    OpenVPN client showing 100% packetloss following 2.5.0 upgrade

    • C
      custardduck22 last edited by

      Hi,

      I have a policy based routing setup to pass certain traffic through an OpenVPN client on pfSense to NordVPN. I followed the NordVPN setup instructions for pfSense here and this has been working perfectly for ~6 months now.

      Today, I've upgraded to 2.5.0 and the NordVPN gateway is now reporting "Offline, Packetloss: 100%" with no traffic able to be routed to NordVPN. The normal WAN traffic is unaffected.

      • Status / OpenVPN shows the NordVPN client connection status as "up" with a Virtual Address assigned;

      • System Logs / OpenVPN reports a successful connection, but includes an "Authenticate/Decrypt packet error: missing authentication info" error;

      • System Logs / System / Gateway shows a dpinger alarm "NORDVPN_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%";

      • Firewall / NAT / Outbound has the correct manual rules for the Gateway;

      • System / Routing / Gateways - I have tried disabling Gateway Monitoring & Gateway Action but with no impact;

      • VPN / OpenVPN - I have deleted the NordVPN client and set it up from scratch but encounter the same problem.

      I'm starting to run out of ideas - any thoughts?

      Thanks

      N R G 3 Replies Last reply Reply Quote 1
      • N
        NeVaR @custardduck22 last edited by

        @custardduck22 I also have an issue with OpenVPN. I'm using TorGuard. I too have "Offline, Packetloss: 100%" when viewing Status > Gateway, while Status > OpenVPN shows the status is up. But my system logs for OpenVPN only contain warnings, with no mention of the "Authenticate/Decrypt packet error".

        R 1 Reply Last reply Reply Quote 0
        • R
          RumMonkey69 @custardduck22 last edited by RumMonkey69

          @custardduck22 I have the same.

          From what I can gather people that have done a clean install have not got these issues, whereas I upgraded and have numerous problems.

          I'm going to have to reinstall and start from scratch :(

          Also, NordVPN won't even talk about 2.5, as if it is unsupported by them.

          N 1 Reply Last reply Reply Quote 0
          • R
            RumMonkey69 @NeVaR last edited by RumMonkey69

            @nevar also same


            but I have got it to work by disabling gateway monitoring

            1 Reply Last reply Reply Quote 0
            • T
              theo098 last edited by theo098

              Same here. I also have NordVPN. It worked flawlessly with 2.4.5 P1 for > 6 months.
              My problems are a bit different though.

              It started with the default gateway set to my IPTV WAN interface. Corrected -> works.

              As soon as I start OpenVPN, my IPTV starts to interrupt. It looks like the VPN and IGMP Proxy do not work together.
              Disable OpenVPN -> IPTV works flawlessly.


              1 Reply Last reply Reply Quote 0
              • N
                NeVaR @RumMonkey69 last edited by

                @rummonkey69 You mean deleting the OpenVPN client profile? I did that and it is still the same. I have a feeling it is the additional settings added to the OpenVPN client. Like, unchecking "Enable Data Encryption Negotiation" does not do anything, since it states that "Disabling this feature is deprecated." There is also a new field, "TLS keydir direction", which I hadn't seen before when I set up my TorGuard.

                R 1 Reply Last reply Reply Quote 0
                • R
                  RumMonkey69 @NeVaR last edited by

                  @nevar No, I mean disabling gateway monitoring for failover, as I have more than one OpenVPN client.

                  N 1 Reply Last reply Reply Quote 0
                  • N
                    NeVaR @RumMonkey69 last edited by

                    @rummonkey69 I don't have gateway monitoring enabled, aside from "Do not create rules when gateway is down". I disabled that as well and I'm getting the same error, "Offline, Packetloss: 100%". I'm using two OpenVPN clients as well. I can't only point the issue to "Enable Data Encryption Negotiation" and "TLS keydir direction". The tutorial shows unchecking Enable NCP, which I guess was replaced with "Enable Data Encryption Negotiation".

                    1 Reply Last reply Reply Quote 0
                    • B
                      bjames88 last edited by

                      I am having the same issue as well. I've been doing some research and tried a few different configurations on my VPN connection but no luck. Following this thread in hope that someone gets a lead.

                      1 Reply Last reply Reply Quote 0
                      • B
                        bjames88 last edited by

                        I played with the settings for a while and finally got it working by unchecking "Enable Data Encryption Negotiation". You might want to reboot after making this change.


                        N B C T 4 Replies Last reply Reply Quote 4
                        • N
                          NeVaR @bjames88 last edited by

                          @bjames88 Already tried that. So what's confusing is the last sentence, "Disabling this feature is deprecated." So unchecking does not do anything? So who is your VPN provider?

                          B 1 Reply Last reply Reply Quote 0
                          • B
                            bartkowski @bjames88 last edited by

                            @bjames88 Thanks! This has solved my issue. I was pulling my hair out.
                            On top of that, Cloudflare had an issue in the Chicago area tonight, which caused a 502 nginx bad gateway to be shown when navigating to www.nordvpn.com (and a few others). Their app on Android also didn't work for several minutes.

                            1 Reply Last reply Reply Quote 1
                            • C
                              custardduck22 @bjames88 last edited by

                              @bjames88 thank you - this worked for me too

                              1 Reply Last reply Reply Quote 1
                              • B
                                bjames88 @NeVaR last edited by

                                @nevar Deprecated means the feature will be removed in the future but it is currently still available. It's no longer supported and will eventually be completely removed.

                                I use Nord as my VPN provider.

                                1 Reply Last reply Reply Quote 0
                                • T
                                  theo098 @bjames88 last edited by theo098

                                  @bjames88 That's it. Thanks a lot! Everything is working again. Worked right away, didn't even have to reboot.


                                  N 1 Reply Last reply Reply Quote 1
                                  • N
                                    NeVaR @theo098 last edited by

                                    I managed to get it to work on TorGuard, somewhat. I needed to select AES-128-GCM instead of AES-256-GCM for the Fallback Data Encryption Algorithm, as well as uncheck Enable Data Encryption Negotiation. But on Status > Gateways, it is still showing Offline, 100% packet loss. Can you guys confirm if you are still seeing that status?

                                    1 Reply Last reply Reply Quote 1
                                    • N
                                      NeVaR last edited by

                                      Relating to "Offline, Packetloss: 100%": go to System > Routing, then edit each VPN gateway you have and check "Disable Gateway Monitoring" & "Disable Gateway Monitoring Action". The majority of VPN providers ignore ping, which explains why you are getting 100% packet loss. This resolved my issue running multiple VPN clients. pfSense detects that the gateway is offline since it didn't get a ping response, which causes some weird issues.

                                      R S 2 Replies Last reply Reply Quote 0
                                      • R
                                        RumMonkey69 @NeVaR last edited by

                                        @nevar not true.

                                        Reinstall clean of 2.5 and it's working as was before.

                                        Doing an upgrade and restore didn't fix the issue.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          Skooby @NeVaR last edited by

                                          @nevar thanks that worked for me

                                          S 1 Reply Last reply Reply Quote 0
                                          • S
                                            Skooby @Skooby last edited by Skooby

                                            OK, so doing that allowed the connection to work. However, it's now ignoring all my rules and routing everything through the OpenVPN gateway. These rules have not changed in the last 2 years, so something has changed with 2.5.0. I guess the next step is to do a clean install and restore the config.

                                            S 1 Reply Last reply Reply Quote 0
                                            • S
                                              Skooby @Skooby last edited by

                                              ok, so a clean install did not work either. (restored config afterwards)

                                              N 1 Reply Last reply Reply Quote 0
                                              • H
                                                hypnosis4u2nv last edited by

                                                I have Torguard also and had the same issue.

                                                System->Routing->Gateways->Edit-> Monitor IP - Set it to anything, I used 8.8.8.8

                                                Now shows online in the Gateways. I believe it's an issue with ICMP over that gateway.

                                                On an unrelated note, I had to dump OpenVPN because I couldn't get it to work with policy based routing. Either I had issues with the clients I wanted to connect through it or it took over as the main gateway for my LAN. I gave up and set up WireGuard as a client for now via TorGuard. My policy based rules are working as they should.

                                                N 1 Reply Last reply Reply Quote 0
                                                • N
                                                  NeVaR @hypnosis4u2nv last edited by

                                                  @hypnosis4u2nv Here's my setting System > Routing > Gateways > Edit (Torguard)

                                                  Address Family: IPv4
                                                  Gateway: dynamic
                                                  Gateway Monitor: checked, Disable gateway monitoring
                                                  Gateway Action: checked, Disable gateway monitoring action
                                                  Force state: unchecked

                                                  How do you set up WireGuard as a client?

                                                  H 1 Reply Last reply Reply Quote 0
                                                  • G
                                                    Griffo @custardduck22 last edited by Griffo

                                                    @custardduck22 @bjames88 For NordVPN you just need to delete the "tls-client" custom option they recommend. I've got many tunnels running with Negotiation still enabled.


                                                    1 Reply Last reply Reply Quote 1
                                                    • H
                                                      hypnosis4u2nv @NeVaR last edited by hypnosis4u2nv

                                                      @nevar You don't need to disable monitoring, just use an IP to monitor and set it on the Monitor IP setting.

                                                      Go to the configurator page on Torguard, set it to Wireguard, choose your server location and plug in the private and public keys you generate in pfsense. It will pop out a configuration, just plug that data in Wireguard and into the peer.

                                                      Add a NAT rule for your WAN to LAN (or any other interface)

                                                      Add a firewall rule to allow any (everything) for the Wireguard interface.

                                                      Under LAN (or any other interface you set in NAT) allow any protocol, source set to whatever you want (I'm using aliases for certain devices), go to advanced tag the traffic (I use vpntraffic) and set the gateway to wireguard.

                                                      Create a floating rule for WAN block traffic, Any for all, go to advanced, set tagged to vpntraffic (or whatever you used in the above LAN rule). This is your killswitch: if the connection to the VPN drops, nothing can access the internet via WAN. Test WireGuard before you set the killswitch to rule out errors.

                                                      Enjoy Wireguard as a client.

                                                      G 1 Reply Last reply Reply Quote 0
                                                      • G
                                                        Griffo @hypnosis4u2nv last edited by Griffo

                                                        @hypnosis4u2nv Did you post in the wrong thread? You're talking about WireGuard in an OpenVPN thread.

                                                        H 1 Reply Last reply Reply Quote 0
                                                        • B
                                                          bjames88 last edited by bjames88

                                                          Nord has not posted their documentation for setting up NordVPN on pfSense 2.5.0.

                                                          https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm

                                                          I just went through this new howto doc and made a few changes to my current settings. Those were mostly in the crypto settings for the client config as far as I remember, but you might want to go through everything. So far it looks good, I'm connecting and working through the VPN.

                                                          G R 2 Replies Last reply Reply Quote 1
                                                          • H
                                                            hypnosis4u2nv @Griffo last edited by

                                                            @griffo The previous user asked how I set it up.

                                                            1 Reply Last reply Reply Quote 0
                                                            • G
                                                              Griffo @bjames88 last edited by

                                                              @bjames88 said in OpenVPN client showing 100% packetloss following 2.5.0 upgrade:

                                                              Nord has not posted their documentation for setting up NordVPN on pfSense 2.5.0.

                                                              Interesting how they call out they are not going to let you use Wireguard :-)
                                                              Nord do some strange things. Like the fact they moved to Service credentials rather than username / password, but don't give you a mechanism to revoke or cycle it... so it's actually less secure than using your username & password, as at least you can change them.

                                                              B 1 Reply Last reply Reply Quote 0
                                                              • B
                                                                bjames88 @Griffo last edited by

                                                                @griffo It doesn't surprise me that they don't have WireGuard available for manual setup yet. They could be working out the best way to deal with the certs. I also liked the use of service credentials, but you have a good point that you can't cycle those yourself. Hmmm...

                                                                1 Reply Last reply Reply Quote 0
                                                                • R
                                                                  RumMonkey69 @bjames88 last edited by

                                                                  @bjames88 It's strange.

                                                                  After a clean install, I have not made any changes to the NordVPN guide and all is working fine for me.

                                                                  But it didn't work as a not clean install/upgrade.


                                                                  B 1 Reply Last reply Reply Quote 1
                                                                  • B
                                                                    bjames88 @RumMonkey69 last edited by

                                                                    @rummonkey69 Had you added those Enable Data Encryption Algorithms or did they show up on their own after the upgrade? Those are not the same Algorithms shown to be added on the Nord 2.4.5 config guide.

                                                                    R 1 Reply Last reply Reply Quote 0
                                                                    • N
                                                                      NeVaR @Skooby last edited by

                                                                      @skooby I don't believe a clean install will help. It is likely an added option is set to enabled instead of disabled, like for example the monitoring of the gateways. When I was using 2.4, I don't believe there was a monitor feature for the gateways. I recommend going through each setting for the interface, gateway and VPN profile.

                                                                      R 1 Reply Last reply Reply Quote 0
                                                                      • R
                                                                        RumMonkey69 @bjames88 last edited by

                                                                        @bjames88 It was default settings; I only added the VPN server name, usernames and passwords and the custom rules as mentioned on the site.

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • R
                                                                          RumMonkey69 @NeVaR last edited by

                                                                          @nevar Yes, the monitor feature has been there for a long time.

                                                                          N 1 Reply Last reply Reply Quote 0
                                                                          • N
                                                                            NeVaR @RumMonkey69 last edited by

                                                                            @rummonkey69 Hmmm, I can only guess there are some changes to it, since I didn't encounter "offline, 100% packetloss" on the gateway after I upgraded to 2.5 and only resolved my issue by enabling the "disable monitoring" checkboxes.

                                                                            R 1 Reply Last reply Reply Quote 0
                                                                            • R
                                                                              RumMonkey69 @NeVaR last edited by

                                                                              @nevar yeah I had to disable them when I upgraded. But no issues when clean.

                                                                              G 1 Reply Last reply Reply Quote 0
                                                                              • G
                                                                                Griffo @RumMonkey69 last edited by

                                                                                @rummonkey69 I had the same issue with the late dev builds. No matter what I did, post upgrade Nord would not connect, or after editing it would connect but with total traffic loss. A clean build and it worked fine.

                                                                                H 1 Reply Last reply Reply Quote 0
                                                                                • H
                                                                                  hypnosis4u2nv @Griffo last edited by

                                                                                  @griffo I had issues with a clean install of pfsense and restoring my config. I'd lean towards something wrong with the old config and how it transfers over to the new version of openvpn.

                                                                                  G 1 Reply Last reply Reply Quote 0
                                                                                  • G
                                                                                    Griffo @hypnosis4u2nv last edited by Griffo

                                                                                    @hypnosis4u2nv Yes same, restoring config did not work. Clean build, restoring just OpenVPN config did not work.

                                                                                    Clean build, manual config recreation worked.

                                                                                    1 Reply Last reply Reply Quote 0
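
Added example (not from any poster, and not pfSense or OpenVPN code): a Python triage over the two log messages quoted in the first post, separating the two failure modes the thread discusses: a tunnel that logs Authenticate/Decrypt errors while its gateway shows 100% loss, versus a gateway marked offline only because the monitor IP gets no replies. The log lines, timestamps, PIDs, the TORGUARD_VPNV4 and WAN_DHCP names, the monitor addresses and the PID-to-gateway mapping are constructed assumptions.

```python
import re

# dpinger alert line, in the shape quoted in the first post:
#   "<GATEWAY> <monitor IP>: Alarm latency 0us stddev 0us loss 100%"
DPINGER_RE = re.compile(
    r"dpinger\[\d+\]: (?P<gw>\S+) (?P<target>\S+): (?P<state>Alarm|Clear) "
    r"latency (?P<lat>\d+)us stddev \d+us loss (?P<loss>\d+)%"
)
OPENVPN_RE = re.compile(r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)")
DECRYPT_ERROR = "Authenticate/Decrypt packet error"

# Assumption: the operator supplies which openvpn PID backs which gateway.
PID_TO_GATEWAY = {41234: "NORDVPN_VPNV4", 41300: "TORGUARD_VPNV4"}

# Constructed sample log (not taken from any poster's system).
SAMPLE_LOG = """\
Feb 18 09:14:02 openvpn[41234]: Initialization Sequence Completed
Feb 18 09:14:07 openvpn[41234]: Authenticate/Decrypt packet error: missing authentication info
Feb 18 09:14:09 dpinger[5120]: NORDVPN_VPNV4 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
Feb 18 09:14:11 openvpn[41234]: Authenticate/Decrypt packet error: missing authentication info
Feb 18 09:15:30 openvpn[41300]: Initialization Sequence Completed
Feb 18 09:15:41 dpinger[5121]: TORGUARD_VPNV4 10.8.0.1: Alarm latency 0us stddev 0us loss 100%
Feb 18 09:16:02 dpinger[5122]: WAN_DHCP 192.0.2.1: Alarm latency 18250us stddev 940us loss 25%
Feb 18 09:16:40 dpinger[5122]: WAN_DHCP 192.0.2.1: Clear latency 9120us stddev 310us loss 0%
"""

# Next steps, taken from suggestions made in the thread.
HINTS = {
    "data-channel": "tunnel is up but packets fail to authenticate: review the "
                    "data encryption negotiation and fallback algorithm settings",
    "monitor-target": "no decrypt errors logged: the monitor IP may not answer "
                      "ping through this tunnel; try a different Monitor IP",
    "degraded": "partial loss: the path works but is lossy",
    "decrypt-errors-only": "decrypt errors without a gateway alarm: watch the tunnel",
    "ok": "no open alarm",
}


def _blank():
    return {"alarm": False, "loss": 0, "target": None, "decrypt_errors": 0}


def classify(state):
    """Turn the last known state of one gateway into a verdict key of HINTS."""
    if not state["alarm"]:
        return "decrypt-errors-only" if state["decrypt_errors"] else "ok"
    if state["loss"] < 100:
        return "degraded"
    return "data-channel" if state["decrypt_errors"] else "monitor-target"


def triage(log_text, pid_to_gateway):
    """Return {gateway name: verdict} for every gateway seen in the log."""
    gateways = {}
    for line in log_text.splitlines():
        m = DPINGER_RE.search(line)
        if m:
            gw = gateways.setdefault(m["gw"], _blank())
            gw["target"] = m["target"]
            gw["alarm"] = m["state"] == "Alarm"  # a later Clear closes the alarm
            gw["loss"] = int(m["loss"])
            continue
        m = OPENVPN_RE.search(line)
        if m and DECRYPT_ERROR in m["msg"]:
            name = pid_to_gateway.get(int(m["pid"]))
            if name is not None:
                gateways.setdefault(name, _blank())["decrypt_errors"] += 1
    return {name: classify(state) for name, state in gateways.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG, PID_TO_GATEWAY).items():
        print(f"{name}: {verdict} ({HINTS[verdict]})")
```

The verdicts are heuristics for deciding which setting to look at first; disabling gateway monitoring changes only what the status page reports, so a "data-channel" verdict would still pass no traffic afterwards.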