Help diagnosing 2.5x OpenVPN Issues

Griffo

I'm pulling my hair out. I'm trying to diagnose why or what is wrong with my setup after upgrading from 2.4.5p1 to the latest 2.5.x nightly. Just to be clear, it has been 100% functional for a long time, and i'm constantly switching VPN providers around so i'm pretty comfortable with the configuration required to make it work.

My set isn't that complicated, basically:

Vlan 500 - set to a gateway using L2TP tunnel to a remote VPN (I also have a backup OpenVPN client)*
Vlan 501 - set to an Nord OpenVPN server
Vlan 555 - set to an Nord OpenVPN Server
Vlan 666 - Vlan for IoT set to go directly out internet

I also have configured 2 other VPN clients (disabled) as i switch Vlan501 around between VPN endpoints to get around various geo-blocks , and to use Mullvad at times.

Now, after the upgrade
a) VLAN 500 works perfectly with L2TP
b) VLAN 500 works perfectly with OpenVPN
c) VLAN 501, 555 will not successfully tunnel traffic down the VPN.

Both NordVPN's connect and get IP's, as does the Mullvad VPN but I cannot seem to get it to work.

I do get this error occasionally in the OpenVPN logs

Jan 29 13:08:31 gw openvpn[480]: Authenticate/Decrypt packet error: missing authentication info

But only one or twice, i would have though I'd get hundreds of entries if there was some fundamental issue with the encryption settings.

I attempted to delete and re-create everything from scratch, but then i ran into this issue: https://redmine.pfsense.org/issues/11328 which halted me. I have however deleted and re-created the firewall rules, NAT rules, interface, removed the kill-switch rules etc.

I guess I'm trying to work out if it's all related (i.e there's some issue with the OpenVPN cipher config in 2.5.x) or it's an OpenVPN client compatibility issue or the NAT rules or what.

*(P.S I know L2TP is horrendously insecure, it's only used for video streaming and this particular provider is 10x faster with L2TP compared to OVPN)

Griffo

SOme OpenVPN logs if they help

Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: CMD 'state 1'
Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: CMD 'status 2'
Jan 29 14:40:54 gw openvpn[88967]: MANAGEMENT: Client disconnected
Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
Jan 29 14:40:54 gw openvpn[48771]: MANAGEMENT: Client disconnected
Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
Jan 29 14:40:54 gw openvpn[43702]: MANAGEMENT: Client disconnected
Jan 29 14:40:57 gw openvpn[88967]: event_wait : Interrupted system call (code=4)
Jan 29 14:40:57 gw openvpn[88967]: SIGTERM received, sending exit notification to peer
Jan 29 14:40:58 gw openvpn[88967]: Closing TUN/TAP interface
Jan 29 14:40:58 gw openvpn[88967]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1637 10.8.0.6 255.255.255.0 init
Jan 29 14:40:58 gw openvpn[88967]: SIGTERM[soft,exit-with-notification] received, process exiting
Jan 29 14:40:58 gw openvpn[59500]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Jan 29 14:40:58 gw openvpn[59500]: WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Jan 29 14:40:58 gw openvpn[59500]: OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 7 2021
Jan 29 14:40:58 gw openvpn[59500]: library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Jan 29 14:40:58 gw openvpn[59725]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
Jan 29 14:40:58 gw openvpn[59725]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 29 14:40:58 gw openvpn[59725]: WARNING: experimental option --capath /var/etc/openvpn/client1/ca
Jan 29 14:40:58 gw openvpn[59725]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 29 14:40:58 gw openvpn[59725]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 29 14:40:58 gw openvpn[59725]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.204.187:1194
Jan 29 14:40:58 gw openvpn[59725]: Socket Buffers: R=[42080->1048576] S=[57344->1048576]
Jan 29 14:40:58 gw openvpn[59725]: UDPv4 link local (bound): [AF_INET]159.196.107.74:0
Jan 29 14:40:58 gw openvpn[59725]: UDPv4 link remote: [AF_INET]217.138.204.187:1194
Jan 29 14:40:58 gw openvpn[59725]: TLS: Initial packet from [AF_INET]217.138.204.187:1194, sid=08391a6c 561fbb4a
Jan 29 14:40:58 gw openvpn[59725]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=0, unable to get certificate CRL: CN=au676.nordvpn.com
Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA5
Jan 29 14:40:58 gw openvpn[59725]: VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Jan 29 14:40:58 gw openvpn[59725]: VERIFY KU OK
Jan 29 14:40:58 gw openvpn[59725]: Validating certificate extended key usage
Jan 29 14:40:58 gw openvpn[59725]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 29 14:40:58 gw openvpn[59725]: VERIFY EKU OK
Jan 29 14:40:58 gw openvpn[59725]: VERIFY OK: depth=0, CN=au676.nordvpn.com
Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Jan 29 14:40:58 gw openvpn[59725]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 29 14:40:58 gw openvpn[59725]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Jan 29 14:40:58 gw openvpn[59725]: [au676.nordvpn.com] Peer Connection Initiated with [AF_INET]217.138.204.187:1194
Jan 29 14:40:59 gw openvpn[59725]: SENT CONTROL [au676.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 29 14:40:59 gw openvpn[59725]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.3 255.255.255.0,peer-id 1'
Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 29 14:40:59 gw openvpn[59725]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: explicit notify parm(s) modified
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: compression parms modified
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 29 14:40:59 gw openvpn[59725]: Socket Buffers: R=[1048576->524288] S=[1048576->524288]
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: route-related options modified
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: peer-id set
Jan 29 14:40:59 gw openvpn[59725]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 29 14:40:59 gw openvpn[59725]: Using peer cipher 'AES-256-CBC'
Jan 29 14:40:59 gw openvpn[59725]: Data Channel: using negotiated cipher 'AES-256-CBC'
Jan 29 14:40:59 gw openvpn[59725]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 29 14:40:59 gw openvpn[59725]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 29 14:40:59 gw openvpn[59725]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 29 14:40:59 gw openvpn[59725]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 29 14:40:59 gw openvpn[59725]: TUN/TAP device ovpnc1 exists previously, keep at program end
Jan 29 14:40:59 gw openvpn[59725]: TUN/TAP device /dev/tun1 opened
Jan 29 14:40:59 gw openvpn[59725]: /sbin/ifconfig ovpnc1 10.8.3.3 10.8.3.1 mtu 1500 netmask 255.255.255.0 up
Jan 29 14:40:59 gw openvpn[59725]: /sbin/route add -net 10.8.3.0 10.8.3.1 255.255.255.0
Jan 29 14:40:59 gw openvpn[59725]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1637 10.8.3.3 255.255.255.0 init
Jan 29 14:40:59 gw openvpn[59725]: Initialization Sequence Completed
Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:00 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:01 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:01 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:02 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:03 gw openvpn[59725]: MANAGEMENT: Client disconnected
Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:03 gw openvpn[48771]: MANAGEMENT: Client disconnected
Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:03 gw openvpn[43702]: MANAGEMENT: Client disconnected
Jan 29 14:41:04 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:04 gw openvpn[48771]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:04 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:06 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:07 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:07 gw openvpn[59725]: MANAGEMENT: Client disconnected
Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:07 gw openvpn[48771]: MANAGEMENT: Client disconnected
Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: Client connected from /var/etc/openvpn/client5/sock
Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: CMD 'state 1'
Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: CMD 'status 2'
Jan 29 14:41:07 gw openvpn[43702]: MANAGEMENT: Client disconnected
Jan 29 14:41:07 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:09 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:10 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info
Jan 29 14:41:11 gw openvpn[59725]: Authenticate/Decrypt packet error: missing authentication info

