[pfsense] OpenVPN with IPVanish

Question



  • Woodski
  • Registered: March 2006
  • Last online: 20-08 12:34
I'm a total noob with pfSense and have been messing around for days trying to connect to IPVanish.
There is no working guide, so I went to work with the DD-WRT guide.

Server IP/Name: Choose a server from our server list and enter the address in this field
Port: use 1194 or 443
Tunnel Device: TUN
Tunnel Protocol: use UDP or TCP
Encryption Cipher: AES-256-CBC
Hash Algorithm: SHA256
User Pass Authentication: Enable
Username: Your IPVanish Username
Password: Your IPVanish Password
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
NAT: Enable

And then I went to work with the old guide (deliberately in a different order because of version differences):
https://forum.netgate.com...-ipvanish-updated-working

Imported the CA

Configured the client

Chose the opt1 interface

Enable AON (Advanced Outbound NAT)
This is where it goes wrong: I don't see an opt1

Then I get these error messages.
The error about no encryption comes later anyway, but this is where I get stuck:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Who can point me in the right direction here?

Apr 30 09:19:21 openvpn 3974 Restart pause, 10 second(s)
Apr 30 09:19:31 openvpn 3974 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 30 09:19:31 openvpn 3974 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 09:19:31 openvpn 3974 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 09:19:31 openvpn 3974 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 09:19:31 openvpn 3974 TCP/UDP: Preserving recently used remote address: [AF_INET]2.58.12.204:443
Apr 30 09:19:31 openvpn 3974 Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 30 09:19:31 openvpn 3974 UDPv4 link local (bound): [AF_INET]178.85.179.40:0
Apr 30 09:19:31 openvpn 3974 UDPv4 link remote: [AF_INET]2.58.12.204:443
Apr 30 09:19:31 openvpn 3974 TLS: Initial packet from [AF_INET]2.58.12.204:443, sid=3206032f 13dc9985
Apr 30 09:19:31 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]2.58.12.204:443
Apr 30 09:19:33 openvpn 3974 TLS: Initial packet from [AF_INET]2.58.12.204:443, sid=3206032f 13dc9985
Apr 30 09:19:33 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]2.58.12.204:443
Apr 30 09:19:37 openvpn 3974 TLS: Initial packet from [AF_INET]2.58.12.204:443, sid=3206032f 13dc9985
Apr 30 09:19:37 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]2.58.12.204:443
Apr 30 09:19:45 openvpn 3974 TLS: Initial packet from [AF_INET]2.58.12.204:443, sid=3206032f 13dc9985
Apr 30 09:19:45 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]2.58.12.204:443
Apr 30 09:20:01 openvpn 3974 TLS: Initial packet from [AF_INET]2.58.12.204:443, sid=3206032f 13dc9985
Apr 30 09:20:01 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]2.58.12.204:443
Apr 30 09:20:32 openvpn 3974 [UNDEF] Inactivity timeout (--ping-restart), restarting
Apr 30 09:20:32 openvpn 3974 SIGUSR1[soft,ping-restart] received, process restarting
Apr 30 09:20:32 openvpn 3974 Restart pause, 10 second(s)

All replies



  • nike
  • Registered: November 2000
  • Not online
I have it working with pfSense; here are some tips:

In pfSense, first import the CA, then create a client in OpenVPN:
- peer to peer
- UDP, IPv4
- tun - layer 3
- server port 443
- server host: I currently have sto-a11.ipvanish.com
- fill in your username and password
- no TLS key
- for the peer certificate, select the IPVanish CA
- allowed data encryption: I have AES-256-GCM / CBC
- fallback AES-256-CBC
- auth digest SHA-256

In pfSense, import the IPVanish CA in the cert manager.

Those were the main points.
Then you can make sure that, for example, your download PC is behind the VPN and the rest isn't.

And there is a lot of info here; just search for openvpn.

[ Edited 17% by nike on 30-04-2021 12:20. Reason: URL added ]


  • Woodski
  • Registered: March 2006
  • Last online: 20-08 12:34
@nike, that helps. I've turned the TLS key off and now I get a connection.
No data is getting through, so I'll have to think about firewalls etc., but at least it's one step further.

The same error message does keep coming back:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Now to go and watch that video :)

Apr 30 10:27:49 openvpn 37711 event_wait : Interrupted system call (code=4)
Apr 30 10:27:49 openvpn 37711 SIGTERM received, sending exit notification to peer
Apr 30 10:27:53 openvpn 18396 WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using "--allow-compression yes" is strongly discouraged for common usage. See --compress in the manual page for more information
Apr 30 10:27:53 openvpn 18396 WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Apr 30 10:27:53 openvpn 18396 OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 5 2021
Apr 30 10:27:53 openvpn 18396 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Apr 30 10:27:53 openvpn 18563 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Apr 30 10:27:53 openvpn 18563 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 30 10:27:53 openvpn 18563 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 30 10:27:53 openvpn 18563 WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Apr 30 10:27:53 openvpn 18563 TCP/UDP: Preserving recently used remote address: [AF_INET]2.58.12.204:443
Apr 30 10:27:53 openvpn 18563 Socket Buffers: R=[42080->42080] S=[57344->57344]
Apr 30 10:27:53 openvpn 18563 UDPv4 link local (bound): [AF_INET]178.85.xxx.40:0
Apr 30 10:27:53 openvpn 18563 UDPv4 link remote: [AF_INET]2.58.xxx.204:443
Apr 30 10:27:53 openvpn 18563 TLS: Initial packet from [AF_INET]2.58.xxx.204:443, sid=28d88xxx 580c9bac
Apr 30 10:27:53 openvpn 18563 VERIFY WARNING: depth=0, unable to get certificate CRL: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=ams-a33.ipvanish.com, emailAddress=support@ipvanish.com
Apr 30 10:27:53 openvpn 18563 VERIFY WARNING: depth=1, unable to get certificate CRL: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, emailAddress=support@ipvanish.com
Apr 30 10:27:53 openvpn 18563 VERIFY OK: depth=1, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, emailAddress=support@ipvanish.com
Apr 30 10:27:53 openvpn 18563 VERIFY OK: depth=0, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=ams-a33.ipvanish.com, emailAddress=support@ipvanish.com
Apr 30 10:27:53 openvpn 18563 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 30 10:27:53 openvpn 18563 [ams-a33.ipvanish.com] Peer Connection Initiated with [AF_INET]2.58.12.204:443
Apr 30 10:27:54 openvpn 18563 SENT CONTROL [ams-a33.ipvanish.com]: 'PUSH_REQUEST' (status=1)
Apr 30 10:27:54 openvpn 18563 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 493216,sndbuf 493216,explicit-exit-notify 5,comp-lzo no,route-gateway 172.21.xxx.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.21.xxx.88 255.255.254.0,peer-id 13'
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: timers and/or timeouts modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: explicit notify parm(s) modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: compression parms modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Apr 30 10:27:54 openvpn 18563 Socket Buffers: R=[42080->493216] S=[57344->493216]
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: --ifconfig/up options modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: route options modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: route-related options modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: peer-id set
Apr 30 10:27:54 openvpn 18563 OPTIONS IMPORT: adjusting link_mtu to 1625
Apr 30 10:27:54 openvpn 18563 Using peer cipher 'AES-256-CBC'
Apr 30 10:27:54 openvpn 18563 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 10:27:54 openvpn 18563 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 10:27:54 openvpn 18563 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 10:27:54 openvpn 18563 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 10:27:54 openvpn 18563 ROUTE_GATEWAY 178.85.xxx.1/255.255.255.0 IFACE=em1 HWADDR=d2:74:e6:4f:a6:dc
Apr 30 10:27:54 openvpn 18563 TUN/TAP device ovpnc1 exists previously, keep at program end
Apr 30 10:27:54 openvpn 18563 TUN/TAP device /dev/tun1 opened
Apr 30 10:27:54 openvpn 18563 /sbin/ifconfig ovpnc1 172.21.24.88 172.21.24.1 mtu 1500 netmask 255.255.254.0 up
Apr 30 10:27:54 openvpn 18563 /sbin/route add -net 172.21.xxx.0 172.xxx.24.1 255.255.254.0
Apr 30 10:27:54 openvpn 18563 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1625 172.21.xxx.88 255.255.254.0 init
Apr 30 10:27:54 openvpn 18563 /sbin/route add -net 2.58.xxx.204 178.xxx.179.1 255.255.255.255
Apr 30 10:27:54 openvpn 18563 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Apr 30 10:27:54 openvpn 18563 /sbin/route add -net 0.0.0.0 172.21.xxx.1 128.0.0.0
Apr 30 10:27:54 openvpn 18563 /sbin/route add -net 128.0.0.0 172.21.xxx.1 128.0.0.0
Apr 30 10:27:54 openvpn 18563 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 30 10:27:54 openvpn 18563 Initialization Sequence Completed
Apr 30 10:27:58 openvpn 18563 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Apr 30 10:27:58 openvpn 18563 MANAGEMENT: CMD 'state 1'
Apr 30 10:27:58 openvpn 18563 MANAGEMENT: CMD 'status 2'
Apr 30 10:27:58 openvpn 18563 MANAGEMENT: Client disconnected
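An added example, not code from this thread, pfSense or OpenVPN: a small triage script that reads pfSense OpenVPN client log lines like the ones in Woodski's two posts above and maps the security-relevant messages to what they mean and what to change. The first log shows the "cannot locate HMAC" failure (a TLS key configured on the client that the server does not use, which is what turning the TLS key off fixed), and both logs show the "No server certificate verification method" warning, which means the client accepts any certificate issued by the imported CA rather than the one for the server it expects. The sample log lines below are constructed for the example (message texts follow the thread, addresses and session ids are placeholders), and the advice strings are this example's own wording.

```python
import re
from collections import OrderedDict

# Constructed sample log lines, modelled on the messages in the thread's two
# pfSense OpenVPN client logs (addresses and session ids are placeholders).
SAMPLE_LOG = """\
Apr 30 09:19:31 openvpn 3974 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 30 09:19:31 openvpn 3974 TLS: Initial packet from [AF_INET]192.0.2.10:443, sid=deadbeef 01234567
Apr 30 09:19:31 openvpn 3974 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.10:443
Apr 30 09:20:32 openvpn 3974 [UNDEF] Inactivity timeout (--ping-restart), restarting
Apr 30 10:27:53 openvpn 18563 WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption.
Apr 30 10:27:53 openvpn 18563 VERIFY OK: depth=0, C=US, O=Example, CN=vpn-a1.example.net
Apr 30 10:27:54 openvpn 18563 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Apr 30 10:27:54 openvpn 18563 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 30 10:27:54 openvpn 18563 Initialization Sequence Completed
"""

# Each rule: (finding key, regex applied to the message part, advice for the admin).
RULES = [
    ("no_server_cert_verification",
     r"No server certificate verification method has been enabled",
     "Client does not pin the server identity; any certificate signed by the CA is accepted. "
     "Add 'verify-x509-name <server host> name' and/or 'remote-cert-tls server'."),
    ("tls_auth_mismatch",
     r"cannot locate HMAC in incoming packet",
     "A tls-auth/tls-crypt key is configured on the client but the server does not use one "
     "(or the key differs). Disable the TLS key on the client or use the matching key."),
    ("compression_enabled",
     r"WARNING: Compression for sending and receiving enabled",
     "Data-channel compression is on; compression-based attacks can leak plaintext. "
     "Prefer 'comp-lzo no' unless the provider requires compression."),
    ("route_add_failed",
     r"route add command failed",
     "A route could not be installed; check for a conflicting route, or use 'route-nopull' "
     "plus policy-routing firewall rules for selective routing."),
    ("password_cached",
     r"may cache passwords in memory",
     "Credentials stay in process memory; add 'auth-nocache' if the deployment allows it."),
    ("ping_restart",
     r"Inactivity timeout \(--ping-restart\)",
     "No traffic from the server within the ping-restart window; the handshake never completed."),
]

# pfSense log format: "<Mon> <day> <time> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn (?P<pid>\d+) (?P<msg>.*)$")


def parse_lines(text):
    """Split pfSense OpenVPN log text into (timestamp, pid, message) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), int(m.group("pid")), m.group("msg")))
    return out


def triage(text):
    """Return (findings, connected): findings maps rule key -> (first pid, count, advice)
    in order of first appearance; connected is True once the client logged
    'Initialization Sequence Completed'."""
    findings = OrderedDict()
    connected = False
    for _ts, pid, msg in parse_lines(text):
        if msg.startswith("Initialization Sequence Completed"):
            connected = True
        for key, pattern, advice in RULES:
            if re.search(pattern, msg):
                first_pid, count, _ = findings.get(key, (pid, 0, advice))
                findings[key] = (first_pid, count + 1, advice)
    return findings, connected


if __name__ == "__main__":
    found, ok = triage(SAMPLE_LOG)
    print("connected:", ok)
    for key, (pid, n, advice) in found.items():
        print(f"[{key}] pid={pid} x{n}: {advice}")
```

Paste the Status > System Logs > OpenVPN output into `SAMPLE_LOG` (or read it from a file) to run it against a real log; `connected` being True while `no_server_cert_verification` is still reported is exactly the situation in the second log above: the tunnel works, but the server identity is not being verified.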


  • nike
  • Registered: November 2000
  • Not online
For routing, your OPT interface and firewall rules I also have plenty of info.
All my info comes from lawrencesystems on YouTube. Search for openvpn there, then for example the video about PIA VPN.

This one:
YouTube: Setting up PIA VPN on pfSense for your whole network and Configuring...

And this is what I still have in the custom options of the OpenVPN client in pfSense:
code:
verify-x509-name sto-a11.ipvanish.com name
comp-lzo
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
route-nopull


The name in here must then be the same as the name you connect with.

[ Edited 67% by nike on 30-04-2021 13:03 ]
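An added example, not code from this thread or from pfSense: a lint function for the pfSense OpenVPN client's "Server host" field and "Custom options" box that checks the points nike's options touch on. It verifies that `verify-x509-name` matches the host you connect with (nike's rule above, and the setting that silences the "No server certificate verification method" warning), flags `comp-lzo` without `no` (the compression warning in the log above), flags `TLS-RSA-*` suites in `tls-cipher` (static RSA key exchange, no forward secrecy), and notes that `route-nopull` leaves routing to firewall policy rules. The hostname and option text are constructed for the example; the function and its messages are this example's own, not a pfSense feature.

```python
import shlex

# Constructed example of a pfSense OpenVPN client: the "Server host" field and the
# contents of the "Custom options" box, modelled on the options posted above.
# The hostname is a placeholder, not a real VPN server.
SERVER_HOST = "sto-a11.example-vpn.net"
CUSTOM_OPTIONS = """\
verify-x509-name sto-a11.example-vpn.net name
comp-lzo
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
route-nopull
"""


def parse_options(text):
    """Turn the custom-options text into a list of (directive, [args]) pairs,
    ignoring blank lines and '#' comments."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts.append((parts[0], parts[1:]))
    return opts


def lint_client(server_host, custom_options):
    """Return a list of (severity, message) tuples for the security-relevant directives."""
    by_name = {}
    for directive, args in parse_options(custom_options):
        by_name.setdefault(directive, []).append(args)
    findings = []

    # 1. Server identity pinning. Without verify-x509-name (or remote-cert-tls) the
    #    client accepts any certificate issued by the imported CA, which is what the
    #    "No server certificate verification method" warning in the log complains about.
    vx = by_name.get("verify-x509-name")
    if not vx:
        findings.append(("error", "no verify-x509-name: any cert from the CA is accepted"))
    else:
        args = vx[0]
        name = args[0] if args else ""
        kind = args[1] if len(args) > 1 else "subject"  # OpenVPN's default match type
        if kind == "name" and name != server_host:
            findings.append(("error", f"verify-x509-name '{name}' does not match server host '{server_host}'"))
        elif kind == "name-prefix" and not server_host.startswith(name):
            findings.append(("error", f"verify-x509-name prefix '{name}' does not match server host '{server_host}'"))

    # 2. Data-channel compression, which OpenVPN 2.5 itself warns about at startup.
    if "comp-lzo" in by_name and by_name["comp-lzo"][0] != ["no"]:
        findings.append(("warning", "comp-lzo enables compression; prefer 'comp-lzo no' unless the provider requires it"))

    # 3. Control-channel suites: TLS-RSA-* use static RSA key exchange, so a compromised
    #    server key would also expose recorded handshakes (no forward secrecy).
    for args in by_name.get("tls-cipher", []):
        suites = args[0].split(":") if args else []
        weak = [s for s in suites if s.startswith("TLS-RSA-")]
        if weak:
            findings.append(("warning", "tls-cipher allows suites without forward secrecy: " + ", ".join(weak)))

    # 4. route-nopull ignores the pushed default route, so traffic only uses the tunnel
    #    when firewall policy-routing rules send it there (the selective-routing setup).
    if "route-nopull" in by_name:
        findings.append(("info", "route-nopull: pushed routes ignored; selective routing needs policy-routing firewall rules"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_client(SERVER_HOST, CUSTOM_OPTIONS):
        print(f"{severity:7s} {message}")
```

Changing `SERVER_HOST` to a different server (as Woodski later did with AMS and STO servers) makes the first check fail, which is the mistake nike's note about the name warns against: with a `name`-type match the pinned name has to be updated together with the server host.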

-edit-


Acties:
  • 0 Henk 'm!

  • Woodski
  • Registered: March 2006
  • Last online: 20-08 12:34
@nike Wow, with your settings and a few PIA guides I managed it.
At first it kept not working until I rebooted the VM... After that it did :)

Your IP addresses
185.147.213.80
Sweden - Stockholm County

I'm very happy with that.
Now I want to split it up and add a kill switch etc., but the basics finally work.

Thanks!!


  • nike
  • Registered: November 2000
  • Not online
You're welcome. It helps when someone has the same settings.


  • Woodski
  • Registered: March 2006
  • Last online: 20-08 12:34
First I documented properly how it works with IPVanish.

And by now I've got quite far with the help of Lawrence's PIA videos.
Selective routing works (PC A to WAN, PC B to AMS and PC C to STO)
And there's a kill switch on it.

Completely happy now :)