Solved Can't connect to openvpn

Hello everybody, I want to connect to an openvpn client with a .ovpn profile as follows:

sudo openvpn ~/Downloads/openvpn_servers.ovpn

I get the following messages and everything seems fine but openvpn does not work and I can't open the websites blocked by the government (There is no problem in android):

Code:
2023-03-12 18:14:34 Unrecognized option or missing or extra parameter(s) in /home/hbsd/Downloads/openvpn_servers.ovpn:14: block-outside-dns (2.6_rc2)
2023-03-12 18:14:34 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-03-12 18:14:34 OpenVPN 2.6_rc2 [git:480ad2a84e2983e8a1b61d537cf82da5c5141853] amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 20 2023
2023-03-12 18:14:34 library versions: OpenSSL 1.1.1o-freebsd  3 May 2022, LZO 2.10
Enter Auth Username:myusername
Enter Auth Password:
2023-03-12 18:14:55 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-03-12 18:14:55 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-03-12 18:14:55 TCP/UDP: Preserving recently used remote address: [AF_INET]185.97.117.224:80
2023-03-12 18:14:55 Socket Buffers: R=[65536->65536] S=[32768->32768]
2023-03-12 18:14:55 Attempting to establish TCP connection with [AF_INET]185.97.117.224:80
2023-03-12 18:14:55 TCP connection established with [AF_INET]185.97.117.224:80
2023-03-12 18:14:55 TCPv4_CLIENT link local: (not bound)
2023-03-12 18:14:55 TCPv4_CLIENT link remote: [AF_INET]185.97.117.224:80
2023-03-12 18:14:55 TLS: Initial packet from [AF_INET]185.97.117.224:80, sid=076d5e6d eb8688e3
2023-03-12 18:14:55 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-03-12 18:14:55 VERIFY OK: depth=1, CN=ChangeMe
2023-03-12 18:14:55 VERIFY KU OK
2023-03-12 18:14:55 Validating certificate extended key usage
2023-03-12 18:14:55 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-12 18:14:55 VERIFY EKU OK
2023-03-12 18:14:55 VERIFY OK: depth=0, CN=server
2023-03-12 18:14:56 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-03-12 18:14:56 [server] Peer Connection Initiated with [AF_INET]185.97.117.224:80
2023-03-12 18:14:56 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-12 18:14:56 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-12 18:14:57 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-03-12 18:14:57 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.114 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-03-12 18:14:57 OPTIONS IMPORT: timers and/or timeouts modified
2023-03-12 18:14:57 OPTIONS IMPORT: --ifconfig/up options modified
2023-03-12 18:14:57 OPTIONS IMPORT: route options modified
2023-03-12 18:14:57 OPTIONS IMPORT: route-related options modified
2023-03-12 18:14:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-03-12 18:14:57 OPTIONS IMPORT: peer-id set
2023-03-12 18:14:57 OPTIONS IMPORT: data channel crypto options modified
2023-03-12 18:14:57 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=re0 HWADDR=40:8d:5c:a4:33:76
2023-03-12 18:14:57 TUN/TAP device /dev/tun0 opened
2023-03-12 18:14:57 /sbin/ifconfig tun0 10.8.0.114/24 mtu 1500 up
2023-03-12 18:14:57 /sbin/route add -net 185.97.117.224 192.168.1.1 255.255.255.255
add net 185.97.117.224: gateway 192.168.1.1
2023-03-12 18:14:57 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.1
2023-03-12 18:14:57 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.1
2023-03-12 18:14:57 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-03-12 18:14:57 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-12 18:14:57 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-12 18:14:57 Initialization Sequence Completed

What do you suggest? Thanks.
 
can you reach any host thru the vpn ?
Yes. It works exactly the same as when I don't use vpn. For example, I can open this site or search engines etc., but I can't open filtered sites like YouTube.
 
I attached log files from openvpn on my android phone. I'm connected to Netherlands servers and the speed is good and all blocked sites are opened quickly (in my phone).
 

Attachments

  • ICS_OpenVPN_log_file.txt
In the description of this VPN, it's said that Irancell/Rightel SIM cards should be used to connect to this service. I have both and tried both but nothing changed.
Unfortunately, almost always the support services do not have any information about FreeBSD. Please let me know if you have any suggestions. I really need a VPN service...
 
look at netstat -rn after connection
also you can traceroute
also make sure you have no proxy set
Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.0.1           UGS        tun0
default            192.168.1.1        UGS         re0
10.8.0.0/24        link#3             U          tun0
10.8.0.19          link#3             UHS         lo0
127.0.0.1          link#2             UH          lo0
128.0.0.0/1        10.8.0.1           UGS        tun0
185.97.117.224     192.168.1.1        UGHS        re0
192.168.1.0/24     link#1             U           re0
192.168.1.102      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
 
openvpn stuff is ok,route ok
are you sure that 185.97.117.224 should work with youtube, etc ?
the ip looks located in iran or close by
 
Yes. I use exactly the same profiles on my phone and YouTube videos open quickly.
 
does the config file contain an ip address for the server or a fqdn ?
if it is a hostname (fqdn) it may resolve to different things in bsd/android
navigate from android to a site like whatmyip.com and try to use that ip in freebsd in openvpn.conf
if its an ip on android too, then i don't know, probably the server has some fingerprinting and allows connections from one device and not the other / no idea
 
I just took these screenshots from my phone with exactly the same openvpn config files.

Screenshot_2023-03-13-00-07-43-851_de.blinkt.openvpn.jpg

Screenshot_2023-03-13-00-08-41-034_lockscreen.jpg


and now YouTube...
Screenshot_2023-03-13-00-09-39-310_com.google.android.youtube.jpg
 
does the config file contain an ip address for the server or a fqdn ?
It contains a full domain name not an ip address.

if its an ip on android too, then i don't know, probably the server has some fingerprinting and allows connections from one device and not the other / no idea
This account allows me to connect to two devices at the same time. I even connected as a single connection, but it didn't help. I even used it on two Android devices at the same time and there was no problem.
 
Dear covacat, sometimes (like right now that I don't have a vpn!) I use a crap, stupid tool called shecan (developed by the government!). In fact, it's an anti-sanction and it only opens sites that have banned our country, but it works without problems. But I'm never able to start a vpn on my system. I bought a cisco vpn account but the sellers gave me a server with an http (not https or without ssl/tls certificate) account and unfortunately openconnect is not able to connect to a non-secure http. (However, they closed that account very soon!)
Thank you so much for your help. Please help me if you come up with a solution to my vpn problem, thanks.
 
try this with and without vpn connected
curl https://ifconfig.io/
Weird! with VPN my ip is Amsterdam, Noord-holland, Netherlands (1101)
and without VPN my ip is Tehran, Iran (10000)
I checked ifconfig.io and searched on duckduckgo.com "what is my ip"
P.S. I didn't send the IP address of my system due to security issues...
 
When I use VPN, like always I can open non blocked sites, like:
wikipedia, freebsd, amazon, ...
but filtered sites will never open, like:
youtube, instagram, facebook , twitter, whatsapp, ...
 
Try a traceroute.
(VPN is on now)

freebsd.org:
Code:
$ traceroute freebsd.org
traceroute to freebsd.org (96.47.72.84), 64 hops max, 40 byte packets
 1  10.8.0.1 (10.8.0.1)  122.458 ms  119.974 ms  128.004 ms
 2  * * *
 3  100.100.100.1 (100.100.100.1)  113.698 ms  119.233 ms  118.819 ms
 4  10.72.3.81 (10.72.3.81)  125.929 ms
    10.72.3.85 (10.72.3.85)  139.458 ms
    10.72.3.81 (10.72.3.81)  524.008 ms
 5  10.72.2.5 (10.72.2.5)  127.935 ms
    10.72.0.157 (10.72.0.157)  123.918 ms
    10.72.1.157 (10.72.1.157)  131.993 ms
 6  10.72.2.1 (10.72.2.1)  399.965 ms
    ae0-1452.cr4-ams2.ip4.gtt.net (154.14.36.77)  115.970 ms  123.950 ms
 7  ae4.cr2-nyc2.ip4.gtt.net (89.149.129.214)  232.032 ms  199.926 ms  200.021 ms
 8  ip4.gtt.net (74.199.181.98)  200.000 ms
    ae4.cr2-nyc2.ip4.gtt.net (89.149.129.214)  239.941 ms  239.970 ms
 9  ip4.gtt.net (74.199.181.98)  203.989 ms  211.974 ms
    cs78.cs40.60hudson.nyinternet.net (64.147.115.17)  191.977 ms
10  cs78.cs40.60hudson.nyinternet.net (64.147.115.17)  191.979 ms
    96.47.65.81.static.nyinternet.net (96.47.65.81)  199.949 ms  232.002 ms
11  96.47.65.81.static.nyinternet.net (96.47.65.81)  199.979 ms  199.969 ms  200.031 ms
12  cs80.cs89new.v.ewr.nyinternet.net (96.47.77.158)  199.980 ms
    96.47.66.42.static.nyinternet.net (96.47.66.42)  222.251 ms  199.926 ms
13  wfe0.nyi.freebsd.org (96.47.72.84)  200.024 ms
    96.47.66.42.static.nyinternet.net (96.47.66.42)  603.917 ms  343.932 ms


youtube.com:
Code:
traceroute youtube.com
traceroute to youtube.com (10.10.34.35), 64 hops max, 40 byte packets
 1  10.8.0.1 (10.8.0.1)  156.006 ms  155.242 ms  116.512 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * *

Also make sure ipv6 is not becoming involved.
My ipv6 is disabled.
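
Two details in the output posted in this thread can be checked mechanically: the server pushes `dhcp-option DNS` entries, which OpenVPN on Unix-like systems only hands to an `--up` script rather than writing into `/etc/resolv.conf` itself, and `youtube.com` resolved to 10.10.34.35, a private address, so the name lookup was answered before the tunnel routing mattered. The script below is an added example, not code from any poster; the `resolv.conf` content is a constructed sample and the function names are hypothetical.

```python
import ipaddress
import re

# PUSH_REPLY line copied from the OpenVPN log posted in this thread.
LOG_LINE = (
    "2023-03-12 18:14:57 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,"
    "dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,"
    "ping 10,ping-restart 120,ifconfig 10.8.0.114 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM'")
# Constructed sample (assumption): resolv.conf still pointing at the LAN router.
RESOLV_CONF = "search lan\nnameserver 192.168.1.1\n"
# Header line copied from the youtube.com traceroute posted in this thread.
TRACEROUTE_HEADER = "traceroute to youtube.com (10.10.34.35), 64 hops max, 40 byte packets"

def pushed_dns(log_text):
    """Return the DNS servers the VPN server pushed via 'dhcp-option DNS'."""
    servers = []
    for m in re.finditer(r"PUSH_REPLY,([^']*)'", log_text):
        for opt in m.group(1).split(","):
            parts = opt.split()
            if parts[:2] == ["dhcp-option", "DNS"] and len(parts) == 3:
                servers.append(parts[2])
    return servers

def active_resolvers(resolv_text):
    """Return the nameserver entries of a resolv.conf, ignoring comments."""
    out = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out

def diagnose(log_text, resolv_text, traceroute_header):
    """Flag pushed resolvers that are not in use and non-public DNS answers."""
    findings = []
    active = active_resolvers(resolv_text)
    unused = [s for s in pushed_dns(log_text) if s not in active]
    if unused:
        findings.append("pushed DNS not in resolv.conf: " + ", ".join(unused))
    m = re.match(r"traceroute to (\S+) \(([^)]+)\)", traceroute_header)
    if m and not ipaddress.ip_address(m.group(2)).is_global:
        findings.append(f"{m.group(1)} resolved to non-public address {m.group(2)}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(LOG_LINE, RESOLV_CONF, TRACEROUTE_HEADER):
        print("WARNING:", finding)
```

On a live system, feed it the real OpenVPN log, the contents of `/etc/resolv.conf` read while the tunnel is up, and the first line of a traceroute to the affected site.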
 
Dear friends, I bought a Cisco VPN from another website. After my repeated calls they upgraded http server to https (because openconnect doesn't work without SSL/TLS certification) so now I can connect with security/openconnect.
Now I can open all sites at high speed 😁😍. Thank you very much for all your help. I'm crazy about FreeBSD and this society! 🌹🌹🌹

2023-03-13-170220_1024x768_scrot.png
 