Is the guide for PIA on PFsense (link) outdated and is there a newer guide? All my searches are from 3-5 years ago.
My logs show "TLS Error: cannot locate HMAC in incoming packet from"
The VPN is in a status of waiting for peer or reconnecting.
I've tried using the guide twice with no luck.
Do you have the OpenVPN configuration file? You can go through that and make sure everything is set correctly in the GUI. Likely they have changed a key or cipher since that guide was written.
Using the guide I attempted a few of the basic us.ovpn files.
The guide is designed for 2.6, but the latest version is 2.7. Some of the TLS options have changed, but I don't know how to translate them.
If you can post the .ovpn file I'll work out the pfSense config.
If I extrapolate from my config experience with another VPN vendor, I'd wager with confidence that the config is not compatible anymore and you'd have to redo some configs manually.
Yeah, it's usually a good idea to ignore the specific settings used in the guide and get the settings from a current config file; they don't always update the guides to reflect changes to the server config. I doubt they're still using SHA160, for example.
Posting us_west as a txt file as an example.
us_west.txt (3.1 KB)
Which options have changed in 2.7? It's looking pretty similar to me. I would suggest using the strong configuration, as it's possible that pfSense just won't let you use SHA1 anymore. Also, in the allowed data encryption algorithms list, have both the CBC and GCM versions of the cipher from the config file; for the fallback encryption algorithm, use what's in the config file.
Set the verbosity to 4 and try starting it again; if it doesn't work again you may get some more detail in the logs. Possibly unchecking "Enforce key usage" under Server Certificate Key Usage Validation may get it to work.
@PlusFramesOnBlock I think you have two options.
#1 Contact PIA support to confirm their guide / OpenVPN configuration has not changed.
#2 Post screenshots of your OpenVPN settings for us.
Enjoy the holiday and I'll reach out in the meantime.
I'll change the verbosity and consider the options; I'll look through the XML and see if I can post that, or spin up a new instance and troubleshoot from that. Thanks so far.
Screenshots will work fine
Is that a PIA TLS key? Because it wasn't in the config file.
It appears to be auto-generated when "Use a TLS Key" is selected.
Thanks, it works; I was following where you were going next.
Do I need the TLS? It's in the config in question.
Do I assume it's covered by the custom option
remote-cert-tls server
The logs are showing tls_pre_encrypt: key_id
For future clarification:
Deselect "Use TLS Key" or the auto-generate?
To answer my own question: if auto-generate is selected and no key is provided, the following error will appear.
It's unchecked in the config. The TLS key is a pre-shared key used to authenticate the control channel; both the client and server need to use the same key, so if they don't give you a key then you can't try to connect with one.
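The advice in this thread to take the settings from a current .ovpn file rather than the guide, and the explanation just above of why a TLS key the server does not have breaks the control channel, can both be mechanised. The following is an added example written for this page, not code from the thread, PIA or pfSense: it parses a constructed .ovpn sample (loosely modeled on a provider file, not PIA's real one; the hostname, port and inline CA are placeholders) into the values a pfSense OpenVPN client form asks for, reports whether "Use a TLS Key" should be checked, and maps the "cannot locate HMAC" log line to the TLS-key mismatch discussed here. The pfSense field names used as dictionary keys are my own labels, not the exact GUI labels.

```python
"""Translate an OpenVPN client .ovpn into pfSense OpenVPN client settings
and flag the TLS-key mistake discussed in the thread.  Added example."""
import re

# Constructed sample .ovpn; placeholders only, not a real provider file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example-provider.net 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
verb 1
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Log substrings -> what they mean for the pfSense client config (assumed labels).
LOG_HINTS = {
    "cannot locate HMAC in incoming packet":
        "TLS key mismatch: the client has a tls-auth/tls-crypt key the server "
        "does not use (or vice versa). Make 'Use a TLS Key' match the .ovpn.",
}


def parse_ovpn(text):
    """Return (directives, blocks): directives maps name -> list of arg lists
    (a directive like 'remote' may repeat); blocks maps <tag> name -> body."""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            if tag.group(1):                      # closing tag: store block
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:                                 # opening tag: start block
                current, body = tag.group(2), []
            continue
        if current is not None:
            body.append(line)
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks


def pfsense_settings(text):
    """Map .ovpn directives onto pfSense OpenVPN client form values."""
    d, blocks = parse_ovpn(text)
    remote = d.get("remote", [[]])[0]
    cipher = d["cipher"][0][0].upper() if "cipher" in d else None
    # Thread advice: allow both the CBC and GCM variant, fall back to the file's cipher.
    data_ciphers = [cipher]
    if cipher and cipher.endswith("-CBC"):
        data_ciphers.append(cipher.replace("-CBC", "-GCM"))
    # A TLS key is only valid if the provider shipped one (file path or inline block).
    has_tls_key = any(k in d or k in blocks for k in ("tls-auth", "tls-crypt"))
    settings = {
        "server_host": remote[0] if remote else None,
        "server_port": int(remote[1]) if len(remote) > 1 else 1194,
        "protocol": d.get("proto", [["udp"]])[0][0].upper(),
        "data_ciphers": data_ciphers,
        "fallback_cipher": cipher,
        "auth_digest": d.get("auth", [["SHA1"]])[0][0].upper(),
        "use_tls_key": has_tls_key,
        "inline_ca_present": "ca" in blocks,
        "custom_options": ["remote-cert-tls server"] if "remote-cert-tls" in d else [],
        "warnings": [],
    }
    if not has_tls_key:
        settings["warnings"].append(
            "No tls-auth/tls-crypt key in the file: uncheck 'Use a TLS Key'; "
            "an auto-generated key will never match the server's.")
    if settings["auth_digest"] == "SHA1":
        settings["warnings"].append(
            "auth sha1: the thread notes pfSense may refuse it; prefer the "
            "provider's strong config if one exists.")
    return settings


def diagnose_log(line):
    """Return a hint for a known OpenVPN client log line, else None."""
    return next((hint for key, hint in LOG_HINTS.items() if key in line), None)


if __name__ == "__main__":
    for key, value in pfsense_settings(SAMPLE_OVPN).items():
        print(f"{key}: {value}")
    print(diagnose_log("TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:1198"))
```

Run it against the real us_west file instead of the sample to get the values to type into the GUI; the one setting the parser cannot decide for you is the key usage enforcement checkbox, which stays a manual choice.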
Thanks again, I see the mistake now.
"8. The checkbox for Use a TLS key will be checked by default; uncheck this."
I read the green box as "select here" rather than "do this".