Page 2 of 24

Re: OpenVPN Open Beta

Posted: Mon Jul 20, 2015 4:35 pm
by pmbell
Thank you very much for making this available!

I am able to connect from an android client but not from pfsense.

Is there a how-to I can read for the configuration that Sonic is deploying? I suspect I have some or many parameters set incorrectly on pfsense, which are set automatically on the software clients.

The error logging in pfsense suggests that it is not actually trying very hard to get the tunnel up; this is what I'm seeing when I tried enabling it a few minutes ago (in reverse chronological order)

Jul 22 12:40:31 openvpn[82695]: UDPv4 link remote: [AF_INET]184.23.168.54:1194
Jul 22 12:40:31 openvpn[82695]: UDPv4 link local (bound): [AF_INET]192.168.16.1
Jul 22 12:40:31 openvpn[82695]: Expected Remote Options hash (VER=V4): '40464ddb'
Jul 22 12:40:31 openvpn[82695]: Local Options hash (VER=V4): '1d1f9564'
Jul 22 12:40:31 openvpn[82695]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1485,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jul 22 12:40:31 openvpn[82695]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1485,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jul 22 12:40:31 openvpn[82695]: Data Channel MTU parms [ L:1542 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Jul 22 12:40:31 openvpn[82695]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 22 12:40:31 openvpn[82695]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]

Re: OpenVPN Open Beta

Posted: Thu Jul 23, 2015 6:04 pm
by kgc
I've changed the cipher from the default Blowfish CBC to AES-128-CBC. This should be just as fast, provide a reasonable level of security and allow for hardware acceleration on supported platforms. The unfortunate side affect is that the client configuration needs to be updated to reflect this change which likely means removing and reimporting the config for most users.

Re: OpenVPN Open Beta

Posted: Thu Jul 23, 2015 6:19 pm
by netllama
Did the VPN server go down? I've been using it without any problems since last Saturday. As of about an hour ago, all attempts to connect are failing with:
openvpn[26151]: AUTH: Received control message: AUTH_FAILED

Re: OpenVPN Open Beta

Posted: Thu Jul 23, 2015 6:25 pm
by netllama
EDIT: I missed the announcement from about 25 minutes ago explaining the change.

Turns out the profile from https://beta.vpn.sonic.net appears to have changed. Updating to the new profile has the VPN working for me again.

Was this intentional? Should we expect the profile to change often?

Re: OpenVPN Open Beta

Posted: Thu Jul 23, 2015 6:32 pm
by blakers
It's a beta trial.

Probably a good idea to treat it as such -- assume that it's likely closer to release than not, but is being tested and fixed based on feedback, and can go down, change, etc with no notice.

I.e. -- do not use it where production requirements are called for.

Re: OpenVPN Open Beta

Posted: Thu Jul 23, 2015 8:48 pm
by kgc
Yeah, I'm sorry about having to make an incompatible change, there's a chance that it won't be the last as I get further feedback, particularly from some users of devices running tomato or dd-wrt. I'm a little surprised that the server doesn't allow for some flexibility in what cipher can be used.

Re: OpenVPN Open Beta

Posted: Fri Jul 24, 2015 8:16 am
by pmbell
kgc wrote:
Yeah, I'm sorry about having to make an incompatible change, there's a chance that it won't be the last as I get further feedback, particularly from some users of devices running tomato or dd-wrt. I'm a little surprised that the server doesn't allow for some flexibility in what cipher can be used.


I've seen providers offer openVPN with different parameters on different UDP ports, eg
port 1194 supports AES, port 1196 supports blowfish.

So it's at least possible that some of the settings are fixed per port rather than per instance.

Re: OpenVPN Open Beta

Posted: Fri Jul 24, 2015 10:47 am
by kgc
I think they're probably running multiple instances on different ports.

Re: OpenVPN Open Beta

Posted: Fri Jul 24, 2015 6:39 pm
by joss
Running on an ASUS RT-N66U router with Merlin's mods:
Download Speed: 15284 kbps (1910.5 KB/sec transfer rate)
Upload Speed: 1743 kbps (217.9 KB/sec transfer rate)
Latency: 32 ms
Jitter: 1 ms
7/24/2015, 6:35:46 PM

My normal download, without the VPN was between 22 and 23 Mbs. The upload is about the same with and without the VPN.

Re: OpenVPN Open Beta

Posted: Fri Jul 24, 2015 7:13 pm
by pmbell
Below is the Sonic stanza from my openvpn config on pfsense. It seems that I'm missing something in the config - the tunnel never pulls an IP address. The CA, cert and TLS cert each seem to be operational.

I can hit as high as 40 mbps on the commercial openvpn service I use, but my impression is that what's limiting me most lately is ATT, which seems to support 50 mbps on my circuits only to a single Speedtest host in San Francisco., I max at 25-30 mbps using speedof.me or different Speedtest hosts (measured from a laptop hanging off the ATT router, bypassing the pfsense box.)

I'm not sure where, in the config, to place the private key from .ovpn file. Currently, I am configuring it as the private key tied to the Sonic cert (the cert manager lets me define a private key for the cert) and that seems to be the logical place, but if anyone happens to know different or can see a directive I don't have configured and should?

<openvpn-client>
<auth_user>username@beta.vpn.sonic.net</auth_user>
<auth_pass>xxxxxxxxxxxxxxxx</auth_pass>
<vpnid>3</vpnid>
<disable/>
<protocol>UDP</protocol>
<dev_mode>tun</dev_mode>
<ipaddr/>
<interface>lan</interface>
<local_port/>
<server_addr>184.23.168.54</server_addr>
<server_port>1194</server_port>
<resolve_retry>yes</resolve_retry>
<proxy_addr/>
<proxy_port/>
<proxy_authtype>none</proxy_authtype>
<proxy_user/>
<proxy_passwd/>
<mode>p2p_tls</mode>
<custom_options>link-mtu 1542; remote-cert-tls server</custom_options>
<caref>pointer to sonic CA from ovpn</caref>
<certref>pointer to sonic cert from ovpn, tied to private key and cert stanzas of ovpn</certref>
<tls>cert from ovpn data deleted</tls>
<crypto>AES-128-CBC</crypto>
<digest>SHA1</digest>
<engine>cryptodev</engine>
<tunnel_network/>
<tunnel_networkv6/>
<remote_network/>
<remote_networkv6/>
<use_shaper/>
<compression/>
<passtos/>
<no_tun_ipv6/>
<route_no_pull/>
<route_no_exec/>
<verbosity_level>5</verbosity_level>
</openvpn-client>