Netgate Discussion Forum

    PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?

    General pfSense Questions
    118 Posts 9 Posters 32.9k Views
    N8LBV @stephenw10

      @stephenw10 Cool!
      I'm still not quite over the shock and thrill that it's working again :)
      Did without it for quite a long time and poked at it here & there over that time.

      I feel more like I do now.

      jimp (Netgate developer) @stephenw10

        @stephenw10 said in PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?:

        If you set the VPN to use a VIP address instead of the main WAN it will always be that IP even if you hit this bug. But that means either changing the clients to use the VIP address or swapping the main interface and VIP IPs. That may not be practical in some setups.

        Or bind to localhost and use a port forward on the WAN port to the instance on localhost.

        Or bind to all interfaces/multihome and control access with rules.

        Only real reason to bind to a specific interface would be on a client if it had to source from a specific address, but even that is of questionable use these days.

        stephenw10 (Netgate Administrator)

          Yup that^. Works well for OpenVPN.

          N8LBV @stephenw10

            This will be a topic for another thread, but I had the problem "come back"
            after I had tried to create an additional site-to-site shared-key OpenVPN server on a different port.
            I was able to get the tunnel to come up and work between the two pfSense systems;
            I could ping and reach hosts on both LANs, local and remote (from either pfSense box).
            I set up the remote site as a client.
            But I could not get any traffic from one LAN to the other (not being routed fully to the other LAN).
            I checked and double-checked all of my firewall settings and have the usual "allow all to pass" type rules in place on the OpenVPN interfaces on each pfSense system,
            and the routing tables look good on both systems, local and remote.
            And I can reach both OpenVPN interface addresses from both LANs, so some routing is occurring
            part way through, at least to the far-end OpenVPN interface.
            Anyhow, that's not working as planned or expected and it's weird.
            I also tried a packet capture on the OpenVPN interface at the far end while trying to ping a host on the far-end LAN, and did not see any traffic there.
            The packets originate on the local LAN and are destined for the far-end LAN.
            I have all of the usual and expected stuff in place, LAN to any rule on both ends etc.
            Routing table and firewall rules all look proper on both ends and it looks like it should work.
            Reboots made no difference.
            I deleted that attempt and was left with my main VPN server on 1194 not responding again until I re-did the "save WAN interface settings" trick.

            stephenw10 (Netgate Administrator)

              That sounds like it must be a routing issue. Do you have policy based routing that might be overriding the routes added for OpenVPN?

              N8LBV @stephenw10

                @stephenw10 1- I don't think so. 2- I don't think so because I'm not familiar with policy based routing. I will attempt to get familiar.

                N8LBV @stephenw10

                  @stephenw10 I did also do a packet capture on the WAN interface/gateway while trying to ping a host on the far-end LAN, just to confirm it was not taking the default route to the Internet, and it was not seen there either.

                  N8LBV @N8LBV

                    @n8lbv OK, did the same test with OpenVPN and its routes removed; I'd expect to see these packets appear on my WAN interface and they do not.
                    Something's up.
                    I have something somewhere going on here. I'll find it.

                    N8LBV @N8LBV

                      @n8lbv OK, I had an old IPsec config still stuck in there from testing a week ago that I thought I had deleted, which involved the same distant LAN subnet.
                      Nice!

                      Sorry to waste anyone's time here.
                      But I guess I did figure out that the original 'problem' can come back while making OpenVPN changes and additions.

                      LOL

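The culprit found in the post above, a leftover IPsec phase 2 whose remote network matched the subnet now routed over OpenVPN, is worth checking for mechanically rather than by eye, because the kernel's IPsec security policies are matched before the routing table is consulted: traffic that matches a stale selector never reaches the OpenVPN interface or the WAN capture, which is exactly the silent behaviour described. The following is an added example and not pfSense or OpenVPN project code. It compares a list of IPsec phase 2 remote networks against the networks routed over OpenVPN and prints every overlapping pair. Both lists, the tunnel names and the RFC 1918 addresses are constructed for the example so it runs offline; on a live box they would be taken from the IPsec and OpenVPN settings, or from `setkey -DP` and `netstat -rn`.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code. Flags IPsec phase 2 remote
# networks that overlap subnets routed over OpenVPN. All input below is
# constructed for the example (assumed tunnel names, RFC 1918 ranges).

# One entry per line: "<name> <network>/<prefix>"
IPSEC_P2='oldsite 10.20.0.0/16
branch2 10.30.5.0/24'

OVPN_ROUTES='sitetosite 10.20.5.0/24
roadwarrior 10.99.0.0/24'

# cidr_overlap A/pa B/pb -> exit status 0 if the two blocks share any address.
# Two blocks overlap exactly when they agree once both are truncated to the
# shorter of the two prefixes; awk does the arithmetic so the script stays POSIX sh.
cidr_overlap() {
    awk -v x="$1" -v y="$2" '
    function ip2int(s,    p) {
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN {
        split(x, a, "/"); split(y, b, "/")
        plen  = (a[2] + 0 < b[2] + 0) ? a[2] + 0 : b[2] + 0
        block = 2 ^ (32 - plen)
        exit !(int(ip2int(a[1]) / block) == int(ip2int(b[1]) / block))
    }'
}

# ipsec_conflicts P2LIST OVPNLIST -> prints one line per overlapping pair;
# empty output means no IPsec selector shadows an OpenVPN route.
ipsec_conflicts() {
    printf '%s\n' "$1" | while read -r pname pnet; do
        printf '%s\n' "$2" | while read -r oname onet; do
            if cidr_overlap "$pnet" "$onet"; then
                echo "IPsec P2 '$pname' ($pnet) overlaps OpenVPN '$oname' ($onet)"
            fi
        done
    done
}

ipsec_conflicts "$IPSEC_P2" "$OVPN_ROUTES"
# -> IPsec P2 'oldsite' (10.20.0.0/16) overlaps OpenVPN 'sitetosite' (10.20.5.0/24)
```

The overlap test is the general one: two CIDR blocks intersect if and only if they are identical after both are truncated to the shorter prefix, so a /16 left behind from an old tunnel is caught even when the new OpenVPN route is a narrower /24 inside it.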
                        N8LBV @N8LBV

                        And that remote subnet is now back and working :)
                        Along with my "main" server for dynamic client devices.
                        Life isn't so bad.

                          stephenw10 (Netgate Administrator) @N8LBV

                          @n8lbv said in PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?:

                          Life isn't so bad.

                          There are much worse things that can happen! 😉

                          Still it would be very nice to get that bug squashed. The primary IP address should not change like that.

                          Steve

                            N8LBV @stephenw10
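The symptom this thread is about, an OpenVPN server that stops answering because the interface's primary address is no longer the one the daemon bound to, can be confirmed from the shell instead of by re-saving the WAN page and hoping. The following is an added example and not pfSense or OpenVPN project code: it parses a `sockstat -4l` listing (a constructed sample is embedded so it runs offline) and reports whether the openvpn process on a given port is bound to the expected address, to all addresses, or is not listening at all. The interface name em0, the PIDs, the ports and the RFC 5737 addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code. Checks whether the OpenVPN server
# socket is still bound to the address it is expected to use. The listing has
# the shape of `sockstat -4l` on FreeBSD/pfSense; this copy is constructed for
# the example (RFC 5737 addresses, assumed PIDs) so the script runs offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    4321  6  udp4   203.0.113.11:1194     *:*
root     openvpn    4322  6  udp4   127.0.0.1:1195        *:*
root     sshd       1000  4  tcp4   *:22                  *:*
unbound  unbound    900   5  udp4   192.0.2.1:53          *:*'

# openvpn_bound_addr LISTING PORT -> prints the local address the openvpn
# process listens on for PORT ("*" when bound to all addresses), or nothing.
openvpn_bound_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "openvpn" {
            n = split($6, a, ":")            # LOCAL ADDRESS is addr:port
            if (a[n] == port) { print a[1]; exit }
        }'
}

# check_bind LISTING EXPECTED_ADDR PORT -> reports ok / moved / missing.
# Exit status: 0 ok, 1 bound somewhere else, 2 no listener on that port.
check_bind() {
    actual=$(openvpn_bound_addr "$1" "$3")
    if [ -z "$actual" ]; then
        echo "missing: no openvpn socket on udp port $3"
        return 2
    elif [ "$actual" = "$2" ] || [ "$actual" = "*" ]; then
        echo "ok: openvpn listening on $actual:$3"
        return 0
    else
        echo "moved: openvpn bound to $actual:$3 but the interface address is $2"
        return 1
    fi
}

# On a live box (assumed interface name em0), replace the sample with:
#   check_bind "$(sockstat -4l)" "$(ifconfig em0 | awk '/inet /{print $2; exit}')" 1194
check_bind "$SAMPLE_SOCKSTAT" 203.0.113.10 1194 || :   # moved: bound to 203.0.113.11
check_bind "$SAMPLE_SOCKSTAT" 127.0.0.1    1195 || :   # ok
check_bind "$SAMPLE_SOCKSTAT" 203.0.113.10 1196 || :   # missing
```

A "moved" result is the case discussed in the thread: the socket is alive on an address clients are not sending to, so nothing in the OpenVPN log explains the silence. An "ok" on `*` corresponds to the bind-to-all-interfaces workaround, where the listener survives an address change and firewall rules do the access control.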

                            @stephenw10 Do you figure it's fixed in 2.6?

                              stephenw10 (Netgate Administrator)

                              It might have been fixed by something that was pulled in but there has not been anything actively applied to fix it. Unfortunately since I still can't replicate it here I've been unable to test that.

                              Steve

                                N8LBV @stephenw10

                                @stephenw10 This is probably a new thread and at this point is just for entertainment.
                                I updated one simple client site to 2.6.0 and sure enough OpenVPN back to a 2.5.2 server site is now broken since the update.

                                I have everything working everywhere now with 2.5.2
                                I thought I try updating one site to 2.6 and boom.
                                Was confident that it was just going to 'work'.
                                Nope. :)

                                I've not looked any further into it yet.
                                Other than reboots restarts etc do not fix it.
                                And everything at the immediate surface looks like it should be working.

                                  N8LBV @N8LBV

                                  @n8lbv I had to restart the service on the server side.
                                  There is something weird going on: if it loses the connection from the client, the service dies
                                  and never restarts on its own.
                                  I noticed this in 2.5.2 as well.
                                  It's an issue that I have not addressed yet.
                                  So false alarm on 2.6.0 there, but the other issue persists.
                                  While I was updating the remote site to 2.6 it was down "long enough" to cause the issue to happen.
                                  It causes the server to say that the service is not running on it.
                                  As soon as I restart it on the server it comes back and is OK.

                                    N8LBV @N8LBV

                                    @n8lbv I will also further note that I am new to using OpenVPN for anything site-to-site.
                                    I used to always use IPsec.
                                    So I have some unfamiliarity along with this server-stopping issue when the connection is lost or breaks.

                                      stephenw10 (Netgate Administrator)

                                      Hmm, sort of sounds like this: https://redmine.pfsense.org/issues/12102
                                      But that's specifically fixed in 2.6.
                                      Check the server-side logs for why it shut down. I wonder if that option is somehow still present in your setup though.

                                      Steve

                                        N8LBV @stephenw10

                                        @stephenw10 I upgraded the server side of things today to 2.6.0.
                                        Before the upgrade I did the traditional remove-any-packages-and-restart before upgrading.
                                        The only package I had installed was OpenVPN Client Export.
                                        After the reboot, the VPN client connection was no longer working.
                                        Tried restarting services on both server and client systems to no avail;
                                        the connection would not come back up.
                                        Went ahead and completed the 2.6.0 upgrade and reboot on the server side
                                        (the client was already upgraded to 2.6.0 a day ago, as mentioned in my previous post).
                                        The working VPN connection did not come back.
                                        Tried restarting services and systems again, which did not work.
                                        The only thing that worked, and worked instantly, was re-applying and saving the WAN settings page without making any changes.
                                        Note: This was on the CLIENT end, not the server!
                                        Single IP on the WAN and it is dynamically (DHCP) configured from the Internet provider.
                                        I will keep tabs on this and experiment to see if I can reliably get it to fail or re-create the problem.
                                        All along I have only expected that problem to be on the server end where it has multiple static IPv4 addresses.

                                          stephenw10 (Netgate Administrator)

                                          Hmm, so only one IP on the client side WAN?

                                          Maybe no default route? That gets re-applied by resaving the WAN.

                                          Steve

                                            N8LBV @stephenw10

                                            @stephenw10 Yes only one IP (dynamic) and default route existed and worked.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.