[OpenVPN] - Exiting due to fatal error



  • I'm having a hard time trying to configure Pfsense's OpenVpn-client to connect to ExpressVPN.
    Everything should be configured the correct way if i'm not mistaken, but i do see this error message in the log and i can't get an IP add.

    I for sure hope some of your guys knows what is going on here, because i don't  :(

    	openvpn	93023	FreeBSD ifconfig failed: external program exited with error status: 1
    Oct 11 19:39:39	openvpn	93023	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
    Oct 11 19:39:39	openvpn	93023	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Oct 11 19:39:39	openvpn	93023	TUN/TAP device /dev/tun1 opened
    Oct 11 19:39:36	openvpn	93023	[Server] Peer Connection Initiated with [AF_INET]173.244.55.58:1195
    Oct 11 19:39:36	openvpn	93023	WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Oct 11 19:39:36	openvpn	93023	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
    Oct 11 19:39:36	openvpn	93023	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 11 19:39:36	openvpn	93023	UDPv4 link remote: [AF_INET]173.244.55.58:1195
    Oct 11 19:39:36	openvpn	93023	UDPv4 link local (bound): [AF_INET]xx.xxx.xx.xxx
    Oct 11 19:39:36	openvpn	93023	Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Oct 11 19:39:36	openvpn	93023	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 11 19:39:36	openvpn	93023	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 11 19:39:36	openvpn	92936	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    Oct 11 19:39:36	openvpn	92936	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Oct 11 19:39:36	openvpn	92936	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    Oct 11 19:36:26	openvpn	66148	Exiting due to fatal error
    Oct 11 19:36:26	openvpn	66148	FreeBSD ifconfig failed: external program exited with error status: 1
    Oct 11 19:36:26	openvpn	66148	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
    Oct 11 19:36:26	openvpn	66148	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Oct 11 19:36:26	openvpn	66148	TUN/TAP device /dev/tun1 opened
    Oct 11 19:36:24	openvpn	66148	[Server] Peer Connection Initiated with [AF_INET]173.244.55.58:1195
    Oct 11 19:36:24	openvpn	66148	WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Oct 11 19:36:24	openvpn	66148	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
    Oct 11 19:36:23	openvpn	66148	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 11 19:36:23	openvpn	66148	UDPv4 link remote: [AF_INET]173.244.55.58:1195
    Oct 11 19:36:23	openvpn	66148	UDPv4 link local (bound): [AF_INET]xx.xxx.xx.xxx
    Oct 11 19:36:23	openvpn	66148	Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Oct 11 19:36:23	openvpn	66148	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 11 19:36:23	openvpn	66148	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 11 19:36:23	openvpn	66062	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    Oct 11 19:36:23	openvpn	66062	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Oct 11 19:36:23	openvpn	66062	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    

  • Rebel Alliance Developer Netgate

    Oct 11 19:36:26	openvpn	66148	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
    Oct 11 19:36:26	openvpn	66148	FreeBSD ifconfig failed: external program exited with error status: 1
    
    

    That means it could not apply that IP address to the OpenVPN interface. Do you have a network that might already overlap that subnet or IP address? Check Status > Interfaces and Diagnostics > Routes.



  • I can see that it uses 10.21.3.141 and i have an OpenVPN Server running on 10.0.3.x could that be the issue here?



  • copy/paste your routing table here. (remove or modify your public ip adresses of wan)



  • Here is a copy of my Routes (Didn't thhought the forum was that helpfull ;) )

    Destination	Gateway	Flags	Use	Mtu	Netif	Expire
    0.0.0.0/1	10.21.3.145	UGS	0	1500	ovpnc1	
    default	xx.xxx.xx.xxx	UGS	166894	1500	em0	
    4.2.2.3	xx.xxx.xx.xxx	UGHS	3	1500	em0	
    10.0.1.0/24	link#1	U	4025931	1500	re0	
    10.0.1.1	link#1	UHS	0	16384	lo0	
    10.0.2.0/24	link#3	U	242129	1500	em1	
    10.0.2.1	xx.xxx.xx.xxx	UGHS	0	16384	em0	
    10.0.3.0/24	10.0.3.1	UGS	0	1500	ovpns2	
    10.0.3.1	link#10	UHS	0	16384	lo0	
    10.0.3.2	link#10	UH	0	1500	ovpns2	
    10.21.0.1/32	10.21.3.145	UGS	0	1500	ovpnc1	
    10.21.3.145	link#11	UH	38	1500	ovpnc1	
    10.21.3.146	link#11	UHS	0	16384	lo0	
    xx.xxx.xx.xxx/30	link#2	U	107212	1500	em0	
    xx.xxx.xx.xxx	link#2	UHS	0	16384	lo0	
    127.0.0.1	link#8	UH	838	16384	lo0	
    128.0.0.0/1	10.21.3.145	UGS	2	1500	ovpnc1	
    173.244.55.11/32 	xx.xxx.xx.xxx	UGS	36	1500	em0	
    208.67.222.222	xx.xxx.xx.xxx	UGHS	13	1500	em0
    


  • What's on .145? Are those static routes?

    Remove all unneeded 10.21.3.x configuration.
    Stop ovpnc1 and check routing table again for differences



  • So I stopped my OpenVPN server and my routing tables looked like this

    default	xx.xxx.xx.xxx	UGS	354394	1500	em0	
    4.2.2.3	xx.xxx.xx.xxx	UGHS	3	1500	em0	
    10.0.1.0/24	link#1	U	9835635	1500	re0	
    10.0.1.1	link#1	UHS	0	16384	lo0	
    10.0.2.0/24	link#3	U	428520	1500	em1	
    10.0.2.1	xx.xxx.xx.xxx	UGHS	0	16384	em0	
    xx.xxx.xx.xxx/30	link#2	U	206541	1500	em0	
    xx.xxx.xx.xxx	link#2	UHS	0	16384	lo0	
    127.0.0.1	link#8	UH	1542	16384	lo0	
    208.67.222.222	xx.xxx.xx.xxx	UGHS	15	1500	em0	
    
    

    and started the OpenVPN client without any luck.

    0.0.0.0/1	10.21.3.185	UGS	4	1500	ovpnc1	
    default	xx.xxx.xx.xxx 	UGS	354728	1500	em0	
    4.2.2.3	xx.xxx.xx.xxx 	UGHS	3	1500	em0	
    10.0.1.0/24	link#1	U	9836394	1500	re0	
    10.0.1.1	link#1	UHS	0	16384	lo0	
    10.0.2.0/24	link#3	U	429113	1500	em1	
    10.0.2.1	xx.xxx.xx.xxx 	UGHS	0	16384	em0	
    10.21.0.1/32	10.21.3.185	UGS	0	1500	ovpnc1	
    10.21.3.185	link#11	UH	68	1500	ovpnc1	
    10.21.3.186	link#11	UHS	0	16384	lo0	
    xx.xxx.xx.xxx/30	link#2	U	206881	1500	em0	
    xx.xxx.xx.xxx 	link#2	UHS	0	16384	lo0	
    127.0.0.1	link#8	UH	1551	16384	lo0	
    128.0.0.0/1	10.21.3.185	UGS	134	1500	ovpnc1	
    173.244.55.5/32	xx.xxx.xx.xxx 	UGS	169	1500	em0	
    208.67.222.222	xx.xxx.xx.xxx 	UGHS	19	1500	em0	
    
    

    do you mean 10.0.3.145? In that case my guess is that it is the virtual IP i get from the client, so it shouldn't be static.
    I haven't configured anything regarding 10.21.3.xxx