Netgate Discussion Forum

    openvpn client misbehaving

    Category: 2.4 Development Snapshots
    21 Posts, 2 Posters, 5.6k Views
    strangegopher

      @Derelict you think it might be "Skip rules when gateway is down" option under System/Advanced/Miscellaneous?

    Derelict (Netgate)

        It would more likely be state killing on gateway failure. Are you having intermittent connectivity problems on that WAN?

        Why did you mention suricata in the first place?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    strangegopher

          @Derelict I unchecked both "State killing on gateway failure" and "Skip rules when gateway is down" and created a no_wan_egress tag for the kill switch, and I hope that will fix the issue. I mentioned suricata because I saw another post here a long time ago about it, and I noticed it happened when I restarted suricata. Edit: It still happens without suricata enabled, so weird.

    strangegopher

            PF is still blocking openvpn but I have no idea what to do about this.

    strangegopher

              I created a bug report https://redmine.pfsense.org/issues/8541

    Derelict (Netgate)

                Not convinced it's a bug. Probably a misconfiguration somewhere. Just because it's a mystery right now does not mean it's a bug. Steps to reproduce from a plain install would be the first step.

    strangegopher

                  @Derelict Should "Reset all states if WAN IP Address changes" be enabled?

    Derelict (Netgate) @strangegopher

                    @strangegopher If that's what you want to have happen.

    strangegopher

                      @Derelict Did a bit of reading about Asymmetric Routing https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

                      I wonder if that is what is causing this.

    Derelict (Netgate)

                        Could be. Do you have an asymmetric routing situation? Draw out the pieces involved and it's usually obvious. That can certainly be a cause of out-of-state blocks like you are seeing.

    strangegopher

    Finally figured out a workaround that limits the "write TCPv4_CLIENT: Permission denied (code=13)" message to 10 seconds max. I added keepalive 3 10; to the custom options, and I get this message for 10 seconds before ping-restart and then it connects. I have turned every setting I can think of on and off other than ramdisk, but for now I will live with this quirk.

    strangegopher

    Fixed the error by changing to a hostname instead of an IP address. I compared the system logs and OpenVPN logs and noticed OpenVPN tried to connect before the WAN interface was up, so I changed it to a hostname; now it starts before WAN is up but won't connect until it can resolve the hostname.

    Extra options:

                            remote-cert-tls server;
                            auth-nocache;
                            auth-retry nointeract;
                            tun-mtu 1500;
                            tun-mtu-extra 32;
                            mssfix 1400;
                            mlock;
                            pull-filter ignore "redirect-gateway";
                            pull-filter ignore "dhcp-option";
                            
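The diagnostic step in the two posts above (comparing OpenVPN and system log timestamps to see whether the client was writing before the WAN had an address, and whether the "Permission denied (code=13)" errors continue after it) can be automated. errno 13 is EACCES, which on FreeBSD is what a socket write returns when pf drops the outbound packet, so the remaining question is whether pf dropped it because the WAN's rules did not exist yet (the start-order case in the thread) or because a rule still matches once WAN is up (a floating kill-switch rule, state killing on gateway failure, an asymmetric-routing out-of-state block). The script below is an added example and not code from the thread or from pfSense; its log lines are constructed to resemble pfSense syslog output, and the WAN interface name em0, the exact rc.newwanip message text and the year handed to the parser are assumptions. It goes beyond the thread by also handling the case where the errors persist after WAN-up.

```python
import re
from datetime import datetime

# Constructed sample log excerpts in pfSense syslog style; not taken from the
# thread. WAN is assumed to be em0, and the year is assumed to be 2018 because
# syslog lines carry no year.
SYSTEM_LOG = """\
Jun  5 08:00:01 pfSense kernel: em0: link state changed to DOWN
Jun  5 08:00:09 pfSense kernel: em0: link state changed to UP
Jun  5 08:00:12 pfSense php-fpm[345]: /rc.newwanip: rc.newwanip: Info: starting on em0.
Jun  5 08:00:13 pfSense check_reload_status: Reloading filter
"""

# Case 1: the start-order problem described in the thread. Every EACCES write
# precedes rc.newwanip; the connection succeeds once WAN has an address.
OPENVPN_LOG_START_ORDER = """\
Jun  5 08:00:03 pfSense openvpn[9012]: Attempting to establish TCP connection with [AF_INET]198.51.100.20:443 [nonblock]
Jun  5 08:00:04 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
Jun  5 08:00:07 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
Jun  5 08:00:10 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
Jun  5 08:00:15 pfSense openvpn[9012]: TCP connection established with [AF_INET]198.51.100.20:443
"""

# Case 2: pf keeps dropping the writes after WAN is up, so a rule, not timing,
# is the cause.
OPENVPN_LOG_PERSISTENT = """\
Jun  5 08:00:04 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
Jun  5 08:00:20 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
Jun  5 08:00:30 pfSense openvpn[9012]: write TCPv4_CLIENT: Permission denied (code=13)
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
EACCES_WRITE = re.compile(r"write TCPv4_CLIENT: Permission denied \(code=13\)")
CONNECTED = re.compile(r"TCP connection established with")

def parse_ts(line, year=2018):
    """Timestamp of a syslog line as a datetime, or None if it has none."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hms = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")

def wan_up_time(system_log, iface, year=2018):
    """When pfSense ran rc.newwanip for iface, i.e. when the WAN got an address
    and its gateway-dependent rules were (re)loaded. None if not logged."""
    pat = re.compile(rf"rc\.newwanip: Info: starting on {re.escape(iface)}\.")
    for line in system_log.splitlines():
        if pat.search(line):
            return parse_ts(line, year)
    return None

def split_eacces(openvpn_log, wan_up, year=2018):
    """Timestamps of EACCES writes, split into before/after the WAN came up.
    With no WAN-up event nothing can be attributed, so all go to 'unknown'."""
    buckets = {"before": [], "after": [], "unknown": []}
    for line in openvpn_log.splitlines():
        if EACCES_WRITE.search(line):
            ts = parse_ts(line, year)
            if wan_up is None:
                buckets["unknown"].append(ts)
            else:
                buckets["before" if ts < wan_up else "after"].append(ts)
    return buckets

def first_connect(openvpn_log, year=2018):
    """Timestamp of the first successful TCP connect, or None."""
    for line in openvpn_log.splitlines():
        if CONNECTED.search(line):
            return parse_ts(line, year)
    return None

def diagnose(system_log, openvpn_log, iface="em0", year=2018):
    """Count EACCES writes relative to WAN-up and say what that implies."""
    wan_up = wan_up_time(system_log, iface, year)
    b = split_eacces(openvpn_log, wan_up, year)
    if wan_up is None:
        verdict = "no rc.newwanip event for the WAN in this window; cannot attribute"
    elif b["after"]:
        verdict = ("pf still drops OpenVPN writes after WAN is up: check floating "
                   "kill-switch rules, state killing on gateway failure, and "
                   "asymmetric routing")
    elif b["before"]:
        verdict = ("all EACCES writes precede WAN-up: the client started before "
                   "the WAN had rules; a hostname remote or keepalive/ping-restart "
                   "only delays the retry until WAN exists")
    else:
        verdict = "no Permission denied (code=13) writes in this window"
    return {"wan_up": wan_up, "connected": first_connect(openvpn_log, year),
            "before": len(b["before"]), "after": len(b["after"]),
            "unknown": len(b["unknown"]), "verdict": verdict}

if __name__ == "__main__":
    for name, log in (("start-order", OPENVPN_LOG_START_ORDER),
                      ("persistent", OPENVPN_LOG_PERSISTENT)):
        print(name, diagnose(SYSTEM_LOG, log))
```

On a real box the same two inputs come from `clog /var/log/system.log` and `clog /var/log/openvpn.log` (or the log views in the web GUI); the matching on rc.newwanip is the part most likely to need adjusting to the exact message text of the pfSense version in use.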
    strangegopher

    The error came back but went away when I uninstalled pfblockerng-devel; it only caused issues with TCP connections.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.