OpenVPN just won't work



  • Dear pfSense Community,
    sorry to be so direct, but OpenVPN is driving me mad. I have read tons of tutorials and tried all settings many, many times, but I just can't get it to work. I believe there must be something missing, most likely a tiny setting which I have missed and just can't find. In theory it should work, in my opinion, but it just doesn't. I don't even know how to describe it. My best guess is a wrong firewall setting.

    What I am trying to achieve is: when I am not in my pfSense network, but, let's say, on an open WiFi, I want to route all my traffic through my pfSense network and thereby appear to the internet with the pfSense's public IP address (as if I were sitting behind my pfSense router).

    I can connect to the VPN, but then nothing is reachable. No website loads, nor can I ping any public internet IP address or any IP address inside the network.
    I will attach some screenshots and logs and hope that you can help me:

    If I connect with Open VPN from Win10 I get the following response (looks good):

    Mon Nov 16 12:24:15 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Mon Nov 16 12:24:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Mon Nov 16 12:24:26 2015 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
    Mon Nov 16 12:24:26 2015 UDPv4 link local (bound): [undef]
    Mon Nov 16 12:24:26 2015 UDPv4 link remote: [AF_INET]###WAN-IP-Address###:1194
    Mon Nov 16 12:24:26 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mon Nov 16 12:24:28 2015 [#####-VPN Cert] Peer Connection Initiated with [AF_INET]###WAN-IP-Address###:1194
    Mon Nov 16 12:24:30 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mon Nov 16 12:24:30 2015 open_tun, tt->ipv6=0
    Mon Nov 16 12:24:30 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{B618BE77-DA46-442C-A8E1-AE324AE37E9E}.tap
    Mon Nov 16 12:24:30 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.2/255.255.255.0 on interface {B618BE77-DA46-442C-A8E1-AE324AE37E9E} [DHCP-serv: 10.0.8.0, lease-time: 31536000]
    Mon Nov 16 12:24:30 2015 Successful ARP Flush on interface [17] {B618BE77-DA46-442C-A8E1-AE324AE37E9E}
    Mon Nov 16 12:24:35 2015 Initialization Sequence Completed
    

    likewise the log from the pfsense side (everything fine):

    Nov 16 12:24:25 	openvpn: user 'testvpnuser' authenticated
    Nov 16 12:24:25 	openvpn[81958]: 77.12.38.248:60125 [testvpnuser] Peer Connection Initiated with [AF_INET]77.12.38.248:60125
    Nov 16 12:24:25 	openvpn[81958]: testvpnuser/77.12.38.248:60125 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
    Nov 16 12:24:27 	openvpn[81958]: testvpnuser/77.12.38.248:60125 send_push_reply(): safe_cap=940
    Nov 16 12:38:18 	openvpn[81958]: testvpnuser/77.12.38.248:60125 [testvpnuser] Inactivity timeout (--ping-restart), restarting
    

    After connecting to the VPN nothing works. I can not open any website in the browser or ping any IP. Please see the log:

    C:\Users>ipconfig /all
    
    Windows-IP-Konfiguration
    
       Hostname  . . . . . . . . . . . . : #####
       Primäres DNS-Suffix . . . . . . . :
       Knotentyp . . . . . . . . . . . . : Hybrid
       IP-Routing aktiviert  . . . . . . : Nein
       WINS-Proxy aktiviert  . . . . . . : Nein
       DNS-Suffixsuchliste . . . . . . . : fritz.box
    
    [...]
    
    Ethernet-Adapter Ethernet 3:
    
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
       Physische Adresse . . . . . . . . : 00-FF-B6-18-BE-77
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
       Verbindungslokale IPv6-Adresse  . : fe80::e1c5:4dcc:a307:dbb3%17(Bevorzugt)
       IPv4-Adresse  . . . . . . . . . . : 10.0.8.2(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.0
       Lease erhalten. . . . . . . . . . : Montag, 16. November 2015 12:24:30
       Lease läuft ab. . . . . . . . . . : Dienstag, 15. November 2016 12:24:30
       Standardgateway . . . . . . . . . :
       DHCP-Server . . . . . . . . . . . : 10.0.8.0
       DHCPv6-IAID . . . . . . . . . . . : 553713590
       DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
       DNS-Server  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS über TCP/IP . . . . . . . : Aktiviert
    
    Drahtlos-LAN-Adapter WiFi:
    
       Verbindungsspezifisches DNS-Suffix: fritz.box
       Beschreibung. . . . . . . . . . . : Intel(R) Centrino(R) Ultimate-N 6300 AGN
       Physische Adresse . . . . . . . . : 00-24-D7-E4-40-B4
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
       Verbindungslokale IPv6-Adresse  . : fe80::4c7b:9216:479d:2015%6(Bevorzugt)
       IPv4-Adresse  . . . . . . . . . . : 192.168.178.23(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.0
       Lease erhalten. . . . . . . . . . : Montag, 16. November 2015 08:32:09
       Lease läuft ab. . . . . . . . . . : Donnerstag, 26. November 2015 08:32:09
       Standardgateway . . . . . . . . . : 192.168.178.1
       DHCP-Server . . . . . . . . . . . : 192.168.178.1
       DHCPv6-IAID . . . . . . . . . . . : 50341079
       DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
       DNS-Server  . . . . . . . . . . . : 192.168.178.1
       NetBIOS über TCP/IP . . . . . . . : Aktiviert
    
    [...]
    
    Tunneladapter isatap.fritz.box:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix: fritz.box
       Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter
       Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
    
    Tunneladapter Teredo Tunneling Pseudo-Interface:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
    
    Tunneladapter LAN-Verbindung* 13:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
    
     C:\Users>ping 192.168.64.1 //(pfsenserouter from inside the LAN-interface)
    
    Ping wird ausgeführt für 192.168.64.1 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    
    Ping-Statistik für 192.168.64.1:
        Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
        (100% Verlust),
    
    C:\Users>ping 8.8.8.8
    
    Ping wird ausgeführt für 8.8.8.8 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    
    Ping-Statistik für 8.8.8.8:
        Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
        (100% Verlust),	
    

    My VPN server settings:

    Please find more screenshots (including Firewall configuration) here:

    http://imgur.com/a/k0Zf8 <– Link to imgur album

    I would be super glad if you point out to me what I am missing. I want to learn new stuff, but now I am absolutely stuck.

    Thank you very much in advance!

    Kind Regards, Markus



  • Hi

    Don't know if this will help, but run the OpenVPN client using Run as administrator. I found yesterday I could connect but not ping.

    I then saw routing access denied. Run as administrator and boom, can ping.

    Mat



  • Why tap device???
    Use tun and everything will be okay.


  • Banned

    @Mat1987:

    Don't know if this will help, but run the OpenVPN client using Run as administrator.

    Yeah that definitely has always been required (unless someone managed to get the "management interface" working - for me any messing with that screwed the OpenVPN GUI completely).



  • @doktornotor:

    @Mat1987:

    Don't know if this will help, but run the OpenVPN client using Run as administrator.

    Yeah that definitely has always been required (unless someone managed to get the "management interface" working - for me any messing with that screwed the OpenVPN GUI completely).

    Yeah, didn't see that bit.



  • @Mat1987:

    Hi

    Don't know if this will help, but run the OpenVPN client using Run as administrator. I found yesterday I could connect but not ping.

    I then saw routing access denied. Run as administrator and boom, can ping.

    Mat

    Dear Mat,
    I already learned that the hard way. Cost me about 4 hours of frustration -.-
    However, in my case it is already running as admin (before, there was an error message in the client log, which is now fine, as you can see above).

    @viragomann:

    Why tap device???
    Use tun and everything will be okay.

    Dear viragomann, I think I have also tried that, but I will retry now again.

    Thank you so much for your help so far! Keep it coming, please  :)


  • LAYER 8 Global Moderator

    So how would this ever work?? If you're using tap you don't normally hand out a tunnel network..

    How do you expect to ever get to fec0 for DNS??

    Start over, use TUN like the wizard defaults to.. Put in your local network you want to get to.. That has to be different than the local network on your client… Going to have to hand out DNS if you want your VPN client to look up something via the VPN connection, i.e. if you set force all clients through tunnel like you have set..

    This really is clickity clickity with the wizard up and running..



  • Thank you very much johnpoz!

    Sorry for the mess. I guess I set it up using the wizard, and changed everything because I was frustrated that it doesn't work.

    Well, I took your advice, deleted everything and started all over.

    Wizard:

    ############################

    Resulting settings page:

    As before, I can connect to the VPN successfully:

    Tue Nov 17 14:09:27 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Tue Nov 17 14:09:27 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Tue Nov 17 14:09:38 2015 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
    Tue Nov 17 14:09:38 2015 UDPv4 link local (bound): [undef]
    Tue Nov 17 14:09:38 2015 UDPv4 link remote: [AF_INET]#####WAN-IP#####:1194
    Tue Nov 17 14:09:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Nov 17 14:09:39 2015 [SiSu-VPN Cert] Peer Connection Initiated with [AF_INET]#####WAN-IP#####:1194
    Tue Nov 17 14:09:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Nov 17 14:09:41 2015 open_tun, tt->ipv6=0
    Tue Nov 17 14:09:41 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{110E3111-18B9-4926-88B7-04C88CED934B}.tap
    Tue Nov 17 14:09:41 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {110E3111-18B9-4926-88B7-04C88CED934B} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
    Tue Nov 17 14:09:41 2015 Successful ARP Flush on interface [19] {110E3111-18B9-4926-88B7-04C88CED934B}
    Tue Nov 17 14:09:46 2015 Initialization Sequence Completed
    
    

    but I cannot reach any computer:

    C:\Users>ipconfig -all
    [...]
    Ethernet-Adapter Ethernet 3:
    
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : TAP-Windows Adapter V9
       Physische Adresse . . . . . . . . : 00-FF-11-0E-31-11
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
       Verbindungslokale IPv6-Adresse  . : fe80::7448:115f:4200:9928%19(Bevorzugt)
       IPv4-Adresse  . . . . . . . . . . : 10.0.8.6(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.252
       Lease erhalten. . . . . . . . . . : Dienstag, 17. November 2015 14:09:41
       Lease läuft ab. . . . . . . . . . : Mittwoch, 16. November 2016 14:09:41
       Standardgateway . . . . . . . . . :
       DHCP-Server . . . . . . . . . . . : 10.0.8.5
       DHCPv6-IAID . . . . . . . . . . . : 318832401
       DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-1C-93-FE-1B-00-21-CC-68-13-15
       DNS-Server  . . . . . . . . . . . : 192.168.64.1
                                           212.121.128.10
                                           8.8.8.8
                                           212.121.128.11
       NetBIOS über TCP/IP . . . . . . . : Aktiviert
    [...]
    
    C:\Users>ping 10.0.8.5
    
    Ping wird ausgeführt für 10.0.8.5 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    
    Ping-Statistik für 10.0.8.5:
        Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
        (100% Verlust),
    
    C:\Users>ping 8.8.8.8
    
    Ping wird ausgeführt für 8.8.8.8 mit 32 Bytes Daten:
    Zeitüberschreitung der Anforderung.
    
    Ping-Statistik für 8.8.8.8:
        Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
        (100% Verlust),
    
    

    Any more ideas?


  • LAYER 8 Global Moderator

    I don't see any routes being handed to your client.. Why should anything go through the tunnel?

    Bump up your verb in your client and post your log… I will be at work in a bit and will connect in and post my log and you will see ROUTES get sent.. You're not going to do anything down the tunnel without routes through it. Post up your route print from your client once you're connected..

    Also, what do your OpenVPN interface rules look like?




  • Dear Johnpoz,

    Can you please explain what "Bump up your verb in your client" means?

    About the routes: I ticked "Force all client generated traffic through the tunnel." Isn't that sufficient? What else can I do?

    the screenshot is here:


  • LAYER 8 Global Moderator

    Just because you check it doesn't mean it's getting handed to your clients.. What does the output of route print look like after you connect to the VPN?

    The verb setting is the logging level, edit your client config to have a higher level - say 4..

    My config, for example:

    -----
    dev tun
    tun-ipv6
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 24.13.snipped 443 tcp-client
    lport 0
    verify-x509-name "pfsenseopenvpn" name
    pkcs12 pfSense-TCP-443-johnpoz.p12
    tls-auth pfSense-TCP-443-johnpoz-tls.key 1
    ns-cert-type server
    comp-lzo adaptive
    verb 4

    edit:
    You have multiple WANS?  That could be an issue as well..  Which wan is the vpn connection coming in?  Looks like you have 3??  Internet wan_fiber and wan2?? do you have any rules in floating?
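
Added example (not part of any post in this thread): one way to check a `verb 4` client log for the things asked about above, namely whether the server's `PUSH_REPLY` carried a default-gateway redirect or routes, whether DNS was handed out, whether a pushed route collides with the client's own LAN, and whether Windows refused to install routes. The finding names and the sample log lines are constructed for illustration; the 192.168.x.x networks are the ones visible in this thread.

```python
import re
from ipaddress import ip_network

# Line the OpenVPN client writes (visible at verb 4) when the server answers a pull.
PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
# Route installation errors, e.g. when the client lacks administrator rights.
ROUTE_FAIL_RE = re.compile(r"route addition failed|route add command failed", re.I)


def parse_push_reply(log_text):
    """Return the options of the last PUSH_REPLY as token lists, or None."""
    matches = PUSH_RE.findall(log_text)
    if not matches:
        return None
    options = matches[-1].split(",")[1:]  # drop the PUSH_REPLY keyword itself
    return [opt.split() for opt in options if opt.strip()]


def pushed_networks(options):
    """Networks from pushed 'route <net> [mask]' options (host route if no mask)."""
    nets = []
    for opt in options:
        if opt[0] == "route" and len(opt) >= 2:
            mask = opt[2] if len(opt) >= 3 else "255.255.255.255"
            try:
                nets.append(ip_network(f"{opt[1]}/{mask}", strict=False))
            except ValueError:
                pass  # keywords such as vpn_gateway are not literal networks
    return nets


def diagnose(log_text, client_lan=None):
    """Return a list of finding names (constructed labels) for a client log."""
    findings = []
    if ROUTE_FAIL_RE.search(log_text):
        findings.append("route-install-failed")
    options = parse_push_reply(log_text)
    if options is None:
        findings.append("no-push-reply-logged")  # verb too low, or pull failed
        return findings
    names = {opt[0] for opt in options}
    nets = pushed_networks(options)
    # A lone /32 route to the tunnel gateway (pushed with net30 topology)
    # does not send LAN or internet traffic anywhere, so it is not counted.
    routed = [n for n in nets if n.prefixlen < 32]
    full_tunnel = "redirect-gateway" in names
    if not full_tunnel and not routed:
        findings.append("no-routes-pushed")
    has_dns = any(opt[:2] == ["dhcp-option", "DNS"] for opt in options)
    if full_tunnel and not has_dns:
        findings.append("full-tunnel-without-dns")
    if client_lan is not None:
        lan = ip_network(client_lan)
        if any(n.overlaps(lan) for n in nets):
            findings.append("route-overlaps-client-lan")
    return findings


# Constructed sample logs (not taken from the thread).
LOG_NO_ROUTES = (
    "Tue Nov 17 15:15:20 2015 us=100000 PUSH: Received control message: "
    "'PUSH_REPLY,route 10.0.8.1,topology net30,ping 10,ping-restart 60,"
    "ifconfig 10.0.8.6 10.0.8.5'\n"
)
LOG_FULL = (
    "Tue Nov 17 15:15:20 2015 us=100000 PUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.64.1,"
    "route 192.168.64.0 255.255.255.0,route 10.0.8.1,topology net30,"
    "ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'\n"
)
LOG_DENIED = LOG_FULL + (
    "Tue Nov 17 15:15:26 2015 us=200000 ROUTE: route addition failed using "
    "CreateIpForwardEntry: Access is denied.   [status=5 if_index=19]\n"
)

if __name__ == "__main__":
    for name, log in [("no routes", LOG_NO_ROUTES), ("full tunnel", LOG_FULL),
                      ("denied", LOG_DENIED)]:
        print(name, "->", diagnose(log, client_lan="192.168.178.0/24"))
```

An empty result means the log shows routes and DNS arriving and being installed; the next places to look are then the firewall rules on the OpenVPN interface and outbound NAT for the tunnel network on the pfSense side.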



  • Hello,
    I understand now what you mean. Thank you for the explanation!

    Here is the log with verb 4:

    Tue Nov 17 15:15:07 2015 us=553272 Current Parameter Settings:
    Tue Nov 17 15:15:07 2015 us=554271   config = 'pfSense-udp-1194-testvpnuser-config.ovpn'
    Tue Nov 17 15:15:07 2015 us=554271   mode = 0
    Tue Nov 17 15:15:07 2015 us=554271   show_ciphers = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   show_digests = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   show_engines = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   genkey = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   key_pass_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   show_tls_ciphers = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271 Connection profiles [default]:
    Tue Nov 17 15:15:07 2015 us=554271   proto = udp
    Tue Nov 17 15:15:07 2015 us=554271   local = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   local_port = 0
    Tue Nov 17 15:15:07 2015 us=554271   remote = '###WAN-IP###'
    Tue Nov 17 15:15:07 2015 us=554271   remote_port = 1194
    Tue Nov 17 15:15:07 2015 us=554271   remote_float = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   bind_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   bind_local = ENABLED
    Tue Nov 17 15:15:07 2015 us=554271   connect_retry_seconds = 5
    Tue Nov 17 15:15:07 2015 us=554271   connect_timeout = 10
    Tue Nov 17 15:15:07 2015 us=554271   connect_retry_max = 0
    Tue Nov 17 15:15:07 2015 us=554271   socks_proxy_server = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   socks_proxy_port = 0
    Tue Nov 17 15:15:07 2015 us=554271   socks_proxy_retry = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   tun_mtu = 1500
    Tue Nov 17 15:15:07 2015 us=554271   tun_mtu_defined = ENABLED
    Tue Nov 17 15:15:07 2015 us=554271   link_mtu = 1500
    Tue Nov 17 15:15:07 2015 us=554271   link_mtu_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   tun_mtu_extra = 0
    Tue Nov 17 15:15:07 2015 us=554271   tun_mtu_extra_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   mtu_discover_type = -1
    Tue Nov 17 15:15:07 2015 us=554271   fragment = 0
    Tue Nov 17 15:15:07 2015 us=554271   mssfix = 1450
    Tue Nov 17 15:15:07 2015 us=554271   explicit_exit_notification = 0
    Tue Nov 17 15:15:07 2015 us=554271 Connection profiles END
    Tue Nov 17 15:15:07 2015 us=554271   remote_random = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   ipchange = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   dev = 'tun'
    Tue Nov 17 15:15:07 2015 us=554271   dev_type = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   dev_node = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   lladdr = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   topology = 1
    Tue Nov 17 15:15:07 2015 us=554271   tun_ipv6 = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_local = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_remote_netmask = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_noexec = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_nowarn = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_ipv6_local = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_ipv6_netbits = 0
    Tue Nov 17 15:15:07 2015 us=554271   ifconfig_ipv6_remote = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   shaper = 0
    Tue Nov 17 15:15:07 2015 us=554271   mtu_test = 0
    Tue Nov 17 15:15:07 2015 us=554271   mlock = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   keepalive_ping = 0
    Tue Nov 17 15:15:07 2015 us=554271   keepalive_timeout = 0
    Tue Nov 17 15:15:07 2015 us=554271   inactivity_timeout = 0
    Tue Nov 17 15:15:07 2015 us=554271   ping_send_timeout = 0
    Tue Nov 17 15:15:07 2015 us=554271   ping_rec_timeout = 0
    Tue Nov 17 15:15:07 2015 us=554271   ping_rec_timeout_action = 0
    Tue Nov 17 15:15:07 2015 us=554271   ping_timer_remote = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   remap_sigusr1 = 0
    Tue Nov 17 15:15:07 2015 us=554271   persist_tun = ENABLED
    Tue Nov 17 15:15:07 2015 us=554271   persist_local_ip = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   persist_remote_ip = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   persist_key = ENABLED
    Tue Nov 17 15:15:07 2015 us=554271   passtos = DISABLED
    Tue Nov 17 15:15:07 2015 us=554271   resolve_retry_seconds = 1000000000
    Tue Nov 17 15:15:07 2015 us=554271   username = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   groupname = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   chroot_dir = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   cd_dir = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   writepid = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=554271   up_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555274   down_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555274   down_pre = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   up_restart = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   up_delay = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   daemon = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   inetd = 0
    Tue Nov 17 15:15:07 2015 us=555274   log = ENABLED
    Tue Nov 17 15:15:07 2015 us=555274   suppress_timestamps = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   nice = 0
    Tue Nov 17 15:15:07 2015 us=555274   verbosity = 4
    Tue Nov 17 15:15:07 2015 us=555274   mute = 0
    Tue Nov 17 15:15:07 2015 us=555274   status_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555274   status_file_version = 1
    Tue Nov 17 15:15:07 2015 us=555274   status_file_update_freq = 60
    Tue Nov 17 15:15:07 2015 us=555274   occ = ENABLED
    Tue Nov 17 15:15:07 2015 us=555274   rcvbuf = 0
    Tue Nov 17 15:15:07 2015 us=555274   sndbuf = 0
    Tue Nov 17 15:15:07 2015 us=555274   sockflags = 0
    Tue Nov 17 15:15:07 2015 us=555274   fast_io = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   lzo = 1
    Tue Nov 17 15:15:07 2015 us=555274   route_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555274   route_default_gateway = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555274   route_default_metric = 0
    Tue Nov 17 15:15:07 2015 us=555274   route_noexec = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   route_delay = 5
    Tue Nov 17 15:15:07 2015 us=555274   route_delay_window = 30
    Tue Nov 17 15:15:07 2015 us=555274   route_delay_defined = ENABLED
    Tue Nov 17 15:15:07 2015 us=555274   route_nopull = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   route_gateway_via_dhcp = DISABLED
    Tue Nov 17 15:15:07 2015 us=555274   max_routes = 100
    Tue Nov 17 15:15:07 2015 us=555786   allow_pull_fqdn = DISABLED
    Tue Nov 17 15:15:07 2015 us=555786   management_addr = '127.0.0.1'
    Tue Nov 17 15:15:07 2015 us=555786   management_port = 25340
    Tue Nov 17 15:15:07 2015 us=555786   management_user_pass = 'stdin'
    Tue Nov 17 15:15:07 2015 us=555786   management_log_history_cache = 250
    Tue Nov 17 15:15:07 2015 us=555786   management_echo_buffer_size = 100
    Tue Nov 17 15:15:07 2015 us=555786   management_write_peer_info_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   management_client_user = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   management_client_group = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   management_flags = 6
    Tue Nov 17 15:15:07 2015 us=555786   shared_secret_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   key_direction = 2
    Tue Nov 17 15:15:07 2015 us=555786   ciphername_defined = ENABLED
    Tue Nov 17 15:15:07 2015 us=555786   ciphername = 'AES-256-CBC'
    Tue Nov 17 15:15:07 2015 us=555786   authname_defined = ENABLED
    Tue Nov 17 15:15:07 2015 us=555786   authname = 'SHA256'
    Tue Nov 17 15:15:07 2015 us=555786   prng_hash = 'SHA1'
    Tue Nov 17 15:15:07 2015 us=555786   prng_nonce_secret_len = 16
    Tue Nov 17 15:15:07 2015 us=555786   keysize = 0
    Tue Nov 17 15:15:07 2015 us=555786   engine = DISABLED
    Tue Nov 17 15:15:07 2015 us=555786   replay = ENABLED
    Tue Nov 17 15:15:07 2015 us=555786   mute_replay_warnings = DISABLED
    Tue Nov 17 15:15:07 2015 us=555786   replay_window = 64
    Tue Nov 17 15:15:07 2015 us=555786   replay_time = 15
    Tue Nov 17 15:15:07 2015 us=555786   packet_id_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   use_iv = ENABLED
    Tue Nov 17 15:15:07 2015 us=555786   test_crypto = DISABLED
    Tue Nov 17 15:15:07 2015 us=555786   tls_server = DISABLED
    Tue Nov 17 15:15:07 2015 us=555786   tls_client = ENABLED
    Tue Nov 17 15:15:07 2015 us=555786   key_method = 2
    Tue Nov 17 15:15:07 2015 us=555786   ca_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   ca_path = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   dh_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   cert_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   priv_key_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   pkcs12_file = 'pfSense-udp-1194-testvpnuser.p12'
    Tue Nov 17 15:15:07 2015 us=555786   cryptoapi_cert = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   cipher_list = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   tls_verify = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   tls_export_cert = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=555786   verify_x509_type = 2
    Tue Nov 17 15:15:07 2015 us=555786   verify_x509_name = 'XXXXXXXX-VPN Cert'
    Tue Nov 17 15:15:07 2015 us=555786   crl_file = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=556284   ns_cert_type = 1
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_ku[i] = 0
    Tue Nov 17 15:15:07 2015 us=556284   remote_cert_eku = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=556284   ssl_flags = 0
    Tue Nov 17 15:15:07 2015 us=556284   tls_timeout = 2
    Tue Nov 17 15:15:07 2015 us=556284   renegotiate_bytes = 0
    Tue Nov 17 15:15:07 2015 us=556284   renegotiate_packets = 0
    Tue Nov 17 15:15:07 2015 us=556284   renegotiate_seconds = 3600
    Tue Nov 17 15:15:07 2015 us=556284   handshake_window = 60
    Tue Nov 17 15:15:07 2015 us=556284   transition_window = 3600
    Tue Nov 17 15:15:07 2015 us=556284   single_session = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   push_peer_info = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   tls_exit = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   tls_auth_file = 'pfSense-udp-1194-testvpnuser-tls.key'
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_protected_authentication = DISABLED
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556284   pkcs11_private_mode = 00000000
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_cert_private = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_pin_cache_period = -1
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_id = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=556784   pkcs11_id_management = DISABLED
    Tue Nov 17 15:15:07 2015 us=556784   server_network = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=556784   server_netmask = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   server_network_ipv6 = ::
    Tue Nov 17 15:15:07 2015 us=559284   server_netbits_ipv6 = 0
    Tue Nov 17 15:15:07 2015 us=559284   server_bridge_ip = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   server_bridge_netmask = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   server_bridge_pool_start = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   server_bridge_pool_end = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_start = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_end = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_netmask = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_persist_filename = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_pool_persist_refresh_freq = 600
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_ipv6_pool_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_ipv6_pool_base = ::
    Tue Nov 17 15:15:07 2015 us=559284   ifconfig_ipv6_pool_netbits = 0
    Tue Nov 17 15:15:07 2015 us=559284   n_bcast_buf = 256
    Tue Nov 17 15:15:07 2015 us=559284   tcp_queue_limit = 64
    Tue Nov 17 15:15:07 2015 us=559284   real_hash_size = 256
    Tue Nov 17 15:15:07 2015 us=559284   virtual_hash_size = 256
    Tue Nov 17 15:15:07 2015 us=559284   client_connect_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559284   learn_address_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559284   client_disconnect_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559284   client_config_dir = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559284   ccd_exclusive = DISABLED
    Tue Nov 17 15:15:07 2015 us=559284   tmp_dir = 'C:\Users\Markus\AppData\Local\Temp\'
    Tue Nov 17 15:15:07 2015 us=559284   push_ifconfig_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=559284   push_ifconfig_local = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559284   push_ifconfig_remote_netmask = 0.0.0.0
    Tue Nov 17 15:15:07 2015 us=559782   push_ifconfig_ipv6_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   push_ifconfig_ipv6_local = ::/0
    Tue Nov 17 15:15:07 2015 us=559782   push_ifconfig_ipv6_remote = ::
    Tue Nov 17 15:15:07 2015 us=559782   enable_c2c = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   duplicate_cn = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   cf_max = 0
    Tue Nov 17 15:15:07 2015 us=559782   cf_per = 0
    Tue Nov 17 15:15:07 2015 us=559782   max_clients = 1024
    Tue Nov 17 15:15:07 2015 us=559782   max_routes_per_client = 256
    Tue Nov 17 15:15:07 2015 us=559782   auth_user_pass_verify_script = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559782   auth_user_pass_verify_script_via_file = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   client = ENABLED
    Tue Nov 17 15:15:07 2015 us=559782   pull = ENABLED
    Tue Nov 17 15:15:07 2015 us=559782   auth_user_pass_file = 'stdin'
    Tue Nov 17 15:15:07 2015 us=559782   show_net_up = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   route_method = 0
    Tue Nov 17 15:15:07 2015 us=559782   ip_win32_defined = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   ip_win32_type = 3
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_masq_offset = 0
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_lease_time = 31536000
    Tue Nov 17 15:15:07 2015 us=559782   tap_sleep = 0
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_options = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_renew = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_pre_release = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   dhcp_release = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782   domain = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559782   netbios_scope = '[UNDEF]'
    Tue Nov 17 15:15:07 2015 us=559782   netbios_node_type = 0
    Tue Nov 17 15:15:07 2015 us=559782   disable_nbt = DISABLED
    Tue Nov 17 15:15:07 2015 us=559782 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Tue Nov 17 15:15:07 2015 us=559782 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Tue Nov 17 15:15:07 2015 us=560283 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Tue Nov 17 15:15:07 2015 us=560283 Need hold release from management interface, waiting...
    Tue Nov 17 15:15:07 2015 us=991578 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Tue Nov 17 15:15:08 2015 us=93291 MANAGEMENT: CMD 'state on'
    Tue Nov 17 15:15:08 2015 us=93291 MANAGEMENT: CMD 'log all on'
    Tue Nov 17 15:15:08 2015 us=279826 MANAGEMENT: CMD 'hold off'
    Tue Nov 17 15:15:08 2015 us=281828 MANAGEMENT: CMD 'hold release'
    Tue Nov 17 15:15:19 2015 us=141452 MANAGEMENT: CMD 'username "Auth" "testvpnuser"'
    Tue Nov 17 15:15:19 2015 us=157451 MANAGEMENT: CMD 'password [...]'
    Tue Nov 17 15:15:19 2015 us=386506 Control Channel Authentication: using 'pfSense-udp-1194-testvpnuser-tls.key' as a OpenVPN static key file
    Tue Nov 17 15:15:19 2015 us=386506 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Nov 17 15:15:19 2015 us=386506 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Nov 17 15:15:19 2015 us=386506 LZO compression initialized
    Tue Nov 17 15:15:19 2015 us=386506 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
    Tue Nov 17 15:15:19 2015 us=386506 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Tue Nov 17 15:15:19 2015 us=387507 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
    Tue Nov 17 15:15:19 2015 us=387507 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Tue Nov 17 15:15:19 2015 us=387507 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Tue Nov 17 15:15:19 2015 us=387507 Local Options hash (VER=V4): '73e43c96'
    Tue Nov 17 15:15:19 2015 us=387507 Expected Remote Options hash (VER=V4): '8a3b3cca'
    Tue Nov 17 15:15:19 2015 us=387507 UDPv4 link local (bound): [undef]
    Tue Nov 17 15:15:19 2015 us=387507 UDPv4 link remote: [AF_INET]###WAN-IP###:1194
    Tue Nov 17 15:15:19 2015 us=387507 MANAGEMENT: >STATE:1447769719,WAIT,,,
    Tue Nov 17 15:15:19 2015 us=420505 MANAGEMENT: >STATE:1447769719,AUTH,,,
    Tue Nov 17 15:15:19 2015 us=420505 TLS: Initial packet from [AF_INET]###WAN-IP###:1194, sid=79ee18ce 6a7be43b
    Tue Nov 17 15:15:19 2015 us=421507 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Nov 17 15:15:20 2015 us=112619 VERIFY OK: depth=1, C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXXVPN Cert
    Tue Nov 17 15:15:20 2015 us=113617 VERIFY OK: nsCertType=SERVER
    Tue Nov 17 15:15:20 2015 us=113617 VERIFY X509NAME OK: C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXX-VPN Cert
    Tue Nov 17 15:15:20 2015 us=113617 VERIFY OK: depth=0, C=de, ST=Berlin, L=Berlin, O=XXXXXXXX, emailAddress=XXXXXXXX@XXXXXXXX.de, CN=XXXXXXXX-VPN Cert
    Tue Nov 17 15:15:20 2015 us=899766 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Tue Nov 17 15:15:20 2015 us=899766 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Nov 17 15:15:20 2015 us=899766 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Tue Nov 17 15:15:20 2015 us=899766 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Nov 17 15:15:20 2015 us=900765 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Tue Nov 17 15:15:20 2015 us=900765 [XXXXXXXX-VPN Cert] Peer Connection Initiated with [AF_INET]###WAN-IP###:1194
    Tue Nov 17 15:15:21 2015 us=903960 MANAGEMENT: >STATE:1447769721,GET_CONFIG,,,
    Tue Nov 17 15:15:22 2015 us=907057 SENT CONTROL [XXXXXXXX-VPN Cert]: 'PUSH_REQUEST' (status=1)
    Tue Nov 17 15:15:22 2015 us=930054 PUSH: Received control message: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,route 192.168.150.8 255.255.255.255,dhcp-option DNS 192.168.64.1,dhcp-option DNS 212.121.128.10,dhcp-option DNS 8.8.8.8,dhcp-option DNS 212.121.128.11,redirect-gateway def1,route 10.0.8.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5'
    Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: route options modified
    Tue Nov 17 15:15:22 2015 us=930054 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Nov 17 15:15:22 2015 us=946054 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Nov 17 15:15:22 2015 us=946054 MANAGEMENT: >STATE:1447769722,ASSIGN_IP,,10.0.8.6,
    Tue Nov 17 15:15:22 2015 us=946054 open_tun, tt->ipv6=0
    Tue Nov 17 15:15:22 2015 us=947056 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{110E3111-18B9-4926-88B7-04C88CED934B}.tap
    Tue Nov 17 15:15:22 2015 us=948056 TAP-Windows Driver Version 9.21 
    Tue Nov 17 15:15:22 2015 us=948056 TAP-Windows MTU=1500
    Tue Nov 17 15:15:22 2015 us=950054 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {110E3111-18B9-4926-88B7-04C88CED934B} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
    Tue Nov 17 15:15:22 2015 us=950054 DHCP option string: 0610c0a8 4001d479 800a0808 0808d479 800b
    Tue Nov 17 15:15:22 2015 us=950054 Successful ARP Flush on interface [19] {110E3111-18B9-4926-88B7-04C88CED934B}
    Tue Nov 17 15:15:27 2015 us=97573 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
    Tue Nov 17 15:15:27 2015 us=97573 C:\WINDOWS\system32\route.exe ADD ###WAN-IP### MASK 255.255.255.255 192.168.178.1
    Tue Nov 17 15:15:27 2015 us=100573 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=100573 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=100573 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.8.5
    Tue Nov 17 15:15:27 2015 us=104572 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=104572 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=104572 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.8.5
    Tue Nov 17 15:15:27 2015 us=107570 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=107570 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=107570 MANAGEMENT: >STATE:1447769727,ADD_ROUTES,,,
    Tue Nov 17 15:15:27 2015 us=107570 C:\WINDOWS\system32\route.exe ADD 192.168.64.0 MASK 255.255.255.0 10.0.8.5
    Tue Nov 17 15:15:27 2015 us=135589 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=135589 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=135589 C:\WINDOWS\system32\route.exe ADD 192.168.150.8 MASK 255.255.255.255 10.0.8.5
    Tue Nov 17 15:15:27 2015 us=139588 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=139588 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=139588 C:\WINDOWS\system32\route.exe ADD 10.0.8.1 MASK 255.255.255.255 10.0.8.5
    Tue Nov 17 15:15:27 2015 us=142589 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    Tue Nov 17 15:15:27 2015 us=142589 Route addition via IPAPI succeeded [adaptive]
    Tue Nov 17 15:15:27 2015 us=142589 Initialization Sequence Completed
    Tue Nov 17 15:15:27 2015 us=142589 MANAGEMENT: >STATE:1447769727,CONNECTED,SUCCESS,10.0.8.6,###WAN-IP###
    
    The multiple WANs are old. Only one is active nowadays. Floating rules are also empty.
    
    Please click here for screenshots of the other firewall rules:
    http://imgur.com/a/k0Zf8
    

  • LAYER 8 Global Moderator

    sorry have gotten tied up with real work today..

    But looks like your routes got added so if you look at your route print

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      10.56.41.1    10.56.41.174    10
            10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    20
            10.0.8.4  255.255.255.252        On-link          10.0.8.6    276
            10.0.8.6  255.255.255.255        On-link          10.0.8.6    276
            10.0.8.7  255.255.255.255        On-link          10.0.8.6    276
            192.168.2.0    255.255.255.0        10.0.8.5        10.0.8.6    20
          192.168.3.0    255.255.255.0        10.0.8.5        10.0.8.6    20
          192.168.9.0    255.255.255.0        10.0.8.5        10.0.8.6    20

    you should see the route to the first IP in the range you were given.. so for example see that route to 10.0.8.1 in my above route table

    C:>ping 10.0.8.1

    Pinging 10.0.8.1 with 32 bytes of data:
    Reply from 10.0.8.1: bytes=32 time=175ms TTL=64
    Reply from 10.0.8.1: bytes=32 time=173ms TTL=64
    Reply from 10.0.8.1: bytes=32 time=180ms TTL=64
    Reply from 10.0.8.1: bytes=32 time=171ms TTL=64

    Ping statistics for 10.0.8.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 171ms, Maximum = 180ms, Average = 174ms

    C:\

    You should be able to ping your pfsense interface on your lan interface for example

    C:>ping 192.168.9.253

    Pinging 192.168.9.253 with 32 bytes of data:
    Reply from 192.168.9.253: bytes=32 time=175ms TTL=64
    Reply from 192.168.9.253: bytes=32 time=167ms TTL=64
    Reply from 192.168.9.253: bytes=32 time=168ms TTL=64
    Reply from 192.168.9.253: bytes=32 time=166ms TTL=64

    Ping statistics for 192.168.9.253:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 166ms, Maximum = 175ms, Average = 169ms

    C:>

    As to pinging stuff on your lan - they could be running a firewall that blocks that ping..

    My ping times are HIGH because I have to bounce off a proxy here at work to get out, proxy is in TX while I am in the Chicago area and so is my home connection I am vpn'd into.

    Take a look at your vpn interface.. Do you have any firewalls attached to it, and security stuff?  I couldn't get ipv6 to work over the tunnel until I removed the firewall binding..




  • Thank you for your advice! I'm learning a ton of new stuff here =)

    Here is my routing table after connecting to the vpn:

    IPv4-Routentabelle
    ===========================================================================
    Aktive Routen:
         Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
              0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.23     20
              0.0.0.0        128.0.0.0         10.0.8.5         10.0.8.6     20
             10.0.8.1  255.255.255.255         10.0.8.5         10.0.8.6     20
             10.0.8.4  255.255.255.252   Auf Verbindung          10.0.8.6    276
             10.0.8.6  255.255.255.255   Auf Verbindung          10.0.8.6    276
             10.0.8.7  255.255.255.255   Auf Verbindung          10.0.8.6    276
            127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
            127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
      127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
            128.0.0.0        128.0.0.0         10.0.8.5         10.0.8.6     20
         192.168.64.0    255.255.255.0         10.0.8.5         10.0.8.6     20
        192.168.150.8  255.255.255.255         10.0.8.5         10.0.8.6     20
        192.168.178.0    255.255.255.0   Auf Verbindung    192.168.178.23    276
       192.168.178.23  255.255.255.255   Auf Verbindung    192.168.178.23    276
      192.168.178.255  255.255.255.255   Auf Verbindung    192.168.178.23    276
    (openVPN Server IP)  255.255.255.255    192.168.178.1   192.168.178.23     20
            224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
            224.0.0.0        240.0.0.0   Auf Verbindung    192.168.178.23    276
            224.0.0.0        240.0.0.0   Auf Verbindung          10.0.8.6    276
      255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
      255.255.255.255  255.255.255.255   Auf Verbindung    192.168.178.23    276
      255.255.255.255  255.255.255.255   Auf Verbindung          10.0.8.6    276
    ===========================================================================
    

    Note: I still cannot ping 10.0.8.1 or any other IP address :(

    I also checked the settings page you showed, but I don't have this entry. Also I disabled the Windows firewall, but it didn't change anything.

    I am now comparing our routing tables, maybe there is some hint to it  :o
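
The comparison described above, as an added example that is not part of the original post: it derives the routes that the PUSH_REPLY in the client log should produce and checks them against `route print` rows, including the localized "Auf Verbindung" gateway column. `SERVER_IP` is a placeholder for the redacted WAN address, the table rows are a trimmed copy of the poster's output, and the function names are hypothetical.

```python
import ipaddress
import re

# PUSH_REPLY copied from the client log on this page.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.64.0 255.255.255.0,"
              "route 192.168.150.8 255.255.255.255,dhcp-option DNS 192.168.64.1,"
              "dhcp-option DNS 212.121.128.10,dhcp-option DNS 8.8.8.8,"
              "dhcp-option DNS 212.121.128.11,redirect-gateway def1,route 10.0.8.1,"
              "topology net30,ping 10,ping-restart 60,ifconfig 10.0.8.6 10.0.8.5")
SERVER_IP = "203.0.113.10"   # placeholder: the page redacts the real WAN address
LOCAL_GW = "192.168.178.1"   # pre-VPN default gateway from the poster's table

# Rows trimmed from the poster's table, SERVER_IP substituted for the redacted row.
ROUTE_PRINT = """
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.23     20
          0.0.0.0        128.0.0.0         10.0.8.5         10.0.8.6     20
         10.0.8.1  255.255.255.255         10.0.8.5         10.0.8.6     20
         10.0.8.4  255.255.255.252   Auf Verbindung          10.0.8.6    276
        128.0.0.0        128.0.0.0         10.0.8.5         10.0.8.6     20
     192.168.64.0    255.255.255.0         10.0.8.5         10.0.8.6     20
    192.168.150.8  255.255.255.255         10.0.8.5         10.0.8.6     20
     203.0.113.10  255.255.255.255    192.168.178.1   192.168.178.23     20
"""

IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(.+?)\s+{IP}\s+(\d+)\s*$")

def expected_routes(push_reply, server_ip, local_gw):
    """Derive the (network, gateway) pairs the client should install."""
    opts = [o.split() for o in push_reply.split(",")[1:]]
    # Assumes topology net30, as pushed here: the ifconfig peer is the gateway.
    vpn_gw = next(o[2] for o in opts if o[0] == "ifconfig")
    routes = set()
    for o in opts:
        if o[0] == "route":
            mask = o[2] if len(o) > 2 else "255.255.255.255"  # host route if mask omitted
            net = ipaddress.ip_network(f"{o[1]}/{mask}", strict=False)
            routes.add((str(net), vpn_gw))
        elif o[:2] == ["redirect-gateway", "def1"]:
            # def1 keeps the old default route and overrides it with two /1 routes,
            # plus a host route so the tunnel's own packets still use the local gateway.
            routes |= {("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw),
                       (f"{server_ip}/32", local_gw)}
    return routes

def installed_routes(route_print):
    """Parse route rows; the gateway column is an IP or a localized 'On-link' string."""
    found = set()
    for line in route_print.splitlines():
        m = ROW.match(line)
        if m:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            found.add((str(net), m[3]))
    return found

def missing_routes(push_reply, route_print, server_ip=SERVER_IP, local_gw=LOCAL_GW):
    """Routes the server pushed that are absent from the client's table."""
    expected = expected_routes(push_reply, server_ip, local_gw)
    return sorted(expected - installed_routes(route_print))

if __name__ == "__main__":
    print(missing_routes(PUSH_REPLY, ROUTE_PRINT))
```

An empty result means every pushed route is installed on the client, so the remaining suspects are on the server side (firewall rules and outbound NAT).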


  • LAYER 8 Global Moderator

    My security software that was bound to my vpn interface was just an example.. Do you have any bindings?

    Would you be up to sending me vpn info via PM and I can try and connect to rule out issues with your client.


  • LAYER 8 Global Moderator

    So I did a quick teamviewer with the OP, and he had his nats set to manual and was missing the openvpn tunnel network nats and also had a NAT for ALL ports to be static..

    I suggested he get rid of that ALL static nat, that is a bad idea.  If you have some application or device that has issues with pfsense changing the source port on the outside when it does the napt, then this should be limited to the specific port and/or port and IP of the device having the problems.  Doing ALL and ALL is going to cause issues the more and more users you have behind the nat, when you run into an issue where more than 1 IP behind it wants to use the same source port when talking to something.

    Once he switches to auto on his nats, and the tunnel network gets added it should be working just fine.
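
The two problems described in the post above, as an added example that is not part of the original thread: a check for internal networks that no manual outbound NAT rule covers, and a simplified NAPT model showing why static port on every port collides once two inside hosts pick the same source port. The rule dictionaries are a hypothetical representation (not pfSense's configuration format), and the WAN address and flows are constructed.

```python
import ipaddress

WAN = "WAN_FIBER"
LAN_NET = "192.168.64.0/24"   # LAN route pushed to the client in this thread
TUNNEL_NET = "10.0.8.0/24"    # OpenVPN tunnel network in this thread
WAN_IP = "203.0.113.10"       # constructed placeholder, not from the page

# Constructed manual rule set modelled on the moderator's description:
# the LAN is translated with static port on every port, the tunnel is absent.
MANUAL_RULES = [
    {"interface": WAN, "source": LAN_NET, "dst_port": "*", "static_port": True},
]
# The two auto-created tunnel rules the original poster quotes in this thread.
AUTO_TUNNEL_RULES = [
    {"interface": WAN, "source": TUNNEL_NET, "dst_port": "500", "static_port": True},
    {"interface": WAN, "source": TUNNEL_NET, "dst_port": "*", "static_port": False},
]
# Constructed flows: two LAN hosts pick the same source port for one destination.
FLOWS = [
    ("192.168.64.10", 5060, "198.51.100.20", 5060),
    ("192.168.64.11", 5060, "198.51.100.20", 5060),
]

def uncovered_sources(rules, interface, networks):
    """Networks that no rule on `interface` translates for all destination ports."""
    missing = []
    for net in map(ipaddress.ip_network, networks):
        covered = any(
            r["interface"] == interface and r["dst_port"] == "*"
            and net.subnet_of(ipaddress.ip_network(r["source"]))
            for r in rules
        )
        if not covered:
            missing.append(str(net))
    return missing

def broad_static_port_rules(rules):
    """Static port scoped to one port (ISAKMP on 500) is fine; on every port it is not."""
    return [r for r in rules if r["static_port"] and r["dst_port"] == "*"]

def translate(flows, wan_ip, static_port, first_port=1024):
    """Simplified NAPT model: return (state table, flows that could not be mapped)."""
    states, rejected, next_port = {}, [], first_port
    for flow in flows:
        src_ip, src_port, dst_ip, dst_port = flow
        if static_port:
            key = (wan_ip, src_port, dst_ip, dst_port)   # source port kept as-is
            if key in states:                            # outside tuple already in use
                rejected.append(flow)
                continue
        else:
            key = (wan_ip, next_port, dst_ip, dst_port)  # source port rewritten
            next_port += 1
        states[key] = (src_ip, src_port)
    return states, rejected

if __name__ == "__main__":
    print("no outbound NAT for:", uncovered_sources(MANUAL_RULES, WAN, [LAN_NET, TUNNEL_NET]))
    print("static port on all ports:", broad_static_port_rules(MANUAL_RULES))
    print("collisions with static port:", translate(FLOWS, WAN_IP, True)[1])
```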



  • It is amazing! Literally all I had to do was to switch to "Automatic outbound NAT rule generation (IPsec passthrough included)"
    However I would never have found it alone - so huge, huge thanks to johnpoz!!!  :) :) :) :) :D

    Besides, I had pretty stupid 1:1 NAT rules in place which were, in fact, obsolete as I checked. Thanks for pointing that out to me additionally.

    The important automatic rules were these:

    
    Interface  Source       Source Port  Dest  Dest Port  NAT Address        NAT Port  Static Port  Description
    WAN_FIBER  10.0.8.0/24  *            *     500        WAN_FIBER address  *         YES          Auto created rule for ISAKMP
    WAN_FIBER  10.0.8.0/24  *            *     *          WAN_FIBER address  *         NO           Auto created rule
    

    Now everything works just fine!  ;D


  • LAYER 8 Global Moderator

    See clickity clickity ;)  Glad you got it sorted and you got rid of that static nat for ANY ANY I hope..



  • Yes, I did that. After I switched to automatic, all other rules got disabled. After that I checked that all network applications are still running as intended and it turned out they were obsolete anyway :-D

