OpenVPN Open Beta

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
235 posts Page 7 of 24
by pmbell » Thu Aug 20, 2015 9:45 am
dane wrote:
> Are any of the folks in this thread using pfSense today, with our new OpenVPN platform?
I have tried using it, but my current setup is such that all of my traffic routes by default over a different VPN provider. In order to test the Sonic OpenVPN I need to disable the primary VPN, and I'm less interested in doing so each time ATT appears in the news.

Unfortunately for this test, I'm not the only one using the connection, so taking it out of service for a few hours isn't popular unless I'm the only one home and don't need the system functioning for a bit.

I know of two occasions when I was unable to log in but was actually passing credentials. I finally sorted out that the key issue was that I thought I needed to use username@sonic.net to log in, but actually only needed username.

I may have time again this week, though. And I've been able to bring up an Edgerouter on the Sonic connection, as well as software clients.
by blakers » Mon Aug 24, 2015 12:02 pm
Is there a wiki page for settings/etc for this beta vpn yet, so that searching through this infinite-thread isn't required for every bit of information?

> my traffic routes defaults over a different VPN provider

Generally same boat here.

I've peeled off ALL of my IPv6 traffic already, moving it elsewhere via VPN so that it's actually useful and under my control.

I'm also redirecting my DNS traffic, both IPV4 & IPv6.

That leaves IPv4 general traffic. I've a working VPN already to VPN my way away from open-traversal on AT&T. I'm inclined to just use my own, but if this can be made to work with Sonic's IPv4 openvpn -> a simpler solution. In-kernel IPSEC could be simpler still, but not holding my breath.

To get to a WORKSFORME OpenVPN solution, I have to extract the key/crypto info from the Sonic-provided ovpn, and build/configure the rest to match both my needs and their VPN.

In the user-specific ovpn config we DL from Sonic,

(1)

Why are

	sndbuf 100000
	rcvbuf 100000
rather than

	sndbuf 0
	rcvbuf 0
, letting the OS manage/negotiate?

(2) What's the presumed / required client side 'dh' .pem bit depth?

(3) I see

	cipher AES-128-CBC
_is_ defined.

What are the available and/or preferred values for

	auth ????		(--show-digest)
	tls-cipher ???? (--show-tls)
(4) Are faster/lighter EC crypto available/used? Or just non-EC?

If so, what's the used

	ecdh-curve ???
(5) What's the expected MTU for the us -> Sonic link?
To what value is 'mssfix' set (default == MTU - 40)?
Is it pushed by the server config?

(6) What is the intention of the repetition in these remote stanzas?

	...
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 443 tcp
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 1194 udp
	remote beta.vpn.sonic.net 1194 udp
	...
?
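The questions above are all answerable by reading the downloaded profile, so here is a small audit script that does that mechanically. This is an added example written for this thread; it is not Sonic's code and not part of OpenVPN. The profile text inside it is constructed from the directives quoted in the post (the certificate body is a placeholder), and the reading of the remote list is the standard OpenVPN behaviour: entries are tried in the order listed unless remote-random is set, so a duplicated entry simply gets more of the connection attempts in each pass.

```python
"""Audit an OpenVPN client profile for the settings asked about in the post.

Added example for this thread, not Sonic's code and not part of OpenVPN.
SAMPLE_OVPN is a constructed profile assembled from the directives quoted in
the post; the <ca> body is a placeholder, not a real certificate.
"""
from collections import Counter

SAMPLE_OVPN = """\
client
dev tun
sndbuf 100000
rcvbuf 100000
cipher AES-128-CBC
remote beta.vpn.sonic.net 1194 udp
remote beta.vpn.sonic.net 1194 udp
remote beta.vpn.sonic.net 443 tcp
remote beta.vpn.sonic.net 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Split a profile into (directives, inline_blocks).

    directives is an ordered list of (name, [args]); inline_blocks maps a tag
    such as 'ca' to the text found between <ca> and </ca>.
    """
    directives, inline = [], {}
    block, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <tag> ... </tag>
            if line == "</%s>" % block:
                inline[block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            block = line[1:-1]
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline


def audit(directives):
    """Summarise the settings the post asks about.

    For single-valued directives a later occurrence overrides an earlier one,
    which is how OpenVPN itself treats repeated options.
    """
    byname = {}
    for name, args in directives:
        byname.setdefault(name, []).append(args)

    def last(name):
        return byname[name][-1][0] if name in byname and byname[name][-1] else None

    remotes = [tuple(args) for args in byname.get("remote", [])]
    return {
        "buffers": {"sndbuf": last("sndbuf"), "rcvbuf": last("rcvbuf")},
        "cipher": last("cipher"),
        "auth": last("auth"),
        "tls_cipher": last("tls-cipher"),
        "mssfix": last("mssfix"),
        "remote_random": "remote-random" in byname,
        "remote_order": remotes,                    # tried in this order unless remote-random
        "remote_weights": dict(Counter(remotes)),   # duplicates = extra attempts per pass
        "has_tcp_fallback": any(len(r) >= 3 and r[2].startswith("tcp") for r in remotes),
    }


def findings(report):
    """Turn the audit dictionary into human-readable notes."""
    notes = []
    for name, value in report["buffers"].items():
        if value not in (None, "0"):
            notes.append("%s %s pins the socket buffer; 0 leaves sizing to the OS" % (name, value))
    if report["cipher"] is None:
        notes.append("no cipher directive in the profile")
    for key, directive in (("auth", "auth"), ("tls_cipher", "tls-cipher")):
        if report[key] is None:
            notes.append("%s not set in the profile; OpenVPN's built-in default applies" % directive)
    if report["mssfix"] is None:
        notes.append("mssfix not set in the profile (check the server's pushed options)")
    total = len(report["remote_order"])
    for entry, n in report["remote_weights"].items():
        if n > 1:
            notes.append("remote %s listed %d times: it gets %d of the %d attempts in each pass"
                         % (" ".join(entry), n, n, total))
    if report["has_tcp_fallback"]:
        notes.append("profile includes a TCP remote, so a UDP-blocked network can still connect")
    return notes


if __name__ == "__main__":
    parsed, blocks = parse_ovpn(SAMPLE_OVPN)
    for note in findings(audit(parsed)):
        print("-", note)
```

Run it against the real downloaded .ovpn instead of SAMPLE_OVPN to see which of the directives in the post are actually present client-side; anything reported as "not set" is either an OpenVPN default or something the server pushes after the TLS handshake, and the pushed set only becomes visible in the client log at connect time.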
by jefnbev » Wed Aug 26, 2015 9:57 am
First, thanks for looking at options other than Cisco.

I'd definitely be interested in trying out one of the SoC edge routers with hardware encryption support, especially if they are price competitive with the $100-class WiFi AP/routers on which I presently run OpenWRT (and they don't have horrendous buffer latency). Edit: Looks like the throughput, at least with stock software, is better on the TP-Link Archer C7 that I use. I'll have to see what adding in software encryption will do to latency.

One bit of good news, at least from my perspective, is that PolarSSL (used in the Android app) has been picked up by ARM and rebranded as mbedTLS. That means hopefully strong support and code review, as well as getting off GPL.

http://community.arm.com/groups/interne ... e-mbed-tls

A little thing that has bothered me for a while is sharing the VPN password with the Sonic account (and, for that matter shell). If that is "open for consideration" by you all, I'd prefer to have them all separate.

Thanks again!

Note: Searching for "OpenVPN for Android" returns a different app than what I believe is the "official" one called "OpenVPN Connect" https://play.google.com/store/apps/deta ... pn.openvpn

Works reasonably well using a Nexus 5 connected to hotel WiFi from London. Once I found the "right" Android client, install was straightforward (imported settings from Sonic VPN server using my Sonic credentials). Bandwidth here is spotty and the additional 200 ms through to the US makes direct vs. VPN comparisons pretty meaningless.
by kgc » Sun Aug 30, 2015 4:12 pm
The pfSense SG-2220 has no trouble connecting to the beta vpn server and initial testing suggests that it can flood my 50M connection just fine with or without hardware encryption acceleration enabled. Looks like it would be an okay solution for someone looking for a standalone fixed vpn terminator.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by mbhinder » Sun Aug 30, 2015 9:17 pm
I'm having trouble configuring pfSense to the VPN. Using Tunnelblick on my Mac, it connects fine. On pfSense, the web UI just shows "down" and from the logs it seems to be stuck in a wait loop:

Aug 30 21:13:51	openvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58
Aug 30 21:13:51	openvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]
Aug 30 21:13:53	openvpn[29153]: event_wait returned 0
Aug 30 21:13:53	openvpn[29153]: I/O WAIT status=0x0020
Aug 30 21:13:53	openvpn[29153]: TIMER: coarse timer wakeup 1 seconds
Aug 30 21:13:53	openvpn[29153]: PO_CTL rwflags=0x0001 ev=12 arg=0x0068f0f8
Aug 30 21:13:53	openvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58
Aug 30 21:13:53	openvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]
Aug 30 21:13:54	openvpn[29153]: event_wait returned 0
Aug 30 21:13:54	openvpn[29153]: I/O WAIT status=0x0020
Aug 30 21:13:54	openvpn[29153]: TIMER: coarse timer wakeup 1 seconds
Aug 30 21:13:54	openvpn[29153]: PO_CTL rwflags=0x0001 ev=12 arg=0x0068f0f8
Aug 30 21:13:54	openvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58
Aug 30 21:13:54	openvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]
I've double-checked all the settings against my downloaded ovpn profile from the website and don't see anything wrong. Any ideas? Maybe the server logs have a clue about why my connection is stuck?

I've verified connectivity to the vpn ip and port from my pfsense box.
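The log excerpt above is the client waking up on its timer over and over without any socket activity, which is the symptom of packets leaving but nothing coming back. The following script, an added example for this thread and not part of pfSense or OpenVPN, parses that debug output and measures how long the client has been idling. It reuses the lines quoted in the post plus one constructed final line (event_wait returned 1) so that the run-length logic has a reset to demonstrate. Reading "event_wait returned 0" as a timer-only wakeup follows OpenVPN's I/O loop, where a zero return means no descriptor became ready before the timeout; the stall threshold of ten idle wakeups is an arbitrary assumption, and the status=0x0020 value is left uninterpreted.

```python
"""Spot a stalled OpenVPN client from its debug log.

Added example for this thread, not part of pfSense or OpenVPN. SAMPLE_LOG is
constructed: the lines quoted in the post plus one made-up final line with a
non-zero event_wait result.
"""
import re

SAMPLE_LOG = (
    "Aug 30 21:13:51\topenvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58\n"
    "Aug 30 21:13:51\topenvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]\n"
    "Aug 30 21:13:53\topenvpn[29153]: event_wait returned 0\n"
    "Aug 30 21:13:53\topenvpn[29153]: I/O WAIT status=0x0020\n"
    "Aug 30 21:13:53\topenvpn[29153]: TIMER: coarse timer wakeup 1 seconds\n"
    "Aug 30 21:13:53\topenvpn[29153]: PO_CTL rwflags=0x0001 ev=12 arg=0x0068f0f8\n"
    "Aug 30 21:13:53\topenvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58\n"
    "Aug 30 21:13:53\topenvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]\n"
    "Aug 30 21:13:54\topenvpn[29153]: event_wait returned 0\n"
    "Aug 30 21:13:54\topenvpn[29153]: I/O WAIT status=0x0020\n"
    "Aug 30 21:13:54\topenvpn[29153]: TIMER: coarse timer wakeup 1 seconds\n"
    "Aug 30 21:13:54\topenvpn[29153]: PO_CTL rwflags=0x0001 ev=12 arg=0x0068f0f8\n"
    "Aug 30 21:13:54\topenvpn[29153]: PO_CTL rwflags=0x0001 ev=11 arg=0x0068df58\n"
    "Aug 30 21:13:54\topenvpn[29153]: I/O WAIT T?|T?|SR|Sw [1/244477]\n"
    # constructed line: a wakeup with one ready descriptor, i.e. real I/O
    "Aug 30 21:13:55\topenvpn[29153]: event_wait returned 1\n"
)

# "Mon DD HH:MM:SS <whitespace> openvpn[pid]: message" as in the pfSense log
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
WAIT_RE = re.compile(r"^event_wait returned (?P<n>\d+)$")


def parse_log(text):
    """Yield (timestamp, pid, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            yield m.group("ts"), m.group("pid"), m.group("msg")


def stall_report(text):
    """Count event-loop wakeups and the longest run of timer-only wakeups.

    'event_wait returned 0' means the wait timed out with no socket or tun
    descriptor ready; a non-zero value means real I/O happened and resets the
    idle run. A long unbroken idle run during connection setup means nothing
    is arriving from the server.
    """
    timeout_wakeups = io_wakeups = 0
    run = longest = 0
    first_ts = last_ts = None
    for ts, _pid, msg in parse_log(text):
        first_ts = first_ts or ts
        last_ts = ts
        m = WAIT_RE.match(msg)
        if not m:
            continue
        if int(m.group("n")) == 0:
            timeout_wakeups += 1
            run += 1
            longest = max(longest, run)
        else:
            io_wakeups += 1
            run = 0
    return {
        "timeout_wakeups": timeout_wakeups,
        "io_wakeups": io_wakeups,
        "longest_timeout_run": longest,
        "window": (first_ts, last_ts),
    }


def is_stalled(report, max_idle_wakeups=10):
    """True when the client woke only on timers for max_idle_wakeups in a row (threshold assumed)."""
    return report["longest_timeout_run"] >= max_idle_wakeups


if __name__ == "__main__":
    rep = stall_report(SAMPLE_LOG)
    print(rep, "stalled:", is_stalled(rep, max_idle_wakeups=2))
```

Pointing this at the full pfSense OpenVPN log (verbosity high enough to include the event_wait lines) gives a quick yes/no on whether the client ever receives anything; if the idle run never breaks while tcpdump shows packets leaving, the problem is upstream of pfSense, which is exactly where the rest of the thread looks.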
by mbhinder » Mon Aug 31, 2015 11:43 am
Update: I did some more research and it looks like pfSense can connect to the server, but the server cannot connect back to pfSense. I saw some CLIENT_HARD_RESET messages in the logs. Then I realized that I didn't forward ports on the AT&T modem; I will try that tonight. However, I'm still confused how Tunnelblick would work on the MacBook since it was even deeper in the network than pfSense, if that makes sense.
by kgc » Mon Aug 31, 2015 1:40 pm
I'll try to put together a quick How-To for configuring pfSense tonight. I found that, even though they were a bit outdated, the instructions on how to set up pfSense to connect to privateinternetaccess worked fine for me.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by mbhinder » Mon Aug 31, 2015 10:51 pm
That would be awesome; no luck with adding the pfSense to a DMZ zone - I'm still seeing P_CONTROL_HARD_RESET_CLIENT_V2 errors.
by fng » Tue Sep 01, 2015 3:56 pm
@mbhinder

Hi,
I installed pfSense on an old computer and was able to get it working; it is currently running 24/7. Eventually, I will get a box from the pfSense store to save electricity and space once this is out of beta. Sounds like you are an FTTN customer like me, since you have the ATT box. I have mine working without using the DMZ or any port forwarding in the ATT box. I'm assuming you have the OpenVPN and interface set up? Did you set up the Firewall/NAT/Outbound settings in pfSense?
by mbhinder » Tue Sep 01, 2015 9:55 pm
Thanks for the reply - yes, I am an FTTN customer like yourself. I haven't added any outbound settings to pfSense, but I logged onto the appliance and verified that I could telnet to port 1914 on the VPN. I also ran tcpdump and saw packets going out of pfSense but no packets coming back from the VPN. Maybe our AT&T modems are different models?

Would you have a link to any documentation that you used to configure your appliance?