peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

PureVpn device issue #128

Closed x0zerocool0x closed 1 year ago

x0zerocool0x commented 2 years ago

I have been unsuccessful in getting PureVPN to work. It doesn't seem like the VPN is connecting or the routes are being created.

Below is what I keep getting.

ip addr show dev vti256

Device "vti256" does not exist.

Below is my vpn.conf

### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br2"
FORCED_SOURCE_IPV4="192.168.0.0/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# Do not enable this unless you want to force UDM local traffic through the VPN.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
# This option might cause unintended problems, so disable it if you encounter any issues.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# Enable NAT hairpin by exempting UBIOS_ADDRv4_ethX:dst for IPv4 or
# UBIOS_ADDRv6_ethX:dst for IPv6 (where X = 8 for RJ45, or 9 for SFP+ WAN).
# For IPv6 prefix delegation, exempt UBIOS_ADDRv6_brX, where X = VLAN number (0 = LAN).
#
# To allow communication with your VLAN subnets without hardcoding the subnets,
# exempt the UBIOS_NETv4_brX:dst ipset for IPv4 or UBIOS_NETv6_brX:dst for IPv6.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS=""

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="DHCP"
DNS_IPV4_PORT=53
# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE=""

# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
#VPN_ENDPOINT_IPV4=""
#VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="auto"

# Set the MSS clamping on packets going out the VPN tunnel. Usually, it is not needed to
# set this manually, but some VPN connections stall if the MSS clamping is not set correctly.
# Typical values range from 1240 to 1460, but it could be lower.
MSS_CLAMPING_IPV4="1240"
MSS_CLAMPING_IPV6=""

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=vti256

# To execute commands when the VPN connects or disconnects, you can use the
# callback functions hooks_pre_up, hooks_up, hooks_down, and
# hooks_force_down. These functions will be invoked in response to VPN events
# pre-up, up, down, and force-down respectively.
#
# For an example on using these hooks, please see vpn.conf.filled.sample.

Here is an output from the logs:

Oct 12 19:05:07 10[CFG] <purevpn|14>   ocsp response correctly signed by "C=GB, O=Sectigo Limited, CN=OCSP Signer"
Oct 12 19:05:07 10[CFG] <purevpn|14>   ocsp response is valid: until Oct 16 08:47:37 2022
Oct 12 19:05:07 10[CFG] <purevpn|14>   using cached ocsp response
Oct 12 19:05:07 10[CFG] <purevpn|14> certificate status is good
Oct 12 19:05:07 10[CFG] <purevpn|14> certificate policy 1.3.6.1.4.1.6449.1.2.2.7 for 'CN=*.pointtoserver.com' not allowed by trustchain, ignored
Oct 12 19:05:07 10[CFG] <purevpn|14> certificate policy 2.23.140.1.2.1 for 'CN=*.pointtoserver.com' not allowed by trustchain, ignored
Oct 12 19:05:07 10[CFG] <purevpn|14>   reached self-signed root ca with a path length of 1
Oct 12 19:05:07 10[IKE] <purevpn|14> authentication of 'CN=*.pointtoserver.com' with RSA signature successful
Oct 12 19:05:07 10[IKE] <purevpn|14> server requested EAP_IDENTITY (id 0x00), sending 'purevpn0d1178649'
Oct 12 19:05:07 10[ENC] <purevpn|14> generating IKE_AUTH request 2 [ EAP/RES/ID ]
Oct 12 19:05:07 10[NET] <purevpn|14> sending packet: from xxx.xxx.xxx[xxxx] to xxx.xxx.xxx[xxxx] (84 bytes)
Oct 12 19:05:07 11[NET] <purevpn|14> received packet: from xxx.xxx.xxx[xxxx] to xxx.xxx.xxx[xxxx] (68 bytes)
Oct 12 19:05:07 11[ENC] <purevpn|14> parsed IKE_AUTH response 2 [ N(MS_STATUS(812)) ]
Oct 12 19:05:07 11[IKE] <purevpn|14> received MS_NOTIFY_STATUS notify error

peacey commented 2 years ago

Hi @x0zerocool0x ,

Sorry for the late reply, I've been a bit busy. Can you tell me which PureVPN server you're trying to connect to? Can you also show me your PureVPN config file with your user/pass removed? Thanks!

x0zerocool0x commented 2 years ago

Here's the config file. I did opt for the static IP option with PureVPN, not sure if that's what is causing the issues or not.

connections {
    purevpn {
        remote_addrs = us-ded-40.pointtoserver.com
        rekey_time = 4h
        reauth_time = 0s
        dpd_delay = 30s
        local_addrs = %any
        vips = 0.0.0.0
        send_cert = never
        send_certreq = no
        proposals = 3des-sha1-modp1024
        children {
            purevpn {
                start_action = start
                dpd_action = start
                close_action = start
                esp_proposals = 3des-sha1
                local_ts = dynamic
                remote_ts = 0.0.0.0/0
                mark_in = %unique
                mark_out = %unique
                updown = /etc/split-vpn/vpn/strongswan-updown.sh /etc/split-vpn/strongswan/purevpn/v
            }
        }
        local-0 {
            auth = eap-mschapv2
            id = #########
            eap_id = ##############
        }
        remote-0 {
            auth = pubkey
            cacerts = /etc/split-vpn/strongswan/purevpn/USERTrustRSACertificationAuthority.crt
        }
    }
}
pools {
}
authorities {
}
secrets {
    eap-########### {
        secret = "######"
        id-0=############

peacey commented 2 years ago

Are you sure your username is correct? I believe the error you're getting is indicating something is wrong with authentication. Please double-check your username in all 4 locations in the purevpn.conf file (the username might be missing a number at the end?).

I'm using the exact same configuration and it's working here (also dedicated server with static IP). If I put an incorrect username, it will give me the same error as you (received MS_NOTIFY_STATUS notify error).
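
The "four locations" check above, as an added example that is not part of split-vpn or this thread: a small POSIX shell checker that pulls the username out of the id, eap_id, eap-<user> section name and id-0 fields of a swanctl-style purevpn.conf and reports when they are not all identical. The field layout is taken from the config posted above; the sample conf and the username in it are constructed.

```shell
# Added example (not split-vpn's own code): check that the PureVPN username is
# identical in all four places of a swanctl-style purevpn.conf, the check that
# resolved this issue (one copy was missing its last digit). Assumes the layout
# shown above: "id =", "eap_id =", "eap-<user> {" and "id-0 =" (no spaces in names).

# Print the four username occurrences found in the conf file, one per line.
extract_ids() {
    sed -n \
        -e 's/^[[:space:]]*id[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*eap_id[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*eap-\([^[:space:]{]*\)[[:space:]]*{.*/\1/p' \
        -e 's/^[[:space:]]*id-0[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1"
}

# Return 0 when exactly four occurrences exist and all are equal; otherwise
# list the distinct values on stderr (so the typo is visible) and return 1.
check_ids() {
    ids=$(extract_ids "$1")
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    distinct=$(printf '%s\n' "$ids" | sort -u | grep -c . || true)
    if [ "$count" -ne 4 ] || [ "$distinct" -ne 1 ]; then
        echo "username mismatch: $count occurrences, $distinct distinct value(s):" >&2
        printf '%s\n' "$ids" | sort -u >&2
        return 1
    fi
    return 0
}

# Write a constructed purevpn.conf fragment to $1: $2 is used for id, eap_id
# and the eap- secrets section name, $3 for id-0 (the fourth location).
write_sample() {
    cat > "$1" <<EOF
connections {
    purevpn {
        local-0 {
            id = $2
            eap_id = $2
        }
    }
}
secrets {
    eap-$2 {
        secret = "constructed-password"
        id-0 = $3
    }
}
EOF
}
```

Run it as `check_ids /etc/split-vpn/strongswan/purevpn/purevpn.conf` (path assumed from the config above); a non-zero exit with two listed values is the "missing last digit" case from this thread.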

x0zerocool0x commented 2 years ago

Wow, I checked that 10 times but somehow missed that it was missing the last number. Thank you sir! Now to get the port forwarding working!

peacey commented 1 year ago

No problem @x0zerocool0x. Closing this issue now, but if you have any more questions, feel free to re-open!