• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

OpenVPN not working after 2.5 upgrade.

Scheduled Pinned Locked Moved OpenVPN
21 Posts 5 Posters 3.8k Views 9 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J Offline
    jimp Rebel Alliance Developer Netgate
    last edited by jimp Feb 24, 2021, 9:36 PM Feb 24, 2021, 9:36 PM

    The data ciphers change can bite some people for a couple reasons, but most don't have to do with pfSense.

    For example:

    Server: OpenVPN 2.5 with Data Ciphers list with cipher A, Fallback cipher B (used when data cipher negotiation isn't possible)
    Client: pfSense 2.4.x/OpenVPN 2.4.x with cipher set to B.

    When that client is upgraded to pfSense 2.5, it adds B to the data cipher list and sets fallback to B, and data cipher negotiation is enabled. It also adds some stock items to the list which are suggested by OpenVPN which in this example we'll say don't include A.

    In this scenario, now the client has data cipher negotiation and is negotiating with the server. The server data cipher list only includes A, the client data cipher list doesn't include A. The fallback isn't used on the server because they are both capable of negotiating, but they can't agree on a cipher.

    So post-upgrade this doesn't work, but there isn't anything pfSense should have done differently in this scenario, the server is not configured to match the client. Disabling data cipher negotiation nudges it to work because now the server is forced to use its fallback cipher in that scenario.

    tl;dr Upgrade might expose an existing misconfiguration on the remote side, and you have to change the list to match what the server wants, which may be different than what was configured before.

    Resist the temptation to disable data cipher negotiation. Eventually it won't be possible to disable, and also OpenVPN says in 3.0 they're removing the cipher choice entirely, allowing it to pick from all AEAD ciphers such as AES-GCM and ChaCha automatically.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

    J 1 Reply Last reply Feb 24, 2021, 9:40 PM Reply Quote 0
    • J Offline
      JKnott @jimp
      last edited by JKnott Feb 24, 2021, 9:44 PM Feb 24, 2021, 9:40 PM

      @jimp

      So, what are we supposed to do to get around this??? Also, why can I connect on the local LAN, but not from elsewhere? If I can connect on the local LAN, then surely the ciphers, etc. are OK.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 0
      • J Offline
        jimp Rebel Alliance Developer Netgate
        last edited by Feb 24, 2021, 9:44 PM

        Either:

        1. Fix the server.
        2. Find out what cipher the server does want, and add it to the list.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        J 1 Reply Last reply Feb 24, 2021, 9:46 PM Reply Quote 0
        • J Offline
          JKnott @jimp
          last edited by Feb 24, 2021, 9:46 PM

          @jimp

          And how the H do I do that??? I deleted the previous server config and started from scratch. What did I do wrong to cause this?

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • J Offline
            jimp Rebel Alliance Developer Netgate
            last edited by Feb 24, 2021, 9:48 PM

            Not enough info for your case, I'm talking about OP and others connecting to a third party provider.

            Yours may or may not be the same, but would be a subject for another thread if it's your own server.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            J 1 Reply Last reply Feb 24, 2021, 10:21 PM Reply Quote 0
            • J Offline
              JKnott @jimp
              last edited by Feb 24, 2021, 10:21 PM

              @jimp

              I had a working VPN between my pfsense system (2.4.5) and my notebook computer. After upgrading to 2.5.0, that VPN failed. I then deleted both the server and client configs and recreated from scratch. The problem still remains. I even tried that Legacy Client setting, as the client is 2.4.3. Given that I can connect over the local LAN, but not from outside the LAN, I don't understand how it could be an issue with ciphers or any other setting in either the server or client. Shouldn't it also fail on the local LAN, if I had any of those wrong? Also, the Allowed Data Encryption Algorithms, Fallback Data Encryption Algorithm and Auth digest algorithm are identical on server & client. I have been through configurations several times and can't see any discrepancies.

              Again, why would it connect on the local LAN, but not from outside?

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              1 Reply Last reply Reply Quote 0
              • J Offline
                jimp Rebel Alliance Developer Netgate
                last edited by Feb 24, 2021, 11:50 PM

                Without more info I can't say but it doesn't sound like the problem being discussed in this thread, so either start a different thread or continue one you already have elsewhere so the topic doesn't get hijacked.

                The problem in this thread is for clients on pfSense to remote VPN providers, not for servers on pfSense.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • S Offline
                  stevemosher @JeGr
                  last edited by Feb 26, 2021, 3:02 PM

                  @jegr said in OpenVPN not working after 2.5 upgrade.:

                  @stevemosher said in OpenVPN not working after 2.5 upgrade.:

                  2.5 is the suck until its tested properly.

                  That has nothing to do with pfSense 2.5 but with OpenVPN 2.5 that is now shipped with it. OpenVPN changed parameters and deprecated a few of thems and made others mandatory.

                  Also you both are discussing very different problems. @stevemosher obviously is using client mode to connect to some VPN provider which may still be on 2.4 and thus perhaps needs different settings now to connect from a 2.5 instance. Again not per se pfSense' fault.

                  @jknott describes a dial in scenario. Again one now has to check the clients if there are e.g. settings like NCP Ciphers active or not as 2.5 has NCP enforced and renamed to data-ciphers (one big change from OpenVPN). So that's nothing that has to be "properly" tested as again it is an OpenVPN problem, not a pfSense problem. Also check out, that now there is a checkbox in the client export settings that can generate v2.4 compat configurations when exporting configs otherwise your client has to understand the new keywords from v2.5.

