pfSense 2.5.0 upgrade broke my NordVPN gateway

Question

Ever since I upgraded to pfSense 2.5.0, my NordVPN interface does not work anymore. Traffic does not get routes to the NordVPN gateway, as pfSense reports it as "down" with 100% package loss. When checking "Status -> OpenVPN" the connection is reported as UP, but the gateway is DOWN. I don't understand how this is possible, but the log provides some clues, although I don't understand what goes wrong when reading the log.

OpenVPN Log (private IPs removed):

Feb 19 07:42:59 openvpn 79266   Initialization Sequence Completed
Feb 19 07:43:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:44:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:45:58 openvpn 79266   [nl852.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Feb 19 07:45:58 openvpn 79266   SIGUSR1[soft,ping-restart] received, process restarting
Feb 19 07:45:58 openvpn 79266   Restart pause, 10 second(s)
Feb 19 07:46:08 openvpn 79266   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 07:46:08 openvpn 79266   Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:08 openvpn 79266   Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:08 openvpn 79266   TCP/UDP: Preserving recently used remote address: [AF_INET]194.127.172.103:1194
Feb 19 07:46:08 openvpn 79266   Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb 19 07:46:08 openvpn 79266   UDPv4 link local (bound): [AF_INET]x.x.x.x:0
Feb 19 07:46:08 openvpn 79266   UDPv4 link remote: [AF_INET]y.y.y.y:1194
Feb 19 07:46:08 openvpn 79266   TLS: Initial packet from [AF_INET]y.y.y.y.z:1194, sid=2ce7940f f02613d1
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=0, unable to get certificate CRL: CN=nl852.nordvpn.com
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA5
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Feb 19 07:46:08 openvpn 79266   VERIFY KU OK
Feb 19 07:46:08 openvpn 79266   Validating certificate extended key usage
Feb 19 07:46:08 openvpn 79266   ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Feb 19 07:46:08 openvpn 79266   VERIFY EKU OK
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=0, CN=nl852.nordvpn.com
Feb 19 07:46:08 openvpn 79266   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Feb 19 07:46:08 openvpn 79266   WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Feb 19 07:46:08 openvpn 79266   Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Feb 19 07:46:08 openvpn 79266   [nl852.nordvpn.com] Peer Connection Initiated with [AF_INET]194.127.172.103:1194
Feb 19 07:46:09 openvpn 79266   SENT CONTROL [nl852.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 19 07:46:09 openvpn 79266   PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway z.z.z.z,topology subnet,ping 60,ping-restart 180,ifconfig g.g.g.g 255.255.255.0,peer-id 3'
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: timers and/or timeouts modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: explicit notify parm(s) modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: compression parms modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 19 07:46:09 openvpn 79266   Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --ifconfig/up options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: route options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: route-related options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: peer-id set
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: adjusting link_mtu to 1657
Feb 19 07:46:09 openvpn 79266   Using peer cipher 'AES-256-CBC'
Feb 19 07:46:09 openvpn 79266   Data Channel: using negotiated cipher 'AES-256-CBC'
Feb 19 07:46:09 openvpn 79266   Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 19 07:46:09 openvpn 79266   Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:09 openvpn 79266   Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 19 07:46:09 openvpn 79266   Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:09 openvpn 79266   Preserving previous TUN/TAP instance: ovpnc8
Feb 19 07:46:09 openvpn 79266   NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Feb 19 07:46:09 openvpn 79266   Closing TUN/TAP interface
Feb 19 07:46:09 openvpn 79266   /usr/local/sbin/ovpn-linkdown ovpnc8 1500 1637 a.b.c.d 255.255.255.0 init
Feb 19 07:46:10 openvpn 79266   ROUTE_GATEWAY a.b.c.d/255.255.254.0 IFACE=re0 HWADDR=00:e2:6c:68:07:be
Feb 19 07:46:10 openvpn 79266   TUN/TAP device ovpnc8 exists previously, keep at program end
Feb 19 07:46:10 openvpn 79266   TUN/TAP device /dev/tun8 opened
Feb 19 07:46:10 openvpn 79266   /sbin/ifconfig ovpnc8 x.x.x.x y.y.y.y mtu 1500 netmask 255.255.255.0 up
Feb 19 07:46:10 openvpn 79266   /sbin/route add -net x.x.x.x x.x.x.x 255.255.255.0
Feb 19 07:46:10 openvpn 79266   /usr/local/sbin/ovpn-linkup ovpnc8 1500 1637 x.x.x.x 255.255.255.0 init
Feb 19 07:46:10 openvpn 79266   Initialization Sequence Completed

And the gateway log:

Feb 19 04:16:02 dpinger 68141   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "NORDVPN_VPNV4 "
Feb 19 04:16:04 dpinger 68141   NORDVPN_VPNV4 x.x.x.x: Alarm latency 0us stddev 0us loss 100%
Feb 19 04:19:13 dpinger 16894   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "WAN_DHCP "
Feb 19 04:19:13 dpinger 17398   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "NORDVPN_VPNV4 "
Feb 19 04:19:15 dpinger 17398   NORDVPN_VPNV4 x.x.x.x: Alarm latency 0us stddev 0us loss 100%

In Firewall -> Rules -> LAN I adjusted the "default allow LAN to any rule" to the gateway "NordVPN". Outbound NAT is set to manual, with the top rule taking the LAN net as source and the NORDVPN interface.

Any help is appreciated. As said, the current configuration worked fine in 2.4.5 -- the latest release before upgrading to 2.5.0. I'm considering downgrading at this point.

score 6 · Accepted Answer · answered Feb 19 '21 at 14:12

6

Changed fallback DEA to AES-256-CBC from AES-256-GCM, and it's working fine

Go to VPN/OpenVPN/Client, and edit the setting "Fallback Data Encryption Algorithm"

answered Feb 19 '21 at 14:12

NDK

76
1

Confirmed this fixed my issue as well. – slm Feb 27 '21 at 13:59

score 3 · Answer 2 · edited Feb 27 '21 at 14:02

3

NordVPN has posted updated documentation for pfSense 2.5.0, titled: pfSense 2.5 Setup with NordVPN.

As @NDK has mentioned in their A'er the updated docs show that you need to change the Fallback Data Encryption Algorithm to AES-256-CBC.

edited Feb 27 '21 at 14:02

slm

15,396
12
109
124

answered Feb 24 '21 at 02:35

B. Doe

31
2

pfSense 2.5.0 upgrade broke my NordVPN gateway

2 Answers2