OpenVPN server fails to start
-
23.01-DEVELOPMENT (amd64)
built on Mon Nov 14 06:04:55 UTC 2022
FreeBSD 14.0-CURRENT
Config restored from operational 22.05 installation.
OpenVPN not functional with the following logged:
Nov 14 10:00:02 openvpn 76378 Exiting due to fatal error
Nov 14 10:00:02 openvpn 76378 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 14 10:00:02 openvpn 76378 /sbin/ifconfig ovpns1 10.3.201.1/24 mtu 1500 up
Nov 14 10:00:02 openvpn 76378 TUN/TAP device /dev/tun1 opened
Nov 14 10:00:02 openvpn 76378 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Nov 14 10:00:02 openvpn 76378 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 14 10:00:02 openvpn 76378 library versions: OpenSSL 1.1.1q-freebsd 5 Jul 2022, LZO 2.10
Nov 14 10:00:02 openvpn 76378 OpenVPN 2.6_git amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO]
Ted Quade
-
What server config is that?
-
@stephenw10 I do not understand your question. The OpenVPN server is OpenVPN incorporated within pfSense.
If you are requesting configuration data, I can provide the relevant portions of the config XML.
Please advise.
Ted Quade
-
Yes, I mean what server mode, protocol, authentication, encryption etc.
-
Seeing something very similar to that using TCP with DCO enabled for example.
-
@stephenw10
Remote Access (SSL/TLS + User Auth)
DCO enabled
Local Database
UDP on IPv4 only
WAN
1194
Use a TLS Key
TLS Authentication
Use default direction
Gryphons Walk CA
Gryphons Walk Server Certificate ( various bits of related items )
2048 bit
Use Default
AES-256-GCM (256 bit key, 128 bit block)
AES-256-GCM (256 bit key, 128 bit block)
SHA256 (256-bit)
No Hardware Crypto Acceleration
One (Client+Server)
Enforce key usage
10.3.201.0/24
Force all client-generated IPv4 traffic through the tunnel
Force all client-generated IPv6 traffic through the tunnel
Decompress incoming, do not compress outgoing (Asymmetric)
Disable Compression [Omit Preference]
Allow connected clients to retain their connections if their IP address changes.
Subnet - One IP address per client in a common subnet
keepalive - Use keepalive helper to define ping configuration
10
60
Provide a default domain name to clients
teddelee.net
Provide a DNS server list to clients. Addresses may .......
127.0.0.1
65.87.230.5
65.87.230.4
216.130.208.3
Enable NetBIOS over TCP/IP
none
Use the authenticated client username ............
Reconnect to this server / Retry once
Both
default
-
Oh, I think that's the compression setting. DCO does not allow compression and that should be suppressed. Looks like that's something the upgrade code will need to catch.
Try setting 'Allow Compression' to 'Refuse any non stub compression'. Let me know if that allows it to start.
Steve
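An added pre-upgrade check along the lines Steve describes; it is not part of this thread or of pfSense. It assumes the generated server config is available as text, that the GUI's "Asymmetric" choice maps to `allow-compression asym` and "Refuse any non stub compression" to `allow-compression no`, and that DCO rejects any real compression algorithm while tolerating stub framing:

```python
# Stub framing carries no compression and is assumed acceptable to DCO.
STUB_ALGS = {"stub", "stub-v2"}


def dco_compression_conflicts(config_text, dco_enabled):
    """Return config lines that would stop OpenVPN starting with DCO enabled.

    config_text: OpenVPN server config (constructed samples below).
    dco_enabled: the pfSense 'DCO' checkbox; with DCO off nothing is flagged.
    Assumed rule: DCO refuses any directive that enables actual compression.
    """
    if not dco_enabled:
        return []
    conflicts = []
    for raw in config_text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "allow-compression" and args and args[0] in ("yes", "asym"):
            conflicts.append(line)   # 'asym' is the GUI's "Asymmetric" choice
        elif name == "compress" and args and args[0] not in STUB_ALGS:
            conflicts.append(line)   # e.g. 'compress lz4-v2'; bare 'compress' is stub
        elif name == "comp-lzo" and (not args or args[0] != "no"):
            conflicts.append(line)   # legacy LZO is on unless explicitly 'comp-lzo no'
    return conflicts


# Constructed samples mirroring the thread: the restored 22.05 config carried the
# "Asymmetric" setting; the fix switches it to "Refuse any non stub compression".
BROKEN_SERVER_CONFIG = """\
dev ovpns1
proto udp4
port 1194
server 10.3.201.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
allow-compression asym
keepalive 10 60
"""

FIXED_SERVER_CONFIG = BROKEN_SERVER_CONFIG.replace(
    "allow-compression asym", "allow-compression no")

if __name__ == "__main__":
    for label, cfg in (("restored", BROKEN_SERVER_CONFIG), ("fixed", FIXED_SERVER_CONFIG)):
        print(label, "->", dco_compression_conflicts(cfg, dco_enabled=True) or "no DCO conflicts")
```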
-
@stephenw10 That was the issue. Thanks.
Ted