OpenVPN Open Beta

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
235 posts Page 2 of 24
by pmbell » Mon Jul 20, 2015 4:35 pm
Thank you very much for making this available!

I am able to connect from an android client but not from pfsense.

Is there a how-to I can read for the configuration that Sonic is deploying? I suspect I have some or many parameters set incorrectly on pfsense, which are set automatically on the software clients.

The error logging in pfsense suggests that it is not actually trying very hard to get the tunnel up; this is what I'm seeing when I tried enabling it a few minutes ago (in reverse chronological order):

Jul 22 12:40:31 openvpn[82695]: UDPv4 link remote: [AF_INET]184.23.168.54:1194
Jul 22 12:40:31 openvpn[82695]: UDPv4 link local (bound): [AF_INET]192.168.16.1
Jul 22 12:40:31 openvpn[82695]: Expected Remote Options hash (VER=V4): '40464ddb'
Jul 22 12:40:31 openvpn[82695]: Local Options hash (VER=V4): '1d1f9564'
Jul 22 12:40:31 openvpn[82695]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1485,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jul 22 12:40:31 openvpn[82695]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1485,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jul 22 12:40:31 openvpn[82695]: Data Channel MTU parms [ L:1542 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Jul 22 12:40:31 openvpn[82695]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 22 12:40:31 openvpn[82695]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
by kgc » Thu Jul 23, 2015 6:04 pm
I've changed the cipher from the default Blowfish CBC to AES-128-CBC. This should be just as fast, provide a reasonable level of security and allow for hardware acceleration on supported platforms. The unfortunate side effect is that the client configuration needs to be updated to reflect this change which likely means removing and reimporting the config for most users.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by netllama » Thu Jul 23, 2015 6:19 pm
Did the VPN server go down? I've been using it without any problems since last Saturday. As of about an hour ago, all attempts to connect are failing with:
openvpn[26151]: AUTH: Received control message: AUTH_FAILED
by netllama » Thu Jul 23, 2015 6:25 pm
EDIT: I missed the announcement from about 25 minutes ago explaining the change.

Turns out the profile from https://beta.vpn.sonic.net appears to have changed. Updating to the new profile has the VPN working for me again.

Was this intentional? Should we expect the profile to change often?
by blakers » Thu Jul 23, 2015 6:32 pm
It's a beta trial.

Probably a good idea to treat it as such -- assume that it's likely closer to release than not, but is being tested and fixed based on feedback, and can go down, change, etc. with no notice.

I.e. -- do not use it where production requirements are called for.
by kgc » Thu Jul 23, 2015 8:48 pm
Yeah, I'm sorry about having to make an incompatible change, there's a chance that it won't be the last as I get further feedback, particularly from some users of devices running tomato or dd-wrt. I'm a little surprised that the server doesn't allow for some flexibility in what cipher can be used.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by pmbell » Fri Jul 24, 2015 8:16 am
kgc wrote:
Yeah, I'm sorry about having to make an incompatible change, there's a chance that it won't be the last as I get further feedback, particularly from some users of devices running tomato or dd-wrt. I'm a little surprised that the server doesn't allow for some flexibility in what cipher can be used.

I've seen providers offer openVPN with different parameters on different UDP ports, eg
port 1194 supports AES, port 1196 supports blowfish.

So it's at least possible that some of the settings are fixed per port rather than per instance.
by kgc » Fri Jul 24, 2015 10:47 am
I think they're probably running multiple instances on different ports.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by joss » Fri Jul 24, 2015 6:39 pm
Running on an ASUS RT-N66U router with Merlin's mods:
Download Speed: 15284 kbps (1910.5 KB/sec transfer rate)
Upload Speed: 1743 kbps (217.9 KB/sec transfer rate)
Latency: 32 ms
Jitter: 1 ms
7/24/2015, 6:35:46 PM

My normal download, without the VPN, was between 22 and 23 Mbps. The upload is about the same with and without the VPN.
by pmbell » Fri Jul 24, 2015 7:13 pm
Below is the Sonic stanza from my openvpn config on pfsense. It seems that I'm missing something in the config - the tunnel never pulls an IP address. The CA, cert and TLS cert each seem to be operational.

I can hit as high as 40 mbps on the commercial openvpn service I use, but my impression is that what's limiting me most lately is ATT, which seems to support 50 mbps on my circuits only to a single Speedtest host in San Francisco. I max at 25-30 mbps using speedof.me or different Speedtest hosts (measured from a laptop hanging off the ATT router, bypassing the pfsense box).

I'm not sure where, in the config, to place the private key from .ovpn file. Currently, I am configuring it as the private key tied to the Sonic cert (the cert manager lets me define a private key for the cert) and that seems to be the logical place, but if anyone happens to know different or can see a directive I don't have configured and should?

<openvpn-client>
<auth_user>username@beta.vpn.sonic.net</auth_user>
<auth_pass>xxxxxxxxxxxxxxxx</auth_pass>
<vpnid>3</vpnid>
<disable/>
<protocol>UDP</protocol>
<dev_mode>tun</dev_mode>
<ipaddr/>
<interface>lan</interface>
<local_port/>
<server_addr>184.23.168.54</server_addr>
<server_port>1194</server_port>
<resolve_retry>yes</resolve_retry>
<proxy_addr/>
<proxy_port/>
<proxy_authtype>none</proxy_authtype>
<proxy_user/>
<proxy_passwd/>
<mode>p2p_tls</mode>
<custom_options>link-mtu 1542; remote-cert-tls server</custom_options>
<caref>pointer to sonic CA from ovpn</caref>
<certref>pointer to sonic cert from ovpn, tied to private key and cert stanzas of ovpn</certref>
<tls>cert from ovpn data deleted</tls>
<crypto>AES-128-CBC</crypto>
<digest>SHA1</digest>
<engine>cryptodev</engine>
<tunnel_network/>
<tunnel_networkv6/>
<remote_network/>
<remote_networkv6/>
<use_shaper/>
<compression/>
<passtos/>
<no_tun_ipv6/>
<route_no_pull/>
<route_no_exec/>
<verbosity_level>5</verbosity_level>
</openvpn-client>