OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: ciaduck on June 12, 2019, 05:22:28 am

Title: [Solved] VPN Client restarting -- event_wait : Interrupted system call (code=4)
Post by: ciaduck on June 12, 2019, 05:22:28 am
Sorry if this has been asked before, but I'm at my wits' end with this.

I had a setup with OPNsense as my core router/gateway, and it worked. I recently moved and no longer have that option. I'm stuck behind an ISP provided router.

I've made several modifications to the VPN configurations, I've tried a fresh (re)install of opnsense, I've tried a different VPN provider on a different port and different client.

I can get the VPN to work from my phone and from my laptop. So the issue isn't with the VPN provider getting through my ISP.

I've made my opnsense the "DMZ" host for my ISP's router. I've enabled port forwarding as well, and I've disabled the ISP firewall entirely.

Even with all this I can't get the VPN client to stay up. It will connect, authenticate, handshake.... Wait... Then it somehow gets an "interrupt" and exits. At this point the service restarts under a new child pid, rinse and repeat.

Do I need to set a client IP that reflects my WAN IP? I'm running pi.hole on my network so DNS and DHCP service on opnsense is disabled. How do I get opnsense to get the WAN IP from behind a NAT? (like ddclient)

Attached is an example log. Note that it successfully connects, pulls routes, then decides to quit, teardown, and start all over.
Title: Re: OpenVPN Client Keeps restarting -- event_wait : Interrupted system call (code=4)
Post by: Northguy on June 13, 2019, 02:24:30 am
There are some warnings you need to attend to. Check your cipher, Auth and keysize

Quote
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 11 22:51:55 OPNsense openvpn[86766]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 11 22:51:55 OPNsense openvpn[86766]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Title: Re: OpenVPN Client Keeps restarting -- event_wait : Interrupted system call (code=4)
Post by: ciaduck on June 13, 2019, 03:17:12 am
Thank you for taking the time to look into this.

Yes. I've opted for a stronger cipher suite and auth hash than what the service advertises. I can fix the warnings, but please note, the connection is still established after negotiation. I'm not convinced my choice in cipher suite is causing these constant restarts of the OpenVPN service.

I went ahead and tried a different provider, and configured it in a way that those kinds of local/remote mismatch warnings are not present. I still have constant resets.

Attached is the log from that session. Of note is this time there is a SIGTERM every time it cycles to a new PID. I'm not sending a kill to that PID, so I can only imagine there is some other piece of code in OPNsense that is sending a kill for some reason.

The plot thickens...

I might try a complete install and reconfigure. The last reinstall was a restore from a backup config. I wonder if there was something about the backup config that was no good.
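
The triage discussed in the two posts above, as an added example that is not part of the original thread: a Python sketch that groups OpenVPN syslog lines by PID and records, per process, the option-mismatch warnings and the signal that ended it. The sample log is constructed: the WARNING lines are modeled on the ones quoted in this thread and the `event_wait` text comes from the title, while the SIGTERM lines, timestamps and PID 90112 are assumptions, since the attached logs are not on the page.

```python
import re

# Constructed sample (see lead-in); not the poster's attached log.
SAMPLE_LOG = """\
Jun 11 22:51:55 OPNsense openvpn[86766]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 11 22:51:55 OPNsense openvpn[86766]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 11 22:51:55 OPNsense openvpn[86766]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jun 11 22:52:40 OPNsense openvpn[86766]: event_wait : Interrupted system call (code=4)
Jun 11 22:52:40 OPNsense openvpn[86766]: SIGTERM[hard,] received, process exiting
Jun 11 22:52:41 OPNsense openvpn[90112]: Initialization Sequence Completed
Jun 11 22:53:26 OPNsense openvpn[90112]: event_wait : Interrupted system call (code=4)
Jun 11 22:53:26 OPNsense openvpn[90112]: SIGTERM[hard,] received, process exiting
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MISMATCH = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                      r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
SIGNAL = re.compile(r"\b(SIG[A-Z0-9]+)\[[^\]]*\] received")

def summarize(log_text):
    """Return {pid: summary} in order of first appearance in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an openvpn syslog line
        s = sessions.setdefault(
            m["pid"], {"mismatches": {}, "interrupted": False, "signal": None})
        msg = m["msg"]
        w = MISMATCH.search(msg)
        if w:
            # Values look like 'cipher AES-256-CBC'; keep only the setting itself.
            s["mismatches"][w["opt"]] = (w["local"].split(" ", 1)[-1],
                                         w["remote"].split(" ", 1)[-1])
        elif "Interrupted system call" in msg:
            s["interrupted"] = True
        else:
            sig = SIGNAL.search(msg)
            if sig:
                s["signal"] = sig.group(1)
    return sessions

def signalled_without_mismatch(sessions):
    """PIDs that were signalled although they logged no option mismatch."""
    return [pid for pid, s in sessions.items() if s["signal"] and not s["mismatches"]]

if __name__ == "__main__":
    for pid, summary in summarize(SAMPLE_LOG).items():
        print(pid, summary)
```

A non-empty result from `signalled_without_mismatch` means the restarts also happen in sessions with clean negotiation, which points away from the cipher/auth warnings and toward whatever is sending the signal.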
Title: Re: OpenVPN Client Keeps restarting -- event_wait : Interrupted system call (code=4)
Post by: ciaduck on September 22, 2019, 07:06:23 pm
Sorry to drag this up. But I've solved my problem.

It seems that something in my config was incompatible. I finally took the time to do a fresh install and reconfigure everything from scratch. This solved the problem.

I don't know what about the configs is different/incompatible. I can compare them line-by-line, but I don't think this is a very useful exercise at this point.

I will note that NordVPN has updated their tutorial on how to get their VPN running on OPNsense, which is great.

I use a pihole DNS on my local network, and so I don't have unbound running on OPNsense. I also had to disable DNSSEC in pihole to get queries to go through the VPN, because NordVPN is doing forwarding on their end (thus breaking DNSSEC).

I hope this helps someone if they experience the same issue. Not an ideal solution, but it's what I had to do.