pfSense OpenVPN Ubuntu 20.04 client setup

This post documents getting pfSense + OpenVPN working again with an Ubuntu 20.04 client. After years of upgrades to both systems and some configuration drift, the connection stopped working after a laptop replacement, and the steps below were required to get it working again. The main symptom was that the client would connect to OpenVPN with no errors, but no traffic would pass over the connection.

No traffic being passed was a result of the ‘tun’ interface never being created on the new Ubuntu 20.04 install. This required “tunctl”, part of uml-utilities, to set up the tun interface from systemd. With this available, the tun interface was created once the OpenVPN tunnel was set up.

The other issue was that traffic was still corrupted due to a mismatch of the now deprecated LZO compression options (deprecated due to the security risk associated with LZO compression). If the compression setting is not the same on both client and server, the tunnel is dropped. Some legacy options were necessary to get compatible compression on both sides (Server: Asymmetric, Compression legacy no-lzo; Client: comp-lzo no).

A more complete set of steps for both server and client follow below:

pfSense Server

This server is set up for TCP connections on port 443. Many public Wi-Fi providers block UDP and/or uncommon ports like 1194. Connections on port 443 are usually allowed, so running OpenVPN over TCP port 443 works there. Note that under high traffic such TCP-within-TCP tunnels are known to “melt down” and fail, so use UDP:1194 when possible.

  • Install Client Export tool on the server and follow general setup here:
    https://boredadmin.com/configure-opnevpnn-in-pfsense-and-export-client/
  • The items to check are listed below. In particular, the Compression options were causing problems.
    The recommended Data Encryption settings are now:
    • Data Encryption Algorithms
      • AES-256-GCM
      • AES-128-GCM
      • CHACHA20-POLY1305
    • Fallback Algorithms
      • AES-256-CBC
    • Auth Digest
      • SHA256
    • Allow Compression
      • Decompress incoming, Do not compress outgoing (Asymmetric)
    • Compression
      • No LZO compression (Legacy comp-lzo no)
        (This option was needed to work with OpenVPN 2.4.x on Ubuntu)
    • Push selected compression settings
    • Topology – Subnet
    • Verbosity = 6 (For debugging)

Export the Viscosity package

  • Choose “Legacy Client”
  • Bind, use a random source port
  • Export both the Viscosity bundle and the Viscosity in-line config to the laptop.

Ubuntu 20.04 client using TCP

To set up OpenVPN on Ubuntu 20.04 over TCP (to get around public Wi-Fi blocking UDP:1194):

  • Install with apt
    • openvpn
    • openvpn-systemd-resolved
    • uml-utilities (user mode utilities, contains tunctl)
  • Unzip the Viscosity bundle and edit config.conf
  • Restrict the key files to root:
    • chown root *.key
    • chmod 600 *.key
  • Insert the following items: the script-security line at the top, and the 5 lines beginning with comp-lzo no (through down-pre)
#-- Config Auto Generated By pfSense for Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name NewTCP443
script-security 3

dev tun
persist-tun
persist-key
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xx.xx.xx.xx 443 tcp-client
lport 0
verify-x509-name "domain.com" name
auth-user-pass
remote-cert-tls server
passtos
comp-lzo no
auth-nocache
# script from openvpn-systemd-resolved
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

ca ca.crt
tls-auth ta.key 1
cert cert.crt
key key.key

  • Run OpenVPN as root with the edited config:

cd /home/user/openvpn
openvpn --config config.conf --verb 6 --log ovpn.log

  • Inspect the log for errors / warnings to fix.
  • If the VPN comes up you should have a new “tun” interface and new routes; check with:
    • ip a
    • ip route show

Summary: The issues causing problems seem to have been:

  • Missing tunctl (to set up the tun network interface)
  • Old / misconfigured encryption algorithms not matching on client / server.
  • comp-lzo deprecated; the exact options above were the ones that allowed traffic to pass.
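As an added example (not from the post, and not pfSense or OpenVPN code): a small Python linter that parses an OpenVPN client config in the format shown above and flags the mismatches in the summary, so a drifted config can be caught before trying to connect. The two sample configs, the host 203.0.113.10 and the name vpn.example.net are constructed; the linter also warns on script-security above 2, since update-systemd-resolved only needs level 2 and level 3 lets passwords reach scripts through the environment.

```python
# Constructed sample in the layout of the post's Viscosity export (placeholder host and name).
GOOD_CONF = """\
#-- Config Auto Generated By pfSense for Viscosity --#
script-security 2
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA256
remote 203.0.113.10 443 tcp-client
verify-x509-name "vpn.example.net" name
remote-cert-tls server
comp-lzo no
auth-nocache
tls-auth ta.key 1
"""
# Constructed: a drifted client config of the kind the post started from (LZO still on).
OLD_CONF = "cipher AES-256-CBC\nauth SHA1\nremote 203.0.113.10 1194\ncomp-lzo yes\ntls-auth ta.key 1\n"

def parse_config(text: str) -> dict[str, list[str]]:
    """Map each directive to its argument list; '#'/';' lines are comments, later lines win."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            key, *args = line.split()
            conf[key] = args
    return conf

def lint(conf: dict[str, list[str]]) -> list[tuple[str, str]]:
    # Each finding is (directive, reason); an empty list means the config matches the post's server.
    f: list[tuple[str, str]] = []
    if "compress" in conf or conf.get("comp-lzo") != ["no"]:
        f.append(("compression", "expected 'comp-lzo no': server is legacy no-lzo, a mismatch drops the tunnel"))
    offered = conf.get("ncp-ciphers", [""])[0].split(":")
    if not any(c.endswith("-GCM") or c == "CHACHA20-POLY1305" for c in offered):
        f.append(("ncp-ciphers", "no AEAD cipher offered, negotiation would fall back to AES-256-CBC"))
    if conf.get("auth") != ["SHA256"]:
        f.append(("auth", "server digest is SHA256"))
    if conf.get("remote-cert-tls") != ["server"]:
        f.append(("remote-cert-tls", "any certificate issued by the CA would be accepted as the server"))
    if "verify-x509-name" not in conf:
        f.append(("verify-x509-name", "server certificate name is not pinned"))
    if conf.get("tls-auth", [])[1:2] != ["1"]:
        f.append(("tls-auth", "the client end of a tls-auth key uses direction 1"))
    if "auth-nocache" not in conf:
        f.append(("auth-nocache", "username and password would stay cached in memory"))
    if int(conf.get("script-security", ["1"])[0]) > 2:
        f.append(("script-security", "level 3 passes passwords to scripts via env; 2 is enough for update-systemd-resolved"))
    return f
```

Run `lint(parse_config(open("config.conf").read()))` against the edited config.conf; an empty list means it matches the server settings above.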

Connect with Network Manager

To connect with Network Manager instead of the command-line client:

  • Install with apt
    • network-manager-openvpn
    • network-manager-openvpn-gnome

Configure the OpenVPN settings (using the ca, cert, key and tls files stored in the directory above):

  • Identity Tab
    • Gateway: IP of OVPN server
    • Type: Password with Certificates (TLS)
    • Username
    • Password
    • CA Cert (ca file in ovpn dir)
    • User Cert (cert file in ovpn dir)
    • User private key (key file in ovpn dir)
    • User key password – blank
    • Advanced Options
      • Port 443
      • Use custom renegotiation interval: 0
      • Data compression: LZO disabled (legacy)
      • Use TCP connection YES
      • Set virtual device type: TUN, automatic
    • Security TAB
      • Cipher AES-256-GCM
    • TLS Auth Tab
      • Verify Peer (server) cert YES
      • Remote Peer: SERVER
      • Additional TLS
        • Mode: TLS-Auth
        • select ta.key (from directory )
        • Key direction: 1

Enable the VPN; its status shows as a small icon in the top right corner of the desktop.

Ubuntu 20.04 client using UDP ( Standard )

Using UDP is the standard and much more efficient, as it avoids TCP-within-TCP connections. If your outgoing UDP:1194 packets are not blocked, this is the way to go.

Create a new server on the OpenVPN server with the same options, only changing the port to UDP:1194.

Create a new client config with the port changed to UDP:1194.

Issues

Remaining issues:
