pfSense Gold Subscription

Author Topic: How to create an OpenVPN client to StrongVPN  (Read 115941 times)

0 Members and 1 Guest are viewing this topic.

Offline toyotahead

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #135 on: July 24, 2014, 08:11:49 pm »
Just a thought... Why is there a 0.0.0.0/1 to 10.8.1.61 ahead of the default gateway line?

This is with the openvpn activated:
Diagnostics: Routing tables

IPv4
Destination    Gateway    Flags    Refs    Use    Mtu    Netif    Expire
0.0.0.0/1    10.8.1.61    UGS    0    41    1500    ovpnc1    =>
default    192.168.69.1    UGS    0    1097    1500    sk0    
10.8.1.57/32    10.8.1.61    UGS    0    0    1500    ovpnc1    
10.8.1.61    link#14    UH    0    0    1500    ovpnc1    
10.8.1.62    link#14    UHS    0    0    16384    lo0    
50.66.76.1    192.168.69.1    UGHS    0    1685    1500    sk0    
127.0.0.1    link#12    UH    0    51040    16384    lo0    
128.0.0.0/1    10.8.1.61    UGS    0    22210    1500    ovpnc1    
172.16.50.0/24    link#6    U    0    5891    1500    sk1    
172.16.50.1    link#6    UHS    0    0    16384    lo0    
172.16.75.0/24    link#1    U    0    0    1500    msk0    
172.16.75.1    link#1    UHS    0    0    16384    lo0    
172.16.100.0/24    link#7    U    0    0    1500    sk2    
172.16.100.1    link#7    UHS    0    0    16384    lo0    
172.16.150.0/24    link#8    U    0    0    1500    sk3    
172.16.150.1    link#8    UHS    0    0    16384    lo0    
172.16.200.0/24    link#3    U    0    0    1500    msk2    
172.16.200.1    link#3    UHS    0    41    16384    lo0    
172.16.201.0/24    link#13    U    0    0    1500    msk3_vlan201    
172.16.201.1    link#13    UHS    0    0    16384    lo0    
192.168.69.0/24    link#5    U    0    0    1500    sk0    
192.168.69.14    link#5    UHS    0    0    16384    lo0    
207.204.245.40/32    192.168.69.1    UGS    0    1784    1500    sk0    
208.67.222.222    10.8.1.61    UGHS    0    1611    1500    ovpnc1



This is with the openvpn deactivated:
Diagnostics: Routing tables
IPv4
Destination    Gateway    Flags    Refs    Use    Mtu    Netif    Expire
default    192.168.69.1    UGS    0    1200    1500    sk0    
50.66.76.1    192.168.69.1    UGHS    0    3803    1500    sk0    
127.0.0.1    link#12    UH    0    115900    16384    lo0    
172.16.50.0/24    link#6    U    0    17932    1500    sk1    
172.16.50.1    link#6    UHS    0    0    16384    lo0    
172.16.75.0/24    link#1    U    0    0    1500    msk0    
172.16.75.1    link#1    UHS    0    0    16384    lo0    
172.16.100.0/24    link#7    U    0    0    1500    sk2    
172.16.100.1    link#7    UHS    0    0    16384    lo0    
172.16.150.0/24    link#8    U    0    0    1500    sk3    
172.16.150.1    link#8    UHS    0    0    16384    lo0    
172.16.200.0/24    link#3    U    0    0    1500    msk2    
172.16.200.1    link#3    UHS    0    50    16384    lo0    
172.16.201.0/24    link#13    U    0    0    1500    msk3_vlan201    
172.16.201.1    link#13    UHS    0    0    16384    lo0    
192.168.69.0/24    link#5    U    0    2    1500    sk0    
192.168.69.14    link#5    UHS    0    0    16384    lo0


My gut is telling me this is the error I have been trying to track down. If this is so then how am i going to be able to amend this seemingly automaticly generated routing table? I have my NAT Outbound NAT rules set to manual at present.

