Dr Francis Greaves

pfSense openvpn will not keep connection


Posted ... (edited)

I have followed the excellent instructions on how to set up AirVPN with pfSense here. Then, when it did not connect, I had a conversation with the chap who created this, and he can find nothing wrong with my settings. I have tried two different AirVPN connections, same result.
I can connect from my phone connected to my LAN using OpenVPN no problem.
I have tried the Netgate Forum because I am using a Netgate SG-3100 Router which is behind my ISP's Router, so may be Double NATted, they can see nothing wrong really other than this:

[UNDEF] Inactivity timeout (--ping-restart), restarting
which would suggest that the ping is not answered. However I can ping this address from the Router and from my laptop on the LAN.
I have even tried disabling all LAN Rules on the Router Firewall, but no good.
Here is the output from the log:
Oct 16 12:31:34 	openvpn 	26232 	MANAGEMENT: Client disconnected
Oct 16 12:31:34 	openvpn 	26232 	MANAGEMENT: CMD 'state 1'
Oct 16 12:31:34 	openvpn 	26232 	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 16 12:31:29 	openvpn 	26232 	UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 16 12:31:29 	openvpn 	26232 	UDPv4 link local (bound): [AF_INET]192.168.1.14:0
Oct 16 12:31:29 	openvpn 	26232 	Socket Buffers: R=[42080->524288] S=[57344->524288]
Oct 16 12:31:29 	openvpn 	26232 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Oct 16 12:31:29 	openvpn 	26232 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 12:31:29 	openvpn 	26232 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 12:31:29 	openvpn 	26232 	Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Oct 16 12:31:29 	openvpn 	26232 	Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 16 12:31:29 	openvpn 	26232 	Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 12:31:29 	openvpn 	26232 	Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 12:31:29 	openvpn 	26232 	Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 16 12:31:29 	openvpn 	26232 	Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 16 12:31:29 	openvpn 	26232 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 12:31:29 	openvpn 	26232 	mlockall call succeeded
Oct 16 12:31:29 	openvpn 	26232 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 16 12:31:29 	openvpn 	26079 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Oct 16 12:31:29 	openvpn 	26079 	OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020 
Here is the output from my Laptop:
Fri Oct 16 12:34:47 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
Fri Oct 16 12:34:47 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Fri Oct 16 12:34:47 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 16 12:34:47 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 12:34:47 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 12:34:47 2020 UDP link local: (not bound)
Fri Oct 16 12:34:47 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 12:35:47 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 12:35:47 2020 TLS Error: TLS handshake failed
Fri Oct 16 12:35:47 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 16 12:35:47 2020 Restart pause, 5 second(s)
I tried this command
nc -uvz 185.103.96.130 443

Connection to 185.103.96.130 443 port [udp/https] succeeded!
I understand that this might be caused by a Double NAT Problem, so I will probably have to get my ISP to change their router so it can be put into Bridged Mode at great expense!
I am not a beginner, been using Linux for 20 years, and use Gentoo Linux as my preferred Distro.
I would be most grateful for some advice on how to fix this! I am tearing my hair out here, well what is left of it.
  Edited ... by Dr Francis Greaves

Fri Oct 16 12:34:47 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Oct 16 12:34:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 12:34:47 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 12:34:47 2020 UDP link local: (not bound)
Fri Oct 16 12:34:47 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 12:35:47 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 12:35:47 2020 TLS Error: TLS handshake failed


SHA1?

I think you should do SHA512 and test again.

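An added example, not from this thread or from the AirVPN/pfSense guides, that automates the check made by eye above: it pulls the 'Expected Remote Options String' and 'Local Options String' lines out of an OpenVPN log, diffs them while ignoring the tls-server/tls-client and TCPv4_SERVER/TCPv4_CLIENT asymmetries OpenVPN itself tolerates, and names the stage at which the session failed (inactivity timeout, connection reset, or TLS handshake timeout). The function names and the sample log are my own constructions, modelled on the lines quoted in this thread, with the laptop's SHA1 placed against the server's SHA512 so the mismatch shows up.

```python
import re

# Constructed sample log, modelled on the pfSense/OpenVPN lines quoted in this thread.
SAMPLE_LOG = """\
Oct 16 12:31:29 openvpn 26232 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 12:31:29 openvpn 26232 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Oct 16 12:31:29 openvpn 26232 UDPv4 link remote: [AF_INET]185.103.96.130:443
Oct 16 12:33:29 openvpn 26232 [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

OPTS_RE = re.compile(r"(Expected Remote|Local) Options String \(VER=V4\): '([^']*)'")

# Failure signatures that appear in this thread's logs; the first one found in the text wins.
FAILURE_SIGNATURES = [
    ("Inactivity timeout (--ping-restart)", "inactivity-timeout"),
    ("Connection reset, restarting", "connection-reset"),
    ("TLS key negotiation failed to occur", "tls-handshake-timeout"),
    ("Initialization Sequence Completed", "connected"),
]

def parse_options(opts):
    """Turn 'V4,dev-type tun,auth SHA512,...' into {'dev-type': 'tun', 'auth': 'SHA512', ...}."""
    parsed = {}
    for token in opts.split(",")[1:]:          # drop the leading 'V4' version tag
        key, _, value = token.partition(" ")   # flag-only tokens such as 'comp-lzo' get value ''
        parsed[key] = value
    return parsed

def compare_options(expected, local):
    """Return the option names whose values differ, ignoring the asymmetries OpenVPN expects."""
    exp, loc = parse_options(expected), parse_options(local)
    for role in ("tls-server", "tls-client"):  # each side legitimately states its own role
        exp.pop(role, None)
        loc.pop(role, None)
    for side in (exp, loc):                    # 'proto TCPv4_SERVER' pairs with 'proto TCPv4_CLIENT'
        if "proto" in side:
            side["proto"] = side["proto"].replace("_SERVER", "").replace("_CLIENT", "")
    return sorted(k for k in set(exp) | set(loc) if exp.get(k) != loc.get(k))

def analyse_log(text):
    """Diff the two option strings (when both are present) and name the stage at which the session failed."""
    found = {m.group(1): m.group(2) for m in OPTS_RE.finditer(text)}
    mismatches = compare_options(found["Expected Remote"], found["Local"]) if len(found) == 2 else []
    stage = next((label for needle, label in FAILURE_SIGNATURES if needle in text), "unknown")
    return {"mismatched_options": mismatches, "stage": stage}

if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG))   # {'mismatched_options': ['auth'], 'stage': 'inactivity-timeout'}
```

OpenVPN only prints the two option strings at a high enough verbosity (the pfSense log above has them, the laptop log at verb 3 does not), so raise verb if the 'Expected Remote' line is missing.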
Posted ... (edited)

Well, here is my .ovpn file @Wolke68, is there something wrong with it? It is what I downloaded from the AirVPN site, with additional settings from the pfSense HowTo.

client
dev tun
remote 185.103.96.130 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
remote-cert-tls server
auth sha512
prng sha256 64
mlock
So I set the SHA512 and here is the output:
Fri Oct 16 15:41:31 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on May 11 2020
Fri Oct 16 15:41:31 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Fri Oct 16 15:41:31 2020 mlockall call succeeded
Fri Oct 16 15:41:31 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 16 15:41:31 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Oct 16 15:41:31 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Oct 16 15:41:31 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.130:443
Fri Oct 16 15:41:31 2020 Socket Buffers: R=[212992->524288] S=[212992->524288]
Fri Oct 16 15:41:31 2020 UDP link local: (not bound)
Fri Oct 16 15:41:31 2020 UDP link remote: [AF_INET]185.103.96.130:443
Fri Oct 16 15:42:31 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 16 15:42:31 2020 TLS Error: TLS handshake failed
Fri Oct 16 15:42:31 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Oct 16 15:42:31 2020 Restart pause, 5 second(s)
Edited ... by Dr Francis Greaves


I have tried the TCP connection to AirVPN to see if that makes any difference.
Here is the output; clearly the connection is established, then is being reset for some reason.

Oct 16 18:25:36 	openvpn 	1757 	Restart pause, 20 second(s)
Oct 16 18:25:36 	openvpn 	1757 	SIGUSR1[soft,connection-reset] received, process restarting
Oct 16 18:25:36 	openvpn 	1757 	TCP/UDP: Closing socket
Oct 16 18:25:36 	openvpn 	1757 	Connection reset, restarting [0]
Oct 16 18:25:36 	openvpn 	1757 	TCPv4_CLIENT link remote: [AF_INET]185.103.96.137:443
Oct 16 18:25:36 	openvpn 	1757 	TCPv4_CLIENT link local (bound): [AF_INET]192.168.1.14:0
Oct 16 18:25:36 	openvpn 	1757 	TCP connection established with [AF_INET]185.103.96.137:443
Oct 16 18:25:35 	openvpn 	1757 	Attempting to establish TCP connection with [AF_INET]185.103.96.137:443 [nonblock]
Oct 16 18:25:35 	openvpn 	1757 	Socket Buffers: R=[65228->524288] S=[65228->524288]
Oct 16 18:25:35 	openvpn 	1757 	TCP/UDP: Preserving recently used remote address: [AF_INET]185.103.96.137:443
Oct 16 18:25:35 	openvpn 	1757 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 16 18:25:35 	openvpn 	1757 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 16 18:25:35 	openvpn 	1757 	Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Oct 16 18:25:35 	openvpn 	1757 	Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Oct 16 18:25:35 	openvpn 	1757 	Re-using SSL/TLS context
Oct 16 18:25:35 	openvpn 	1757 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 

Strange


If you set it like ngu it goes well, and it is without IPv6.
Try the Option 1:1.

In the advanced field you only need the options from ngu.
Key-direction you can set in the other option,
and first I would try without IPv6.
But if you want to try, these two options you need:

push-peer-info;
setenv UV_IPV6;

Posted ... (edited)
@Wolke68, I am a bit confused, sorry.
What is option 1:1? Is it the NAT 1:1?
If so, I have tried setting my internal router address to the WAN address using that, and the destination as either the AirVPN
185.103.96.130 or even 'any', but no good.

I have tried setting the TLS key direction to 0 and 1, but no good.

I have added your
push-peer-info; setenv UV_IPV6; both with Protocol set at IPv4 and IPv6 and both, but no good.

To be honest, I think it is not going to work. I will get my ISP to change their modem and set it in Bridged Mode, and report back after that.
I am really VERY grateful for your time in helping out.
Regards

  Edited ... by Dr Francis Greaves: more information


It has nothing to do with Bridge Mode.

Your config is not the same point for point as ngu's, that's the problem.

Check your config.

