Netgate Discussion Forum
    OpenVPN Stopped Working with 2.3.3

ericnix

      I've had no problems with OpenVPN until upgrading to 2.3.3. Now I can never get iOS or macOS to connect. I've rebooted the server without any change.

      Anyone else having problems?

doktornotor

        With this massive amount of information, you should buy people a couple of crystal balls.

Soyokaze

You SHOULD examine the server OpenVPN logs to determine the problem.

          Need full pfSense in a cloud? PM for details!

vogelkamm

            Hi,
            Yes, I also have a problem with (all) our openVPN configurations after the upgrade to 2.3.3.
To make the problem concrete:

We are using an OpenVPN cert-based auth config with 2 intermediate CAs.
The generated config is the following (local IP and hostname changed :D):

            dev ovpns2
            verb 1
            dev-type tun
            tun-ipv6
            dev-node /dev/tun2
            writepid /var/run/openvpn_server3.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto tcp-server
            cipher AES-256-CBC
            auth SHA256
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            local 127.0.0.1
            tls-server
            server 10.10.1.0 255.255.255.0
            client-config-dir /var/etc/openvpn-csc/server2
            tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.example.com' 3"
            lport 1195
            management /var/etc/openvpn/server2.sock unix
            ca /var/etc/openvpn/server2.ca 
            cert /var/etc/openvpn/server2.cert 
            key /var/etc/openvpn/server2.key 
            dh /etc/dh-parameters.2048
            crl-verify /var/etc/openvpn/server2.crl-verify 
            tls-auth /var/etc/openvpn/server2.tls-auth 0
            topology subnet
            route 10.10.11.0 255.255.255.0
            

            and the problematic log output:

            Feb 23 22:24:02 vpn openvpn[78709]:   auth_user_pass_file = '[UNDEF]'
            Feb 23 22:24:02 vpn openvpn[78709]: OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
            Feb 23 22:24:02 vpn openvpn[78709]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
            Feb 23 22:24:02 vpn openvpn[78982]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
            Feb 23 22:24:02 vpn openvpn[78982]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Feb 23 22:24:02 vpn openvpn[78982]: Diffie-Hellman initialized with 2048 bit key
            Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
            Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 4 did not validate)
            Feb 23 22:24:02 vpn openvpn[78982]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
            Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 5 did not validate)
            Feb 23 22:24:02 vpn openvpn[78982]: Cannot load CA certificate file /var/etc/openvpn/server2.ca (only 3 of 5 entries were valid X509 names)
            Feb 23 22:24:02 vpn openvpn[78982]: Exiting due to fatal error
            

The CA file is a "bundled" CA file with the full chain.

In another config it helped to not use the bundled CA file, but not in this example. Edit: my fault, the CA cert was also "bundled".

            Kind regards
            vogelkamm

P.S.: investigating the (my) specific problem:
pfSense seems to build the CA chain correctly now!
My config with the bundled CA seems to not be necessary any more!

So: read the change log at https://doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes#OpenVPN (Improved handling of chained/intermediate CAs in OpenVPN #2800) and the ticket.
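The log above shows what happens when a CA bundle handed to OpenVPN contains the same certificate more than once: OpenSSL's X509_STORE_add_cert rejects the repeated entry ("cert already in hash table") and OpenVPN then counts only the unique entries. The following script is an added example, not code from the thread or from pfSense; it parses a PEM bundle, fingerprints each certificate's DER bytes, and reports which entries are duplicates of earlier ones. The sample bundle is constructed (its base64 bodies are placeholders, not real certificates) and is shaped like the one in the log: five entries, of which entries 4 and 5 repeat entries 1 and 2.

```python
import base64
import hashlib
import re

# Constructed sample bundle: five PEM blocks, where the 4th and 5th repeat
# the 1st and 2nd. The bodies are placeholders, not real certificates; only
# byte-for-byte DER identity matters for duplicate detection.
def _fake_pem(body: str) -> str:
    b64 = base64.b64encode(body.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "".join(_fake_pem(b) for b in
                        ["root-ca", "intermediate-1", "intermediate-2",
                         "root-ca", "intermediate-1"])

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle: str) -> list:
    """Return the SHA-256 hex fingerprint of each certificate, in bundle order."""
    fps = []
    for m in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def check_bundle(bundle: str) -> dict:
    """Mimic the behaviour seen in the log: the first copy of a certificate
    is accepted, every later identical copy is rejected as a duplicate."""
    fps = pem_fingerprints(bundle)
    seen = {}          # fingerprint -> 1-based index of first occurrence
    duplicates = []    # (duplicate entry index, index it repeats)
    for idx, fp in enumerate(fps, start=1):
        if fp in seen:
            duplicates.append((idx, seen[fp]))
        else:
            seen[fp] = idx
    return {"total": len(fps), "valid": len(seen), "duplicates": duplicates}


if __name__ == "__main__":
    result = check_bundle(SAMPLE_BUNDLE)
    for idx, first in result["duplicates"]:
        print(f"entry {idx} did not validate: duplicate of entry {first}")
    print(f"only {result['valid']} of {result['total']} entries are unique")
```

To check a real file, pass the contents of your CA file (for example the path named in the log) to check_bundle; a non-empty duplicates list means the bundle repeats certificates that pfSense 2.3.3 already supplies on its own.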

ericnix

              It appears Viscosity isn't compatible with 2.4 yet.

spyshagg

I have 8 2.3.2-RELEASE-p1 pfSenses connected with OpenVPN to a 2.3.2-RELEASE-p1 server. The only machine I upgraded to 2.3.3 can no longer connect to my OpenVPN server.

                I will create a new topic when I get access to the machine logs.

ericnix

                  I'm an idiot. Problem was me accidentally deleting the port forwarding rule on my router when deleting rules for my camera server/recorder. (I use a separate router instead of the pfSense box serving as router).

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.