@viragomann said in Unable to contact daemon:

check the system log for hints to the reason, why the server did not start.

Thanks for the suggestion. It looks like I had a few separate (unrelated) issues. The first was my logs were not actually working at all...since none of the logs had updated since 19 March 2023 (the most recent entries for the System, Firewall, DHCP, etc. logs are 19 March).

Going to System Logs > Settings showed a PHP error:

Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/status_logs_settings.php:72 Stack trace: #0 {main} thrown in /usr/local/www/status_logs_settings.php on line 72 PHP ERROR: Type: 1, File: /usr/local/www/status_logs_settings.php, Line: 72, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/status_logs_settings.php:72 Stack trace: #0 {main} thrown

This seemed related to a bug in pfSense 23.01 where if the <syslog> portion of the config.xml file is empty then this error will happen and no logging occurs. This is in the bug report here: https://redmine.pfsense.org/issues/13942

So, once I got that fixed and the logs worked again I saw that OpenVPN had the following error when starting:

cannot open tun/tap dev /dev/tun1 no such file or directory pfsense

...which was related to another bug detailed here: https://redmine.pfsense.org/issues/13963

The ultimate fix for the OpenVPN issue was running the following command:

kldxref /boot/kernel

...and then the OpenVPN service started immediately.

Hope this might help anyone else in the same situation as me!

@scottlindner re "Is there a solution to that that can be automated?" not as far as I know.

I've set up a gateway group of all 3 and set the tier priorities:-

Screenshot 2023-05-16 at 16.09.26.png

I also have a Nord LAN segment that I route all the traffic out to the gateway group:-

Screenshot 2023-05-16 at 16.09.54.png

@mimu

I'm using the OpenVPN server just as access for myself for remote administration.
So, multiple connections, for me, is a rare thing.

Still, I've set :

be7e33ae-4fa9-4c02-b4c0-ff20980e0612-image.png

because : why not.

I guess (OpenVPN doc should explain more), as soon as a 'client' tries to connect, a 'slot' is allocated.
If you have many 'clients' that try, and these are just scripted scanners looking for less protected (NON TLS) VPN access, slots can allocated fast.
Again : I guess.

I've not (never) seen "I/O wait events" in my OpenVPN logs.
I'm using two OpenVPN servers , port 1194 and port 1195. Both are completely separated, and work fine both. Both servers use TLS, and no user+pasword.

@parushev
Is CARP working well? Check the system log for regarding entries.

Is the OpenVPN server down on the secondary?

Do you have a single router or is it an HA system as well?

How are your pfSense boxes connected to it? Is there a switch or another device in between?

Are they installed on bare metal or virtualized?

Note: When a device is talking to the CARP VIP, it resolves the VIP and get the CARP MAC address and send the packet to this. However, pfSense uses its real interface address (WAN in your case), when replying.
Some devices don't love this behavior. Maybe you're affected of this.

@viragomann Unfortunately, I lost access and won't be able to regain access until I revisit the site tomorrow. I didn't implement any rules on my OpenVPN server; I only selected the boxes while installing OpenVPN with the wizard to create the required rules. OpenVPN had been working before I enabled the interface and then changed the interface's name. I never implemented any rules under the interface OPT1 tab. The only rule that is implemented is under the OpenVPN tab and I believe it's just IPv4 with * in all the fields.

@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:

Consider that rules on interface group have priority over ones on member interfaces. So if there is a pass rule allowing any to any, rules on member interfaces would not have any affect.

So then enabling the OpenVPN interface creates an interface group? The single OpenVPN tab that is created when you setup the wizard is a member interface? (I don't know if this OpenVPN tab is their prior to the wizards use as I didn't look before I used the OpenVPN wizard.)

@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:

What is the purpose of the other tab then?

I'm trying to understand the difference between the rules associated with the tab created when you enable the OpenVPN interface in assignments and the rules made under the tab that is purely labeled OpenVPN.

@tank330 Never resolved the issue..the mute-reply warnings are still there. Just clutters up the logs...

@dbadovsky
Yeah, it has to be in the client specific file, mentioned above.

Nice that you got it sorted.

All sorted now, a couple of badly configured alias's were the issue and have now been rectified. all is working now as desired.

I want to post the critical take away I learned from this discussion for others searching in the future. I did find other discussions but they were very detailed and specigfic to the person's situation very much like this one is, so it is hard to know what are the specifc parts from the ones that apply to everyone. So here just to call it out, the key takeaway that taught me what I needed is.

Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did but the Status -> OpenVPN page indicated it was fine and it actually wasn't.

@johnpoz

It doesn't look like my load is that significant. It's been like this since this box has been running.
947788aa-a1a3-4669-ab8b-c0d3ad215875-image.png

@n8lbv

You are main focusing one point from several available.

Entire pfSense is multi or single core
Underlying system FreeBSD WAN part ist single or multicore pending on the
usage of PPPoE or not. (PPPoE = single queue not
PPPoE = multi queues) One queue per each CPU
core is able to use OPNvpn package is taking advantage of multi CPU
cores usage or not.

It all plays together and not something alone.
You may be able to tune some things here in the game
according to your hardware and use case, like;

mbuf amount mbuf size queues amount queues length queues size

@viragomann Thank you very much for your answers, in particular I did not consider that the error could be in the official tutorial of ProtonVPN, probably I will set up the variant "Client - pfsense - ProtonVPN" with DNS over HTTPS.

@gokulapandi
Yes should work for A and C.
But if you restrict access on B to certain subnets as well, you need to add the same rule as you have at A on the interface connected C and that one you have at C on the interface connected to A.

@tangooversway
Presumably the VPN server pushes the default route to you.
This is a pretty common setting of VPN services.

To avoid it go to the VPN client settings and add a check at "Don't pull routes".
After that you have to create policy routing rules to direct the desired traffic out through the VPN.

Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.

What do you mean with "switch interfaces in the NAT rules"?
Basically you need to add outbound NAT rules for your internal subnets on the VPN interface, if you want to pass out upstream traffic. But there is nothing to switch. Existing rules (automatic) should stay in place.

@mhassman In our case, as I seem to recall from a few years ago now, the service was running but people couldn't connect until the service was restarted. I am not finding my notes in a quick search though. The weekly restart was just a sledgehammer approach to fixing it.

@roberto-bianchi Yes, is not compatible right now.
We need to stick with 2.5.x line until someone fix this issue.
I have the same situation and I'm testing pfsense 2.7-dev and some case.
Hope to soon see the solution here, regards!!!

@marvosa said in Site-to-site up but not routing, can't use a /30 or /24 tunnel?:

No tunnel network defined, need to add 10.152.0.0/24 in the "IPv4 Tunnel Network" box

I think there's some misunderstandings and misleading info on the tunnel network for a site to site. It shouldn't be needed unless someone is using a /30 topology. It should get the tunnel network from the server.

Regardless, before yesterday's patch, the tunnel network setting wouldn't accept anything less than a /30.

Hmm, so you weren't seeing kernel panics as shown in the linked bug?:
https://redmine.pfsense.org/issues/13938

I'm not aware of anything that would prevent an OpenVPN tunnel passing traffic whilst still connecting. Do you have any logs from the failure situation? When you tested did you see traffic coming over the tunnel?

@johnpoz

@johnpoz said in Using pfSense as OpenVPN Client:

What your trying to do requires some basic understanding of routing, dns, etc. So no you wouldn't follow some vpn guide to connect to their service and route all your traffic out it..

I think I should not have listened to the people who told me, "Sure, this is easy to do and only takes a few hours." OpenVPN wasn't that hard to set up, in the long run, but dealing with the firewall rules and NAT to redirect ONLY the LAN traffic that is either responding to requests from within the VPN or that is only going to the VPN turns out to take a lot more than I thought it would from trying to remember what I was doing 15-20 years ago.

@ebeagle said in Pfsense as Ivacy VPN client:

Hi @DavieJG ,

Sorry for necro-posting.

Do you mind sharing your Ivacy VPN OpenVPN settings?

I've been in contact with their support who provided me a guide to pfSense 2.4.4 that doesn't work. According to them there seems to be some issues with version 2.4.4 that their R&D team is trying to get sorted.

I tried to use their OpenVPN config files for Linux as a reference but those don't work even on Linux.

Hopefully your config can shed some light why mine is not working.

Cheers

Were you able to figure this out? I am having authentication failures with Ivacy but I have followed the guides multiple times and I don't see what I am doing wrong.

@pippin said in OpenVPN client connecting - but is useless:

server 172.16.8.0 255.255.255.0
push "route 172.16.7.0 255.255.255.0"
route 172.16.7.0 255.255.255.0

I may have missed something (reading disability), but is the only change removing where I typed 2 or 3 zeroes instead of just one? If so, what do the extra 0s do for the system? Won't they still be evaluated as integers?

