pfSense 2.5.0 upgrade broke my NordVPN gateway

Since I upgraded to pfSense 2.5.0, my NordVPN interface no longer works. Traffic cannot get a route to the NordVPN gateway because pfSense reports it as "down" with 100% packet loss. When I check Status -> OpenVPN, the connection is reported as UP but the gateway is DOWN. I don't understand how this is possible, but the logs offer some clues, although I can't tell what is going wrong when I read them.

OpenVPN log (private IPs removed):

Feb 19 07:42:59 openvpn 79266   Initialization Sequence Completed
Feb 19 07:43:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:44:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:45:58 openvpn 79266   [nl852.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Feb 19 07:45:58 openvpn 79266   SIGUSR1[soft,ping-restart] received, process restarting
Feb 19 07:45:58 openvpn 79266   Restart pause, 10 second(s)
Feb 19 07:46:08 openvpn 79266   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 07:46:08 openvpn 79266   Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:08 openvpn 79266   Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:08 openvpn 79266   TCP/UDP: Preserving recently used remote address: [AF_INET]194.127.172.103:1194
Feb 19 07:46:08 openvpn 79266   Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb 19 07:46:08 openvpn 79266   UDPv4 link local (bound): [AF_INET]x.x.x.x:0
Feb 19 07:46:08 openvpn 79266   UDPv4 link remote: [AF_INET]y.y.y.y:1194
Feb 19 07:46:08 openvpn 79266   TLS: Initial packet from [AF_INET]y.y.y.y.z:1194, sid=2ce7940f f02613d1
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=0, unable to get certificate CRL: CN=nl852.nordvpn.com
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA5
Feb 19 07:46:08 openvpn 79266   VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Feb 19 07:46:08 openvpn 79266   VERIFY KU OK
Feb 19 07:46:08 openvpn 79266   Validating certificate extended key usage
Feb 19 07:46:08 openvpn 79266   ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Feb 19 07:46:08 openvpn 79266   VERIFY EKU OK
Feb 19 07:46:08 openvpn 79266   VERIFY OK: depth=0, CN=nl852.nordvpn.com
Feb 19 07:46:08 openvpn 79266   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Feb 19 07:46:08 openvpn 79266   WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Feb 19 07:46:08 openvpn 79266   Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Feb 19 07:46:08 openvpn 79266   [nl852.nordvpn.com] Peer Connection Initiated with [AF_INET]194.127.172.103:1194
Feb 19 07:46:09 openvpn 79266   SENT CONTROL [nl852.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 19 07:46:09 openvpn 79266   PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway z.z.z.z,topology subnet,ping 60,ping-restart 180,ifconfig g.g.g.g 255.255.255.0,peer-id 3'
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: timers and/or timeouts modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: explicit notify parm(s) modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: compression parms modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 19 07:46:09 openvpn 79266   Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --ifconfig/up options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: route options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: route-related options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: peer-id set
Feb 19 07:46:09 openvpn 79266   OPTIONS IMPORT: adjusting link_mtu to 1657
Feb 19 07:46:09 openvpn 79266   Using peer cipher 'AES-256-CBC'
Feb 19 07:46:09 openvpn 79266   Data Channel: using negotiated cipher 'AES-256-CBC'
Feb 19 07:46:09 openvpn 79266   Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 19 07:46:09 openvpn 79266   Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:09 openvpn 79266   Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 19 07:46:09 openvpn 79266   Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 07:46:09 openvpn 79266   Preserving previous TUN/TAP instance: ovpnc8
Feb 19 07:46:09 openvpn 79266   NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Feb 19 07:46:09 openvpn 79266   Closing TUN/TAP interface
Feb 19 07:46:09 openvpn 79266   /usr/local/sbin/ovpn-linkdown ovpnc8 1500 1637 a.b.c.d 255.255.255.0 init
Feb 19 07:46:10 openvpn 79266   ROUTE_GATEWAY a.b.c.d/255.255.254.0 IFACE=re0 HWADDR=00:e2:6c:68:07:be
Feb 19 07:46:10 openvpn 79266   TUN/TAP device ovpnc8 exists previously, keep at program end
Feb 19 07:46:10 openvpn 79266   TUN/TAP device /dev/tun8 opened
Feb 19 07:46:10 openvpn 79266   /sbin/ifconfig ovpnc8 x.x.x.x y.y.y.y mtu 1500 netmask 255.255.255.0 up
Feb 19 07:46:10 openvpn 79266   /sbin/route add -net x.x.x.x x.x.x.x 255.255.255.0
Feb 19 07:46:10 openvpn 79266   /usr/local/sbin/ovpn-linkup ovpnc8 1500 1637 x.x.x.x 255.255.255.0 init
Feb 19 07:46:10 openvpn 79266   Initialization Sequence Completed

And the gateway log:

Feb 19 04:16:02 dpinger 68141   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "NORDVPN_VPNV4 "
Feb 19 04:16:04 dpinger 68141   NORDVPN_VPNV4 x.x.x.x: Alarm latency 0us stddev 0us loss 100%
Feb 19 04:19:13 dpinger 16894   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "WAN_DHCP "
Feb 19 04:19:13 dpinger 17398   send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x.x.x bind_addr x.x.x.x identifier "NORDVPN_VPNV4 "
Feb 19 04:19:15 dpinger 17398   NORDVPN_VPNV4 x.x.x.x: Alarm latency 0us stddev 0us loss 100%

In Firewall -> Rules -> LAN, I changed the "Default allow LAN to any" rule to use the gateway "NordVPN". Outbound NAT is set to manual, with the top rule using the LAN network as source and the NORDVPN interface.

Any help is appreciated. As mentioned, the current configuration worked fine in 2.4.5, the latest version before the 2.5.0 upgrade. I am considering downgrading.

Changed the fallback DEA (Data Encryption Algorithm) from AES-256-GCM to AES-256-CBC, and it works fine.

Go to VPN/OpenVPN/Client and edit the setting "Fallback Data Encryption Algorithm".

NordVPN has published updated documentation for pfSense 2.5.0, titled: pfSense 2.5 Setup with NordVPN

As @NDK mentioned in their answer, the updated documentation shows you need to change the Fallback Data Encryption Algorithm to AES-256-CBC.
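The telling lines in the question's OpenVPN log are the repeated "Authenticate/Decrypt packet error: missing authentication info" entries, the warning "'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'", and the dpinger alarm showing 100% loss on NORDVPN_VPNV4 while the control channel keeps reporting "Initialization Sequence Completed". Together they describe a tunnel that negotiates fine but whose data packets are rejected, which is exactly the symptom the answers fix by changing the Fallback Data Encryption Algorithm. The following script is an added example, not code from the thread, pfSense or NordVPN: it parses log lines in the same format as the excerpts above (the sample lines are constructed to mirror them, with addresses redacted as on the page), counts the relevant events and produces a short triage verdict that points at the data-channel cipher/auth settings. The regular expressions and the verdict wording are my own assumptions about the log format, not an OpenVPN API.

```python
import re
from collections import Counter

# Constructed sample lines mirroring the thread's OpenVPN and dpinger excerpts.
SAMPLE_LOG = """\
Feb 19 07:42:59 openvpn 79266   Initialization Sequence Completed
Feb 19 07:43:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:44:58 openvpn 79266   Authenticate/Decrypt packet error: missing authentication info
Feb 19 07:45:58 openvpn 79266   [nl852.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Feb 19 07:46:08 openvpn 79266   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Feb 19 07:46:08 openvpn 79266   WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Feb 19 07:46:09 openvpn 79266   Data Channel: using negotiated cipher 'AES-256-CBC'
Feb 19 07:46:10 openvpn 79266   Initialization Sequence Completed
Feb 19 04:16:04 dpinger 68141   NORDVPN_VPNV4 x.x.x.x: Alarm latency 0us stddev 0us loss 100%
"""

# Assumed line layout: "<Mon> <day> <hh:mm:ss> <process> <pid>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<proc>\w+) (?P<pid>\d+)\s+(?P<msg>.*)$"
)
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
CIPHER_RE = re.compile(r"Data Channel: using negotiated cipher '(?P<cipher>[^']+)'")
LOSS_RE = re.compile(r"(?P<gw>\S+) \S+: Alarm .*loss (?P<loss>\d+)%")


def parse_line(line):
    """Split one log line into (process, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("proc"), m.group("msg")


def analyse(log_text):
    """Summarise OpenVPN/dpinger lines and derive a triage verdict."""
    counts = Counter()
    inconsistent = {}        # option -> (local value, remote value)
    gateway_loss = {}        # dpinger identifier -> worst loss seen
    negotiated_cipher = None

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        proc, msg = parsed
        if proc == "openvpn":
            if msg.startswith("Authenticate/Decrypt packet error"):
                counts["decrypt_errors"] += 1
            elif "Inactivity timeout" in msg and "ping-restart" in msg:
                counts["ping_restarts"] += 1
            elif msg.startswith("Initialization Sequence Completed"):
                counts["init_completed"] += 1
            m = INCONSISTENT_RE.search(msg)
            if m:
                inconsistent[m.group("opt")] = (m.group("local"), m.group("remote"))
            m = CIPHER_RE.search(msg)
            if m:
                negotiated_cipher = m.group("cipher")
        elif proc == "dpinger":
            m = LOSS_RE.search(msg)
            if m:
                gw, loss = m.group("gw"), int(m.group("loss"))
                gateway_loss[gw] = max(loss, gateway_loss.get(gw, 0))

    verdict = []
    auth = inconsistent.get("auth")
    if auth and "null-digest" in auth[0] and counts["decrypt_errors"]:
        verdict.append(
            "data-channel HMAC mismatch: local %s vs remote %s while packets fail "
            "authentication; check the client's fallback/data cipher against the "
            "negotiated cipher %s" % (auth[0], auth[1], negotiated_cipher)
        )
    if counts["init_completed"] and any(v >= 100 for v in gateway_loss.values()):
        verdict.append(
            "control channel completes but gateway monitor sees 100%% loss: "
            "tunnel is up, data is not passing (%s)" % ", ".join(sorted(gateway_loss))
        )

    return {
        "decrypt_errors": counts["decrypt_errors"],
        "ping_restarts": counts["ping_restarts"],
        "inconsistent": inconsistent,
        "negotiated_cipher": negotiated_cipher,
        "gateway_loss": gateway_loss,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in analyse(SAMPLE_LOG)["verdict"]:
        print("-", line)
```

Run it against a copy of the real log from Status -> System Logs -> OpenVPN and the Gateways log; a verdict mentioning the HMAC mismatch is the cue to look at the "Fallback Data Encryption Algorithm" setting described in the answers, rather than at routing or NAT.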