Offline toyotahead

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #136 on: July 24, 2014, 08:47:34 pm »
My openvpn config diagnostic output:



Jul 24 17:08:05 openvpn[63624]: LZO compression initialized
Jul 24 17:08:05 openvpn[63624]: Control Channel MTU parms [ L:1562 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 24 17:08:05 openvpn[63624]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 24 17:08:05 openvpn[63624]: Data Channel MTU parms [ L:1562 D:1450 EF:62 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Fragmentation MTU parms [ L:1562 D:1300 EF:61 EB:135 ET:1 EL:0 AF:3/1 ]
Jul 24 17:08:05 openvpn[63624]: Local Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1562,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jul 24 17:08:05 openvpn[63624]: Local Options hash (VER=V4): '84ab6e17'
Jul 24 17:08:05 openvpn[63624]: Expected Remote Options hash (VER=V4): '6a64613d'
Jul 24 17:08:05 openvpn[63624]: UDPv4 link local (bound): [AF_INET]192.168.69.14
Jul 24 17:08:05 openvpn[63624]: UDPv4 link remote: [AF_INET]207.204.245.40:4672
Jul 24 17:08:05 openvpn[63624]: TLS: Initial packet from [AF_INET]207.204.245.40:4672, sid=bf5e0c09 180c3de9
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=1, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=ovpn039, emailAddress=techies@reliablehosting.com
Jul 24 17:08:05 openvpn[63624]: VERIFY OK: depth=0, C=US, ST=CA, L=San-Francisco, O=reliablehosting.com, CN=vpn28, emailAddress=techies@reliablehosting.com
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 24 17:08:06 openvpn[63624]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 24 17:08:06 openvpn[63624]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jul 24 17:08:06 openvpn[63624]: [vpn28] Peer Connection Initiated with [AF_INET]207.204.245.40:4672
Jul 24 17:08:08 openvpn[63624]: SENT CONTROL [vpn28]: 'PUSH_REQUEST' (status=1)
Jul 24 17:08:08 openvpn[63624]: PUSH: Received control message: 'PUSH_REPLY,ping 1,ping-restart 60,route-delay 2,route-metric 1,dhcp-option DNS 207.204.224.10,dhcp-option DNS 68.68.32.123,route 10.8.1.57,topology net30,ifconfig 10.8.1.62 10.8.1.61'
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: route-related options modified
Jul 24 17:08:08 openvpn[63624]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 24 17:08:08 openvpn[63624]: ROUTE_GATEWAY 192.168.69.1
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device ovpnc1 exists previously, keep at program end
Jul 24 17:08:08 openvpn[63624]: TUN/TAP device /dev/tun1 opened
Jul 24 17:08:08 openvpn[63624]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jul 24 17:08:08 openvpn[63624]: /sbin/ifconfig ovpnc1 10.8.1.62 10.8.1.61 mtu 1500 netmask 255.255.255.255 up
Jul 24 17:08:08 openvpn[63624]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1562 10.8.1.62 10.8.1.61 init
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 207.204.245.40 192.168.69.1 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 0.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 128.0.0.0 10.8.1.61 128.0.0.0
Jul 24 17:08:10 openvpn[63624]: /sbin/route add -net 10.8.1.57 10.8.1.61 255.255.255.255
Jul 24 17:08:10 openvpn[63624]: Initialization Sequence Completed
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:08:15 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:15:46 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:15:47 openvpn[63624]: MANAGEMENT: Client disconnected
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'state 1'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: CMD 'status 2'
Jul 24 17:17:40 openvpn[63624]: MANAGEMENT: Client disconnected



Is there a way to make it so that when the vpn establishes that this route is not done?

Offline toyotahead

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #137 on: July 24, 2014, 09:38:49 pm »
SOLVED


Ok in the advanced config section of the openvpn client just DONT add the "redirect-gateway def1;" This effectively will override the route table with a blanket forward all traffic out the vpn tunnel.


NOW you are able to specify in your firewall rules which *filtered* matches you want to go out the VPN tunnel via the advanced features - gateway - and select the gateway of the vpn.


CHEERS EVERYONE. I see this has been a brutally long thread and many times this very question on how to selectively push traffic though the tunnel has been asked with no definitive solution. I am glad to have been able to contribute. :)


Offline thermo

  • Full Member
  • ***
  • Posts: 152
  • Karma: +2/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #138 on: July 25, 2014, 05:03:18 am »
SOLVED
Ok in the advanced config section of the openvpn client just DONT add the "redirect-gateway def1;" This effectively will override the route table with a blanket forward all traffic out the vpn tunnel.

