OpenVPN Site-to-Site client daemon will not start after upgrading CE from 2.6.0 to 2.7.0
-
v2.7.0 definitely created new issues with OpenVPN. Completely broke client OpenVPN daemons (server OpenVPN daemons seemed to be ok). OpenVPN message, "[error] Unable to contact daemon Service not running?". Messages in the OpenVPN log were very vague, "Exiting due to fatal error" with no other info as to what the actual issue was. Rolled back to v2.6.0 and staying there until the next release. If I have time to play with this at some point soon, I'll snapshot the VM, upgrade to 2.7.0 again, and see if I can dig a bit deeper to track down the problem.
Has anyone else experienced issues with the OpenVPN client daemon not starting after the upgrade?
Also, whoever made the decision to only keep package repos available from the current release/most recent previous release and not any older releases should NOT be working in the field of IT as they are freaking clueless on how actual production systems run. Not all businesses have the money, time, or manpower to devote to testing/fixing problems created by forcing people onto the current release and may need to operate for a time on a version a few releases back for WHATEVER REASON. Granted we have a very specific OpenVPN use case that nobody else is likely duplicating, but it should be the decision of the business running pfSense to accept responsibility for any security repercussions of running an older release, not pfSense management or its developers. Rant over, sorry for going off-topic.
-
@blabs said in OpenVPN Site-to-Site client daemon will not start after upgrading CE from 2.6.0 to 2.7.0:
Has anyone else experienced issues with the OpenVPN client daemon not starting after the upgrade?
The first thing to check is if the client has a tunnel network filled in. If it does, remove it.
The most common cause for clients failing to start recently was having an invalid tunnel network specified in there.
Also make sure anything that should be a network is using a network address. OpenVPN will choke on certain things like x.x.x.1/24 when it should be x.x.x.0/24.
-
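The advice above comes down to two checks: a client's tunnel network is normally blank (the address comes from the server or a client-specific override), and any field that is supposed to hold a network must hold a network address (x.x.x.0/24), not a host inside it (x.x.x.1/24). The following Python is an added example written for this thread, not pfSense code and not something either poster ran; the field names and the sample client settings in it are constructed for illustration. It applies the same strict/loose parsing distinction that OpenVPN effectively enforces, so it flags the x.x.x.1/24 case and suggests the corrected network, while accepting a proper /30 such as the one the later poster uses.

```python
import ipaddress

# Check a single pfSense-style network field (e.g. "IPv4 Tunnel Network").
# Returns (status, detail):
#   "empty"   - blank; fine for a client whose address comes from the server
#               side or a client specific override
#   "ok"      - a true network address such as 10.0.8.0/24 or 10.0.8.0/30
#   "invalid" - host bits set (10.0.8.1/24) or unparsable; detail carries the
#               corrected network address where one can be computed
def check_network_field(value):
    text = value.strip()
    if not text:
        return "empty", "blank; address must come from the server side"
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        # strict=False accepts a host-with-prefix and zeroes the host bits,
        # which gives us the address OpenVPN actually wants to see.
        try:
            fixed = ipaddress.ip_network(text, strict=False)
        except ValueError:
            return "invalid", f"cannot parse {text!r} as a network"
        return "invalid", f"{text} has host bits set; use {fixed.with_prefixlen}"
    return "ok", net.with_prefixlen


# pfSense lets several fields hold a comma-separated list of networks
# ("IPv4 Remote network(s)", "IPv4 Local network(s)"); check each entry.
def check_network_list(value):
    results = []
    for item in value.split(","):
        item = item.strip()
        if item:
            results.append((item,) + check_network_field(item))
    return results


# Lint a whole client definition given as a dict of field name -> value.
# The field names are illustrative labels, not pfSense's internal keys.
# Returns a list of human-readable problems; empty list means nothing found.
def lint_client(fields):
    problems = []
    tunnel = fields.get("IPv4 Tunnel Network", "")
    status, detail = check_network_field(tunnel)
    if status == "invalid":
        problems.append(f"IPv4 Tunnel Network: {detail}")
    for name in ("IPv4 Remote network(s)", "IPv4 Local network(s)"):
        for item, status, detail in check_network_list(fields.get(name, "")):
            if status == "invalid":
                problems.append(f"{name}: {detail}")
    return problems


if __name__ == "__main__":
    # Constructed sample: tunnel network left blank (address assigned by the
    # server), one good remote network, one that is a host address by mistake.
    sample_client = {
        "IPv4 Tunnel Network": "",
        "IPv4 Remote network(s)": "192.168.10.0/24, 192.168.20.1/24",
        "IPv4 Local network(s)": "10.1.0.0/16",
    }
    for problem in lint_client(sample_client) or ["no network problems found"]:
        print(problem)
```

A blank tunnel network is reported as "empty", not as a problem, which matches the case in this thread where the client gets its address from a client-specific override on the server. If you want to apply the same check to the "Custom options" box, run each `--route` or `--ifconfig` argument through `check_network_field` the same way.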
@jimp said in OpenVPN Site-to-Site client daemon will not start after upgrading CE from 2.6.0 to 2.7.0:
@blabs said in OpenVPN Site-to-Site client daemon will not start after upgrading CE from 2.6.0 to 2.7.0:
Has anyone else experienced issues with the OpenVPN client daemon not starting after the upgrade?
The first thing to check is if the client has a tunnel network filled in. If it does, remove it.
The most common cause for clients failing to start recently was having an invalid tunnel network specified in there.
Also make sure anything that should be a network is using a network address. OpenVPN will choke on certain things like x.x.x.1/24 when it should be x.x.x.0/24.
The first thing to check is if the client has a tunnel network filled in. If it does, remove it.
That was always left blank so it can get its IP statically assigned from a client specific override on the other pfSense OpenVPN server.
Also make sure anything that should be a network is using a network address. OpenVPN will choke on certain things like x.x.x.1/24 when it should be x.x.x.0/24.
No IPs are being assigned anywhere in the client config except the destination OpenVPN server address, so I don't believe that is the issue, as it looks like the daemon won't even start. I'll double check this, but if it isn't even reaching out to the server side OpenVPN server, then it can't be anything on the server end.
In all the years of using pfSense and all the upgrades through the years, this is the first time I am seeing a daemon failure with very little diag info. Very strange...
-
@blabs Additionally, no Peer Certificate Revocation List is defined, as I've seen expired lists cause the daemon not to start, so that is not the issue. Custom config options on the client side are as follows:
remote-cert-tls server;
tls-version-min 1.2;
verify-x509-name Site-OpenVPN-Server name;
link-mtu 1422;
Maybe one of these is deprecated in the new OpenVPN version and I just missed it?
-
Take them all out and see what happens. Add them back one by one.
-
@jimp said in OpenVPN Site-to-Site client daemon will not start after upgrading CE from 2.6.0 to 2.7.0:
Take them all out and see what happens. Add them back one by one.
Good idea, I'll give that a shot at the end of the day today. If that doesn't work, I'll delete the config and try recreating it manually.
-
@jimp I have the same problem, but I use /30, so the tunnel network should be specified, right?
Other subnets (tried /29 and it connected, but no traffic and wrong ping due to wrong subnet) and no IPv4 tunnel network work (with this obviously no IP, but it still connects to the server).
here is the thread I started