OpenVPN Exiting due to fatal error



  • Morning,
    I've noticed this has been happening more and more lately. For instance, this morning, we had a secondary ISP go offline then back online. Once back online, the VPN shows in the off state. When trying to restart, it states it's exiting due to fatal error. When I run the command from SSH, it states the address is already in use. Nowhere on this box shows the current tunnel IP in use. If I change the tunnel IP and restart the VPN, it comes right up. I'm having to reboot the pfSense router to resolve this. We are currently running version 2.3.3.

    Is this a bug with pfSense? I can provide logs if needed, but I cannot find where this address shows already in use.



  • Based on what I've seen online, this isn't the first time this has happened. Is there any way to fix my VPNs without rebooting our router?



  • Looks like I have the same problem on 2.4.3.

    
    May 8 13:41:05	openvpn	73585	WARNING: using --pull/--client and --ifconfig together is probably not what you want
    May 8 13:41:05	openvpn	73585	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    May 8 13:41:05	openvpn	73585	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 8 13:41:05	openvpn	73585	TCP/UDP: Preserving recently used remote address: [AF_INET]185.34.52.16:443
    May 8 13:41:05	openvpn	73585	Attempting to establish TCP connection with [AF_INET]185.34.52.16:443 [nonblock]
    May 8 13:41:06	openvpn	73585	TCP connection established with [AF_INET]185.34.52.16:443
    May 8 13:41:06	openvpn	73585	TCPv4_CLIENT link local (bound): [AF_INET]82.140.19.25:0
    May 8 13:41:06	openvpn	73585	TCPv4_CLIENT link remote: [AF_INET]185.34.52.16:443
    May 8 13:41:06	openvpn	73585	[server] Peer Connection Initiated with [AF_INET]185.34.52.16:443
    May 8 13:41:08	openvpn	73585	TUN/TAP device ovpnc3 exists previously, keep at program end
    May 8 13:41:08	openvpn	73585	TUN/TAP device /dev/tun3 opened
    May 8 13:41:08	openvpn	73585	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    May 8 13:41:08	openvpn	73585	/sbin/ifconfig ovpnc3 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.0 up
    May 8 13:41:08	openvpn	73585	FreeBSD ifconfig failed: external program exited with error status: 1
    May 8 13:41:08	openvpn	73585	Exiting due to fatal error
    
    

    And after a reboot the VPN starts and all is working as it should.

    Why?



  • More detailed logs:

    Mon May 14 13:37:05 2018 us=232901 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
    Mon May 14 13:37:05 2018 us=232947 TUN/TAP device ovpnc3 exists previously, keep at program end
    Mon May 14 13:37:05 2018 us=232987 TUN/TAP device /dev/tun3 opened
    Mon May 14 13:37:05 2018 us=233001 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mon May 14 13:37:05 2018 us=233022 /sbin/ifconfig ovpnc3 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.0 up
    ifconfig: ioctl (SIOCAIFADDR): File exists
    Mon May 14 13:37:05 2018 us=237265 FreeBSD ifconfig failed: external program exited with error status: 1
    Mon May 14 13:37:05 2018 us=237288 Exiting due to fatal error
    
    


  • OK.

    I figured it out.

    There is a bug: pfSense doesn't support 2 or more OpenVPN client configurations with TUN device.


  • Netgate

    @mrpsycho:

    OK.

    I figured it out.

    There is a bug: pfSense doesn't support 2 or more OpenVPN client configurations with TUN device.

    Completely untrue.

    You must, however, use different tunnel networks for each tunnel.



  • @mrpsycho said in OpenVPN Exiting due to fatal error:

    10.8.0.2

    What derelict failed to clarify is that you are attempting to assign the same IP address to two different interfaces.

    This occurs when you are trying to make duplicate VPN connections that assign the same IP address to a TUN interface that has already been used by another connection's TUN interface.

    Look at your OpenVPN logs and the addresses that are being assigned by your VPN provider via the PUSH= entries. If you see that each separate VPN connection is trying to use the same local IP address to assign to its local TUN interface, this will not work when using multiple VPN connections. Each connection needs to assign a unique IP address to its local TUN interface or you will have a conflict, as indicated by the "ifconfig: ioctl (SIOCAIFADDR): File exists" error.
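
The check described in the last two replies, as an added example that is not part of any post in this thread: it reads the `/sbin/ifconfig` lines OpenVPN logs for each client and reports interfaces that are given the same local address or overlapping tunnel networks. The `ovpnc4` and `ovpnc5` log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Matches the ifconfig command OpenVPN logs on FreeBSD/pfSense, e.g.
# "/sbin/ifconfig ovpnc3 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.0 up"
IFCONFIG_RE = re.compile(
    r"/sbin/ifconfig\s+(?P<ifname>\S+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<peer>\d+\.\d+\.\d+\.\d+)\s.*?netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)

def tunnel_assignments(log_lines):
    """Return {ifname: (local_ip, tunnel_network)}, keeping the latest entry per interface."""
    seen = {}
    for line in log_lines:
        m = IFCONFIG_RE.search(line)
        if not m:
            continue
        local = ipaddress.ip_address(m["local"])
        net = ipaddress.ip_network(f"{m['local']}/{m['mask']}", strict=False)
        seen[m["ifname"]] = (local, net)
    return seen

def find_conflicts(log_lines):
    """List interface pairs whose local address or tunnel network collide."""
    conflicts = []
    for (if_a, (ip_a, net_a)), (if_b, (ip_b, net_b)) in combinations(
        sorted(tunnel_assignments(log_lines).items()), 2
    ):
        if ip_a == ip_b:
            conflicts.append((if_a, if_b, f"same local address {ip_a}"))
        elif net_a.overlaps(net_b):
            conflicts.append((if_a, if_b, f"overlapping networks {net_a} and {net_b}"))
    return conflicts

# Constructed sample: the ovpnc3 command is the one from the thread; ovpnc4 and ovpnc5 are made up.
SAMPLE_LOG = [
    "May 8 13:41:08 openvpn 73585 /sbin/ifconfig ovpnc3 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.0 up",
    "May 8 13:40:12 openvpn 61120 /sbin/ifconfig ovpnc4 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.0 up",
    "May 8 13:40:30 openvpn 61544 /sbin/ifconfig ovpnc5 10.9.0.6 10.9.0.5 mtu 1500 netmask 255.255.255.0 up",
]

if __name__ == "__main__":
    for if_a, if_b, reason in find_conflicts(SAMPLE_LOG):
        print(f"{if_a} <-> {if_b}: {reason}")
```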


 
