Showing results for tags 'PFSENSE'.
Found 60 results
-
ANSWERED Wireguard configuration on pfSense
MrCircinus posted a topic in Troubleshooting and Problems
Hello, It took me some time but I'm really warming up to AirVPN. I've just configured my first WireGuard tunnel on pfSense. I created two VPN devices in the client area for the same physical machine: one for all OpenVPN connections and a new one for the WireGuard connection. Am I right that I need to add another VPN device for every WireGuard tunnel please? Thanks.
-
I'm using pfSense to connect, and today it suddenly stopped working. I suspected that the reason was that I hadn't updated the certs in many years, as others seemed to have issues with that too, so I downloaded some new config files and updated the CA and the cert. I also updated the cipher, digest algorithm and TLS key to match the new file. Unfortunately I still can't connect. The client tries, and immediately disconnects. The logs do not provide much insight into what's going on... Any suggestions? My config is based on the old pfSense 2.3 guide available in the forum (and basically stems from a time when pfSense 2.3 was state of the art).
Apr 8 22:09:19 openvpn 86390 Server poll timeout, restarting
Apr 8 22:09:19 openvpn 86390 SIGUSR1[soft,server_poll] received, process restarting
Apr 8 22:09:19 openvpn 86390 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 8 22:09:19 openvpn 86390 TCP/UDP: Preserving recently used remote address: [AF_INET]128.127.104.82:443
Apr 8 22:09:19 openvpn 86390 Socket Buffers: R=[42080->262144] S=[57344->262144]
Apr 8 22:09:19 openvpn 86390 UDPv4 link local (bound): [AF_INET]XXX.XXX.XXX.XXX:0
Apr 8 22:09:19 openvpn 86390 UDPv4 link remote: [AF_INET]128.127.104.82:443
Apr 8 22:09:19 openvpn 86390 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 8 22:09:19 openvpn 86390 MANAGEMENT: CMD 'state 1'
Apr 8 22:09:19 openvpn 86390 MANAGEMENT: Client disconnected
-
TL;DR Issue: When port forwarding is enabled, traffic forwarded from the VPN is being returned via the WAN. So it's going AirVPN -> pfSense via VPN -> server -> pfSense via WAN -> clear Internet.
Software: pfSense 2.7.2-RELEASE, Package: WireGuard 0.2.1. Server: Ubuntu 22.04.03 LTS
I'm reaching out to the community because I'm out of ideas on how to fix what's going wrong. I'm not a network or firewall guru; I'm tech savvy but clearly not enough to resolve my issue 😧. I followed the pfSense baseline setup guide available at nguvu.org to configure my pfSense. While the guide primarily focuses on using OpenVPN for the VPN setup, I adapted the instructions to use WireGuard instead, but clearly I've missed something or am fundamentally misunderstanding something. When I configure port forwarding using AirVPN with WireGuard to pfSense to my VPN network to a server, I can see on a tcpdump that the initial inbound packets from AirVPN that are being port forwarded reach the server, but each reply seems to vanish when returned to the router. Using diag_packet_capture on pfSense, I can see the inbound traffic from AirVPN, but when the server replies, it's going out on the WAN interface. Clearly there's some sort of gateway issue. I even tried to pay someone on Fiverr to fix it but they couldn't see any reason for it; they're claiming it's a software defect, but seeing other people have somehow managed to do it, it must be possible. Have I missed something silly?
The port:
The Server:
These are my rules so far:
WAN:
WireGuard:
Floating:
VL20_VPN:
Note: Selective_Routing (or VPN whitelist) isn't set:
Gateways:
Port Forward:
Outbound NAT
-
Hello, I have been using AirVPN for quite some time now... I was previously using the Eddie client on a single machine, but decided to build a pfSense box and configure the VPN there. I am located in Canada, and setting a connection to a single VPN server in Toronto. It seems to give the best connection and reliability rather than going for ca.airvpn (I seem to always end up at a BC server using this entry). My issue is: I currently have a 150 Mbps connection with my ISP. Using pfSense without AirVPN I am able to reach my advertised speeds. With AirVPN configured, I am only ever seeing a max of about 30 Mbps. My hardware setup is quite decent: Intel® Core i5 CPU 650 @ 3.20GHz, 4 GB DDR3 memory, 120 GB SSD, 2 Intel NICs (both showing as igb). My speeds using Eddie were very very good, much better than the pfSense speeds, so I can only assume that I have a configuration error (my hardware seems to be quite good from what I have been reading). Some research from other posts did not help better my issue, so I am hoping that posting my own thread on this topic can bring me closer to a conclusion with mine. I followed the guide by "pfSense_fan": https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ I can post any diagnostics or logs as necessary, I just do not know what you guys would like to see. Any help with this would be appreciated. Regards
-
My current setup is pfSense Plus 23.09.01, with a VLAN exiting all traffic via AirVPN. This works fine. The VPN traffic exits via a gateway group; when that gateway group has OpenVPN servers I can reach the site, when it's WireGuard servers the browser says the connection has timed out. Furthermore, I use Firefox with DuckDuckGo as the search engine; this fails to resolve any websites over WireGuard (when I use Google no problem), over OpenVPN I don't have any problems. Tried Brave browser, same result. I checked the route on the AirVPN site, it was ok! Again the only thing I have changed was the protocol. Site: https://oysta.co/account/login OpenVPN servers: Alathfar, Kital. WireGuard servers: Betelgeuse, Alshain. ISP: Virgin Media. Any insight? I'm not even sure how to troubleshoot this, nothing in the pfSense logs jumps out at me.
-
Please see also here for an updated baseline guide for systems newer than 2.3 (updated 2021/02/20): https://nguvu.org/pfsense/pfsense-baseline-setup/
pfSense_fan's Guide: How To Set Up pfSense 2.3 for AirVPN
Guide is updated to pfSense Version 2.3. This guide will work on 2 or more interfaces. Please inform me of any and all errors found! Feedback is appreciated! Please rate this post or leave a comment to share if this worked for you!
Table of Contents:
Step 1: Disable IPv6 System Wide
Step 2: Entering our AirVPN CA, Certificate and Key
General Settings and Preparation
Step 3: Setting up the OpenVPN Client
Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway
Step 5: IP and Port Alias Creation to Aid Interface Setup
Step 6: Setting up an AirVPN Routed Interface
Step 7: General Settings, Advanced Settings and Other Tweaks
Step 8: Setting up the DNS Resolver
-
I am trying to use a pfSense router without breaking the bank and get the best possible VPN speed I can get. I can get 200 Mbps on my Windows and Mac using the AirVPN client. But on my DD-WRT router I get max 30 Mbps. So that is getting me to think about pfSense routers. After talking to some people I got the following recommendations. Please let me know if you have any other better options: https://www.amazon.com/dp/B01M25WO36/ref=wl_it_dp_o_pC_S_ttl?_encoding=UTF8&colid=8KBFV5I6BSV1&coliid=I3FSXBLHOBC2XK http://www.shuttle.eu/products/slim/ds57u5/ I would like to keep my budget under $300.
-
*****THIS GUIDE SHOULD NOW BE CONSIDERED OBSOLETE*****
pfSense 2.3 WAS RELEASED APRIL 12, 2016. WITH THAT RELEASE, I TOO RELEASED AN UPDATED GUIDE FOR 2.3. THE NEW GUIDE CAN BE FOUND HERE: How To Set Up pfSense 2.3 for AirVPN
I HIGHLY RECOMMEND BACKING UP ALL SETTINGS, AS WELL AS EACH INDIVIDUAL BACKUP AREA. AFTER BACKING UP, I RECOMMEND A CLEAN INSTALL OF 2.3, BUT AN UPGRADE SHOULD BE OK FOR MOST.
pfSense_fan's Guide: How To Set Up pfSense 2.1 for AirVPN Using Three or more NICs
Have only two NICs? Follow the guide through step 5, then go to the alternate step 6+7!!
Table of Contents:
Preface
Understanding Certificates and OpenVPN Config Files on pfSense
Understanding OpenVPN Settings on pfSense
Step 1: Entering our AirVPN CA (Certificate Authority)
Step 2: Entering our AirVPN Certificate and Key
Step 3: Setting up the OpenVPN Client
Step 4: Assigning the OpenVPN Interface
Step 5: Setting up the AirVPN Gateway
Step 6: Setting up the DNS Forwarder
Step 7: Setting up the LAN Interface
Step 8: Setting up the AirVPN_LAN Interface
Step 9: Setting Misc Advanced Options (Optional)
Step 10: Setting Bootloader and System Tunables (Optional)
Step 11: Setting Advanced OpenVPN Options (Optional)
Alternate Step 6+7 For Dual (Two) NIC installs
-
Hi, I have four pfSense routers (installed on Netgate hardware) that I use in different circumstances. Two of these four routers are configured to use AirVPN. Today, I updated my older router using AirVPN to the latest version of pfSense, which is pfSense Plus 21.02.2-RELEASE. This update includes the latest version of the OpenVPN client. Upon completing the pfSense update, it was necessary for me to fix some of the deprecated settings. To do so, I went through the latest AirVPN guide provided for pfSense (https://nguvu.org/pfsense/pfsense-baseline-setup/) and followed the OpenVPN settings section exactly (using the recommended UDP settings rather than the TCP I prefer). Now, when I boot up either of my AirVPN routers running pfSense from being powered off or, if I do a reboot from the user interface, AirVPN will not connect. Upon startup (and logging into pfSense), the pfSense Dashboard displays that the OpenVPN client interface statistics widget has a green arrow icon pointing up, but I am unable to send/receive any information to/from the Internet. The Interface Statistics widget within the pfSense dashboard shows a lot of activity within the AirVPN_LAN interface, but very little (if any) activity within the AirVPN_WAN interface (only 0 - 30 packets in/out even after long periods of time). In order to get the OpenVPN service working, I have to restart it manually three to four times using the pfSense Dashboard controls. While doing so, the unbound DNS Resolver service crashes with each startup, forcing me to also start that manually each time. In case it is helpful, I have looked through the OpenVPN logs and noticed a recurring error "ioctl(TUNSIFMODE): Device busy (errno=16)". After repeatedly restarting these services, the OpenVPN WAN interface will finally begin to work, connecting me to AirVPN successfully. This is true for both my older and newer pfSense routers using AirVPN services.
To anticipate possible questions that may arise: I use my AirVPN routers frequently but not consistently, making it necessary to turn them on and off. I prefer TCP because: TCP is said by some to be more stable than UDP (fewer dropped packets). TCP is said by others to be more secure than UDP. Regardless of whether either of the statements immediately above is true, for my needs, the slight drop in speed is not noticeable. My third and fourth pfSense routers, which connect via OpenVPN using VPN services from other providers, do not have this issue when powered off then on again. Thank you in advance for your guidance in fixing this problem.
-
Hi Everyone, Installed pfSense 2.5.0 community, no major dramas updating from 2.4.5. However I'm getting the following error when starting up OpenVPN:
Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0)
I'm trying to find out what this parameter may be and if it's specific to AirVPN, any ideas please?
-
I just added IPv6 support on my pfSense box, using AirVPN and a VLAN. Note that I already had the VPN VLAN set up and working correctly with IPv4, so this guide is only about what needed to be changed to add IPv6 support. Recently, AirVPN has implemented IPv6 across their servers. Provided you are running a recent version of OpenVPN (>= 2.4), and you adjust your client configuration properly, you will be assigned an IPv6 address along with the typical IPv4 address. In my setup, I’m using pfSense as my firewall / router, and have several VLANs configured for various purposes. One of these VLANs is specifically for VPN usage. So the question becomes: how to take the single IPv6 address assigned from AirVPN and make it usable on a VLAN, for multiple hosts. This setup is severely sub-optimal, as IPv6 was designed to avoid NAT (there are what, 3.4x10^38 available addresses?). Given that the design of the protocol and AirVPN’s implementation are at odds, there are some problems that you will encounter. The most annoying being that browsers don’t want to use your IPv6 address, and you will continue to use IPv4, despite having everything set up “correctly.” It may be possible to overcome this with some per-host modifications (on Linux, look to /etc/gai.conf), but that is perhaps not maintainable in the long run. This problem stems from the fact that the address Air is providing is a Unique Local Address (ULA), which, by definition, is not globally routable. This address gets translated at Air’s servers into a normal, globally routable, address. But what the software on your machine sees is a ULA, and since that isn’t a globally routable IP address, the software will prefer the IPv4 address, where it is understood that NAT will probably be used. Given this implementation, I am not convinced it is worth it to set up IPv6 in this type of configuration.
Having said all that, here is how I configured things to get IPv6 “working” with AirVPN on a pfSense VLAN:

1: Get an IPv6 address from AirVPN
Assuming you are running a recent release of pfSense, you should have the necessary OpenVPN version for this to work (I’m on pfSense 2.4.4, which is using OpenVPN 2.4.6). Go into your OpenVPN client configuration and set “Protocol” to “UDP IPv4 and IPv6 on all interfaces (multihome)”, scroll down to “Custom options” and make sure you have these 2 lines:
push-peer-info;
setenv UV_IPV6 yes;
Save, and possibly restart the service. You should now have both IPv4 and IPv6 addresses assigned to your VPN connection.

2: Create a new Gateway
I can’t remember if the gateway was automatically created at this point. If not, add a new gateway. If one was auto created, edit it. Then make sure:
- Interface is set to the VPN
- Address family is IPv6
- Give it a name (VPN1_WAN_IPv6 in my case)
I’ve left everything else at default settings, then set a description, and Save and reload.

3: Modify your VPN VLAN
From the “Interfaces” menu, select your VPN VLAN entry, then:
- Set “IPv6 Configuration Type” to “Static IPv6”
- Scroll down to the “Static IPv6 Configuration” section and set an address and prefix. I chose a “random” ULA (FDxx:xxxx:xxxx:10::1). Obviously, choose hex characters in place of the “x”s; the “10” matches my VLAN number.
- Set the prefix to /64
- Leave “use IPv4 connectivity” unchecked and the gateway set to “None”
- Save and reload

4: Configure Router Advertisements and/or DHCPv6
From the “Services” menu, select “DHCPv6 Server & RA”, then choose your VLAN. In my setup, I’m not bothering with DHCP, just using SLAAC, so I go directly to the “Router Advertisements” tab.
- Set Router Mode to Unmanaged
- Priority to Normal
- You may choose to put your IPv6 DNS server into the DNS configuration section (I believe Air’s server is fde6:7a:7d20:4::1)
- Leave everything else as is (blank)
- Save and reload

5: Set NAT Rules
From the “Firewall” menu, select “NAT”, then go to the “Outbound” tab. Click the second “Add” button.
- Set “Interface” to your VPN gateway
- “Address Family” is “IPv6”
- Source type is “network”
- Source network is the ULA you set up earlier (“FDxx:xxxx:xxxx:10::/64”). I did this using an alias. Note that the subnet drop down doesn’t list anything above a /32 (it’s meant for IPv4), so I left it at /32. Seems to work anyway.
- The Translation Address should be set to “Interface Address”
- Add in a description, if you wish, and Save and reload

6: Set Firewall Rules
From the “Firewall” menu, select “Rules” and then the appropriate VLAN tab. Click the second “Add” button.
- “Action” is “Pass”
- “Interface” is your VLAN
- “Address Family” is “IPv6”
- Set the rules appropriately for your situation. In my case, just to get things working, I set “Protocol” to “Any” and “Source” to “[VLAN] net”
- Click the “Display Advanced” button
- Scroll down to “Gateway” and select your previously configured VPN IPv6 gateway
- Save and reload
NOTE: Be sure to move the rule you just created into the correct spot in your rules list! Remember, the rules are checked in order, so if you have a deny rule above your new pass rule in the list, it won’t work.

At this point I rebooted pfSense and my VPN client machine. I now have an IPv6 address, assigned from the ULA block I set up. Visiting https://ipleak.net shows I have both IPv4 and IPv6 connectivity. Going to https://test-ipv6.com gives me a 10/10, but with the note that the browser is avoiding using the IPv6 address. See the note from AirVPN Staff about this: https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/
Hopefully this is helpful to someone out there.
MrFricken
-
Hi, If you want to port-forward and not use the UPnP in pfSense, then follow this instruction:
In the pfSense browser navigate to Firewall -> NAT -> Port Forward. Click on the Plus button and follow the instructions in the picture:
- In the Redirect Target IP section, fill in your client's IP (192.168.0.115 for example) running the program (uTorrent for example)
- In the port sections fill in the forwarded port created on the AirVPN website
- In the Filter rule association section select: create new associated filter rule (this will create a rule for the firewall automatically)
Click Save and navigate to the Outbound tab and click on the lowest Plus button and follow the instructions on the picture:
- In the Destination IP section, fill in your router's IP
- In the Redirect Target IP section, fill in your client's IP (192.168.0.115 for example) running the program (uTorrent for example)
- In the port sections fill in the forwarded port created on the AirVPN website
Click Save. As you can see in the green light in the below picture, I'm connected: Up and running!
Good luck, knicker
-
I have tried to use an .ovpn config from my pfSense with the Eddie app. I have tried several client export formats on the pfSense, but Eddie does not accept the .ovpn files. So I assume multi-provider support is not available in the Android app right now?
-
I have configured pfSense using one of the guides and the connection is working fine over port 443. However, I've learnt that it is better to use tls-crypt over TCP from my location and I was wondering what changes I would need to make to pfSense for this. Also, the speed right now is already a tad bit slow (compared to PIA, which I am also testing). I am based in Dubai and connecting to the new UK/Manchester server. Does anyone have experience with a faster server?
-
If you are looking on how to configure AirVPN on pfSense, please follow this great post. The following are just a few changes I made that worked for me and that might help someone with the same problems I had. Mostly, avoiding a DNS leak. Note that I am not an expert so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patch of multiple ideas on the net that led me to a working solution.

1. Create the VPN Certificates you need
Go to AirVPN and download a config file (.ovpn): https://airvpn.org/generator/
Now go to pfSense and create a CA for AirVPN:
Descriptive name: [AirVPN CA]
Method: [import an existing Certificate Authority]
Certificate data: [Open .ovpn file and insert data found between <ca> and </ca>]
Save
Now open the Certificates tab and create a new certificate:
Method: [import an existing certificate]
Descriptive name: [AirVPN Client]
Certificate data: [Open .ovpn file and insert data found between <cert> and </cert>]
Private key data: [Open .ovpn file and insert data found between <key> and </key>]

2. Create an OpenVPN connection
https://rtr.noh.lan/vpn_openvpn_server.php
Follow the document mentioned above and make the following modifications to it. Go to the Clients tab and make sure that:
- You use an IP as the Server host to make sure you can re-connect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can access it...
- Add the following options (one per line; "auth-nocache" and "mlock" are separate options):
server-poll-timeout 10;
explicit-exit-notify 5;
auth-nocache;
mlock;
fast-io;
key-direction 1;
prng SHA512 64;
tls-version-min 1.2;
key-method 2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
tls-timeout 2;
remote-cert-tls server;
remote 185.206.225.58 443 # no.vpn.airdns.org
remote 82.102.27.194 443 # no.vpn.airdns.org
remote 91.207.102.162 443 # ro.vpn.airdns.org
remote 86.105.9.66 443 # ro.vpn.airdns.org
The "remote" entries allow your VPN to connect to another server if the VPN connection drops.

3. The resolver settings I have
General Settings
Enable: [X]
Listen Port: [Blank]
Network Interfaces: [LAN] + any other local network you may have
Outgoing Network Interfaces: [Your VPN Interface]
System Domain Local Zone Type: [Transparent]
DNSSEC: [X]
DNS Query Forwarding: [ ]
DHCP Registration: [ ]
Static DHCP: [X]
OpenVPN Clients: [ ]
Custom options:
forward-zone:
  name: "."
  forward-addr: 10.4.0.1
Note that the Custom options forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change, so check or it will fail.
Advanced Settings
Hide Identity: [X]
Hide Version: [X]
Prefetch Support: [X]
Prefetch DNS Key Support: [X]
Harden DNSSEC Data: [X]
Serve Expired: [ ]
The rest I have left as default. Now go to DNSLeakTest and test! I hope this helped someone.
-
Hi everyone, Here's what happened. I set up my pfSense Firewall Appliance almost two months ago, using the pfSense tutorial that AirVPN provides. It worked flawlessly until last Thursday. Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1) wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudflare, you-name-it DNSs and was back online. I wonder if someone else here has also encountered (or is encountering) this situation? This is very weird. I am positively sure that there wasn't any loss of data (my Firewall Appliance is connected to a brand new UPS). Please, let me know. Regards
-
Good Morning, I've noticed over the past week since I have started installing the development version of pfSense (currently 2.4.5.a.20180918.0149): I did this remotely at work yesterday and I lost internet at home entirely. Since my network being down is quite a bad thing, I started trying to fix it remotely. Spectrum has a feature to log in to their site and reboot the modem. I did that AND I logged into my AirVPN account and under client area I disconnected my session. 5 minutes later my internet was back up. This morning there was another update. I applied the update and it automatically rebooted. I lost connection again. This time I simply disconnected my session under client area. 5 minutes later my connection was back up. Not pointing fingers at all here. I just wanted to share my experience and hopefully this will save someone some driving.
-
I have AirVPN all set up and running great on a pfSense router that my home network sits behind. I am trying to get port forwarding set up for torrenting on a server running Windows Server 2016. As far as I can tell everything is set up exactly as it should be but I just can't get it to work. I am connected to Metallah. I have created the forwarded port on the AirVPN site. I have the port open in my Windows firewall. I have the port forwarded in pfSense. I have my torrent client configured to listen on the port I've set up in AirVPN and pfSense and I have my torrent client running with an active torrent trying to download. I have verified that the port is open and can be connected to on my LAN. I have tried 2 different torrent clients (qBittorrent and Deluge) as well as a port listener tool that simply opens any port you specify on TCP or UDP and just listens for connections. When I check the port on the AirVPN site I get error 110 timeout. I've also tried other sites and tools for performing external tests on that port and they all indicate that the port is not open. I have tried creating several new ports on AirVPN (at least 4) and tested on multiple computers on my network, all with new corresponding NAT rules in pfSense. No matter what I do I can't get port forwarding to work and I'm at my wits' end. I hope someone can help me figure this out. Here is a screenshot of my NAT rule in pfSense.
-
Hi, I've been trying to get a Gen 2 Server working on my pfSense 2.4 without much success. It seems I am getting no response from the VPN Server. I downloaded a config file for Linux for version 2.4 and above and for IPv4/6 with an IPv4 connection. I mention two IP addresses below: 100.200.100.100 is the modded IP of Alphirk, 80.60.1.70 is my WAN. The following are my VPN settings:
Server Mode = Peer to Peer (SSL/TLS)
Protocol = UDP on IPv4 only
Device mode = tun - Layer 3 Tunnel Mode
Interface = WAN
Local Port =
Server host = 100.200.100.100
Server port = 443
Proxy host or address = empty
Proxy Port = empty
Proxy authentication = none
Description = AirVPN client
User Authentication Settings
Username = Empty
Password = Empty
Cryptographic settings
TLS Key = [From file]
TLS Key Usage Mode = TLS Authentication
Peer certificate authority = AirVPN_CA
Peer certificate revocation list = No Lists defined
Client certificate = AirVPN_cert (CA: AirVPN_CA)
Encryption algorithm = AES-256-CBC (256bit key, 128 bit block)
Allowed NCP Encryption Algorithms: AES-256-GCM, AES-256-CBC
Auth digest Algorithm = SHA512
Hardware crypto = Intel RDRAND (I have Intel hardware)
Tunnel Settings
IPv4 Tunnel Network = Empty
IPv6 Tunnel Network = Empty
IPv4 Remote Network(s) = Empty
IPv6 Remote Network(s) = Empty
Limit outgoing bandwidth = Default
Compression = No LZO compression
Topology = Subnet - One IP address per client in a common subnet
Type-of-Service = Disabled
Don't pull routes = Enabled
Don't add/remove routes = Enabled
Advanced Configuration
Custom Options = resolv-retry infinite; persist-key; persist-tun; auth-nocache; route-delay 5; explicit-exit-notify 5; push-peer-info; setenv UV_IPV6 yes; remote-cert-tls server; client; key-method 2; key-direction 1; mlock; keepalive 5 30;
Send/Receive Buffer = 512KiB
I have tried with and without the added Custom Options. When I do a tcpdump, I don't seem to get a reply from the server.
# tcpdump -vv -i pppoe0 dst host 100.200.100.100
tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
09:33:50.140639 IP (tos 0x0, ttl 64, id 61213, offset 0, flags [none], proto UDP (17), length 114) 80.60.1.70.14587 > 100.200.100.100.https: [udp sum ok] UDP, length 86
09:33:52.678718 IP (tos 0x0, ttl 64, id 55421, offset 0, flags [none], proto UDP (17), length 114) 80.60.1.70.14587 > 100.200.100.100.https: [udp sum ok] UDP, length 86
09:33:56.509027 IP (tos 0x0, ttl 64, id 21398, offset 0, flags [none], proto UDP (17), length 114) 80.60.1.70.14587 > 100.200.100.100.https: [udp sum ok] UDP, length 86
This is a dump of a VPN connection attempt.
Sep 11 09:33:55 openvpn[50510]: MANAGEMENT: Client disconnected
Sep 11 09:33:55 openvpn[50510]: MANAGEMENT: CMD 'state 1'
Sep 11 09:33:55 openvpn[50510]: MANAGEMENT: Client connected from /var/etc/openvpn/client6.sock
Sep 11 09:33:55 openvpn[87430]: MANAGEMENT: Client disconnected
Sep 11 09:33:55 openvpn[87430]: MANAGEMENT: CMD 'status 2'
Sep 11 09:33:55 openvpn[87430]: MANAGEMENT: CMD 'state 1'
Sep 11 09:33:55 openvpn[87430]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Sep 11 09:33:52 openvpn[50510]: UDPv4 WRITE [86] to [AF_INET]100.200.100.100:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Sep 11 09:33:50 openvpn[50510]: UDPv4 WRITE [86] to [AF_INET]100.200.100.100:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Sep 11 09:33:50 openvpn[50510]: SENT PING
Sep 11 09:33:50 openvpn[50510]: TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Sep 11 09:33:50 openvpn[50510]: UDPv4 link remote: [AF_INET]100.200.100.100:443
Sep 11 09:33:50 openvpn[50510]: UDPv4 link local (bound): [AF_INET]80.60.1.70:0
Sep 11 09:33:50 openvpn[50510]: Socket Buffers: R=[42080->524288] S=[57344->524288]
11 09:33:50 openvpn[50251]: server_bridge_ip = 0.0.0.0 Sep 11 09:33:50 openvpn[50251]: server_netbits_ipv6 = 0 Sep 11 09:33:50 openvpn[50251]: server_network_ipv6 = :: Sep 11 09:33:50 openvpn[50251]: server_netmask = 0.0.0.0 Sep 11 09:33:50 openvpn[50251]: server_network = 0.0.0.0 Sep 11 09:33:50 openvpn[50251]: tls_crypt_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: tls_auth_file = '/var/etc/openvpn/client6.tls-auth' Sep 11 09:33:50 openvpn[50251]: tls_exit = DISABLED Sep 11 09:33:50 openvpn[50251]: push_peer_info = ENABLED Sep 11 09:33:50 openvpn[50251]: single_session = DISABLED Sep 11 09:33:50 openvpn[50251]: transition_window = 3600 Sep 11 09:33:50 openvpn[50251]: handshake_window = 60 Sep 11 09:33:50 openvpn[50251]: renegotiate_seconds = 3600 Sep 11 09:33:50 openvpn[50251]: renegotiate_packets = 0 Sep 11 09:33:50 openvpn[50251]: renegotiate_bytes = -1 Sep 11 09:33:50 openvpn[50251]: tls_timeout = 2 Sep 11 09:33:50 openvpn[50251]: ssl_flags = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_eku = 'TLS Web Server Authentication' Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 0 Sep 11 09:33:50 openvpn[50251]: remote_cert_ku[i] = 65535 Sep 11 09:33:50 openvpn[50251]: ns_cert_type = 0 Sep 11 09:33:50 openvpn[50251]: 
crl_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: verify_x509_name = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: verify_x509_type = 0 Sep 11 09:33:50 openvpn[50251]: tls_export_cert = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: tls_verify = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: cipher_list = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: pkcs12_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: priv_key_file = '/var/etc/openvpn/client6.key' Sep 11 09:33:50 openvpn[50251]: extra_certs_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: cert_file = '/var/etc/openvpn/client6.cert' Sep 11 09:33:50 openvpn[50251]: dh_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: ca_path = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: ca_file = '/var/etc/openvpn/client6.ca' Sep 11 09:33:50 openvpn[50251]: key_method = 2 Sep 11 09:33:50 openvpn[50251]: tls_client = ENABLED Sep 11 09:33:50 openvpn[50251]: tls_server = DISABLED Sep 11 09:33:50 openvpn[50251]: test_crypto = DISABLED Sep 11 09:33:50 openvpn[50251]: use_iv = ENABLED Sep 11 09:33:50 openvpn[50251]: packet_id_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: replay_time = 15 Sep 11 09:33:50 openvpn[50251]: replay_window = 64 Sep 11 09:33:50 openvpn[50251]: mute_replay_warnings = DISABLED Sep 11 09:33:50 openvpn[50251]: replay = ENABLED Sep 11 09:33:50 openvpn[50251]: engine = ENABLED Sep 11 09:33:50 openvpn[50251]: keysize = 0 Sep 11 09:33:50 openvpn[50251]: prng_nonce_secret_len = 16 Sep 11 09:33:50 openvpn[50251]: prng_hash = 'SHA1' Sep 11 09:33:50 openvpn[50251]: authname = 'SHA512' Sep 11 09:33:50 openvpn[50251]: ncp_ciphers = 'AES-256-GCM:AES-256-CBC' Sep 11 09:33:50 openvpn[50251]: ncp_enabled = ENABLED Sep 11 09:33:50 openvpn[50251]: ciphername = 'AES-256-CBC' Sep 11 09:33:50 openvpn[50251]: key_direction = 2 Sep 11 09:33:50 openvpn[50251]: shared_secret_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: management_flags = 256 Sep 11 09:33:50 openvpn[50251]: management_client_group = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: 
management_client_user = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: management_write_peer_info_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: management_echo_buffer_size = 100 Sep 11 09:33:50 openvpn[50251]: management_log_history_cache = 250 Sep 11 09:33:50 openvpn[50251]: management_user_pass = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: management_port = 'unix' Sep 11 09:33:50 openvpn[50251]: management_addr = '/var/etc/openvpn/client6.sock' Sep 11 09:33:50 openvpn[50251]: allow_pull_fqdn = DISABLED Sep 11 09:33:50 openvpn[50251]: route_gateway_via_dhcp = DISABLED Sep 11 09:33:50 openvpn[50251]: route_nopull = ENABLED Sep 11 09:33:50 openvpn[50251]: route_delay_defined = ENABLED Sep 11 09:33:50 openvpn[50251]: route_delay_window = 30 Sep 11 09:33:50 openvpn[50251]: route_delay = 5 Sep 11 09:33:50 openvpn[50251]: route_noexec = ENABLED Sep 11 09:33:50 openvpn[50251]: route_default_metric = 0 Sep 11 09:33:50 openvpn[50251]: route_default_gateway = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: route_script = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: comp.flags = 0 Sep 11 09:33:50 openvpn[50251]: comp.alg = 1 Sep 11 09:33:50 openvpn[50251]: fast_io = ENABLED Sep 11 09:33:50 openvpn[50251]: sockflags = 0 Sep 11 09:33:50 openvpn[50251]: sndbuf = 524288 Sep 11 09:33:50 openvpn[50251]: rcvbuf = 524288 Sep 11 09:33:50 openvpn[50251]: occ = ENABLED Sep 11 09:33:50 openvpn[50251]: status_file_update_freq = 60 Sep 11 09:33:50 openvpn[50251]: status_file_version = 1 Sep 11 09:33:50 openvpn[50251]: status_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: gremlin = 0 Sep 11 09:33:50 openvpn[50251]: mute = 0 Sep 11 09:33:50 openvpn[50251]: verbosity = 7 Sep 11 09:33:50 openvpn[50251]: nice = 0 Sep 11 09:33:50 openvpn[50251]: machine_readable_output = DISABLED Sep 11 09:33:50 openvpn[50251]: suppress_timestamps = DISABLED Sep 11 09:33:50 openvpn[50251]: log = DISABLED Sep 11 09:33:50 openvpn[50251]: inetd = 0 Sep 11 09:33:50 openvpn[50251]: daemon = ENABLED Sep 11 09:33:50 
openvpn[50251]: up_delay = DISABLED Sep 11 09:33:50 openvpn[50251]: up_restart = DISABLED Sep 11 09:33:50 openvpn[50251]: down_pre = DISABLED Sep 11 09:33:50 openvpn[50251]: down_script = '/usr/local/sbin/ovpn-linkdown' Sep 11 09:33:50 openvpn[50251]: up_script = '/usr/local/sbin/ovpn-linkup' Sep 11 09:33:50 openvpn[50251]: writepid = '/var/run/openvpn_client6.pid' Sep 11 09:33:50 openvpn[50251]: cd_dir = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: chroot_dir = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: groupname = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: username = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: resolve_in_advance = DISABLED Sep 11 09:33:50 openvpn[50251]: resolve_retry_seconds = 1000000000 Sep 11 09:33:50 openvpn[50251]: passtos = DISABLED Sep 11 09:33:50 openvpn[50251]: persist_key = ENABLED Sep 11 09:33:50 openvpn[50251]: persist_remote_ip = DISABLED Sep 11 09:33:50 openvpn[50251]: persist_local_ip = DISABLED Sep 11 09:33:50 openvpn[50251]: persist_tun = ENABLED Sep 11 09:33:50 openvpn[50251]: remap_sigusr1 = 0 Sep 11 09:33:50 openvpn[50251]: ping_timer_remote = ENABLED Sep 11 09:33:50 openvpn[50251]: ping_rec_timeout_action = 2 Sep 11 09:33:50 openvpn[50251]: ping_rec_timeout = 30 Sep 11 09:33:50 openvpn[50251]: ping_send_timeout = 5 Sep 11 09:33:50 openvpn[50251]: inactivity_timeout = 0 Sep 11 09:33:50 openvpn[50251]: keepalive_timeout = 30 Sep 11 09:33:50 openvpn[50251]: keepalive_ping = 5 Sep 11 09:33:50 openvpn[50251]: mlock = ENABLED Sep 11 09:33:50 openvpn[50251]: mtu_test = 0 Sep 11 09:33:50 openvpn[50251]: shaper = 0 Sep 11 09:33:50 openvpn[50251]: ifconfig_ipv6_remote = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: ifconfig_ipv6_netbits = 0 Sep 11 09:33:50 openvpn[50251]: ifconfig_ipv6_local = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: ifconfig_nowarn = DISABLED Sep 11 09:33:50 openvpn[50251]: ifconfig_noexec = DISABLED Sep 11 09:33:50 openvpn[50251]: ifconfig_remote_netmask = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: ifconfig_local = '[UNDEF]' 
Sep 11 09:33:50 openvpn[50251]: topology = 1 Sep 11 09:33:50 openvpn[50251]: lladdr = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: dev_node = '/dev/tun6' Sep 11 09:33:50 openvpn[50251]: dev_type = 'tun' Sep 11 09:33:50 openvpn[50251]: dev = 'ovpnc6' Sep 11 09:33:50 openvpn[50251]: ipchange = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: remote_random = DISABLED Sep 11 09:33:50 openvpn[50251]: Connection profiles END Sep 11 09:33:50 openvpn[50251]: explicit_exit_notification = 5 Sep 11 09:33:50 openvpn[50251]: mssfix = 1450 Sep 11 09:33:50 openvpn[50251]: fragment = 0 Sep 11 09:33:50 openvpn[50251]: mtu_discover_type = -1 Sep 11 09:33:50 openvpn[50251]: tun_mtu_extra_defined = DISABLED Sep 11 09:33:50 openvpn[50251]: tun_mtu_extra = 0 Sep 11 09:33:50 openvpn[50251]: link_mtu_defined = DISABLED Sep 11 09:33:50 openvpn[50251]: link_mtu = 1500 Sep 11 09:33:50 openvpn[50251]: tun_mtu_defined = ENABLED Sep 11 09:33:50 openvpn[50251]: tun_mtu = 1500 Sep 11 09:33:50 openvpn[50251]: socks_proxy_port = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: socks_proxy_server = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: connect_timeout = 120 Sep 11 09:33:50 openvpn[50251]: connect_retry_seconds = 5 Sep 11 09:33:50 openvpn[50251]: bind_ipv6_only = DISABLED Sep 11 09:33:50 openvpn[50251]: bind_local = ENABLED Sep 11 09:33:50 openvpn[50251]: bind_defined = DISABLED Sep 11 09:33:50 openvpn[50251]: remote_float = DISABLED Sep 11 09:33:50 openvpn[50251]: remote_port = '443' Sep 11 09:33:50 openvpn[50251]: remote = '100.200.100.100' Sep 11 09:33:50 openvpn[50251]: local_port = '0' Sep 11 09:33:50 openvpn[50251]: local = '80.60.1.70' Sep 11 09:33:50 openvpn[50251]: proto = udp4 Sep 11 09:33:50 openvpn[50251]: Connection profiles [0]: Sep 11 09:33:50 openvpn[50251]: connect_retry_max = 0 Sep 11 09:33:50 openvpn[50251]: show_tls_ciphers = DISABLED Sep 11 09:33:50 openvpn[50251]: key_pass_file = '[UNDEF]' Sep 11 09:33:50 openvpn[50251]: genkey = DISABLED Sep 11 09:33:50 openvpn[50251]: show_engines = 
DISABLED Sep 11 09:33:50 openvpn[50251]: show_digests = DISABLED Sep 11 09:33:50 openvpn[50251]: show_ciphers = DISABLED Sep 11 09:33:50 openvpn[50251]: mode = 0 Sep 11 09:33:50 openvpn[50251]: config = '/var/etc/openvpn/client6.conf' Sep 11 09:33:50 openvpn[50251]: Current Parameter Settings: Sep 11 09:33:47 openvpn[87430]: MANAGEMENT: Client disconnected Sep 11 09:33:47 openvpn[87430]: MANAGEMENT: CMD 'status 2' Sep 11 09:33:47 openvpn[87430]: MANAGEMENT: CMD 'state 1' Sep 11 09:33:47 openvpn[87430]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock Can soneone see what it is I am doing wrong?
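As an added example (not part of the post above, and not an AirVPN or pfSense tool), a Python checker for two things worth doing with a verbosity-7 client log like this one before asking for help: compare the "Expected Remote Options String" with the "Local Options String" the way OpenVPN's OCC check does, reporting only real mismatches (keydir 0/1 and tls-server/tls-client are meant to differ between the two ends), and redact the "HMAC KEY:" lines, which at verb 7 print the tls-auth key material. The sample lines are constructed after the log above; the hex in the key line is a placeholder, not the poster's key. The function names are mine.

```python
import re

# Constructed sample modelled on the verbosity-7 log above; the hex key is a placeholder.
SAMPLE_LOG = """\
Sep 11 09:33:50 openvpn[50510]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sep 11 09:33:50 openvpn[50510]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sep 11 09:33:50 openvpn[50510]: Incoming Control Channel Authentication: HMAC KEY: 00112233 44556677 8899aabb ccddeeff 00112233 44556677 8899aabb ccddeeff 00112233 44556677 8899aabb ccddeeff 00112233 44556677 8899aabb ccddeeff
Sep 11 09:33:50 openvpn[50510]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
"""

OPTIONS_RE = re.compile(r"(Expected Remote|Local) Options String \(VER=V\d+\): '([^']*)'")
HMAC_KEY_RE = re.compile(r"(HMAC KEY: )[0-9a-f]{8}(?:\s+[0-9a-f]{8})*")

# Options whose values legitimately differ between the two ends of a tls-auth link.
ROLE_DEPENDENT = {"keydir", "tls-server", "tls-client"}


def parse_options_strings(log_text):
    """Return {'remote': {...}, 'local': {...}}, each an option -> value map from the OCC lines."""
    found = {}
    for m in OPTIONS_RE.finditer(log_text):
        side = "remote" if m.group(1).startswith("Expected") else "local"
        opts = {}
        for item in m.group(2).split(","):
            key, _, value = item.strip().partition(" ")  # 'cipher AES-256-CBC' -> ('cipher', 'AES-256-CBC')
            opts[key] = value
        found[side] = opts
    return found


def occ_mismatches(remote, local):
    """Options present or valued differently on the two sides, ignoring role-dependent ones."""
    diffs = {}
    for key in sorted(set(remote) | set(local)):
        if key in ROLE_DEPENDENT:
            continue
        if remote.get(key) != local.get(key):
            diffs[key] = (remote.get(key), local.get(key))
    return diffs


def keydir_complementary(remote, local):
    """tls-auth only works if one side uses key direction 0 and the other 1."""
    return {remote.get("keydir"), local.get("keydir")} == {"0", "1"}


def redact_hmac_keys(log_text):
    """Replace dumped HMAC key material so the log can be shared."""
    return HMAC_KEY_RE.sub(r"\1<redacted>", log_text)


def review_log(log_text):
    """Human-readable findings for a pasted client log."""
    findings = []
    sides = parse_options_strings(log_text)
    if "remote" in sides and "local" in sides:
        for key, (r, l) in occ_mismatches(sides["remote"], sides["local"]).items():
            findings.append(f"option '{key}' differs: server expects {r!r}, client has {l!r}")
        if not keydir_complementary(sides["remote"], sides["local"]):
            findings.append("tls-auth key direction is not complementary (need 0 on one side, 1 on the other)")
    else:
        findings.append("no OCC options strings found (server never answered, or log verbosity too low)")
    if HMAC_KEY_RE.search(log_text):
        findings.append("log contains HMAC key material; redact before posting")
    return findings


if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print(line)
    print(redact_hmac_keys(SAMPLE_LOG))
```

On the log above the option strings agree (cipher, auth, comp-lzo, tls-auth and key direction all line up), so the checker reports only the key leak; a cipher or tls-auth mismatch would show up as a named difference instead of a silent "Server poll timeout".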
-
Hi and good morning to all. I am here because, like so many others, I am at the end of my tether and need help and assistance from those of you in the know. I need to open ports for my game server, bypassing the VPN. I will keep my first description of my current setup as short as possible, and anybody who wishes to help may ask for further details.

I have 2 instances of pfSense running on a Windows 2012 R2 server machine in Hyper-V. One is configured using this tut https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ and the other handles the DHCP and Squid. My reasoning for this is that Squid does not play nice with VPNs; I have tried everything to get them to work together, but pfSense wants to use the default WAN when Squid is installed, so this was my workaround. I have tried others like pfBlockerNG, but it does not have the level of control that Squid offers.

Now to the complicated bit. For the purpose of this I will refer to pfSense 1 (VPN) as "Firewall" and pfSense 2 (DHCP & Squid) as "Proxy". The Proxy has 2 LAN subnets: 192.168.1.1, which is the local LAN network and is hooked to Squid, and 192.168.3.1, which is an isolated LAN I wish to use for a game server, which has an IP of 3.5. Then I have 2 WANs: 192.168.2.2 static, which is bridged to 2.1 on the Firewall, and 192.168.4.2 VLAN ID 10, which connects to 4.1 VLAN ID 10 on the Firewall; my 192.168.3.5 is routed out this interface in order for it to be passed to the Firewall and on to the WAN. The Firewall is set up as described in the tut above and works as intended, with the exception that the default LAN has changed: 192.168.2.1 is now a virtual LAN interface and is bridged with the virtual WAN interface of the Proxy, which is 2.2. It also has another LAN interface, VLAN 192.168.4.1 ID 10, which is hooked up to the 4.2 of the Proxy; this interface is to bypass the VPN and is routed out the WAN.
Up until this point everything works as intended: normal LAN clients can access the internet through the VPN, and my isolated subnet can access the web through the WAN. I can also access any game servers I have running locally, and this is where the fun ends: for the life of me I can't get ports open to the outside world. It is strange to me that my game server can access the web and servers can contact Steam, but beyond that there seem to be no ports open. I have tried many things, such as forwarding ports using NAT out the various gateways. According to the various port-checking sites I have visited, all my ports are closed, even port 80, and I know this cannot be, because I can access the web just fine. I appreciate that I may have many extra steps to take with my current configuration in order to get this to work, and I am very much looking forward to any help that can be given. Thanks in advance.
-
Good morning! Sorry if I posted this in the wrong area, but I've been looking for a guide to help setup IPV6 on PfSense over AirVPN's updated servers. No, I don't want IPV6 from my ISP (I already have that and have been testing that); instead, I would like someone who is knowledgeable about the subject to help me (and other people) out with setting it up. If I figure something out in the meantime, I will post w/ my results. Thanks in advance! ------- Mods: please move the topic if I put it in the wrong area. I is sorry in advance.
-
Hi, I am getting several alert entries in my pfsense firewall. There are connections denied to 4 different TOR relays in the US, Switzerland, Germany and the Netherlands. I never had these entries before so I am a bit worried. Example: AirVPN_LAN Source: 192.168.1.xxx:476xx Destination:176.10.104.240:443 Any ideas?
-
ANSWERED Port forwarding not working anymore
LazyLizard14 posted a topic in Troubleshooting and Problems
I have set up AirVPN on pfSense according to the guide here in the forums, and it has been running well for many years. Port forwarding also worked flawlessly in the past. Some days ago I started Vuze to do some torrenting and was wondering about the slow speeds. The NAT/Firewall test revealed that only the port forwarding for UDP packets seems to work. The test for incoming TCP connections always times out. Please see the attached NAT rule from my pfSense box. It worked flawlessly in the past and I have not changed any configuration. What's wrong? -
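As an added example for the port-forwarding post above (not the poster's code, and not a Vuze or pfSense tool), a Python probe receiver that verifies a forwarded port independently of the application: it listens for TCP and UDP on the same port and reports which protocol actually reached it, which separates "the forward is broken for TCP" from "the program behind it is not answering". Run it on the LAN host the NAT rule points at, then hit the port from outside (a port checker, or nc from another network); self_test() exercises the same code over loopback so the output shape can be seen without a forward in place. The port number and the probe payloads are placeholders.

```python
import socket
import threading


def open_listeners(bind_addr, port, timeout):
    """Bind a TCP and a UDP socket to the same port; port 0 asks the OS for a free one."""
    for _ in range(20):  # with port 0 the UDP bind can collide; retry with a fresh ephemeral port
        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        tcp.bind((bind_addr, port))
        tcp.listen(1)
        chosen = tcp.getsockname()[1]
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            udp.bind((bind_addr, chosen))
        except OSError:
            tcp.close()
            udp.close()
            if port != 0:
                raise
            continue
        tcp.settimeout(timeout)
        udp.settimeout(timeout)
        return tcp, udp, chosen
    raise RuntimeError("could not find a free TCP+UDP port pair")


def wait_for_probes(tcp, udp):
    """Block until one TCP connection and one UDP datagram arrive, or each side times out.

    Returns {'tcp': peer_ip_or_None, 'udp': peer_ip_or_None}; None means nothing got through."""
    results = {"tcp": None, "udp": None}

    def tcp_side():
        try:
            conn, peer = tcp.accept()
            conn.sendall(b"tcp ok\n")
            conn.close()
            results["tcp"] = peer[0]
        except socket.timeout:
            pass  # no TCP connection within the window: forward or firewall blocks TCP

    def udp_side():
        try:
            _, peer = udp.recvfrom(512)
            udp.sendto(b"udp ok", peer)
            results["udp"] = peer[0]
        except socket.timeout:
            pass  # no datagram within the window: forward or firewall blocks UDP

    threads = [threading.Thread(target=tcp_side), threading.Thread(target=udp_side)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    tcp.close()
    udp.close()
    return results


def self_test(send_tcp=True, send_udp=True, timeout=2.0):
    """Loopback run: start listeners, probe them locally, return what the listeners saw."""
    tcp, udp, port = open_listeners("127.0.0.1", 0, timeout)
    results = {}
    waiter = threading.Thread(target=lambda: results.update(wait_for_probes(tcp, udp)))
    waiter.start()
    if send_tcp:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.recv(16)
    if send_udp:
        probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        probe.settimeout(timeout)
        probe.sendto(b"probe", ("127.0.0.1", port))
        probe.recvfrom(16)
        probe.close()
    waiter.join()
    return results


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    if port == 0:
        print(self_test())  # offline demonstration
    else:
        t, u, p = open_listeners("0.0.0.0", port, timeout=120.0)
        print(f"listening on TCP+UDP {p}; probe from outside now")
        print(wait_for_probes(t, u))
```

A result of {'tcp': None, 'udp': '<checker ip>'} on the real port reproduces the symptom in the post at the socket level, which points at the forward or firewall rule rather than at Vuze; both addresses filled in means the path is fine and the application is the thing to look at.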
I've managed to get a pfSense VM working with AirVPN's Serpentis server via Stunnel. Given the importance of using the latest versions of Stunnel and OpenSSL, I used pfSense 2.2-BETA x64, which is based on FreeBSD 10.1-RELEASE x64. Working in a FreeBSD 10.1 x64 VM, I made the stunnel-5.07 package and its dependencies from ports. See <http://www.freshports.org/security/stunnel/>. Also see <https://forums.freebsd.org/threads/howto-setting-up-stunnel-in-freebsd.1717/>.

pfSense 2.2-BETA x64 VM:
512 MB RAM
7 MB video RAM
2 GB dynamic VDI
PAE/NX, VT-x/AMD-V, Nested Paging
Adapter 1: Intel PRO/1000 MT Desktop (NAT)
Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
audio and USB disabled
otherwise defaults

FreeBSD 10.1 x64 VM:
1024 MB RAM
7 MB video RAM
10 GB dynamic VDI
PAE/NX, VT-x/AMD-V, Nested Paging
Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
audio and USB disabled
otherwise defaults

Debian 7.6 x64 workspace VM:
1024 MB RAM
128 MB video RAM
20 GB dynamic VDI
PAE/NX, VT-x/AMD-V, Nested Paging
Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
audio and USB disabled
otherwise defaults
legacy Gnome desktop
installed openssh-server

Working in FreeBSD VM:

# portsnap fetch extract
# mkdir /usr/ports/packages
# cd /usr/ports/security/stunnel
# make config
[x] DOCS
[x] EXAMPLES
[ ] FIPS
[ ] IPV6
[ ] LIBWRAP
[x] SSL_PORT
[ ] FORK
[x] PTHREAD
[ ] UCONTEXT
# make package-recursive
[use default openssl-1.0.1_16 settings]
[use default perl5-5.18.4_10 settings]
# cd /usr/ports/packages/All
# ls
openssl-1.0.1_16.txz pkg-1.3.8_3.txz perl5-5.18.4_10.txz stunnel-5.07.txz
# sftp user@192.168.10.11 [Debian VM]
# put *
# exit
# shutdown -p now

Working in Debian VM:
login pfSense webGUI
browse "Diagnostics: Command Prompt"
upload openssl-1.0.1_16.txz and move to /root/
upload pkg-1.3.8_3.txz and move to /root/
upload perl5-5.18.4_10.txz and move to /root/
upload stunnel-5.07.txz and move to /root/

Working in pfSense VM console:

: pkg install *.txz
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
...
New packages to be INSTALLED:
openssl-1.0.1_16
perl5-5.18.4_10
stunnel: 5.07
The process will require 61 MB more space.
Proceed with this action? [y/N]: y
[1/3] Installing openssl-1.0.1_16: 100%
[2/3] Installing perl5-5.18.4_10: 100%
makewhatis: not found
makewhatis: not found
pkg: POST-INSTALL script failed
===> Creating users and/or groups.
Creating group 'stunnel' with gid '341'.
Creating user 'stunnel' with uid '341'.
[3/3] Installing stunnel-5.07: 100%
Message for openssl-1.0.1_16:
Copy /usr/local/openssl/openssl.cnf.sample to /usr/local/openssl/openssl.cnf and edit it to fit your needs.
[DON'T DO THAT. USE EXISTING openssl.cnf]
Message for stunnel-5.07:
***************************************************************************
To create and install a new certificate, type "make cert"
And don't forget to check out the FAQ at http://www.stunnel.org/
***************************************************************************
: mkdir /usr/local/etc/stunnel/run
: chown stunnel:stunnel /usr/local/etc/stunnel/run
: chmod 0622 /usr/local/etc/stunnel/run

Working in Debian VM:
login pfSense webGUI
browse "Diagnostics: Edit File"
browse "/usr/local/etc/stunnel/stunnel.conf-sample" and open to edit
save as "/usr/local/etc/stunnel/stunnel.conf"
replace content with this and save:
...................................
; create local jail
chroot = /usr/local/etc/stunnel/run
; set own UID and GID
setuid = stunnel
setgid = stunnel
client = yes
foreground = no
options = NO_SSLv2

[openvpn]
accept = 1413
connect = 178.248.30.133:443
TIMEOUTclose = 0
...................................
browse "/etc/defaults/rc.conf" and open to edit
add this at end and save:
.........................................................
stunnel_enable="YES"
stunnel_pid_file="/usr/local/etc/stunnel/run/stunnel.pid"
.........................................................
browse "Diagnostics: Command Prompt"
run "mv /usr/local/etc/rc.d/stunnel /usr/local/etc/rc.d/stunnel.sh"

Working in pfSense VM console:
hit "5" and "y" to reboot

Working in Debian VM:
login pfSense webGUI
browse "Status: System logs: General"
should see:
...................................................................................................
...
... php-fpm[243]: /rc.start_packages: Restarting/Starting all packages.
... kernel: done.
... stunnel: LOG5[34393318400]: stunnel 5.07 on amd64-portbld-freebsd10.1 platform
... stunnel: LOG5[34393318400]: Compiled/running with OpenSSL 1.0.1j 15 Oct 2014
... stunnel: LOG5[34393318400]: Threading:PTHREAD Sockets:POLL,IPv4 SSL:ENGINE,OCSP
... stunnel: LOG5[34393318400]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
... stunnel: LOG5[34393318400]: UTF-8 byte order mark not detected
... stunnel: LOG5[34393318400]: Configuration successful
...
...................................................................................................
browse "System: General Setup"
specify desired third-party DNS servers on WAN_DHCP
[x] Do not use the DNS Forwarder as a DNS server for the firewall
browse "Services: DNS Forwarder"
[ ] Enable DNS forwarder
browse "System: Advanced: Networking"
[ ] Allow IPv6
[x] Prefer to use IPv4 even if IPv6 is available
browse "System: Advanced: Miscellaneous"
[x] Skip rules when gateway is down
[x] Enable gateway monitoring debug logging
browse "System: Certificate Authority Manager"
add ca.crt
browse "System: Certificate Manager"
add client.crt|client.key
browse "VPN: OpenVPN: Client"
Protocol: TCP
Interface: Localhost
Server host or address: 127.0.0.1
Server port: 1413
Server host name resolution: don't "Infinitely resolve server"
Encryption algorithm: AES-256-CBC
Compression: Disabled - No Compression
Disable IPv6: Don't forward IPv6 traffic
Advanced: persist-key;persist-tun;remote-cert-tls server; route 178.248.30.133 255.255.255.255 net_gateway
Verbosity level: 5
browse "Status: System logs: General"
should see:
...................................................................................................
...
... openvpn[86987]: [server] Peer Connection Initiated with [AF_INET]127.0.0.1:1413
... openvpn[86987]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
... openvpn[86987]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1, dhcp-option DNS 10.50.0.1,comp-lzo no,route 10.50.0.1,topology net30,ping 10, ping-restart 60,ifconfig 10.50.2.74 10.50.2.73'
...
... openvpn[86987]: /sbin/ifconfig ovpnc1 10.50.2.74 10.50.2.73 mtu 1500 netmask 255.255.255.255 up
... openvpn[86987]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 10.50.2.74 10.50.2.73 init
... openvpn[86987]: /sbin/route add -net 127.0.0.1 10.0.2.2 255.255.255.255
... openvpn[86987]: /sbin/route add -net 0.0.0.0 10.50.2.73 128.0.0.0
... openvpn[86987]: /sbin/route add -net 128.0.0.0 10.50.2.73 128.0.0.0
... openvpn[86987]: /sbin/route add -net 178.248.30.133 10.0.2.2 255.255.255.255
... openvpn[86987]: /sbin/route add -net 10.50.0.1 10.50.2.73 255.255.255.255
... openvpn[86987]: Initialization Sequence Completed
...................................................................................................
browse "Services: DHCP Server"
set 10.50.0.1 as DNS server
browse "Interfaces: Assign Network Ports"
add OPT1
browse "Interfaces: OPT1"
enable and rename "AIRVPN"
browse "Firewall: NAT: Outbound"
select "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"
save and apply changes
leave localhost rules alone:
  "Auto created rule for ISAKMP - localhost to WAN"
  "Auto created rule - localhost to WAN"
change interface for LAN rules from WAN to AIRVPN:
  "Rule for ISAKMP - LAN to AIRVPN"
  "Rule - LAN to AIRVPN"
apply changes
browse "Firewall: Rules: LAN"
delete IPv6 rule
edit IPv4 rule
specify AIRVPN_VPNV4 as Gateway
rename as "Allow LAN to any rule via AIRVPN_VPNV4"
apply changes

Working in pfSense VM console:
hit "5" and "y" to reboot

Working in Debian VM:
login pfSense webGUI
browse "Status: OpenVPN"
should see that Client TCP is up

Done

Edit: I've added rules on WAN, and the required aliases. Aliases are needed for three types of outbound traffic: 1) the DNS server IPs specified in "System: General Setup"; 2) the pfSense NTP server hostname specified in "System: General Setup"; and 3) the connect server IP specified in the Stunnel configuration.

In Firewall: Aliases: IP, create three aliases, using the + button to add the values:

Name     Values                          Description
dnssvr   208.67.220.220 208.67.222.222   DNS server IP addresses
ntpsvr   0.pfsense.pool.ntp.org          default pfSense NTP server
sslsvr   178.248.30.133                  Stunnel server

Using these aliases, you then add rules for the WAN interface to pass necessary outbound traffic, and then a final rule to block everything else.

In "Firewall: Rules: WAN", create these rules, specifying "Single host or address" for the pass rules:

Action  TCP/IP  Proto    Source       Port  Dest    Port  Gateway  Queue  Description
pass    IPv4    TCP/UDP  WAN address  *     dnssvr  *     *        none   Allow to DNS servers
pass    IPv4    UDP      WAN address  *     ntpsvr  *     *        none   Allow to NTP server
pass    IPv4    TCP/UDP  WAN address  *     sslsvr  *     *        none   Allow to SSL server
block   IPv4    *        WAN address  *     *       *     *        none   Block all other IPv4
block   IPv6    *        WAN address  *     *       *     *        none   Block all IPv6

Then reboot from the console window, by entering 5 and then y to confirm.
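As an added example (not part of the post, and not an AirVPN, stunnel or pfSense tool), a Python consistency check for the three places this set-up has to agree: stunnel's accept port must equal the OpenVPN client's server port, and stunnel's connect host must both be excluded from the tunnel by the "route ... net_gateway" line and be listed in the sslsvr alias, otherwise the pushed redirect-gateway or the final WAN block rule cuts the wrapper off from the server. It also flags two things the posted stunnel.conf leaves at stunnel's defaults: no server-certificate verification in stunnel (the inner OpenVPN remote-cert-tls check is then the only authentication of the far end) and no floor on the outer TLS version. The config text and dicts are re-typed copies of the post's values; the parser, function and finding names are mine.

```python
import re

# Re-typed copy of the stunnel.conf from the post above (constructed here, not read from the box).
STUNNEL_CONF = """\
; create local jail
chroot = /usr/local/etc/stunnel/run
; set own UID and GID
setuid = stunnel
setgid = stunnel
client = yes
foreground = no
options = NO_SSLv2

[openvpn]
accept = 1413
connect = 178.248.30.133:443
TIMEOUTclose = 0
"""

# The values typed into "VPN: OpenVPN: Client" in the post, as a dict (constructed).
OPENVPN_CLIENT = {
    "protocol": "TCP",
    "server": "127.0.0.1",
    "port": 1413,
    "advanced": "persist-key;persist-tun;remote-cert-tls server; "
                "route 178.248.30.133 255.255.255.255 net_gateway",
}

# The sslsvr alias the WAN rules in the post rely on.
ALIASES = {"sslsvr": ["178.248.30.133"]}


def parse_stunnel_conf(text):
    """Minimal stunnel.conf reader: global options, then one dict per [service].

    Keys are lower-cased; a repeated key keeps its last value (enough for this check)."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = services[current] if current else global_opts
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def check_stunnel_chain(conf_text, ovpn, aliases, service="openvpn"):
    """Return 'code: detail' findings; an empty list means the three configs agree."""
    findings = []
    g, services = parse_stunnel_conf(conf_text)
    svc = services.get(service, {})
    accept_port = int(svc.get("accept", "0").rsplit(":", 1)[-1])      # 'accept' may be host:port
    connect_host, _, _ = svc.get("connect", "").rpartition(":")

    if g.get("client", svc.get("client", "no")).lower() != "yes":
        findings.append("not-client: stunnel needs client = yes to wrap an outbound OpenVPN session")
    if ovpn["protocol"].upper() != "TCP":
        findings.append("proto: OpenVPN must use TCP to pass through stunnel's TCP listener")
    if ovpn["server"] not in ("127.0.0.1", "localhost"):
        findings.append(f"server: OpenVPN points at {ovpn['server']}, not at the local stunnel listener")
    if ovpn["port"] != accept_port:
        findings.append(f"port-mismatch: OpenVPN server port {ovpn['port']} != stunnel accept {accept_port}")
    m = re.search(r"route\s+(\S+)\s+255\.255\.255\.255\s+net_gateway", ovpn["advanced"])
    if not m or m.group(1) != connect_host:
        findings.append(f"missing-route: need 'route {connect_host} 255.255.255.255 net_gateway' so the "
                        "pushed redirect-gateway does not send stunnel's own packets into the tunnel")
    if connect_host not in aliases.get("sslsvr", []):
        findings.append(f"alias: sslsvr does not contain {connect_host}; the WAN block rule would cut stunnel off")
    if not any(k in ("verify", "verifychain", "verifypeer") for k in list(g) + list(svc)):
        findings.append("no-verify: stunnel does not verify the server certificate (no verify*/CAfile); "
                        "only the inner OpenVPN remote-cert-tls check authenticates the far end")
    if "sslversion" not in g and "NO_SSLv3" not in g.get("options", ""):
        findings.append("sslv3: neither sslVersion nor options = NO_SSLv3 restricts the outer TLS version")
    return findings


if __name__ == "__main__":
    for f in check_stunnel_chain(STUNNEL_CONF, OPENVPN_CLIENT, ALIASES):
        print(f)
```

Run against the post's own values the check passes the port, route and alias tests and reports only the two default-setting findings; changing the OpenVPN server port or dropping the net_gateway route makes it name the exact line to fix.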