OpenVPN Issue with 2.4 upgrade
-
/sbin/ifconfig ovpnc1 10.4.4.12 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
FreeBSD ifconfig failed: external program exited with error status: 1
Exiting due to fatal errorI tried manually deleting the route :
route del 10.4.0.1
route: writing to routing socket: Address already in use
del host 10.4.0.1 fib 0: gateway uses the same routeIf that happens again, post the entire contents of "netstat -rn" and "ifconfig -a" and "ps uxaww | grep openvpn" before attempting to delete the route. Something else must still be running/using that address.
-
If that happens again, post the entire contents of "netstat -rn" and "ifconfig -a" and "ps uxaww | grep openvpn" before attempting to delete the route. Something else must still be running/using that address.
It happended again and it won't connect anymore. I am posting below the information your requested.
netstat -rn
Destination Gateway Flags Netif Expire default ADSL_GATEWAY UGS pppoe0 10.4.0.1 10.4.4.12 UGHS lo0 8.8.8.8 192.168.1.1 UGHS em0 127.0.0.1 link#4 UH lo0 172.16.0.0/30 link#1 U re0 172.16.0.2 link#1 UHS lo0 ADSL_GATEWAY link#8 UH pppoe0 ADSL_IP link#8 UHS lo0 192.168.1.0/24 link#2 U em0 192.168.1.2 link#2 UHS lo0 192.168.2.0/24 link#3 U em1 192.168.2.1 link#3 UHS lo0 8.8.4.4 pppoe0 UHS pppoe0ifconfig -a
re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 fe80::6666:b3ff:fe03:5569%re0 prefixlen 64 scopeid 0x1 inet 172.16.0.2 netmask 0xfffffffc broadcast 172.16.0.3 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>) status: active em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 fe80::7254:d2ff:feab:20a6%em0 prefixlen 64 scopeid 0x2 inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>) status: active em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 fe80::7254:d2ff:feab:20a7%em1 prefixlen 64 scopeid 0x3 inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 <performnud,auto_linklocal>groups: lo enc0: flags=0<> metric 0 mtu 1536 nd6 options=21 <performnud,auto_linklocal>groups: enc pflog0: flags=100 <promisc>metric 0 mtu 33160 groups: pflog pfsync0: flags=0<> metric 0 mtu 1500 groups: pfsync syncpeer: 224.0.0.240 maxupd: 128 defer: on syncok: 1 ovpnc1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500 options=80000 <linkstate>nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492 inet ADSL_IP --> ADSL_GATEWAY netmask 0xffffffff inet6 xxxx::xxxx:xxxx:xxxx:xxxx%pppoe0 prefixlen 64 scopeid 0x8 nd6 options=21<performnud,auto_linklocal></performnud,auto_linklocal></up,pointopoint,running,noarp,simplex,multicast></performnud,auto_linklocal></linkstate></pointopoint,multicast></promisc></performnud,auto_linklocal></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast>ps uxaww | grep openvpn
root 31186 0.0 0.0 14728 2432 0 S+ 22:21 0:00.00 grep openvpn -
I have the same issue.
I even went into System -> Routing and deleted the disabled gateways from there that were no longer active after removing the OpenVPN Server.