The server by default will send this to the client...
Anyway, to prevent all traffic being routed through a vpn connection by default, you just need to add "route-nopull;" to the advanced section, then do your individual routing on your firewall rules.

Offline clevoir

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to AirVPN
« Reply #139 on: December 07, 2014, 12:41:14 pm »
I have had some problems setting up AirVPN on a new pfSense box, as posted elsewhere

I stumbled on this post, and despite following the instructions in detail, I simply cannot get a reliable internet connection. At the end of the guide I am able to confirm that I am using the AirVPN IP address instead of my own, but get a very slow internet connection, with most pages timing out.

I have tried a number of different servers, all using the UDP straight proticol, but all have the effect.

Following another guide I am using remote-cert-tls server;verb 3;explicit-exit-notify 5;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key in the advanced configuration of the OpenVPN client. I have tried omitting the persist-key option as suggested but this makes on efferct

This is a typical OpenVPN log:-

Dec 7 17:18:12    openvpn[24752]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
Dec 7 17:18:12    openvpn[24752]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 7 17:18:12    openvpn[24752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 7 17:18:12    openvpn[24752]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Dec 7 17:18:12    openvpn[24752]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12    openvpn[24752]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:12    openvpn[24752]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 17:18:12     openvpn[25084]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 17:18:12    openvpn[25084]: UDPv4 link remote: [AF_INET]95.211.138.7:443
Dec 7 17:18:12    openvpn[25084]: TLS: Initial packet from [AF_INET]95.211.138.7:443, sid=6fa95ce8 b20f1f7b
Dec 7 17:18:12    openvpn[25084]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 17:18:12    openvpn[25084]: Validating certificate key usage
Dec 7 17:18:12    openvpn[25084]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 17:18:12    openvpn[25084]: VERIFY KU OK
Dec 7 17:18:12    openvpn[25084]: Validating certificate extended key usage
Dec 7 17:18:12    openvpn[25084]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 17:18:12    openvpn[25084]: VERIFY EKU OK
Dec 7 17:18:12    openvpn[25084]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 17:18:20    openvpn[25084]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Dec 7 17:18:20    openvpn[25084]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Dec 7 17:18:20    openvpn[25084]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20    openvpn[25084]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20    openvpn[25084]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 17:18:20    openvpn[25084]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 17:18:20    openvpn[25084]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 17:18:20    openvpn[25084]: [server] Peer Connection Initiated with [AF_INET]95.211.138.7:443
Dec 7 17:18:22    openvpn[25084]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 17:18:23    openvpn[25084]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.23.110 10.4.23.109'
Dec 7 17:18:23    openvpn[25084]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 17:18:23    openvpn[25084]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 7 17:18:23    openvpn[25084]: OPTIONS IMPORT: route options modified
Dec 7 17:18:23    openvpn[25084]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 7 17:18:23    openvpn[25084]: ROUTE_GATEWAY 192.168.1.1
Dec 7 17:18:23    openvpn[25084]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 17:18:23    openvpn[25084]: TUN/TAP device /dev/tun1 opened
Dec 7 17:18:23    openvpn[25084]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 17:18:23    openvpn[25084]: /sbin/ifconfig ovpnc1 10.4.23.110 10.4.23.109 mtu 1500 netmask 255.255.255.255 up
Dec 7 17:18:23    openvpn[25084]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.23.110 10.4.23.109 init
Dec 7 17:18:23    openvpn[25084]: /sbin/route add -net 95.211.138.7 192.168.1.1 255.255.255.255
Dec 7 17:18:23    openvpn[25084]: /sbin/route add -net 0.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23    openvpn[25084]: /sbin/route add -net 128.0.0.0 10.4.23.109 128.0.0.0
Dec 7 17:18:23    openvpn[25084]: /sbin/route add -net 10.4.0.1 10.4.23.109 255.255.255.255
Dec 7 17:18:23    openvpn[25084]: Initialization Sequence Completed