                  Cheers
                  \jens

                  1 Reply Last reply Reply Quote 0
                  • S Offline
                    stevemosher
                    last edited by Feb 26, 2021, 3:05 PM

                    All I hear is 'not our problem'.

                    Just sat in another meeting to discuss buying some Palo Alto product or some FIrepower crap from Cisco.

                    So much for open source solutions.

                    1 Reply Last reply Reply Quote 0
                    • J Offline
                      jimp Rebel Alliance Developer Netgate
                      last edited by Feb 26, 2021, 4:37 PM

                      Not "not our problem" but "some things are out of our control".

                      If we can find a workaround or a way to make things behave better in our code, we'll happily change it. But thus far most of the threads have had OPs stop responding without giving us enough information to determine what can be done, or they get mixed up with 3-4 different issues and confuse people (like what was happening here).

                      See also: Changes we made at the direct suggestion of OpenVPN developers
                      https://redmine.pfsense.org/issues/10919

                      If OP or anyone that is having a problem with the VPN client scenario to a third party provider wants to pick this back up and provide more info/logs, then we can keep looking into it.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      S 1 Reply Last reply Feb 27, 2021, 1:51 PM Reply Quote 0
                      • S Offline
                        stevemosher @jimp
                        last edited by Feb 27, 2021, 1:51 PM

                        @jimp

                        @jimp said in OpenVPN not working after 2.5 upgrade.:

                        Not "not our problem" but "some things are out of our control".

                        If we can find a workaround or a way to make things behave better in our code, we'll happily change it. But thus far most of the threads have had OPs stop responding without giving us enough information to determine what can be done, or they get mixed up with 3-4 different issues and confuse people (like what was happening here).

                        See also: Changes we made at the direct suggestion of OpenVPN developers
                        https://redmine.pfsense.org/issues/10919

                        If OP or anyone that is having a problem with the VPN client scenario to a third party provider wants to pick this back up and provide more info/logs, then we can keep looking into it.

                        What am I to gain out of the url provided?

                        J 1 Reply Last reply Feb 27, 2021, 10:37 PM Reply Quote 0
                        • J Offline
                          jimp Rebel Alliance Developer Netgate @stevemosher
                          last edited by Feb 27, 2021, 10:37 PM

                          @stevemosher said in OpenVPN not working after 2.5 upgrade.:

                          What am I to gain out of the url provided?

                          Information about specific changes made in OpenVPN behavior for OpenVPN 2.5.0 which could be relevant to problems in threads like this (and others).

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          S 1 Reply Last reply Mar 5, 2021, 2:36 PM Reply Quote 0
                          • S Offline
                            stevemosher @jimp
                            last edited by stevemosher Mar 5, 2021, 2:37 PM Mar 5, 2021, 2:36 PM

                            @jimp said in OpenVPN not working after 2.5 upgrade.:

                            @stevemosher said in OpenVPN not working after 2.5 upgrade.:

                            What am I to gain out of the url provided?

                            Information about specific changes made in OpenVPN behavior for OpenVPN 2.5.0 which could be relevant to problems in threads like this (and others).

                            My eyes glaze over on some of this stuff. I was just trying to get my company back online here. You can see the entire thread is issues with 2.5. Our speeds are gone. 2 links to Nord usually got us about 80MB on the tunnels. We now get about 34MB. After this 'downgrade' they are making us buy Palo Alto products.

                            I'll say it again .. 2.5 is the suck.

                            J 1 Reply Last reply Mar 24, 2021, 10:24 AM Reply Quote 1
                            • J Offline
                              jagradang @stevemosher
                              last edited by Mar 24, 2021, 10:24 AM

                              @stevemosher Same problem from me! 2.5 really has broken openvpn badly!! Thinking of trying to find a way to downgrade maybe just to get my vpn working again!

                              S 1 Reply Last reply Mar 24, 2021, 3:48 PM Reply Quote 0
                              • S Offline
                                stevemosher @jagradang
                                last edited by Mar 24, 2021, 3:48 PM

                                @jagradang said in OpenVPN not working after 2.5 upgrade.:

                                @stevemosher Same problem from me! 2.5 really has broken openvpn badly!! Thinking of trying to find a way to downgrade maybe just to get my vpn working again!

                                We went back to 2.4.5-P1. Speeds, stability and peace from my users has returned. 2.5 is ass.

                                J 1 Reply Last reply Mar 28, 2021, 10:04 AM Reply Quote 1
                                • J Offline
                                  jagradang @stevemosher
                                  last edited by Mar 28, 2021, 10:04 AM

                                  @stevemosher I'm on the verge of reverting too.. 2.5 is a shockingly bad release. Considering they had release candidates and still not fixed this.. I think the issue is around ciphers

                                  I have managed to 'fix' the fluctuating speeds by unchecking Enable Data Encryption Negotiation and changed the Fallback Data Encryption Algorithm to AES-128.

                                  I get lots of warnings in the logs but it connects and my speeds are now consistently back to how the were before my upgrade.

                                  How that's working or why, no idea but it seems to fix it for me so guessing from your comment even though it shouldn't affect it, it is for me.

                                  Let's see how much I can out up with it before I switch back to odler release

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                    This community forum collects and processes your personal information.
                                    consent.not_received