Netgate Discussion Forum
    What's up with OpenVPN and 2.4.5 update?

    OpenVPN
    4 Posts 3 Posters 1.1k Views
      Dave R2
      last edited by Dave R2

      The OpenVPN client no longer connects on 2.4.5 after upgrading. It's been working fine for years. I see several others have current issues with site-to-site VPN. One fix was to change the --proto tcp option to --proto tcp-client.

      I'm using UDP with P.I.A. so I added proto udp-client to the Advanced Config > Custom Options in the client config but that doesn't look right:

      Jul 7 06:18:45 	openvpn 	65518 	Options error: Bad protocol: 'udp-client'. Allowed protocols with --proto option: [proto-uninitialized] [udp] [tcp-server] [tcp-client] [tcp] [udp4] [tcp4-server] [tcp4-client] [tcp4] [udp6] [tcp6-server] [tcp6-client] [tcp6]
      

      My ovpnc1 interface usually has an IPv4 on it when the VPN is up (of course) but it's not showing an IP at the moment (via ifconfig ovpnc1)

      ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	inet6 fe80::xxxx:xxxx:xxxx:beef%ovpnc1 prefixlen 64 scopeid 0x9
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	groups: tun openvpn
      

      After removing the tcp edit, still no IP on my ovpnc1 interface. Any thoughts? I've confirmed PIA is working by connecting with the same auth creds from my desktop.
      Thanks.

      Jul 7 06:15:26 	openvpn 	67867 	SIGUSR1[soft,ping-restart] received, process restarting
      Jul 7 06:15:26 	openvpn 	67867 	Restart pause, 10 second(s)
      Jul 7 06:15:36 	openvpn 	67867 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jul 7 06:15:36 	openvpn 	67867 	Re-using SSL/TLS context
      Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Jul 7 06:15:36 	openvpn 	67867 	PID packet_id_init seq_backtrack=64 time_backtrack=15
      Jul 7 06:15:36 	openvpn 	67867 	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
      Jul 7 06:15:36 	openvpn 	67867 	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
      Jul 7 06:15:36 	openvpn 	67867 	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
      Jul 7 06:15:36 	openvpn 	67867 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
      Jul 7 06:15:36 	openvpn 	67867 	calc_options_string_link_mtu: link-mtu 1621 -> 1569
      Jul 7 06:15:36 	openvpn 	67867 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
      Jul 7 06:15:36 	openvpn 	67867 	calc_options_string_link_mtu: link-mtu 1621 -> 1569
      Jul 7 06:15:36 	openvpn 	67867 	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
      Jul 7 06:15:36 	openvpn 	67867 	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
      Jul 7 06:15:36 	openvpn 	67867 	TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.18:1197
      Jul 7 06:15:36 	openvpn 	67867 	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jul 7 06:15:36 	openvpn 	67867 	UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.56:0
      Jul 7 06:15:36 	openvpn 	67867 	UDPv4 link remote: [AF_INET]xxx.xxx.xxx.18:1197
      Jul 7 06:15:36 	openvpn 	67867 	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Jul 7 06:15:36 	openvpn 	67867 	SENT PING
      Jul 7 06:15:36 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Jul 7 06:15:38 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Jul 7 06:15:43 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Jul 7 06:15:51 	openvpn 	67867 	UDPv4 WRITE [14] to [AF_INET]104.18.5.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
      Jul 7 06:16:02 	openvpn 	67867 	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
      Jul 7 06:16:02 	openvpn 	67867 	SENT PING
      
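Added example, not part of the post or of pfSense/OpenVPN: a small Python triage over the pfSense OpenVPN log layout used above. It makes the distinction a practitioner checks first when ovpncN has no address. In the excerpt above every packet line is a UDPv4 WRITE of P_CONTROL_HARD_RESET_CLIENT_V2 and no READ from the remote appears, so within that window the other side did not answer at all; a wrong or expired CA surfaces differently, as a VERIFY ERROR after the server has replied. The two sample logs are constructed (the first modelled on the post's lines, with the documentation address 203.0.113.18 in place of the masked remote; the second showing what a verification failure looks like), and the verdict names are this example's own.

```python
"""Triage an OpenVPN client log: did the remote ever answer the TLS handshake?

Added example for this thread (not code from the post, pfSense or OpenVPN).
It reads the pfSense log layout shown above (timestamp, 'openvpn', pid,
message) and separates failure modes that look alike from the interface
side (no address on ovpncN):

  NO_REPLY       HARD_RESET_CLIENT_V2 packets go out, nothing comes back:
                 wrong server/port, UDP filtered, or a tls-auth/tls-crypt
                 key the server silently rejects
  VERIFY_FAILED  the server answered but certificate verification failed,
                 which is what a wrong, rotated or expired CA looks like
  CONNECTED      the tunnel came up ("Initialization Sequence Completed")

The READ/WRITE packet lines only exist at the packet-level verbosity the
post's log is using; without them the result is UNDETERMINED.
"""
import re

# "Jul 7 06:15:36 <tab>openvpn <tab>67867 <tab>message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+openvpn\s+(\d+)\s+(.*)$")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+)")


def parse(log: str):
    """Yield (pid, message) for every line in the pfSense OpenVPN log layout."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(2), m.group(3)


def triage(log: str) -> dict:
    """Count handshake traffic and return the counters plus a verdict."""
    s = {"client_resets": 0, "server_packets": 0, "verify_errors": 0,
         "completed": False, "remote": None}
    for _pid, msg in parse(log):
        if " WRITE " in msg and "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            s["client_resets"] += 1          # our TLS hello, resent with back-off
        elif " READ " in msg:
            s["server_packets"] += 1         # anything at all from the remote
        elif msg.startswith("VERIFY ERROR"):
            s["verify_errors"] += 1          # X.509 chain rejected
        elif "Initialization Sequence Completed" in msg:
            s["completed"] = True
        m = REMOTE_RE.search(msg)
        if m:
            s["remote"] = m.group(1)
    if s["completed"]:
        s["verdict"] = "CONNECTED"
    elif s["verify_errors"]:
        s["verdict"] = "VERIFY_FAILED"
    elif s["client_resets"] and not s["server_packets"]:
        s["verdict"] = "NO_REPLY"
    else:
        s["verdict"] = "UNDETERMINED"
    return s


# Constructed sample modelled on the post's excerpt; 203.0.113.18 is a
# documentation address standing in for the masked remote.
SAMPLE_NO_REPLY = """\
Jul 7 06:15:36 \topenvpn \t67867 \tUDPv4 link remote: [AF_INET]203.0.113.18:1197
Jul 7 06:15:36 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:38 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:43 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:15:51 \topenvpn \t67867 \tUDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:16:02 \topenvpn \t67867 \tTLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000]
"""

# Constructed: the same window when the server answers but the client
# rejects its chain (for instance because the CA in the config has expired).
SAMPLE_VERIFY = """\
Jul 7 06:20:01 \topenvpn \t70123 \tUDPv4 WRITE [14] to [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:20:01 \topenvpn \t70123 \tUDPv4 READ [26] from [AF_INET]203.0.113.18:1197: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Jul 7 06:20:02 \topenvpn \t70123 \tVERIFY ERROR: depth=1, error=certificate has expired: C=US, O=Example CA
Jul 7 06:20:02 \topenvpn \t70123 \tTLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("no_reply", SAMPLE_NO_REPLY), ("verify", SAMPLE_VERIFY)):
        print(name, triage(log))
```

Feed it the client's log from the pfSense OpenVPN log view; a NO_REPLY verdict points at the remote address, port, firewall path or a tls-auth/tls-crypt key rather than at the CA, while VERIFY_FAILED is the case where refreshing the CA from the provider's current bundle is the fix.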
        q54e3w @Dave R2
        last edited by

        @Dave-R2 nothing ‘up’ with it, working fine here. Post your VPN config screen, it looks like your key setup in pfSense is off.

          Dave R2
          last edited by

          Thanks for the quick reply. I grabbed the openvpn.zip from the docs to get an updated CA cert from those configs. Changed out the server, port and CA cert with one from the zip and it's working now. Why this coincides with the 2.4.5 update I have no idea but clearly not an issue with pfSense.

            JeGr LAYER 8 Moderator
            last edited by

            Could have been another case of those SSL problems with one of the Root CAs rotating their CA cert (old one expired). Perhaps working fine without actually "touching" / restarting it but now needed the new certificate chain to reconnect.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

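Added example (not code from the thread, pfSense or OpenVPN) for the CA rotation JeGr describes and the CA swap that fixed the original poster's client: a standard-library Python check that reads each CA certificate an OpenVPN client config would load, from an inline <ca> block or a ca directive, and reports whether it is expired, about to expire, or fine as of a given instant. The DER walker, the config and PEM regexes, the file mapping and the 30-day warning threshold are this example's own choices; the certificate it parses is a constructed, unsigned skeleton so the block runs offline, and the reference instant NOW is arbitrary.

```python
"""Validity check for every CA certificate an OpenVPN client config loads.

Added example for this thread (not code from the post, pfSense or OpenVPN).
Standard library only: a small DER walker reads Certificate -> tbsCertificate
-> validity, so no cryptography package is needed. Handles an inline <ca>
block and a 'ca <file>' directive; files come from a mapping so it runs offline.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CA_BLOCK_RE = re.compile(r"<ca>(.*?)</ca>", re.S)
CA_FILE_RE = re.compile(r"^[ \t]*ca[ \t]+(\S+)", re.M)

def der_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 is 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der: bytes):
    """Return (notBefore, notAfter) of an X.509 DER certificate."""
    _, cert, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # tbs: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

def pem_certs(text: str):
    """All DER certificates in PEM text (a file or an inline <ca> block)."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(text)]

def check_config(ovpn: str, files: dict, now: datetime, warn_days: int = 30):
    """Return [(source, notAfter, status)] for every CA cert the config loads."""
    sources = [("<ca>", blk) for blk in CA_BLOCK_RE.findall(ovpn)]
    sources += [(name, files.get(name, "")) for name in CA_FILE_RE.findall(ovpn)]
    report = []
    for src, text in sources:
        for der in pem_certs(text):
            nb, na = cert_validity(der)
            status = ("EXPIRED" if now > na else "NOT_YET_VALID" if now < nb
                      else "EXPIRING" if na - now < timedelta(days=warn_days) else "OK")
            report.append((src, na, status))
    return report

# --- constructed sample input: an unsigned certificate skeleton (empty names
# and key) so the block runs offline; the walker reads real certs the same way.
def der_encode(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + payload

def sample_cert(not_before: str, not_after: str) -> str:
    """PEM of the skeleton with the given validity strings (demo only)."""
    def t(s):                               # UTCTime for 13-char strings, else GeneralizedTime
        return der_encode(0x17 if len(s) == 13 else 0x18, s.encode())
    empty = der_encode(0x30, b"")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, b"\x01") + empty + empty
                     + der_encode(0x30, t(not_before) + t(not_after)) + empty + empty)
    cert = der_encode(0x30, tbs + empty + der_encode(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = datetime(2020, 7, 7, 6, 15, tzinfo=timezone.utc)   # arbitrary reference instant
SAMPLE_OVPN = ("client\ndev tun\nproto udp\nremote vpn.example.invalid 1197\n"
               "<ca>\n" + sample_cert("150101000000Z", "200630000000Z") + "</ca>\n")

if __name__ == "__main__":
    for src, not_after, status in check_config(SAMPLE_OVPN, {}, NOW):
        print(f"{src}: notAfter={not_after:%Y-%m-%d} {status}")
```

Against a real client config, pass the file's text, a mapping from any ca file name to that file's contents, and datetime.now(timezone.utc); one line comes back per certificate found, which is the quick way to tell a bundle whose CA has rolled over from one that is still current before touching the server or port settings.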
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.