Sometimes I get Client disconnected as below:-

Dec 7 10:50:34    openvpn[95554]: ROUTE_GATEWAY 192.168.1.1
Dec 7 10:50:34    openvpn[95554]: TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 7 10:50:34    openvpn[95554]: TUN/TAP device /dev/tun1 opened
Dec 7 10:50:34    openvpn[95554]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 7 10:50:34    openvpn[95554]: /sbin/ifconfig ovpnc1 10.4.51.250 10.4.51.249 mtu 1500 netmask 255.255.255.255 up
Dec 7 10:50:34    openvpn[95554]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1557 10.4.51.250 10.4.51.249 init
Dec 7 10:50:34    openvpn[95554]: /sbin/route add -net 95.211.186.93 192.168.1.1 255.255.255.255
Dec 7 10:50:34    openvpn[95554]: /sbin/route add -net 0.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34    openvpn[95554]: /sbin/route add -net 128.0.0.0 10.4.51.249 128.0.0.0
Dec 7 10:50:34    openvpn[95554]: /sbin/route add -net 10.4.0.1 10.4.51.249 255.255.255.255
Dec 7 10:50:34    openvpn[95554]: Initialization Sequence Completed
Dec 7 10:51:34    openvpn[95554]: [server] Inactivity timeout (--ping-restart), restarting
Dec 7 10:51:34    openvpn[95554]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 7 10:51:34    openvpn[95554]: Restart pause, 2 second(s)
Dec 7 10:51:36    openvpn[95554]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 7 10:51:36    openvpn[95554]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Dec 7 10:51:36    openvpn[95554]: UDPv4 link local (bound): [AF_INET]192.168.1.250
Dec 7 10:51:36    openvpn[95554]: UDPv4 link remote: [AF_INET]95.211.186.93:443
Dec 7 10:51:36    openvpn[95554]: TLS: Initial packet from [AF_INET]95.211.186.93:443, sid=72e60795 f425b2a5
Dec 7 10:51:36    openvpn[95554]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 7 10:51:36    openvpn[95554]: Validating certificate key usage
Dec 7 10:51:36    openvpn[95554]: ++ Certificate has key usage 00a0, expects 00a0
Dec 7 10:51:36    openvpn[95554]: VERIFY KU OK
Dec 7 10:51:36    openvpn[95554]: Validating certificate extended key usage
Dec 7 10:51:36    openvpn[95554]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 7 10:51:36    openvpn[95554]: VERIFY EKU OK
Dec 7 10:51:36    openvpn[95554]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 7 10:51:41    openvpn[95554]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41    openvpn[95554]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41    openvpn[95554]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 7 10:51:41    openvpn[95554]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 7 10:51:41    openvpn[95554]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 7 10:51:41    openvpn[95554]: [server] Peer Connection Initiated with [AF_INET]95.211.186.93:443
Dec 7 10:51:43    openvpn[95554]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 7 10:51:43    openvpn[95554]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.51.250 10.4.51.249'
Dec 7 10:51:43    openvpn[95554]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 7 10:51:43    openvpn[95554]: OPTIONS IMPORT: LZO parms modified
Dec 7 10:51:43    openvpn[95554]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 7 10:51:43    openvpn[95554]: OPTIONS IMPORT: route options modified
Dec 7 10:51:43    openvpn[95554]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 7 10:51:43    openvpn[95554]: Preserving previous TUN/TAP instance: ovpnc1
Dec 7 10:51:43    openvpn[95554]: Initialization Sequence Completed
Dec 7 10:58:46    openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 10:58:46    openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 10:58:46    openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 10:58:46    openvpn[95554]: MANAGEMENT: Client disconnected
Dec 7 11:42:42    openvpn[95554]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 7 11:42:42    openvpn[95554]: MANAGEMENT: CMD 'state 1'
Dec 7 11:42:42    openvpn[95554]: MANAGEMENT: CMD 'status 2'
Dec 7 11:42:42    openvpn[95554]: MANAGEMENT: Client disconnected

A connection is alway made with AirVPN and their gateway is always green after a number of seconds, see attachments

I can not us the monitor IP address as stated in the guide, bit have used 10.4.0.1 (which is an AirVPN address given in another setup guide) or google's 8.8.8.8

The OpenVPN connection is clearly been made and a gateway to AirVPN is being set up, I am at a complete loss as to why I can't get an internet connection.

