Struggling to get OpenVPN working



  • OK -- all the usual... just got a SG-2440 (two of them actually), have all the basic stuff set up and am now trying to set up OpenVPN so that I can connect from a remote location (using Viscosity on a Mac and OpenVPN app on iPhone).

    I've set up everything (certificates, etc) and exported the OVPN files. New firewall rules are loaded etc.

    When I try to connect from my iPhone, it just times out after some time. I am however prompted for username/password.

    I'm not 100% sure that I configured everything appropriately, took the defaults as much as possible. The one thing I'm unclear about is defining the IP network for the tunnel.

    My home network is  192.168.0.0/24  so I set up the tunnel IP to be 192.168.18.0/24

    Should that work?

    Anything else I need to do?

    Thanks


  • LAYER 8 Netgate

    That looks fine. Though I would pick something random for the LAN and tunnel networks. If you try to connect from somewhere else that uses 192.168.0.0/24 as their LAN (which is probably billions of networks) you'll have problems.

    Status > System Logs, OpenVPN tab

    What's in there when you try to connect.

    And you're trying to connect from outside your network right?



  • Odd my thread isn't here anymore.  Searched for it.

    The update changed something, and I don't remember what I did to fix it.  I thought I'd leave it here to remember for me.

    Did it ever work before? Say before 2.2.5?



  • @Derelict

    Below are the logs -- 192.168.1.3 is the WAN address of the SG-2440 (it is connected to a subnet of a Verizon FIOS router). That address is configured as the DMZ for the FIOS router so all connections from the outside world are passed directly to the SG-2440. Yes, I'm using a cellular phone as a hotspot specially to ensure that connections are coming from the outside.

    @W4RH34D
    I only got this router a few days ago, so it's a brand new system for me. According to the dashboard it is running 2.2.6


    Jan 18 13:37:33 pfSense openvpn[76611]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Jan 18 13:37:33 pfSense openvpn[76611]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jan 18 13:37:33 pfSense openvpn[76915]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 18 13:37:33 pfSense openvpn[76915]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jan 18 13:37:33 pfSense openvpn[76915]: TUN/TAP device ovpns1 exists previously, keep at program end
    Jan 18 13:37:33 pfSense openvpn[76915]: TUN/TAP device /dev/tun1 opened
    Jan 18 13:37:33 pfSense openvpn[76915]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Jan 18 13:37:33 pfSense openvpn[76915]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 18 13:37:33 pfSense openvpn[76915]: /sbin/ifconfig ovpns1 192.168.18.1 192.168.18.2 mtu 1500 netmask 255.255.255.255 up
    Jan 18 13:37:33 pfSense openvpn[76915]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 192.168.18.1 192.168.18.2 init
    Jan 18 13:37:33 pfSense openvpn[76915]: UDPv4 link local (bound): [AF_INET]192.168.1.3:1194
    Jan 18 13:37:33 pfSense openvpn[76915]: UDPv4 link remote: [undef]
    Jan 18 13:37:33 pfSense openvpn[76915]: Initialization Sequence Completed
    Jan 18 15:17:27 pfSense openvpn[76915]: event_wait : Interrupted system call (code=4)
    Jan 18 15:17:27 pfSense openvpn[76915]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 192.168.18.1 192.168.18.2 init
    Jan 18 15:17:27 pfSense openvpn[76915]: SIGTERM[hard,] received, process exiting
    Jan 18 15:20:19 pfSense openvpn[94758]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Jan 18 15:20:19 pfSense openvpn[94758]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jan 18 15:20:19 pfSense openvpn[94864]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 18 15:20:19 pfSense openvpn[94864]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jan 18 15:20:19 pfSense openvpn[94864]: TUN/TAP device ovpns1 exists previously, keep at program end
    Jan 18 15:20:19 pfSense openvpn[94864]: TUN/TAP device /dev/tun1 opened
    Jan 18 15:20:19 pfSense openvpn[94864]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Jan 18 15:20:19 pfSense openvpn[94864]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Jan 18 15:20:19 pfSense openvpn[94864]: /sbin/ifconfig ovpns1 10.0.9.1 10.0.9.2 mtu 1500 netmask 255.255.255.255 up
    Jan 18 15:20:19 pfSense openvpn[94864]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.9.1 10.0.9.2 init
    Jan 18 15:20:19 pfSense openvpn[94864]: UDPv4 link local (bound): [AF_INET]192.168.1.3:1194
    Jan 18 15:20:19 pfSense openvpn[94864]: UDPv4 link remote: [undef]
    Jan 18 15:20:19 pfSense openvpn[94864]: Initialization Sequence Completed


  • LAYER 8 Netgate

    I don't think that shows a connection attempt.

    You exported the config for viscosity using the client export package right?


  • LAYER 8 Global Moderator

    I don't see anything connecting either

    ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)

    Looks to be a problem..



  • Yes, I installed the client export package, created the ovpn files and installed them into OpenVPN client on my Mac and on an iPhone

    I don't believe that Verizon FIOS blocks port 1194. So that's why I don't understand why I'm not seeing anything


  • LAYER 8 Global Moderator

    you're not seeing anything because it's never trying to connect, because it says

    Device busy: Device busy (errno=16)



  • So then the question is why? I have Viscosity on a Mac, and the Mac is connected to a hotspot that is outside my LAN (I've checked that with such tools as whatismyip.com, etc)


  • LAYER 8 Global Moderator

    dude your openvpn interface is most likely hung.. disable and then enable the interface or reboot ;)



  • It's not down -- already tried restarting.

    Here are the logs from the remote Viscosity client. The last line of that log is the correct IP address of the WAN interface on my firewall so it would seem to have managed to connect through the Verizon router with no problem.
    It just doesn't go any further.

    Jan 19 10:31:16: Viscosity Mac 1.5.11 (1314)
    Jan 19 10:31:16: Viscosity OpenVPN Engine Started
    Jan 19 10:31:16: Running on Mac OS X 10.11.4
    Jan 19 10:31:16: ---------
    Jan 19 10:31:16: Checking reachability status of connection...
    Jan 19 10:31:16: Connection is reachable. Starting connection attempt.
    Jan 19 10:31:16: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
    Jan 19 10:31:16: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Jan 19 10:31:23: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.NGQTco/ta.key' as a OpenVPN static key file
    Jan 19 10:31:23: UDPv4 link local (bound): [undef]
    Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194


  • LAYER 8 Global Moderator

    Where is your initial packet?  So for example I just connected..

    Tue Jan 19 09:41:23 2016 TCPv4_CLIENT link local (bound): [undef]
    Tue Jan 19 09:41:23 2016 TCPv4_CLIENT link remote: [AF_INET]10.56.226.130:8080
    Tue Jan 19 09:41:23 2016 MANAGEMENT: >STATE:1453218083,WAIT,,,
    Tue Jan 19 09:41:23 2016 MANAGEMENT: >STATE:1453218083,AUTH,,,
    Tue Jan 19 09:41:23 2016 TLS: Initial packet from [AF_INET]10.56.226.130:8080, sid=bd72773b 9ed9bb88

    I bounce off a proxy here, which is why you see the rfc1918 address and port 8080.. But you should see something sim, do you see the packet leave your machine?? If so then it's not getting to your pfsense server.. What do the next few lines in the log say?

    What is your logging level?  Bump it up to say 4 or so..  In your config its the verb statement on the client.



  • That's the thing -- the connection seems to be hanging at that point, there are no new lines in the Viscosity log after

    Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194

    By the way, I really appreciate the help and feedback from you guys.

    D



  • I figured everything out -- the problem was with the OVPN export part. I needed to change the hostname resolution part because it was defaulting to the WAN IP address but because there is a Verizon Router in front of my pfSense box, that WAN IP address is still an internal subnet address. After I changed the host name resolution to use a name, everything worked fine.

    Hope this helps anyone else who runs a pfSense behind a Verizon router
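The root cause in the last post (an exported profile whose `remote` line is the firewall's private WAN address, so the client's handshake never gets a reply) can be caught before connecting, and the symptom in the Viscosity log (a `link remote` line with no `TLS: Initial packet` after it) can be recognised mechanically. The following is an added example, not anything posted in this thread or shipped with pfSense or the client export package; the profile text and log lines are constructed samples modelled on the ones quoted above.

```python
import ipaddress
import re

# Constructed sample: what an exported .ovpn looks like when the export's
# host name resolution is left pointing at the firewall's (private) WAN IP.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 192.168.1.3 1194
tls-auth ta.key 1
verb 3
"""

# Constructed sample: a client log that stalls right after the socket is
# pointed at the server, with no "TLS: Initial packet" reply ever logged.
SAMPLE_CLIENT_LOG = """\
Jan 19 10:31:23: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Jan 19 10:31:23: UDPv4 link local (bound): [undef]
Jan 19 10:31:23: UDPv4 link remote: [AF_INET]192.168.1.3:1194
"""


def check_remotes(ovpn_text):
    """Return (host, port, problem) for every 'remote' directive in a profile.
    problem is None, or a reason the address cannot be reached from the public
    Internet (an RFC1918 / loopback / link-local literal instead of a name)."""
    findings = []
    for line in ovpn_text.splitlines():
        m = re.match(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", line)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2) or 1194)  # 1194 is OpenVPN's default port
        problem = None
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname: resolved by the client at connect time
        if addr is not None and not addr.is_global:
            problem = f"{host} is not a public address (private/reserved)"
        findings.append((host, port, problem))
    return findings


def handshake_stalled(log_text):
    """True when the client log shows the socket aimed at the remote but the
    server's first TLS reply ('TLS: Initial packet') never appears."""
    lines = log_text.splitlines()
    sent = any("link remote:" in ln for ln in lines)
    replied = any("TLS: Initial packet" in ln for ln in lines)
    return sent and not replied
```

A profile whose only `remote` is flagged by `check_remotes`, combined with a client log where `handshake_stalled` is true, matches exactly the situation resolved above: the packets leave the client but are addressed to a network that does not exist from the outside.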

