Dr Francis Greaves Posted ... (edited)

I have followed the excellent instructions on how to set up AirVPN with pfSense here. Then, when it did not connect, I had a conversation with the chap who created this, and he can find nothing wrong with my settings. I have tried two different AirVPN connections, same result. I can connect from my phone connected to my LAN using OpenVPN no problem. I have tried the Netgate forum because I am using a Netgate SG-3100 router which is behind my ISP's router, so it may be double NATted; they can see nothing wrong really other than this:

[UNDEF] Inactivity timeout (--ping-restart), restarting

which would suggest that the ping is not answered. However, I can ping this address from the router and from my laptop on the LAN. I have even tried disabling all LAN rules on the router firewall, but no good. Here is the output from the log:

Oct 16 12:31:34 openvpn 26232 MANAGEMENT: Client disconnected
Oct 16 12:31:34 openvpn 26232 MANAGEMENT: CMD 'state 1'
Oct 16 12:31:34 openvpn 26232 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 16 12:31:29 openvpn 26232 UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 16 12:31:29 openvpn 26232 UDPv4 link local (bound): [AF_INET]192.168.1.14:0
Oct 16 12:31:29 openvpn 26232 Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 16 12:31:29 openvpn 26232 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Oct 16 12:31:29 openvpn 26232 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 12:31:29 openvpn 26232 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 12:31:29 openvpn 26232 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Oct 16 12:31:29 openvpn 26232 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 16 12:31:29 openvpn 26232 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 12:31:29 openvpn 26232 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 12:31:29 openvpn 26232 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 12:31:29 openvpn 26232 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 12:31:29 openvpn 26232 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 12:31:29 openvpn 26232 mlockall call succeeded
Oct 16 12:31:29 openvpn 26232 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 16 12:31:29 openvpn 26079 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Oct 16 12:31:29 openvpn 26079 OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020

Here is the output from my laptop:

Fri Oct 16 12:34:47 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
Fri Oct 16 12:34:47 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Fri Oct 16 12:34:47 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 16 12:34:47 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 12:34:47 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 12:34:47 2020 UDP link local: (not bound)
Fri Oct 16 12:34:47 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 12:35:47 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 12:35:47 2020 TLS Error: TLS handshake failed
Fri Oct 16 12:35:47 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 16 12:35:47 2020 Restart pause, 5 second(s)

I tried this command:

nc -uvz 185.103.96.130 443
Connection to 185.103.96.130 443 port [udp/https] succeeded!

I understand that this might be caused by a double NAT problem, so I will probably have to get my ISP to change their router so it can be put into bridged mode, at great expense! I am not a beginner; I have been using Linux for 20 years, and use Gentoo Linux as my preferred distro. I would be most grateful for some advice on how to fix this! I am tearing my hair out here, well, what is left of it.

Edited ... by Dr Francis Greaves
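One way to read logs like the two above side by side, as an added example that is not part of the original post or of OpenVPN, is a small triage script. It tells the two control-channel modes apart by the wording OpenVPN uses ("Control Channel Encryption" is what tls-crypt logs, "Control Channel Authentication" is what tls-auth logs), which on the lines above places the pfSense instance on tls-crypt with SHA256 and the laptop on tls-auth with SHA1; it classifies the restart reason; and it diffs the Local and Expected Remote option strings while allowing only the role swap OpenVPN itself performs (tls-client/tls-server, TCPv4_CLIENT/TCPv4_SERVER). The sample lines are copied from the post; the verdict texts, the regular expressions and the function names are this example's own assumptions, not OpenVPN's.

```python
"""OpenVPN client log triage: failure class, control-channel mode, option-string diff.
Added example for this thread, not code from the post or from OpenVPN. The sample
lines are copied from the logs in the post; verdict texts and names are this example's."""
import re
from dataclasses import dataclass, field

# Timestamp prefixes of the two formats on the page:
#   pfSense: "Oct 16 12:31:29 openvpn 26232 <msg>"   laptop: "Fri Oct 16 12:34:47 2020 <msg>"
LINE_RE = re.compile(
    r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4}|\w{3} +\d+ [\d:]+ openvpn \d+) (?P<msg>.*)$")

# OpenVPN derives the Expected Remote Options String from the local one by swapping
# the role-dependent tokens, so these pairs are the only differences that are expected.
ROLE_PAIRS = {"tls-client": "tls-server", "tls-server": "tls-client",
              "proto TCPv4_CLIENT": "proto TCPv4_SERVER",
              "proto TCPv4_SERVER": "proto TCPv4_CLIENT"}

# (pattern, verdict): the verdict names the failure class and where to look first.
FAILURE_SIGNATURES = [
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "tls-handshake-timeout: nothing usable came back from the server; check the UDP path, "
     "the tls-auth/tls-crypt key and its direction, and the 'auth' digest"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "ping-restart: no traffic from the peer within the inactivity window; a '[UNDEF]' peer "
     "name means no certificate was verified yet, so treat it like the handshake timeout"),
    (re.compile(r"Connection reset, restarting"),
     "connection-reset: the peer closed the TCP socket; verify the control-channel key "
     "and digest before blaming the network"),
]


@dataclass
class Triage:
    control_channel: str = "unknown"   # tls-auth, tls-crypt or unknown
    digest: str = "unknown"            # HMAC digest in use on the control channel
    transport: str = "unknown"         # udp or tcp
    remote: str = "unknown"            # ip:port actually dialled
    failures: list = field(default_factory=list)
    option_mismatches: list = field(default_factory=list)


def compare_options(local, expected):
    """Tokens that differ between Local and Expected Remote beyond the role swap."""
    split = lambda s: {tok.strip() for tok in s.split(",") if tok.strip()}
    local_as_server_sees_it = {ROLE_PAIRS.get(t, t) for t in split(local)}
    return sorted(local_as_server_sees_it ^ split(expected))


def triage(lines):
    t, local, expected = Triage(), None, None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        msg = m.group("msg") if m else raw.strip()      # lines pasted without a prefix
        if "Control Channel Encryption:" in msg:        # wording tls-crypt logs
            t.control_channel = "tls-crypt"
        elif "Control Channel Authentication:" in msg:  # wording tls-auth logs
            t.control_channel = "tls-auth"
        dm = re.search(r"message hash '([A-Z0-9]+)'", msg)
        if dm and "Control Channel" in msg:
            t.digest = dm.group(1)
        lm = re.match(r"(UDP\w*|TCPv4_CLIENT) link remote: \[AF_INET\](\S+)", msg)
        if lm:
            t.transport = "udp" if lm.group(1).startswith("UDP") else "tcp"
            t.remote = lm.group(2)
        if msg.startswith("Local Options String"):
            local = msg.split("'")[1]
        elif msg.startswith("Expected Remote Options String"):
            expected = msg.split("'")[1]
        for pat, verdict in FAILURE_SIGNATURES:
            if pat.search(msg) and verdict not in t.failures:
                t.failures.append(verdict)
    if local and expected:
        t.option_mismatches = compare_options(local, expected)
    return t


# Constructed samples: lines copied from the post (pfSense, including the line the
# Netgate forum pointed at, and the laptop run).
SAMPLE_PFSENSE = [
    "[UNDEF] Inactivity timeout (--ping-restart), restarting",
    "Oct 16 12:31:29 openvpn 26232 UDPv4 link remote: [AF_INET]185.103.96.130:443",
    "Oct 16 12:31:29 openvpn 26232 Expected Remote Options String (VER=V4): 'V4,dev-type tun,"
    "link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,"
    "keysize 256,key-method 2,tls-server'",
    "Oct 16 12:31:29 openvpn 26232 Local Options String (VER=V4): 'V4,dev-type tun,"
    "link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,"
    "keysize 256,key-method 2,tls-client'",
    "Oct 16 12:31:29 openvpn 26232 Incoming Control Channel Encryption: Using 256 bit "
    "message hash 'SHA256' for HMAC authentication",
]
SAMPLE_LAPTOP = [
    "Fri Oct 16 12:34:47 2020 Outgoing Control Channel Authentication: Using 160 bit "
    "message hash 'SHA1' for HMAC authentication",
    "Fri Oct 16 12:34:47 2020 UDP link remote: [AF_INET]185.103.96.130:443",
    "Fri Oct 16 12:35:47 2020 TLS Error: TLS key negotiation failed to occur within 60 "
    "seconds (check your network connectivity)",
]

if __name__ == "__main__":
    for name, lines in (("pfSense", SAMPLE_PFSENSE), ("laptop", SAMPLE_LAPTOP)):
        print(name, triage(lines))
```

Run against the two logs, the script reports no option-string mismatch on either side, which is worth knowing before touching MTU or NAT: the two peers agree on cipher, digest and MTU, so the silence comes from before the TLS exchange, where a wrong tls-auth/tls-crypt key, a wrong key direction or a wrong 'auth' digest all produce exactly the same 60-second timeout.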
Wolke68 Posted ...

Fri Oct 16 12:34:47 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 12:34:47 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 12:34:47 2020 UDP link local: (not bound)
Fri Oct 16 12:34:47 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 12:35:47 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 12:35:47 2020 TLS Error: TLS handshake failed

SHA1? I think you should set SHA512 and test again.
Dr Francis Greaves Posted ... (edited)

Well, here is my .ovpn file, @Wolke68. Is there something wrong with it? It is what I downloaded from the AirVPN site, with additional settings from the pfSense HowTo:

client
dev tun
remote 185.103.96.130 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
remote-cert-tls server
auth sha512
prng sha256 64
mlock

So I set SHA512 and here is the output:

Fri Oct 16 15:41:31 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
Fri Oct 16 15:41:31 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Fri Oct 16 15:41:31 2020 mlockall call succeeded
Fri Oct 16 15:41:31 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 16 15:41:31 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Oct 16 15:41:31 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Oct 16 15:41:31 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 15:41:31 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 15:41:31 2020 UDP link local: (not bound)
Fri Oct 16 15:41:31 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 15:42:31 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 15:42:31 2020 TLS Error: TLS handshake failed
Fri Oct 16 15:42:31 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 16 15:42:31 2020 Restart pause, 5 second(s)

Edited ... by Dr Francis Greaves
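A profile check that turns the question in this post ("is there something wrong with it?") into something mechanical, as an added example that is not AirVPN's or OpenVPN's code: it parses the .ovpn as pasted above, flags duplicated directives, checks that a tls-auth or tls-crypt key and its direction are present, and compares 'auth' and 'cipher' against the Expected Remote Options String from the pfSense log in the first post. The profile embedded below is a copy of the paste as it appears on the page, which carries no inline <ca> or <tls-auth> block, so the key check fires on it; a complete profile would carry those inline or reference key files, and the linter is meant to run on the full file. The check texts, the function names and the OpenVPN 2.4 defaults assumed for missing directives are this example's own.

```python
"""Lint an OpenVPN client profile for what makes a tls-auth server drop the handshake
without replying. Added example for this thread, not AirVPN's or OpenVPN's code. PROFILE
is the paste from the post as shown (no inline key blocks); SERVER_OPTIONS is the Expected
Remote Options String from the pfSense log; check texts and names are this example's."""
import re

PROFILE = """\
client
dev tun
remote 185.103.96.130 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
remote-cert-tls server
auth sha512
prng sha256 64
mlock
"""
SERVER_OPTIONS = ("V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,"
                  "cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server")
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC"}   # what OpenVPN 2.4 uses when unset


def parse_profile(text):
    """Ordered (directive, args) pairs plus inline <tag>...</tag> blocks."""
    directives, inline, tag, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if tag:                                    # inside an inline block
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        name, _, args = line.partition(" ")
        directives.append((name, args.strip()))
    return directives, inline


def lint(text, server_options=None):
    """Findings as strings; an empty list means nothing suspicious was found."""
    directives, inline = parse_profile(text)
    names = [n for n, _ in directives]
    opts = dict(directives)                        # last occurrence wins
    findings = []
    for n in sorted(set(names)):                   # duplicates: silent overrides
        if names.count(n) > 1 and n != "remote":   # several 'remote' lines are normal
            values = {a for m, a in directives if m == n}
            findings.append(f"duplicate directive '{n}' "
                            f"({'identical' if len(values) == 1 else 'conflicting'} values)")
    has_auth = "tls-auth" in opts or "tls-auth" in inline
    has_crypt = "tls-crypt" in opts or "tls-crypt" in inline
    if not has_auth and not has_crypt:
        findings.append("no tls-auth or tls-crypt key: a server that requires one drops every "
                        "handshake packet silently" + (" (key-direction is set, so a tls-auth "
                        "key is expected)" if "key-direction" in opts else ""))
    if has_auth and has_crypt:
        findings.append("both tls-auth and tls-crypt present; keep only the one the server uses")
    if has_auth and "key-direction" not in opts and len(opts.get("tls-auth", "").split()) < 2:
        findings.append("tls-auth without a key direction: unless the server also runs "
                        "bidirectional mode its HMAC never verifies")
    proto = opts.get("proto", "udp")
    for n, a in directives:                        # 'remote host port proto' vs 'proto'
        if n == "remote" and len(a.split()) == 3 and a.split()[2][:3] != proto[:3]:
            findings.append(f"remote '{a}' uses a protocol different from 'proto {proto}'")
    if server_options:                             # what the server says it will accept
        server = dict(tok.split(" ", 1) for tok in server_options.split(",") if " " in tok)
        for key in ("auth", "cipher"):
            have = opts.get(key, DEFAULTS[key])
            if key in server and have.upper() != server[key].upper():
                findings.append(f"'{key} {have}' does not match the server's '{key} {server[key]}'"
                                + ("" if key in opts else " (directive missing, default assumed)"))
    return findings


if __name__ == "__main__":
    for finding in lint(PROFILE, SERVER_OPTIONS):
        print("-", finding)
```

With tls-auth the 'auth' digest also sizes the HMAC on every control-channel packet, so a client running on the SHA1 default against a server expecting SHA512 gets exactly the silent 60-second timeout seen in the laptop logs; the linter reports that case as a mismatch marked "default assumed". The duplicated remote-cert-tls line in the paste is harmless because both copies carry the same value, which is why the finding says "identical values" rather than "conflicting".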
Dr Francis Greaves Posted ...

I have tried the TCP connection to AirVPN to see if that makes any difference. Here is the output; clearly the connection is established, then is being reset for some reason.

Oct 16 18:25:36 openvpn 1757 Restart pause, 20 second(s)
Oct 16 18:25:36 openvpn 1757 SIGUSR1[soft,connection-reset] received, process restarting
Oct 16 18:25:36 openvpn 1757 TCP/UDP: Closing socket
Oct 16 18:25:36 openvpn 1757 Connection reset, restarting [0]
Oct 16 18:25:36 openvpn 1757 TCPv4_CLIENT link remote: [AF_INET]185.103.96.137:443
Oct 16 18:25:36 openvpn 1757 TCPv4_CLIENT link local (bound): [AF_INET]192.168.1.14:0
Oct 16 18:25:36 openvpn 1757 TCP connection established with [AF_INET]185.103.96.137:443
Oct 16 18:25:35 openvpn 1757 Attempting to establish TCP connection with [AF_INET]185.103.96.137:443 [nonblock]
Oct 16 18:25:35 openvpn 1757 Socket Buffers: R=[65228->524288] S=[65228->524288]
Oct 16 18:25:35 openvpn 1757 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.137:443
Oct 16 18:25:35 openvpn 1757 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 18:25:35 openvpn 1757 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 18:25:35 openvpn 1757 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Oct 16 18:25:35 openvpn 1757 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Oct 16 18:25:35 openvpn 1757 Re-using SSL/TLS context
Oct 16 18:25:35 openvpn 1757 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Strange.
Wolke68 Posted ...

If you set it up like ngu, it works, and that is without IPv6. Try the option 1:1 in the advanced field; you only need the options from ngu. Key direction you can set in the other option, and I would try first without IPv6. But if you want to try it, there are two options you need:

push-peer-info;
setenv UV_IPV6;
Dr Francis Greaves Posted ... (edited)

@Wolke68, I am a bit confused, sorry. What is option 1:1? Is it the NAT 1:1? If so, I have tried setting my internal router address to the WAN address using that, with the destination as either the AirVPN 185.103.96.130 or even 'any', but no good. I have tried setting the TLS key direction to 0 and 1, but no good. I have added your push-peer-info; setenv UV_IPV6; with the protocol set to IPv4, IPv6 and both, but no good. To be honest, I think it is not going to work. I will get my ISP to change their modem and set it in bridged mode, and report back after that. I am really VERY grateful for your time in helping out. Regards

Edited ... by Dr Francis Greaves (more information)
Wolke68 Posted ...

It has nothing to do with bridge mode. Your config is not the same point for point as ngu's; that's the problem. Check your config.