Netgate Discussion Forum
    Broken again :( 2.4.1: Unable to start server

    OpenVPN
    5 Posts 2 Posters 1.1k Views
    jarrad

      Hi all

      I'm not sure exactly when this happened, but for some reason I can no longer manually start, or restart, my OpenVPN server.

      If I reboot, it's fine (though it won't do my gateway checks against a client that autoconnects properly) but if I go to manually restart it, it won't start.

      I have removed the instance, and rebuilt it repeatedly using the wizard and tried to tweak what's happening as far as trying to change network ranges, hardware crypto, not using a TLS key to authenticate, using a TLS key, but no joy.

      Upping the verbosity hasn't helped with logs either (at 6).

      The strange thing is, if I run and get clients to connect to it, it works fine. Just gateway checks don't work and I can't restart the service without a reboot.

      Any ideas?

      jarrad

        So strange thing.

        I rebuilt it again from scratch but I also decided to nuke the self-signed internal CA and the associated certificates as well (hadn't done that step before) and now it seems to be working.

        Thanks all!

        jarrad

          Nope, it broke again.

          I made a change to my config and I think that's what broke it.

          Config below:

          dev ovpns1
          verb 3
          dev-type tun
          dev-node /dev/tun1
          writepid /var/run/openvpn_server1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp4
          cipher AES-256-CBC
          auth SHA256
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 10.1.1.254
          tls-server
          server 10.8.0.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc/server1
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.domain.ovpn' 1"
          lport 1194
          management /var/etc/openvpn/server1.sock unix
          max-clients 10
          push "route 192.168.1.0 255.255.255.0"
          push "dhcp-option DOMAIN mydomain.net"
          push "register-dns"
          client-to-client
          ca /var/etc/openvpn/server1.ca
          cert /var/etc/openvpn/server1.cert
          key /var/etc/openvpn/server1.key
          dh /etc/dh-parameters.2048
          tls-auth /var/etc/openvpn/server1.tls-auth 0
          ncp-ciphers AES-256-GCM:AES-128-GCM
          persist-remote-ip
          float
          topology subnet
          

          This was created using the Wizard, including new CA and cert again. Yes there's a double NAT, but that existed pre-2.4.1 too and it never dropped a beat.

          jarrad

            Someone previously asked about ifconfig errors:

            Nov 14 18:34:54	openvpn	10528	FreeBSD ifconfig failed: external program exited with error status: 1
            Nov 14 18:34:54	openvpn	10528	Exiting due to fatal error
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: CMD 'state 1'
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: CMD 'status 2'
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: Client disconnected
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: CMD 'state 1'
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: CMD 'status 2'
            Nov 14 18:36:08	openvpn	79464	MANAGEMENT: Client disconnected
            Nov 14 18:36:12	openvpn	41550	OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 4 2017
            Nov 14 18:36:12	openvpn	41550	library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
            Nov 14 18:36:12	openvpn	41867	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Nov 14 18:36:12	openvpn	41867	TUN/TAP device ovpns1 exists previously, keep at program end
            Nov 14 18:36:12	openvpn	41867	TUN/TAP device /dev/tun1 opened
            Nov 14 18:36:12	openvpn	41867	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
            Nov 14 18:36:12	openvpn	41867	/sbin/ifconfig ovpns1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.0 up
            
            jimp (Rebel Alliance Developer, Netgate)
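As an added example (not code from this thread, from pfSense, or from OpenVPN), the script below triages log lines in the tab-separated format posted above and audits a server config like the one posted two replies earlier. It groups log lines by PID, reports the PID whose start attempt died on "ifconfig failed" followed by "Exiting due to fatal error", lists tun devices OpenVPN reported as already existing at start (a leftover from an instance that did not tear down), and flags privilege-related directives in the config: the commented-out `user`/`group` lines (the daemon keeps the uid it started with, root on pfSense) and `script-security` at 2 or higher, which the log's own NOTE line warns about. The sample log and config text are constructed to match the thread; the function names and finding wording are this example's own.

```python
"""Triage OpenVPN start failures from pfSense-style log lines and audit
an OpenVPN server config for privilege-related settings.

Added example: not code from the thread, pfSense or OpenVPN. Sample data
is constructed to match the format shown in the thread.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, process, pid, message, tab-separated,
# the same shape as the lines posted in the thread.
SAMPLE_LOG = """\
Nov 14 18:34:54\topenvpn\t10528\tFreeBSD ifconfig failed: external program exited with error status: 1
Nov 14 18:34:54\topenvpn\t10528\tExiting due to fatal error
Nov 14 18:36:08\topenvpn\t79464\tMANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 14 18:36:08\topenvpn\t79464\tMANAGEMENT: Client disconnected
Nov 14 18:36:12\topenvpn\t41867\tTUN/TAP device ovpns1 exists previously, keep at program end
Nov 14 18:36:12\topenvpn\t41867\t/sbin/ifconfig ovpns1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.0 up
"""

# Constructed sample config, a subset of the directives posted in the thread.
SAMPLE_CONFIG = """\
dev ovpns1
#user nobody
#group nobody
script-security 3
tls-server
server 10.8.0.0 255.255.255.0
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\t(?P<proc>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def find_fatal_starts(records):
    """Map PID -> ifconfig error message for every PID that logged an
    ifconfig failure and then exited with a fatal error."""
    by_pid = defaultdict(list)
    for rec in records:
        by_pid[rec["pid"]].append(rec["msg"])
    fatal = {}
    for pid, msgs in by_pid.items():
        reason = None
        for msg in msgs:
            if "ifconfig failed" in msg:
                reason = msg
            elif msg.startswith("Exiting due to fatal error") and reason:
                fatal[pid] = reason
    return fatal


def stale_tun_devices(records):
    """Device names OpenVPN reported as already existing when it started."""
    names = set()
    for rec in records:
        m = re.match(r"TUN/TAP device (\S+) exists previously", rec["msg"])
        if m:
            names.add(m.group(1))
    return sorted(names)


def parse_config(text):
    """OpenVPN config -> ({directive: [args...]}, {commented-out directives})."""
    opts = defaultdict(list)
    commented = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            rest = line.lstrip("#; ").split()
            if rest:
                commented.add(rest[0])
            continue
        parts = line.split(None, 1)
        opts[parts[0]].append(parts[1] if len(parts) > 1 else "")
    return opts, commented


def audit_config(text):
    """Return human-readable findings on privilege and hardening directives."""
    opts, commented = parse_config(text)
    findings = []
    for directive in ("user", "group"):
        if directive not in opts:
            note = " (commented out)" if directive in commented else ""
            findings.append(f"no '{directive}' directive: daemon keeps root{note}")
    try:
        level = int(opts.get("script-security", ["1"])[0].split()[0])
    except ValueError:
        level = 1
    if level >= 2:
        findings.append(f"script-security {level}: config may run external scripts")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt: control channel not pre-authenticated")
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fatal starts:", find_fatal_starts(recs))
    print("stale tun devices:", stale_tun_devices(recs))
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
```

Run against the real `/var/log/openvpn.log` by passing its contents to `parse_log` and the generated `/var/etc/openvpn/server1.conf` to `audit_config`; a PID in `find_fatal_starts` together with a non-empty `stale_tun_devices` list is the pattern in this thread, where a manual restart fails while the previous instance's `ovpns1` device is still configured.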

              Sounds like what people reported in this thread, see what, if any, of these things apply: https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.