I did wonder whether to try different ports rather than 443 UDP straight, but thought that I would post here first

I would be very grateful of some assistance, I have hit a brick wall and just don't kno where to turn next

I am running Snort, Squid and ClamAV as well, if this makes any difference

Also I am currently using the same subnet for WAN and LAN, could this be the cause of my problem?
« Last Edit: December 07, 2014, 12:55:15 pm by clevoir »

Offline sysfu

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #140 on: December 07, 2014, 01:16:10 pm »
What happens when you connect to the AirVPN account using an OpenVPN client on your computer? Do the problems go away?

Offline clevoir

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #141 on: December 08, 2014, 12:18:15 pm »
Yes when I use AirVPN's own client software I get no problems at all using the same servers and UDP 443 port that I have tried to set up my pF=fSense box with

As such I can't see it is a problem at their end, more the pfSense setup?

At the time of this problem I was using the same subnet for WAN and LAN, and wonder if it might be part of the problem?

I now have WAN and LAN on seperate subnets now, and will try again

Offline sysfu

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #142 on: December 08, 2014, 01:01:47 pm »
Yes, typically the IP address assigned to each interface must be on a different network or subnet. That's how the router is able to determine which interface the packet should be forwarded to. If both interfaces are on the same network, it doesn't know how to decide between the two.

Think if you were tasked with delivering a package to an office to a person there named "Charlie". When you get to the office, you find out where are two people named "Charlie".

How would you be able to decide definitively on which desk the package should ultimately go? You wouldn't without more info.

Offline clevoir

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #143 on: December 13, 2014, 04:28:52 am »
I have just found that AirVPN block all conections on UDP ports where a proxy is used. as I am using Snort, Squid and Clam AV I guess that this will be why I can't get a connection as I was uisng UDP port 443

I am to try agian using TCP ports but appreciate that the connection speed might be slower

Offline clevoir

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #144 on: December 14, 2014, 06:59:42 am »
This morning I tried again using AirVPn TCP 443 and 80 settings and still can't get an internet connection.

Log is:-

Dec 14 10:11:50    openvpn[11670]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Dec 14 10:11:50    openvpn[11670]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Dec 14 10:11:50    openvpn[11670]: /sbin/ifconfig ovpnc1 10.5.14.90 10.5.14.89 mtu 1500 netmask 255.255.255.255 up
Dec 14 10:11:50    openvpn[11670]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1559 10.5.14.90 10.5.14.89 init
Dec 14 10:11:50    openvpn[11670]: /sbin/route add -net 37.48.81.11 192.168.2.1 255.255.255.255
Dec 14 10:11:50    openvpn[11670]: /sbin/route add -net 0.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50    openvpn[11670]: /sbin/route add -net 128.0.0.0 10.5.14.89 128.0.0.0
Dec 14 10:11:50    openvpn[11670]: /sbin/route add -net 10.5.0.1 10.5.14.89 255.255.255.255
Dec 14 10:11:50    openvpn[11670]: Initialization Sequence Completed
Dec 14 10:13:52    openvpn[11670]: Connection reset, restarting

