Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Beta 3 & 4 & RC1a : openvpn interface

    Scheduled Pinned Locked Moved General pfSense Questions
    30 Posts 7 Posters 15.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sullrich
      last edited by

      Now commited to RELENG_1 as well.

      If you are on a full installation from a shell run:

      cvs_sync.sh releng_1

      And you will be on the latest 1.0-BETA3 version.

      1 Reply Last reply Reply Quote 0
      • R
        r0n
        last edited by

        Hi,

        I juste update to RELENG_1_SNAPSHOT-04-20-2006,

        and got these errors in client mode, PKI auth mode :

        The following input errors were detected:

        * The field 'Local IP' is required.
            * The field 'Remote IP' is required.

        Even if there is no field blank. It seems to have a problem..
        By the way, this fields must not be required ..

        Could you fix this problem ?

        Regards,
        ronan

        1 Reply Last reply Reply Quote 0
        • B
          billm
          last edited by

          @r0n:

          Hi,

          I juste update to RELENG_1_SNAPSHOT-04-20-2006,

          and got these errors in client mode, PKI auth mode :

          The following input errors were detected:

          * The field 'Local IP' is required.
              * The field 'Remote IP' is required.

          Even if there is no field blank. It seems to have a problem..
          By the way, this fields must not be required ..

          Could you fix this problem ?

          Regards,
          ronan

          RELENG_1_SNAPSHOT-04-20-2006 < BETA3

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

          1 Reply Last reply Reply Quote 0
          • S
            sullrich
            last edited by

            Yes, DO NOT report problems on past versions.  The current version is Beta 3 with the hot fix applied.

            I repeat, WE DO NOT SUPPORT OLDER VERSIONS.

            1 Reply Last reply Reply Quote 0
            • R
              r0n
              last edited by

              @sullrich:

              Now commited to RELENG_1 as well.

              If you are on a full installation from a shell run:

              cvs_sync.sh releng_1

              And you will be on the latest 1.0-BETA3 version.

              I just have done this to update to RELENG_1_SNAPSHOT-04-20-2006.
              Its the latest BETA3 no ?

              ronan.

              1 Reply Last reply Reply Quote 0
              • S
                sullrich
                last edited by

                Yes, that is the latest.  Sorry, I thought you downloaded an image somewhere.

                1 Reply Last reply Reply Quote 0
                • R
                  r0n
                  last edited by

                  ok, no pbs :)

                  So, fernandotcl, what do yout hink about that ?

                  Regards,
                  ronan.

                  @r0n:

                  Hi,

                  I juste update to RELENG_1_SNAPSHOT-04-20-2006,

                  and got these errors in client mode, PKI auth mode :

                  The following input errors were detected:

                  * The field 'Local IP' is required.
                      * The field 'Remote IP' is required.

                  Even if there is no field blank. It seems to have a problem..
                  By the way, this fields must not be required ..

                  Could you fix this problem ?

                  Regards,
                  ronan

                  1 Reply Last reply Reply Quote 0
                  • F
                    fernandotcl
                    last edited by

                    Hmmm, I'll take a look at that, should be simple to fix. Today I'll be very busy, maybe by the end of day I'll take a look at it. Thanks for reporting.

                    1 Reply Last reply Reply Quote 0
                    • F
                      fernandotcl
                      last edited by

                      Hmmm wait a second… This is old stuff.

                      I think the newest code hasn't been commited to RELENG_1 yet. To update OpenVPN to HEAD, do as follows:

                      1. Backup your stuff. The files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml.
                      2. Go to CVSweb ( http://www.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/ ). Browse through CVSweb to the directory pfSense. Grab the following files: /etc/inc/openvpn.inc, /usr/local/pkg/openvpn.xml, /usr/local/pkg/openvpn_cli.xml, /usr/local/pkg/openvpn_csc.xml. When you find those files, click on them, and then click on "Download" for the newest version of the file that is available, i.e., the one in HEAD. The latest version of the files have something like: "Branches: MAIN; CVS tags: HEAD" in their description as you click them.
                      3. Install those files into pfSense. The /etc files go to /etc, the /usr/local/pkg ones go to /usr/local/pkg. If everything goes right, you'll see the changes in the interface. If not, restore your backups and post more info here.
                      1 Reply Last reply Reply Quote 0
                      • S
                        sullrich
                        last edited by

                        All files with exception of /usr/local/pkg/openvpn_csc.xm (which does not exist in head) have been MFC'd to RELENG_1.

                        To get the updates do a cvs_sync.sh RELENG_1 from a shell prompt.

