pfSense Support Subscription

Author Topic: How to create an OpenVPN client to StrongVPN  (Read 173488 times)

0 Members and 1 Guest are viewing this topic.

Offline Bergling

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #45 on: September 12, 2011, 01:45:45 pm »
The build is 2.0-RC3 (i386)
built on Tue Jun 21 16:50:25 EDT 2011

I don't know if it will help, but here are the route table:


The 148.160.*.* range is my WAN ip/gateway


Can I do something from my pfsense box if I SSH into it? Like pinging or perform dns lookups to try to resolve it?


edit: Just tried to do a traceroute in the pfsense shell by using SSH. But I'm unable to find any route!
On a client PC connected to the pfsense box, traceroute works perfectly. Seems strange...
« Last Edit: September 12, 2011, 02:28:39 pm by Bergling »

Offline Bergling

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #46 on: September 14, 2011, 03:28:14 pm »
More updates (forgive me if I seem desperate, just want go get it working):

I'm just a newbie when it comes to unix-like systems, but I've been searching the net for different suggestions, and just wanted to share some findings, so that maybe we can get closer to a solution.

I tried using tcpdump on my vpn interface, and saw dns traffic. Maybe not that strange, but since i tried adding a dns server on the VPN gateway, this means that some traffic gets routed out my vpn connection. Just not the traffic I want:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc1, link-type NULL (BSD loopback), capture size 96 bytes
22:17:29.877110 IP 10.8.0.86.16951 > 8.8.8.8.53: 39536+ A? www.fritidsresor.se. (37)
22:17:29.877304 IP 10.8.0.86.16951 > 98.158.112.6.53: 39536+ A? www.fritidsresor.se. (37)
22:17:30.325436 IP 10.8.0.86.34056 > 8.8.8.8.53: 25217+[|domain]
22:17:30.325540 IP 10.8.0.86.34056 > 98.158.112.6.53: 25217+[|domain]
22:17:33.439298 IP 10.8.0.86.13739 > 8.8.8.8.53: 58026+ A? p4web.freebsd.org. (35)
22:17:33.439465 IP 10.8.0.86.13739 > 98.158.112.6.53: 58026+ A? p4web.freebsd.org. (35)
22:17:33.440737 IP 10.8.0.86.48344 > 8.8.8.8.53: 30409+ A? forums.freebsd.org. (36)
22:17:33.441609 IP 10.8.0.86.48344 > 98.158.112.6.53: 30409+ A? forums.freebsd.org. (36)
22:17:33.442590 IP 10.8.0.86.59308 > 8.8.8.8.53: 39845+ A? cvsweb.freebsd.org. (36)
22:17:33.442809 IP 10.8.0.86.59308 > 98.158.112.6.53: 39845+ A? cvsweb.freebsd.org. (36)
22:17:33.489111 IP 10.8.0.86.32009 > 8.8.8.8.53: 52364+ A? security.freebsd.org. (38)
22:17:33.489530 IP 10.8.0.86.32009 > 98.158.112.6.53: 52364+ A? security.freebsd.org. (38)
22:17:33.491161 IP 10.8.0.86.46316 > 8.8.8.8.53: 29314+ A? svn.freebsd.org. (33)
22:17:33.491205 IP 10.8.0.86.46316 > 98.158.112.6.53: 29314+ A? svn.freebsd.org. (33)
22:17:33.524131 IP 10.8.0.86.45570 > 8.8.8.8.53: 6443+ A? wiki.freebsd.org. (34)

By this I draw the conclusion that this must be some sort of routing problem. Does anyone agree?

The question is just exactly what is wrong?

Offline Bergling

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #47 on: September 16, 2011, 02:27:33 am »
Even more updates.

I solved the ping issue by disabling the OpenVPN client, and then the new default route (0.0.0.0/1 10.8.0.85) was removed and I could ping freeley using my ISP gateway.

From my perspective it all seems like I don't get any incoming packets in return from the VPN connection, but I still need to verify this with StrongVPN, but I seem to be able to route packets out on the VPN interface.


Offline pfSensoryOverload

  • Full Member
  • ***
  • Posts: 116
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #48 on: September 16, 2011, 05:08:08 pm »
How can I configure pfSense to only route traffic through the VPN? Meaning if the VPN goes down, you cannot get out to the internet, only pfSense can to re-connect the VPN.
I assumed that the LAN rule that was created forcing traffic through the VPN gateway would take care of this, but testing shows that is not in fact the case and a bad assumption. I get routed out through my ISP for some reason, even though the only rule that exists is the LAN to Any through VPN Gateway. What am I missing?

I also figured out the answer to my previous DNS leaking question. In System > General Setup I configured 3 DNS servers, the first 2 with the gateway set to VPN and the third with gateway set to none. Through wireshark I am able to verify that my dns lookups do not get routed out my ISP configured like this, but rather through the VPN. If I change the third DNS server to WAN gateway then all my DNS does go out ISP gateway and is thus leaked. So to recap a little, you have to have at least 1 DNS server set to none so that your VPN can lookup the DNS name you have configured for your vpn, otherwise you won't be able to connect. Also any aliases you have configured as hostnames will be looked up through your ISP gateway, just FYI.

