Netgate Discussion Forum
OpenVPN to 2.5.0 works?

chudak

I see people are having some issues with this, but was anyone successful running the OpenVPN server on 2.5.0 after the upgrade?

      Did clients’ ovpn configuration files require reissue?

      Thx

hypnosis4u2nv

        I had no problems with the server after the upgrade. My issues are all client related.

JKnott @hypnosis4u2nv

          @hypnosis4u2nv

          Yeah, the server runs fine, but the clients can't connect. 😉

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

hypnosis4u2nv @JKnott

@jknott I get the OpenVPN clients to connect, but I either get the entire network using the gateway or issues with aliases not connecting. I set up WireGuard and have no issues.

chudak @hypnosis4u2nv

@hypnosis4u2nv said in OpenVPN to 2.5.0 works?:

"@jknott I get the OpenVPN clients to connect, but I either get the entire network using the gateway or issues with aliases not connecting. I set up WireGuard and have no issues."

That's pretty bad in my view if you can't use OpenVPN after the upgrade :(

              Some people say they had no issues, go figure ...

hypnosis4u2nv @chudak

@chudak I've been playing with it since upgrading; I can't get it to work even though it was working prior. I also experienced a firewall crash because of it. The OpenVPN service needs work.

divsys @chudak

                  @chudak My initial experience:

Running a small network of OpenVPN-connected boxes, mostly AMD 2 GHz quad-core w/ Intel quad NICs. Sites are set up as OpenVPN servers using TLS/SSL certificates, no passwords.
The majority of sites are updated to 2.4.5p1, although a few are running older 32-bit versions.
About 40 sites in total; it has been stable for a few years (at least).

My home box runs on a gigabit fiber connection and services 36 OpenVPN clients as well as 4 OpenVPN server connections. Again, these are all fixed TLS/SSL connections.

I decided to bite the bullet and try to upgrade my home box first: made sure the few packages I had were up to date, took a backup and set it to auto-update.

The update took a "good while", perhaps 8 minutes, to complete, but the box came back as expected and I had internet. Out of 36 client connections, only one didn't come back properly.

I checked the logs and it was giving me some odd messages about negotiating a link, so on a hunch (and remembering something about preferred encryption types) I locked the link at both ends to AES-256-GCM, forced both processes to restart, and the link came back as expected.

Everything looked good, so I picked one of the remote sites as a test and again updated packages, took a backup and ran the update. This time the remote site did not come back across OpenVPN, but I was able to remote directly into the frontend and verify the site was up and showed an upgrade to 2.5.0.

Unfortunately the OpenVPN server was complaining about failed "TLS Handshake errors", which is somewhat odd as the site had been running fine for a few years at least.
Tried the usual cast of errors, recopied the TLS key from the server to the client (I normally let the server self-create its own TLS key and then copy that back to the client), to no avail.

I then went so far as to create a new CA on the server, create a server and client cert from that and install them into the server and client processes. Still no go.

And just to confuse things a little further, I have 4 OpenVPN server processes running on my home box that are working just fine on 2.5.0.

I'm still working through my debug process here, but either I'm missing something basic in a change to 2.5.0 re: certs/TLS/etc. or something is Not Right.

                  -jfp

JKnott @hypnosis4u2nv

@hypnosis4u2nv said in OpenVPN to 2.5.0 works?:

"I've been playing with it since upgrading, I can't get it to work even though it was working prior."

                    For me, the config that was working with 2.4.5 didn't with 2.5.0.


hypnosis4u2nv @JKnott

                      @jknott Yeah, I'm in the same boat. Had it working and 2.5 killed it somehow.

                      How this issue wasn't seen during development is beyond me.

chudak @hypnosis4u2nv

                        @hypnosis4u2nv

Wonder if a bug was reported about this?

hypnosis4u2nv @chudak

@chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug, but where do I begin? Is it OpenVPN or pfSense? I don't even know. My pfSense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway, forcing me to phantom edit and save to get it back up.

                          This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment.

chudak @hypnosis4u2nv

@hypnosis4u2nv said in OpenVPN to 2.5.0 works?:

"@chudak Scrolling through the forums I see lots of complaints regarding OpenVPN. I'd like to submit a bug, but where do I begin? Is it OpenVPN or pfSense? I don't even know. My pfSense crashed during my attempts to get it working. When it rebooted, it knocked out the VPN client gateway, forcing me to phantom edit and save to get it back up.

This release has serious flaws and shouldn't be out until this is fixed. The loss of connectivity is a pretty serious problem to have in deployment."

The shining side of open source is that everyone can contribute.
Pls submit, as it will benefit all of us!

                            https://redmine.pfsense.org/
                            https://github.com/pfsense/pfsense

divsys

                              @divsys Was able to get my "problem" OpenVPN site back up.

To recap: a TLS/SSL S2S connection that was previously fine under 2.4.5p1 server/client.
Converted the client to 2.5.0, left the server at 2.4.5p1, and the connection remained fine.
Once I converted the server (remote, in my case) to 2.5.0, the connection failed w/ various TLS HMAC and other handshake errors.

Chased various issues, finally disabled TLS completely to drop the variables in play, and recreated a new CA, server cert, and client cert.
Copied the certs onto the client and restarted both ends.
I started seeing
"VERIFY WARNING: depth=1, unable to get certificate ....."
for the CA I had just created, on the server and the client.
As a possible fix I went back and checked the box
"Add this Certificate Authority to the Operating System Trust Store"
on the server and client CA cert page.
I had to physically reboot both boxes for this to have any effect.
I was then able to apply the newly created CA and certs to both ends, and the link came back up.

Seems a new cert check in 2.5.0 didn't like my previously created certs from 2.4.x.
It was a little ugly to track, but reasonably simple to resolve in the end.

                              If this is a possibility moving forward, it might be nice to "prescan" previously created certs somehow to know if you're going to step into a minefield.

                              Edit: I was able to re-enable TLS once I had the certs connected properly.

                              -jfp

hypnosis4u2nv @divsys
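The symptoms divsys walks through above (odd cipher negotiation messages, "TLS Handshake errors", TLS HMAC failures, and "VERIFY WARNING: depth=1, unable to get certificate") each point at a different layer of the tunnel, and the OpenVPN log says which one you are in before you start rebuilding CAs. This is an added example, not code from the thread or from pfSense: a small triage script that classifies OpenVPN log lines per peer and maps each class to the corresponding fix from this thread. The log lines are constructed for the demo; the message patterns are OpenVPN's standard wording.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread). Layout mimics pfSense's OpenVPN
# log: "<timestamp> <process> <peer:port> <message>".
SAMPLE_LOG = """\
Feb 20 10:01:02 openvpn[1234]: 203.0.113.7:1194 TLS: Initial packet from [AF_INET]203.0.113.7:1194
Feb 20 10:01:03 openvpn[1234]: 203.0.113.7:1194 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=lab-ca
Feb 20 10:01:03 openvpn[1234]: 203.0.113.7:1194 VERIFY ERROR: depth=1, error=unable to get issuer certificate: CN=lab-ca
Feb 20 10:01:03 openvpn[1234]: 203.0.113.7:1194 TLS Error: TLS handshake failed
Feb 20 10:02:10 openvpn[1234]: 198.51.100.9:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 20 10:03:00 openvpn[1234]: 192.0.2.44:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 20 10:04:00 openvpn[1234]: 192.0.2.45:1194 OPTIONS ERROR: failed to negotiate cipher with server
"""

# Ordered from most specific to most generic; the first match wins.
RULES = [
    ("cert-chain", re.compile(r"VERIFY (WARNING|ERROR): depth=\d+")),
    ("hmac-key", re.compile(r"HMAC authentication failed")),
    ("cipher", re.compile(r"failed to negotiate cipher|cipher .* not allowed", re.I)),
    ("handshake", re.compile(r"TLS Error: TLS (handshake failed|key negotiation failed)")),
]
# Fix per class, as the thread worked them out (rebuilt CA/certs, re-copied TLS
# key, pinned AES-256-GCM at both ends).
ADVICE = {
    "cert-chain": "peer certificate chain does not validate: check CA and cert on both ends",
    "hmac-key": "tls-auth/tls-crypt key mismatch: re-copy the server's TLS key to the client",
    "cipher": "no common data cipher: pin the same cipher (e.g. AES-256-GCM) at both ends",
    "handshake": "generic handshake failure: usually a consequence of the above, or a network issue",
}
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")

def classify(message):
    """Return the failure class for one OpenVPN log message, or None if benign."""
    for cat, rx in RULES:
        if rx.search(message):
            return cat
    return None

def triage(log_text):
    """Count failure classes per peer: {peer: Counter({class: n})}."""
    per_peer = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        cat = classify(m.group("msg")) if m else None
        if cat:
            per_peer[m.group("peer")][cat] += 1
    return per_peer

def root_cause(counts):
    """Most specific class seen for a peer; generic handshake noise only if nothing else explains it."""
    for cat, _ in RULES:
        if counts.get(cat):
            return cat
    return None

if __name__ == "__main__":
    for peer, counts in triage(SAMPLE_LOG).items():
        print(f"{peer}: {root_cause(counts)} -> {ADVICE[root_cause(counts)]}")
```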

                                @divsys Thanks for sharing your troubleshooting. Going to give this a try later and configure my OpenVPN client from scratch again.

There's a known issue with non-local gateways not coming back up after boot. Did you do a reboot and confirm that they connect fine? Not sure if this pertains to those of us who use OpenVPN as a client and have specific traffic utilizing that gateway.

                                https://redmine.pfsense.org/issues/11433

divsys @hypnosis4u2nv

@hypnosis4u2nv That's not an issue for my setups.
I'm typically using this as a means of providing secure site-to-site links over multiple different LANs.
General internet traffic simply passes through the local gateway at each site.
With the exceptions I've noted, the changeover to 2.5.0 has been pretty invisible.
I'll be moving more slowly as I change over sites.
Some of the remote locations are less than accessible; I don't need to create headaches when not required.

                                  -jfp

divsys @divsys

                                    @divsys Looks like my guesses about needing the:
                                    "Add this Certificate Authority to the Operating System Trust Store"
                                    option on the CA were incorrect.
The S2S link remains stable after my previous work to rebuild the CA & certs, but I found the secondary server for road-warrior clients was not allowing any connections.
It was failing with the same "unable to get certificate" msgs.

Hunted about a few messages and found: OpenVPN 2.5.0 Certificate Verification Fails
Implemented the suggested fix and everything came back to life.
Hopefully we'll see a patch/fix for this.

                                    -jfp

hypnosis4u2nv @divsys

@divsys Appreciate the heads up. Gonna wait for a fix for all this. Right now I'm getting by as a WireGuard client.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.