Just can't figure this out!



  • Ok I'm wondering if anyone can shed any light on my problem or what I'm missing.

    I followed this guide to get OpenVPN running on my box with Private Internet Access as my provider. I've used this in the past but when my ISP (Telus) locked out some hidden access to the Actiontec V1000H routers I lost bridging and shortly after my pfSense box died for some reason so I went back to regular internet. I recently got a new modem from my ISP, an Actiontec T1200H, which allows bridging on Port 1 when enabled. I thought it was a perfect time to resurrect the pfSense box but I'm having some real issues. The box has had no hardware changes and delivers regular internet just fine but will not route through my VPN.

    I used this guide by mpboden  https://forum.pfsense.org/index.php?topic=76015.0

    I get a WAN and LAN connection but no VPN. Any help is appreciated.

    Some screenshots.
    Interfaces




    ![Screenshot 2015-04-05 14.50.19.png](/public/imported_attachments/1/Screenshot 2015-04-05 14.50.19.png)



  • one more photo

    ![Screenshot 2015-04-05 14.59.21.png](/public/imported_attachments/1/Screenshot 2015-04-05 14.59.21.png)


  • LAYER 8 Netgate

    The VPN's not coming up. You sent no VPN client configuration information. What happens when you hit the start button in Status > Services? What's in the OpenVPN log in Status > System Logs, OpenVPN tab?



  • Hi, thanks for trying to help!
    Here's what I get when I look at Status>Services

    OpenVPN log


  • Netgate Administrator

    Need to see more log or your OpenVPN settings. Something you have set is preventing it from even starting.

    Steve



  • I appreciate all the help.
    Here are the last 50 entries

    Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_defined = DISABLED
    Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_local = ::/0
    Apr 6 00:00:26 openvpn[9047]: push_ifconfig_ipv6_remote = ::
    Apr 6 00:00:26 openvpn[9047]: enable_c2c = DISABLED
    Apr 6 00:00:26 openvpn[9047]: duplicate_cn = DISABLED
    Apr 6 00:00:26 openvpn[9047]: cf_max = 0
    Apr 6 00:00:26 openvpn[9047]: cf_per = 0
    Apr 6 00:00:26 openvpn[9047]: max_clients = 1024
    Apr 6 00:00:26 openvpn[9047]: max_routes_per_client = 256
    Apr 6 00:00:26 openvpn[9047]: auth_user_pass_verify_script = '[UNDEF]'
    Apr 6 00:00:26 openvpn[9047]: auth_user_pass_verify_script_via_file = DISABLED
    Apr 6 00:00:26 openvpn[9047]: port_share_host = '[UNDEF]'
    Apr 6 00:00:26 openvpn[9047]: port_share_port = 0
    Apr 6 00:00:26 openvpn[9047]: client = ENABLED
    Apr 6 00:00:26 openvpn[9047]: pull = ENABLED
    Apr 6 00:00:26 openvpn[9047]: auth_user_pass_file = '/etc/openvpn-password.txt'
    Apr 6 00:00:26 openvpn[9047]: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 13 2015
    Apr 6 00:00:26 openvpn[9047]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Apr 6 00:00:26 openvpn[9047]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Apr 6 00:00:26 openvpn[9177]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 6 00:00:26 openvpn[9177]: LZO compression initialized
    Apr 6 00:00:26 openvpn[9177]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Apr 6 00:00:26 openvpn[9177]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Apr 6 00:00:26 openvpn[9177]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 6 00:00:26 openvpn[9177]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Apr 6 00:00:26 openvpn[9177]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Apr 6 00:00:26 openvpn[9177]: Local Options hash (VER=V4): '41690919'
    Apr 6 00:00:26 openvpn[9177]: Expected Remote Options hash (VER=V4): '530fdded'
    Apr 6 00:00:26 openvpn[9177]: UDPv4 link local (bound): [AF_INET]207.81.126.205
    Apr 6 00:00:26 openvpn[9177]: UDPv4 link remote: [AF_INET]104.207.136.67:1194
    Apr 6 00:00:26 openvpn[9177]: TLS: Initial packet from [AF_INET]104.207.136.67:1194, sid=88ace726 1b15bcb8
    Apr 6 00:00:26 openvpn[9177]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 6 00:00:26 openvpn[9177]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Apr 6 00:00:26 openvpn[9177]: Validating certificate key usage
    Apr 6 00:00:26 openvpn[9177]: ++ Certificate has key usage 00a0, expects 00a0
    Apr 6 00:00:26 openvpn[9177]: VERIFY KU OK
    Apr 6 00:00:26 openvpn[9177]: Validating certificate extended key usage
    Apr 6 00:00:26 openvpn[9177]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Apr 6 00:00:26 openvpn[9177]: VERIFY EKU OK
    Apr 6 00:00:26 openvpn[9177]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
    Apr 6 00:00:26 openvpn[9177]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 6 00:00:26 openvpn[9177]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 6 00:00:26 openvpn[9177]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 6 00:00:26 openvpn[9177]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 6 00:00:26 openvpn[9177]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Apr 6 00:00:26 openvpn[9177]: [Private Internet Access] Peer Connection Initiated with [AF_INET]104.207.136.67:1194
    Apr 6 00:00:28 openvpn[9177]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
    Apr 6 00:00:28 openvpn[9177]: AUTH: Received control message: AUTH_FAILED
    Apr 6 00:00:28 openvpn[9177]: TCP/UDP: Closing socket
    Apr 6 00:00:28 openvpn[9177]: SIGTERM[soft,auth-failure] received, process exiting


  • Netgate Administrator

    AUTH: Received control message: AUTH_FAILED
    

    You have the wrong set of login credentials / certificates.
    Has it expired since you last used it?

    Steve



  • Which is strange because other than the password it hasn't changed. I'll try and fix that and update you.



  • @stephenw10:

    AUTH: Received control message: AUTH_FAILED
    

    You have the wrong set of login credentials / certificates.
    Has it expired since you last used it?

    Steve

    Nope I just checked the username and password and no go. The /etc/openvpn-password.txt is correct and I've even reset the password with no change in result.

    Here's some screens of my OpenVPN Client screen


  • LAYER 8 Netgate

    AUTH: Received control message: AUTH_FAILED

    Not sure what is ambiguous about that log.

    Also, why are people insistent on using auth-user-pass files when 2.2 added the authentication fields in the GUI?



  • Not ambiguous at all. I'm just not well versed but I'm learning. Reason why I used what I did is because I followed the guide. I'd happily follow another updated guide!


  • LAYER 8 Netgate

    I just don't get it.  The log clearly says auth failed, yet you insist your credentials are correct.



  • @Derelict:

    I just don't get it.  The log clearly says auth failed, yet you insist your credentials are correct.

    No idea what's going on. The same user name and password works in the PIA app.


  • LAYER 8 Netgate

    Sure you don't have any extra characters in that file?

    Do this:

    Delete the following line from the Advanced settings: auth-user-pass /etc/openvpn-userpass.txt;

    Enter your PIA username and password in the client config under User Authentication Settings
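
The "extra characters" question raised in the post above can be checked mechanically. The following is an added example, not part of the original thread or of pfSense: a POSIX sh lint for an OpenVPN auth-user-pass file (username on line 1, password on line 2). The function name `check_userpass_file` and the sample credentials are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN auth-user-pass file.
# Expected format: username on line 1, password on line 2, nothing else.
# Prints the findings (or "ok") and returns non-zero if any were found.
check_userpass_file() {
    f=$1
    found=""
    [ -r "$f" ] || { echo "unreadable"; return 2; }

    # UTF-8 byte order mark that some editors prepend (bytes EF BB BF).
    if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
        found="$found bom"
    fi
    # Carriage returns: file was saved with Windows (CRLF) line endings.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then found="$found crlf"; fi
    # Leading or trailing spaces/tabs become part of the credential.
    if grep -Eq '^[[:blank:]]|[[:blank:]]$' "$f"; then
        found="$found whitespace"
    fi
    # Exactly two non-empty lines; awk also counts an unterminated last line.
    if [ "$(awk 'NF { n++ } END { print NR ":" n + 0 }' "$f")" != "2:2" ]; then
        found="$found linecount"
    fi
    # Plaintext credentials should be accessible to the owner only.
    if [ "$(ls -lL "$f" | cut -c5-10)" != "------" ]; then
        found="$found perms"
    fi

    found=${found# }
    echo "${found:-ok}"
    [ -z "$found" ]
}

# Constructed sample files (placeholder credentials, not from the thread).
demo_dir=$(mktemp -d)
printf 'p1234567\nexamplepass\n' > "$demo_dir/good.txt"
printf 'p1234567 \nexamplepass\r\n\n' > "$demo_dir/bad.txt"
chmod 600 "$demo_dir/good.txt"
chmod 644 "$demo_dir/bad.txt"
check_userpass_file "$demo_dir/good.txt"
check_userpass_file "$demo_dir/bad.txt" || true
```

Point the function at the path named in the client's `auth-user-pass` line. A clean result only rules out problems in the local file; `AUTH_FAILED` is a control message sent by the server.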



  • Solved!
    I worked with PIA's tech support and they issued me a new username and password which seemed to do the trick. Not too sure what went wrong but it's working now. Thank you everyone for the help!!


  • LAYER 8 Netgate

    I would still eliminate the (now) unnecessary admin overhead and config complexity of the credential text file.



  • I will do that as soon as I figure out how. I'm guessing that I can't delete anything from the /etc/ folder via the gui?


  • LAYER 8 Netgate

    Use the same method you used to create the file.

    Deleting the file is not as important as removing it from the gui config for the client as I described above.  Deleting the file will occur naturally next time you reinstall or something.

    Or, after the new config is confirmed working, use Diagnostics > Command Prompt and run rm /etc/openvpn-userpass.txt



  • Thanks I will try that.

    And thank you for all your help. It's greatly appreciated.