As follows:
netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 10.1.1.1 UGS re0 8.8.8.8 172.21.34.53 UGHS lo0 10.1.1.0/24 link#1 U re0 10.1.1.254 link#1 UHS lo0 10.8.0.2 10.8.0.1 UGHS lo0 61.9.242.33 10.1.1.1 UGHS re0 127.0.0.1 link#4 UH lo0 172.21.34.0/23 172.21.34.1 UGS ovpnc2 172.21.34.1 link#8 UH ovpnc2 172.21.34.53 link#8 UHS lo0 192.168.1.0/24 link#2 U re1 192.168.1.1 link#2 UHS lo0 198.18.0.1 172.21.34.53 UGHS lo0 198.18.0.2 172.21.34.53 UGHS lo0 208.67.220.220 172.21.34.53 UGHS lo0 208.67.222.222 172.21.34.53 UGHS lo0 Internet6: Destination Gateway Flags Netif Expire ::1 link#4 UH lo0 fe80::%re0/64 link#1 U re0 fe80::428d:5cff:fe52:d947%re0 link#1 UHS lo0 fe80::%re1/64 link#2 U re1 fe80::1:1%re1 link#2 UHS lo0 fe80::%lo0/64 link#4 U lo0 fe80::1%lo0 link#4 UHS lo0 fe80::428d:5cff:fe52:d947%ovpnc2 link#8 UHS lo0ps uxaww | grep openvpn root 71827 0.0 0.2 20332 6320 - Ss Tue18 18:03.62 /usr/local/sbin/openvpn --config /var/etc/openv pn/client2.conf root 89326 0.0 0.1 14728 2312 0 S+ 06:43 0:00.00 grep openvpnifconfig -a re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether 40:8d:5c:52:d9:47 hwaddr 40:8d:5c:52:d9:47 inet6 fe80::428d:5cff:fe52:d947%re0 prefixlen 64 scopeid 0x1 inet 10.1.1.254 netmask 0xffffff00 broadcast 10.1.1.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>) status: active re1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether 40:8d:5c:52:d9:45 hwaddr 40:8d:5c:52:d9:45 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active enc0: flags=0<> metric 0 mtu 1536 nd6 options=21 <performnud,auto_linklocal>groups: enc lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 <performnud,auto_linklocal>groups: lo pflog0: flags=100 <promisc>metric 0 mtu 33160 groups: pflog pfsync0: flags=0<> metric 0 mtu 1500 groups: pfsync syncpeer: 224.0.0.240 maxupd: 128 defer: on syncok: 1 ovpnc2: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500 options=80000 <linkstate>inet6 fe80::428d:5cff:fe52:d947%ovpnc2 prefixlen 64 scopeid 0x8 inet 172.21.34.53 --> 172.21.34.1 netmask 0xfffffe00 nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn Opened by PID 71827</performnud,auto_linklocal></linkstate></up,pointopoint,running,multicast></promisc></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast>I currently have no OpenVPN server configured as Ive done these commands.
-
I am also having the same issue.
netstat -rn
Routing tables Internet: Destination Gateway Flags Netif Expire default WAN1_GW UGS bge1 8.8.4.4 WAN2_GW UGHS bge2 8.8.8.8 WAN1_GW UGHS bge1 9.9.9.9 WAN2_GW UGHS bge2 10.4.0.1 10.4.28.44 UGHS lo0 127.0.0.1 link#4 UH lo0 WAN1_RANGE/24 link#2 U bge1 192.168.0.0/22 link#1 U bge0 WAN1_IP link#2 UHS lo0 192.168.1.1 link#1 UHS lo0 WAN2_RANGE/27 link#3 U bge2 WAN2_IP link#3 UHS lo0 208.67.220.220 WAN1_GW UGHS bge1 208.67.222.222 WAN2_GW UGHS bge2ifconfig -a
bge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=c009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwtso,linkstate>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 xxxx::xxx:xxxx:xxxx:xxxx%bge0 prefixlen 64 scopeid 0x1 inet 192.168.1.1 netmask 0xfffffc00 broadcast 192.168.3.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active bge1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 xxxx::xxx:xxxx:xxxx:xxxx%bge1 prefixlen 64 scopeid 0x2 inet WAN1_IP netmask 0xffffffe0 broadcast 255.255.255.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex,master>) status: active bge2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx inet6 xxxx::xxx:xxxx:xxxx:xxxx%bge2 prefixlen 64 scopeid 0x3 inet WAN2_IP netmask 0xffffffe0 broadcast 255.255.255.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex,master>) status: active lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 <performnud,auto_linklocal>groups: lo enc0: flags=0<> metric 0 mtu 1536 nd6 options=21 <performnud,auto_linklocal>groups: enc pflog0: flags=100 <promisc>metric 0 mtu 33160 groups: pflog pfsync0: flags=0<> metric 0 mtu 1500 groups: pfsync syncpeer: 224.0.0.240 maxupd: 128 defer: on syncok: 1 ovpnc1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500 options=80000 <linkstate>nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn</performnud,auto_linklocal></linkstate></pointopoint,multicast></promisc></performnud,auto_linklocal></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></full-duplex,master></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate></up,broadcast,running,simplex,multicast></full-duplex,master></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwtso,linkstate></up,broadcast,running,simplex,multicast>ps uxaww | grep openvpn
root 24877 0.0 0.0 14728 2432 0 S+ 21:21 0:00.00 grep openvpn1. Is the VPN interface assigned/enabled under the Interfaces menu? Yes.
