What's up with OpenVPN and 2.4.5 update?
-
The OpenVPN client no longer connects on 2.4.5 after upgrading. It's been working fine for years. I see several others have current issues with site-to-site VPN. One fix was to change the --proto tcp option to --proto tcp-client
I'm using UDP with P.I.A., so I added proto udp-client to the Advanced Config > Custom Options in the client config, but that doesn't look right:
Jul 7 06:18:45 openvpn 65518 Options error: Bad protocol: 'udp-client'. Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
My ovpnc1 interface usually has an IPv4 on it when the VPN is up (of course) but it's not showing an IP at the moment (via ifconfig ovpnc1)
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::xxxx:xxxx:xxxx:beef%ovpnc1 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
After removing the tcp edit, still no IP on my ovpnc1 interface. Any thoughts? I've confirmed PIA is working by connecting with the same auth creds from my desktop.
Thanks.

Jul 7 06:15:26 openvpn 67867 SIGUSR1[soft,ping-restart] received, process restarting
Jul 7 06:15:26 openvpn 67867 Restart pause, 10 second(s)
Jul 7 06:15:36 openvpn 67867 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 7 06:15:36 openvpn 67867 Re-using SSL/TLS context
Jul 7 06:15:36 openvpn 67867 PID packet_id_init seq_backtrack=64 time_backtrack=15
Jul 7 06:15:36 openvpn 67867 PID packet_id_init seq_backtrack=64 time_backtrack=15
Jul 7 06:15:36 openvpn 67867 PID packet_id_init seq_backtrack=64 time_backtrack=15
Jul 7 06:15:36 openvpn 67867 PID packet_id_init seq_backtrack=64 time_backtrack=15
Jul 7 06:15:36 openvpn 67867 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jul 7 06:15:36 openvpn 67867 MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
Jul 7 06:15:36 openvpn 67867 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Jul 7 06:15:36 openvpn 67867 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Jul 7 06:15:36 openvpn 67867 calc_options_string_link_mtu: link-mtu 1621 -> 1569
Jul 7 06:15:36 openvpn 67867 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Jul 7 06:15:36 openvpn 67867 calc_options_string_link_mtu: link-mtu 1621 -> 1569
Jul 7 06:15:36 openvpn 67867 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
Jul 7 06:15:36 openvpn 67867 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
Jul 7 06:15:36 openvpn 67867 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.18:1197
Jul 7 06:15:36 openvpn 67867 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 7 06:15:36 openvpn 67867 UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.56:0
Jul 7 06:15:36 openvpn 67867 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.18:1197
Jul 7 06:15:36 openvpn 67867 TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jul 7 06:15:36 openvpn 67867 SENT PING
Jul 7 06:15:36 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:38 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:43 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:51 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:16:02 openvpn 67867 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Jul 7 06:16:02 openvpn 67867 SENT PING
-
@Dave-R2 nothing ‘up’ with it, working fine here. Post your VPN config screen, it looks like your key setup in pfSense is off.
-
Thanks for the quick reply. I grabbed the openvpn.zip from the docs to get an updated CA cert from those configs. Changed out the server, port and CA cert with one from the zip and it's working now. Why this coincides with the 2.4.5 update I have no idea, but clearly not an issue with pfSense.
-
Could have been another case of those SSL problems with one of the Root CAs rotating their CA cert (old one expired). Perhaps working fine without actually "touching" / restarting it but now needed the new certificate chain to reconnect.
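The thread above shows two separate things going wrong: a `--proto` value that OpenVPN rejects outright (`udp-client`), and a client that keeps retransmitting `P_CONTROL_HARD_RESET_CLIENT_V2` without ever logging a reply, which looked like a pfSense problem but was resolved by swapping in the provider's current server, port and CA certificate. The script below is an added example (not code from the thread, pfSense or OpenVPN) that automates that triage over client log lines: it validates a client `--proto` value against the allowed list printed in the poster's error message, and classifies a log as "no handshake reply" (retransmits with no `HARD_RESET_SERVER_V2` read), "certificate verification failed" (a `VERIFY ERROR` line, which is what an expired or rotated CA produces once the server does answer), or connected. The two sample logs are constructed for the example: the first mirrors the retransmit pattern posted above with a documentation IP substituted, the second uses standard OpenVPN `VERIFY ERROR` / `TLS Error` message forms. The `READ ... P_CONTROL_HARD_RESET_SERVER_V2` line shape assumes `--verb 5` or higher, as the poster's `WRITE` lines do.

```python
import re

# Allowed --proto values, copied from the "Options error: Bad protocol" message
# the original poster hit on OpenVPN 2.4.x ("proto-uninitialized" is internal).
ALLOWED_PROTO = {
    "udp", "tcp-server", "tcp-client", "tcp",
    "udp4", "tcp4-server", "tcp4-client", "tcp4",
    "udp6", "tcp6-server", "tcp6-client", "tcp6",
}

# Client-side corrections for the two mistakes discussed in the thread:
# 'udp-client' does not exist (UDP has no client/server role), and a bare 'tcp'
# in a client config is what several people changed to 'tcp-client'.
PROTO_FIXES = {
    "udp-client": "udp", "udp4-client": "udp4", "udp6-client": "udp6",
    "tcp": "tcp-client", "tcp4": "tcp4-client", "tcp6": "tcp6-client",
}


def check_client_proto(value):
    """Classify a --proto value for a *client* config.

    Returns (status, suggestion): 'invalid' means OpenVPN rejects it at parse
    time, 'warn' means it is accepted but a role-specific form exists, 'ok'
    means leave it alone.
    """
    if value not in ALLOWED_PROTO:
        return "invalid", PROTO_FIXES.get(value, "udp")
    if value in PROTO_FIXES:
        return "warn", PROTO_FIXES[value]
    return "ok", value


# Syslog-style prefix as seen in the pfSense log: "Jul 7 06:15:36 openvpn 67867 <msg>"
TS_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d openvpn \d+ (?P<msg>.*)$")
HARD_RESET_OUT = re.compile(
    r"WRITE \[\d+\] to \[AF_INET\](?P<remote>[\d.]+:\d+): P_CONTROL_HARD_RESET_CLIENT_V2")
HARD_RESET_IN = re.compile(
    r"READ \[\d+\] from \[AF_INET\][\d.]+:\d+: P_CONTROL_HARD_RESET_SERVER_V2")
VERIFY_RE = re.compile(r"VERIFY ERROR: (?P<detail>.*)")
TLS_ERR_RE = re.compile(r"TLS Error: (?P<detail>.*)")   # "TLS Warning:" lines are not errors


def triage(log_text):
    """Explain why an OpenVPN client session is not coming up.

    A VERIFY ERROR outranks "no reply": in that case the server did answer and
    the problem is trust (wrong or expired CA in the client config), not
    reachability.  Returns raw counts plus a one-line verdict.
    """
    sent = received = 0
    remotes, verify_errors, tls_errors = set(), [], []
    completed = False
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (h := HARD_RESET_OUT.search(msg)):
            sent += 1
            remotes.add(h.group("remote"))
        elif HARD_RESET_IN.search(msg):
            received += 1
        elif (v := VERIFY_RE.search(msg)):
            verify_errors.append(v.group("detail"))
        elif (t := TLS_ERR_RE.search(msg)):
            tls_errors.append(t.group("detail"))
        elif "Initialization Sequence Completed" in msg:
            completed = True

    if completed:
        verdict = "connected"
    elif verify_errors:
        verdict = ("certificate verification failed (%s): check the CA block in the "
                   "client config against the provider's current chain" % verify_errors[0])
    elif sent >= 2 and received == 0:
        verdict = ("no handshake reply from %s after %d HARD_RESET sends: check server "
                   "address, port, protocol and firewall" % (", ".join(sorted(remotes)), sent))
    elif tls_errors:
        verdict = "TLS error: " + tls_errors[0]
    else:
        verdict = "inconclusive: raise --verb to 4 or higher and retry"
    return {"hard_reset_sent": sent, "hard_reset_received": received,
            "remotes": sorted(remotes), "verify_errors": verify_errors,
            "tls_errors": tls_errors, "verdict": verdict}


# Constructed sample 1: the retransmit pattern from the thread, documentation IP.
SAMPLE_NO_REPLY = """\
Jul 7 06:15:26 openvpn 67867 SIGUSR1[soft,ping-restart] received, process restarting
Jul 7 06:15:36 openvpn 67867 UDPv4 link remote: [AF_INET]203.0.113.18:1197
Jul 7 06:15:36 openvpn 67867 TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000]
Jul 7 06:15:36 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:38 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:43 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:51 openvpn 67867 UDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
"""

# Constructed sample 2: the server answers, but the CA in the client config is stale.
SAMPLE_BAD_CA = """\
Jul 7 06:20:01 openvpn 70123 UDPv4 link remote: [AF_INET]203.0.113.18:1197
Jul 7 06:20:01 openvpn 70123 UDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:20:01 openvpn 70123 UDPv4 READ [26] from [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:20:01 openvpn 70123 VERIFY ERROR: depth=1, error=certificate has expired: C=US, O=Example VPN, CN=Example VPN CA
Jul 7 06:20:01 openvpn 70123 TLS Error: TLS object -> incoming plaintext read error
Jul 7 06:20:01 openvpn 70123 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    print(check_client_proto("udp-client"))
    for sample in (SAMPLE_NO_REPLY, SAMPLE_BAD_CA):
        print(triage(sample)["verdict"])
```

On pfSense the same lines come from Status > System Logs > OpenVPN, or `clog /var/log/openvpn.log` on older releases; feed that text to `triage()`. The distinction the verdict draws is the useful one here: four `HARD_RESET` sends with nothing read back means the packets are not reaching a listening server (wrong host, port or protocol, or a filter in between), whereas a `VERIFY ERROR` means the transport is fine and the client's trusted CA no longer validates what the server presents, which is the situation the last two posts describe.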