Can't surf



  • Running 2.1.5 to connect to StrongVPN using the tutorial.
    Openvpn client connects but I can't surf.

    Any help appreciated.



  • Crickets….....  Would it help if I posted a system log?



  • You have to give us more than that….  what is... "the tutorial"?



  • @dgeorge:

    Crickets….....  Would it help if I posted a system log?

    Generally speaking: yes. It often helps if you detail your setup, your customizations, what you have tried to fix it, and where it goes wrong, yes ;D

    There's some amazingly bright and knowledgeable people in this fine place, but it is the same as it is everywhere: the bright minds need information to work with  ;)



  • The tutorial I'm referring to is https://forum.pfsense.org/index.php?topic=29944.0
    Below is my openvpn log.  Thanks for any feedback and let me know if you need more details.

    Jan 10 14:30:56 pfSense openvpn[59236]: port_share_port = 0
    Jan 10 14:30:56 pfSense openvpn[59236]: client = ENABLED
    Jan 10 14:30:56 pfSense openvpn[59236]: pull = ENABLED
    Jan 10 14:30:56 pfSense openvpn[59236]: auth_user_pass_file = '[UNDEF]'
    Jan 10 14:30:56 pfSense openvpn[59236]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 10 14:30:56 pfSense openvpn[59236]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Jan 10 14:30:56 pfSense openvpn[59236]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 10 14:30:56 pfSense openvpn[59236]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 10 14:30:56 pfSense openvpn[59236]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Jan 10 14:30:56 pfSense openvpn[59236]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 10 14:30:56 pfSense openvpn[59236]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 10 14:30:56 pfSense openvpn[59236]: Control Channel MTU parms [ L:1545 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jan 10 14:30:56 pfSense openvpn[59236]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jan 10 14:30:56 pfSense openvpn[59236]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:4 ET:0 EL:0 ]
    Jan 10 14:30:56 pfSense openvpn[59236]: Fragmentation MTU parms [ L:1545 D:1300 EF:45 EB:4 ET:0 EL:0 ]
    Jan 10 14:30:56 pfSense openvpn[59236]: Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 10 14:30:56 pfSense openvpn[59236]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 10 14:30:56 pfSense openvpn[59236]: Local Options hash (VER=V4): '885414e3'
    Jan 10 14:30:56 pfSense openvpn[59236]: Expected Remote Options hash (VER=V4): '8bcc3b84'
    Jan 10 14:30:56 pfSense openvpn[59288]: UDPv4 link local (bound): [AF_INET]192.168.1.102:50211
    Jan 10 14:30:56 pfSense openvpn[59288]: UDPv4 link remote: [AF_INET]108.171.114.28:4672
    Jan 10 14:30:56 pfSense openvpn[59288]: TLS: Initial packet from [AF_INET]108.171.114.28:4672, sid=6c22dd1f 41af9b41
    Jan 10 14:30:56 pfSense openvpn[59288]: VERIFY OK: depth=1, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=ovpn027, emailAddress=techies@reliablehosting.com
    Jan 10 14:30:56 pfSense openvpn[59288]: VERIFY OK: depth=0, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=vpn-in109, emailAddress=techies@reliablehosting.com
    Jan 10 14:30:56 pfSense openvpn[59288]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1545', remote='link-mtu 1546'
    Jan 10 14:30:56 pfSense openvpn[59288]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Jan 10 14:30:56 pfSense openvpn[59288]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 10 14:30:56 pfSense openvpn[59288]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 10 14:30:56 pfSense openvpn[59288]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 10 14:30:56 pfSense openvpn[59288]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 10 14:30:56 pfSense openvpn[59288]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Jan 10 14:30:56 pfSense openvpn[59288]: [vpn-in109] Peer Connection Initiated with [AF_INET]108.171.114.28:4672
    Jan 10 14:30:58 pfSense openvpn[59288]: SENT CONTROL [vpn-in109]: 'PUSH_REQUEST' (status=1)
    Jan 10 14:30:58 pfSense openvpn[59288]: PUSH: Received control message: 'PUSH_REPLY,ping 1,ping-restart 60,route-delay 2,route-metric 1,dhcp-option DNS 108.171.112.22,dhcp-option DNS 108.171.120.22,route 10.8.0.217,topology net30,ifconfig 10.8.0.222 10.8.0.221'
    Jan 10 14:30:58 pfSense openvpn[59288]: OPTIONS IMPORT: timers and/or timeouts modified
    Jan 10 14:30:58 pfSense openvpn[59288]: OPTIONS IMPORT: --ifconfig/up options modified
    Jan 10 14:30:58 pfSense openvpn[59288]: OPTIONS IMPORT: route options modified
    Jan 10 14:30:58 pfSense openvpn[59288]: OPTIONS IMPORT: route-related options modified
    Jan 10 14:30:58 pfSense openvpn[59288]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jan 10 14:30:58 pfSense openvpn[59288]: ROUTE_GATEWAY 192.168.1.2
    Jan 10 14:30:58 pfSense openvpn[59288]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Jan 10 14:30:58 pfSense openvpn[59288]: TUN/TAP device /dev/tun1 opened
    Jan 10 14:30:58 pfSense openvpn[59288]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 10 14:30:58 pfSense openvpn[59288]: /sbin/ifconfig ovpnc1 10.8.0.222 10.8.0.221 mtu 1500 netmask 255.255.255.255 up
    Jan 10 14:30:58 pfSense openvpn[59288]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1545 10.8.0.222 10.8.0.221 init
    Jan 10 14:31:00 pfSense openvpn[59288]: /sbin/route add -net 108.171.114.28 192.168.1.2 255.255.255.255
    Jan 10 14:31:00 pfSense openvpn[59288]: /sbin/route add -net 0.0.0.0 10.8.0.221 128.0.0.0
    Jan 10 14:31:00 pfSense openvpn[59288]: /sbin/route add -net 128.0.0.0 10.8.0.221 128.0.0.0
    Jan 10 14:31:00 pfSense openvpn[59288]: /sbin/route add -net 10.8.0.217 10.8.0.221 255.255.255.255
    Jan 10 14:31:00 pfSense openvpn[59288]: Initialization Sequence Completed
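
A way to triage the warnings in a client log like the one posted above, as an added example that is not part of the original thread. The function name `triage`, the category labels and the 2048-bit RSA threshold are assumptions of this example; the sample lines are copied from the posted log.

```python
import re

# Excerpt of the client log posted above (lines copied from the thread).
SAMPLE_LOG = """\
Jan 10 14:30:56 pfSense openvpn[59236]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 10 14:30:56 pfSense openvpn[59288]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1545', remote='link-mtu 1546'
Jan 10 14:30:56 pfSense openvpn[59288]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jan 10 14:30:56 pfSense openvpn[59288]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 10 14:31:00 pfSense openvpn[59288]: Initialization Sequence Completed
"""

MSG = re.compile(r"openvpn\[\d+\]:\s+(.*)$")
INCONSISTENT = re.compile(r"'([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
MISSING = re.compile(r"'([^']+)' is present in (\w+) config but missing in (\w+) config")
RSA_BITS = re.compile(r"Control Channel:.*?(\d+) bit RSA")


def triage(log_text):
    """Return (category, option, detail) findings for an OpenVPN client log."""
    findings, one_sided, inconsistent = [], {}, []
    for raw in log_text.splitlines():
        m = MSG.search(raw)
        if not m:
            continue  # not an openvpn syslog line
        msg = m.group(1)
        if "No server certificate verification method" in msg:
            findings.append(("security", "server-cert-verification",
                             "server certificate role is unchecked; see remote-cert-tls"))
        elif MISSING.search(msg):
            opt, present, absent = MISSING.search(msg).groups()
            one_sided[opt] = present
            findings.append(("mismatch", opt, f"set on {present} side, missing on {absent} side"))
        elif INCONSISTENT.search(msg):
            inconsistent.append(INCONSISTENT.search(msg).groups())
        elif RSA_BITS.search(msg):
            bits = int(RSA_BITS.search(msg).group(1))
            if bits < 2048:  # threshold is this example's assumption
                findings.append(("weak-crypto", "rsa-key", f"{bits} bit RSA server key"))
    # Second pass: comp-lzo framing adds one byte to link-mtu, so a 1-byte gap next to
    # a one-sided comp-lzo is reported as derived from it rather than as a separate issue.
    for opt, local, remote in inconsistent:
        gap = None
        if opt == "link-mtu":
            gap = abs(int(remote.split()[-1]) - int(local.split()[-1]))
        if gap == 1 and "comp-lzo" in one_sided:
            findings.append(("derived", opt, "1-byte gap follows from the comp-lzo mismatch"))
        else:
            findings.append(("mismatch", opt, f"local={local!r} remote={remote!r}"))
    return findings
```

Run over the excerpt, it separates the one warning that concerns authentication of the server from the two that concern option agreement between the peers, and folds the `link-mtu` warning into the `comp-lzo` one.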



  • @dgeorge:

    Jan 10 14:30:56  pfSense openvpn[59288]: UDPv4 link local (bound): [AF_INET]192.168.1.102:50211
    Jan 10 14:30:56  pfSense openvpn[59288]: TLS: Initial packet from [AF_INET]108.171.114.28:4672, sid=6c22dd1f 41af9b41
    Jan 10 14:30:56  pfSense openvpn[59236]: auth_user_pass_file = '[UNDEF]'
    Jan 10 14:30:56  pfSense openvpn[59288]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1545', remote='link-mtu 1546'
    Jan 10 14:30:56  pfSense openvpn[59288]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

    Only being the eternal noob that I will always be; might the above be relevant and need to be fixed?

    ;D



  • Does that indicate something in my config or is it a problem with Strong's config on their end?
    I tried googling that phrase but don't seem to see any hits for undef?

    Thanks for your help



  • Just to clarify, are you saying all five lines are a concern or just the one in bold?



  • Hey guys.  Can I get some more help with this?  If you need more info let me know what you need and I'll provide it.
    I have contacted StrongVPN but they are not much help as they don't really support pfsense and because I am able to surf when using the strongvpn windows client so they say it must be a problem with pfsense not their settings.

    As you can see from my log, I can connect to the strongvpn server but am unable to surf when openvpn is running.  If I stop openvpn, I can surf again.

    Any help is appreciated.



  • @dgeorge:

    I have contacted StrongVPN but they are not much help as they don't really support pfsense and because I am able to surf when using the strongvpn windows client so they say it must be a problem with pfsense not their settings.

    This in itself would be enough reason for me to ditch them right away. This is the usual 'blame somebody else, not us'.

    Ask them if they own the hardware (actually bought the stuff) in their own data center (actually pay rent for the building), or are simply renting it on a monthly basis, via their paypal account, from their attic  ;) :P ;D

    It's too easy to blame pfSense for everything  :)



  • If I could not surf while logged in via the windows app I would agree, but since it does work via the app, it makes me think the issue is pfsense.

    I did have this working a few months ago but I think it stopped after I upgraded to 2.1.5.

    Couple of other points;

    If I look at the dashboard, it does show "You are on the latest version" which I believe means it does have a working internet connection.

    In the previous version of pfsense, under firewall rules/source, I would select lan subnet.  That option is not in the new version.  It only shows lan net or lan address.  Which do I use?

    Thanks for your help



  • @dgeorge:

    If I could not surf while logged in via the windows app I would agree, but since it does work via the app, it makes me think the issue is pfsense.

    As Robert The Niro said in 'Heat' (marvelous movie, btw, it's in my all time favourite top 10 list, right after 'The Godfather' trilogy and Schindler's List  ;D ):

    'There's a flip side to that coin'.

    The fact that you are able to run this from your desktop, using proprietary software (what's in there to make it show all green lights when you connect to their server?), does not mean they have their servers configured right to withstand the test of having your router, with the real OpenVPN, connect to it successfully.

    Don't get me wrong, I don't mean any disrespect towards you, I know you are only sincerely struggling to get it to work ( ;) ), but if it works with their 'secret software', but doesn't work with the open source OpenVPN and they refuse to help you and instead point you to their 'secret software', I get suspicious.

    I've been there myself: 1001 attic-rented VPS servers-paypal-by-the-month-crooks who don't know sh*t and were only there to rip customers like you and me from my money, blaming pfSense for stuff it surely wasn't to blame for. Because they appeared to know not the least of VPNs in the first place.

    Just the other day, I was having a 'group' conversation, via email, with the three OpenVPN services I currently use; each of them work flawlessly with pfSense (Thanks CMB, for helping me with only one sentence of yours on fixing my problems  :-* :-* ), however, there are performance differences. It is actually quite interesting to see techs from these three different services exchange highly technical arguments to each other: it shows they really know what they are actually doing.

    I did have this working a few months ago but I think it stopped after I upgraded to 2.1.5.

    Couple of other points;

    @dgeorge:

    If I look at the dashboard, it does show "You are on the latest version" which I believe means it does have a working internet connection.

    That tells you not much about your VPN (since, unless you hacked and tweaked things I wouldn't even know how to do (I'm sure it's possible, but I'm a noob  ;D ), your pfSense normally goes out on the default gateway (your WAN, so not the VPN interface), to check for updates).

    @dgeorge:

    In the previous version of pfsense, under firewall rules/source, I would select lan subnet.  That option is not in the new version.  It only shows lan net or lan address.  Which do I use?

    LAN net = LAN subnet (e.g. all your clients in LAN, so by default desktop on 192.168.1.10, other desktop on 1.11, etc).

    LAN address is the address of your gateway, so typically 192.168.1.1, the address of pfSense itself.

    My final thoughts: go to privateinternetaccess, and buy a one month subscription (it's only a few dollars). Set that up (there is an excellent tutorial, search for 'PIA' or 'privateinternetaccess' on this forum, and you will find it). DON'T mess with Snort (thanks again, CMB :-* -  Bill: I will contact you about this - Snort is killing my VPN by one of its rules, and I don't know which rule it is; you are a Master, so I don't blame you (of course not ;D ), I simply need to report it to you to see if you could perhaps see what is wrong  :-* ).

    Bottom line: If PIA works, then OpenVPN works (hint: PIA works, I know, as I am using it  ;) ).



  • I may have to try that but before I hand my credit card out to another provider, is there any other troubleshooting you can suggest for my pfsense configuration?

    Thanks


  • LAYER 8 Global Moderator

    Just a comment to these vpn providers – I really don't get why anyone uses them.  You can get a vps for pennies.  You don't need a lot of oomph to provide vpn.  If it's just for you.. You get a vps, I have a couple with different providers for $12 a year, and $15 a year.  And found one the other day someone recommended for $6 a YEAR!!

    Here is the $6 a year one https://bandwagonhost.com/cart.php the micro-128, 300GB a month transfer
    I have accounts with http://www.chicagovps.net/ $12 a year and 2 with http://buyvm.net/ at $15 a year..  You add these all up and they are still cheaper than most "vpn" providers ;)  From what I have seen playing with the new one - prob let the other ones expire and move over to the $6 a year host..  Shoot for what I need the $4 a year micro-64 might work ;)  But its only 100GB a month.

    Click click - you can install openvpnas package that gives you 2 free concurrent connections and away you go!  I was working on a guide, doing this but got a bit side tracked.  Need to complete that.  I had the vpn up and running in less than 15 min total.. and that was with changing the vps from centos to ubuntu 14.04 minimal, etc..

    Or you can install the full blown openvpn server free version and go to town.  What is it that this vpn provider is giving you can not get by just going with your own vps?  In whatever country you want/need.  With the low cost ones you could get multiple and still be way cheaper than these providers..



  • John, I have actually started looking into a vps.  If you have a guide on how to set one up that would be great.

    Thanks for the links.  Much appreciated!


  • LAYER 8 Global Moderator

    I had started one..  But there was visual annoyance for me with the gateway widget and it creating gateway couldn't get rid of.. Then got side tracked ;)  But I think the latest snaps fix up the gateway widget ;)

    When I get a chance I will finish it up and can post here or send to you.



  • @johnpoz:

    I had started one..  But there was visual annoyance for me with the gateway widget and it creating gateway couldn't get rid of.. Then got side tracked ;)  But I think the latest snaps fix up the gateway widget ;)

    When I get a chance I will finish it up and can post here or send to you.

    I'd be most interested to see such a guide too, John  :-*

    On the providers you posted: how is their speed and reliability? I mean, for those prices, 'something's got to give', so to speak, not?

    I mean, I get 100/15 over PIA; I'd assume these providers can't do that?



  • Ok, I have done some more tinkering and could use some more help.

    I installed dd-wrt x86 on the same PC and am able to get openvpn connected and surf so this seems to be an issue with my pfsense configuration.  I also noticed when I still had pfsense running that the VPN gateway status was offline.

    Whether I use strongvpn or a vps this will be an issue if I stay with pfsense so I would like to get this solved.

    If there is any other info needed please let me know.

    Thanks



  • johnpoz - I tunnel every last packet back to the USA.

    With the VPS(s) you posted, what sorts of data limits might I run into?



  • So this does not morph into a vps thread, please start a new post to discuss vps'.

    Thanks

