upgraded my 1100 to 21.05.1 and everything seems unstable now
-
@nocling Do you happen to have a link for where I can read about this? I read some of the documentation but didn't see anything about needing to reconfigure all my OpenVPN stuff.
Thanks
-
The release notes are a good starting point:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#openvpn
I use IPsec on my devices.
-
@nocling said in upgraded my 1100 to 21.05.1 and everything seems unstable now:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#openvpn
Yes it's almost certainly that if this is the first time you've tried a 21.0X release.
Check the OpenVPN logs. You should see why it's disconnecting.
Steve
-
@stephenw10 Thanks for the tips and links everyone.
I do see all sorts of errors and disconnects in the OpenVPN logs. Is this just as simple as finding the new instructions for making an OpenVPN 2.5 connection and re-doing them? Or are there going to be problems with all of the rules I've put in place to make sure certain IPs are using these profiles as well?
-
It's probably just a config mismatch between the new 2.5 client and the servers that could well still be running 2.4.
The logs should show though.
Steve
-
So I followed the walkthrough at https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm
I don't know what went wrong. It seemed like the VPN was connecting but it didn't appear to have any actual internet connection. And it appears the DNS settings in the walkthrough screwed up all my DNS so I had to restore back to the save before attempting this.
There are a lot of errors in the log, but I don't know enough about it to tell what is wrong with my configuration. Trying to attach them here to see if anyone has any suggestions.
Thanks
-
Mmm, a number of errors there indeed.
There are a bunch of times it just refuses your login:
Aug 6 14:49:33 openvpn 45746 AUTH: Received control message: AUTH_FAILED
Aug 6 14:49:33 openvpn 45746 SIGUSR1[soft,auth-failure] received, process restarting
But then it does accept it. Are you logged in somewhere else using that account perhaps?
If that happens it will usually log out the other device and then allow you to connect but then the other device will log you out! That happens at 2-3min intervals. We see that using pfSense as the server.
Then they are sending bad options:
Aug 6 14:50:07 openvpn 63887 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Aug 6 14:50:07 openvpn 63887 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Aug 6 14:50:07 openvpn 63887 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Likely those are just ignored though you did say it broke DNS....
Then there is this on a few connections:
Aug 6 14:50:16 openvpn 45746 /sbin/route add -net 10.8.2.0 10.8.2.1 255.255.255.0
Aug 6 14:50:16 openvpn 45746 ERROR: FreeBSD route add command failed: external program exited with error status: 1
That's usually a routing conflict. There is probably already a route in the table for that.
What I would do is first disable all but one client and get that working first. The logs will be easier to read.
Then set that client to 'do not pull routes' so it doesn't try to pull a default route every time. Instead use policy routes which I believe you are doing anyway.
Steve
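
The log triage described in the post above, as an added example that is not part of the original thread: a Python script that groups OpenVPN log lines by process ID and flags the three problems discussed (refused logins, rejected pushed options, failed route adds). It assumes the log line layout quoted in this thread and that each client instance logs under its own PID; the category names are made up for the example.

```python
import re
from collections import defaultdict

# Log layout as quoted in the thread: "<Mon> <day> <time> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+openvpn\s+(\d+)\s+(.*)$")

# (category, pattern) pairs; category names are hypothetical labels for this example.
RULES = [
    ("auth_failed", re.compile(r"AUTH_FAILED")),
    ("rejected_push_option",
     re.compile(r"Options error: option '([^']+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)")),
    ("route_add_failed", re.compile(r"route add command failed")),
]

def triage(lines):
    """Return {pid: {category: [detail, ...]}} for recognised problem lines."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an openvpn line in the expected layout
        timestamp, pid, message = m.groups()
        for category, pattern in RULES:
            hit = pattern.search(message)
            if hit:
                # Keep the rejected option name when the rule captures one.
                detail = hit.group(1) if hit.groups() else timestamp
                report[pid][category].append(detail)
                break
    return {pid: dict(cats) for pid, cats in report.items()}

# Sample input: the log lines quoted in this thread.
SAMPLE = """\
Aug 6 14:49:33 openvpn 45746 AUTH: Received control message: AUTH_FAILED
Aug 6 14:49:33 openvpn 45746 SIGUSR1[soft,auth-failure] received, process restarting
Aug 6 14:50:07 openvpn 63887 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Aug 6 14:50:07 openvpn 63887 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Aug 6 14:50:07 openvpn 63887 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Aug 6 14:50:16 openvpn 45746 /sbin/route add -net 10.8.2.0 10.8.2.1 255.255.255.0
Aug 6 14:50:16 openvpn 45746 ERROR: FreeBSD route add command failed: external program exited with error status: 1
""".splitlines()

if __name__ == "__main__":
    for pid, cats in triage(SAMPLE).items():
        for category, details in cats.items():
            print(f"pid {pid}: {category} x{len(details)} {details}")
```

Splitting the report by PID gives the same effect as reading one client at a time: each process's failures are listed separately instead of interleaved.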
-
@stephenw10 Hm,
I might have it working now.
I checked and I had do not pull routes already selected.
I changed
Fallback Data Encryption Algorithm: AES-256-CBC
and
Allow Compression: Refuse any non-stub compression (Most Secure)
Everything else from my original 2.4.5 build I left exactly the same. I need to do some further testing but it appears my VPNs are now working and routing properly for the IPs they should be used for.
Also, I have 5 connections allowed through Nord, and I generally use 4 or 5 of them (counting the 3 I have in pfSense), so maybe that's why it's giving that message. And those bad options are odd, because the items in that options list are taken from the NordVPN walkthrough.
Thanks for all the help
-
Aug 6 16:38:00 openvpn 89605 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=se460.nordvpn.com
Aug 6 16:38:00 openvpn 89605 VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA6
Aug 6 16:38:00 openvpn 89605 VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
Aug 6 16:38:00 openvpn 89605 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Aug 6 16:38:00 openvpn 89605 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Aug 6 16:38:00 openvpn 89605 VERIFY KU OK
Aug 6 16:38:00 openvpn 89605 Validating certificate extended key usage
Aug 6 16:38:00 openvpn 89605 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
That is in my latest logs. Even though everything is up and running it appears, why would I still be getting these certificate warnings?
-
It can't access a certificate revocation list so it can't check if the server certs have been revoked.
That's not a problem for the connection though. I doubt Nord publish a CRL, though I've never looked into it.
Steve