
HOWTO: pfSense


Topic Author
grystch
Posts: 6
Joined: Sat Mar 08, 2014 3:37 am

HOWTO: pfSense

Postby grystch » Sat Mar 08, 2014 4:04 am

{direct link: cryptostorm.org/pfsense}


pfSense is a FreeBSD router that runs on standard computer hardware as well as some other devices. It's freely available at http://www.pfsense.org. It has built-in OpenVPN server and client capability, so you can use it to connect to Cryptostorm and secure all of your internet traffic easily. Because it can run on computer hardware, it can handle greater amounts of traffic than DD-WRT or the other WRT-based routers. If you have an old computer around, this is a great use for it.

To use pfSense you need to get some hardware and install it. Refer to the pfSense site for specifics on installing and setup. Make a note of the router's IP address, so you can log into it.

This guide is specific to the pfSense 2.1 i386 build. The instructions that follow are based on a guide here:
http://www.komodosteve.com/archives/232

To set it up to connect to Cryptostorm:
1. Download the Linux raw config .conf file.
cryptostorm.org/conf
You will need these parameters.
pfSense is FreeBSD, not Linux, but both are UNIX-based. You can connect using the Windows config, but it may be unstable.
*If you're on a Windows computer, open the .conf file in your browser, like Firefox, and then you can read it.

Now on to how to set it up. The linked guide says to SSH in, but that's not necessary. The instructions that follow can all be done in the web GUI.

2. Log in to pfSense.
The username and password for this should be set when you do the initial setup. Refer to pfSense documentation.

3. Navigate to: System - Cert Manager.
The following instructions come from KomodoSteve's page and worked just fine for me.
"In pfSense’s webConfigurator, go to System and select Cert Manager.
Add a new CA, call it something like “Internal CA” using method “Create an internal Certificate Authority”.
Fill in the Distinguished Name pieces below as you see fit.

Now click on Certificates and add a new certificate using “Create an internal certificate”. Call it something like “OpenVPN” and select type “Certificate Authority”."
-end KomodoSteve quote

The certificates created here are meaningless as far as connecting to Cryptostorm, but the pfSense OpenVPN client won't work without a certificate created here. You don't have to worry about the specifics of what's created here, unless you plan to issue certs to people so they can use your network. If you're doing that you probably don't need this guide anyway.

4. Now you need to create your password file.
This is where your hashed token will go.
Navigate to: Diagnostics - Edit File - Browse. Select the folder where you want the file to go. /etc is fine.
Click Load. You will get a message saying "Loading a directory is not supported." Don't worry about this message. Scroll to the bottom and you will see an empty white box. This box accepts text. Enter (type or paste) your hashed token.
Scroll back up to the top. There is a field that says "Save/Load from path:" and shows the folder you're in. In this field, you will give your token file a name. Simply type it in after the folder name. Your token file will be created using this syntax: /pfSensefolder/tokenfilename.txt
Example for the file created in the /etc folder: /etc/tokenfilename.txt
"tokenfilename" can be whatever you choose.
MAKE SURE that a / separates the folder name and the name of your file. Make a note of this location, you'll need it later. I suggest copying it directly from the field.
Now: Click Save, and your password file should be created.

5. Now you need to create the file for the SERVER certificate.
This is the certificate in the config file, NOT the certificate you created in step 3. This is important!
You create this certificate file in the same way you did the token file, with one important change.
Navigate to: Diagnostics - Edit File, then the folder of your choice. I suggest the same folder you used for your token to keep things simple.
Copy the certificate from the config. You can leave out the <ca> and </ca> part, but make sure you include all the random text.
Name the file the same way as your token file, with one exception. Instead of filename.txt, use filename.crt naming.
Example: /etc/yourcertfilename.crt
Just as with the token file, you can give it any name you want. MAKE SURE you use .crt at the end, NOT .txt like your token file. This .crt tells pfSense it's a certificate.
Make a note of this file location and click Save.

6. Now, navigate to VPN - OpenVPN - Client.
Here you will enter the config info.
Click the + for adding a client.

Follow these settings carefully.
In General Information:
Server Mode = Peer to Peer (SSL/TLS)
Protocol = UDP
Device mode = tun
Interface = WAN
Server host or address = your Linux node of choice, refer to the configs. Just enter the name. example: cluster-montreal.cryptostorm.net
Server port = 443
Leave all the Proxy fields blank or set to none.
Server host name resolution = You can check this on, or leave it blank. It won't affect your ability to connect. Resolve infinite isn't in the config, so I don't know if it should be turned on or not.
Description = You can type in a description if you want.

Cryptographic Settings:
TLS Authentication = Leave this unchecked. This will be set in the Advanced configuration options at the bottom.
Peer Certificate Authority = This is the Certificate Authority you set up in step 3. If you only created one, it should be the only one you can select, and it should show by default.
Client Certificate = This is the certificate you created in step 3. Again this doesn't matter as far as affecting Cryptostorm, except I think something needs to be here or it won't work.
Encryption algorithm = AES-256-CBC (256-bit). You can also set this to None and enter it in the advanced options at the bottom, that's what I do.
Hardware Crypto = Probably set to none; if you have such hardware you probably don't need this guide.

Tunnel Settings:
Leave all this blank. Tunnel and network settings here are beyond the scope of this guide. Also leave Compression and Type-of-Service unchecked.

Advanced configuration:
All the special config settings go here.
Ideally you would be able to simply paste in the config file, but pfSense doesn't recognize certain parameters or html code that the config has. You have to enter things here manually.
Use the # symbol to comment out anything you want ignored, just as in the config. Or you can leave it out.
Be careful, and watch for typos. I add a ; (semicolon) after each setting, just to be safe.

Note the following problematic config settings:
#dev tun; If you include this, you will get an error and will not be able to connect!
It's set above as the Device mode. Something about having it both places causes an error!
Either leave it out or comment it out as shown.
#nobind; If you include this, you will get a specific error that says local and nobind don't make sense when used together, and you won't be able to connect. Comment out as shown or leave it out.
#txqueuelen 486; This setting isn't supported at all in pfSense; either leave it out or comment it out.

You can copy/paste the following, from ##start to ##end and it should work with these changes:
remote serveraddress 443 udp; replace serveraddress with the address in the config
auth-user-pass /tokenfilefolder/tokenfilename.txt; replace /tokenfilefolder/tokenfilename.txt with the path to the file in step 4
ca /certfilefolder/yourcertfilename.crt; replace /certfilefolder/yourcertfilename.crt with the path to the file in step 5

One more thing: you will see some lines starting with ##. Those are my comments, the ## is to indicate they're not in original Cryptostorm config.

##start advanced config
client;
#dev tun;
resolv-retry 16;
#nobind;
float;

#txqueuelen 486;
# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf size 1655368;
rcvbuf size 1655368;
# increase pre-ring packet buffering cache, to improve high-throughput session performance

remote-random;
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks
remote serveraddress 443 udp;
remote serveraddress 443 udp;
remote serveraddress 443 udp;
remote serveraddress 443 udp;
##Poster's note: enter the server you want to connect to, NOT serveraddress.
## Get that from the config file for the server you want to connect to.

comp-lzo no;
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - viewtopic.php?f=38&t=5981

down-pre;
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

#allow-pull-fqdn;
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3;
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37;
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400;
# congruent with server-side --fragment directive

auth-user-pass /tokenfilefolder/tokenfilename.txt;
##poster's note: /tokenfilefolder/tokenfilename.txt; is the path to the password file you created in step 4.
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

ca /certfilefolder/yourcertfilename.crt;
##poster's note: /certfilefolder/yourcertfilename.crt is the path to the CERTIFICATE file in step 5
##inline keys and certs don't work in pfSense, you get parameter not recognized error
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org

ns-cert-type server;
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512;
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC;
##poster's note: you can leave this out if you selected it above
##it doesn't seem to cause problems if it's in both places, I set above to None and put it here
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30;
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org

tls-client;
key-method 2;
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

log devnull.txt;
verb 5;
mute 1;
##if you're having trouble connecting try changing these parameters or commenting them out so there will be more details in the log.
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation
##end advanced config

That's the end of the config setup. Double-check your settings, then click Save.
Note: There's a box at the top where you can disable this client. If it's checked, you can still save it, but it won't try to connect. If it's not disabled and it successfully connects to Cryptostorm, your internet connection will likely go down. Some changes to the router will have to be made before you can actually pass traffic through the OpenVPN connection.

7. Navigate to Status - System Logs - OpenVPN.
Hopefully, you will see Initialization Sequence Completed. This means the OpenVPN client successfully connected. If not, review the errors and try to connect them to a config setting. Sometimes it's just a typo.
You can also go to Status - OpenVPN, if you see "up" it's connected.
You will probably see some WARNING statements in the OpenVPN log.
1. WARNING: file '/tokenfilefolder/yourtokenfile.txt' is group or others accessible (the folder where your token file is and the name will show)
I'm not sure of the specific security issues with this. If it's a problem fixing it is beyond the scope of this guide.
2. WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
The auth-nocache config setting doesn't work. You'll be able to connect until the key renews, then the connection will break. If there's a way to use auth-nocache it's beyond the scope of this guide.
As long as you see Initialization Sequence Completed and no errors after that it worked.

Initialization Sequence Completed doesn't mean you're now ready to start using the vpn. A couple more steps are needed. If your internet connection is down, that's normal. The remaining instructions in 8 and 9 are copied directly from KomodoSteve.
http://www.komodosteve.com/archives/232

8. Enable Interface:
Go to Interfaces and select (assign). Click the add button. A new entry called OPTn should appear with “ovpnc1" as the port. Click Save.
Now you can enable your new interface. Go to Interfaces and select OPTn. Simply click Enable and Save.
Note that you can rename the interface if you want to something like “VPN” but it’s not necessary.
(my note: OPTn, "n" will be a number, probably 1)

Restart the OpenVPN service so everything is in sync. Go to Status and select Services, then click the restart button beside the OpenVPN service.
Ensure that the OPTn gateway has an IP. Go to System: Routing and make sure the Gateway has an IP address.

9. Firewall Config
At this point the OpenVPN service is running but you aren’t using it. You may not even be able to access the Internet in this state. While there’s a lot you can do to tailor your firewall access, here’s a quick way to route all your outgoing traffic through your new VPN connection.

Go to Firewall and select NAT, then click the Outbound tab.
Select any existing rules and delete them.
Select the “Automatic” option at the top and click Save, then select “Manual” and click Save.
You should see a new set of rules which you can activate by clicking Apply Changes.

There’s lots more that could be done to pfSense to tighten up your security but this is a starting point.
-end quotes from KomodoSteve

Make sure that you delete ALL the listed rules. If you don't, it likely won't work.
You only need to do Automatic, or Manual, not both. Automatic rules don't show here after they're created (you can look them up in a folder if you want) but manual rules will. If you want to be able to easily see the rules, just do Manual.

Depending on the system you're running pfSense on, it might take a few moments for these rules to take effect. Give it some time. If after a couple minutes it doesn't seem to be working, check your OpenVPN connection and make sure it's still up, then repeat the Firewall Config step.

IMPORTANT SECURITY NOTE.
This setup, as described, will NOT prevent traffic from going out if your Cryptostorm connection goes down for some reason. It's not ideal, but this isn't really a big problem for me. Good news is the only time I've lost connection is when I broke it by playing with things.
If your threat model is different, you'll need to find out how to set things so that if your Cryptostorm connection goes down no traffic goes out. You can review the pfSense forum for suggestions how to do this.
https://forum.pfsense.org/index.php/top ... #msg354989

This concludes the guide. At this point all of your internet traffic should be going through Cryptostorm. :clap:
Good luck!
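The rules from steps 4 to 6 above (no dev/nobind/txqueuelen in the Advanced configuration box, no inline <ca> block, absolute .txt and .crt paths, placeholders replaced) as a small checker you can run over the text before pasting it into pfSense. This is an added example, not code from the original post, pfSense or Cryptostorm; it assumes pfSense splits the custom-options field on ';' and newlines and ignores lines starting with '#', as the guide describes, and the sample config below is constructed with made-up file names.

```python
"""Lint an OpenVPN 'Advanced configuration' string for the pfSense client page."""
import re
from typing import List

# Directives the guide says break the pfSense client when entered here.
PROBLEM_DIRECTIVES = {
    "dev": "conflicts with the 'Device mode' set in the GUI and causes an error",
    "nobind": "conflicts with the GUI-generated 'local' directive",
    "txqueuelen": "not supported at all in pfSense",
}
# Directives that must reference files created via Diagnostics - Edit File.
PATH_DIRECTIVES = {"auth-user-pass": ".txt", "ca": ".crt"}
# Placeholder words from the guide that must be replaced with real values.
PLACEHOLDERS = ("serveraddress", "tokenfilefolder", "certfilefolder")


def parse_custom_options(text: str) -> List[List[str]]:
    """Split the way pfSense does (';' or newline per option) and return the
    active directives as token lists; blank pieces and '#' comments are skipped."""
    directives = []
    for piece in re.split(r"[;\n]", text):
        line = piece.strip()
        if not line or line.startswith("#"):
            continue
        directives.append(line.split())
    return directives


def lint_custom_options(text: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing was flagged."""
    problems = []
    if any(tag in text for tag in ("<ca>", "<cert>", "<key>")):
        problems.append("inline <ca>/<cert>/<key> blocks are not accepted; "
                        "store the certificate in a .crt file and point 'ca' at it")
    seen = set()
    for tokens in parse_custom_options(text):
        name, args = tokens[0], tokens[1:]
        seen.add(name)
        if name in PROBLEM_DIRECTIVES:
            problems.append(f"'{name}': {PROBLEM_DIRECTIVES[name]}")
        if any(ph in arg for arg in args for ph in PLACEHOLDERS):
            problems.append(f"'{name}' still contains a placeholder: {' '.join(args)}")
        if name in PATH_DIRECTIVES:
            want = PATH_DIRECTIVES[name]
            if not args:
                problems.append(f"'{name}' has no file path")
            elif not args[0].startswith("/"):
                problems.append(f"'{name}' path {args[0]!r} is not absolute")
            elif not args[0].endswith(want):
                problems.append(f"'{name}' path {args[0]!r} should end in {want}")
    for required in ("client", "remote", "auth-user-pass", "ca"):
        if required not in seen:
            problems.append(f"missing required directive '{required}'")
    return problems


# Constructed sample: the guide's config with comments dropped, the problem
# directives commented out, and made-up file names under /etc.
SAMPLE_OK = """
client;
#dev tun;
resolv-retry 16;
#nobind;
float;
#txqueuelen 486;
remote-random;
remote cluster-montreal.cryptostorm.net 443 udp;
remote cluster-montreal.cryptostorm.org 443 udp;
comp-lzo no;
down-pre;
explicit-exit-notify 3;
hand-window 37;
mssfix 1400;
auth-user-pass /etc/cs_token.txt;
ca /etc/cs_ca.crt;
ns-cert-type server;
auth SHA512;
cipher AES-256-CBC;
replay-window 128 30;
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
tls-client;
key-method 2;
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_OK), ("with dev tun", SAMPLE_OK + "dev tun;")):
        print(label, "->", lint_custom_options(cfg) or "no problems found")
```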


Guest

Re: HOWTO: pfSense

Postby Guest » Thu Apr 03, 2014 2:21 am

It's possible to configure a pfSense router so that no traffic goes out or in if the VPN connection goes down, but I haven't been able to figure out how to do it. I have some traffic I don't want or need going through the VPN and that's complicated things. I'm not aware of a way to notify you when the token expires besides losing the internet connection when it happens. If you're like me and haven't been able to stop it from passing traffic when the VPN goes down you'll just have to keep an eye on when the token expires and check your OpenVPN status.

What to do when your token expires
When your token expires setting up the new one is simple.
Navigate to Diagnostics - Edit File - click Browse (or if you know the path you can type that in and click Load) and go to the folder where you stored your token file.
Click the file and you will see a message "File successfully loaded" and you will see your hashed token load.
Delete the expired hash and enter the new. Click Save. You will see a message "file successfully saved".
Navigate to Status - OpenVPN and click the Restart Service button (not the square, that's Stop). After a moment the page should reload and you should see Up as the status. You can also go to Status - System logs - OpenVPN and you should see the Initialization Sequence Completed message, showing you're connected.
If you can't connect, repeat and double-check you put the right hash in, then restart the OpenVPN service.


distant.prime
Posts: 3
Joined: Tue Jul 22, 2014 10:29 am

Re: HOWTO: pfSense

Postby distant.prime » Wed Jul 23, 2014 8:16 pm

Thanks for providing this HowTo. :clap:

Let me just say that I am a total newb to Networking and only tinkering around with pfSense/OpenVPN as a hobby. I don’t have any background in IT at all so please forgive me if my approach is incorrect or rudimentary. :oops:

I am trying to figure out how a piece of your configuration code is supposed to work.

I have followed your instructions exactly and have a working system. I just need clarification on this section of your configuration file, namely:

###------------------------------------------------------------------------------------------------------
remote-random;
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks
remote serveraddress 443 udp;
remote serveraddress 443 udp;
remote serveraddress 443 udp;
remote serveraddress 443 udp;
##Poster's note: enter the server you want to connect to, NOT serveraddress.
## Get that from the config file for the server you want to connect to.

###------------------------------------------------------------------------------------------------------


For reference, here is a definition from the OpenVPN Manual:
***-----------------------------------------------------------------------------------------------------
--remote-random
When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure.

***------------------------------------------------------------------------------------------------------

From this I would expect my VPN IP address to be variable but it is not. From the way that my system behaves I don’t really understand how this bit of code functions. Should I notice any changes over time to my external given VPN IP address? I do notice a slight difference to my DHCP lease from time to time. Could it be for that purpose? Also, if I comment everything out and only stipulate one explicit address (either of the given four addresses), then my given VPN IP address is also always the same. I must be missing something since this bit of code seems to make no difference to the way my tunnels are formed.

Would you please be so kind as to provide a little more detail as to how this bit of code is supposed to work and what I am missing so that I can take full advantage of the services available?


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: HOWTO: pfSense

Postby tlsbreak » Sat Jul 26, 2014 8:05 am

I'm not an expert on anything but I'll give this a shot. :)

The guide appears to be based on the original Montreal raw config here.
viewtopic.php?f=47&t=5996

Notice this part.
<connection>
remote cluster-montreal.cryptostorm.net 443 udp
</connection>

<connection>
remote cluster-montreal.cryptostorm.org 443 udp
</connection>

<connection>
remote cluster-montreal.cryptostorm.nu 443 udp
</connection>

<connection>
remote cluster-montreal.cstorm.pw 443 udp
</connection>

I think the purpose of remote-random is to randomly select one of these addresses when you connect, probably in case one or more would get blocked. As far as I know your public facing ip shouldn't change after you're connected, if it does change (especially to an ip you don't recognize) you should let support know right away. The one exception to that might be the Montreal host switchover that's taking place, I don't know if it's completed yet or not.
viewtopic.php?f=47&t=6252#p9656

I think you can remove the remote and remote-random setting if you choose to connect by ip address instead. I don't think there's any benefit to using remote-random with the actual ip address, but I'm sure support or one of the actual experts will correct me if any of this is wrong.

What version of pfSense are you using? If you're on the current 2.1.4 build I'm surprised this guide worked.


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: HOWTO: pfSense

Postby tlsbreak » Thu Aug 07, 2014 9:18 am

How to Keep Traffic in Cryptostorm VPN

Most don't want any traffic going out to the internet if the Cryptostorm connection goes down. This isn't hard to do in pfSense, but there is one special thing you need.

First you need to turn off a secret setting. :eh:
Go to System | Advanced | Miscellaneous
Scroll toward the bottom to Gateway Monitoring.
UNCHECK the Skip rules when gateway is down setting. Then click Save at the bottom.
pfSense assumes you always want to be connected. This setting makes traffic go out the default gateway (for us that's the WAN) if the preferred gateway (our Cryptostorm VPN) goes down. Turning this off will disable that.

We need a rule to only pass traffic through Cryptostorm.
Go to Firewall | Rules
You will see Floating, WAN, LAN, Opt1 and OpenVPN. (Rules are processed left to right, top to bottom, so if you have a Floating rule it will be applied first, then any WAN rules, and so on.)
Go to LAN tab.
In here you should see the default rule which is pass everything. (There are 2 other rules, ignore them for now.)
We need a rule like this one but applied only to the vpn gateway. That's probably OPT1.
Click Edit. That's the e button at the far right.
Scroll down to Gateways.
Click the menu arrow and select the Cryptostorm gateway. It's probably OPT1.
Click Save, then Apply on the next page. That's it!

I didn't mention this to avoid confusion, but you could also delete the LAN rule and create a new one, or duplicate it, edit the copy and disable it. I duplicated/disabled it since I wanted to have it as a reference in case I broke something. Disable the rule by clicking the triangle by the checkbox at the left. If you click Edit there's a checkbox to disable it in there also.
When a rule is disabled it's grayed out.


You'll see a couple other rules in LAN, a rule for passing IPv6 traffic and the lockout rule. Disable the IPv6 rule. Leave the lockout rule (unless you really know what you're doing). If you mess with that you risk locking yourself out of pfSense.

Troubleshooting
This should keep all your traffic in the vpn and nothing should go out the WAN. To check it, Go to Openvpn | Client or Status | Openvpn and disable Cryptostorm. Try accessing the net. You should fail. :mrgreen: You can also go to Diagnostics | Packet Capture and inspect that in Wireshark to make sure stuff is going or not going where it should.
If you're still able to access the net you may need to reset the route states.
Go to Diagnostics | States. Click Reset States. It might take a couple minutes.
If Cryptostorm is down but you can still get to the net make sure you don't have another rule somewhere that's passing traffic.


Guest

Re: HOWTO: pfSense

Postby Guest » Fri Oct 31, 2014 5:28 am

So I just signed up for Cryptostorm and with a little help from the mods in the IRC channel, got it working. There are a few things that have changed with the new version of pfSense so I figured I'd add to this thread.

Key stuff you need to know:
Pfsense 2.1.5
Openvpn
IPs were valid as at 31/10/2014

1. Follow the above guide as a starting point - Point 9 does not work as it is based on a bug that was fixed with a newer version of pfSense

2. Download newclientcerts.zip and update the crt file you created with the contents of the crt file that is in the zip file

3. Change the advanced config in openvpn to something resembling the below (note I have removed comments as the line breaks caused issues)


##start advanced config
client;
resolv-retry 16;
float;

sndbuf size 1655368;
rcvbuf size 1655368;

remote-random;

remote 23.19.35.14 443 udp;
remote 198.27.89.56 443 udp;
remote 79.134.235.133 443 udp;
remote 46.165.222.248 443 udp;


down-pre;


explicit-exit-notify 3;


hand-window 37;


mssfix 1400;


auth-user-pass /etc/tokenfile.txt;


ca /etc/ca2.crt;


ns-cert-type server;

auth SHA512;


cipher AES-256-CBC;


replay-window 128 30;


tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA;
tls-client;
key-method 2;
##end advanced config


4.Save the config

5. Set up NAT rules to point the ip range of the network you are using to the new vpn end point. Save config
6. Set up the firewall rules to point the ip range to the openvpn CS client (allow) to get access out. Save config
7. Set up the firewall rules to point the openvpn client to the openvpn CS client you created. save config
8. Set up the firewall rules to point the openvpn CS client to the wan. Save config


Troubleshooting:
1. Cert invalid issues can usually be solved with a reboot
2. Gotcha for new players is you need to hash the token you receive from CS.


pfsensenewbie

Re: HOWTO: pfSense

Postby pfsensenewbie » Mon Mar 16, 2015 7:48 pm

Hi,

at first: Thank you for the great tutorial. I made all the steps but have a problem with the Step 4: Create password file:

After doing all the steps I get an error message that the /etc/tokenfilename.txt needs two lines (username/password). I tried all variants:
- first line: hashed token / no enter
- first line: hashed token / enter
- first line hashed token / enter / enter
- first line: hashed token / hashed token
- first line: empty / enter /hashed token

Has anyone the same problem and a solution? I use the actual version 2.2.

Thanks in advance


Fermi
Site Admin
Posts: 226
Joined: Tue Jun 17, 2014 11:42 am

Re: HOWTO: pfSense

Postby Fermi » Tue Mar 17, 2015 11:46 am

Hi pfsensenewbie,

The password file indeed needs two lines.
first line: hash of the token (which will be considered the OpenVPN username)
second line: 93b66e7059176bbfa418061c5cba87dd (which is the official Cryptostorm password, but in fact you can type anything here, as long as there's something)

I'm having pfsense 2.2 connected to Cryptostorm in a virtual environment.

Regards,

/Fermi
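Step 4 of the guide, Fermi's two-line answer above, and the "group or others accessible" warning from step 7, put together in one script that writes the auth-user-pass file with the hash as line 1 and the password as line 2, creates it owner-readable only, and reports what OpenVPN would see. This is an added example, not Cryptostorm's or pfSense's own code; it assumes the token hash is the lowercase hex SHA512 of the raw token with surrounding whitespace removed, and that the filesystem honours POSIX mode bits.

```python
"""Build the two-line OpenVPN auth-user-pass file for the pfSense client."""
import hashlib
import os
import stat
import tempfile

# Second line value Fermi gives in the thread; per his post any non-empty text works.
DEFAULT_PASSWORD = "93b66e7059176bbfa418061c5cba87dd"


def hash_token(token: str) -> str:
    """SHA512 hex digest of the token (assumption: this is the hash the
    service expects). Whitespace is stripped so a token pasted with a
    trailing newline hashes the same as one typed by hand."""
    return hashlib.sha512(token.strip().encode("utf-8")).hexdigest()


def auth_file_contents(token: str, password: str = DEFAULT_PASSWORD) -> str:
    """Line 1: hashed token (OpenVPN username). Line 2: password. Both newline-terminated."""
    if not password.strip():
        raise ValueError("the second line must not be empty")
    return f"{hash_token(token)}\n{password}\n"


def write_auth_file(path: str, token: str, password: str = DEFAULT_PASSWORD) -> None:
    """Create the file with mode 0600 from the start rather than chmod-ing
    afterwards, so it is never readable by group or others, even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(auth_file_contents(token, password))
    os.chmod(path, 0o600)  # tighten an existing file that had looser bits


def is_private(path: str) -> bool:
    """True when group and others have no permission bits at all, which is
    the condition behind OpenVPN's 'group or others accessible' warning."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def self_check(token: str = "constructed-example-token") -> dict:
    """Write the file into a temporary directory and describe the result."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tokenfile.txt")
        write_auth_file(path, token)
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        return {
            "lines": len(lines),
            "username": lines[0],
            "username_len": len(lines[0]),
            "private": is_private(path),
        }


if __name__ == "__main__":
    print(self_check())
```

On the router itself the path would be the one you chose in step 4 (for example /etc/tokenfilename.txt), and the file has to be rewritten the same way each time the token is renewed.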


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: HOWTO: pfSense

Postby tlsbreak » Wed Mar 18, 2015 7:08 am

pfsensenewbie wrote:Hi,

at first: Thank you for the great tutorial. I made all the steps but have a problem with the Step 4: Create password file:

After doing all the steps I get an errormessage, that the /etc/tokenfilename.txt needs two lines (username/password).
/snip
Has anyone the same problem and a solution? I use the actual version 2.2.

Thanks in advance


I don't have this problem. I don't know why, maybe because I set it up first on an older version. 2.2 has username and password fields now. You can use those instead of creating the file in the guide, hashed token for the username and if you still get that error anything for the password like Fermi said.


pfsensenewbie

Re: HOWTO: pfSense

Postby pfsensenewbie » Sun Mar 22, 2015 7:53 pm

Hi tlsbreak and fermi,

1000 thanks for your help. I tried to use the username/password combination in the openvpn-page but it does not work again.
Now I have a tls-error, but as I read, this is not a very specific error. I managed to get access to three other openvpn-providers with my pfsense in vsphere.

Can you tlsbreak or you fermi backup your pfsense (without username) and upload it here? It would be really great, because I do not find my error and I made the setup from the beginning two times. (I hope, this is not a security problem to backup, but I do not think, that there are personal data included)


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: HOWTO: pfSense

Postby tlsbreak » Mon Mar 23, 2015 4:47 pm

Hi pfsensenewbie.

pfsensenewbie wrote:Hi tlsbreak and fermi,

1000 thanks for your help. I tried to use the username/password combination in the openvpn-page but it does not work again.
Now I have a tls-error, but as I read, this is not a very specific error. I managed to get access to three other openvpn-providers with my pfsense in vsphere.

Can you tlsbreak or you fermi backup your pfsense (without username) and upload it here? It would be really great, because I do not find my error and I made the setup from the beginning two times. (I hope, this is not a security problem to backup, but I do not think, that there are personal data included)


I haven't tried running pfSense in a virtual environment so can't offer suggestions for that. The tls error could be from a network connection problem, or a wrong setting. Do you have the TLS authentication box checked? If so try unchecking and enter the tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA; setting in the advanced configuration instead. I don't think it should matter but if the parameter is in the conf file I set it to none in the gui where I can.

I've got too many rules to share mine as I need some things to bypass the vpn. I can post my settings if you want.


HandShakeFail

Re: HOWTO: pfSense

Postby HandShakeFail » Mon May 11, 2015 4:18 pm

Hi,

It's good that after such a long time someone started a pfSense-oriented topic.
I've used pfSense for routing Cryptostorm for a long time; I've always had a problem where pfSense randomly throws a TLS-handshake error.

The disturbing part is - it happens without reason! Yesterday I used pfSense normally, two days ago too, even a month ago it worked fine with my current config. Today, I power it up, copy-paste my token to the user-pass file and ... TLS-Error. Tried rebooting around 10 times, tried editing the config, searching on forums but nothing. It just happens once every month, then after a few days of struggle it seems to come up by itself, without my help. Why?

This only happens with Cryptostorm. I would paste my config but it's pretty much the same as posted above. I also have rules on Firewall for blocking connection after vpn fails.

Also, I've noticed that it may have something to do with another VPN I'm using on the host machine (pfSense is in a virtual environment), as the first VPN throws a lot of "Authentication Error Packet encrypt/decrypt Bad ID", yet internet works fine.

Can someone help? It's getting more and more frustrating as it happens frequently and I cannot find any reason for it.

