OpenVPN could not be established after upgrade to 23.01 on SG-3100

JVComputers · Mar 22, 2023, 4:14 AM

@cneep That's an idea, but one I'd have to carefully consider. I don't like the idea of opening administrative ports directly to the internet, even if I lock them down to my IP.

stephenw10 · Mar 22, 2023, 4:28 PM

If it's an SSH port you can also use key based auth only. The risk of that combined with a limited source IP is close to zero.

Steve

JVComputers · Mar 22, 2023, 4:37 PM

@stephenw10 True, providing no future vulnerabilities are found in the SSH services which is, unfortunately, not unheard of.

stephenw10 · Mar 22, 2023, 4:49 PM

Right. But don't leave the port open after the upgrade is complete and the VPN is back up.
If you really wanted to you could put the rule on a schedule so it closed again automatically if you were still unable to access it for some other reason.

JVComputers · Mar 22, 2023, 4:52 PM

@stephenw10 I feel dumb, I should've thought of only opening it during an upgrade procedure. Good idea.

alvinestevez · Apr 14, 2023, 8:50 PM

After I upgraded my Netgate SG-3100 to pfsense 23.01-RELEASE (arm) from 22.05.1, the OpenVPN demon was unable to start.

Logs show: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
I was unable to start the OpenVPN Deamon

Solution:

goto: Diagnostics, then click Command Prompt
execute: kldxref /boot/kernel
Reboot shortly after executing step 2

After I rebooted the my Openvpn server and and Client tunnel both were running!!!!!

This instructions on these threads are accurate!

jkalber · Apr 27, 2023, 1:09 PM

@mikej47 said in OpenVPN could not be established after upgrade to 23.01 on SG-3100:

kldxref /boot/kernel and a restart of the OpenVPN service worked for me on my Sg3100. I issued the command through the web gui.

Yup same here as well! Had a slight heart attack when the VPN tunnels didn't come back online though. Thankfully we have site to site IPSec tunnels in place or else I would have been making a 2hr round trip commute into the office to finish up everything onsite.

SteveITS · Apr 27, 2023, 3:12 PM

@jkalber There was also a kernel panic bug accessing the web GUI over IPSec and an nginx crash with OpenVPN, though I'm guessing from your message you weren't using pfSense for your remote access?

You might consider having an extra rule you can enable only during upgrades to allow access directly from your IP to WAN.

jkalber · Apr 27, 2023, 3:48 PM

@steveits Hey Steve! I manage a couple offices here in Texas and then a few others out of state. We use OpenVPN for our VPN service and I use the standard Remote Desktop app to remote into the FW's remotely to perform upgrades etc. I haven't ran into any issues aside from last night's little hiccup. Usually I will perform the upgrade and leave OpenVPN opened and reconnecting. Eventually once the FW comes back online the VPN reconnects and I re-gain access. Obviously with last nights upgrade it nuked the OpenVPN services so after about 1hr of it not connecting I disconnected from that sites VPN to my main corporate site. Once I was connected I remoted into our server, and then browsed to the FW that I was working on previously. I'm still new to networking so I hope this makes sense. Your recommendation on creating a rule to allow my static IP access to WAN for upgrades sounds like a great idea and I will look into this. I'm just happy the kernal panic bug you are referring to didn't affect me, guess I lucked out.

m7infratec · Apr 30, 2023, 6:38 PM

Version 23.01 was the worst of all. I have 2 Netgate 2100 in HA, I updated it first and when it restarted it didn't come back, I had to open a ticket, download the image, reinstall the system and redo everything from 0. Now comes the problem of OpenVPN that doesn't work, it even connects but I can't access it the other network, I tested everything and nothing. I'm seriously thinking about removing pfsense and netgate from all customers, because the level of stress and headache it's causing me is not worth it and the worst thing is that we don't see a light at the end of the tunnel, just a palliative solution that It doesn't work, just a waste of time.

stephenw10 · Apr 30, 2023, 7:57 PM

Well that's not the same issue as being discussed here since it applies only to arm32, the 3100.

I assume the initial issue with it not coming back up was because of the bootloader update issue from your other thread? That's unrelated to OpenVPN if so.

Have you opened a ticket about the OpenVPN issue I can review?

How exactly does it fail?

Steve

m7infratec · Apr 30, 2023, 9:01 PM

@stephenw10 My scenario is exactly the same as @jkalber, I use OpenVPN to administer the networks and I also have RDP enabled so that if the tunnel fails I can access a remote machine. I have 3 clients with pfsense in HA and 1 client using version 2100 Netgate also in HA, both after updating to 23.01 OpenVPN does not work anymore, it connects but does not reach the networks, the pfsense log feature is limited and I can not see where the fault is possibly. my solution would be to downgrade because everything was working, and leave it like that and never update anything again because I lost confidence in pfsense which for years was by far the best firewall in the world.

stephenw10 · Apr 30, 2023, 10:34 PM

Hmm, so you weren't seeing kernel panics as shown in the linked bug?:
https://redmine.pfsense.org/issues/13938

I'm not aware of anything that would prevent an OpenVPN tunnel passing traffic whilst still connecting. Do you have any logs from the failure situation? When you tested did you see traffic coming over the tunnel?

benisfroms · Feb 12, 2024, 2:10 PM

This post is deleted!