2. Does the VPN gateway have an alternate monitoring IP address? No.
3. Is there a DNS server set to use the VPN gateway? No.
4. Are there any manually-defined static routes set to the use VPN gateway? No.
5. Any dynamic routing protocols using the VPN? No.I currently have 1 AirVPN client configured and no OpenVPN servers configured. Hope this helps.
-
An update from me.
I would say that the fault lays here:
Any OpenVPN gateways under System -> Routing that were present with an alternate monitoring IP prior to 2.4.1 are the cause of the issue.
I went through and deleted the following:
OpenVPN Server, Interface, CA, Certs, GatewaysI am now able to
- Stop and start the OpenVPN server correctly without having to reboot
- Have alternate IP monitoring respond correctly via dpinger.
-
An update from me.
I would say that the fault lays here:
Any OpenVPN gateways under System -> Routing that were present with an alternate monitoring IP prior to 2.4.1 are the cause of the issue.
I went through and deleted the following:
OpenVPN Server, Interface, CA, Certs, GatewaysI am now able to
- Stop and start the OpenVPN server correctly without having to reboot
- Have alternate IP monitoring respond correctly via dpinger.
That is good to know. I also cleared all the above but still had some issues. I also had an alternative monitoring IP address (monitoring the other end of the link) and had this issue only when upgrading. I ended up changing the IP address of the link and rebooted the system. This seemed to fix the problem.
RHLinux
-
I have clean installed pfSense 2.4.1 and made all the necessary configs all by hand and still have this issue. I am going to disable ip monitoring
for OpenVPN and see if that helps.I found out that is not just a WAN IP change that triggers this, there are other circumstances involved. I manually forced WAN IP change many
times and OpenVPN client recovered successfully every time. So it is not just a WAN IP change that triggers this.By the way I am not using OpenVPN Server, it is the OpenVPN Client that I have issues with.
UPDATE : I haven't had any more issues since I have disabled gateway monitoring on OpenVPN Client interface. My pfSense machine has been
up for 3 days now without any kind of problem. -
I spoke too soon.
It broke as soon as I added a second client.
I've since rebuilt it again from scratch and now the server won't assign itself an IP so routing internally is broken but clients can communicate.
This also coincided with the upgrade to 2.4.2.
-
Still having this same issue. It seems to happen upon any manual changes to the routes or if OpenVPN loses it's connection and attempts to reestablish it, giving these errors:
Nov 30 10:16:28 openvpn 89059 TUN/TAP device ovpnc1 exists previously, keep at program end Nov 30 10:16:28 openvpn 89059 TUN/TAP device /dev/tun1 opened Nov 30 10:16:28 openvpn 89059 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Nov 30 10:16:28 openvpn 89059 /sbin/ifconfig ovpnc1 10.4.28.44 10.4.0.1 mtu 1500 netmask 255.255.0.0 up Nov 30 10:16:28 openvpn 89059 FreeBSD ifconfig failed: external program exited with error status: 1 Nov 30 10:16:28 openvpn 89059 Exiting due to fatal errorIt appears the only way to fix it (albeit temporarily) is to reboot and wait for it to happen once more.