Offline kmitche

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #49 on: September 19, 2011, 04:10:30 pm »
I am trying to set up an OpenVPN connection to my StrongVPN account using  pfSense 2.0 release. While I had success with earlier 2.0-RC3 builds, I have been unable to get the system to work with the release build.

I can connect to StrongVPN using a Mac and a Windows machine, so I am pretty sure that the problem is with my pfSense configuration.

I can establish a connection to StrongVPN but as soon as the connection is made, I lose the ability to connect to the internet with a browser.  I seem to have issues similar to those of Bergling.

When I am connected to the StrongVPN server (the dashboard shows the VPN gateway as being up), the gateway status window shows the VPN gateway offline. Traffic logs show outbound traffic but nothing inbound. The firewall seems to be blocking all inbound connections per the firewall log. When I shut off the OpenVPN client, internet access is restored.

Offline ericab

  • Full Member
  • ***
  • Posts: 207
  • Karma: +1/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #50 on: September 19, 2011, 04:13:50 pm »
Quote
The firewall seems to be blocking all inbound connections per the firewall log. When I shut off the OpenVPN client, internet access is restored.


just so i understand fully, you actually checked the log and noticed this or is this an assumption ?
if so, can you copy/paste the logs for the openvpn client and related firewall logs ? remember to remove personal IP information.

thanks

Offline kmitche

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #51 on: September 19, 2011, 05:57:15 pm »
Thanks for the quick response. I did check but the assumption is that I can accurately describe and interpret what I see.  ;D  I'll get the snapshots to you later. Shall I post or PM?

Offline kmitche

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #52 on: September 19, 2011, 08:10:53 pm »
Quote
The firewall seems to be blocking all inbound connections per the firewall log. When I shut off the OpenVPN client, internet access is restored.


just so i understand fully, you actually checked the log and noticed this or is this an assumption ?
if so, can you copy/paste the logs for the openvpn client and related firewall logs ? remember to remove personal IP information.

thanks

I have internet access if I disable the OpenVPN client. At that point the Opt1 gateway goes online and I can connect to the internet. The pfSense install is fresh with no additions save for time and LAN configuration.

Offline mlimo

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #53 on: September 23, 2011, 08:51:19 pm »
I am trying to set up an OpenVPN connection to my StrongVPN account using  pfSense 2.0 release. While I had success with earlier 2.0-RC3 builds, I have been unable to get the system to work with the release build.

I can connect to StrongVPN using a Mac and a Windows machine, so I am pretty sure that the problem is with my pfSense configuration.

I can establish a connection to StrongVPN but as soon as the connection is made, I lose the ability to connect to the internet with a browser.  I seem to have issues similar to those of Bergling.

When I am connected to the StrongVPN server (the dashboard shows the VPN gateway as being up), the gateway status window shows the VPN gateway offline. Traffic logs show outbound traffic but nothing inbound. The firewall seems to be blocking all inbound connections per the firewall log. When I shut off the OpenVPN client, internet access is restored.

I have been experiencing the same issues.

I have this morning been playing around with it, but not made any real headway either.

To re-iterate, i have created the Strong VPN OpenVPN connection as per the initial post in this thread.
I can see it connect watching the openVPN logs.
If I dont modify the Interface to DHCP, i can ping the address that I can ping the IP address i get assigned, and the console shows the IP address.
I cant ping the next hop though.
(I dont however have any internet access at all, even though no routing has been configured)
As soon as i change it to DHCP, i start seeing disconnected messages in the logs for the VPN.

I will capture some log screen shots and post later today when I get back to it.

Offline AuZZZie

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #54 on: September 28, 2011, 12:56:06 am »
Add another one to the list. I've gone over my config 100 times and it is correct. There is something up here.. I have the exact same symptoms as described.

Also using the 2.0 Official release.

Offline ericab

  • Full Member
  • ***
  • Posts: 207
  • Karma: +1/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #55 on: September 28, 2011, 10:23:02 am »
sorry folks i'm just not sure what the issue is. it works just fine for me :/
lets hope one of the devs chimes in with some hints.


untill then, lets try to narrow down the last working build that was working for you. please post the build dates.

Offline mlimo

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #56 on: September 29, 2011, 09:10:23 am »
I didnt find this solution or look into it until the 2.0 full release came out.
It actually coincided with my need to do this :)

I havent ever had it working :(

ericab Does your configuration differ in any way from the steps shown on page one?

Offline ericab

  • Full Member
  • ***
  • Posts: 207
  • Karma: +1/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #57 on: September 29, 2011, 10:35:58 am »
ericab Does your configuration differ in any way from the steps shown on page one?

mlimo; no it doesnt, im the author of that how-to

Offline AuZZZie

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #58 on: September 29, 2011, 02:03:55 pm »
ericab what version are you running? I'm considering downgrading. Something is clearly broken/changed in 2.0 Final.

Offline ericab

  • Full Member
  • ***
  • Posts: 207
  • Karma: +1/-0
    • View Profile
Re: How to create an OpenVPN client to StrongVPN
« Reply #59 on: September 29, 2011, 07:42:25 pm »
im running 2.0 RELEASE, but ive been updating weekly for about 6 months now. i wonder if it makes the difference that some of you did a fresh install of 2.0 RELEASE, vs updating...