Broken again :( 2.4.1: Unable to start server
-
Hi all
I'm not sure exactly when this happened, but for some reason I can no longer manually start, or restart, my OpenVPN server.
If I reboot, it's fine (though it won't do my gateway checks against a client that autoconnects properly) but if I go to manually restart it, it won't start.
I have removed the instance, and rebuilt it repeatedly using the wizard and tried to tweak what's happening as far as trying to change network ranges, hardware crypto, not using a TLS key to authenticate, using a TLS key, but no joy.
Upping the verbosity hasn't helped with logs either (at 6).
The strange thing is, if I run it and get clients to connect to it, it works fine. Just gateway checks don't work and I can't restart the service without a reboot.
Any ideas?
-
So strange thing.
I rebuilt it again from scratch but I also decided to nuke the self-signed internal CA and the associated certificates as well (hadn't done that step before) and now it seems to be working.
Thanks all!
-
Nope, it broke again.
I made a change to my config and I think that's what broke it.
Config below:
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.1.254
tls-server
server 10.8.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.domain.ovpn' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN mydomain.net"
push "register-dns"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
This was created using the Wizard, including a new CA and cert again. Yes, there's a double NAT, but that existed pre-2.4.1 too and it never dropped a beat.
-
Someone previously asked about ifconfig errors:
Nov 14 18:34:54 openvpn 10528 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 14 18:34:54 openvpn 10528 Exiting due to fatal error
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: CMD 'state 1'
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: CMD 'status 2'
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: Client disconnected
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: CMD 'state 1'
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: CMD 'status 2'
Nov 14 18:36:08 openvpn 79464 MANAGEMENT: Client disconnected
Nov 14 18:36:12 openvpn 41550 OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 4 2017
Nov 14 18:36:12 openvpn 41550 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Nov 14 18:36:12 openvpn 41867 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 14 18:36:12 openvpn 41867 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 14 18:36:12 openvpn 41867 TUN/TAP device /dev/tun1 opened
Nov 14 18:36:12 openvpn 41867 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 14 18:36:12 openvpn 41867 /sbin/ifconfig ovpns1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.0 up
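Added example (not from this thread, pfSense or OpenVPN): a small Python triage helper that correlates the posted config with the start-up log above, flagging the fatal ifconfig exit, a tun device still present from the earlier instance, and any mismatch between the logged ifconfig command and the config's dev/server settings. The CONFIG and LOG strings are constructed, trimmed copies of what was posted; the regexes assume the pfSense log prefix format shown above.

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the config and log lines posted in the thread.
CONFIG = """dev ovpns1
dev-node /dev/tun1
server 10.8.0.0 255.255.255.0
topology subnet"""

LOG = """Nov 14 18:34:54 openvpn 10528 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 14 18:34:54 openvpn 10528 Exiting due to fatal error
Nov 14 18:36:12 openvpn 41867 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 14 18:36:12 openvpn 41867 /sbin/ifconfig ovpns1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.0 up"""

LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) openvpn (\d+) (.*)$")  # timestamp, pid, message
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) (\S+) mtu \d+ netmask (\S+) up")


def parse_config(text):
    """Map each OpenVPN directive to its argument list; comment lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts


def triage(config_text, log_text):
    """Correlate start-up log lines with the config; return one finding string per problem."""
    opts = parse_config(config_text)
    subnet = ipaddress.ip_network("/".join(opts["server"]), strict=False)  # "10.8.0.0/255.255.255.0"
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if "ifconfig failed" in msg:
            findings.append(f"{ts} pid {pid}: ifconfig failed, this instance exits")
        elif "exists previously" in msg:
            findings.append(f"{ts} pid {pid}: tun device still present from an earlier instance")
        ifc = IFCONFIG_RE.search(msg)
        if ifc:
            dev, local, remote, _mask = ifc.groups()
            if dev != opts["dev"][0]:
                findings.append(f"{ts} pid {pid}: ifconfig device {dev} differs from config dev {opts['dev'][0]}")
            for ip in (local, remote):
                if ipaddress.ip_address(ip) not in subnet:
                    findings.append(f"{ts} pid {pid}: {ip} is outside the server subnet {subnet}")
    return findings
```

Run triage(CONFIG, LOG) against a fresh log capture after a manual restart; a finding about the device still existing next to a fatal ifconfig line points at the earlier, failed instance rather than at the config itself.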
-
Sounds like what people reported in this thread, see what, if any, of these things apply: https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734