:38 openvpn[69314]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 10 11:40:39 openvpn[69314]: VERIFY OK: depth=1, C=GB, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=hidemyass.com, name=HMA, emailAddress=info@privax.com
Dec 10 11:40:39 openvpn[69314]: VERIFY OK: nsCertType=SERVER
Dec 10 11:40:39 openvpn[69314]: VERIFY OK: depth=0, C=GB, ST=London, L=London, O=Privax Ltd, OU=HMA Pro VPN, CN=server, emailAddress=info@privax.com
Dec 10 11:40:43 openvpn[69314]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 10 11:40:43 openvpn[69314]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 11:40:43 openvpn[69314]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 10 11:40:43 openvpn[69314]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 11:40:43 openvpn[69314]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Dec 10 11:40:43 openvpn[69314]: [server] Peer Connection Initiated with [AF_INET]113.29.231.2:53
Dec 10 11:40:45 openvpn[69314]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 10 11:40:50 openvpn[69314]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 10 11:40:51 openvpn[69314]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.111 255.255.252.0'
Dec 10 11:40:51 openvpn[69314]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 10 11:40:51 openvpn[69314]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 10 11:40:51 openvpn[69314]: OPTIONS IMPORT: route options modified
Dec 10 11:40:51 openvpn[69314]: OPTIONS IMPORT: route-related options modified
Dec 10 11:40:51 openvpn[69314]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 10 11:40:51 openvpn[69314]: ROUTE_GATEWAY 192.168.254.254
Dec 10 11:40:51 openvpn[69314]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 10 11:40:51 openvpn[69314]: TUN/TAP device /dev/tun1 opened
Dec 10 11:40:51 openvpn[69314]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 10 11:40:51 openvpn[69314]: /sbin/ifconfig ovpnc1 10.200.5.111 10.200.5.111 mtu 1500 netmask 255.255.252.0 up
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 10.200.4.0 10.200.5.111 255.255.252.0
Dec 10 11:40:51 openvpn[69314]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1541 10.200.5.111 255.255.252.0 init
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 113.29.231.2 192.168.254.254 255.255.255.255
Dec 10 11:40:51 openvpn[69314]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 0.0.0.0 10.200.4.1 128.0.0.0
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 128.0.0.0 10.200.4.1 128.0.0.0
Dec 10 11:40:51 openvpn[69314]: GID set to nobody
Dec 10 11:40:51 openvpn[69314]: UID set to nobody
Dec 10 11:40:51 openvpn[69314]: Initialization Sequence Completed
Dec 10 11:40:51 openvpn[69314]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.111 255.255.252.0'
The firewall log is blank when I try to access websites from either setup.
If anyone has any ideas or can give me an idea on how to figure out what/where it's going wrong, I'd be grateful.
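Added example, not part of the original post: a small Python script that parses excerpts of the two OpenVPN client logs above and summarises what differs between the working TCP session and the failing UDP session (remote endpoint, options pushed by the server, route commands that were followed by an ERROR line, and how many PUSH_REPLY messages arrived). The excerpts are constructed from entries in the post with most lines omitted; the regexes and function names are assumptions of this example.

```python
import re
# Constructed excerpts in the format of the two OpenVPN client logs posted
# above (values copied from the post; most entries omitted for brevity).
TCP_LOG = """\
Dec 10 11:28:54 openvpn[92056]: TCP connection established with [AF_INET]113.29.231.2:443
Dec 10 11:29:08 openvpn[92056]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,ifconfig 10.200.2.193 255.255.252.0'
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 113.29.231.2 192.168.254.254 255.255.255.255
Dec 10 11:29:08 openvpn[92056]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 10 11:29:08 openvpn[92056]: /sbin/route add -net 0.0.0.0 10.200.0.1 128.0.0.0
Dec 10 11:29:08 openvpn[92056]: Initialization Sequence Completed
"""
UDP_LOG = """\
Dec 10 11:40:38 openvpn[69314]: UDPv4 link remote: [AF_INET]113.29.231.2:53
Dec 10 11:40:51 openvpn[69314]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.111 255.255.252.0'
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 113.29.231.2 192.168.254.254 255.255.255.255
Dec 10 11:40:51 openvpn[69314]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 10 11:40:51 openvpn[69314]: /sbin/route add -net 0.0.0.0 10.200.4.1 128.0.0.0
Dec 10 11:40:51 openvpn[69314]: Initialization Sequence Completed
Dec 10 11:40:51 openvpn[69314]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.111 255.255.252.0'
"""
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ openvpn\[\d+\]: (.*)$")   # syslog prefix
REMOTE_RE = re.compile(r"^(UDP|TCP)\S*.*?\[AF_INET\]([\d.]+):(\d+)")  # remote endpoint
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")

def parse_session(text):
    """Summarise one client session from its log text (hypothetical helper)."""
    s = {"remote": None, "pushed": [], "push_replies": 0,
         "failed_routes": [], "completed": False}
    last_route = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        msg = m.group(1) if m else ""       # ignore lines without the syslog prefix
        if r := REMOTE_RE.match(msg):
            s["remote"] = (r.group(1), r.group(2), r.group(3))   # (proto, host, port)
        elif p := PUSH_RE.search(msg):
            s["push_replies"] += 1
            s["pushed"] = p.group(1).split(",")   # options the server pushed
        elif msg.startswith("/sbin/route add"):
            last_route = msg                     # remember in case an ERROR follows
        elif msg.startswith("ERROR:") and last_route:
            s["failed_routes"].append(last_route)
            last_route = None
        elif msg == "Initialization Sequence Completed":
            s["completed"] = True
    return s

def diff_pushed(a, b):
    """Pushed options present in only one of two parsed sessions."""
    sa, sb = set(a["pushed"]), set(b["pushed"])
    return {"only_in_a": sorted(sa - sb), "only_in_b": sorted(sb - sa)}
```

Running `diff_pushed(parse_session(TCP_LOG), parse_session(UDP_LOG))` isolates the settings that changed with the protocol switch (route-gateway, ifconfig address, ping/ping-restart), while `failed_routes` shows that the host route to 113.29.231.2 failed identically in both sessions, so that error alone does not explain the UDP failure.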