10.4.0.1 10.4.28.44 UGHS lo0This is the leftover route that seems to be causing the issue, and any attempt to remove it manually gives:
[2.4.2-RELEASE][root@pfSense.local.lan]/dev: route delete 10.4.0.1 route: writing to routing socket: Address already in use delete host 10.4.0.1 fib 0: gateway uses the same routeI have tried multiple iterations of the above route command with no success. I've manually removed the ovpnc1 interface, tun device. No luck. Any ideas?
-
Hitting the same issues and I'm also using AirVPN as my vpn provider. I have 3 OpenVPN connections on my 2.4.2 install:
Site to Site with shared key
Remote access
Client connection to AirVPNSite to site and remote access haven't had any problems and the client connection to AirVPN only causes troubles when I've set an explicit monitor IP. Once I removed the monitor IP, the AirVPN connection hasn't caused me any problems. Once I add the monitor IP, the connection is fine until it drops and needs to reconnect (for whatever reason) then it won't reconnect with the same ifconfig error as reported by others. That same static route for the monitor IP hangs around as reported by others and I simply can't get it to go away nor can I get the tunnel to AirVPN to reconnect unless I:
- reboot pfSense OR
- Change the port I connect to AirVPN on, which then changes the link IP on the connection from 10.6.0.0/16 to say 10.4.0.0/16 which then let's everything reconnect but with that extra static route hanging around and then when it disconnects again then I now have two static routes that hang around, etc.
And to answer the questions posed earlier in the thread:
1. Is the VPN interface assigned/enabled under the Interfaces menu? Yes
2. Does the VPN gateway have an alternate monitoring IP address? Yes (when I hit this problem, but for now I've removed the explicit monitor IP and haven't had any problems)
3. Is there a DNS server set to use the VPN gateway? No
4. Are there any manually-defined static routes set to the use VPN gateway? (there should never be, but some people add them not realizing they are a problem) No
5. Any dynamic routing protocols using the VPN? No -
So now my question is this: Is there anyone having this problem that is NOT using AirVPN?
It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.
-
So now my question is this: Is there anyone having this problem that is NOT using AirVPN?
It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.
Here is a full log from OpenVPN set to the highest verbosity level.
https://pastebin.com/29eWQCGY
-
@SirJohnEh:
Site to site and remote access haven't had any problems and the client connection to AirVPN only causes troubles when I've set an explicit monitor IP. Once I removed the monitor IP, the AirVPN connection hasn't caused me any problems. Once I add the monitor IP, the connection is fine until it drops and needs to reconnect (for whatever reason) then it won't reconnect with the same ifconfig error as reported by others. That same static route for the monitor IP hangs around as reported by others and I simply can't get it to go away nor can I get the tunnel to AirVPN to reconnect unless I:
Leave gateway monitoring enabled, but do not put in an IP address to monitor. Does that work for you?
-
Yes it does. The only issue is it ends up monitoring its own IP address, which isn't very useful, but yes it does work (and it's what I'm actually doing now as a workaround).
-
That seems to be a workaround for me as well.
-
For me the solution was to stop using AirVPN's gateway (10.4.0.1) as monitoring ip. I set 8.8.8.8 as the monitoring ip about two weeks ago and since then there were not any more OpenVPN crashes.
-
So now my question is this: Is there anyone having this problem that is NOT using AirVPN?
It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.
Sorry for the late reply, but yes I had this issue and I am not using AirVPN, I have my own private VPN server setup and had this issue also. Seems to be linked to the monitoring IP on the remote end. After changing the remote monitoring end IP address it seems to clear the route in the routing table.
RHLinux
-
Ran into the same issue with Mullvad.
-
Hi @jimp I have the same issue and updated the redmine: https://redmine.pfsense.org/issues/8142
As you can see I have full control over the VPN server (and options) so I can do whatever test/log is needed in order to sort out the issue.
