OpenVPN Issue with 2.4 upgrade

amires

I have clean installed pfSense 2.4.1 and made all the necessary configs all by hand and still have this issue. I am going to disable ip monitoring
for OpenVPN and see if that helps.

I found out that is not just a WAN IP change that triggers this, there are other circumstances involved. I manually forced WAN IP change many
times and OpenVPN client recovered successfully every time. So it is not just a WAN IP change that triggers this.

By the way I am not using OpenVPN Server, it is the OpenVPN Client that I have issues with.

UPDATE : I haven't had any more issues since I have disabled gateway monitoring on OpenVPN Client interface. My pfSense machine has been
up for 3 days now without any kind of problem.

jarrad

I spoke too soon.

It broke as soon as I added a second client.

I've since rebuilt it again from scratch and now the server won't assign itself an IP so routing internally is broken but clients can communicate.

This also coincided with the upgrade to 2.4.2.

unclebacon

Still having this same issue. It seems to happen upon any manual changes to the routes or if OpenVPN loses it's connection and attempts to reestablish it, giving these errors:

Nov 30 10:16:28	openvpn	89059	TUN/TAP device ovpnc1 exists previously, keep at program end
Nov 30 10:16:28	openvpn	89059	TUN/TAP device /dev/tun1 opened
Nov 30 10:16:28	openvpn	89059	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 30 10:16:28	openvpn	89059	/sbin/ifconfig ovpnc1 10.4.28.44 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Nov 30 10:16:28	openvpn	89059	FreeBSD ifconfig failed: external program exited with error status: 1
Nov 30 10:16:28	openvpn	89059	Exiting due to fatal error

It appears the only way to fix it (albeit temporarily) is to reboot and wait for it to happen once more.

10.4.0.1           10.4.28.44         UGHS        lo0

This is the leftover route that seems to be causing the issue, and any attempt to remove it manually gives:

[2.4.2-RELEASE][root@pfSense.local.lan]/dev: route delete 10.4.0.1
route: writing to routing socket: Address already in use
delete host 10.4.0.1 fib 0: gateway uses the same route

I have tried multiple iterations of the above route command with no success. I've manually removed the ovpnc1 interface, tun device. No luck. Any ideas?

Slugger

Hitting the same issues and I'm also using AirVPN as my vpn provider.  I have 3 OpenVPN connections on my 2.4.2 install:

Site to Site with shared key
Remote access
Client connection to AirVPN

Site to site and remote access haven't had any problems and the client connection to AirVPN only causes troubles when I've set an explicit monitor IP.  Once I removed the monitor IP, the AirVPN connection hasn't caused me any problems.  Once I add the monitor IP, the connection is fine until it drops and needs to reconnect (for whatever reason) then it won't reconnect with the same ifconfig error as reported by others.  That same static route for the monitor IP hangs around as reported by others and I simply can't get it to go away nor can I get the tunnel to AirVPN to reconnect unless I:

1. reboot pfSense OR
2. Change the port I connect to AirVPN on, which then changes the link IP on the connection from 10.6.0.0/16 to say 10.4.0.0/16 which then let's everything reconnect but with that extra static route hanging around and then when it disconnects again then I now have two static routes that hang around, etc.

And to answer the questions posed earlier in the thread:

1. Is the VPN interface assigned/enabled under the Interfaces menu? Yes
2. Does the VPN gateway have an alternate monitoring IP address? Yes (when I hit this problem, but for now I've removed the explicit monitor IP and haven't had any problems)
3. Is there a DNS server set to use the VPN gateway? No
4. Are there any manually-defined static routes set to the use VPN gateway? (there should never be, but some people add them not realizing they are a problem) No
5. Any dynamic routing protocols using the VPN? No

jimp

So now my question is this: Is there anyone having this problem that is NOT using AirVPN?

It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.

unclebacon

@jimp:

So now my question is this: Is there anyone having this problem that is NOT using AirVPN?

It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.

Here is a full log from OpenVPN set to the highest verbosity level.

https://pastebin.com/29eWQCGY

dsp3

@SirJohnEh:

Site to site and remote access haven't had any problems and the client connection to AirVPN only causes troubles when I've set an explicit monitor IP.  Once I removed the monitor IP, the AirVPN connection hasn't caused me any problems.  Once I add the monitor IP, the connection is fine until it drops and needs to reconnect (for whatever reason) then it won't reconnect with the same ifconfig error as reported by others.  That same static route for the monitor IP hangs around as reported by others and I simply can't get it to go away nor can I get the tunnel to AirVPN to reconnect unless I:

Leave gateway monitoring enabled, but do not put in an IP address to monitor. Does that work for you?

Slugger

Yes it does.  The only issue is it ends up monitoring its own IP address, which isn't very useful, but yes it does work (and it's what I'm actually doing now as a workaround).

unclebacon

That seems to be a workaround for me as well.

amires

For me the solution was to stop using AirVPN's gateway (10.4.0.1) as monitoring ip. I set 8.8.8.8 as the monitoring ip about two weeks ago and since then there were not any more OpenVPN crashes.

RHLinux

@jimp:

So now my question is this: Is there anyone having this problem that is NOT using AirVPN?

It may be triggered by some option pushed to the client by AirVPN. Rather than focusing on the disconnection, get some logs from when AirVPN connects, maybe with an increased verb level that will show what they are pushing.

Sorry for the late reply, but yes I had this issue and I am not using AirVPN, I have my own private VPN server setup and had this issue also.  Seems to be linked to the monitoring IP on the remote end.  After changing the remote monitoring end IP address it seems to clear the route in the routing table.

RHLinux

Warudo

Ran into the same issue with Mullvad.

Gabri.91

Hi @jimp I have the same issue and updated the redmine: https://redmine.pfsense.org/issues/8142

As you can see I have full control over the VPN server (and options) so I can do whatever test/log is needed in order to sort out the issue.