Cloud hosted VPN and router/pfsense

Hello, I did not see a similar post when searching the forum, so sorry if this has already been posted.

I have set up a cloud hosted VPN as per Tom’s instructions in the video, https://www.youtube.com/watch?v=7SSXpfd1JLw. Have also tried this one, https://www.youtube.com/watch?v=IneAGgh9hQg.

I cannot get either .ovpn file to work with pfSense or an Advanced Tomato router. Both .ovpn files work great on several Linux machines when importing them as a custom file (.ovpn config file).

My pfSense and Tomato router seem to be working normally, as both ExpressVPN and Mullvad files work properly when testing. The self-hosted cloud .ovpn files do not work. I have tried playing with settings, with no luck connecting.

Has anyone got a cloud-hosted OpenVPN file to work in a router or pfSense?

Thanks in advance!

Have you looked through the pfSense error logs to determine why?

Does the OpenVPN session start at all, or is it failing on that? If it's working, I would not push the gateway but do all the routes yourself. I just figured out mine. Also, on your VPN, do you have all your masquerades and firewall configured?

Use tcpdump -ni tun0 on the server side to see what you are getting back.
Also check your /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from OpenVPN through eth0.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# tell ufw to process the lines
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
-A ufw-before-input -i tun0 -j ACCEPT
# output rules match the outgoing interface (-o), not the incoming one
-A ufw-before-output -o tun0 -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

Make sure you have these in your server config:

port 1234
# TCP or UDP server?
;proto tcp
proto udp
dev tun
ca ca.crt
cert our.crt
key our.key  # This file should be kept secret
# Generate your own with: openssl dhparam -out dh2048.pem 2048
# (the file name must match the dh line below)
dh dh.pem
topology subnet
# VPN subnet: network address and mask, change to what you want
server 1.2.3.4 255.255.255.0
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
auth SHA256

Pretty much this works. Please note I did not include all the defaults. On pfSense I just specified the same information and keys and it connects with no issue. Please note you need to change the ports and IP address to what you want.

Once that is configured you need to configure routing on pfSense:
create an interface and a gateway and route traffic through it.
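The advice above amounts to "the client profile must agree with server.conf on every framing option". The script below is an added example written for this thread (not code from the forum, pfSense, OpenVPN or the Nyr installer): it parses both files and reports the mismatches that typically leave a tunnel "up" with no traffic. The two sample configs are constructed, and 203.0.113.10 is a documentation address, not a real server.

```python
"""Diff an OpenVPN client profile against the server.conf it must match.

Added example for this thread (not code from the forum, pfSense, OpenVPN or
the Nyr installer).  A tunnel that reaches "Initialization Sequence Completed"
and then passes no traffic is usually an option mismatch, not a failed
handshake.  Sample configs are constructed; 203.0.113.10 is a doc address.
"""
from typing import Dict, List, Optional


def parse_openvpn_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level directive to its argument list (last one wins).

    '#'/';' at line start are comments, as is a trailing ' # ...' after the
    arguments.  Inline <ca>..</ca>, <key>..</key>, <tls-auth>..</tls-auth>
    blocks hold PEM data, not directives: skipped, but recorded under their
    tag so a profile with an embedded HMAC key still counts as using tls-auth.
    """
    directives: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("</") and line.endswith(">"):
            in_block = False
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = True
            directives[line] = []
            continue
        if in_block or line[0] in "#;":
            continue
        for marker in (" #", " ;"):              # strip trailing comment
            cut = line.find(marker)
            if cut != -1:
                line = line[:cut]
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def _compression(cfg: Dict[str, List[str]]) -> str:
    """Normalise the compression framing a side expects.  'comp-lzo no' and a
    bare 'compress' still prepend the header byte, so they differ from 'none'."""
    if "comp-lzo" in cfg:
        return " ".join(["comp-lzo"] + cfg["comp-lzo"])
    if "compress" in cfg:
        return " ".join(["compress"] + (cfg["compress"] or ["stub"]))
    return "none"


def _key_direction(cfg: Dict[str, List[str]]) -> Optional[str]:
    """tls-auth key direction ('0', '1' or 'bidirectional'); None if unused."""
    if "tls-auth" in cfg and len(cfg["tls-auth"]) > 1:
        return cfg["tls-auth"][1]
    if "tls-auth" in cfg or "<tls-auth>" in cfg:
        kd = cfg.get("key-direction")
        return kd[0] if kd else "bidirectional"
    return None


def check_client_against_server(client_text: str, server_text: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the profiles agree."""
    c, s = parse_openvpn_config(client_text), parse_openvpn_config(server_text)
    problems: List[str] = []

    # Transport: client 'remote host [port] [proto]' vs the server's port/proto.
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else c.get("port", ["1194"])[0]
    s_port = s.get("port", ["1194"])[0]
    if c_port != s_port:
        problems.append(f"port: client connects to {c_port}, server listens on {s_port}")
    c_proto = (remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0])[:3]
    s_proto = s.get("proto", ["udp"])[0][:3]
    if c_proto != s_proto:
        problems.append(f"proto: client {c_proto}, server {s_proto}")

    # Data channel: a plain cipher/auth mismatch where both sides pin a value.
    for key in ("cipher", "auth"):
        if key in c and key in s and c[key] != s[key]:
            problems.append(f"{key}: client {c[key][0]}, server {s[key][0]}")

    # Compression framing must be identical on both ends.
    cc, sc = _compression(c), _compression(s)
    if cc != sc:
        problems.append(f"compression: client '{cc}', server '{sc}' "
                        "(symptom: 'Bad compression stub' warnings, then ping-restart)")

    # tls-auth: server direction 0 pairs with client direction 1.
    sd, cd = _key_direction(s), _key_direction(c)
    if sd is not None and cd is None:
        problems.append("tls-auth: server requires an HMAC key the client does not configure")
    elif sd is None and cd is not None:
        problems.append("tls-auth: client adds an HMAC the server does not expect")
    elif sd in ("0", "1") and sd == cd:
        problems.append(f"tls-auth: both sides use key direction {sd}; server needs 0, client 1")

    # Server identity: without one of these the client accepts any cert the CA signed.
    if not any(d in c for d in ("remote-cert-tls", "verify-x509-name", "ns-cert-type")):
        problems.append("client has no server certificate verification; add 'remote-cert-tls server'")
    return problems


# Constructed sample configs (not from the thread).
SERVER_CONF = """\
port 443
proto udp
dev tun
key server.key  # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
"""
CLIENT_BROKEN = """\
client
dev tun
remote 203.0.113.10 443 udp
nobind
auth SHA256
cipher AES-256-CBC
comp-lzo
tls-auth ta.key 1
verb 3
"""
CLIENT_FIXED = CLIENT_BROKEN.replace("comp-lzo\n", "remote-cert-tls server\n")

if __name__ == "__main__":
    for name, cfg in (("broken", CLIENT_BROKEN), ("fixed", CLIENT_FIXED)):
        print(name, check_client_against_server(cfg, SERVER_CONF) or ["OK"])
```

The check is static: an OpenVPN 2.4+ server can push compression or negotiate a cipher after the handshake, so a clean diff is necessary rather than sufficient, but it catches the two warnings that appear later in this thread (comp-lzo on the client only, and no server certificate verification).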

Thanks for the replies,

Forgot to mention in the original post that I am using UDP on port 443, as I find this is a good way to not get blocked on websites. It works on a Linux machine but not pfSense.

Tom, what logs should I be looking for / post here to give you more information? When setting up the VPN it says "up", however it is losing packets and there is no internet. On the main pfSense page it shows the VPN up but no gateway.

raslin, I am not 100% following your first post, sorry, I am new at self-hosting VPNs. Below is my config file, which I have put into pfSense. This is what is above the certificates. I am putting "resolv-retry infinite, ignore-unknown-option block-outside-dns, block-outside-dns" into custom options.

client
dev tun
proto udp
remote 172.105.xx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

Thanks for the help

I am not too familiar with reading these logs but figured I would need to post the OpenVPN logs. Also here are the gateway logs.

Sep 15 10:34:08 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:18 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:28 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:38 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:38 openvpn 64683 [server] Inactivity timeout (--ping-restart), restarting
Sep 15 10:34:38 openvpn 64683 SIGUSR1[soft,ping-restart] received, process restarting
Sep 15 10:34:43 openvpn 64683 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 15 10:34:43 openvpn 64683 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 10:34:43 openvpn 64683 TCP/UDP: Preserving recently used remote address: [AF_INET]172.105.29.161:443
Sep 15 10:34:43 openvpn 64683 UDPv4 link local (bound): [AF_INET]192.168.1.69:0
Sep 15 10:34:43 openvpn 64683 UDPv4 link remote: [AF_INET]172.105.29.161:443
Sep 15 10:34:43 openvpn 64683 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1601'
Sep 15 10:34:43 openvpn 64683 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sep 15 10:34:43 openvpn 64683 [server] Peer Connection Initiated with [AF_INET]172.105.29.161:443
Sep 15 10:34:44 openvpn 64683 Preserving previous TUN/TAP instance: ovpnc2
Sep 15 10:34:44 openvpn 64683 Initialization Sequence Completed
Sep 15 10:34:54 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:04 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:14 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:24 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:34 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:44 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:54 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:04 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:14 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:24 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:34 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:44 openvpn 64683 [server] Inactivity timeout (--ping-restart), restarting
Sep 15 10:36:44 openvpn 64683 SIGUSR1[soft,ping-restart] received, process restarting
Sep 15 10:36:49 openvpn 64683 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 15 10:36:49 openvpn 64683 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 10:36:49 openvpn 64683 TCP/UDP: Preserving recently used remote address: [AF_INET]172.105.29.161:443
Sep 15 10:36:49 openvpn 64683 UDPv4 link local (bound): [AF_INET]192.168.1.69:0
Sep 15 10:36:49 openvpn 64683 UDPv4 link remote: [AF_INET]172.105.29.161:443
Sep 15 10:36:49 openvpn 64683 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1601'
Sep 15 10:36:49 openvpn 64683 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sep 15 10:36:49 openvpn 64683 [server] Peer Connection Initiated with [AF_INET]172.105.29.161:443
Sep 15 10:36:50 openvpn 64683 Preserving previous TUN/TAP instance: ovpnc2
Sep 15 10:36:50 openvpn 64683 Initialization Sequence Completed
Sep 15 10:37:00 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:37:10 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:37:20 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:37:30 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:37:40 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:37:50 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:38:00 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:38:10 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:38:20 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:38:30 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:38:40 openvpn 64683 Bad compression stub (swap) decompression header byte: 42

Gateway logs:

Sep 15 10:04:10 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.254 bind_addr 192.168.1.69 identifier "WAN_DHCP "
Sep 15 10:04:11 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.254 bind_addr 192.168.1.69 identifier "WAN_DHCP "
Sep 15 10:04:24 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.254 bind_addr 192.168.1.69 identifier "WAN_DHCP "
Sep 15 10:04:24 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 10.16.0.1 bind_addr 10.16.0.2 identifier "VPN_VPNV4 "
Sep 15 10:09:45 dpinger VPN_VPNV4 10.16.0.1: Alarm latency 33284us stddev 2344us loss 22%
Sep 15 10:28:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.254 bind_addr 192.168.1.69 identifier "WAN_DHCP "
Sep 15 10:28:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 10.8.0.1 bind_addr 10.8.0.2 identifier "VPN_VPNV4 "
Sep 15 10:28:29 dpinger VPN_VPNV4 10.8.0.1: Alarm latency 0us stddev 0us loss 100%

Not sure if you need to know, but the above information is all from the https://github.com/Nyr/openvpn-install cloud server I started.
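The log above has a recognisable shape: a completed handshake, a stream of "Bad compression stub" lines (the client is sending a compression header byte the server never configured), then a ping-restart because no data ever comes back. The script below is an added example written for this thread (not code from the forum, pfSense or OpenVPN) that classifies a pasted pfSense OpenVPN log by those signatures. The sample lines are constructed in the same format as the log above, with the curly quotes and en-dash that forum paste-ups substitute for ' and --, and with 203.0.113.10 standing in for the server address.

```python
"""Classify a pfSense OpenVPN client log for the "up but no traffic" pattern.

Added example for this thread; not code from the forum, pfSense or OpenVPN.
Sample lines are constructed in pfSense's log shape (203.0.113.10 is a
documentation address) and include the smart quotes/en-dash a forum paste
substitutes for ' and --, which the normaliser undoes before matching.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# pfSense's OpenVPN log line: "<Mon DD HH:MM:SS> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")

# (label, pattern on the message text, what it tells you about the tunnel)
SIGNATURES = [
    ("bad_compression_stub", re.compile(r"Bad compression stub"),
     "peer frames packets with/without the compression header byte this side expects"),
    ("comp_lzo_mismatch", re.compile(r"'comp-lzo' is present in \w+ config but missing in \w+ config"),
     "compression is configured on one side only"),
    ("link_mtu_mismatch", re.compile(r"'link-mtu' is used inconsistently"),
     "option mismatch changed the frame size (usually follows a compression/cipher mismatch)"),
    ("no_server_verify", re.compile(r"No server certificate verification method has been enabled"),
     "client accepts any certificate signed by the CA; add 'remote-cert-tls server'"),
    ("init_complete", re.compile(r"Initialization Sequence Completed"), "handshake succeeded"),
    ("ping_restart", re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "no data received within the keepalive window, tunnel restarting"),
]


def normalise(msg: str) -> str:
    """Undo smart-quote/dash substitutions so the patterns match pasted logs."""
    return (msg.replace("\u2018", "'").replace("\u2019", "'")
               .replace("\u201c", '"').replace("\u201d", '"').replace("\u2013", "--"))


def analyse_openvpn_log(lines: Iterable[str]) -> Dict[str, object]:
    """Count signature hits and derive a verdict for the log window."""
    counts: Counter = Counter()
    initialised = False
    restarts_after_init = 0            # restarts that follow a completed handshake
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                   # not an openvpn line (e.g. dpinger)
        msg = normalise(m.group("msg"))
        for label, pattern, _ in SIGNATURES:
            if pattern.search(msg):
                counts[label] += 1
                if label == "init_complete":
                    initialised = True
                elif label == "ping_restart" and initialised:
                    restarts_after_init += 1

    findings: List[str] = [meaning for label, _, meaning in SIGNATURES if counts[label]]
    if counts["bad_compression_stub"] or counts["comp_lzo_mismatch"]:
        verdict = ("compression framing mismatch: make the client's compression setting "
                   "match what the server config declares")
    elif restarts_after_init:
        verdict = ("handshake succeeds but no data returns: check server-side forwarding "
                   "(ip_forward, MASQUERADE in before.rules) and routes")
    elif counts["init_complete"]:
        verdict = "tunnel initialised with no mismatch warnings in this window"
    else:
        verdict = "no completed handshake seen; check reachability, port/proto and TLS keys"
    return {"counts": dict(counts), "restarts_after_init": restarts_after_init,
            "findings": findings, "verdict": verdict}


# Constructed sample, same shape as the thread's log (not copied from it).
SAMPLE_LOG = """\
Sep 15 10:34:08 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:18 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:34:38 openvpn 64683 [server] Inactivity timeout (–ping-restart), restarting
Sep 15 10:34:38 openvpn 64683 SIGUSR1[soft,ping-restart] received, process restarting
Sep 15 10:34:43 openvpn 64683 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 15 10:34:43 openvpn 64683 UDPv4 link remote: [AF_INET]203.0.113.10:443
Sep 15 10:34:43 openvpn 64683 WARNING: ‘link-mtu’ is used inconsistently, local=‘link-mtu 1602’, remote=‘link-mtu 1601’
Sep 15 10:34:43 openvpn 64683 WARNING: ‘comp-lzo’ is present in local config but missing in remote config, local=‘comp-lzo’
Sep 15 10:34:43 openvpn 64683 [server] Peer Connection Initiated with [AF_INET]203.0.113.10:443
Sep 15 10:34:44 openvpn 64683 Initialization Sequence Completed
Sep 15 10:34:54 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:35:04 openvpn 64683 Bad compression stub (swap) decompression header byte: 42
Sep 15 10:36:44 openvpn 64683 [server] Inactivity timeout (–ping-restart), restarting
"""

if __name__ == "__main__":
    result = analyse_openvpn_log(SAMPLE_LOG.splitlines())
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The verdict ordering matters: compression signatures are checked first because a framing mismatch also produces the ping-restart loop, so a restart on its own only points at server-side forwarding when no mismatch warning is present. The dpinger gateway lines in the thread do not match LINE_RE and are skipped rather than misread.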

So after using my "brain" and reading the logs showing bad compression, I turned the default compression selection to "OpenVPN default" and now the gateway is up and I have internet.

Thanks for pointing me to the logs. I am newer to networking and did not even think to look at the logs.

Thank you!