[OpenVPN] - Exiting due to fatal error

notaduck

I'm having a hard time trying to configure Pfsense's OpenVpn-client to connect to ExpressVPN.
Everything should be configured the correct way if i'm not mistaken, but i do see this error message in the log and i can't get an IP add.

I for sure hope some of your guys knows what is going on here, because i don't  :(

	openvpn	93023	FreeBSD ifconfig failed: external program exited with error status: 1
Oct 11 19:39:39	openvpn	93023	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
Oct 11 19:39:39	openvpn	93023	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 11 19:39:39	openvpn	93023	TUN/TAP device /dev/tun1 opened
Oct 11 19:39:36	openvpn	93023	[Server] Peer Connection Initiated with [AF_INET]173.244.55.58:1195
Oct 11 19:39:36	openvpn	93023	WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Oct 11 19:39:36	openvpn	93023	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
Oct 11 19:39:36	openvpn	93023	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 11 19:39:36	openvpn	93023	UDPv4 link remote: [AF_INET]173.244.55.58:1195
Oct 11 19:39:36	openvpn	93023	UDPv4 link local (bound): [AF_INET]xx.xxx.xx.xxx
Oct 11 19:39:36	openvpn	93023	Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Oct 11 19:39:36	openvpn	93023	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 11 19:39:36	openvpn	93023	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 11 19:39:36	openvpn	92936	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Oct 11 19:39:36	openvpn	92936	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Oct 11 19:39:36	openvpn	92936	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
Oct 11 19:36:26	openvpn	66148	Exiting due to fatal error
Oct 11 19:36:26	openvpn	66148	FreeBSD ifconfig failed: external program exited with error status: 1
Oct 11 19:36:26	openvpn	66148	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
Oct 11 19:36:26	openvpn	66148	do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 11 19:36:26	openvpn	66148	TUN/TAP device /dev/tun1 opened
Oct 11 19:36:24	openvpn	66148	[Server] Peer Connection Initiated with [AF_INET]173.244.55.58:1195
Oct 11 19:36:24	openvpn	66148	WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Oct 11 19:36:24	openvpn	66148	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
Oct 11 19:36:23	openvpn	66148	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 11 19:36:23	openvpn	66148	UDPv4 link remote: [AF_INET]173.244.55.58:1195
Oct 11 19:36:23	openvpn	66148	UDPv4 link local (bound): [AF_INET]xx.xxx.xx.xxx
Oct 11 19:36:23	openvpn	66148	Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Oct 11 19:36:23	openvpn	66148	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 11 19:36:23	openvpn	66148	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 11 19:36:23	openvpn	66062	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Oct 11 19:36:23	openvpn	66062	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Oct 11 19:36:23	openvpn	66062	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016

jimp

Oct 11 19:36:26	openvpn	66148	/sbin/ifconfig ovpnc1 10.21.3.174 10.21.3.173 mtu 1500 netmask 255.255.255.255 up
Oct 11 19:36:26	openvpn	66148	FreeBSD ifconfig failed: external program exited with error status: 1

That means it could not apply that IP address to the OpenVPN interface. Do you have a network that might already overlap that subnet or IP address? Check Status > Interfaces and Diagnostics > Routes.

notaduck

I can see that it uses 10.21.3.141 and i have an OpenVPN Server running on 10.0.3.x could that be the issue here?

heper

copy/paste your routing table here. (remove or modify your public ip adresses of wan)

notaduck

Here is a copy of my Routes (Didn't thhought the forum was that helpfull ;) )

Destination	Gateway	Flags	Use	Mtu	Netif	Expire
0.0.0.0/1	10.21.3.145	UGS	0	1500	ovpnc1	
default	xx.xxx.xx.xxx	UGS	166894	1500	em0	
4.2.2.3	xx.xxx.xx.xxx	UGHS	3	1500	em0	
10.0.1.0/24	link#1	U	4025931	1500	re0	
10.0.1.1	link#1	UHS	0	16384	lo0	
10.0.2.0/24	link#3	U	242129	1500	em1	
10.0.2.1	xx.xxx.xx.xxx	UGHS	0	16384	em0	
10.0.3.0/24	10.0.3.1	UGS	0	1500	ovpns2	
10.0.3.1	link#10	UHS	0	16384	lo0	
10.0.3.2	link#10	UH	0	1500	ovpns2	
10.21.0.1/32	10.21.3.145	UGS	0	1500	ovpnc1	
10.21.3.145	link#11	UH	38	1500	ovpnc1	
10.21.3.146	link#11	UHS	0	16384	lo0	
xx.xxx.xx.xxx/30	link#2	U	107212	1500	em0	
xx.xxx.xx.xxx	link#2	UHS	0	16384	lo0	
127.0.0.1	link#8	UH	838	16384	lo0	
128.0.0.0/1	10.21.3.145	UGS	2	1500	ovpnc1	
173.244.55.11/32 	xx.xxx.xx.xxx	UGS	36	1500	em0	
208.67.222.222	xx.xxx.xx.xxx	UGHS	13	1500	em0

heper

What's on .145? Are those static routes?

Remove all unneeded 10.21.3.x configuration.
Stop ovpnc1 and check routing table again for differences

notaduck

So I stopped my OpenVPN server and my routing tables looked like this

default	xx.xxx.xx.xxx	UGS	354394	1500	em0	
4.2.2.3	xx.xxx.xx.xxx	UGHS	3	1500	em0	
10.0.1.0/24	link#1	U	9835635	1500	re0	
10.0.1.1	link#1	UHS	0	16384	lo0	
10.0.2.0/24	link#3	U	428520	1500	em1	
10.0.2.1	xx.xxx.xx.xxx	UGHS	0	16384	em0	
xx.xxx.xx.xxx/30	link#2	U	206541	1500	em0	
xx.xxx.xx.xxx	link#2	UHS	0	16384	lo0	
127.0.0.1	link#8	UH	1542	16384	lo0	
208.67.222.222	xx.xxx.xx.xxx	UGHS	15	1500	em0	

and started the OpenVPN client without any luck.

0.0.0.0/1	10.21.3.185	UGS	4	1500	ovpnc1	
default	xx.xxx.xx.xxx 	UGS	354728	1500	em0	
4.2.2.3	xx.xxx.xx.xxx 	UGHS	3	1500	em0	
10.0.1.0/24	link#1	U	9836394	1500	re0	
10.0.1.1	link#1	UHS	0	16384	lo0	
10.0.2.0/24	link#3	U	429113	1500	em1	
10.0.2.1	xx.xxx.xx.xxx 	UGHS	0	16384	em0	
10.21.0.1/32	10.21.3.185	UGS	0	1500	ovpnc1	
10.21.3.185	link#11	UH	68	1500	ovpnc1	
10.21.3.186	link#11	UHS	0	16384	lo0	
xx.xxx.xx.xxx/30	link#2	U	206881	1500	em0	
xx.xxx.xx.xxx 	link#2	UHS	0	16384	lo0	
127.0.0.1	link#8	UH	1551	16384	lo0	
128.0.0.0/1	10.21.3.185	UGS	134	1500	ovpnc1	
173.244.55.5/32	xx.xxx.xx.xxx 	UGS	169	1500	em0	
208.67.222.222	xx.xxx.xx.xxx 	UGHS	19	1500	em0	

do you mean 10.0.3.145? In that case my guess is that it is the virtual IP i get from the client, so it shouldn't be static.
I haven't configured anything regarding 10.21.3.xxx