ANSWERED Pfsense and airvpn won't connect to the internet

[clevoir 3]

These are my DD-WRT settings

These were from your original DD-WRT setup instructions, some years ago

[Staff 9972]

1 hour ago, clevoir said:

I found that no NTP server had been set up in DD-WRT, once this had been set I was able to gain access OK

Hello!

Excellent, we're glad to know that the cause of the problem was found and that the problem is solved.
 

1 hour ago, clevoir said:

For the bug where the client is showing connected / disconnected, would you recommend updating DD-WRT to the latest version?

In the past, that bug was not critical. Anyway your OpenVPN version is becoming obsolete therefore an upgrade in the near future, with no time pressure now that everything works, is recommended. Newest versions also support WireGuard, which could give you a remarkable performance boost.

The DD-WRT settings you posted in another message could be improved to slightly enhance performance with this router that does not support AES-NI. Try to change the "Encryption cipher" and the first "Data cipher" to CHACHA20-POLY1305 (if available) and check whether performance increases or not.

Kind regards
 

[juniormaxx 0]

are there any updated instructions on to set up pfsense with airvpn?

[alanm 1]

20 hours ago, Staff said:

Hello!
Please post complete log, don't cut it.
Kind regards

Apr 10 16:26:47 NAS syslog.info syslogd started: BusyBox v1.25.1
Apr 10 16:26:47 NAS kern.notice kernel: klogd started: BusyBox v1.25.1 (2017-11-17 17:41:12 CET)
Apr 10 16:26:47 NAS kern.info kernel: tun: Universal TUN/TAP device driver, 1.6
Apr 10 16:26:47 NAS kern.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Apr 10 16:27:00 NAS kern.info kernel: tun: Universal TUN/TAP device driver, 1.6
Apr 10 16:27:00 NAS kern.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Apr 10 16:27:00 NAS daemon.notice openvpn[15172]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 17 2017
Apr 10 16:27:00 NAS daemon.notice openvpn[15172]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Apr 10 16:27:00 NAS daemon.warn openvpn[15175]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: TCP/UDP: Preserving recently used remote address: [AF_INET]2.58.47.205:443
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: UDP link local: (not bound)
Apr 10 16:27:00 NAS daemon.notice openvpn[15175]: UDP link remote: [AF_INET]2.58.47.205:443
Apr 10 16:27:01 NAS user.notice root: vpnrouting: clean-up
Apr 10 16:27:04 NAS daemon.err openvpn[15175]: event_wait : Interrupted system call (code=4)
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: OpenVPN STATISTICS
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: Updated,Wed Apr 10 16:27:04 2024
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: TUN/TAP read bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: TUN/TAP write bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: TCP/UDP read bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: TCP/UDP write bytes,84
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: Auth read bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: pre-compress bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: post-compress bytes,0
Apr 10 16:27:04 NAS daemon.notice openvpn[15175]: pre-decompress bytes,0
Apr 10 16:28:00 NAS daemon.err openvpn[15175]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 10 16:28:00 NAS daemon.err openvpn[15175]: TLS Error: TLS handshake failed
Apr 10 16:28:00 NAS daemon.notice openvpn[15175]: SIGUSR1[soft,tls-error] received, process restarting
Apr 10 16:28:00 NAS daemon.notice openvpn[15175]: Restart pause, 5 second(s)
Apr 10 16:28:05 NAS daemon.warn openvpn[15175]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 10 16:28:05 NAS daemon.notice openvpn[15175]: TCP/UDP: Preserving recently used remote address: [AF_INET]2.58.47.205:443
Apr 10 16:28:05 NAS daemon.notice openvpn[15175]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Apr 10 16:28:05 NAS daemon.notice openvpn[15175]: UDP link local: (not bound)
Apr 10 16:28:05 NAS daemon.notice openvpn[15175]: UDP link remote: [AF_INET]2.58.47.205:443
Apr 10 16:29:05 NAS daemon.err openvpn[15175]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 10 16:29:05 NAS daemon.err openvpn[15175]: TLS Error: TLS handshake failed
Apr 10 16:29:05 NAS daemon.notice openvpn[15175]: SIGUSR1[soft,tls-error] received, process restarting
Apr 10 16:29:05 NAS daemon.notice openvpn[15175]: Restart pause, 5 second(s)
Apr 10 16:29:10 NAS daemon.warn openvpn[15175]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 10 16:29:11 NAS daemon.notice openvpn[15175]: TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.101.244:443
Apr 10 16:29:11 NAS daemon.notice openvpn[15175]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Apr 10 16:29:11 NAS daemon.notice openvpn[15175]: UDP link local: (not bound)
Apr 10 16:29:11 NAS daemon.notice openvpn[15175]: UDP link remote: [AF_INET]141.98.101.244:443

[Staff 9972]

@alanm

Hello!