Dec 14 10:13:52    openvpn[11670]: SIGUSR1[soft,connection-reset] received, process restarting
Dec 14 10:13:52    openvpn[11670]: Restart pause, 5 second(s)
Dec 14 10:13:57    openvpn[11670]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 14 10:13:57    openvpn[11670]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Dec 14 10:13:57    openvpn[11670]: Attempting to establish TCP connection with [AF_INET]37.48.81.11:443 [nonblock]
Dec 14 10:13:58    openvpn[11670]: TCP connection established with [AF_INET]37.48.81.11:443
Dec 14 10:13:58    openvpn[11670]: TCPv4_CLIENT link local (bound): [AF_INET]192.168.2.200
Dec 14 10:13:58    openvpn[11670]: TCPv4_CLIENT link remote: [AF_INET]37.48.81.11:443
Dec 14 10:13:58    openvpn[11670]: TLS: Initial packet from [AF_INET]37.48.81.11:443, sid=7f752825 a08fa24f
Dec 14 10:13:58    openvpn[11670]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Dec 14 10:13:58    openvpn[11670]: Validating certificate key usage
Dec 14 10:13:58    openvpn[11670]: ++ Certificate has key usage 00a0, expects 00a0
Dec 14 10:13:58    openvpn[11670]: VERIFY KU OK
Dec 14 10:13:58    openvpn[11670]: Validating certificate extended key usage
Dec 14 10:13:58    openvpn[11670]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 14 10:13:58    openvpn[11670]: VERIFY EKU OK
Dec 14 10:13:58    openvpn[11670]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Dec 14 10:14:02    openvpn[11670]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02    openvpn[11670]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02    openvpn[11670]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 14 10:14:02    openvpn[11670]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 14 10:14:02    openvpn[11670]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Dec 14 10:14:02    openvpn[11670]: [server] Peer Connection Initiated with [AF_INET]37.48.81.11:443
Dec 14 10:14:04    openvpn[11670]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 14 10:14:04    openvpn[11670]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.5.0.1,comp-lzo no,route 10.5.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.5.14.90 10.5.14.89'
Dec 14 10:14:04    openvpn[11670]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 14 10:14:04    openvpn[11670]: OPTIONS IMPORT: LZO parms modified
Dec 14 10:14:04    openvpn[11670]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 14 10:14:04    openvpn[11670]: OPTIONS IMPORT: route options modified
Dec 14 10:14:04    openvpn[11670]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 14 10:14:04    openvpn[11670]: Preserving previous TUN/TAP instance: ovpnc1
Dec 14 10:14:04    openvpn[11670]: Initialization Sequence Completed
Dec 14 10:16:19    openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:16:19    openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:16:19    openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:16:19    openvpn[11670]: MANAGEMENT: Client disconnected
Dec 14 10:26:19    openvpn[11670]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 14 10:26:19    openvpn[11670]: MANAGEMENT: CMD 'state 1'
Dec 14 10:26:19    openvpn[11670]: MANAGEMENT: CMD 'status 2'
Dec 14 10:26:19    openvpn[11670]: MANAGEMENT: Client disconnected

Adanced Configurations in OpenVPN client are

 

remote-cert-tls server;verb 3;key-direction 1;auth SHA1;keysize 256;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;persist-tun; persist-key

 
Firewire NAT Outgoing rules have been set to Manual Outbound NAT rule generations, but no addtional rules have been set up.

 
LAN Firewire rules are set as:-

Action=Pass

Interface=LAN

TCP/IP Version=IP4v

Proticol=any

Source=LAN net

Destrination=any

Gateway = AirVPN gateway (Dynamic)

Note that I have edited the Default allow LAN to any rule settings to the above
 
Dashboard Settings show an AirVPN connection 10.5.14.90 in green

AirVPN Gateway settings show gateway 10.5.14.89 Monitor 10.4.0.1. in green


Offline irj972

  • Jr. Member
  • **
  • Posts: 63
  • Karma: +3/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #145 on: December 14, 2014, 07:32:11 am »
Im not sure its related but a couple of things worth checking.

Check WAN interface is set to Active but type = none and LAN is set yo your subnet of choice.
Do not set your WAN address to a private range, i.e 192.168.x.x.
Also I noticed your routing screenshot doesn't show a default route, this should be WAN_DHCP.
Ive attached a shot of my NAT rules too, hopefully these don't add to your confusion as I have a lot more interfaces as well as some VPN_LAN -> non VPN output rules but you'll get the idea if you take the time to read it.
AirVPN works fine with UDP and proxies like squid etc so suspect you have a weird config somewhere back up the chain, moving to TCP isn't going to help I suspect.

Take your time, go through the AirVPN guide step by step and verify at each stage you are seeing the expected behaviors, i.e can you Ping / DNS lookup at the interim stages.
« Last Edit: December 14, 2014, 07:45:26 am by irj972 »

Offline clevoir

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #146 on: December 14, 2014, 10:29:46 am »
I got it working now, I was missing an Outgoing NAT rule for the VPN gateway

Thanks for you help