Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Just can't figure this out!

    Installation and Upgrades
    3
    19
    7858
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      flowrider last edited by

      Ok I'm wondering if anyone can shed any light on my problem or what I'm missing.

      I followed this guide to get OpenVPN running on my box with Private Internet Access as my provider. I've used this in the past but when my ISP (Telus) locked out some hidden access to the Actiontec V1000H routers I lost bridging and shortly after my pfSense box died for some reason so I went back to regular internet. I recently got a new modem from my ISP, an Actiontec T1200H, which allows bridging on Port 1 when enabled. I thought it was a perfect time to resurrect the pfSense box but I'm having some real issues. The box has had no hardware changes and delivers regular internet just fine but will not route through my VPN.

      I used this guide by mpboden  https://forum.pfsense.org/index.php?topic=76015.0

      I get a WAN and LAN connection but no VPN. Any help is appreciated.

      Some screenshots.
      Interfaces




      ![Screenshot 2015-04-05 14.50.19.png](/public/imported_attachments/1/Screenshot 2015-04-05 14.50.19.png)
      ![Screenshot 2015-04-05 14.50.19.png_thumb](/public/imported_attachments/1/Screenshot 2015-04-05 14.50.19.png_thumb)

      1 Reply Last reply Reply Quote 0
      • F
        flowrider last edited by

        one more photo

        ![Screenshot 2015-04-05 14.59.21.png](/public/imported_attachments/1/Screenshot 2015-04-05 14.59.21.png)
        ![Screenshot 2015-04-05 14.59.21.png_thumb](/public/imported_attachments/1/Screenshot 2015-04-05 14.59.21.png_thumb)

        1 Reply Last reply Reply Quote 0
        • Derelict
          Derelict LAYER 8 Netgate last edited by

          The VPN's not coming up.  You sent no VPN client configuration information.  What happens when you hit the start button in Status > Services? What's in the OpenVLN log in Status > System Logs, OpenVPN tab?

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • F
            flowrider last edited by

            HI thanks for trying to help!
            Here's what I get when I look at Status>Services

            OpenVPN log

            1 Reply Last reply Reply Quote 0
            • stephenw10
              stephenw10 Netgate Administrator last edited by

              Need to see more log or your OpenVPN settings. Something you have set is preventing it from even starting.

              Steve

              1 Reply Last reply Reply Quote 0
              • F
                flowrider last edited by

                I appreciate all the help.
                Here are the last 50 entries

                | Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_defined = DISABLED
                Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_local = ::/0
                Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_remote = ::
                Apr 6 00:00:26 openvpn[9047]: enable_c2c = DISABLED
                Apr 6 00:00:26 openvpn[9047]: duplicate_cn = DISABLED
                Apr 6 00:00:26 openvpn[9047]: cf_max = 0
                Apr 6 00:00:26 openvpn[9047]: cf_per = 0
                Apr 6 00:00:26 openvpn[9047]: max_clients = 1024
                Apr 6 00:00:26 openvpn[9047]: max_routes_per_client = 256
                Apr 6 00:00:26 openvpn[9047]: auth_user_pass_verify_script = '[UNDEF]'
                Apr 6 00:00:26 openvpn[9047]: auth_user_pass_verify_script_via_file = DISABLED
                Apr 6 00:00:26 openvpn[9047]: port_share_host = '[UNDEF]'
                Apr 6 00:00:26 openvpn[9047]: port_share_port = 0
                Apr 6 00:00:26 openvpn[9047]: client = ENABLED
                Apr 6 00:00:26 openvpn[9047]: pull = ENABLED
                Apr 6 00:00:26 openvpn[9047]: auth_user_pass_file = '/etc/openvpn-password.txt'
                Apr 6 00:00:26 openvpn[9047]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 13 2015
                Apr 6 00:00:26 openvpn[9047]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
                Apr 6 00:00:26 openvpn[9047]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
                Apr 6 00:00:26 openvpn[9177]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
                Apr 6 00:00:26 openvpn[9177]: LZO compression initialized
                Apr 6 00:00:26 openvpn[9177]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
                Apr 6 00:00:26 openvpn[9177]: Socket Buffers: R=[42080->65536] S=[57344->65536]
                Apr 6 00:00:26 openvpn[9177]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
                Apr 6 00:00:26 openvpn[9177]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
                Apr 6 00:00:26 openvpn[9177]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
                Apr 6 00:00:26 openvpn[9177]: Local Options hash (VER=V4): '41690919'
                Apr 6 00:00:26 openvpn[9177]: Expected Remote Options hash (VER=V4): '530fdded'
                Apr 6 00:00:26 openvpn[9177]: UDPv4 link local (bound): [AF_INET]207.81.126.205
                Apr 6 00:00:26 openvpn[9177]: UDPv4 link remote: [AF_INET]104.207.136.67:1194
                Apr 6 00:00:26 openvpn[9177]: TLS: Initial packet from [AF_INET]104.207.136.67:1194, sid=88ace726 1b15bcb8
                Apr 6 00:00:26 openvpn[9177]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
                Apr 6 00:00:26 openvpn[9177]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
                Apr 6 00:00:26 openvpn[9177]: Validating certificate key usage
                Apr 6 00:00:26 openvpn[9177]: ++ Certificate has key usage 00a0, expects 00a0
                Apr 6 00:00:26 openvpn[9177]: VERIFY KU OK
                Apr 6 00:00:26 openvpn[9177]: Validating certificate extended key usage
                Apr 6 00:00:26 openvpn[9177]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
                Apr 6 00:00:26 openvpn[9177]: VERIFY EKU OK
                Apr 6 00:00:26 openvpn[9177]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
                Apr 6 00:00:26 openvpn[9177]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
                Apr 6 00:00:26 openvpn[9177]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Apr 6 00:00:26 openvpn[9177]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
                Apr 6 00:00:26 openvpn[9177]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
                Apr 6 00:00:26 openvpn[9177]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
                Apr 6 00:00:26 openvpn[9177]: [Private Internet Access] Peer Connection Initiated with [AF_INET]104.207.136.67:1194
                Apr 6 00:00:28 openvpn[9177]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
                Apr 6 00:00:28 openvpn[9177]: AUTH: Received control message: AUTH_FAILED
                Apr 6 00:00:28 openvpn[9177]: TCP/UDP: Closing socket
                Apr 6 00:00:28 openvpn[9177]: SIGTERM[soft,auth-failure] received, process exiting |

