Netgate Discussion Forum
    openvpn client misbehaving

    Category: 2.4 Development Snapshots
    • strangegopher

      @Derelict I unchecked both "State killing on gateway failure" and "Skip rules when gateway is down" and created a no_wan_egress tag for the kill switch, and I hope that will fix the issue. I mentioned Suricata because I saw another post here a long time ago about it, and I noticed it happening when I restarted Suricata. Edit: It still happens without Suricata enabled, so weird.

      • strangegopher

        pf is still blocking OpenVPN, but I have no idea what to do about this.

        • strangegopher

          I created a bug report: https://redmine.pfsense.org/issues/8541

          • Derelict (LAYER 8, Netgate)

            Not convinced it's a bug. Probably a misconfiguration somewhere. Just because it's a mystery right now does not mean it's a bug. Steps to reproduce from a plain install would be the first step.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • strangegopher

              @Derelict Should "Reset all states if WAN IP Address changes" be enabled?

              • Derelict (LAYER 8, Netgate)

                @strangegopher If that's what you want to have happen.


                • strangegopher

                  @Derelict Did a bit of reading about asymmetric routing: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

                  I wonder if that is what is causing this.

                  • Derelict (LAYER 8, Netgate)

                    Could be. Do you have an asymmetric routing situation? Draw out the pieces involved and it's usually obvious. That can certainly be a cause of out-of-state blocks like you are seeing.


                    • strangegopher

                      Finally figured out a workaround that limits the "write TCPv4_CLIENT: Permission denied (code=13)" message to 10 seconds max. I added "keepalive 3 10;" to the custom options, and I get this message for 10 seconds before the ping-restart, and then it connects. I have turned every setting I can think of on and off other than ramdisk, but for now I will live with this quirk.

                      • strangegopher

                        Fixed the error by changing to a hostname instead of an IP address. I compared the system logs and OpenVPN logs and noticed OpenVPN tried to connect before the WAN interface was up, so I changed it to a hostname; now it starts before WAN is up but won't connect until it can resolve the hostname.

                        Extra options:

                        remote-cert-tls server;
                        auth-nocache;
                        auth-retry nointeract;
                        tun-mtu 1500;
                        tun-mtu-extra 32;
                        mssfix 1400;
                        mlock;
                        pull-filter ignore "redirect-gateway";
                        pull-filter ignore "dhcp-option";
                        
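As an added example (not code from the thread, pfSense or OpenVPN), here is a small log-analysis script for the failure mode described in the two posts above: it groups consecutive "write TCPv4_CLIENT: Permission denied (code=13)" lines from an OpenVPN client log into outage windows and reports how long each lasted and whether it ended with a ping-restart or a completed connection, so the effect of the "keepalive 3 10" workaround can be checked against real logs rather than by eye. The log lines in SAMPLE_LOG are constructed samples, and the message strings assumed for the restart and connected events are OpenVPN's standard wording.

```python
import re
from datetime import datetime
# Constructed sample OpenVPN client log (not from the thread), in OpenVPN's default timestamp format.
SAMPLE_LOG = """\
Mon May 14 08:00:01 2018 TCP connection established with [AF_INET]203.0.113.10:1194
Mon May 14 08:00:01 2018 write TCPv4_CLIENT: Permission denied (code=13)
Mon May 14 08:00:04 2018 write TCPv4_CLIENT: Permission denied (code=13)
Mon May 14 08:00:07 2018 write TCPv4_CLIENT: Permission denied (code=13)
Mon May 14 08:00:11 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Mon May 14 08:00:12 2018 TCP connection established with [AF_INET]203.0.113.10:1194
Mon May 14 08:00:13 2018 Initialization Sequence Completed
"""
DENIED = "write TCPv4_CLIENT: Permission denied (code=13)"   # pf dropping the client's own packets
RESTART = "Inactivity timeout (--ping-restart), restarting"  # the keepalive timeout fired
CONNECTED = "Initialization Sequence Completed"
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

def parse_line(line):
    """Return (datetime, message) for a timestamped OpenVPN log line, else None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1).replace("  ", " "), "%a %b %d %H:%M:%S %Y")
    return ts, m.group(2)

def denied_windows(log_text):
    """Group runs of code=13 errors into windows (first/last, count, seconds, ended_by)."""
    windows, cur = [], None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if DENIED in msg:
            if cur is None:
                cur = {"first": ts, "last": ts, "count": 0, "ended_by": "still-blocked"}
            cur["last"], cur["count"] = ts, cur["count"] + 1
        elif cur is not None and (RESTART in msg or CONNECTED in msg):
            cur["ended_by"] = "ping-restart" if RESTART in msg else "connected"
            cur["seconds"] = (ts - cur["first"]).total_seconds()
            windows.append(cur)
            cur = None
    if cur is not None:  # log ended while the client was still being blocked
        cur["seconds"] = (cur["last"] - cur["first"]).total_seconds()
        windows.append(cur)
    return windows

def longest_outage(log_text):
    """Longest blocked window in seconds (0.0 if none) to compare with keepalive's timeout."""
    return max((w["seconds"] for w in denied_windows(log_text)), default=0.0)
```

Run it over /var/log/openvpn.log (or the OpenVPN log exported from the pfSense GUI): if longest_outage stays at or below the keepalive timeout the workaround is holding, and a window that ends "still-blocked" points at the underlying pf block rather than a timing race.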
                        • strangegopher

                          The error came back but went away when I uninstalled pfBlockerNG-devel; it only caused issues with TCP connections.
