Netgate Discussion Forum

    OpenVPN Client failing to start

    7 Posts 5 Posters 3.7k Views
    • P
      pfguy2017

      I have set up pfSense as a client of AirVPN via OpenVPN.  This has worked flawlessly for many months prior to pfSense 2.40.  Since the upgrade, the client will not start consistently, and the following log entries appear.

      
      Oct 19 06:33:44 	openvpn 	60233 	WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
      Oct 19 06:33:44 	openvpn 	60233 	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
      Oct 19 06:33:44 	openvpn 	60233 	library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
      Oct 19 06:33:44 	openvpn 	60498 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
      Oct 19 06:33:44 	openvpn 	60498 	mlockall call succeeded
      Oct 19 06:33:44 	openvpn 	60498 	WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
      Oct 19 06:33:44 	openvpn 	60498 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 19 06:33:44 	openvpn 	60498 	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 19 06:33:44 	openvpn 	60498 	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 19 06:33:44 	openvpn 	60498 	TCP/UDP: Preserving recently used remote address: [AF_INET]173.44.55.154:443
      Oct 19 06:33:44 	openvpn 	60498 	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Oct 19 06:33:44 	openvpn 	60498 	UDPv4 link local (bound): [AF_INET]x.x.x.x:0
      Oct 19 06:33:44 	openvpn 	60498 	UDPv4 link remote: [AF_INET]173.44.55.154:443
      Oct 19 06:33:44 	openvpn 	60498 	TLS: Initial packet from [AF_INET]173.44.55.154:443, sid=d24649d5 e33dc07d
      Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
      Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: nsCertType=SERVER
      Oct 19 06:33:45 	openvpn 	60498 	VERIFY KU OK
      Oct 19 06:33:45 	openvpn 	60498 	Validating certificate extended key usage
      Oct 19 06:33:45 	openvpn 	60498 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Oct 19 06:33:45 	openvpn 	60498 	VERIFY EKU OK
      Oct 19 06:33:45 	openvpn 	60498 	VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
      Oct 19 06:33:45 	openvpn 	60498 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
      Oct 19 06:33:45 	openvpn 	60498 	[server] Peer Connection Initiated with [AF_INET]173.44.55.154:443
      Oct 19 06:33:46 	openvpn 	60498 	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      Oct 19 06:33:46 	openvpn 	60498 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.37.186 255.255.0.0'
      Oct 19 06:33:46 	openvpn 	60498 	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
      Oct 19 06:33:46 	openvpn 	60498 	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
      Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: timers and/or timeouts modified
      Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: compression parms modified
      Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: --ifconfig/up options modified
      Oct 19 06:33:46 	openvpn 	60498 	OPTIONS IMPORT: route-related options modified
      Oct 19 06:33:46 	openvpn 	60498 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Oct 19 06:33:46 	openvpn 	60498 	Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 19 06:33:46 	openvpn 	60498 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
      Oct 19 06:33:46 	openvpn 	60498 	Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 19 06:33:46 	openvpn 	60498 	TUN/TAP device ovpnc4 exists previously, keep at program end
      Oct 19 06:33:46 	openvpn 	60498 	TUN/TAP device /dev/tun4 opened
      Oct 19 06:33:46 	openvpn 	60498 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
      Oct 19 06:33:46 	openvpn 	60498 	/sbin/ifconfig ovpnc4 10.4.37.186 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
      Oct 19 06:33:46 	openvpn 	60498 	FreeBSD ifconfig failed: external program exited with error status: 1
      Oct 19 06:33:46 	openvpn 	60498 	Exiting due to fatal error
      
      

      I am not sure what to make of this error code, and how to fix it.  Any suggestions?

      • P
        pfguy2017

        I should add that the OpenVPN client works for a while after rebooting pfSense, but then eventually fails with the error in the prior post.  Attempting to restart the OpenVPN client in the pfSense GUI does not work to get it restarted - it fails immediately.  Once the error occurs, the only way to restart it is by a reboot.

        • jimpJ
          jimp Rebel Alliance Developer Netgate

          Check Diagnostics > Routes, do you already have an entry referencing 10.4.37.0/24 or 10.4.37.186 specifically?

          • P
            pfguy2017

            Right now, the OpenVPN client is up/running, and I have the assigned private IP of 10.4.4.186 (Note that addresses in my VLANs and on my OpenVPN servers are different subnets, so there is not a conflict between the addresses).

            I have the following entries under routes:
            10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
            10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4

            I will check again once the OpenVPN client goes down, and see if the relevant route is missing.  If it is, what would be the next step?

            • A
              amires

              Hi, I have the exact same problem. Since upgrading to pfSense 2.4.x, the OpenVPN client stops working after a while and the errors OP mentioned appear in the logs.
              The only solution I found is rebooting my pfSense box. This usually happens when the WAN IP gets changed or if I make some changes to OpenVPN settings.
              Another thing I noticed is that the interface field of the OpenVPN settings is not working either. No matter what interface I choose in this field, OpenVPN always uses
              the default gateway. This used to work perfectly in pfSense 2.3.x.

              • C
                cosmoxl

                I saw this same problem when testing 2.4.x and went back to 2.3.4.

                Routes aren't being removed when the openvpn client goes down, so the openvpn client gets the ifconfig error when it tries to start back up.

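The condition described in the post above (routes left on the tunnel interface when the client tries to start again), as an added example that is not part of the thread: it pulls the interface and addresses from the failing ifconfig log line and lists routes still bound to that interface. The log excerpt and route table are constructed samples in the layout quoted earlier in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example. Both samples are constructed for illustration.

# Constructed log excerpt: the ifconfig call that failed in the first post.
SAMPLE_LOG='Oct 19 06:33:46 openvpn 60498 TUN/TAP device /dev/tun4 opened
Oct 19 06:33:46 openvpn 60498 /sbin/ifconfig ovpnc4 10.4.37.186 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Oct 19 06:33:46 openvpn 60498 FreeBSD ifconfig failed: external program exited with error status: 1'

# Constructed route table in the column layout quoted in the thread
# (destination gateway flags use mtu netif), left behind by an earlier session.
SAMPLE_ROUTES='default 192.0.2.1 UGS 1200 1500 em0
10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4
192.0.2.0/24 link#1 U 900 1500 em0'

# Print "iface address peer" from the last ifconfig call OpenVPN logged.
parse_ifconfig() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i + 3 <= NF; i++)
              if ($i == "/sbin/ifconfig") r = $(i+1) " " $(i+2) " " $(i+3) }
        END { if (r != "") print r }'
}

# Print every route in table $1 whose netif (last column) is interface $2.
routes_on_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" 'NF > 0 && $NF == ifc'
}

# Report routes that survive on the tunnel interface before a (re)start.
# Returns 0 if none, 1 if leftovers exist, 2 if the log has no ifconfig call.
check_stale() {
    read -r iface addr peer <<EOF
$(parse_ifconfig "$1")
EOF
    [ -n "$iface" ] || { echo "no ifconfig call found in log"; return 2; }
    left=$(routes_on_iface "$2" "$iface")
    [ -n "$left" ] || { echo "no routes left on $iface"; return 0; }
    echo "routes still on $iface while OpenVPN tries to assign $addr:"
    printf '%s\n' "$left" | awk -v a="$addr" -v p="$peer" '{
        t = ($2 == a || $2 == p) ? "matches this start" : "gateway from an earlier lease"
        print "  " $0 "  [" t "]" }'
    return 1
}

check_stale "$SAMPLE_LOG" "$SAMPLE_ROUTES" || true
```

A route tagged "gateway from an earlier lease" points at a tunnel address the new session was not given, which is what a route left over from the previous connection looks like.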
                • R
                  RHLinux

                  Same exact issue I am having, fails to delete old dynamic routes.  Update version 2.4.1 may have fixed this issue, can anyone confirm?

                  https://forum.pfsense.org/index.php?topic=138608.0
