- Upvote score
As a pfSense Newbie, I am seeking advice on how to setup Oeck in pfSense Qotom Q355G4.
|Aug 13 04:14:40||php-fpm||342||/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client2.conf'' returned exit code '1', the output was ''|
|Aug 13 04:14:40||php-fpm||342||OpenVPN failed to start|
|Aug 13 04:14:40||check_reload_status||Reloading filter|
Thanks, however, I have my hands full at the moment with pfSense and the Qotom box. Once I have that sorted, then perhaps time to look further afield.As an aside, we have a couple of people on here using untangle instead of pfSense on qotom.
Might be worth checking out.
How to setup Oeck(OpenVPN) on Untangle. Untangle is a router solution based on Linux Debian, it is very easy to use once setup, the solution itself is mostly free but the part that costs money is their premium filtering apps which shouldn't interest you unless you want to view any and all...www.oeck.com
Thanks Cameron,So I have a few things I can see-
- auth-user-pass doesn't need a file parameter after it
- seems to be 4 different dev lines (maybe a pfsense thing)
- key-direction is for an inline tls cert, not a file
- a few lines are in multiple times - maybe ok, not sure but worth cleaning up
- protocol is specified twice - proto udp4 and on the remote line. openvpn manual doesn't list udp4 as an option under proto.
- ncp-ciphers is not used on the server end, may be a problem listing ncp in client end
Some of these things may be due to the pfSense implementation of openvpn. I've never set up a pfSense device.
Cameron @ Oeck
Seems like you are having fun with it anyway.
I'll help if I can.
The one in your conf file should be OK, but if you want to try a different one, you can use 184.108.40.206, port 1194.
The port will depend on the type of connection and encryption:
1194 - UDP - AES-256-GCM
1196 - UDP - AES-128-CBC
443 - TCP - AES-256-GCM
445 - TCP - AES-128-CBC
Thanks Cameron,I'll do my best - without knowing if any are pfsense specific:
client - yes
dev tun - yes (depending on other pfsense options
auth-user-pass - yes, although pfsense might use a file specified here (I didnt find that before)
resolv-retry infinite - not necessary
nobind - cannot be used together with lport, otherwise yes
persist-key - depends on privileges in pfsense, probably yes
persist-tun - - depends on privileges in pfsense, probably yes
remote-cert-tls server - yes
key-direction 1 - no, clashes with tls-auth
verb 3 - yes
dhcp-option DOMAIN-ROUTE . - not necessary
|Aug 13 21:56:11||check_reload_status||Reloading filter|
|Aug 13 21:58:26||php-fpm||60266||/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client2.conf'' returned exit code '1', the output was ''|
|Aug 13 21:58:26||php-fpm||60266||OpenVPN failed to start|
|Aug 13 21:58:26||check_reload_status||Reloading filter|
I think it would be helpful to find the openvpn log. That one seems to be an overall system log.
Hi Cameron,Hi Wayne,
I can't find anything in the log related to either client2 or Oeck.
Looks like it has a problem before openvpn does anything.
Could this be a file permission problem?
Or something in pfSense that is controlling which client files to open?
Hi Cameron,Hi Wayne,
So it might be changing the message, but you can't use linux-Sydney-udp-256 as the remote hostname.
Also you can't use 220.127.116.11.
The only ones you can use are listed in the .ovpn file:
They are the only ip addresses with openvpn servers running on them.
Also, none of those IP's have DNS entries. The IP is the only way to connect.
Hope this helps a bit.
Hi Cameron,So far - that log looks OK.
Is that the whole log? It looks a little light.
I think the key will be somewhere in the log. If it's not connecting, the openvpn log should tell us why.
At the moment the log you have seems to be only the beginning of the process, which looks Ok.
The next steps should see it checking certificates and authenticating.
I can't tell from the log whether it is going through the whole connection process and not telling us about it, or not doing it at all.
Well I guess this is a downside of not logging. The one thing I can tell you is the status of your last login. It's limited to: Successful login, Wrong password, Account in arrears, and Too many concurrent devices.
Currently it's a successful login. If you try now, I'll be able to tell you something.
Hi Cameron,Hi Wayne,
So there are a few things that need to change:
-> cipher AES-256-GCM
-> auth SHA256
-> tls-auth /var/etc/openvpn/client2.tls-crypt 1
Those 3 will stop it from working, but I would have thought each one would have error messages associated.
OK, thanks Cameron.That's the one.
I'm not sure how that relates to the files listed in the config file. I assume pfsense puts them in the relevant files.
Looks like 'TLS key usage mode' needs to be set to 'Authenticate' not 'Encrypt and Authenticate'
That would be the difference between tls-crypt and tls-auth.
If you do that, then I assume the name of the file will be client2.tls-auth, but i have no idea how you would find that out.
Gidday Cameron,Ok, so I compared your log to my ubuntu log. Mine is line-for-line identical to yours until yours stops.
The next thing mine does is this:
Sun Aug 16 08:14:03 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
I think we still have a TLS config problem. Do you have any settings that look like that?
Can you test this config file?
Copy your old one to a backup, then put this in:
remote 18.104.22.168 1194
keepalive 10 60
management /var/etc/openvpn/client1.sock unix
tls-auth /var/etc/openvpn/client1.tls-auth 1
Gidday Cameron,You'll be a pro at this by the end.
I understand Oeck staff will be placing up some info from working through pfSense with me.can you please share with us what you found out so others may follow in your footsteps? perhaps edit your original post with some notes?
Hi justinmeryment,Here are my OpenVPN Client settings that are working for me.
You'll then need to configure an OpenVPN interface and the DNS settings I posted earlier.
Hi justinmerymentThanks Wayne and Cameron, following these notes I've also managed to get Oeck to connect on my Pfsense box.
I've also just figured out the DNS server settings.
What I've done:
1. Go to system/general setup
2. Configure Oeck DNS servers (10.204.2.1, 10.207.0.1) with your VPN interface as the gateway
3. Add your ISP DNS servers with your WAN interface as the gateway, ensuring these are below the Oeck ones
4. Disable "DNS Server Override"
5. Save this page and apply changes if required.
6. Go to "Services/DNS Resolver"
7. Untick "Enable DNS resolver"
8. Save this page and apply changes if required.
9. Go to "Services/DNS Forwarder"
10. Tick "Enable DNS forwarder"
11. Tick "Query DNS servers sequentially" (ensures Oeck DNS is used before ISP, but will allow fallback if Oeck is down)
12. Optionally, tick "Register DHCP leases in DNS forwarder" and " Register DHCP static mappings in DNS forwarder" to allow local network host lookups.
13. Save this page and apply changes if required.
14. Go to "System/Advanced"
15. Tick " Disable DNS Rebinding Checks" (This is required because Oeck deliver netflix/hulu etc services on a private IP address)
16. Save this page and apply changes if required.
17. Go to "Services/DHCP Server"
18. Ensure "DNS Servers" list is either blank or has your pfsense IP address only
19. Save this page and apply changes if required.
20. You should be all done, check by doing an nslookup on netflix.com from your PC. A private IP address (10.X.X.X) should be returned.
21. If it's not working, try restarting your device to ensure the new DHCP settings are picked up.