                1 Reply Last reply Reply Quote 0
                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  AUTH: Received control message: AUTH_FAILED
                  

                  You have the wrong set of login credentials / certificates.
                  Has it expired since you last used it?

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • F
                    flowrider last edited by

                    Which is strange because other than the password it hasn't changed. I'll try and fix that and update you.

                    1 Reply Last reply Reply Quote 0
                    • F
                      flowrider last edited by

                      @stephenw10:

                      AUTH: Received control message: AUTH_FAILED
                      

                      You have the wrong set of login credentials / certificates.
                      Has it expired since you last used it?

                      Steve

                      Nope I just checked the username and password and no go. The /etc/openvpn-password.txt is correct and I've even reset the password with no change in result.

                      Here's some screens of my OpenVPN Client screen

                      1 Reply Last reply Reply Quote 0
                      • Derelict
                        Derelict LAYER 8 Netgate last edited by

                        AUTH: Received control message: AUTH_FAILED

                        Not sure what is ambiguous about that log.

                        Also, why are people insistent on using auth-user-pass files when 2.2 added the authentication fields in the GUI?

                        Chattanooga, Tennessee, USA
                        The pfSense Book is free of charge!
                        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • F
                          flowrider last edited by

                          Not ambiguous at all. I'm just not well versed but I'm learning. Reason why I used what I did is because I followed the guide. I'd happily follow another updated guide!

                          1 Reply Last reply Reply Quote 0
                          • Derelict
                            Derelict LAYER 8 Netgate last edited by

                            I just don't get it.  The log clearly says auth failed, yet you insist your credentials are correct.

                            Chattanooga, Tennessee, USA
                            The pfSense Book is free of charge!
                            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • F
                              flowrider last edited by

                              @Derelict:

                              I just don't get it.  The log clearly says auth failed, yet you insist your credentials are correct.

                              No idea what's going on. The Same user name and password works in the PIA app.

                              1 Reply Last reply Reply Quote 0
                              • Derelict
                                Derelict LAYER 8 Netgate last edited by

                                Sure you don't have any extra characters in that file?

                                Do this:

                                Delete the following line from the Advanced settings: auth-user-pass /etc/openvpn-userpass.txt;

                                Enter your PIA username and password in the client config under User Authentication Settings

                                Chattanooga, Tennessee, USA
                                The pfSense Book is free of charge!
                                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • F
                                  flowrider last edited by

                                  Solved!
                                  I worked with PIA's tech support and they issued me a new username and password which seemed to do the trick. Not too sure what went wrong but it's working now. Thank you everyone for the help!!

                                  1 Reply Last reply Reply Quote 0
                                  • Derelict
                                    Derelict LAYER 8 Netgate last edited by

                                    I would still eliminate the (now) unnecessary admin overhead and config complexity of the credential text file.

                                    Chattanooga, Tennessee, USA
                                    The pfSense Book is free of charge!
                                    DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      flowrider last edited by

                                      I will do that as soon as I figure out how. I'm guessing that I can't delete anything from the /etc/ folder via the gui?

                                      1 Reply Last reply Reply Quote 0
                                      • Derelict
                                        Derelict LAYER 8 Netgate last edited by

                                        Use the same method you used to create the file.

                                        Deleting the file is not as important as removing it from the gui config for the client as I described above.  Deleting the file will occur naturally next time you reinstall or something.

                                        Or, after the new config is confirmed working, use Diagnostics > Command Prompt and run rm /etc/openvpn-userpass.txt

                                        Chattanooga, Tennessee, USA
                                        The pfSense Book is free of charge!
                                        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          flowrider last edited by

                                          Thanks I will try that.

                                          And thank you for all your help. It's greatly appreciated.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post