Upgraded from 2.6 to 2.7 and OpenVPN client no longer works
-
I have a very basic and simple setup. I connect to an external VPN via this guide:
https://mullvad.net/en/help/using-pfsense-mullvad/
This used to work fine for 2.6, but now, unfortunately, no longer works.
What happens is the following:
- I restart the OpenVPN client
- I ping from my laptop to a known external IP and I get back a result (< 20ms)
- I start browsing the internet on a browser. Sometimes something renders, but most of the time it just gets stuck.
- I try to ping the external IP again from my laptop, and I get
Request timeout for icmp_seq ...
I can repeat the instructions above and it's 100% reproducible every single time.
This is with a factory reset of 2.7, and by following the instructions on top of this post.
Do you perhaps have an idea what could be going on here?
-
@anonymouse What errors, if any, do you see in your OpenVPN log?
-
I've attached the log below.
There are two parts that I'm not too sure about:
SIGTERM[soft,exit-with-notification] received, process exiting
GDG6: problem writing to routing socket: No such process (errno=3)
The web GUI says it connected successfully and stays connected while I experience the problems described in the first post.
Jul 28 18:23:52 openvpn 70772 event_wait : Interrupted system call (fd=-1,code=4)
Jul 28 18:23:52 openvpn 70772 SIGTERM received, sending exit notification to peer
Jul 28 18:23:53 openvpn 70772 delete_route_ipv6(::/2)
Jul 28 18:23:53 openvpn 70772 delete_route_ipv6(4000::/2)
Jul 28 18:23:53 openvpn 70772 delete_route_ipv6(8000::/2)
Jul 28 18:23:53 openvpn 70772 delete_route_ipv6(c000::/2)
Jul 28 18:23:53 openvpn 70772 /sbin/ifconfig ovpnc1 10.15.0.31 -alias
Jul 28 18:23:53 openvpn 70772 /sbin/ifconfig ovpnc1 inet6 CENSORED_IPV6:1301::101d/64 -alias
Jul 28 18:23:53 openvpn 70772 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.15.0.31 255.255.0.0 init
Jul 28 18:23:53 openvpn 75022 Flushing states on OpenVPN interface ovpnc1 (Link Down)
Jul 28 18:23:53 openvpn 70772 SIGTERM[soft,exit-with-notification] received, process exiting
Jul 28 18:23:53 openvpn 88678 WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Jul 28 18:23:53 openvpn 88678 OpenVPN 2.6.4 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Jul 28 18:23:53 openvpn 88678 library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
Jul 28 18:23:53 openvpn 88678 DCO version: FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Jul 28 18:23:53 openvpn 88884 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 28 18:23:53 openvpn 88884 Initializing OpenSSL support for engine 'rdrand'
Jul 28 18:23:53 openvpn 88884 WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Jul 28 18:23:53 openvpn 88884 TCP/UDP: Preserving recently used remote address: [AF_INET]CENSORED_REMOTE_IP:80
Jul 28 18:23:53 openvpn 88884 Attempting to establish TCP connection with [AF_INET]CENSORED_REMOTE_IP:80
Jul 28 18:23:53 openvpn 88884 TCP connection established with [AF_INET]CENSORED_REMOTE_IP:80
Jul 28 18:23:53 openvpn 88884 TCPv4_CLIENT link local (bound): [AF_INET]192.168.178.23:0
Jul 28 18:23:53 openvpn 88884 TCPv4_CLIENT link remote: [AF_INET]CENSORED_REMOTE_IP:80
Jul 28 18:23:53 openvpn 88884 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 28 18:23:53 openvpn 88884 [nl-ams-ovpn-003.mullvad.net] Peer Connection Initiated with [AF_INET]CENSORED_REMOTE_IP:80
Jul 28 18:23:56 openvpn 88884 GDG6: problem writing to routing socket: No such process (errno=3)
Jul 28 18:23:56 openvpn 88884 TUN/TAP device ovpnc1 exists previously, keep at program end
Jul 28 18:23:56 openvpn 88884 TUN/TAP device /dev/tun1 opened
Jul 28 18:23:56 openvpn 88884 /sbin/ifconfig ovpnc1 10.6.0.7/16 mtu 1500 up
Jul 28 18:23:56 openvpn 88884 /sbin/ifconfig ovpnc1 inet6 CENSORED_IPV6:80::1005/64 mtu 1500 up
Jul 28 18:23:56 openvpn 88884 /usr/local/sbin/ovpn-linkup ovpnc1 1500 0 10.6.0.7 255.255.0.0 init
Jul 28 18:23:56 openvpn 88884 add_route_ipv6(::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
Jul 28 18:23:56 openvpn 88884 add_route_ipv6(4000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
Jul 28 18:23:56 openvpn 88884 add_route_ipv6(8000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
Jul 28 18:23:56 openvpn 88884 add_route_ipv6(c000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
Jul 28 18:23:56 openvpn 88884 Initialization Sequence Completed
What fascinates me is that I can keep pinging a remote host indefinitely without failure up until the point I start browsing on my laptop. At that stage, I can no longer ping anything.
Could that be a routing problem? I have no firewall rules configured for OPT1 nor OpenVPN, and I have only the default 3 LAN rules setup:
- 0/585 KiB * * * LAN Address 443 80 22 * * Anti-Lockout Rule
- 23/1.16 MiB IPv4 * LAN net * * * * none Default allow LAN to any rule
- 0/0 B IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
-
I think I found the culprit, yet I have no idea how to fix it:
Aug 5 19:49:25 pfSense filterlog[41547]: 5,,,1000000104,ovpnc1,match,block,out,4,0x0,,63,0,0,DF,6,tcp,141,10.15.0.2,OUTGOING_IP,13281,443,89,FPA,1717258034:1717258123,761365153,2048,,nop;nop;TS
I see that it also blocks the OPT1 traffic in the system log, as it mentions "Default deny rule IPv4 (1000000104)".
Does anyone see anything wrong with the instructions I posted in the first post? It doesn't mention any firewall rules on the OPT1 or OpenVPN tab. However, I have come to believe this is no longer correct. Yet when I allow any traffic, it also still doesn't work. It could potentially be asymmetric routing according to the documentation, but I use UDP as a protocol, which it mentions that it shouldn't affect it (https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html).
Any help would be greatly appreciated!
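
Added example, not part of the thread: a Python sketch that decodes the filterlog entry quoted in the last post, using the field order of pfSense's raw filter log format for IPv4/TCP, and classifies the block. The function names and triage labels are illustrative assumptions.

```python
# Field order of an IPv4/TCP entry in pfSense's raw filter log format.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id",
        "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
DEFAULT_DENY_V4 = "1000000104"  # tracker ID named in the poster's system log

# The entry quoted in the thread, addresses as censored by the poster.
SAMPLE = ("Aug 5 19:49:25 pfSense filterlog[41547]: 5,,,1000000104,ovpnc1,"
          "match,block,out,4,0x0,,63,0,0,DF,6,tcp,141,10.15.0.2,OUTGOING_IP,"
          "13281,443,89,FPA,1717258034:1717258123,761365153,2048,,nop;nop;TS")


def parse_filterlog(line):
    """Return a dict of named fields for an IPv4 filterlog line, else None."""
    if "filterlog[" not in line:
        return None
    _, sep, payload = line.partition("]: ")
    fields = payload.strip().split(",")
    header = COMMON + IPV4
    if not sep or len(fields) < len(header) or fields[8] != "4":
        return None
    entry = dict(zip(header, fields))
    if entry["proto"] == "tcp":
        entry.update(zip(TCP, fields[len(header):]))
    return entry


def triage(entry):
    """Label a blocked packet so the next troubleshooting step is clear."""
    if entry is None or entry["action"] != "block":
        return "not-a-block"
    if entry["tracker"] != DEFAULT_DENY_V4:
        return "blocked-by-explicit-rule"
    if entry["proto"] != "tcp":
        return "default-deny-non-tcp"
    # pf pass rules create TCP state only from the initial SYN by default.
    # A lone SYN hitting default deny means no pass rule matched; any other
    # flag set is a mid-connection segment for which no state was found.
    if entry.get("tcpflags") == "S":
        return "missing-pass-rule"
    return "out-of-state"


if __name__ == "__main__":
    e = parse_filterlog(SAMPLE)
    print(e["iface"], e["direction"], e["src"], e["dport"],
          e["tcpflags"], triage(e))
```
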