OpenVPN says: FreeBSD ifconfig failed: external program exited with error status: 1
-
Hi there!
I want to connect pfSense as a client to an Ubuntu OpenVPN Server.
The strange thing is, yesterday all went really well.
I have assigned the client to an interface ovpnc4 (the other 3 are OpenVPN Servers) and routed some traffic through the tunnel. Last thing I know was that I changed the Monitor IP for the ovpnc4 Gateway, because it monitored the pfSense client IP x.x.x.10 and not the Ubuntu server IP x.x.x.1.
Now I cannot reconnect to the server.
pfSense is exiting due to fatal error:
Sep 19 18:54:01 openvpn 41366 Exiting due to fatal error
Sep 19 18:54:01 openvpn 41366 FreeBSD ifconfig failed: external program exited with error status: 1
Sep 19 18:54:01 openvpn 41366 /sbin/ifconfig ovpnc4 x.x.x.2 x.x.x.1 mtu 1500 netmask 255.255.255.0 up
Sep 19 18:54:01 openvpn 41366 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 19 18:54:01 openvpn 41366 ioctl(TUNSIFMODE): Device busy (errno=16)
Sep 19 18:54:01 openvpn 41366 TUN/TAP device /dev/tun4 opened
Sep 19 18:54:01 openvpn 41366 TUN/TAP device ovpnc4 exists previously, keep at program end
Sep 19 18:54:01 openvpn 41366 Incoming Data Channel: CIPHER block_size=16 iv_size=12
And Ubuntu is desperately waiting for an answer from pfSense:
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] UDPv4 READ [112] from [AF_INET][my_client]: P_CONTROL_V1 kid=0 pid=[ #12 ]
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] PUSH: Received control message: 'PUSH_REQUEST'
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] SENT CONTROL [client]: 'PUSH_REPLY,route-gateway x.x.x.1,topology subnet,ping
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] UDPv4 WRITE [78] to [AF_INET][my_client]: P_ACK_V1 kid=0 pid=[ #10 ] [ 6 ]
Sep 19 18:48:43 [my_server] ovpn-server[909]: client/[my_client] UDPv4 WRITE [241] to [AF_INET][my_client]: P_CONTROL_V1 kid=0 pid=[ #11 ]
Sep 19 18:48:46 [my_server] ovpn-server[909]: client/[my_client] UDPv4 WRITE [241] to [AF_INET][my_client]: P_CONTROL_V1 kid=0 pid=[ #12 ]
I see that this might be an issue that the subnet x.x.x.0/24 is already in use, because I messed up the ovpns4 gateway somehow. But I already deleted the gateway, the OpenVPN-Client and the ovpnc4 interface to no avail.
Can you give me any advice, how to troubleshoot this issue?
P.S.: I have not restarted the pfSense machine yet, because I like to pretend this is a production environment and rebooting the entire firewall would be a bad idea.
Kind regards,
Holger
-
I think I have found something?
"netstat -r" shows this route
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
x.x.x.1            x.x.x.10           UGHS        lo0

This might be some garbage from unnecessary experiments I have done.
How do I delete this?
route delete -net x.x.x.1/32 x.x.x.10
says
route: route has not been found
delete net x.x.x.1: gateway x.x.x.10 fib 0: not in table
and
route delete x.x.x.1
says
route: writing to routing socket: Address already in use
delete host x.x.x.1 fib 0: gateway uses the same route
I am failing to find out how to delete a route with no netmask in BSD :(
-
I have found some more.
This is apparently a known issue that is caused by changing the Monitor IP on an OpenVPN-Interface.
Here is the bug report: https://redmine.pfsense.org/issues/8142
And here the discussion linked in the report: https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734
The issue is still present in 2.4.3-RELEASE (amd64).
The only workaround I have found without resetting the system was to change the subnet of the Ubuntu OpenVPN-server to something different than x.x.x.0/24.
x.x.x.0/24 seems to be forever blocked by the non removable route.
If anyone has any updates in that regard, I would be highly interested, so please let me know!
Kind regards,
Holger
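
Added example (not part of the posts above, and not pfSense's own tooling): a check for the condition described in the thread, a leftover route inside the tunnel subnet that sits on an interface other than the tunnel's. The helper name `find_stale_routes`, the 10.8.0.0/24 subnet and the sample table are constructed for illustration. It assumes the OpenVPN client is stopped when you run it, because with the tunnel up FreeBSD also lists the interface's own address via lo0.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses below are constructed.

# Constructed `netstat -rn -f inet` output containing one leftover host route.
sample_routes() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.8.0.1           10.8.0.10          UGHS        lo0
10.9.0.0/24        10.9.0.2           UGS      ovpns1
127.0.0.1          link#4             UH          lo0
192.0.2.0/24       link#1             U           em0
EOF
}

# find_stale_routes CIDR TUNIF   (hypothetical helper)
# Reads a routing table on stdin and prints every IPv4 route whose
# destination lies inside CIDR but is bound to an interface other than TUNIF.
find_stale_routes() {
    awk -v cidr="$1" -v tun="$2" '
        function ip2int(ip,   o) {
            if (split(ip, o, ".") != 4) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            size = 2 ^ (32 - c[2])                  # addresses in the subnet
            base = int(ip2int(c[1]) / size) * size  # network address
        }
        NF >= 4 {
            dest = $1
            sub(/\/.*/, "", dest)                   # drop any /prefix length
            if (dest !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = ip2int(dest)
            if (n >= base && n < base + size && $4 != tun)
                print $1, $2, $3, $4
        }
    '
}

# On the firewall: netstat -rn -f inet | find_stale_routes 10.8.0.0/24 ovpnc4
sample_routes | find_stale_routes 10.8.0.0/24 ovpnc4
```

Any line it prints is a route that will collide with the addresses OpenVPN passes to `/sbin/ifconfig` for that subnet; empty output means the subnet is free.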