Hi,
I am trying to connect to AirVPN from an OPNSense firewall. I have tried many different configs, and the status of my OpenVPN tunnel is always "connecting". The log file shows no errors; there is just an entry state all and client disconnected.
Is there any working guide for the current OPNSense version? I do not have any problems connecting to AirVPN from any Windows client in my network.
I looked at my firewall log and did a tcpdump, but I cannot see any incoming traffic. I do not have a private IP address, because I use a 5G router. Could this be the problem? Why is it working on other clients (Android, Windows workstation)?

Thank you for your help.

Edited ... by tangledSoul

Link to post

I am also in the same boat. It appears that the differences between pfSense and OPNsense are becoming more pronounced as time goes on.

I am stuck in the same place you seem to be, with the OpenVPN client not able to connect. Setting the logging level to 11 yields no errors. It almost looks like the outbound request is getting NAT'd wrong, so a response from the server gets lost in the ether.

I spent a few hours over the weekend trying to get it running and will try again this week. I don't have much time to keep messing with the internet since everyone is home using it 24/7 nowadays.

I'll post up what I find, unless you have managed to get it working yourself.

Link to post

I got it to connect but it will not use tls 1.2 settings from the config generator. I had to use the regular flavor tls.

I was following the nguvu.org setup as well as their prior pfsense tutorials. The only thing I changed in the setup to get it to work was to swap the tls-1.2 key with whatever the normal tls version is.

Perhaps it's an OPNsense problem or the fact that I am using LibreSSL.
I'm using the LibreSSL 3.0.2 flavor, OpenVPN 2.4.9_3.

It does appear that pfSense does not use or plan to use LibreSSL.
I might try it later with OpenSSL and find out.
 

Link to post

I switched to OpenSSL and tried to get the client to connect.

It would not connect with the tls-crypt 1.2 server and key.

It does connect with the regular TLS version and servers.

I see from the logs that it sends the entry server a single UDP packet and begins negotiating the key exchange. Then it sends three UDP packets to the server and then times out. It will try this 1-3 times before 'freezing'.

Not really sure if 'freeze' is accurate, but the log stops refreshing and the live feed from the firewall stops updating... but everyone else on the network can still use the web on clearnet.

Perhaps I have to specify something TLS 1.2 specific in the advanced config options that is not autoconfigured in OPNsense but is in pfSense.

I'll ask over in the OPNsense forums and keep looking, because now it just bugs me.

Link to post

I don't think it matters if it's TLS 1.2 or TLS only – the only version accepted is 1.2, anyway.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

Link to post

OK, the problem is that OPNsense does not have tls-crypt as a feature listed in the GUI. What it shows for TLS settings is TLS-auth, which must be what the standard Air entry protocol is.

The fix is also what someone here found worked for DD-WRT.

1. Disable TLS authentication (Uncheck the box)
2. Under "Advanced"
<tls-crypt>
[your tls 1.2 key here]
</tls-crypt>

and then add all the other client config stuff like usual.

It's being worked on by the OPNsense team but is slated to show up in the GUI for a later release.

Link to post
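
A pre-flight check for the fix described in the post above, added here as an example (not code from the thread or from OPNsense); the function names, sample text and key path are constructed for illustration. It parses the text destined for the client config and flags the two ways the workaround goes wrong: TLS authentication left enabled next to the inline tls-crypt block, and the key placeholder never replaced.

```python
import re

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"

def parse_config(text):
    """Split OpenVPN config text into directives and inline <name> blocks."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:            # inside an inline block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        else:
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.strip())
    return directives, blocks

def check_control_channel(text):
    """Return (mode, findings) for the tls-auth / tls-crypt settings."""
    directives, blocks = parse_config(text)
    modes = [m for m in ("tls-auth", "tls-crypt") if m in directives or m in blocks]
    findings = []
    if len(modes) == 2:
        findings.append("tls-auth and tls-crypt are both set; OpenVPN allows only one")
    elif not modes:
        findings.append("no tls-auth or tls-crypt key is configured")
    for name in modes:
        body = blocks.get(name)
        if body is not None and not (KEY_BEGIN in body and KEY_END in body):
            findings.append(f"<{name}> block holds no OpenVPN static key")
    return (modes[0] if len(modes) == 1 else None), findings

# Constructed sample: the Advanced-box text from the post, placeholder left in.
SAMPLE_PLACEHOLDER = "<tls-crypt>\n[your tls 1.2 key here]\n</tls-crypt>\n"
# Constructed sample: GUI TLS authentication still enabled next to the inline block.
SAMPLE_BOTH = ("tls-auth /path/to/ta.key 1\n<tls-crypt>\n" + KEY_BEGIN +
               "\n00112233\n" + KEY_END + "\n</tls-crypt>\n")

if __name__ == "__main__":
    for sample in (SAMPLE_PLACEHOLDER, SAMPLE_BOTH):
        print(check_control_channel(sample))
```
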

Oooh, I see. But I don't believe it's not a feature because that's standard in OpenVPN. I think it's fairly easy to fix it yourself. You see, there are four entry IPs for every server. 1 and 2 are for tls-auth, and 3 and 4 for tls-crypt. The even number is an alternative address in case of blocks.
Your fix with disabling TLS authentication is correct because it seems like the option needed for IPs 1 or 2, so you must make sure you use IP 3 or 4 to connect, and then it should work.


Link to post

Hi,
Your solution to disable TLS auth and add it under Advanced works for me.
Thanks, that solved my problem.

Link to post
This topic is now closed to further replies.
