Cannot get OpenVPN server up and running; "Unable to contact daemon"



  • A while ago I built my own pfSense router/firewall. Main hardware: ASRock H270M-ITX/ac; Intel Pentium G4560. Little overkill, but after having everything set up and running, I
    want to make a backup and install pfSense again in a virtual ESXi environment.

    I have a challenge with the configuration of my OpenVPN server on my pfSense 2.3.4 router/firewall. After a clean install of pfSense I have only configured the WAN and LAN; no
    packages installed and configured. Primary goal is to get the OpenVPN server up and running.

    I used a tutorial. There are a lot of tutorials on the internet, but this one I selected because the description is sound and clear. I use port 443, because of experiences in
    the past (I had till recently an ASUS RT-AC68U with RMerlin firmware and OpenVPN server up and running with port 443. Not every network outside my house/office allows me to use port 1194 (experienced in a hotel and during a holiday on a camping), port 443 always works).

    Making the certificates and configuring the server went as expected; pretty easy. At the end I gave the pfSense a reboot.

    Next I noticed the following: "[error] Unable to contact daemon. Service not running?"

    Of course I had a look in the logs and used Google to find out more. I found two possibilities. Possibility 1. Killing the process. But I saw every time different PIDs, and when
    I want to kill the mentioned PID, it did not exist. Looking again at the PID number, I saw a different PID number, but that could also not be killed. Strange… Killing
    everything with the option -9 I did not do, because I read that also firewall rules will be killed, and that is not what I want...

    I installed pfSense and OpenVPN again. But with the same result. Looking further I came on possibility 2: https://forum.pfsense.org/index.php?topic=110355.0. My knowledge is too little to understand exactly what is going on and how to copy, but I do notice that other users having the same challenges (but different causes) do something with an IP alias that helps them further.

    After troubleshooting for one and a half weeks (every day a few moments when possible with a little family around me…) I learned that I am not the only one, but others before
    me have had this two years ago, different versions, but no clear root cause and solution. Finally I come to you. Can you help me out here? Thanks in advance.


  • Rebel Alliance Developer Netgate

    More than likely, you have a much simpler problem to solve. You want to use 443 for OpenVPN but your firewall GUI uses port 443 by default. Move the firewall GUI to another port under System > Advanced, then edit/save on OpenVPN.

    If that doesn't help, check Status > System Logs on the OpenVPN tab and see what errors show there.



  • @jimp:

    More than likely, you have a much simpler problem to solve. You want to use 443 for OpenVPN but your firewall GUI uses port 443 by default. Move the firewall GUI to another port under System > Advanced, then edit/save on OpenVPN.

    I switched the GUI port to 444. No success, unfortunately. It almost sounds too good to be true ;)

    If that doesn't help, check Status > System Logs on the OpenVPN tab and see what errors show there.

    I have copied the last two lines, because the other lines are the same.
        Jun 28 19:24:38 openvpn 21912 Use --help for more information.
        Jun 28 19:24:38 openvpn 21912 Options error: --server directive network/netmask combination is invalid

    I already Googled on the second line, but no relation to the 'connection to the daemon'. I would really appreciate it when you or someone else can make something out of this log line.


  • Rebel Alliance Developer Netgate

    What did you put in there for the tunnel network?

    And what are the other settings on the server (mode, etc). Screenshots of the page would be helpful, you can blur/redact any private info but do try to leave as much detail as possible.



  • Thanks. Here are my pfSense OpenVPN Server settings. I looked very carefully not to give away any personal information. Please inform me if I have overlooked something.






    Thanks for the help.


  • Rebel Alliance Developer Netgate

    Tunnel network should be the network address of the subnet, not an IP address inside it. Change that to end in .0, so 10.8.0.0/24
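
Added example (not part of the original thread, and not pfSense or OpenVPN code): a Python pre-check for the condition described in the answer above, that the tunnel network must be the subnet's network address, with no host bits set. The helper name `check_tunnel_network` is hypothetical, and `10.8.0.1/24` is a constructed input, since the poster's screenshots are not preserved.

```python
import ipaddress


def check_tunnel_network(value):
    """Validate an IPv4 tunnel network given in CIDR form.

    Reports whether the address is the network address of its subnet
    (address & netmask == address) and what the matching OpenVPN
    'server <network> <netmask>' directive would be.
    """
    value = value.strip()
    if "/" not in value:
        return {"input": value, "valid": False,
                "reason": "no prefix length; expected CIDR such as 10.8.0.0/24"}
    try:
        # IPv4Interface accepts host bits, so we can inspect them ourselves.
        iface = ipaddress.IPv4Interface(value)
    except ValueError as exc:
        return {"input": value, "valid": False, "reason": f"not IPv4 CIDR: {exc}"}

    addr, mask = int(iface.ip), int(iface.netmask)
    net = iface.network  # same prefix, host bits masked off
    result = {
        "input": value,
        "valid": (addr & mask) == addr,
        "network": str(net),
        "directive": f"server {net.network_address} {net.netmask}",
    }
    if not result["valid"]:
        host_bits = ipaddress.IPv4Address(addr & ~mask & 0xFFFFFFFF)
        result["reason"] = f"host bits set ({host_bits}); use {net}"
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the thread's screenshots.
    for sample in ("10.8.0.1/24", "10.8.0.0/24", "10.8.0.130/25", "10.8.0.0"):
        r = check_tunnel_network(sample)
        status = "OK " if r["valid"] else "BAD"
        detail = r["directive"] if r["valid"] else r["reason"]
        print(f"{status} {sample:<15} {detail}")
```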



  • @jimp:

    Tunnel network should be the network address of the subnet, not an IP address inside it. Change that to end in .0, so 10.8.0.0/24

    :-[ Thank you very much. The connection with the daemon is possible now and the error is gone. I never thought of this IP address… In basis, all the settings I recognized from my previous OpenVPN server I used in this setup. I learned that setting up an OpenVPN server is not that easy.

    Thanks Jimp for your patience and clear instructions. I really appreciate that!