Author Topic: How to create an OpenVPN client to StrongVPN  (Read 173343 times)

smirta
Re: How to create an OpenVPN client to StrongVPN
« Reply #15 on: March 09, 2011, 04:00:59 pm »
Better performance & policy routing

Performance
I am using pfSense 2.0 RC1. In my case the settings below in the "Advanced Configuration" field of the OpenVPN connection tab result in a more stable connection:
Code:
verb 4;mute 5;tun-mtu 1500;route-method exe;route-delay 2;explicit-exit-notify 2;fragment 1300;mssfix 1450;
With these I can stream a lot more stably.

On the other hand I was interested in tunneling some clients to some IP addresses. It was quite an operation. I followed the guide above (thanks a lot to the author!) except the "all traffic through VPN" part.

Then I added a firewall rule to the LAN interface for a specific IP address to be routed through the OpenVPN. I figured out that after some time everything went through the WAN or through the VPN gateway (can't remember exactly which one). Additionally, NAT didn't work as expected.


Fix NAT
I turned NAT off and added it manually. Firewall -> NAT -> Outbound: add two entries there.
Code:
Interface:    WAN
Source:       CIDR of your LAN (e.g. 192.168.1.0/24)
Description:  LAN -> WAN (or anything you want)
Code:
Interface:    VPN
Source:       CIDR of your LAN (e.g. 192.168.1.0/24)
Description:  LAN -> OpenVPN (or anything you want)


Fix rules/gateways
After this NAT was working again. But there was still the problem with the routing of all traffic through one or the other interface. Somehow it was ignoring my rule. After some gambling around with the settings I was pretty surprised that "default" as gateway doesn't seem to work as expected. So I added a specific gateway to all rules. Now everything is working as expected. *phew*

My "Default allow LAN to any" rule now looks like this:
Code:
* LAN net * * * WAN
For example, if you want to route the client 192.168.1.5 through the VPN you have to add the following line above the default rule:
Code:
* 192.168.1.5 * * * VPN

I hope this helps and is no complete bullshit. I'm an absolute newbie to pfsense.
« Last Edit: March 09, 2011, 04:04:28 pm by smirta »

ericab
Re: How to create an OpenVPN client to StrongVPN
« Reply #16 on: March 09, 2011, 06:14:00 pm »
hi smirta;

these additional options are specific to Windows only.
I would suggest removing them.

route-method exe
mssfix 1450

smirta
Re: How to create an OpenVPN client to StrongVPN
« Reply #17 on: March 10, 2011, 06:18:50 am »
Thanks for the input (and the great tutorial btw), Eric. I'll have a closer look at the options.

cmb (Chris Buechler)
Re: How to create an OpenVPN client to StrongVPN
« Reply #18 on: March 18, 2011, 09:26:23 pm »
Quote from: smirta on March 09, 2011, 04:00:59 pm
I hope this helps and is no complete bullshit. I'm an absolute newbie to pfsense.

That's ok for your typical home setup, but what you're actually doing there is overriding the fact that StrongVPN is pushing you a default route and modifying your firewall's routing table so it sends everything over the VPN (unless you override it with policy routing as you're doing). That will cause a number of issues with more advanced setups, as it's going to default to sending traffic initiated from the firewall out of the VPN which is usually going to be undesirable.
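smirta's observation that a rule with gateway "default" did not behave as expected, and cmb's explanation that the provider pushes a default route into the firewall's routing table, can be modelled together in a few lines. This is an added example, not pfSense code or anything posted in the thread; the routing table, the host addresses and the /1 "redirect-gateway def1" style of pushed route are assumptions used for illustration.

```python
# Added model of pfSense first-match policy routing versus the system routing
# table. Not pfSense code; addresses and routes are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed routing table after the VPN provider pushes a default route in
# the usual OpenVPN "redirect-gateway def1" style: two /1 routes via the VPN
# outrank the ISP's /0 default by longest-prefix match. (Assumed, not from the thread.)
ROUTES_PUSHED = [("0.0.0.0/1", "VPN"), ("128.0.0.0/1", "VPN"), ("0.0.0.0/0", "WAN")]
ROUTES_NO_PUSH = [("0.0.0.0/0", "WAN")]

def route_lookup(dst, routes):
    """Longest-prefix match, as a kernel routing table would do it."""
    matches = [(ip_network(net), gw) for net, gw in routes if ip_address(dst) in ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def select_gateway(src, dst, rules, routes):
    """pfSense-style first-match rule evaluation; rules are (source_cidr, gateway).
    A gateway of "default" defers to the routing table; any other value is policy routing."""
    for source, gateway in rules:
        if ip_address(src) in ip_network(source):
            return route_lookup(dst, routes) if gateway == "default" else gateway
    return None  # nothing matched: the implicit default deny would drop it

LAN = "192.168.1.0/24"
# smirta's working rule set: host rule above the catch-all, explicit gateways on both.
RULES_EXPLICIT = [("192.168.1.5/32", "VPN"), (LAN, "WAN")]
# The earlier attempt: catch-all left on "default", so it follows the routing table.
RULES_DEFAULT_GW = [("192.168.1.5/32", "VPN"), (LAN, "default")]
# Wrong order: the catch-all shadows the host rule, which is never reached.
RULES_SHADOWED = [(LAN, "WAN"), ("192.168.1.5/32", "VPN")]

if __name__ == "__main__":
    dst = "203.0.113.10"  # RFC 5737 documentation address standing in for an internet host
    for name, rules in (("explicit", RULES_EXPLICIT), ("default-gw", RULES_DEFAULT_GW),
                        ("shadowed", RULES_SHADOWED)):
        for host in ("192.168.1.5", "192.168.1.20"):
            print(f"{name:10} {host:13} -> {select_gateway(host, dst, rules, ROUTES_PUSHED)}")
```

With the pushed route present, the "default-gw" rule set sends every LAN host out the VPN, which is the behaviour cmb describes and the reason the explicit WAN gateway fixes it.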

smirta
Re: How to create an OpenVPN client to StrongVPN
« Reply #19 on: March 22, 2011, 03:20:54 pm »
Thanks for your reply. As I updated to the latest snapshot everything became obsolete. You just have to follow the initial guide, disable the "automatic outbound NAT" (it will fill in the rules done so far) and modify the rules described as in my post above.

yu130960
Re: How to create an OpenVPN client to StrongVPN
« Reply #20 on: April 07, 2011, 10:20:52 am »
Quote from: smirta on March 22, 2011, 03:20:54 pm
Thanks for your reply. As I updated to the latest snapshot everything became obsolete. You just have to follow the initial guide, disable the "automatic outbound NAT" (it will fill in the rules done so far) and modify the rules described as in my post above.

I have come back after some time away, but this remains an issue for me. Glad to hear that you have had some success, just wanted to get clarification on your current set up under the latest snapshot. Which of the above posts should I look to to establish a StrongVPN connection for only 1 specific internal IP with all the other IPs going through the default gateway?

Thanks
« Last Edit: April 09, 2011, 05:32:02 pm by yu130960 »

ericab
Re: How to create an OpenVPN client to StrongVPN
« Reply #21 on: April 07, 2011, 12:32:38 pm »
hi yu130960;

A) go to Firewall --> Rules

B) select the LAN tab.

C) add a new rule with the following:

D) click save and you're done

***Edit
I've fixed an error.
« Last Edit: April 09, 2011, 07:29:14 pm by ericab »

yu130960
Re: How to create an OpenVPN client to StrongVPN
« Reply #22 on: April 09, 2011, 05:34:36 pm »
Thanks post #1 and #15 solved my issue and I am up and running.

I had to make the rule put the target IP in the source box, not the destination, and then it worked.

It took a while, but it is great to see it work.

Thanks to all in the thread.

Arisian
Re: How to create an OpenVPN client to StrongVPN
« Reply #23 on: May 21, 2011, 11:45:27 am »
Hey guys,

I hate to drag this post out of the depths - it's better than starting a new thread when this is exactly the topic I need help w/, but I'm dying here.  I've been using pfsense boxes for about 4 years but that, by no means, should be read to suggest that I know what I'm doing.  I know very little, unfortunately and what I do know is probably wrong.

I've followed this exact tutorial before w/ success, but I think some things have changed in recent releases causing me to...basically, have to make changes to things I don't really understand.  I am using 2.0-RC2 (i386) - Built on May 18th.

Here's the basic situation.  I live in China and have 5 VPN accounts for business purposes as well as getting anything done here.  3 Are specifically for work in different locations and 2 are for play and backup.  One of those is an OpenVPN account w/ StrongVPN.

My home network looks like the following:

A pfSense box built around 5 NICs, each separating an area in my home

 - 1 WAN Nic
 - 1 LAN Nic (my office computer)
 - 1 Wifi Nic, dedicated to a wireless router - DD-WRT
 - 1 Media - goes to my tv an entertainment system
 - 1 VOIP - use a voip phone/adapter for business.  DMZ'd basically...


I know that seems like overkill, but I really like to dedicate the NICs to each work area/task and I can really see the separation when it comes to data usage - plus I like to keep track of what the Chinese government is doing to my network.

My Media section of the house is really where I'm dying. I have an Xbox, AppleTV, Computer, Wii all attached to a Hub that all goes into the media NIC. Needless to say, to really be able to use these gaming and entertainment boxes, I really need these all to be connected to a VPN. Thus this tutorial. I'd like to keep the other segments off the VPN because I have PPTP accounts that I use for my 3 home computers that are much faster.

So here's where I'm having issues. I follow this tutorial to a T, get the VPN to connect, set up the firewall rule to pass the VPN data to the WAN data, just like is mentioned in the tutorial... and nothing! I set the VPN up as a DHCP interface like the review asks for but I still get NOTHING across the board. At the point I'm not even connected to the WAN. I don't have any firewall rules in front of the VPN gateway rule. I'm at a complete loss here after trying to fix this for the last 6 hours.

I fear it has a lot to do w/ the NAT settings.

I've attached screenshots of my setup. Just as an FYI, I'm testing it out on the WIFI NIC here; I've done the exact same setup on the LAN NIC. Also, under NAT, AON (Manual Outbound NAT rule generation) is on.

Guys, I'd really appreciate some help with this  :).  Any thoughts on what I'm doing wrong?

If I need to clarify anything, please let me know. I tried to stuff what I could into this post, but it's 1am here and I'm sure I missed something.

Also, I can get the VPN to connect but I have to use BF-CBC (128-bit) encryption to make it work - I'd prefer no encryption since this really is just for a media center to get the US IP address so I can download games, watch Netflix, etc. Does anyone know how to do this... or could point me in the correct direction?

Very much appreciate your help!!!
http://www.brianhirschy.com/vpn/1.png
http://www.brianhirschy.com/vpn/2.png
http://www.brianhirschy.com/vpn/3.png
http://www.brianhirschy.com/vpn/4.png

« Last Edit: May 21, 2011, 12:05:52 pm by Arisian »

ericab
Re: How to create an OpenVPN client to StrongVPN
« Reply #24 on: May 21, 2011, 09:29:16 pm »
hi Arisian;

First, I see you mentioned you're using a HUB on your MEDIA NIC... if you're really using a HUB, you should seriously consider updating to a switch, but...
As for your VPN issue, can you go back to my tutorial and see the "**edit - March 9 2011**" note at the bottom? I believe that will fix you right up; if not please report back and I or someone else will gladly assist you. (Also check and *make sure* the StrongVPN device is using TUN mode.)

Arisian
Re: How to create an OpenVPN client to StrongVPN
« Reply #25 on: May 21, 2011, 10:29:33 pm »
Quote from: ericab on May 21, 2011, 09:29:16 pm
hi Arisian;

First, I see you mentioned you're using a HUB on your MEDIA NIC... if you're really using a HUB, you should seriously consider updating to a switch, but...
As for your VPN issue, can you go back to my tutorial and see the "**edit - March 9 2011**" note at the bottom? I believe that will fix you right up; if not please report back and I or someone else will gladly assist you. (Also check and *make sure* the StrongVPN device is using TUN mode.)

Hi Ericab,

Thanks so much for your response. A few comments:

First, it is a switch - sorry, wasn't accurate on that.
Second - I got it to forward over the VPN w/ your suggestions! Thanks so much. Not sure why it worked THIS time and not the other times, but it's working great. Now to set up my DNS forwarding and so on.

All other settings are just like you posted.

One last question:
The configuration you have listed here is for using some simple encryption and security on the OpenVPN setup. Is there a way to make this work w/ using very little encryption or NO encryption so that I can just get the US IP address, and not worry about security w/ my entertainment system? Any thoughts you have on that would be much appreciated.


Again, thanks for your reply! Very eager to get this working.
Brian

« Last Edit: May 21, 2011, 10:39:01 pm by Arisian »

ericab
Re: How to create an OpenVPN client to StrongVPN
« Reply #26 on: May 21, 2011, 10:57:18 pm »
Brian;
During the negotiation process you and the server decide what methods are acceptable.
Since the whole point of using StrongVPN (OpenVPN) is to encrypt your traffic over an insecure public internet, you're going to be stuck with an encrypted payload.

What would be the reason you'd want to use "very little encryption"?
There are of course proven weak algorithms, but it's still encrypted and protected from casual viewing of a packet dump, if this is what you'd want to accomplish (monitoring employees/family members).
Are you worried about CPU usage of the encryption process or...? Maybe you're on a high bandwidth link and your PC can't cope with the load?
In either of those cases your solution is a hardware upgrade.

Arisian
Re: How to create an OpenVPN client to StrongVPN
« Reply #27 on: May 22, 2011, 12:56:02 am »
Totally understand w/ the encryption point. StrongVPN's service does include a port 443/8080 non-compressed, non-encrypted option which should be the fastest. Of course, they are using a TCP option, which might not be as fast. The only point for me is to skirt around the GeoIP issues that come w/ using services like Xbox Live, Hulu & Netflix, which is the main point of my entertainment center.

The rest of the house is on a highly encrypted line that I use for work. These superfluous (Xbox, etc.) items simply need to be the fastest they possibly can. Unfortunately I'm on a really crappy Chinese connection that maxes out at 600 kb/sec and generally runs in the 400-500 kb/sec range, which, despite how it may sound, is extremely fast for where I live (think middle of nowheresville China).

I'm running my pfSense on a 2.4 GHz Intel box.

2CaP
Re: How to create an OpenVPN client to StrongVPN
« Reply #28 on: June 14, 2011, 07:41:18 am »
This guide is great. Easy to follow. Everything you want in a guide.

However I can't get the connection to establish properly. I have this config in place on a 2.0 RC2 box.

I have worked with IPsec in the past but am relatively new to OpenVPN.

My reason to implement this is to circumvent geo tagging / the anonymity they provide. I have tested Private Internet Access (User/Pass Auth) access via my PCs & it works great at that level. I haven't tried to implement it on the 2.0 RC2 box.

I decided to go with StrongVPN on the 2.0 RC2 box due to the great detail in the guide & the great feedback it has received.

BTW - This is a fresh install with no additional packages, firewall rules or other vpns running.

Here is my log...

Jun 14 08:13:55    openvpn[42636]: Restart pause, 2 second(s)
Jun 14 08:13:57    openvpn[42636]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 14 08:13:57    openvpn[42636]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 14 08:13:57    openvpn[42636]: Re-using SSL/TLS context
Jun 14 08:13:57    openvpn[42636]: Control Channel MTU parms [ L:1545 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jun 14 08:13:57    openvpn[42636]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jun 14 08:13:57    openvpn[42636]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:4 ET:0 EL:0 ]
Jun 14 08:13:57    openvpn[42636]: Fragmentation MTU parms [ L:1545 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Jun 14 08:13:57    openvpn[42636]: Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jun 14 08:13:57    openvpn[42636]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jun 14 08:13:57    openvpn[42636]: Local Options hash (VER=V4): '885414e3'
Jun 14 08:13:57    openvpn[42636]: Expected Remote Options hash (VER=V4): '8bcc3b84'
Jun 14 08:13:57    openvpn[42636]: UDPv4 link local (bound): [AF_INET]myip:50211
Jun 14 08:13:57    openvpn[42636]: UDPv4 link remote: [AF_INET]strongvpnip:4672
Jun 14 08:14:57    openvpn[42636]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 14 08:14:57    openvpn[42636]: TCP/UDP: Closing socke

Thanks in advance for your Replies...

2CaP
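A small triage pass over a log of this shape, added here as an example and not code from the thread, from pfSense or from OpenVPN. It pulls the negotiated options out of the Local Options String, flags the missing server-certificate verification as the exposure it is rather than noise, and tells "never handshook, then --ping-restart" apart from a session that actually came up; the log lines are a constructed sample modelled on 2CaP's post, and the listed causes are common OpenVPN failure modes, not a diagnosis of that specific box.

```python
# Added triage helper for an OpenVPN client log of the shape 2CaP posted. Not pfSense
# or OpenVPN code. The sample is constructed, with the endpoint redacted as in the post.
import re

SAMPLE_LOG = """\
Jun 14 08:13:57 openvpn[42636]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 14 08:13:57 openvpn[42636]: Local Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jun 14 08:13:57 openvpn[42636]: UDPv4 link remote: [AF_INET]strongvpnip:4672
Jun 14 08:14:57 openvpn[42636]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 14 08:14:57 openvpn[42636]: TCP/UDP: Closing socket
"""

OPTIONS_RE = re.compile(r"Local Options String: '([^']*)'")

def parse_options(options_str):
    """Turn 'cipher BF-CBC,auth SHA1,tls-auth,...' into a dict; bare flags map to True."""
    result = {}
    for item in options_str.split(","):
        key, _, value = item.partition(" ")
        result[key] = value or True
    return result

def triage(log_text):
    """Collect the facts a reviewer would pull from one connection attempt."""
    f = {"server_cert_unverified": False, "handshake_completed": False,
         "ping_restart": False, "options": {}}
    for line in log_text.splitlines():
        if "No server certificate verification method" in line:
            f["server_cert_unverified"] = True
        elif "Initialization Sequence Completed" in line:
            f["handshake_completed"] = True
        elif "Inactivity timeout (--ping-restart)" in line:
            f["ping_restart"] = True
        else:
            m = OPTIONS_RE.search(line)
            if m:
                f["options"] = parse_options(m.group(1))
    return f

def diagnose(f):
    """Map the findings to plain-language causes (common OpenVPN failure modes, not thread-specific)."""
    notes = []
    if f["server_cert_unverified"]:
        notes.append("server certificate not verified: install the provider CA and enable server checking (e.g. remote-cert-tls server); as configured the tunnel is open to MITM")
    if f["ping_restart"] and not f["handshake_completed"]:
        notes.append("TLS handshake never completed before --ping-restart: server unreachable on that port/proto, UDP filtered, or tls-auth HMAC mismatch (wrong key or key direction) dropping packets silently")
    if f["options"].get("cipher") == "BF-CBC":
        notes.append("BF-CBC is a 64-bit block cipher (SWEET32 class); prefer an AES cipher if the server offers one")
    return notes
```

Run `diagnose(triage(SAMPLE_LOG))` to get the three notes; a log containing "Initialization Sequence Completed" and none of the warnings yields an empty list.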

ericab
Re: How to create an OpenVPN client to StrongVPN
« Reply #29 on: June 15, 2011, 03:22:46 pm »
hi 2CaP;

2 things:

what is the build date of your 2.0 RC2?

also, will you paste your "Advanced Configuration" options here ? (the very bottom of the OpenVPN Client page).