OpenVPN Client failing to start
-
I have set up pfSense as a client of AirVPN via OpenVPN. This has worked flawlessly for many months prior to pfSense 2.40. Since the upgrade, the client will not start consistently, and the following log entries appear.
Oct 19 06:33:44 openvpn 60233 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Oct 19 06:33:44 openvpn 60233 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Oct 19 06:33:44 openvpn 60233 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
Oct 19 06:33:44 openvpn 60498 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock
Oct 19 06:33:44 openvpn 60498 mlockall call succeeded
Oct 19 06:33:44 openvpn 60498 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Oct 19 06:33:44 openvpn 60498 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 19 06:33:44 openvpn 60498 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 06:33:44 openvpn 60498 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 06:33:44 openvpn 60498 TCP/UDP: Preserving recently used remote address: [AF_INET]173.44.55.154:443
Oct 19 06:33:44 openvpn 60498 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 19 06:33:44 openvpn 60498 UDPv4 link local (bound): [AF_INET]x.x.x.x:0
Oct 19 06:33:44 openvpn 60498 UDPv4 link remote: [AF_INET]173.44.55.154:443
Oct 19 06:33:44 openvpn 60498 TLS: Initial packet from [AF_INET]173.44.55.154:443, sid=d24649d5 e33dc07d
Oct 19 06:33:45 openvpn 60498 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Oct 19 06:33:45 openvpn 60498 VERIFY OK: nsCertType=SERVER
Oct 19 06:33:45 openvpn 60498 VERIFY KU OK
Oct 19 06:33:45 openvpn 60498 Validating certificate extended key usage
Oct 19 06:33:45 openvpn 60498 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 19 06:33:45 openvpn 60498 VERIFY EKU OK
Oct 19 06:33:45 openvpn 60498 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Oct 19 06:33:45 openvpn 60498 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 19 06:33:45 openvpn 60498 [server] Peer Connection Initiated with [AF_INET]173.44.55.154:443
Oct 19 06:33:46 openvpn 60498 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Oct 19 06:33:46 openvpn 60498 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.37.186 255.255.0.0'
Oct 19 06:33:46 openvpn 60498 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct 19 06:33:46 openvpn 60498 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct 19 06:33:46 openvpn 60498 OPTIONS IMPORT: timers and/or timeouts modified
Oct 19 06:33:46 openvpn 60498 OPTIONS IMPORT: compression parms modified
Oct 19 06:33:46 openvpn 60498 OPTIONS IMPORT: --ifconfig/up options modified
Oct 19 06:33:46 openvpn 60498 OPTIONS IMPORT: route-related options modified
Oct 19 06:33:46 openvpn 60498 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 19 06:33:46 openvpn 60498 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 06:33:46 openvpn 60498 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 19 06:33:46 openvpn 60498 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 06:33:46 openvpn 60498 TUN/TAP device ovpnc4 exists previously, keep at program end
Oct 19 06:33:46 openvpn 60498 TUN/TAP device /dev/tun4 opened
Oct 19 06:33:46 openvpn 60498 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 19 06:33:46 openvpn 60498 /sbin/ifconfig ovpnc4 10.4.37.186 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
Oct 19 06:33:46 openvpn 60498 FreeBSD ifconfig failed: external program exited with error status: 1
Oct 19 06:33:46 openvpn 60498 Exiting due to fatal error
I am not sure what to make of this error code, and how to fix it. Any suggestions?
-
I should add that the OpenVPN client works for a while after rebooting pfSense, but then eventually fails with the error in the prior post. Attempting to restart the OpenVPN client in the pfSense GUI does not work to get it restarted - it fails immediately. Once the error occurs, the only way to restart it is by a reboot.
-
Check Diagnostics > Routes, do you already have an entry referencing 10.4.37.0/24 or 10.4.37.186 specifically?
-
Right now, the OpenVPN client is up/running, and I have the assigned private IP of 10.4.4.186 (Note that addresses in my VLANs and on my OpenVPN servers are different subnets, so there is not a conflict between the addresses).
I have the following entries under routes:
10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4
I will check again once the OpenVPN client goes down, and see if the relevant route is missing. If it is, what would be the next step?
-
Hi, I have the exact same problem. Since upgrading to pfSense 2.4.x, the OpenVPN client stops working after a while and the errors OP mentioned appear in the logs.
The only solution I found is rebooting my pfSense box. This usually happens when the WAN IP changes or if I make some changes to the OpenVPN settings.
Another thing I noticed is that the interface field of the OpenVPN settings is not working either. No matter what interface I choose in this field, OpenVPN always uses the default gateway. This used to work perfectly in pfSense 2.3.x.
-
I saw this same problem when testing 2.4.x and went back to 2.3.4.
Routes aren't being removed when the openvpn client goes down, so the openvpn client gets the ifconfig error when it tries to start back up.
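A way to check for the leftover-route condition described above. This is an added example, not part of any post in the thread. The function names, the `em0` interface and the 192.0.2.x rows are assumptions made for illustration, and the sample route table and log text are constructed from the rows and messages quoted in the posts.

```shell
#!/bin/sh
# Added example: flag routes still bound to an OpenVPN client interface after
# the client has died with the ifconfig error shown in the thread.

# Print "destination gateway" for every route bound to interface $1.
# Reads a route table on stdin and looks for the interface in any column after
# the gateway, so `netstat -rn` output and the GUI column order both work.
routes_on_iface() {
    awk -v ifn="$1" '
        $1 ~ /^[0-9]/ || $1 == "default" {
            for (i = 3; i <= NF; i++)
                if ($i == ifn) { print $1, $2; break }
        }'
}

# Succeed if the log on stdin contains the fatal ifconfig error.
ifconfig_failed() {
    grep -q 'FreeBSD ifconfig failed: external program exited with error status'
}

# $1 = interface, $2 = route table text, $3 = log lines of the latest start.
# Prints CLEAN (no routes on the interface), STALE (routes remain and the
# client failed at ifconfig) or ACTIVE (routes present, no failure logged),
# followed by the routes found.
check_stale() {
    left=$(printf '%s\n' "$2" | routes_on_iface "$1")
    if [ -z "$left" ]; then
        echo "CLEAN"
    elif printf '%s\n' "$3" | ifconfig_failed; then
        echo "STALE"; printf '%s\n' "$left"
    else
        echo "ACTIVE"; printf '%s\n' "$left"
    fi
}

# Constructed sample data (em0 and 192.0.2.x are placeholders).
SAMPLE_ROUTES='default 192.0.2.1 UGS 1200 1500 em0
10.4.0.0/16 10.4.0.1 UGS 0 1500 ovpnc4
10.4.0.1 10.4.4.186 UGHS 38153 1500 ovpnc4
192.0.2.0/24 link#1 U 0 1500 em0'
SAMPLE_LOG='Oct 19 06:33:46 openvpn 60498 FreeBSD ifconfig failed: external program exited with error status: 1
Oct 19 06:33:46 openvpn 60498 Exiting due to fatal error'

check_stale ovpnc4 "$SAMPLE_ROUTES" "$SAMPLE_LOG"
```

On the firewall itself the route table argument would be `"$(netstat -rn -f inet)"`; pass only the log lines from the most recent start attempt so an older failure is not mistaken for the current state.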
-
Same exact issue I am having: it fails to delete old dynamic routes. Update version 2.4.1 may have fixed this issue, can anyone confirm?
https://forum.pfsense.org/index.php?topic=138608.0