Netgate Discussion Forum
    [Solved] : Upgrade to 2.3 broke OpenVPN

Category: Problems Installing or Upgrading pfSense Software
    13 Posts 7 Posters 3.9k Views
jc2it

      I am not an expert, but I have been reading about the update. OpenVPN in particular. Did you read these?

      https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#OpenVPN

      https://doc.pfsense.org/index.php/UpgradeGuide#Note_for_users_of_the_OpenVPN_Status_Package

bennyc

        @cheesyboofs:

        What can be the problem and what is the resolution.

        I have seen the same issue, reboot cures it. I see the issue once per x-reboots on my unit. There are a couple of redmine tickets on it.

        I've been told (all credits to pfSense support) it would be fixed by v2.3.1, in a couple of weeks…

        4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
        1x PC Engines APU2C4, 1x PC Engines APU1C4

techytim

          bennyc & cheesyboofs

          The upgrade just broke my OpenVPN too  :-[

I am using manual NAT, what Outbound NAT rules do you have, anything specific for OpenVPN?

          Thanks in advance.

mevans336

            @cheesyboofs:

            Hi Guys,

            Hope you can help.

            For the 1st time ever an in-place upgrade broke something.

            I use OpenVPN on port UDP 500 but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start with the following error.

            Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
            Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
            Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error

            Unfortunately I was remoted in at the time so lost connection.
            What can be the problem and what is the resolution.

            Many Thanks

            Cheesy

            UDP port 500 is https://en.wikipedia.org/wiki/Internet_Key_Exchange. I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

            https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#IPsec

            "Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead."

            Do you have anything under VPN - IPsec? If so, I'd disable it all or remove them if they're not in use. You can also SSH into your box, choose option 8, and type 'sockstat -4' which will show you what process is listening on port 500.

I have entries under VPN - IPSec, but nothing is listening on UDP/500 because all my IPSec entries have been manually disabled.

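The `sockstat -4` check suggested in the post above can be turned into a pre-flight test that a script runs before (re)starting OpenVPN. The following is an added example, not code from the thread or from pfSense: a POSIX shell function that parses the output of FreeBSD's `sockstat -4 -l` (IPv4, listening sockets only) and reports which process already holds the port OpenVPN wants. The sockstat output embedded in it is constructed for the demo; the process names and PIDs are assumptions (on pfSense 2.3 the IPsec daemon is strongSwan's charon, which binds UDP/500 and UDP/4500 for IKE and NAT-T).

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): pre-flight check that
# answers "is the port I want OpenVPN on already bound?" by parsing the output
# of FreeBSD's `sockstat -4 -l`. Live use on a pfSense shell would be:
#     sockstat -4 -l | openvpn_port_free udp4 500 188.220.73.192
# The sockstat output below is constructed for this demo; process names and
# PIDs are assumptions (charon is strongSwan's IKE daemon on pfSense 2.3).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     12345 10 udp4   *:500                 *:*
root     charon     12345 11 udp4   *:4500                *:*
root     sshd       1234  4  tcp4   *:22                  *:*
unbound  unbound    2345  5  udp4   192.168.1.1:53        *:*'

# check_port PROTO PORT [ADDR]
# Reads sockstat output on stdin and prints "COMMAND PID" for every socket on
# PROTO/PORT that would collide with a bind to ADDR (default "*", any address).
# A listener on *:PORT collides with any ADDR, which is why charon on *:500
# blocks an OpenVPN bind to a specific WAN address:500 as in the log above.
# IPv4 only: splitting "host:port" on the last colon does not handle IPv6.
check_port() {
    proto="$1"; port="$2"; addr="${3:-*}"
    awk -v proto="$proto" -v port="$port" -v addr="$addr" '
        NR > 1 && $5 == proto {
            n = split($6, parts, ":")
            lport = parts[n]
            lhost = substr($6, 1, length($6) - length(lport) - 1)
            if (lport == port && (lhost == "*" || addr == "*" || lhost == addr))
                print $2, $3
        }'
}

# openvpn_port_free PROTO PORT [ADDR]
# Exit 0 when the port is free, 1 when something already holds it (the holder
# is reported on stderr), so the function can gate a service start in a script.
openvpn_port_free() {
    holder=$(check_port "$@")
    if [ -n "$holder" ]; then
        echo "CONFLICT: $1/$2 is already held by: $holder" >&2
        return 1
    fi
    return 0
}

# Demo against the constructed sample: 500 is taken by charon, 1194 is free.
demo() {
    for p in 500 1194; do
        if printf '%s\n' "$SAMPLE_SOCKSTAT" | openvpn_port_free udp4 "$p" 188.220.73.192; then
            echo "udp4/$p is free for OpenVPN"
        fi
    done
}
demo
```

Running the check before the service starts gives a readable "held by charon" answer instead of the bare "Address already in use" that OpenVPN logs after it has already been brought down; it does not remove the conflict, which in this thread came from an IPsec Phase 1 entry that needed to be deleted or kept disabled.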
cheesyboofs

              @mevans336 & bennyc.

              Thanks to you both.
I will look into both of your suggestions tonight. I needed VPN back in a hurry so dropped back to a snapshot. Luckily I create a VMware snapshot before every upgrade.

If any of you are interested, here is where my pfSense firewall lives, as a VM under the boiler in my garage.

              http://www.cheesyboofs.co.uk/esxi-vsan-microserver-homelab

              Cheesy

              Author of pfSense themes:

              DARK-ORANGE

              CODE-RED

cheesyboofs

                @mevans336

                I think you've cracked it mate.
I did have a Phase 1 entry under IPSec even though disabled. I deleted it and performed an upgrade. So far so good, the OpenVPN service has started this time but I can't test it till I get to work tomorrow but I am confident you have cracked it.

                Cheers, I will have a drink to your good health tonight  ;)

                Cheesy

                Author of pfSense themes:

                DARK-ORANGE

                CODE-RED

mevans336

                  Neat, I'm a VMWare guy too. Studying for my VCP6-DCV right now actually.  :)

johnpoz (LAYER 8, Global Moderator)

                    Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

cheesyboofs

                      @johnpoz:

                      Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)

It's the only port permitted directly out of work due to the antiquated Cisco VPN we use on some of our old customer sites. And yes I just passed my VCP6-DCV exam too  8)

                      Author of pfSense themes:

                      DARK-ORANGE

                      CODE-RED

cmb

                        @mevans336:

                        I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

                        Not globally enabled, the global enable/disable checkbox just doesn't exist anymore. If you have any enabled IPsec connections, it's enabled. If you had it globally disabled pre-upgrade, then any enabled P1s will be disabled upon upgrade to retain the existing behavior. No enabled P1s means the same as globally disabled previously.

cheesyboofs

Well I had a Phase 1 entry there but NOT enabled. I performed an upgrade and somehow it became enabled, mapping to UDP port 500 and preventing the OpenVPN service from starting.
I rolled back, deleted the Phase 1 entry, then upgraded and all cooking. Whatever, it's fixed and I am a happy bunny …

                          Author of pfSense themes:

                          DARK-ORANGE

                          CODE-RED

johnpoz (LAYER 8, Global Moderator)

                            "Its the only port permitted directly out of work"

                            That sure wouldn't be standard now would it.. Openvpn bounces off a proxy just fine by the way..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.