Although SSL certificate was valid I still was unable to connect using ldapsearch client or openvpn. May be CA certificate is expired on LetsEncrypt end or it is because of free cert. Not sure. But again in pfsense under user management -> ldap configuration were not issues after certificate was renewed on ldap server.

Anyway

Was able to solve the issue by adding.
TLS_REQCERT allow

to

/usr/local/etc/openldap/ldap.conf

Now openvpn connects fine as well as ldap cmd client

Well it's working now.
It had been assigning .3 to the second client (the client had .3)
But the server's route table was showing it's subnet routed to .2
Not sure why.
And not sure how it got fixed.

The ipsec internal routing is a bit confusing as well.
I'm not used to that yet.
Seems like it has it's own routes and not what you see out at the routing table.
Are there tools to much better see what's going on with it.
To make matters even more fun in packet capture you can choose the ipsec "interface".
But capture does not work when you click start. (1.7dev)
Anyhow I have a working single server instance and two site-site remote clients.
I have a lot more to learn.. and not a super pro yet here :)

Ok, so apparently it just wanted me to create this topic in order to start working. 😉

I had previously come across this link: https://forums.openvpn.net/viewtopic.php?t=33561 where the person had to go to http(s)://pfsense.router.ip.address/status_filter_reload.php to get things working again. Well I had tried that at the very beginning, but not again since reconfiguring the server settings on the one upgraded to pfSense 2.6.0. After writing the opening for the thread, I went back over my steps, and figured it couldn't hurt to run the filter reload again, even though I had been applying changes to the firewall filters during troubleshooting. As soon as I reloaded the filter, I began receiving pings from a LAN address on the internal network through OpenVPN that was a separate address from the pfSense box. The only other thing I additionally did was to add outbound NAT rules, specifically for my OpenVPN ranges to LAN, although automatic created the same rule plus more. I suspect this was the answer as typically you need some sort of a NAT to route through a firewall. However, there wasn't one setup in the previous config (pfSense 2.4.5-RELEASE-p1), so... 🤷 Hopefully writing up this response will help someone (possibly even myself in the future) if they experience the same problem.

@richie1985

Easy : and I'll excuse upfront for the answer : set an alarm on whenever is "during night" and then do whatever you need to do.
There is no such thing as "pre set" a setting, and have it taken in account at a pre determined (date) time.

A openvpn server restart will disconnect all the connected users, I get it.

If you 'really' need this possibility, there is only one solution :
As the GUI handles everything that is 'settings' and 'functionality start' and 'functionality start' the good old "script it yourself" will work just fine ( open source means also IMHO : do what you want with your copy 😊 ).
The good news or the bad news - whatever applies to you : it's just PHP.

If not : go here - or here.

NetSetMan let you change fast the IP of your PC to swap fast over into another subnet or network. Perhaps it will be supporting one or more of the other given tips and hints related to that problem.

I have now tried stopping both OpenVPN tunnels and restarted them one after another and they are now both up again. Not sure what the issue is but at least I now have a way to get the link up.
I will see if the die again in a couple of hours...

@michmoor said in Remove OpenVPN access admin:

@jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that then the firewall itself to manage all my users and certs.

Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.

@hope-it-works said in Having problems connecting two OpenVPN-Servers:

That's what I had configured before. There I couldn't use the same subnet for both VPN servers.

That's correct. But is there any reason for needing both to be within the same layer 2?
For accessing services that's not a requirement at all.

I should mention that we currently don't have a LAN Interface. Is a LAN interface required for this setup?

You only need access to the pfSense GUI to configure it. If you have open the WAN for this purpose, you don't need a LAN interface.

Dear @jimp
Thank you very much for your suggestion,
the problem was resolved by just removing the tunnel network!

07e6c93d-99c8-473a-abea-932b70ace8bb-image.png

@dlogan
Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to.
You can enable routing in such setup a adding client specific overrides for each client on the server, where you define the remote networks.

However, if you don't want to create CSO (which makes no sense in your case as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique.

But I can't tell you, why this is not an issue with a pre-shared key setup.

@tjrjcj You can do what I (and others) do and have your VPN connection be dedicated to a single network and then change which network you use... on my iMac I can do that one of two ways: Service Order in the Mac or switch port at my desk. But it depends on your employer's VPN on if this is possible.

@rcoleman-netgate That makes sense if I were hitting the 10 year mark but it'll be awhile until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place but it appears not.

@michmoor Cool, thanks for clarifying that 👍