PFSense 2.7.0 OpenVPN problems
-
Hello,
I upgraded my PFSense to latest version and it messed up OpenVPN configuration.
I will give you some details:
Branch Office that serves both as:
a) VPN Server for local clients when they are roaming around so not to need to buy another VPN software to surf internet
b) Client Connection to the main server where it rotates traffic for main server and other offices
c) VPN Server to another Server in Cloud
Now after upgrading:
a) WORKING
b) NOT WORKING
c) NOT WORKING
I tried to downgrade with no success as I can't install packages anymore.
Two cents: "Is it normal to close package installation for 2.6.0 in the same moment when you release a new version? At least to have waited for 6 months would have been wiser."
So I started from zero with a clean 2.7.0 installation, I imported certificates and managed everything, and the client connection to the main server worked.
BTW, if I use an SSL/TLS OpenVPN the connection goes up but there is no way that traffic goes through it. If I use a Shared Key (I know it's deprecated), it worked, but it still works only until the moment when I try to set up the VPN Server for Remote Access.
In the same moment that I try to set up the VPN Server for Remote Access, the Client connection remains connected but no traffic is rotated through the client connection anymore.
The subnets are all different and from 2.4.6 till 2.6.0 I never had any problem.
What can I do?
Thanks a lot for anyone giving me any hints
Marco -
Bridged VPN effectively stopped here as well since the upgrade.
I am supposed to have 3 pfsenses bridged.
On version 2.6.0 the clients of the 3 networks could reach each other. I was monitoring this connectivity by having each router ping the others on their local IP.
This is still working!!!
When I set up the VPN-bridge in 2.6.0 I merely was unable to get pfsenses to connect the other servers.
https://forum.netgate.com/topic/178217/triple-site-to-site-working-but-2-pfsenses-can-only-ping-the-ovpn-server-site?_=1688633738215
It behaves differently than before. -
ah, NOT JUST ME THEN!!!
I have the same issue. Been banging my head against this for a few days trying to figure out what broke, only to realise the upgrade messed me up!! Same issue, and again yep, I can't downgrade either, so now I'm stuck with no VPN tunnels across my multi-site network.
Has anyone reported this to netgate? just wondering if a fix for this is in progress or not
-
It's unlikely you all have the same root cause even though you believe you have similar symptoms. Please start your own individual threads and include as much detail as possible.
"Not working" isn't a helpful description of the problem. What exactly isn't working? Is it not connecting? Connecting but not passing traffic? Passing traffic but not in the expected way? Routing traffic incorrectly? Those sorts of things.
Most likely there is a configuration problem that has always been wrong, but some change on the backend changed it, and now your previously "working" settings, which happened to be incorrect in some way, stopped working.
A few common things we have seen are:
- SSL/TLS setups where people had filled in a tunnel network on the client when they should not
- SSL/TLS setups with a /24 tunnel network where the Client-Specific Overrides were not setup correctly breaking LAN-to-LAN routing
- Static Key configurations using the wrong subnet size for the tunnel network (e.g. /24 when it should have been /30)
- Not explicitly setting the same topology on both sides
- Some other routing conflict preventing the correct entries from being in the tables
- A configuration that worked by chance before that was never correct (e.g. routes in System > Routing instead of in OpenVPN natively)
- Policy routing rules overriding the VPN and sending the client traffic in some unexpected path
- Missing or incorrectly configured default gateway (e.g. set to auto when it should be set to a WAN or WAN failover group)
Compare your setup against the reference here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
There are a lot of troubleshooting suggestions for that sort of stuff at https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html
But to boil that down a bit, you should check:
- Look at the OS routing table on both sides, make sure there are entries for the default route and opposite side LAN(s) and that those routes are pointing to the correct OpenVPN interface(s).
- When you ping from the firewall make sure to ping from both the OpenVPN interface itself (default source) and again using the LAN interface as a source. That tests routing between the LANs in both directions, not just to/from the OpenVPN interface directly, which is a much different test.
- When pinging from a client on the LAN, look at its states under Diagnostics > States on both firewalls, there should be two entries on each, one as it enters the firewall and one as it exits the firewall. If something like outbound NAT is catching it, the NAT would show in these states. If the traffic is taking the wrong path, that would also show (e.g. it should go in LAN, out VPN, in VPN, out LAN).
- If the packets are exiting a WAN unexpectedly it may be from those clients hitting a policy routing firewall rule, so you might need to add a rule above whatever rule it's hitting to pass VPN traffic without a gateway set.
That should give you a better idea of what's going on and what needs fixing.
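As an added example (not from this thread or from Netgate), a small POSIX sh helper that applies the first check above: it parses FreeBSD `netstat -rn` output and reports whether the default route and the opposite side's LAN route exist and point at an OpenVPN interface (`ovpnc*`/`ovpns*`) rather than a WAN. The embedded routing table and all addresses in it are constructed for the example; on a real firewall, leave the second argument off so the live `netstat -rn` output is read.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `netstat -rn` output, shaped like the client
# side of a pfSense site-to-site tunnel (addresses are hypothetical).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.8.0/24        link#7             U         ovpnc1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.50.0/24    10.0.8.1           UGS       ovpnc1
192.168.60.0/24    203.0.113.1        UGS         em0'

# route_iface DEST [TABLE]: print the Netif column of the entry whose
# Destination matches DEST exactly (e.g. "default" or "192.168.50.0/24").
# TABLE defaults to the live routing table; pass a captured one to test offline.
route_iface() {
    dest=$1
    table=${2:-"$(netstat -rn 2>/dev/null)"}
    printf '%s\n' "$table" | awk -v d="$dest" '$1 == d { print $4; exit }'
}

# check_lan_route REMOTE_LAN [TABLE]: returns 0 when the remote LAN is reached
# through an OpenVPN interface, 1 when the entry is missing entirely, and 2
# when it exists but points somewhere else (typically a WAN, i.e. the case
# where traffic "unexpectedly exits a WAN").
check_lan_route() {
    iface=$(route_iface "$1" "$2")
    case $iface in
        '')            echo "NO ROUTE for $1"; return 1 ;;
        ovpnc*|ovpns*) echo "OK $1 via $iface"; return 0 ;;
        *)             echo "WRONG PATH $1 via $iface (expected ovpn interface)"; return 2 ;;
    esac
}

# Stand-alone run against the constructed table: one good route, one that
# leaks to the WAN, and one that does not exist at all.
echo "default route via: $(route_iface default "$SAMPLE_ROUTES")"
check_lan_route 192.168.50.0/24 "$SAMPLE_ROUTES"
check_lan_route 192.168.60.0/24 "$SAMPLE_ROUTES"
check_lan_route 10.99.0.0/24    "$SAMPLE_ROUTES"
```

Run the same checks on both firewalls, since a route can be correct on one side and missing on the other.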
-
Hello Team
Firstly, I apologize for my English, it is not my native language. The same thing was happening to me since I updated to version 2.7.0. The solution was simple: in the OpenVPN Server, in Endpoint Configuration, they must change the protocol to "UDP IPv4 and IPv6 on all interfaces (multihome)", and problem solved for me.
Kind regards.
-
@cesargdmi said in PFSense 2.7.0 OpenVPN problems:
the solution was simple, in the OpenVPN Server, in Endpoint Configuration, they must change the protocol to "UDP IPv4 and IPv6 on all interfaces (multihome)" and problem solved for me,
"multihome" is useful if you have more than one WAN interface.
If you have more than one (1) WAN interface, then you needed this option also before 2.7.0, and this is not related to upgrading to 2.7.0. -
@jimp Same issue. I had a working multi-site VPN connection over SSL/TLS. Now only one site is working, intermittently and randomly. I can ping the sites but no UDP/TCP communication. Only the first ACK works on a TCP stream and then a reset is sent to the client, or vice versa. I'm stumbled over this issue.
-
Start your own thread, it's unlikely to be the same issues others have hit. While symptoms may be similar, there are numerous possible causes that can look the same, and trying to diagnose multiple people's issues in a single thread is not feasible.