    Help diagnosing 2.5x OpenVPN Issues

    OpenVPN
    • G
      Griffo last edited by

      I'm pulling my hair out. I'm trying to diagnose why or what is wrong with my setup after upgrading from 2.4.5p1 to the latest 2.5.x nightly. Just to be clear, it has been 100% functional for a long time, and I'm constantly switching VPN providers around so I'm pretty comfortable with the configuration required to make it work.

      My setup isn't that complicated, basically:

      Vlan 500 - set to a gateway using L2TP tunnel to a remote VPN (I also have a backup OpenVPN client)*
      Vlan 501 - set to a Nord OpenVPN server
      Vlan 555 - set to a Nord OpenVPN server
      Vlan 666 - Vlan for IoT set to go directly out internet

      I also have configured 2 other VPN clients (disabled) as I switch Vlan501 around between VPN endpoints to get around various geo-blocks, and to use Mullvad at times.

      Now, after the upgrade
      a) VLAN 500 works perfectly with L2TP
      b) VLAN 500 works perfectly with OpenVPN
      c) VLAN 501, 555 will not successfully tunnel traffic down the VPN.

      Both NordVPNs connect and get IPs, as does the Mullvad VPN, but I cannot seem to get it to work.

      I do get this error occasionally in the OpenVPN logs

      Jan 29 13:08:31 gw openvpn[480]: Authenticate/Decrypt packet error: missing authentication info

      But only once or twice; I would have thought I'd get hundreds of entries if there was some fundamental issue with the encryption settings.

      I attempted to delete and re-create everything from scratch, but then I ran into this issue: https://redmine.pfsense.org/issues/11328, which halted me. I have however deleted and re-created the firewall rules, NAT rules, interface, removed the kill-switch rules etc.

      I guess I'm trying to work out if it's all related (i.e. there's some issue with the OpenVPN cipher config in 2.5.x) or it's an OpenVPN client compatibility issue or the NAT rules or what.

      *(P.S. I know L2TP is horrendously insecure, it's only used for video streaming and this particular provider is 10x faster with L2TP compared to OVPN)

      1 Reply Last reply Reply Quote 0
      • G
        Griffo last edited by

        Some OpenVPN logs, if they help

        Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
        Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: Client disconnected
        Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
        Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: Client disconnected
        Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
        Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: Client disconnected
        Jan 29 14:40:57 gw openvpn[88967]: event_wait : Interrupted system call (code=4)
        Jan 29 14:40:57 gw openvpn[88967]: SIGTERM received, sending exit notification to peer
        Jan 29 14:40:58 gw openvpn[88967]: Closing TUN/TAP interface
        Jan 29 14:40:58 gw openvpn[88967]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1637 10.8.0.6 255.255.255.0 init
        Jan 29 14:40:58 gw openvpn[88967]: SIGTERM[soft,exit-with-notification] received, process exiting
        Jan 29 14:40:58 gw openvpn[59500]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
        Jan 29 14:40:58 gw openvpn[59500]: WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
        Jan 29 14:40:58 gw openvpn[59500]: OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 7 2021
        Jan 29 14:40:58 gw openvpn[59500]: library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
        Jan 29 14:40:58 gw openvpn[59725]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
        Jan 29 14:40:58 gw openvpn[59725]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jan 29 14:40:58 gw openvpn[59725]: WARNING: experimental option --capath /var/etc/openvpn/client1/ca
        Jan 29 14:40:58 gw openvpn[59725]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
        Jan 29 14:40:58 gw openvpn[59725]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
        Jan 29 14:40:58 gw openvpn[59725]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.204.187:1194
        Jan 29 14:40:58 gw openvpn[59725]: Socket Buffers: R=[42080->1048576] S=[57344->1048576]
        Jan 29 14:40:58 gw openvpn[59725]: UDPv4 link local (bound): [AF_INET]159.196.107.74:0
        Jan 29 14:40:58 gw openvpn[59725]: UDPv4 link remote: [AF_INET]217.138.204.187:1194
        Jan 29 14:40:58 gw openvpn[59725]: TLS: Initial packet from [AF_INET]217.138.204.187:1194, sid=08391a6c 561fbb4a
        Jan 29 14:40:58 gw openvpn[59725]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=0, unable to get certificate CRL: CN=au676.nordvpn.com
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA5
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY KU OK
        Jan 29 14:40:58 gw openvpn[59725]: Validating certificate extended key usage
        Jan 29 14:40:58 gw openvpn[59725]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY EKU OK
        Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=0, CN=au676.nordvpn.com
        Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
        Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
        Jan 29 14:40:58 gw openvpn[59725]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
        Jan 29 14:40:58 gw openvpn[59725]: [au676.nordvpn.com] Peer Connection Initiated with [AF_INET]217.138.204.187:1194
        Jan 29 14:40:59 gw openvpn[59725]: SENT CONTROL [au676.nordvpn.com]: 'PUSH_REQUEST' (status=1)
        Jan 29 14:40:59 gw openvpn[59725]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.3 255.255.255.0,peer-id 1'
        Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
        Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
        Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: timers and/or timeouts modified
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: explicit notify parm(s) modified
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: compression parms modified
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
        Jan 29 14:40:59 gw openvpn[59725]: Socket Buffers: R=[1048576->524288] S=[1048576->524288]
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: --ifconfig/up options modified
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: route-related options modified
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: peer-id set
        Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: adjusting link_mtu to 1657
        Jan 29 14:40:59 gw openvpn[59725]: Using peer cipher 'AES-256-CBC'
        Jan 29 14:40:59 gw openvpn[59725]: Data Channel: using negotiated cipher 'AES-256-CBC'
        Jan 29 14:40:59 gw openvpn[59725]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
        Jan 29 14:40:59 gw openvpn[59725]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
        Jan 29 14:40:59 gw openvpn[59725]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
        Jan 29 14:40:59 gw openvpn[59725]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
        Jan 29 14:40:59 gw openvpn[59725]: TUN/TAP device ovpnc1 exists previously, keep at program end
        Jan 29 14:40:59 gw openvpn[59725]: TUN/TAP device /dev/tun1 opened
        Jan 29 14:40:59 gw openvpn[59725]: /sbin/ifconfig ovpnc1 10.8.3.3 10.8.3.1 mtu 1500 netmask 255.255.255.0 up
        Jan 29 14:40:59 gw openvpn[59725]: /sbin/route add -net 10.8.3.0 10.8.3.1 255.255.255.0
        Jan 29 14:40:59 gw openvpn[59725]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1637 10.8.3.3 255.255.255.0 init
        Jan 29 14:40:59 gw openvpn[59725]: Initialization Sequence Completed
        Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:01 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:01 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:02 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
        Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: Client disconnected
        Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
        Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: Client disconnected
        Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
        Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: Client disconnected
        Jan 29 14:41:04 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:04 gw openvpn[48771]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:04 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:06 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:07 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
        Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: Client disconnected
        Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
        Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: Client disconnected
        Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
        Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
        Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
        Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: Client disconnected
        Jan 29 14:41:07 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:09 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:10 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        Jan 29 14:41:11 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
        
        1 Reply Last reply Reply Quote 0
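The log above carries the two signals that matter for triage: the `'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'` warning during the handshake, and the burst of `Authenticate/Decrypt packet error: missing authentication info` lines after `Initialization Sequence Completed`, which together mean the tunnel came up but the data channel cannot authenticate packets. The following Python script is an added example written for this thread, not code from the forum or from pfSense; it parses OpenVPN client log lines of the format shown above, groups them per process ID, and reports option mismatches, pushed options (including the pushed `route-gateway` that the pfSense gateway monitor should be tracking), rejected push options and post-initialization decrypt errors. The sample log lines embedded in it are constructed, modelled on the excerpt above.

```python
"""Triage helper for OpenVPN client logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's log excerpt.
SAMPLE_LOG = """\
Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 29 14:40:59 gw openvpn[59725]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,route-gateway 10.8.3.1,topology subnet,ifconfig 10.8.3.3 255.255.255.0,peer-id 1'
Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jan 29 14:40:59 gw openvpn[59725]: Initialization Sequence Completed
Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:04 gw openvpn[48771]: Authenticate/Decrypt packet error: missing authentication info
"""

# syslog-style prefix: "<Mon dd HH:MM:SS> <host> openvpn[<pid>]: <message>"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$')
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
REJECTED_RE = re.compile(r"Options error: option '(?P<opt>[^']+)' cannot be used in this context")
DECRYPT_ERR = "Authenticate/Decrypt packet error:"


def parse_lines(text):
    """Yield (pid, timestamp, message) for every line that matches the OpenVPN log shape."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group('pid'), m.group('ts'), m.group('msg')


def triage(text):
    """Group the interesting events per OpenVPN process (one process per pfSense client instance)."""
    report = defaultdict(lambda: {"mismatches": [], "pushed": {}, "rejected": [],
                                  "decrypt_errors": 0, "initialized": False})
    for pid, _ts, msg in parse_lines(text):
        entry = report[pid]
        if (m := INCONSISTENT_RE.search(msg)):
            entry["mismatches"].append((m.group('opt'), m.group('local'), m.group('remote')))
        elif (m := PUSH_RE.search(msg)):
            # body looks like "PUSH_REPLY,opt value,opt value,..."; keep every option after the token
            for item in m.group('body').split(',')[1:]:
                key, _, value = item.strip().partition(' ')
                entry["pushed"].setdefault(key, []).append(value)
        elif (m := REJECTED_RE.search(msg)):
            entry["rejected"].append(m.group('opt'))
        elif msg.startswith(DECRYPT_ERR):
            entry["decrypt_errors"] += 1
        elif msg == "Initialization Sequence Completed":
            entry["initialized"] = True
    return dict(report)


def findings(report):
    """Turn the grouped events into human-readable triage lines."""
    out = []
    for pid, e in sorted(report.items()):
        for opt, local, remote in e["mismatches"]:
            if opt == "auth":
                out.append(f"pid {pid}: data-channel HMAC mismatch (local {local!r} vs remote {remote!r}); "
                           f"expect 'missing authentication info' errors once the tunnel is up")
        if e["initialized"] and e["decrypt_errors"]:
            out.append(f"pid {pid}: tunnel initialized but {e['decrypt_errors']} packet(s) failed "
                       f"authentication; traffic will not pass")
        gw = e["pushed"].get("route-gateway")
        if gw:
            out.append(f"pid {pid}: server pushed route-gateway {gw[0]} (the gateway monitor should target this)")
        for opt in e["rejected"]:
            out.append(f"pid {pid}: pushed option '{opt}' was rejected by the local configuration")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run it against `/var/log/openvpn.log` on the firewall (or a pasted excerpt) instead of `SAMPLE_LOG`; a client that shows an `auth` mismatch plus decrypt errors after initialization is the one whose HMAC or custom options differ from what the server negotiates, which narrows the search before diffing configs.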
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          We'll need a lot more information about the specific configuration you're using to help here. Before and after upgrade would be the most helpful. Look in the config history or compare with an older backup and see what the differences are in config.xml for that tunnel on 2.4.x vs 2.5.0, and what the resulting config looks like in /var/etc/openvpn/.

          Looks like a TLS auth mismatch to me but could be something else.

          G 1 Reply Last reply Reply Quote 0
          • G
            Griffo @jimp last edited by Griffo

            @jimp Thanks i'll try to provide as much info as I can.

            So I started again. I reverted to 2.4 and restored the config, and re-did the upgrade. I can provide full before and after configs privately.

            I then set up another NordVPN client following their guide as closely as possible; it still didn't work.
            I then factory reset the box, followed the same guide, and it works. To Upload.zip

            Here's before, and after, and then another config of it working (post factory reset on 2.5)

            G 1 Reply Last reply Reply Quote 0
            • G
              Griffo @Griffo last edited by

              @griffo I give up. I've spent all day battling this thing. There's just too much strange behaviour post upgrade, it makes diagnosis hard when there's 5 things going wrong at once. I'll wait until I have time to rebuild it from scratch.

              1 Reply Last reply Reply Quote 0
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Unless something different is happening in the generated configuration that isn't obvious from the XML, it's probably your custom options that are breaking it. The config itself looks fine except for those, and your "working" version has a different set.

                G 1 Reply Last reply Reply Quote 1
                • G
                  Griffo @jimp last edited by

                  @jimp Thank you for looking at it. I got a bit stressed after a 12 hour session of wrangling with the firewall and gave up, which is very unlike me. I'll try again with a clean build rather than an upgrade. Something "weird" happens when I try to upgrade my box; I'm guessing it's probably some cruft left over from something I tried to do years ago that's lurking around in the config somewhere. Feel free to close / lock this topic. Cheers

                  G 1 Reply Last reply Reply Quote 0
                  • G
                    Griffo @Griffo last edited by

                    @griffo A new day, a bigger cup of coffee and I worked it out.

                    Two issues

                    a) the NordVPN guides say to add the option tls-client to the custom config. With this option left in, it will connect but not pass traffic. There's obviously a TLS mismatch going on but it works without it.

                    b) with the option "Don't pull routes" NOT selected in the client, the pfSense box does not seem to give the gateway the addresses correctly. Bizarrely, when I was doing a packet trace I could see the ICMP packets for the gateway monitor flying around, but in the System -> Routing -> Gateways screen no gateway or monitor IP was listed.

                    Changed those two settings and it works. Not sure if either are bugs or just a change in behavior of the new OpenVPN client version?

                    B 1 Reply Last reply Reply Quote 0
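jimp's advice earlier in the thread was to compare the tunnel's entries in config.xml before and after the upgrade, and the resolution above came down to two client settings (a `tls-client` custom option and "Don't pull routes"). The following Python script is an added example, not code from the forum or from pfSense: it loads two config.xml exports, pulls out each `openvpn-client` entry keyed by `vpnid`, diffs them field by field, and flags custom options the thread identified as breaking traffic on 2.5. The element names (`openvpn-client`, `vpnid`, `custom_options`, `route_no_pull`) and the convention that a checked box is stored as an empty element are my understanding of the pfSense layout and should be treated as assumptions; the two XML fragments are constructed for the example.

```python
"""Diff pfSense OpenVPN client definitions between two config.xml exports (added example)."""
import xml.etree.ElementTree as ET

# Constructed before/after fragments. Element names follow pfSense's
# <openvpn><openvpn-client> layout as I understand it (an assumption).
BEFORE_XML = """<pfsense><openvpn>
<openvpn-client><vpnid>1</vpnid><description>Nord client</description>
<custom_options>remote-random;tls-client;remote-cert-tls server</custom_options>
<dev_mode>tun</dev_mode></openvpn-client>
<openvpn-client><vpnid>3</vpnid><description>Mullvad client</description>
<custom_options>remote-random</custom_options><dev_mode>tun</dev_mode></openvpn-client>
</openvpn></pfsense>"""

AFTER_XML = """<pfsense><openvpn>
<openvpn-client><vpnid>1</vpnid><description>Nord client</description>
<custom_options>remote-random;remote-cert-tls server</custom_options>
<route_no_pull></route_no_pull>
<dev_mode>tun</dev_mode></openvpn-client>
<openvpn-client><vpnid>3</vpnid><description>Mullvad client</description>
<custom_options>remote-random</custom_options><dev_mode>tun</dev_mode></openvpn-client>
</openvpn></pfsense>"""

# Custom options the thread found make a 2.5 client connect but pass no traffic.
SUSPECT_OPTIONS = {"tls-client"}


def load_clients(xml_text):
    """Return {vpnid: {field: value}} for every <openvpn-client> element."""
    root = ET.fromstring(xml_text)
    clients = {}
    for node in root.iter("openvpn-client"):
        fields = {}
        for child in node:
            # pfSense stores a checked box as an empty element whose presence means "on";
            # represent that as True so it shows up in the diff (assumption about the format).
            fields[child.tag] = child.text if child.text is not None else True
        clients[fields["vpnid"]] = fields
    return clients


def split_custom_options(value):
    """pfSense joins custom options with ';' in the XML; split them back into a list."""
    if not isinstance(value, str):
        return []
    return [opt.strip() for opt in value.split(";") if opt.strip()]


def diff_clients(before, after):
    """List (vpnid, field, old, new) for every field that differs between the two exports."""
    changes = []
    for vpnid in sorted(set(before) | set(after)):
        b, a = before.get(vpnid, {}), after.get(vpnid, {})
        for field in sorted(set(b) | set(a)):
            if b.get(field) != a.get(field):
                changes.append((vpnid, field, b.get(field), a.get(field)))
    return changes


def flag_suspect_options(clients):
    """Return {vpnid: [option, ...]} for clients whose custom options contain a suspect directive."""
    flagged = {}
    for vpnid, fields in clients.items():
        hits = [o for o in split_custom_options(fields.get("custom_options"))
                if o.split()[0] in SUSPECT_OPTIONS]
        if hits:
            flagged[vpnid] = hits
    return flagged


if __name__ == "__main__":
    before, after = load_clients(BEFORE_XML), load_clients(AFTER_XML)
    for vpnid, field, old, new in diff_clients(before, after):
        print(f"client {vpnid}: {field}: {old!r} -> {new!r}")
    for vpnid, opts in flag_suspect_options(before).items():
        print(f"client {vpnid}: suspect custom option(s) {opts}")
```

Feed it the two real exports (Diagnostics -> Backup & Restore, or the config history entries jimp mentioned) by reading the files in place of the constructed strings; the diff output is the short list of fields to look at, and the suspect-option check catches the `tls-client` case directly.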
                    • B
                      bcruze @Griffo last edited by

                      @griffo

                      I don't have any knowledge of NordVPN servers. But I can tell you as of Feb 4th Mullvad upgraded their servers to OpenVPN 2.5. I emailed them the day before to see when it would happen. The next day they were upgraded.

                      About 25 days ago I upgraded my 3100 and could not connect to a few providers. So I rolled back to current stable and everything played nice, so I know exactly what you were going through.

                      1 Reply Last reply Reply Quote 0
                      © 2021 Rubicon Communications, LLC | Privacy Policy