jimp

We'll need a lot more information about the specific configuration you're using to help here. Before and after upgrade would be the most helpful. Look in the config history or compare with an older backup and see what the differences are in config.xml for that tunnel on 2.4.x vs 2.5.0, and what the resulting config looks like in /var/etc/openvpn/.

Looks like a TLS auth mismatch to me but could be something else.

Griffo

@jimp Thanks i'll try to provide as much info as I can.

So I started again. I reverted to 2.4 and restored the config, and re-did the upgrade. I can provide full before and after configs privately.

I then set up another Nord VPN client following their guide as closely as possible, it still didn't work.
I then factory reset the box, set followed the same guide, and it works. To Upload.zip

Here's before, and after, and then another config of it working (post factory reset on 2.5)

Griffo

@griffo I give up. I've spent all day battling this thing. There's just too much strange behaviour post upgrade, it makes diagnosis hard when there's 5 things going wrong at once. I'll wait until I have time to rebuild it from scratch.

jimp

Unless something different is happening in the generated configuration that isn't obvious from the XML, it's probably your custom options that are breaking it. The config itself looks fine except for those, and your "working" version has a different set.

Griffo

@jimp Thank you for looking at it. I got a bit stressed after a 12 hour session of wrangling with the firewall and gave up, which is very unlike me. I'll try again with a clean build rather than an upgrade. Something "weird" happens when I try to upgrade my box, i'm guessings probably some cruft left over from something I tried to do years ago that's lurking around in the config somewhere. Feel free to close / lock this topic. Cheers

Griffo

@griffo A new day, a bigger cup of coffee and I worked it out.

Two issues

a) the NordVPN guides say to add the option tls-client to the custom config. With this option left in, it will connect but not pass traffic. There's obviously a TLS mismatch going on but it works without it.

b) with the option "Don't pull routes" NOT selected in the client, the pfsense box does not seem to give the gateway the addresses correctly. Bizarrely when I was doing a packet trace I could see the ICMP packets for the gateway monitor flying around, but in the system -> routing -> gateway screen no gateway or monitor IP was listed.

Changed those two settings and it works. Not sure if either are bugs or just a change in behavior of the new OpenVPN client version?

bcruze

@griffo

I don’t have any knowledge of nordvpn servers. But I can tell you as of feb 4th mullvad upgraded their servers to openvpn 2.5. I emailed them the day before to see when it would happen. The next day they were upgraded

I about 25 days ago upgraded my 3100 and could not connect to a few providers. So I rolled back to current stable and everything played nice.. so I know exactly what you were going through

Help diagnosing 2.5x OpenVPN Issues

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter