What's up with OpenVPN and 2.4.5 update?



  • The OpenVPN client no longer connects on 2.4.5 after upgrading. It's been working fine for years. I see several others currently have issues with site-to-site VPN. One fix was to change the --proto tcp option to --proto tcp-client.

    I'm using UDP with P.I.A., so I added proto udp-client to the Advanced Config > Custom Options in the client config, but that doesn't look right:

    Jul 7 06:18:45 	openvpn 	65518 	Options error: Bad protocol: 'udp-client'. Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
    

    My ovpnc1 interface usually has an IPv4 on it when the VPN is up (of course) but it's not showing an IP at the moment (via ifconfig ovpnc1)

    ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    	options=80000<LINKSTATE>
    	inet6 fe80::xxxx:xxxx:xxxx:beef%ovpnc1 prefixlen 64 scopeid 0x9
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	groups: tun openvpn
    

    After removing the tcp edit, still no IP on my ovpnc1 interface. Any thoughts? I've confirmed PIA is working by connecting with the same auth creds from my desktop.
    Thanks.

    Jul 7 06:15:26 	openvpn 	67867 	SIGUSR1[soft,ping-restart] received, process restarting
    Jul 7 06:15:26 	openvpn 	67867 	Restart pause, 10 second(s)
    Jul 7 06:15:36 	openvpn 	67867 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 7 06:15:36 	openvpn 	67867 	Re-using SSL/TLS context
    Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Jul 7 06:15:36 	openvpn 	67867 	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Jul 7 06:15:36 	openvpn 	67867 	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
    Jul 7 06:15:36 	openvpn 	67867 	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Jul 7 06:15:36 	openvpn 	67867 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Jul 7 06:15:36 	openvpn 	67867 	calc_options_string_link_mtu: link-mtu 1621 -> 1569
    Jul 7 06:15:36 	openvpn 	67867 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
    Jul 7 06:15:36 	openvpn 	67867 	calc_options_string_link_mtu: link-mtu 1621 -> 1569
    Jul 7 06:15:36 	openvpn 	67867 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
    Jul 7 06:15:36 	openvpn 	67867 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
    Jul 7 06:15:36 	openvpn 	67867 	TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.18:1197
    Jul 7 06:15:36 	openvpn 	67867 	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jul 7 06:15:36 	openvpn 	67867 	UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.56:0
    Jul 7 06:15:36 	openvpn 	67867 	UDPv4 link remote: [AF_INET]xxx.xxx.xxx.18:1197
    Jul 7 06:15:36 	openvpn 	67867 	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Jul 7 06:15:36 	openvpn 	67867 	SENT PING
    Jul 7 06:15:36 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Jul 7 06:15:38 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Jul 7 06:15:43 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Jul 7 06:15:51 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Jul 7 06:16:02 	openvpn 	67867 	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Jul 7 06:16:02 	openvpn 	67867 	SENT PING
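
Triage logic for a log excerpt like the one above, added here as an example and not code from the thread, pfSense or OpenVPN: it parses lines in pfSense's OpenVPN log layout and separates a client stuck retransmitting P_CONTROL_HARD_RESET_CLIENT_V2 with key#0 at S_PRE_START (the server never answered) from a config rejection (Options error) and from a certificate failure (VERIFY ERROR, which can only appear once the server has replied). The sample lines are constructed, with a documentation-range address in place of the poster's.

```python
import re
# Constructed sample in pfSense's OpenVPN log layout (date, process, pid, message; tab separated); 192.0.2.18 is a documentation address.
SAMPLE_LOG = """\
Jul 7 06:15:26 \topenvpn \t67867 \tSIGUSR1[soft,ping-restart] received, process restarting
Jul 7 06:15:36 \topenvpn \t67867 \tTLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000]
Jul 7 06:15:36 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]192.0.2.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:38 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]192.0.2.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:43 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]192.0.2.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:16:02 \topenvpn \t67867 \tTLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000]
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+openvpn\s+(\d+)\s+(.*)$")
STATE_RE = re.compile(r"key#0 state=(S_\w+)")  # TLS state of the primary key slot
def parse(log_text):
    # Yield (timestamp, pid, message); lines in another layout are skipped.
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).strip()

def diagnose(log_text):
    # Triage one client restart cycle into a verdict plus the evidence behind it.
    ev = {"options_errors": [], "verify_errors": [], "client_resets": 0,
          "server_resets": 0, "neg_timeout": False, "completed": False, "last_state": None}
    for _, _, msg in parse(log_text):
        if msg.startswith("Options error:"):            # daemon refused the config
            ev["options_errors"].append(msg)
        elif "WRITE" in msg and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            ev["client_resets"] += 1                    # our handshake opener (retransmits)
        elif "READ" in msg and "P_CONTROL_HARD_RESET_SERVER_V2" in msg:
            ev["server_resets"] += 1                    # server's first control packet
        elif msg.startswith("VERIFY ERROR"):            # server replied; cert chain rejected
            ev["verify_errors"].append(msg)
        elif "TLS key negotiation failed to occur" in msg:
            ev["neg_timeout"] = True                    # timed out with no usable reply
        elif "Initialization Sequence Completed" in msg:
            ev["completed"] = True
        m = STATE_RE.search(msg)
        if m:
            ev["last_state"] = m.group(1)               # S_PRE_START = waiting on server
    if ev["options_errors"]:
        ev["verdict"] = "config_error"
    elif ev["completed"]:
        ev["verdict"] = "connected"
    elif ev["verify_errors"]:
        ev["verdict"] = "tls_failure"
    elif ev["server_resets"] == 0 and (ev["client_resets"] >= 3 or ev["neg_timeout"]):
        ev["verdict"] = "no_server_reply"
    else:
        ev["verdict"] = "inconclusive"
    return ev
```

Run `diagnose(SAMPLE_LOG)` on the excerpt: three client hard resets, no server hard reset and key#0 still at S_PRE_START gives the verdict no_server_reply, which points at reachability or a changed endpoint rather than at the certificate material.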
    


  • @Dave-R2 nothing ‘up’ with it, working fine here. Post your VPN config screen, it looks like your key setup in pfSense is off.



  • Thanks for the quick reply. I grabbed the openvpn.zip from the docs to get an updated CA cert from those configs. Changed out the server, port and CA cert with one from the zip and it's working now. Why this coincides with the 2.4.5 update I have no idea, but clearly not an issue with pfSense.


  • LAYER 8 Moderator

    Could have been another case of those SSL problems with one of the Root CAs rotating their CA cert (old one expired). Perhaps it was working fine without actually "touching"/restarting it, but now needed the new certificate chain to reconnect.
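
A check for the CA swap described in this thread, added here as an example and not code from the posts or from pfSense: it pulls every certificate out of the inline <ca> blocks of two profiles (the one configured and the one from the provider's zip) and compares their SHA-256 fingerprints, the same value `openssl x509 -noout -fingerprint -sha256` prints, so a rotated root shows up as a stale fingerprint on the configured side. The profiles and the DER payloads are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CA_BLOCK_RE = re.compile(r"<ca>(.*?)</ca>", re.S)

def pem_to_der(pem_body):
    # Drop the PEM line breaks and decode the base64 DER payload.
    return base64.b64decode("".join(pem_body.split()), validate=True)

def sha256_fingerprint(der):
    # Hash of the DER bytes, colon separated, as openssl's -fingerprint -sha256 shows it.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def ca_fingerprints(ovpn_text):
    # Fingerprint every certificate inside every inline <ca>...</ca> block of a profile.
    out = []
    for block in CA_BLOCK_RE.findall(ovpn_text):
        for body in PEM_RE.findall(block):
            out.append(sha256_fingerprint(pem_to_der(body)))
    return out

def compare_ca(configured_ovpn, provider_ovpn):
    # Which provider CAs the configured profile lacks, and which configured CAs are stale.
    have, want = set(ca_fingerprints(configured_ovpn)), set(ca_fingerprints(provider_ovpn))
    return {"missing": sorted(want - have), "stale": sorted(have - want), "match": have == want}

def inline_ca(*ders):
    # Build a constructed profile with an inline <ca> block (64-char PEM lines like OpenSSL).
    parts = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        parts.append("-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----")
    return "client\ndev tun\nproto udp\n<ca>\n" + "\n".join(parts) + "\n</ca>\n"

# Placeholder DER payloads: made-up bytes standing in for real CA certificates.
OLD_CA_DER = b"\x30\x82placeholder-old-root-ca" * 4
NEW_CA_DER = b"\x30\x82placeholder-new-root-ca" * 4
CONFIGURED = inline_ca(OLD_CA_DER)      # what the firewall's client profile still carries
PROVIDER_ZIP = inline_ca(NEW_CA_DER)    # the freshly downloaded profile after a CA rotation

if __name__ == "__main__":
    print(compare_ca(CONFIGURED, PROVIDER_ZIP))
```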

