OpenVPN Client failing to start



  • I have set up pfSense as a client of AirVPN via OpenVPN.  This has worked flawlessly for many months prior to pfSense 2.40.  Since the upgrade, the client will not start consistently, and the following log entries appear.

    
    Oct 19 06:33:44 	openvpn 	60233 	WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
    Oct 19 06:33:44 	openvpn 	60233 	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
    Oct 19 06:33:44 	openvpn 	60233 	library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
    Oct 19 06:33:44 	openvpn 	60498 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
    Oct 19 06:33:44 	openvpn 	60498 	mlockall call succeeded
    Oct 19 06:33:44 	openvpn 	60498 	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    Oct 19 06:33:44 	openvpn 	60498 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 19 06:33:44 	openvpn 	60498 	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 19 06:33:44 	openvpn 	60498 	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 19 06:33:44 	openvpn 	60498 	TCP/UDP: Preserving recently used remote address: [AF_INET]173.44.55.154:443
    Oct 19 06:33:44 	openvpn 	60498 	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Oct 19 06:33:44 	openvpn 	60498 	UDPv4 link local (bound): [AF_INET]x.x.x.x:0
    Oct 19 06:33:44 	openvpn 	60498 	UDPv4 link remote: [AF_INET]173.44.55.154:443
    Oct 19 06:33:44 	openvpn 	60498 	TLS: Initial packet from [AF_INET]173.44.55.154:443, sid=d24649d5 e33dc07d
    Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: nsCertType=SERVER
    Oct 19 06:33:45 	openvpn 	60498 	VERIFY KU OK
    Oct 19 06:33:45 	openvpn 	60498 	Validating certificate extended key usage
    Oct 19 06:33:45 	openvpn 	60498 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Oct 19 06:33:45 	openvpn 	60498 	VERIFY EKU OK
    Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
    Oct 19 06:33:45 	openvpn 	60498 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Oct 19 06:33:45 	openvpn 	60498 	[server] Peer Connection Initiated with [AF_INET]173.44.55.154:443
    Oct 19 06:33:46 	openvpn 	60498 	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Oct 19 06:33:46 	openvpn 	60498 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.37.186 255.255.0.0'
    Oct 19 06:33:46 	openvpn 	60498 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Oct 19 06:33:46 	openvpn 	60498 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: timers and/or timeouts modified
    Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: compression parms modified
    Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: --ifconfig/up options modified
    Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: route-related options modified
    Oct 19 06:33:46 	openvpn 	60498 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 19 06:33:46 	openvpn 	60498 	Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 19 06:33:46 	openvpn 	60498 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 19 06:33:46 	openvpn 	60498 	Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 19 06:33:46 	openvpn 	60498 	TUN/TAP device ovpnc4 exists previously, keep at program end
    Oct 19 06:33:46 	openvpn 	60498 	TUN/TAP device /dev/tun4 opened
    Oct 19 06:33:46 	openvpn 	60498 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Oct 19 06:33:46 	openvpn 	60498 	/sbin/ifconfig ovpnc4 10.4.37.186 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
    Oct 19 06:33:46 	openvpn 	60498 	FreeBSD ifconfig failed: external program exited with error status: 1
    Oct 19 06:33:46 	openvpn 	60498 	Exiting due to fatal error
    
    

    I am not sure what to make of this error code, and how to fix it.  Any suggestions?



  • I should add that the OpenVPN client works for a while after rebooting pfSense, but then eventually fails with the error in the prior post.  Attempting to restart the OpenVPN client in the pfSense GUI does not work to get it restarted - it fails immediately.  Once the error occurs, the only way to restart it is by a reboot.


  • Rebel Alliance Developer Netgate

    Check Diagnostics > Routes, do you already have an entry referencing 10.4.37.0/24 or 10.4.37.186 specifically?



  • Right now, the OpenVPN client is up/running, and I have the assigned private IP of 10.4.4.186 (Note that addresses in my VLANs and on my OpenVPN servers are different subnets, so there is not a conflict between the addresses).

    I have the following entries under routes:
    10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
    10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4

    I will check again once the OpenVPN client goes down, and see if the relevant route is missing.  If it is, what would be the next step?



  • Hi, I have the exact same problem. Since upgrading to pfSense 2.4.x, the OpenVPN client stops working after a while and the errors OP mentioned appear in the logs.
    The only solution I found is rebooting my pfSense box. This usually happens when the WAN IP gets changed or if I make some changes to the OpenVPN settings.
    Another thing I noticed is that the interface field of the OpenVPN settings is not working either. No matter what interface I choose in this field, OpenVPN always uses the default gateway. This used to work perfectly in pfSense 2.3.x.



  • I saw this same problem when testing 2.4.x and went back to 2.3.4.

    Routes aren't being removed when the openvpn client goes down, so the openvpn client gets the ifconfig error when it tries to start back up.



  • Same exact issue I am having: it fails to delete old dynamic routes.  Update version 2.4.1 may have fixed this issue, can anyone confirm?

    https://forum.pfsense.org/index.php?topic=138608.0
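
A way to test the diagnosis given in the last replies (routes left behind on the tunnel interface) against the log from the first post. This is an added example, not part of the original thread: the function names are hypothetical, the log lines are copied from the first post, and the route rows are the two quoted in the thread plus one constructed `em0` row.

```shell
#!/bin/sh
# Added example: correlate a failed OpenVPN start with routes still bound
# to the tunnel interface. Function names are hypothetical.

# Reads an OpenVPN log on stdin. Prints "<iface> <local-ip>" for each
# ifconfig command that was followed by "FreeBSD ifconfig failed".
failed_ifconfig() {
    awk '
        /\/sbin\/ifconfig / {
            for (i = 1; i < NF; i++)
                if ($i == "/sbin/ifconfig") { ifc = $(i + 1); ip = $(i + 2) }
        }
        /FreeBSD ifconfig failed/ && ifc != "" { print ifc, ip; ifc = "" }
    '
}

# Reads a routing table on stdin. Prints "<destination> <gateway>" for
# every row bound to interface $1 (matches the Netif column wherever it is).
stale_routes() {
    awk -v ifc="$1" '
        { for (i = 3; i <= NF; i++) if ($i == ifc) { print $1, $2; break } }
    '
}

# Log lines copied from the first post.
sample_log() {
    cat <<'EOF'
Oct 19 06:33:46 openvpn 60498 TUN/TAP device /dev/tun4 opened
Oct 19 06:33:46 openvpn 60498 /sbin/ifconfig ovpnc4 10.4.37.186 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Oct 19 06:33:46 openvpn 60498 FreeBSD ifconfig failed: external program exited with error status: 1
EOF
}

# Two rows quoted in the thread; the em0 row is constructed for contrast.
sample_routes() {
    cat <<'EOF'
default 192.0.2.1 UGS 0 1500 em0
10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4
EOF
}

failed=$(sample_log | failed_ifconfig)
if [ -n "$failed" ]; then
    echo "ifconfig failed for: $failed; routes still bound to that interface:"
    sample_routes | stale_routes "${failed%% *}"
fi
```

On a live system the two inputs would be the OpenVPN log and the output of `netstat -rn`, captured while the client is down.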

