[Solved] Opnsense 20.7.3 and PIA VPN

Started by s4rs, October 06, 2020, 11:20:12 PM

From my side it looks like there is something wrong with your gateway configuration.

I see PIA is telling your OPNsense that there is the network 10.x.x.0/24 with gateway 10.x.x.1 but in your gateway view it is thinking 10.18.110.2 is the gateway, which is wrong. I had this with NordVPN I think. On some servers the routing was a bit strange and I needed to remove the checkbox from "don't pull routes" from the OpenVPN client configuration (which might be problematic). You can try to remove it and check the routes and gateway again. I think the gateway should be 10.18.110.1.
"The S in IoT stands for Security!" :)

So, I removed the check from "don't pull routes" ... how do the gateway IPs and routes look now? However, the VPN still doesn't work, and it breaks default internet connectivity.


Yes, internet connectivity was broken because PIA changed the default gateway.
Like I thought, the gateway was not ".2" but ".1".

Can you try to switch "don't pull routes" again and try to ping or traceroute something from the OPNsense? Seems as if there was something broken with NAT, but the box itself should then be able to send traffic through the tunnel.

You could add
pull-filter ignore redirect-gateway
To custom options. Internet should then still be working while the rest of the routes will be pulled. Please try

And maybe send a screenshot of the OpenVPN interface assignment.
"The S in IoT stands for Security!" :)

Ok... so, I unticked "Don't pull routes" and "Don't add/remove routes". Also, added "pull-filter ignore redirect-gateway;" to the advanced options of the client config... disabled the PIA VPN service and then re-enabled it.

traceroute still times out from OPNsense... attached are the VPN config and the interface config for PIA.


I found this....

https://github.com/opnsense/core/pull/4433

I wonder if it would fix my problem?

Seems like OPENVPN is broken in OPNsense?

What do you think?

Possible, one last guess: did you try to tick "Dynamic Gateway" on the interface settings page? Maybe that helps.
"The S in IoT stands for Security!" :)

November 02, 2020, 04:17:05 PM #36 Last Edit: November 02, 2020, 04:18:53 PM by Chrome
If I tick "Dynamic gateway policy", then the gateway goes "offline", so I restart the connection... but the traceroute still doesn't go anywhere... just times out.

Quote from: Chrome on November 02, 2020, 03:11:30 AM
I found this....

https://github.com/opnsense/core/pull/4433

I wonder if it would fix my problem?

Seems like OPENVPN is broken in OPNsense?

What do you think?

If you ssh into the opnsense console and do a ping -S 10.8.110.<yourIP> google.com does it work?

I just ran into an interesting issue. I have a primary and backup Opnsense install. I upgraded the hypervisor on the primary and switched to the secondary. I set up PIA and ran into an issue. For some reason icmp and udp traffic is getting blocked on the lan gateway address. TCP/IP traffic is fine. I found this since DNS look ups were failing but I could ping external IPs. I setup PiHole as a new DNS server, pointed the PIA systems to its IP and all is fine. Any idea what would cause the protocol block?

I never got this solved... ended up switching PIA over to WIREGUARD... and haven't looked back.

I've got it running just like I did with PFSense... but only better, now using wireguard, which was one of my main reasons for switching.

There's a script to manage the PIA WireGuard tunnel for you. (Created by me)

This is what Chrome used to setup the PIA WireGuard ;)

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
Adventuring through internet pipes

Jonny is right... the script is a beauty!

Get it ... and you won't want to deal with OPENVPN... WG just works, and its especially easy with the script.

What needs to be setup before trying the script? Do I remove all the PIA configuration I have? Can I pick the IPs that get pushed through WireGuard?

Before I try wireguard script I was wondering if anyone has an idea why I see this error when I select Don't pull routes?

Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,route-gateway 10.11.112.1,topology subnet,ifconfig 10.11.112.3 255.255.255.0,auth-token'
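The "cannot be used in this context" lines are what OpenVPN logs when route-nopull (the option behind "Don't pull routes") makes it refuse pushed route, redirect-gateway and dhcp-option lines; the values the server pushed are still visible in the PUSH_REPLY line. The script below is an added example, not OpenVPN or OPNsense code: it models OpenVPN's documented "pull-filter ignore PREFIX" behaviour (drop every pushed option whose text starts with PREFIX) against a constructed copy of that PUSH_REPLY, so you can see the route-gateway and ifconfig values the client would apply, and which options "pull-filter ignore redirect-gateway" (the custom option suggested earlier in the thread) actually removes before changing the firewall. It assumes a POSIX sh with awk, sed and tr.

```shell
#!/bin/sh
# Added example (not OpenVPN/OPNsense code): model how OpenVPN applies
# "pull-filter ignore PREFIX" rules to a PUSH_REPLY from the server.

# Constructed copy of the PUSH_REPLY logged above (auth-token value elided there too).
PUSH_REPLY='PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,dhcp-option DNS 10.0.0.242,ping 10,comp-lzo no,route-gateway 10.11.112.1,topology subnet,ifconfig 10.11.112.3 255.255.255.0,auth-token'

# push_options MESSAGE -> one pushed option per line, PUSH_REPLY keyword dropped.
push_options() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '1d'
}

# apply_pull_filters MESSAGE PREFIX... -> the options that survive a
# "pull-filter ignore PREFIX" line for each PREFIX given. OpenVPN matches on
# the leading text of the option, so "dhcp-option DNS" drops both DNS lines.
apply_pull_filters() {
    msg=$1
    shift
    push_options "$msg" | while IFS= read -r opt; do
        keep=1
        for prefix in "$@"; do
            case $opt in
                "$prefix"*) keep=0; break ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$opt"
        fi
    done
}

# route_gateway MESSAGE -> the next hop the client will use inside the tunnel
# (this, not the client's own ifconfig address, is the gateway OPNsense should show).
route_gateway() {
    push_options "$1" | awk '$1 == "route-gateway" { print $2 }'
}

# tunnel_address MESSAGE -> the address pushed for the client's own tun side.
tunnel_address() {
    push_options "$1" | awk '$1 == "ifconfig" { print $2 }'
}

# Demo: compare what gets applied with and without the custom option.
echo "tunnel address: $(tunnel_address "$PUSH_REPLY")"
echo "route-gateway:  $(route_gateway "$PUSH_REPLY")"
echo "--- no pull-filter: everything applied, including the default route change ---"
push_options "$PUSH_REPLY"
echo "--- pull-filter ignore redirect-gateway: default route kept, tunnel routes still pulled ---"
apply_pull_filters "$PUSH_REPLY" "redirect-gateway"
echo "--- also ignoring pushed DNS servers (pull-filter ignore \"dhcp-option DNS\") ---"
apply_pull_filters "$PUSH_REPLY" "redirect-gateway" "dhcp-option DNS"
```

The two values to compare against the OPNsense gateway page are the ones route_gateway and tunnel_address print: the gateway entry for the PIA interface should carry the route-gateway address (.1 here), while the ifconfig address (.3 here) is the firewall's own end of the tunnel.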

Quote from: s4rs on November 09, 2020, 09:50:09 PM
What needs to be setup before trying the script? Do I remove all the PIA configuration I have? Can I pick the IPs that get pushed through WireGuard?

You don't need to setup too much before running the script...the README tells you everything you need to know. If you have trouble, myself or Jonny can help.

Yes, it is essentially the same thing... I didn't remove anything I had setup for OPENVPN, I just setup WG... and made sure that my firewall rules directed traffic through the WG VPN... instead of the OPENVPN.

Just two different methods of transport... train vs plane.

You can still pick your IPs like you always have.... just direct them to WG instead of OPENVPN.