
Author Topic: Tutorial: Configuring pfSense as VPN client to Private Internet Access  (Read 198484 times)


Offline humungus

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #285 on: July 13, 2016, 06:24:59 am »
We're not limited to AES-128 and a 2048-bit cert; higher values (256 and 4096) are supported already, see https://forum.pfsense.org/index.php?topic=103934.msg634754#msg634754

These strong settings are available on UDP port 1197 and on TCP port 501 (at least).

Cool, I'm using it now with aes-256 and port 1197, as stated as the default in the OpenVPN file. This appears to be a new CA as well, although it was made quite a while ago. Can you verify, as I wasn't using it before? Valid From: Thu, 17 Apr 2014 10:40:33 -0700 Valid Until: Wed, 12 Apr 2034 10:40:33 -0700

https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
« Last Edit: July 13, 2016, 06:55:39 am by humungus »

Offline mhertzfeld

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #286 on: July 14, 2016, 05:31:35 pm »
The cert contained within the compressed file you linked to has been out for a while.  I've been using it for 4 months or more.

Offline killerb81

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #287 on: July 18, 2016, 11:01:29 am »
I'm wondering if someone can help clear up some confusion I'm having... that being said, my PIA is set up and working fine in pfSense.
My question is regarding some confusion with CA / certificate setup.

In this post on the PIA forums:  https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

They say to:

Quote
Certificate Setup
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "CAs"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Descriptive name" type in "PIA-internal-CA"
    - "Method" select "Create an internal Certificate Authority"
    - "Key length" use "2048" bits
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" = internal-ca
Now click "Save"


System: Certificate Manager
=====================
    - Click "System"
    - Click "Cert Manager"
    - Click "Certificates"
    - Click "add or import ca" (icon is a "+" symbol on a small lined sheet of paper)
    - "Method:" select "Create an internal Certificate"
    - "Descriptive name" type in "PIA-Certificate"
    - "Key length" use "2048" bits   
    - "Digest Algorithm" use "SHA256"
    - "Lifetime" type in "3650" days (10 years)
    - "Country Code :" (your choice)
    - "State or Province :" (your choice, can be invalid data)
    - "City :" (your choice, can be invalid data)
    - "Organization :" (your choice, can be invalid data)
    - "Email Address :" (your choice, can be invalid data)
    - "Common Name :" type in "PIA-Certificate"
Now click "Save"

In this post in the pfSense forums, it makes no mention of these two steps... no need to make an internal CA (not clear on what that is)... and apparently no need to add a certificate.
So, what are these two extra steps for that are listed in the PIA forums?

Also, when adding a client, both posts agree that:
"Client Certificate" = "webConfigurator default *In use"

If you follow the guide on the PIA forum, why wouldn't you choose the client certificate that you made in the above two steps that I quoted?
If you're not choosing that, then why even make it (like in the guide posted in this thread)?

Any insight would be lovely... as I also want to set up another VPN (from another provider) in pfSense, but this provider doesn't have any guides for pfSense.
I figure I can use these guides as a template if I understood the difference here.

Anyone?

Thanks!

Offline mhertzfeld

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #288 on: August 13, 2016, 10:26:04 am »
Quote from: killerb81 on July 18, 2016, 11:01:29 am (Reply #287 above, quoted in full)

I am wondering the same thing.

This is what I can figure out with the little research I did. 

With OpenVPN the Client Certificate is used to authenticate the client.  Since PIA is using a Username and Password for authentication, the Client Certificate is ignored.

Here's a quote from the OpenVPN HOWTO documentation.

Quote
Using username/password authentication as the only form of client authentication

By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.

While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:

    client-cert-not-required

Such configurations should usually also set:

    username-as-common-name

which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.


For the Client Cert to work, PIA would need to either:
     1. generate a client certificate for each user account
     2. have each user generate a CSR and submit it to PIA who would return a client certificate to the user

Source: https://openvpn.net/index.php/open-source/documentation/howto.html
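The practical upshot of the quoted HOWTO is a short checklist for a password-authenticated client config: `ca` and `remote-cert-tls server` must stay, `cert`/`key` are dead weight, and the defaults that OpenVPN 2.3 falls back to (BF-CBC, no TLS floor) are worth overriding. The following linter is an added example, not code from the thread, PIA or pfSense; both sample configs are constructed from directives that appear in the thread, and the certificate file names are placeholders.

```python
"""Added example, not code from the thread, PIA or pfSense: lint an OpenVPN
client config that authenticates with a username/password, the way PIA does.

The thread's point is that with password-only auth the server ignores any
client certificate, so no internal CA or client cert is needed, but the `ca`
directive (and `remote-cert-tls server`) must stay so the client can verify
the *server's* certificate.  Both configs below are constructed samples built
from directives that appear in the thread; file names are placeholders.
"""

# Constructed "strong profile" client config (AES-256 on UDP 1197, per the thread).
GOOD_CONFIG = """\
client
dev tun
proto udp
remote us-midwest.privateinternetaccess.com 1197
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.rsa.4096.crt
cipher aes-256-cbc
auth sha256
auth-user-pass
remote-cert-tls server
auth-nocache
tls-version-min 1.2
comp-lzo
verb 1
"""

# Constructed minimal config: it connects, but leaves the OpenVPN 2.3 defaults in place.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote us-midwest.privateinternetaccess.com 1194
ca ca.crt
auth-user-pass
comp-lzo
"""

# Data-channel ciphers to flag; BF-CBC is what OpenVPN 2.3 uses when `cipher` is absent.
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "rc2-cbc", "none"}


def parse_config(text):
    """Return {directive: [args...]} for a flat OpenVPN config ('#'/';' start comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0].lower()] = parts[1:]
    return directives


def lint_client_config(text):
    """Return a list of findings; an empty list means the config passes every check."""
    d = parse_config(text)
    findings = []
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: the provider authenticates by username/password")
    if "ca" not in d:
        findings.append("no ca: the client cannot verify the server certificate")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("no 'remote-cert-tls server': any cert signed by the CA "
                        "could pose as the server")
    cipher = d.get("cipher", ["bf-cbc"])[0].lower()
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak cipher {cipher}: use aes-256-cbc (strong profile, UDP 1197)")
    if "tls-version-min" not in d:
        findings.append("no tls-version-min: the control channel may negotiate TLS 1.0")
    if "auth-nocache" not in d:
        findings.append("no auth-nocache: credentials are kept in memory between reconnects")
    for unneeded in ("cert", "key"):
        if unneeded in d:
            findings.append(f"'{unneeded}' is present but ignored: password-only auth "
                            "does not use a client certificate")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(f"{name}: {lint_client_config(cfg) or ['ok']}")
```

The pfSense GUI writes the equivalent directives itself, so to use this against a real box paste the generated client config (or the Advanced options box plus the fields you set) into `GOOD_CONFIG`; the "Client Certificate" selection from the thread maps to `cert`/`key`, which the linter reports as unused rather than as an error.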

Offline squiggie

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #289 on: August 23, 2016, 04:27:26 pm »
I'm wondering if someone could offer some advice. I just followed this to set up PIA and OpenVPN on my pfSense. My setup is like this:

at&t router --> pfsense box --> wireless AP/switch

I got everything working with the exception of getting the openvpn client to connect via dns name. When I enter in the dns name us-midwest.privateinternetaccess.com, I get the following error in the openvpn connection logs.

Aug 23 09:28:49   openvpn[78359]: ifconfig_pool_persist_refresh_freq = 600
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_base = ::
Aug 23 09:28:49   openvpn[78359]: ifconfig_ipv6_pool_netbits = 0
Aug 23 09:28:49   openvpn[78359]: n_bcast_buf = 256
Aug 23 09:28:49   openvpn[78359]: tcp_queue_limit = 64
Aug 23 09:28:49   openvpn[78359]: real_hash_size = 256
Aug 23 09:28:49   openvpn[78359]: virtual_hash_size = 256
Aug 23 09:28:49   openvpn[78359]: client_connect_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: learn_address_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: client_disconnect_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: client_config_dir = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: ccd_exclusive = DISABLED
Aug 23 09:28:49   openvpn[78359]: tmp_dir = '/tmp'
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_local = 0.0.0.0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_remote_netmask = 0.0.0.0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_defined = DISABLED
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_local = ::/0
Aug 23 09:28:49   openvpn[78359]: push_ifconfig_ipv6_remote = ::
Aug 23 09:28:49   openvpn[78359]: enable_c2c = DISABLED
Aug 23 09:28:49   openvpn[78359]: duplicate_cn = DISABLED
Aug 23 09:28:49   openvpn[78359]: cf_max = 0
Aug 23 09:28:49   openvpn[78359]: cf_per = 0
Aug 23 09:28:49   openvpn[78359]: max_clients = 1024
Aug 23 09:28:49   openvpn[78359]: max_routes_per_client = 256
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_verify_script = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_verify_script_via_file = DISABLED
Aug 23 09:28:49   openvpn[78359]: port_share_host = '[UNDEF]'
Aug 23 09:28:49   openvpn[78359]: port_share_port = 0
Aug 23 09:28:49   openvpn[78359]: client = ENABLED
Aug 23 09:28:49   openvpn[78359]: pull = ENABLED
Aug 23 09:28:49   openvpn[78359]: auth_user_pass_file = '/etc/openvpn-passwd.txt'
Aug 23 09:28:49   openvpn[78359]: OpenVPN 2.3.8 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
Aug 23 09:28:49   openvpn[78359]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Aug 23 09:28:49   openvpn[78359]: WARNING: file '/etc/openvpn-passwd.txt' is group or others accessible
Aug 23 09:28:49   openvpn[78634]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Aug 23 09:28:49   openvpn[78634]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 23 09:28:49   openvpn[78634]: LZO compression initialized
Aug 23 09:28:49   openvpn[78634]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Aug 23 09:28:49   openvpn[78634]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Aug 23 09:28:49   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:49   openvpn[78634]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Aug 23 09:28:49   openvpn[78634]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 23 09:28:49   openvpn[78634]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 23 09:28:49   openvpn[78634]: Local Options hash (VER=V4): '41690919'
Aug 23 09:28:49   openvpn[78634]: Expected Remote Options hash (VER=V4): '530fdded'
Aug 23 09:28:49   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:54   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:59   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known


If I enter in the IP address, it will connect and everything will work. However this isn't acceptable as every couple days the IP address changes.

I've tried setting up my DNS servers to be the at&t router as well as the PIA DNS servers and neither seems to work.

Offline Derelict

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #290 on: August 23, 2016, 08:30:39 pm »
Looks like your firewall can't resolve names. Or at least that name.

What is your DNS configuration in System > General?

Can you resolve names in Diagnostics > DNS Lookup?

When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?
« Last Edit: August 24, 2016, 12:26:39 am by Derelict »
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline squiggie

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #291 on: August 25, 2016, 10:45:33 am »
Quote from: Derelict on August 23, 2016, 08:30:39 pm
Looks like your firewall can't resolve names. Or at least that name.

What is your DNS configuration in System > General?

Can you resolve names in Diagnostics > DNS Lookup?

When you bring up Status > Dashboard does the update checker complete? Can you bring up System > Package Manager and get a list of packages?

DNS is pointing to 209.222.18.218 and 209.222.18.222 and both are using the WAN interface as gateway.

I can resolve names when I connect to the VPN via IP address, but when it's trying to connect via DNS name, it will not resolve. I get...
127.0.0.1   0 msec
209.222.18.218   No response
209.222.18.222   No response

I'm not able to see the update nor see packages when this happens.

Offline Derelict

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #292 on: August 25, 2016, 11:01:52 am »
Quote from: squiggie on August 25, 2016, 10:45:33 am
209.222.18.218   No response
209.222.18.222   No response

Have to figure that out...

Offline johnpoz

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #293 on: August 25, 2016, 11:11:48 am »
;; QUESTION SECTION:
;218.18.222.209.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
218.18.222.209.in-addr.arpa. 300 IN     PTR     resolver2.privateinternetaccess.com.

So you're saying pfSense cannot use them..  Well, pfSense doesn't go out the VPN for its own traffic..

I can use them from non-privateinternetaccess.  Does your normal ISP block/redirect DNS traffic and only allow you to use their DNS?

That FQDN you're trying to connect to resolves just fine

;; QUESTION SECTION:
;us-midwest.privateinternetaccess.com. IN A

;; ANSWER SECTION:
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.87
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.62
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.54
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.80
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.27
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.79
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.20
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.140
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.7
us-midwest.privateinternetaccess.com. 300 IN A  108.61.101.131
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.116
us-midwest.privateinternetaccess.com. 300 IN A  108.61.228.69
us-midwest.privateinternetaccess.com. 300 IN A  104.207.136.9

;; AUTHORITY SECTION:
privateinternetaccess.com. 86400 IN     NS      ns2.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns4.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns3.p28.dynect.net.
privateinternetaccess.com. 86400 IN     NS      ns1.p28.dynect.net.

How do you have your pfSense set up for DNS.. Looks like you point to loopback, which would be a normal setup if using the resolver, but then why do you have the PIA DNS listed there as well??  How do you have pfSense set up for DNS: forwarder, resolver, resolver in forward mode?

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline squiggie

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #294 on: August 25, 2016, 11:37:54 am »
Ok, I think I know what's going on here now. My pfSense WAN interface is receiving a bridged connection from the router. I'm not sure how this was resolved, but I figured that my ISP might not allow alternate DNS servers and thus the PIA servers I put in weren't being allowed. So what I did was remove those PIA DNS servers under System --> General Setup and then check the box for "Allow DNS server list to be overridden by DHCP/PPP on WAN". After doing that, I rebooted and then reran the test, and it was successful and connected to the VPN via the DNS name instead of the IP address.

However, that allowed a DNS Leak and I don't want that. So I simply redid my settings, adding the PIA DNS entries back again under system --> general setup and unchecked the box. I'm not really sure if something is operating off a cached IP address or value but things are working now. I guess we'll see if things blow up again in a few days.

Offline johnpoz

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #295 on: August 25, 2016, 02:05:01 pm »
So you're using the forwarder, not the resolver?

You can force the resolver to use the VPN connection, I do believe.  In the resolver settings pick your VPN interface for the outgoing connection, put it in forwarder mode, put your PIA nameservers in General Setup, and make sure you uncheck "allow DHCP to override your DNS", etc.  DNSSEC probably doesn't work with their nameservers; would have to check.

So I put in that IP you listed, changed my resolver to forwarder and picked the VPN interface that I have set up to one of my VPSs as the outgoing interface.  Did a simple test of what the IP is of whatever is doing DNS for me, and

Code:
> dig whoami.akamai.net

; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36815
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       209.222.18.218

;; Query time: 150 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Aug 25 13:58:05 Central Daylight Time 2016
;; MSG SIZE  rcvd: 62

I put it back to resolver

Code:
> dig whoami.akamai.net

; <<>> DiG 9.10.4-P2 <<>> whoami.akamai.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11143
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       24.13.snipped

;; Query time: 12 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Aug 25 14:02:01 Central Daylight Time 2016
;; MSG SIZE  rcvd: 62

And as expected comes back with my public IP since I am doing the resolving directly, etc.
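The `whoami.akamai.net` trick above is the cleanest DNS-leak check there is: the A record you get back is the address Akamai saw the query arrive from, so it tells you which resolver actually went out to the internet on your behalf. As an added example (not johnpoz's or pfSense's code), here is a parser for that dig output that turns the answer into a verdict. The allow-list holds only the two PIA resolver addresses quoted earlier in the thread; both transcripts are constructed, trimmed copies of the posted ones, and 203.0.113.7 is a documentation-range stand-in for the real public address that was snipped.

```python
"""Added example, not johnpoz's or pfSense's code: parse the text output of
`dig whoami.akamai.net` and decide whether the firewall's DNS lookups leave
through the VPN or straight out the WAN.

whoami.akamai.net answers with the address of the resolver that contacted
Akamai's authoritative servers.  If that address is one of the VPN provider's
resolvers, the forwarder is sending queries through the tunnel; if it is your
own public IP, the resolver is talking to the internet directly (a DNS leak if
you intended VPN-only DNS).  The allow-list holds the two PIA resolvers quoted
in the thread; both transcripts are constructed, trimmed copies of the posted
ones, with 203.0.113.7 standing in for the real public address.
"""
import re

# PIA resolver addresses as given in the thread (constructed allow-list).
VPN_RESOLVERS = {"209.222.18.218", "209.222.18.222"}

# Constructed: what the forwarder-over-VPN test in the thread returned.
DIG_VIA_VPN = """\
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       209.222.18.218

;; Query time: 150 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

# Constructed: the resolver-direct case, with a documentation address as the public IP.
DIG_DIRECT = """\
;; QUESTION SECTION:
;whoami.akamai.net.             IN      A

;; ANSWER SECTION:
whoami.akamai.net.      180     IN      A       203.0.113.7

;; Query time: 12 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

# A-record lines look like "name  TTL  IN  A  a.b.c.d"; question lines start with ';'.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$", re.M)
SERVER = re.compile(r"^;; SERVER: (?P<ip>[\d.]+)#(?P<port>\d+)", re.M)


def parse_dig(output):
    """Return (list of A-record IPs, (server_ip, port) or None) from dig's output."""
    answers = [m.group("ip") for m in A_RECORD.finditer(output)]
    s = SERVER.search(output)
    server = (s.group("ip"), int(s.group("port"))) if s else None
    return answers, server


def classify_egress(output, vpn_resolvers=VPN_RESOLVERS):
    """Return (verdict, resolver_ip): 'vpn', 'direct', or 'unknown' when no A record."""
    answers, _ = parse_dig(output)
    if not answers:
        return "unknown", None
    seen = answers[0]
    return ("vpn" if seen in vpn_resolvers else "direct"), seen


if __name__ == "__main__":
    for label, out in (("forwarder via VPN", DIG_VIA_VPN), ("resolver direct", DIG_DIRECT)):
        verdict, ip = classify_egress(out)
        print(f"{label}: {verdict} (seen as {ip}, asked {parse_dig(out)[1]})")
```

The `;; SERVER:` line is the local resolver you asked (pfSense itself in the thread), and is deliberately not used for the verdict: it is the same in both transcripts, which is exactly why it cannot tell you where the query went next. Paste a fresh `dig whoami.akamai.net` into one of the sample strings to test a real box; "direct" is only a leak if you meant all DNS to stay inside the tunnel.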

Offline nitdawg1

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #296 on: October 09, 2016, 02:20:55 pm »
Hello,

I've been trying to configure a setup where my Plex server's torrent traffic is routed through OpenVPN/PIA. I would also like to still access my Plex server remotely. I run the Plex server on a different VLAN than the rest of my network (ex. VLAN30). So, I guess in essence what I'm trying to do is set up split tunneling so all my torrent traffic is secure using OpenVPN/PIA and all other traffic is sent over the network as usual.

I tried to use the tutorial in this post; however, after following the instructions I lost all my VLAN interfaces and only had access to the LAN interface. I used a backup config.xml to restore my old settings, but I really need some help.

I'm not sure what logs or screenshots I could offer to assist with troubleshooting. Let me know and I will provide them ASAP.

Offline User1503

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #297 on: October 10, 2016, 05:26:32 am »
Great that this is still alive, and thanks again to everyone contributing. My [nflx-movies] were using an alias for IPs going through PIA and working fine.  Then all of a sudden they quit, along with my [amzn-jungle] box, which gives a geo-restriction.  What changed?  Jungle always worked, didn't complain like movies, which was blocked for everyone a while back.  Is there a simple setup so I can check my DNS to be correct?  Currently I have DNS Server 1 as PIA with the PIAopt1 interface assigned.  DNS 2 is Google with the WAN_DHCP interface assigned.  My setup is ISP provider router to pfSense box, which controls the local LAN.  Some clients [jungle/movies] are under a firewall alias that routes everything through PIA.  Other clients just bypass PIA and go out the ISP router.  All this is tested and works.  I find it hard to believe that jungle all of a sudden is geo-blocking due to PIA?  If others are seeing this please post.  Otherwise, what did I change that I need to correct?  Thanks!

Offline Finger79

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #298 on: October 18, 2016, 01:09:01 am »
I'm able to connect just fine to PIA, but I'm seeing this in the logs every 10-15 seconds or so.  Can someone help me interpret this?

Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: Client disconnected
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:51    openvpn    13031    MANAGEMENT: Client disconnected
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:58    openvpn    13031    MANAGEMENT: Client disconnected

Advanced options as follows:

persist-key
persist-tun
remote-cert-tls server
auth-nocache
script-security 2
tls-version-min 1.2


I see the same "MANAGEMENT" lines anyway, with or without some of the above advanced options.

Offline Derelict

Re: Tutorial: Configuring pfSense as VPN client to Private Internet Access
« Reply #299 on: October 18, 2016, 03:16:59 am »
I believe those are simply logging of the Status > OpenVPN page or the OpenVPN status dashboard widget.

Turning down logging should clear those if they bother.
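Between squiggie's RESOLVE failures (and the `openvpn-passwd.txt` permissions warning sitting quietly in the same log) and Finger79's MANAGEMENT lines, this thread shows most of what a pfSense OpenVPN client log contains on a bad day: a couple of lines that matter and a steady stream of status polling that does not. The triage script below is an added example, not pfSense's or OpenVPN's code; it classifies lines into the patterns seen in those two posts. The sample log is a constructed, trimmed mix of the lines posted above, in both layouts that appear in the thread (the syslog `openvpn[PID]:` form and the GUI log view's column form), and the advice strings restate the checks Derelict and johnpoz asked for.

```python
"""Added example, not pfSense's or OpenVPN's code: triage pfSense OpenVPN client
log lines into classes that need action and classes that are noise.

Patterns covered are the ones shown in the thread: RESOLVE failures (the
firewall itself cannot resolve the remote name), the group/other-readable
credentials file warning, a BF-CBC data channel in the options string, and the
MANAGEMENT lines that the Status > OpenVPN page and the dashboard widget produce
each time they poll the management socket.  The sample lines are constructed,
trimmed copies of those in the posts, in both log layouts that appear there.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 23 09:28:49   openvpn[78359]: WARNING: file '/etc/openvpn-passwd.txt' is group or others accessible
Aug 23 09:28:49   openvpn[78634]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Aug 23 09:28:49   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Aug 23 09:28:49   openvpn[78634]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 23 09:28:54   openvpn[78634]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'state 1'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: CMD 'status 2'
Oct 18 01:25:46    openvpn    13031    MANAGEMENT: Client disconnected
"""

# Accepts both "openvpn[PID]: msg" (syslog) and "openvpn    PID    msg" (GUI log view).
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+openvpn"
    r"(?:\[(?P<pid>\d+)\]:|\s+(?P<pid2>\d+))\s+(?P<msg>.*)$")

# (pattern, class, severity, advice); the first matching rule wins.
RULES = [
    (re.compile(r"^RESOLVE: Cannot resolve host address: (?P<host>[^:]+)"),
     "resolve-failure", "error",
     "the firewall cannot resolve the remote; check System > General DNS servers "
     "and Diagnostics > DNS Lookup"),
    (re.compile(r"^WARNING: file '(?P<path>[^']+)' is group or others accessible"),
     "credential-file-perms", "warning",
     "the auth-user-pass file is readable by other local users; it should be mode 0600"),
    (re.compile(r"cipher (?P<cipher>BF-CBC|DES-CBC)"),
     "weak-cipher", "warning",
     "Blowfish/DES data channel; the strong profile in the thread is AES-256 on UDP 1197"),
    (re.compile(r"^MANAGEMENT: (?:Client (?:connected|disconnected)|CMD '(?:state|status) \d+')"),
     "status-poll", "info",
     "GUI status page or widget polling the management socket; harmless, lower verbosity to hide"),
]


def triage_line(line):
    """Classify one log line; returns None if it is not an openvpn log line."""
    m = LINE.match(line)
    if not m:
        return None
    pid = int(m.group("pid") or m.group("pid2"))
    msg = m.group("msg")
    for pattern, cls, severity, advice in RULES:
        hit = pattern.search(msg)
        if hit:
            return {"pid": pid, "class": cls, "severity": severity,
                    "detail": hit.groupdict(), "advice": advice}
    return {"pid": pid, "class": "other", "severity": "info", "detail": {}, "advice": ""}


def triage_log(text):
    """Return (Counter of classes, [(line_no, class, detail)] for non-info lines)."""
    counts = Counter()
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = triage_line(raw)
        if rec is None:
            continue
        counts[rec["class"]] += 1
        if rec["severity"] != "info":
            findings.append((n, rec["class"], rec["detail"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage_log(SAMPLE_LOG)
    print(dict(counts))
    for n, cls, detail in findings:
        print(f"line {n}: {cls} {detail}")
```

Run against a real log by feeding the file's text to `triage_log`; the counts show at a glance how much of the volume is the status-poll class Derelict describes, while the findings list is the part worth reading. The rule order matters only where a line could match two patterns, which none of the thread's lines do.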