The problem seems related to TLS Crypt authentication (you connect to an entry-IP address three). You should re-check that you have the correct TLS Crypt key and configuration:

• TLS Configuration = Use a TLS Key (checked)
• Automatically generate a TLS Key (unchecked)
• TLS Key = Paste contents of the tls-crypt.key downloaded here
• TLS Key Usage Mode = TLS Encryption and Authentication
• TLS keydir = use default direction

or you can go back to TLS Auth, with the ta.key and entry-IP address 1.

More in general, you're running an indeed obsolete OpenVPN version, please consider to upgrade, or even switch to WireGuard if you like.

@juniormaxx

Quote

are there any updated instructions on to set up pfsense with airvpn?

This great guide is very good for pfSense versions running OpenVPN 2.5 and OpenVPN 2.6 with DCO disabled. https://nguvu.org/pfsense/pfsense-baseline-setup/

Kind regards
 

[alanm 1]

3 hours ago, Staff said:

@alanm

Hello!

The problem seems related to TLS Crypt authentication (you connect to an entry-IP address three). You should re-check that you have the correct TLS Crypt key and configuration:

• TLS Configuration = Use a TLS Key (checked)
• Automatically generate a TLS Key (unchecked)
• TLS Key = Paste contents of the tls-crypt.key downloaded here
• TLS Key Usage Mode = TLS Encryption and Authentication
• TLS keydir = use default direction

or you can go back to TLS Auth, with the ta.key and entry-IP address 1.

More in general, you're running an indeed obsolete OpenVPN version, please consider to upgrade, or even switch to WireGuard if you like.

Right, I'm now up and running again after re-flashing my router to the latest version of DD-WRT. Using the same keys and certs as before, but now it just works. The main difference I can see is that the new firmware is using OpenVPN 2.5. The problem I have now is getting my NAS setup working, but that's nothing to do with the VPN side of things...

👍

[Air4141841 24]

looking at the logs in this thread.   a lot of users are running really old versions of Pfsense
any reason why you are not updating ? 
openssl from 2017?    

[overmorrow 2]

14 hours ago, Air4141841 said:

looking at the logs in this thread.   a lot of users are running really old versions of Pfsense
any reason why you are not updating ? 
openssl from 2017?    

Speaking only for myself here, but it's a combination of two things:
1) Setting up a router (like pfsense) with an even slightly more complicated network layout (and adding VPN tunneling definitely complicates things) is about as much fun as rolling around naked in a pile of crushed glass and rock salt. Unless you're a network engineer with at least a decade of experience, it involves a lot of arcane settings which affect things in subtle and often non-intuitive ways, so your only bet is to find a detailed guide and follow it like the Bible. Even then things usually don't work perfectly, and you end up having to tweak things without knowing exactly what you're doing. This meme captures the experience quite well: My code works, I have no idea why
2) Updating pfsense comes with a small, but definitely non-0 risk of things going pear-shaped, and you having to go through all the joy of setting it up again.

Let a very practical anecdote illustrate the above: When I updated from pfsense 2.4.5 to 2.5.0 a few years ago, something went to sh*t and my Internet no longer worked. Before updating I had taken a config backup, but restoring that backup on top of the new version did not restore functionality. Since the settings were exactly the same as before the update, I had absolutely no idea what to change to make it work again. The only solution was to downgrade to 2.4.5, which also turned out to be an unholy pain in the arse because:
a) My Internet wasn't working, so I had to drag a laptop down to the ISP router and plug it in directly to it, then search for everything I needed with it uncomfortably propped up in a place in my house not designed to house any computer equipment.
b) Pfsense does seemengly everything it can to hide away old versions, because they don't want people installing them, so just finding the right image to install took hours.
c) I then had to drag the pfsense box to the only computer in the house that still has a COM port, and hook the thing up to it. This was also a pain because the machine is now a mutimedia machine, and only hooked up to a projector. The keyboard is also in an extremly unergonomic position, because you're meant to watch movies on the thing, not hack stuff. Then I had to fight with getting the COM port connection to work, only to figure out that the cable I was using was apparently the wrong kind, so I had to get another, which finally allowed me to downgrade pfsense, import the old settings and have everything working again.

This whole clusterf*** took about 10 - 12 hours of work spread out over two days - all the time with no Internet connection other than the crappy laptop one, and an annoyed wife nagging about when she can go on Facebook again, and why we can't have "normal Internet like everybody else". So when faced with the choice whether to update or not... I hope you realize that experiences like the above have just a tiny bit of impact on the cost/risk/value -evaluation people do whenever they're faced with a choice of any kind...

[Air4141841 24]

totally get it.
I've had to reload pfsense and now opnsense a few times.

I was in a panic for a few hours.    and only had my cellphone with working internet..

backup config files are a must, but I have never not had a backup configuration file not work after a restore... never in almost 10 years of both firewalls. 

we are trying to secure our networks.   being on old versions seems like the wrong direction is all I am getting at