                        1 Reply Last reply Reply Quote 0
                        • R
                          r0n
                          last edited by

                          Hi !

                          I have update via cvs_sync.sh. Thank for the new interface, it works fine.

                          Btw, after some time of inactivity, (hours or days), openvpn seems to be down.
                          The process "openvpn" is not present on the process list and/or the tun0 interface is up,
                          with the correct IP, but remote IP/subnet is not pingable (no openvpn logs on the remote server).

                          You need to manually launch the openvpn process to make it up, or to reboot the pfsense server.

                          What do you think about that ?

                          Regards,
                          ronan.

                          1 Reply Last reply Reply Quote 0
                          • H
                            hoba
                            last edited by

                            Sounds like the process dies for some reason. Anything in the logs? You should retest this behavior with the upcoming beta4 which is build on FreeBSD 6.1R.

                            1 Reply Last reply Reply Quote 0
                            • R
                              r0n
                              last edited by

                              I will,
                              no, there is nothing in the logs.
                              I will set the daemon to be more verbose.

                              But is there any system that monitor the openvpn, and relaunch it when it dies ?
                              (it could be usefull, but crappy cause the existents tcp sessions results to be closed)

                              regards,
                              ronan.

                              1 Reply Last reply Reply Quote 0
                              • R
                                r0n
                                last edited by

                                Hi all,

                                After some days testing 1beta4, i have these results :
                                Openvpn Client process do not crash on this new pfsense. After some days of activity, i am unable to use the vpn.
                                In the remote server side, i have these logs when i try to ping through the vpn from the client side (from pfsense).

                                WRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRW
                                RMon May 22 10:33:59 2006 us=338268 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped
                                RMon May 22 10:34:00 2006 us=338125 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped
                                RMon May 22 10:34:01 2006 us=337632 client/86.220.X.X:1194 MULTI: bad source address from client [10.255.254.6], packet dropped

                                I need to Kill openvpn process on pfsense client side and to restart it to make it working.

                                What do you think about that.The WAN interface is an ADSL line, with non-static IP.
                                Is there a way to automaticly refresh all the vpn configuration(client side & server side), make it accepting the New IP configuration ?

                                It would be nice to be able to configure a "HMAC firewall", with tls-auth ta.key in a PKI auth mode.

                                On pfsense, openvpn logs appear 2 times in the System Logs on the webgui. And not in the openvpn tab :


                                May 22 11:32:24 openvpn[17519]: Cannot allocate TUN/TAP dev dynamically
                                May 22 11:32:24 openvpn[17519]: Cannot allocate TUN/TAP dev dynamically
                                May 22 11:32:24 openvpn[17519]: Exiting
                                May 22 11:32:24 openvpn[17519]: Exiting
                                May 22 11:35:16 openvpn[18825]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
                                May 22 11:35:16 openvpn[18825]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
                                May 22 11:35:16 openvpn[18825]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                                May 22 11:35:16 openvpn[18825]: IMPORTANT: OpenVPN's default port number is now 1194, based on an officia


                                Another thing, it would be nice too to have a bigger window to add the Custom options no ? ;)

                                Thats all ! :)
                                Thanks,

                                regards,
                                ronan.

                                1 Reply Last reply Reply Quote 0
                                • N
                                  nsumner
                                  last edited by

                                  I am looking to setup OpenVPN on my system. The problem is that I can't find a way to create the keys. I would assume I should be able to using SSH but I can't find the openvpn directory. Can anybody make any suggestions?

                                  1 Reply Last reply Reply Quote 0
                                  • R
                                    r0n
                                    last edited by

                                    i have some logs to point the problem (from the pfsense openvpn client), before the crash,
                                    before the adsl rotation of the dynamic adress of the pppoe WAN interface :


