New sg-5100 setup, one issues with OpenVPN and client device (openvpn works, but receiving a warning)

dtgate

I have a windows 10 client that is connecting and seems to be working, but I do see a warning in the OpenVPN GUI (on windows 10):

You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results

I did try to google this, but the top results take me to OpenVPN standalone server topics and not OpenVPN built into pfsense. I'll keep looking, but I'm hoping that someone can assist with solving this since I'm using OpenVPN within pfsense and not standalone.

I used 'viscosity inline config' as the profile, which is what I have done in the past based on the file name the OpenVPN client is set to use. I can't connect if I use any of the other 'windows' profiles, I don't know where else I should check for the specific redirect-gateway and/or redirect-private options.

2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:54 EDT 2020
FreeBSD 11.3-STABLE
The system is on the latest version.

Thanks.

Rico

Viscosity is proprietary and you should use this config only with the Viscosity Client.
For OpenVPN Client use Inline Configurations Most Clients

-Rico

dtgate

@Rico I used viscosity with my last pfsense setup, which was a few years ago, and I don't recall this Warning, but I don't want to use the viscosity config if I should be using something else, for windows 10.

Here is what I see when using a 'Most Clients' profile.

WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results (same as viscosity profile)

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server. (very well could be something I may need to correct, I just used OpenVPN server defaults, to my knowledge)

ERROR: Failed to apply push options (I am using a push option in my config, which was also on my last pfsense box and worked, here is the entry... push "route 10.10.15.0 255.255.255.0"

Failed to open tun/tap interface

Since I don't often set up OpenVPN on pfsense, I forget which profile I used in the past (this is being used at home and I only set it up when I upgrade pfsense, which isn't very often). However, I have been taking better notes for my installs since I have to pick certain profiles and change certain settings. This may be why I used viscosity config, in the past, I probably tried with other profile options and had these errors. It could very well be that I am doing something wrong, but since viscosity config worked, I just assumed it was the profile I was using. I don't seem to have any issues with my iOS profile and my Mac OS profile, only with windows 10 profile/OpenVPN client.

Thanks.

Rico

Failed to open tun/tap interface looks like a broken Windows OpenVPN Installation to me. Uninstall the OpenVPN Client, Reboot Windows, Install the 2.4.9 package (https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.9-I601-Win10.exe), Reboot and try again.

Push routes via the IPv4 Local network(s) box, not Custom options.

-Rico

dtgate

@Rico The route I am pushing is a network on the other end of the pfsense OpenVPN server I am connecting to. Meaning, I am connecting with OpenVPN client on windows 10 to site 1 and the network I am pushing is on site 2, which is connected via IPSEC to site 1. It works as expected, as far as I know.

My windows 10 OpenPVN install is 2.5, I can upgrade to 2.9 as you recommend, but I also have another pfsense box (a friends OpenVPN server) that I sometimes connect to and make changes, if needed. Will the current profile I have for that network break with 2.9?

Thanks

Rico

It's 2.4.9 - not 2.9
Version 2.4.9 is the exact same version as pfSense 2.4.5-p1 is running:

[2.4.5-RELEASE][admin@xxx]/root: openvpn --version
OpenVPN 2.4.9 armv6-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020

I'd just want to make sure all Options/Parameters match 100%, there are some changes in 2.5

-Rico

dtgate

@Rico Thanks, I just realized I mis-read the version number. Ok, let me try 2.4.9 and see if that makes a difference.

dtgate

@Rico I uninstalled 2.5, rebooted and installed 2.4.9, imported the Most Clients profile and wasn't even prompted for a user/password, it popped up an error message "connecting to the management interface failed" and pointed me to the log file, here is what the log file shows.

Options error: Unrecognized option or missing or extra parameter(s) in most-clients-profile.ovpn:4: data-ciphers (2.4.9) Use --help for more information.

I was able to connect using the viscosity profile, that I have been using, and this time there are no Warnings, which is good, but you stated that I shouldn't be using the viscosity profile. I do want to use the correct method, I guess getting Most Clients profile working is the new issue.

I do think I know why I had 2.5....One of the export options is windows 10, which I didn't realize meant current OpenVPN client, I took it as the current version of windows. That exports as an exe, which upgraded me to 2.5 (before making this thread, yesterday). I do see there is an option for 2.4.9 as a client export, but we haven't discussed that. Shouldn't that be the option I should be using over most clients, since I am now running 2.4.9?

Thanks.

Rico

Please post your Server configuration via screenshots.

-Rico

dtgate

This post is deleted!

dtgate

@dtgate said in New sg-5100 setup, one issues with OpenVPN and client device (openvpn works, but receiving a warning):

@rico Here is a link to the picture, https://i.imgur.com/Pn4eIH3.png

Thanks.

@Rico What do you think?

Thanks.

dtgate

I deleted the post with the link to the screenshots since it the topic/discussion has gone stale.