OpenVPN in 2.4x is driving me nuts

  • We were happy to have a stable OpenVPN site-to-site connection for years with pfsense.

    Starting with 2.40, it suddenly stopped working, not straight after upgrading, but some days later, although we did not change anything in either config.

    As we did not find the error in the logs, we decided to completely reinstall both sites and restore the config from the backups and upgrade to 2.41.

    While restoring the client site did not change anything, the VPN connection immediately began to work after we had restored the server site. This again led to a working VPN connection for some days.

    Yesterday the VPN connection broke down again and did not recover.

    As I read here, it could be a problem with the handling of the "old" certificates, but the (attached) VPN logs do not say anything about it.

    Any hints?

  • I was able to look at the VPN server side today and now a simple reboot "solved" it, i.e. the VPN connection is running again (a reboot did not "solve" it the first time about 2 weeks ago, when only a new install with the old configs "solved" it).

    I just read that it could be a problem with persisting false routes which have to be removed manually.

    Anyone having the same problem here?

  • The VPN connection had been running for 4 days now without interruption when it suddenly went down this night again and does not reconnect.

    Aarrgg!

    I am afraid we have to look for alternatives concerning firewall and VPN.

  • It might be better to downgrade to the last pfsense version where it worked fine and then upgrade again when the issue is resolved.

  • Rebel Alliance Developer Netgate

    You haven't provided enough detail to speculate about the cause. Most likely the issue is on the server side, like you stated. What errors did you see there? You didn't post those logs.

    There isn't much to go wrong in OpenVPN. Especially randomly like you describe.

  • LAYER 8 Global Moderator

    What version of OpenVPN is the server side running?

    With JimP, there is not enough info to even guess..

  • @jimp:

    What errors did you see there? You didn't post those logs.

    Those logs in my first post are the only ones. Which ones do you need further?

  • Rebel Alliance Developer Netgate

    There are no errors in that log, though. Maybe you cut the log off too early.

    Please post the logs from both sides around the time of a failed connection. Please post the logs as text, preferably, not an image, either in a code block inline in the post or attached as a text file.