                                    Mon May 22 12:49:07 2006 [server] Peer Connection Initiated with 194.X.X.X:27594
                                    Mon May 22 12:49:09 2006 gw 86.X.X.1
                                    Mon May 22 12:49:09 2006 TUN/TAP device /dev/tun0 opened
                                    Mon May 22 12:49:09 2006 /sbin/ifconfig tun0 10.255.254.6 10.255.254.5 mtu 1500 netmask 255.255.255.255 up
                                    add net 10.2.0.0: gateway 10.255.254.5
                                    add net 10.1.0.0: gateway 10.255.254.5
                                    add net 10.9.0.0: gateway 10.255.254.5
                                    add net 10.255.254.1: gateway 10.255.254.5
                                    Mon May 22 12:49:09 2006 GID set to nobody
                                    Mon May 22 12:49:09 2006 UID set to nobody
                                    Mon May 22 12:49:09 2006 Initialization Sequence Completed
                                    Tue May 23 12:48:36 2006 write UDPv4: Network is unreachable (code=51)
                                    Tue May 23 12:50:26 2006 [server] Inactivity timeout (–ping-restart), restarting
                                    Tue May 23 12:50:26 2006 SIGUSR1[soft,ping-restart] received, process restarting
                                    Tue May 23 12:50:28 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                                    Tue May 23 12:50:28 2006 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
                                    Tue May 23 12:50:28 2006 Re-using SSL/TLS context
                                    Tue May 23 12:50:28 2006 LZO compression initialized
                                    Tue May 23 12:50:28 2006 UDPv4 link local (bound): [undef]:1194
                                    Tue May 23 12:50:28 2006 UDPv4 link remote: 194.X.X.X:27594
                                    Tue May 23 12:50:29 2006 [server] Peer Connection Initiated with 194.X.X.X:27594
                                    Tue May 23 12:50:30 2006 Preserving previous TUN/TAP instance: tun0
                                    Tue May 23 12:50:30 2006 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
                                    route: must be root to alter routing table
                                    Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                                    route: must be root to alter routing table
                                    Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                                    route: must be root to alter routing table
                                    Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                                    route: must be root to alter routing table
                                    Tue May 23 12:50:30 2006 ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                                    Tue May 23 12:50:31 2006 gw 86.X.X.X.1
                                    Tue May 23 12:50:31 2006 Cannot allocate TUN/TAP dev dynamically
                                    Tue May 23 12:50:31 2006 Exiting


                                    regards,
                                    ronan.

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      fernandotcl
                                      last edited by

                                      @r0n:

                                      Yeah, looks like your server pushed you something like a different IP for the tun interface when your WAN address changed, so your client tries to change the routing tables accordinagly and OpenVPN panics cause it's already dropped its root priviledges and therefore cannot change it. That's bad. One would think OpenVPN would be smart enough to issue warnings and not simply crash if it can't change the routing table.

                                      Well, as of now, if you have access to the server, make it not push an IP address from its pool to each client. Or you can try to set up client-specific configuration so that your IP never changes, though I don't really remember if this is doable through the interface as of now (it's been long).

                                      Those are just workarounds. I'm out of ideas. We might need to run the OpenVPN client as root when dynamic IP addresses are assumed. I'm accepting suggestions.

                                      @nsummer:

                                      I have something like an interface that allows you to crate shared keys (but not a PKI) in mind. For now, just ssh into your pfSense box and enter "openvpn –genkey --static secret.key". That will create a static key that you can read with "cat secret.key". If you're considering using TLS, well, then you should know already how to create your PKI. If you don't, stick with the shared key.

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        r0n
                                        last edited by

                                        Hi fernandotcl,
                                        how are you :)

                                        Maybe, it could be usefull to add some features like :

                                        • one ping /10 minutes to the remote gateway to test the vpn, if its down 3 times –> kill and relaunch the process
                                        • monitoring the process regulary, if its absent--> relaunch

                                        What do you thing about that ? Is this too crappy ?

                                        regards,
                                        ronan.

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          fernandotcl
                                          last edited by

                                          @r0n:

                                          Hi fernandotcl,
                                          how are you :)

                                          Hello there…

                                          @r0n:

                                          • one ping /10 minutes to the remote gateway to test the vpn, if its down 3 times –> kill and relaunch the process

                                          We have that already. The keepalive directive does that. The way it's set now, each 60 seconds if no packet pass through the interface, there's a reconnection.

                                          @r0n:

                                          • monitoring the process regulary, if its absent–> relaunch

                                          Well, it isn't meant to fail, really. It fails because it expects to be able to change the system routing table. While your solution would work, I think it's more elegant to run it as root…

                                          Keep the suggestions coming. I'll prolly run OpenVPN as root, though.

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            tunge2
                                            last edited by

                                            Do you have to add an extra firewall rule for openvpn in beta 4/RC1?? We had openvpn perfectly running in beta3 but in beta4 it is not running anymore (openvpn process is running perfectly)? I can connect with an openvpn client (I get a green icon on the client with the correct IPadres) to the server but that's it. I can also not ping any hosts in the vpnsubnet? This works in Beta3 perfect (so I don’t think it is my server config?) ps. I run the openvpn process as the root user and the wheel group!

                                            I found the solution!! You have to add openvpn server config with the web-gui and not with ssh  ??? If I manual adjust the openvpnconfig with ssh it is not working but if I add it with the web-gui it is working (strange!!)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.