OpenVPN Open Beta

by pmbell » Tue Sep 01, 2015 10:38 pm
mbhinder wrote:Thanks for the reply - yes I am an FTTN customer like yourself. I haven't added any outbound settings to pfSense but I logged onto the appliance and verified that I could telnet to port 1914 on the VPN. I also ran tcpdump and saw packets going out of pfSense but no packets coming back from the VPN. Maybe our AT&T modems are different models?

Would you have a link to any documentation that you used to configure your appliance?
I think the question is about whether you have a firewall rule permitting outbound traffic from your lan through the openvpn interface with NAT for the traffic.

I know it's an easy step to forget, as I've forgotten to do it in the past! pfsense treats a VPN interface as a firewall interface with its own default deny policy.

I followed the wizard to set up my connection to my commercial VPN provider and the wizard did take me to the outbound nat page.

the guide I've found most helpful in general is this one

https://forum.pfsense.org/index.php?topic=76015.0

(registration, I think, required to post there but not to view)

another key point is setting up routing to use the VPN. I have my system configured to use the VPN as the default route, with an explicit route to the att network for one traditional DNS host and with dnscrypt as my preferred DNS lookup type. when the system is running correctly I send out less than one cleartext DNS lookup a day.

I need that one host able to do traditional DNS so that I can bring the tunnel up - my VPN provider has a group of servers resolved via hostname.
by mikeditty » Wed Sep 02, 2015 9:20 am
kgc wrote:I'll try to put together a quick How-To for configuring pfSense tonight. I found that even though they were a bit outdated the instructions on how to setup pfSense to connect to privateinternetaccess worked fine for me.
Looking forward to this, I did the setup but something is wrong as the connection isn't coming up. I'll look more later but a How-To would be great.
by gourn3 » Wed Sep 02, 2015 12:21 pm
I only read some of the first few posts, but I just tried this OpenVPN out, did a speed test, and I got something around 14 mbps - 19 mbps down with my ping around 43-96 ms on various speed test websites (including Sonic's). Without the VPN, my real speed is around 4.5 mbps, ping 26 ms.

With OpenVPN on, I d/led the Sonic test file and was getting 500 KB/s so, about 4 Mbps. Anyone know why it's generating false speeds on various speed testing websites? When I use the Cisco VPN, it's much closer to my real speed than the OpenVPN one.
by parker_day » Wed Sep 02, 2015 1:25 pm
gourn3 wrote:Anyone know why it's generating false speeds on various speed testing websites?
It's something in OpenVPN called LZO compression, which confuses a lot of speed tests.
by svist » Wed Sep 02, 2015 1:43 pm
parker_day wrote:
gourn3 wrote:Anyone know why it's generating false speeds on various speed testing websites?
It's something in OpenVPN called LZO compression, which confuses a lot of speed tests.
A good speedtest uses non-compressible data.. ;)
by fng » Fri Sep 04, 2015 4:22 pm
I've noticed maxmind has already updated the precision GeoIP with the /24 block of IPs that I get when using the VPN. Not one address but all 24!? Is there any way to get a bigger block of dynamic IPs once the beta is over? Slowly getting it narrowed down to the business sharing the info.
by forest » Sat Sep 05, 2015 9:33 pm
kgc wrote:
mbhinder wrote:
dane wrote:The Edgerouter's Cavium chip does IPSEC in hardware, so we're working on an IPSEC VPN solution which will be more appropriate than OpenVPN for that equipment. FYI!
Any update on this? Is there an ETA on the IPSEC solution?
Not at this time but there are some other solutions including a pfsense box with SSL offload as an OpenVPN client that may be easier to support than IPSEC on an Edgerouter. Or, perhaps Ubiquiti will update their vyatta fork to offload ssl to the cavium chip. (IIRC, it is technically possible to do so.)
Ubiquiti's EdgeRouter X just hit the market, and is probably worth a look. It doesn't have the EdgeRouter Lite's Cavium chip (or its IPSEC offload), but it has a faster CPU and costs only $50.

It's so new that I haven't found any reviews yet, but one early report claims to be getting IPSEC throughput that would match Sonic's FTTN service rather well.
by jnurthen » Mon Sep 07, 2015 4:28 am
I'm getting
"This access server has reached its concurrent connections limit. Please try again later."

It is 4.30 am in California so this seems like a low-demand time of day to be getting this kind of error.
This happens from both windows and iOS
by joss » Mon Sep 07, 2015 6:40 am
I get a message similar to the one jnurthen does:

Sep 7 06:35:46 openvpn[27260]: AUTH: Received control message: AUTH_FAILED,LICENSE: Access Server license failure: maximum concurrent_connections exceeded (2)

I sign out of the VPN and back in twice a day so that the 24 hour lease doesn't catch me and leave me sending data to AT&T. But this morning, after disconnecting, I couldn't reconnect and got the above message.

[EDIT] I normally connect via my router, I tried the OpenVPN app on my PC and it just doesn't connect, but gives no reason.
by pmbell » Mon Sep 07, 2015 10:33 am
glad I took a look here and installed the client stack on a device.

I'm also getting the license count exceeded message on the client.

I was able to bring up a tunnel, I think, on pfsense this morning but it wasn't getting an address. I made a few changes and was no longer able to connect at all. now I'll try to get a timestamp on a config which did connect and revert to it.

It looks to me as if the most important change I made was in System... Cert Manager... CA.

Instead of using the uncommented CA bundled inline in the .ovpn profile I downloaded, I connected via https to beta.vpn.sonic.net and exported the certificate from Firefox.

Defining the CA based on that, I wind up with a cert authority with the following summary:

OU=PositiveSSL, OU=Domain Control Validated, CN=beta.vpn.sonic.net
Valid From: Wed, 08 Jul 2015 17:00:00 -0700
Valid Until: Fri, 08 Jul 2016 16:59:59 -0700

When I import the uncommented CA section from the .ovpn file, I wind up with a CA that looks like this:

CN=OpenVPN CA
Valid From: Fri, 01 May 2015 14:14:17 -0700
Valid Until: Mon, 05 May 2025 14:14:17 -0700

The error logging on pfsense when using that cert looks like this:

Sep 7 09:44:12 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Sep 7 09:44:12 pfSense openvpn[56207]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 7 09:44:12 pfSense openvpn[56207]: TLS Error: TLS object -> incoming plaintext read error
Sep 7 09:44:12 pfSense openvpn[56207]: TLS Error: TLS handshake failed
Sep 7 09:44:12 pfSense openvpn[56207]: TCP/UDP: Closing socket
Sep 7 09:44:12 pfSense openvpn[56207]: SIGUSR1[soft,tls-error] received, process restarting
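
The two failures reported in the posts above sit at different layers, and the log lines are enough to tell them apart. The following is an added example, not part of any original post: a small triage function (the name `triage` and the finding fields are hypothetical) run over log lines quoted from this thread.

```python
import re

# Log lines quoted from joss's and pmbell's posts in this thread.
SAMPLE_LOG = """\
Sep 7 06:35:46 openvpn[27260]: AUTH: Received control message: AUTH_FAILED,LICENSE: Access Server license failure: maximum concurrent_connections exceeded (2)
Sep 7 09:44:12 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Sep 7 09:44:12 pfSense openvpn[56207]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 7 09:44:12 pfSense openvpn[56207]: SIGUSR1[soft,tls-error] received, process restarting
"""

STAMP = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*)$")
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")
AUTH = re.compile(r"AUTH_FAILED(?:,(\w+): (.+))?$")

def triage(log_text):
    """Return one finding per distinct failure cause, in order of appearance."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue
        ts, rest = m.groups()
        verify, auth = VERIFY.search(rest), AUTH.search(rest)
        if verify:
            depth = int(verify.group(1))
            finding = {
                "cause": "tls_cert_verify",
                "side": "client trust configuration",
                # depth 0 is the server's own certificate, depth >= 1 an issuer above it
                "cert": "server certificate" if depth == 0 else "issuer at depth %d" % depth,
                "detail": verify.group(2),
                "subject": verify.group(3),
            }
        elif auth:
            # AUTH_FAILED arrives as a control message, i.e. after the TLS
            # handshake succeeded, so the certificate setup is not at fault.
            finding = {"cause": "auth_failed", "side": "server decision",
                       "tag": auth.group(1) or "", "detail": auth.group(2) or ""}
        else:
            continue  # follow-on lines (TLS_ERROR, SIGUSR1) repeat the same failure
        key = (finding["cause"], finding["detail"])
        if key not in seen:
            seen.add(key)
            findings.append(dict(finding, first_seen=ts))
    return findings
```
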