Netgate Discussion Forum

    Cannot get openvpn to work, traffic is not routed/flowing

      kripz

      I followed this guide: https://forum.pfsense.org/index.php?topic=84866.msg469736#msg469736
      I'm getting "no route to host" when pinging from pfSense connected through SSH.

      My LAN machines are set to use 192.168.2.1 as the default gateway.

      ifconfig

      vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
      	ether 52:54:00:32:5b:97
      	inet6 fe80::5054:ff:fe32:5b97%vtnet0 prefixlen 64 scopeid 0x1
      	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet 10Gbase-T <full-duplex>
      	status: active
      vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
      	ether 52:54:00:32:b5:de
      	inet6 fe80::5054:ff:fe32:b5de%vtnet1 prefixlen 64 scopeid 0x2
      	inet 192.168.2.1 netmask 0xffff0000 broadcast 192.168.255.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet 10Gbase-T <full-duplex>
      	status: active
      pflog0: flags=100<PROMISC> metric 0 mtu 33144
      pfsync0: flags=0<> metric 0 mtu 1500
      	syncpeer: 224.0.0.240 maxupd: 128 defer: on
      	syncok: 1
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
      	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
      	inet 127.0.0.1 netmask 0xff000000
      	inet6 ::1 prefixlen 128
      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      enc0: flags=0<> metric 0 mtu 1536
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	ether 00:bd:d9:00:00:01
      	inet6 fe80::2bd:d9ff:fe00:1%ovpnc1 prefixlen 64 scopeid 0x7
      	inet 192.253.240.70 netmask 0xffffffe0 broadcast 192.253.240.70
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect
      	status: no carrier
      tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	Opened by PID 63253
      

      http://screencloud.net/v/o2Us

      route-delay 2
      auth-nocache;
      keepalive 10 120;
      pull;
      route-nopull;
      route 0.0.0.0 0.0.0.0;
      remote-cert-tls server;
      
      Mar 5 17:21:15	openvpn[62917]: WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
      Mar 5 17:21:15	openvpn[63253]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Mar 5 17:21:15	openvpn[63253]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
      Mar 5 17:21:15	openvpn[63253]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Mar 5 17:21:15	openvpn[63253]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Mar 5 17:21:15	openvpn[63253]: LZO compression initialized
      Mar 5 17:21:15	openvpn[63253]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
      Mar 5 17:21:15	openvpn[63253]: Socket Buffers: R=[42080->65536] S=[57344->65536]
      Mar 5 17:21:16	openvpn[63253]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
      Mar 5 17:21:16	openvpn[63253]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
      Mar 5 17:21:16	openvpn[63253]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
      Mar 5 17:21:16	openvpn[63253]: Local Options hash (VER=V4): '9e7066d2'
      Mar 5 17:21:16	openvpn[63253]: Expected Remote Options hash (VER=V4): '162b04de'
      Mar 5 17:21:16	openvpn[63253]: UDPv4 link local (bound): [AF_INET]192.168.1.2
      Mar 5 17:21:16	openvpn[63253]: UDPv4 link remote: [AF_INET]192.253.240.2:53
      Mar 5 17:21:16	openvpn[63253]: TLS: Initial packet from [AF_INET]192.253.240.2:53, sid=4ecbb28d 58748260
      Mar 5 17:21:17	openvpn[63253]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
      Mar 5 17:21:17	openvpn[63253]: Validating certificate key usage
      Mar 5 17:21:17	openvpn[63253]: ++ Certificate has key usage 00a0, expects 00a0
      Mar 5 17:21:17	openvpn[63253]: VERIFY KU OK
      Mar 5 17:21:17	openvpn[63253]: Validating certificate extended key usage
      Mar 5 17:21:17	openvpn[63253]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Mar 5 17:21:17	openvpn[63253]: VERIFY EKU OK
      Mar 5 17:21:17	openvpn[63253]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
      Mar 5 17:21:21	openvpn[63253]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
      Mar 5 17:21:21	openvpn[63253]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Mar 5 17:21:21	openvpn[63253]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
      Mar 5 17:21:21	openvpn[63253]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Mar 5 17:21:21	openvpn[63253]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
      Mar 5 17:21:21	openvpn[63253]: [PureVPN] Peer Connection Initiated with [AF_INET]192.253.240.2:53
      Mar 5 17:21:23	openvpn[63253]: SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1)
      Mar 5 17:21:23	openvpn[63253]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 8.8.4.4,route-gateway 192.253.240.65,topology subnet,ping 10,ping-restart 120,ifconfig 192.253.240.70 255.255.255.224'
      Mar 5 17:21:23	openvpn[63253]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
      Mar 5 17:21:23	openvpn[63253]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
      Mar 5 17:21:23	openvpn[63253]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
      Mar 5 17:21:23	openvpn[63253]: OPTIONS IMPORT: timers and/or timeouts modified
      Mar 5 17:21:23	openvpn[63253]: OPTIONS IMPORT: --ifconfig/up options modified
      Mar 5 17:21:23	openvpn[63253]: OPTIONS IMPORT: route-related options modified
      Mar 5 17:21:23	openvpn[63253]: WARNING: potential conflict between --remote address [192.253.240.2] and --ifconfig address pair [192.253.240.70, 255.255.255.224] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)
      Mar 5 17:21:23	openvpn[63253]: ROUTE_GATEWAY 192.168.1.1
      Mar 5 17:21:23	openvpn[63253]: TUN/TAP device ovpnc1 exists previously, keep at program end
      Mar 5 17:21:23	openvpn[63253]: TUN/TAP device /dev/tun1 opened
      Mar 5 17:21:23	openvpn[63253]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Mar 5 17:21:23	openvpn[63253]: /sbin/ifconfig ovpnc1 192.253.240.70 192.253.240.70 mtu 1500 netmask 255.255.255.224 up
      Mar 5 17:21:23	openvpn[63253]: /sbin/route add -net 192.253.240.64 192.253.240.70 255.255.255.224
      Mar 5 17:21:23	openvpn[63253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Mar 5 17:21:23	openvpn[63253]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 192.253.240.70 255.255.255.224 init
      Mar 5 17:21:25	openvpn[63253]: /sbin/route add -net 0.0.0.0 192.253.240.65 0.0.0.0
      Mar 5 17:21:25	openvpn[63253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Mar 5 17:21:25	openvpn[63253]: Initialization Sequence Completed
      
      netstat -nr
      Routing tables
      
      Internet:
      Destination        Gateway            Flags      Netif Expire
      default            192.168.1.1        UGS      vtnet0
      127.0.0.1          link#5             UH          lo0
      192.168.0.0/16     link#2             U        vtnet1
      192.168.1.0/24     link#1             U        vtnet0
      192.168.1.2        link#1             UHS         lo0
      192.168.2.1        link#2             UHS         lo0
      192.253.240.64/27  link#7             U        ovpnc1
      192.253.240.70     link#7             UHS         lo0
      
      

      Firewall rules

      LAN

      Action | Proto  | Source  | Port | Destination | Port        | Gateway       | Queue | Schedule | Description
      pass   | *      | *       | *    | LAN Address | 443, 80, 22 | *             | *     |          | Anti-Lockout Rule
             | IPv4 * | LAN net | *    | *           | *           | PUREVPN_VPNV4 | none  |          | Default allow LAN to any rule
             | IPv6 * | LAN net | *    | *           | *           | *             | none  |          | Default allow LAN IPv6 to any rule
      
      

      WAN

      Action | Proto | Source                        | Port | Destination | Port | Gateway | Queue | Schedule | Description
      block  | *     | RFC 1918 networks             | *    | *           | *    | *       | *     |          | Block private networks
      block  | *     | Reserved/not assigned by IANA | *    | *           | *    | *       | *     | *        | Block bogon networks
      
      

      Other tabs are empty.

      NAT set to manual outbound rule generation

      Interface | Source         | Source Port | Destination | Destination Port | NAT Address     | NAT Port | Static Port | Description
      WAN       | 127.0.0.0/8    | *           | *           | 500              | WAN address     | *        | YES         | Auto created rule for ISAKMP - localhost to WAN
      PUREVPN   | 127.0.0.0/8    | *           | *           | 500              | PUREVPN address | *        | YES         | Auto created rule for ISAKMP - localhost to WAN
      WAN       | 127.0.0.0/8    | *           | *           | *                | WAN address     | *        | NO          | Auto created rule - localhost to WAN
      PUREVPN   | 127.0.0.0/8    | *           | *           | *                | PUREVPN address | *        | NO          | Auto created rule - localhost to WAN
      WAN       | 192.168.0.0/16 | *           | *           | 500              | WAN address     | *        | YES         | Auto created rule for ISAKMP - LAN to WAN
      PUREVPN   | 192.168.0.0/16 | *           | *           | 500              | PUREVPN address | *        | YES         | Auto created rule for ISAKMP - LAN to WAN
      WAN       | 192.168.0.0/16 | *           | *           | *                | WAN address     | *        | NO          | Auto created rule - LAN to WAN
      PUREVPN   | 192.168.0.0/16 | *           | *           | *                | PUREVPN address | *        | NO          | Auto created rule - LAN to WAN
      

      EDIT: Here are the OpenVPN settings from PureVPN themselves.

      client
      dev tun
      proto udp
      remote hk1-ovpn-udp.purevpn.net 53
      persist-key
      persist-tun
      ca ca.crt
      tls-auth Wdc.key 1
      cipher AES-256-CBC
      comp-lzo
      verb 1
      mute 20
      route-method exe
      route-delay 2
      route 0.0.0.0 0.0.0.0
      auth-user-pass
      auth-retry interact
      explicit-exit-notify 2
      ifconfig-nowarn
      auth-nocache 
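
Added example, not part of the original post: a check of the connected networks in the ifconfig output above for overlap, which is worth ruling out before debugging VPN routes. It parses the FreeBSD hex netmasks; the sample text is constructed from the `inet` lines in the post, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: interface headers and inet lines from the ifconfig
# output in the post above (other lines omitted).
IFCONFIG = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.2.1 netmask 0xffff0000 broadcast 192.168.255.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.253.240.70 netmask 0xffffffe0 broadcast 192.253.240.70
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")


def connected_networks(text):
    """Return {interface: IPv4Network} from FreeBSD-style ifconfig output."""
    nets, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and iface:
            # Convert 0xffff0000 to 255.255.0.0; ip_network rejects
            # non-contiguous masks, so a corrupt value raises ValueError.
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            nets[iface] = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
    return nets


def overlapping_pairs(nets):
    """Interface pairs whose connected networks share addresses."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def interfaces_containing(nets, ip):
    """Interfaces whose connected network contains the given address."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, net in nets.items() if addr in net)


if __name__ == "__main__":
    nets = connected_networks(IFCONFIG)
    for name, net in nets.items():
        print(f"{name:8} {net}")
    print("overlaps:", overlapping_pairs(nets))
    # 192.168.1.1 is the default gateway shown in the netstat -nr output.
    print("192.168.1.1 is on-link for:", interfaces_containing(nets, "192.168.1.1"))
```

With the netmasks as posted, vtnet1 (0xffff0000) is connected to 192.168.0.0/16, which contains vtnet0's 192.168.1.0/24, so the gateway 192.168.1.1 is on-link for both interfaces.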
      
        viragomann

        Use tap device.

          kripz

          Same thing. I got a little bit further as I set it back to TUN and took out:

          pull;
          route-nopull;
          route 0.0.0.0 0.0.0.0;
          

          Now the default gateway is correctly set to route all traffic through the VPN gateway when I type

          netstat -nr
          

          Now my problem is clients in the 192.168.2.0/24 subnet cannot get out through the VPN. I can ping 192.168.2.1 but anything else won't work, DNS doesn't work either. Seems like it's being blocked by pfSense but it's not showing up in the logs.

            viragomann

            From the OVPN server you get an IP in its own subnet. That only works correctly with tap device as it is suggested by PureVPN.
            So use tap and if there are further problems post the logs again.

              kripz

              Changed back to TAP, left the advanced options out.

              [2.2-RELEASE][admin@vm-vpn.home.vpn]/root: ifconfig
              vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
              	ether 52:54:00:32:5b:97
              	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
              	inet6 fe80::5054:ff:fe32:5b97%vtnet0 prefixlen 64 scopeid 0x1
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet 10Gbase-T <full-duplex>
              	status: active
              vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=6c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
              	ether 52:54:00:32:b5:de
              	inet 192.168.2.1 netmask 0xffff0000 broadcast 192.168.255.255
              	inet6 fe80::5054:ff:fe32:b5de%vtnet1 prefixlen 64 scopeid 0x2
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet 10Gbase-T <full-duplex>
              	status: active
              pflog0: flags=100<PROMISC> metric 0 mtu 33144
              pfsync0: flags=0<> metric 0 mtu 1500
              	syncpeer: 224.0.0.240 maxupd: 128 defer: on
              	syncok: 1
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
              	inet 127.0.0.1 netmask 0xff000000
              	inet6 ::1 prefixlen 128
              	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              enc0: flags=0<> metric 0 mtu 1536
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              ovpnc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=80000<LINKSTATE>
              	ether 00:bd:e7:00:00:01
              	inet6 fe80::2bd:e7ff:fe00:1%ovpnc1 prefixlen 64 scopeid 0x7
              	inet 192.253.240.75 netmask 0xffffffe0 broadcast 192.253.240.75
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect
              	status: active
              	Opened by PID 10235
              
              [2.2-RELEASE][admin@vm-vpn.home.vpn]/root: netstat -nr
              Routing tables
              
              Internet:
              Destination        Gateway            Flags      Netif Expire
              0.0.0.0/1          192.253.240.65     UGS      ovpnc1
              default            192.168.1.1        UGS      vtnet1
              127.0.0.1          link#5             UH          lo0
              128.0.0.0/1        192.253.240.65     UGS      ovpnc1
              192.168.0.0/16     link#2             U        vtnet1
              192.168.2.1        link#2             UHS         lo0
              192.168.3.0/24     link#1             U        vtnet0
              192.168.3.1        link#1             UHS         lo0
              192.253.240.2/32   192.168.1.1        UGS      vtnet1
              192.253.240.64/27  link#7             U        ovpnc1
              192.253.240.75     link#7             UHS         lo0
              
              Internet6:
              Destination                       Gateway                       Flags      Netif Expire
              ::1                               link#5                        UH          lo0
              fe80::%vtnet0/64                  link#1                        U        vtnet0
              fe80::5054:ff:fe32:5b97%vtnet0    link#1                        UHS         lo0
              fe80::%vtnet1/64                  link#2                        U        vtnet1
              fe80::5054:ff:fe32:b5de%vtnet1    link#2                        UHS         lo0
              fe80::%lo0/64                     link#5                        U           lo0
              fe80::1%lo0                       link#5                        UHS         lo0
              fe80::%ovpnc1/64                  link#7                        U        ovpnc1
              fe80::2bd:e7ff:fe00:1%ovpnc1      link#7                        UHS         lo0
              ff01::%vtnet0/32                  fe80::5054:ff:fe32:5b97%vtnet0 U        vtnet0
              ff01::%vtnet1/32                  fe80::5054:ff:fe32:b5de%vtnet1 U        vtnet1
              ff01::%lo0/32                     ::1                           U           lo0
              ff01::%ovpnc1/32                  fe80::2bd:e7ff:fe00:1%ovpnc1  U        ovpnc1
              ff02::%vtnet0/32                  fe80::5054:ff:fe32:5b97%vtnet0 U        vtnet0
              ff02::%vtnet1/32                  fe80::5054:ff:fe32:b5de%vtnet1 U        vtnet1
              ff02::%lo0/32                     ::1                           U           lo0
              ff02::%ovpnc1/32                  fe80::2bd:e7ff:fe00:1%ovpnc1  U        ovpnc1
              
              Mar 7 10:34:41	openvpn[10235]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
              Mar 7 10:34:41	openvpn[10235]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
              Mar 7 10:34:41	openvpn[10235]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
              Mar 7 10:34:41	openvpn[10235]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
              Mar 7 10:34:41	openvpn[10235]: LZO compression initialized
              Mar 7 10:34:41	openvpn[10235]: Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
              Mar 7 10:34:41	openvpn[10235]: Socket Buffers: R=[42080->65536] S=[57344->65536]
              Mar 7 10:34:47	openvpn[10235]: Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
              Mar 7 10:34:47	openvpn[10235]: Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
              Mar 7 10:34:47	openvpn[10235]: Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
              Mar 7 10:34:47	openvpn[10235]: Local Options hash (VER=V4): '48527533'
              Mar 7 10:34:47	openvpn[10235]: Expected Remote Options hash (VER=V4): '44bd8b5e'
              Mar 7 10:34:47	openvpn[10235]: UDPv4 link local (bound): [AF_INET]192.168.3.1
              Mar 7 10:34:47	openvpn[10235]: UDPv4 link remote: [AF_INET]192.253.240.2:53
              Mar 7 10:34:47	openvpn[10235]: TLS: Initial packet from [AF_INET]192.253.240.2:53, sid=dddc401d 519eb1d9
              Mar 7 10:35:01	openvpn[10235]: Validating certificate key usage
              Mar 7 10:35:01	openvpn[10235]: ++ Certificate has key usage 00a0, expects 00a0
              Mar 7 10:35:01	openvpn[10235]: VERIFY KU OK
              Mar 7 10:35:01	openvpn[10235]: Validating certificate extended key usage
              Mar 7 10:35:01	openvpn[10235]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
              Mar 7 10:35:01	openvpn[10235]: VERIFY EKU OK
              Mar 7 10:35:01	openvpn[10235]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
              Mar 7 10:35:10	openvpn[10235]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
              Mar 7 10:35:10	openvpn[10235]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1558'
              Mar 7 10:35:10	openvpn[10235]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
              Mar 7 10:35:10	openvpn[10235]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
              Mar 7 10:35:10	openvpn[10235]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Mar 7 10:35:10	openvpn[10235]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
              Mar 7 10:35:10	openvpn[10235]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
              Mar 7 10:35:10	openvpn[10235]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
              Mar 7 10:35:10	openvpn[10235]: [PureVPN] Peer Connection Initiated with [AF_INET]192.253.240.2:53
              Mar 7 10:35:12	openvpn[10235]: SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1)
              Mar 7 10:35:13	openvpn[10235]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 8.8.4.4,route-gateway 192.253.240.65,topology subnet,ping 10,ping-restart 120,ifconfig 192.253.240.75 255.255.255.224'
              Mar 7 10:35:13	openvpn[10235]: OPTIONS IMPORT: timers and/or timeouts modified
              Mar 7 10:35:13	openvpn[10235]: OPTIONS IMPORT: --ifconfig/up options modified
              Mar 7 10:35:13	openvpn[10235]: OPTIONS IMPORT: route options modified
              Mar 7 10:35:13	openvpn[10235]: OPTIONS IMPORT: route-related options modified
              Mar 7 10:35:13	openvpn[10235]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
              Mar 7 10:35:13	openvpn[10235]: ROUTE_GATEWAY 192.168.1.1
              Mar 7 10:35:13	openvpn[10235]: TUN/TAP device ovpnc1 exists previously, keep at program end
              Mar 7 10:35:13	openvpn[10235]: TUN/TAP device /dev/tap1 opened
              Mar 7 10:35:13	openvpn[10235]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
              Mar 7 10:35:13	openvpn[10235]: /sbin/ifconfig ovpnc1 192.253.240.75 192.253.240.75 mtu 1500 netmask 255.255.255.224 up
              Mar 7 10:35:13	openvpn[10235]: /sbin/route add -net 192.253.240.64 192.253.240.75 255.255.255.224
              Mar 7 10:35:13	openvpn[10235]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
              Mar 7 10:35:13	openvpn[10235]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1590 192.253.240.75 255.255.255.224 init
              Mar 7 10:35:15	openvpn[10235]: /sbin/route add -net 192.253.240.2 192.168.1.1 255.255.255.255
              Mar 7 10:35:15	openvpn[10235]: /sbin/route add -net 0.0.0.0 192.253.240.65 128.0.0.0
              Mar 7 10:35:15	openvpn[10235]: /sbin/route add -net 128.0.0.0 192.253.240.65 128.0.0.0
              Mar 7 10:35:15	openvpn[10235]: Initialization Sequence Completed
              
              [2.2-RELEASE][admin@vm-vpn.home.vpn]/root: ping 8.8.8.8
              PING 8.8.8.8 (8.8.8.8): 56 data bytes
              ping: sendto: No route to host
              ping: sendto: No route to host
              ping: sendto: No route to host
              
              

              If it helps, here are the OpenVPN settings from PureVPN's .ovpn file

              client
              dev tun
              proto udp
              remote hk1-ovpn-udp.purevpn.net 53
              persist-key
              persist-tun
              ca ca.crt
              tls-auth Wdc.key 1
              cipher AES-256-CBC
              comp-lzo
              verb 1
              mute 20
              route-method exe
              route-delay 2
              route 0.0.0.0 0.0.0.0
              auth-user-pass
              auth-retry interact
              explicit-exit-notify 2
              ifconfig-nowarn
              auth-nocache 
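
Added example, not part of the original thread: a triage of the OpenVPN client logs posted above that groups, per process, the pushed options the client refused, the external commands that failed, and the local/remote option mismatches. The sample is a constructed subset of the quoted log lines (PID 63253 is the tun attempt with `route-nopull` set, PID 10235 the tap attempt); the function names are illustrative.

```python
import re

# Constructed sample: a subset of the log lines quoted in this thread.
LOG = """\
Mar 5 17:21:23 openvpn[63253]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 8.8.4.4,route-gateway 192.253.240.65,topology subnet,ping 10,ping-restart 120,ifconfig 192.253.240.70 255.255.255.224'
Mar 5 17:21:23 openvpn[63253]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Mar 5 17:21:23 openvpn[63253]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mar 5 17:21:23 openvpn[63253]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mar 5 17:21:23 openvpn[63253]: /sbin/route add -net 192.253.240.64 192.253.240.70 255.255.255.224
Mar 5 17:21:23 openvpn[63253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 5 17:21:23 openvpn[63253]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 192.253.240.70 255.255.255.224 init
Mar 5 17:21:25 openvpn[63253]: /sbin/route add -net 0.0.0.0 192.253.240.65 0.0.0.0
Mar 5 17:21:25 openvpn[63253]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 7 10:35:10 openvpn[10235]: WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mar 7 10:35:10 openvpn[10235]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1558'
Mar 7 10:35:13 openvpn[10235]: /sbin/route add -net 192.253.240.64 192.253.240.75 255.255.255.224
Mar 7 10:35:13 openvpn[10235]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 7 10:35:15 openvpn[10235]: /sbin/route add -net 0.0.0.0 192.253.240.65 128.0.0.0
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+openvpn\[(\d+)\]:\s+(.*)$")
PUSH_RE = re.compile(r"^PUSH: Received control message: 'PUSH_REPLY,(.*)'$")
REJECT_RE = re.compile(
    r"^Options error: option '([^']+)' cannot be used in this context "
    r"\(\[PUSH-OPTIONS\]\)$")
MISMATCH_RE = re.compile(
    r"^WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'$")
FAILED_RE = re.compile(r"^ERROR: .*command failed")


def triage(text):
    """Return {pid: findings} for the OpenVPN client log lines in text."""
    report, last_cmd = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        r = report.setdefault(
            pid, {"pushed": [], "rejected": [], "failed_cmds": [], "mismatch": {}})
        if (p := PUSH_RE.match(msg)):
            r["pushed"] = p.group(1).split(",")
        elif (j := REJECT_RE.match(msg)):
            if j.group(1) not in r["rejected"]:
                r["rejected"].append(j.group(1))
        elif (w := MISMATCH_RE.match(msg)):
            r["mismatch"][w.group(1)] = (w.group(2), w.group(3))
        elif msg.startswith("/"):
            # In these logs the command line is printed before its error.
            last_cmd[pid] = msg
        elif FAILED_RE.match(msg) and pid in last_cmd:
            r["failed_cmds"].append(last_cmd.pop(pid))
    return report


def dropped_pushes(findings):
    """Pushed options whose name the client reported as refused."""
    return [o for o in findings["pushed"] if o.split()[0] in findings["rejected"]]


if __name__ == "__main__":
    for pid, f in triage(LOG).items():
        print(pid, "refused pushes:", dropped_pushes(f))
        print(pid, "failed commands:", f["failed_cmds"])
        print(pid, "local/remote mismatches:", f["mismatch"])
```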
              