pfsense openvpn client to ubuntu server connects but wont reconnect
- 
 I can successfully upload the config file into pfSense from the Ubuntu server, and it connects well and works. On the server I have the extra CCD files for the client-specific override. 
 However, if for any reason the router restarts (updates to pfSense or any other reason), the VPN will not start and won't connect. I get "Unable to contact daemon:" and if I press the start button, nothing happens! I have to re-upload the file again as if I am making a new client.
 Logs show this:
 Dec 30 13:49:33 openvpn 82621 event_wait : Interrupted system call (fd=-1,code=4) 
 Dec 30 13:49:33 openvpn 82621 Closing TUN/TAP interface
 Dec 30 13:49:33 openvpn 82621 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
 Dec 30 13:49:33 openvpn 82621 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
 Dec 30 13:49:33 openvpn 11077 Flushing states on OpenVPN interface ovpnc1 (Link Down)
 Dec 30 13:49:34 openvpn 82621 SIGTERM[hard,] received, process exiting
 Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12)
 Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12)
 Dec 30 14:14:54 openvpn 22253 Use --help for more information.
- 
 This one: @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect: Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12) You see this option (taken from the pfSense Client Export page). I know, you've created your client ovpn config file on an Ubuntu OpenVPN server, but somehow the option was set in the config file. As pfSense, and thus the OpenVPN client, isn't "Windows", it tells you that it can't understand that option. 
 Open your ovpn config file in a text editor, you will find: setenv opt block-outside-dns on line 39 ;) and that option only makes sense on a Windows OpenVPN system, not a pfSense OpenVPN. Btw: it's just a message telling the admin, "what are you doing? I'm not a Windows system, I will ignore this option". @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect: Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12) This is the actual error that makes the pfSense OpenVPN client fail. Open the config file again. 
 You'll see stuff like this: somehow the ovpn config is misinterpreted, and the OpenVPN client completely fails. The line was 40 .... but that can't be true, because there it would have to start with (for example): <ca> -----BEGIN CERTIFICATE----- or, well, we already know that on line 39 you have this: setenv opt block-outside-dns. Show us your ovpn config file. 
- 
 @Gertjan thank you for your reply, this is the ovpn file (I changed the IP and certs): 
 client
 proto udp
 explicit-exit-notify
 remote 1.1.1.1 1194
 dev tun
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 remote-cert-tls server
 verify-x509-name server_11e name
 auth SHA256
 auth-nocache
 cipher AES-128-GCM
 tls-client
 pull-filter ignore redirect-gateway
 route-nopull
 route 10.8.0.0 255.255.255.0
 tls-version-min 1.2
 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
 ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3
 <ca>
 -----BEGIN CERTIFICATE-----
 111
 -----END CERTIFICATE-----
 </ca>
 <cert>
 -----BEGIN CERTIFICATE-----
 11
 -----END CERTIFICATE-----
 </cert>
 <key>
 -----BEGIN PRIVATE KEY-----
 11
 -----END PRIVATE KEY-----
 </key>
 <tls-crypt>
 # 2048 bit OpenVPN static key
 -----BEGIN OpenVPN Static key V1-----
 11
 -----END OpenVPN Static key V1-----
 </tls-crypt>
- 
 @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect: setenv opt block-outside-dns # Prevent Windows 10 DNS leak That's line 22, or close, not line 39 as your pfSense OpenVPN client said. Double check with what the OpenVPN client actually uses; it's here: /var/etc/openvpn/client1/config.ovpn (the '1' here might be a '2'). The rest of the format looks right to me. 
 Just to be sure, before importing, remove the inline comment from that line, or remove that line entirely, as it is a Windows-only option, and pfSense isn't Windows ;) 
- 
 @Gertjan I removed the line completely, now the logs show an issue with the tls-cipher: 
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
 Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
 Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
 Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
 Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
 Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
 Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
 Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
 Jan 1 22:35:23 openvpn 52243 Use --help for more information.
 Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
 Jan 1 22:37:45 openvpn 94131 Use --help for more information.
- 
 @ariban99 I tried removing the tls-cipher and hence got the second error: 
 Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
 Jan 1 22:37:45 openvpn 94131 Use --help for more information.
 But if I put it back I only get: 
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
 Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
 Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
 Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
 Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
 Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
 Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
 Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
 Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
 Jan 1 22:35:23 openvpn 52243 Use --help for more information.
- 
 @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect: tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 Hummm. Run openvpn --show-tls on the pfSense command line (the real one, console or SSH). 
 pfSense 2.7.2 or 24.11 uses a recent OpenVPN, 2.6.12, and probably doesn't support your "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" (I guess ...). I don't recall having seen these two: @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect: tls-version-min 1.2 
 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 in my config files, client or server. 
 This part: 
 <tls-crypt>
 #
 # 2048 bit OpenVPN static key
 #
 -----BEGIN OpenVPN Static key V1-----
 893c76e84187bb1e40f987c83db4d256
 affa44d8bdafead00ef6c206862f1d39
 fda1cac0ea6cd969c2f35d1777256f90
 e11433e025ae0024a2583ac71db58b55
 857f07c3e2ff571cee71e5d7070b07a4
 b5a7b74ab7a4fc9420104f0760840fed
 47ecc410d57de29ba7c75e02b91dda2d
 .......
 97577cfa0a03aa384350e49bf26d2b15
 97ba6f852d7b3531f8204a73c7f1293f
 ece32853d36402fe32c384500c0baa5d
 d98ddda17568898ed19b75671bb24467
 8c5a6102dc6ab3275c6fa36d8853b668
 -----END OpenVPN Static key V1-----
 </tls-crypt>
 is 'mandatory'. 
 Yours looks the same?
- 
 @Gertjan the output is: 
 Available TLS Ciphers, listed in order of preference:
 For TLS 1.3 and newer (--tls-ciphersuites):
 TLS_AES_256_GCM_SHA384
 TLS_CHACHA20_POLY1305_SHA256
 TLS_AES_128_GCM_SHA256
 For TLS 1.2 and older (--tls-cipher):
 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
 TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
 TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
 TLS-DHE-RSA-WITH-AES-128-CBC-SHA
 Be aware that that whether a cipher suite in this list can actually work 
 depends on the specific setup of both peers. See the man page entries of
 --tls-cipher and --show-tls for more details.
- 
 @Gertjan 
 Both my client ovpn and the server config file have:
 tls-version-min 1.2
 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
 Yes, my file has this for the TLS (I broke the real one with lines that start with 111):
 <tls-crypt>
 # 2048 bit OpenVPN static key
 -----BEGIN OpenVPN Static key V1-----
 89adff0d024f4b0cdeb8f2b5f0d7d52d
 1111ec561
 6757da21950d7bf075cbd3b9430fd552
 7861728c9db9a99c8da70d09678c4c94
 6900a656e7642edc64ada8c960f9990e
 111120e67dc1
 4b996b5309bc42e7771fe43637fdc1ce
 986ea2b7c8116b5577c503a790bc0f0d
 111e2544be6b
 ab6a818fb8dd5e212ee5f0183e43ff1b
 -----END OpenVPN Static key V1-----
 </tls-crypt>
- 
 @Gertjan 
 In case anyone has this issue, I found the solution. Besides removing the DNS line, remove the TLS key from "Custom options" under "Advanced Configuration" towards the bottom of the OpenVPN client. Then go to the top and select "Use a TLS Key", then uncheck "Automatically generate a key" and paste your key from your server there.
 Then for "TLS Key Usage Mode" change it to "TLS Encryption and Authentication".
 Now it works after saving the changes!
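 As an added example (not written by anyone in this thread, and not pfSense's or OpenVPN's own tooling), the following POSIX shell helper prepares a server-generated .ovpn before it is imported into the pfSense OpenVPN client, along the lines of the fixes that emerged above: it drops the Windows-only block-outside-dns lines that Gertjan pointed at, pulls the inline <tls-crypt> block out so it can be pasted into the client's "TLS Key" field instead of being left in "Custom options" (the working solution), and checks a pinned tls-cipher against the output of openvpn --show-tls. The sample .ovpn, its placeholder key and certificate bodies, and the stub --show-tls cipher list are all constructed for the demo; on a real box you would run openvpn --show-tls yourself and pass its output to tls_cipher_supported.

```shell
#!/bin/sh
# Added example, not from the thread: pre-process a server-generated .ovpn
# for the pfSense OpenVPN client so that nothing the importer would dump into
# "Custom options" (Windows-only options, inline key blocks) is left there.

set -eu

# Write a constructed sample that mirrors the thread's config. Certificate and
# key bodies are placeholders, not real material.
make_sample_ovpn() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
proto udp
remote 1.1.1.1 1194
dev tun
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
11111111111111111111111111111111
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
    printf '%s\n' "$f"
}

# Print the config without the block-outside-dns lines. OpenVPN on pfSense
# (FreeBSD) does not implement that option, and the "ignore-unknown-option"
# line does not help once the importer has copied it into "Custom options".
strip_windows_only() {
    grep -v 'block-outside-dns' "$1"
}

# Print the body of an inline <tag>...</tag> block, minus '#' comment lines:
# exactly what belongs in a dedicated pfSense field such as "TLS Key".
extract_inline_block() {
    awk -v tag="$2" '
        $0 == "<" tag ">"  { inblock = 1; next }
        $0 == "</" tag ">" { inblock = 0; next }
        inblock && $0 !~ /^#/ { print }
    ' "$1"
}

# Return 0 when the tls-cipher pinned in the config appears in the output of
# "openvpn --show-tls" (passed as the second argument). No pinned cipher is
# fine too: OpenVPN then negotiates from its own default list.
tls_cipher_supported() {
    want=$(awk '$1 == "tls-cipher" { print $2 }' "$1")
    [ -n "$want" ] || return 0
    printf '%s\n' "$2" | awk -v w="$want" '
        { sub(/^[ \t]+/, ""); if ($0 == w) found = 1 }
        END { exit !found }'
}

# Stand-alone demo on the constructed sample; no OpenVPN binary is needed.
sample=$(make_sample_ovpn)
echo "== config without Windows-only lines =="
strip_windows_only "$sample"
echo "== tls-crypt key to paste into the pfSense TLS Key field =="
extract_inline_block "$sample" tls-crypt
# Stub standing in for real "openvpn --show-tls" output (constructed).
show_tls_stub='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
if tls_cipher_supported "$sample" "$show_tls_stub"; then
    echo "tls-cipher is in the --show-tls list"
else
    echo "tls-cipher is NOT in the --show-tls list: drop or change it"
fi
rm -f "$sample"
```

 The extracted key goes into the client's "TLS Key" field with "TLS Key Usage Mode" set to "TLS Encryption and Authentication", which is the tls-crypt mode the server's <tls-crypt> block implies; the stripped config is what remains for the importer, so nothing of the key survives in "Custom options" to be mangled on the next restart.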
