[Solved] : Upgrade to 2.3 broke OpenVPN
-
Hi Guys,
Hope you can help.
For the 1st time ever an in-place upgrade broke something.
I use OpenVPN on port UDP 500 but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start with the following error.
Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error
Unfortunately I was remoted in at the time so lost connection.
What can be the problem and what is the resolution? Many Thanks
Cheesy
-
I am not an expert, but I have been reading about the update, OpenVPN in particular. Did you read these?
https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#OpenVPN
https://doc.pfsense.org/index.php/UpgradeGuide#Note_for_users_of_the_OpenVPN_Status_Package
-
What can be the problem and what is the resolution?
I have seen the same issue, reboot cures it. I see the issue once per x-reboots on my unit. There are a couple of redmine tickets on it.
I've been told (all credits to pfSense support) it would be fixed by v2.3.1, in a couple of weeks…
-
bennyc & cheesyboofs
The upgrade just broke my OpenVPN too :-[
I am using manual NAT, what Outbound NAT rules do you have, anything specific for OpenVPN?
Thanks in advance.
-
UDP port 500 is Internet Key Exchange (https://en.wikipedia.org/wiki/Internet_Key_Exchange). I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.
https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#IPsec
"Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead."
Do you have anything under VPN - IPsec? If so, I'd disable it all or remove them if they're not in use. You can also SSH into your box, choose option 8, and type 'sockstat -4' which will show you what process is listening on port 500.
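The sockstat check suggested above, as an added example that is not from this thread: a small sh script that parses `sockstat -4` style output, reports which process already owns a UDP port (the daemon holding UDP/500 would be the IKE daemon, charon on pfSense), and refuses to proceed when the port OpenVPN wants is taken. The sample output below is constructed, not captured from a real box; `port_owner` and `check_conflict` are names chosen here.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4` output (not from a real firewall).
# Columns follow FreeBSD sockstat: USER COMMAND PID FD PROTO LOCAL FOREIGN.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     1234  10 udp4   *:500                 *:*
root     charon     1234  11 udp4   *:4500                *:*
root     openvpn    65339 5  udp4   188.220.73.192:1194   *:*
root     sshd       901   4  tcp4   *:22                  *:*'

# port_owner PROTO PORT [SOCKSTAT_TEXT]
# Prints "COMMAND PID" for every socket of PROTO (udp4/tcp4) bound to PORT.
# Without a third argument it runs a live `sockstat -4` (assumed on PATH).
port_owner() {
    proto=$1; port=$2
    if [ $# -ge 3 ]; then printf '%s\n' "$3"; else sockstat -4; fi |
    awk -v proto="$proto" -v port="$port" '
        NR > 1 && $5 == proto {
            n = split($6, a, ":")        # LOCAL ADDRESS is addr:port
            if (a[n] == port) print $2, $3
        }'
}

# check_conflict PORT [SOCKSTAT_TEXT]
# Returns 0 if UDP PORT is free; returns 1 and names the holder otherwise.
# Run this before starting OpenVPN to get a clear answer instead of
# "Socket bind failed ... Address already in use".
check_conflict() {
    port=$1; shift
    owner=$(port_owner udp4 "$port" "$@")
    if [ -n "$owner" ]; then
        echo "UDP/$port already bound by: $owner" >&2
        return 1
    fi
    return 0
}

# Demo against the constructed sample: 500 is held by charon, 1195 is free.
check_conflict 500 "$SAMPLE" || echo "disable or remove the IPsec P1 first"
check_conflict 1195 "$SAMPLE" && echo "UDP/1195 is free for OpenVPN"
```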
-
I have entries under VPN - IPSec, but nothing is listening on UDP/500 because all my IPSec entries have been manually disabled.
-
@mevans336 & bennyc.
Thanks to you both.
I will look into both of your suggestions tonight. I needed VPN back in a hurry so dropped back to a snapshot. Luckily I create a VMware snapshot before every upgrade. If any of you are interested, here is where my pfSense firewall lives, as a VM under the boiler in my garage.
http://www.cheesyboofs.co.uk/esxi-vsan-microserver-homelab
Cheesy
-
I think you've cracked it mate.
I did have a Phase 1 entry under IPSec even though disabled. I deleted it and performed an upgrade. So far so good, the OpenVPN service has started this time but I can't test it till I get to work tomorrow, but I am confident you have cracked it.
Cheers, I will have a drink to your good health tonight ;)
Cheesy
-
Neat, I'm a VMWare guy too. Studying for my VCP6-DCV right now actually. :)
-
Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question.. No shit stuff prob going to break when you use non standard odd ball configurations ;)
-
Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question.. No shit stuff prob going to break when you use non standard odd ball configurations ;)
It's the only port permitted directly out of work due to the antiquated Cisco VPN we use on some of our old customer sites. And yes, I just passed my VCP6-DCV exam too 8)
-
I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.
Not globally enabled, the global enable/disable checkbox just doesn't exist anymore. If you have any enabled IPsec connections, it's enabled. If you had it globally disabled pre-upgrade, then any enabled P1s will be disabled upon upgrade to retain the existing behavior. No enabled P1s means the same as globally disabled previously.
-
Well I had a Phase 1 entry there but NOT enabled. I performed an upgrade and somehow it became enabled mapping to UDP port 500 preventing the OpenVPN service from starting.
I rolled back, deleted the Phase 1 entry, then upgraded and all is cooking. Whatever, it's fixed and I am a happy bunny …
-
"It's the only port permitted directly out of work"
That sure wouldn't be standard now would it.. OpenVPN bounces off a proxy just fine by the way..